diff --git a/policy-f20-base.patch b/policy-f20-base.patch new file mode 100644 index 0000000..68ba07b --- /dev/null +++ b/policy-f20-base.patch 
@@ -0,0 +1,44980 @@
+diff --git a/Makefile b/Makefile
+index 85d4cfb..7bfdfc6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
+ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+ SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
++SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+ LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+ SETFILES ?= $(tc_sbindir)/setfiles
+ XMLLINT ?= $(BINDIR)/xmllint
+@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+ 
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -608,15 +609,17 @@ resetlabels:
+ # Clean everything
+ #
+ bare: clean
+- rm -f $(polxml)
+- rm -f $(layerxml)
+- rm -f $(modxml)
+- rm -f $(tunxml)
+- rm -f $(boolxml)
+- rm -f $(mod_conf)
+- rm -f $(booleans)
+- rm -fR $(htmldir)
+- rm -f $(tags)
++ echo "hehe kde jsem asi tak"
++ pwd
++ #rm -f $(polxml)
++ #rm -f $(layerxml)
++ #rm -f $(modxml)
++ #rm -f $(tunxml)
++ #rm -f $(boolxml)
++ #rm -f $(mod_conf)
++ #rm -f $(booleans)
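Review bot: The new `appfiles` line installs `$(appdir)/lxc_contexts`, but nothing in the visible part of the patch adds a `config/appconfig-*/lxc_contexts` source the way the three `systemd_contexts` files are added, so the appconfig install target will fail on the missing file unless it is created further down in this 44980-line patch. The same line silently drops `$(fcsubspath)` from the install set, which presumably stops `file_contexts.subs_dist` from being installed; if that is deliberate it deserves a sentence in the commit message, and if not the reference should be kept. Note that this whole excerpt is one added file (`policy-f20-base.patch`) inside an outer hunk `@@ -0,0 +1,44980 @@` that continues far beyond what is shown here.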
++ #rm -fR $(htmldir)
++ #rm -f $(tags)
+ # don't remove these files if we're given a local root
+ ifndef LOCAL_ROOT
+ rm -f $(fcsort)
+diff --git a/Rules.modular b/Rules.modular
+index 313d837..ef3c532 100644
+--- a/Rules.modular
++++ b/Rules.modular
+@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
+ @echo "Validating policy linking."
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
++ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
+ @echo "Success."
+ 
+ ########################################
+diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
+index 881a292..80110a4 100644
+--- a/config/appconfig-mcs/staff_u_default_contexts
++++ b/config/appconfig-mcs/staff_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+ system_r:remote_login_t:s0 staff_r:staff_t:s0
+ system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+-system_r:crond_t:s0 staff_r:cronjob_t:s0
++system_r:crond_t:s0 staff_r:staff_t:s0
+ system_r:xdm_t:s0 staff_r:staff_t:s0
+ staff_r:staff_su_t:s0 staff_r:staff_t:s0
+ staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
+new file mode 100644
+index 0000000..ff32acc
+--- /dev/null
++++ b/config/appconfig-mcs/systemd_contexts
+@@ -0,0 +1 @@
++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
+index cacbc93..4f59f94 100644
+--- a/config/appconfig-mcs/user_u_default_contexts
++++ b/config/appconfig-mcs/user_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0 user_r:user_t:s0
+ system_r:remote_login_t:s0 user_r:user_t:s0
+ system_r:sshd_t:s0 user_r:user_t:s0
+-system_r:crond_t:s0 user_r:cronjob_t:s0
++system_r:crond_t:s0 user_r:user_t:s0
+ 
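Review bot: The `bare` recipe now runs a debugging `echo "hehe kde jsem asi tak"` and `pwd` and has every `rm` line commented out, so `make bare` leaves `$(polxml)`, `$(layerxml)`, `$(modxml)`, `$(tunxml)`, `$(boolxml)`, `$(mod_conf)`, `$(booleans)`, `$(htmldir)` and `$(tags)` in place while the comment above still promises to "Clean everything". This reads as a leftover from a local debugging session rather than an intended change, and a clean that no longer removes the generated `$(mod_conf)` and `$(booleans)` files lets a rebuild silently pick up stale state from the previous configuration. Drop the two added lines and restore the nine `rm -f`/`rm -fR` lines exactly as they were (tab-indented; the tabs are not visible in this rendering).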
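Review bot: `validate` now shells out to `$(SEPOLGEN)`, which points at `sepolgen-ifgen` rather than `sepolgen`, so the variable name misleads anyone overriding it; `SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen` would match the `SEMOD_*` naming beside it in the Makefile. The run also writes `$(tmpdir)/output`, a name nothing else here consumes; if the point is only to check that every interface parses against the expanded policy, a comment saying so (`# check that all interfaces parse against the expanded policy`) and a more specific name such as `$(tmpdir)/ifgen.out` would make the intent clear. This also makes `sepolgen-ifgen` a hard build-time dependency of `make validate`, which is worth stating in the commit message.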
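Review bot: The `system_r:crond_t:s0` entry now selects `staff_r:staff_t:s0` instead of `staff_r:cronjob_t:s0`, so a staff user's cron jobs run in the full interactive `staff_t` domain rather than the narrower cron-job domain, and anything able to plant a crontab entry for a staff user gains that domain's full access. That is only correct if `cronjob_t` no longer exists in this policy; the visible part of the patch does not show it being removed, and if it is still defined the previous entry should stay. Either way the rationale belongs in the commit message, something like `cron jobs now run in the user's login domain; the cronjob_t domains are removed`. The same change is repeated in the mls and standard copies of this file and in the `user_u` variants.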
system_r:xdm_t:s0 user_r:user_t:s0
+ user_r:user_su_t:s0 user_r:user_t:s0
+ user_r:user_sudo_t:s0 user_r:user_t:s0
+diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
+index d387b42..150f281 100644
+--- a/config/appconfig-mcs/virtual_domain_context
++++ b/config/appconfig-mcs/virtual_domain_context
+@@ -1 +1,2 @@
+ system_u:system_r:svirt_t:s0
++system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
+index 881a292..80110a4 100644
+--- a/config/appconfig-mls/staff_u_default_contexts
++++ b/config/appconfig-mls/staff_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+ system_r:remote_login_t:s0 staff_r:staff_t:s0
+ system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+-system_r:crond_t:s0 staff_r:cronjob_t:s0
++system_r:crond_t:s0 staff_r:staff_t:s0
+ system_r:xdm_t:s0 staff_r:staff_t:s0
+ staff_r:staff_su_t:s0 staff_r:staff_t:s0
+ staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
+new file mode 100644
+index 0000000..ff32acc
+--- /dev/null
++++ b/config/appconfig-mls/systemd_contexts
+@@ -0,0 +1 @@
++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
+index cacbc93..4f59f94 100644
+--- a/config/appconfig-mls/user_u_default_contexts
++++ b/config/appconfig-mls/user_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t:s0 user_r:user_t:s0
+ system_r:remote_login_t:s0 user_r:user_t:s0
+ system_r:sshd_t:s0 user_r:user_t:s0
+-system_r:crond_t:s0 user_r:cronjob_t:s0
++system_r:crond_t:s0 user_r:user_t:s0
+ system_r:xdm_t:s0 user_r:user_t:s0
+ user_r:user_su_t:s0 user_r:user_t:s0
+ user_r:user_sudo_t:s0 user_r:user_t:s0
+diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
+index c2a5ea8..f63999e 100644
+--- a/config/appconfig-standard/staff_u_default_contexts
++++ b/config/appconfig-standard/staff_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
+ system_r:remote_login_t staff_r:staff_t
+ system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
+-system_r:crond_t staff_r:cronjob_t
++system_r:crond_t staff_r:staff_t
+ system_r:xdm_t staff_r:staff_t
+ staff_r:staff_su_t staff_r:staff_t
+ staff_r:staff_sudo_t staff_r:staff_t
+diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
+new file mode 100644
+index 0000000..ff32acc
+--- /dev/null
++++ b/config/appconfig-standard/systemd_contexts
+@@ -0,0 +1 @@
++runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
+diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
+index f5bfac3..639555b 100644
+--- a/config/appconfig-standard/user_u_default_contexts
++++ b/config/appconfig-standard/user_u_default_contexts
+@@ -1,7 +1,7 @@
+ system_r:local_login_t user_r:user_t
+ system_r:remote_login_t user_r:user_t
+ system_r:sshd_t user_r:user_t
+-system_r:crond_t user_r:cronjob_t
++system_r:crond_t user_r:user_t
+ system_r:xdm_t user_r:user_t
+ user_r:user_su_t user_r:user_t
+ user_r:user_sudo_t user_r:user_t
+diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
+index c049e10..150f281 100644
+--- a/config/appconfig-standard/virtual_domain_context
++++ b/config/appconfig-standard/virtual_domain_context
+@@ -1 +1,2 @@
+-system_u:system_r:svirt_t
++system_u:system_r:svirt_t:s0
++system_u:system_r:svirt_tcg_t:s0
+diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
+deleted file mode 100644
+index 5bebd82..0000000
+--- a/man/man8/ftpd_selinux.8
++++ /dev/null
+@@ -1,65 +0,0 @@
+-.TH 
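Review bot: `config/appconfig-standard/systemd_contexts` is added with an MLS level (`:s0`), but the standard (non-MLS) appconfig set uses level-less contexts, as the `staff_r:staff_t` entries in the hunk just above show, so on a `TYPE=standard` build this context would be rejected as invalid. Write it as `runtime=system_u:object_r:systemd_runtime_unit_file_t` here and keep the `:s0` form only in the mcs and mls copies (all three are byte-identical at the moment, as the shared blob id `ff32acc` shows). If this tree is only ever built as mcs or mls, say so in the commit message and drop the standard copy instead.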
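Review bot: This hunk replaces the level-less `system_u:system_r:svirt_t` with `system_u:system_r:svirt_t:s0` and adds `system_u:system_r:svirt_tcg_t:s0` in the standard (non-MLS) appconfig, which contradicts the other standard files in this patch (`system_r:crond_t user_r:user_t` carries no level) and yields the same blob `150f281` as the mcs copy. A standard policy has no MLS field, so libvirt would be handed domain contexts the kernel will not accept. Keep the level out here: `system_u:system_r:svirt_t` and `system_u:system_r:svirt_tcg_t`.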
"ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" +-.SH "NAME" +-.PP +-ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. +-.SH "DESCRIPTION" +-.PP +-Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. +-.SH FILE_CONTEXTS +-.PP +-SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. +-.TP +-Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. +-.PP +-.B +-semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" +-.TP +-.B +-restorecon -F -R -v /var/ftp +-.TP +-Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. +-.PP +-.B +-semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" +-.TP +-.B +-restorecon -F -R -v /var/ftp/incoming +- +-.SH BOOLEANS +-.PP +-SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. +-.TP +-Allow ftp servers to read and write files with the public_content_rw_t file type. +-.PP +-.B +-setsebool -P allow_ftpd_anon_write on +-.TP +-Allow ftp servers to read or write files in the user home directories. +-.PP +-.B +-setsebool -P ftp_home_dir on +-.TP +-Allow ftp servers to read or write all files on the system. +-.PP +-.B +-setsebool -P allow_ftpd_full_access on +-.TP +-Allow ftp servers to use cifs for public file transfer services. +-.PP +-.B +-setsebool -P allow_ftpd_use_cifs on +-.TP +-Allow ftp servers to use nfs for public file transfer services. +-.PP +-.B +-setsebool -P allow_ftpd_use_nfs on +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. 
+-.SH AUTHOR +-.PP +-This manual page was written by Dan Walsh . +- +-.SH "SEE ALSO" +-.PP +- +-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) +diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 +deleted file mode 100644 +index e9c43b1..0000000 +--- a/man/man8/git_selinux.8 ++++ /dev/null +@@ -1,109 +0,0 @@ +-.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation" +-.de EX +-.nf +-.ft CW +-.. +-.de EE +-.ft R +-.fi +-.. +-.SH "NAME" +-git_selinux \- Security Enhanced Linux Policy for the Git daemon. +-.SH "DESCRIPTION" +-Security-Enhanced Linux secures the Git server via flexible mandatory access +-control. +-.SH FILE_CONTEXTS +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible. +-.PP +-The following file contexts types are by default defined for Git: +-.EX +-git_system_content_t +-.EE +-- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users. +-.EX +-git_session_content_t +-.EE +-- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type. +-.SH BOOLEANS +-SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible. +-.PP +-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. 
+-.EX +-sudo setsebool -P git_system_enable_homedirs 1 +-.EE +-.PP +-Allow the Git system daemon to read system shared repositories on NFS shares. +-.EX +-sudo setsebool -P git_system_use_nfs 1 +-.EE +-.PP +-Allow the Git system daemon to read system shared repositories on Samba shares. +-.EX +-sudo setsebool -P git_system_use_cifs 1 +-.EE +-.PP +-Allow the Git session daemon to read users personal repositories on NFS mounted home directories. +-.EX +-sudo setsebool -P use_nfs_home_dirs 1 +-.EE +-.PP +-Allow the Git session daemon to read users personal repositories on Samba mounted home directories. +-.EX +-sudo setsebool -P use_samba_home_dirs 1 +-.EE +-.PP +-To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories. +-.EX +-sudo setsebool -P git_system_enable_homedirs 1 +-.EE +-.PP +-To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports. +-.EX +-sudo setsebool -P git_session_bind_all_unreserved_ports 1 +-.EE +-.SH GIT_SHELL +-The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t). +-.PP +-To add a new Linux user and map him to this Git shell user domain automatically: +-.EX +-sudo useradd -Z git_shell_u joe +-.EE +-.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS +-Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content. 
+-.PP +-To add a new Git system repository type, for example "project1" create a file named project1.te and add to it: +-.EX +-policy_module(project1, 1.0.0) +-git_content_template(project1) +-.EE +-Next create a file named project1.fc and add a file context specification for the new repository type to it: +-.EX +-/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0) +-.EE +-Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository: +-.EX +-make -f /usr/share/selinux/devel/Makefile project.pp +-sudo semodule -i project1.pp +-sudo restorecon -R -v /srv/git/project1 +-.EE +-To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following: +-.EX +-policy_module(project1user, 1.0.0) +-git_role_template(project1user) +-git_content_delegation(project1user_t, git_project1_content_t) +-gen_user(project1user_u, user, project1user_r, s0, s0) +-.EE +-Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user: +-.EX +-make -f /usr/share/selinux/devel/Makefile project1user.pp +-sudo semodule -i project1user.pp +-sudo useradd -Z project1user_u jane +-.EE +-.PP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dominick Grift . +-.SH "SEE ALSO" +-selinux(8), git(8), chcon(1), semodule(8), setsebool(8) +diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 +deleted file mode 100644 +index 16e8b13..0000000 +--- a/man/man8/httpd_selinux.8 ++++ /dev/null +@@ -1,120 +0,0 @@ +-.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" +-.de EX +-.nf +-.ft CW +-.. +-.de EE +-.ft R +-.fi +-.. 
+-.SH "NAME" +-httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon +-.SH "DESCRIPTION" +- +-Security-Enhanced Linux secures the httpd server via flexible mandatory access +-control. +-.SH FILE_CONTEXTS +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. +-.PP +-The following file contexts types are defined for httpd: +-.EX +-httpd_sys_content_t +-.EE +-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. +-.EX +-httpd_sys_script_exec_t +-.EE +-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +-.EX +-httpd_sys_content_rw_t +-.EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. +-.EX +-httpd_sys_content_ra_t +-.EE +-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. +-.EX +-httpd_unconfined_script_exec_t +-.EE +-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. +- +-.SH NOTE +-With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. 
+- +-.SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: +- +-.EX +-setsebool -P allow_httpd_anon_write=1 +-.EE +- +-or +- +-.EX +-setsebool -P allow_httpd_sys_script_anon_write=1 +-.EE +- +-.SH BOOLEANS +-SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +-.PP +-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this +- +-.EX +-setsebool -P httpd_enable_cgi 1 +-.EE +- +-.PP +-SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +- +-.EX +-setsebool -P httpd_enable_homedirs 1 +-chcon -R -t httpd_sys_content_t ~user/public_html +-.EE +- +-.PP +-SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +- +-.EX +-setsebool -P httpd_tty_comm 1 +-.EE +- +-.PP +-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. 
Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. +- +-.EX +-setsebool -P httpd_unified 0 +-.EE +- +-.PP +-SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. +- +-.EX +-setsebool -P httpd_can_sendmail 1 +-.PP +-httpd can be configured to turn off internal scripting (PHP). PHP and other +-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. +- +-.EX +-setsebool -P httpd_builtin_scripting 0 +-.EE +- +-.PP +-SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. +-This would prevent a hacker from breaking into you httpd server and attacking +-other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. +- +-.EX +-setsebool -P httpd_can_network_connect 1 +-.EE +- +-.PP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . +- +-.SH "SEE ALSO" +-selinux(8), httpd(8), chcon(1), setsebool(8) +- +- +diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 +deleted file mode 100644 +index a8f81c8..0000000 +--- a/man/man8/kerberos_selinux.8 ++++ /dev/null +@@ -1,28 +0,0 @@ +-.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation" +-.de EX +-.nf +-.ft CW +-.. +-.de EE +-.ft R +-.fi +-.. +-.SH "NAME" +-kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. +-.SH "DESCRIPTION" +- +-Security-Enhanced Linux secures the system via flexible mandatory access +-control. 
SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. +-.SH BOOLEANS +-.PP +-You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. +-.EX +-setsebool -P allow_kerberos 1 +-.EE +-.PP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . +- +-.SH "SEE ALSO" +-selinux(8), kerberos(1), chcon(1), setsebool(8) +diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 +deleted file mode 100644 +index fce0b48..0000000 +--- a/man/man8/named_selinux.8 ++++ /dev/null +@@ -1,30 +0,0 @@ +-.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" +-.de EX +-.nf +-.ft CW +-.. +-.de EE +-.ft R +-.fi +-.. +-.SH "NAME" +-named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon +-.SH "DESCRIPTION" +- +-Security-Enhanced Linux secures the named server via flexible mandatory access +-control. +-.SH BOOLEANS +-SELinux policy is customizable based on least access required. So by +-default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. +-.EX +-setsebool -P named_write_master_zones 1 +-.EE +-.PP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . 
+- +-.SH "SEE ALSO" +-selinux(8), named(8), chcon(1), setsebool(8) +- +- +diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8 +deleted file mode 100644 +index 8e30c4c..0000000 +--- a/man/man8/nfs_selinux.8 ++++ /dev/null +@@ -1,31 +0,0 @@ +-.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation" +-.SH "NAME" +-nfs_selinux \- Security Enhanced Linux Policy for NFS +-.SH "DESCRIPTION" +- +-Security Enhanced Linux secures the NFS server via flexible mandatory access +-control. +-.SH BOOLEANS +-SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: +- +-.TP +-setsebool -P nfs_export_all_ro 1 +-.TP +-If you want to share files read/write you must set the nfs_export_all_rw boolean. +-.TP +-setsebool -P nfs_export_all_rw 1 +- +-.TP +-These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off. +- +-.TP +-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean: +-.TP +-setsebool -P use_nfs_home_dirs 1 +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . 
+- +-.SH "SEE ALSO" +-selinux(8), chcon(1), setsebool(8) +diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8 +deleted file mode 100644 +index 6271c95..0000000 +--- a/man/man8/nis_selinux.8 ++++ /dev/null +@@ -1 +0,0 @@ +-.so man8/ypbind_selinux.8 +diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 +deleted file mode 100644 +index ad9ccf5..0000000 +--- a/man/man8/rsync_selinux.8 ++++ /dev/null +@@ -1,52 +0,0 @@ +-.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" +-.de EX +-.nf +-.ft CW +-.. +-.de EE +-.ft R +-.fi +-.. +-.SH "NAME" +-rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon +-.SH "DESCRIPTION" +- +-Security-Enhanced Linux secures the rsync server via flexible mandatory access +-control. +-.SH FILE_CONTEXTS +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you +-would need to label the directory with the chcon tool. +-.TP +-chcon -t public_content_t /var/rsync +-.TP +-.TP +-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: +-.TP +-semanage fcontext -a -t public_content_t "/var/rsync(/.*)?" +-.TP +-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: +-.TP +-/var/rsync(/.*)? system_u:object_r:publix_content_t:s0 +-.TP +-Run the restorecon command to apply the changes: +-.TP +-restorecon -R -v /var/rsync/ +-.EE +- +-.SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. 
If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute: +- +-.EX +-setsebool -P allow_rsync_anon_write=1 +-.EE +- +-.SH BOOLEANS +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . +- +-.SH "SEE ALSO" +-selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8) +diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 +deleted file mode 100644 +index ca702c7..0000000 +--- a/man/man8/samba_selinux.8 ++++ /dev/null +@@ -1,56 +0,0 @@ +-.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" +-.SH "NAME" +-samba_selinux \- Security Enhanced Linux Policy for Samba +-.SH "DESCRIPTION" +- +-Security-Enhanced Linux secures the Samba server via flexible mandatory access +-control. +-.SH FILE_CONTEXTS +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-If you want to share files other than home directories, those files must be +-labeled samba_share_t. So if you created a special directory /var/eng, you +-would need to label the directory with the chcon tool. +-.TP +-chcon -t samba_share_t /var/eng +-.TP +-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: +-.TP +-semanage fcontext -a -t samba_share_t "/var/eng(/.*)?" +-.TP +-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: +-.TP +-/var/eng(/.*)? system_u:object_r:samba_share_t:s0 +-.TP +-Run the restorecon command to apply the changes: +-.TP +-restorecon -R -v /var/eng/ +- +-.SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. 
These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: +- +-setsebool -P allow_smbd_anon_write=1 +- +-.SH BOOLEANS +-.br +-SELinux policy is customizable based on least access required. So by +-default SELinux policy turns off SELinux sharing of home directories and +-the use of Samba shares from a remote machine as a home directory. +-.TP +-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. +-.br +- +-setsebool -P samba_enable_home_dirs 1 +-.TP +-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean. +-.br +- +-setsebool -P use_samba_home_dirs 1 +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +- +-.SH AUTHOR +-This manual page was written by Dan Walsh . +- +-.SH "SEE ALSO" +-selinux(8), samba(7), chcon(1), setsebool(8), semanage(8) +diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 +deleted file mode 100644 +index 5061a5f..0000000 +--- a/man/man8/ypbind_selinux.8 ++++ /dev/null +@@ -1,19 +0,0 @@ +-.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" +-.SH "NAME" +-ypbind_selinux \- Security Enhanced Linux Policy for NIS. +-.SH "DESCRIPTION" +- +-Security-Enhanced Linux secures the system via flexible mandatory access +-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. +-.SH BOOLEANS +-.TP +-You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. +-.TP +-setsebool -P allow_ypbind 1 +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. 
+-.SH AUTHOR
+-.PP
+-This manual page was written by Dan Walsh .
+-
+-.SH "SEE ALSO"
+-.PP
+-selinux(8), ypbind(8), chcon(1), setsebool(8)
+diff --git a/policy/constraints b/policy/constraints
+index 3a45f23..f4754f0 100644
+--- a/policy/constraints
++++ b/policy/constraints
+@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
+ or ( t1 == process_uncond_exempt )
+ );
+ 
++constrain process dyntransition
++(
++ u1 == u2
++ or ( t1 == can_change_process_identity and t2 == process_user_target )
++);
++
++constrain process dyntransition
++(
++ r1 == r2
++ or ( t1 == can_change_process_identity and t2 == process_user_target )
++);
++
+ # These permissions do not have ubac constraints:
+ # fork
+ # setexec
+diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
+index 28802c5..1afd77b 100644
+--- a/policy/flask/access_vectors
++++ b/policy/flask/access_vectors
+@@ -329,6 +329,7 @@ class process
+ execheap
+ setkeycreate
+ setsockcreate
++ ptrace_child
+ }
+ 
+ 
+@@ -393,6 +394,13 @@ class system
+ syslog_mod
+ syslog_console
+ module_request
++ halt
++ reboot
++ status
++ undefined
++ enable
++ disable
++ reload
+ }
+ 
+ #
+@@ -443,10 +451,12 @@ class capability
+ class capability2
+ {
+ mac_override # unused by SELinux
+- mac_admin # unused by SELinux
++ mac_admin
+ syslog
+ wake_alarm
++ epolwakeup
+ block_suspend
++ compromise_kernel
+ }
+ 
+ #
+@@ -690,6 +700,8 @@ class nscd
+ shmemhost
+ getserv
+ shmemserv
++ getnetgrp
++ shmemnetgrp
+ }
+ 
+ # Define the access vector interpretation for controlling
+@@ -827,6 +839,9 @@ class kernel_service
+ 
+ class tun_socket
+ inherits socket
++{
++ attach_queue
++}
+ 
+ class x_pointer
+ inherits x_device
+@@ -862,3 +877,18 @@ inherits database
+ implement
+ execute
+ }
++
++class service
++{
++ start
++ stop
++ status
++ reload
++ enable
++ disable
++}
++
++class proxy
++{
++ read
++}
+diff --git a/policy/flask/security_classes b/policy/flask/security_classes
+index 14a4799..db2e4a0 
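Review bot: The two new `constrain process dyntransition` blocks are strictly tighter than the existing `{ transition dyntransition ... }` constraint whose tail is visible just above them (`or ( t1 == process_uncond_exempt )`): a setcon()-style transition may now change the SELinux user or role only via `can_change_process_identity` onto `process_user_target`, with no `process_uncond_exempt` or system-change escape. That is a worthwhile hardening, since it stops a domain from switching identity on the fly where an exec transition would be checked, but any domain that today relies on the broader exemption will start failing with a constraint denial that `audit2allow` cannot turn into an allow rule. Record the intent in the file, e.g. above the first block `# dyntransition (setcon) must not change the SELinux user or role unless the source domain may change process identity; the exemptions granted to transition above deliberately do not apply`. Also check the role block: it gates on `can_change_process_identity`, whereas the exec-transition role constraint in reference policy uses `can_change_process_role`, so whichever attribute is intended should be stated.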
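Review bot: In `class capability2` the hunk inserts `epolwakeup` ahead of `block_suspend` and appends `compromise_kernel` without any note on where they come from. The kernel maps permission names rather than bit positions, so the ordering is not load-bearing, but as far as I recall neither name reached a released kernel (`CAP_EPOLLWAKEUP` was renamed to `CAP_BLOCK_SUSPEND` before 3.5 shipped and `CAP_COMPROMISE_KERNEL` was reverted before 3.9), which makes both dead entries that the next reader will try to match to real capability bits. Annotate them the way `mac_override` already is, e.g. `epolwakeup # unused by SELinux, renamed block_suspend upstream` and `compromise_kernel # unused by SELinux, reverted upstream`, or leave them out. Dropping `# unused by SELinux` from `mac_admin` looks right to me, since I believe the kernel does consult that capability when an undefined label is written via setxattr.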
100644 +--- a/policy/flask/security_classes ++++ b/policy/flask/security_classes +@@ -131,4 +131,11 @@ class db_view # userspace + class db_sequence # userspace + class db_language # userspace + ++# systemd services ++class service ++ ++# gssd services ++class proxy ++ ++ + # FLASK +diff --git a/policy/global_booleans b/policy/global_booleans +index 66e85ea..d02654d 100644 +--- a/policy/global_booleans ++++ b/policy/global_booleans +@@ -6,7 +6,7 @@ + + ## + ##
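Review bot: The new `class service` and `class proxy` entries in policy/flask/security_classes lack the `# userspace` marker that every neighbouring class in this hunk carries (`class db_sequence # userspace`, `class db_language # userspace`), even though the added comments say they are for systemd and gssd, i.e. userspace object managers. Writing them as `class service # userspace` and `class proxy # userspace` keeps the file's convention and tells a reader at a glance that the kernel never enforces these classes. The hunk also adds two blank lines before `# FLASK` where one would do.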

+-## Enabling secure mode disallows programs, such as ++## disallow programs, such as + ## newrole, from transitioning to administrative + ## user domains. + ##

+diff --git a/policy/global_tunables b/policy/global_tunables +index 4705ab6..b7e7ea5 100644 +--- a/policy/global_tunables ++++ b/policy/global_tunables +@@ -6,52 +6,59 @@ + + ## + ##

++## Deny any process from ptracing or debugging any other processes. ++##

++##
++gen_tunable(deny_ptrace, false) ++ ++## ++##

+ ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla + ##

+ ##
+-gen_tunable(allow_execheap,false) ++gen_tunable(selinuxuser_execheap,false) + + ## + ##

+-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") ++## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla + ##

+ ##
+-gen_tunable(allow_execmem,false) ++gen_tunable(deny_execmem,false) + + ## + ##

+-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") ++## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t + ##

+ ##
+-gen_tunable(allow_execmod,false) ++gen_tunable(selinuxuser_execmod,false) + + ## + ##

+-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") ++## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla + ##

+ ##
+-gen_tunable(allow_execstack,false) ++gen_tunable(selinuxuser_execstack,false) + + ## + ##

+ ## Enable polyinstantiated directory support. + ##

+ ##
+-gen_tunable(allow_polyinstantiation,false) ++gen_tunable(polyinstantiation_enabled,false) + + ## + ##

+ ## Allow system to run with NIS + ##

+ ##
+-gen_tunable(allow_ypbind,false) ++gen_tunable(nis_enabled,false) + + ## + ##

+ ## Allow logging in and using the system from /dev/console. + ##

+ ##
+-gen_tunable(console_login,true) ++gen_tunable(login_console_enabled,true) + + ## + ##
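Review bot: Replacing `allow_execmem` with `deny_execmem` while keeping the default `false` inverts the shipped behaviour of this tunable: under the old name the default left executable-and-writable mappings disallowed for the affected domains, under the new name the default leaves them allowed until an administrator turns the boolean on (assuming the consumers in the .te files follow the new name's polarity). If that is the intended default it should be stated in the description, e.g. `## Deny user domain applications from mapping memory as both executable and writable (allowed unless this boolean is set).` The renames in this hunk (`allow_execheap` to `selinuxuser_execheap`, `allow_ypbind` to `nis_enabled`, `console_login` to `login_console_enabled`, and the rest) drop the old names with no aliasing, so persisted `setsebool -P` values and documentation that still cite them stop applying silently; the ypbind man page deleted earlier in this patch still instructs `setsebool -P allow_ypbind 1`. A comment listing old-to-new names, or a note in the commit message, would give operators a migration path.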

+@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false) + + ## + ##

+-## Allow email client to various content. +-## nfs, samba, removable devices, and user temp +-## files +-##

+-##
+-gen_tunable(mail_read_content,false) +- +-## +-##

+ ## Allow any files/directories to be exported read/write via NFS. + ##

+ ##
+@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false) + + ## + ##

++## Support ecryptfs home directories ++##

++##
++gen_tunable(use_ecryptfs_home_dirs,false) ++ ++## ++##

++## Support fusefs home directories ++##

++##
++gen_tunable(use_fusefs_home_dirs,false) ++ ++## ++##

+ ## Allow users to run TCP servers (bind to ports and accept connection from + ## the same domain and outside users) disabling this forces FTP passive mode + ## and may change other protocols. + ##

+ ##
+-gen_tunable(user_tcp_server,false) ++gen_tunable(selinuxuser_tcp_server,false) ++ ++## ++##

++## Allow the mount commands to mount any directory or file. ++##

++##
++gen_tunable(mount_anyfile, false) +diff --git a/policy/mcs b/policy/mcs +index 216b3d1..275d3d9 100644 +--- a/policy/mcs ++++ b/policy/mcs +@@ -1,4 +1,6 @@ + ifdef(`enable_mcs',` ++default_range dir_file_class_set target low; ++ + # + # Define sensitivities + # +@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats) + # - /proc/pid operations are not constrained. + + mlsconstrain file { read ioctl lock execute execute_no_trans } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain file { write setattr append unlink link rename } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain dir { search read ioctl lock } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain dir { write setattr append unlink link rename add_name remove_name } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain fifo_file { open } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and ( t2 == domain ))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + # New filesystem object labels must be dominated by the relabeling subject + # 
clearance, also the objects are single-level. + mlsconstrain file { create relabelto } +- (( h1 dom h2 ) and ( l2 eq h2 )); ++ ((( h1 dom h2 ) and ( l2 eq h2 )) or ++ ( t1 != mcs_constrained_type )); + + # new file labels must be dominated by the relabeling subject clearance + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } +- ( h1 dom h2 ); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ++ ++mlsconstrain { file lnk_file fifo_file } { create relabelto } ++ (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } +- (( h1 dom h2 ) and ( l2 eq h2 )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { transition dyntransition } +- (( h1 dom h2 ) or ( t1 == mcssetcats )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { ptrace } +- (( h1 dom h2) or ( t1 == mcsptraceall )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { sigkill sigstop } +- (( h1 dom h2 ) or ( t1 == mcskillall )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d + mlsconstrain { db_tuple } { insert relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + ++mlsconstrain context contains ++ (( h1 dom h2 ) and ( l1 domby l2)); ++ + # Access control for any database objects based on MCS rules. 
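Review bot: Every category constraint in this policy/mcs hunk now ends with the escape `( t1 != mcs_constrained_type )`, replacing the per-operation exemptions `mcsreadall`, `mcswriteall`, `mcssetcats`, `mcsptraceall` and `mcskillall`; that turns MCS from default-on (every domain is confined by categories unless it holds a specific override attribute) into opt-in (only domains explicitly given `mcs_constrained_type` are checked at all). That is a large change in what category separation guarantees and nothing in the file records it; the header comment at the top of this block (partly visible above, `# - /proc/pid operations are not constrained.`) should gain a line such as `# - only domains with the mcs_constrained_type attribute are subject to category checks; all other domains bypass them`. The five removed attributes may still be declared and assigned elsewhere; if they are now dead they should be dropped there too, and any domain that previously relied on one of them for a narrow exemption should be re-audited, because the blanket exemption now covers every unmarked domain.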
+ mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } + ( h1 dom h2 ); +@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } + mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } + ( h1 dom h2 ); + ++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ++ ++# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation ++# because the subject in this particular case is the remote domain which is ++# writing data out the network node which is acting as the object ++mlsconstrain { node } { recvfrom sendto } ++ (( l1 dom l2 ) or (t1 != mcs_constrained_type)); ++ ++mlsconstrain { packet peer } { recv } ++ (( l1 dom l2 ) or ++ ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type))); ++ ++# the netif ingress/egress ops, the ingress permission is a "write" operation ++# because the subject in this particular case is the remote domain which is ++# writing data out the network interface which is acting as the object ++mlsconstrain { netif } { egress ingress } ++ (( l1 dom l2 ) or (t1 != mcs_constrained_type)); ++ + ') dnl end enable_mcs +diff --git a/policy/mls b/policy/mls +index d218387..c2541c2 100644 +--- a/policy/mls ++++ b/policy/mls +@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or +- ( t1 == mlsnetwrite )); ++ ( t1 == mlsnetwrite ) or ++ ( t2 == mlstrustedobject )); + + # used by netlabel to restrict normal domains to same level connections + mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom +@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv } + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + 
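Review bot: The added `( t2 == mlstrustedobject )` disjunct in the policy/mls write constraint lets a subject at any level write to a socket-class object that carries `mlstrustedobject`, for the whole class list at the head of the constraint (that list line sits outside the hunk). The other exemptions in this constraint are subject-side attributes (`mlsnetwriteranged`, `mlsnetwritetoclr`, `mlsnetwrite`), so an object-side exemption is a different trust model and deserves a comment, e.g. `# objects marked mlstrustedobject accept writes from any level (write-down permitted)`, together with a check of which socket types are actually labelled with that attribute. The enclosing constraint starts outside the hunk.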
+- +- +- + # + # MLS policy for the process class + # +diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc +index 7a6f06f..5745bb2 100644 +--- a/policy/modules/admin/bootloader.fc ++++ b/policy/modules/admin/bootloader.fc +@@ -1,9 +1,16 @@ ++/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) + +-/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) +-/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) +- +-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) + /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) + /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++ ++/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) + +-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) +diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if +index cc8df9d..34c2a4e 100644 +--- a/policy/modules/admin/bootloader.if ++++ b/policy/modules/admin/bootloader.if +@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` + domtrans_pattern($1, bootloader_exec_t, bootloader_t) + ') + ++###################################### ++## ++## Execute bootloader in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`bootloader_exec',` ++ gen_require(` ++ type bootloader_exec_t; ++ ') ++ ++ can_exec($1, bootloader_exec_t) ++') ++ + ######################################## + ## + ## Execute bootloader interactively and do +@@ -38,16 +56,26 @@ interface(`bootloader_domtrans',` + # + interface(`bootloader_run',` + gen_require(` +- attribute_role bootloader_roles; ++ type bootloader_t; ++ #attribute_role bootloader_roles; + ') + ++ #bootloader_domtrans($1) ++ #roleattribute $2 bootloader_roles; ++ + bootloader_domtrans($1) +- roleattribute $2 bootloader_roles; ++ ++ role $2 types bootloader_t; ++ ++ ifdef(`distro_redhat',` ++ # for mke2fs ++ mount_run(bootloader_t, $2) ++ ') + ') + + ######################################## + ## +-## Execute bootloader in the caller domain. ++## Read the bootloader configuration file. + ## + ## + ## +@@ -55,36 +83,37 @@ interface(`bootloader_run',` + ## + ## + # +-interface(`bootloader_exec',` ++interface(`bootloader_read_config',` + gen_require(` +- type bootloader_exec_t; ++ type bootloader_etc_t; + ') + +- corecmd_search_bin($1) +- can_exec($1, bootloader_exec_t) ++ allow $1 bootloader_etc_t:file read_file_perms; + ') + + ######################################## + ## +-## Read the bootloader configuration file. ++## Read and write the bootloader ++## configuration file. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`bootloader_read_config',` ++interface(`bootloader_rw_config',` + gen_require(` + type bootloader_etc_t; + ') + +- allow $1 bootloader_etc_t:file read_file_perms; ++ allow $1 bootloader_etc_t:file rw_file_perms; + ') + + ######################################## + ## +-## Read and write the bootloader ++## Manage the bootloader + ## configuration file. 
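Review bot: The new `bootloader_exec` interface added near the top of policy/modules/admin/bootloader.if omits the `corecmd_search_bin($1)` call that the definition it replaces (removed in the `@@ -55` hunk below) had, so callers that reached the binary through bin_t directories now depend on getting that search permission from somewhere else. Either restore the line, `corecmd_search_bin($1)` before `can_exec($1, bootloader_exec_t)`, or state in the interface's comment that the caller must search bin directories itself. The `bootloader_run` hunk also leaves commented-out code behind (`#attribute_role bootloader_roles;`, `#bootloader_domtrans($1)`, `#roleattribute $2 bootloader_roles;`); dead lines like these mislead readers and should be deleted, and the `mount_run(bootloader_t, $2)` now granted from inside a role-wiring interface needs a comment beyond `# for mke2fs` saying why the caller's role is also given the mount domain.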
+ ## + ## +@@ -94,12 +123,12 @@ interface(`bootloader_read_config',` + ## + ## + # +-interface(`bootloader_rw_config',` ++interface(`bootloader_manage_config',` + gen_require(` + type bootloader_etc_t; + ') + +- allow $1 bootloader_etc_t:file rw_file_perms; ++ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t) + ') + + ######################################## +@@ -119,7 +148,7 @@ interface(`bootloader_rw_tmp_files',` + ') + + files_search_tmp($1) +- allow $1 bootloader_tmp_t:file rw_file_perms; ++ allow $1 bootloader_tmp_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -141,3 +170,24 @@ interface(`bootloader_create_runtime_file',` + allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; + files_boot_filetrans($1, boot_runtime_t, file) + ') ++ ++######################################## ++## ++## Type transition files created in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bootloader_filetrans_config',` ++ gen_require(` ++ type bootloader_etc_t; ++ ') ++ ++ files_etc_filetrans($1,bootloader_etc_t,file, "grub") ++ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf") ++ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") ++ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") ++') +diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te +index e3dbbb8..a99f6e9 100644 +--- a/policy/modules/admin/bootloader.te ++++ b/policy/modules/admin/bootloader.te +@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) + # Declarations + # + +-attribute_role bootloader_roles; +-roleattribute system_r bootloader_roles; ++#attribute_role bootloader_roles; ++#roleattribute system_r bootloader_roles; + + # + # boot_runtime_t is the type for /boot/kernel.h, +@@ -19,14 +19,21 @@ files_type(boot_runtime_t) + type bootloader_t; + type bootloader_exec_t; + application_domain(bootloader_t, bootloader_exec_t) +-role bootloader_roles types bootloader_t; ++#role 
bootloader_roles types bootloader_t; ++role system_r types bootloader_t; ++ ++type bootloader_var_run_t; ++files_pid_file(bootloader_var_run_t) ++ ++type bootloader_var_lib_t; ++files_type(bootloader_var_lib_t) + + # + # bootloader_etc_t is the configuration file, + # grub.conf, lilo.conf, etc. + # + type bootloader_etc_t alias etc_bootloader_t; +-files_type(bootloader_etc_t) ++files_config_file(bootloader_etc_t) + + # + # The temp file is used for initrd creation; +@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t) + # bootloader local policy + # + +-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; ++allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; + allow bootloader_t self:process { signal_perms execmem }; + allow bootloader_t self:fifo_file rw_fifo_file_perms; + +@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file + # for tune2fs (cjp: ?) 
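Review bot: `sys_chroot` is added to `bootloader_t`'s self capability set in policy/modules/admin/bootloader.te with no comment on which tool needs it, while the rest of this file annotates such grants (`# for tune2fs (cjp: ?)`, `# for nscd`, `# for mke2fs`); a short `# for <tool> (chroot into the installed root)` with the real tool named would keep that convention. The same applies in the `@@ -118` hunk below, where `logging_rw_generic_logs` becomes `logging_manage_generic_logs` (create, delete and rename of generic log files rather than read/write) without saying why a bootloader needs it. Both widen a domain that the `distro_redhat` block later makes `unconfined_domain` anyway, so the justification is what a reviewer most needs to see here.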
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file) + ++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) ++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) ++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file }) ++ ++manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) ++manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) ++manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) ++files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file }) ++ + kernel_getattr_core_if(bootloader_t) + kernel_read_network_state(bootloader_t) + kernel_read_system_state(bootloader_t) +@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t) + + fs_getattr_xattr_fs(bootloader_t) + fs_getattr_tmpfs(bootloader_t) ++fs_list_hugetlbfs(bootloader_t) ++fs_list_tmpfs(bootloader_t) + fs_read_tmpfs_symlinks(bootloader_t) + #Needed for ia64 + fs_manage_dos_files(bootloader_t) +@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t) + mls_file_write_all_levels(bootloader_t) + + term_getattr_all_ttys(bootloader_t) ++term_getattr_all_ptys(bootloader_t) + term_dontaudit_manage_pty_dirs(bootloader_t) ++term_dontaudit_getattr_generic_ptys(bootloader_t) ++term_use_unallocated_ttys(bootloader_t) + + corecmd_exec_all_executables(bootloader_t) + +@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t) + files_create_boot_dirs(bootloader_t) + files_manage_boot_files(bootloader_t) + files_manage_boot_symlinks(bootloader_t) ++files_manage_kernel_modules(bootloader_t) + files_read_etc_files(bootloader_t) + files_exec_etc_files(bootloader_t) + files_read_usr_src_files(bootloader_t) + files_read_usr_files(bootloader_t) + files_read_var_files(bootloader_t) + files_read_kernel_modules(bootloader_t) ++files_read_kernel_symbol_table(bootloader_t) + # for nscd + files_dontaudit_search_pids(bootloader_t) + # for blkid.tab +@@ -111,6 +134,7 @@ 
files_manage_etc_runtime_files(bootloader_t) + files_etc_filetrans_etc_runtime(bootloader_t, file) + files_dontaudit_search_home(bootloader_t) + ++ + init_getattr_initctl(bootloader_t) + init_use_script_ptys(bootloader_t) + init_use_script_fds(bootloader_t) +@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t) + + libs_read_lib_files(bootloader_t) + libs_exec_lib_files(bootloader_t) ++libs_exec_ld_so(bootloader_t) + +-logging_send_syslog_msg(bootloader_t) +-logging_rw_generic_logs(bootloader_t) ++auth_use_nsswitch(bootloader_t) + +-miscfiles_read_localization(bootloader_t) ++logging_send_syslog_msg(bootloader_t) ++logging_manage_generic_logs(bootloader_t) + + modutils_domtrans_insmod(bootloader_t) + + seutil_read_bin_policy(bootloader_t) + seutil_read_loadpolicy(bootloader_t) +-seutil_dontaudit_search_config(bootloader_t) + +-userdom_use_user_terminals(bootloader_t) ++userdom_getattr_user_tmpfs_files(bootloader_t) ++userdom_use_inherited_user_terminals(bootloader_t) + userdom_dontaudit_search_user_home_dirs(bootloader_t) + + ifdef(`distro_debian',` +@@ -166,7 +191,8 @@ ifdef(`distro_redhat',` + files_manage_isid_type_chr_files(bootloader_t) + + # for mke2fs +- mount_run(bootloader_t, bootloader_roles) ++ #mount_run(bootloader_t, bootloader_roles) ++ mount_domtrans(bootloader_t) + + optional_policy(` + unconfined_domain(bootloader_t) +@@ -174,6 +200,10 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ devicekit_dontaudit_read_pid_files(bootloader_t) ++') ++ ++optional_policy(` + fstools_exec(bootloader_t) + ') + +@@ -183,6 +213,14 @@ optional_policy(` + ') + + optional_policy(` ++ gpm_getattr_gpmctl(bootloader_t) ++') ++ ++optional_policy(` ++ fsadm_manage_pid(bootloader_t) ++') ++ ++optional_policy(` + kudzu_domtrans(bootloader_t) + ') + +@@ -195,17 +233,18 @@ optional_policy(` + + optional_policy(` + modutils_exec_insmod(bootloader_t) +- modutils_read_module_deps(bootloader_t) +- modutils_read_module_config(bootloader_t) +- 
modutils_exec_insmod(bootloader_t) + modutils_exec_depmod(bootloader_t) + modutils_exec_update_mods(bootloader_t) ++ modutils_domtrans_insmod_uncond(bootloader_t) ++ modutils_list_module_config(bootloader_t) ++ modutils_read_module_deps(bootloader_t) ++ modutils_read_module_config(bootloader_t) + ') + + optional_policy(` +- nscd_use(bootloader_t) ++ rpm_rw_pipes(bootloader_t) + ') + + optional_policy(` +- rpm_rw_pipes(bootloader_t) ++ udev_read_pid_files(bootloader_t) + ') +diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc +index b7f053b..5d4fc31 100644 +--- a/policy/modules/admin/consoletype.fc ++++ b/policy/modules/admin/consoletype.fc +@@ -1,2 +1,4 @@ + + /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) ++ ++/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) +diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if +index 0f57d3b..655d07f 100644 +--- a/policy/modules/admin/consoletype.if ++++ b/policy/modules/admin/consoletype.if +@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',` + + corecmd_search_bin($1) + domtrans_pattern($1, consoletype_exec_t, consoletype_t) +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit consoletype_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te +index cd5e005..247259a 100644 +--- a/policy/modules/admin/consoletype.te ++++ b/policy/modules/admin/consoletype.te +@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0) + + type consoletype_t; + type consoletype_exec_t; +-init_domain(consoletype_t, consoletype_exec_t) +-init_system_domain(consoletype_t, consoletype_exec_t) ++application_domain(consoletype_t, consoletype_exec_t) ++role system_r types consoletype_t; + + ######################################## + # +@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t) + 
mls_file_read_all_levels(consoletype_t) + mls_file_write_all_levels(consoletype_t) + +-term_use_all_terms(consoletype_t) ++term_use_all_inherited_terms(consoletype_t) ++term_use_ptmx(consoletype_t) + + init_use_fds(consoletype_t) + init_use_script_ptys(consoletype_t) + init_use_script_fds(consoletype_t) + init_rw_script_pipes(consoletype_t) ++init_rw_inherited_script_tmp_files(consoletype_t) + +-userdom_use_user_terminals(consoletype_t) ++userdom_use_inherited_user_terminals(consoletype_t) + + ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files(consoletype_t) +@@ -79,16 +81,14 @@ optional_policy(` + ') + + optional_policy(` +- files_read_etc_files(consoletype_t) +- firstboot_use_fds(consoletype_t) +- firstboot_rw_pipes(consoletype_t) ++ devicekit_dontaudit_read_pid_files(consoletype_t) ++ devicekit_dontaudit_rw_log(consoletype_t) + ') + + optional_policy(` +- hal_dontaudit_use_fds(consoletype_t) +- hal_dontaudit_rw_pipes(consoletype_t) +- hal_dontaudit_rw_dgram_sockets(consoletype_t) +- hal_dontaudit_write_log(consoletype_t) ++ files_read_etc_files(consoletype_t) ++ firstboot_use_fds(consoletype_t) ++ firstboot_rw_pipes(consoletype_t) + ') + + optional_policy(` +@@ -114,6 +114,7 @@ optional_policy(` + + optional_policy(` + userdom_use_unpriv_users_fds(consoletype_t) ++ userdom_dontaudit_rw_dgram_socket(consoletype_t) + ') + + optional_policy(` +diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc +index d6cc2d9..0685b19 100644 +--- a/policy/modules/admin/dmesg.fc ++++ b/policy/modules/admin/dmesg.fc +@@ -1,2 +1,4 @@ + + /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++ ++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index 72bc6d8..17357e5 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -9,6 +9,10 @@ type dmesg_t; + type dmesg_exec_t; + init_system_domain(dmesg_t, dmesg_exec_t) + ++ifdef(`enable_mls',` 
++ init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh) ++') ++ + ######################################## + # + # Local policy +@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config; + + allow dmesg_t self:process signal_perms; + ++kernel_read_system_state(dmesg_t) + kernel_read_kernel_sysctls(dmesg_t) + kernel_read_ring_buffer(dmesg_t) + kernel_clear_ring_buffer(dmesg_t) + kernel_change_ring_buffer_level(dmesg_t) + kernel_list_proc(dmesg_t) + kernel_read_proc_symlinks(dmesg_t) ++kernel_dontaudit_write_kernel_sysctl(dmesg_t) + + dev_read_sysfs(dmesg_t) ++dev_read_kmsg(dmesg_t) + + fs_search_auto_mountpoints(dmesg_t) + +@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t) + logging_send_syslog_msg(dmesg_t) + logging_write_generic_logs(dmesg_t) + +-miscfiles_read_localization(dmesg_t) +- + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) +-userdom_use_user_terminals(dmesg_t) ++userdom_use_inherited_user_terminals(dmesg_t) ++ ++optional_policy(` ++ abrt_rw_inherited_cache(dmesg_t) ++') + + optional_policy(` + seutil_sigchld_newrole(dmesg_t) +diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc +index 407078f..1a09bea 100644 +--- a/policy/modules/admin/netutils.fc ++++ b/policy/modules/admin/netutils.fc +@@ -1,15 +1,22 @@ + /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) +-/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) ++/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + + /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) + + /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) ++/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) ++/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/bin/tracepath.* -- 
gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + +-/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) ++ ++/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) ++/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) +diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if +index c6ca761..0c86bfd 100644 +--- a/policy/modules/admin/netutils.if ++++ b/policy/modules/admin/netutils.if +@@ -42,6 +42,7 @@ interface(`netutils_run',` + ') + + netutils_domtrans($1) ++ allow $1 netutils_t:process { signal sigkill }; + role $2 types netutils_t; + ') + +@@ -161,6 +162,7 @@ interface(`netutils_run_ping',` + + netutils_domtrans_ping($1) + role $2 types ping_t; ++ allow $1 ping_t:process { signal sigkill }; + ') + + ######################################## +@@ -183,13 +185,14 @@ interface(`netutils_run_ping',` + interface(`netutils_run_ping_cond',` + gen_require(` + type ping_t; +- bool user_ping; ++ bool selinuxuser_ping; + ') + + role $2 types ping_t; + +- if ( user_ping ) { ++ if ( selinuxuser_ping ) { + netutils_domtrans_ping($1) ++ allow $1 ping_t:process { signal sigkill }; + } + ') + +@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',` + ') + + netutils_domtrans_traceroute($1) ++ allow $1 traceroute_t:process { signal sigkill }; + role $2 types traceroute_t; + ') + +@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',` + interface(`netutils_run_traceroute_cond',` + gen_require(` 
+ type traceroute_t; +- bool user_ping; ++ bool selinuxuser_ping; + ') + + role $2 types traceroute_t; + +- if( user_ping ) { ++ if( selinuxuser_ping ) { + netutils_domtrans_traceroute($1) ++ allow $1 traceroute_t:process { signal sigkill }; + } + ') + +diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te +index 8128de8..b0a385b 100644 +--- a/policy/modules/admin/netutils.te ++++ b/policy/modules/admin/netutils.te +@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2) + + ## + ##

+-## Control users use of ping and traceroute ++## Allow confined users the ability to execute the ping and traceroute commands. + ##

+ ##
+-gen_tunable(user_ping, false) ++gen_tunable(selinuxuser_ping, false) + + type netutils_t; + type netutils_exec_t; +@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms; + allow netutils_t self:udp_socket create_socket_perms; + allow netutils_t self:tcp_socket create_stream_socket_perms; + allow netutils_t self:socket create_socket_perms; ++allow netutils_t self:netlink_socket create_socket_perms; + + manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) + manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) + files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + + kernel_search_proc(netutils_t) +-kernel_read_network_state(netutils_t) + kernel_read_all_sysctls(netutils_t) ++kernel_read_network_state(netutils_t) ++kernel_request_load_module(netutils_t) + +-corenet_all_recvfrom_unlabeled(netutils_t) + corenet_all_recvfrom_netlabel(netutils_t) + corenet_tcp_sendrecv_generic_if(netutils_t) + corenet_raw_sendrecv_generic_if(netutils_t) +@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t) + corenet_udp_bind_generic_node(netutils_t) + + dev_read_sysfs(netutils_t) ++dev_read_usbmon_dev(netutils_t) ++dev_write_usbmon_dev(netutils_t) ++dev_rw_generic_usb_dev(netutils_t) + + fs_getattr_xattr_fs(netutils_t) + +@@ -82,10 +86,9 @@ auth_use_nsswitch(netutils_t) + + logging_send_syslog_msg(netutils_t) + +-miscfiles_read_localization(netutils_t) + + term_dontaudit_use_console(netutils_t) +-userdom_use_user_terminals(netutils_t) ++userdom_use_inherited_user_terminals(netutils_t) + userdom_use_all_users_fds(netutils_t) + + optional_policy(` +@@ -106,13 +109,14 @@ optional_policy(` + # + + allow ping_t self:capability { setuid net_raw }; ++allow ping_t self:process setcap; ++ + dontaudit ping_t self:capability sys_tty_config; + allow ping_t self:tcp_socket create_socket_perms; +-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; +-allow ping_t self:packet_socket { create ioctl read write 
bind getopt setopt }; ++allow ping_t self:rawip_socket create_socket_perms; ++allow ping_t self:packet_socket create_socket_perms; + allow ping_t self:netlink_route_socket create_netlink_socket_perms; + +-corenet_all_recvfrom_unlabeled(ping_t) + corenet_all_recvfrom_netlabel(ping_t) + corenet_tcp_sendrecv_generic_if(ping_t) + corenet_raw_sendrecv_generic_if(ping_t) +@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t) + corenet_tcp_sendrecv_all_ports(ping_t) + + fs_dontaudit_getattr_xattr_fs(ping_t) ++fs_dontaudit_rw_anon_inodefs_files(ping_t) + + domain_use_interactive_fds(ping_t) + +@@ -129,14 +134,13 @@ files_read_etc_files(ping_t) + files_dontaudit_search_var(ping_t) + + kernel_read_system_state(ping_t) ++kernel_read_network_state(ping_t) + + auth_use_nsswitch(ping_t) + +-logging_send_syslog_msg(ping_t) +- +-miscfiles_read_localization(ping_t) ++init_rw_inherited_script_tmp_files(ping_t) + +-userdom_use_user_terminals(ping_t) ++logging_send_syslog_msg(ping_t) + + ifdef(`hide_broken_symptoms',` + init_dontaudit_use_fds(ping_t) +@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',` + ') + ') + ++term_use_all_inherited_terms(ping_t) ++ ++tunable_policy(`selinuxuser_ping',` ++ term_use_all_ttys(ping_t) ++ term_use_all_ptys(ping_t) ++',` ++ term_dontaudit_use_all_ttys(ping_t) ++ term_dontaudit_use_all_ptys(ping_t) ++') ++ + optional_policy(` + munin_append_log(ping_t) + ') + + optional_policy(` ++ nagios_rw_inerited_tmp_files(ping_t) ++') ++ ++optional_policy(` + pcmcia_use_cardmgr_fds(ping_t) + ') + +@@ -159,6 +177,15 @@ optional_policy(` + hotplug_use_fds(ping_t) + ') + ++optional_policy(` ++ openshift_rw_inherited_content(ping_t) ++ openshift_dontaudit_rw_inherited_fifo_files(ping_t) ++') ++ ++optional_policy(` ++ zabbix_read_tmp(ping_t) ++') ++ + ######################################## + # + # Traceroute local policy +@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; + kernel_read_system_state(traceroute_t) + 
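Review bot: `nagios_rw_inerited_tmp_files(ping_t)` in the `@@ -147` hunk of policy/modules/admin/netutils.te looks misspelled (`inerited`); if the interface in nagios.if really carries that spelling the call is fine, otherwise the name is passed through unexpanded and the build fails, so please verify it against nagios.if. In the same hunk the `selinuxuser_ping` branch grants `term_use_all_ttys`/`term_use_all_ptys` to `ping_t` while the else branch only dontaudits them; a comment such as `# with selinuxuser_ping, ping is run from any user terminal, so allow tty/pty use` would record why terminal access is tied to this boolean. The same tunable block is duplicated for `traceroute_t` further down and would benefit from the same comment.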
kernel_read_network_state(traceroute_t) + +-corenet_all_recvfrom_unlabeled(traceroute_t) + corenet_all_recvfrom_netlabel(traceroute_t) + corenet_tcp_sendrecv_generic_if(traceroute_t) + corenet_udp_sendrecv_generic_if(traceroute_t) +@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) + domain_use_interactive_fds(traceroute_t) + + files_read_etc_files(traceroute_t) ++files_read_usr_files(traceroute_t) + files_dontaudit_search_var(traceroute_t) + + init_use_fds(traceroute_t) +@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t) + + logging_send_syslog_msg(traceroute_t) + +-miscfiles_read_localization(traceroute_t) +- +-userdom_use_user_terminals(traceroute_t) + + #rules needed for nmap + dev_read_rand(traceroute_t) + dev_read_urand(traceroute_t) +-files_read_usr_files(traceroute_t) ++ ++term_use_all_inherited_terms(traceroute_t) ++ ++tunable_policy(`selinuxuser_ping',` ++ term_use_all_ttys(traceroute_t) ++ term_use_all_ptys(traceroute_t) ++',` ++ term_dontaudit_use_all_ttys(traceroute_t) ++ term_dontaudit_use_all_ptys(traceroute_t) ++') +diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc +index 688abc2..3d89250 100644 +--- a/policy/modules/admin/su.fc ++++ b/policy/modules/admin/su.fc +@@ -3,3 +3,4 @@ + + /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) + /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) +diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if +index 03ec5ca..025c177 100644 +--- a/policy/modules/admin/su.if ++++ b/policy/modules/admin/su.if +@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', ` + + logging_send_syslog_msg($1_su_t) + +- miscfiles_read_localization($1_su_t) + + ifdef(`distro_redhat',` + # RHEL5 and possibly newer releases incl. 
Fedora +@@ -119,11 +118,6 @@ template(`su_restricted_domain_template', ` + userdom_spec_domtrans_unpriv_users($1_su_t) + ') + +- ifdef(`hide_broken_symptoms',` +- # dontaudit leaked sockets from parent +- dontaudit $1_su_t $2:socket_class_set { read write }; +- ') +- + optional_policy(` + cron_read_pipes($1_su_t) + ') +@@ -172,14 +166,6 @@ template(`su_role_template',` + role $2 types $1_su_t; + + allow $3 $1_su_t:process signal; +- +- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; +- dontaudit $1_su_t self:capability sys_tty_config; +- allow $1_su_t self:process { setexec setsched setrlimit }; +- allow $1_su_t self:fifo_file rw_fifo_file_perms; +- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; +- allow $1_su_t self:key { search write }; +- + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. +@@ -194,125 +180,12 @@ template(`su_role_template',` + allow $3 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) +- kernel_read_kernel_sysctls($1_su_t) +- kernel_search_key($1_su_t) +- kernel_link_key($1_su_t) +- +- # for SSP +- dev_read_urand($1_su_t) +- +- fs_search_auto_mountpoints($1_su_t) + +- # needed for pam_rootok +- selinux_compute_access_vector($1_su_t) +- +- auth_domtrans_chk_passwd($1_su_t) +- auth_dontaudit_read_shadow($1_su_t) +- auth_use_nsswitch($1_su_t) +- auth_rw_faillog($1_su_t) +- +- corecmd_search_bin($1_su_t) +- +- domain_use_interactive_fds($1_su_t) +- +- files_read_etc_files($1_su_t) +- files_read_etc_runtime_files($1_su_t) +- files_search_var_lib($1_su_t) +- files_dontaudit_getattr_tmp_dirs($1_su_t) +- +- init_dontaudit_use_fds($1_su_t) +- # Write to utmp. 
+- init_rw_utmp($1_su_t) ++ auth_use_pam($1_su_t) + + mls_file_write_all_levels($1_su_t) + + logging_send_syslog_msg($1_su_t) +- +- miscfiles_read_localization($1_su_t) +- +- userdom_use_user_terminals($1_su_t) +- userdom_search_user_home_dirs($1_su_t) +- +- ifdef(`distro_redhat',` +- # RHEL5 and possibly newer releases incl. Fedora +- auth_domtrans_upd_passwd($1_su_t) +- +- optional_policy(` +- locallogin_search_keys($1_su_t) +- ') +- ') +- +- ifdef(`distro_rhel4',` +- domain_role_change_exemption($1_su_t) +- domain_subj_id_change_exemption($1_su_t) +- domain_obj_id_change_exemption($1_su_t) +- +- selinux_get_fs_mount($1_su_t) +- selinux_validate_context($1_su_t) +- selinux_compute_create_context($1_su_t) +- selinux_compute_relabel_context($1_su_t) +- selinux_compute_user_contexts($1_su_t) +- +- # Relabel ttys and ptys. +- term_relabel_all_ttys($1_su_t) +- term_relabel_all_ptys($1_su_t) +- # Close and re-open ttys and ptys to get the fd into the correct domain. +- term_use_all_ttys($1_su_t) +- term_use_all_ptys($1_su_t) +- +- seutil_read_config($1_su_t) +- seutil_read_default_contexts($1_su_t) +- +- if(secure_mode) { +- # Only allow transitions to unprivileged user domains. 
+- userdom_spec_domtrans_unpriv_users($1_su_t) +- } else { +- # Allow transitions to all user domains +- userdom_spec_domtrans_all_users($1_su_t) +- } +- +- optional_policy(` +- unconfined_domtrans($1_su_t) +- unconfined_signal($1_su_t) +- ') +- ') +- +- ifdef(`hide_broken_symptoms',` +- # dontaudit leaked sockets from parent +- dontaudit $1_su_t $3:socket_class_set { read write }; +- ') +- +- tunable_policy(`allow_polyinstantiation',` +- fs_mount_xattr_fs($1_su_t) +- fs_unmount_xattr_fs($1_su_t) +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs($1_su_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs($1_su_t) +- ') +- +- optional_policy(` +- cron_read_pipes($1_su_t) +- ') +- +- optional_policy(` +- kerberos_use($1_su_t) +- ') +- +- optional_policy(` +- # used when the password has expired +- usermanage_read_crack_db($1_su_t) +- ') +- +- # Modify .Xauthority file (via xauth program). +- optional_policy(` +- xserver_user_home_dir_filetrans_user_xauth($1_su_t) +- xserver_domtrans_xauth($1_su_t) +- ') + ') + + ####################################### +diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te +index 85bb77e..5f38282 100644 +--- a/policy/modules/admin/su.te ++++ b/policy/modules/admin/su.te +@@ -9,3 +9,82 @@ attribute su_domain_type; + + type su_exec_t; + corecmd_executable_file(su_exec_t) ++ ++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++dontaudit su_domain_type self:capability sys_tty_config; ++allow su_domain_type self:process { setexec setsched setrlimit }; ++allow su_domain_type self:fifo_file rw_fifo_file_perms; ++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; ++allow su_domain_type self:key { search write }; ++ ++kernel_read_kernel_sysctls(su_domain_type) ++kernel_search_key(su_domain_type) ++kernel_link_key(su_domain_type) ++ ++# for SSP 
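Review bot: The block removed from `su_role_template` included the `if(secure_mode)` choice between `userdom_spec_domtrans_unpriv_users($1_su_t)` and `userdom_spec_domtrans_all_users($1_su_t)` together with `unconfined_domtrans`/`unconfined_signal`, and no replacement for the su-to-user-domain transition appears among the `su_domain_type` rules this patch adds to su.te; if those transitions now live elsewhere, a comment in the template naming the place, e.g. `# user-domain transitions for $1_su_t are declared on su_domain_type in su.te`, would keep the template from reading as incomplete. If they were dropped deliberately, that is the security-relevant part of the change and deserves a sentence in the patch rather than silent removal. The template's body starts before this hunk.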
++dev_read_urand(su_domain_type) ++dev_dontaudit_getattr_all(su_domain_type) ++ ++fs_search_auto_mountpoints(su_domain_type) ++ ++# needed for pam_rootok ++selinux_compute_access_vector(su_domain_type) ++ ++corecmd_search_bin(su_domain_type) ++ ++domain_use_interactive_fds(su_domain_type) ++ ++files_read_etc_files(su_domain_type) ++files_read_etc_runtime_files(su_domain_type) ++files_search_var_lib(su_domain_type) ++files_dontaudit_getattr_tmp_dirs(su_domain_type) ++ ++init_dontaudit_use_fds(su_domain_type) ++# Write to utmp. ++init_rw_utmp(su_domain_type) ++init_read_state(su_domain_type) ++ ++userdom_use_user_terminals(su_domain_type) ++userdom_search_user_home_dirs(su_domain_type) ++userdom_search_admin_dir(su_domain_type) ++ ++ifdef(`distro_redhat',` ++ # RHEL5 and possibly newer releases incl. Fedora ++ auth_domtrans_upd_passwd(su_domain_type) ++ ++ optional_policy(` ++ locallogin_search_keys(su_domain_type) ++ ') ++') ++ ++tunable_policy(`polyinstantiation_enabled',` ++ fs_mount_xattr_fs(su_domain_type) ++ fs_unmount_xattr_fs(su_domain_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(su_domain_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(su_domain_type) ++') ++ ++optional_policy(` ++ cron_read_pipes(su_domain_type) ++') ++ ++optional_policy(` ++ kerberos_use(su_domain_type) ++') ++ ++optional_policy(` ++ # used when the password has expired ++ usermanage_read_crack_db(su_domain_type) ++') ++ ++# Modify .Xauthority file (via xauth program). ++optional_policy(` ++ xserver_user_home_dir_filetrans_user_xauth(su_domain_type) ++ xserver_domtrans_xauth(su_domain_type) ++') +diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc +index 7bddc02..2b59ed0 100644 +--- a/policy/modules/admin/sudo.fc ++++ b/policy/modules/admin/sudo.fc +@@ -1,2 +1,4 @@ + + /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) ++ ++/var/db/sudo(/.*)? 
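Review bot: `userdom_use_user_terminals(su_domain_type)` grants every su domain the non-inherited terminal access, whereas this patch moves other interactive domains to the inherited-descriptor form (`userdom_use_inherited_user_terminals` for netutils_t and passwd_t); unless su must reopen the tty by name, `userdom_use_inherited_user_terminals(su_domain_type)` is the consistent choice. Moving the capability set (`audit_control audit_write setuid setgid ... dac_override ...`) from the per-role template onto the `su_domain_type` attribute also means any type later given that attribute inherits all of it, which should be stated above the rule, e.g. `# shared by every type carrying su_domain_type (see the su.if templates)`.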
gen_context(system_u:object_r:sudo_db_t,s0) +diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if +index 0960199..aa51ab2 100644 +--- a/policy/modules/admin/sudo.if ++++ b/policy/modules/admin/sudo.if +@@ -32,6 +32,7 @@ template(`sudo_role_template',` + + gen_require(` + type sudo_exec_t; ++ type sudo_db_t; + attribute sudodomain; + ') + +@@ -45,27 +46,13 @@ template(`sudo_role_template',` + domain_interactive_fd($1_sudo_t) + domain_role_change_exemption($1_sudo_t) + role $2 types $1_sudo_t; ++ userdom_home_manager($1_sudo_t) + +- ############################## +- # +- # Local Policy +- # ++ type $1_sudo_tmp_t; ++ files_tmp_file($1_sudo_tmp_t) + +- # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; +- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +- allow $1_sudo_t self:process { setexec setrlimit }; +- allow $1_sudo_t self:fd use; +- allow $1_sudo_t self:fifo_file rw_fifo_file_perms; +- allow $1_sudo_t self:shm create_shm_perms; +- allow $1_sudo_t self:sem create_sem_perms; +- allow $1_sudo_t self:msgq create_msgq_perms; +- allow $1_sudo_t self:msg { send receive }; +- allow $1_sudo_t self:unix_dgram_socket create_socket_perms; +- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_sudo_t self:unix_dgram_socket sendto; +- allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; ++ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) + + allow $1_sudo_t $3:key search; + +@@ -75,88 +62,30 @@ template(`sudo_role_template',` + # By default, revert to the calling domain when a shell is executed. 
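Review bot: `userdom_home_manager($1_sudo_t)` is added next to the role declaration with no comment, while the home-content rules this patch moves to sudo.te (`userdom_manage_user_home_content_files`, `userdom_manage_user_home_content_symlinks` on `sudodomain`) already cover read/write of home content; if the home-manager interface is needed for filename transitions or directory creation rather than content access, a one-line comment such as `# home manager: sudo creates files in users' home directories on their behalf (confirm against userdom.if)` would explain why both are required. The `$1_sudo_tmp_t` type and its `files_tmp_filetrans` are self-explanatory and need nothing further.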
+ corecmd_shell_domtrans($1_sudo_t, $3) + corecmd_bin_domtrans($1_sudo_t, $3) ++ userdom_domtrans_user_home($1_sudo_t, $3) ++ userdom_domtrans_user_tmp($1_sudo_t, $3) ++ domain_entry_file($3, sudo_exec_t) ++ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3) ++ + allow $3 $1_sudo_t:fd use; + allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; + allow $3 $1_sudo_t:process signal_perms; + +- kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) +- kernel_link_key($1_sudo_t) +- +- corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_exec_all_executables($1_sudo_t) +- +- dev_getattr_fs($1_sudo_t) +- dev_read_urand($1_sudo_t) +- dev_rw_generic_usb_dev($1_sudo_t) +- dev_read_sysfs($1_sudo_t) +- +- domain_use_interactive_fds($1_sudo_t) +- domain_sigchld_interactive_fds($1_sudo_t) +- domain_getattr_all_entry_files($1_sudo_t) +- +- files_read_etc_files($1_sudo_t) +- files_read_var_files($1_sudo_t) +- files_read_usr_symlinks($1_sudo_t) +- files_getattr_usr_files($1_sudo_t) +- # for some PAM modules and for cwd +- files_dontaudit_search_home($1_sudo_t) +- files_list_tmp($1_sudo_t) +- +- fs_search_auto_mountpoints($1_sudo_t) +- fs_getattr_xattr_fs($1_sudo_t) +- +- selinux_validate_context($1_sudo_t) +- selinux_compute_relabel_context($1_sudo_t) +- +- term_getattr_pty_fs($1_sudo_t) +- term_relabel_all_ttys($1_sudo_t) +- term_relabel_all_ptys($1_sudo_t) ++ seutil_libselinux_linked($1_sudo_t) + + auth_run_chk_passwd($1_sudo_t, $2) +- # sudo stores a token in the pam_pid directory +- auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + +- init_rw_utmp($1_sudo_t) +- +- logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + +- miscfiles_read_localization($1_sudo_t) +- +- seutil_search_default_contexts($1_sudo_t) +- seutil_libselinux_linked($1_sudo_t) +- +- userdom_spec_domtrans_all_users($1_sudo_t) +- userdom_create_all_users_keys($1_sudo_t) +- userdom_manage_user_home_content_files($1_sudo_t) +- 
userdom_manage_user_home_content_symlinks($1_sudo_t) +- userdom_manage_user_tmp_files($1_sudo_t) +- userdom_manage_user_tmp_symlinks($1_sudo_t) +- userdom_use_user_terminals($1_sudo_t) +- # for some PAM modules and for cwd +- userdom_dontaudit_search_user_home_content($1_sudo_t) +- userdom_dontaudit_search_user_home_dirs($1_sudo_t) +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit $1_sudo_t $3:socket_class_set { read write }; +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files($1_sudo_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files($1_sudo_t) +- ') +- + optional_policy(` +- dbus_system_bus_client($1_sudo_t) ++ mta_role($2, $1_sudo_t) + ') + + optional_policy(` +- fprintd_dbus_chat($1_sudo_t) ++ kerberos_manage_host_rcache($1_sudo_t) ++ kerberos_read_config($1_sudo_t) + ') + + ') +@@ -178,3 +107,22 @@ interface(`sudo_sigchld',` + + allow $1 sudodomain:process sigchld; + ') ++ ++####################################### ++## ++## Allow execute sudo in called domain. ++## This interfaces is added for nova-stack policy. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sudo_exec',` ++ gen_require(` ++ type sudo_exec_t; ++ ') ++ ++ can_exec($1, sudo_exec_t) ++') +diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te +index d9fce57..fc6d1d3 100644 +--- a/policy/modules/admin/sudo.te ++++ b/policy/modules/admin/sudo.te +@@ -7,3 +7,100 @@ attribute sudodomain; + + type sudo_exec_t; + application_executable_file(sudo_exec_t) ++ ++type sudo_db_t; ++files_type(sudo_db_t) ++mls_trusted_object(sudo_db_t) ++ ++manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t) ++manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t) ++ ++############################## ++# ++# Local Policy ++# ++ ++# Use capabilities. 
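Review bot: `sudo_exec` uses `can_exec($1, sudo_exec_t)`, so a caller runs sudo in its own domain with no transition and none of the `sudodomain` rules added in sudo.te apply to that execution; the interface summary should say this, e.g. `## Execute sudo in the caller's domain (no transition to a sudo domain).`, so that callers do not assume sudo's confinement. In the same doc block `This interfaces is added` should read `This interface is added`.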
++allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource }; ++allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow sudodomain self:process { setexec setrlimit }; ++allow sudodomain self:fd use; ++allow sudodomain self:fifo_file rw_fifo_file_perms; ++allow sudodomain self:shm create_shm_perms; ++allow sudodomain self:sem create_sem_perms; ++allow sudodomain self:msgq create_msgq_perms; ++allow sudodomain self:msg { send receive }; ++allow sudodomain self:unix_dgram_socket create_socket_perms; ++allow sudodomain self:unix_stream_socket create_stream_socket_perms; ++allow sudodomain self:unix_dgram_socket sendto; ++allow sudodomain self:unix_stream_socket connectto; ++allow sudodomain self:key manage_key_perms; ++ ++kernel_getattr_core_if(sudodomain) ++kernel_link_key(sudodomain) ++kernel_read_kernel_sysctls(sudodomain) ++ ++corecmd_read_bin_symlinks(sudodomain) ++corecmd_exec_all_executables(sudodomain) ++ ++dev_getattr_fs(sudodomain) ++dev_read_urand(sudodomain) ++dev_rw_generic_usb_dev(sudodomain) ++dev_read_sysfs(sudodomain) ++dev_dontaudit_getattr_all(sudodomain) ++ ++domain_use_interactive_fds(sudodomain) ++domain_sigchld_interactive_fds(sudodomain) ++domain_getattr_all_entry_files(sudodomain) ++ ++files_read_etc_files(sudodomain) ++files_read_var_files(sudodomain) ++files_read_usr_files(sudodomain) ++# for some PAM modules and for cwd ++files_dontaudit_search_home(sudodomain) ++files_list_tmp(sudodomain) ++ ++fs_search_auto_mountpoints(sudodomain) ++fs_getattr_all_fs(sudodomain) ++ ++selinux_validate_context(sudodomain) ++selinux_compute_relabel_context(sudodomain) ++ ++term_getattr_pty_fs(sudodomain) ++term_relabel_all_ttys(sudodomain) ++term_relabel_all_ptys(sudodomain) ++ ++#auth_run_chk_passwd(sudodomain) ++# sudo stores a token in the pam_pid directory ++auth_manage_pam_pid(sudodomain) ++auth_manage_faillog(sudodomain) ++ 
++application_signal(sudodomain) ++ ++init_rw_utmp(sudodomain) ++ ++logging_send_audit_msgs(sudodomain) ++logging_set_audit_parameters(sudodomain) ++ ++seutil_read_default_contexts(sudodomain) ++ ++userdom_spec_domtrans_all_users(sudodomain) ++userdom_manage_user_home_content_files(sudodomain) ++userdom_manage_user_home_content_symlinks(sudodomain) ++userdom_manage_user_tmp_files(sudodomain) ++userdom_manage_user_tmp_symlinks(sudodomain) ++userdom_use_user_terminals(sudodomain) ++userdom_signal_all_users(sudodomain) ++userdom_exec_user_home_content_files(sudodomain) ++# for some PAM modules and for cwd ++userdom_search_user_home_content(sudodomain) ++userdom_search_admin_dir(sudodomain) ++userdom_manage_all_users_keys(sudodomain) ++ ++optional_policy(` ++ dbus_system_bus_client(sudodomain) ++') ++ ++optional_policy(` ++ fprintd_dbus_chat(sudodomain) ++') +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index f82f0ce..204bdc8 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',` + /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if +index 99e3903..7270808 100644 +--- a/policy/modules/admin/usermanage.if ++++ b/policy/modules/admin/usermanage.if +@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` + + corecmd_search_bin($1) + domtrans_pattern($1, chfn_exec_t, chfn_t) +- +- 
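Review bot: The commented-out `#auth_run_chk_passwd(sudodomain)` should be removed rather than kept: the live call stays in `sudo_role_template` (`auth_run_chk_passwd($1_sudo_t, $2)`), so the dead line only suggests an attribute version was intended. `logging_set_audit_parameters(sudodomain)`, `userdom_manage_all_users_keys(sudodomain)` and `userdom_signal_all_users(sudodomain)` have no counterpart among the rules removed from the template (which had `logging_send_audit_msgs` and `userdom_create_all_users_keys`) and are now granted to every sudo domain without a why-comment; one line per group, e.g. `# sudo adjusts audit parameters for the target command (confirm the trigger)`, would record the reason. `mls_trusted_object(sudo_db_t)` likewise deserves a short note on why the timestamp database must be writable across MLS levels.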
ifdef(`hide_broken_symptoms',` +- dontaudit chfn_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +@@ -41,11 +37,16 @@ interface(`usermanage_domtrans_chfn',` + # + interface(`usermanage_run_chfn',` + gen_require(` +- attribute_role chfn_roles; ++ #attribute_role chfn_roles; ++ type chfn_t; + ') + ++ #usermanage_domtrans_chfn($1) ++ #roleattribute $2 chfn_roles; ++ + usermanage_domtrans_chfn($1) +- roleattribute $2 chfn_roles; ++ role $2 types chfn_t; ++ + ') + + ######################################## +@@ -65,10 +66,25 @@ interface(`usermanage_domtrans_groupadd',` + + corecmd_search_bin($1) + domtrans_pattern($1, groupadd_exec_t, groupadd_t) ++') + +- ifdef(`hide_broken_symptoms',` +- dontaudit groupadd_t $1:socket_class_set { read write }; ++######################################## ++## ++## Check access to the groupadd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_groupadd',` ++ gen_require(` ++ type groupadd_exec_t; + ') ++ ++ corecmd_search_bin($1) ++ allow $1 groupadd_exec_t:file { getattr_file_perms execute }; + ') + + ######################################## +@@ -90,11 +106,19 @@ interface(`usermanage_domtrans_groupadd',` + # + interface(`usermanage_run_groupadd',` + gen_require(` +- attribute_role groupadd_roles; ++ type groupadd_t; ++ #attribute_role groupadd_roles; + ') + ++ #usermanage_domtrans_groupadd($1) ++ #roleattribute $2 groupadd_roles; + usermanage_domtrans_groupadd($1) +- roleattribute $2 groupadd_roles; ++ role $2 types groupadd_t; ++ ++ optional_policy(` ++ nscd_run(groupadd_t, $2) ++ ') ++ + ') + + ######################################## +@@ -114,10 +138,6 @@ interface(`usermanage_domtrans_passwd',` + + corecmd_search_bin($1) + domtrans_pattern($1, passwd_exec_t, passwd_t) +- +- ifdef(`hide_broken_symptoms',` +- dontaudit passwd_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +@@ -174,11 
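Review bot: The commented-out lines `#attribute_role chfn_roles;`, `#usermanage_domtrans_chfn($1)` and `#roleattribute $2 chfn_roles;` are dead code left beside the live replacement `role $2 types chfn_t;`, and the same pattern recurs in `usermanage_run_groupadd`, `usermanage_run_passwd`, `usermanage_run_admin_passwd`, `usermanage_run_useradd`, in the `@@ -5,18 +5,18 @@` declarations hunk of usermanage.te and in its passwd and `nscd_run` blocks. Either drop them or replace each group with a single comment such as `# role attributes removed: roles are bound directly to the type`. Leaving the old calls in place invites someone to re-enable `roleattribute` against attributes that no longer exist.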
+194,35 @@ interface(`usermanage_check_exec_passwd',` + # + interface(`usermanage_run_passwd',` + gen_require(` +- attribute_role passwd_roles; ++ type passwd_t; ++ #attribute_role passwd_roles; + ') + ++ #usermanage_domtrans_passwd($1) ++ #roleattribute $2 passwd_roles; ++ + usermanage_domtrans_passwd($1) +- roleattribute $2 passwd_roles; ++ role $2 types passwd_t; ++ auth_run_chk_passwd(passwd_t, $2) ++') ++ ++######################################## ++## ++## Check access to the passwd executable ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_passwd',` ++ gen_require(` ++ type passwd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 passwd_exec_t:file { getattr_file_perms execute }; + ') + + ######################################## +@@ -221,11 +265,20 @@ interface(`usermanage_domtrans_admin_passwd',` + # + interface(`usermanage_run_admin_passwd',` + gen_require(` +- attribute_role sysadm_passwd_roles; ++ type sysadm_passwd_t; ++ #attribute_role sysadm_passwd_roles; + ') + ++ #usermanage_domtrans_admin_passwd($1) ++ #roleattribute $2 sysadm_passwd_roles; ++ + usermanage_domtrans_admin_passwd($1) +- roleattribute $2 sysadm_passwd_roles; ++ role $2 types sysadm_passwd_t; ++ ++ optional_policy(` ++ nscd_run(sysadm_passwd_t, $2) ++ ') ++ + ') + + ######################################## +@@ -263,10 +316,6 @@ interface(`usermanage_domtrans_useradd',` + + corecmd_search_bin($1) + domtrans_pattern($1, useradd_exec_t, useradd_t) +- +- ifdef(`hide_broken_symptoms',` +- dontaudit useradd_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +@@ -306,11 +355,38 @@ interface(`usermanage_check_exec_useradd',` + # + interface(`usermanage_run_useradd',` + gen_require(` +- attribute_role useradd_roles; ++ #attribute_role useradd_roles; ++ type useradd_t; + ') + ++ #usermanage_domtrans_useradd($1) ++ #roleattribute $2 useradd_roles; ++ + usermanage_domtrans_useradd($1) +- roleattribute $2 
useradd_roles; ++ role $2 types useradd_t; ++ ++ optional_policy(` ++ nscd_run(useradd_t, $2) ++ ') ++') ++ ++######################################## ++## ++## Check access to the useradd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_useradd',` ++ gen_require(` ++ type useradd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 useradd_exec_t:file { getattr_file_perms execute }; + ') + + ######################################## +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index d555767..3053e39 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) + # Declarations + # + +-attribute_role chfn_roles; +-role system_r types chfn_t; ++#attribute_role chfn_roles; ++#role system_r types chfn_t; + +-attribute_role groupadd_roles; ++#attribute_role groupadd_roles; + +-attribute_role passwd_roles; +-roleattribute system_r passwd_roles; ++#attribute_role passwd_roles; ++#roleattribute system_r passwd_roles; + +-attribute_role sysadm_passwd_roles; +-roleattribute system_r sysadm_passwd_roles; ++#attribute_role sysadm_passwd_roles; ++#roleattribute system_r sysadm_passwd_roles; + +-attribute_role useradd_roles; ++#attribute_role useradd_roles; + + type admin_passwd_exec_t; + files_type(admin_passwd_exec_t) +@@ -25,7 +25,8 @@ type chfn_t; + type chfn_exec_t; + domain_obj_id_change_exemption(chfn_t) + application_domain(chfn_t, chfn_exec_t) +-role chfn_roles types chfn_t; ++#role chfn_roles types chfn_t; ++role system_r types chfn_t; + + type crack_t; + type crack_exec_t; +@@ -42,18 +43,22 @@ type groupadd_t; + type groupadd_exec_t; + domain_obj_id_change_exemption(groupadd_t) + init_system_domain(groupadd_t, groupadd_exec_t) +-role groupadd_roles types groupadd_t; ++#role groupadd_roles types groupadd_t; ++ + + type passwd_t; + type passwd_exec_t; + 
domain_obj_id_change_exemption(passwd_t) ++domain_system_change_exemption(passwd_t) + application_domain(passwd_t, passwd_exec_t) +-role passwd_roles types passwd_t; ++#role passwd_roles types passwd_t; ++role system_r types passwd_t; + + type sysadm_passwd_t; + domain_obj_id_change_exemption(sysadm_passwd_t) + application_domain(sysadm_passwd_t, admin_passwd_exec_t) +-role sysadm_passwd_roles types sysadm_passwd_t; ++#role sysadm_passwd_roles types sysadm_passwd_t; ++role system_r types sysadm_passwd_t; + + type sysadm_passwd_tmp_t; + files_tmp_file(sysadm_passwd_tmp_t) +@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t) + type useradd_t; + type useradd_exec_t; + domain_obj_id_change_exemption(useradd_t) ++domain_system_change_exemption(useradd_t) + init_system_domain(useradd_t, useradd_exec_t) +-role useradd_roles types useradd_t; ++#role useradd_roles types useradd_t; ++role system_r types useradd_t; ++ ++type useradd_var_run_t; ++files_pid_file(useradd_var_run_t) + + ######################################## + # +@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto; + + kernel_read_system_state(chfn_t) + kernel_read_kernel_sysctls(chfn_t) ++kernel_dontaudit_getattr_core_if(chfn_t) + + selinux_get_fs_mount(chfn_t) + selinux_validate_context(chfn_t) +@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t) + selinux_compute_relabel_context(chfn_t) + selinux_compute_user_contexts(chfn_t) + +-term_use_all_ttys(chfn_t) +-term_use_all_ptys(chfn_t) ++term_use_all_inherited_ttys(chfn_t) ++term_use_all_inherited_ptys(chfn_t) ++term_getattr_all_ptys(chfn_t) + + fs_getattr_xattr_fs(chfn_t) + fs_search_auto_mountpoints(chfn_t) + + # for SSP + dev_read_urand(chfn_t) ++dev_dontaudit_getattr_all(chfn_t) + +-auth_run_chk_passwd(chfn_t, chfn_roles) +-auth_dontaudit_read_shadow(chfn_t) +-auth_use_nsswitch(chfn_t) ++auth_manage_passwd(chfn_t) ++auth_use_pam(chfn_t) ++#auth_run_chk_passwd(chfn_t, chfn_roles) ++#auth_dontaudit_read_shadow(chfn_t) 
++#auth_use_nsswitch(chfn_t) + + # allow checking if a shell is executable + corecmd_check_exec_shell(chfn_t) ++corecmd_exec_bin(chfn_t) + + domain_use_interactive_fds(chfn_t) + +-files_manage_etc_files(chfn_t) + files_read_etc_runtime_files(chfn_t) + files_dontaudit_search_var(chfn_t) + files_dontaudit_search_home(chfn_t) +@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t) + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(chfn_t) ++init_dontaudit_getattr_initctl(chfn_t) + +-miscfiles_read_localization(chfn_t) + + logging_send_syslog_msg(chfn_t) + +-# uses unix_chkpwd for checking passwords +-seutil_dontaudit_search_config(chfn_t) ++userdom_manage_user_tmp_files(chfn_t) ++userdom_tmp_filetrans_user_tmp(chfn_t, { file }) + + userdom_use_unpriv_users_fds(chfn_t) + # user generally runs this from their home directory, so do not audit a search + # on user home dir + userdom_dontaudit_search_user_home_content(chfn_t) + ++optional_policy(` ++ rssh_exec(chfn_t) ++') ++ ++ ++optional_policy(` ++ # allow to exec tmux ++ screen_exec(chfn_t) ++') ++ + ######################################## + # + # Crack local policy +@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t) + selinux_compute_relabel_context(groupadd_t) + selinux_compute_user_contexts(groupadd_t) + +-term_use_all_ttys(groupadd_t) +-term_use_all_ptys(groupadd_t) ++term_use_all_inherited_terms(groupadd_t) ++term_getattr_all_ptys(groupadd_t) + + init_use_fds(groupadd_t) + init_read_utmp(groupadd_t) +@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t) + + domain_use_interactive_fds(groupadd_t) + +-files_manage_etc_files(groupadd_t) + files_relabel_etc_files(groupadd_t) ++files_read_etc_files(groupadd_t) + files_read_etc_runtime_files(groupadd_t) + files_read_usr_symlinks(groupadd_t) + +@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t) + logging_send_audit_msgs(groupadd_t) + 
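Review bot: The comment `# allow to exec tmux` sits above `screen_exec(chfn_t)`, which names the screen module; unless tmux is labelled with screen's executable type in this policy, the comment and the rule disagree, so either say `# allow chfn to exec screen` or state the labelling explicitly (`# tmux is labelled screen_exec_t, so screen_exec covers it` — confirm against screen.fc). The preceding `@@ -94,25 +105,29 @@` hunk also adds `corecmd_exec_bin(chfn_t)` and `auth_manage_passwd(chfn_t)` without a comment on why a finger-information tool now executes arbitrary binaries and writes the passwd file directly; chfn's body continues past this hunk.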
logging_send_syslog_msg(groupadd_t) + +-miscfiles_read_localization(groupadd_t) + +-auth_run_chk_passwd(groupadd_t, groupadd_roles) ++#auth_run_chk_passwd(groupadd_t, groupadd_roles) ++auth_domtrans_chk_passwd(groupadd_t) + auth_rw_lastlog(groupadd_t) + auth_use_nsswitch(groupadd_t) ++auth_manage_passwd(groupadd_t) ++auth_manage_shadow(groupadd_t) + # these may be unnecessary due to the above + # domtrans_chk_passwd() call. +-auth_manage_shadow(groupadd_t) + auth_relabel_shadow(groupadd_t) + auth_etc_filetrans_shadow(groupadd_t) + +@@ -253,7 +279,8 @@ optional_policy(` + ') + + optional_policy(` +- nscd_run(groupadd_t, groupadd_roles) ++# nscd_run(groupadd_t, groupadd_roles) ++ nscd_domtrans(groupadd_t) + ') + + optional_policy(` +@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; + allow passwd_t self:sem create_sem_perms; + allow passwd_t self:msgq create_msgq_perms; + allow passwd_t self:msg { send receive }; ++allow passwd_t self:netlink_selinux_socket create_socket_perms; + + allow passwd_t crack_db_t:dir list_dir_perms; + read_files_pattern(passwd_t, crack_db_t, crack_db_t) +@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) + + # for SSP + dev_read_urand(passwd_t) ++dev_dontaudit_getattr_all(passwd_t) + + fs_getattr_xattr_fs(passwd_t) + fs_search_auto_mountpoints(passwd_t) +@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t) + selinux_compute_relabel_context(passwd_t) + selinux_compute_user_contexts(passwd_t) + +-term_use_all_ttys(passwd_t) +-term_use_all_ptys(passwd_t) ++term_use_all_inherited_terms(passwd_t) ++term_getattr_all_ptys(passwd_t) + +-auth_run_chk_passwd(passwd_t, passwd_roles) ++auth_manage_passwd(passwd_t) + auth_manage_shadow(passwd_t) + auth_relabel_shadow(passwd_t) + auth_etc_filetrans_shadow(passwd_t) +-auth_use_nsswitch(passwd_t) ++auth_use_pam(passwd_t) ++ ++#auth_run_chk_passwd(passwd_t, passwd_roles) ++#auth_manage_passwd(passwd_t) ++#auth_manage_shadow(passwd_t) ++#auth_relabel_shadow(passwd_t) 
++#auth_etc_filetrans_shadow(passwd_t) ++#auth_use_nsswitch(passwd_t) + + # allow checking if a shell is executable + corecmd_check_exec_shell(passwd_t) ++corecmd_exec_bin(passwd_t) ++ ++corenet_tcp_connect_kerberos_password_port(passwd_t) + + domain_use_interactive_fds(passwd_t) + + files_read_etc_runtime_files(passwd_t) +-files_manage_etc_files(passwd_t) ++files_read_usr_files(passwd_t) + files_search_var(passwd_t) + files_dontaudit_search_pids(passwd_t) + files_relabel_etc_files(passwd_t) + ++term_search_ptys(passwd_t) ++ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(passwd_t) +@@ -335,12 +376,11 @@ init_use_fds(passwd_t) + logging_send_audit_msgs(passwd_t) + logging_send_syslog_msg(passwd_t) + +-miscfiles_read_localization(passwd_t) + + seutil_read_config(passwd_t) + seutil_read_file_contexts(passwd_t) + +-userdom_use_user_terminals(passwd_t) ++userdom_use_inherited_user_terminals(passwd_t) + userdom_use_unpriv_users_fds(passwd_t) + # make sure that getcon succeeds + userdom_getattr_all_users(passwd_t) +@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t) + # user generally runs this from their home directory, so do not audit a search + # on user home dir + userdom_dontaudit_search_user_home_content(passwd_t) ++userdom_stream_connect(passwd_t) + + optional_policy(` +- nscd_run(passwd_t, passwd_roles) ++ gnome_exec_keyringd(passwd_t) ++ gnome_manage_cache_home_dir(passwd_t) ++ gnome_stream_connect_gkeyringd(passwd_t) ++') ++ ++optional_policy(` ++ #nscd_run(passwd_t, passwd_roles) ++ nscd_domtrans(passwd_t) + ') + + ######################################## +@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) + fs_getattr_xattr_fs(sysadm_passwd_t) + fs_search_auto_mountpoints(sysadm_passwd_t) + +-term_use_all_ttys(sysadm_passwd_t) +-term_use_all_ptys(sysadm_passwd_t) ++term_use_all_inherited_terms(sysadm_passwd_t) 
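Review bot: `corenet_tcp_connect_kerberos_password_port(passwd_t)` gives a local password tool outbound TCP access with no comment on the trigger; a line such as `# password change via a Kerberos PAM module reaches the kpasswd port (confirm the module)` records why passwd opens network connections. `auth_use_pam(passwd_t)` replacing `auth_use_nsswitch(passwd_t)` is the same kind of widening and would benefit from the same one-line justification.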
++term_getattr_all_ptys(sysadm_passwd_t) + ++auth_manage_passwd(sysadm_passwd_t) + auth_manage_shadow(sysadm_passwd_t) + auth_relabel_shadow(sysadm_passwd_t) + auth_etc_filetrans_shadow(sysadm_passwd_t) +@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) + + domain_use_interactive_fds(sysadm_passwd_t) + +-files_manage_etc_files(sysadm_passwd_t) + files_relabel_etc_files(sysadm_passwd_t) + files_read_etc_runtime_files(sysadm_passwd_t) + # for nscd lookups +@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(sysadm_passwd_t) + +-miscfiles_read_localization(sysadm_passwd_t) + + logging_send_syslog_msg(sysadm_passwd_t) + +-seutil_dontaudit_search_config(sysadm_passwd_t) +- + userdom_use_unpriv_users_fds(sysadm_passwd_t) + # user generally runs this from their home directory, so do not audit a search + # on user home dir + userdom_dontaudit_search_user_home_content(sysadm_passwd_t) + + optional_policy(` +- nscd_run(sysadm_passwd_t, sysadm_passwd_roles) ++ nscd_domtrans(sysadm_passwd_t) ++ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) + ') + + ######################################## +@@ -443,7 +489,8 @@ optional_policy(` + # Useradd local policy + # + +-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; ++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; ++ + dontaudit useradd_t self:capability sys_tty_config; + allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow useradd_t self:process setfscreate; +@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; + allow useradd_t self:unix_dgram_socket sendto; + allow useradd_t self:unix_stream_socket connectto; + ++manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) 
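Review bot: `sys_ptrace` and `sys_chroot` are added to useradd_t's capability set without a comment, while the same hunk keeps `ptrace` excluded from the process permissions, so the intent is presumably reading other domains' /proc state (userdel refusing to remove a logged-in user) and the `-R` chroot option of useradd/userdel. Both are powerful capabilities for a setuid account-management tool and deserve a why-comment, e.g. `# sys_ptrace: read /proc/<pid> of other domains for the userdel in-use check; sys_chroot: useradd/userdel -R`. If only the /proc read is needed, check whether the existing state-read interfaces suffice before granting the capability.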
++manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) ++files_pid_filetrans(useradd_t, useradd_var_run_t, dir) ++ + # for getting the number of groups + kernel_read_kernel_sysctls(useradd_t) + +@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t) + # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. + corecmd_exec_bin(useradd_t) + ++kernel_getattr_core_if(useradd_t) ++dev_dontaudit_getattr_all(useradd_t) ++ + domain_use_interactive_fds(useradd_t) + domain_read_all_domains_state(useradd_t) ++domain_dontaudit_read_all_domains_state(useradd_t) + +-files_manage_etc_files(useradd_t) + files_search_var_lib(useradd_t) + files_relabel_etc_files(useradd_t) + files_read_etc_runtime_files(useradd_t) ++files_manage_etc_files(useradd_t) ++files_rw_var_lib_dirs(useradd_t) + + fs_search_auto_mountpoints(useradd_t) + fs_getattr_xattr_fs(useradd_t) + + mls_file_upgrade(useradd_t) ++mls_process_read_to_clearance(useradd_t) + +-# Allow access to context for shadow file +-selinux_get_fs_mount(useradd_t) +-selinux_validate_context(useradd_t) +-selinux_compute_access_vector(useradd_t) +-selinux_compute_create_context(useradd_t) +-selinux_compute_relabel_context(useradd_t) +-selinux_compute_user_contexts(useradd_t) +- +-term_use_all_ttys(useradd_t) +-term_use_all_ptys(useradd_t) ++term_use_all_inherited_terms(useradd_t) ++term_getattr_all_ptys(useradd_t) + +-auth_run_chk_passwd(useradd_t, useradd_roles) ++#auth_run_chk_passwd(useradd_t, useradd_roles) ++auth_domtrans_chk_passwd(useradd_t) + auth_rw_lastlog(useradd_t) + auth_rw_faillog(useradd_t) + auth_use_nsswitch(useradd_t) + # these may be unnecessary due to the above + # domtrans_chk_passwd() call. 
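Review bot: `files_pid_filetrans(useradd_t, useradd_var_run_t, dir)` is unnamed and covers only the `dir` class, so every directory useradd_t creates directly under /run becomes useradd_var_run_t, while a regular file created there (outside its own directory) would keep the generic pid type. If the runtime directory has a fixed name and this refpolicy version supports named transitions, pin it, e.g. `files_pid_filetrans(useradd_t, useradd_var_run_t, dir, "useradd")`, so unrelated directories are not mislabelled. The `useradd_var_run_t` declaration is not in this hunk and must exist in the module's declarations section for this to build.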
++auth_manage_passwd(useradd_t) + auth_manage_shadow(useradd_t) + auth_relabel_shadow(useradd_t) + auth_etc_filetrans_shadow(useradd_t) +@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t) + logging_send_audit_msgs(useradd_t) + logging_send_syslog_msg(useradd_t) + +-miscfiles_read_localization(useradd_t) ++ ++seutil_semanage_policy(useradd_t) ++seutil_manage_file_contexts(useradd_t) ++seutil_manage_config(useradd_t) ++seutil_manage_login_config(useradd_t) ++seutil_manage_default_contexts(useradd_t) + + seutil_read_config(useradd_t) + seutil_read_file_contexts(useradd_t) + seutil_read_default_contexts(useradd_t) +-seutil_run_semanage(useradd_t, useradd_roles) +-seutil_run_setfiles(useradd_t, useradd_roles) ++seutil_domtrans_semanage(useradd_t) ++seutil_domtrans_setfiles(useradd_t) ++seutil_domtrans_loadpolicy(useradd_t) ++#seutil_manage_bin_policy(useradd_t) ++#seutil_manage_module_store(useradd_t) ++seutil_get_semanage_trans_lock(useradd_t) ++seutil_get_semanage_read_lock(useradd_t) ++#seutil_run_semanage(useradd_t, useradd_roles) ++#seutil_run_setfiles(useradd_t, useradd_roles) + + userdom_use_unpriv_users_fds(useradd_t) + # Add/remove user home directories +-userdom_manage_user_home_dirs(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_manage_user_home_content_dirs(useradd_t) +-userdom_manage_user_home_content_files(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) ++userdom_manage_home_role(system_r, useradd_t) ++userdom_delete_all_user_home_content(useradd_t) + + optional_policy(` + mta_manage_spool(useradd_t) + ') + +-ifdef(`distro_redhat',` +- optional_policy(` +- unconfined_domain(useradd_t) +- ') +-') +- + optional_policy(` + apache_manage_all_user_content(useradd_t) + ') +@@ -542,7 +596,12 @@ optional_policy(` + ') + + optional_policy(` +- nscd_run(useradd_t, useradd_roles) ++ nscd_domtrans(useradd_t) ++# nscd_run(useradd_t, useradd_roles) ++') 
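Review bot: `domain_dontaudit_read_all_domains_state(useradd_t)` is added right after `domain_read_all_domains_state(useradd_t)`; a dontaudit on permissions that are already allowed has no effect, so one of the two lines is redundant or the dontaudit was meant for a broader permission set. Drop it, or state in a comment which denials it is meant to silence. The retained comment `# these may be unnecessary due to the above domtrans_chk_passwd() call.` now sits above an added `auth_manage_passwd(useradd_t)` while `auth_domtrans_chk_passwd(useradd_t)` is kept, so the direct passwd/shadow manage grants deserve a one-line justification. The removed `# Allow access to context for shadow file` selinux_* rules presumably come back through the seutil_* interfaces in the next hunk; a relabel of /etc/shadow by useradd is worth testing.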
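Review bot: Dropping the `distro_redhat` `unconfined_domain(useradd_t)` is a real confinement gain, but in exchange useradd_t gets direct write access to the SELinux configuration (`seutil_manage_config`, `seutil_manage_login_config`, `seutil_manage_default_contexts`, `seutil_semanage_policy`) on top of transitions into semanage_t, setfiles_t and load_policy_t. If useradd only ever calls semanage for `-Z`, the transitions should suffice and the direct manage grants widen what a compromised useradd can do to the policy store; the commented `#seutil_manage_bin_policy` / `#seutil_manage_module_store` lines read like leftovers of narrowing by trial and should be deleted rather than kept as dead text. Replacing `seutil_run_semanage(useradd_t, useradd_roles)` with `seutil_domtrans_semanage(useradd_t)` drops the `role … types semanage_t` half of the run interface, so unless roles are granted elsewhere, running useradd from a non-system_r role will fail the transition. `userdom_manage_home_role(system_r, useradd_t)` hard-codes system_r in the same way.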
++ ++optional_policy(` ++ openshift_manage_content(useradd_t) + ') + + optional_policy(` +@@ -550,6 +609,11 @@ optional_policy(` + ') + + optional_policy(` ++ rpc_list_nfs_state_data(useradd_t) ++ rpc_read_nfs_state_data(useradd_t) ++') ++ ++optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(useradd_t) + ') +@@ -559,3 +623,12 @@ optional_policy(` + rpm_use_fds(useradd_t) + rpm_rw_pipes(useradd_t) + ') ++ ++optional_policy(` ++ smsd_manage_lib_files(useradd_t) ++ smsd_manage_lib_dirs(useradd_t) ++') ++ ++optional_policy(` ++ stapserver_manage_lib(useradd_t) ++') +diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if +index 1dc7a85..c6f4da0 100644 +--- a/policy/modules/apps/seunshare.if ++++ b/policy/modules/apps/seunshare.if +@@ -43,18 +43,18 @@ interface(`seunshare_run',` + role $2 types seunshare_t; + + allow $1 seunshare_t:process signal_perms; +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit seunshare_t $1:tcp_socket rw_socket_perms; +- dontaudit seunshare_t $1:udp_socket rw_socket_perms; +- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; +- ') + ') + + ######################################## + ## +-## Role access for seunshare ++## The role template for the seunshare module. + ## ++## ++## ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). ++## ++## + ## + ## + ## Role allowed access. 
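Review bot: `openshift_manage_content(useradd_t)` gives useradd_t manage rights over OpenShift content types (taking the interface name at face value), far broader than creating or deleting a gear's home directory. If the need is only `userdel -r` removing the gear home, a delete-only or filetrans interface would be the least-privilege choice; at least add a comment such as `# useradd/userdel create and remove gear homes labelled as openshift content` so the grant is traceable. The new `nscd_domtrans(useradd_t)` also leaves `# nscd_run(useradd_t, useradd_roles)` behind as a comment instead of deleting it.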
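Review bot: `smsd_manage_lib_files(useradd_t)`, `smsd_manage_lib_dirs(useradd_t)` and `stapserver_manage_lib(useradd_t)` grant full manage over two unrelated services' state directories, presumably because those packages create their service account's home under /var/lib at install time. That justification is not recorded anywhere; add `# smsd and stap-server create their service users with a home under /var/lib` above the blocks. If only directory creation is required, a filetrans-plus-create interface would be narrower than manage.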
+@@ -66,15 +66,44 @@ interface(`seunshare_run',` + ## + ## + # +-interface(`seunshare_role',` ++interface(`seunshare_role_template',` + gen_require(` +- type seunshare_t; ++ attribute seunshare_domain; ++ type seunshare_exec_t; + ') + +- role $2 types seunshare_t; ++ type $1_seunshare_t, seunshare_domain; ++ application_domain($1_seunshare_t, seunshare_exec_t) ++ role $2 types $1_seunshare_t; + +- seunshare_domtrans($1) ++ kernel_read_system_state($1_seunshare_t) ++ ++ auth_use_nsswitch($1_seunshare_t) ++ ++ logging_send_syslog_msg($1_seunshare_t) ++ ++ mls_process_set_level($1_seunshare_t) ++ ++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) ++ ++ # part of sandboxX.pp ++ optional_policy(` ++ sandbox_x_transition($1_seunshare_t, $2) ++ ') ++ ++ # part of sandbox.pp ++ optional_policy(` ++ sandbox_transition($1_seunshare_t, $2) ++ ') ++ ++ ps_process_pattern($3, $1_seunshare_t) ++ dontaudit $1_seunshare_t $3:file read; ++ allow $3 $1_seunshare_t:process signal_perms; ++ allow $3 $1_seunshare_t:fd use; ++ ++ allow $1_seunshare_t $3:process transition; ++ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + +- ps_process_pattern($2, seunshare_t) +- allow $2 seunshare_t:process signal; ++ corecmd_bin_domtrans($1_seunshare_t, $1_t) ++ corecmd_shell_domtrans($1_seunshare_t, $1_t) + ') +diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te +index 7590165..fb30c11 100644 +--- a/policy/modules/apps/seunshare.te ++++ b/policy/modules/apps/seunshare.te +@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) + # Declarations + # + +-type seunshare_t; ++attribute seunshare_domain; + type seunshare_exec_t; +-application_domain(seunshare_t, seunshare_exec_t) +-role system_r types seunshare_t; + + ######################################## + # + # seunshare local policy + # ++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice }; ++allow seunshare_domain self:process { fork setexec 
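Review bot: The template mixes two notions of the calling domain: `domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)`, `ps_process_pattern($3, $1_seunshare_t)` and `allow $1_seunshare_t $3:process transition;` use the explicit `$3`, while `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` return to a domain derived from the prefix. When `$3` is not `$1_t`, the type_transition on bin_t/shell_exec_t targets a domain the explicit allow does not name, and the `domain_transition_pattern` inside `corecmd_bin_spec_domtrans` (visible later in this patch) presumably grants the transition anyway, making the explicit `allow … $3:process transition` either redundant or a grant to a second domain. Use `$3` in both corecmd calls, or document that `$3` must be `$1_t`. The parameter block for `$3` is not visible in this hunk, and `mls_process_set_level($1_seunshare_t)` is a notable privilege for a user-launched helper that deserves a why-comment.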
signal getcap setcap setsched }; + +-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; +-allow seunshare_t self:process { setexec signal getcap setcap }; ++allow seunshare_domain self:fifo_file rw_file_perms; ++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; + +-allow seunshare_t self:fifo_file rw_file_perms; +-allow seunshare_t self:unix_stream_socket create_stream_socket_perms; ++corecmd_exec_shell(seunshare_domain) ++corecmd_exec_bin(seunshare_domain) + +-corecmd_exec_shell(seunshare_t) +-corecmd_exec_bin(seunshare_t) ++dev_read_urand(seunshare_domain) ++dev_dontaudit_rw_dri(seunshare_domain) + +-files_read_etc_files(seunshare_t) +-files_mounton_all_poly_members(seunshare_t) ++files_search_all(seunshare_domain) ++files_read_etc_files(seunshare_domain) ++files_mounton_all_poly_members(seunshare_domain) ++files_mounton_rootfs(seunshare_domain) ++files_manage_generic_tmp_dirs(seunshare_domain) ++files_relabelfrom_tmp_dirs(seunshare_domain) + +-auth_use_nsswitch(seunshare_t) +- +-logging_send_syslog_msg(seunshare_t) +- +-miscfiles_read_localization(seunshare_t) +- +-userdom_use_user_terminals(seunshare_t) ++fs_manage_cgroup_dirs(seunshare_domain) ++fs_manage_cgroup_files(seunshare_domain) ++fs_unmount_all_fs(seunshare_domain) + ++userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain) ++userdom_use_inherited_user_terminals(seunshare_domain) ++userdom_list_user_home_content(seunshare_domain) + ifdef(`hide_broken_symptoms', ` +- fs_dontaudit_rw_anon_inodefs_files(seunshare_t) ++ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) ++ fs_dontaudit_list_inotifyfs(seunshare_domain) ++ ++ optional_policy(` ++ gnome_dontaudit_rw_inherited_config(seunshare_domain) ++ ') + + optional_policy(` +- mozilla_dontaudit_manage_user_home_files(seunshare_t) ++ mozilla_dontaudit_manage_user_home_files(seunshare_domain) ++ mozilla_plugin_dontaudit_leaks(seunshare_domain) + ') + ') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ 
fs_mounton_nfs(seunshare_domain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_mounton_cifs(seunshare_domain) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_mounton_fusefs(seunshare_domain) ++') +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index 644d4d7..6e7dd83 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -1,9 +1,10 @@ + # + # /bin + # +-/bin -d gen_context(system_u:object_r:bin_t,s0) ++/bin gen_context(system_u:object_r:bin_t,s0) + /bin/.* gen_context(system_u:object_r:bin_t,s0) + /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -46,6 +47,7 @@ ifdef(`distro_redhat',` + /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) + /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) + + /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -69,16 +71,25 @@ ifdef(`distro_redhat',` + /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/redhat-lsb(/.*)? 
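Review bot: The new `seunshare_domain` attribute collects mount-namespace privileges — `sys_admin`, `files_mounton_rootfs`, `files_mounton_all_poly_members`, `fs_unmount_all_fs`, `files_relabelfrom_tmp_dirs`, `fs_manage_cgroup_dirs/files` — plus `fowner`, `setgid` and `sys_nice` in the capability set, with no comment on why a user-launched sandbox helper needs each. These rules are global in the policy even if seunshare only acts inside a private namespace, so record the mapping, e.g. `# seunshare unshares the mount namespace and bind-mounts private /tmp, /var/tmp and $HOME; sys_admin/mounton/unmount serve that` and `# fowner/setgid: chown the private tmp dirs to the user`. `files_relabelfrom_tmp_dirs` has no visible relabelto counterpart; if the target is the sandbox tmp type the pair belongs together. `fs_unmount_all_fs` in particular would be better replaced by the specific fs interfaces for what the sandbox actually detaches.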
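Review bot: `/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)` also matches `/etc/auto.master` and `/etc/auto.misc`, which are autofs map data files, not executables. Labelling configuration as bin_t makes it readable by every domain with `corecmd_read_bin_files`, a valid exec target for every domain with `corecmd_exec_bin`, and removes it from the etc_t rules that normally govern /etc. If only the executable maps are meant, list them, e.g. `/etc/auto\.(net|smb) -- gen_context(system_u:object_r:bin_t,s0)`, or exclude the master map explicitly.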
gen_context(system_u:object_r:bin_t,s0) ++ ++/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0) ++/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0) ++/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0) ++/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) + + /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) + /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) ++/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) + + ifdef(`distro_redhat',` + /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) + ') + + /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) ++/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + +@@ -101,8 +112,6 @@ ifdef(`distro_redhat',` + + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + +-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) +- + /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) +@@ -116,6 +125,9 @@ ifdef(`distro_redhat',` + + /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++ ++/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0) ++ + /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) +@@ -134,10 +146,12 @@ ifdef(`distro_debian',` + + /lib/readahead(/.*)? 
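Review bot: `/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0)` is the only entry in this block without a file-type field; every sibling uses `--` so the spec only hits regular files. Unless a non-regular object is expected, write `/etc/wdmd\.d/checkquorum\.wdmd -- gen_context(system_u:object_r:bin_t,s0)` and drop the extra blank line added above it.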
gen_context(system_u:object_r:bin_t,s0) + /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0) + /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ++/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) + /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) + /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0) + + ifdef(`distro_gentoo',` + /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) +@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',` + # + # /sbin + # +-/sbin -d gen_context(system_u:object_r:bin_t,s0) ++/sbin gen_context(system_u:object_r:bin_t,s0) + /sbin/.* gen_context(system_u:object_r:bin_t,s0) + /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) + /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',` + /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',` + /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) + ') + ++/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + # + # /usr + # ++/usr/bin -d gen_context(system_u:object_r:bin_t,s0) + /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/(.*/)?bin(/.*)? 
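Review bot: `/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- …` hard-codes lib64 and sits in the `/lib` section, while the same hunk adds `/lib/security/pam_krb5(/.*)?` (which already covers the `pam_krb5_storetmp` entry above it) and a later hunk adds `/usr/lib/security/pam_krb5(/.*)?`. On layouts without lib64 the cchelper stays unlabelled unless path equivalence in file_contexts.subs_dist maps lib64 to lib; either state that dependency in a comment or write `/usr/lib(64)?/security/pam_krb5(/.*)?`. Removing `/lib/systemd/systemd.* -- bin_t` presumably hands those helpers to systemd's own exec types; if not, they fall back to whatever labels /lib.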
gen_context(system_u:object_r:bin_t,s0) +-/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) +-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + +-/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) + + /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/qt.*/bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) +-/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) + /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',` + /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) + /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/pm-utils(/.*)? 
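Review bot: `/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels a directory inside root's home as a system binary directory. bin_t is shared: every domain with `corecmd_exec_bin` may execute what lands there and every domain with `corecmd_manage_bin_files` may write it, so admin scripts in /root/bin become executable by confined daemons never meant to run admin tooling, and the directory loses the admin_home_t treatment the rest of /root has. If the goal is convenience for the sysadm role, a dedicated type is safer; at least add `# NOTE: bin_t here is reachable by any domain allowed corecmd_exec_bin`. Separately, `/usr/lib/jvm/java(.*/)bin(/.*)` lacks the `?` quantifiers its neighbours use, so it never matches the bin directory itself, and `/usr/bin -d` is already covered by the generic `/usr/(.*/)?bin(/.*)?` entry below it.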
gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/upstart(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) +@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',` + /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0) ++ + /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) +@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',` + + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + +-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/Printer(/.*)? 
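Review bot: `/usr/lib/nagios/plugins/utils.sh` and `/usr/lib/nagios/plugins/utils.pm` leave the dot unescaped, so they also match e.g. `utils-sh`, while the surrounding entries escape it; write `/usr/lib/nagios/plugins/utils\.sh -- …` and `/usr/lib/nagios/plugins/utils\.pm -- …`. The catch-all `/usr/lib/nagios/plugins(/.*)?` is removed here, so every other plugin must now get its label from the nagios module or it falls back to the default lib label and stops executing from the nagios domains. `/usr/lib/security/pam_krb5(/.*)? --` carries the `--` file restriction whereas the `/lib/security/pam_krb5(/.*)?` entry elsewhere in this patch has none — pick one form.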
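Review bot: `/usr/lib/debug/usr/libexec(/.*)?` omits the `--` that the three `/usr/lib/debug/...` entries directly above it use, so directories beneath it become bin_t as well. For consistency write `/usr/lib/debug/usr/libexec(/.*)? -- gen_context(system_u:object_r:bin_t,s0)`, unless labelling the directories is intended, in which case the siblings should change with it.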
gen_context(system_u:object_r:bin_t,s0) ++/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) ++/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) ++/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) ++/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) ++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -276,10 +332,15 @@ ifdef(`distro_gentoo',` + /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) + /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/gitolite3/commands(/.*)? 
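Review bot: `/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)` makes the account-disabling stub count as a login shell for policy purposes: every `corecmd_exec_shell`/`corecmd_shell_domtrans` rule and every user-domain entrypoint keyed on shell_exec_t now applies to it. That is presumably deliberate (login and sshd exec it as the user's shell so the refusal message is printed), but nothing says so; add `# nologin is exec'd as the login shell of locked accounts` beside it. `/usr/lib/xfce4(/.*)?` also makes the specific `/usr/lib/xfce4/...` entries above redundant, and replacing the `/usr/local/Brother`, `/usr/local/Printer` and `/usr/local/linuxprinter` specs with `/usr/...` ones leaves any remaining /usr/local installs unlabelled.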
-- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) +@@ -294,16 +355,22 @@ ifdef(`distro_gentoo',` + /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) +-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) ++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0) + /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) ++/usr/share/wicd/daemon(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + +-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) ++/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) + + ifdef(`distro_debian',` + /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -321,20 +388,27 @@ ifdef(`distro_redhat', ` + /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) + /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) +-/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) ++#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/createrepo(/.*)? 
gen_context(system_u:object_r:bin_t,s0) ++/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) +@@ -342,6 +416,7 @@ ifdef(`distro_redhat', ` + /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) +@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` + # + # /var + # +-/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/gems(/.*)?/helper-scripts(/.*)? 
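Review bot: `/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)` is very broad: the unanchored `.*` crosses directory levels, so any `scripts` directory anywhere under /usr/lib — including data such as SQL or migration scripts shipped by packages with their own exec types — becomes bin_t, and with no `--` the directories themselves do too. Prefer naming the packages that need it (the hunk already does this for `nfs-utils/scripts` and `tuned`) or restrict to one level with `/usr/lib/[^/]+/scripts(/.*)?`. `#/usr/share/authconfig/authconfig\.py` is a commented-out spec; delete it rather than leaving dead text in the fc file.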
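Review bot: `/usr/share/system-config-selinux/polgengui.py` leaves the dot unescaped while the two sibling entries escape it (`polgen\.py`, `system-config-selinux\.py`), so the pattern also matches any single character in that position. Write `/usr/share/system-config-selinux/polgengui\.py -- gen_context(system_u:object_r:bin_t,s0)`.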
gen_context(system_u:object_r:bin_t,s0) ++ + /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) + + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) +@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` + ifdef(`distro_suse',` + /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) + ') ++ ++# ++# /usr/lib ++# ++ ++/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) +diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if +index 9e9263a..77e6c8c 100644 +--- a/policy/modules/kernel/corecommands.if ++++ b/policy/modules/kernel/corecommands.if +@@ -8,6 +8,22 @@ + ## run init. + ## + ++##################################### ++## ++## corecmd stub bin_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`corecmd_stub_bin',` ++ gen_require(` ++ type bin_t; ++ ') ++') ++ + ######################################## + ## + ## Make the specified type usable for files +@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',` + interface(`corecmd_bin_entry_type',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + domain_entry_file($1, bin_t) ++ domain_entry_file($1, usr_t) + ') + + ######################################## +@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks($1) + search_dirs_pattern($1, bin_t, bin_t) + ') + +@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks($1) + list_dirs_pattern($1, bin_t, bin_t) + ') + +@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
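Review bot: `/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` and `/usr/share/gems(/.*)?/helper-scripts(/.*)?` are placed in the `# /var` section, and they label any `helper-scripts` directory of any installed gem as bin_t, so a gem shipping a data directory of that name is treated as system executables. Move them to the /usr section and, if possible, name the gem(s) that actually ship helper scripts. `/var/lib/iscan/interpreter` has no file-type field although it names a single file (use `--`), and `/var/mailman.*/bin(/.*)?` crosses directory levels with `.*`; `/var/mailman[^/]*/bin(/.*)?` is probably what is meant.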
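Review bot: A new `# /usr/lib` section is appended after the `/var` block even though `/usr/lib/...` entries already live in the `/usr` section above, which makes duplicates hard to spot (`/usr/lib/ruby/gems/.*/agents(/.*)?` is close kin to the gems `helper-scripts` entries two hunks earlier). Merge these four specs into the existing `/usr` section. `/usr/lib/ruby/gems/.*/agents(/.*)?` also crosses directory levels with `.*`; if it is meant for one gem, name it.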
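Review bot: `domain_entry_file($1, usr_t)` in `corecmd_bin_entry_type` makes usr_t — the generic label for everything under /usr without a more specific type, including plain data — a valid entrypoint for every domain that calls this interface. Entrypoint types are the anchor of the domain-transition model; widening them from bin_t to usr_t means a mislabelled or stray file under /usr can be the file that starts a confined domain, which is precisely the case the bin_t restriction catches. If this is a transitional measure for the /usr merge, gate it on a build flag and mark it, e.g. `# TODO: usr_t entrypoint is a workaround for unlabelled /usr content; remove once fc coverage is complete`.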
+ ## + ## + # +@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks($1) + read_files_pattern($1, bin_t, bin_t) + ') + +@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',` + + ######################################## + ## ++## Do not audit attempts to access check bin files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corecmd_dontaudit_access_check_bin',` ++ gen_require(` ++ type bin_t; ++ ') ++ ++ dontaudit $1 bin_t:file audit_access; ++') ++ ++######################################## ++## + ## Read symbolic links in bin directories. + ## + ## +@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks(bin_t) + read_fifo_files_pattern($1, bin_t, bin_t) + ') + +@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks($1) + read_sock_files_pattern($1, bin_t, bin_t) + ') + +@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',` + read_lnk_files_pattern($1, bin_t, bin_t) + list_dirs_pattern($1, bin_t, bin_t) + can_exec($1, bin_t) ++ ++ ifdef(`enable_mls',`',` ++ files_exec_all_base_ro_files($1) ++ ') + ') + + ######################################## +@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks($1) + manage_files_pattern($1, bin_t, bin_t) + ') + +@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',` + type bin_t; + ') + ++ corecmd_read_bin_symlinks($1) + mmap_files_pattern($1, bin_t, bin_t) + ') + +@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` + interface(`corecmd_bin_spec_domtrans',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + domain_transition_pattern($1, bin_t, $2) ++ ++ read_lnk_files_pattern($1, usr_t, usr_t) ++ domain_transition_pattern($1, usr_t, $2) + ') + + ######################################## +@@ -483,10 +534,12 @@ 
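Review bot: `corecmd_read_bin_symlinks(bin_t)` in `corecmd_read_bin_pipes` passes the file type instead of the caller; every other hunk in this file passes `$1` (`corecmd_search_bin`, `corecmd_list_bin`, `corecmd_read_bin_files`, `corecmd_read_bin_sockets`, `corecmd_manage_bin_files`, `corecmd_mmap_bin_files`). As written the caller gains no symlink-read permission and a rule with `bin_t` as the source is generated instead, which is at best a no-op and may not compile if `bin_t` is not a domain. Change the line to `corecmd_read_bin_symlinks($1)`.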
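Review bot: The `ifdef(`enable_mls',`',` files_exec_all_base_ro_files($1) ')` block widens `corecmd_exec_bin` from executing `bin_t` to executing every base read-only file type in non-MLS builds; the same block is added to `corecmd_exec_all_executables` on the next line. What `files_exec_all_base_ro_files` covers is not visible here, but given `files_ro_base_file(bin_t)` and `files_ro_base_file(shell_exec_t)` in the corecommands.te hunk the attribute presumably spans data-labelled types too, so callers of the narrow interface get exec on more than executables. A comment above each block stating why MLS and non-MLS differ would help the next reviewer, e.g. `# non-MLS only: <reason this widening is not applied under MLS>`.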
interface(`corecmd_bin_spec_domtrans',` + interface(`corecmd_bin_domtrans',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + corecmd_bin_spec_domtrans($1, $2) + type_transition $1 bin_t:process $2; ++ type_transition $1 usr_t:process $2; + ') + + ######################################## +@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',` + interface(`corecmd_exec_chroot',` + gen_require(` + type chroot_exec_t; ++ type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) +@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',` + + ######################################## + ## ++## Do not audit attempts to access check executable files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corecmd_dontaudit_access_all_executables',` ++ gen_require(` ++ attribute exec_type; ++ ') ++ ++ dontaudit $1 exec_type:file audit_access; ++') ++ ++######################################## ++## + ## Get the attributes of all executable files. + ## + ## +@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',` + can_exec($1, exec_type) + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, exec_type) ++ ++ ifdef(`enable_mls',`',` ++ files_exec_all_base_ro_files($1) ++ ') + ') + + ######################################## +@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',` + type bin_t; + ') + ++ manage_dirs_pattern($1, bin_t, exec_type) + manage_files_pattern($1, bin_t, exec_type) + manage_lnk_files_pattern($1, bin_t, bin_t) + ') +@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',` + + mmap_files_pattern($1, bin_t, exec_type) + ') ++ ++######################################## ++## ++## Create objects in the /bin directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. 
++## ++## ++# ++interface(`corecmd_bin_filetrans',` ++ gen_require(` ++ type bin_t; ++ ') ++ ++ filetrans_pattern($1, bin_t, $2, $3, $4) ++') +diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te +index 43090a0..a784e8e 100644 +--- a/policy/modules/kernel/corecommands.te ++++ b/policy/modules/kernel/corecommands.te +@@ -13,7 +13,8 @@ attribute exec_type; + # + # bin_t is the type of files in the system bin/sbin directories. + # +-type bin_t alias { ls_exec_t sbin_t }; ++type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t }; ++files_ro_base_file(bin_t) + corecmd_executable_file(bin_t) + dev_associate(bin_t) #For /dev/MAKEDEV + +@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV + # shell_exec_t is the type of user shells such as /bin/bash. + # + type shell_exec_t; ++files_ro_base_file(shell_exec_t) + corecmd_executable_file(shell_exec_t) + + type chroot_exec_t; +diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc +index f9b25c1..9af1f7a 100644 +--- a/policy/modules/kernel/corenetwork.fc ++++ b/policy/modules/kernel/corenetwork.fc +@@ -8,3 +8,6 @@ + + /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) + /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) ++ ++/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) ++/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) +diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in +index 07126bd..38ba47d 100644 +--- a/policy/modules/kernel/corenetwork.if.in ++++ b/policy/modules/kernel/corenetwork.if.in +@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` + ') + + typeattribute $1 reserved_port_type; ++ corenet_port($1) + ') + + ######################################## +@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',` + ') + + typeattribute $1 rpc_port_type; 
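Review bot: Aliasing `unconfined_execmem_exec_t`, `execmem_exec_t`, `java_exec_t` and `mono_exec_t` to `bin_t` means every rule anywhere in the policy that names one of those types now applies to all `bin_t` files. If any module still carries a `type_transition` or `domain_auto_trans` keyed on, say, `java_exec_t` into an execmem-capable domain, that transition would fire for every `bin_t` executable; the modules that owned those types are not in this chunk, so this cannot be confirmed here but should be checked before merge. A comment on the alias line would record the intent, e.g. `# execmem/java/mono exec types folded into bin_t; former owners must not keep per-type transitions`.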
++ corenet_port($1) + ') + + ######################################## +@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',` + + ######################################## + ## ++## Send and receive DCCP network traffic on generic nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on generic nodes. + ## + ## +@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',` + + ######################################## + ## ++## Bind DCCP sockets to generic nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ allow $1 node_t:dccp_socket node_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to generic nodes. + ## + ## +@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',` + + ######################################## + ## ++## Dontaudit attempts to bind TCP sockets to generic nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_tcp_bind_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ dontaudit $1 node_t:tcp_socket node_bind; ++') ++ ++######################################## ++## ++## Dontaudit attempts to bind UDP sockets to generic nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_bind_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ dontaudit $1 node_t:udp_socket node_bind; ++') ++ ++######################################## ++## + ## Bind raw sockets to genric nodes. 
+ ## + ## +@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',` + + ######################################## + ## ++## Send and receive DCCP network traffic on all nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_all_nodes',` ++ gen_require(` ++ attribute node_type; ++ ') ++ ++ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on all nodes. + ## + ## +@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` + + ######################################## + ## ++## Bind DCCP sockets to all nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_nodes',` ++ gen_require(` ++ attribute node_type; ++ ') ++ ++ allow $1 node_type:dccp_socket node_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all nodes. + ## + ## +@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',` + + ######################################## + ## ++## Send and receive DCCP network traffic on generic ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_generic_port',` ++ gen_require(` ++ type port_t, unreserved_port_t, ephemeral_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on generic ports. 
+ ## + ## +@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',` + # + interface(`corenet_tcp_sendrecv_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## ++## Do not audit attempts to send and ++## receive DCCP network traffic on ++## generic ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` ++ gen_require(` ++ type port_t, unreserved_port_t, ephemeral_port_t; + ') + +- allow $1 port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` + # + interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; + ') + +- dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + # + interface(`corenet_udp_send_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; + ') + +- allow $1 port_t:udp_socket send_msg; ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg; + ') + + ######################################## +@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',` + # + interface(`corenet_udp_receive_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; + ') + +- allow $1 port_t:udp_socket recv_msg; ++ allow $1 { port_t unreserved_port_t ephemeral_port_t 
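Review bot: The generic-port interfaces now cover `{ port_t unreserved_port_t ephemeral_port_t }` instead of `port_t` alone, here and in the bind/connect hunks on the next two lines (`corenet_tcp_bind_generic_port`, `corenet_udp_bind_generic_port`, `corenet_tcp_connect_generic_port` and the new DCCP variants). Every existing caller of a `*_generic_port` interface therefore gains access to all unreserved and ephemeral ports rather than only unlabelled ones, which removes the distinction the `*_unreserved_ports` and `*_ephemeral_ports` interfaces later in the file draw. If that is intended, the summaries should say so, e.g. `## Bind TCP sockets to generic, unreserved and ephemeral ports.`.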
}:udp_socket recv_msg; + ') + + ######################################## +@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',` + + ######################################## + ## ++## Bind DCCP sockets to generic ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_generic_port',` ++ gen_require(` ++ type port_t, unreserved_port_t, ephemeral_port_t; ++ attribute defined_port_type; ++ ') ++ ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind; ++ dontaudit $1 defined_port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to generic ports. + ## + ## +@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',` + # + interface(`corenet_tcp_bind_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; + ') + +- allow $1 port_t:tcp_socket name_bind; ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; + dontaudit $1 defined_port_type:tcp_socket name_bind; + ') + + ######################################## + ## ++## Do not audit attempts to bind DCCP ++## sockets to generic ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_generic_port',` ++ gen_require(` ++ type port_t, unreserved_port_t, ephemeral_port_t; ++ ') ++ ++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit bind TCP sockets to generic ports. 
+ ## + ## +@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',` + # + interface(`corenet_dontaudit_tcp_bind_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; + ') + +- dontaudit $1 port_t:tcp_socket name_bind; ++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; + ') + + ######################################## +@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` + # + interface(`corenet_udp_bind_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; + ') + +- allow $1 port_t:udp_socket name_bind; ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind; + dontaudit $1 defined_port_type:udp_socket name_bind; + ') + + ######################################## + ## ++## Connect DCCP sockets to generic ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_generic_port',` ++ gen_require(` ++ type port_t, unreserved_port_t,ephemeral_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to generic ports. + ## + ## +@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',` + # + interface(`corenet_tcp_connect_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t, ephemeral_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect; ++') ++ ++######################################## ++## ++## Send and receive DCCP network traffic on all ports. ++## ++## ++## ++## Domain allowed access. 
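Review bot: The `gen_require` of `corenet_dccp_connect_generic_port` reads `type port_t, unreserved_port_t,ephemeral_port_t;` with no space after the second comma, unlike every sibling in these hunks. Change it to `type port_t, unreserved_port_t, ephemeral_port_t;` for consistency.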
++## ++## ++# ++interface(`corenet_dccp_sendrecv_all_ports',` ++ gen_require(` ++ attribute port_type; + ') + +- allow $1 port_t:tcp_socket name_connect; ++ allow $1 port_type:dccp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',` + + ######################################## + ## ++## Bind DCCP sockets to all ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ allow $1 port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all ports. + ## + ## +@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',` + + ######################################## + ## ++## Do not audit attepts to bind DCCP sockets to any ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ dontaudit $1 port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit attepts to bind TCP sockets to any ports. + ## + ## +@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` + + ######################################## + ## ++## Connect DCCP sockets to all ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ allow $1 port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to all ports. + ## + ## +@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',` + + ######################################## + ## ++## Do not audit attempts to connect DCCP sockets ++## to all ports. ++## ++## ++## ++## Domain to not audit. 
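Review bot: The summary `## Do not audit attepts to bind DCCP sockets to any ports.` copies the typo from the existing TCP interface directly below it; new text should read `attempts`. The same spelling appears in the TCP summary already in the file, so fixing both together keeps them aligned.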
++## ++## ++# ++interface(`corenet_dontaudit_dccp_connect_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ dontaudit $1 port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Do not audit attempts to connect TCP sockets + ## to all ports. + ## +@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` + + ######################################## + ## ++## Send and receive DCCP network traffic on generic reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on generic reserved ports. + ## + ## +@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',` + + ######################################## + ## +-## Bind TCP sockets to generic reserved ports. ++## Bind DCCP sockets to generic reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## ++## Bind TCP sockets to generic reserved ports. + ## + ## + ## +@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',` + + ######################################## + ## ++## Connect DCCP sockets to generic reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to generic reserved ports. 
+ ## + ## +@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',` + + ######################################## + ## ++## Send and receive DCCP network traffic on all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on all reserved ports. + ## + ## +@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',` + + ######################################## + ## +-## Send and receive UDP network traffic on all reserved ports. ++## Send and receive UDP network traffic on all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_udp_sendrecv_all_reserved_ports',` ++ corenet_udp_send_all_reserved_ports($1) ++ corenet_udp_receive_all_reserved_ports($1) ++') ++ ++######################################## ++## ++## Bind DCCP sockets to all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## ++## Bind TCP sockets to all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:tcp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## ++## Do not audit attempts to bind DCCP sockets to all reserved ports. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ dontaudit $1 reserved_port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## ++## Do not audit attempts to bind TCP sockets to all reserved ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ dontaudit $1 reserved_port_type:tcp_socket name_bind; ++') ++ ++######################################## ++## ++## Bind UDP sockets to all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_udp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:udp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## ++## Do not audit attempts to bind UDP sockets to all reserved ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ dontaudit $1 reserved_port_type:udp_socket name_bind; ++') ++ ++######################################## ++## ++## Bind DCCP sockets to all ports > 1024. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_unreserved_ports',` ++ gen_require(` ++ attribute unreserved_port_type; ++ ') ++ ++ allow $1 unreserved_port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## ++## Bind TCP sockets to all ports > 1024. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`corenet_tcp_bind_all_unreserved_ports',` ++ gen_require(` ++ attribute unreserved_port_type; ++ ') ++ ++ allow $1 unreserved_port_type:tcp_socket name_bind; ++') ++ ++######################################## ++## ++## Bind UDP sockets to all ports > 1024. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_udp_bind_all_unreserved_ports',` ++ gen_require(` ++ attribute unreserved_port_type; ++ ') ++ ++ allow $1 unreserved_port_type:udp_socket name_bind; ++') ++ ++######################################## ++## ++## Bind TCP sockets to all ports > 32768. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_bind_all_ephemeral_ports',` ++ gen_require(` ++ attribute ephemeral_port_type; ++ ') ++ ++ allow $1 ephemeral_port_type:tcp_socket name_bind; ++') ++ ++######################################## ++## ++## Bind UDP sockets to all ports > 32768. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_udp_bind_all_ephemeral_ports',` ++ gen_require(` ++ attribute ephemeral_port_type; ++ ') ++ ++ allow $1 ephemeral_port_type:udp_socket name_bind; ++') ++ ++######################################## ++## ++## Connect DCCP sockets to reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## ++## Connect TCP sockets to reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_connect_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:tcp_socket name_connect; ++') ++ ++######################################## ++## ++## Connect DCCP sockets to all ports > 1024. 
+ ## + ## + ## +@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_sendrecv_all_reserved_ports',` +- corenet_udp_send_all_reserved_ports($1) +- corenet_udp_receive_all_reserved_ports($1) ++interface(`corenet_dccp_connect_all_unreserved_ports',` ++ gen_require(` ++ attribute unreserved_port_type; ++ ') ++ ++ allow $1 unreserved_port_type:dccp_socket name_connect; + ') + +-######################################## ++####################################### + ## +-## Bind TCP sockets to all reserved ports. ++## Connect TCP sockets to ports > 1024. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`corenet_tcp_bind_all_reserved_ports',` +- gen_require(` +- attribute reserved_port_type; +- ') ++interface(`corenet_tcp_connect_unreserved_ports',` ++ gen_require(` ++ type unreserved_port_t; ++ ') + +- allow $1 reserved_port_type:tcp_socket name_bind; +- allow $1 self:capability net_bind_service; ++ allow $1 unreserved_port_t:tcp_socket name_connect; + ') + + ######################################## + ## +-## Do not audit attempts to bind TCP sockets to all reserved ports. ++## Connect TCP sockets to all ports > 1024. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ++interface(`corenet_tcp_connect_all_unreserved_ports',` + gen_require(` +- attribute reserved_port_type; ++ attribute unreserved_port_type; + ') + +- dontaudit $1 reserved_port_type:tcp_socket name_bind; ++ allow $1 unreserved_port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Bind UDP sockets to all reserved ports. ++## Connect TCP sockets to all ports > 32768. 
+ ## + ## + ## +@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_bind_all_reserved_ports',` ++interface(`corenet_tcp_connect_all_ephemeral_ports',` + gen_require(` +- attribute reserved_port_type; ++ attribute ephemeral_port_type; + ') + +- allow $1 reserved_port_type:udp_socket name_bind; +- allow $1 self:capability net_bind_service; ++ allow $1 ephemeral_port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Do not audit attempts to bind UDP sockets to all reserved ports. ++## Do not audit attempts to connect DCCP sockets ++## all reserved ports. + ## + ## + ## +@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',` + ## + ## + # +-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + +- dontaudit $1 reserved_port_type:udp_socket name_bind; ++ dontaudit $1 reserved_port_type:dccp_socket name_connect; + ') + + ######################################## + ## +-## Bind TCP sockets to all ports > 1024. ++## Do not audit attempts to connect TCP sockets ++## all reserved ports. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`corenet_tcp_bind_all_unreserved_ports',` ++interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` + gen_require(` +- attribute unreserved_port_type; ++ attribute reserved_port_type; + ') + +- allow $1 unreserved_port_type:tcp_socket name_bind; ++ dontaudit $1 reserved_port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Bind UDP sockets to all ports > 1024. ++## Connect DCCP sockets to rpc ports. 
+ ## + ## + ## +@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` + ## + ## + # +-interface(`corenet_udp_bind_all_unreserved_ports',` ++interface(`corenet_dccp_connect_all_rpc_ports',` + gen_require(` +- attribute unreserved_port_type; ++ attribute rpc_port_type; + ') + +- allow $1 unreserved_port_type:udp_socket name_bind; ++ allow $1 rpc_port_type:dccp_socket name_connect; + ') + + ######################################## + ## +-## Connect TCP sockets to reserved ports. ++## Connect TCP sockets to rpc ports. + ## + ## + ## +@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',` + ## + ## + # +-interface(`corenet_tcp_connect_all_reserved_ports',` ++interface(`corenet_tcp_connect_all_rpc_ports',` + gen_require(` +- attribute reserved_port_type; ++ attribute rpc_port_type; + ') + +- allow $1 reserved_port_type:tcp_socket name_connect; ++ allow $1 rpc_port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Connect TCP sockets to all ports > 1024. ++## Do not audit attempts to connect DCCP sockets ++## all rpc ports. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`corenet_tcp_connect_all_unreserved_ports',` ++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` + gen_require(` +- attribute unreserved_port_type; ++ attribute rpc_port_type; + ') + +- allow $1 unreserved_port_type:tcp_socket name_connect; ++ dontaudit $1 rpc_port_type:dccp_socket name_connect; + ') + + ######################################## + ## + ## Do not audit attempts to connect TCP sockets +-## all reserved ports. ++## all rpc ports. 
+ ## + ## + ## +@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` + ## + ## + # +-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` ++interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` + gen_require(` +- attribute reserved_port_type; ++ attribute rpc_port_type; + ') + +- dontaudit $1 reserved_port_type:tcp_socket name_connect; ++ dontaudit $1 rpc_port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Connect TCP sockets to rpc ports. ++## Read and write the TUN/TAP virtual network device. + ## + ## + ## +-## Domain allowed access. ++## The domain allowed access. + ## + ## + # +-interface(`corenet_tcp_connect_all_rpc_ports',` ++interface(`corenet_rw_tun_tap_dev',` + gen_require(` +- attribute rpc_port_type; ++ type tun_tap_device_t; + ') + +- allow $1 rpc_port_type:tcp_socket name_connect; ++ dev_list_all_dev_nodes($1) ++ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to connect TCP sockets +-## all rpc ports. ++## Relabel to and from the TUN/TAP virtual network device. + ## + ## + ## +-## Domain to not audit. ++## The domain allowed access. + ## + ## + # +-interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` ++interface(`corenet_relabel_tun_tap_dev',` + gen_require(` +- attribute rpc_port_type; ++ type tun_tap_device_t; + ') + +- dontaudit $1 rpc_port_type:tcp_socket name_connect; ++ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) + ') + + ######################################## + ## +-## Read and write the TUN/TAP virtual network device. ++## Read and write inherited TUN/TAP virtual network device. 
+ ## + ## + ## +@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` + ## + ## + # +-interface(`corenet_rw_tun_tap_dev',` ++interface(`corenet_rw_inherited_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + +- dev_list_all_dev_nodes($1) +- allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ++ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',` + + ######################################## + ## ++## Bind DCCP sockets to all RPC ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ allow $1 rpc_port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all RPC ports. + ## + ## +@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` + + ######################################## + ## ++## Do not audit attempts to bind DCCP sockets to all RPC ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ dontaudit $1 rpc_port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit attempts to bind TCP sockets to all RPC ports. + ## + ## +@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',` + + ######################################## + ## ++## Receive DCCP packets from a NetLabel connection. ++## ++## ++## ++## Domain allowed access. 
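Review bot: `rw_inherited_chr_file_perms` in `corenet_rw_inherited_tun_tap_dev` is not defined in this chunk; unlike `rw_chr_file_perms` used by `corenet_rw_tun_tap_dev` on the previous line it is not an upstream refpolicy permission set as far as I know, so the interface compiles only if the support-macro part of this patch defines it. Its semantics are inferred from the name only; a short comment would pin them, e.g. `# inherited fd only: presumably excludes open, so the caller cannot open the device itself — confirm against the permission-set definition`.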
++## ++## ++# ++interface(`corenet_dccp_recvfrom_netlabel',` ++ gen_require(` ++ type netlabel_peer_t; ++ ') ++ ++ allow $1 netlabel_peer_t:peer recv; ++ allow $1 netlabel_peer_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Receive TCP packets from a NetLabel connection. + ## + ## +@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` + + ######################################## + ## +-## Receive TCP packets from an unlabled connection. ++## Receive DCCP packets from an unlabled connection. + ## + ## + ## +@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` + ## + ## + # +-interface(`corenet_tcp_recvfrom_unlabeled',` +- kernel_tcp_recvfrom_unlabeled($1) ++interface(`corenet_dccp_recvfrom_unlabeled',` ++ gen_require(` ++ attribute corenet_unlabeled_type; ++ ') ++ ++ kernel_dccp_recvfrom_unlabeled($1) + kernel_recvfrom_unlabeled_peer($1) + ++ typeattribute $1 corenet_unlabeled_type; + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems +@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` + + ######################################## + ## ++## Do not audit attempts to receive DCCP packets from a NetLabel ++## connection. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_recvfrom_netlabel',` ++ gen_require(` ++ type netlabel_peer_t; ++ ') ++ ++ dontaudit $1 netlabel_peer_t:peer recv; ++ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Do not audit attempts to receive TCP packets from a NetLabel + ## connection. + ## +@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` + + ######################################## + ## ++## Do not audit attempts to receive DCCP packets from an unlabeled ++## connection. ++## ++## ++## ++## Domain to not audit. 
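Review bot: The summary line renamed here keeps the misspelling "unlabled" inherited from the TCP text it was copied from; it should read `## Receive DCCP packets from an unlabeled connection.`. The interface body this summary belongs to is in the following hunk, not this one.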
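Review bot: The added `typeattribute $1 corenet_unlabeled_type;` in corenet_dccp_recvfrom_unlabeled makes the interface grant far more than its name says: the attribute rules this patch appends to corenetwork.te.in give corenet_unlabeled_type recvfrom on unlabeled TCP, UDP and raw IP traffic as well as DCCP, so a caller asking only for DCCP silently gets the other three protocols too. If that widening is intended, the summary should state it; otherwise drop the typeattribute line and keep the explicit `kernel_dccp_recvfrom_unlabeled($1)` and `kernel_recvfrom_unlabeled_peer($1)` calls, which already cover the DCCP case and make the attribute redundant here. The `kernel_sendrecv_unlabeled_association` call that the XXX comment introduces lies past the end of the hunk.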
++## ++## ++# ++interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',` ++ kernel_dontaudit_dccp_recvfrom_unlabeled($1) ++ kernel_dontaudit_recvfrom_unlabeled_peer($1) ++ ++ # XXX - at some point the oubound/send access check will be removed ++ # but for right now we need to keep this in place so as not to break ++ # older systems ++ kernel_dontaudit_sendrecv_unlabeled_association($1) ++') ++ ++######################################## ++## + ## Do not audit attempts to receive TCP packets from an unlabeled + ## connection. + ## +@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` + ## + # + interface(`corenet_all_recvfrom_unlabeled',` +- kernel_tcp_recvfrom_unlabeled($1) +- kernel_udp_recvfrom_unlabeled($1) +- kernel_raw_recvfrom_unlabeled($1) +- kernel_recvfrom_unlabeled_peer($1) +- +- # XXX - at some point the oubound/send access check will be removed +- # but for right now we need to keep this in place so as not to break +- # older systems +- kernel_sendrecv_unlabeled_association($1) ++ gen_require(` ++ attribute corenet_unlabeled_type; ++ ') ++ typeattribute $1 corenet_unlabeled_type; + ') + + ######################################## +@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',` + # + interface(`corenet_all_recvfrom_netlabel',` + gen_require(` +- type netlabel_peer_t; ++ attribute netlabel_peer_type; + ') + +- allow $1 netlabel_peer_t:peer recv; +- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; ++ typeattribute $1 netlabel_peer_type; ++') ++ ++######################################## ++## ++## Enable unlabeled net packets ++## ++## ++##
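Review bot: corenet_all_recvfrom_unlabeled silently loses `kernel_sendrecv_unlabeled_association($1)`, which the removed lines granted under the "older systems" XXX comment; the corenet_unlabeled_type rules this patch adds at the end of corenetwork.te.in give the attribute only the per-protocol recvfrom and peer permissions, and the association permission is now reachable only through the new corenet_enable_unlabeled_packets. Unless something in the base policy calls that interface, every existing caller of this one regresses on kernels that still enforce the association check. Either keep the call, or add a comment such as `# sendto/recvfrom on unlabeled associations is granted for the whole attribute by corenet_enable_unlabeled_packets()` so the dependency is explicit.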

++## Allow unlabeled_packet_t to be used by all domains that use the network ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_enable_unlabeled_packets',` ++ gen_require(` ++ attribute corenet_unlabeled_type; ++ ') ++ ++ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type) + ') + + ######################################## +@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',` + ## + # + interface(`corenet_dontaudit_all_recvfrom_unlabeled',` ++ kernel_dontaudit_dccp_recvfrom_unlabeled($1) + kernel_dontaudit_tcp_recvfrom_unlabeled($1) + kernel_dontaudit_udp_recvfrom_unlabeled($1) + kernel_dontaudit_raw_recvfrom_unlabeled($1) +@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` + ') + + dontaudit $1 netlabel_peer_t:peer recv; +- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; ++ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; ++') ++ ++######################################## ++## ++## Rules for receiving labeled DCCP packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Peer domain. 
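Review bot: corenet_enable_unlabeled_packets documents a "Domain allowed access" parameter but never uses `$1`; its only rule, `kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)`, enables the permission for every domain carrying the attribute regardless of who calls it. That makes it a global switch disguised as a per-domain interface, and the summary's mention of unlabeled_packet_t does not match the association permission actually granted. Either remove the parameter block and reword the summary along the lines of "Grant every corenet_unlabeled_type domain sendto/recvfrom on unlabeled associations; call once from the base policy", or make it genuinely per-domain with `kernel_sendrecv_unlabeled_association($1)`.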
++## ++## ++# ++interface(`corenet_dccp_recvfrom_labeled',` ++ allow { $1 $2 } self:association sendto; ++ allow $1 $2:{ association dccp_socket } recvfrom; ++ allow $2 $1:{ association dccp_socket } recvfrom; ++ ++ allow $1 $2:peer recv; ++ allow $2 $1:peer recv; ++ ++ # allow receiving packets from MLS-only peers using NetLabel ++ corenet_dccp_recvfrom_netlabel($1) ++ corenet_dccp_recvfrom_netlabel($2) + ') + + ######################################## +@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',` + ## + # + interface(`corenet_all_recvfrom_labeled',` ++ corenet_dccp_recvfrom_labeled($1, $2) + corenet_tcp_recvfrom_labeled($1, $2) + corenet_udp_recvfrom_labeled($1, $2) + corenet_raw_recvfrom_labeled($1, $2) +@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',` + + typeattribute $1 corenet_unconfined_type; + ') ++ ++######################################## ++## ++## Create all network named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_filetrans_all_named_dev',` ++ ++ gen_require(` ++ type tun_tap_device_t; ++ type ppp_device_t; ++ ') ++ ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14") 
++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap20") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap21") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap22") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap23") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap24") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap25") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap26") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap27") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap28") ++ dev_filetrans($1, tun_tap_device_t, chr_file, "tap29") ++ dev_filetrans($1, ppp_device_t, chr_file, "ppp") ++') +diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 +index 8e0f9cd..b9f45b9 100644 +--- a/policy/modules/kernel/corenetwork.if.m4 ++++ b/policy/modules/kernel/corenetwork.if.m4 +@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',` + + ######################################## + ## ++## Do not audit attempts to sbind to $1 port. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_bind_$1_port',` ++ gen_require(` ++ $3 $1_$2; ++ ') ++ ++ dontaudit dollarsone $1_$2:udp_socket name_bind; ++ $4 ++') ++ ++######################################## ++## + ## Make a TCP connection to the $1 port. + ## + ## +@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',` + + allow dollarsone $1_$2:tcp_socket name_connect; + ') ++######################################## ++## ++## Do not audit attempts to make a TCP connection to $1 port. ++## ++## ++## ++## Domain allowed access. 
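Review bot: corenet_filetrans_all_named_dev stops at tap29 with no explanation, so a reader cannot tell whether tap30 and up are meant to be left alone or were simply forgotten. Name-based transitions need literal names, so the enumeration itself is unavoidable, but the cutoff should be stated, e.g. `# name-based transitions need literal names; tap0-tap29 covers the usual range, higher tapN nodes presumably keep the directory's type`. The same comment should say why only the bare "ppp" node, and no numbered ppp nodes, gets ppp_device_t.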
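Review bot: corenet_dontaudit_udp_bind_$1_port ends with a bare `$4`, carried over from the bind interface above it, while the matching corenet_dontaudit_tcp_connect_$1_port in the next hunk has no such line. In the existing bind interfaces `$4` is the per-port extra rule slot (its expansion is outside this hunk); if it expands to an allow rule for reserved ports, a dontaudit interface would quietly grant real access, which nobody auditing the caller would expect. Drop `$4` from the dontaudit interface. The summary also has a typo and should read `## Do not audit attempts to bind to $1 port.`.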
++## ++## ++# ++interface(`corenet_dontaudit_tcp_connect_$1_port',` ++ gen_require(` ++ $3 $1_$2; ++ ') ++ ++ dontaudit dollarsone $1_$2:tcp_socket name_connect; ++') + '') dnl end create_port_interfaces + + define(`create_packet_interfaces',`` +diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in +index 4edc40d..06129ea 100644 +--- a/policy/modules/kernel/corenetwork.te.in ++++ b/policy/modules/kernel/corenetwork.te.in +@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) + # Declarations + # + ++attribute netlabel_peer_type; + attribute client_packet_type; + # This is an optimization for { port_type -port_t } + attribute defined_port_type; +@@ -14,12 +15,14 @@ attribute node_type; + attribute packet_type; + attribute port_type; + attribute reserved_port_type; ++attribute ephemeral_port_type; + attribute rpc_port_type; + attribute server_packet_type; + # This is an optimization for { port_type -reserved_port_type } + attribute unreserved_port_type; + + attribute corenet_unconfined_type; ++attribute corenet_unlabeled_type; + + type ppp_device_t; + dev_node(ppp_device_t) +@@ -29,6 +32,7 @@ dev_node(ppp_device_t) + # + type tun_tap_device_t; + dev_node(tun_tap_device_t) ++mls_trusted_object(tun_tap_device_t) + + ######################################## + # +@@ -38,6 +42,18 @@ dev_node(tun_tap_device_t) + # + # client_packet_t is the default type of IPv4 and IPv6 client packets. + # ++type intranet_packet_t; ++corenet_packet(intranet_packet_t) ++ ++# ++# client_packet_t is the default type of IPv4 and IPv6 client packets. ++# ++type internet_packet_t; ++corenet_packet(internet_packet_t) ++ ++# ++# client_packet_t is the default type of IPv4 and IPv6 client packets. 
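Review bot: The parameter description for corenet_dontaudit_tcp_connect_$1_port says "Domain allowed access" although the interface emits only a dontaudit rule; it should read `## Domain to not audit.` as the udp dontaudit interface in the previous hunk does. Style: the `########` banner is glued to the closing `')` of corenet_tcp_connect_$1_port with no blank line, unlike every other interface in this template; add the blank line before the banner.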
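Review bot: `mls_trusted_object(tun_tap_device_t)` exempts the TUN/TAP device node from the MLS read/write constraints, so any domain allowed rw access to it (corenet_rw_tun_tap_dev and the new inherited variant in corenetwork.if) can move data between levels through it, and the hunk gives no rationale. Add a comment naming the cross-level consumer that needs this, e.g. `# MLS trusted object: <consumer> opens tap devices at one level and hands them to domains at another - TODO confirm`, or scope the exemption to the domains that actually need it.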
++# + type client_packet_t, packet_type, client_packet_type; + + # +@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type; + # + type netlabel_peer_t; + sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) ++mcs_constrained(netlabel_peer_t) + + # + # port_t is the default type of INET port numbers. +@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0) + type unreserved_port_t, port_type, unreserved_port_type; + + # ++# ephemeral_port_t is the default type of ephemeral port numbers. ++# cat /proc/sys/net/ipv4/ip_local_port_range ++# ++type ephemeral_port_t, port_type, ephemeral_port_type; ++ ++# + # reserved_port_t is the type of INET port numbers below 1024. + # + type reserved_port_t, port_type, reserved_port_type; +@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) + network_port(amavisd_recv, tcp,10024,s0) + network_port(amavisd_send, tcp,10025,s0) + network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) +-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) ++network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) ++network_port(apc, tcp,3052,s0, udp,3052,s0) + network_port(apcupsd, tcp,3551,s0, udp,3551,s0) + network_port(apertus_ldp, tcp,539,s0, udp,539,s0) +-network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0) + network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) + network_port(audit, tcp,60,s0) + network_port(auth, tcp,113,s0) +@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0) + network_port(boinc_client, tcp,1043,s0, udp,1034,s0) + network_port(biff) # no defined portcon + network_port(certmaster, tcp,51235,s0) ++network_port(collectd, udp,25826,s0) + network_port(chronyd, udp,323,s0) + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) + network_port(cma, tcp,1050,s0, udp,1050,s0) + network_port(cobbler, tcp,25151,s0) 
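Review bot: The comments introducing intranet_packet_t and internet_packet_t are the client_packet_t comment pasted three times, so both new types are documented as "the default type of IPv4 and IPv6 client packets", which is wrong for each of them. Replace the first two copies with one-line descriptions of what each type is meant to label, e.g. `# intranet_packet_t: SECMARK packet type for traffic classified as internal - TODO confirm` and the analogous line for internet_packet_t; if they are placeholders with no rules yet, say so instead.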
+-network_port(commplex_link, tcp,5001,s0, udp,5001,s0) ++network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0) + network_port(commplex_main, tcp,5000,s0, udp,5000,s0) + network_port(comsat, udp,512,s0) + network_port(condor, tcp,9618,s0, udp,9618,s0) + network_port(couchdb, tcp,5984,s0, udp,5984,s0) +-network_port(cslistener, tcp,9000,s0, udp,9000,s0) +-network_port(ctdb, tcp,4379,s0, udp,4397,s0) ++network_port(ctdb, tcp,4379,s0, udp,4379,s0) + network_port(cvs, tcp,2401,s0, udp,2401,s0) + network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) + network_port(daap, tcp,3689,s0, udp,3689,s0) +@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, + network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) + network_port(dict, tcp,2628,s0) + network_port(distccd, tcp,3632,s0) +-network_port(dns, tcp,53,s0, udp,53,s0) ++network_port(dogtag, tcp,7390,s0) ++network_port(dns, udp,53,s0, tcp,53,s0) ++network_port(dnssec, tcp,8955,s0) ++network_port(echo, tcp,7,s0, udp,7,s0) + network_port(efs, tcp,520,s0) + network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0) + network_port(epmap, tcp,135,s0, udp,135,s0) + network_port(epmd, tcp,4369,s0, udp,4369,s0) + network_port(fingerd, tcp,79,s0) +-network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) ++network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) ++network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) ++network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) + network_port(ftp_data, tcp,20,s0) + network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) + network_port(gds_db, tcp,3050,s0, udp,3050,s0) + network_port(giftd, tcp,1213,s0) + network_port(git, tcp,9418,s0, udp,9418,s0) ++network_port(glance, tcp,9292,s0, udp,9292,s0) + network_port(glance_registry, tcp,9191,s0, udp,9191,s0) ++network_port(gluster, 
tcp,24007-24027,s0, tcp, 38465-38469,s0) + network_port(gopher, tcp,70,s0, udp,70,s0) + network_port(gpsd, tcp,2947,s0) + network_port(hadoop_datanode, tcp,50010,s0) +@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0) + network_port(hddtemp, tcp,7634,s0) + network_port(howl, tcp,5335,s0, udp,5353,s0) + network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) +-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port +-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy ++network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port ++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy + network_port(i18n_input, tcp,9010,s0) + network_port(imaze, tcp,5323,s0, udp,5323,s0) +-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) ++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0) + network_port(innd, tcp,119,s0) + network_port(interwise, tcp,7778,s0, udp,7778,s0) + network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) + network_port(ipmi, udp,623,s0, udp,664,s0) + network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) + network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) +-network_port(ircd, tcp,6667,s0) 
++network_port(ircd, tcp,6667,s0, tcp,6697,s0) + network_port(isakmp, udp,500,s0) + network_port(iscsi, tcp,3260,s0) + network_port(isns, tcp,3205,s0, udp,3205,s0) + network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) + network_port(jabber_interserver, tcp,5269,s0) +-network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) +-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) +-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) +-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +-network_port(kismet, tcp,2501,s0) ++network_port(jabber_router, tcp,5347,s0) ++network_port(jacorb, tcp,3528,s0, tcp,3529,s0) ++network_port(jboss_debug, tcp,8787,s0, udp,8787,s0) ++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0) ++network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) ++network_port(kerberos_admin, tcp,749,s0) ++network_port(kerberos_password, tcp,464,s0, udp,464,s0) ++network_port(keystone, tcp, 35357,s0, udp, 35357,s0) ++network_port(rlogin, tcp,543,s0, tcp,2105,s0) ++network_port(rtsclient, tcp,2501,s0) + network_port(kprop, tcp,754,s0) + network_port(ktalkd, udp,517,s0, udp,518,s0) +-network_port(l2tp, tcp,1701,s0, udp,1701,s0) +-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) ++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) + network_port(lirc, tcp,8765,s0) +-network_port(lmtp, tcp,24,s0, udp,24,s0) ++network_port(luci, tcp,8084,s0) ++network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0) + network_port(lrrd) # no defined portcon ++network_port(l2tp, tcp,1701,s0, udp,1701,s0) + network_port(mail, tcp,2000,s0, tcp,3905,s0) + network_port(matahari, tcp,49000,s0, udp,49000,s0) + network_port(memcache, tcp,11211,s0, udp,11211,s0) +-network_port(milter) # no 
defined portcon ++network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon + network_port(mmcc, tcp,5050,s0, udp,5050,s0) ++network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) + network_port(monopd, tcp,1234,s0) + network_port(mountd, tcp,20048,s0, udp,20048,s0) + network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) + network_port(mpd, tcp,6600,s0) +-network_port(msgsrvr, tcp,8787,s0, udp,8787,s0) + network_port(msnp, tcp,1863,s0, udp,1863,s0) + network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) + network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) +@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) + network_port(mxi, tcp,8005,s0, udp,8005,s0) + network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) + network_port(mysqlmanagerd, tcp,2273,s0) ++network_port(mythtv, tcp,6543-6544,s0) + network_port(nessus, tcp,1241,s0) + network_port(netport, tcp,3129,s0, udp,3129,s0) + network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +-network_port(nfs, tcp,2049,s0, udp,2049,s0) +-network_port(nfsrdma, tcp,20049,s0, udp,20049,s0) ++network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0) + network_port(nmbd, udp,137,s0, udp,138,s0) ++network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0) + network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) + network_port(ntp, udp,123,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) + network_port(oa_system, tcp,8022,s0, udp,8022,s0) +-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) + network_port(ocsp, tcp,9080,s0) + network_port(openhpid, tcp,4743,s0, udp,4743,s0) + network_port(openvpn, tcp,1194,s0, udp,1194,s0) ++network_port(osapi_compute, tcp, 8774, s0) + network_port(pdps, tcp,1314,s0, udp,1314,s0) + network_port(pegasus_http, tcp,5988,s0) + network_port(pegasus_https, tcp,5989,s0) + network_port(pgpkeyserver, udp, 
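Review bot: Removing jboss_iiop_port_t, kerberos_master_port_t, kismet_port_t and msgsrvr_port_t in this hunk (and armtechdaemon_port_t, cslistener_port_t earlier in the file) leaves no compatibility aliases, whereas the neutron/quantum rename at the end of this file gets `typealias` lines. Any module that still does `gen_require(` type kerberos_master_port_t; `)` will fail to load; add `typealias kerberos_port_t alias kerberos_master_port_t;` and the equivalents for the others next to the neutron aliases, unless they are provided elsewhere in the patch. Minor: `tcp,9000, s0` in the http line breaks the `tcp,NNNN,s0` form used by every other entry.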
11371,s0, tcp,11371,s0) + network_port(pingd, tcp,9125,s0) ++network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) ++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0) ++network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0) ++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0) ++network_port(pki_ra, tcp,12888-12889,s0) ++network_port(pki_tps, tcp,7888-7889,s0) + network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) +-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) ++network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0) + network_port(portmap, udp,111,s0, tcp,111,s0) + network_port(postfix_policyd, tcp,10031,s0) + network_port(postgresql, tcp,5432,s0) +@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) + network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) + network_port(printer, tcp,515,s0) + network_port(ptal, tcp,5703,s0) +-network_port(pulseaudio, tcp,4713,s0) ++network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) + network_port(puppet, tcp, 8140, s0) + network_port(pxe, udp,4011,s0) + network_port(pyzor, udp,24441,s0) ++network_port(neutron, tcp,9696,s0) + network_port(radacct, udp,1646,s0, udp,1813,s0) + network_port(radius, udp,1645,s0, udp,1812,s0) + network_port(radsec, tcp,2083,s0) + network_port(razor, tcp,2703,s0) ++network_port(time, tcp,37,s0, udp,37,s0) ++network_port(redis, tcp,6379,s0) + network_port(repository, tcp, 6363, s0) + network_port(ricci, tcp,11111,s0, udp,11111,s0) + network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) + network_port(rlogind, tcp,513,s0) +-network_port(rndc, tcp,953,s0, udp,953,s0) ++network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0) + network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) + network_port(rsh, tcp,514,s0) + network_port(rsync, 
tcp,873,s0, udp,873,s0) +-network_port(rtsp, tcp,554,s0, udp,554,s0) ++network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0) ++network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0) + network_port(rwho, udp,513,s0) ++network_port(salt, tcp,4505,s0, tcp,4506,s0) + network_port(sap, tcp,9875,s0, udp,9875,s0) ++network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) + network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) ++network_port(sge, tcp,6444,s0, tcp,6445,s0) + network_port(sieve, tcp,4190,s0) + network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) + network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) + network_port(smbd, tcp,137-139,s0, tcp,445,s0) + network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) +-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0) ++network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) + network_port(socks) # no defined portcon + network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) +-network_port(spamd, tcp,783,s0) ++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0) + network_port(speech, tcp,8036,s0) +-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +-network_port(ssdp, tcp,1900,s0, udp,1900,s0) ++network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp ++network_port(ssdp, tcp,1900,s0, udp, 1900, s0) + network_port(ssh, tcp,22,s0) + network_port(stunnel) # no defined portcon + network_port(svn, tcp,3690,s0, udp,3690,s0) +@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) + network_port(tcs, tcp, 30003, s0) + network_port(telnetd, tcp,23,s0) + network_port(tftp, udp,69,s0) +-network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) ++network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0) + network_port(traceroute, udp,64000-64010,s0) ++network_port(tram, tcp, 4567, s0) + 
network_port(transproxy, tcp,8081,s0) + network_port(trisoap, tcp,10200,s0, udp,10200,s0) + network_port(ups, tcp,3493,s0) +@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0) + network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) + network_port(virtual_places, tcp,1533,s0, udp,1533,s0) + network_port(virt_migration, tcp,49152-49216,s0) +-network_port(vnc, tcp,5900,s0) ++network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0) + network_port(wccp, udp,2048,s0) + network_port(websm, tcp,9090,s0, udp,9090,s0) +-network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0) ++network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) + network_port(winshadow, tcp,3161,s0, udp,3261,s0) + network_port(wsdapi, tcp,5357,s0, udp,5357,s0) + network_port(wsicopy, tcp,3378,s0, udp,3378,s0) +@@ -285,19 +338,23 @@ network_port(zabbix_agent, tcp,10050,s0) + network_port(zookeeper_client, tcp,2181,s0) + network_port(zookeeper_election, tcp,3888,s0) + network_port(zookeeper_leader, tcp,2888,s0) +-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) ++network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0) + network_port(zented, tcp,1229,s0, udp,1229,s0) + network_port(zope, tcp,8021,s0) + + # Defaults for reserved ports. Earlier portcon entries take precedence; + # these entries just cover any remaining reserved ports not otherwise declared. 
+ +-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) +-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) + portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) + portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) + portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) + portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) ++portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) ++portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) ++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) ++portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) ++portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) ++portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) + + ######################################## + # +@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) + + build_option(`enable_mls',` + network_interface(lo, lo, s0 - mls_systemhigh) ++allow netlabel_peer_t lo_netif_t:netif ingress; ++allow netlabel_peer_type lo_netif_t:netif egress; + ',` + typealias netif_t alias { lo_netif_t netif_lo_t }; + ') +@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; + allow corenet_unconfined_type node_type:node *; + allow corenet_unconfined_type netif_type:netif *; + allow corenet_unconfined_type packet_type:packet *; ++allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect }; + allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; + allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; + + # Bind to any network address. 
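Review bot: The ephemeral band is hard-coded twice, as `portcon tcp/udp 32768-61000 ... ephemeral_port_t` here and as the `>= 32768 && < 61001` bounds of add_ephemeral_attribute in corenetwork.te.m4, while the comment on ephemeral_port_t points at /proc/sys/net/ipv4/ip_local_port_range, which is tunable and differs between kernels. A port the kernel actually hands out outside that band is labeled unreserved_port_t, and a network_port() entry starting inside it carries both unreserved_port_type and ephemeral_port_type. Add a comment next to these portcon lines, e.g. `# keep in sync with add_ephemeral_attribute in corenetwork.te.m4; mirrors the kernel default ip_local_port_range`, so the two copies do not drift.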
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; +-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; ++allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; ++allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; ++ ++# ++# Rules coverning the use of unlabeled types ++# ++kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type) ++ ++allow netlabel_peer_type netlabel_peer_t:peer recv; ++allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; ++allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress }; ++allow netlabel_peer_t node_t:node recvfrom; ++ ++typealias neutron_port_t alias quantum_port_t; ++typealias neutron_server_packet_t alias quantum_server_packet_t; ++typealias neutron_client_packet_t alias quantum_client_packet_t; +diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 +index 3f6e168..51ad69a 100644 +--- a/policy/modules/kernel/corenetwork.te.m4 ++++ b/policy/modules/kernel/corenetwork.te.m4 +@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl + ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;') + ') + ++define(`add_ephemeral_attribute',`dnl ++ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type; ++',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl ++') ++ + # bindresvport in glibc starts searching for reserved ports at 512 + define(`add_rpc_attribute',`dnl + ifelse(eval(range_start($3) >= 512 && range_start($3) < 
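Review bot: The banner over the new attribute rules reads "Rules coverning the use of unlabeled types"; fix it to `# Rules governing the use of unlabeled types` and add that the association permission is deliberately left to corenet_enable_unlabeled_packets(), because a reader comparing these five kernel_* calls with the old corenet_all_recvfrom_unlabeled body will otherwise assume it was lost. The three neutron/quantum `typealias` lines do not belong under that banner; move them next to the neutron network_port() declaration or give them their own `# compatibility aliases for renamed port types` comment.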
1024),1,`typeattribute $1 rpc_port_type; +@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type; + type $1_server_packet_t, packet_type, server_packet_type; + ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl + ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl ++ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl + ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl + ') + +diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc +index b31c054..e4d61f5 100644 +--- a/policy/modules/kernel/devices.fc ++++ b/policy/modules/kernel/devices.fc +@@ -15,15 +15,18 @@ + /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) ++/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) +-/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0) + /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) + /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) +-/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) ++/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) ++/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/em8300.* 
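Review bot: add_ephemeral_attribute tags a port type ephemeral only when the start of a declared range falls in 32768-61000, so a range that starts below 32768 and crosses into the ephemeral band is not tagged even though it overlaps it. That mirrors add_rpc_attribute next to it, but the new macro has no comment; add `# ephemeral iff the range *starts* in 32768-61000; must match the ephemeral_port_t portcon lines in corenetwork.te.in`.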
-c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -61,7 +64,8 @@ + /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) + /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +-/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) ++/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) + /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -106,6 +110,7 @@ + /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) + /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) + /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) +@@ -118,6 +123,9 @@ + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) + ') ++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) + /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` + /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) ++/dev/cdc-wdm[0-9] -c 
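Review bot: The `/dev/cachefiles` entry is removed without a replacement, so the node presumably falls back to the generic device_t label of its directory, which many more domains can reach than a dedicated cachefiles_device_t; if the type is being dropped, its devices.te declaration and interfaces need to go with it, and if it is only being relocated the new entry should be in this patch. Also, `/dev/ecryptfs` is set to mls_systemhigh while the adjacent new `/dev/dlm.*` and `/dev/ptp.*` entries stay at s0; a one-line comment on why ecryptfs is high, e.g. `# presumably carries key material - TODO confirm`, would help the next reader.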
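Review bot: `/dev/spidev.* -c ... usb_device_t` labels SPI bus nodes as USB devices; nothing about spidev is USB, and every domain granted usb_device_t read/write access gets raw SPI bus access as a side effect. Either declare a dedicated type for it or, at minimum, mark the choice with `# spidev: reusing usb_device_t for lack of a dedicated SPI type - TODO` so it is visible to reviewers.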
gen_context(system_u:object_r:modem_device_t,s0) + /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) + /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) + + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + ++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + +@@ -198,12 +208,22 @@ ifdef(`distro_debian',` + /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) + /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) + +-/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) +- + ifdef(`distro_redhat',` + # originally from named.fc + /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) + /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) + /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) + /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) + ') ++ ++# ++# /sys ++# ++/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) ++/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) ++ ++/usr/lib/udev/devices(/.*)? 
gen_context(system_u:object_r:device_t,s0) ++/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) ++/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) ++/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index 76f285e..b708d28 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` + type device_t; + ') + +- relabelfrom_dirs_pattern($1, device_t, device_node) +- relabelfrom_files_pattern($1, device_t, device_node) +- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) +- relabelfrom_fifo_files_pattern($1, device_t, device_node) +- relabelfrom_sock_files_pattern($1, device_t, device_node) +- relabel_blk_files_pattern($1, device_t, { device_t device_node }) +- relabel_chr_files_pattern($1, device_t, { device_t device_node }) ++ relabel_dirs_pattern($1, device_t, device_node) ++ relabel_files_pattern($1, device_t, device_node) ++ relabel_lnk_files_pattern($1, device_t, device_node) ++ relabel_fifo_files_pattern($1, device_t, device_node) ++ relabel_sock_files_pattern($1, device_t, device_node) ++ relabel_blk_files_pattern($1, device_t, device_node) ++ relabel_chr_files_pattern($1, device_t, device_node) ++') ++ ++######################################## ++## ++## Allow full relabeling (to and from) of all device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_relabel_all_dev_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ relabel_files_pattern($1, device_t, device_t) + ') + + ######################################## +@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',` + + ######################################## + ## ++## Dontaudit attempts to list all device nodes. ++## ++## ++## ++## Domain to not audit. 
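Review bot: The new `/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` entry only takes effect where the sysfs mount accepts security xattrs and is explicitly relabeled; otherwise the `genfscon` label `sysfs_t` remains and the `dev_read_cpu_online` interface added later in this patch grants nothing usable. Worth a comment on the line, e.g. `# requires an xattr-capable sysfs and restorecon of /sys`, so the dependency is visible to packagers. The `/usr/lib/udev/devices` entries duplicate the `/lib/udev/devices` ones above for merged-/usr layouts, which looks intentional.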
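Review bot: Replacing the `relabelfrom_*` patterns with `relabel_*` in `dev_relabel_all_dev_nodes` gives every existing caller `relabelto` on every `device_node` type, a real privilege widening that the interface name and its summary (outside this hunk) no longer describe; the summary should be updated to "Allow full relabeling (to and from) of all device nodes" and callers audited for whether they need the `to` half. The lnk/blk/chr patterns also drop `device_t` from the target set (`{ device_t device_node }` → `device_node`); if `device_t` itself is not given the `device_node` attribute in devices.te, relabeling of generically labeled nodes is lost, so please confirm. The new `dev_relabel_all_dev_files` is fine as written.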
++## ++## ++# ++interface(`dev_dontaudit_all_access_check',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ dontaudit $1 device_node:file_class_set audit_access; ++') ++ ++######################################## ++## + ## Add entries to directories in /dev. + ## + ## +@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',` + read_files_pattern($1, device_t, device_t) + ') + ++####################################### ++## ++## Read generic files in /dev. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_generic_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ dontaudit $1 device_t:file { read getattr }; ++') ++ + ######################################## + ## + ## Read and write generic files in /dev. +@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',` + + ######################################## + ## ++## Rename generic block device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rename_generic_blk_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ rename_blk_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## ++## write generic sock files in /dev. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_write_generic_sock_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ write_sock_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Dontaudit getattr on generic block devices. + ## + ## +@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` + + ######################################## + ## ++## Rename generic character device nodes. ++## ++## ++## ++## Domain allowed access. 
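Review bot: The summary of the new `dev_dontaudit_all_access_check` was copied from `dev_dontaudit_list_all_dev_nodes` and does not describe the rule `dontaudit $1 device_node:file_class_set audit_access;`; it should read `## Do not audit access checks (e.g. access(2)) on all device nodes.`. The same copy-paste mismatch appears in the next two hunks: `dev_dontaudit_read_generic_files` is summarised as "Read generic files in /dev." instead of `## Do not audit attempts to read generic files in /dev.`, and `dev_write_generic_sock_files` documents its parameter as "Domain to not audit." although it is an allow rule, so it should be `## Domain allowed access.` with the summary capitalised as "Write generic sock files in /dev.". Interface docs are what policy authors read when choosing a macro, so these mismatches lead to wrong grants.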
++## ++## ++# ++interface(`dev_rename_generic_chr_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ rename_chr_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Dontaudit setattr for generic character device files. + ## + ## +@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',` + ## + ## + ## +-## Domain to dontaudit access. ++## Domain to not audit. + ## + ## + # +@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` + + ######################################## + ## +-## Read symbolic links in device directories. ++## Create symbolic links in device directories. + ## + ## + ## +@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` + ## + ## + # +-interface(`dev_read_generic_symlinks',` ++interface(`dev_create_generic_symlinks',` + gen_require(` + type device_t; + ') + +- allow $1 device_t:lnk_file read_lnk_file_perms; ++ create_lnk_files_pattern($1, device_t, device_t) + ') + + ######################################## + ## +-## Create symbolic links in device directories. ++## Delete symbolic links in device directories. + ## + ## + ## +@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',` + ## + ## + # +-interface(`dev_create_generic_symlinks',` ++interface(`dev_delete_generic_symlinks',` + gen_require(` + type device_t; + ') + +- create_lnk_files_pattern($1, device_t, device_t) ++ delete_lnk_files_pattern($1, device_t, device_t) + ') + + ######################################## + ## +-## Delete symbolic links in device directories. ++## Read symbolic links in device directories. 
+ ## + ## + ## +@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',` + ## + ## + # +-interface(`dev_delete_generic_symlinks',` ++interface(`dev_read_generic_symlinks',` + gen_require(` + type device_t; + ') + +- delete_lnk_files_pattern($1, device_t, device_t) ++ allow $1 device_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -877,6 +986,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` + + ######################################## + ## ++## Read block device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_generic_blk_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ read_blk_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Create, delete, read, and write block device files. + ## + ## +@@ -1003,6 +1130,26 @@ interface(`dev_getattr_all_blk_files',` + + ######################################## + ## ++## Read on all block file device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_read_all_blk_files',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ read_blk_files_pattern($1, device_t, device_node) ++') ++ ++######################################## ++## + ## Dontaudit getattr on all block file device nodes. + ## + ## +@@ -1034,6 +1181,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` + interface(`dev_getattr_all_chr_files',` + gen_require(` + attribute device_node; ++ type device_t; + ') + + getattr_chr_files_pattern($1, device_t, device_node) +@@ -1206,6 +1354,42 @@ interface(`dev_create_all_chr_files',` + + ######################################## + ## ++## rw all inherited character device files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_all_inherited_chr_files',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ allow $1 device_node:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## ++## rw all inherited blk device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_all_inherited_blk_files',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ allow $1 device_node:blk_file rw_inherited_blk_file_perms; ++') ++ ++######################################## ++## + ## Delete all block device files. + ## + ## +@@ -1560,25 +1744,6 @@ interface(`dev_relabel_autofs_dev',` + + ######################################## + ## +-## Read and write cachefiles character +-## device nodes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dev_rw_cachefiles',` +- gen_require(` +- type device_t, cachefiles_device_t; +- ') +- +- rw_chr_files_pattern($1, device_t, cachefiles_device_t) +-') +- +-######################################## +-## + ## Read and write the PCMCIA card manager device. + ## + ## +@@ -1682,6 +1847,26 @@ interface(`dev_filetrans_cardmgr',` + + ######################################## + ## ++## Automatic type transition to the type ++## for xserver misc device nodes when ++## created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_xserver_misc',` ++ gen_require(` ++ type device_t, xserver_misc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file ) ++') ++ ++######################################## ++## + ## Get the attributes of the CPU + ## microcode and id interfaces. + ## +@@ -1791,6 +1976,24 @@ interface(`dev_rw_crypto',` + rw_chr_files_pattern($1, device_t, crypt_device_t) + ') + ++######################################## ++## ++## Read and write the the ecrypt filesystem device. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_ecryptfs',` ++ gen_require(` ++ type device_t, ecryptfs_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, ecryptfs_device_t) ++') ++ + ####################################### + ## + ## Set the attributes of the dlm control devices. +@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',` + + ######################################## + ## +-## Get the attributes of the lvm comtrol device. ++## Get the attributes of the loop comtrol device. + ## + ## + ## +@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',` + ## + ## + # +-interface(`dev_getattr_lvm_control',` ++interface(`dev_getattr_loop_control',` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, lvm_control_t) ++ getattr_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## Read the lvm comtrol device. ++## Read the loop comtrol device. + ## + ## + ## +@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',` + ## + ## + # +-interface(`dev_read_lvm_control',` ++interface(`dev_read_loop_control',` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- read_chr_files_pattern($1, device_t, lvm_control_t) ++ read_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## Read and write the lvm control device. ++## Read and write the loop control device. 
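Review bot: The typo "comtrol" is carried into the new loop-control summaries here and in the following hunk (`dev_getattr_loop_control`, `dev_read_loop_control`) and re-introduced for the lvm ones in the `@@ -2482` and `@@ -2518` hunks (`dev_getattr_lvm_control`, `dev_read_lvm_control`); each should read `## Get the attributes of the loop control device.` / `## Read the loop control device.` and likewise for lvm. Since these hunks otherwise only move text, fixing the word while touching the lines is cheap.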
+ ## + ## + ## +@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',` + ## + ## + # +-interface(`dev_rw_lvm_control',` ++interface(`dev_rw_loop_control',` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- rw_chr_files_pattern($1, device_t, lvm_control_t) ++ rw_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and write lvm control device. ++## Do not audit attempts to read and write loop control device. + ## + ## + ## +@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',` + ## + ## + # +-interface(`dev_dontaudit_rw_lvm_control',` ++interface(`dev_dontaudit_rw_loop_control',` + gen_require(` +- type lvm_control_t; ++ type loop_control_device_t; + ') + +- dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; + ') + + ######################################## + ## +-## Delete the lvm control device. ++## Delete the loop control device. + ## + ## + ## +@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',` + ## + ## + # +-interface(`dev_delete_lvm_control_dev',` ++interface(`dev_delete_loop_control_dev',` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- delete_chr_files_pattern($1, device_t, lvm_control_t) ++ delete_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Get the attributes of the loop comtrol device. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_getattr_lvm_control',` + gen_require(` +- type memory_device_t; ++ type device_t, lvm_control_t; + ') + +- dontaudit $1 memory_device_t:chr_file getattr; ++ getattr_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Read raw memory devices (e.g. /dev/mem). ++## Read the lvm comtrol device. + ## + ## + ## +@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',` + ## + ## + # +-interface(`dev_read_raw_memory',` ++interface(`dev_read_lvm_control',` + gen_require(` +- type device_t, memory_device_t; +- attribute memory_raw_read; ++ type device_t, lvm_control_t; + ') + +- read_chr_files_pattern($1, device_t, memory_device_t) +- +- allow $1 self:capability sys_rawio; +- typeattribute $1 memory_raw_read; ++ read_chr_files_pattern($1, device_t, lvm_control_t) ++') ++ ++######################################## ++## ++## Read and write the lvm control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_lvm_control',` ++ gen_require(` ++ type device_t, lvm_control_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, lvm_control_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write lvm control device. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_rw_lvm_control',` ++ gen_require(` ++ type lvm_control_t; ++ ') ++ ++ dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++') ++ ++######################################## ++## ++## Delete the lvm control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_delete_lvm_control_dev',` ++ gen_require(` ++ type device_t, lvm_control_t; ++ ') ++ ++ delete_chr_files_pattern($1, device_t, lvm_control_t) ++') ++ ++######################################## ++## ++## dontaudit getattr raw memory devices (e.g. /dev/mem). 
++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_memory_dev',` ++ gen_require(` ++ type memory_device_t; ++ ') ++ ++ dontaudit $1 memory_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Read raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_raw_memory',` ++ gen_require(` ++ type device_t, memory_device_t; ++ attribute memory_raw_read; ++ ') ++ ++ read_chr_files_pattern($1, device_t, memory_device_t) ++ ++ allow $1 self:capability sys_rawio; ++ typeattribute $1 memory_raw_read; + ') + + ######################################## +@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',` + + ######################################## + ## +-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). (Deprecated) + ## + ## + ##

+-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). This interface has + ## been deprecated, dev_rw_mtrr() should be + ## used instead. + ##

+ ##

+ ## The MTRR device ioctls can be used for +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. ++## reading and writing; thus, write access to the ++## device cannot be separated from read access. + ##

+ ##
+ ## +@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',` + ##
+ ## + # +-interface(`dev_read_mtrr',` ++interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) + ') + + ######################################## + ## +-## Write the memory type range +-## registers (MTRR). (Deprecated) ++## Do not audit attempts to write the memory type ++## range registers (MTRR). + ## +-## +-##

+-## Write the memory type range +-## registers (MTRR). This interface has +-## been deprecated, dev_rw_mtrr() should be +-## used instead. +-##

+-##

+-## The MTRR device ioctls can be used for +-## reading and writing; thus, write access to the +-## device cannot be separated from read access. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_mtrr',` +- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') +- dev_rw_mtrr($1) ++interface(`dev_dontaudit_write_mtrr',` ++ gen_require(` ++ type mtrr_device_t; ++ ') ++ ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write the memory type ++## Do not audit attempts to read the memory type + ## range registers (MTRR). + ## + ## +@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',` + ##
+ ## + # +-interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_dontaudit_read_mtrr',` + gen_require(` + type mtrr_device_t; + ') + +- dontaudit $1 mtrr_device_t:file write; +- dontaudit $1 mtrr_device_t:chr_file write; ++ dontaudit $1 mtrr_device_t:file { open read }; ++ dontaudit $1 mtrr_device_t:chr_file { open read }; + ') + + ######################################## +@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',` + + ######################################## + ## ++## Get the status of a null device service. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_service_status_null_dev',` ++ gen_require(` ++ type null_device_t; ++ ') ++ ++ allow $1 null_device_t:service status; ++') ++ ++######################################## ++## ++## Configure null_device as a unit files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dev_config_null_dev_service',` ++ gen_require(` ++ type null_device_t; ++ ') ++ ++ allow $1 null_device_t:service manage_service_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to get the attributes + ## of the BIOS non-volatile RAM device. + ## +@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` + + ######################################## + ## ++## Read BIOS non-volatile RAM. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_nvram',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, nvram_device_t) ++') ++ ++######################################## ++## + ## Read and write BIOS non-volatile RAM. + ## + ## +@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',` + + ######################################## + ## +-## Read printk devices (e.g., /dev/kmsg /dev/mcelog) ++## Relabel the printer device node. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_relabel_printer',` ++ gen_require(` ++ type printer_device_t; ++ ') ++ ++ allow $1 printer_device_t:chr_file relabel_chr_file_perms; ++') ++ ++######################################## ++## ++## Read and write the printer device. + ## + ## + ## +@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',` + ## + ## + # +-interface(`dev_read_printk',` ++interface(`dev_manage_printer',` + gen_require(` +- type device_t, printk_device_t; ++ type device_t, printer_device_t; + ') + +- read_chr_files_pattern($1, device_t, printk_device_t) ++ manage_chr_files_pattern($1, device_t, printer_device_t) ++ dev_filetrans_printer_named_dev($1) + ') + + ######################################## +@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',` + + ######################################## + ## +-## Do not audit attempts to append to random ++## Do not audit attempts to append to the random + ## number generator devices (e.g., /dev/random) + ## + ## +@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',` + type random_device_t; + ') + +- dontaudit $1 random_device_t:chr_file append_chr_file_perms; ++ dontaudit $1 random_device_t:chr_file { append }; + ') + + ######################################## +@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',` + + ######################################## + ## +-## Search the sysfs directories. ++## Set the attributes of sysfs directories. + ## + ## + ## +@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',` + ## + ## + # +-interface(`dev_search_sysfs',` ++interface(`dev_setattr_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + +- search_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 sysfs_t:dir setattr_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search sysfs. ++## Get attributes of sysfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
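Review bot: The summary of `dev_manage_printer` still says "Read and write the printer device." but the body is `manage_chr_files_pattern($1, device_t, printer_device_t)` plus named file transitions, so it should read `## Create, read, write, and delete printer device nodes, with named transitions in /dev.`. This hunk also drops the old `dev_read_printk` interface without a visible replacement; if any module still calls it the build breaks, so please confirm it is re-added elsewhere or unreferenced. The call to `dev_filetrans_printer_named_dev($1)` relies on an interface defined at the very end of this file, which is fine for m4 but worth a short comment.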
+ ## + ## + # +-interface(`dev_dontaudit_search_sysfs',` ++interface(`dev_getattr_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir search_dir_perms; ++ allow $1 sysfs_t:filesystem getattr; + ') + + ######################################## + ## +-## List the contents of the sysfs directories. ++## Mount a filesystem on /sys + ## + ## + ## +-## Domain allowed access. ++## Domain allow access. + ## + ## + # +-interface(`dev_list_sysfs',` ++interface(`dev_mounton_sysfs',` + gen_require(` + type sysfs_t; + ') + +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 sysfs_t:dir mounton; + ') + + ######################################## + ## +-## Write in a sysfs directories. ++## Mount sysfs filesystems. + ## + ## + ## +@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',` + ## + ## + # +-# cjp: added for cpuspeed +-interface(`dev_write_sysfs_dirs',` ++interface(`dev_mount_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- allow $1 sysfs_t:dir write; ++ allow $1 sysfs_t:filesystem mount; + ') + + ######################################## + ## +-## Do not audit attempts to write in a sysfs directory. ++## Unmount sysfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_write_sysfs_dirs',` ++interface(`dev_unmount_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir write; ++ allow $1 sysfs_t:filesystem unmount; + ') + + ######################################## + ## +-## Create, read, write, and delete sysfs +-## directories. ++## Search the sysfs directories. + ## + ## + ## +@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` + ## + ## + # +-interface(`dev_manage_sysfs_dirs',` ++interface(`dev_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ search_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read hardware state information. 
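Review bot: The parameter doc of the new `dev_mounton_sysfs` reads "Domain allow access." and should be the standard `## Domain allowed access.`. The same reshuffled sysfs block in the `@@ -4024` hunk gives `dev_manage_sysfs_dirs` the summary "Allow caller to modify hardware state information." copied from `dev_rw_sysfs`; the original wording removed on the old side here, `## Create, read, write, and delete sysfs directories.`, is the accurate one and should be restored, and `dev_relabel_all_sysfs` should say it covers directories, files and symlinks. Interface docs are what `sepolgen`/policy authors read, so mis-described grants propagate.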
++## Do not audit attempts to search sysfs. + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## + # +-interface(`dev_read_sysfs',` ++interface(`dev_dontaudit_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- read_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ dontaudit $1 sysfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Allow caller to modify hardware state information. ++## List the contents of the sysfs directories. + ## + ## + ## +@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',` + ## + ## + # +-interface(`dev_rw_sysfs',` ++interface(`dev_list_sysfs',` + gen_require(` + type sysfs_t; + ') + +- rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- + list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read and write the TPM device. ++## Write in a sysfs directories. + ## + ## + ## +@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` ++# cjp: added for cpuspeed ++interface(`dev_write_sysfs_dirs',` + gen_require(` +- type device_t, tpm_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ allow $1 sysfs_t:dir write; + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## Do not audit attempts to write in a sysfs directory. + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is ++## ++##

++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_sysfs_dirs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ dontaudit $1 sysfs_t:dir write; ++') ++ ++######################################## ++## ++## Read cpu online hardware state information. ++## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_cpu_online',` ++ gen_require(` ++ type cpu_online_t; ++ ') ++ ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) ++') ++ ++######################################## ++## ++## Relabel cpu online hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_cpu_online',` ++ gen_require(` ++ type cpu_online_t; ++ type sysfs_t; ++ ') ++ ++ dev_search_sysfs($1) ++ allow $1 cpu_online_t:file relabel_file_perms; ++') ++ ++ ++######################################## ++## ++## Read hardware state information. ++## ++## ++##

++## Allow the specified domain to read the contents of ++## the sysfs filesystem. This filesystem contains ++## information, parameters, and other settings on the ++## hardware installed on the system. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_read_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ read_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Allow caller to modify hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ rw_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Relabel hardware state directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_sysfs_dirs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Relabel hardware state files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_all_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Allow caller to modify hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_sysfs_dirs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Read and write the TPM device. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_tpm',` ++ gen_require(` ++ type device_t, tpm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, tpm_device_t) ++') ++ ++######################################## ++## ++## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## ++## ++##

++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is + ## used in situations when a cryptographically secure random + ## number is not necessarily needed. One example is the Stack + ## Smashing Protector (SSP, formerly known as ProPolice) support +@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',` + + ######################################## + ##

++## Do not audit attempts to write to pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file write; ++') ++ ++######################################## ++## + ## Getattr generic the USB devices. + ## + ## +@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',` + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + +-######################################## ++###################################### + ## +-## Get the attributes of video4linux devices. ++## Read and write userio device. + ## + ## + ## +@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_userio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, userio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Get the attributes of video4linux devices. + ## + ## + ## +@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_getattr_video_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, v4l_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## +@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',` + + ######################################## + ## ++## Get the attributes of vfio devices. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_getattr_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of vfio device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_vfio_dev',` ++ gen_require(` ++ type vfio_device_t; ++ ') ++ ++ dontaudit $1 vfio_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of vfio device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of vfio device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_vfio_dev',` ++ gen_require(` ++ type vfio_device_t; ++ ') ++ ++ dontaudit $1 vfio_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Write the vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Read and write the VFIO devices. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`dev_rw_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
+ ## Allow read/write the vhost net device
+ ##
+ ##
+@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',`
+
+ ########################################
+ ##
++## Allow read/write inheretid the vhost net device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_inherited_vhost',`
++ gen_require(`
++ type device_t, vhost_device_t;
++ ')
++
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
+ ## Read and write VMWare devices.
+ ##
+ ##
+@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',`
+
+ ########################################
+ ##
++## Read and write X server miscellaneous devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_xserver_misc',`
++ gen_require(`
++ type device_t, xserver_misc_device_t;
++ ')
++
++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
++
++ dev_filetrans_xserver_named_dev($1)
++')
++
++########################################
++##
+ ## Read and write to the zero device (/dev/zero).
+ ##
+ ##
+@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',`
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
++########################################
++##
++## Dontaudit getattr on all device nodes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_all',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
++')
++
++########################################
++##
++## Get the attributes of the mei devices.
++##
++##
++##
++## Domain allowed access.
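Review bot: The summaries of the new vfio interfaces ("Read the vfio devices.", "Read and write the VFIO devices.") tell a policy writer nothing about what access to these nodes implies, and read/write on a vfio device node lets the domain drive an assigned device directly, so the interface should say which domains it is meant for. I would extend the dev_rw_vfio_dev summary to `## Read and write the VFIO devices (userspace device assignment, e.g. for virtualization domains).`. The sibling summaries spell the name "vfio" while dev_rw_vfio_dev says "VFIO"; one spelling across the six interfaces would help readers searching the generated documentation.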
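Review bot: The summary of dev_rw_inherited_vhost misspells "inherited" (`## Allow read/write inheretid the vhost net device`); since the rule grants rw_inherited_chr_file_perms, which presumably covers already-open descriptors rather than opening the node, the line would be clearer as `## Read and write inherited vhost net device file descriptors.`. The gen_require also lists device_t although the allow rule only references vhost_device_t; listing just vhost_device_t, as dev_dontaudit_write_urand above does, keeps the requirement minimal.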
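Review bot: The summary of dev_manage_xserver_misc was copied from dev_rw_xserver_misc and says `## Read and write X server miscellaneous devices.` while the body grants manage_chr_files_pattern plus a name transition, i.e. create, rename and delete as well; it should read `## Create, read, write, and delete X server miscellaneous devices.` so that callers see the broader privilege they are taking. dev_filetrans_xserver_named_dev is called but not defined in this hunk; presumably it is added elsewhere in this patch, which is worth confirming since an undefined interface fails at policy build time.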
++## ++## ++# ++interface(`dev_getattr_mei',` ++ gen_require(` ++ type device_t, mei_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, mei_device_t) ++') ++ ++######################################## ++## ++## Read the mei devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_mei',` ++ gen_require(` ++ type device_t, mei_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, mei_device_t) ++') ++ ++######################################## ++## ++## Read and write to mei devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_mei',` ++ gen_require(` ++ type device_t, mei_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, mei_device_t) ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_printer_named_dev',` ++ ++ gen_require(` ++ type printer_device_t; ++ ++ ') ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, 
"lp3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## 
Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_all_named_dev',` ++ ++gen_require(` ++ type device_t; ++ type usb_device_t; ++ type sound_device_t; ++ type apm_bios_t; ++ type mouse_device_t; ++ type autofs_device_t; ++ type lvm_control_t; ++ type crash_device_t; ++ type dlm_control_device_t; ++ type clock_device_t; ++ type v4l_device_t; ++ type vfio_device_t; ++ type event_device_t; ++ type xen_device_t; ++ type framebuf_device_t; ++ type null_device_t; ++ type random_device_t; ++ type dri_device_t; ++ type ipmi_device_t; ++ type memory_device_t; ++ type kmsg_device_t; ++ type qemu_device_t; ++ type ksm_device_t; ++ type kvm_device_t; ++ type lirc_device_t; ++ type cpu_device_t; ++ type scanner_device_t; ++ type modem_device_t; ++ type vhost_device_t; ++ type netcontrol_device_t; ++ type nvram_device_t; ++ type power_device_t; ++ type wireless_device_t; ++ type tpm_device_t; ++ type userio_device_t; ++ type urandom_device_t; ++ type usbmon_device_t; ++ type vmware_device_t; ++ type watchdog_device_t; ++ type crypt_device_t; ++ type zero_device_t; ++ type smartcard_device_t; ++ type mtrr_device_t; ++ type ecryptfs_device_t; ++') ++ ++ dev_filetrans_printer_named_dev($1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"adsp0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8") ++ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9") ++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9") ++ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, 
"autofs3") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8") ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep") ++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control") ++ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8") ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6") ++ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201") ++ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007") ++ filetrans_pattern($1, device_t, v4l_device_t, 
chr_file, "em83008") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3") ++ filetrans_pattern($1, device_t, framebuf_device_t, 
chr_file, "fb4") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8") ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9") ++ filetrans_pattern($1, device_t, null_device_t, chr_file, "full") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012") ++ filetrans_pattern($1, device_t, 
usb_device_t, chr_file, "013") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 
"hiddev1") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet") ++ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random") ++ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng") ++ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4") ++ filetrans_pattern($1, 
device_t, ipmi_device_t, chr_file, "ipmi5") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8") ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9") ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem") ++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg") ++ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu") ++ 
filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm") ++ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8") ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm") ++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, 
"microcode") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"mpu4015") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9") ++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost") ++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency") ++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9") ++ filetrans_pattern($1, device_t, null_device_t, chr_file, "null") ++ filetrans_pattern($1, 
device_t, nvram_device_t, chr_file, "nvram") ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9") ++ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu") ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2") ++ filetrans_pattern($1, 
device_t, sound_device_t, chr_file, "rmidi3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9") ++ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9") ++ filetrans_pattern($1, device_t, random_device_t, chr_file, "random") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948") ++ filetrans_pattern($1, device_t, v4l_device_t, 
chr_file, "raw13949") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0") ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1") ++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9") ++ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu") ++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7") ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8") ++ 
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8") ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9") ++ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5") ++ filetrans_pattern($1, device_t, 
usbmon_device_t, chr_file, "usbmon6") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8") ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner") ++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8") ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, 
"media1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8") 
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9") ++ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9") ++ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt") ++ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8") ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9") ++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1") ++ filetrans_pattern($1, device_t, 
cpu_device_t, chr_file, "cpu2") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8") ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9") ++ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9") ++ filetrans_pattern($1, device_t, 
event_device_t, chr_file, "keyboard0") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9") ++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00") ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003") ++ filetrans_pattern($1, device_t, scanner_device_t, 
chr_file, "mdc8004") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8") ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") ++ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"controlC26") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6") ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2") ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") ++ dev_filetrans_xserver_named_dev($1) ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_filetrans_xserver_named_dev',` ++ ++ gen_require(` ++ type xserver_misc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") ++ filetrans_pattern($1, device_t, 
xserver_misc_device_t, chr_file, "nvidia9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") ++') +diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te +index 6529bd9..831344c 100644 +--- a/policy/modules/kernel/devices.te ++++ 
b/policy/modules/kernel/devices.te
+@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
+ #
+ type device_t;
+ fs_associate_tmpfs(device_t)
+-files_type(device_t)
++files_base_file(device_t)
+ files_mountpoint(device_t)
+ files_associate_tmp(device_t)
+ fs_type(device_t)
+ fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
++dev_node(device_t)
+ 
+ #
+ # Type for /dev/agpgart
+@@ -43,9 +44,6 @@ type cardmgr_dev_t;
+ dev_node(cardmgr_dev_t)
+ files_tmp_file(cardmgr_dev_t)
+ 
+-type cachefiles_device_t;
+-dev_node(cachefiles_device_t)
+-
+ #
+ # clock_device_t is the type of
+ # /dev/rtc.
+@@ -65,6 +63,9 @@ dev_node(cpu_device_t)
+ type crash_device_t;
+ dev_node(crash_device_t)
+ 
++type ecryptfs_device_t;
++dev_node(ecryptfs_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -111,6 +112,7 @@ dev_node(ksm_device_t)
+ #
+ type kvm_device_t;
+ dev_node(kvm_device_t)
++mls_trusted_object(kvm_device_t)
+ 
+ #
+ # Type for /dev/lirc
+@@ -118,6 +120,9 @@ dev_node(kvm_device_t)
+ type lirc_device_t;
+ dev_node(lirc_device_t)
+ 
++#
++# Type for /dev/mapper/control
++#
+ type loop_control_device_t;
+ dev_node(loop_control_device_t)
+ 
+@@ -227,6 +232,10 @@ files_mountpoint(sysfs_t)
+ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+ 
++type cpu_online_t;
++files_type(cpu_online_t)
++dev_associate_sysfs(cpu_online_t)
++
+ #
+ # Type for /dev/tpm
+ #
+@@ -266,6 +275,9 @@ dev_node(usbmon_device_t)
+ type userio_device_t;
+ dev_node(userio_device_t)
+ 
++type vfio_device_t;
++dev_node(vfio_device_t)
++
+ type v4l_device_t;
+ dev_node(v4l_device_t)
+ 
+@@ -274,6 +286,7 @@ dev_node(v4l_device_t)
+ #
+ type vhost_device_t;
+ dev_node(vhost_device_t)
++mls_trusted_object(vhost_device_t)
+ 
+ # Type for vmware devices.
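Review bot: `mls_trusted_object(kvm_device_t)` in the @@ -111 hunk (and the matching `mls_trusted_object(vhost_device_t)` in the @@ -274 hunk) marks these device types as MLS trusted objects, which the MLS constraints exempt from the usual level checks, yet neither line says why the exemption is needed. A one-line rationale at each site would keep the next reader from treating it as accidental, e.g. `# shared by virt domains running at different MLS levels, so exempt from the MLS constraints -- confirm`. The same comment belongs on the vhost line.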
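Review bot: The added comment `# Type for /dev/mapper/control` sits directly above `type loop_control_device_t;`, yet the devices.if hunk earlier in this same patch transitions the `control` node under device_t to lvm_control_t, so the comment names the wrong device for this type. Either move the comment to the lvm_control_t declaration or describe loop_control_device_t itself (presumably the loop-control node; check devices.fc), e.g. `# Type for the loop-control device node`.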
+ type vmware_device_t;
+@@ -319,5 +332,5 @@ files_associate_tmp(device_node)
+ #
+ 
+ allow devices_unconfined_type self:capability sys_rawio;
+-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
++allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
+ allow devices_unconfined_type mtrr_device_t:file *;
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 6a1e4d1..84e8030 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -76,33 +76,8 @@ interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+ 
+- ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_use_fds($1)
+- ')
+- ')
+- 
+- # send init a sigchld and signull
+- optional_policy(`
+- init_sigchld($1)
+- init_signull($1)
+- ')
+- 
+- # these seem questionable:
+- 
+- optional_policy(`
+- rpm_use_fds($1)
+- rpm_read_pipes($1)
+- ')
+- 
+- optional_policy(`
+- selinux_dontaudit_getattr_fs($1)
+- selinux_dontaudit_read_fs($1)
+- ')
+- 
+- optional_policy(`
+- seutil_dontaudit_read_config($1)
+- ')
++ # Only way to get corenet_unlabeled packets disabled to work
++ corenet_all_recvfrom_unlabeled($1)
+ ')
+ 
+ ########################################
+@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
+ ')
+ 
+ allow $1 $2:file entrypoint;
+- allow $1 $2:file { mmap_file_perms ioctl lock };
++ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
+ 
+ typeattribute $2 entry_type;
+ 
+@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
+ 
+ ########################################
+ ##
++## Do not audit attempts to send
++## signulls to all domains.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`domain_dontaudit_signull_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:process signull;
++')
++
++########################################
++##
+ ## Send a stop signal to all domains.
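Review bot: `corenet_all_recvfrom_unlabeled($1)` is now granted unconditionally to every domain that calls domain_type, and the comment `# Only way to get corenet_unlabeled packets disabled to work` explains neither what problem the grant solves nor where unlabeled-packet handling is actually switched off, so a reader cannot tell whether this is a permanent design choice or a workaround. Suggest rewording to state the intent and the control point, e.g. `# Every domain may receive from unlabeled peers; unlabeled packet handling is controlled centrally rather than per domain (see corenetwork)`, with the actual controlling mechanism filled in by the author. Removing the per-domain optional_policy blocks is the commit's own change and is not re-raised here.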
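Review bot: Adding `execute_no_trans` to `allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };` lets every domain execute its own entrypoint file in place without a domain transition, which relaxes the entrypoint contract for all callers of domain_entry_file and deserves a comment. Suggest `# allow a domain to re-exec its own entrypoint without transitioning` above the allow line, adjusted to the actual motivation. The enclosing interface domain_entry_file continues past the end of the hunk.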
+ ##
+ ##
+@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
+ 
+ ########################################
+ ##
+-## Get the attributes of all domains of all domains.
++## Get the attributes of all domains.
+ ##
+ ##
+ ##
+@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
+ 
+ ########################################
+ ##
++## Relabel from domain types on files if a user managed to mislable
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_relabelfrom',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:dir_file_class_set relabelfrom_file_perms;
++')
++
++########################################
++##
+ ## Relabel to and from all entry point
+ ## file types.
+ ##
+@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
+ 
+ ########################################
+ ##
++## Named Filetrans Domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_named_filetrans',`
++ gen_require(`
++ attribute named_filetrans_domain;
++ ')
++
++ typeattribute $1 named_filetrans_domain;
++')
++
++########################################
++##
+ ## Unconfined access to domains.
+ ##
+ ##
+@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
+ typeattribute $1 can_change_object_identity;
+ typeattribute $1 set_curr_context;
+ typeattribute $1 process_uncond_exempt;
++
++ mcs_process_set_categories($1)
++
++ userdom_filetrans_home_content($1)
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked sockets.
++##
++##
++##
++## Domain to not audit.
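Review bot: The summary of the new domain_relabelfrom interface reads `## Relabel from domain types on files if a user managed to mislable` -- "mislable" is a typo and the sentence has no object or full stop; suggest `## Relabel from domain types on files if a user managed to mislabel them.` The domain_named_filetrans summary in the @@ -1508 hunk has the opposite problem: `## Named Filetrans Domain.` repeats the interface name without saying what it does, while `## Add the domain to the named_filetrans_domain attribute.` describes what the typeattribute line actually does. That attribute is declared in the domain.te hunk of this same patch.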
++##
++##
++#
++interface(`domain_dontaudit_leaks',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:socket_class_set { read write };
++')
++
++########################################
++##
++## Allow caller to transition to any domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_transition_all',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:process transition;
++')
++
++########################################
++##
++## Do not audit attempts to access check /proc
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`domain_dontaudit_access_check',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:dir_file_class_set audit_access;
+ ')
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..369ddc2 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
+ #
+ # Declarations
+ #
++##
++##
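Review bot: `allow $1 domain:process transition;` in the new domain_transition_all interface permits the caller to transition into every domain type, privileged ones included, and its summary `## Allow caller to transition to any domain` does not make that scope explicit; suggest `## Allow the caller to transition into every domain type (the target domain still needs its own entrypoint and execute rules for a transition to succeed).` In the domain_unconfined part of the hunk, `userdom_filetrans_home_content($1)` is called directly rather than inside optional_policy(), which ties this kernel-layer module to the system-layer userdomain module; if userdomain is always built in this distribution, a comment saying so would help, otherwise the call should be wrapped. The new interfaces lie wholly within the hunk, while domain_unconfined's opening lines are outside it.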

++## Allow all domains to use other domains file descriptors ++##

++##
++# ++gen_tunable(domain_fd_use, true) ++ ++## ++##

++## Allow all domains to execute in fips_mode ++##

++##
++# ++gen_tunable(fips_mode, true) ++ ++## ++##

++## Allow all domains to have the kernel load modules ++##

++##
++# ++gen_tunable(domain_kernel_load_modules, false) + + ## + ##
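Review bot: `fips_mode` and `domain_fd_use` are declared with default `true`, while their descriptions only say that all domains may "execute in fips_mode" or "use other domains file descriptors" without naming the permissions involved; the rules themselves are in the later hunk of this file (@@ -166,5 +231,306): `allow domain domain:fd use;`, `allow domain self:fifo_file manage_fifo_file_perms;`, `kernel_read_kernel_sysctls(domain)` and `prelink_exec(domain)`. With these defaults the fips_mode branch is active on every system, so the tunable name does not reflect what it gates. I'd make each description list the grants and the default, e.g. `## Allow all domains to read kernel sysctls and manage their own FIFOs (required in FIPS mode; enabled by default).`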

+@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false) + + # Mark process types as domains + attribute domain; ++attribute named_filetrans_domain; + + # Transitions only allowed from domains to other domains + neverallow domain ~domain:process { transition dyntransition }; +@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *; + allow domain self:dir list_dir_perms; + allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; + allow domain self:file rw_file_perms; ++allow domain self:fifo_file rw_fifo_file_perms; ++allow domain self:sem create_sem_perms; ++allow domain self:shm create_shm_perms; ++ + kernel_read_proc_symlinks(domain) ++kernel_read_crypto_sysctls(domain) ++kernel_read_vm_overcommit_sysctls(domain) ++ + # Every domain gets the key ring, so we should default + # to no one allowed to look at it; afs kernel support creates + # a keyring + kernel_dontaudit_search_key(domain) + kernel_dontaudit_link_key(domain) ++kernel_dontaudit_search_debugfs(domain) + + # create child processes in the domain +-allow domain self:process { fork sigchld }; ++allow domain self:process { getcap fork getsched sigchld }; + + # Use trusted objects in /dev ++dev_read_cpu_online(domain) + dev_rw_null(domain) + dev_rw_zero(domain) + term_use_controlling_term(domain) + + # list the root directory + files_list_root(domain) ++# allow all domains to search through default_t directory, since users sometimes ++# place labels within these directories. (samba_share_t) for example. 
++files_search_default(domain) ++files_read_inherited_tmp_files(domain) ++files_append_inherited_tmp_files(domain) ++files_read_all_base_ro_files(domain) ++ ++# All executables should be able to search the directory they are in ++corecmd_search_bin(domain) ++ ++tunable_policy(`domain_kernel_load_modules',` ++ kernel_request_load_module(domain) ++') + + ifdef(`hide_broken_symptoms',` + # This check is in the general socket +@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',` + ') + + optional_policy(` ++ afs_rw_cache(domain) ++') ++ ++optional_policy(` + libs_use_ld_so(domain) + libs_use_shared_libs(domain) ++ libs_read_lib_files(domain) ++') ++ ++optional_policy(` ++ miscfiles_read_localization(domain) ++ miscfiles_read_man_pages(domain) + ') + + optional_policy(` +@@ -133,6 +189,9 @@ optional_policy(` + optional_policy(` + xserver_dontaudit_use_xdm_fds(domain) + xserver_dontaudit_rw_xdm_pipes(domain) ++ xserver_dontaudit_append_xdm_home_files(domain) ++ xserver_dontaudit_write_log(domain) ++ xserver_dontaudit_xdm_rw_stream_sockets(domain) + ') + + ######################################## +@@ -147,12 +206,18 @@ optional_policy(` + # Use/sendto/connectto sockets created by any domain. + allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; + ++allow unconfined_domain_type domain:system all_system_perms; + # Use descriptors and pipes created by any domain. + allow unconfined_domain_type domain:fd use; + allow unconfined_domain_type domain:fifo_file rw_file_perms; + ++allow unconfined_domain_type unconfined_domain_type:dbus send_msg; ++ + # Act upon any other process. +-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; ++allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; ++tunable_policy(`deny_ptrace',`',` ++ allow unconfined_domain_type domain:process ptrace; ++') + + # Create/access any System V IPC objects. 
+ allow unconfined_domain_type domain:{ sem msgq shm } *; +@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + # act on all domains keys + allow unconfined_domain_type domain:key *; + ++corenet_filetrans_all_named_dev(named_filetrans_domain) ++ ++dev_filetrans_all_named_dev(named_filetrans_domain) ++ + # receive from all domains over labeled networking + domain_all_recvfrom_all_domains(unconfined_domain_type) ++ ++files_filetrans_named_content(named_filetrans_domain) ++files_filetrans_system_conf_named_files(named_filetrans_domain) ++files_config_all_files(unconfined_domain_type) ++dev_config_null_dev_service(unconfined_domain_type) ++ ++optional_policy(` ++ kdump_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ locallogin_filetrans_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ mandb_filetrans_named_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ seutil_filetrans_named_content(named_filetrans_domain) ++') ++ ++storage_filetrans_all_named_dev(named_filetrans_domain) ++ ++term_filetrans_all_named_dev(named_filetrans_domain) ++ ++optional_policy(` ++ init_disable_services(unconfined_domain_type) ++ init_enable_services(unconfined_domain_type) ++ init_reload_services(unconfined_domain_type) ++ init_status(unconfined_domain_type) ++ init_reboot(unconfined_domain_type) ++ init_halt(unconfined_domain_type) ++ init_undefined(unconfined_domain_type) ++ init_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ auth_filetrans_named_content(named_filetrans_domain) ++ auth_filetrans_admin_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ libs_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ logging_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ miscfiles_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ 
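Review bot: `allow unconfined_domain_type domain:system all_system_perms;` is added without a comment, unlike the neighbouring rules which each say what they grant; the `system` class (syslog and module_request permissions among others) is unrelated to the surrounding socket/fd/pipe rules, so a reader cannot tell why it is needed here. I'd add `# Allow unconfined domains every system-class permission against any domain.` above it. The ptrace split via `tunable_policy(\`deny_ptrace', ...)` is the right shape, but `deny_ptrace` is not declared in the visible hunks of domain.te and presumably comes from another module — a comment naming where it is defined would help.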
abrt_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ alsa_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ apache_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ apcupsd_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ bootloader_filetrans_config(named_filetrans_domain) ++') ++ ++optional_policy(` ++ clock_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ cups_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ devicekit_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ dnsmasq_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ gnome_filetrans_admin_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ iscsi_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ kerberos_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ mta_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ mplayer_filetrans_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ modules_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ mysql_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ networkmanager_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ ntp_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ nx_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ postgresql_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ postfix_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ prelink_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ pulseaudio_filetrans_admin_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ 
quota_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ rpcbind_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ rsync_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ sysnet_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ systemd_login_status(unconfined_domain_type) ++ systemd_login_reboot(unconfined_domain_type) ++ systemd_login_halt(unconfined_domain_type) ++ systemd_login_undefined(unconfined_domain_type) ++ systemd_filetrans_named_content(named_filetrans_domain) ++ systemd_filetrans_named_hostname(named_filetrans_domain) ++ systemd_filetrans_home_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ tftp_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` ++ userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file }) ++') ++ ++optional_policy(` ++ ssh_filetrans_admin_home_content(named_filetrans_domain) ++ ssh_filetrans_keys(unconfined_domain_type) ++') ++ ++optional_policy(` ++ virt_filetrans_named_content(named_filetrans_domain) ++') ++ ++selinux_getattr_fs(domain) ++selinux_search_fs(domain) ++selinux_dontaudit_read_fs(domain) ++ ++optional_policy(` ++ seutil_dontaudit_read_config(domain) ++') ++ ++optional_policy(` ++ init_sigchld(domain) ++ init_signull(domain) ++ init_read_machineid(domain) ++') ++ ++ifdef(`distro_redhat',` ++ files_search_mnt(domain) ++') ++ ++# these seem questionable: ++ ++optional_policy(` ++ abrt_domtrans_helper(domain) ++ abrt_read_pid_files(domain) ++ abrt_read_state(domain) ++ abrt_signull(domain) ++ abrt_append_cache(domain) ++ abrt_rw_fifo_file(domain) ++') ++ ++optional_policy(` ++ sosreport_append_tmp_files(domain) ++') ++ ++tunable_policy(`domain_fd_use',` ++ # Allow all domains to use fds past to them ++ allow domain domain:fd use; ++') ++ ++optional_policy(` ++ cron_dontaudit_write_system_job_tmp_files(domain) ++ 
cron_rw_pipes(domain) ++ cron_rw_system_job_pipes(domain) ++') ++ ++ifdef(`hide_broken_symptoms',` ++ dontaudit domain self:udp_socket listen; ++ allow domain domain:key { link search }; ++ dontaudit domain domain:socket_class_set { read write }; ++ dontaudit domain self:capability sys_module; ++') ++ ++optional_policy(` ++ ipsec_match_default_spd(domain) ++') ++ ++optional_policy(` ++ ifdef(`hide_broken_symptoms',` ++ afs_rw_udp_sockets(domain) ++ ') ++') ++ ++optional_policy(` ++ ssh_rw_pipes(domain) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(domain) ++ unconfined_sigchld(domain) ++') ++ ++# broken kernel ++dontaudit can_change_object_identity can_change_object_identity:key link; ++ ++ifdef(`distro_redhat',` ++ optional_policy(` ++ unconfined_use_fds(domain) ++ ') ++') ++ ++# these seem questionable: ++ ++optional_policy(` ++ puppet_rw_tmp(domain) ++') ++ ++dontaudit domain domain:process { noatsecure siginh rlimitinh } ; ++ ++optional_policy(` ++ rpm_rw_script_inherited_pipes(domain) ++ rpm_use_fds(domain) ++ rpm_read_pipes(domain) ++ rpm_search_log(domain) ++ rpm_append_tmp_files(domain) ++ rpm_dontaudit_leaks(domain) ++ rpm_read_script_tmp_files(domain) ++ rpm_inherited_fifo(domain) ++') ++ ++tunable_policy(`fips_mode',` ++ allow domain self:fifo_file manage_fifo_file_perms; ++ kernel_read_kernel_sysctls(domain) ++') ++ ++optional_policy(` ++ tunable_policy(`fips_mode',` ++ prelink_exec(domain) ++ ') ++') +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index c2c6e05..058bb58 100644 +--- a/policy/modules/kernel/files.fc ++++ b/policy/modules/kernel/files.fc +@@ -18,6 +18,7 @@ ifdef(`distro_redhat',` + /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) + /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) + /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) + ') + + ifdef(`distro_suse',` +@@ -27,7 +28,7 @@ ifdef(`distro_suse',` 
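Review bot: Inside the new `ifdef(\`hide_broken_symptoms',` block the line `allow domain domain:key { link search };` is a real permission grant, not a dontaudit like the three rules around it; hiding symptoms should never widen access, so this line should either move outside the ifdef with its own justification or become `dontaudit domain domain:key { link search };`. The two `# these seem questionable:` comments likewise leave the abrt/sosreport and puppet grants to every domain without saying which symptom they address. A one-line reason per block would let a later reviewer decide whether they can be removed.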
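Review bot: `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` labels every regular file directly under `/` as etc_runtime_t, the label this block otherwise reserves for named boot-time files (`/fsckoptions`, `/halt`, `/poweroff`), so anything dropped into the root directory inherits a runtime-written label rather than a read-only default. The catch-all is presumably for stray files created by init at boot, and that should be stated: `# catch-all: unknown regular files in / are treated as boot-time runtime state, not trusted config`.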
+ # + # /boot + # +-/boot -d gen_context(system_u:object_r:boot_t,s0) ++/boot gen_context(system_u:object_r:boot_t,s0) + /boot/.* gen_context(system_u:object_r:boot_t,s0) + /boot/\.journal <> + /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) +@@ -38,13 +39,13 @@ ifdef(`distro_suse',` + # + # /emul + # +-/emul -d gen_context(system_u:object_r:usr_t,s0) ++/emul gen_context(system_u:object_r:usr_t,s0) + /emul/.* gen_context(system_u:object_r:usr_t,s0) + + # + # /etc + # +-/etc -d gen_context(system_u:object_r:etc_t,s0) ++/etc gen_context(system_u:object_r:etc_t,s0) + /etc/.* gen_context(system_u:object_r:etc_t,s0) + /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -52,13 +53,17 @@ ifdef(`distro_suse',` + /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) +-/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) +-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) +-/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0) +-/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0) +-/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0) ++ ++/etc/sysctl\.conf(\.old)? 
-- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0) + + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) + +@@ -70,7 +75,10 @@ ifdef(`distro_suse',` + + /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) +-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) ++ ++/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) ++ + + ifdef(`distro_gentoo', ` + /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', ` + /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + ') + +-ifdef(`distro_redhat',` +-/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) +-') +- + ifdef(`distro_suse',` + /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <> + /initrd -d gen_context(system_u:object_r:root_t,s0) + + # +-# /lib(64)? ++# /lib + # + /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + +@@ -129,6 +133,8 @@ ifdef(`distro_debian',` + /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) + /media/[^/]*/.* <> + /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) ++/var/run/media(/[^/]*)? 
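Review bot: `/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)` moves the file that lists the terminals on which root may log in from the default etc_t to etc_runtime_t, the label this block uses for files rewritten during boot (`/etc/mtab.*`, `/etc/nologin.*`); any domain that may write etc_runtime_t can then edit securetty, which is presumably not intended for a login policy file. If a specific boot-time writer needs it, a comment naming that writer should accompany the entry; otherwise the line should go. Separately, `/etc/mtab.*` has an unescaped dot, so it also matches names such as `/etc/mtabx`; the removed entries were anchored (`mtab\.tmp`, `mtab~[0-9]*`), and `/etc/mtab(~[0-9]*|\..*)? -- gen_context(system_u:object_r:etc_runtime_t,s0)` keeps that scope.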
-d gen_context(system_u:object_r:mnt_t,s0) ++/var/run/media/.* <> + + # + # /misc +@@ -150,10 +156,10 @@ ifdef(`distro_debian',` + # + # /opt + # +-/opt -d gen_context(system_u:object_r:usr_t,s0) ++/opt gen_context(system_u:object_r:usr_t,s0) + /opt/.* gen_context(system_u:object_r:usr_t,s0) + +-/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) ++/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) + + # + # /proc +@@ -161,6 +167,12 @@ ifdef(`distro_debian',` + /proc -d <> + /proc/.* <> + ++ifdef(`distro_redhat',` ++/rhev -d gen_context(system_u:object_r:mnt_t,s0) ++/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) ++/rhev/[^/]*/.* <> ++') ++ + # + # /run + # +@@ -169,6 +181,7 @@ ifdef(`distro_debian',` + /run/.*\.*pid <> + /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) + ++/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0) + # + # /selinux + # +@@ -178,13 +191,14 @@ ifdef(`distro_debian',` + # + # /srv + # +-/srv -d gen_context(system_u:object_r:var_t,s0) ++/srv gen_context(system_u:object_r:var_t,s0) + /srv/.* gen_context(system_u:object_r:var_t,s0) + + # + # /tmp + # +-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /tmp/.* <> + /tmp/\.journal <> + +@@ -194,9 +208,10 @@ ifdef(`distro_debian',` + # + # /usr + # +-/usr -d gen_context(system_u:object_r:usr_t,s0) ++/usr gen_context(system_u:object_r:usr_t,s0) + /usr/.* gen_context(system_u:object_r:usr_t,s0) + /usr/\.journal <> ++/export(/.*)? gen_context(system_u:object_r:usr_t,s0) + + /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) + +@@ -204,15 +219,9 @@ ifdef(`distro_debian',` + + /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) + +-/usr/local/\.journal <> +- +-/usr/local/etc(/.*)? 
gen_context(system_u:object_r:etc_t,s0) +- +-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +-/usr/local/lost\+found/.* <> +- + /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /usr/lost\+found/.* <> ++/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + + /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) + +@@ -220,8 +229,6 @@ ifdef(`distro_debian',` + /usr/tmp/.* <> + + ifndef(`distro_redhat',` +-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) +- + /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) + /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) + ') +@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` + # + # /var + # +-/var -d gen_context(system_u:object_r:var_t,s0) ++/var gen_context(system_u:object_r:var_t,s0) + /var/.* gen_context(system_u:object_r:var_t,s0) + /var/\.journal <> + +@@ -237,11 +244,24 @@ ifndef(`distro_redhat',` + + /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + ++/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) ++ + /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) + + /var/lib/nfs/rpc_pipefs(/.*)? <> + +-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) ++/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) ++/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) ++ ++/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) ++/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) ++/var/lib/openshift/.limits.d(/.*)? 
gen_context(system_u:object_r:etc_t,s0) ++ ++/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0) ++ ++/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) ++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) ++/var/lock/.* <> + + /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /var/log/lost\+found/.* <> +@@ -256,12 +276,14 @@ ifndef(`distro_redhat',` + /var/run -l gen_context(system_u:object_r:var_run_t,s0) + /var/run/.* gen_context(system_u:object_r:var_run_t,s0) + /var/run/.*\.*pid <> ++/var/run/lock/.* <> + + /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) + /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + + /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) ++/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /var/tmp/.* <> + /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /var/tmp/lost\+found/.* <> +@@ -270,3 +292,5 @@ ifndef(`distro_redhat',` + ifdef(`distro_debian',` + /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) + ') ++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) ++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 64ff4d7..2b01383 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -19,6 +19,136 @@ + ## Comains the file initial SID. + ## + ++##################################### ++##

++## files stub etc_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_etc',` ++ gen_require(` ++ type etc_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_lock_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_lock',` ++ gen_require(` ++ type var_lock_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_log_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_log',` ++ gen_require(` ++ type var_log_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_lib_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_lib',` ++ gen_require(` ++ type var_lib_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_run',` ++ gen_require(` ++ type var_run_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var',` ++ gen_require(` ++ type var_t; ++ ') ++') ++ ++ ++##################################### ++## ++## files stub tmp_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_tmp',` ++ gen_require(` ++ type tmp_t; ++ ') ++') ++ ++ + ######################################## + ## + ## Make the specified type usable for files +@@ -55,6 +185,7 @@ + ##
  • files_pid_file()
  • + ##
  • files_security_file()
  • + ##
  • files_security_mountpoint()
  • ++##
  • files_spool_file()
  • + ##
  • files_tmp_file()
  • + ##
  • files_tmpfs_file()
  • + ##
  • logging_log_file()
  • +@@ -125,44 +256,59 @@ interface(`files_security_file',` + typeattribute $1 file_type, security_file_type, non_auth_file_type; + ') + ++ + ######################################## + ## + ## Make the specified type usable for +-## lock files. ++## filesystem mount points. + ## + ## + ## +-## Type to be used for lock files. ++## Type to be used for mount points. + ## + ## + # +-interface(`files_lock_file',` ++interface(`files_mountpoint',` + gen_require(` +- attribute lockfile; ++ attribute mountpoint; + ') + + files_type($1) +- typeattribute $1 lockfile; ++ typeattribute $1 mountpoint; + ') + + ######################################## + ## +-## Make the specified type usable for +-## filesystem mount points. ++## Create a private type object in mountpoint dir ++## with an automatic type transition + ## +-## ++## + ## +-## Type to be used for mount points. ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. + ## + ## + # +-interface(`files_mountpoint',` ++interface(`files_mountpoint_filetrans',` + gen_require(` + attribute mountpoint; + ') + +- files_type($1) +- typeattribute $1 mountpoint; ++ filetrans_pattern($1, mountpoint, $2, $3, $4) + ') + + ######################################## +@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',` + ######################################## + ## + ## Make the specified type usable for ++## lock files. ++## ++## ++## ++## Type to be used for lock files. ++## ++## ++# ++interface(`files_lock_file',` ++ gen_require(` ++ attribute lockfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 lockfile; ++') ++ ++######################################## ++## ++## Make the specified type usable for + ## runtime process ID files. 
+ ## + ## +@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',` + attribute non_security_file_type; + ') + +- allow $1 non_security_file_type:dir mounton; ++ allow $1 non_security_file_type:dir { write setattr mounton }; + allow $1 non_security_file_type:file mounton; + ') + +@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',` + + ######################################## + ## ++## Do not audit attempts to search ++## non security dirs. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_non_security_dirs',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of non security files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_setattr_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:file setattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of non security directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_setattr_non_security_dirs',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:dir setattr; ++') ++ ++######################################## ++## + ## Read all files. + ## + ## +@@ -683,12 +906,107 @@ interface(`files_read_non_security_files',` + attribute non_security_file_type; + ') + ++ list_dirs_pattern($1, non_security_file_type, non_security_file_type) + read_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) + ') + + ######################################## + ## ++## Read/Write all inherited non-security files. 
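Review bot: `files_mounton_non_security` now grants `{ write setattr mounton }` on every non-security directory, but its name and description still promise only mounton, so callers that were audited as "may mount here" silently gain the ability to add entries to and change attributes of those directories. If a mount helper genuinely needs write and setattr, the interface documentation should say so, and ideally the two extra permissions would live in their own interface so the wider grant is visible at each call site. The interface's opening lines are outside the hunk.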
++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_rw_inherited_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ allow $1 non_security_file_type:file { read write }; ++') ++ ++######################################## ++## ++## Manage all non-security files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_manage_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ manage_files_pattern($1, non_security_file_type, non_security_file_type) ++ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ++') ++ ++######################################## ++## ++## Relabel all non-security files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ relabel_files_pattern($1, non_security_file_type, non_security_file_type) ++ allow $1 { non_security_file_type }:dir list_dir_perms; ++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) ++ ++ # satisfy the assertions: ++ seutil_relabelto_bin_policy($1) ++') ++ ++######################################## ++## ++## Relabel all base file types. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_relabel_base_file_types',` ++ gen_require(` ++ attribute base_file_type; ++ ') ++ ++ allow $1 base_file_type:dir list_dir_perms; ++ relabel_dirs_pattern($1, base_file_type , base_file_type ) ++ relabel_files_pattern($1, base_file_type , base_file_type ) ++ relabel_lnk_files_pattern($1, base_file_type , base_file_type ) ++ relabel_fifo_files_pattern($1, base_file_type , base_file_type ) ++ relabel_sock_files_pattern($1, base_file_type , base_file_type ) ++ relabel_blk_files_pattern($1, base_file_type , base_file_type ) ++ relabel_chr_files_pattern($1, base_file_type , base_file_type ) ++') ++ ++######################################## ++## + ## Read all directories on the filesystem, except + ## the listed exceptions. + ## +@@ -953,6 +1271,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` + + ######################################## + ## ++## Do not audit attempts to read/write ++## of non security named pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_pipes',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## + ## Get the attributes of all named sockets. + ## + ## +@@ -991,8 +1328,8 @@ interface(`files_dontaudit_getattr_all_sockets',` + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of non security named sockets. ++## Do not audit attempts to read ++## of all named sockets. 
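Review bot: `files_relabel_non_security_files` calls `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` twice (once with and once without braces), so the first call is redundant and should be dropped. The interface also grants relabel on blk_file and chr_file for non-security types; device nodes carrying ordinary file types are a labeling error, so allowing relabelto of nodes to such types deserves a comment stating why it is wanted. `files_relabel_base_file_types` requires `attribute base_file_type`, which is not declared in any visible hunk here and is presumably added elsewhere in this patch — confirm the declaration lands in the same module.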
+ ## + ## + ## +@@ -1000,43 +1337,81 @@ interface(`files_dontaudit_getattr_all_sockets',` + ## + ## + # +-interface(`files_dontaudit_getattr_non_security_sockets',` ++interface(`files_dontaudit_read_all_sockets',` + gen_require(` +- attribute non_security_file_type; ++ attribute file_type; + ') + +- dontaudit $1 non_security_file_type:sock_file getattr; ++ dontaudit $1 file_type:sock_file read; + ') + + ######################################## + ## +-## Read all block nodes with file types. ++## Do not audit attempts to read ++## of all security file types. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_all_blk_files',` ++interface(`files_dontaudit_read_all_non_security_files',` + gen_require(` +- attribute file_type; ++ attribute non_security_file_type; + ') + +- read_blk_files_pattern($1, file_type, file_type) ++ dontaudit $1 non_security_file_type:file read_file_perms; + ') + + ######################################## + ## +-## Read all character nodes with file types. ++## Do not audit attempts to get the attributes ++## of non security named sockets. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_all_chr_files',` ++interface(`files_dontaudit_getattr_non_security_sockets',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:sock_file getattr; ++') ++ ++######################################## ++## ++## Read all block nodes with file types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_all_blk_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ read_blk_files_pattern($1, file_type, file_type) ++') ++ ++######################################## ++## ++## Read all character nodes with file types. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_all_chr_files',` + gen_require(` + attribute file_type; + ') +@@ -1073,10 +1448,8 @@ interface(`files_relabel_all_files',` + relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) +- # this is only relabelfrom since there should be no +- # device nodes with file types. +- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +@@ -1182,24 +1555,6 @@ interface(`files_list_all',` + + ######################################## + ## +-## Create all files as is. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`files_create_all_files_as',` +- gen_require(` +- attribute file_type; +- ') +- +- allow $1 file_type:kernel_service create_files_as; +-') +- +-######################################## +-## + ## Do not audit attempts to search the + ## contents of any directories on extended + ## attribute filesystems. +@@ -1443,9 +1798,6 @@ interface(`files_relabel_non_auth_files',` + # device nodes with file types. + relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) +- +- # satisfy the assertions: +- seutil_relabelto_bin_policy($1) + ') + + ############################################# +@@ -1583,6 +1935,24 @@ interface(`files_getattr_all_mountpoints',` + + ######################################## + ## ++## List the directory of all mount points. ++## ++## ++## ++## Domain allowed access. 
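Review bot: The summary of `files_dontaudit_read_all_non_security_files` says "all security file types" while the rule it wraps is `dontaudit $1 non_security_file_type:file read_file_perms;`, so the generated interface documentation inverts the scope of the grant. Suggest `## Do not audit attempts to read all non security file types.` The neighbouring `files_dontaudit_read_all_sockets` is a genuine widening from `non_security_file_type` to `file_type`; its summary should say "all named sockets, including security types" so a reader does not assume it is the renamed non-security variant.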
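Review bot: `files_relabel_all_files` now calls `relabel_blk_files_pattern`/`relabel_chr_files_pattern` on `file_type`, i.e. it grants relabelto as well as relabelfrom on device nodes, and at the same time deletes the comment that explained why only relabelfrom was granted ("there should be no device nodes with file types"). Every caller of this interface can now label a device node with any file type, which is the situation the removed comment guarded against. If device nodes carrying file types are now expected (chroot or image trees, for example), record that rationale, e.g. `# relabelto is needed for device nodes inside image trees labeled with file types`; otherwise keep the relabelfrom-only form.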
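Review bot: `files_relabel_non_auth_files` drops the `seutil_relabelto_bin_policy($1)` call that the original comment marks as "satisfy the assertions", while the relabel rules on `non_auth_file_type` (the file rules are above this hunk) remain. Unless `policy_config_t` has been taken out of `non_auth_file_type` elsewhere in this patch, which is not visible here, callers of this interface would presumably hit the seutil neverallow at policy build time. Either keep the call or document in the interface why the assertion no longer applies.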
++## ++## ++# ++interface(`files_list_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Set the attributes of all mount points. + ## + ## +@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',` + + ######################################## + ## ++## Write all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir write; ++') ++ ++######################################## ++## + ## Do not audit attempts to write to mount points. + ## + ## +@@ -1691,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',` + + ######################################## + ## ++## Do not audit attempts to unmount all mount points. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_unmount_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ dontaudit $1 mountpoint:filesystem unmount; ++') ++ ++######################################## ++## ++## Write all file type directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_all_dirs',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:dir write; ++') ++ ++######################################## ++## + ## List the contents of the root directory. + ## + ## +@@ -1874,25 +2298,25 @@ interface(`files_delete_root_dir_entry',` + + ######################################## + ## +-## Associate to root file system. ++## Set attributes of the root directory. + ## +-## ++## + ## +-## Type of the file to associate. ++## Domain allowed access. 
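Review bot: `files_dontaudit_unmount_all_mountpoints` writes `dontaudit $1 mountpoint:filesystem unmount;`, but `mountpoint` is an attribute carried by directory types, and the kernel checks `unmount` against the mounted filesystem's own SID. As written the rule presumably only matches when a superblock itself carries a mountpoint type (e.g. a `context=` mount); if the intent is to quiet unmount denials on the filesystems mounted there, the rule belongs on filesystem types in the fs module. In the same hunk `files_write_all_dirs` grants `file_type:dir write` across every directory on the system with a one-line summary; please document why only the `write` bit is granted (no `add_name`/`remove_name`) and which domain is meant to consume such a broad interface.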
+ ## + ## + # +-interface(`files_associate_rootfs',` ++interface(`files_setattr_root_dirs',` + gen_require(` + type root_t; + ') + +- allow $1 root_t:filesystem associate; ++ allow $1 root_t:dir setattr_dir_perms; + ') + + ######################################## + ## +-## Relabel to and from rootfs file system. ++## Relabel a rootfs filesystem. + ## + ## + ## +@@ -1905,7 +2329,7 @@ interface(`files_relabel_rootfs',` + type root_t; + ') + +- allow $1 root_t:filesystem { relabelto relabelfrom }; ++ allow $1 root_t:filesystem relabel_file_perms; + ') + + ######################################## +@@ -1928,6 +2352,24 @@ interface(`files_unmount_rootfs',` + + ######################################## + ## ++## Mount a filesystem on the root file system ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:dir { search_dir_perms mounton }; ++') ++ ++######################################## ++## + ## Get attributes of the /boot directory. + ## + ## +@@ -2163,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',` + relabelfrom_files_pattern($1, boot_t, boot_t) + ') + ++######################################## ++## ++## Relabel to files in the /boot directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_boot_files',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ relabelto_files_pattern($1, boot_t, boot_t) ++') ++ + ###################################### + ## + ## Read symbolic links in the /boot directory. +@@ -2627,6 +3087,24 @@ interface(`files_rw_etc_dirs',` + allow $1 etc_t:dir rw_dir_perms; + ') + ++####################################### ++## ++## Dontaudit remove dir /etc directories. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`files_dontaudit_remove_etc_dir',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 etc_t:dir rmdir; ++') ++ + ########################################## + ## + ## Manage generic directories in /etc +@@ -2698,6 +3176,7 @@ interface(`files_read_etc_files',` + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) ++ files_read_etc_runtime_files($1) + ') + + ######################################## +@@ -2706,7 +3185,7 @@ interface(`files_read_etc_files',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -2762,6 +3241,25 @@ interface(`files_manage_etc_files',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on etc files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_etc',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 etc_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Delete system configuration files in /etc. + ## + ## +@@ -2780,6 +3278,24 @@ interface(`files_delete_etc_files',` + + ######################################## + ## ++## Remove entries from the etc directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_etc_dir_entry',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ allow $1 etc_t:dir del_entry_dir_perms; ++') ++ ++######################################## ++## + ## Execute generic files in /etc. + ## + ## +@@ -2945,24 +3461,6 @@ interface(`files_delete_boot_flag',` + + ######################################## + ## +-## Do not audit attempts to set the attributes of the etc_runtime files +-## +-## +-## +-## Domain to not audit. 
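Review bot: Adding `files_read_etc_runtime_files($1)` to `files_read_etc_files` silently widens one of the most widely called read interfaces: every existing caller now also gains read access to `etc_runtime_t` (mtab and similar boot-generated files) without having asked for it. If that is intended, the summary of `files_read_etc_files` should state it, e.g. `## Read generic files in /etc; also grants read access to etc_runtime_t files.`, so policy authors auditing a domain's reach are not surprised by the extra type.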
+-## +-## +-# +-interface(`files_dontaudit_setattr_etc_runtime_files',` +- gen_require(` +- type etc_runtime_t; +- ') +- +- dontaudit $1 etc_runtime_t:file setattr; +-') +- +-######################################## +-## + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. + ## +@@ -3003,9 +3501,7 @@ interface(`files_read_etc_runtime_files',` + + ######################################## + ## +-## Do not audit attempts to read files +-## in /etc that are dynamically +-## created on boot, such as mtab. ++## Do not audit attempts to set the attributes of the etc_runtime files + ## + ## + ## +@@ -3013,18 +3509,17 @@ interface(`files_read_etc_runtime_files',` + ## + ## + # +-interface(`files_dontaudit_read_etc_runtime_files',` ++interface(`files_dontaudit_setattr_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + +- dontaudit $1 etc_runtime_t:file { getattr read }; ++ dontaudit $1 etc_runtime_t:file setattr; + ') + + ######################################## + ## +-## Do not audit attempts to write +-## etc runtime files. ++## Do not audit attempts to write etc_runtime files + ## + ## + ## +@@ -3042,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` + + ######################################## + ## ++## Do not audit attempts to read files ++## in /etc that are dynamically ++## created on boot, such as mtab. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_read_etc_runtime_files',` ++ gen_require(` ++ type etc_runtime_t; ++ ') ++ ++ dontaudit $1 etc_runtime_t:file { getattr read }; ++') ++ ++######################################## ++## + ## Read and write files in /etc that are dynamically + ## created on boot, such as mtab. 
+ ## +@@ -3059,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',` + + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1, etc_t, etc_runtime_t) ++ read_lnk_files_pattern($1, etc_t, etc_t) + ') + + ######################################## +@@ -3080,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',` + ') + + manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) ++ read_lnk_files_pattern($1, etc_t, etc_runtime_t) + ') + + ######################################## +@@ -3132,45 +3649,64 @@ interface(`files_getattr_isid_type_dirs',` + + ######################################## + ## +-## Do not audit attempts to search directories on new filesystems ++## Setattr of directories on new filesystems + ## that have not yet been labeled. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_isid_type_dirs',` ++interface(`files_setattr_isid_type_dirs',` + gen_require(` + type file_t; + ') + +- dontaudit $1 file_t:dir search_dir_perms; ++ allow $1 file_t:dir setattr; + ') + + ######################################## + ## +-## List the contents of directories on new filesystems ++## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_isid_type_dirs',` ++interface(`files_dontaudit_search_isid_type_dirs',` + gen_require(` + type file_t; + ') + +- allow $1 file_t:dir list_dir_perms; ++ dontaudit $1 file_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read and write directories on new filesystems ++## List the contents of directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_list_isid_type_dirs',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ allow $1 file_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Read and write directories on new filesystems + ## that have not yet been labeled. + ## + ## +@@ -3205,6 +3741,62 @@ interface(`files_delete_isid_type_dirs',` + + delete_dirs_pattern($1, file_t, file_t) + ') ++######################################## ++## ++## Execute files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_exec_isid_files',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ can_exec($1, file_t) ++') ++ ++######################################## ++## ++## Moundon directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_isid',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ allow $1 file_t:dir mounton; ++') ++ ++######################################## ++## ++## Relabelfrom all file opbjects on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_isid_type',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ dontaudit $1 file_t:dir_file_class_set relabelfrom; ++') + + ######################################## + ## +@@ -3455,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',` + + ######################################## + ## ++## rw any files inherited from another process ++## on new filesystems that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_isid_type_files',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ allow $1 file_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete block device nodes + ## on new filesystems that have not yet been labeled. 
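Review bot: `files_relabelfrom_isid_type` is documented and named as granting relabelfrom on unlabeled (`file_t`) objects, but its body is `dontaudit $1 file_t:dir_file_class_set relabelfrom;`, so callers will get a silent denial rather than the permission. Either make it `allow $1 file_t:dir_file_class_set relabelfrom;` or rename it `files_dontaudit_relabelfrom_isid_type` and fix the summary. `files_exec_isid_files` (`can_exec($1, file_t)`) lets a domain execute content on not-yet-labeled filesystems, which deserves a warning in its description; the summaries also carry the typos "Moundon" and "opbjects".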
+ ## +@@ -3796,20 +4407,38 @@ interface(`files_list_mnt',` + + ###################################### + ## +-## Do not audit attempts to list the contents of /mnt. ++## dontaudit List the contents of /mnt. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_mnt',` ++ gen_require(` ++ type mnt_t; ++ ') ++ ++ dontaudit $1 mnt_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to check the ++## write access on mnt files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_dontaudit_list_mnt',` ++interface(`files_dontaudit_access_check_mnt',` + gen_require(` + type mnt_t; + ') +- +- dontaudit $1 mnt_t:dir list_dir_perms; ++ dontaudit $1 mnt_t:dir_file_class_set audit_access; + ') + + ######################################## +@@ -4199,6 +4828,171 @@ interface(`files_read_world_readable_sockets',` + allow $1 readable_t:sock_file read_sock_file_perms; + ') + ++####################################### ++## ++## Read manageable system configuration files in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_system_conf_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ allow $1 etc_t:dir list_dir_perms; ++ read_files_pattern($1, etc_t, system_conf_t) ++ read_lnk_files_pattern($1, etc_t, system_conf_t) ++') ++ ++###################################### ++## ++## Manage manageable system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_system_conf_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) ++ files_filetrans_system_conf_named_files($1) ++') ++ ++##################################### ++## ++## File name transition for system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_filetrans_system_conf_named_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") ++') ++ ++###################################### ++## ++## Relabel manageable system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_system_conf_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ relabelto_files_pattern($1, system_conf_t, system_conf_t) ++') ++ ++###################################### ++## ++## Relabel manageable system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_relabelfrom_system_conf_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t) ++') ++ ++################################### ++## ++## Create files in /etc with the type used for ++## the manageable system config files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`files_etc_filetrans_system_conf',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ filetrans_pattern($1, etc_t, system_conf_t, file) ++') ++ ++###################################### ++## ++## Manage manageable system db files in /var/lib. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_system_db_files',` ++ gen_require(` ++ type var_lib_t, system_db_t; ++ ') ++ ++ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) ++ files_filetrans_system_db_named_files($1) ++') ++ ++##################################### ++## ++## File name transition for system db files in /var/lib. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_filetrans_system_db_named_files',` ++ gen_require(` ++ type var_lib_t, system_db_t; ++ ') ++ ++ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") ++') ++ + ######################################## + ## + ## Allow the specified type to associate +@@ -4221,6 +5015,26 @@ interface(`files_associate_tmp',` + + ######################################## + ## ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## / file system ++## ++## ++## ++## Type of the file to associate. ++## ++## ++# ++interface(`files_associate_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:filesystem associate; ++') ++ ++######################################## ++## + ## Get the attributes of the tmp directory (/tmp). 
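Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in their `gen_require` but their bodies reference `system_conf_t`, so the required type is wrong and `usr_t` is unused. Any module that expands either interface will fail to build because `system_conf_t` is not in scope; change both requires to `type system_conf_t;`. Both summaries also read "Relabel manageable system configuration files" — they should say "Relabel to" and "Relabel from" respectively.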
+ ## + ## +@@ -4234,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; + ') + + ######################################## + ## ++## Do not audit attempts to check the ++## access on tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_tmp',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 tmp_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts to get the + ## attributes of the tmp directory (/tmp). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -4271,6 +5105,7 @@ interface(`files_search_tmp',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; + ') + +@@ -4307,6 +5142,7 @@ interface(`files_list_tmp',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; + ') + +@@ -4316,7 +5152,7 @@ interface(`files_list_tmp',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -4328,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',` + dontaudit $1 tmp_t:dir list_dir_perms; + ') + ++####################################### ++## ++## Allow read and write to the tmp directory (/tmp). ++## ++## ++## ++## Domain not to audit. ++## ++## ++# ++interface(`files_rw_generic_tmp_dir',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 tmp_t:dir rw_dir_perms; ++') ++ + ######################################## + ## + ## Remove entries from the tmp directory. 
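Review bot: `files_dontaudit_access_check_tmp` requires `type etc_t;` but its rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the require is wrong and the interface will not build in a module that does not already have `tmp_t` in scope; change it to `type tmp_t;`. In the same hunk `files_getattr_tmp_dirs` gains `read_lnk_files_pattern($1, tmp_t, tmp_t)`, which grants reading every `tmp_t` symlink to callers of a getattr-only interface; if this is to follow a symlinked /tmp, say so in the summary.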
+@@ -4343,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; + ') + ++ files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; + ') + +@@ -4384,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',` + + ######################################## + ## ++## Allow shared library text relocations in tmp files. ++## ++## ++##

    ++## Allow shared library text relocations in tmp files. ++##

    ++##

    ++## This is added to support java policy. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_execmod_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file execmod; ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. + ## + ## +@@ -4438,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',` + + ######################################## + ## +-## Set the attributes of all tmp directories. ++## Relabel a dir from the type used in /tmp. + ## + ## + ## +@@ -4446,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4464,34 +5346,124 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Set the attributes of all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ++') ++ ++######################################## ++## ++## Allow caller to read inherited tmp files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ++') ++ ++######################################## ++## ++## Allow caller to append inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_append_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Allow caller to read and write inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_tmp_file',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## List all tmp directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_all_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Relabel to and from all temporary ++## directory types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_tmp_dirs',` ++ gen_require(` ++ attribute tmpfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + + ######################################## +@@ -4501,7 +5473,7 @@ interface(`files_relabel_all_tmp_dirs',` + ##
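Review bot: `files_read_inherited_tmp_files` grants `allow $1 tmpfile:file { append read_inherited_file_perms };`, so a caller asking only to read inherited tmp files also receives `append`, a write permission, on every tmpfile type. The same hunk adds `files_append_inherited_tmp_files` for exactly that purpose, so the read interface should be `allow $1 tmpfile:file read_inherited_file_perms;` and callers that need append should call the sibling.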
    + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -4561,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',` + ##
    + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -4593,6 +5565,44 @@ interface(`files_read_all_tmp_files',` + + ######################################## + ## ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_tmp_file_leaks',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do allow attempts to read or write ++## all leaked tmpfiles files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_rw_tmp_file_leaks',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Create an object in the tmp directories, with a private + ## type using a type transition. + ## +@@ -4646,6 +5656,16 @@ interface(`files_purge_tmp',` + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) + ') + + ######################################## +@@ -5223,6 +6243,24 @@ interface(`files_list_var',` + + ######################################## + ## ++## Do not audit listing of the var directory (/var). ++## ++## ++## ++## Domain to not audit. 
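Review bot: `files_rw_tmp_file_leaks` is an `allow` rule, yet its parameter is documented as `Domain to not audit.` and its summary "Do allow attempts to read or write all leaked tmpfiles files" reads as copy-paste from the dontaudit sibling above it. Suggest `## Allow reading and writing all leaked tmp files.` and `Domain allowed access.` so the generated docs distinguish the two.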
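Review bot: `files_purge_tmp` now also calls `files_delete_isid_type_dirs/files/symlinks/fifo_files/sock_files/blk_files/chr_files($1)`, which grant deletion of `file_t` objects anywhere, not just under /tmp. A tmp-cleaning domain can therefore remove any unlabeled file on the system, including content on a filesystem that simply has not been relabeled yet. If the intent is to clean unlabeled leftovers in /tmp, that scope should be stated in the summary and ideally gated behind a tunable rather than granted unconditionally.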
++## ++## ++# ++interface(`files_dontaudit_list_var',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ dontaudit $1 var_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5578,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',` + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + ++######################################## ++## ++## manage generic symbolic links ++## in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_var_lib_symlinks',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ++') ++ + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -5623,7 +6680,7 @@ interface(`files_manage_mounttab',` + + ######################################## + ## +-## Set the attributes of the generic lock directories. ++## List generic lock directories. + ## + ## + ## +@@ -5631,12 +6688,13 @@ interface(`files_manage_mounttab',` + ## + ## + # +-interface(`files_setattr_lock_dirs',` ++interface(`files_list_locks',` + gen_require(` + type var_t, var_lock_t; + ') + +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) + ') + + ######################################## +@@ -5654,6 +6712,7 @@ interface(`files_search_locks',` + type var_t, var_lock_t; + ') + ++ files_search_pids($1) + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_lock_t) + ') +@@ -5680,7 +6739,26 @@ interface(`files_dontaudit_search_locks',` + + ######################################## + ## +-## List generic lock directories. ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. + ## + ## + ## +@@ -5688,13 +6766,12 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` ++interface(`files_setattr_lock_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_lock_t:dir setattr; + ') + + ######################################## +@@ -5713,7 +6790,7 @@ interface(`files_rw_lock_dirs',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + rw_dirs_pattern($1, var_t, var_lock_t) + ') + +@@ -5746,7 +6823,6 @@ interface(`files_create_lock_dirs',` + ## Domain allowed access. + ##
    + ## +-## + # + interface(`files_relabel_all_lock_dirs',` + gen_require(` +@@ -5761,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',` + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Relabel to and from all lock file types. + ## + ## + ## +@@ -5769,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_relabel_all_lock_files',` + gen_require(` ++ attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Get the attributes of generic lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) + ') +@@ -5791,13 +6887,12 @@ interface(`files_getattr_generic_locks',` + ## + # + interface(`files_delete_generic_locks',` +- gen_require(` ++ gen_require(` + type var_t, var_lock_t; +- ') ++ ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) + ') + + ######################################## +@@ -5816,9 +6911,7 @@ interface(`files_manage_generic_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) + manage_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5860,8 +6953,7 @@ interface(`files_read_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; 
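Review bot: `files_manage_generic_locks` drops `manage_dirs_pattern($1, var_lock_t, var_lock_t)` while replacing the search rules with `files_search_locks($1)`, so every existing caller loses the ability to create or remove directories under /var/lock. If the narrowing is intentional the summary should say "Create, read, write, and delete generic lock files" (files only); otherwise keep the `manage_dirs_pattern` line alongside the new `files_search_locks($1)`.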
+- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +@@ -5883,8 +6975,7 @@ interface(`files_manage_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +@@ -5921,8 +7012,7 @@ interface(`files_lock_filetrans',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + filetrans_pattern($1, var_lock_t, $2, $3, $4) + ') + +@@ -5961,7 +7051,7 @@ interface(`files_setattr_pid_dirs',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:dir setattr; + ') + +@@ -5981,10 +7071,48 @@ interface(`files_search_pids',` + type var_t, var_run_t; + ') + ++ allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) + ') + ++###################################### ++## ++## Add and remove entries from pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir rw_dir_perms; ++') ++ ++####################################### ++## ++## Create generic pid directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to search +@@ -6007,6 +7135,25 @@ interface(`files_dontaudit_search_pids',` + + ######################################## + ## ++## Do not audit attempts to search ++## the all /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6021,7 +7168,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6040,7 +7187,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6060,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; + ') + +@@ -6122,7 +7269,6 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + +@@ -6151,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',` + + ######################################## + ## +-## Read and write generic process ID files. 
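Review bot: `files_pid_filetrans` drops `allow $1 var_run_t:lnk_file read_lnk_file_perms;` without gaining the `files_search_pids($1)` call that `files_list_pids`, `files_read_generic_pids` and `files_write_generic_pid_pipes` receive in the surrounding hunks. A caller relying only on this interface can no longer follow a /var/run symlink to reach the directory it transitions into, so the creation fails at path lookup. Replace the removed line with `files_search_pids($1)`; the remaining `allow $1 var_t:dir search_dir_perms;` then becomes redundant, since the `files_search_pids` body in hunk @@ -5981 already searches var_t.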
++## rw generic pid files inherited from another process + ## + ## + ## +@@ -6159,20 +7305,38 @@ interface(`files_pid_filetrans_lock_dir',` + ## + ## + # +-interface(`files_rw_generic_pids',` ++interface(`files_rw_inherited_generic_pid_files',` + gen_require(` +- type var_t, var_run_t; ++ type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) ++ allow $1 var_run_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. ++## Read and write generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++ rw_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes of ++## daemon runtime data files. + ## + ## + ## +@@ -6231,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',` + + ######################################## + ## ++## Relable all pid directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ relabel_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Delete all pid sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid sockets ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_create_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ++') ++ ++######################################## ++## ++## Delete all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++') ++ ++######################################## ++## ++## manage all pidfile directories ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ manage_dirs_pattern($1,pidfile,pidfile) ++') ++ ++ ++######################################## ++## + ## Read all process ID files. + ## + ## +@@ -6243,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',` + interface(`files_read_all_pids',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; ++ type var_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Relable all pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_pid_files',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ relabel_files_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Execute generic programs in /var/run in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_exec_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ exec_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## manage all pidfiles ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ manage_files_pattern($1,pidfile,pidfile) ++') ++ ++######################################## ++## ++## Mount filesystems on all polyinstantiation ++## member directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_all_poly_members',` ++ gen_require(` ++ attribute polymember; ++ ') ++ ++ allow $1 polymember:dir mounton; + ') + + ######################################## +@@ -6268,8 +7616,8 @@ interface(`files_delete_all_pids',` + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) +@@ -6293,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',` + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content ++## Make the specified type a file ++## used for spool files. ++## ++## ++##
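Review bot: The `files_manage_all_pids` redefined in this hunk grants only `manage_files_pattern($1,pidfile,pidfile)`, whereas the definition it replaces (removed in hunk @@ -6293 below) also granted manage_dirs_pattern and manage_lnk_files_pattern on pidfile, so every existing caller of that name silently loses directory and symlink management under /var/run. Either the summary should state the narrowed contract and callers be audited, or the two dropped pattern calls should be restored here. Style: `manage_files_pattern($1,pidfile,pidfile)` here and `manage_dirs_pattern($1,pidfile,pidfile)` in hunk @@ -6231 omit the spaces after commas used everywhere else in this file.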

    ++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      ++##
    • files_spool_filetrans()
    • ++##
    ++##

    ++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

    ++##

    ++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

    ++##
    ++## ++## ++## Type of the file to be used as a ++## spool file. ++## ++## ++## ++# ++interface(`files_spool_file',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 spoolfile; ++') ++ ++######################################## ++## ++## Create all spool sockets + ## + ## + ## +-## Domain alloed access. ++## Domain allowed access. + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_create_all_spool_sockets',` + gen_require(` +- attribute pidfile; ++ attribute spoolfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 spoolfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all spool sockets + ## + ## + ## +@@ -6330,12 +7722,33 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` +- attribute polymember; ++ attribute spoolfile; + ') + +- allow $1 polymember:dir mounton; ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## ++## Relabel to and from all spool ++## directory types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_spool_dirs',` ++ gen_require(` ++ attribute spoolfile; ++ type var_t; ++ ') ++ ++ relabel_dirs_pattern($1, spoolfile, spoolfile) + ') + + ######################################## +@@ -6562,3 +7975,491 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') ++ ++######################################## ++## ++## Create a core files in / ++## ++## ++##
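Review bot: The example in the `files_spool_file` description declares `type myspoolfile_t;` but then passes `myfile_spool_t` to files_spool_file, the allow rule and files_spool_filetrans, so the snippet would not compile as written. Use one name throughout, e.g. `type myfile_spool_t;`, so the example can be copied verbatim.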
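Review bot: `files_relabel_all_spool_dirs` requires `type var_t;` but its body only calls `relabel_dirs_pattern($1, spoolfile, spoolfile)`, so the require is dead and the interface still grants no search right on the path to /var/spool. Either drop `type var_t;` or, if callers are expected to reach the directories through this interface alone, add `allow $1 var_t:dir search_dir_perms;` and keep the require.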

    ++## Create a core file in /, ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_manage_root_files',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ manage_files_pattern($1, root_t, root_t) ++') ++ ++######################################## ++## ++## Create a default directory ++## ++## ++##

    ++## Create a default_t direcrory ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_create_default_dir',` ++ gen_require(` ++ type default_t; ++ ') ++ ++ allow $1 default_t:dir create; ++') ++ ++######################################## ++## ++## Create, default_t objects with an automatic ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object being created. ++## ++## ++# ++interface(`files_root_filetrans_default',` ++ gen_require(` ++ type root_t, default_t; ++ ') ++ ++ filetrans_pattern($1, root_t, default_t, $2) ++') ++ ++######################################## ++## ++## manage generic symbolic links ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_pids_symlinks',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to getattr ++## all tmpfs files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_tmpfs_files',` ++ gen_require(` ++ attribute tmpfsfile; ++ ') ++ ++ allow $1 tmpfsfile:file getattr; ++') ++ ++######################################## ++## ++## Allow read write all tmpfs files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_rw_tmpfs_files',` ++ gen_require(` ++ attribute tmpfsfile; ++ ') ++ ++ allow $1 tmpfsfile:file { read write }; ++') ++ ++######################################## ++## ++## Do not audit attempts to read security files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_read_security_files',` ++ gen_require(` ++ attribute security_file_type; ++ ') ++ ++ dontaudit $1 security_file_type:file read_file_perms; ++') ++ ++######################################## ++## ++## rw any files inherited from another process ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## Object type. ++## ++## ++# ++interface(`files_rw_all_inherited_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 { file_type $2 }:file rw_inherited_file_perms; ++ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; ++ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## ++## Allow any file point to be the entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_entrypoint_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ allow $1 file_type:file entrypoint; ++') ++ ++######################################## ++## ++## Do not audit attempts to rw inherited file perms ++## of non security files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_all_non_security_leaks',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## all leaked files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_leaks',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:file rw_inherited_file_perms; ++ dontaudit $1 file_type:lnk_file { read }; ++') ++ ++######################################## ++## ++## Allow domain to create_file_ass all types ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_as_is_all_files',` ++ gen_require(` ++ attribute file_type; ++ class kernel_service create_files_as; ++ ') ++ ++ allow $1 file_type:kernel_service create_files_as; ++') ++ ++######################################## ++## ++## Do not audit attempts to check the ++## access on all files ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`files_dontaudit_all_access_check',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:dir_file_class_set audit_access; ++') ++ ++######################################## ++## ++## Do not audit attempts to write to all files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_write_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:dir_file_class_set write; ++') ++ ++######################################## ++## ++## Allow domain to delete to all files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_delete_all_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ allow $1 non_security_file_type:dir del_entry_dir_perms; ++ allow $1 non_security_file_type:file_class_set delete_file_perms; ++') ++ ++######################################## ++## ++## Transition named content in the var_run_t directory ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_filetrans_named_content',` ++ gen_require(` ++ type etc_t; ++ type mnt_t; ++ type usr_t; ++ type tmp_t; ++ type var_t; ++ type var_run_t; ++ type tmp_t; ++ ') ++ ++ files_pid_filetrans($1, mnt_t, dir, "media") ++ files_root_filetrans($1, etc_runtime_t, file, ".readahead") ++ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") ++ files_root_filetrans($1, mnt_t, dir, "afs") ++ files_root_filetrans($1, mnt_t, dir, "misc") ++ files_root_filetrans($1, mnt_t, dir, "net") ++ files_root_filetrans($1, usr_t, dir, "export") ++ files_root_filetrans($1, usr_t, dir, "opt") ++ files_root_filetrans($1, usr_t, dir, "emul") ++ files_root_filetrans($1, var_t, dir, "srv") ++ files_root_filetrans($1, var_run_t, dir, "run") ++ files_root_filetrans($1, tmp_t, dir, "sandbox") ++ files_root_filetrans($1, tmp_t, dir, "tmp") ++ files_root_filetrans($1, var_t, dir, "nsr") ++ files_etc_filetrans($1, etc_t, file, "system-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "postlogin-ac") ++ files_etc_filetrans($1, etc_t, file, "password-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "hwdb.bin") ++ files_etc_filetrans_etc_runtime($1, file, "runtime") ++ files_etc_filetrans_etc_runtime($1, dir, "blkid") ++ files_etc_filetrans_etc_runtime($1, dir, "cmtab") ++ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE") ++ files_etc_filetrans_etc_runtime($1, file, "ioctl.save") ++ files_etc_filetrans_etc_runtime($1, file, "nologin") ++ files_etc_filetrans_etc_runtime($1, file, "securetty") ++ files_etc_filetrans_etc_runtime($1, file, "ifstate") ++ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") ++ files_etc_filetrans_etc_runtime($1, file, "hwconf") ++ files_etc_filetrans_etc_runtime($1, file, "iptables.save") ++ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") ++ files_var_filetrans($1, tmp_t, dir, "tmp") ++') ++ 
++######################################## ++## ++## Make the specified type a ++## base file. ++## ++## ++##

    ++## Identify file type as base file type. Tools will use this attribute, ++## to help users diagnose problems. ++##

    ++##
    ++## ++## ++## Type to be used as a base files. ++## ++## ++## ++# ++interface(`files_base_file',` ++ gen_require(` ++ attribute base_file_type; ++ ') ++ files_type($1) ++ typeattribute $1 base_file_type; ++') ++ ++######################################## ++## ++## Make the specified type a ++## base read only file. ++## ++## ++##

    ++## Make the specified type readable for all domains. ++##

    ++##
    ++## ++## ++## Type to be used as a base read only files. ++## ++## ++## ++# ++interface(`files_ro_base_file',` ++ gen_require(` ++ attribute base_ro_file_type; ++ ') ++ files_base_file($1) ++ typeattribute $1 base_ro_file_type; ++') ++ ++######################################## ++## ++## Read all ro base files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_all_base_ro_files',` ++ gen_require(` ++ attribute base_ro_file_type; ++ ') ++ ++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) ++ read_files_pattern($1, base_ro_file_type, base_ro_file_type) ++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) ++') ++ ++######################################## ++## ++## Execute all base ro files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_exec_all_base_ro_files',` ++ gen_require(` ++ attribute base_ro_file_type; ++ ') ++ ++ can_exec($1, base_ro_file_type) ++') ++ ++######################################## ++## ++## Allow the specified domain to modify the systemd configuration of ++## any file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_config_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:service all_service_perms; ++') ++ ++######################################## ++## ++## Get the status of etc_t files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_status_etc',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ allow $1 etc_t:service status; ++') +diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te +index 148d87a..ccbcb66 100644 +--- a/policy/modules/kernel/files.te ++++ b/policy/modules/kernel/files.te +@@ -5,12 +5,16 @@ policy_module(files, 1.17.5) + # Declarations + # + ++attribute base_file_type; ++attribute base_ro_file_type; + attribute file_type; + attribute files_unconfined_type; + attribute lockfile; + attribute mountpoint; + attribute pidfile; ++attribute spoolfile; + attribute configfile; ++attribute etcfile; + + # For labeling types that are to be polyinstantiated + attribute polydir; +@@ -48,28 +52,45 @@ attribute usercanread; + # + type boot_t; + files_mountpoint(boot_t) ++files_ro_base_file(boot_t) + + # default_t is the default type for files that do not + # match any specification in the file_contexts configuration + # other than the generic /.* specification. + type default_t; + files_mountpoint(default_t) ++files_base_file(default_t) + + # + # etc_t is the type of the system etc directories. + # + type etc_t, configfile; +-files_type(etc_t) ++files_ro_base_file(etc_t) ++ + # compatibility aliases for removed types: + typealias etc_t alias automount_etc_t; + typealias etc_t alias snmpd_etc_t; + ++# system_conf_t is a new type of various ++# files in /etc/ that can be managed and ++# created by several domains. ++# ++type system_conf_t, configfile; ++files_ro_base_file(system_conf_t) ++# compatibility aliases for removed type: ++typealias system_conf_t alias iptables_conf_t; ++ ++# system_db_t is a new type of various ++# db files. ++type system_db_t; ++files_ro_base_file(system_db_t) ++ + # + # etc_runtime_t is the type of various + # files in /etc that are automatically + # generated during initialization. 
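Review bot: `files_dontaudit_getattr_tmpfs_files` grants `allow $1 tmpfsfile:file getattr;` although its name and summary promise a dontaudit, so a caller asking to silence a denial instead receives getattr on every tmpfs-labelled file; the body should read `dontaudit $1 tmpfsfile:file getattr;`. In the same hunk, `files_rw_tmpfs_files` and `files_delete_all_non_security_files` document their parameter as "Domain to not audit." while granting access. `files_filetrans_named_content` lists `type tmp_t;` twice in its gen_require, references `etc_runtime_t` without requiring it, and its summary mentions only the var_run_t directory although most of its transitions target /, /etc, /tmp and /var.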
+ # +-type etc_runtime_t; ++type etc_runtime_t, configfile; + files_type(etc_runtime_t) + #Temporarily in policy until FC5 dissappears + typealias etc_runtime_t alias firstboot_rw_t; +@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t; + # + type file_t; + files_mountpoint(file_t) ++files_base_file(file_t) + kernel_rootfs_mountpoint(file_t) + sid file gen_context(system_u:object_r:file_t,s0) + +@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0) + # are created + # + type home_root_t; ++files_base_file(home_root_t) + files_mountpoint(home_root_t) + files_poly_parent(home_root_t) + +@@ -96,12 +119,13 @@ files_poly_parent(home_root_t) + # lost_found_t is the type for the lost+found directories. + # + type lost_found_t; +-files_type(lost_found_t) ++files_base_file(lost_found_t) + + # + # mnt_t is the type for mount points such as /mnt/cdrom + # + type mnt_t; ++files_base_file(mnt_t) + files_mountpoint(mnt_t) + + # +@@ -123,6 +147,7 @@ files_type(readable_t) + # root_t is the type for rootfs and the root directory. + # + type root_t; ++files_base_file(root_t) + files_mountpoint(root_t) + files_poly_parent(root_t) + kernel_rootfs_mountpoint(root_t) +@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) + # + type src_t; + files_mountpoint(src_t) ++files_ro_base_file(src_t) + + # + # system_map_t is for the system.map files in /boot + # + type system_map_t; + files_type(system_map_t) ++kernel_proc_type(system_map_t) + genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) + + # + # tmp_t is the type of the temporary directories + # + type tmp_t; ++files_base_file(tmp_t) + files_tmp_file(tmp_t) + files_mountpoint(tmp_t) + files_poly(tmp_t) + files_poly_parent(tmp_t) ++typealias tmp_t alias firstboot_tmp_t; + + # + # usr_t is the type for /usr. 
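Review bot: This hunk marks `etc_t`, `system_conf_t` (carrying the `iptables_conf_t` alias) and `system_db_t` with `files_ro_base_file`, whose interface summary in this same patch says it makes the type "readable for all domains"; if that grant exists elsewhere in the patch, firewall rules and system database files become readable by every domain, including ones with no need to inspect them. The grant itself is not visible in this chunk, so this may be intended, but a comment next to `type system_conf_t, configfile;` recording that its contents are treated as non-sensitive would document the decision.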
+ # + type usr_t; ++files_ro_base_file(usr_t) + files_mountpoint(usr_t) + + # + # var_t is the type of /var + # + type var_t; ++files_base_file(var_t) + files_mountpoint(var_t) + + # + # var_lib_t is the type of /var/lib + # + type var_lib_t; ++files_base_file(var_lib_t) + files_mountpoint(var_lib_t) ++files_poly(var_lib_t) + + # + # var_lock_t is tye type of /var/lock + # + type var_lock_t; ++files_base_file(var_lock_t) + files_lock_file(var_lock_t) ++files_mountpoint(var_lock_t) + + # + # var_run_t is the type of /var/run, usually + # used for pid and other runtime files. + # + type var_run_t; ++files_base_file(var_run_t) + files_pid_file(var_run_t) + files_mountpoint(var_run_t) + +@@ -186,7 +222,9 @@ files_mountpoint(var_run_t) + # var_spool_t is the type of /var/spool + # + type var_spool_t; ++files_base_file(var_spool_t) + files_tmp_file(var_spool_t) ++files_spool_file(var_spool_t) + + ######################################## + # +@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile) + # Create/access any file in a labeled filesystem; + allow files_unconfined_type file_type:{ file chr_file } ~execmod; + allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; ++allow files_unconfined_type file_type:service *; + + # Mount/unmount any filesystem with the context= option. + allow files_unconfined_type file_type:filesystem *; + +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + allow files_unconfined_type file_type:file execmod; + ') +diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc +index cda5588..924f856 100644 +--- a/policy/modules/kernel/filesystem.fc ++++ b/policy/modules/kernel/filesystem.fc +@@ -1,9 +1,12 @@ +-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/cgroup/.* <> ++# ecryptfs does not support xattr ++HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) ++HOME_DIR/\.Private(/.*)? 
gen_context(system_u:object_r:ecryptfs_t,s0) ++ ++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) + + /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) + /dev/hugepages(/.*)? <> +-/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) ++/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) + /dev/shm/.* <> + + /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +@@ -12,5 +15,11 @@ + /lib/udev/devices/shm/.* <> + + # for systemd systems: +-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/sys/fs/cgroup/.* <> ++/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) ++ ++/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) ++/usr/lib/udev/devices/hugepages/.* <> ++/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) ++/usr/lib/udev/devices/shm/.* <> ++/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) ++/var/run/[^/]*/gvfs/.* <> +diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if +index 8416beb..c6cd3eb 100644 +--- a/policy/modules/kernel/filesystem.if ++++ b/policy/modules/kernel/filesystem.if +@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` + + ######################################## + ## ++## Get attributes of cgroup files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_cgroup_files',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ getattr_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## + ## Search cgroup directories. + ## + ## +@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',` + ') + + search_dirs_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + + ######################################## + ## ++## Relabel cgroup directories. ++## ++## ++## ++## Domain allowed access. 
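Review bot: `/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)` widens the MLS range of the shared-memory directory from s0 with no comment, while the `/usr/lib/udev/devices/shm` entry added in the next hunk stays at s0. On an MLS policy the range governs which levels may create entries there, so the two should either agree or a comment above the /dev/shm line should explain why only the live mount needs the full range.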
++## ++## ++# ++interface(`fs_relabel_cgroup_dirs',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ relabel_dirs_pattern($1, cgroup_t, cgroup_t) ++') ++ ++######################################## ++## + ## list cgroup directories. + ## + ## +@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',` + ##
    + ## + # +-interface(`fs_list_cgroup_dirs', ` ++interface(`fs_list_cgroup_dirs',` + gen_require(` + type cgroup_t; + ') + + list_dirs_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + ++####################################### ++## ++## Do not audit attempts to search cgroup directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_search_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ dontaudit $1 cgroup_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ++') ++ + ######################################## + ## + ## Delete cgroup directories. +@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', ` + ') + + delete_dirs_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + +@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',` + ') + + manage_dirs_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + +@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',` + ') + + read_files_pattern($1, cgroup_t, cgroup_t) ++ read_lnk_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + +@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', ` + ') + + write_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + +@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',` + + ') + ++ read_lnk_files_pattern($1, cgroup_t, cgroup_t) + rw_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + +@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',` + ') + + manage_files_pattern($1, cgroup_t, cgroup_t) ++ manage_lnk_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) + dev_search_sysfs($1) + ') + +@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',` + + ######################################## + ## ++## Read/Write all inherited noxattrfs files. ++## ++## ++## ++## Domain allowed access. 
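Review bot: The new `fs_dontaudit_search_cgroup_dirs` header carries a space before the closing backquote, the same spacing this hunk removes from the `fs_list_cgroup_dirs` header two lines above; drop it so both headers read alike. Its body also silences only the cgroup_t and sysfs lookups, whereas the allow-side siblings `fs_list_cgroup_dirs` and `fs_search_cgroup_dirs` now add `fs_search_tmpfs($1)` for the tmpfs path to the cgroup mount, so the matching tmpfs dir search will still be audited when this dontaudit is used.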
++## ++## ++# ++interface(`fs_rw_inherited_noxattr_fs_files',` ++ gen_require(` ++ attribute noxattrfs; ++ ') ++ ++ allow $1 noxattrfs:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read all + ## noxattrfs files. + ## +@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',` + + ######################################## + ## +-## dontaudit Append files ++## Do not audit attempts to append files + ## on a CIFS filesystem. + ## + ## +@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',` + + ######################################## + ## ++## Read inherited files on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_inherited_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read/Write inherited files on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read or + ## write files on a CIFS or SMB filesystem. + ## +@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',` + type cifs_t; + ') + +- dontaudit $1 cifs_t:file rw_file_perms; ++ dontaudit $1 cifs_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',` + domain_auto_transition_pattern($1, cifs_t, $2) + ') + ++######################################## ++## ++## Make general progams in cifs an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which cifs_t is an entrypoint. 
++## ++## ++# ++interface(`fs_cifs_entry_type',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ domain_entry_file($1, cifs_t) ++') ++ + ####################################### + ## + ## Create, read, write, and delete dirs +@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',` + + ######################################## + ## ++## Unmount a configfs filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_configfs',` ++ gen_require(` ++ type configfs_t; ++ ') ++ ++ allow $1 configfs_t:filesystem unmount; ++') ++ ++######################################## ++## + ## Mount a DOS filesystem, such as + ## FAT32 or NTFS. + ## +@@ -1793,6 +1954,205 @@ interface(`fs_read_eventpollfs',` + refpolicywarn(`$0($*) has been deprecated.') + ') + ++ ++####################################### ++## ++## Search directories ++## on a ecrypt filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_search_ecryptfs',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_manage_ecryptfs_dirs',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t) ++ allow $1 ecryptfs_t:dir manage_dir_perms; ++') ++ ++####################################### ++## ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_read_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ read_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. 
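Review bot: `fs_cifs_entry_type` makes every file on a cifs_t mount a valid entry point for the given domain, which means a binary served from a network share can start that domain; the summary should say this plainly so callers use it deliberately, and it misspells "progams". Suggested summary: `Make all files on a CIFS/SMB filesystem an entrypoint for the specified domain; only for domains that must execute binaries from network shares.`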
++## ++## ++## ++# ++interface(`fs_manage_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ dontaudit $1 ecryptfs_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_ecryptfs_symlinks',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++####################################### ++## ++## Dontaudit append files on ecrypt filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_append_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ dontaudit $1 ecryptfs_t:file append; ++') ++ ++######################################## ++## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_ecryptfs_symlinks',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++######################################## ++## ++## Execute a file on a FUSE filesystem ++## in the specified domain. ++## ++## ++##

    ++## Execute a file on a FUSE filesystem ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. This is not suggested. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##

    ++## This interface was added to handle ++## home directories on FUSE filesystems, ++## in particular used by the ssh-agent policy. ++##

    ++##
    ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`fs_ecryptfs_domtrans',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) ++') ++ + ######################################## + ## + ## Mount a FUSE filesystem. +@@ -2025,6 +2385,87 @@ interface(`fs_read_fusefs_symlinks',` + + ######################################## + ## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## ++## Execute a file on a FUSE filesystem ++## in the specified domain. ++## ++## ++##
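Review bot: The ecryptfs block carries documentation copied from the fusefs interfaces without adapting it: fs_read_ecryptfs_files' summary says "Create, read, write, and delete files on a FUSEFS filesystem" although it only grants read, fs_manage_ecryptfs_dirs, fs_manage_ecryptfs_files, fs_dontaudit_manage_ecryptfs_files, fs_read_ecryptfs_symlinks and fs_manage_ecryptfs_symlinks all say FUSEFS, and fs_ecryptfs_domtrans keeps the FUSE home-directory/ssh-agent rationale. In fs_manage_ecryptfs_dirs the line `allow $1 ecryptfs_t:dir manage_dir_perms;` duplicates what `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` already grants and can be dropped. fs_dontaudit_append_ecryptfs_files documents its parameter as "Domain allowed access" where the file's dontaudit interfaces use "Domain to not audit", and fs_search_ecryptfs is preceded by two blank lines and a 39-character `#` header where the rest of the file uses one blank line and 40 characters.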

    ++## Execute a file on a FUSE filesystem ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. This is not suggested. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##

    ++## This interface was added to handle ++## home directories on FUSE filesystems, ++## in particular used by the ssh-agent policy. ++##

    ++##
    ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`fs_fusefs_domtrans',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, fusefs_t, $2) ++') ++ ++######################################## ++## ++## Get the attributes of a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_getattr_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:filesystem getattr; ++') ++ ++######################################## ++## + ## Get the attributes of an hugetlbfs + ## filesystem. + ## +@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',` + + ######################################## + ## ++## Read hugetlbfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## + ## Read and write hugetlbfs files. + ## + ## +@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',` + + ######################################## + ## ++## Execute hugetlbfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_exec_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## + ## Allow the type to associate to hugetlbfs filesystems. + ## + ## +@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',` + ') + + allow $1 inotifyfs_t:dir list_dir_perms; ++ fs_read_anon_inodefs_files($1) + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. ++## Do not audit attempts to list inotifyfs filesystem. 
+ ## + ## + ## +@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',` + + ######################################## + ## ++## Make general progams in nfs an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which nfs_t is an entrypoint. ++## ++## ++# ++interface(`fs_nfs_entry_type',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ domain_entry_file($1, nfs_t) ++') ++ ++######################################## ++## + ## Append files + ## on a NFS filesystem. + ## +@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',` + + ######################################## + ## +-## dontaudit Append files ++## Do not audit attempts to append files + ## on a NFS filesystem. + ## + ## +@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',` + + ######################################## + ## ++## Read inherited files on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_inherited_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read/write inherited files on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read or + ## write files on a NFS filesystem. 
+ ## +@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',` + type nfs_t; + ') + +- dontaudit $1 nfs_t:file rw_file_perms; ++ dontaudit $1 nfs_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',` + + ######################################## + ## +-## Dontaudit read symbolic links on a NFS filesystem. ++## Do not audit attempts to read symbolic links on a NFS filesystem. + ## + ## + ## +@@ -2719,6 +3255,26 @@ interface(`fs_search_rpc',` + + ######################################## + ## ++## Do not audit attempts to list removable storage directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_list_pstorefs',` ++ gen_require(` ++ type pstorefs_t; ++ ') ++ ++ allow $1 pstorefs_t:dir list_dir_perms; ++') ++ ++ ++ ++######################################## ++## + ## Search removable storage directories. + ## + ## +@@ -2741,7 +3297,7 @@ interface(`fs_search_removable',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -2777,7 +3333,7 @@ interface(`fs_read_removable_files',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -2970,6 +3526,7 @@ interface(`fs_manage_nfs_dirs',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir manage_dir_perms; + ') + +@@ -3010,6 +3567,7 @@ interface(`fs_manage_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + manage_files_pattern($1, nfs_t, nfs_t) + ') + +@@ -3050,6 +3608,7 @@ interface(`fs_manage_nfs_symlinks',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + manage_lnk_files_pattern($1, nfs_t, nfs_t) + ') + +@@ -3137,6 +3696,24 @@ interface(`fs_nfs_domtrans',` + + ######################################## + ## ++## Mount on nfsd_fs directories. ++## ++## ++## ++## Domain allowed access. 
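Review bot: fs_list_pstorefs grants `allow $1 pstorefs_t:dir list_dir_perms;` but its summary reads "Do not audit attempts to list removable storage directories" and its parameter "Domain to not audit", so the documentation describes a different interface. Suggest `## List the contents of a pstore filesystem.` and `## Domain allowed access.`, and drop the two extra blank lines before the following header. pstore holds kernel crash and panic records, so naming that in the summary helps reviewers of future callers see what data is being exposed.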
++## ++## ++# ++interface(`fs_mounton_nfsd_fs', ` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ allow $1 nfsd_fs_t:dir mounton; ++') ++ ++######################################## ++## + ## Mount a NFS server pseudo filesystem. + ## + ## +@@ -3255,17 +3832,53 @@ interface(`fs_list_nfsd_fs',` + ##
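Review bot: `interface(`fs_mounton_nfsd_fs', `` puts a space between the comma and the opening quote of the body, unlike every other interface in this file; m4 discards the leading whitespace so it still works, but tools that key on the exact `',`` form of the header may not recognise it, and fs_mounton_tmpfs added later has the same spacing. Write both as `interface(`fs_mounton_nfsd_fs',`.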
    + ## + # +-interface(`fs_getattr_nfsd_files',` ++interface(`fs_getattr_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++') ++ ++####################################### ++## ++## read files on an nfsd filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++') ++ ++######################################## ++## ++## Read and write NFS server files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## + ## +-## Read and write NFS server files. ++## Manage NFS server files. + ## + ## + ## +@@ -3273,12 +3886,12 @@ interface(`fs_getattr_nfsd_files',` + ## + ## + # +-interface(`fs_rw_nfsd_fs',` ++interface(`fs_manage_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## +@@ -3392,7 +4005,7 @@ interface(`fs_search_ramfs',` + + ######################################## + ## +-## Dontaudit Search directories on a ramfs ++## Do not audit attempts to search directories on a ramfs + ## + ## + ## +@@ -3429,7 +4042,7 @@ interface(`fs_manage_ramfs_dirs',` + + ######################################## + ## +-## Dontaudit read on a ramfs files. ++## Do not audit attempts to read on a ramfs files. + ## + ## + ## +@@ -3447,7 +4060,7 @@ interface(`fs_dontaudit_read_ramfs_files',` + + ######################################## + ## +-## Dontaudit read on a ramfs fifo_files. ++## Do not audit attempts to read on a ramfs fifo_files. 
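Review bot: fs_read_nfsd_files uses a 39-character `#` header and a lowercase summary ("read files on an nfsd filesystem") where the neighbouring interfaces use 40 characters and a capitalised sentence; suggest `## Read files on an nfsd filesystem.`. Reading the two hunks together, the net change is the addition of fs_read_nfsd_files and fs_manage_nfsd_fs with fs_getattr_nfsd_files and fs_rw_nfsd_fs left as they were; the rename-looking `-`/`+` pairs are diff alignment, which is worth stating in the commit message so nobody reads it as a rename.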
+ ## + ## + ## +@@ -3815,6 +4428,24 @@ interface(`fs_unmount_tmpfs',` + + ######################################## + ## ++## Mount on tmpfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_tmpfs', ` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:dir mounton; ++') ++ ++######################################## ++## + ## Get the attributes of a tmpfs + ## filesystem. + ## +@@ -3908,7 +4539,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` + + ######################################## + ## +-## Mount on tmpfs directories. ++## Set the attributes of tmpfs directories. + ## + ## + ## +@@ -3916,17 +4547,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` + ## + ## + # +-interface(`fs_mounton_tmpfs',` ++interface(`fs_setattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir mounton; ++ allow $1 tmpfs_t:dir setattr; + ') + + ######################################## + ## +-## Set the attributes of tmpfs directories. ++## Search tmpfs directories. + ## + ## + ## +@@ -3934,17 +4565,17 @@ interface(`fs_mounton_tmpfs',` + ## + ## + # +-interface(`fs_setattr_tmpfs_dirs',` ++interface(`fs_search_tmpfs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir setattr; ++ allow $1 tmpfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Search tmpfs directories. ++## List the contents of generic tmpfs directories. + ## + ## + ## +@@ -3952,17 +4583,36 @@ interface(`fs_setattr_tmpfs_dirs',` + ## + ## + # +-interface(`fs_search_tmpfs',` ++interface(`fs_list_tmpfs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir search_dir_perms; ++ allow $1 tmpfs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## List the contents of generic tmpfs directories. ++## Do not audit attempts to list the ++## contents of generic tmpfs directories. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`fs_dontaudit_list_tmpfs',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ dontaudit $1 tmpfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Relabel directory on tmpfs filesystems. + ## + ## + ## +@@ -3970,31 +4620,48 @@ interface(`fs_search_tmpfs',` + ## + ## + # +-interface(`fs_list_tmpfs',` ++interface(`fs_relabel_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to list the +-## contents of generic tmpfs directories. ++## Relabel fifo_file on tmpfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_list_tmpfs',` ++interface(`fs_relabel_tmpfs_fifo_files',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:dir list_dir_perms; ++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## ++## Relabel files on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ relabel_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## +@@ -4105,7 +4772,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:file rw_file_perms; ++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -4165,6 +4832,24 @@ interface(`fs_rw_tmpfs_files',` + + ######################################## + ## ++## Read and write generic tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:file { read write }; ++') ++ ++######################################## ++## + ## Read tmpfs link files. 
+ ## + ## +@@ -4202,7 +4887,7 @@ interface(`fs_rw_tmpfs_chr_files',` + + ######################################## + ## +-## dontaudit Read and write character nodes on tmpfs filesystems. ++## Do not audit attempts to read and write character nodes on tmpfs filesystems. + ## + ## + ## +@@ -4221,6 +4906,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` + + ######################################## + ## ++## Do not audit attempts to create character nodes on tmpfs filesystems. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_create_tmpfs_chr_dev',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ dontaudit $1 tmpfs_t:chr_file create; ++') ++ ++######################################## ++## ++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_read_tmpfs_blk_dev',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read files on tmpfs filesystems. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_read_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ dontaudit $1 tmpfs_t:blk_file read; ++') ++ ++######################################## ++## + ## Relabel character nodes on tmpfs filesystems. + ## + ## +@@ -4278,6 +5017,44 @@ interface(`fs_relabel_tmpfs_blk_file',` + + ######################################## + ## ++## Relabel sock nodes on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_tmpfs_sock_file',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## ++## Delete generic files in tmpfs directory. ++## ++## ++## ++## Domain allowed access. 
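Review bot: fs_rw_inherited_tmpfs_files grants `allow $1 tmpfs_t:file { read write };` while the other `*_rw_inherited_*` interfaces added in this patch (fs_rw_inherited_cifs_files, fs_rw_inherited_nfs_files) use `rw_inherited_file_perms`, so this one lacks the getattr/append/ioctl/lock members of that set and will produce follow-up denials for the same use case; suggest `allow $1 tmpfs_t:file rw_inherited_file_perms;`. Its summary "Read and write generic tmpfs files" is identical to fs_rw_tmpfs_files' and should say the access is for inherited descriptors, e.g. `## Read and write inherited generic tmpfs files.`.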
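Review bot: fs_dontaudit_read_tmpfs_files is documented as suppressing reads of tmpfs files but its rule is `dontaudit $1 tmpfs_t:blk_file read;`, which targets block device nodes, the same class as fs_dontaudit_read_tmpfs_blk_dev two interfaces above, so the file reads it is meant to silence will still be audited. The rule should read `dontaudit $1 tmpfs_t:file read_file_perms;`. The summary of fs_dontaudit_read_tmpfs_blk_dev also has a doubled verb ("Do not audit attempts to dontaudit read block nodes").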
++## ++## ++# ++interface(`fs_delete_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:dir del_entry_dir_perms; ++ allow $1 tmpfs_t:file_class_set delete_file_perms; ++') ++ ++######################################## ++## + ## Read and write, create and delete generic + ## files on tmpfs filesystems. + ## +@@ -4297,6 +5074,25 @@ interface(`fs_manage_tmpfs_files',` + + ######################################## + ## ++## Execute files on a tmpfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_exec_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ exec_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## + ## Read and write, create and delete symbolic + ## links on tmpfs filesystems. + ## +@@ -4503,6 +5299,8 @@ interface(`fs_mount_all_fs',` + ') + + allow $1 filesystem_type:filesystem mount; ++# Mount checks write access on the dir ++ allow $1 filesystem_type:dir write; + ') + + ######################################## +@@ -4549,7 +5347,7 @@ interface(`fs_unmount_all_fs',` + ## + ##
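Review bot: fs_delete_tmpfs_files grants `allow $1 tmpfs_t:file_class_set delete_file_perms;`, and file_class_set covers symlinks, sockets, fifos and device nodes as well as regular files, broader than the summary "Delete generic files in tmpfs directory" suggests. Either narrow the rule to `allow $1 tmpfs_t:file delete_file_perms;` or document the wider scope; callers are typically cleanup helpers that only need to unlink regular files, so the narrow form is the safer default.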
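Review bot: fs_exec_tmpfs_files grants execution of regular files on tmpfs_t, which is also the label of world-writable shared-memory mounts such as /dev/shm, so a caller that receives it can run whatever any process able to write tmpfs drops there, the situation `noexec` tmpfs mounts exist to prevent. State that in the summary so reviewers of callers weigh it, e.g. `## Execute files on a tmpfs filesystem (tmpfs mounts such as /dev/shm are commonly world-writable).`.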
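Review bot: In fs_mount_all_fs the new `allow $1 filesystem_type:dir write;` lets the caller add and remove entries in directories of every filesystem type, far broader than a mount needs; as far as I know the SELinux mount hook checks `dir:mounton` on the mount point, and the mount-related interfaces in this same file (fs_mounton_nfsd_fs, fs_mounton_tmpfs) use `mounton`. If a specific denial motivated the line, cite it in the comment and try `mounton` first. The explanatory comment `# Mount checks write access on the dir` also sits at column 0 inside the interface body; indent it like the rules around it.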

    + ## Allow the specified domain to +-## et the attributes of all filesystems. ++## get the attributes of all filesystems. + ## Example attributes: + ##

    + ##
      +@@ -4596,6 +5394,26 @@ interface(`fs_dontaudit_getattr_all_fs',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on all filesystems. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_all_access_check',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:dir_file_class_set audit_access; ++') ++ ++ ++######################################## ++## + ## Get the quotas of all filesystems. + ## + ## +@@ -4671,6 +5489,25 @@ interface(`fs_getattr_all_dirs',` + + ######################################## + ## ++## Dontaudit Get the attributes of all directories ++## with a filesystem type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_getattr_all_dirs',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:dir getattr; ++') ++ ++######################################## ++## + ## Search all directories with a filesystem type. + ## + ## +@@ -4912,3 +5749,43 @@ interface(`fs_unconfined',` + + typeattribute $1 filesystem_unconfined_type; + ') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## all leaked filesystems files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_leaks',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:file rw_inherited_file_perms; ++ dontaudit $1 filesystem_type:lnk_file { read }; ++') ++ ++ ++######################################## ++## ++## Transition named content in tmpfs_t directory ++## ++## ++## ++## Domain allowed access. 
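Review bot: fs_dontaudit_getattr_all_dirs documents its parameter as "Domain allowed access" and its summary starts with "Dontaudit Get", which is exactly the wording this patch rewrites elsewhere (fs_dontaudit_list_inotifyfs, fs_dontaudit_search_ramfs and others get "Do not audit attempts to ..." and "Domain to not audit"); apply the same here: `## Do not audit attempts to get the attributes of all directories` and `## Domain to not audit.`. fs_dontaudit_all_access_check in the preceding hunk is followed by two blank lines where the file uses one.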
++## ++## ++# ++interface(`fs_tmpfs_filetrans_named_content',` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") ++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") ++') +diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te +index 9e603f5..1198b51 100644 +--- a/policy/modules/kernel/filesystem.te ++++ b/policy/modules/kernel/filesystem.te +@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0); + + # Use the allocating task SID to label inodes in the following filesystem + # types, and label the filesystem itself with the specified context. 
+@@ -53,6 +56,7 @@ type anon_inodefs_t; + fs_type(anon_inodefs_t) + files_mountpoint(anon_inodefs_t) + genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) ++mls_trusted_object(anon_inodefs_t) + + type bdev_t; + fs_type(bdev_t) +@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t) + files_mountpoint(binfmt_misc_fs_t) + genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) + ++type oracleasmfs_t; ++fs_type(oracleasmfs_t) ++files_mountpoint(oracleasmfs_t) ++genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) ++ + type capifs_t; + fs_type(capifs_t) + files_mountpoint(capifs_t) + genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) + +-type cgroup_t; ++type cgroup_t alias cgroupfs_t; + fs_type(cgroup_t) + files_type(cgroup_t) + files_mountpoint(cgroup_t) +@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) + files_mountpoint(ecryptfs_t) + genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) + ++type efivarfs_t; ++fs_noxattr_type(efivarfs_t) ++files_mountpoint(efivarfs_t) ++genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0) ++ + type futexfs_t; + fs_type(futexfs_t) + genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) +@@ -97,6 +111,7 @@ type hugetlbfs_t; + fs_type(hugetlbfs_t) + files_mountpoint(hugetlbfs_t) + fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); ++dev_associate(hugetlbfs_t) + + type ibmasmfs_t; + fs_type(ibmasmfs_t) +@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) + + type nfsd_fs_t; + fs_type(nfsd_fs_t) ++files_mountpoint(nfsd_fs_t) + genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) + + type oprofilefs_t; + fs_type(oprofilefs_t) + genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) + ++type pstorefs_t; ++fs_type(pstorefs_t) ++genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0) ++ + type ramfs_t; + fs_type(ramfs_t) + files_mountpoint(ramfs_t) +@@ -145,11 +165,6 @@ 
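Review bot: The new `fs_use_xattr squashfs` line is inserted after xfs and `fs_use_xattr fuse.glusterfs` after zfs, breaking the alphabetical order the block keeps (ocfs2 was placed correctly between lustre and xfs); move them into order so later additions do not collide. Switching squashfs from genfscon (the squash_t type removed later in this file) to xattr labelling means images must be built with security xattrs; files that carry none fall back to the filesystem's default label, which for an xattr filesystem is file_t as far as I recall, so the commit message should warn anyone whose images stop being labelled. The removed statement was `genfscon squash`, whereas the kernel filesystem name is squashfs, so it is worth confirming the old entry ever matched anything.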
fs_type(spufs_t) + genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) + files_mountpoint(spufs_t) + +-type squash_t; +-fs_type(squash_t) +-genfscon squash / gen_context(system_u:object_r:squash_t,s0) +-files_mountpoint(squash_t) +- + type sysv_t; + fs_noxattr_type(sysv_t) + files_mountpoint(sysv_t) +@@ -167,6 +182,8 @@ type vxfs_t; + fs_noxattr_type(vxfs_t) + files_mountpoint(vxfs_t) + genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) ++genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0) ++genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0) + + # + # tmpfs_t is the type for tmpfs filesystems +@@ -176,6 +193,8 @@ fs_type(tmpfs_t) + files_type(tmpfs_t) + files_mountpoint(tmpfs_t) + files_poly_parent(tmpfs_t) ++dev_associate(tmpfs_t) ++mls_trusted_object(tmpfs_t) + + # Use a transition SID based on the allocating task SID and the + # filesystem SID to label inodes in the following filesystem types, +@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) + type removable_t; + allow removable_t noxattrfs:filesystem associate; + fs_noxattr_type(removable_t) ++files_type(removable_t) ++dev_node(removable_t) + files_mountpoint(removable_t) + + # +@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) ++genfscon 9p / gen_context(system_u:object_r:nfs_t,s0) + + ######################################## + # +diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc +index 7be4ddf..f7021a0 100644 +--- a/policy/modules/kernel/kernel.fc ++++ b/policy/modules/kernel/kernel.fc +@@ -1 +1,2 @@ +-# This module currently does not have any file contexts. 
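Review bot: `mls_trusted_object(tmpfs_t)` in the tmpfs_t block exempts every tmpfs_t object from the MLS read-down/write-up constraints for all domains, a policy-wide relaxation the commit does not explain; add a comment above it stating the reason, e.g. `# tmpfs_t is an MLS trusted object because <reason - TODO fill in>`, and the same for the `mls_trusted_object(anon_inodefs_t)` line earlier in this file. The added `dev_associate(tmpfs_t)`, which if I read dev_associate correctly lets tmpfs_t-labelled objects live on the device_t filesystem, deserves a one-line comment naming the use case as well.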
++ ++/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 649e458..d47750f 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` + type kernel_t; + ') + +- allow $1 kernel_t:unix_dgram_socket { read write ioctl }; ++ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl }; + ') + + ######################################## +@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',` + + ######################################## + ## ++## Mount the proc filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mount_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ allow $1 proc_t:filesystem mount; ++') ++ ++######################################## ++## + ## Unmount the proc filesystem. + ## + ## +@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',` + + ######################################## + ## ++## Mounton a proc filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ allow $1 proc_t:dir mounton; ++') ++ ++######################################## ++## + ## Get the attributes of the proc filesystem. + ## + ## +@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',` + # + interface(`kernel_read_system_state',` + gen_require(` +- type proc_t; ++ attribute kernel_system_state_reader; + ') + +- read_files_pattern($1, proc_t, proc_t) +- read_lnk_files_pattern($1, proc_t, proc_t) +- +- list_dirs_pattern($1, proc_t, proc_t) ++ typeattribute $1 kernel_system_state_reader; + ') + + ######################################## +@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',` + + ######################################## + ## ++## Allow attempts to read all proc types. ++## ++## ++## ++## Domain allowed access. 
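Review bot: The new kernel.fc entry `/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)` targets sysfs, which is labelled by genfscon rather than from file contexts, so this line only takes effect when something explicitly relabels that path at runtime (restorecon on /sys, for example); if that is the intended mechanism, say so in a comment above the entry so the line is not taken for a no-op and removed. The pattern `ib.*` also matches any entry whose name merely starts with "ib" and everything beneath it; if only InfiniBand interfaces are meant, a tighter regex such as `/sys/class/net/ib[0-9]+(/.*)?` states that intent.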
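Review bot: kernel_read_system_state now only does `typeattribute $1 kernel_system_state_reader;`, which changes how the interface can be used: typeattribute is a declaration and is not permitted inside conditional (`tunable_policy`/`if`) blocks, so any caller that wraps kernel_read_system_state in a tunable will stop building. The attribute declaration and the proc_t read rules that used to be here must now live in kernel.te, which this hunk does not show; the summary should say the access is granted through the attribute, e.g. `## Allow caller to read the system state (/proc) via the kernel_system_state_reader attribute.`.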
++## ++## ++# ++interface(`kernel_read_all_proc',` ++ gen_require(` ++ attribute proc_type; ++ ') ++ ++ read_files_pattern($1, proc_type, proc_type) ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to search + ## the base directory of sysctls. + ## +@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` + ') + + dontaudit $1 sysctl_type:dir list_dir_perms; +- dontaudit $1 sysctl_type:file getattr; ++ dontaudit $1 sysctl_type:file read_file_perms; + ') + + ######################################## +@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',` + + ######################################## + ## ++## Delete unlabeled files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_delete_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir delete_dir_perms; ++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms; ++') ++ ++######################################## ++## + ## Read the process state (/proc/pid) of all unlabeled_t. + ## + ## +@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',` + ##
    + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',` + + ######################################## + ## ++## Read and write unlabeled sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_unlabeled_socket',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:socket rw_socket_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to get attributes for + ## unlabeled character devices. + ## +@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` + + ######################################## + ## ++## Allow caller to relabel unlabeled filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_relabelfrom_unlabeled_fs',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:filesystem relabelfrom; ++') ++ ++######################################## ++## + ## Allow caller to relabel unlabeled files. + ## + ## +@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',` + allow $1 unlabeled_t:association { sendto recvfrom }; + + # temporary hack until labeling on packets is supported +- allow $1 unlabeled_t:packet { send recv }; ++# allow $1 unlabeled_t:packet { send recv }; + ') + + ######################################## +@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` + + ######################################## + ## ++## Receive DCCP packets from an unlabeled connection. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dccp_recvfrom_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Receive TCP packets from an unlabeled connection. 
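Review bot: In kernel_sendrecv_unlabeled_association the rule is turned into a commented-out line `# allow $1 unlabeled_t:packet { send recv };` while the comment above it, "temporary hack until labeling on packets is supported", is kept, so the two now contradict each other and the dead line invites a silent re-enable. Delete both lines, or replace them with a comment that says why the packet permissions are no longer granted (for example that unlabeled packets are now handled by the corenetwork interfaces, if that is the reason).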
+ ## + ## +@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` + + ######################################## + ## ++## Do not audit attempts to receive DCCP packets from an unlabeled ++## connection. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ dontaudit $1 unlabeled_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Do not audit attempts to receive TCP packets from an unlabeled + ## connection. + ## +@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` + + allow $1 unlabeled_t:rawip_socket recvfrom; + ') ++######################################## ++## ++## Read/Write Raw IP packets from an unlabeled connection. ++## ++## ++##

    ++## Receive Raw IP packets from an unlabeled connection. ++##

    ++##

    ++## The corenetwork interface corenet_raw_recv_unlabeled() should ++## be used instead of this one. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_unlabeled_rawip_socket',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:rawip_socket rw_socket_perms; ++') ++ + + ######################################## + ## +@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` + + ######################################## + ## ++## Relabel to unlabeled context . ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_relabelto_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir_file_class_set relabelto; ++') ++ ++######################################## ++## + ## Unconfined access to kernel module resources. + ## + ## +@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',` + ') + + typeattribute $1 kern_unconfined; +- kernel_load_module($1) ++ kernel_load_module($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to getattr on ++## the kernel with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_stream_read',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket { read getattr }; ++') ++ ++####################################### ++## ++## Allow the specified domain to write on ++## the kernel with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_stream_write',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket { write getattr }; ++') ++ ++####################################### ++## ++## Allow the specified domain to read/write on ++## the kernel with a unix socket. ++## ++## ++## ++## Domain allowed access. 
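Review bot: kernel_rw_unlabeled_rawip_socket copies its description from kernel_raw_recvfrom_unlabeled, so it says "Receive Raw IP packets" and that corenet_raw_recv_unlabeled() should be used instead, neither of which fits an interface that grants `rw_socket_perms` on rawip_socket; rewrite the description for read/write access and drop or correct the corenet pointer. The new header also follows the previous `')` without the blank line the rest of the file keeps between interfaces.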
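Review bot: kernel_relabelto_unlabeled grants `relabelto` on `dir_file_class_set` to unlabeled_t, which lets a caller that can already relabel an object strip its label entirely, after which every rule written against unlabeled_t applies to it; that is a significant capability and the summary `Relabel to unlabeled context .` (stray space before the period) does not say who it is for. Suggest `## Relabel directories and files to the unlabeled context.` plus a sentence naming the intended caller, so the interface is not picked up by unrelated modules to silence relabel denials.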
++## ++## ++# ++interface(`kernel_rw_stream_socket_perms',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket rw_socket_perms; ++ allow $1 kernel_t:fd use; ++') ++ ++######################################## ++## ++## Make the specified type usable for regular entries in proc ++## ++## ++## ++## Type to be used for /proc entries. ++## ++## ++# ++interface(`kernel_proc_type',` ++ gen_require(` ++ attribute proc_type; ++ ') ++ ++ typeattribute $1 proc_type; ++') ++ ++######################################## ++## ++## Do not audit attempts by caller to get attributes on all sysctls. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_getattr_all_sysctls',` ++ gen_require(` ++ attribute sysctl_type; ++ ') ++ ++ dontaudit $1 sysctl_type:file getattr; ++') ++ ++######################################## ++## ++## Read the process state (/proc/pid) of the kernel. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_state',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:dir search_dir_perms; ++ allow $1 kernel_t:file read_file_perms; ++ allow $1 kernel_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## ++## Dontaudit attempts to read the process state (/proc/pid) of the kernel. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_read_state',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:dir search_dir_perms; ++ dontaudit $1 kernel_t:file read_file_perms; ++ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## ++## Allow searching of numa state directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`kernel_search_numa_state',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ search_dirs_pattern($1, proc_t, proc_numa_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the numa ++## state directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`kernel_dontaudit_search_numa_state',` ++ gen_require(` ++ type proc_numa_t; ++ ') ++ ++ dontaudit $1 proc_numa_t:dir search; ++') ++ ++######################################## ++## ++## Allow caller to read the numa state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_numa_state',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++ ++ list_dirs_pattern($1, proc_t, proc_numa_t) ++') ++ ++######################################## ++## ++## Allow caller to read the numa state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_numa_state_symlinks',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++ ++ list_dirs_pattern($1, proc_t, proc_numa_t) ++') ++ ++######################################## ++## ++## Allow caller to write numa state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_write_numa_state',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++') ++ ++######################################## ++## ++## Allow caller to search virtual memory overcommit sysctls. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`kernel_search_vm_overcommit_sysctl',` ++ gen_require(` ++ type sysctl_vm_overcommit_t; ++ ') ++ ++ kernel_search_vm_sysctl($1) ++ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ++') ++ ++######################################## ++## ++## Allow caller to read virtual memory overcommit sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_vm_overcommit_sysctls',` ++ gen_require(` ++ type sysctl_vm_overcommit_t; ++ ') ++ ++ kernel_search_vm_sysctl($1) ++ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ++') ++ ++######################################## ++## ++## Read and write virtual memory overcommit sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_vm_overcommit_sysctls',` ++ gen_require(` ++ type sysctl_vm_overcommit_t; ++ ') ++ ++ kernel_search_vm_sysctl($1) ++ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ++ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) + ') +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 6fac350..5a087a7 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -25,6 +25,9 @@ attribute kern_unconfined; + # regular entries in proc + attribute proc_type; + ++# attribute for domains which read proc_t ++attribute kernel_system_state_reader; ++ + # sysctls + attribute sysctl_type; + +@@ -48,6 +51,7 @@ ifdef(`enable_mls',` + type kernel_t, can_load_kernmodule; + domain_base_type(kernel_t) + mls_rangetrans_source(kernel_t) ++mls_trusted_object(kernel_t) + role system_r types kernel_t; + sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) + +@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) + type debugfs_t; + files_mountpoint(debugfs_t) + fs_type(debugfs_t) ++ + allow debugfs_t self:filesystem associate; + genfscon debugfs / 
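Review bot: Several of the new interface headers do not match their rule bodies: kernel_stream_read's summary speaks only of "getattr" but the rule is `allow $1 kernel_t:unix_stream_socket { read getattr };`; kernel_rw_stream_socket_perms additionally grants `allow $1 kernel_t:fd use;`, which its summary does not mention; and kernel_dontaudit_read_state documents its parameter as "Domain allowed access." where a dontaudit interface should say "Domain to not audit.". Naming is uneven as well — kernel_search_vm_overcommit_sysctl (singular) sits beside kernel_read_vm_overcommit_sysctls and kernel_rw_vm_overcommit_sysctls (plural). The change to kernel_unconfined (`kernel_load_module($1)` removed and re-added) appears to alter whitespace only and could be left out of the patch.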
gen_context(system_u:object_r:debugfs_t,s0) + +@@ -95,6 +100,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) + type proc_mdstat_t, proc_type; + genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) + ++type proc_numa_t, proc_type; ++genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0) ++mls_trusted_object(proc_numa_t) ++ + type proc_net_t, proc_type; + genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) + +@@ -153,6 +162,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) + type sysctl_vm_t, sysctl_type; + genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) + ++# /proc/sys/vm/overcommit_memory ++type sysctl_vm_overcommit_t, sysctl_type; ++genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0) ++ + # /proc/sys/dev directory and files + type sysctl_dev_t, sysctl_type; + genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) + type unlabeled_t; + fs_associate(unlabeled_t) + sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) ++allow unlabeled_t self:filesystem associate; + + # These initial sids are no longer used, and can be removed: + sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) + # kernel local policy + # + ++allow kernel_t self:capability2 mac_admin; + allow kernel_t self:capability ~sys_module; + allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow kernel_t self:shm create_shm_perms; +@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; + corenet_in_generic_if(unlabeled_t) + corenet_in_generic_node(unlabeled_t) + 
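Review bot: `allow kernel_t self:capability2 mac_admin;` is added with no comment, although it is the permission that lets a domain set security contexts the loaded policy does not define, and the neighbouring kernel_t rules in this file carry their rationale. A one-line why-comment above it, e.g. `# mac_admin: <reason> — see <tracker id>`, lets a later policy audit tell an intended grant from a leftover one. The hunk -165 line `allow unlabeled_t self:filesystem associate;`, placed right under `fs_associate(unlabeled_t)`, would benefit from the same treatment.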
+-corenet_all_recvfrom_unlabeled(kernel_t) + corenet_all_recvfrom_netlabel(kernel_t) + # Kernel-generated traffic e.g., ICMP replies: + corenet_raw_sendrecv_all_if(kernel_t) +@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) + corenet_tcp_sendrecv_all_nodes(kernel_t) + corenet_raw_send_generic_node(kernel_t) + corenet_send_all_packets(kernel_t) ++corenet_filetrans_all_named_dev(kernel_t) + + dev_read_sysfs(kernel_t) + dev_search_usbfs(kernel_t) + # devtmpfs handling: + dev_create_generic_dirs(kernel_t) + dev_delete_generic_dirs(kernel_t) +-dev_create_generic_blk_files(kernel_t) +-dev_delete_generic_blk_files(kernel_t) +-dev_create_generic_chr_files(kernel_t) +-dev_delete_generic_chr_files(kernel_t) ++dev_create_all_blk_files(kernel_t) ++dev_delete_all_blk_files(kernel_t) ++dev_create_all_chr_files(kernel_t) ++dev_delete_all_chr_files(kernel_t) + dev_mounton(kernel_t) ++dev_filetrans_all_named_dev(kernel_t) ++storage_filetrans_all_named_dev(kernel_t) ++term_filetrans_all_named_dev(kernel_t) + + # Mount root file system. 
Used when loading a policy + # from initrd, then mounting the root filesystem +@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t) + + selinux_load_policy(kernel_t) + +-term_use_console(kernel_t) ++term_use_all_terms(kernel_t) ++term_use_ptmx(kernel_t) + + corecmd_exec_shell(kernel_t) + corecmd_list_bin(kernel_t) +@@ -277,25 +296,49 @@ files_list_root(kernel_t) + files_list_etc(kernel_t) + files_list_home(kernel_t) + files_read_usr_files(kernel_t) ++files_manage_mounttab(kernel_t) ++files_manage_generic_spool_dirs(kernel_t) + + mcs_process_set_categories(kernel_t) ++mcs_file_read_all(kernel_t) ++mcs_file_write_all(kernel_t) ++mcs_socket_write_all_levels(kernel_t) + + mls_process_read_up(kernel_t) + mls_process_write_down(kernel_t) ++mls_file_downgrade(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++mls_fd_share_all_levels(kernel_t) ++mls_fd_use_all_levels(kernel_t) ++mls_process_set_level(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 + fs_rw_tmpfs_chr_files(kernel_t) + ') + ++ ++optional_policy(` ++ apache_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ gnome_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ kerberos_filetrans_home_content(kernel_t) ++') ++ + optional_policy(` + hotplug_search_config(kernel_t) + ') + + optional_policy(` + init_sigchld(kernel_t) ++ init_dyntrans(kernel_t) + ') + + optional_policy(` +@@ -305,6 +348,19 @@ optional_policy(` + + optional_policy(` + logging_send_syslog_msg(kernel_t) ++ logging_manage_generic_logs(kernel_t) ++') ++ ++optional_policy(` ++ mta_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ ssh_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + ') + + optional_policy(` +@@ -312,6 +368,10 @@ optional_policy(` + ') + + optional_policy(` ++ plymouthd_create_log(kernel_t) ++') ++ ++optional_policy(` + # nfs 
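Review bot: The four `dev_*_generic_*` calls under the `# devtmpfs handling:` comment become `dev_create_all_blk_files` / `dev_delete_all_blk_files` / `dev_create_all_chr_files` / `dev_delete_all_chr_files`, and `dev_filetrans_all_named_dev`, `storage_filetrans_all_named_dev` and `term_filetrans_all_named_dev` are added, but the comment still only describes the generic case. This widens kernel_t from the generic device type to every block and character device type, so the comment should say why the full set is needed, e.g. `# devtmpfs creates every device node, so kernel_t needs all blk/chr device types and the named transitions`. Hunk -277 has the same gap: `mls_file_downgrade(kernel_t)`, `mls_process_set_level(kernel_t)`, `files_manage_generic_spool_dirs(kernel_t)`, `logging_manage_generic_logs(kernel_t)` and the new `*_filetrans_home_content(kernel_t)` blocks arrive without a rationale line.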
kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. + allow kernel_t self:tcp_socket create_stream_socket_perms; +@@ -332,9 +392,6 @@ optional_policy(` + + sysnet_read_config(kernel_t) + +- rpc_manage_nfs_ro_content(kernel_t) +- rpc_manage_nfs_rw_content(kernel_t) +- rpc_tcp_rw_nfs_sockets(kernel_t) + rpc_udp_rw_nfs_sockets(kernel_t) + + tunable_policy(`nfs_export_all_ro',` +@@ -343,9 +400,7 @@ optional_policy(` + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + +- files_list_non_auth_dirs(kernel_t) +- files_read_non_auth_files(kernel_t) +- files_read_non_auth_symlinks(kernel_t) ++ files_read_non_security_files(kernel_t) + ') + + tunable_policy(`nfs_export_all_rw',` +@@ -354,7 +409,7 @@ optional_policy(` + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + +- files_manage_non_auth_files(kernel_t) ++ files_manage_non_security_files(kernel_t) + ') + ') + +@@ -367,6 +422,15 @@ optional_policy(` + unconfined_domain_noaudit(kernel_t) + ') + ++optional_policy(` ++ virt_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ xserver_xdm_manage_spool(kernel_t) ++ xserver_filetrans_home_content(kernel_t) ++') ++ + ######################################## + # + # Unlabeled process local policy +@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; + allow kern_unconfined unlabeled_t:filesystem *; + allow kern_unconfined unlabeled_t:association *; + allow kern_unconfined unlabeled_t:packet *; +-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; ++allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; ++ ++gen_require(` ++ bool secure_mode_insmod; ++') ++ ++if( ! 
secure_mode_insmod ) { ++ allow can_load_kernmodule self:capability sys_module; ++ allow can_load_kernmodule self:capability2 compromise_kernel; ++ # load_module() calls stop_machine() which ++ # calls sched_setscheduler() ++ allow can_load_kernmodule self:capability sys_nice; ++ kernel_setsched(can_load_kernmodule) ++} ++ ++####################################### ++# ++# Kernel system state reader policy ++# ++ ++read_files_pattern(kernel_system_state_reader, proc_t, proc_t) ++read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t) ++list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t) +diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if +index b08a6e8..43d504b 100644 +--- a/policy/modules/kernel/mcs.if ++++ b/policy/modules/kernel/mcs.if +@@ -44,11 +44,7 @@ interface(`mcs_constrained',` + ## + # + interface(`mcs_file_read_all',` +- gen_require(` +- attribute mcsreadall; +- ') +- +- typeattribute $1 mcsreadall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` + ## + # + interface(`mcs_file_write_all',` +- gen_require(` +- attribute mcswriteall; +- ') +- +- typeattribute $1 mcswriteall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` + ## + # + interface(`mcs_killall',` +- gen_require(` +- attribute mcskillall; +- ') +- +- typeattribute $1 mcskillall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -104,11 +92,7 @@ interface(`mcs_killall',` + ## + # + interface(`mcs_ptrace_all',` +- gen_require(` +- attribute mcsptraceall; +- ') +- +- typeattribute $1 mcsptraceall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + 
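Review bot: Inside `if( ! secure_mode_insmod ) {` the existing comment explains only the sys_nice grant, while the new `allow can_load_kernmodule self:capability2 compromise_kernel;` has none; a line such as `# loading a module can alter kernel code/data, hence compromise_kernel` above it would document it. The `gen_require(` bool secure_mode_insmod; ')` in a .te file presumes the boolean is declared elsewhere in base; that declaration is not in this hunk, so confirm it exists. The spacing `if( ! secure_mode_insmod )` also differs from the `if(!secure_mode_policyload)` form used in selinux.te in this same patch.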
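Review bot: mcs_file_read_all, mcs_file_write_all, mcs_killall and mcs_ptrace_all (hunks -44, -64, -84, -104) become `refpolicywarn` stubs, yet kernel.te hunk -277 in this same patch adds calls to `mcs_file_read_all(kernel_t)`, `mcs_file_write_all(kernel_t)` and `mcs_socket_write_all_levels(kernel_t)` — the last a brand-new interface (hunk -130) that is deprecated on arrival. Those three calls therefore grant nothing and only produce build-time warnings; either drop them from kernel.te or keep the attribute-based bodies here. The warning text "please remove mcs_constrained() instead" reads oddly for a deprecation notice — presumably "use mcs_constrained() instead" was meant. The XML headers above each of these interfaces start outside the hunks and still describe the removed behaviour.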
+ ########################################
+@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',`
+ 
+ typeattribute $1 mcssetcats;
+ ')
++ 
++########################################
++##
++## Make specified domain MCS trusted
++## for writing to sockets at any level.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mcs_socket_write_all_levels',`
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
++')
+diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
+index 5cbeb54..8067370 100644
+--- a/policy/modules/kernel/mcs.te
++++ b/policy/modules/kernel/mcs.te
+@@ -11,3 +11,4 @@ attribute mcssetcats;
+ attribute mcswriteall;
+ attribute mcsreadall;
+ attribute mcs_constrained_type;
++attribute mcsnetwrite;
+diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
+index 7be4ddf..4d4c577 100644
+--- a/policy/modules/kernel/selinux.fc
++++ b/policy/modules/kernel/selinux.fc
+@@ -1 +1 @@
+-# This module currently does not have any file contexts.
++/selinux -l gen_context(system_u:object_r:security_t,s0) +diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if +index 81440c5..a02d444 100644 +--- a/policy/modules/kernel/selinux.if ++++ b/policy/modules/kernel/selinux.if +@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` + + # because of this statement, any module which + # calls this interface must be in the base module: +- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ++# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) + ') + + ######################################## +@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',` + type security_t; + ') + ++ allow $1 security_t:lnk_file read_lnk_file_perms; ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs +@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',` + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:filesystem getattr; + + # read /proc/filesystems to see if selinuxfs is supported +@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:filesystem mount; + ') + +@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:filesystem remount; + ') + +@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:filesystem unmount; + ') + +@@ 
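Review bot: Commenting out `genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)` leaves dead code in selinux_labeled_boolean and makes the preceding comment ("because of this statement, any module which calls this interface must be in the base module") refer to a statement that no longer exists. If the labeling now happens elsewhere, delete the line and replace the comment with one naming the new mechanism; if the interface is being retired, a `refpolicywarn` as used in mcs.if in this patch would be clearer than a silent no-op. The enclosing interface starts outside the hunk.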
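Review bot: The same three lines — `dev_getattr_sysfs_fs($1)`, `dev_search_sysfs($1)`, `allow $1 security_t:lnk_file read_lnk_file_perms;` — are pasted into selinux_get_fs_mount here and again in hunks -109, -128, -146, -220, -243, -339, -371, -433, -472, -519, -542, -584, -605, -626, -655 and -675, while hunk -278 (selinux_get_enforce_mode) instead calls `selinux_get_fs_mount($1)`. Pick one mechanism: having every interface call selinux_get_fs_mount($1) keeps the sysfs and symlink access in a single place, which matters the next time the mount location changes. In this hunk the three lines are also inserted above the "starting in libselinux 2.0.5" comment block rather than after it, which separates that comment from the rule it was written for.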
-164,6 +177,7 @@ interface(`selinux_getattr_fs',` + type security_t; + ') + ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:filesystem getattr; + ') + +@@ -220,6 +234,9 @@ interface(`selinux_search_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir search_dir_perms; + ') + +@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',` + + ######################################## + ## ++## Mount on selinuxfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`selinux_mounton_fs',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; ++ allow $1 security_t:dir mounton; ++') ++ ++ ++######################################## ++## + ## Do not audit attempts to read + ## generic selinuxfs entries + ## +@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',` + type security_t; + ') + ++ selinux_dontaudit_getattr_fs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; + ') +@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',` + type security_t; + ') + ++ selinux_get_fs_mount($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + ') +@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',` + gen_require(` + type security_t; + attribute can_setenforce; +- bool secure_mode_policyload; + ') + +- allow $1 security_t:dir list_dir_perms; +- allow $1 security_t:file rw_file_perms; + typeattribute $1 can_setenforce; +- +- if(!secure_mode_policyload) { +- allow $1 security_t:security setenforce; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security setenforce; +- ') +- } + ') + + 
######################################## +@@ -339,21 +369,14 @@ interface(`selinux_load_policy',` + gen_require(` + type security_t; + attribute can_load_policy; +- bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + typeattribute $1 can_load_policy; +- +- if(!secure_mode_policyload) { +- allow $1 security_t:security load_policy; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security load_policy; +- ') +- } + ') + + ######################################## +@@ -371,6 +394,9 @@ interface(`selinux_read_policy',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + allow $1 security_t:security read_policy; +@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',` + interface(`selinux_set_generic_booleans',` + gen_require(` + type security_t; ++ attribute can_setbool; + ') + ++ typeattribute $1 can_setbool; ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + +- allow $1 security_t:security setbool; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security setbool; +- ') + ') + + ######################################## +@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',` + gen_require(` + type security_t, secure_mode_policyload_t; + attribute boolean_type; +- bool secure_mode_policyload; ++ attribute can_setbool; + ') + ++ typeattribute $1 can_setbool; ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir 
list_dir_perms; +- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; +- allow $1 secure_mode_policyload_t:file read_file_perms; +- +- allow $1 security_t:security setbool; +- +- ifdef(`distro_rhel4',` +- # needed for systems without audit support +- auditallow $1 security_t:security setbool; +- ') +- +- if(!secure_mode_policyload) { +- allow $1 secure_mode_policyload_t:file write_file_perms; +- } ++ allow $1 boolean_type:dir list_dir_perms; ++ allow $1 boolean_type:file rw_file_perms; + ') + + ######################################## +@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',` + attribute can_setsecparam; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security setsecparam; +@@ -542,6 +563,9 @@ interface(`selinux_validate_context',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security check_context; +@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_av; +@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_create; +@@ -626,6 +656,9 @@ interface(`selinux_compute_member',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ 
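Review bot: selinux_set_all_booleans loses its explicit carve-out — the removed `allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;` with write to secure_mode_policyload_t only under `if(!secure_mode_policyload)` — and now grants `allow $1 boolean_type:file rw_file_perms;` unconditionally. The `setbool` permission is moved to selinux.te under `if(!secure_mode_policyload)`, so whether a caller can still flip that boolean while the mode is on depends on the kernel also checking setbool on the write path; that should be confirmed rather than assumed, and keeping the exclusion costs nothing. If dropping it is intentional, a comment in the interface should say why.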
allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_member; +@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_relabel; +@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',` + type security_t; + ') + ++ dev_getattr_sysfs_fs($1) ++ dev_search_sysfs($1) ++ allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_user; +@@ -696,4 +735,29 @@ interface(`selinux_unconfined',` + ') + + typeattribute $1 selinux_unconfined_type; ++ selinux_set_all_booleans($1) ++ selinux_load_policy($1) ++ selinux_set_parameters($1) ++ selinux_set_enforce_mode($1) ++') ++ ++######################################## ++## ++## Generate a file context for a boolean type ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`selinux_genbool',`
++ gen_require(`
++ attribute boolean_type;
++ ')
++ 
++ type $1, boolean_type;
++ fs_type($1)
++ mls_trusted_object($1)
+ ')
++ 
+diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
+index 522ab32..cb9c3a2 100644
+--- a/policy/modules/kernel/selinux.te
++++ b/policy/modules/kernel/selinux.te
+@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
+ attribute boolean_type;
+ attribute can_load_policy;
+ attribute can_setenforce;
++attribute can_setbool;
+ attribute can_setsecparam;
+ attribute selinux_unconfined_type;
+ 
+@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
+ genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
+ 
+-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
++neverallow ~{ can_load_policy } security_t:security load_policy;
++neverallow ~{ can_setenforce } security_t:security setenforce;
++neverallow ~{ can_setsecparam } security_t:security setsecparam;
+ 
+ ########################################
+ #
+@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',`
+ ')
+ 
+ if(!secure_mode_policyload) {
+- allow selinux_unconfined_type security_t:security { load_policy setenforce };
+- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
++ allow can_setenforce security_t:security setenforce;
++ dev_getattr_sysfs_fs(can_setenforce)
++ dev_search_sysfs(can_setenforce)
++ allow can_setenforce security_t:dir list_dir_perms;
++ allow can_setenforce security_t:file rw_file_perms;
+ 
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
++ 
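Review bot: selinux_genbool declares `type $1, boolean_type;` but documents its parameter as "Domain allowed access." — $1 is the boolean type being created, not a domain, so the text should read along the lines of "Type to declare for the boolean". Because the macro declares a type, refpolicy convention is `template()` rather than `interface()` for it. Note also that selinux_unconfined now calls selinux_set_all_booleans, selinux_load_policy, selinux_set_parameters and selinux_set_enforce_mode, which is what lets the selinux.te neverallows in hunk -36 drop their selinux_unconfined_type exemption; that dependency deserves a one-line comment next to those calls.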
auditallow can_setenforce security_t:security setenforce; ++ ') ++ ++ allow can_load_policy security_t:security load_policy; ++ ++ ifdef(`distro_rhel4',` ++ # needed for systems without audit support ++ auditallow can_load_policy security_t:security load_policy; ++ ') ++ ++ allow can_setbool boolean_type:security setbool; ++ ++ ifdef(`distro_rhel4',` ++ # needed for systems without audit support ++ auditallow can_setbool boolean_type:security setbool; + ') + } +diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc +index 54f1827..cc2de1a 100644 +--- a/policy/modules/kernel/storage.fc ++++ b/policy/modules/kernel/storage.fc +@@ -23,12 +23,15 @@ + /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) + /dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/infiniband/.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/infiniband/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/mcdx? 
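Review bot: `allow can_setbool boolean_type:security setbool;` and its auditallow twin target the boolean types, whereas every other security-class rule in this file — `allow can_setenforce security_t:security setenforce;`, `allow can_load_policy security_t:security load_policy;` and the neverallows — targets security_t. If the kernel performs the setbool check against the security initial SID, this rule never matches and setting booleans fails closed for can_setbool domains; that should be verified on a built policy before merging. A short comment stating which object the check is made against would settle it for the next reader either way.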
-b gen_context(system_u:object_r:removable_device_t,s0) +-/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) ++/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -51,7 +54,8 @@ ifdef(`distro_redhat', ` + /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) +-/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0) ++/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) + /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -81,3 +85,6 @@ ifdef(`distro_redhat', ` + + /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) ++ ++/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) +diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if +index 1700ef2..38b597e 100644 +--- a/policy/modules/kernel/storage.if ++++ b/policy/modules/kernel/storage.if +@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` + + ######################################## + 
## ++## Allow the caller to read/write inherited fixed disk ++## device nodes. ++## ++## ++## ++## The domain allowed access. ++## ++## ++# ++interface(`storage_rw_inherited_fixed_disk_dev',` ++ gen_require(` ++ type fixed_disk_device_t; ++ ') ++ ++ allow $1 fixed_disk_device_t:chr_file { read write }; ++ allow $1 fixed_disk_device_t:blk_file { read write }; ++') ++ ++######################################## ++## + ## Do not audit attempts made by the caller to get + ## the attributes of fixed disk device nodes. + ## +@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',` + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; ++ #577012 ++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; + typeattribute $1 fixed_disk_raw_read; + ') + +@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',` + interface(`storage_raw_rw_fixed_disk',` + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) ++ dev_rw_generic_blk_files($1) + ') + + ######################################## +@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',` + + allow $1 self:capability mknod; + allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; ++ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms; + dev_add_entry_generic_dirs($1) + ') + +@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',` + dev_filetrans($1, fixed_disk_device_t, blk_file) + ') + ++####################################### ++## ++## Create block devices in /dev with the fixed disk type ++## via an automatic type transition. ++## ++## ++## ++## Domain allowed access. 
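Review bot: storage_raw_rw_fixed_disk now also calls `dev_rw_generic_blk_files($1)`, which extends a fixed-disk interface to the generic device_t block nodes without saying why; add a why-comment above it, or a `# TODO(review): explain why raw fixed-disk access also needs generic blk nodes` if the reason is not yet written down. In hunk -101 the bare `#577012` above the new lnk_file rule should name the tracker it refers to so the reference stays resolvable. Hunk -205 adds `allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;` to storage_create_fixed_disk_dev, whose summary (outside the hunk) presumably still speaks of block devices only — confirm and update.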
++## ++## ++# ++interface(`storage_dev_filetrans_named_fixed_disk',` ++ gen_require(` ++ type fixed_disk_device_t; ++ ') ++ ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") ++') ++ + ######################################## + ## + ## Create block devices in on a tmpfs filesystem with the +@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` + dontaudit $1 removable_device_t:blk_file write_blk_file_perms; + ') + ++####################################### ++## ++## Alow read and write inherited removable 
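Review bot: storage_dev_filetrans_named_fixed_disk enumerates `megadev0`…`megadev9` and `raw0`…`raw9` by literal name, while storage.fc in this same patch labels `/dev/megadev.*` with a regex; a node such as megadev10 or raw10 would presumably fall through to the default type until relabeled, so the two are not equivalent. Name-based transitions cannot express a pattern, so the limit should at least be documented, e.g. `# named transitions cover single-digit instances only; restorecon handles the rest`. The same applies to the `ht00`…`tpqic9` enumeration in storage_filetrans_all_named_dev (hunk -808), which runs past the end of this view.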
devices. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`storage_rw_inherited_removable_device',` ++ gen_require(` ++ type removable_device_t; ++ ') ++ ++ dontaudit $1 removable_device_t:blk_file { read write }; ++') ++ + ######################################## + ## + ## Allow the caller to directly read +@@ -808,3 +892,401 @@ interface(`storage_unconfined',` + + typeattribute $1 storage_unconfined_type; + ') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`storage_filetrans_all_named_dev',` ++ ++ gen_require(` ++ type tape_device_t; ++ type fixed_disk_device_t; ++ type removable_device_t; ++ type scsi_generic_device_t; ++ type fuse_device_t; ++ ') ++ ++ dev_filetrans($1, tape_device_t, chr_file, "ht00") ++ dev_filetrans($1, tape_device_t, chr_file, "ht01") ++ dev_filetrans($1, tape_device_t, chr_file, "ht02") ++ dev_filetrans($1, tape_device_t, chr_file, "ht03") ++ dev_filetrans($1, tape_device_t, chr_file, "ht04") ++ dev_filetrans($1, tape_device_t, chr_file, "ht05") ++ dev_filetrans($1, tape_device_t, chr_file, "ht06") ++ dev_filetrans($1, tape_device_t, chr_file, "ht07") ++ dev_filetrans($1, tape_device_t, chr_file, "ht08") ++ dev_filetrans($1, tape_device_t, chr_file, "ht09") ++ dev_filetrans($1, tape_device_t, chr_file, "st00") ++ dev_filetrans($1, tape_device_t, chr_file, "st01") ++ dev_filetrans($1, tape_device_t, chr_file, "st02") ++ dev_filetrans($1, tape_device_t, chr_file, "st03") ++ dev_filetrans($1, tape_device_t, chr_file, "st04") ++ dev_filetrans($1, tape_device_t, chr_file, "st05") ++ dev_filetrans($1, tape_device_t, chr_file, "st06") ++ dev_filetrans($1, tape_device_t, chr_file, "st07") ++ dev_filetrans($1, tape_device_t, chr_file, "st08") ++ dev_filetrans($1, tape_device_t, chr_file, "st09") ++ dev_filetrans($1, tape_device_t, chr_file, "qft0") ++ dev_filetrans($1, tape_device_t, chr_file, "qft1") ++ 
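Review bot: `storage_rw_inherited_removable_device` is named and summarized as allowing read/write on inherited removable devices, but its only rule is `dontaudit $1 removable_device_t:blk_file { read write };`, so a caller that expects access instead gets a silently suppressed denial. The sibling `storage_rw_inherited_fixed_disk_dev` earlier in this patch uses `allow` for the same pattern. Either change the rule to `allow $1 removable_device_t:blk_file { read write };`, or rename the interface to `storage_dontaudit_rw_inherited_removable_device` and rewrite the summary as `## Do not audit attempts to read and write inherited removable devices.` (which also fixes the "Alow" typo) so the name states what it does.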
dev_filetrans($1, tape_device_t, chr_file, "qft2") ++ dev_filetrans($1, tape_device_t, chr_file, "qft3") ++ dev_filetrans($1, tape_device_t, chr_file, "osst00") ++ dev_filetrans($1, tape_device_t, chr_file, "osst01") ++ dev_filetrans($1, tape_device_t, chr_file, "osst02") ++ dev_filetrans($1, tape_device_t, chr_file, "osst03") ++ dev_filetrans($1, tape_device_t, chr_file, "osst04") ++ dev_filetrans($1, tape_device_t, chr_file, "osst05") ++ dev_filetrans($1, tape_device_t, chr_file, "osst06") ++ dev_filetrans($1, tape_device_t, chr_file, "osst07") ++ dev_filetrans($1, tape_device_t, chr_file, "osst08") ++ dev_filetrans($1, tape_device_t, chr_file, "osst09") ++ dev_filetrans($1, tape_device_t, chr_file, "pt0") ++ dev_filetrans($1, tape_device_t, chr_file, "pt1") ++ dev_filetrans($1, tape_device_t, chr_file, "pt2") ++ dev_filetrans($1, tape_device_t, chr_file, "pt3") ++ dev_filetrans($1, tape_device_t, chr_file, "pt4") ++ dev_filetrans($1, tape_device_t, chr_file, "pt5") ++ dev_filetrans($1, tape_device_t, chr_file, "pt6") ++ dev_filetrans($1, tape_device_t, chr_file, "pt7") ++ dev_filetrans($1, tape_device_t, chr_file, "pt8") ++ dev_filetrans($1, tape_device_t, chr_file, "pt9") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic0") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic1") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic2") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic3") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic4") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic5") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic6") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic7") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic8") ++ dev_filetrans($1, tape_device_t, chr_file, "tpqic9") ++ dev_filetrans($1, removable_device_t, blk_file, "aztcd") ++ dev_filetrans($1, removable_device_t, blk_file, "bpcd") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu0") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu1") ++ 
dev_filetrans($1, removable_device_t, blk_file, "cdu2") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu3") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu4") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu5") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu6") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu7") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu8") ++ dev_filetrans($1, removable_device_t, blk_file, "cdu9") ++ dev_filetrans($1, removable_device_t, blk_file, "cm200") ++ dev_filetrans($1, removable_device_t, blk_file, "cm201") ++ dev_filetrans($1, removable_device_t, blk_file, "cm202") ++ dev_filetrans($1, removable_device_t, blk_file, "cm203") ++ dev_filetrans($1, removable_device_t, blk_file, "cm204") ++ dev_filetrans($1, removable_device_t, blk_file, "cm205") ++ dev_filetrans($1, removable_device_t, blk_file, "cm206") ++ dev_filetrans($1, removable_device_t, blk_file, "cm207") ++ dev_filetrans($1, removable_device_t, blk_file, "cm208") ++ dev_filetrans($1, removable_device_t, blk_file, "cm209") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2") ++ dev_filetrans($1, 
fixed_disk_device_t, blk_file, "sda3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2") ++ dev_filetrans($1, fixed_disk_device_t, 
blk_file, "sdd3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3") ++ 
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9") ++ dev_filetrans($1, removable_device_t, blk_file, "gscd") ++ dev_filetrans($1, removable_device_t, blk_file, "hitcd") ++ dev_filetrans($1, tape_device_t, blk_file, "ht0") ++ dev_filetrans($1, tape_device_t, blk_file, "ht1") ++ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8") ++ dev_filetrans($1, 
fixed_disk_device_t, blk_file, "loop9") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") ++ dev_filetrans($1, removable_device_t, blk_file, "mcd") ++ dev_filetrans($1, removable_device_t, blk_file, "mcdx") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8") ++ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk0") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk1") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk2") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk3") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk4") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk5") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk6") ++ 
dev_filetrans($1, removable_device_t, blk_file, "mspblk7") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk8") ++ dev_filetrans($1, removable_device_t, blk_file, "mspblk9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9") ++ dev_filetrans($1, removable_device_t, blk_file, "optcd") ++ dev_filetrans($1, removable_device_t, blk_file, "pf0") ++ dev_filetrans($1, removable_device_t, blk_file, "pf1") ++ dev_filetrans($1, removable_device_t, blk_file, "pf2") ++ dev_filetrans($1, removable_device_t, blk_file, "pf3") ++ dev_filetrans($1, removable_device_t, blk_file, "pg0") ++ dev_filetrans($1, removable_device_t, blk_file, "pg1") ++ dev_filetrans($1, removable_device_t, blk_file, "pg2") ++ dev_filetrans($1, removable_device_t, blk_file, "pg3") ++ dev_filetrans($1, removable_device_t, blk_file, "pcd0") ++ dev_filetrans($1, removable_device_t, blk_file, "pcd1") ++ dev_filetrans($1, removable_device_t, blk_file, "pcd2") ++ dev_filetrans($1, removable_device_t, blk_file, "pcd3") ++ dev_filetrans($1, removable_device_t, chr_file, "pg0") ++ dev_filetrans($1, removable_device_t, chr_file, "pg1") ++ dev_filetrans($1, removable_device_t, chr_file, "pg2") ++ dev_filetrans($1, removable_device_t, chr_file, "pg3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2") ++ dev_filetrans($1, fixed_disk_device_t, 
blk_file, "ps3d3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, 
"root") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8") ++ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") ++ dev_filetrans($1, removable_device_t, blk_file, "sr0") ++ dev_filetrans($1, removable_device_t, blk_file, "sr1") ++ dev_filetrans($1, removable_device_t, blk_file, "sr2") ++ dev_filetrans($1, removable_device_t, blk_file, "sr3") ++ dev_filetrans($1, removable_device_t, blk_file, "sr4") ++ dev_filetrans($1, removable_device_t, blk_file, "sr5") ++ dev_filetrans($1, removable_device_t, blk_file, "sr6") ++ dev_filetrans($1, removable_device_t, blk_file, "sr7") ++ dev_filetrans($1, removable_device_t, blk_file, "sr8") ++ dev_filetrans($1, removable_device_t, blk_file, "sr9") ++ dev_filetrans($1, removable_device_t, blk_file, "sjcd") ++ dev_filetrans($1, removable_device_t, blk_file, "sonycd") ++ dev_filetrans($1, tape_device_t, chr_file, "tape0") ++ 
dev_filetrans($1, tape_device_t, chr_file, "tape1") ++ dev_filetrans($1, tape_device_t, chr_file, "tape2") ++ dev_filetrans($1, tape_device_t, chr_file, "tape3") ++ dev_filetrans($1, tape_device_t, chr_file, "tape4") ++ dev_filetrans($1, tape_device_t, chr_file, "tape5") ++ dev_filetrans($1, tape_device_t, chr_file, "tape6") ++ dev_filetrans($1, tape_device_t, chr_file, "tape7") ++ dev_filetrans($1, tape_device_t, chr_file, "tape8") ++ dev_filetrans($1, tape_device_t, chr_file, "tape9") ++ dev_filetrans($1, fuse_device_t, chr_file, "fuse") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") ++ dev_filetrans($1, removable_device_t, chr_file, "rio500") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1") ++ 
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
++
++')
+diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
+index 156c333..02f5a3c 100644
+--- a/policy/modules/kernel/storage.te
++++ b/policy/modules/kernel/storage.te
+@@ -57,3 +57,9 @@ dev_node(tape_device_t)
+
+ allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
+ allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
++
++# Since block devices are some times used before being labeled correctly
++ifdef(`hide_broken_symptoms',`
++ dev_read_generic_blk_files(fixed_disk_raw_read)
++ dev_manage_generic_blk_files(fixed_disk_raw_write)
++')
+diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
+index 7d45d15..22c9cfe 100644
+--- a/policy/modules/kernel/terminal.fc
++++ b/policy/modules/kernel/terminal.fc
+@@ -14,11 +14,12 @@
+ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+ /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
+ # used by init scripts to initally populate udev /dev
+ /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
+ ')
++
++/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
++
++/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 771bce1..5bbf50b 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -124,7 +124,7 @@ interface(`term_user_tty',`
+ type_change $1 ttynode:chr_file $2;
+ ')
+
+- tunable_policy(`console_login',`
++ tunable_policy(`login_console_enabled',`
+ # When user logs in from /dev/console, relabel it
+ # to user tty type as well.
+ type_change $1 console_device_t:chr_file $2;
+@@ -133,6 +133,25 @@ interface(`term_user_tty',`
+
+ ########################################
+ ##
++## Create the /dev/pts directory.
++##
++##
++##
++## Domain allowed access.
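Review bot: `storage_filetrans_all_named_dev` re-lists the jsflash, lvm, megadev*, device-mapper and raw* chr_file transitions that `storage_dev_filetrans_named_fixed_disk` in this same patch already declares; call that interface from here instead of duplicating the rows so the two lists cannot drift. The fixed enumerations (sda–sdg with partitions 0–9, md0–9, loop0–9, dm-0–9, sg0–9, tw*/twa*) are hard cutoffs: a node the caller creates as sdh, loop12 or dm-10 gets no transition and keeps the parent directory's label, so the summary should say this is best-effort, e.g. `## Label commonly named storage device nodes created in /dev via type transitions; names outside the enumerated ranges still rely on udev/restorecon labeling.`. `pg0`..`pg3` appear as both removable_device_t blk_file and chr_file, which looks intentional but deserves a one-line comment. The interface body is complete in the hunk.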
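Review bot: `dev_manage_generic_blk_files(fixed_disk_raw_write)` in storage.te grants every domain carrying the raw-write attribute create/unlink/rename on all device_t block nodes, which is more than the comment's justification (nodes used before being labeled) requires; write access alone covers that case and keeps raw writers from removing or renaming arbitrary device nodes. Change it to `dev_rw_generic_blk_files(fixed_disk_raw_write)`, the interface the storage.if hunk above already uses. The comment should also name the gate so readers see it is a workaround rather than the intended label flow: `# Workaround, hide_broken_symptoms builds only: block devices are sometimes opened before udev has labeled them`.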
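Review bot: `/dev/ttyUSB[0-9]+` is given `usbtty_device_t` while the other serial nodes in terminal.fc stay `tty_device_t`; if usbtty_device_t is not declared with the `ttynode` attribute (its declaration is not in this hunk), domains that rely on `term_use_all_ttys` lose access to USB serial adapters and must be switched to the new `term_use_usb_ttys` added later in this patch. A comment on the new line would make the split deliberate, e.g. `# USB serial adapters get their own type so access can be granted without opening every tty`. The type declaration and the attribute assignment are worth checking before merging.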
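Review bot: Renaming the tunable in `term_user_tty` from `console_login` to `login_console_enabled` only builds if the matching `gen_tunable` declaration is renamed in the same change, and that declaration is not in this hunk; confirm it lives in an updated .te file. The rename also silently discards any persisted `setsebool -P console_login` value on upgrade, so it needs a release-note entry or a compatibility alias if the tooling supports one. The `tunable_policy` block continues past the hunk.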
++##
++##
++#
++interface(`term_create_pty_dir',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir create_dir_perms;
++ dev_filetrans($1, devpts_t, dir, "devpts")
++')
++
++########################################
++##
+ ## Create a pty in the /dev/pts directory.
+ ##
+ ##
+@@ -208,6 +227,27 @@ interface(`term_use_all_terms',`
+
+ ########################################
+ ##
++## Read and write the inherited console, all inherited
++## ttys and ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_terms',`
++ gen_require(`
++ attribute ttynode, ptynode;
++ type console_device_t, devpts_t, tty_device_t;
++ ')
++
++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
+ ## Write to the console.
+ ##
+ ##
+@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`term_use_console',`
+ gen_require(`
+@@ -299,9 +338,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
+- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',`
+
+ ########################################
+ ##
++## Mount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_mount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount a pty filesystem
++##
++##
++##
++## Domain allowed access.
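Review bot: The summary says `term_create_pty_dir` creates the /dev/pts directory, but the transition is keyed on the name `"devpts"`; if the rule is meant for /dev/pts, a `mkdir /dev/pts` by the caller does not match it and the directory keeps the parent's device_t label, with only the `create_dir_perms` line doing any work. Use `dev_filetrans($1, devpts_t, dir, "pts")`, or correct the summary if a directory literally named devpts is intended.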
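Review bot: `term_dontaudit_use_console` now calls `init_dontaudit_use_fds($1)`, which makes a kernel-layer interface depend on a system-layer (init) one; refpolicy layering keeps kernel modules free of such dependencies, and the same call is added to `term_dontaudit_use_generic_ptys` and `term_dontaudit_use_unallocated_ttys` in later hunks of this patch. The fd dontaudit belongs with the callers that actually inherit init's descriptors, so remove the three `init_dontaudit_use_fds($1)` lines and add them at those call sites. The interface also now covers `tty_device_t`, so its summary (above the hunk) should read "Do not audit attempts to use the console or unallocated ttys" rather than console only.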
++##
++##
++#
++interface(`term_unmount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Relabel from and to pty filesystem.
+ ##
+ ##
+@@ -481,6 +559,24 @@ interface(`term_list_ptys',`
+
+ ########################################
+ ##
++## Relabel the /dev/pts directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabel_ptys_dirs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir relabel_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read the
+ ## /dev/pts directory.
+ ##
+@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
+
+ ########################################
+ ##
+-## Dot not audit attempts to read and
++## Do not audit attempts to read and
+ ## write the generic pty type. This is
+ ## generally only used in the targeted policy.
+ ##
+@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+ type devpts_t;
+ ')
+
++ init_dontaudit_use_fds($1)
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+
+@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
+
+ ########################################
+ ##
++## Read and write all inherited ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
++')
++
++########################################
++##
+ ## Do not audit attempts to read or write any ptys.
+ ##
+ ##
+@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
+ attribute ptynode;
+ ')
+
+- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+
+ ########################################
+@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- relabel_chr_files_pattern($1, devpts_t, ptynode)
++ relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
+ ')
+
+ ########################################
+@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ type tty_device_t;
+ ')
+
+- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Read and write USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
++')
++
++#######################################
++##
++## Setattr on USB tty character
++## device nodes.
++##
++##
++##
++## Domain allowed access.
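Review bot: `term_use_all_inherited_ptys` requires `type devpts_t;` but never references it in the body; drop that line so the require block lists only what the rules use. The interface grants `{ rw_inherited_term_perms lock }` while `term_use_all_inherited_terms` and `term_use_all_inherited_ttys` in this same patch grant `rw_inherited_term_perms` alone, so either all three inherited-terminal interfaces should include `lock` or a comment here should say why ptys are the exception.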
++##
++##
++#
++interface(`term_setattr_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ allow $1 usbtty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+ #
+ interface(`term_getattr_all_ttys',`
+ gen_require(`
++ type tty_device_t;
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file getattr;
++ allow $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
+ interface(`term_dontaudit_getattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
++ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ dontaudit $1 ttynode:chr_file getattr;
++ dontaudit $1 tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file rw_chr_file_perms;
++ allow $1 ttynode:chr_file rw_term_perms;
++')
++
++########################################
++##
++## Read and write all inherited ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_inherited_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file rw_inherited_term_perms;
+ ')
+
+ ########################################
+@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
+ attribute ttynode;
+ ')
+
+- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
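Review bot: Changing `term_use_all_ttys` from `rw_chr_file_perms` to `rw_term_perms` changes the permission set, not just its spelling; the patch adds `lock` explicitly beside `rw_inherited_term_perms` in `term_use_all_inherited_ptys`, which suggests the term permission sets lack it, so a caller that flocks a tty would lose that permission from this one-word edit. Either keep `rw_chr_file_perms`, or write `allow $1 ttynode:chr_file { rw_term_perms lock };` with a comment stating which permissions are intentionally dropped.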
+ ## + ## + # +@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') + term_dontaudit_use_all_ttys($1) + ') ++ ++#################################### ++## ++## Getattr on the virtio console. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_getattr_virtio_console',` ++ gen_require(` ++ type virtio_device_t; ++ ') ++ ++ allow $1 virtio_device_t:chr_file getattr_chr_file_perms; ++') ++ ++##################################### ++## ++## Read from and write to the virtio console. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_use_virtio_console',` ++ gen_require(` ++ type virtio_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 virtio_device_t:chr_file rw_chr_file_perms; ++') ++ ++######################################## ++## ++## Create all named term devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_filetrans_all_named_dev',` ++ ++gen_require(` ++ type tty_device_t; ++ type bsdpty_device_t; ++ type console_device_t; ++ type ptmx_t; ++ type devtty_t; ++ type virtio_device_t; ++ type devpts_t; ++ type usbtty_device_t; ++') ++ ++ dev_filetrans($1, devtty_t, chr_file, "tty") ++ dev_filetrans($1, tty_device_t, chr_file, "tty0") ++ dev_filetrans($1, tty_device_t, chr_file, "tty1") ++ dev_filetrans($1, tty_device_t, chr_file, "tty2") ++ dev_filetrans($1, tty_device_t, chr_file, "tty3") ++ dev_filetrans($1, tty_device_t, chr_file, "tty4") ++ dev_filetrans($1, tty_device_t, chr_file, "tty5") ++ dev_filetrans($1, tty_device_t, chr_file, "tty6") ++ dev_filetrans($1, tty_device_t, chr_file, "tty7") ++ dev_filetrans($1, tty_device_t, chr_file, "tty8") ++ dev_filetrans($1, tty_device_t, chr_file, "tty9") ++ dev_filetrans($1, tty_device_t, chr_file, "tty10") ++ dev_filetrans($1, tty_device_t, chr_file, "tty11") ++ dev_filetrans($1, tty_device_t, chr_file, "tty12") ++ 
dev_filetrans($1, tty_device_t, chr_file, "tty13") ++ dev_filetrans($1, tty_device_t, chr_file, "tty14") ++ dev_filetrans($1, tty_device_t, chr_file, "tty15") ++ dev_filetrans($1, tty_device_t, chr_file, "tty16") ++ dev_filetrans($1, tty_device_t, chr_file, "tty17") ++ dev_filetrans($1, tty_device_t, chr_file, "tty18") ++ dev_filetrans($1, tty_device_t, chr_file, "tty19") ++ dev_filetrans($1, tty_device_t, chr_file, "tty20") ++ dev_filetrans($1, tty_device_t, chr_file, "tty21") ++ dev_filetrans($1, tty_device_t, chr_file, "tty22") ++ dev_filetrans($1, tty_device_t, chr_file, "tty23") ++ dev_filetrans($1, tty_device_t, chr_file, "tty24") ++ dev_filetrans($1, tty_device_t, chr_file, "tty25") ++ dev_filetrans($1, tty_device_t, chr_file, "tty26") ++ dev_filetrans($1, tty_device_t, chr_file, "tty27") ++ dev_filetrans($1, tty_device_t, chr_file, "tty28") ++ dev_filetrans($1, tty_device_t, chr_file, "tty29") ++ dev_filetrans($1, tty_device_t, chr_file, "tty30") ++ dev_filetrans($1, tty_device_t, chr_file, "tty31") ++ dev_filetrans($1, tty_device_t, chr_file, "tty32") ++ dev_filetrans($1, tty_device_t, chr_file, "tty33") ++ dev_filetrans($1, tty_device_t, chr_file, "tty34") ++ dev_filetrans($1, tty_device_t, chr_file, "tty35") ++ dev_filetrans($1, tty_device_t, chr_file, "tty36") ++ dev_filetrans($1, tty_device_t, chr_file, "tty37") ++ dev_filetrans($1, tty_device_t, chr_file, "tty38") ++ dev_filetrans($1, tty_device_t, chr_file, "tty39") ++ dev_filetrans($1, tty_device_t, chr_file, "tty40") ++ dev_filetrans($1, tty_device_t, chr_file, "tty41") ++ dev_filetrans($1, tty_device_t, chr_file, "tty42") ++ dev_filetrans($1, tty_device_t, chr_file, "tty43") ++ dev_filetrans($1, tty_device_t, chr_file, "tty44") ++ dev_filetrans($1, tty_device_t, chr_file, "tty45") ++ dev_filetrans($1, tty_device_t, chr_file, "tty46") ++ dev_filetrans($1, tty_device_t, chr_file, "tty47") ++ dev_filetrans($1, tty_device_t, chr_file, "tty48") ++ dev_filetrans($1, tty_device_t, chr_file, "tty49") ++ 
dev_filetrans($1, tty_device_t, chr_file, "tty50") ++ dev_filetrans($1, tty_device_t, chr_file, "tty51") ++ dev_filetrans($1, tty_device_t, chr_file, "tty52") ++ dev_filetrans($1, tty_device_t, chr_file, "tty53") ++ dev_filetrans($1, tty_device_t, chr_file, "tty54") ++ dev_filetrans($1, tty_device_t, chr_file, "tty55") ++ dev_filetrans($1, tty_device_t, chr_file, "tty56") ++ dev_filetrans($1, tty_device_t, chr_file, "tty57") ++ dev_filetrans($1, tty_device_t, chr_file, "tty58") ++ dev_filetrans($1, tty_device_t, chr_file, "tty59") ++ dev_filetrans($1, tty_device_t, chr_file, "tty60") ++ dev_filetrans($1, tty_device_t, chr_file, "tty61") ++ dev_filetrans($1, tty_device_t, chr_file, "tty62") ++ dev_filetrans($1, tty_device_t, chr_file, "tty63") ++ dev_filetrans($1, tty_device_t, chr_file, "tty64") ++ dev_filetrans($1, tty_device_t, chr_file, "tty65") ++ dev_filetrans($1, tty_device_t, chr_file, "tty66") ++ dev_filetrans($1, tty_device_t, chr_file, "tty67") ++ dev_filetrans($1, tty_device_t, chr_file, "tty68") ++ dev_filetrans($1, tty_device_t, chr_file, "tty69") ++ dev_filetrans($1, tty_device_t, chr_file, "tty70") ++ dev_filetrans($1, tty_device_t, chr_file, "tty71") ++ dev_filetrans($1, tty_device_t, chr_file, "tty72") ++ dev_filetrans($1, tty_device_t, chr_file, "tty73") ++ dev_filetrans($1, tty_device_t, chr_file, "tty74") ++ dev_filetrans($1, tty_device_t, chr_file, "tty75") ++ dev_filetrans($1, tty_device_t, chr_file, "tty76") ++ dev_filetrans($1, tty_device_t, chr_file, "tty77") ++ dev_filetrans($1, tty_device_t, chr_file, "tty78") ++ dev_filetrans($1, tty_device_t, chr_file, "tty79") ++ dev_filetrans($1, tty_device_t, chr_file, "tty80") ++ dev_filetrans($1, tty_device_t, chr_file, "tty81") ++ dev_filetrans($1, tty_device_t, chr_file, "tty82") ++ dev_filetrans($1, tty_device_t, chr_file, "tty83") ++ dev_filetrans($1, tty_device_t, chr_file, "tty84") ++ dev_filetrans($1, tty_device_t, chr_file, "tty85") ++ dev_filetrans($1, tty_device_t, chr_file, "tty86") ++ 
dev_filetrans($1, tty_device_t, chr_file, "tty87") ++ dev_filetrans($1, tty_device_t, chr_file, "tty88") ++ dev_filetrans($1, tty_device_t, chr_file, "tty89") ++ dev_filetrans($1, tty_device_t, chr_file, "tty90") ++ dev_filetrans($1, tty_device_t, chr_file, "tty91") ++ dev_filetrans($1, tty_device_t, chr_file, "tty92") ++ dev_filetrans($1, tty_device_t, chr_file, "tty93") ++ dev_filetrans($1, tty_device_t, chr_file, "tty94") ++ dev_filetrans($1, tty_device_t, chr_file, "tty95") ++ dev_filetrans($1, tty_device_t, chr_file, "tty96") ++ dev_filetrans($1, tty_device_t, chr_file, "tty97") ++ dev_filetrans($1, tty_device_t, chr_file, "tty98") ++ dev_filetrans($1, tty_device_t, chr_file, "tty99") ++ dev_filetrans($1, tty_device_t, chr_file, "pty") ++ dev_filetrans($1, tty_device_t, chr_file, "pty0") ++ dev_filetrans($1, tty_device_t, chr_file, "pty1") ++ dev_filetrans($1, tty_device_t, chr_file, "pty2") ++ dev_filetrans($1, tty_device_t, chr_file, "pty3") ++ dev_filetrans($1, tty_device_t, chr_file, "pty4") ++ dev_filetrans($1, tty_device_t, chr_file, "pty5") ++ dev_filetrans($1, tty_device_t, chr_file, "pty6") ++ dev_filetrans($1, tty_device_t, chr_file, "pty7") ++ dev_filetrans($1, tty_device_t, chr_file, "pty8") ++ dev_filetrans($1, tty_device_t, chr_file, "pty9") ++ dev_filetrans($1, tty_device_t, chr_file, "pty10") ++ dev_filetrans($1, tty_device_t, chr_file, "pty11") ++ dev_filetrans($1, tty_device_t, chr_file, "pty12") ++ dev_filetrans($1, tty_device_t, chr_file, "pty13") ++ dev_filetrans($1, tty_device_t, chr_file, "pty14") ++ dev_filetrans($1, tty_device_t, chr_file, "pty15") ++ dev_filetrans($1, tty_device_t, chr_file, "pty16") ++ dev_filetrans($1, tty_device_t, chr_file, "pty17") ++ dev_filetrans($1, tty_device_t, chr_file, "pty18") ++ dev_filetrans($1, tty_device_t, chr_file, "pty19") ++ dev_filetrans($1, tty_device_t, chr_file, "pty20") ++ dev_filetrans($1, tty_device_t, chr_file, "pty21") ++ dev_filetrans($1, tty_device_t, chr_file, "pty22") ++ 
dev_filetrans($1, tty_device_t, chr_file, "pty23") ++ dev_filetrans($1, tty_device_t, chr_file, "pty24") ++ dev_filetrans($1, tty_device_t, chr_file, "pty25") ++ dev_filetrans($1, tty_device_t, chr_file, "pty26") ++ dev_filetrans($1, tty_device_t, chr_file, "pty27") ++ dev_filetrans($1, tty_device_t, chr_file, "pty28") ++ dev_filetrans($1, tty_device_t, chr_file, "pty29") ++ dev_filetrans($1, tty_device_t, chr_file, "pty30") ++ dev_filetrans($1, tty_device_t, chr_file, "pty31") ++ dev_filetrans($1, tty_device_t, chr_file, "pty32") ++ dev_filetrans($1, tty_device_t, chr_file, "pty33") ++ dev_filetrans($1, tty_device_t, chr_file, "pty34") ++ dev_filetrans($1, tty_device_t, chr_file, "pty35") ++ dev_filetrans($1, tty_device_t, chr_file, "pty36") ++ dev_filetrans($1, tty_device_t, chr_file, "pty37") ++ dev_filetrans($1, tty_device_t, chr_file, "pty38") ++ dev_filetrans($1, tty_device_t, chr_file, "pty39") ++ dev_filetrans($1, tty_device_t, chr_file, "pty40") ++ dev_filetrans($1, tty_device_t, chr_file, "pty41") ++ dev_filetrans($1, tty_device_t, chr_file, "pty42") ++ dev_filetrans($1, tty_device_t, chr_file, "pty43") ++ dev_filetrans($1, tty_device_t, chr_file, "pty44") ++ dev_filetrans($1, tty_device_t, chr_file, "pty45") ++ dev_filetrans($1, tty_device_t, chr_file, "pty46") ++ dev_filetrans($1, tty_device_t, chr_file, "pty47") ++ dev_filetrans($1, tty_device_t, chr_file, "pty48") ++ dev_filetrans($1, tty_device_t, chr_file, "pty49") ++ dev_filetrans($1, tty_device_t, chr_file, "pty50") ++ dev_filetrans($1, tty_device_t, chr_file, "pty51") ++ dev_filetrans($1, tty_device_t, chr_file, "pty52") ++ dev_filetrans($1, tty_device_t, chr_file, "pty53") ++ dev_filetrans($1, tty_device_t, chr_file, "pty54") ++ dev_filetrans($1, tty_device_t, chr_file, "pty55") ++ dev_filetrans($1, tty_device_t, chr_file, "pty56") ++ dev_filetrans($1, tty_device_t, chr_file, "pty57") ++ dev_filetrans($1, tty_device_t, chr_file, "pty58") ++ dev_filetrans($1, tty_device_t, chr_file, "pty59") ++ 
dev_filetrans($1, tty_device_t, chr_file, "pty60") ++ dev_filetrans($1, tty_device_t, chr_file, "pty61") ++ dev_filetrans($1, tty_device_t, chr_file, "pty62") ++ dev_filetrans($1, tty_device_t, chr_file, "pty63") ++ dev_filetrans($1, tty_device_t, chr_file, "pty64") ++ dev_filetrans($1, tty_device_t, chr_file, "pty65") ++ dev_filetrans($1, tty_device_t, chr_file, "pty66") ++ dev_filetrans($1, tty_device_t, chr_file, "pty67") ++ dev_filetrans($1, tty_device_t, chr_file, "pty68") ++ dev_filetrans($1, tty_device_t, chr_file, "pty69") ++ dev_filetrans($1, tty_device_t, chr_file, "pty70") ++ dev_filetrans($1, tty_device_t, chr_file, "pty71") ++ dev_filetrans($1, tty_device_t, chr_file, "pty72") ++ dev_filetrans($1, tty_device_t, chr_file, "pty73") ++ dev_filetrans($1, tty_device_t, chr_file, "pty74") ++ dev_filetrans($1, tty_device_t, chr_file, "pty75") ++ dev_filetrans($1, tty_device_t, chr_file, "pty76") ++ dev_filetrans($1, tty_device_t, chr_file, "pty77") ++ dev_filetrans($1, tty_device_t, chr_file, "pty78") ++ dev_filetrans($1, tty_device_t, chr_file, "pty79") ++ dev_filetrans($1, tty_device_t, chr_file, "pty80") ++ dev_filetrans($1, tty_device_t, chr_file, "pty81") ++ dev_filetrans($1, tty_device_t, chr_file, "pty82") ++ dev_filetrans($1, tty_device_t, chr_file, "pty83") ++ dev_filetrans($1, tty_device_t, chr_file, "pty84") ++ dev_filetrans($1, tty_device_t, chr_file, "pty85") ++ dev_filetrans($1, tty_device_t, chr_file, "pty86") ++ dev_filetrans($1, tty_device_t, chr_file, "pty87") ++ dev_filetrans($1, tty_device_t, chr_file, "pty88") ++ dev_filetrans($1, tty_device_t, chr_file, "pty89") ++ dev_filetrans($1, tty_device_t, chr_file, "pty90") ++ dev_filetrans($1, tty_device_t, chr_file, "pty91") ++ dev_filetrans($1, tty_device_t, chr_file, "pty92") ++ dev_filetrans($1, tty_device_t, chr_file, "pty93") ++ dev_filetrans($1, tty_device_t, chr_file, "pty94") ++ dev_filetrans($1, tty_device_t, chr_file, "pty95") ++ dev_filetrans($1, tty_device_t, chr_file, "pty96") ++ 
dev_filetrans($1, tty_device_t, chr_file, "pty97") ++ dev_filetrans($1, tty_device_t, chr_file, "pty98") ++ dev_filetrans($1, tty_device_t, chr_file, "pty99") ++ dev_filetrans($1, tty_device_t, chr_file, "adb0") ++ dev_filetrans($1, tty_device_t, chr_file, "adb1") ++ dev_filetrans($1, tty_device_t, chr_file, "adb2") ++ dev_filetrans($1, tty_device_t, chr_file, "adb3") ++ dev_filetrans($1, tty_device_t, chr_file, "adb4") ++ dev_filetrans($1, tty_device_t, chr_file, "adb5") ++ dev_filetrans($1, tty_device_t, chr_file, "adb6") ++ dev_filetrans($1, tty_device_t, chr_file, "adb7") ++ dev_filetrans($1, tty_device_t, chr_file, "adb8") ++ dev_filetrans($1, tty_device_t, chr_file, "adb9") ++ dev_filetrans($1, tty_device_t, chr_file, "capi0") ++ dev_filetrans($1, tty_device_t, chr_file, "capi1") ++ dev_filetrans($1, tty_device_t, chr_file, "capi2") ++ dev_filetrans($1, tty_device_t, chr_file, "capi3") ++ dev_filetrans($1, tty_device_t, chr_file, "capi4") ++ dev_filetrans($1, tty_device_t, chr_file, "capi5") ++ dev_filetrans($1, tty_device_t, chr_file, "capi6") ++ dev_filetrans($1, tty_device_t, chr_file, "capi7") ++ dev_filetrans($1, tty_device_t, chr_file, "capi8") ++ dev_filetrans($1, tty_device_t, chr_file, "capi9") ++ dev_filetrans($1, console_device_t, chr_file, "console") ++ dev_filetrans($1, tty_device_t, chr_file, "cu0") ++ dev_filetrans($1, tty_device_t, chr_file, "cu1") ++ dev_filetrans($1, tty_device_t, chr_file, "cu2") ++ dev_filetrans($1, tty_device_t, chr_file, "cu3") ++ dev_filetrans($1, tty_device_t, chr_file, "cu4") ++ dev_filetrans($1, tty_device_t, chr_file, "cu5") ++ dev_filetrans($1, tty_device_t, chr_file, "cu6") ++ dev_filetrans($1, tty_device_t, chr_file, "cu7") ++ dev_filetrans($1, tty_device_t, chr_file, "cu8") ++ dev_filetrans($1, tty_device_t, chr_file, "cu9") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri0") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri1") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri2") ++ dev_filetrans($1, 
tty_device_t, chr_file, "dcbri3") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri4") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri5") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri6") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri7") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri8") ++ dev_filetrans($1, tty_device_t, chr_file, "dcbri9") ++ dev_filetrans($1, tty_device_t, chr_file, "vcsa") ++ dev_filetrans($1, tty_device_t, chr_file, "vcsb") ++ dev_filetrans($1, tty_device_t, chr_file, "vcsc") ++ dev_filetrans($1, tty_device_t, chr_file, "vcsd") ++ dev_filetrans($1, tty_device_t, chr_file, "vcse") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc0") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc1") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc2") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc3") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc4") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc5") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc6") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc7") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc8") ++ dev_filetrans($1, tty_device_t, chr_file, "hvc9") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi0") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi1") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi2") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi3") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi4") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi5") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi6") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi7") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi8") ++ dev_filetrans($1, tty_device_t, chr_file, "hvsi9") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm0") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm1") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm2") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm3") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm4") ++ dev_filetrans($1, 
tty_device_t, chr_file, "ircomm5") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm6") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm7") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm8") ++ dev_filetrans($1, tty_device_t, chr_file, "ircomm9") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn0") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn1") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn2") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn3") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn4") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn5") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn6") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn7") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn8") ++ dev_filetrans($1, tty_device_t, chr_file, "isdn9") ++ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx") ++ dev_filetrans($1, ptmx_t, chr_file, "ptmx") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8") ++ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr0") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr1") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr2") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr3") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr4") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr5") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr6") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr7") ++ dev_filetrans($1, tty_device_t, chr_file, "slamr8") ++ dev_filetrans($1, tty_device_t, 
chr_file, "slamr9") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM0") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM1") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM2") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM3") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM4") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM5") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM6") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM7") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM8") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyACM9") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS0") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS1") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS2") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS3") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS4") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS5") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS6") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS7") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS8") ++ dev_filetrans($1, tty_device_t, chr_file, "ttyS9") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG0") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG1") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG2") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG3") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG4") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG5") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG6") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG7") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG8") ++ dev_filetrans($1, tty_device_t, chr_file, "ttySG9") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4") ++ dev_filetrans($1, 
usbtty_device_t, chr_file, "ttyUSB5") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8") ++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8") ++ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9") ++ dev_filetrans($1, devpts_t, dir, "pts") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc0") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc1") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc2") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc3") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc4") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc5") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc6") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc7") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc8") ++ dev_filetrans($1, tty_device_t, chr_file, "xvc9") ++') +diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te +index c0b88bf..a97d7cc 100644 +--- a/policy/modules/kernel/terminal.te ++++ b/policy/modules/kernel/terminal.te +@@ -29,6 +29,7 @@ files_mountpoint(devpts_t) + fs_associate_tmpfs(devpts_t) + fs_type(devpts_t) + fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); ++dev_associate(devpts_t) + + # + # devtty_t is the type of /dev/tty. 
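Review bot: term_filetrans_all_named_dev requires `type bsdpty_device_t;` but never uses it, while every "pty0" to "pty99" entry transitions to tty_device_t; either the require is dead or the BSD pty entries are labelled with the wrong type, and a comment on the pty block stating which is intended would settle it. Named file transitions match the exact name, so devices outside the enumerated ranges (ttyUSB10, vport1p0, tty100 and so on) get no transition from this interface; that limitation is worth a sentence in the interface summary. Stylistically, the `gen_require(` block sits at column 0 unlike every other interface in the file, and the two virtio interfaces above use `#` rulers shorter than the 40-character ones used elsewhere.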
+@@ -54,5 +55,11 @@ dev_node(tty_device_t)
+ #
+ # usbtty_device_t is the type of /dev/usr/tty*
+ #
+-type usbtty_device_t, serial_device;
+-dev_node(usbtty_device_t)
++type usbtty_device_t;
++term_tty(usbtty_device_t)
++
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
+diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
+new file mode 100644
+index 0000000..f310b9d
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.fc
+@@ -0,0 +1 @@
++# No unlabelednet file contexts.
+diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
+new file mode 100644
+index 0000000..0ce0470
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.if
+@@ -0,0 +1 @@
++## Policy for allowing confined domains to use unlabeled_t packets
+diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
+new file mode 100644
+index 0000000..48caabc
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.te
+@@ -0,0 +1,12 @@
++policy_module(unlabelednet, 1.0.0)
++
++corenet_enable_unlabeled_packets()
++
++gen_require(`
++ type unlabeled_t;
++ attribute domain;
++')
++
++# temporary hack until labeling on packets is supported
++allow domain unlabeled_t:packet { send recv };
++
+diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
+index 834a065..c769f81 100644
+--- a/policy/modules/roles/auditadm.te
++++ b/policy/modules/roles/auditadm.te
+@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
+
+ role auditadm_r;
+ role system_r;
+-userdom_unpriv_user_template(auditadm)
++userdom_confined_admin_template(auditadm)
+
+ ########################################
+ #
+@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
+
+ domain_kill_all_domains(auditadm_t)
+
++selinux_read_policy(auditadm_t)
++
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t, auditadm_r)
+ logging_run_auditd(auditadm_t, auditadm_r)
++logging_stream_connect_syslog(auditadm_t)
+
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
+ optional_policy(`
+ consoletype_exec(auditadm_t)
+ ')
+diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
+index 3a45a3e..7499f24 100644
+--- a/policy/modules/roles/logadm.te
++++ b/policy/modules/roles/logadm.te
+@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
+
+ role logadm_r;
+
+-userdom_base_user_template(logadm)
++userdom_confined_admin_template(logadm)
+
+ ########################################
+ #
+ # logadmin local policy
+ #
+
+-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+-
++allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ logging_admin(logadm_t, logadm_r)
+diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
+index da11120..d67bcca 100644
+--- a/policy/modules/roles/secadm.te
++++ b/policy/modules/roles/secadm.te
+@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
+
+ role secadm_r;
+
+-userdom_unpriv_user_template(secadm)
+-userdom_security_admin_template(secadm_t, secadm_r)
++userdom_confined_admin_template(secadm)
++userdom_security_admin(secadm_t, secadm_r)
++userdom_inherit_append_admin_home_files(secadm_t)
++userdom_read_admin_home_files(secadm_t)
+
+ ########################################
+ #
+@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+
+ auth_role(secadm_r, secadm_t)
+-files_relabel_non_auth_files(secadm_t)
+-auth_relabel_shadow(secadm_t)
++files_relabel_all_files(secadm_t)
+
+ init_exec(secadm_t)
+
+diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
+index 234a940..d340f20 100644
+--- a/policy/modules/roles/staff.if
++++ b/policy/modules/roles/staff.if
+@@ -1,4 +1,4 @@
+-## Administrator's unprivileged user role
++## Administrator's unprivileged user
+
+ ########################################
+ ##
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index 5da7870..4f46291 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
+ role staff_r;
+
+ userdom_unpriv_user_template(staff)
++fs_exec_noxattr(staff_t)
++
++##
++##
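Review bot: usbtty_device_t silently changes category here, from a serial_device with its own dev_node to a ttynode via `term_tty(usbtty_device_t)`, so every ttynode-wide interface (term_use_all_ttys, term_getattr_all_ttys and the dontaudit variants) now covers USB serial adapters while anything keyed on the serial_device attribute presumably no longer does; that widening deserves a comment on the declaration. Suggested: `# ttynode, not serial_device: covered by the *_all_ttys interfaces; see term_use_usb_ttys for type-specific access`. The comment above it still describes the type as "/dev/usr/tty*", which looks like a long-standing typo for /dev/ttyUSB* and could be fixed while this block is being touched.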
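Review bot: `allow domain unlabeled_t:packet { send recv };` in the new unlabelednet.te is an unconditional policy-wide grant to every domain, and the only control a deployer has is whether the module is loaded at all; the "temporary hack" comment should say what it is waiting on and the rule is a natural candidate for a tunable so it can be turned off without unloading the module. A constructed example, name to be chosen: `gen_tunable(unlabelednet_packets, true)` in the declarations and the allow wrapped in `tunable_policy(`unlabelednet_packets',` ... `')`. It is also not clear from this hunk whether `corenet_enable_unlabeled_packets()` already grants an overlapping rule, in which case one of the two is redundant and a comment should say which is authoritative.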
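Review bot: `files_relabel_all_files(secadm_t)` replaces files_relabel_non_auth_files plus auth_relabel_shadow with a grant over every file type, which is a broader privilege than the two interfaces it removes, not an equivalent rewrite; the hunk carries no comment explaining why the earlier carve-out is no longer wanted. A one-line note above it, such as `# secadm relabels all files, including auth files; supersedes the non_auth + shadow pair`, would record the decision for the next reviewer of the MLS role set. The same file also switches the role template to userdom_confined_admin_template in the hunk above, and that pairing is worth mentioning in the same note since both widen what secadm_t can do.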

    ++## allow staff user to create and transition to svirt domains. ++##

    ++##
    ++gen_tunable(staff_use_svirt, false) + + ######################################## + # + # Local policy + # + ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) ++kernel_read_fs_sysctls(staff_t) ++kernel_read_numa_state(staff_t) ++kernel_write_numa_state(staff_t) ++ ++fs_read_hugetlbfs_files(staff_t) ++files_dontaudit_read_all_symlinks(staff_t) ++ ++dev_read_cpuid(staff_t) ++dev_read_kmsg(staff_t) ++ ++domain_read_all_domains_state(staff_t) ++domain_getsched_all_domains(staff_t) ++domain_getattr_all_domains(staff_t) ++domain_obj_id_change_exemption(staff_t) ++ ++files_read_kernel_modules(staff_t) ++ ++seutil_read_module_store(staff_t) ++seutil_run_newrole(staff_t, staff_r) ++seutil_dbus_chat_semanage(staff_t) ++seutil_read_login_config(staff_t) ++ ++storage_read_scsi_generic(staff_t) ++storage_write_scsi_generic(staff_t) ++ ++term_use_unallocated_ttys(staff_t) ++ ++auth_domtrans_pam_console(staff_t) ++ ++init_dbus_chat(staff_t) ++init_dbus_chat_script(staff_t) ++init_status(staff_t) ++ ++miscfiles_read_hwdata(staff_t) ++ ++ifndef(`enable_mls',` ++ selinux_read_policy(staff_t) ++') ++ ++optional_policy(` ++ abrt_read_cache(staff_t) ++') ++ ++optional_policy(` ++ accountsd_read_lib_files(staff_t) ++') ++ + optional_policy(` + apache_role(staff_r, staff_t) + ') +@@ -23,11 +82,110 @@ optional_policy(` + ') + + optional_policy(` ++ blueman_dbus_chat(staff_t) ++') ++ ++optional_policy(` ++ kdumpgui_dbus_chat(staff_t) ++') ++ ++optional_policy(` ++ bluetooth_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ chrome_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ colord_dbus_chat(staff_t) ++') ++ ++optional_policy(` + dbadm_role_change(staff_r) + ') + + optional_policy(` +- git_role(staff_r, staff_t) ++ dnsmasq_read_pid_files(staff_t) ++') ++ ++optional_policy(` ++ dmesg_exec(staff_t) ++') ++ ++optional_policy(` ++ firewalld_dbus_chat(staff_t) ++') ++ 
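Review bot: several of the new unconditional grants for staff_t are write-class rather than read-class and carry no justification: `storage_write_scsi_generic(staff_t)`, `kernel_write_numa_state(staff_t)` and `domain_obj_id_change_exemption(staff_t)` in particular change what an unprivileged staff user can do to devices and to object identity, and `term_use_unallocated_ttys(staff_t)` widens terminal access. The file already introduces a tunable (staff_use_svirt) for the virt-related extras, so the same pattern, or at least a short why-comment per group, is the expected way to land these; reviewers of a role file cannot otherwise tell a deliberate grant from an audit2allow leftover. The hunk also declares `gen_tunable(staff_use_svirt, false)` in the Declarations section while its only use is at the end of the file, which is fine but worth a pointer comment next to the declaration.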
++optional_policy(` ++ firewallgui_dbus_chat(staff_t) ++') ++ ++optional_policy(` ++ gnome_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ irc_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ journalctl_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ kerneloops_dbus_chat(staff_t) ++') ++ ++optional_policy(` ++ logadm_role_change(staff_r) ++') ++ ++optional_policy(` ++ lpd_list_spool(staff_t) ++') ++ ++optional_policy(` ++ mock_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ mozilla_run_plugin(staff_t, staff_r) ++') ++ ++optional_policy(` ++ modutils_read_module_config(staff_t) ++ modutils_read_module_deps(staff_t) ++') ++ ++optional_policy(` ++ netutils_run_ping(staff_t, staff_r) ++ netutils_run_traceroute(staff_t, staff_r) ++ netutils_signal_ping(staff_t) ++ netutils_kill_ping(staff_t) ++') ++ ++optional_policy(` ++ oident_manage_user_content(staff_t) ++ oident_relabel_user_content(staff_t) ++') ++ ++optional_policy(` ++ mta_role(staff_r, staff_t) ++') ++ ++optional_policy(` ++ mysql_exec(staff_t) ++') ++ ++optional_policy(` ++ polipo_role(staff_r, staff_t) ++ polipo_named_filetrans_cache_home_dirs(staff_t) ++ polipo_named_filetrans_config_home_files(staff_t) ++') ++ ++optional_policy(` ++ openvpn_exec(staff_t) + ') + + optional_policy(` +@@ -35,15 +193,31 @@ optional_policy(` + ') + + optional_policy(` ++ rtkit_scheduled(staff_t) ++') ++ ++optional_policy(` ++ rpm_dbus_chat(staff_t) ++') ++ ++optional_policy(` ++ rwho_read_spool_files(staff_t) ++') ++ ++optional_policy(` + secadm_role_change(staff_r) + ') + + optional_policy(` +- ssh_role_template(staff, staff_r, staff_t) ++ sandbox_transition(staff_t, staff_r) + ') + + optional_policy(` +- sudo_role_template(staff, staff_r, staff_t) ++ sandbox_x_transition(staff_t, staff_r) ++') ++ ++optional_policy(` ++ screen_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` +@@ -52,10 +226,55 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_read_unit_files(staff_t) ++ 
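Review bot: the new optional_policy blocks break the alphabetical ordering the rest of this file keeps: kdumpgui_dbus_chat is placed between blueman and bluetooth, mta_role comes after oident, and openvpn_exec after polipo. Alphabetical order is how reviewers of role files spot duplicates and missing entries, so moving those three blocks to their sorted positions is worth doing before merge. The removal of git_role in the same hunk is a real behaviour change for staff_r that the surrounding additions obscure; a short commit-level or in-file note saying whether git_role is dropped on purpose would help.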
systemd_exec_systemctl(staff_t) ++') ++ ++optional_policy(` ++ setroubleshoot_stream_connect(staff_t) ++ setroubleshoot_dbus_chat(staff_t) ++ setroubleshoot_dbus_chat_fixit(staff_t) ++') ++ ++optional_policy(` ++ ssh_role_template(staff, staff_r, staff_t) ++') ++ ++optional_policy(` ++ sudo_role_template(staff, staff_r, staff_t) ++') ++ ++optional_policy(` ++ userhelper_console_role_template(staff, staff_r, staff_t) ++') ++ ++optional_policy(` ++ unconfined_role_change(staff_r) ++') ++ ++optional_policy(` ++ usbmuxd_stream_connect(staff_t) ++') ++ ++optional_policy(` ++ virt_getattr_exec(staff_t) ++ virt_search_images(staff_t) ++ virt_stream_connect(staff_t) ++') ++ ++optional_policy(` + vlock_run(staff_t, staff_r) + ') + + optional_policy(` ++ vnstatd_read_lib_files(staff_t) ++') ++ ++optional_policy(` ++ webadm_role_change(staff_r) ++') ++ ++optional_policy(` + xserver_role(staff_r, staff_t) + ') + +@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- bluetooth_role(staff_r, staff_t) +- ') +- +- optional_policy(` + cdrecord_role(staff_r, staff_t) + ') + +@@ -78,10 +293,6 @@ ifndef(`distro_redhat',` + + optional_policy(` + dbus_role_template(staff, staff_r, staff_t) +- +- optional_policy(` +- gnome_role_template(staff, staff_r, staff_t) +- ') + ') + + optional_policy(` +@@ -101,10 +312,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- irc_role(staff_r, staff_t) +- ') +- +- optional_policy(` + java_role(staff_r, staff_t) + ') + +@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(staff_r, staff_t) +- ') +- +- optional_policy(` + pyzor_role(staff_r, staff_t) + ') + +@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- screen_role_template(staff, staff_r, staff_t) +- ') +- +- optional_policy(` + spamassassin_role(staff_r, staff_t) + ') + +@@ -176,3 +375,22 @@ ifndef(`distro_redhat',` + wireshark_role(staff_r, staff_t) + ') + ') ++ ++tunable_policy(`selinuxuser_execmod',` ++ 
userdom_execmod_user_home_files(staff_t) ++') ++ ++optional_policy(` ++ virt_transition_svirt(staff_t, staff_r) ++ virt_filetrans_home_content(staff_t) ++') ++ ++optional_policy(` ++ tunable_policy(`staff_use_svirt',` ++ allow staff_t self:fifo_file relabelfrom; ++ dev_rw_kvm(staff_t) ++ virt_manage_images(staff_t) ++ virt_stream_connect_svirt(staff_t) ++ virt_exec(staff_t) ++ ') ++') +diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if +index ff92430..36740ea 100644 +--- a/policy/modules/roles/sysadm.if ++++ b/policy/modules/roles/sysadm.if +@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',` + allow sysadm_t $1:process sigchld; + ') + ++####################################### ++## ++## sysadm stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sysadm_stub',` ++ gen_require(` ++ type sysadm_t; ++ role sysadm_r; ++ ') ++') ++ + ######################################## + ## + ## Execute a generic bin program in the sysadm domain. +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 88d0028..f520b74 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) + # Declarations + # + +-## +-##
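Review bot: The `tunable_policy(`staff_use_svirt', ...)` block at the end of this hunk has no matching `gen_tunable(staff_use_svirt, ...)` in view; if the declaration is not in the Declarations hunk earlier in this file (outside this chunk) the module will not build, and if it is, it should carry the same summary doc block that unprivuser.te gives `unprivuser_use_svirt` in this patch. `virt_transition_svirt(staff_t, staff_r)` just above is unconditional while `dev_rw_kvm(staff_t)` and `virt_manage_images(staff_t)` are tunable-gated; a comment such as `# transition to svirt is always allowed; raw kvm and image access only with staff_use_svirt` would record the split.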

    +-## Allow sysadm to debug or ptrace all processes. +-##

    +-##
    +-gen_tunable(allow_ptrace, false) +- + role sysadm_r; + + userdom_admin_user_template(sysadm) + +-ifndef(`enable_mls',` +- userdom_security_admin_template(sysadm_t, sysadm_r) +-') +- + ######################################## + # + # Local policy + # ++kernel_read_fs_sysctls(sysadm_t) + + corecmd_exec_shell(sysadm_t) + ++dev_filetrans_all_named_dev(sysadm_t) ++ ++domain_dontaudit_read_all_domains_state(sysadm_t) ++ ++files_read_kernel_modules(sysadm_t) ++files_filetrans_named_content(sysadm_t) ++files_status_etc(sysadm_t) ++ ++fs_mount_fusefs(sysadm_t) ++ ++storage_filetrans_all_named_dev(sysadm_t) ++ ++term_filetrans_all_named_dev(sysadm_t) ++ + mls_process_read_up(sysadm_t) ++mls_file_read_all_levels(sysadm_t) ++mls_file_write_all_levels(sysadm_t) ++mls_file_read_to_clearance(sysadm_t) ++mls_process_write_to_clearance(sysadm_t) ++ ++storage_setattr_fixed_disk_dev(sysadm_t) + + ubac_process_exempt(sysadm_t) + ubac_file_exempt(sysadm_t) + ubac_fd_exempt(sysadm_t) + ++application_exec(sysadm_t) ++ ++init_filetrans_named_content(sysadm_t) ++init_disable_services(sysadm_t) ++init_enable_services(sysadm_t) ++init_reload_services(sysadm_t) + init_exec(sysadm_t) ++init_exec_script_files(sysadm_t) ++init_dbus_chat(sysadm_t) ++init_script_role_transition(sysadm_r) ++init_status(sysadm_t) ++init_reboot(sysadm_t) ++init_halt(sysadm_t) ++init_undefined(sysadm_t) ++ ++logging_filetrans_named_content(sysadm_t) ++ ++miscfiles_filetrans_named_content(sysadm_t) ++miscfiles_read_hwdata(sysadm_t) ++ ++sysnet_filetrans_named_content(sysadm_t) + + # Add/remove user home directories ++userdom_manage_user_tmp_chr_files(sysadm_t) + userdom_manage_user_home_dirs(sysadm_t) + userdom_home_filetrans_user_home_dir(sysadm_t) ++userdom_manage_tmp_role(sysadm_r, sysadm_t) ++userdom_exec_admin_home_files(sysadm_t) ++ ++optional_policy(` ++ abrt_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ alsa_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ 
ssh_filetrans_admin_home_content(sysadm_t) ++ ssh_filetrans_keys(sysadm_t) ++') + + ifdef(`direct_sysadm_daemon',` + optional_policy(` +@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',` + init_exec_rc(sysadm_t) + ') + +-ifndef(`enable_mls',` +- logging_manage_audit_log(sysadm_t) +- logging_manage_audit_config(sysadm_t) +- logging_run_auditctl(sysadm_t, sysadm_r) +-') +- +-tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + domain_ptrace_all_domains(sysadm_t) + ') + +@@ -71,9 +111,9 @@ optional_policy(` + + optional_policy(` + apache_run_helper(sysadm_t, sysadm_r) ++ apache_filetrans_named_content(sysadm_t) + #apache_run_all_scripts(sysadm_t, sysadm_r) + #apache_domtrans_sys_script(sysadm_t) +- apache_role(sysadm_r, sysadm_t) + ') + + optional_policy(` +@@ -87,6 +127,7 @@ optional_policy(` + + optional_policy(` + asterisk_stream_connect(sysadm_t) ++ asterisk_exec(sysadm_t) + ') + + optional_policy(` +@@ -110,11 +151,17 @@ optional_policy(` + ') + + optional_policy(` ++ certmonger_dbus_chat(sysadm_t) ++') ++ ++optional_policy(` + certwatch_run(sysadm_t, sysadm_r) + ') + + optional_policy(` + clock_run(sysadm_t, sysadm_r) ++ clock_manage_adjtime(sysadm_t) ++ clock_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -122,11 +169,19 @@ optional_policy(` + ') + + optional_policy(` +- consoletype_run(sysadm_t, sysadm_r) ++ cron_admin_role(sysadm_r, sysadm_t) + ') + + optional_policy(` +- cvs_exec(sysadm_t) ++ consoletype_exec(sysadm_t) ++') ++ ++optional_policy(` ++ daemonstools_run_start(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` ++ dbus_role_template(sysadm, sysadm_r, sysadm_t) + ') + + optional_policy(` +@@ -140,6 +195,10 @@ optional_policy(` + ') + + optional_policy(` ++ devicekit_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` + dmesg_exec(sysadm_t) + ') + +@@ -156,11 +215,11 @@ optional_policy(` + ') + + optional_policy(` +- fstools_run(sysadm_t, sysadm_r) ++ firewalld_dbus_chat(sysadm_t) + ') + + optional_policy(` +- 
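Review bot: `mls_file_write_all_levels(sysadm_t)` is added here unconditionally and again in the new policy/modules/roles/sysadm_secadm.te later in this patch, so one of the two is redundant; since the secadm module is where the other privileges previously behind `ifndef(`enable_mls'` (the security-admin template and audit-log management) now live, the copy in this hunk is the one to drop if MLS write-down is meant to stay a secadm-only privilege. The removed `gen_tunable(allow_ptrace, false)` is not replaced by a declaration of `deny_ptrace`, which the `@@ -55,13 +101,7 @@` hunk now references; if it is declared in a global tunables file outside this view that is fine, otherwise the reference will not resolve. The hunk also drops the `ifndef(`enable_mls'` guard around `userdom_security_admin_template` without pointing at its new home; `# security-admin privileges moved to sysadm_secadm.te` at that spot would help the next reader.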
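Review bot: Replacing `tunable_policy(`allow_ptrace',` with `tunable_policy(`deny_ptrace',`',`` inverts the default behaviour unless `deny_ptrace` defaults to true: the removed `allow_ptrace` defaulted to false, so sysadm_t previously could not ptrace all domains out of the box, whereas a `deny_ptrace` tunable defaulting to false enables `domain_ptrace_all_domains(sysadm_t)` by default. The default of `deny_ptrace` is not declared in this file (the `@@ -5,39 +5,85 @@` hunk removes the only local ptrace tunable), so it should be confirmed against the file that declares it. A comment on the call, `# ptrace of all domains is active whenever deny_ptrace is off`, would make the polarity explicit.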
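Review bot: `dbus_role_template(sysadm, sysadm_r, sysadm_t)` is added here unconditionally, but the same call remains inside the `ifndef(`distro_redhat'` block further down (context line in the `@@ -439,10 +555,6 @@` hunk), so a non-Red Hat build invokes the template twice; if the template declares `sysadm_dbusd_t`, as role templates usually do, that is a duplicate type declaration rather than a harmless duplicate rule, and the copy inside `ifndef(`distro_redhat'` should go. The `@@ -463,15 +575,75 @@` hunk has the same shape for `xserver_role(sysadm_r, sysadm_t)`, which stays unconditional after the reorder in `@@ -402,31 +515,34 @@` and is added again inside the `ifndef(`distro_redhat'` block. In this hunk `cvs_exec(sysadm_t)` also appears to be dropped rather than moved; if that is deliberate a one-line comment or a separate hunk would make the removal visible.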
git_role(sysadm_r, sysadm_t) ++ fstools_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -179,6 +238,13 @@ optional_policy(` + ipsec_stream_connect(sysadm_t) + # for lsof + ipsec_getattr_key_sockets(sysadm_t) ++ ipsec_run_setkey(sysadm_t, sysadm_r) ++ ipsec_run_racoon(sysadm_t, sysadm_r) ++ ipsec_stream_connect_racoon(sysadm_t) ++ ++ optional_policy(` ++ ipsec_mgmt_dbus_chat(sysadm_t) ++ ') + ') + + optional_policy(` +@@ -186,15 +252,20 @@ optional_policy(` + ') + + optional_policy(` +- kudzu_run(sysadm_t, sysadm_r) ++ irc_role(sysadm_r, sysadm_t) + ') + + optional_policy(` +- libs_run_ldconfig(sysadm_t, sysadm_r) ++ kerberos_exec_kadmind(sysadm_t) ++ kerberos_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +- lockdev_role(sysadm_r, sysadm_t) ++ kudzu_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` ++ libs_run_ldconfig(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -214,22 +285,20 @@ optional_policy(` + modutils_run_depmod(sysadm_t, sysadm_r) + modutils_run_insmod(sysadm_t, sysadm_r) + modutils_run_update_mods(sysadm_t, sysadm_r) ++ modutils_read_module_deps(sysadm_t) ++ modules_filetrans_named_content(sysadm_t) + ') + + optional_policy(` + mount_run(sysadm_t, sysadm_r) +-') +- +-optional_policy(` +- mozilla_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` +- mplayer_role(sysadm_r, sysadm_t) ++ mount_run_showmount(sysadm_t, sysadm_r) + ') + + optional_policy(` + mta_role(sysadm_r, sysadm_t) ++ # this is defined in userdom_common_user_template ++ #mta_filetrans_home_content(sysadm_t) ++ mta_filetrans_admin_home_content(sysadm_t) + ') + + optional_policy(` +@@ -241,14 +310,27 @@ optional_policy(` + ') + + optional_policy(` ++ ncftool_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + netutils_run(sysadm_t, sysadm_r) + netutils_run_ping(sysadm_t, sysadm_r) + netutils_run_traceroute(sysadm_t, sysadm_r) + ') + + optional_policy(` ++ networkmanager_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` + ntp_stub() + 
corenet_udp_bind_ntp_port(sysadm_t) ++ ntp_admin(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` ++ nx_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -256,10 +338,20 @@ optional_policy(` + ') + + optional_policy(` ++ openvpn_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + pcmcia_run_cardctl(sysadm_t, sysadm_r) + ') + + optional_policy(` ++ polipo_role(sysadm_r, sysadm_t) ++ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t) ++ polipo_named_filetrans_admin_config_home_files(sysadm_t) ++') ++ ++optional_policy(` + portage_run(sysadm_t, sysadm_r) + portage_run_fetch(sysadm_t, sysadm_r) + portage_run_gcc_config(sysadm_t, sysadm_r) +@@ -270,35 +362,41 @@ optional_policy(` + ') + + optional_policy(` +- pyzor_role(sysadm_r, sysadm_t) ++ postfix_admin(sysadm_t, sysadm_r) + ') + + optional_policy(` +- quota_run(sysadm_t, sysadm_r) ++ postgresql_admin(sysadm_t, sysadm_r) + ') + + optional_policy(` +- raid_run_mdadm(sysadm_r, sysadm_t) ++ prelink_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- razor_role(sysadm_r, sysadm_t) ++ puppet_run_puppetca(sysadm_t, sysadm_r) + ') + + optional_policy(` +- rpc_domtrans_nfsd(sysadm_t) ++ quota_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +- rpm_run(sysadm_t, sysadm_r) ++ raid_domtrans_mdadm(sysadm_t) + ') + + optional_policy(` +- rssh_role(sysadm_r, sysadm_t) ++ rpc_domtrans_nfsd(sysadm_t) ++') ++ ++optional_policy(` ++ rpm_run(sysadm_t, sysadm_r) ++ rpm_dbus_chat(sysadm_t, sysadm_r) + ') + + optional_policy(` + rsync_exec(sysadm_t) ++ rsync_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -312,6 +410,7 @@ optional_policy(` + + optional_policy(` + screen_role_template(sysadm, sysadm_r, sysadm_t) ++ allow sysadm_screen_t self:capability dac_override; + ') + + optional_policy(` +@@ -319,12 +418,20 @@ optional_policy(` + ') + + optional_policy(` ++ setroubleshoot_stream_connect(sysadm_t) ++ setroubleshoot_dbus_chat(sysadm_t) ++ setroubleshoot_dbus_chat_fixit(sysadm_t) ++') ++ 
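Review bot: `rpm_dbus_chat(sysadm_t, sysadm_r)` is called with two arguments here while the staff.te and unconfineduser.te hunks in this same patch call `rpm_dbus_chat(staff_t)` and `rpm_dbus_chat(unconfined_t)` with one; m4 will not flag the mismatch, so either the role argument is silently ignored here or the one-argument callers silently get an empty `$2` — check the interface in rpm.if and make the three callers agree. In the same hunk `raid_run_mdadm(sysadm_r, sysadm_t)` (whose arguments were already reversed relative to the `_run(domain, role)` order used by `fstools_run` and `netutils_run` in this file) is replaced by `raid_domtrans_mdadm(sysadm_t)`, which does not add the role allow that `_run` interfaces carry; if sysadm_r is not given the mdadm domain elsewhere the transition will fail at the role check. A comment such as `# role allow for the mdadm domain comes from <module placeholder>`, or the `_run` form with the arguments in the right order, would settle it.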
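Review bot: The raw `allow sysadm_screen_t self:capability dac_override;` added after `screen_role_template` writes an access-vector rule directly against a type the screen module's template declares, which breaks the refpolicy convention that a module only names another module's types through that module's interfaces; it belongs in the template or a new interface in screen.if so the rule is versioned with the type it targets. dac_override bypasses discretionary permission checks on every file, so whichever form is kept should carry a comment naming the operation that needs it, e.g. `# dac_override: <operation seen in AVC placeholder> -- TODO confirm`. The enclosing optional_policy block starts in this hunk's context and the file continues outside it.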
++optional_policy(` + seutil_run_setfiles(sysadm_t, sysadm_r) + seutil_run_runinit(sysadm_t, sysadm_r) ++ seutil_dbus_chat_semanage(sysadm_t) ++ seutil_read_login_config(sysadm_t) + ') + + optional_policy(` +- spamassassin_role(sysadm_r, sysadm_t) ++ shutdown_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -349,7 +456,18 @@ optional_policy(` + ') + + optional_policy(` +- thunderbird_role(sysadm_r, sysadm_t) ++ systemd_passwd_agent_run(sysadm_t, sysadm_r) ++ systemd_config_all_services(sysadm_t) ++ systemd_manage_all_unit_files(sysadm_t) ++ systemd_manage_all_unit_lnk_files(sysadm_t) ++ systemd_login_status(sysadm_t) ++ systemd_login_reboot(sysadm_t) ++ systemd_login_halt(sysadm_t) ++ systemd_login_undefined(sysadm_t) ++') ++ ++optional_policy(` ++ tftp_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -360,19 +478,15 @@ optional_policy(` + ') + + optional_policy(` +- tvtime_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + tzdata_domtrans(sysadm_t) + ') + + optional_policy(` +- uml_role(sysadm_r, sysadm_t) ++ unconfined_domtrans(sysadm_t) + ') + + optional_policy(` +- unconfined_domtrans(sysadm_t) ++ udev_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -384,10 +498,6 @@ optional_policy(` + ') + + optional_policy(` +- userhelper_role_template(sysadm, sysadm_r, sysadm_t) +-') +- +-optional_policy(` + usermanage_run_admin_passwd(sysadm_t, sysadm_r) + usermanage_run_groupadd(sysadm_t, sysadm_r) + usermanage_run_useradd(sysadm_t, sysadm_r) +@@ -395,6 +505,9 @@ optional_policy(` + + optional_policy(` + virt_stream_connect(sysadm_t) ++ virt_filetrans_home_content(sysadm_t) ++ virt_manage_pid_dirs(sysadm_t) ++ virt_transition_svirt_sandbox(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -402,31 +515,34 @@ optional_policy(` + ') + + optional_policy(` +- vpn_run(sysadm_t, sysadm_r) ++ vlock_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- webalizer_run(sysadm_t, sysadm_r) ++ vpn_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- 
wireshark_role(sysadm_r, sysadm_t) ++ webalizer_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- vlock_run(sysadm_t, sysadm_r) ++ xserver_role(sysadm_r, sysadm_t) + ') + + optional_policy(` +- xserver_role(sysadm_r, sysadm_t) ++ yam_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- yam_run(sysadm_t, sysadm_r) ++ zebra_stream_connect(sysadm_t) + ') + + ifndef(`distro_redhat',` + optional_policy(` ++ apache_role(sysadm_r, sysadm_t) ++ ') ++ optional_policy(` + auth_role(sysadm_r, sysadm_t) + ') + +@@ -439,10 +555,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- cron_admin_role(sysadm_r, sysadm_t) +- ') +- +- optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + + optional_policy(` +@@ -463,15 +575,75 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- gpg_role(sysadm_r, sysadm_t) ++ gnome_role(sysadm_r, sysadm_t) ++ gnome_filetrans_admin_home_content(sysadm_t) + ') + + optional_policy(` +- irc_role(sysadm_r, sysadm_t) ++ gpg_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + java_role(sysadm_r, sysadm_t) + ') +-') + ++ optional_policy(` ++ lockdev_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ mock_admin(sysadm_t) ++ ') ++ ++ optional_policy(` ++ mozilla_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ mplayer_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ pyzor_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ razor_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ rssh_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ spamassassin_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ thunderbird_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ tvtime_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ uml_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ userhelper_role_template(sysadm, sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ vmware_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ wireshark_role(sysadm_r, sysadm_t) ++ 
') ++ ++ optional_policy(` ++ xserver_role(sysadm_r, sysadm_t) ++ ') ++') +diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc +new file mode 100644 +index 0000000..ae3b6db +--- /dev/null ++++ b/policy/modules/roles/sysadm_secadm.fc +@@ -0,0 +1 @@ ++# No context +diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if +new file mode 100644 +index 0000000..bd83148 +--- /dev/null ++++ b/policy/modules/roles/sysadm_secadm.if +@@ -0,0 +1 @@ ++## No Interfaces +diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te +new file mode 100644 +index 0000000..63bc797 +--- /dev/null ++++ b/policy/modules/roles/sysadm_secadm.te +@@ -0,0 +1,25 @@ ++policy_module(sysadm_secadm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++gen_require(` ++ type sysadm_t; ++ role sysadm_r; ++') ++ ++userdom_security_admin_template(sysadm_t, sysadm_r) ++ ++####################################### ++# ++# Local policy ++# ++ ++mls_file_write_all_levels(sysadm_t) ++ ++logging_manage_audit_log(sysadm_t) ++logging_manage_audit_config(sysadm_t) ++logging_run_auditctl(sysadm_t, sysadm_r) ++logging_stream_connect_syslog(sysadm_t) +diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc +new file mode 100644 +index 0000000..0e8654b +--- /dev/null ++++ b/policy/modules/roles/unconfineduser.fc +@@ -0,0 +1,8 @@ ++# Add programs here which should not be confined by SELinux ++# e.g.: ++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t ++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++ ++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) +diff --git 
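Review bot: The new module applies `userdom_security_admin_template(sysadm_t, sysadm_r)` and the `logging_manage_audit_*` / `logging_run_auditctl` calls unconditionally, whereas sysadm.te used to grant exactly these only under `ifndef(`enable_mls'`; on an MLS build that still loads this module the sysadm and security-admin roles are merged, and nothing in the file says the module is meant to be left out of modules.conf there. A header comment after `policy_module(sysadm_secadm, 1.0.0)` such as `# Grants sysadm_t the security-admin privileges; do not load on MLS builds where secadm is a separate role` would carry that constraint with the module. `mls_file_write_all_levels(sysadm_t)` here duplicates the call the sysadm.te `@@ -5,39 +5,85 @@` hunk adds unconditionally, so one of them is redundant.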
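Review bot: The three entries label vncserver, xrdp and xrdp-sesman as `unconfined_exec_t`, so those session services run in unconfined_t, and the only rationale is the generic comment above the vncserver line; the xrdp entries have none. Each should carry the reason and a tracking reference, e.g. `# xrdp: no confined policy yet; tracked in <BUG-ID placeholder>`, so the exception can be revisited rather than silently persisting. If vncserver is the only entry the "initrc to transition to unconfined_t" sentence applies to, move that sentence onto the vncserver line so it is not read as covering all three.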
a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if +new file mode 100644 +index 0000000..cf6582f +--- /dev/null ++++ b/policy/modules/roles/unconfineduser.if +@@ -0,0 +1,613 @@ ++## Unconfiend user role ++ ++######################################## ++## ++## Change from the unconfineduser role. ++## ++## ++##

    ++## Change from the unconfineduser role to ++## the specified role. ++##

    ++##

    ++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

    ++##
    ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`unconfined_role_change_to',` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ allow unconfined_r $1; ++') ++ ++######################################## ++## ++## Transition to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_domtrans',` ++ gen_require(` ++ type unconfined_t, unconfined_exec_t; ++ ') ++ ++ domtrans_pattern($1,unconfined_exec_t,unconfined_t) ++') ++ ++######################################## ++## ++## Execute specified programs in the unconfined domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to allow the unconfined domain. ++## ++## ++# ++interface(`unconfined_run',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ unconfined_domtrans($1) ++ role $2 types unconfined_t; ++') ++ ++######################################## ++## ++## Transition to the unconfined domain by executing a shell. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_shell_domtrans',` ++ gen_require(` ++ attribute unconfined_login_domain; ++ ') ++ typeattribute $1 unconfined_login_domain; ++') ++ ++######################################## ++## ++## Allow unconfined to execute the specified program in ++## the specified domain. ++## ++## ++##

    ++## Allow unconfined to execute the specified program in ++## the specified domain. ++##

    ++##

    ++## This is a interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

    ++##
    ++## ++## ++## Domain to execute in. ++## ++## ++## ++## ++## Domain entry point file. ++## ++## ++# ++interface(`unconfined_domtrans_to',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ domtrans_pattern(unconfined_t,$2,$1) ++') ++ ++######################################## ++## ++## Allow unconfined to execute the specified program in ++## the specified domain. Allow the specified domain the ++## unconfined role and use of unconfined user terminals. ++## ++## ++##

    ++## Allow unconfined to execute the specified program in ++## the specified domain. Allow the specified domain the ++## unconfined role and use of unconfined user terminals. ++##

    ++##

    ++## This is a interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

    ++##
    ++## ++## ++## Domain to execute in. ++## ++## ++## ++## ++## Domain entry point file. ++## ++## ++# ++interface(`unconfined_run_to',` ++ gen_require(` ++ type unconfined_t; ++ role unconfined_r; ++ ') ++ ++ domtrans_pattern(unconfined_t,$2,$1) ++ role unconfined_r types $1; ++ userdom_use_user_terminals($1) ++') ++ ++######################################## ++## ++## Inherit file descriptors from the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_use_fds',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:fd use; ++') ++ ++######################################## ++## ++## Send a SIGCHLD signal to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_sigchld',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process sigchld; ++') ++ ++######################################## ++## ++## Send a SIGNULL signal to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_signull',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process signull; ++') ++ ++######################################## ++## ++## Send generic signals to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_signal',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process signal; ++') ++ ++######################################## ++## ++## Read unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_read_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:fifo_file read_fifo_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_dontaudit_read_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:fifo_file read; ++') ++ ++######################################## ++## ++## Read and write unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_rw_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unconfined domain unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:fifo_file rw_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unconfined domain stream. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_stream',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## Connect to the unconfined domain using ++## a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_stream_connect',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## unconfined domain tcp sockets. ++## ++## ++##

    ++## Do not audit attempts to read or write ++## unconfined domain tcp sockets. ++##

    ++##

    ++## This interface was added due to a broken ++## symptom in ldconfig. ++##

    ++##
    ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_tcp_sockets',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:tcp_socket { read write }; ++') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## unconfined domain packet sockets. ++## ++## ++##

    ++## Do not audit attempts to read or write ++## unconfined domain packet sockets. ++##

    ++##

    ++## This interface was added due to a broken ++## symptom. ++##

    ++##
    ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_packet_sockets',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:packet_socket { read write }; ++') ++ ++######################################## ++## ++## Create keys for the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_create_keys',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:key create; ++') ++ ++######################################## ++## ++## Write keys for the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_write_keys',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:key write; ++') ++ ++######################################## ++## ++## Send messages to the unconfined domain over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dbus_send',` ++ gen_require(` ++ type unconfined_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 unconfined_t:dbus send_msg; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## unconfined_t over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dbus_chat',` ++ gen_require(` ++ type unconfined_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 unconfined_t:dbus send_msg; ++ allow unconfined_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Connect to the the unconfined DBUS ++## for service (acquire_svc). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dbus_connect',` ++ gen_require(` ++ type unconfined_t; ++ class dbus acquire_svc; ++ ') ++ ++ allow $1 unconfined_t:dbus acquire_svc; ++') ++ ++######################################## ++## ++## Allow ptrace of unconfined domain ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_ptrace',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process ptrace; ++') ++ ++######################################## ++## ++## Read and write to unconfined shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`unconfined_rw_shm',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:shm rw_shm_perms; ++') ++ ++######################################## ++## ++## Allow apps to set rlimits on userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_set_rlimitnh',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process rlimitinh; ++') ++ ++######################################## ++## ++## Get the process group of unconfined. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_getpgid',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process getpgid; ++') ++ ++######################################## ++## ++## Change to the unconfined role. ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`unconfined_role_change',` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ allow $1 unconfined_r; ++') ++ ++######################################## ++## ++## Allow domain to attach to TUN devices created by unconfined_t users. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_attach_tun_iface',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ++') ++ +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +new file mode 100644 +index 0000000..539c163 +--- /dev/null ++++ b/policy/modules/roles/unconfineduser.te +@@ -0,0 +1,328 @@ ++policy_module(unconfineduser, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++attribute unconfined_login_domain; ++ ++## ++##
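Review bot: `unconfined_dontaudit_rw_pipes` uses `rw_file_perms` on the fifo_file class while its counterpart `unconfined_rw_pipes` a few lines above uses `rw_fifo_file_perms`; the dontaudit should read `dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;` so the two cover the same permission set. The doc of `unconfined_shell_domtrans` says it transitions to the unconfined domain, but the body only adds `$1` to `unconfined_login_domain`; the actual `corecmd_shell_domtrans` lives in unconfineduser.te under `tunable_policy(`unconfined_login'`, so the summary should state that the transition only happens when that tunable is on. `unconfined_set_rlimitnh` looks like a typo for `rlimitinh`, the permission it grants; if no caller depends on the name yet, rename it now rather than freeze the typo into the interface. Minor doc fixes: `Unconfiend user role` → `Unconfined user role`, `Connect to the the unconfined DBUS` → `Connect to the unconfined DBUS`.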

    ++## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox ++##

    ++##
    ++gen_tunable(unconfined_chrome_sandbox_transition, false) ++ ++## ++##

    ++## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. ++##

    ++##
    ++gen_tunable(unconfined_mozilla_plugin_transition, false) ++ ++## ++##

    ++## Allow a user to login as an unconfined domain ++##

    ++##
    ++gen_tunable(unconfined_login, true) ++ ++# usage in this module of types created by these ++# calls is not correct, however we dont currently ++# have another method to add access to these types ++userdom_base_user_template(unconfined) ++userdom_manage_home_role(unconfined_r, unconfined_t) ++userdom_manage_tmp_role(unconfined_r, unconfined_t) ++userdom_manage_tmpfs_role(unconfined_r, unconfined_t) ++userdom_unpriv_type(unconfined_t) ++ ++type unconfined_exec_t; ++init_system_domain(unconfined_t, unconfined_exec_t) ++role unconfined_r types unconfined_t; ++role_transition system_r unconfined_exec_t unconfined_r; ++allow system_r unconfined_r; ++ ++domain_user_exemption_target(unconfined_t) ++allow system_r unconfined_r; ++allow unconfined_r system_r; ++init_script_role_transition(unconfined_r) ++role system_r types unconfined_t; ++typealias unconfined_t alias unconfined_crontab_t; ++ ++######################################## ++# ++# Local policy ++# ++ ++dontaudit unconfined_t self:dir write; ++dontaudit unconfined_t self:file setattr; ++ ++allow unconfined_t self:system syslog_read; ++dontaudit unconfined_t self:capability sys_module; ++ ++kernel_rw_unlabeled_socket(unconfined_t) ++kernel_rw_unlabeled_rawip_socket(unconfined_t) ++ ++files_create_boot_flag(unconfined_t) ++files_create_default_dir(unconfined_t) ++files_root_filetrans_default(unconfined_t, dir) ++ ++init_run_daemon(unconfined_t, unconfined_r) ++init_domtrans_script(unconfined_t) ++init_telinit(unconfined_t) ++ ++logging_send_syslog_msg(unconfined_t) ++ ++systemd_config_all_services(unconfined_t) ++ ++unconfined_domain_noaudit(unconfined_t) ++domain_named_filetrans(unconfined_t) ++domain_transition_all(unconfined_t) ++ ++usermanage_run_passwd(unconfined_t, unconfined_r) ++ ++tunable_policy(`deny_execmem',`',` ++ allow unconfined_t self:process execmem; ++') ++ ++tunable_policy(`selinuxuser_execstack',` ++ allow unconfined_t self:process execstack; ++') ++ ++tunable_policy(`selinuxuser_execmod',` 
++ userdom_execmod_user_home_files(unconfined_t) ++') ++ ++tunable_policy(`unconfined_login',` ++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) ++ allow unconfined_t unconfined_login_domain:fd use; ++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; ++ allow unconfined_t unconfined_login_domain:process sigchld; ++') ++ ++optional_policy(` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ optional_policy(` ++ abrt_dbus_chat(unconfined_t) ++ abrt_run_helper(unconfined_t, unconfined_r) ++ ') ++ ++ optional_policy(` ++ avahi_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ blueman_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ certmonger_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat(unconfined_t) ++ devicekit_dbus_chat_disk(unconfined_t) ++ devicekit_dbus_chat_power(unconfined_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ rtkit_scheduled(unconfined_t) ++ ') ++ ++ # Might remove later if this proves to be problematic, but would like to gather AVCs ++ optional_policy(` ++ thumb_role(unconfined_r, unconfined_t) ++ ') ++ ++ optional_policy(` ++ setroubleshoot_dbus_chat(unconfined_t) ++ setroubleshoot_dbus_chat_fixit(unconfined_t) ++ ') ++ ++ optional_policy(` ++ sandbox_transition(unconfined_t, unconfined_r) ++ ') ++ ++ optional_policy(` ++ sandbox_x_transition(unconfined_t, unconfined_r) ++ ') ++ ++ optional_policy(` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ xserver_rw_session(unconfined_t, user_tmpfs_t) ++ xserver_dbus_chat_xdm(unconfined_t) ++ ') ++') ++ ++ifdef(`distro_gentoo',` ++ seutil_run_runinit(unconfined_t, unconfined_r) ++ seutil_init_script_run_runinit(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ accountsd_dbus_chat(unconfined_t) ++') ++ ++optional_policy(` ++ chrome_role_notrans(unconfined_r, unconfined_t) ++ ++ 
tunable_policy(`unconfined_chrome_sandbox_transition',` ++ chrome_domtrans_sandbox(unconfined_t) ++ ') ++') ++ ++optional_policy(` ++ dbus_role_template(unconfined, unconfined_r, unconfined_t) ++ role system_r types unconfined_dbusd_t; ++ ++ optional_policy(` ++ unconfined_domain(unconfined_dbusd_t) ++ ++ optional_policy(` ++ xserver_rw_shm(unconfined_dbusd_t) ++ ') ++ ') ++ ++ init_dbus_chat(unconfined_t) ++ init_dbus_chat_script(unconfined_t) ++ ++ dbus_stub(unconfined_t) ++ ++ optional_policy(` ++ bluetooth_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ cups_dbus_chat_config(unconfined_t) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ systemd_dbus_chat_timedated(unconfined_t) ++ gnome_dbus_chat_gconfdefault(unconfined_t) ++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) ++ ') ++ ++ optional_policy(` ++ ipsec_mgmt_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ kerneloops_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) ++ ') ++ ++ optional_policy(` ++ oddjob_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ vpn_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ firewalld_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ firewallgui_dbus_chat(unconfined_t) ++ ') ++') ++ ++optional_policy(` ++ firstboot_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ fsadm_manage_pid(unconfined_t) ++') ++ ++optional_policy(` ++ gpsd_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ java_run_unconfined(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ livecd_run(unconfined_t, unconfined_r) ++') ++ ++#optional_policy(` ++# mock_role(unconfined_r, unconfined_t) ++#') ++ ++optional_policy(` ++ mozilla_role_plugin(unconfined_r) ++ ++ tunable_policy(`unconfined_mozilla_plugin_transition', ` ++ 
mozilla_domtrans_plugin(unconfined_t) ++ ') ++') ++ ++optional_policy(` ++ oddjob_run_mkhomedir(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ rpm_run(unconfined_t, unconfined_r) ++ # Allow SELinux aware applications to request rpm_script execution ++ rpm_transition_script(unconfined_t) ++ rpm_dbus_chat(unconfined_t) ++') ++ ++optional_policy(` ++ optional_policy(` ++ samba_run_unconfined_net(unconfined_t, unconfined_r) ++ ') ++ ++ samba_role_notrans(unconfined_r) ++ samba_run_smbcontrol(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ sysnet_run_dhcpc(unconfined_t, unconfined_r) ++ sysnet_dbus_chat_dhcpc(unconfined_t) ++ sysnet_role_transition_dhcpc(unconfined_r) ++') ++ ++optional_policy(` ++ openshift_run(unconfined_usertype, unconfined_r) ++') ++ ++optional_policy(` ++ virt_transition_svirt(unconfined_t, unconfined_r) ++ virt_transition_svirt_sandbox(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ xserver_run(unconfined_t, unconfined_r) ++ xserver_manage_home_fonts(unconfined_t) ++') ++ ++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if +index 3835596..fbca2be 100644 +--- a/policy/modules/roles/unprivuser.if ++++ b/policy/modules/roles/unprivuser.if +@@ -1,4 +1,4 @@ +-## Generic unprivileged user role ++## Generic unprivileged user + + ######################################## + ## +diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te +index cdfddf4..ad1f001 100644 +--- a/policy/modules/roles/unprivuser.te ++++ b/policy/modules/roles/unprivuser.te +@@ -1,5 +1,12 @@ + policy_module(unprivuser, 2.3.1) + ++## ++##

    ++## Allow unprivledged user to create and transition to svirt domains. ++##

    ++##
    ++gen_tunable(unprivuser_use_svirt, false) ++ + # this module should be named user, but that is + # a compile error since user is a keyword. + +@@ -12,12 +19,100 @@ role user_r; + + userdom_unpriv_user_template(user) + ++kernel_read_numa_state(user_t) ++kernel_write_numa_state(user_t) ++ ++fs_exec_noxattr(user_t) ++fs_read_hugetlbfs_files(user_t) ++ ++storage_read_scsi_generic(user_t) ++storage_write_scsi_generic(user_t) ++ ++init_dbus_chat(user_t) ++init_status(user_t) ++ ++tunable_policy(`selinuxuser_execmod',` ++ userdom_execmod_user_home_files(user_t) ++') ++ ++optional_policy(` ++ abrt_read_cache(user_t) ++') ++ + optional_policy(` + apache_role(user_r, user_t) + ') + + optional_policy(` +- git_role(user_r, user_t) ++ blueman_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ bluetooth_role(user_r, user_t) ++') ++ ++optional_policy(` ++ colord_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ chrome_role(user_r, user_t) ++') ++ ++optional_policy(` ++ gnome_role(user_r, user_t) ++') ++ ++optional_policy(` ++ journalctl_role(user_r, user_t) ++') ++ ++optional_policy(` ++ irc_role(user_r, user_t) ++') ++ ++optional_policy(` ++ oident_manage_user_content(user_t) ++ oident_relabel_user_content(user_t) ++') ++ ++optional_policy(` ++ mozilla_run_plugin(user_t, user_r) ++') ++ ++optional_policy(` ++ mta_role(user_r, user_t) ++') ++ ++optional_policy(` ++ netutils_run_ping_cond(user_t, user_r) ++ netutils_run_traceroute_cond(user_t, user_r) ++') ++ ++optional_policy(` ++ polipo_role(user_r, user_t) ++ polipo_named_filetrans_cache_home_dirs(user_t) ++ polipo_named_filetrans_config_home_files(user_t) ++') ++ ++optional_policy(` ++ rpm_dontaudit_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ rtkit_scheduled(user_t) ++') ++ ++optional_policy(` ++ sandbox_transition(user_t, user_r) ++') ++ ++optional_policy(` ++ sandbox_x_transition(user_t, user_r) ++') ++ ++optional_policy(` ++ ssh_role_template(user, user_r, user_t) + ') + + optional_policy(` +@@ -25,6 +120,18 @@ 
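Review bot: `storage_read_scsi_generic(user_t)` and `storage_write_scsi_generic(user_t)` hand the generic unprivileged user domain read/write access to SCSI generic device nodes unconditionally, in the same hunk that correctly puts `userdom_execmod_user_home_files(user_t)` behind the `selinuxuser_execmod` boolean. Raw sg access carries arbitrary SCSI commands to whatever the kernel maps to the node, and `fs_exec_noxattr(user_t)` likewise lets user_t execute from filesystems without label support; both are the kind of grant that is normally off by default and opt-in. I would wrap the two storage lines in a `tunable_policy(` block of their own, defaulting to false, with a description like the one added for unprivuser_use_svirt, or add a comment stating why they must be unconditional. DAC on the device nodes still applies, but the policy should not lean on that alone.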
optional_policy(` + ') + + optional_policy(` ++ setroubleshoot_dontaudit_stream_connect(user_t) ++') ++ ++#optional_policy(` ++# telepathy_dbus_session_role(user_r, user_t) ++#') ++ ++optional_policy(` ++ usbmuxd_stream_connect(user_t) ++') ++ ++optional_policy(` + vlock_run(user_t, user_r) + ') + +@@ -102,10 +209,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(user_r, user_t) +- ') +- +- optional_policy(` + postgresql_role(user_r, user_t) + ') + +@@ -128,7 +231,6 @@ ifndef(`distro_redhat',` + optional_policy(` + ssh_role_template(user, user_r, user_t) + ') +- + optional_policy(` + su_role_template(user, user_r, user_t) + ') +@@ -161,3 +263,15 @@ ifndef(`distro_redhat',` + wireshark_role(user_r, user_t) + ') + ') ++ ++ ++optional_policy(` ++ virt_transition_svirt(user_t, user_r) ++ virt_filetrans_home_content(user_t) ++') ++ ++optional_policy(` ++ tunable_policy(`unprivuser_use_svirt',` ++ virt_manage_images(user_t) ++ ') ++') +diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc +index a26f84f..947af6c 100644 +--- a/policy/modules/services/postgresql.fc ++++ b/policy/modules/services/postgresql.fc +@@ -10,6 +10,7 @@ + # + /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) + + /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) +@@ -28,9 +29,10 @@ ifdef(`distro_redhat', ` + # + /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + +-/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) ++/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /var/lib/pgsql/logfile(/.*)? 
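Review bot: The `unprivuser_use_svirt` boolean only gates `virt_manage_images(user_t)`, while `virt_transition_svirt(user_t, user_r)` and `virt_filetrans_home_content(user_t)` in the same hunk are unconditional, so the description added at the top of this file ("create and transition to svirt domains") no longer matches what the boolean controls. Either move `virt_transition_svirt(user_t, user_r)` inside the `tunable_policy(`unprivuser_use_svirt',` block, or reword the description to `## Allow unprivileged user to manage svirt image files.` so that turning the boolean off is not mistaken for blocking the transition. The description also misspells "unprivledged".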
gen_context(system_u:object_r:postgresql_log_t,s0)
+-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+ 
+ /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
+@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
+ 
+ /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+ 
+-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
++#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
+index 9d2f311..9e87525 100644
+--- a/policy/modules/services/postgresql.if
++++ b/policy/modules/services/postgresql.if
+@@ -10,90 +10,21 @@
+ ##
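Review bot: The new `/var/lib/pgsql/.*\.log` entry has no file-type qualifier and its `.*` crosses directory separators, so any directory or file ending in `.log` at any depth below /var/lib/pgsql, including inside the data directory, is likely to be labeled postgresql_log_t rather than postgresql_db_t; the adjacent `/var/lib/sepgsql/pgstartup\.log --` entry keeps the `--` qualifier, and `/var/lib/pgsql/data/pg_log(/.*)?` already covers the server log directory. Unless relabeling logs at arbitrary depth is intended, restrict it to regular files directly under the directory: `/var/lib/pgsql/[^/]*\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)`.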
    + ## + ## +-## ++## + ## The type of the user domain. + ## + ## + # + interface(`postgresql_role',` + gen_require(` +- class db_database all_db_database_perms; +- class db_schema all_db_schema_perms; +- class db_table all_db_table_perms; +- class db_sequence all_db_sequence_perms; +- class db_view all_db_view_perms; +- class db_procedure all_db_procedure_perms; +- class db_language all_db_language_perms; +- class db_column all_db_column_perms; +- class db_tuple all_db_tuple_perms; +- class db_blob all_db_blob_perms; +- +- attribute sepgsql_client_type, sepgsql_database_type; +- attribute sepgsql_schema_type, sepgsql_sysobj_table_type; +- +- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; +- type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; +- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; +- type user_sepgsql_schema_t, user_sepgsql_seq_t; +- type user_sepgsql_sysobj_t, user_sepgsql_table_t; +- type user_sepgsql_view_t; +- type sepgsql_temp_object_t; ++ attribute sepgsql_client_type; ++ type sepgsql_trusted_proc_t; ++ type sepgsql_ranged_proc_t; + ') + +- ######################################## +- # +- # Declarations +- # +- + typeattribute $2 sepgsql_client_type; + role $1 types sepgsql_trusted_proc_t; + role $1 types sepgsql_ranged_proc_t; +- +- ############################## +- # +- # Client local policy +- # +- +- tunable_policy(`sepgsql_enable_users_ddl',` +- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; +- allow $2 user_sepgsql_table_t:db_table { create drop setattr }; +- allow $2 user_sepgsql_table_t:db_column { create drop setattr }; +- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; +- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; +- allow $2 user_sepgsql_view_t:db_view { create drop setattr }; +- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +- ') +- +- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; +- 
type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; +- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; +- +- allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; +- allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; +- allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; +- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; +- +- allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; +- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; +- +- allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; +- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; +- +- allow $2 user_sepgsql_view_t:db_view { getattr expand }; +- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; +- +- allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; +- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; +- +- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; +- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; +- +- allow $2 sepgsql_ranged_proc_t:process transition; +- type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; +- allow sepgsql_ranged_proc_t $2:process dyntransition; +- +- allow $2 sepgsql_trusted_proc_t:process transition; +- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + ') + + ######################################## +@@ -312,7 +243,7 @@ interface(`postgresql_search_db',` + type postgresql_db_t; + ') + +- allow $1 postgresql_db_t:dir search; ++ allow $1 postgresql_db_t:dir search_dir_perms; + ') + + ######################################## +@@ -324,14 +255,16 @@ interface(`postgresql_search_db',` + ## Domain allowed access. 
+ ## + ## ++# + interface(`postgresql_manage_db',` + gen_require(` + type postgresql_db_t; + ') + +- allow $1 postgresql_db_t:dir rw_dir_perms; +- allow $1 postgresql_db_t:file rw_file_perms; +- allow $1 postgresql_db_t:lnk_file { getattr read }; ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t) ++ manage_files_pattern($1, postgresql_db_t, postgresql_db_t) ++ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t) + ') + + ######################################## +@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',` + + ###################################### + ## ++## Execute Postgresql in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postgresql_exec',` ++ gen_require(` ++ type postgresql_exec_t; ++ ') ++ ++ can_exec($1, postgresql_exec_t) ++') ++ ++###################################### ++## + ## Allow domain to signal postgresql + ## + ## +@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',` + ## Domain allowed access. + ##
    + ## +-## + # + interface(`postgresql_stream_connect',` + gen_require(` +@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',` + + files_search_pids($1) + files_search_tmp($1) ++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) + ') + + ######################################## +@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',` + # + interface(`postgresql_unpriv_client',` + gen_require(` +- class db_database all_db_database_perms; +- class db_schema all_db_schema_perms; +- class db_table all_db_table_perms; +- class db_sequence all_db_sequence_perms; +- class db_view all_db_view_perms; +- class db_procedure all_db_procedure_perms; +- class db_language all_db_language_perms; +- class db_column all_db_column_perms; +- class db_tuple all_db_tuple_perms; +- class db_blob all_db_blob_perms; +- + attribute sepgsql_client_type; +- attribute sepgsql_database_type, sepgsql_schema_type; +- attribute sepgsql_sysobj_table_type; +- +- type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t; +- type sepgsql_temp_object_t; +- type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; +- type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; +- type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; +- type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; +- type unpriv_sepgsql_view_t; + ') + +- ######################################## +- # +- # Declarations +- # +- + typeattribute $1 sepgsql_client_type; +- +- ######################################## +- # +- # Client local policy +- # +- +- type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; +- allow $1 sepgsql_ranged_proc_t:process transition; +- allow sepgsql_ranged_proc_t $1:process dyntransition; +- +- type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; +- allow $1 sepgsql_trusted_proc_t:process transition; +- +- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr 
read write import export }; +- type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; +- +- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; +- type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; +- +- allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; +- type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; +- type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; +- +- allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; +- allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; +- allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; +- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; +- +- allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; +- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; +- +- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; +- type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; +- +- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; +- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; +- +- +- tunable_policy(`sepgsql_enable_users_ddl',` +- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; +- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; +- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; +- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; +- allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; +- allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; +- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +- ') + ') + + ######################################## +@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',` + + ######################################## + ## 
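Review bot: After this hunk `postgresql_unpriv_client` does exactly what the client half of `postgresql_role` does, add the caller to `sepgsql_client_type`, so the separate unpriv_sepgsql_* object types and the narrower permission set that distinguished unprivileged clients are gone from the interface; any domain using it now receives the user_sepgsql_* rules that postgresql.te attaches to the attribute later in this patch. If that is intended, the interface summary above the hunk should say so, e.g. `## Mark the domain as an ordinary sepgsql client (same access as postgresql_role clients).`. The unpriv_sepgsql_* type declarations should then be removed from postgresql.te if nothing else references them, which I cannot verify from this patch.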
++## Transition to postgresql named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postgresql_filetrans_named_content',` ++ gen_require(` ++ type postgresql_db_t; ++ type postgresql_log_t; ++ ') ++ ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql") ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres") ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql") ++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile") ++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log") ++') ++ ++######################################## ++## + ## All of the rules required to administrate an postgresql environment + ## + ## +@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',` + # + interface(`postgresql_admin',` + gen_require(` +- attribute sepgsql_admin_type; +- attribute sepgsql_client_type; +- +- type postgresql_t, postgresql_var_run_t; +- type postgresql_tmp_t, postgresql_db_t; +- type postgresql_etc_t, postgresql_log_t; +- type postgresql_initrc_exec_t; ++ attribute sepgsql_admin_type, sepgsql_client_type; ++ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; ++ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; ++ type postgresql_etc_t; + ') + + typeattribute $1 sepgsql_admin_type; + +- allow $1 postgresql_t:process { ptrace signal_perms }; ++ allow $1 postgresql_t:process signal_perms; + ps_process_pattern($1, postgresql_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postgresql_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, postgresql_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + ++ files_list_pids($1) + admin_pattern($1, postgresql_var_run_t) + ++ files_list_var_lib($1) + admin_pattern($1, postgresql_db_t) + ++ files_list_etc($1) + admin_pattern($1, postgresql_etc_t) + ++ logging_list_logs($1) + admin_pattern($1, postgresql_log_t) + ++ 
files_list_tmp($1) + admin_pattern($1, postgresql_tmp_t) + + postgresql_tcp_connect($1) + postgresql_stream_connect($1) ++ postgresql_filetrans_named_content($1) + ') +diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te +index 346d011..3e23acb 100644 +--- a/policy/modules/services/postgresql.te ++++ b/policy/modules/services/postgresql.te +@@ -19,25 +19,32 @@ gen_require(` + # + + ## +-##

    +-## Allow unprived users to execute DDL statement +-##

    ++##

    ++## Allow postgresql to use ssh and rsync for point-in-time recovery ++##

    ++##
    ++gen_tunable(postgresql_can_rsync, false) ++ ++## ++##

    ++## Allow unprivileged users to execute DDL statement ++##

    + ##
    +-gen_tunable(sepgsql_enable_users_ddl, false) ++gen_tunable(postgresql_selinux_users_ddl, true) + + ## + ##

    + ## Allow transmit client label to foreign database + ##

    + ##
    +-gen_tunable(sepgsql_transmit_client_label, false) ++gen_tunable(postgresql_selinux_transmit_client_label, false) + + ## + ##

    + ## Allow database admins to execute DML statement + ##

    + ##
    +-gen_tunable(sepgsql_unconfined_dbadm, false) ++gen_tunable(postgresql_selinux_unconfined_dbadm, true) + + type postgresql_t; + type postgresql_exec_t; +@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; + allow postgresql_t self:unix_dgram_socket create_socket_perms; + allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow postgresql_t self:netlink_selinux_socket create_socket_perms; +-tunable_policy(`sepgsql_transmit_client_label',` ++ ++tunable_policy(`postgresql_selinux_transmit_client_label',` + allow postgresql_t self:process { setsockcreate }; + ') + +@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) ++postgresql_filetrans_named_content(postgresql_t) + + allow postgresql_t postgresql_etc_t:dir list_dir_perms; + read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + +-allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; ++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; + can_exec(postgresql_t, postgresql_exec_t ) + + allow postgresql_t postgresql_lock_t:file manage_file_perms; + files_lock_filetrans(postgresql_t, postgresql_lock_t, file) + ++manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) + manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) + logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) + +@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t) + kernel_read_all_sysctls(postgresql_t) + kernel_read_proc_symlinks(postgresql_t) + 
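Review bot: Both renamed booleans change their default from false to true in this hunk: `postgresql_selinux_users_ddl` now permits client DDL out of the box, and `postgresql_selinux_unconfined_dbadm` enables the `allow sepgsql_admin_type ... *` rules further down by default, the opposite of the previous sepgsql_unconfined_dbadm posture. Nothing in the patch explains the flip, and because the old names are dropped rather than aliased, a deployment that had explicitly set sepgsql_unconfined_dbadm=false silently ends up with the unconfined admin rules enabled after upgrade. I would keep `gen_tunable(postgresql_selinux_unconfined_dbadm, false)` unless there is a documented reason, and add a comment above each gen_tunable noting the former name and that the default changed.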
+-corenet_all_recvfrom_unlabeled(postgresql_t) + corenet_all_recvfrom_netlabel(postgresql_t) + corenet_tcp_sendrecv_generic_if(postgresql_t) + corenet_udp_sendrecv_generic_if(postgresql_t) +@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) + domain_use_interactive_fds(postgresql_t) + + files_dontaudit_search_home(postgresql_t) +-files_manage_etc_files(postgresql_t) +-files_search_etc(postgresql_t) ++files_read_etc_files(postgresql_t) + files_read_etc_runtime_files(postgresql_t) + files_read_usr_files(postgresql_t) + +@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) + logging_send_syslog_msg(postgresql_t) + logging_send_audit_msgs(postgresql_t) + +-miscfiles_read_localization(postgresql_t) + + seutil_libselinux_linked(postgresql_t) + seutil_read_default_contexts(postgresql_t) +@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t) + userdom_dontaudit_use_user_terminals(postgresql_t) + + optional_policy(` ++ ccs_read_config(postgresql_t) ++') ++ ++optional_policy(` + mta_getattr_spool(postgresql_t) + ') + +-tunable_policy(`allow_execmem',` ++optional_policy(` ++ rhcs_manage_cluster_pid_files(postgresql_t) ++') ++ ++tunable_policy(`deny_execmem',`',` + allow postgresql_t self:process execmem; + ') + +@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin + # It is always allowed to operate temporary objects for any database client. + allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; + +-# Note that permission of creation/deletion are eventually controlled by +-# create or drop permission of individual objects within shared schemas. +-# So, it just allows to create/drop user specific types. 
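Review bot: `tunable_policy(`deny_execmem',`',` ... allow postgresql_t self:process execmem;` inverts the previous `allow_execmem` gate, so postgresql_t now gets execmem unless an administrator turns deny_execmem on, whereas before it was denied unless allow_execmem was set. That is a quiet loosening of W^X for a network-facing daemon, and the hunk does not say what in the server needs writable-executable memory; I would add a comment on the line naming the component or AVC that motivates it, e.g. `# execmem: needed by ... (reference)`, or keep it behind an opt-in boolean if only optional extensions need it. The `ccs_read_config(postgresql_t)` and `rhcs_manage_cluster_pid_files(postgresql_t)` additions would likewise benefit from a one-line note that they serve clustered deployments.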
+-tunable_policy(`sepgsql_enable_users_ddl',` ++############################## ++# ++# Client local policy ++# ++allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; ++type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t; ++type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; ++ ++allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock }; ++allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert }; ++allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t; ++ ++allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select }; ++type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; ++ ++allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t; ++ ++allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t; ++ ++allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; ++ ++allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; ++type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t; ++ ++allow sepgsql_client_type sepgsql_ranged_proc_t:process transition; ++type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; ++allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition; ++ ++allow sepgsql_client_type 
sepgsql_trusted_proc_t:process transition; ++type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ ++tunable_policy(`postgresql_selinux_users_ddl',` ++ allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; ++ allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ++ # Note that permission of creation/deletion are eventually controlled by ++ # create or drop permission of individual objects within shared schemas. ++ # So, it just allows to create/drop user specific types. 
+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; + ') + +@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; + + kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) + +-tunable_policy(`sepgsql_unconfined_dbadm',` ++tunable_policy(`postgresql_selinux_unconfined_dbadm',` + allow sepgsql_admin_type sepgsql_database_type:db_database *; + + allow sepgsql_admin_type sepgsql_schema_type:db_schema *; +@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; + allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; + + kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) ++ ++optional_policy(` ++ tunable_policy(`postgresql_can_rsync',` ++ rsync_exec(postgresql_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`postgresql_can_rsync',` ++ ssh_exec(postgresql_t) ++ ssh_read_user_home_files(postgresql_t) ++ corenet_tcp_connect_ssh_port(postgresql_t) ++ ') ++') +diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc +index 76d9f66..5c271ce 100644 +--- a/policy/modules/services/ssh.fc ++++ b/policy/modules/services/ssh.fc +@@ -1,16 +1,41 @@ + HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) ++HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + +-/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) +-/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) ++/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/one/\.ssh(/.*)? 
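Review bot: Under `postgresql_can_rsync`, `ssh_read_user_home_files(postgresql_t)` grants the server read access to ssh_home_t, which after the ssh.fc changes in this same patch covers every user's ~/.ssh and /root/.ssh, private keys included, not only the postgres account's `/var/lib/pgsql/.ssh` that the boolean is presumably meant to enable. The boolean's description says only "use ssh and rsync for point-in-time recovery", so an administrator has no hint that turning it on exposes all users' keys to postgresql_t. At minimum extend the description, e.g. `## Allow postgresql to use ssh and rsync for point-in-time recovery (grants read access to all ssh_home_t content, including users' private keys).`; a narrower interface limited to the server's own home directory would be better if one exists.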
gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++ ++/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) ++ ++/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) ++/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) ++/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0) + + /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) + /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) + /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) + + /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) ++/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) ++/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0) + ++/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) + /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) + + /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) ++/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) ++/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) + + /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) ++/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) ++ ++/root/\.ssh(/.*)? 
gen_context(system_u:object_r:ssh_home_t,s0) ++/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) +diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if +index fe0c682..c0413e8 100644 +--- a/policy/modules/services/ssh.if ++++ b/policy/modules/services/ssh.if +@@ -32,10 +32,11 @@ + ## + # + template(`ssh_basic_client_template',` +- + gen_require(` + attribute ssh_server; + type ssh_exec_t, sshd_key_t, sshd_tmp_t; ++ type ssh_keysign_exec_t, ssh_keysign_t; ++ type ssh_home_t; + ') + + ############################## +@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` + application_domain($1_ssh_t, ssh_exec_t) + role $3 types $1_ssh_t; + +- type $1_ssh_home_t; +- files_type($1_ssh_home_t) +- typealias $1_ssh_home_t alias $1_home_ssh_t; +- + ############################## + # + # Client local policy +@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` + # or "regular" (not special like sshd_extern_t) servers + allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; + ++ # derived domain can execute ssh-keysign ++ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ++ role $3 types ssh_keysign_t; ++ + # allow ps to show ssh + ps_process_pattern($2, $1_ssh_t) + + # user can manage the keys and config +- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) +- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) +- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) ++ manage_files_pattern($2, ssh_home_t, ssh_home_t) ++ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) ++ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) + + # ssh client can manage the keys and config +- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) +- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) ++ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) ++ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) + + # ssh servers can read the user keys and config +- allow ssh_server 
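Review bot: `/etc/ssh/ssh_host.*_key\.pub` is given sshd_key_t, the same type as the private host keys, so any domain that only needs the public host keys must be granted read on sshd_key_t and thereby on the private keys as well; if such readers exist, a separate type, or at least a comment recording the decision, is warranted. The per-application `/var/lib/amanda`, `gitolite`, `gitolite3`, `nocpulse`, `one` and `pgsql` `\.ssh` entries are already matched by the generic `/var/lib/[^/]+/\.ssh(/.*)?` line added just above them and can be dropped, leaving only the `openshift/[^/]+`, `openshift/gear/[^/]+` and `stickshift/[^/]+` entries that sit one level deeper.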
$1_ssh_home_t:dir list_dir_perms; +- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) +- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) ++ allow ssh_server ssh_home_t:dir list_dir_perms; ++ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) ++ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) + + kernel_read_kernel_sysctls($1_ssh_t) + kernel_read_system_state($1_ssh_t) + +- corenet_all_recvfrom_unlabeled($1_ssh_t) + corenet_all_recvfrom_netlabel($1_ssh_t) + corenet_tcp_sendrecv_generic_if($1_ssh_t) + corenet_tcp_sendrecv_generic_node($1_ssh_t) + corenet_tcp_sendrecv_all_ports($1_ssh_t) + corenet_tcp_connect_ssh_port($1_ssh_t) + corenet_sendrecv_ssh_client_packets($1_ssh_t) ++ corenet_tcp_bind_generic_node($1_ssh_t) ++ corenet_tcp_bind_all_unreserved_ports($1_ssh_t) + + dev_read_urand($1_ssh_t) + +@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',` + logging_send_syslog_msg($1_ssh_t) + logging_read_generic_logs($1_ssh_t) + +- miscfiles_read_localization($1_ssh_t) + + seutil_read_config($1_ssh_t) + +@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',` + ') + ') + ++###################################### ++## ++## The template to define a domain to which sshd dyntransition. ++## ++## ++## ++## The prefix of the dyntransition domain ++## ++## ++# ++template(`ssh_dyntransition_domain_template',` ++ gen_require(` ++ attribute ssh_dyntransition_domain; ++ ') ++ ++ type $1, ssh_dyntransition_domain; ++ domain_type($1) ++ role system_r types $1; ++ ++ optional_policy(` ++ ssh_dyntransition_to($1) ++ ') ++') + ####################################### + ## + ## The template to define a ssh server. 
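Review bot: Replacing the per-prefix `$1_ssh_home_t` with the shared `ssh_home_t` means `manage_files_pattern($2, ssh_home_t, ssh_home_t)` now lets each user domain built from this template manage the ssh keys and config of every other user in type-enforcement terms; only DAC keeps, say, user_t out of a staff user's ~/.ssh, where previously the distinct types did too. That trade-off should be stated next to the rule, e.g. `# ssh_home_t is shared by all users; separation between users now relies on DAC only`. The added `corenet_tcp_bind_generic_node($1_ssh_t)` and `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` also deserve a why-comment (port forwarding, presumably), since they let the client listen on any unreserved port. The template starts before this hunk.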
+@@ -168,7 +192,7 @@ template(`ssh_basic_client_template',`
+ ##
+ ##
+ #
+-template(`ssh_server_template', `
++template(`ssh_server_template',`
+ type $1_t, ssh_server;
+ auth_login_pgm_domain($1_t)
+ 
+@@ -181,16 +205,18 @@ template(`ssh_server_template', `
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+ 
+- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
++ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
++ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ # ssh agent connections:
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+ 
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+ 
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+@@ -206,6 +232,7 @@ template(`ssh_server_template', `
+ 
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_network_state($1_t)
++ kernel_request_load_module($1_t)
+ 
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+@@ -220,10 +247,13 @@ template(`ssh_server_template', `
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_node($1_t)
+ corenet_tcp_bind_ssh_port($1_t)
+- corenet_tcp_connect_all_ports($1_t)
+ 
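Review bot: The two added `allow $1_t self:process { … }` lines in ssh_server_template grant the same six permissions in a different order; keep one. The capability set also gains `sys_admin` with no comment, whereas the tun/-w lines in the next hunk are annotated with `# tunnel feature and -w (net_admin capability also)`; sys_admin is the broadest capability, so either document the operation that needs it or drop it, and likewise say why `setkeycreate` was removed. The same duplicated-line pattern recurs in the next hunk, where `corenet_sendrecv_ssh_server_packets($1_t)` is added under `# -R qualifier` directly beneath the identical context line. The template body continues outside this hunk.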
corenet_sendrecv_ssh_server_packets($1_t)
++ # -R qualifier
++ corenet_sendrecv_ssh_server_packets($1_t)
++ # tunnel feature and -w (net_admin capability also)
++ corenet_rw_tun_tap_dev($1_t)
+ 
+- fs_dontaudit_getattr_all_fs($1_t)
++ fs_getattr_all_fs($1_t)
+ 
+ auth_rw_login_records($1_t)
+ auth_rw_faillog($1_t)
+@@ -234,6 +264,7 @@ template(`ssh_server_template', `
+ corecmd_getattr_bin_files($1_t)
+ 
+ domain_interactive_fd($1_t)
++ domain_dyntrans_type($1_t)
+ 
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+@@ -241,35 +272,33 @@ template(`ssh_server_template', `
+ 
+ logging_search_logs($1_t)
+ 
+- miscfiles_read_localization($1_t)
+-
+- userdom_create_all_users_keys($1_t)
+ userdom_dontaudit_relabelfrom_user_ptys($1_t)
+- userdom_search_user_home_dirs($1_t)
++ userdom_read_user_home_content_files($1_t)
+ 
+ # Allow checking users mail at login
+ optional_policy(`
+ mta_getattr_spool($1_t)
+ ')
+ 
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files($1_t)
+- fs_read_nfs_symlinks($1_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files($1_t)
+- ')
++ userdom_home_manager($1_t)
+ 
+ optional_policy(`
+ kerberos_use($1_t)
+- kerberos_manage_host_rcache($1_t)
++ #kerberos_manage_host_rcache($1_t)
+ ')
+ 
+ optional_policy(`
+ files_read_var_lib_symlinks($1_t)
+ nx_spec_domtrans_server($1_t)
+ ')
++
++ optional_policy(`
++ rlogin_read_home_content($1_t)
++ ')
++
++ optional_policy(`
++ shutdown_getattr_exec_files($1_t)
++ ')
+ ')
+ 
+ ########################################
+@@ -292,14 +321,15 @@ template(`ssh_server_template', `
+ ## User domain for the role
+ ##
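Review bot: `userdom_search_user_home_dirs($1_t)` is replaced by `userdom_read_user_home_content_files($1_t)`, which lets every ssh_server domain read all user home content rather than only the ssh_home_t keys and config the earlier template lines already cover; if sshd only needs to reach ~/.ssh (and ~/.shosts, which ssh.fc labels ssh_home_t), keep the search-only call and rely on the ssh_home_t rules, otherwise a comment should name what else it reads. `#kerberos_manage_host_rcache($1_t)` is left commented out inside the kerberos optional_policy with no reason given; dead policy lines mislead the next reader, so either delete it or add a one-line comment saying why rcache access is no longer granted. ssh_server_template begins outside this hunk.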
+ ##
++##
+ #
+ template(`ssh_role_template',`
+ gen_require(`
+ attribute ssh_server, ssh_agent_type;
+-
+ type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
+ type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+ type ssh_agent_tmp_t;
++ type cache_home_t;
+ ')
+ 
+ ##############################
+@@ -328,103 +358,56 @@ template(`ssh_role_template',`
+ 
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+- allow $3 ssh_t:process signal;
++ allow $3 ssh_t:process signal_perms;
+ 
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+ allow ssh_t $3:unix_stream_socket connectto;
++ allow ssh_t $3:key manage_key_perms;
++ allow $3 ssh_t:key read;
+ 
+ # user can manage the keys and config
+ manage_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1_t)
++ userdom_manage_tmp_role($2, ssh_t)
+ 
+ ##############################
+ #
+ # SSH agent local policy
+ #
+ 
+- allow $1_ssh_agent_t self:process setrlimit;
+- allow $1_ssh_agent_t self:capability setgid;
+-
+ allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
+ 
+ allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ 
+- manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+- manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+- files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
+-
+ # for ssh-add
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
++ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
+ 
+ # Allow the user shell to signal the ssh program.
+- allow $3 $1_ssh_agent_t:process signal;
++ allow $3 $1_ssh_agent_t:process signal_perms;
+ 
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
+ 
+ domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
+ 
+- kernel_read_kernel_sysctls($1_ssh_agent_t)
+-
+- dev_read_urand($1_ssh_agent_t)
+- dev_read_rand($1_ssh_agent_t)
+-
+- fs_search_auto_mountpoints($1_ssh_agent_t)
++ kernel_read_system_state($1_ssh_agent_t)
+ 
+ # transition back to normal privs upon exec
+ corecmd_shell_domtrans($1_ssh_agent_t, $3)
+ corecmd_bin_domtrans($1_ssh_agent_t, $3)
+ 
+- domain_use_interactive_fds($1_ssh_agent_t)
+-
+- files_read_etc_files($1_ssh_agent_t)
+- files_read_etc_runtime_files($1_ssh_agent_t)
+- files_search_home($1_ssh_agent_t)
+-
+- libs_read_lib_files($1_ssh_agent_t)
++ auth_use_nsswitch($1_ssh_agent_t)
+ 
+ logging_send_syslog_msg($1_ssh_agent_t)
+ 
+- miscfiles_read_localization($1_ssh_agent_t)
+- miscfiles_read_generic_certs($1_ssh_agent_t)
+-
+- seutil_dontaudit_read_config($1_ssh_agent_t)
+-
+- # Write to the user domain tty.
+- userdom_use_user_terminals($1_ssh_agent_t)
+-
+- # for the transition back to normal privs upon exec
+- userdom_search_user_home_content($1_ssh_agent_t)
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+- allow $3 $1_ssh_agent_t:fd use;
+- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+- allow $3 $1_ssh_agent_t:process sigchld;
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_nfs_domtrans($1_ssh_agent_t, $3)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_ssh_agent_t)
+-
+- # transition back to normal privs upon exec
+- fs_cifs_domtrans($1_ssh_agent_t, $3)
+- ')
+-
+- optional_policy(`
+- nis_use_ypbind($1_ssh_agent_t)
+- ')
++ userdom_home_manager($1_ssh_agent_t)
+ 
+- optional_policy(`
+- xserver_use_xdm_fds($1_ssh_agent_t)
+- xserver_rw_xdm_pipes($1_ssh_agent_t)
+- ')
++ ssh_exec_keygen($3)
+ ')
+ 
+ ########################################
+@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',`
+ type sshd_t;
+ ')
+ 
+- allow $1 sshd_t:fifo_file { getattr read };
++ allow $1 sshd_t:fifo_file read_fifo_file_perms;
+ ')
++
++######################################
++##
++## Read and write ssh server unix dgram sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_rw_dgram_sockets',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
++')
++
+ ########################################
+ ##
+ ## Read and write a ssh server unnamed pipe.
+@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',`
+ type sshd_t;
+ ')
+ 
+- allow $1 sshd_t:fifo_file { write read getattr ioctl };
++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -605,6 +607,24 @@ interface(`ssh_domtrans',`
+ 
+ ########################################
+ ##
++## Execute sshd server in the sshd domain.
++##
++##
++##
++## Domain allowed access.
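Review bot: `type cache_home_t;` is pulled into ssh_role_template's gen_require and used directly in `stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)`; the type does not appear to be declared in the ssh.te hunks of this patch, so the template now depends on another module's private type instead of an interface that module exports, which is the pattern the rest of the template follows (for example `userdom_manage_tmp_role($2, ssh_t)`). Prefer an interface from the owning module, or at least a comment naming which agent socket under the cache directory this connects to. The added `allow ssh_t $3:key manage_key_perms;` gives the ssh client full control of the user's keyring while the reverse direction is only `allow $3 ssh_t:key read;`; if the client only needs to read session keys, the asymmetry is worth narrowing or documenting. The template starts before this hunk.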
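Review bot: `ssh_rw_dgram_sockets` allows `sshd_t:unix_dgram_socket rw_stream_socket_perms`; that set adds `listen` and `accept` on top of the generic read/write permissions, which do not apply to a datagram socket, so the rule grants more than its summary says and reads as a copy of `ssh_rw_stream_sockets`. Use the socket-generic set, `allow $1 sshd_t:unix_dgram_socket rw_socket_perms;`, which matches the interface name.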
++##
++##
++#
++interface(`ssh_initrc_domtrans',`
++ gen_require(`
++ type sshd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
++')
++
++########################################
++##
+ ## Execute the ssh client in the caller domain.
+ ##
+ ##
+@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',`
+ type sshd_key_t;
+ ')
+ 
+- allow $1 sshd_key_t:file setattr;
++ allow $1 sshd_key_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+ 
+@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',`
+ 
+ ########################################
+ ##
++## Getattr ssh home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_getattr_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ allow $1 ssh_home_t:dir getattr;
++')
++
++########################################
++##
++## Dontaudit search ssh home directory
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_dontaudit_search_user_home_dir',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ dontaudit $1 ssh_home_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Read ssh home directory content
+ ##
+ ##
+@@ -701,6 +757,50 @@ interface(`ssh_domtrans_keygen',`
+ 
+ ########################################
+ ##
++## Execute the ssh key generator in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ssh_exec_keygen',`
++ gen_require(`
++ type ssh_keygen_exec_t;
++ ')
++
++ can_exec($1, ssh_keygen_exec_t)
++')
++
++#######################################
++##
++## Execute ssh-keygen in the iptables domain, and
++## allow the specified role the ssh-keygen domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
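Review bot: The summary of `ssh_initrc_domtrans` reads `## Execute sshd server in the sshd domain.` but the body is `init_labeled_script_domtrans($1, sshd_initrc_exec_t)`; suggest `## Execute the sshd init script in the init script domain.`. The same copy-pasted summaries recur later in this file: `ssh_run_keygen` says `Execute ssh-keygen in the iptables domain` (hunk `@@ -701,6 +757,50 @@`), and in the final ssh.if hunk `ssh_filetrans_keys` reuses the `.ssh directory in the user home directory` text although it labels host key files under /etc, `ssh_systemctl` reuses `Execute sshd server in the sshd domain`, and `ssh_use_ptys` describes its parameter as `Domain to not audit` although the rule is an allow. These summaries are what the generated interface documentation shows, so they are worth fixing in the same commit.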
++##
++##
++##
++#
++interface(`ssh_run_keygen',`
++ gen_require(`
++ type ssh_keygen_t;
++ ')
++
++ role $2 types ssh_keygen_t;
++ ssh_domtrans_keygen($1)
++')
++
++########################################
++##
+ ## Read ssh server keys
+ ##
+ ##
+@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
+ type sshd_key_t;
+ ')
+ 
+- dontaudit $1 sshd_key_t:file { getattr read };
++ dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
++######################################
++##
++## Append ssh home directory content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_append_home_files',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ append_files_pattern($1, ssh_home_t, ssh_home_t)
++ userdom_search_user_home_dirs($1)
+ ')
+ 
+ ######################################
+@@ -754,3 +873,150 @@ interface(`ssh_delete_tmp',`
+ files_search_tmp($1)
+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+ ')
++
++#####################################
++##
++## Allow domain dyntransition to chroot_user_t domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_dyntransition_to',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow sshd_t $1:process dyntransition;
++ allow $1 sshd_t:process sigchld;
++ allow sshd_t $1:process { getattr sigkill sigstop signull signal };
++')
++
++########################################
++##
++## Create .ssh directory in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_admin_home_content',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++')
++
++########################################
++##
++## Create .ssh directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_home_content',`
++
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++ files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
++')
++
++########################################
++##
++## Create .ssh directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_filetrans_keys',`
++
++ gen_require(`
++ type sshd_key_t;
++ ')
++
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
++ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
++')
++
++########################################
++##
++## Do not audit attempts to read and
++## write the sshd pty type.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_dontaudit_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++')
++
++########################################
++##
++## Read and write inherited sshd pty type.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`ssh_use_ptys',`
++ gen_require(`
++ type sshd_devpts_t;
++ ')
++
++ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## Execute sshd server in the sshd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ssh_systemctl',`
++ gen_require(`
++ type sshd_t;
++ type sshd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 sshd_unit_file_t:file manage_file_perms;
++ allow $1 sshd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, sshd_t)
++')
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 5fc0391..692569b 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
+ #
+ 
+ ##
+-##
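Review bot: In `ssh_filetrans_admin_home_content` the `.shosts` transition is declared with class `dir` (`userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")`), but `.shosts` is a regular file, so the name-based transition never matches and a newly created `/root/.shosts` keeps the home directory's default label; the class should be `file`, and the same applies to the `.shosts` line in `ssh_filetrans_home_content` earlier in this hunk. `ssh_systemctl` grants `sshd_unit_file_t:file manage_file_perms`, which lets any caller rewrite sshd's unit file (and so what the service manager runs for sshd) although starting and stopping the service only needs `manage_service_perms`; `read_file_perms` is the usual pairing. The `files_etc_filetrans(… ".ssh_host_key")` names in `ssh_filetrans_keys` all carry a leading dot that the host key files normally lack — worth confirming against the file names the keygen unit actually creates. Also, the summary of `ssh_dyntransition_to` names chroot_user_t only, while the template in ssh.te applies it to sshd_sandbox_t and sshd_net_t as well.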

    +-## allow host key based authentication +-##

    ++##

    ++## allow host key based authentication ++##

    ++##
    ++gen_tunable(ssh_keysign, false) ++ ++## ++##

    ++## Allow ssh logins as sysadm_r:sysadm_t ++##

    + ##
    +-gen_tunable(allow_ssh_keysign, false) ++gen_tunable(ssh_sysadm_login, false) + + ## + ##

    +-## Allow ssh logins as sysadm_r:sysadm_t ++## Allow ssh with chroot env to read and write files ++## in the user home directories + ##

    + ##
+-gen_tunable(ssh_sysadm_login, false)
++gen_tunable(ssh_chroot_rw_homedirs, false)
+ 
++attribute ssh_dyntransition_domain;
+ attribute ssh_server;
+ attribute ssh_agent_type;
+ 
++ssh_dyntransition_domain_template(chroot_user_t)
++ssh_dyntransition_domain_template(sshd_sandbox_t)
++ssh_dyntransition_domain_template(sshd_net_t)
++
+ type ssh_keygen_t;
+ type ssh_keygen_exec_t;
+ init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
+-role system_r types ssh_keygen_t;
++
++type sshd_keygen_t;
++type sshd_keygen_exec_t;
++init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
++
++type sshd_keygen_unit_file_t;
++systemd_unit_file(sshd_keygen_unit_file_t)
+ 
+ type sshd_exec_t;
+ corecmd_executable_file(sshd_exec_t)
+ 
+ ssh_server_template(sshd)
+ init_daemon_domain(sshd_t, sshd_exec_t)
++mls_trusted_object(sshd_t)
+ 
+-type sshd_key_t;
+-files_type(sshd_key_t)
++type sshd_initrc_exec_t;
++init_script_file(sshd_initrc_exec_t)
+ 
+-type sshd_tmp_t;
+-files_tmp_file(sshd_tmp_t)
+-files_poly_parent(sshd_tmp_t)
++type sshd_unit_file_t;
++systemd_unit_file(sshd_unit_file_t)
+ 
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+-')
++type sshd_key_t;
++files_type(sshd_key_t)
+ 
+ type ssh_t;
+ type ssh_exec_t;
+@@ -73,6 +91,11 @@ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+ typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+ userdom_user_home_content(ssh_home_t)
++files_poly_parent(ssh_home_t)
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
++')
+ 
+ ##############################
+ #
+@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow ssh_t self:fd use;
+ allow ssh_t self:fifo_file rw_fifo_file_perms;
++allow ssh_t self:key
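Review bot: `type sshd_tmp_t;`, `files_tmp_file(sshd_tmp_t)` and `files_poly_parent(sshd_tmp_t)` are removed here, but ssh.if still references the type: it stays in the gen_require of ssh_basic_client_template (`type ssh_exec_t, sshd_key_t, sshd_tmp_t;`) and in `ssh_delete_tmp` (`delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)`), neither of which this patch touches. Unless sshd_tmp_t is declared somewhere not shown here, any module that calls either interface will fail to link on the missing type; drop the stale references or keep the declaration. The boolean rename from `allow_ssh_keysign` to `ssh_keysign` also changes a user-visible name, so an existing local setting of the old boolean silently stops applying; a note in the commit message, or keeping the old name as an alias, would help.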
manage_key_perms;
+ allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow ssh_t self:shm create_shm_perms;
+@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+ allow ssh_t self:tcp_socket create_stream_socket_perms;
++can_exec(ssh_t, ssh_exec_t)
+ 
+ # Read the ssh key file.
+ allow ssh_t sshd_key_t:file read_file_perms;
+ 
+-# Access the ssh temporary files.
+-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+-allow ssh_t sshd_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+-
+ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+ 
+ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)
++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
++userdom_read_all_users_keys(ssh_t)
++userdom_stream_connect(ssh_t)
++userdom_search_admin_dir(sshd_t)
+ 
+ # Allow the ssh program to communicate with ssh-agent.
+ stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+ 
+ allow ssh_t sshd_t:unix_stream_socket connectto;
++allow ssh_t sshd_t:peer recv;
+ 
+ # ssh client can manage the keys and config
+ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ 
+ # ssh servers can read the user keys and config
+-allow ssh_server ssh_home_t:dir list_dir_perms;
+-read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
++manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+ 
+ kernel_read_kernel_sysctls(ssh_t)
+ kernel_read_system_state(ssh_t)
+ 
+-corenet_all_recvfrom_unlabeled(ssh_t)
+ corenet_all_recvfrom_netlabel(ssh_t)
+ corenet_tcp_sendrecv_generic_if(ssh_t)
+ corenet_tcp_sendrecv_generic_node(ssh_t)
+ corenet_tcp_sendrecv_all_ports(ssh_t)
+ corenet_tcp_connect_ssh_port(ssh_t)
++corenet_tcp_connect_all_unreserved_ports(ssh_t)
+ corenet_sendrecv_ssh_client_packets(ssh_t)
++corenet_tcp_bind_generic_node(ssh_t)
++#corenet_tcp_bind_all_unreserved_ports(ssh_t)
++corenet_rw_tun_tap_dev(ssh_t)
+ 
++dev_read_rand(ssh_t)
+ dev_read_urand(ssh_t)
+ 
+ fs_getattr_all_fs(ssh_t)
+@@ -154,40 +183,46 @@ files_read_var_files(ssh_t)
+ logging_send_syslog_msg(ssh_t)
+ logging_read_generic_logs(ssh_t)
+ 
++term_use_ptmx(ssh_t)
++
+ auth_use_nsswitch(ssh_t)
+ 
+-miscfiles_read_localization(ssh_t)
++miscfiles_read_generic_certs(ssh_t)
+ 
+ seutil_read_config(ssh_t)
+ 
+ userdom_dontaudit_list_user_home_dirs(ssh_t)
+ userdom_search_user_home_dirs(ssh_t)
++userdom_search_admin_dir(ssh_t)
+ # Write to the user domain tty.
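Review bot: The comment `# ssh servers can read the user keys and config` now sits above `manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)` and `manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)`, which replace the list/read rules and give every domain carrying the ssh_server attribute create, write and unlink on ~/.ssh content, i.e. on users' authorized_keys; the removed `read_lnk_files_pattern` is not re-added either. If one server really needs to write there, grant it to that domain with a comment saying why; otherwise keep the read-only rules and leave the comment true. `userdom_search_admin_dir(sshd_t)` and `#corenet_tcp_bind_all_unreserved_ports(ssh_t)` are also out of place in this ssh_t section — the first targets sshd_t, the second is a commented-out rule with no explanation — and `userdom_read_all_users_keys(ssh_t)` is a broad keyring grant that deserves a one-line comment.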
+-userdom_use_user_terminals(ssh_t)
+-# needs to read krb tgt
++userdom_use_inherited_user_terminals(ssh_t)
++# needs to read krb/write tgt
+ userdom_read_user_tmp_files(ssh_t)
+-
+-tunable_policy(`allow_ssh_keysign',`
+- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+- allow ssh_keysign_t ssh_t:fd use;
+- allow ssh_keysign_t ssh_t:process sigchld;
+- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
++userdom_write_user_tmp_files(ssh_t)
++userdom_read_user_home_content_symlinks(ssh_t)
++userdom_rw_inherited_user_home_content_files(ssh_t)
++userdom_read_home_certs(ssh_t)
++userdom_home_manager(ssh_t)
++
++tunable_policy(`ssh_keysign',`
++ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(ssh_t)
+- fs_manage_nfs_files(ssh_t)
++# for port forwarding
++tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_ssh_port(ssh_t)
++ corenet_tcp_bind_generic_node(ssh_t)
++ corenet_tcp_bind_all_unreserved_ports(ssh_t)
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(ssh_t)
+- fs_manage_cifs_files(ssh_t)
++ifdef(`enable_mcs',`
++ optional_policy(`
++ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
++ ')
+ ')
+ 
+-# for port forwarding
+-tunable_policy(`user_tcp_server',`
+- corenet_tcp_bind_ssh_port(ssh_t)
+- corenet_tcp_bind_generic_node(ssh_t)
++optional_policy(`
++ gnome_stream_connect_gkeyringd(ssh_t)
+ ')
+ 
+ optional_policy(`
+@@ -195,6 +230,7 @@ optional_policy(`
+ xserver_domtrans_xauth(ssh_t)
+ ')
+ 
++
+ ##############################
+ #
+ # ssh_keysign_t local policy
+@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+ allow ssh_keysign_t sshd_key_t:file { getattr read };
+ 
+ dev_read_urand(ssh_keysign_t)
++dev_read_rand(ssh_keysign_t)
+ 
+ files_read_etc_files(ssh_keysign_t)
+ 
+@@ -223,33 +260,54 @@ optional_policy(`
+ # so a tunnel can point to another ssh tunnel
+ allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow sshd_t self:key { search link write };
+-
+-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
++allow sshd_t self:process setcurrent;
+ 
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+ 
++files_search_all(sshd_t)
++
++fs_search_cgroup_dirs(sshd_t)
++fs_rw_cgroup_files(sshd_t)
++
+ term_use_all_ptys(sshd_t)
+ term_setattr_all_ptys(sshd_t)
++term_setattr_all_ttys(sshd_t)
+ term_relabelto_all_ptys(sshd_t)
++term_use_ptmx(sshd_t)
+ 
+ # for X forwarding
+ corenet_tcp_bind_xserver_port(sshd_t)
++corenet_tcp_bind_vnc_port(sshd_t)
+ corenet_sendrecv_xserver_server_packets(sshd_t)
+ 
++auth_exec_login_program(sshd_t)
++
++userdom_read_user_home_content_files(sshd_t)
++userdom_read_user_home_content_symlinks(sshd_t)
++userdom_manage_tmp_role(system_r, sshd_t)
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
++userdom_dyntransition_unpriv_users(sshd_t)
++
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+- userdom_spec_domtrans_all_users(sshd_t)
+ userdom_signal_all_users(sshd_t)
+-',`
+- userdom_spec_domtrans_unpriv_users(sshd_t)
+- userdom_signal_unpriv_users(sshd_t)
++ userdom_spec_domtrans_all_users(sshd_t)
++ userdom_dyntransition_admin_users(sshd_t)
++')
++
++optional_policy(`
++ amanda_search_var_lib(sshd_t)
++')
++
++optional_policy(`
++ condor_rw_lib_files(sshd_t)
++ condor_rw_tcp_sockets_startd(sshd_t)
++ condor_rw_tcp_sockets_schedd(sshd_t)
+ ')
+ 
+ optional_policy(`
+@@ -257,11 +315,28 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ kerberos_keytab_template(sshd, sshd_t)
++')
++
++optional_policy(`
++ ftp_dyntrans_sftpd(sshd_t)
++ ftp_dyntrans_anon_sftpd(sshd_t)
++')
++
++optional_policy(`
++ gitosis_manage_lib_files(sshd_t)
++')
++
++optional_policy(`
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+ ')
+ 
+ optional_policy(`
+- kerberos_keytab_template(sshd, sshd_t)
++ lvm_domtrans(sshd_t)
++')
++
++optional_policy(`
++ nx_read_home_files(sshd_t)
+ ')
+ 
+ optional_policy(`
+@@ -269,6 +344,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ munin_read_var_lib_files(sshd_t)
++')
++
++optional_policy(`
+ rpm_use_script_fds(sshd_t)
+ ')
+ 
+@@ -279,13 +358,93 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ rsync_read_data(sshd_t)
++')
++
++optional_policy(`
++ systemd_exec_systemctl(sshd_t)
++')
++
++optional_policy(`
++ usermanage_domtrans_passwd(sshd_t)
++ usermanage_read_crack_db(sshd_t)
++')
++
++optional_policy(`
++ openshift_dyntransition(sshd_t)
++ openshift_transition(sshd_t)
++ openshift_manage_tmp_files(sshd_t)
++ openshift_manage_tmp_sockets(sshd_t)
++ openshift_mounton_tmp(sshd_t)
++ openshift_read_lib_files(sshd_t)
++')
++
++optional_policy(`
++ postgresql_search_db(sshd_t)
++')
++
++optional_policy(`
+ unconfined_shell_domtrans(sshd_t)
+ ')
+ 
+ optional_policy(`
++ kernel_write_proc_files(sshd_t)
++ virt_transition_svirt_sandbox(sshd_t, system_r)
++ virt_stream_connect_sandbox(sshd_t)
++ virt_stream_connect(sshd_t)
++')
++
++optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
+ ')
+ 
++ifdef(`TODO',`
++ tunable_policy(`ssh_sysadm_login',`
++ # Relabel and access ptys created by sshd
++ # ioctl is necessary for logout() processing for utmp entry and for w to
++ # display the tty.
++ # some versions of sshd on the new SE Linux require setattr
++ allow sshd_t ptyfile:chr_file relabelto;
++
++ optional_policy(`
++ domain_trans(sshd_t, xauth_exec_t, userdomain)
++ ')
++ ',`
++ optional_policy(`
++ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
++ ')
++ # Relabel and access ptys created by sshd
++ # ioctl is necessary for logout() processing for utmp entry and for w to
++ # display the tty.
++ # some versions of sshd on the new SE Linux require setattr
++ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
++ ')
++') dnl endif TODO
++
++########################################
++#
++# sshd-keygen local policy
++#
++
++allow sshd_keygen_t self:capability { chown fsetid };
++allow sshd_keygen_t self:fifo_file rw_fifo_file_perms;
++allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms;
++
++allow sshd_keygen_t sshd_key_t:file manage_file_perms;
++
++kernel_read_system_state(sshd_keygen_t)
++
++corecmd_exec_bin(sshd_keygen_t)
++
++auth_read_passwd(sshd_keygen_t)
++
++files_rw_etc_dirs(sshd_keygen_t)
++
++#run restorecon
++seutil_domtrans_setfiles(sshd_keygen_t)
++
++ssh_domtrans_keygen(sshd_keygen_t)
++
+ ########################################
+ #
+ # ssh_keygen local policy
+@@ -294,19 +453,29 @@ optional_policy(`
+ # ssh_keygen_t is the type of the ssh-keygen program when run at install time
+ # and by sysadm_t
+ 
++allow ssh_keygen_t self:capability dac_override;
+ dontaudit ssh_keygen_t self:capability sys_tty_config;
+ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+-
+ allow ssh_keygen_t self:unix_stream_socket
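Review bot: `kernel_write_proc_files(sshd_t)` is placed inside the `optional_policy` block that holds the virt_* calls, so it is granted only when the virt module is installed and silently dropped otherwise; a kernel-layer interface belongs outside optional_policy, with a comment naming the proc file sshd writes. The `ifdef(TODO)` block that follows `xserver_domtrans_xauth(sshd_t)` is never compiled and duplicates the `ssh_sysadm_login` handling already in the hunk above; dead policy should be removed rather than carried in the file. Both points are about how the sshd_t section is written rather than what it grants; the sshd-keygen section that follows looks self-consistent.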
create_stream_socket_perms;
+ 
+ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+ 
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
++kernel_read_system_state(ssh_keygen_t)
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+ 
++corecmd_exec_shell(ssh_keygen_t)
++corecmd_exec_bin(ssh_keygen_t)
++
+ fs_search_auto_mountpoints(ssh_keygen_t)
+ 
+ dev_read_sysfs(ssh_keygen_t)
++dev_read_rand(ssh_keygen_t)
+ dev_read_urand(ssh_keygen_t)
+ 
+ term_dontaudit_use_console(ssh_keygen_t)
+@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t)
+ logging_send_syslog_msg(ssh_keygen_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(ssh_keygen_t)
++ fs_manage_nfs_dirs(ssh_keygen_t)
++')
+ 
+ optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+@@ -331,3 +506,140 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ssh_keygen_t)
+ ')
++
++####################################
++#
++# ssh_dyntransition domain local policy
++#
++
++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
++allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms;
++
++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
++allow ssh_dyntransition_domain sshd_t:fd use;
++
++optional_policy(`
++ ssh_rw_stream_sockets(ssh_dyntransition_domain)
++ ssh_rw_tcp_sockets(ssh_dyntransition_domain)
++')
++
++#####################################
++#
++# ssh_sandbox local policy
++#
++
++allow sshd_t sshd_sandbox_t:process signal;
++
++init_ioctl_stream_sockets(sshd_sandbox_t)
++
++logging_send_audit_msgs(sshd_sandbox_t)
++
++#####################################
++#
++# sshd [net] child local
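Review bot: `userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` and `userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` pass no name, so every directory ssh_keygen_t creates directly under a home directory is labeled ssh_home_t, not just `.ssh`; the ssh_t rule earlier in this file uses the name-filtered form, `userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")`, and the same form fits here. `allow ssh_keygen_t self:capability dac_override;` together with `corecmd_exec_shell`, `corecmd_exec_bin` and manage access to ssh_home_t in every user's home is a noticeable widening for a key generator; a comment naming the operation that needs dac_override would let a later reviewer judge whether it can be dropped. The ssh_keygen_t section continues in the next hunk.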
policy
++#
++
++allow sshd_t sshd_net_t:process signal;
++
++allow sshd_net_t self:process setrlimit;
++
++init_ioctl_stream_sockets(sshd_net_t)
++
++logging_send_audit_msgs(sshd_net_t)
++
++
++######################################
++#
++# chroot_user_t local policy
++#
++allow chroot_user_t self:fifo_file rw_fifo_file_perms;
++allow chroot_user_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_shell(chroot_user_t)
++
++term_search_ptys(chroot_user_t)
++term_use_ptmx(chroot_user_t)
++
++fs_getattr_all_fs(chroot_user_t)
++
++userdom_read_user_home_content_files(chroot_user_t)
++userdom_read_inherited_user_home_content_files(chroot_user_t)
++userdom_read_user_home_content_symlinks(chroot_user_t)
++userdom_exec_user_home_content_files(chroot_user_t)
++userdom_use_inherited_user_ptys(chroot_user_t)
++
++tunable_policy(`ssh_chroot_rw_homedirs',`
++ files_list_home(chroot_user_t)
++ userdom_manage_user_home_content_files(chroot_user_t)
++ userdom_manage_user_home_content_symlinks(chroot_user_t)
++ userdom_manage_user_home_content_pipes(chroot_user_t)
++ userdom_manage_user_home_content_sockets(chroot_user_t)
++ userdom_manage_user_home_content_dirs(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(chroot_user_t)
++ fs_manage_nfs_files(chroot_user_t)
++ fs_manage_nfs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
++ fs_manage_cifs_dirs(chroot_user_t)
++ fs_manage_cifs_files(chroot_user_t)
++ fs_manage_cifs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(chroot_user_t)
++ fs_manage_fusefs_files(chroot_user_t)
++ fs_manage_fusefs_symlinks(chroot_user_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(chroot_user_t)
++ fs_read_cifs_symlinks(chroot_user_t)
++')
++
++userdom_home_manager(chroot_user_t)
++
++optional_policy(`
++ ssh_rw_dgram_sockets(chroot_user_t)
++')
++
++######################################
++#
++# ssh_agent_type common policy local policy
++#
++allow ssh_agent_type self:process setrlimit;
++allow ssh_agent_type self:capability setgid;
++
++manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
++manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
++files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file })
++
++kernel_read_kernel_sysctls(ssh_agent_type)
++
++dev_read_urand(ssh_agent_type)
++dev_read_rand(ssh_agent_type)
++
++fs_search_auto_mountpoints(ssh_agent_type)
++
++domain_use_interactive_fds(ssh_agent_type)
++
++files_read_etc_files(ssh_agent_type)
++files_read_etc_runtime_files(ssh_agent_type)
++
++libs_read_lib_files(ssh_agent_type)
++
++miscfiles_read_generic_certs(ssh_agent_type)
++
++# Write to the user domain tty.
++userdom_use_inherited_user_terminals(ssh_agent_type)
++
++# for the transition back to normal privs upon exec
++userdom_search_user_home_content(ssh_agent_type)
++
++optional_policy(`
++ xserver_use_xdm_fds(ssh_agent_type)
++ xserver_rw_xdm_pipes(ssh_agent_type)
++')
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index d1f64a0..9a5dab5 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -2,13 +2,35 @@
+ # HOME_DIR
+ #
+ HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
+ HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+ HOME_DIR/\.fonts/auto(/.*)?
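Review bot: `userdom_home_manager(chroot_user_t)` is applied unconditionally right after the `ssh_chroot_rw_homedirs && use_*_home_dirs` blocks; if that interface (not shown in this patch) itself grants write access to NFS/CIFS/FUSE home content under the `use_*_home_dirs` booleans, the `ssh_chroot_rw_homedirs` gate is bypassed for network-mounted homes — confirm what it grants before keeping both. The standalone `use_samba_home_dirs` read block has no NFS or FUSE counterpart, so read-only access to network homes from the chroot is inconsistent across filesystems. The `optional_policy` wrappers around this module's own interfaces (`ssh_rw_stream_sockets`, `ssh_rw_tcp_sockets`, `ssh_rw_dgram_sockets`) are unnecessary, since the callee is always present. `allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };` applies to sshd_sandbox_t and sshd_net_t as well as chroot_user_t; a comment stating which child needs which capability would make later tightening possible.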
gen_context(system_u:object_r:user_fonts_cache_t,s0)
+ HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+ HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++
++/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
++/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
++/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.fonts/auto(/.*)? 
gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
++/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
+ #
+ # /dev
+@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
++/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0)
++/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
++/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
++
+ /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+-/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/etc/opt/VirtualGL(/.*)? 
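Review bot: `HOME_DIR/\.Xauth.*` (and its `/root/` twin) already matches every `.Xauthority*` name, so the `\.Xauthority.*` entries kept right after them are redundant; both map to xauth_home_t, so nothing breaks, but two specs for one path invite drift if only one of them is edited later. The `/root/` block repeats every `HOME_DIR` entry verbatim; if the build's HOME_DIR expansion already covers root's home directory this is duplicated maintenance, and if it does not, a comment such as `# /root is not covered by HOME_DIR expansion; keep in sync with the block above` records why the copy exists. `.DCOP.*` is put under iceauth_home_t, which presumably reflects how KDE's DCOP server stores its authority data; a short comment would help, since the name does not suggest ICE.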
gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+
++/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ # /tmp
+ #
+
+-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.ICE-unix/.* -s <>
+-/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
+-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix/.* -s <>
++/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+
+ #
+ # /usr
+ #
+
+-/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm3? -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lxdm(-binary)? 
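Review bot: The new `/etc/[mg]dm/PreSession(/.*)?` spec labels the same files as the kept `/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)` line above it, but with xdm_unconfined_exec_t; with file_contexts resolving to the last matching spec, the new entry presumably wins for /etc/gdm and the older line stays live only for gdm3, which is unlikely to be the intent. Either drop or narrow the older line, or state the intended outcome in a comment next to the new one. Because Init, PostLogin, PostSession and PreSession scripts now execute unconfined from xdm, the file label is the only thing separating a hook script from an unconfined process; a comment such as `# display-manager hook scripts run unconfined from xdm_t; these dirs must stay root-owned and not user-writable` records that assumption for whoever relabels or packages them.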
-- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++
+ /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
+ /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+ /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+@@ -92,25 +128,49 @@ ifndef(`distro_debian',`
+
+ /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
++/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
++
++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
+-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/gdm(3)?(/.*)? 
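Review bot: `/usr/s?bin/lightdm*` is a regex, not a shell glob: `m*` means zero or more `m`, so the spec matches `lightd`, `lightdm` and `lightdmm` but none of the `lightdm-…` helper binaries it was presumably written for (compare `/usr/bin/razor-lightdm-.*` below, which uses `.*`). If only the main binary is meant, `/usr/s?bin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)` says so; if the helpers are meant too, `/usr/s?bin/lightdm.*`. Separately, `/tmp/\.X0-lock` moves from xserver_tmp_t to xdm_tmp_t in this hunk, while the `# Read /tmp/.X0-lock` rules in xserver.if (the `@@ -197,7 +135,7 @@` hunk) still grant read on xserver_tmp_t; whichever type the lock file actually receives at runtime, the comment and rule there should be reconciled with this relabel.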
gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++
++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
+ /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+-/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
++/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/systemd/multi-session-x(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0)
++
+ ifdef(`distro_suse',`
+ /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ ')
++
++/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index 6bf0ecc..5a7e2a4 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -18,100 +18,37 @@
+ #
+ interface(`xserver_restricted_role',`
+ gen_require(`
+- type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+- type iceauth_t, iceauth_exec_t, iceauth_home_t;
+- type xauth_t, xauth_exec_t, xauth_home_t;
++ type xserver_t, xauth_t, iceauth_t;
++ attribute dridomain, x_userdomain;
+ ')
+
+ role $1 types { xserver_t xauth_t iceauth_t };
++ typeattribute $2 x_userdomain, dridomain;
+
+- # Xserver read/write client shm
+- allow xserver_t $2:fd use;
+- allow xserver_t $2:shm rw_shm_perms;
+-
+- allow xserver_t $2:process signal;
+-
+- allow xserver_t $2:shm rw_shm_perms;
+-
+- allow $2 user_fonts_t:dir list_dir_perms;
+- allow $2 user_fonts_t:file read_file_perms;
+-
+- allow $2 user_fonts_config_t:dir list_dir_perms;
+- allow $2 user_fonts_config_t:file read_file_perms;
+-
+- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+-
+- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+- files_search_tmp($2)
+-
+- # Communicate via System V shared memory. 
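Review bot: `/var/lib/pqsql/\.xauth.*` and `/var/lib/pqsql/\.Xauthority.*` look like a typo for `pgsql` (the PostgreSQL home directory), which would leave the real files unlabelled; please confirm the intended path. `/var/run/video.rom` has an unescaped dot, so it also matches names such as `video-rom`; `/var/run/video\.rom` is the form the rest of the file uses. The display-manager logs are also split inconsistently: `/var/log/lightdm(/.*)?` stays xserver_log_t while `/var/log/mdm(/.*)?`, `slim\.log` and the `[mkwx]dm\.log.*` entries move to xdm_log_t — if the distinction is that lightdm writes the X server's own log into its directory, a comment saying so would stop the next edit from "fixing" it.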
+- allow $2 xserver_t:shm r_shm_perms;
+- allow $2 xserver_tmpfs_t:file read_file_perms;
+-
+- # allow ps to show iceauth
+- ps_process_pattern($2, iceauth_t)
+-
+- domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+-
+- allow $2 iceauth_home_t:file read_file_perms;
+-
+- domtrans_pattern($2, xauth_exec_t, xauth_t)
+-
+- allow $2 xauth_t:process signal;
+-
+- # allow ps to show xauth
+- ps_process_pattern($2, xauth_t)
+- allow $2 xserver_t:process signal;
+-
+- allow $2 xauth_home_t:file read_file_perms;
+-
+- # for when /tmp/.X11-unix is created by the system
+- allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
+- dontaudit $2 xdm_t:tcp_socket { read write };
+-
+- # Client read xserver shm
+- allow $2 xserver_t:fd use;
+- allow $2 xserver_tmpfs_t:file read_file_perms;
+-
+- # Read /tmp/.X0-lock
+- allow $2 xserver_tmp_t:file { getattr read };
+-
+- dev_rw_xserver_misc($2)
+- dev_rw_power_management($2)
+- dev_read_input($2)
+- dev_read_misc($2)
+- dev_write_misc($2)
+- # open office is looking for the following
+- dev_getattr_agp_dev($2)
+- dev_dontaudit_rw_dri($2)
+- # GNOME checks for usb and other devices:
+- dev_rw_usbfs($2)
+-
+- miscfiles_read_fonts($2)
++ xserver_common_x_domain_template(user,$2)
++ xserver_stream_connect_xdm($2)
++ xserver_xdm_append_log($2)
+
+- xserver_common_x_domain_template(user, $2)
+- xserver_domtrans($2)
+- xserver_unconfined($2)
+- xserver_xsession_entry_type($2)
+- xserver_dontaudit_write_log($2)
+- xserver_stream_connect_xdm($2)
+- # certain apps want to read xdm.pid file
+- xserver_read_xdm_pid($2)
+- # gnome-session creates socket under /tmp/.ICE-unix/
+- xserver_create_xdm_tmp_sockets($2)
+- # Needed for escd, remove if we get escd policy
+- xserver_manage_xdm_tmp_files($2)
++ modutils_run_insmod(xserver_t, $1)
++ xserver_dri_domain($2)
++')
+
+- # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
+- 
allow $2 xserver_t:shm rw_shm_perms;
+- allow $2 xserver_tmpfs_t:file rw_file_perms;
++########################################
++##
++## Domain wants to use direct io devices
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dri_domain',`
++ gen_require(`
++ attribute dridomain;
+ ')
++
++ typeattribute $1 dridomain;
+ ')
+
+ ########################################
+@@ -143,13 +80,15 @@ interface(`xserver_role',`
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+ allow $2 iceauth_home_t:file manage_file_perms;
+- allow $2 iceauth_home_t:file { relabelfrom relabelto };
++ allow $2 iceauth_home_t:file relabel_file_perms;
+
+ allow $2 xauth_home_t:file manage_file_perms;
+- allow $2 xauth_home_t:file { relabelfrom relabelto };
++ allow $2 xauth_home_t:file relabel_file_perms;
+
++ mls_xwin_read_to_clearance($2)
+ manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ manage_files_pattern($2, user_fonts_t, user_fonts_t)
++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
+ relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+
+@@ -162,7 +101,6 @@ interface(`xserver_role',`
+ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+-
+ ')
+
+ #######################################
+@@ -197,7 +135,7 @@ interface(`xserver_ro_session',`
+ allow $1 xserver_t:process signal;
+
+ # Read /tmp/.X0-lock
+- allow $1 xserver_tmp_t:file { getattr read };
++ allow $1 xserver_tmp_t:file read_file_perms;
+
+ # Client read xserver shm
+ allow $1 xserver_t:fd use;
+@@ -227,7 +165,7 @@ interface(`xserver_rw_session',`
+ type xserver_t, xserver_tmpfs_t;
+ ')
+
+- xserver_ro_session($1,$2)
++ xserver_ro_session($1, $2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -255,7 +193,7 @@ 
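Review bot: `xserver_dri_domain($2)` at the end of xserver_restricted_role is redundant — the `typeattribute $2 x_userdomain, dridomain;` line a few lines above already adds the attribute, so one of the two should go. `modutils_run_insmod(xserver_t, $1)` grants the X server the insmod transition for every role built through this "restricted" role interface; that is a privilege of the xserver_t domain rather than of a role, and presumably belongs in xserver.te (behind a tunable if only some driver setups need it) so that roles do not differ in what the X server may load. The summary of the new xserver_dri_domain interface says "direct io devices"; DRI is the Direct Rendering Infrastructure, so `## Domain uses the direct rendering (DRI) devices` describes it correctly. `xserver_common_x_domain_template(user,$2)` also drops the space after the comma that the removed line and this patch's other spacing fixes use.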
interface(`xserver_non_drawing_client',`
+
+ allow $1 self:x_gc { create setattr };
+
+- allow $1 xdm_var_run_t:dir search;
++ allow $1 xdm_var_run_t:dir search_dir_perms;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+@@ -291,13 +229,13 @@ interface(`xserver_user_client',`
+ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+ # Read .Xauthority file
+- allow $1 xauth_home_t:file { getattr read };
+- allow $1 iceauth_home_t:file { getattr read };
++ allow $1 xauth_home_t:file read_file_perms;
++ allow $1 iceauth_home_t:file read_file_perms;
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $1 xdm_t:fd use;
+- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+- allow $1 xdm_tmp_t:dir search;
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 xdm_tmp_t:dir search_dir_perms;
+ allow $1 xdm_tmp_t:sock_file { read write };
+ dontaudit $1 xdm_t:tcp_socket { read write };
+
+@@ -316,7 +254,7 @@ interface(`xserver_user_client',`
+ xserver_read_xdm_tmp_files($1)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -342,19 +280,23 @@ interface(`xserver_user_client',`
+ #
+ template(`xserver_common_x_domain_template',`
+ gen_require(`
+- type root_xdrawable_t;
++ type root_xdrawable_t, xdm_t, xserver_t;
+ type xproperty_t, $1_xproperty_t;
+ type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
+
+- attribute x_domain;
++ attribute x_domain, input_xevent_type;
+ attribute xdrawable_type, xcolormap_type;
+- attribute input_xevent_type;
+
+ class x_drawable all_x_drawable_perms;
+ class x_property all_x_property_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
++ class x_client destroy;
++ class x_server manage;
++ class x_screen { 
saver_setattr saver_hide saver_show show_cursor hide_cursor };
++ class x_pointer { get_property set_property manage };
++ class x_keyboard { read manage freeze };
+ ')
+
+ ##############################
+@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',`
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ # can receive default events
+ allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+- allow $2 xevent_t:{ x_event x_synthetic_event } receive;
++ allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
+ # dont audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
++
++ allow $2 xdm_t:x_drawable { hide read add_child manage };
++ allow $2 xdm_t:x_client destroy;
++
++ allow $2 root_xdrawable_t:x_drawable write;
++ allow $2 xserver_t:x_server manage;
++ allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
++ allow $2 xserver_t:x_pointer { get_property set_property manage };
++ allow $2 xserver_t:x_keyboard { read manage freeze };
+ ')
+
+ #######################################
+@@ -444,8 +395,9 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
+- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
++ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++ type xdm_home_t;
++ type xauth_home_t, iceauth_home_t, xserver_t;
+ ')
+
+ allow $2 self:shm create_shm_perms;
+@@ -456,11 +408,13 @@ template(`xserver_user_x_domain_template',`
+ allow $2 xauth_home_t:file read_file_perms;
+ allow $2 iceauth_home_t:file read_file_perms;
+
++ xserver_filetrans_home_content($2)
++
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 
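Review bot: The block added after `dontaudit $2 input_xevent_type:x_event send;` gives every domain instantiated through xserver_common_x_domain_template `xserver_t:x_server manage`, `x_keyboard { read manage freeze }`, `x_pointer manage`, write on the root drawable and `destroy` on xdm_t's x_client; because this template underlies all X client domains, any confined client appears able to freeze input, reconfigure the core devices or tear down the display manager's connection, which removes most of the separation the XACE labels were providing between ordinary clients and the session manager. If a specific application needs these (screen locker, input method, accessibility tooling), a narrower interface called only by that domain keeps the template's grant minimal; at minimum each added line should carry a comment naming the consumer that requires it, as the existing `# can receive default events` comment does for its rule.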
xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -472,20 +426,26 @@ template(`xserver_user_x_domain_template',`
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($2)
+
+- xserver_ro_session($2,$3)
++ xserver_ro_session($2, $3)
+ xserver_use_user_fonts($2)
+
+ xserver_read_xdm_tmp_files($2)
++ xserver_read_xdm_pid($2)
++ xserver_xdm_append_log($2)
+
+ # X object manager
+ xserver_object_types_template($1)
+- xserver_common_x_domain_template($1,$2)
++ xserver_common_x_domain_template($1, $2)
+
+ # Client write xserver shm
+- tunable_policy(`allow_write_xshm',`
++ tunable_policy(`xserver_clients_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`selinuxuser_direct_dri_enabled',`
++ dev_rw_dri($2)
++ ')
+ ')
+
+ ########################################
+@@ -517,6 +477,7 @@ interface(`xserver_use_user_fonts',`
+ # Read per user fonts
+ allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:file read_file_perms;
++ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
+
+ # Manipulate the global font cache
+ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+@@ -547,6 +508,42 @@ interface(`xserver_domtrans_xauth',`
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
+ ')
+
++######################################
++##
++## Allow exec of Xauthority program..
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`xserver_exec_xauth',`
++ gen_require(`
++ type xauth_t, xauth_exec_t;
++ ')
++
++ can_exec($1, xauth_exec_t)
++')
++
++########################################
++##
++## Dontaudit exec of Xauthority program.
++##
++##
++##
++## Domain to not audit. 
++##
++##
++#
++interface(`xserver_dontaudit_exec_xauth',`
++ gen_require(`
++ type xauth_exec_t;
++ ')
++
++ dontaudit $1 xauth_exec_t:file execute;
++')
++
+ ########################################
+ ##
+ ## Create a Xauthority file in the user home directory.
+@@ -567,6 +564,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
+
+ ########################################
+ ##
++## Create a Xauthority file in the admin home directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_admin_home_dir_filetrans_xauth',`
++ gen_require(`
++ type xauth_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
++')
++
++########################################
++##
+ ## Read all users fonts, user font configurations,
+ ## and manage all users font caches.
+ ##
+@@ -598,6 +613,25 @@ interface(`xserver_read_user_xauth',`
+
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
++ xserver_read_xdm_pid($1)
++')
++
++########################################
++##
++## Manage all users .Xauthority.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_user_xauth',`
++ gen_require(`
++ type xauth_home_t;
++ ')
++
++ allow $1 xauth_home_t:file manage_file_perms;
+ ')
+
+ ########################################
+@@ -615,7 +649,7 @@ interface(`xserver_setattr_console_pipes',`
+ type xconsole_device_t;
+ ')
+
+- allow $1 xconsole_device_t:fifo_file setattr;
++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -638,6 +672,25 @@ interface(`xserver_rw_console',`
+
+ ########################################
+ ##
++## Read XDM state files.
++##
++##
++##
++## Domain allowed access. 
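Review bot: xserver_exec_xauth documents its parameter as `Domain allowed to transition.`, but its body is `can_exec($1, xauth_exec_t)`, which runs xauth in the caller's own domain with no transition; a caller that trusts the doc and expects to land in xauth_t will not, so `## Domain allowed to execute xauth in its own domain.` matches the code (the summary line also ends in a double period). The gen_require lists `xauth_t`, which the interface never references; `type xauth_exec_t;` is sufficient and keeps the dependency list honest.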
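Review bot: `xserver_read_xdm_pid($1)` added to xserver_read_user_xauth widens an interface whose name promises only Xauthority reads; every existing caller silently gains search of the pid directory and read of xdm's pid files. If callers genuinely need both, calling xserver_read_xdm_pid explicitly at each call site keeps the grant visible where it is reviewed. The new xserver_manage_user_xauth also lacks the `userdom_search_user_home_dirs($1)` its read sibling carries, so a caller with no other home-directory search access presumably cannot reach the file it is allowed to manage.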
++##
++##
++#
++interface(`xserver_read_state_xdm',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, xdm_t)
++')
++
++########################################
++##
+ ## Use file descriptors for xdm.
+ ##
+ ##
+@@ -651,7 +704,7 @@ interface(`xserver_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fd use;
++ allow $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -670,7 +723,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fd use;
++ dontaudit $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -688,7 +741,7 @@ interface(`xserver_rw_xdm_pipes',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fifo_file { getattr read write };
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -703,12 +756,11 @@ interface(`xserver_rw_xdm_pipes',`
+ ##
+ #
+ interface(`xserver_dontaudit_rw_xdm_pipes',`
+-
+ gen_require(`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -765,11 +817,91 @@ interface(`xserver_manage_xdm_spool_files',`
+ #
+ interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xdm_tmp_t, xdm_var_run_t;
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++')
++
++########################################
++##
++## Allow domain to append XDM unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++
++interface(`xserver_append_xdm_stream_socket',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:unix_stream_socket append;
++')
++
++########################################
++##
++## Read XDM files in user home directories. 
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_xdm_home_files',`
++ gen_require(`
++ type xdm_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 xdm_home_t:file read_file_perms;
++')
++
++########################################
++##
++## Read xserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
++')
++
++########################################
++##
++## Manage xserver configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_config',`
++ gen_require(`
++ type xserver_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
++ manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
+ ')
+
+ ########################################
+@@ -793,6 +925,25 @@ interface(`xserver_read_xdm_rw_config',`
+
+ ########################################
+ ##
++## Search XDM temporary directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_search_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 xdm_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Set the attributes of XDM temporary directories.
+ ##
+ ##
+@@ -806,7 +957,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ type xdm_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir setattr;
++ allow $1 xdm_tmp_t:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Dont audit attempts to set the attributes of XDM temporary directories.
++##
++##
++##
++## Domain to not audit. 
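Review bot: There is a stray blank line between the `#` header terminator and the `interface(` line of xserver_append_xdm_stream_socket; every other interface in the file places `interface(` directly under its `#`, and the documentation generator keys the XML comment block to the interface that immediately follows it, so the blank line should be removed. In xserver_stream_connect_xdm the xdm socket may now live under xdm_var_run_t as well as xdm_tmp_t; a comment such as `# newer display managers create the socket under /var/run` next to the `files_search_pids($1)` line would record why both locations are granted.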
++##
++##
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -846,7 +1015,26 @@ interface(`xserver_read_xdm_pid',`
+ ')
+
+ files_search_pids($1)
+- allow $1 xdm_var_run_t:file read_file_perms;
++ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++######################################
++##
++## Dontaudit Read XDM pid files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++ gen_require(`
++ type xdm_var_run_t;
++ ')
++
++ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
++ dontaudit $1 xdm_var_run_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -864,7 +1052,26 @@ interface(`xserver_read_xdm_lib_files',`
+ type xdm_var_lib_t;
+ ')
+
+- allow $1 xdm_var_lib_t:file read_file_perms;
++ read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
++ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
++')
++
++########################################
++##
++## Read inherited XDM var lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_read_inherited_xdm_lib_files',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 xserver_log_t:file getattr;
++ allow $1 xserver_log_t:file getattr_file_perms;
+ ')
+
+-########################################
++#######################################
++##
++## Allow domain to read X server logs.
++##
++##
++##
++## Domain allowed access. 
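Review bot: `xserver_dontaudit_xdm_tmp_dirs` does not say which access it silences, while its body `dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;` is exactly the dontaudit twin of `xserver_setattr_xdm_tmp_dirs` just above it. Naming it `xserver_dontaudit_setattr_xdm_tmp_dirs` follows the file's existing allow/dontaudit pairs (for example xserver_use_xdm_fds / xserver_dontaudit_use_xdm_fds) and leaves room for a later dontaudit of a different permission on the same directories without a name collision.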
++##
++##
++#
++interface(`xserver_read_log',`
++ gen_require(`
++ type xserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 xserver_log_t:file read_file_perms;
++')
++
++########################################
+ ##
+ ## Do not audit attempts to write the X server
+ ## log files.
+@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
+ type xserver_log_t;
+ ')
+
+- dontaudit $1 xserver_log_t:file { append write };
++ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
+
+ ########################################
+ ##
++## dontaudit access checks X keyboard extension libraries.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dontaudit_xkb_libs_access',`
++ gen_require(`
++ type xkb_var_lib_t;
++ ')
++
++ dontaudit $1 xkb_var_lib_t:dir audit_access;
++ dontaudit $1 xkb_var_lib_t:file audit_access;
++')
++
++########################################
++##
++## Read xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_read_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
++ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
++## Manage xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_manage_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
+ ## Read xdm temporary files. 
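Review bot: The parameter summaries of xserver_read_xdm_etc_files and xserver_manage_xdm_etc_files read `Domain to not audit`, but both interfaces are allow rules; the text was carried over from the dontaudit interface above them and should be `Domain allowed access.` so the generated interface documentation does not mislead. xserver_manage_xdm_etc_files manages only plain files, whereas the read variant also covers symlinks and neither grants directory management under xdm_etc_t; if full management of the xdm configuration tree is intended, `manage_dirs_pattern($1, xdm_etc_t, xdm_etc_t)` and `manage_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)` are missing, and if the narrower scope is deliberate the summary should say "files only".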
+ ##
+ ##
+@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+ type xdm_tmp_t;
+ ')
+
+- files_search_tmp($1)
++ files_search_tmp($1)
+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
+
+@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+
+ ########################################
+ ##
++## Create, read, write, and delete xdm temporary dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_relabel_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete xdm temporary dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes of
+ ## xdm temporary named sockets.
+ ##
+@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
+ ')
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+ ')
+
+ ########################################
+@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+
+ ########################################
+ ##
++## Do not audit attempts to read and write xdm
++## unix domain stream sockets.
++##
++##
++##
++## Domain to not audit. 
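Review bot: The summary of xserver_relabel_xdm_tmp_dirs is `Create, read, write, and delete xdm temporary dirs.`, copied from the manage interface that follows it, while the body grants only `relabel_dir_perms`; `## Relabel xdm temporary directories.` is the accurate text. The same sentence is correct on xserver_manage_xdm_tmp_dirs, where `manage_dirs_pattern` does create, read, write and delete, so only the first copy needs changing.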
++##
++##
++#
++interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
++')
++
++########################################
++##
+ ## Connect to the X server over a unix domain
+ ## stream socket.
+ ##
+@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++ allow xserver_t $1:shm rw_shm_perms;
++')
++
++######################################
++##
++## Dontaudit attempts to connect to xserver
++## over a unix stream socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_stream_connect',`
++ gen_require(`
++ type xserver_t, xserver_tmp_t;
++ ')
++
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ ')
+
+ ########################################
+@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
+ ##
+ ## Interface to provide X object permissions on a given X server to
+ ## an X client domain. Gives the domain permission to read the
+-## virtual core keyboard and virtual core pointer devices. 
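Review bot: xserver_dontaudit_stream_connect does not dontaudit anything — its body is `stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)`, the same allow macro the real xserver_stream_connect uses, so every caller that only wanted to silence denials is actually granted the connection to the X server. The body should be `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;` and `dontaudit $1 xserver_t:unix_stream_socket connectto;`. Separately, `allow xserver_t $1:shm rw_shm_perms;` added to xserver_stream_connect gives the server read/write on the caller's shared memory from an interface whose name promises only a socket connection; if MIT-SHM clients need it, xserver_rw_session or a dedicated interface is the place, or at least a comment should record the reason.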
+ ## + ## + ## +@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',` + # + interface(`xserver_manage_core_devices',` + gen_require(` +- type xserver_t; ++ type xserver_t, root_xdrawable_t, xevent_t; + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; ++ class x_screen all_x_screen_perms; ++ class x_drawable { manage }; ++ attribute x_domain; ++ class x_drawable all_x_drawable_perms; ++ class x_resource all_x_resource_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ class x_cursor all_x_cursor_perms; + ') + + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; ++ allow $1 xserver_t:{ x_screen } setattr; ++ ++ allow $1 x_domain:x_cursor all_x_cursor_perms; ++ allow $1 x_domain:x_drawable all_x_drawable_perms; ++ allow $1 x_domain:x_resource all_x_resource_perms; ++ allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms; ++ allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms; + ') + + ######################################## +@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',` + # + interface(`xserver_unconfined',` + gen_require(` +- attribute x_domain; +- attribute xserver_unconfined_type; ++ attribute x_domain, xserver_unconfined_type; + ') + + typeattribute $1 x_domain; + typeattribute $1 xserver_unconfined_type; + ') ++ ++######################################## ++## ++## Dontaudit append to .xsession-errors file ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_dontaudit_append_xdm_home_files',` ++ gen_require(` ++ type xdm_home_t; ++ ') ++ ++ dontaudit $1 xdm_home_t:file rw_inherited_file_perms; ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_rw_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_rw_cifs_files($1) ++ ') ++') ++ ++######################################## ++## ++## append to .xsession-errors file ++## ++## ++## ++## Domain to not audit ++## ++## ++# 
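Review bot: `xserver_manage_core_devices` now grants far more than its name and the summary just above the hunk ("read the virtual core keyboard and virtual core pointer devices") describe: `all_x_drawable_perms` and `all_x_resource_perms` on every `x_domain` client plus `root_xdrawable_t`, `all_x_cursor_perms`, and `all_x_synthetic_event_perms` on `xevent_t`, which as far as I can tell amounts to reading any client's window contents and injecting input — close to X-unconfined for the caller. Either the summary should state that plainly, or the new rules belong in a separately named interface so callers that only need device access do not inherit them. The require block also lists `class x_drawable` twice (`{ manage }` and then `all_x_drawable_perms`); the first is redundant and can be dropped.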
++interface(`xserver_append_xdm_home_files',` ++ gen_require(` ++ type xdm_home_t, xserver_tmp_t; ++ ') ++ ++ allow $1 xdm_home_t:file append_file_perms; ++ allow $1 xserver_tmp_t:file append_file_perms; ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_append_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_append_cifs_files($1) ++ ') ++') ++ ++####################################### ++## ++## Allow search the xdm_spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_search_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t) ++') ++ ++###################################### ++## ++## Allow read the xdm_spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_read_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, xdm_spool_t, xdm_spool_t) ++') ++ ++######################################## ++## ++## Manage the xdm_spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_manage_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## xdm over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_dbus_chat_xdm',` ++ gen_require(` ++ type xdm_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 xdm_t:dbus send_msg; ++ allow xdm_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Read xserver files created in /var/run ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_read_pid',` ++ gen_require(` ++ type xserver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++') ++ ++######################################## ++## ++## Execute xserver files created in /var/run ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_exec_pid',` ++ gen_require(` ++ type xserver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++') ++ ++######################################## ++## ++## Write xserver files created in /var/run ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_write_pid',` ++ gen_require(` ++ type xserver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++') ++ ++######################################## ++## ++## Allow append the xdm ++## log files. ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_xdm_append_log',` ++ gen_require(` ++ type xdm_log_t; ++ attribute xdmhomewriter; ++ ') ++ ++ typeattribute $1 xdmhomewriter; ++ allow $1 xdm_log_t:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Allow ioctl the xdm log files. ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_xdm_ioctl_log',` ++ gen_require(` ++ type xdm_log_t; ++ ') ++ ++ allow $1 xdm_log_t:file ioctl; ++') ++ ++######################################## ++## ++## Allow append the xdm ++## tmp files. ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_append_xdm_tmp_files',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ ++ allow $1 xdm_tmp_t:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read a user Iceauthority domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_read_user_iceauth',` ++ gen_require(` ++ type iceauth_home_t; ++ ') ++ ++ # Read .Iceauthority file ++ allow $1 iceauth_home_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read/write inherited user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_rw_inherited_user_fonts',` ++ gen_require(` ++ type user_fonts_t, user_fonts_config_t; ++ ') ++ ++ allow $1 user_fonts_t:file rw_inherited_file_perms; ++ allow $1 user_fonts_t:file read_lnk_file_perms; ++ ++ allow $1 user_fonts_config_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Search XDM var lib dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_search_xdm_lib',` ++ gen_require(` ++ type xdm_var_lib_t; ++ ') ++ ++ allow $1 xdm_var_lib_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Make an X executable an entrypoint for the specified domain. ++## ++## ++## ++## The domain for which the shell is an entrypoint. ++## ++## ++# ++interface(`xserver_entry_type',` ++ gen_require(` ++ type xserver_exec_t; ++ ') ++ ++ domain_entry_file($1, xserver_exec_t) ++') ++ ++######################################## ++## ++## Execute xsever in the xserver domain, and ++## allow the specified role the xserver domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the xserver domain. ++## ++## ++## ++# ++interface(`xserver_run',` ++ gen_require(` ++ type xserver_t; ++ ') ++ ++ xserver_domtrans($1) ++ role $2 types xserver_t; ++') ++ ++######################################## ++## ++## Execute xsever in the xserver domain, and ++## allow the specified role the xserver domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the xserver domain. 
++## ++## ++## ++# ++interface(`xserver_run_xauth',` ++ gen_require(` ++ type xauth_t; ++ ') ++ ++ xserver_domtrans_xauth($1) ++ role $2 types xauth_t; ++') ++ ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_read_home_fonts',` ++ gen_require(` ++ type user_fonts_t, user_fonts_config_t; ++ ') ++ ++ list_dirs_pattern($1, user_fonts_t, user_fonts_t) ++ read_files_pattern($1, user_fonts_t, user_fonts_t) ++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++ ++ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++') ++ ++######################################## ++## ++## Manage user fonts dir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_manage_user_fonts_dir',` ++ gen_require(` ++ type user_fonts_t; ++ ') ++ ++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t) ++ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") ++') ++ ++######################################## ++## ++## Manage user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_manage_home_fonts',` ++ gen_require(` ++ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; ++ ') ++ ++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t) ++ manage_files_pattern($1, user_fonts_t, user_fonts_t) ++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++ ++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ ++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d") ++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") ++# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++') ++ ++####################################### ++## ++## Transition to xserver .fontconfig named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_filetrans_fonts_cache_home_content',` ++ gen_require(` ++ type user_fonts_cache_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++') ++ ++######################################## ++## ++## Transition to xserver named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_filetrans_home_content',` ++ gen_require(` ++ type xdm_home_t, xauth_home_t, iceauth_home_t; ++ type user_home_t, user_fonts_t, user_fonts_cache_t; ++ type user_fonts_config_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, 
".xsession-errors-:6") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") ++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") ++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto") ++ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") ++') ++ ++######################################## ++## ++## Create xserver content in admin home ++## directory with a named file transition. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_filetrans_admin_home_content',` ++ gen_require(` ++ type xdm_home_t, xauth_home_t, iceauth_home_t; ++ type user_home_t, user_fonts_t, user_fonts_cache_t; ++ type user_fonts_config_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old") ++ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") ++ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") ++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") ++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") ++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") ++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth") ++ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") ++ userdom_admin_home_dir_filetrans($1, 
user_fonts_config_t, file, ".fonts.conf") ++ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") ++ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") ++ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++ ++ optional_policy(` ++ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") ++ ') ++') ++ ++######################################## ++## ++## Create objects in a xdm temporary directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`xserver_xdm_tmp_filetrans',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ ++ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Dontaudit search ssh home directory ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_search_log',` ++ gen_require(` ++ type xserver_log_t; ++ ') ++ ++ dontaudit $1 xserver_log_t:dir search_dir_perms; ++') +diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te +index 2696452..adbe339 100644 +--- a/policy/modules/services/xserver.te ++++ b/policy/modules/services/xserver.te +@@ -26,28 +26,59 @@ gen_require(` + # + + ## +-##
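Review bot: `xserver_xdm_append_log` does more than its summary says: besides append on xdm_log_t it executes `typeattribute $1 xdmhomewriter;`, attaching the caller to an attribute whose rules live elsewhere, so every caller silently inherits whatever that attribute is later granted. Add `## Also adds the domain to the xdmhomewriter attribute.` to its summary, or move the typeattribute into its own interface. Further doc defects in this hunk: `xserver_dontaudit_search_log` carries the summary "Dontaudit search ssh home directory" while it dontaudits search on xserver_log_t; `xserver_run_xauth` reuses the `xserver_run` text ("Execute xsever in the xserver domain", also a typo) although it transitions to xauth_t; and `xserver_filetrans_home_content` / `xserver_filetrans_admin_home_content` require `user_home_t` without using it.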

    +-## Allows clients to write to the X server shared +-## memory segments. +-##

    ++##

    ++## Allows clients to write to the X server shared ++## memory segments. ++##

    ++##
    ++gen_tunable(xserver_clients_write_xshm, false) ++ ++## ++##

    ++## Allows XServer to execute writable memory ++##

    + ##
    +-gen_tunable(allow_write_xshm, false) ++gen_tunable(xserver_execmem, false) + + ## + ##

    +-## Allow xdm logins as sysadm ++## Allow the graphical login program to execute bootloader + ##

    + ##
    ++gen_tunable(xdm_exec_bootloader, false) ++ ++## ++##

    ++## Allow the graphical login program to login directly as sysadm_r:sysadm_t ++##

    ++##
    + gen_tunable(xdm_sysadm_login, false) + + ## +-##

    +-## Support X userspace object manager +-##

    ++##

    ++## Allow the graphical login program to create files in HOME dirs as xdm_home_t. ++##

    ++##
    ++gen_tunable(xdm_write_home, false) ++ ++## ++##

    ++## Support X userspace object manager ++##

    + ##
    + gen_tunable(xserver_object_manager, false) + ++## ++##

    ++## Allow regular users direct dri device access ++##

    ++##
    ++gen_tunable(selinuxuser_direct_dri_enabled, false) ++ ++attribute xdmhomewriter; ++attribute x_userdomain; + attribute x_domain; ++attribute dridomain; + + # X Events + attribute xevent_type; +@@ -107,44 +138,54 @@ xserver_object_types_template(remote) + xserver_common_x_domain_template(remote, remote_t) + + type user_fonts_t; +-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; ++typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t }; + typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; ++typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; ++typealias user_fonts_t alias xfs_tmp_t; + userdom_user_home_content(user_fonts_t) ++files_tmp_file(user_fonts_t) + + type user_fonts_cache_t; + typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; + typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; ++typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; + userdom_user_home_content(user_fonts_cache_t) + + type user_fonts_config_t; + typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; + typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; ++typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; + userdom_user_home_content(user_fonts_config_t) + + type iceauth_t; + type iceauth_exec_t; + typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; ++typealias iceauth_t alias { xguest_iceauth_t }; + typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; + userdom_user_application_domain(iceauth_t, iceauth_exec_t) + + type iceauth_home_t; + typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; + typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; ++typealias iceauth_home_t alias { 
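Review bot: The boolean `allow_write_xshm` is renamed to `xserver_clients_write_xshm` with no alias or mapping visible in this hunk, so any persisted `setsebool -P allow_write_xshm` state or local module referencing the old name stops applying without any error; if the build carries a boolean-name substitution file, make sure the old name is added there (not visible here — confirm). The description of the new `xserver_execmem` tunable, "Allows XServer to execute writable memory", should name the cost of turning it on, e.g. `## Allows XServer to execute writable memory (removes the W^X protection for the X server process).`, since it is the knob an administrator will be asked to flip when a driver fails. The new attributes `xdmhomewriter`, `x_userdomain` and `dridomain` are declared without a comment on what membership means; one line each would help.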
xguest_iceauth_home_t }; + userdom_user_home_content(iceauth_home_t) + + type xauth_t; + type xauth_exec_t; + typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; + typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; ++typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; + userdom_user_application_domain(xauth_t, xauth_exec_t) + + type xauth_home_t; + typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; + typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; ++typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; + userdom_user_home_content(xauth_home_t) + + type xauth_tmp_t; + typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; ++typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; + typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; + userdom_user_tmp_file(xauth_tmp_t) + +@@ -154,19 +195,28 @@ files_type(xconsole_device_t) + fs_associate_tmpfs(xconsole_device_t) + files_associate_tmp(xconsole_device_t) + +-type xdm_t; ++type xdm_unconfined_exec_t; ++application_executable_file(xdm_unconfined_exec_t) ++ ++type xdm_t alias xdm_dbusd_t; + type xdm_exec_t; + auth_login_pgm_domain(xdm_t) + init_domain(xdm_t, xdm_exec_t) +-init_daemon_domain(xdm_t, xdm_exec_t) ++init_system_domain(xdm_t, xdm_exec_t) + xserver_object_types_template(xdm) + xserver_common_x_domain_template(xdm, xdm_t) + + type xdm_lock_t; + files_lock_file(xdm_lock_t) + ++type xdm_etc_t; ++files_config_file(xdm_etc_t) ++ + type xdm_rw_etc_t; +-files_type(xdm_rw_etc_t) ++files_config_file(xdm_rw_etc_t) ++ ++type xdm_spool_t; ++files_spool_file(xdm_spool_t) + + type xdm_var_lib_t; + files_type(xdm_var_lib_t) +@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t) + type xdm_var_run_t; + files_pid_file(xdm_var_run_t) + ++type xserver_var_lib_t; ++files_type(xserver_var_lib_t) ++ ++type xserver_var_run_t; 
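Review bot: `typealias user_fonts_t alias xfs_tmp_t;` followed by `files_tmp_file(user_fonts_t)` collapses the font server's /tmp type into the user home-content type user_fonts_t, so every domain that can manage user font files in home directories (callers of `xserver_manage_home_fonts` in the .if hunk above) now also manages whatever the font server keeps in /tmp, and vice versa. If this is intended — the `.font-unix` transition in `xserver_manage_user_fonts_dir` relies on user_fonts_t being a tmp type — a comment at the typealias saying why the two types were merged would keep the next reviewer from "fixing" it; otherwise keep xfs_tmp_t separate.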
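Review bot: `type xdm_unconfined_exec_t;` with `application_executable_file(xdm_unconfined_exec_t)` is declared here but no rule in this hunk says what executes it or which domain it leads to; the name implies an unconfined transition out of xdm_t, which is exactly the kind of thing that needs a comment, e.g. `# entrypoint for helpers xdm runs unconfined; transition rules in unconfined module` (confirm where they live). The switch from `init_daemon_domain` to `init_system_domain` for xdm_t also changes how init treats the domain and is worth one line of justification.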
++files_pid_file(xserver_var_run_t) ++ + type xdm_tmp_t; + files_tmp_file(xdm_tmp_t) +-typealias xdm_tmp_t alias ice_tmp_t; ++typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; ++typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; ++userdom_user_tmp_file(xserver_tmp_t) + + type xdm_tmpfs_t; + files_tmpfs_file(xdm_tmpfs_t) + ++type xdm_home_t; ++userdom_user_home_content(xdm_home_t) ++ ++type xdm_log_t; ++logging_log_file(xdm_log_t) ++ + # type for /var/lib/xkb + type xkb_var_lib_t; + files_type(xkb_var_lib_t) +@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; + init_system_domain(xserver_t, xserver_exec_t) + ubac_constrained(xserver_t) + +-type xserver_tmp_t; +-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; +-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; +-userdom_user_tmp_file(xserver_tmp_t) ++type xserver_etc_t; ++files_config_file(xserver_etc_t) + + type xserver_tmpfs_t; +-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; +-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; ++typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; ++typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; + userdom_user_tmpfs_file(xserver_tmpfs_t) + + type xsession_exec_t; +@@ -225,21 +287,33 @@ optional_policy(` + # + + allow iceauth_t iceauth_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) + + allow xdm_t iceauth_home_t:file read_file_perms; + ++dev_read_rand(iceauth_t) ++ + fs_search_auto_mountpoints(iceauth_t) + 
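Review bot: `typealias xdm_tmp_t alias { xserver_tmp_t ... }` merges the X server's socket-directory type with the display manager's general tmp type, and the removal of the standalone `type xserver_tmp_t;` in the next hunk confirms it is now one type. Every caller of the xdm tmp interfaces (`xserver_rw_xdm_tmp_files`, `xserver_manage_xdm_tmp_dirs`, `xserver_relabel_xdm_tmp_dirs`) therefore also gets that access on the directory holding the X server's unix socket, and `xserver_stream_connect` callers get search on all xdm tmp content. That coarsening deserves a comment at the typealias explaining why the separation was dropped. `userdom_user_tmp_file(xserver_tmp_t)` applied to an alias of a type that already has `files_tmp_file(xdm_tmp_t)` looks like a leftover from the old declaration.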
+-userdom_use_user_terminals(iceauth_t) ++userdom_use_inherited_user_terminals(iceauth_t) + userdom_read_user_tmp_files(iceauth_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files(iceauth_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(iceauth_t) ++userdom_read_all_users_state(iceauth_t) ++userdom_home_manager(iceauth_t) ++ ++ifdef(`hide_broken_symptoms',` ++ dev_dontaudit_read_urand(iceauth_t) ++ dev_dontaudit_rw_dri(iceauth_t) ++ dev_dontaudit_rw_generic_dev_nodes(iceauth_t) ++ fs_dontaudit_list_inotifyfs(iceauth_t) ++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t) ++ term_dontaudit_use_unallocated_ttys(iceauth_t) ++ ++ userdom_dontaudit_read_user_home_content_files(iceauth_t) ++ userdom_dontaudit_write_user_home_content_files(iceauth_t) ++ userdom_dontaudit_write_user_tmp_files(iceauth_t) ++ ++ optional_policy(` ++ mozilla_dontaudit_rw_user_home_files(iceauth_t) ++ ') + ') + + ######################################## +@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',` + # Xauth local policy + # + ++allow xauth_t self:capability dac_override; + allow xauth_t self:process signal; ++allow xauth_t self:shm create_shm_perms; + allow xauth_t self:unix_stream_socket create_stream_socket_perms; ++allow xauth_t self:unix_dgram_socket create_socket_perms; ++ ++allow xauth_t xdm_t:process sigchld; ++allow xauth_t xserver_t:unix_stream_socket connectto; ++ ++corenet_tcp_connect_xserver_port(xauth_t) + + allow xauth_t xauth_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) ++ ++manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) ++manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) + + manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) + manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) + files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) + +-allow xdm_t xauth_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) 
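Review bot: `userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)` is removed and nothing in this hunk replaces it, so unless iceauth_t receives the named transitions from `xserver_filetrans_home_content` elsewhere, a newly created `~/.ICEauthority` will get the default home-directory type instead of iceauth_home_t, making it readable by anything with generic user-home access and invisible to `xserver_read_user_iceauth`. Confirm a named transition for iceauth_t exists; if not, restore `userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file, ".ICEauthority")`. Replacing the tunable-guarded NFS/CIFS manage rules with `userdom_home_manager(iceauth_t)` is a broader grant than before; a comment noting that the attribute covers the remote-home cases would explain the swap.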
++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) + ++kernel_read_network_state(xauth_t) ++kernel_read_system_state(xauth_t) + kernel_request_load_module(xauth_t) + ++dev_read_rand(xauth_t) ++dev_read_urand(xauth_t) ++ + domain_use_interactive_fds(xauth_t) ++domain_dontaudit_leaks(xauth_t) + + files_read_etc_files(xauth_t) ++files_read_usr_files(xauth_t) + files_search_pids(xauth_t) ++files_dontaudit_getattr_all_dirs(xauth_t) ++files_dontaudit_leaks(xauth_t) ++files_var_lib_filetrans(xauth_t, xauth_home_t, file) + +-fs_getattr_xattr_fs(xauth_t) ++fs_dontaudit_leaks(xauth_t) ++fs_getattr_all_fs(xauth_t) + fs_search_auto_mountpoints(xauth_t) + +-# cjp: why? +-term_use_ptmx(xauth_t) ++# Probably a leak ++term_dontaudit_use_ptmx(xauth_t) ++term_dontaudit_use_console(xauth_t) + + auth_use_nsswitch(xauth_t) + +-userdom_use_user_terminals(xauth_t) ++userdom_use_inherited_user_terminals(xauth_t) + userdom_read_user_tmp_files(xauth_t) ++userdom_read_all_users_state(xauth_t) ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") + + xserver_rw_xdm_tmp_files(xauth_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files(xauth_t) ++ifdef(`hide_broken_symptoms',` ++ fs_dontaudit_rw_anon_inodefs_files(xauth_t) ++ fs_dontaudit_list_inotifyfs(xauth_t) ++ userdom_manage_user_home_content_files(xauth_t) ++ userdom_manage_user_tmp_files(xauth_t) ++ dev_dontaudit_rw_generic_dev_nodes(xauth_t) ++ miscfiles_read_fonts(xauth_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files(xauth_t) ++userdom_home_manager(xauth_t) ++ 
++ifdef(`hide_broken_symptoms',` ++ term_dontaudit_use_unallocated_ttys(xauth_t) ++ dev_dontaudit_rw_dri(xauth_t) ++') ++ ++optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) + ') + + optional_policy(` ++ ssh_use_ptys(xauth_t) + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) + ssh_dontaudit_rw_tcp_sockets(xauth_t) +@@ -299,64 +414,109 @@ optional_policy(` + # XDM Local policy + # + +-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; ++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; ++allow xdm_t self:capability2 { block_suspend }; ++dontaudit xdm_t self:capability sys_admin; ++tunable_policy(`deny_ptrace',`',` ++ allow xdm_t self:process ptrace; ++') ++ ++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition }; + allow xdm_t self:fifo_file rw_fifo_file_perms; + allow xdm_t self:shm create_shm_perms; + allow xdm_t self:sem create_sem_perms; + allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +-allow xdm_t self:unix_dgram_socket create_socket_perms; ++allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; + allow xdm_t self:tcp_socket create_stream_socket_perms; + allow xdm_t self:udp_socket create_socket_perms; ++allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow xdm_t self:netlink_selinux_socket create_socket_perms; + allow xdm_t self:socket create_socket_perms; + allow xdm_t self:appletalk_socket create_socket_perms; + allow xdm_t self:key { search link write }; ++allow xdm_t self:dbus { send_msg acquire_svc }; ++ ++allow 
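Review bot: The first `ifdef(`hide_broken_symptoms',` block for xauth_t mixes real grants in with dontaudits: by their names `userdom_manage_user_home_content_files(xauth_t)`, `userdom_manage_user_tmp_files(xauth_t)` and `miscfiles_read_fonts(xauth_t)` are allow interfaces, so a build with that flag set quietly gives an authority-file tool create/write/delete over every user home file — and combined with the new `allow xauth_t self:capability dac_override;` that bypasses DAC on them too. Move the allows out of the hide block (or replace them with the matching dontaudit interfaces) and add a comment on the `dac_override` line naming the case that needs it. `files_var_lib_filetrans(xauth_t, xauth_home_t, file)` also labels /var/lib content with a home-content type; if that is for a specific path it reads like it wants its own type or at least a comment.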
xdm_t xauth_home_t:file manage_file_perms;
+ 
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
++manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
++manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
++
++manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
++manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
++xserver_filetrans_home_content(xdm_t)
++xserver_filetrans_admin_home_content(xdm_t)
++
++#Handle mislabeled files in homedir
++userdom_delete_user_home_content_files(xdm_t)
++userdom_signull_unpriv_users(xdm_t)
++userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
+ 
+ # Allow gdm to run gdm-binary
+ can_exec(xdm_t, xdm_exec_t)
++can_exec(xdm_t, xsession_exec_t)
+ 
+ allow xdm_t xdm_lock_t:file manage_file_perms;
+ files_lock_filetrans(xdm_t, xdm_lock_t, file)
+ 
++read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
++read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # wdm has its own config dir /etc/X11/wdm
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+ 
+ manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+ manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
++relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++can_exec(xdm_t, xdm_tmp_t)
+ 
+ manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++
++manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
++
++files_search_spool(xdm_t)
++manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
++manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
++files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
+ 
+ manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+ manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
++manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
++manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
++files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
++# Read machine-id
++files_read_var_lib_files(xdm_t)
+ 
+ manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+ manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+ manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
++manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
++files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
+ 
+-allow xdm_t xserver_t:process signal;
++allow xdm_t xserver_t:process { signal signull };
+ allow xdm_t xserver_t:unix_stream_socket connectto;
+ 
+ allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
+-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
++allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
+ 
+ # transition to the xdm xserver
+ domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
++
++ps_process_pattern(xserver_t, xdm_t)
+ allow xserver_t xdm_t:process signal;
+ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+ 
+ allow xdm_t xserver_t:shm rw_shm_perms;
++read_files_pattern(xdm_t, xserver_t, xserver_t)
+ 
+ # connect to xdm xserver over stream socket
+ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+ delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+ 
++manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
++
+ manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
++manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+-logging_log_filetrans(xdm_t, xserver_log_t, file)
+ 
+ kernel_read_system_state(xdm_t)
++kernel_read_device_sysctls(xdm_t)
+ kernel_read_kernel_sysctls(xdm_t)
+ kernel_read_net_sysctls(xdm_t)
+ kernel_read_network_state(xdm_t)
++kernel_request_load_module(xdm_t)
++kernel_stream_connect(xdm_t)
+ 
+ corecmd_exec_shell(xdm_t)
+ corecmd_exec_bin(xdm_t)
++corecmd_dontaudit_access_all_executables(xdm_t)
+ 
+-corenet_all_recvfrom_unlabeled(xdm_t)
+ corenet_all_recvfrom_netlabel(xdm_t)
+ corenet_tcp_sendrecv_generic_if(xdm_t)
+ corenet_udp_sendrecv_generic_if(xdm_t)
+@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+ corenet_udp_sendrecv_all_ports(xdm_t)
+ corenet_tcp_bind_generic_node(xdm_t)
+ corenet_udp_bind_generic_node(xdm_t)
++corenet_udp_bind_ipp_port(xdm_t)
++corenet_udp_bind_xdmcp_port(xdm_t)
+ corenet_tcp_connect_all_ports(xdm_t)
+ corenet_sendrecv_all_client_packets(xdm_t)
+ # xdm tries to bind to biff_port_t
+ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+ 
++dev_rwx_zero(xdm_t)
+ dev_read_rand(xdm_t)
+-dev_read_sysfs(xdm_t)
++dev_rw_sysfs(xdm_t)
+ dev_getattr_framebuffer_dev(xdm_t)
+ dev_setattr_framebuffer_dev(xdm_t)
+ dev_getattr_mouse_dev(xdm_t)
+ dev_setattr_mouse_dev(xdm_t)
+ dev_rw_apm_bios(xdm_t)
++dev_rw_input_dev(xdm_t)
+ dev_setattr_apm_bios_dev(xdm_t)
+ dev_rw_dri(xdm_t)
+ dev_rw_agp(xdm_t)
++dev_rw_wireless(xdm_t)
+ dev_getattr_xserver_misc_dev(xdm_t)
+ dev_setattr_xserver_misc_dev(xdm_t)
++dev_rw_xserver_misc(xdm_t)
+ dev_getattr_misc_dev(xdm_t)
+ dev_setattr_misc_dev(xdm_t)
+ dev_dontaudit_rw_misc(xdm_t)
+-dev_getattr_video_dev(xdm_t)
++dev_read_video_dev(xdm_t)
++dev_write_video_dev(xdm_t)
+ dev_setattr_video_dev(xdm_t)
+ dev_getattr_scanner_dev(xdm_t)
+ dev_setattr_scanner_dev(xdm_t)
+-dev_getattr_sound_dev(xdm_t)
+-dev_setattr_sound_dev(xdm_t)
++dev_read_sound(xdm_t)
++dev_write_sound(xdm_t)
+ dev_getattr_power_mgmt_dev(xdm_t)
+ dev_setattr_power_mgmt_dev(xdm_t)
++dev_getattr_null_dev(xdm_t)
++dev_setattr_null_dev(xdm_t)
+ 
+ domain_use_interactive_fds(xdm_t)
+ # Do not audit denied probes of /proc.
+ domain_dontaudit_read_all_domains_state(xdm_t)
++domain_dontaudit_signal_all_domains(xdm_t)
++domain_dontaudit_getattr_all_entry_files(xdm_t)
+ 
+ files_read_etc_files(xdm_t)
+ files_read_var_files(xdm_t)
+@@ -430,9 +610,28 @@ files_list_mnt(xdm_t)
+ files_read_usr_files(xdm_t)
+ # Poweroff wants to create the /poweroff file when run from xdm
+ files_create_boot_flag(xdm_t)
++files_dontaudit_getattr_boot_dirs(xdm_t)
++files_dontaudit_write_usr_files(xdm_t)
++files_dontaudit_access_check_etc(xdm_t)
++files_dontaudit_getattr_all_dirs(xdm_t)
++files_dontaudit_getattr_all_symlinks(xdm_t)
++files_dontaudit_getattr_all_tmp_sockets(xdm_t)
++files_dontaudit_all_access_check(xdm_t)
++files_dontaudit_list_non_security(xdm_t)
+ 
+ fs_getattr_all_fs(xdm_t)
+ fs_search_auto_mountpoints(xdm_t)
++fs_search_all(xdm_t)
++fs_rw_anon_inodefs_files(xdm_t)
++fs_mount_tmpfs(xdm_t)
++fs_list_inotifyfs(xdm_t)
++fs_dontaudit_list_noxattr_fs(xdm_t)
++fs_dontaudit_read_noxattr_fs_files(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_manage_cgroup_files(xdm_t)
++
++mls_socket_write_to_clearance(xdm_t)
++mls_trusted_object(xdm_t)
+ 
+ storage_dontaudit_read_fixed_disk(xdm_t)
+ storage_dontaudit_write_fixed_disk(xdm_t)
+@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+ storage_dontaudit_raw_write_removable_device(xdm_t)
+ storage_dontaudit_setattr_removable_dev(xdm_t)
+ storage_dontaudit_rw_scsi_generic(xdm_t)
++storage_dontaudit_rw_fuse(xdm_t)
+ 
+ term_setattr_console(xdm_t)
++term_use_console(xdm_t)
++term_use_virtio_console(xdm_t)
+ term_use_unallocated_ttys(xdm_t)
+ term_setattr_unallocated_ttys(xdm_t)
++term_relabel_all_ttys(xdm_t)
++term_relabel_unallocated_ttys(xdm_t)
+ 
+ auth_domtrans_pam_console(xdm_t)
+-auth_manage_pam_pid(xdm_t)
++#auth_manage_pam_pid(xdm_t)
+ auth_manage_pam_console_data(xdm_t)
++auth_signal_pam(xdm_t)
+ auth_rw_faillog(xdm_t)
+ auth_write_login_records(xdm_t)
+ 
+ # Run telinit->init to shutdown.
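Review bot: `dev_rwx_zero(xdm_t)` and the widening of `dev_read_sysfs(xdm_t)` to `dev_rw_sysfs(xdm_t)` enlarge the display manager's device access with no comment recording what needed them, unlike the existing `# xdm tries to bind to biff_port_t` note a few lines above. A writable-and-executable mapping of /dev/zero is in practice an execmem equivalent and write access to sysfs reaches kernel tunables, so a one-line rationale such as `# rwx /dev/zero, rw sysfs: needed by <component> — TODO record the denial behind this` belongs on each. If the /dev/zero mapping is only for the proprietary-driver case that the `deny_execmem` tunable later in this file handles for xdm_t, it would be more consistent to place it under that same tunable.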
+ init_telinit(xdm_t)
++init_dbus_chat(xdm_t)
++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
++init_status(xdm_t)
++
++application_exec(xdm_t)
+ 
+ libs_exec_lib_files(xdm_t)
++libs_exec_ldconfig(xdm_t)
+ 
+ logging_read_generic_logs(xdm_t)
+ 
+-miscfiles_read_localization(xdm_t)
++miscfiles_search_man_pages(xdm_t)
+ miscfiles_read_fonts(xdm_t)
++miscfiles_manage_fonts_cache(xdm_t)
++miscfiles_manage_localization(xdm_t)
++miscfiles_read_hwdata(xdm_t)
+ 
+-sysnet_read_config(xdm_t)
++systemd_write_inhibit_pipes(xdm_t)
++systemd_dbus_chat_localed(xdm_t)
++systemd_start_power_services(xdm_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+ userdom_create_all_users_keys(xdm_t)
+@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t)
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
++userdom_stream_connect(xdm_t)
++userdom_manage_user_tmp_dirs(xdm_t)
++userdom_manage_user_tmp_files(xdm_t)
++userdom_manage_user_tmp_sockets(xdm_t)
++userdom_manage_tmpfs_role(system_r, xdm_t)
++
++#userdom_home_manager(xdm_t)
++tunable_policy(`xdm_write_home',`
++ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++',`
++ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(xdm_t)
++ fs_manage_nfs_dirs(xdm_t)
++ fs_manage_nfs_files(xdm_t)
++ fs_manage_nfs_symlinks(xdm_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(xdm_t)
++ fs_manage_cifs_files(xdm_t)
++ fs_manage_cifs_symlinks(xdm_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(xdm_t)
++ fs_manage_fusefs_files(xdm_t)
++ fs_manage_fusefs_symlinks(xdm_t)
++')
++
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(xdm_t)
++ fs_manage_ecryptfs_files(xdm_t)
++')
++
++### filename transitions ###
++userdom_filetrans_generic_home_content(xdm_t)
++
++optional_policy(`
++ gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
++')
++
++optional_policy(`
++ apache_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ auth_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ gpg_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ irc_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ mozilla_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ spamassassin_filetrans_home_content(xdm_t)
++ spamassassin_filetrans_admin_home_content(xdm_t)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(xdm_t)
++ ssh_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ thumb_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ tvtime_filetrans_home_content(xdm_t)
++')
++
++optional_policy(`
++ virt_filetrans_home_content(xdm_t)
++')
++
++### end of filename transitions ###
++
++application_signal(xdm_t)
+ 
+ xserver_rw_session(xdm_t, xdm_tmpfs_t)
+ xserver_unconfined(xdm_t)
++xserver_domtrans_xauth(xdm_t)
++
++ifndef(`distro_redhat',`
++ allow xdm_t self:process { execheap execmem };
++')
++
++ifdef(`distro_rhel4',`
++ allow xdm_t self:process { execheap execmem };
++')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xdm_t)
+- fs_manage_nfs_files(xdm_t)
+- fs_manage_nfs_symlinks(xdm_t)
+ fs_exec_nfs_files(xdm_t)
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xdm_t)
+- fs_manage_cifs_files(xdm_t)
+- fs_manage_cifs_symlinks(xdm_t)
+ fs_exec_cifs_files(xdm_t)
+ ')
+ 
++optional_policy(`
++ tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
++ ')
++')
++
+ tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
+@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',`
+ ')
+ 
+ optional_policy(`
++ accountsd_read_lib_files(xdm_t)
++ accountsd_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ acct_dontaudit_list_data(xdm_t)
++')
++
++optional_policy(`
++ boinc_dontaudit_getattr_lib(xdm_t)
++')
++
++optional_policy(`
+ alsa_domtrans(xdm_t)
++ alsa_read_rw_config(xdm_t)
+ ')
+ 
+ optional_policy(`
+ consolekit_dbus_chat(xdm_t)
++ consolekit_read_log(xdm_t)
+ ')
+ 
+ optional_policy(`
+@@ -514,12 +865,57 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ dbus_system_bus_client(xdm_t)
++ dbus_connect_system_bus(xdm_t)
++
++ optional_policy(`
++ bluetooth_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ cpufreqselector_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat_disk(xdm_t)
++ devicekit_dbus_chat_power(xdm_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(xdm_t)
++ ')
++')
++
++optional_policy(`
+ # Talk to the console mouse server.
+ gpm_stream_connect(xdm_t)
+ gpm_setattr_gpmctl(xdm_t)
+ ')
+ 
+ optional_policy(`
++ gnome_stream_connect_gkeyringd(xdm_t)
++ gnome_exec_gstreamer_home_files(xdm_t)
++ gnome_exec_keyringd(xdm_t)
++ gnome_delete_gkeyringd_tmp_content(xdm_t)
++ gnome_manage_config(xdm_t)
++ gnome_manage_gconf_home_files(xdm_t)
++ #gnome_filetrans_home_content(xdm_t)
++ gnome_read_config(xdm_t)
++ gnome_read_usr_config(xdm_t)
++ gnome_read_gconf_config(xdm_t)
++ gnome_transition_gkeyringd(xdm_t)
++ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
++')
++
++optional_policy(`
+ hostname_exec(xdm_t)
+ ')
+ 
+@@ -537,28 +933,78 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ policykit_dbus_chat(xdm_t)
++ policykit_domtrans_auth(xdm_t)
++ policykit_read_lib(xdm_t)
++ policykit_read_reload(xdm_t)
++ policykit_signal_auth(xdm_t)
++')
++
++optional_policy(`
++ pcscd_stream_connect(xdm_t)
++')
++
++optional_policy(`
++ plymouthd_search_spool(xdm_t)
++ plymouthd_exec_plymouth(xdm_t)
++ plymouthd_stream_connect(xdm_t)
++ plymouthd_read_log(xdm_t)
++')
++
++optional_policy(`
++ pulseaudio_exec(xdm_t)
++ pulseaudio_dbus_chat(xdm_t)
++ pulseaudio_stream_connect(xdm_t)
++ pulseaudio_read_state(xserver_t)
++')
++
++optional_policy(`
+ resmgr_stream_connect(xdm_t)
+ ')
+ 
+ optional_policy(`
++ rhev_stream_connect_agentd(xdm_t)
++ rhev_read_pid_files_agentd(xdm_t)
++')
++
++# On crash gdm execs gdb to dump stack
++optional_policy(`
++ rpm_exec(xdm_t)
++ rpm_read_db(xdm_t)
++ rpm_dontaudit_manage_db(xdm_t)
++ rpm_dontaudit_dbus_chat(xdm_t)
++')
++
++optional_policy(`
++ rtkit_scheduled(xdm_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(xdm_t)
+ ')
+ 
+ optional_policy(`
+- udev_read_db(xdm_t)
++ ssh_signull(xdm_t)
+ ')
+ 
+ optional_policy(`
+- unconfined_domain(xdm_t)
+- unconfined_domtrans(xdm_t)
++ shutdown_domtrans(xdm_t)
++')
+ 
+- ifndef(`distro_redhat',`
+- allow xdm_t self:process { execheap execmem };
+- ')
++optional_policy(`
++ telepathy_exec(xdm_t)
++')
+ 
+- ifdef(`distro_rhel4',`
+- allow xdm_t self:process { execheap execmem };
+- ')
++optional_policy(`
++ udev_read_db(xdm_t)
++')
++
++optional_policy(`
++ unconfined_signal(xdm_t)
++')
++
++optional_policy(`
++ usbmuxd_stream_connect(xdm_t)
+ ')
+ 
+ optional_policy(`
+@@ -570,6 +1016,14 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
++ wm_exec(xdm_t)
++')
++
++optional_policy(`
+ xfs_stream_connect(xdm_t)
+ ')
+ 
+@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+ type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+ 
+ allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+-allow xserver_t input_xevent_t:x_event send;
++allow xserver_t xevent_type:x_event send;
+ 
+ # setuid/setgid for the wrapper program to change UID
+ # sys_rawio is for iopl access - should not be needed for frame-buffer
+@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
+ # execheap needed until the X module loader is fixed.
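Review bot: `pulseaudio_read_state(xserver_t)` sits in an `optional_policy` block whose other three rules grant `xdm_t`, so either the subject is a copy-and-paste slip for `pulseaudio_read_state(xdm_t)` or it belongs with the xserver_t rules further down and needs a comment saying why it is here. In the same hunk the comment `# On crash gdm execs gdb to dump stack` introduces a block of `rpm_exec`/`rpm_read_db`/`rpm_dontaudit_*` rules, none of which involve gdb, so the comment should describe the rpm access instead (or move next to whatever grants the gdb execution, which is not in this hunk).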
+ # NVIDIA Needs execstack
+ 
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++
+ dontaudit xserver_t self:capability chown;
++allow xserver_t self:capability2 compromise_kernel;
++
+ allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow xserver_t self:fd use;
+ allow xserver_t self:fifo_file rw_fifo_file_perms;
+@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xserver_t self:tcp_socket create_stream_socket_perms;
+ allow xserver_t self:udp_socket create_socket_perms;
++allow xserver_t self:netlink_selinux_socket create_socket_perms;
+ allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
++allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
++
++domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
++
++allow xserver_t xauth_home_t:file read_file_perms;
++
+ manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+ 
+ filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
+ 
++allow xserver_t xserver_etc_t:dir list_dir_perms;
++read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_lnk_files_pattern(xserver_t,
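Review bot: The two new capability grants, `sys_ptrace` prepended to the `xserver_t` capability set and `allow xserver_t self:capability2 compromise_kernel;`, are the only entries in this block without a justifying comment, while the surrounding comments explain setuid/setgid, sys_rawio, execheap and execstack. `compromise_kernel` is named for what it permits, so the motivating driver or AVC denial should be recorded, e.g. `# sys_ptrace + compromise_kernel: required by <driver or subsystem> — TODO cite the denial`. Note also that the unchanged `allow xserver_t self:process ~{ ptrace ... }` line still withholds the process-level ptrace permission, so confirm the capability alone is what resolved the denial before keeping it.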
xserver_tmpfs_t, xserver_tmpfs_t)
+@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ files_search_var_lib(xserver_t)
+ 
+-domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+-allow xserver_t xauth_home_t:file read_file_perms;
++manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
++manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
++files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
++
++manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
++manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
++manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
++files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
+ 
+ # Create files in /var/log with the xserver_log_t type.
+ manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
+ logging_log_filetrans(xserver_t, xserver_log_t, file)
++manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
+ 
+ kernel_read_system_state(xserver_t)
+ kernel_read_device_sysctls(xserver_t)
+@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+ 
+ # Run helper programs in xserver_t.
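Review bot: `manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` is sandwiched between rules that all target `xserver_var_run_t` and is followed by `files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })`, so it reads as a copy-and-paste slip for `manage_sock_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)`. If the X server really must create sockets in the display manager's pid directory, that deserves its own comment naming the socket, since the hunk at -808 in this same file deliberately limits xserver_t to read access on `xdm_var_run_t`. The same question applies to `manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)` added after the xserver_log_t rules.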
+ corecmd_exec_bin(xserver_t)
+ corecmd_exec_shell(xserver_t)
+ 
+-corenet_all_recvfrom_unlabeled(xserver_t)
+ corenet_all_recvfrom_netlabel(xserver_t)
+ corenet_tcp_sendrecv_generic_if(xserver_t)
+ corenet_udp_sendrecv_generic_if(xserver_t)
+@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
+ dev_rw_agp(xserver_t)
+ dev_rw_framebuffer(xserver_t)
+ dev_manage_dri_dev(xserver_t)
+-dev_filetrans_dri(xserver_t)
+ dev_create_generic_dirs(xserver_t)
+ dev_setattr_generic_dirs(xserver_t)
+ # raw memory access is needed if not using the frame buffer
+ dev_read_raw_memory(xserver_t)
+ dev_wx_raw_memory(xserver_t)
++dev_read_urand(xserver_t)
+ # for other device nodes such as the NVidia binary-only driver
+-dev_rw_xserver_misc(xserver_t)
++dev_manage_xserver_misc(xserver_t)
++dev_filetrans_xserver_misc(xserver_t)
++
+ # read events - the synaptics touchpad driver reads raw events
+ dev_rw_input_dev(xserver_t)
++dev_write_raw_memory(xserver_t)
+ dev_rwx_zero(xserver_t)
+ 
+-domain_dontaudit_search_all_domains_state(xserver_t)
++domain_dontaudit_read_all_domains_state(xserver_t)
++domain_signal_all_domains(xserver_t)
+ 
+ files_read_etc_files(xserver_t)
+ files_read_etc_runtime_files(xserver_t)
+ files_read_usr_files(xserver_t)
++files_rw_tmpfs_files(xserver_t)
+ 
+ # brought on by rhgb
+ files_search_mnt(xserver_t)
+@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
+ fs_search_nfs(xserver_t)
+ fs_search_auto_mountpoints(xserver_t)
+ fs_search_ramfs(xserver_t)
+-
++fs_rw_tmpfs_files(xserver_t)
++
++mls_file_read_to_clearance(xserver_t)
++mls_file_write_all_levels(xserver_t)
++mls_file_upgrade(xserver_t)
++mls_process_write_to_clearance(xserver_t)
++mls_socket_read_to_clearance(xserver_t)
++mls_sysvipc_read_to_clearance(xserver_t)
++mls_sysvipc_write_to_clearance(xserver_t)
++mls_trusted_object(xserver_t)
+ mls_xwin_read_to_clearance(xserver_t)
+ 
+ selinux_validate_context(xserver_t)
+@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
+ term_setattr_unallocated_ttys(xserver_t)
+ term_use_unallocated_ttys(xserver_t)
+ 
+-getty_use_fds(xserver_t)
+-
+ locallogin_use_fds(xserver_t)
+ 
+ logging_send_syslog_msg(xserver_t)
+ logging_send_audit_msgs(xserver_t)
+ 
+-miscfiles_read_localization(xserver_t)
+ miscfiles_read_fonts(xserver_t)
+-
+-modutils_domtrans_insmod(xserver_t)
++miscfiles_read_hwdata(xserver_t)
+ 
+ # read x_contexts
+ seutil_read_default_contexts(xserver_t)
++seutil_read_config(xserver_t)
++seutil_read_file_contexts(xserver_t)
+ 
+ userdom_search_user_home_dirs(xserver_t)
+ userdom_use_user_ttys(xserver_t)
+@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
+ userdom_read_user_tmp_files(xserver_t)
+ userdom_rw_user_tmpfs_files(xserver_t)
+ 
+-xserver_use_user_fonts(xserver_t)
+-
+ ifndef(`distro_redhat',`
+ allow xserver_t self:process { execmem execheap execstack };
+ domain_mmap_low_uncond(xserver_t)
+@@ -775,16 +1260,44 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ consolekit_read_state(xserver_t)
++')
++
++optional_policy(`
++ devicekit_signal_power(xserver_t)
++')
++
++optional_policy(`
++ getty_use_fds(xserver_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(xserver_t)
++')
++
++optional_policy(`
+ rhgb_getpgid(xserver_t)
+ rhgb_signal(xserver_t)
+ ')
+ 
+ optional_policy(`
++ setrans_translate_context(xserver_t)
++')
++
++optional_policy(`
++ sandbox_rw_xserver_tmpfs_files(xserver_t)
++')
++
++optional_policy(`
++ tcpd_wrapped_domain(xserver_t, xserver_exec_t)
++')
++
++optional_policy(`
+ udev_read_db(xserver_t)
+ ')
+ 
+ optional_policy(`
+- unconfined_domain_noaudit(xserver_t)
++ unconfined_domain(xserver_t)
+ unconfined_domtrans(xserver_t)
+ ')
+ 
+@@ -793,6 +1306,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ wine_rw_shm(xserver_t)
++')
++
++optional_policy(`
+ xfs_stream_connect(xserver_t)
+ ')
+ 
+@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+ 
+ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
+ # handle of a file inside the dir!!!
+-allow xserver_t xdm_var_lib_t:file { getattr read };
+-dontaudit xserver_t xdm_var_lib_t:dir search;
++allow xserver_t xdm_var_lib_t:file read_file_perms;
++dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
+ 
+-allow xserver_t xdm_var_run_t:file read_file_perms;
++read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+ 
+ # Label pid and temporary files with derived types.
+ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+ 
+ # Run xkbcomp.
+-allow xserver_t xkb_var_lib_t:lnk_file read;
++allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+ can_exec(xserver_t, xkb_var_lib_t)
+ 
+ # VNC v4 module in X server
+@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
+ # to read ROLE_home_t - examine this in more detail
+ # (xauth?)
+ userdom_read_user_home_content_files(xserver_t)
++userdom_read_all_users_state(xserver_t)
++userdom_home_manager(xserver_t)
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(xserver_t)
+- fs_manage_nfs_files(xserver_t)
+- fs_manage_nfs_symlinks(xserver_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(xserver_t)
+- fs_manage_cifs_files(xserver_t)
+- fs_manage_cifs_symlinks(xserver_t)
+-')
++xserver_use_user_fonts(xserver_t)
+ 
+ optional_policy(`
+ dbus_system_bus_client(xserver_t)
+- hal_dbus_chat(xserver_t)
++
++ optional_policy(`
++ hal_dbus_chat(xserver_t)
++ ')
+ ')
+ 
+ optional_policy(`
+- resmgr_stream_connect(xdm_t)
++ mono_rw_shm(xserver_t)
+ ')
+ 
+ optional_policy(`
+@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+ allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
+ # operations allowed on my windows
+ allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child
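Review bot: `userdom_home_manager(xserver_t)` grants the X server, judging by the interface name, management rights over user home content, whereas the context line above it only grants `userdom_read_user_home_content_files(xserver_t)` and the existing comment already marks even that read access as something `to read ROLE_home_t - examine this in more detail`. The hunk also deletes the `use_nfs_home_dirs`/`use_samba_home_dirs` blocks that previously kept home-directory manage access behind a boolean, so the net result is broader and unconditional. If manage access is needed for the xauth case the comment hints at, name the specific file type in a comment (`# manage needed for <file type> — TODO narrow`); otherwise a read-only interface is the safer default.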
remove_child manage send receive };
+-allow x_domain self:x_drawable { blend };
++allow x_domain self:x_drawable blend;
+ # operations allowed on all windows
+ allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
+ 
+@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
+ # can mess with the screensaver
+ allow x_domain xserver_t:x_screen { getattr saver_getattr };
+ 
++# Device rules
++allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
++allow x_domain xserver_t:x_screen getattr;
++
+ ########################################
+ #
+ # Rules for unconfined access to this module
+ #
+ 
++allow xserver_unconfined_type xserver_t:x_server *;
++allow xserver_unconfined_type xdrawable_type:x_drawable *;
++allow xserver_unconfined_type xserver_t:x_screen *;
++allow xserver_unconfined_type x_domain:x_gc *;
++allow xserver_unconfined_type xcolormap_type:x_colormap *;
++allow xserver_unconfined_type xproperty_type:x_property *;
++allow xserver_unconfined_type xselection_type:x_selection *;
++allow xserver_unconfined_type x_domain:x_cursor *;
++allow xserver_unconfined_type x_domain:x_client *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
++allow xserver_unconfined_type xextension_type:x_extension *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
++allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++
+ tunable_policy(`! xserver_object_manager',`
+ # should be xserver_unconfined(x_domain),
+ # but typeattribute doesnt work in conditionals
+@@ -982,18 +1514,150 @@ tunable_policy(`!
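Review bot: `allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };` under `# Device rules` grants every X client carrying the `x_domain` attribute read and grab on the server's input devices unconditionally, while the block just below keeps the equivalent broad rules inside `tunable_policy(`! xserver_object_manager',...)` so they only apply when the object manager is disabled. With this line in place, turning on `xserver_object_manager` no longer withholds device read/grab from ordinary clients, which removes much of the input isolation the object manager is meant to provide. Either move the rule into that same tunable, or document why an always-on grant is acceptable with a comment such as `# x_device read/grab for all clients: <reason> — TODO revisit`.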
xserver_object_manager',`
+ allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+ ')
+ 
+-allow xserver_unconfined_type xserver_t:x_server *;
+-allow xserver_unconfined_type xdrawable_type:x_drawable *;
+-allow xserver_unconfined_type xserver_t:x_screen *;
+-allow xserver_unconfined_type x_domain:x_gc *;
+-allow xserver_unconfined_type xcolormap_type:x_colormap *;
+-allow xserver_unconfined_type xproperty_type:x_property *;
+-allow xserver_unconfined_type xselection_type:x_selection *;
+-allow xserver_unconfined_type x_domain:x_cursor *;
+-allow xserver_unconfined_type x_domain:x_client *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+-allow xserver_unconfined_type xextension_type:x_extension *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++tunable_policy(`xserver_execmem',`
++ allow xserver_t self:process { execheap execmem execstack };
++')
++
++# Hack to handle the problem of using the nvidia blobs
++tunable_policy(`deny_execmem',`',`
++ allow xdm_t self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ allow xdm_t self:process { execstack execmem };
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_append_nfs_files(xdmhomewriter)
++')
++
++optional_policy(`
++ unconfined_rw_shm(xserver_t)
++
++ # xserver signals unconfined user on startx
++ unconfined_signal(xserver_t)
++ unconfined_getpgid(xserver_t)
++')
++
++allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;
++can_exec(xdm_t, xdm_unconfined_exec_t)
++
++optional_policy(`
++ type xdm_unconfined_t;
++ domain_type(xdm_unconfined_t)
++ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t)
++ role system_r types xdm_unconfined_t;
++
++ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t)
++ unconfined_domain(xdm_unconfined_t)
++')
++
++# X Userdomain
++# Xserver read/write client shm
++allow xserver_t x_userdomain:fd use;
++allow xserver_t x_userdomain:shm rw_shm_perms;
++
++allow xserver_t x_userdomain:process { getpgid signal };
++
++allow xserver_t x_userdomain:shm rw_shm_perms;
++
++allow x_userdomain user_fonts_t:dir list_dir_perms;
++allow x_userdomain user_fonts_t:file read_file_perms;
++allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms;
++
++allow x_userdomain user_fonts_config_t:dir list_dir_perms;
++allow x_userdomain user_fonts_config_t:file read_file_perms;
++
++manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
++manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
++
++stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
++allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
++dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
++files_search_tmp(x_userdomain)
++
++# Communicate via System V shared memory.
++allow x_userdomain xserver_t:shm r_shm_perms;
++allow x_userdomain xserver_tmpfs_t:file read_file_perms;
++
++# allow ps to show iceauth
++ps_process_pattern(x_userdomain, iceauth_t)
++
++domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t)
++
++allow x_userdomain iceauth_home_t:file read_file_perms;
++
++domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t)
++
++allow x_userdomain xauth_t:process signal;
++
++# allow ps to show xauth
++ps_process_pattern(x_userdomain, xauth_t)
++allow x_userdomain xserver_t:process signal;
++
++allow x_userdomain xauth_home_t:file read_file_perms;
++
++# for when /tmp/.X11-unix is created by the system
++allow x_userdomain xdm_t:fd use;
++allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
++allow x_userdomain xdm_tmp_t:dir search_dir_perms;
++allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++dontaudit x_userdomain xdm_t:tcp_socket { read write };
++dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
++
++allow x_userdomain xdm_t:dbus send_msg;
++allow xdm_t x_userdomain:dbus send_msg;
++
++# Client read xserver shm
++allow x_userdomain xserver_t:fd use;
++allow x_userdomain xserver_tmpfs_t:file read_file_perms;
++
++# Read /tmp/.X0-lock
++allow x_userdomain xserver_tmp_t:file read_inherited_file_perms;
++
++dev_rw_xserver_misc(x_userdomain)
++dev_rw_power_management(x_userdomain)
++dev_read_input(x_userdomain)
++dev_read_misc(x_userdomain)
++dev_write_misc(x_userdomain)
++# open office is looking for the following
++dev_getattr_agp_dev(x_userdomain)
++
++# GNOME checks for usb and other devices:
++dev_rw_usbfs(x_userdomain)
++
++miscfiles_read_fonts(x_userdomain)
++miscfiles_setattr_fonts_cache_dirs(x_userdomain)
++miscfiles_read_hwdata(x_userdomain)
++
++#xserver_common_x_domain_template(user, x_userdomain)
++xserver_domtrans(x_userdomain)
++#xserver_unconfined(x_userdomain)
++xserver_xsession_entry_type(x_userdomain)
++xserver_dontaudit_write_log(x_userdomain)
++#xserver_stream_connect_xdm(x_userdomain)
++# certain apps want to read xdm.pid file
++xserver_read_xdm_pid(x_userdomain)
++# gnome-session creates socket under /tmp/.ICE-unix/
++xserver_create_xdm_tmp_sockets(x_userdomain)
++# Needed for escd, remove if we get escd policy
++xserver_manage_xdm_tmp_files(x_userdomain)
++xserver_read_xdm_etc_files(x_userdomain)
++#xserver_xdm_append_log(x_userdomain)
++
++term_use_virtio_console(x_userdomain)
++# Client write xserver shm
++tunable_policy(`xserver_clients_write_xshm',`
++ allow x_userdomain xserver_t:shm rw_shm_perms;
++ allow x_userdomain xserver_tmpfs_t:file rw_file_perms;
++')
++
++optional_policy(`
++ gnome_read_gconf_config(x_userdomain)
++')
++
++tunable_policy(`selinuxuser_direct_dri_enabled',`
++ dev_rw_dri(dridomain)
++',`
++ dev_dontaudit_rw_dri(dridomain)
++')
+diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
+index 1b6619e..be02b96 100644
+--- a/policy/modules/system/application.if
++++ b/policy/modules/system/application.if
+@@ -43,6 +43,27 @@ interface(`application_executable_file',`
+ corecmd_executable_file($1)
+ ')
+ 
++#######################################
++##
++## Make the specified type usable for files
++## that are exectuables, such as binary programs.
++## This does not include shared libraries.
++##
++##
++##
++## Type to be used for files.
++##
++##
++#
++interface(`application_executable_ioctl',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ allow $1 application_exec_type:file ioctl;
++
++')
++
+ ########################################
+ ##
+ ## Execute application executables in the caller domain.
+@@ -76,13 +97,30 @@ interface(`application_exec_all',`
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+- corecmd_exec_chroot($1)
+ 
+ application_exec($1)
+ ')
+ 
+ ########################################
+ ##
++## Dontaudit execute all executable files.
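Review bot: `dev_read_input(x_userdomain)` in the `# X Userdomain` block gives every X user domain read access to the raw input device nodes, bypassing the X server mediation the rest of this file is built around, and unlike the neighbouring `dev_rw_usbfs(x_userdomain)` (`# GNOME checks for usb and other devices:`) it carries no comment; it should at least get a rationale such as `# raw input read: needed by <application> — TODO confirm and narrow` or move behind a tunable. In the same block `allow xserver_t x_userdomain:shm rw_shm_perms;` and `allow x_userdomain xserver_tmpfs_t:file read_file_perms;` are each declared twice. `tunable_policy(`deny_execmem',`',` allow xdm_t self:process execmem; ')` grants xdm_t execmem whenever that boolean is off, with only `# Hack to handle the problem of using the nvidia blobs` as explanation — a pointer to the tracking issue, or to the `xserver_execmem` tunable directly above it, would help. `xdmhomewriter` in `fs_append_nfs_files(xdmhomewriter)` is not declared anywhere in view, so confirm it is defined earlier in the file.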
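Review bot: The documentation header for `application_executable_ioctl` is copied from `application_executable_file` and does not describe the interface: its body is `allow $1 application_exec_type:file ioctl;`, so `$1` is a domain being granted ioctl on application executables, not `Type to be used for files`, and the summary `Make the specified type usable for files that are exectuables` (also a typo for "executables") is wrong. Replace the summary with `Allow the specified domain to ioctl all application executable files.` and the parameter text with `Domain allowed access.`, matching the wording of the other interfaces in this file. The blank line before the closing `')` is a minor style nit.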
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`application_dontaudit_exec',`
++ gen_require(`
++ attribute application_exec_type;
++ ')
++
++ dontaudit $1 application_exec_type:file execute;
++')
++
++########################################
++##
+ ## Create a domain for applications.
+ ##
+ ##
+@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',`
+ 
+ ########################################
+ ##
++## Send kill signals to all application domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`application_sigkill',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process sigkill;
++')
++
++########################################
++##
+ ## Do not audit attempts to send kill signals
+ ## to all application domains.
+ ##
+@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',`
+ 
+ dontaudit $1 application_domain_type:process sigkill;
+ ')
++
++#######################################
++##
++## Getattr all application sockets.
++##
++##
++##
++## Domain allowed access.
++## ++## ++# ++interface(`application_getattr_socket',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ allow $1 application_domain_type:socket_class_set getattr; ++') +diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te +index c6fdab7..af71c62 100644 +--- a/policy/modules/system/application.te ++++ b/policy/modules/system/application.te +@@ -6,15 +6,40 @@ attribute application_domain_type; + # Executables to be run by user + attribute application_exec_type; + ++domain_use_interactive_fds(application_domain_type) ++ ++userdom_inherit_append_user_home_content_files(application_domain_type) ++userdom_inherit_append_admin_home_files(application_domain_type) ++userdom_inherit_append_user_tmp_files(application_domain_type) ++userdom_rw_inherited_user_tmp_files(application_domain_type) ++userdom_rw_inherited_user_pipes(application_domain_type) ++logging_inherit_append_all_logs(application_domain_type) ++ ++files_dontaudit_search_non_security_dirs(application_domain_type) ++ ++auth_login_pgm_sigchld(application_domain_type) ++ ++optional_policy(` ++ afs_rw_udp_sockets(application_domain_type) ++') ++ + optional_policy(` ++ cfengine_append_inherited_log(application_domain_type) ++') ++ ++optional_policy(` ++ cron_rw_inherited_user_spool_files(application_domain_type) + cron_sigchld(application_domain_type) + ') + + optional_policy(` +- ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) + ') + + optional_policy(` ++ screen_sigchld(application_domain_type) ++') ++ ++optional_policy(` + sudo_sigchld(application_domain_type) + ') +diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc +index 28ad538..003b09a 100644 +--- a/policy/modules/system/authlogin.fc ++++ b/policy/modules/system/authlogin.fc +@@ -1,14 +1,28 @@ ++HOME_DIR/\.yubico(/.*)? 
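Review bot: The new block of unconditional grants on `application_domain_type` in application.te (the `userdom_inherit_append_*`, `userdom_rw_inherited_*` and `logging_inherit_append_all_logs` calls) has no comment saying why every application domain needs them, and this attribute covers a very wide set of domains. Judging by the interface names these presumably cover only descriptors inherited from the caller and do not let the domain open the files itself, which is what keeps the grant narrow, but nothing in the hunk says so. A short header such as `# Application domains may use home, tmp and log files handed to them on inherited descriptors, but may not open them` would record the intent, and the same applies to `auth_login_pgm_sigchld(application_domain_type)`.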
gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+ 
+ /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+ 
+-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group[-\+]? 
-- gen_context(system_u:object_r:passwd_file_t,s0) + + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +-/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) ++/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) + /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) + /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +@@ -16,13 +30,24 @@ ifdef(`distro_suse', ` + /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') + ++/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) ++ + /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) + +-/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) ++/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) ++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ifdef(`distro_gentoo', ` + /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') ++/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) ++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++ ++/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) ++ ++/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + + /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) + +@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', ` + + /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/lib/pam_ssh(/.*)? 
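Review bot: `/etc/passwd\.adjunct.*` is labelled `passwd_file_t` in this hunk while `/etc/security/opasswd` goes to `shadow_t`; passwd.adjunct is the traditional companion file that carried the password hashes split out of passwd, so where it exists it holds the same kind of secret as opasswd. Since `auth_read_passwd(nsswitch_domain)` in the authlogin.te hunk later in this patch makes `passwd_file_t` readable by every nsswitch domain, confirm what this path is used for on the targeted systems before giving it the readable type; `shadow_t` is the safer default. Moving the `.pwd.lock`, `passwd.lock` and `group.lock` lock files from `shadow_t` to `passwd_file_t` reads as intentional and is fine as long as those files never carry content.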
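Review bot: `/usr/sbin/unix_chkpwd` is now listed unconditionally two lines above the `ifdef(`distro_gentoo', `` block that lists the same path with the same context, so the Gentoo conditional is redundant after this change and should be dropped rather than left as a duplicate spec. The added `/usr/sbin/pam_console_apply`, `unix_update` and `unix_verify` entries are consistent with their `/sbin` counterparts.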
gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ 
+ /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
+-/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
++/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0)
++/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0)
+ /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
++/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+ 
++/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
++
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+ /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 3efd5b6..08c3e93 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -23,11 +23,17 @@ interface(`auth_role',`
+ role $1 types chkpwd_t;
+ 
+ # Transition from the user domain to this domain.
+- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) ++ auth_domtrans_chkpwd($2) + + ps_process_pattern($2, chkpwd_t) + + dontaudit $2 shadow_t:file read_file_perms; ++ ++ logging_send_syslog_msg($2) ++ logging_send_audit_msgs($2) ++ ++ usermanage_read_crack_db($2) ++ + ') + + ######################################## +@@ -53,10 +59,13 @@ interface(`auth_use_pam',` + auth_read_login_records($1) + auth_append_login_records($1) + auth_rw_lastlog($1) +- auth_rw_faillog($1) ++ auth_create_lastlog($1) ++ auth_manage_faillog($1) + auth_exec_pam($1) + auth_use_nsswitch($1) + ++ init_rw_stream_sockets($1) ++ + logging_send_audit_msgs($1) + logging_send_syslog_msg($1) + +@@ -78,8 +87,19 @@ interface(`auth_use_pam',` + ') + + optional_policy(` ++ locallogin_getattr_home_content($1) ++ ') ++ ++ optional_policy(` + nis_authenticate($1) + ') ++ ++ optional_policy(` ++ systemd_dbus_chat_logind($1) ++ systemd_use_fds_logind($1) ++ systemd_write_inherited_logind_sessions_pipes($1) ++ systemd_read_logind_sessions_files($1) ++ ') + ') + + ######################################## +@@ -95,48 +115,20 @@ interface(`auth_use_pam',` + interface(`auth_login_pgm_domain',` + gen_require(` + type var_auth_t, auth_cache_t; ++ attribute polydomain; ++ attribute login_pgm; + ') + + domain_type($1) ++ typeattribute $1 polydomain; ++ typeattribute $1 login_pgm; ++ + domain_subj_id_change_exemption($1) + domain_role_change_exemption($1) + domain_obj_id_change_exemption($1) + role system_r types $1; + +- # Needed for pam_selinux_permit to cleanup properly +- domain_read_all_domains_state($1) +- domain_kill_all_domains($1) +- +- # pam_keyring +- allow $1 self:capability ipc_lock; +- allow $1 self:process setkeycreate; +- allow $1 self:key manage_key_perms; +- +- files_list_var_lib($1) +- manage_files_pattern($1, var_auth_t, var_auth_t) +- +- manage_dirs_pattern($1, auth_cache_t, auth_cache_t) +- manage_files_pattern($1, auth_cache_t, auth_cache_t) +- manage_sock_files_pattern($1, auth_cache_t, 
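Review bot: `usermanage_read_crack_db($2)` in `auth_role` is a direct call into the usermanage module without the `optional_policy(` wrapper refpolicy uses for interfaces of non-base modules; if usermanage is built as a loadable module, every role that uses `auth_role` now hard-depends on it. The neighbouring `logging_send_audit_msgs($2)` also gives every role's user domain the ability to write audit records, which deserves a one-line justification naming the consumer, e.g. `# PAM helpers run in the user domain report through the audit subsystem — confirm`. The trailing blank line before `')` can be removed.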
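Review bot: `init_rw_stream_sockets($1)` is added to `auth_use_pam`, i.e. to every domain that authenticates through PAM, with no comment saying which PAM module needs init's stream sockets; presumably the systemd-logind integration added in the following hunk, but that should be written down next to the call. Replacing `auth_rw_faillog($1)` with `auth_manage_faillog($1)` and adding `auth_create_lastlog($1)` also lets all PAM users create and delete `faillog_t` directories and files instead of only reading and writing existing ones; `/var/run/faillock(/.*)?` is `faillog_t` in the fc, so a comment such as `# pam_faillock keeps per-user records under /var/run/faillock` would explain the widening.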
auth_cache_t) +- files_var_filetrans($1, auth_cache_t, dir) +- +- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 +- kernel_rw_afs_state($1) +- +- # for fingerprint readers +- dev_rw_input_dev($1) +- dev_rw_generic_usb_dev($1) +- +- files_read_etc_files($1) +- +- fs_list_auto_mountpoints($1) +- + selinux_get_fs_mount($1) +- selinux_validate_context($1) +- selinux_compute_access_vector($1) +- selinux_compute_create_context($1) +- selinux_compute_relabel_context($1) +- selinux_compute_user_contexts($1) + + mls_file_read_all_levels($1) + mls_file_write_all_levels($1) +@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',` + mls_fd_share_all_levels($1) + + auth_use_pam($1) ++') + +- init_rw_utmp($1) +- +- logging_set_loginuid($1) +- logging_set_tty_audit($1) ++######################################## ++## ++## Read authlogin state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authlogin_read_state',` ++ gen_require(` ++ attribute polydomain; ++ ') + +- seutil_read_config($1) +- seutil_read_default_contexts($1) ++ kernel_search_proc($1) ++ ps_process_pattern($1, polydomain) ++') + +- tunable_policy(`allow_polyinstantiation',` +- files_polyinstantiate_all($1) ++######################################## ++## ++## Read and write a authlogin unnamed pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authlogin_rw_pipes',` ++ gen_require(` ++ attribute polydomain; + ') ++ ++ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',` + + ######################################## + ## ++## Execute a login_program in the caller domain. ++## ++## ++## ++## Domain allowed to transition. 
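Review bot: The `gen_require` of `auth_login_pgm_domain` still lists `type var_auth_t, auth_cache_t;`, but this hunk deletes every rule that used them (`manage_files_pattern($1, var_auth_t, var_auth_t)`, the `auth_cache_t` manage patterns and the `files_var_filetrans`), so the require is now dead weight and misleads the next reader about what the interface grants. Either drop the two types from the require or, if those rules were meant to move onto the new `login_pgm` attribute rather than disappear, add them in authlogin.te — as shown the hunk only removes them. The `selinux_validate_context`/`selinux_compute_*` calls are removed the same way; if they live elsewhere in the patch, a comment pointing at the new location would help.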
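Review bot: The two new interfaces `authlogin_read_state` and `authlogin_rw_pipes` use an `authlogin_` prefix while every other interface in this file is `auth_*`, and the summary of `authlogin_read_state`, "Read authlogin state files", does not match its body, which is `kernel_search_proc($1)` plus `ps_process_pattern($1, polydomain)`, i.e. reading the process state of polydomain domains. Rename both to the file's prefix and describe the first as `## Read the process state of login program (polydomain) domains.`; the second's summary should read `## Read and write an authlogin unnamed pipe.`.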
++## ++## ++# ++interface(`auth_exec_login_program',` ++ gen_require(` ++ type login_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, login_exec_t) ++') ++ ++######################################## ++## + ## Execute a login_program in the target domain, + ## with a range transition. + ## +@@ -322,6 +358,24 @@ interface(`auth_rw_cache',` + + ######################################## + ## ++## Create authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_create_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ create_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ ++######################################## ++## + ## Manage authentication cache + ## + ## +@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',` + optional_policy(` + samba_stream_connect_winbind($1) + ') ++ ++ auth_domtrans_upd_passwd($1) + ') + + ######################################## +@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',` + + ######################################## + ## ++## Execute chkpwd in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`auth_exec_chkpwd',` ++ gen_require(` ++ type chkpwd_exec_t; ++ ') ++ ++ allow $1 chkpwd_exec_t:file execute; ++') ++ ++######################################## ++## + ## Execute chkpwd programs in the chkpwd domain. + ## + ## +@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',` + + auth_domtrans_chk_passwd($1) + role $2 types chkpwd_t; ++ auth_run_upd_passwd($1, $2) ++') ++ ++######################################## ++## ++## Send generic signals to chkpwd processes. ++## ++## ++## ++## Domain allowed access. 
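Review bot: The parameter description of `auth_exec_login_program` says `## Domain allowed to transition.` but the interface grants `can_exec($1, login_exec_t)`, execution in the caller's own domain with no transition; use `## Domain allowed access.` as the rest of the file does. The new `auth_exec_chkpwd` in the hunk at -428 carries the same copied description.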
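Review bot: Appending `auth_domtrans_upd_passwd($1)` to `auth_domtrans_chk_passwd` means every existing caller that could only transition to the password-checking helper can now also transition into `updpwd_t`, which elsewhere in this patch gains `auth_manage_passwd(updpwd_t)`; that is a widening for all callers of the interface rather than an opt-in. If this is intended (the fc maps `/sbin/unix_update` to `updpwd_exec_t`, so presumably pam_unix invoking unix_update on password change), say so in a comment above the call and in the interface summary; otherwise keep verification-only callers narrow with a separate interface. `auth_run_upd_passwd($1, $2)` in `auth_run_chk_passwd` in the next hunk repeats the pattern.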
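Review bot: `auth_exec_chkpwd` grants only `chkpwd_exec_t:file execute`, which by itself does not let a domain run the program in its own domain; that needs the `can_exec()` permission set, as `auth_exec_login_program` above correctly uses. Either write `can_exec($1, chkpwd_exec_t)` or, if the bare `execute` is deliberate because callers rely on a separate domain transition, rename and document the interface accordingly, e.g. `## Allow execute permission on chkpwd executables without running them in the caller domain.`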
++## ++## ++# ++interface(`auth_signal_chk_passwd',` ++ gen_require(` ++ type chkpwd_t; ++ ') ++ ++ allow $1 chkpwd_t:process signal; + ') + + ######################################## +@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',` + + domtrans_pattern($1, updpwd_exec_t, updpwd_t) + auth_dontaudit_read_shadow($1) +- + ') + + ######################################## +@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',` + + allow $1 shadow_t:file manage_file_perms; + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ++ files_var_filetrans($1, shadow_t, file, "shadow") ++ files_var_filetrans($1, shadow_t, file, "shadow-") ++ files_etc_filetrans($1, shadow_t, file, "gshadow") ++ files_etc_filetrans($1, shadow_t, file, "nshadow") + ') + + ####################################### +@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',` + ') + + logging_search_logs($1) +- allow $1 faillog_t:file rw_file_perms; ++ rw_files_pattern($1, faillog_t, faillog_t) ++') ++ ++######################################## ++## ++## Relabel the login failure log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_relabel_faillog',` ++ gen_require(` ++ type faillog_t; ++ ') ++ ++ allow $1 faillog_t:dir relabel_dir_perms; ++ allow $1 faillog_t:file relabel_file_perms; ++') ++ ++######################################## ++## ++## Manage the login failure log. ++## ++## ++## ++## Domain allowed access. 
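Review bot: In `auth_manage_shadow`, `files_var_filetrans($1, shadow_t, file, "shadow")` and the `"shadow-"` line transition inside `var_t` directories, while the `gshadow` and `nshadow` lines right below use `files_etc_filetrans`; /etc/shadow lives in /etc (the fc maps `/etc/shadow.*` to `shadow_t`), so a domain creating a fresh `/etc/shadow` or `/etc/shadow-` gets no named transition and the file takes the directory's default label instead of `shadow_t`, while a stray file named `shadow` under /var would be labelled `shadow_t`. `auth_filetrans_named_content` later in this patch uses `files_etc_filetrans($1, shadow_t, file, "shadow")` and `files_etc_filetrans($1, shadow_t, file, "shadow-")`, which is what these two lines should be.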
++## ++## ++# ++interface(`auth_manage_faillog',` ++ gen_require(` ++ type faillog_t; ++ ') ++ ++ logging_search_logs($1) ++ files_search_pids($1) ++ allow $1 faillog_t:dir manage_dir_perms; ++ allow $1 faillog_t:file manage_file_perms; ++ logging_log_named_filetrans($1, faillog_t, file, "tallylog") ++ logging_log_named_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, faillog_t, file, "btmp") + ') + + ####################################### +@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',` + allow $1 lastlog_t:file { rw_file_perms lock setattr }; + ') + ++####################################### ++## ++## Manage create logins log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_create_lastlog',` ++ gen_require(` ++ type lastlog_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 lastlog_t:file create; ++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") ++') ++ + ######################################## + ## +-## Execute pam programs in the pam domain. ++## Execute pam timestamp programs in the pam timestamp domain. + ## + ## + ## +@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',` + ## + ## + # +-interface(`auth_domtrans_pam',` ++interface(`auth_domtrans_pam_timestamp',` + gen_require(` +- type pam_t, pam_exec_t; ++ type pam_timestamp_t, pam_timestamp_exec_t; + ') + +- domtrans_pattern($1, pam_exec_t, pam_t) ++ domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t) ++') ++ ++######################################## ++## ++## Execute pam timestamp programs in the pam timestamp domain. ++## ++## ++## ++## Domain allowed to transition. 
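Review bot: The summary of the new `auth_create_lastlog` interface, `## Manage create logins log.`, is garbled and overstates the grant: the body allows only `lastlog_t:file create` plus the `lastlog` named transition under the log directory, with no read or write. Use `## Create the login records (lastlog) file with the correct label.` so callers do not assume it covers writing; `auth_rw_lastlog` remains the interface for that.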
++## ++## ++# ++interface(`auth_domtrans_pam',` ++ auth_domtrans_pam_timestamp($1) ++ refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.') + ') + + ######################################## +@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',` + # + interface(`auth_signal_pam',` + gen_require(` +- type pam_t; ++ type pam_timestamp_t; + ') + +- allow $1 pam_t:process signal; ++ allow $1 pam_timestamp_t:process signal; + ') + + ######################################## + ## +-## Execute pam programs in the PAM domain. ++## Execute pam_timestamp programs in the PAM timestamp domain. + ## + ## + ## +@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',` + ## + ## + # +-interface(`auth_run_pam',` ++interface(`auth_run_pam_timestamp',` + gen_require(` +- type pam_t; ++ type pam_timestamp_t; + ') + +- auth_domtrans_pam($1) +- role $2 types pam_t; ++ auth_domtrans_pam_timestamp($1) ++ role $2 types pam_timestamp_t; ++') ++ ++######################################## ++## ++## Execute pam_timestamp programs in the PAM timestamp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++# ++interface(`auth_run_pam',` ++ auth_run_pam_timestamp($1, $2) ++ refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.') + ') + + ######################################## +@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',` + ') + + files_search_var($1) +- allow $1 var_auth_t:dir manage_dir_perms; +- allow $1 var_auth_t:file rw_file_perms; +- allow $1 var_auth_t:lnk_file rw_lnk_file_perms; ++ ++ manage_dirs_pattern($1, var_auth_t, var_auth_t) ++ manage_files_pattern($1, var_auth_t, var_auth_t) ++ manage_lnk_files_pattern($1, var_auth_t, var_auth_t) ++') ++ ++######################################## ++## ++## Relabel all var auth files. Used by various other applications ++## and pam applets etc. ++## ++## ++## ++## Domain allowed access. 
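Review bot: The deprecation shims are inconsistent with each other and with their documentation: `auth_domtrans_pam` warns `please use auth_domtrans_pam_timestamp() instead.` while `auth_run_pam` in the hunk at -875 warns `please use auth_run_pam_timestamp.` (no parentheses, no "instead"), and both deprecated interfaces carry the same summary as their replacement instead of saying they are deprecated. Make the second message `refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp() instead.')` and start each deprecated summary with `## Deprecated, use auth_run_pam_timestamp() instead.` (likewise for `auth_domtrans_pam`).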
++## ++## ++# ++interface(`auth_relabel_var_auth_dirs',` ++ gen_require(` ++ type var_auth_t; ++ ') ++ ++ files_search_var($1) ++ relabel_dirs_pattern($1, var_auth_t, var_auth_t) + ') + + ######################################## +@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',` + files_search_pids($1) + allow $1 pam_var_run_t:dir manage_dir_perms; + allow $1 pam_var_run_t:file manage_file_perms; ++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") ++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") ++ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") ++ files_pid_filetrans($1, pam_var_run_t, dir, "sudo") + ') + + ######################################## +@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',` + files_search_pids($1) + manage_files_pattern($1, pam_var_console_t, pam_var_console_t) + manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) ++ files_pid_filetrans($1, pam_var_console_t, dir, "console") + ') + + ####################################### +@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',` + + ######################################## + ## ++## Relabel login record files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_relabel_login_records',` ++ gen_require(` ++ type wtmp_t; ++ ') ++ ++ allow $1 wtmp_t:file relabel_file_perms; ++') ++ ++ ++######################################## ++## + ## Read login records files (/var/log/wtmp). + ## + ## +@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',` + + logging_rw_generic_log_dirs($1) + allow $1 wtmp_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Relabel login record files. +-## +-## +-## +-## Domain allowed access. 
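Review bot: `auth_relabel_var_auth_dirs` is documented as "Relabel all var auth files" but its body is only `relabel_dirs_pattern($1, var_auth_t, var_auth_t)`, so files under /var/lib/pam_ssh and the other `var_auth_t` locations are not covered. Either change the summary to `## Relabel var auth directories.` to match the name, or add `relabel_files_pattern($1, var_auth_t, var_auth_t)` and `relabel_lnk_files_pattern($1, var_auth_t, var_auth_t)` and rename the interface; the rewritten `auth_manage_var_auth` just above covers all three classes and is the model to follow.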
+-## +-## +-# +-interface(`auth_relabel_login_records',` +- gen_require(` +- type wtmp_t; +- ') +- +- allow $1 wtmp_t:file relabel_file_perms; ++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") + ') + + ######################################## +@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',` + ## + # + interface(`auth_use_nsswitch',` +- gen_require(` +- attribute nsswitch_domain; +- ') ++ gen_require(` ++ attribute nsswitch_domain; ++ ') + + typeattribute $1 nsswitch_domain; ++ ++ corenet_all_recvfrom_netlabel($1) + ') + + ######################################## +@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',` + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; + ') ++ ++######################################## ++## ++## Transition to authlogin named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_filetrans_named_content',` ++ gen_require(` ++ type shadow_t; ++ type passwd_file_t; ++ type faillog_t; ++ type lastlog_t; ++ type wtmp_t; ++ type pam_var_console_t; ++ type pam_var_run_t; ++ type auth_cache_t; ++ ') ++ ++ files_etc_filetrans($1, passwd_file_t, file, "group") ++ files_etc_filetrans($1, passwd_file_t, file, "group-") ++ #files_etc_filetrans($1, passwd_file_t, file, "group+") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd-") ++ #files_etc_filetrans($1, passwd_file_t, file, "passwd+") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD") ++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "group.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct") ++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") ++ files_etc_filetrans($1, shadow_t, file, "shadow") ++ files_etc_filetrans($1, shadow_t, file, "shadow-") ++ files_etc_filetrans($1, 
shadow_t, file, "gshadow") ++ files_etc_filetrans($1, shadow_t, file, "opasswd") ++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") ++ logging_log_named_filetrans($1, faillog_t, file, "tallylog") ++ logging_log_named_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, faillog_t, file, "btmp") ++ files_pid_filetrans($1, faillog_t, file, "faillog") ++ files_pid_filetrans($1, faillog_t, dir, "faillock") ++ files_pid_filetrans($1, pam_var_console_t, dir, "console") ++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") ++ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") ++ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") ++ files_pid_filetrans($1, pam_var_run_t, dir, "sudo") ++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") ++ files_var_filetrans($1, auth_cache_t, dir, "coolkey") ++') ++ ++######################################## ++## ++## Get the attributes of the passwd passwords file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_getattr_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 passwd_file_t:file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of the passwd passwords file. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`auth_dontaudit_getattr_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ dontaudit $1 passwd_file_t:file getattr; ++') ++ ++######################################## ++## ++## Read the passwd passwords file (/etc/passwd) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_read_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ allow $1 passwd_file_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read the passwd ++## password file (/etc/passwd). ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`auth_dontaudit_read_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ dontaudit $1 passwd_file_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete the passwd ++## password file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ files_rw_etc_dirs($1) ++ allow $1 passwd_file_t:file manage_file_perms; ++ files_etc_filetrans($1, passwd_file_t, file, "passwd") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd-") ++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") ++ files_etc_filetrans($1, passwd_file_t, file, "group") ++ files_etc_filetrans($1, passwd_file_t, file, "group-") ++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "group.lock") ++') ++ ++######################################## ++## ++## Create auth directory in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_filetrans_admin_home_content',` ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") ++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ++ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico") ++') ++ ++ ++######################################## ++## ++## Read the authorization data in the user home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_read_home_content',` ++ ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, auth_home_t, auth_home_t) ++') ++ ++ ++######################################## ++## ++## Create auth directory in the user home directory ++## with an correct label. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_filetrans_home_content',` ++ ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") ++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ++ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico") ++') ++ ++######################################## ++## ++## Send a SIGCHLD signal to login programs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_login_pgm_sigchld',` ++ gen_require(` ++ attribute login_pgm; ++ ') ++ ++ allow $1 login_pgm:process sigchld; ++') +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 104037e..348e8cf 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) + # Declarations + # + ++## ++##
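Review bot: `auth_read_passwd` lacks the `files_search_etc($1)` that `auth_getattr_passwd` directly above it has, so a domain given only `auth_read_passwd` cannot reach /etc/passwd by path unless it gets /etc search from elsewhere; add the search call for consistency. In `auth_filetrans_named_content` the commented-out `#files_etc_filetrans($1, passwd_file_t, file, "group+")` and `"passwd+"` lines are dead code and should be removed or explained, and `auth_manage_passwd` repeats eight of the same `files_etc_filetrans` lines, so factoring them into one shared helper keeps the two lists from drifting apart. `files_pid_filetrans($1, faillog_t, file, "faillog")` has no matching `/var/run/faillog` entry in the fc hunk, so verify that path is real.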

    ++## Allow users to login using a radius server ++##

    ++##
    ++gen_tunable(authlogin_radius, false) ++ ++## ++##

    ++## Allow users to login using a yubikey server ++##

    ++##
    ++gen_tunable(authlogin_yubikey, false) + + ## + ##

    +@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false) + attribute can_read_shadow_passwords; + attribute can_write_shadow_passwords; + attribute can_relabelto_shadow_passwords; ++attribute polydomain; + attribute nsswitch_domain; ++attribute login_pgm; + + type auth_cache_t; + logging_log_file(auth_cache_t) + ++type auth_home_t; ++userdom_user_home_content(auth_home_t) ++ + type chkpwd_t, can_read_shadow_passwords; + type chkpwd_exec_t; + typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; +-typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; ++typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t }; + application_domain(chkpwd_t, chkpwd_exec_t) + role system_r types chkpwd_t; + + type faillog_t; + logging_log_file(faillog_t) ++mls_trusted_object(faillog_t) + + type lastlog_t; + logging_log_file(lastlog_t) +@@ -42,15 +61,15 @@ type pam_console_exec_t; + init_system_domain(pam_console_t, pam_console_exec_t) + role system_r types pam_console_t; + +-type pam_t; +-domain_type(pam_t) +-role system_r types pam_t; ++type pam_timestamp_t alias pam_t; ++domain_type(pam_timestamp_t) ++role system_r types pam_timestamp_t; + +-type pam_exec_t; +-domain_entry_file(pam_t, pam_exec_t) ++type pam_timestamp_exec_t alias pam_exec_t; ++domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t) + +-type pam_tmp_t; +-files_tmp_file(pam_tmp_t) ++type pam_timestamp_tmp_t; ++files_tmp_file(pam_timestamp_tmp_t) + + type pam_var_console_t; + files_pid_file(pam_var_console_t) +@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; + neverallow ~can_write_shadow_passwords shadow_t:file { create write }; + neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; + ++type passwd_file_t; ++files_type(passwd_file_t) ++ + type updpwd_t; + type updpwd_exec_t; + domain_type(updpwd_t) +@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t) + files_read_etc_files(chkpwd_t) + # for nscd + 
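Review bot: `mls_trusted_object(faillog_t)` is a new MLS-relevant declaration with no comment: marking the failure log as an MLS trusted object relaxes the MLS constraints on accessing it across sensitivity levels, which is a deliberate policy decision that should be recorded next to the line, e.g. `# login programs at every level must record failures in the same faillog/tallylog — confirm`. The new `polydomain` and `login_pgm` attributes are fine but would also benefit from one comment each saying which domains are meant to carry them.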
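Review bot: `pam_tmp_t` is renamed to `pam_timestamp_tmp_t` without an alias, while the two declarations above keep `alias pam_t` and `alias pam_exec_t`; files already labelled `pam_tmp_t` under /tmp and any external module that still references `pam_tmp_t` will be left with an invalid label or fail to load after the upgrade. Declare it as `type pam_timestamp_tmp_t alias pam_tmp_t;` like its siblings.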
files_dontaudit_search_var(chkpwd_t) ++files_read_usr_symlinks(chkpwd_t) ++files_list_tmp(chkpwd_t) + + fs_dontaudit_getattr_xattr_fs(chkpwd_t) + +@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t) + logging_send_audit_msgs(chkpwd_t) + logging_send_syslog_msg(chkpwd_t) + +-miscfiles_read_localization(chkpwd_t) + + seutil_read_config(chkpwd_t) + seutil_dontaudit_use_newrole_fds(chkpwd_t) + +-userdom_use_user_terminals(chkpwd_t) ++userdom_dontaudit_use_user_ttys(chkpwd_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -153,53 +176,52 @@ optional_policy(` + # PAM local policy + # + +-allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +-dontaudit pam_t self:capability sys_tty_config; ++allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++dontaudit pam_timestamp_t self:capability sys_tty_config; + +-allow pam_t self:fd use; +-allow pam_t self:fifo_file rw_file_perms; +-allow pam_t self:unix_dgram_socket create_socket_perms; +-allow pam_t self:unix_stream_socket rw_stream_socket_perms; +-allow pam_t self:unix_dgram_socket sendto; +-allow pam_t self:unix_stream_socket connectto; +-allow pam_t self:shm create_shm_perms; +-allow pam_t self:sem create_sem_perms; +-allow pam_t self:msgq create_msgq_perms; +-allow pam_t self:msg { send receive }; ++allow pam_timestamp_t self:fd use; ++allow pam_timestamp_t self:fifo_file rw_file_perms; ++allow pam_timestamp_t self:unix_dgram_socket create_socket_perms; ++allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms; ++allow pam_timestamp_t self:unix_dgram_socket sendto; ++allow pam_timestamp_t self:unix_stream_socket connectto; ++allow pam_timestamp_t self:shm create_shm_perms; ++allow pam_timestamp_t self:sem create_sem_perms; ++allow pam_timestamp_t self:msgq create_msgq_perms; ++allow pam_timestamp_t self:msg { send receive }; + +-delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) 
+-read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) +-files_list_pids(pam_t) ++delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) ++read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) ++files_list_pids(pam_timestamp_t) + +-allow pam_t pam_tmp_t:dir manage_dir_perms; +-allow pam_t pam_tmp_t:file manage_file_perms; +-files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) ++allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms; ++allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms; ++files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir }) + +-auth_use_nsswitch(pam_t) ++auth_use_nsswitch(pam_timestamp_t) + +-kernel_read_system_state(pam_t) ++kernel_read_system_state(pam_timestamp_t) + +-files_read_etc_files(pam_t) ++files_read_etc_files(pam_timestamp_t) + +-fs_search_auto_mountpoints(pam_t) ++fs_search_auto_mountpoints(pam_timestamp_t) + +-miscfiles_read_localization(pam_t) + +-term_use_all_ttys(pam_t) +-term_use_all_ptys(pam_t) ++term_use_all_ttys(pam_timestamp_t) ++term_use_all_ptys(pam_timestamp_t) + +-init_dontaudit_rw_utmp(pam_t) ++init_dontaudit_rw_utmp(pam_timestamp_t) + +-logging_send_syslog_msg(pam_t) ++logging_send_syslog_msg(pam_timestamp_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +- unconfined_domain(pam_t) ++ unconfined_domain(pam_timestamp_t) + ') + ') + + optional_policy(` +- locallogin_use_fds(pam_t) ++ locallogin_use_fds(pam_timestamp_t) + ') + + ######################################## +@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t) + + logging_send_syslog_msg(pam_console_t) + +-miscfiles_read_localization(pam_console_t) + miscfiles_read_generic_certs(pam_console_t) + + seutil_read_file_contexts(pam_console_t) +@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t) + dev_read_urand(updpwd_t) + + files_manage_etc_files(updpwd_t) ++auth_manage_passwd(updpwd_t) + + term_dontaudit_use_console(updpwd_t) + term_dontaudit_use_unallocated_ttys(updpwd_t) +@@ -350,9 +372,7 
@@ auth_use_nsswitch(updpwd_t) + + logging_send_syslog_msg(updpwd_t) + +-miscfiles_read_localization(updpwd_t) +- +-userdom_use_user_terminals(updpwd_t) ++userdom_use_inherited_user_terminals(updpwd_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t) + term_dontaudit_use_all_ptys(utempter_t) + term_dontaudit_use_ptmx(utempter_t) + ++auth_use_nsswitch(utempter_t) ++ + init_rw_utmp(utempter_t) + + domain_use_interactive_fds(utempter_t) + + logging_search_logs(utempter_t) + +-userdom_use_user_terminals(utempter_t) ++userdom_use_inherited_user_terminals(utempter_t) + # Allow utemper to write to /tmp/.xses-* + userdom_write_user_tmp_files(utempter_t) + +@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',` + ') + + optional_policy(` +- nscd_use(utempter_t) ++ xserver_use_xdm_fds(utempter_t) ++ xserver_rw_xdm_pipes(utempter_t) ++') ++ ++tunable_policy(`polyinstantiation_enabled',` ++ files_polyinstantiate_all(polydomain) + ') + + optional_policy(` +- xserver_use_xdm_fds(utempter_t) +- xserver_rw_xdm_pipes(utempter_t) ++ tunable_policy(`polyinstantiation_enabled',` ++ namespace_init_domtrans(polydomain) ++ ') + ') + +-####################################### ++###################################### + # + # nsswitch_domain local policy + # + ++allow nsswitch_domain self:key manage_key_perms; ++ ++auth_read_passwd(nsswitch_domain) ++ + files_list_var_lib(nsswitch_domain) + + # read /etc/nsswitch.conf +@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain) + + sysnet_dns_name_resolve(nsswitch_domain) + +-tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) ++systemd_hostnamed_read_config(nsswitch_domain) + ++tunable_policy(`authlogin_nsswitch_use_ldap',` + miscfiles_read_generic_certs(nsswitch_domain) + sysnet_use_ldap(nsswitch_domain) + ') + + optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` ++ dirsrv_stream_connect(nsswitch_domain) ++ ') ++') ++ ++optional_policy(` 
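Review bot: The two `tunable_policy(`polyinstantiation_enabled',` blocks for `polydomain` are dropped into the utempter section, right before the `nsswitch_domain local policy` header, with no header or comment of their own, so a reader of utempter_t's rules will take `files_polyinstantiate_all(polydomain)` and `namespace_init_domtrans(polydomain)` as utempter rules. Give them their own `# polydomain local policy` header, or at least a comment such as `# polyinstantiated domains: create per-user instances of polyinstantiated dirs and run namespace.init` above the first block. `allow nsswitch_domain self:key manage_key_perms;` hands keyring management to every domain carrying the nsswitch_domain attribute; the rule is self-scoped, but a comment naming the NSS consumer that needs it would make a later audit of the attribute possible. The `polydomain` attribute is declared outside this hunk.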
++ tunable_policy(`authlogin_nsswitch_use_ldap',` + ldap_stream_connect(nsswitch_domain) + ') + ') +@@ -438,6 +476,7 @@ optional_policy(` + likewise_stream_connect_lsassd(nsswitch_domain) + ') + ++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. + optional_policy(` + kerberos_use(nsswitch_domain) + ') +@@ -456,6 +495,8 @@ optional_policy(` + + optional_policy(` + sssd_stream_connect(nsswitch_domain) ++ sssd_read_public_files(nsswitch_domain) ++ sssd_read_lib_files(nsswitch_domain) + ') + + optional_policy(` +@@ -463,3 +504,133 @@ optional_policy(` + samba_read_var_files(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) + ') ++ ++####################################### ++# ++# Login Program local policy ++# ++ ++domain_read_all_domains_state(login_pgm) ++corecmd_getattr_all_executables(login_pgm) ++domain_kill_all_domains(login_pgm) ++ ++allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms; ++allow login_pgm self:capability ipc_lock; ++allow login_pgm self:process setkeycreate; ++allow login_pgm self:key manage_key_perms; ++userdom_manage_all_users_keys(login_pgm) ++ ++files_list_var_lib(login_pgm) ++manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t) ++manage_files_pattern(login_pgm, var_auth_t, var_auth_t) ++manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t) ++ ++manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t) ++manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) ++manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) ++files_var_filetrans(login_pgm, auth_cache_t, dir) ++ ++manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) ++manage_files_pattern(login_pgm, auth_home_t, auth_home_t) ++auth_filetrans_admin_home_content(login_pgm) ++auth_filetrans_home_content(login_pgm) ++ ++# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 ++kernel_search_network_sysctl(login_pgm) ++kernel_rw_afs_state(login_pgm) ++ 
++tunable_policy(`authlogin_radius',` ++ corenet_udp_bind_all_unreserved_ports(login_pgm) ++') ++ ++tunable_policy(`authlogin_yubikey',` ++ corenet_tcp_connect_http_port(login_pgm) ++') ++ ++corenet_tcp_connect_pki_ca_port(login_pgm) ++ ++# for fingerprint readers ++dev_rw_input_dev(login_pgm) ++dev_rw_generic_usb_dev(login_pgm) ++ ++files_read_config_files(login_pgm) ++ ++fs_list_auto_mountpoints(login_pgm) ++fs_manage_cgroup_dirs(login_pgm) ++fs_manage_cgroup_files(login_pgm) ++fs_read_ecryptfs_symlinks(login_pgm) ++fs_read_ecryptfs_files(login_pgm) ++ ++selinux_validate_context(login_pgm) ++selinux_compute_access_vector(login_pgm) ++selinux_compute_create_context(login_pgm) ++selinux_compute_relabel_context(login_pgm) ++selinux_compute_user_contexts(login_pgm) ++ ++auth_manage_faillog(login_pgm) ++auth_manage_pam_pid(login_pgm) ++ ++init_rw_utmp(login_pgm) ++ ++logging_set_loginuid(login_pgm) ++logging_set_tty_audit(login_pgm) ++ ++miscfiles_dontaudit_write_generic_cert_files(login_pgm) ++ ++seutil_read_config(login_pgm) ++seutil_read_login_config(login_pgm) ++seutil_read_default_contexts(login_pgm) ++systemd_login_read_pid_files(login_pgm) ++ ++userdom_set_rlimitnh(login_pgm) ++userdom_read_user_home_content_symlinks(login_pgm) ++userdom_delete_user_tmp_files(login_pgm) ++userdom_search_admin_dir(login_pgm) ++userdom_stream_connect(login_pgm) ++userdom_manage_user_tmp_dirs(login_pgm) ++userdom_manage_user_tmp_files(login_pgm) ++ ++optional_policy(` ++ afs_read_config(login_pgm) ++ afs_rw_udp_sockets(login_pgm) ++') ++ ++optional_policy(` ++ kerberos_read_config(login_pgm) ++') ++ ++optional_policy(` ++ oddjob_dbus_chat(login_pgm) ++ oddjob_domtrans_mkhomedir(login_pgm) ++') ++ ++optional_policy(` ++ openct_stream_connect(login_pgm) ++ openct_signull(login_pgm) ++ openct_read_pid_files(login_pgm) ++') ++ ++optional_policy(` ++ corecmd_exec_bin(login_pgm) ++ storage_getattr_fixed_disk_dev(login_pgm) ++ mount_domtrans(login_pgm) ++ 
mount_domtrans_ecryptmount(login_pgm) ++') ++ ++optional_policy(` ++ fprintd_dbus_chat(login_pgm) ++') ++ ++optional_policy(` ++ realmd_dbus_chat(login_pgm) ++') ++ ++optional_policy(` ++ # allow execute tmux ++ screen_exec(login_pgm) ++') ++ ++optional_policy(` ++ ssh_agent_exec(login_pgm) ++ ssh_read_user_home_files(login_pgm) ++') +diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc +index c5e05ca..c9ddbee 100644 +--- a/policy/modules/system/clock.fc ++++ b/policy/modules/system/clock.fc +@@ -3,3 +3,5 @@ + + /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + ++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) ++ +diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if +index d475c2d..55305d5 100644 +--- a/policy/modules/system/clock.if ++++ b/policy/modules/system/clock.if +@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',` + allow $1 adjtime_t:file rw_file_perms; + files_list_etc($1) + ') ++ ++######################################## ++##
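Review bot: `corenet_tcp_connect_pki_ca_port(login_pgm)` is granted unconditionally immediately after the `authlogin_radius` and `authlogin_yubikey` tunables gate the other two network grants, so every login program may open a TCP connection to the PKI CA port whether or not certificate-based authentication is in use; either put it under a tunable in the same style or explain why it must always be on, e.g. `# TODO: gate on a tunable; needed by <PAM module> for certificate validation`. `domain_kill_all_domains(login_pgm)` and `domain_read_all_domains_state(login_pgm)` at the top of the block are broad grants to an attribute shared by all login programs and carry no justification; one comment per rule would keep the attribute auditable. `corecmd_exec_bin(login_pgm)` sits inside the `optional_policy` block for the mount interfaces, so it silently disappears when the mount module is absent; if login programs need it in their own right it belongs outside that block. The `login_pgm` attribute is declared outside the hunk.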

    ++## Manage clock drift adjustments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_manage_adjtime',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ allow $1 adjtime_t:file manage_file_perms; ++ files_list_etc($1) ++') ++ ++######################################## ++## ++## Transition to systemd clock content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_filetrans_named_content',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ files_etc_filetrans($1, adjtime_t, file, "adjtime" ) ++') +diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te +index 3694bfe..7fcd27a 100644 +--- a/policy/modules/system/clock.te ++++ b/policy/modules/system/clock.te +@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t) + + term_dontaudit_use_console(hwclock_t) + term_use_unallocated_ttys(hwclock_t) +-term_use_all_ttys(hwclock_t) +-term_use_all_ptys(hwclock_t) ++term_use_all_inherited_ttys(hwclock_t) ++term_use_all_inherited_ptys(hwclock_t) + + domain_use_interactive_fds(hwclock_t) + ++auth_use_nsswitch(hwclock_t) ++ + init_use_fds(hwclock_t) + init_use_script_ptys(hwclock_t) + + logging_send_audit_msgs(hwclock_t) + logging_send_syslog_msg(hwclock_t) + +-miscfiles_read_localization(hwclock_t) + + optional_policy(` + apm_append_log(hwclock_t) +@@ -65,10 +66,6 @@ optional_policy(` + ') + + optional_policy(` +- nscd_use(hwclock_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(hwclock_t) + ') + +diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc +index a97a096..bf726c3 100644 +--- a/policy/modules/system/fstools.fc ++++ b/policy/modules/system/fstools.fc +@@ -1,4 +1,3 @@ +-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -23,7 +22,6 @@ + /sbin/mkfs.* -- 
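Review bot: The summary of `clock_filetrans_named_content` reads `## Transition to systemd clock content`, but the body only adds a named file transition so that a file called `adjtime` created in /etc gets `adjtime_t`; the summary should say that, e.g. `## Create /etc/adjtime with a named file transition to adjtime_t.`. The call also carries a stray space before the closing parenthesis and should read `files_etc_filetrans($1, adjtime_t, file, "adjtime")`. `clock_manage_adjtime` is consistent with the existing `clock_rw_adjtime` shown in the context lines.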
gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -35,13 +33,53 @@ + /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + ++/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++ ++/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fsck.* -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) ++ ++/var/run/blkid(/.*)? 
gen_context(system_u:object_r:fsadm_var_run_t,s0) +diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if +index 016a770..1effeb4 100644 +--- a/policy/modules/system/fstools.if ++++ b/policy/modules/system/fstools.if +@@ -154,3 +154,24 @@ interface(`fstools_getattr_swap_files',` + + allow $1 swapfile_t:file getattr; + ') ++ ++######################################## ++## ++## Create, read, write, and delete the FSADM pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fsadm_manage_pid',` ++ gen_require(` ++ type fsadm_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t) ++ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t) ++ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") ++') +diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te +index 6c4b6ee..f512b72 100644 +--- a/policy/modules/system/fstools.te ++++ b/policy/modules/system/fstools.te +@@ -13,6 +13,9 @@ role system_r types fsadm_t; + type fsadm_log_t; + logging_log_file(fsadm_log_t) + ++type fsadm_var_run_t; ++files_pid_file(fsadm_var_run_t) ++ + type fsadm_tmp_t; + files_tmp_file(fsadm_tmp_t) + +@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive }; + + can_exec(fsadm_t, fsadm_exec_t) + ++manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) ++manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) ++files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file }) ++ + allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; + allow fsadm_t fsadm_tmp_t:file manage_file_perms; + files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) ++files_create_boot_flag(fsadm_t) ++files_setattr_root_dirs(fsadm_t) + + # log files + allow fsadm_t fsadm_log_t:dir setattr; +@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) + # Enable swapping to files + allow fsadm_t swapfile_t:file { rw_file_perms swapon }; + ++kernel_get_sysvipc_info(fsadm_t) + 
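Review bot: The new /usr/sbin block lists merged-/usr copies of most fsadm binaries but not `badblocks` or `mkswap`, whose `/sbin` entries are deleted by the two earlier hunks of this file; unless they are labelled elsewhere in the patch, those two binaries lose `fsadm_exec_t` and will run in the caller's domain instead of transitioning to `fsadm_t`. If the removal is deliberate (they are labelled in another module), a comment on the block saying so would stop someone re-adding them; otherwise add `/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)` and `/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)` alongside the others. The `/var/run/blkid(/.*)?` entry at the end matches the new `fsadm_var_run_t` type introduced in fstools.te.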
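Review bot: `fsadm_manage_pid` breaks the module prefix convention visible in the context line `interface(`fstools_getattr_swap_files'`: the interfaces of fstools.if are named `fstools_*`, so a caller looking for this module's interfaces will not find it. Unless the name is already used by callers elsewhere in the patch, rename it `fstools_manage_pid`, and mention the directory it creates in the summary: `## Create, read, write, and delete the fsadm pid files and the /var/run/blkid directory.`.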
kernel_read_system_state(fsadm_t) + kernel_read_kernel_sysctls(fsadm_t) + kernel_request_load_module(fsadm_t) +@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t) + files_read_etc_files(fsadm_t) + files_manage_lost_found(fsadm_t) + files_manage_isid_type_dirs(fsadm_t) ++# /etc/mtab is a link ++files_read_etc_runtime_files(fsadm_t) + # Write to /etc/mtab. + files_manage_etc_runtime_files(fsadm_t) + files_etc_filetrans_etc_runtime(fsadm_t, file) +@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t) + fs_search_tmpfs(fsadm_t) + fs_getattr_tmpfs_dirs(fsadm_t) + fs_read_tmpfs_symlinks(fsadm_t) ++fs_manage_nfs_files(fsadm_t) ++fs_manage_cifs_files(fsadm_t) ++fs_rw_hugetlbfs_files(fsadm_t) + # Recreate /mnt/cdrom. + files_manage_mnt_dirs(fsadm_t) + # for tune2fs +@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t) + storage_raw_read_removable_device(fsadm_t) + storage_raw_write_removable_device(fsadm_t) + storage_read_scsi_generic(fsadm_t) ++storage_rw_fuse(fsadm_t) + storage_swapon_fixed_disk(fsadm_t) + + term_use_console(fsadm_t) + ++auth_read_passwd(fsadm_t) ++ ++init_read_state(fsadm_t) + init_use_fds(fsadm_t) + init_use_script_ptys(fsadm_t) + init_dontaudit_getattr_initctl(fsadm_t) ++init_stream_connect(fsadm_t) + + logging_send_syslog_msg(fsadm_t) ++logging_send_audit_msgs(fsadm_t) ++logging_stream_connect_syslog(fsadm_t) + +-miscfiles_read_localization(fsadm_t) + + seutil_read_config(fsadm_t) + +-userdom_use_user_terminals(fsadm_t) ++term_use_all_inherited_terms(fsadm_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -166,6 +187,11 @@ optional_policy(` + ') + + optional_policy(` ++ devicekit_dontaudit_read_pid_files(fsadm_t) ++ devicekit_dontaudit_rw_log(fsadm_t) ++') ++ ++optional_policy(` + hal_dontaudit_write_log(fsadm_t) + ') + +@@ -179,6 +205,10 @@ optional_policy(` + ') + + optional_policy(` ++ mount_read_pid_files(fsadm_t) ++') ++ ++optional_policy(` + nis_use_ypbind(fsadm_t) + ') + +@@ -192,6 +222,10 @@ optional_policy(` + ') + + 
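Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` give the filesystem tools unconditional create/write/delete access to every file on NFS and CIFS mounts, and the hunk carries no comment saying which tool needs it; this kind of network-filesystem access is normally gated on a boolean in the style of the existing `use_nfs_home_dirs`/`use_samba_home_dirs` tunables so a site that does not need it can keep it off. Either wrap the two lines in a `tunable_policy` block or add a comment naming the use case, e.g. `# fsadm tools operate on image/swap files that live on NFS or CIFS shares`. `fs_rw_hugetlbfs_files(fsadm_t)` is narrower and needs no gate.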
optional_policy(` ++ virt_read_blk_images(fsadm_t) ++') ++ ++optional_policy(` + xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) + ') +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index e1a1848..4927638 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -3,8 +3,12 @@ + + /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +-/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) +-/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) ++/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0) ++ ++/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++ ++/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) ++/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) + + /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) + +diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if +index e4376aa..2c98c56 100644 +--- a/policy/modules/system/getty.if ++++ b/policy/modules/system/getty.if +@@ -96,3 +96,45 @@ interface(`getty_rw_config',` + files_search_etc($1) + allow $1 getty_etc_t:file rw_file_perms; + ') ++ ++######################################## ++## ++## Execute getty server in the getty domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`getty_systemctl',` ++ gen_require(` ++ type getty_unit_file_t; ++ type getty_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 getty_unit_file_t:file read_file_perms; ++ allow $1 getty_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, getty_t) ++') ++ ++######################################## ++## ++## Start getty unit files domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`getty_start_services',` ++ gen_require(` ++ type getty_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 getty_unit_file_t:service start; ++') +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index fc38c9c..4740426 100644 +--- a/policy/modules/system/getty.te ++++ b/policy/modules/system/getty.te +@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t) + type getty_var_run_t; + files_pid_file(getty_var_run_t) + ++type getty_unit_file_t; ++systemd_unit_file(getty_unit_file_t) ++ ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh) ++') ++ ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh) ++') ++ + ######################################## + # + # Getty local policy +@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t) + term_setattr_all_ttys(getty_t) + term_setattr_unallocated_ttys(getty_t) + term_setattr_console(getty_t) ++term_setattr_usb_ttys(getty_t) ++term_use_console(getty_t) + + auth_rw_login_records(getty_t) ++auth_use_nsswitch(getty_t) + + init_rw_utmp(getty_t) + init_use_script_ptys(getty_t) +@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t) + + logging_send_syslog_msg(getty_t) + +-miscfiles_read_localization(getty_t) + + ifdef(`distro_gentoo',` + # Gentoo default /etc/issue makes agetty +@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',` + ') + ') + +-tunable_policy(`console_login',` ++tunable_policy(`login_console_enabled',` + # Support logging in from /dev/console + term_use_console(getty_t) + ',` +@@ -121,11 +134,15 @@ tunable_policy(`console_login',` + ') + + optional_policy(` +- mta_send_mail(getty_t) ++ hostname_exec(getty_t) + ') + + optional_policy(` +- nscd_use(getty_t) ++ lockdev_manage_files(getty_t) ++') ++ ++optional_policy(` ++ mta_send_mail(getty_t) + ') + + optional_policy(` +diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc +index 9dfecf7..6d00f5c 100644 +--- 
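Review bot: The summary of `getty_systemctl` says `## Execute getty server in the getty domain.`, but the body grants systemctl execution, read access to the unit files, `manage_service_perms` on `getty_unit_file_t:service` and `ps_process_pattern($1, getty_t)`; a caller reading the summary will not expect to receive service start/stop/status, so it should read `## Execute systemctl to manage the getty services and read the getty process state.`. `getty_start_services` is narrower (`start` only), so its summary `## Start getty unit files domain.` could simply be `## Start the getty services via systemctl.`. Both interfaces are complete inside the hunk.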
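Review bot: The added unconditional `term_use_console(getty_t)` makes the `login_console_enabled` tunable (renamed from `console_login` in the later hunk of this file) ineffective for getty: the boolean's true branch grants exactly `term_use_console(getty_t)`, so turning it off no longer withdraws console access from getty_t, and whatever the else branch does (outside this hunk) is moot for console use. If getty must always use /dev/console under systemd, remove the tunable block and say so in a comment; otherwise drop the unconditional line and keep console use under the boolean. `term_setattr_usb_ttys(getty_t)` and `auth_use_nsswitch(getty_t)` raise no concern.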
a/policy/modules/system/hostname.fc ++++ b/policy/modules/system/hostname.fc +@@ -1,2 +1,4 @@ + + /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) ++ ++/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) +diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te +index f6cbda9..51e9aef 100644 +--- a/policy/modules/system/hostname.te ++++ b/policy/modules/system/hostname.te +@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config; + + kernel_list_proc(hostname_t) + kernel_read_proc_symlinks(hostname_t) ++kernel_read_network_state(hostname_t) + + dev_read_sysfs(hostname_t) + # Early devtmpfs, before udev relabel + dev_dontaudit_rw_generic_chr_files(hostname_t) + ++domain_dontaudit_leaks(hostname_t) + domain_use_interactive_fds(hostname_t) + + files_read_etc_files(hostname_t) ++files_dontaudit_leaks(hostname_t) + files_dontaudit_search_var(hostname_t) + # for when /usr is not mounted: + files_dontaudit_search_isid_type_dirs(hostname_t) + + fs_getattr_xattr_fs(hostname_t) + fs_search_auto_mountpoints(hostname_t) ++fs_dontaudit_leaks(hostname_t) + fs_dontaudit_use_tmpfs_chr_dev(hostname_t) + + term_dontaudit_use_console(hostname_t) +-term_use_all_ttys(hostname_t) +-term_use_all_ptys(hostname_t) ++term_use_all_inherited_terms(hostname_t) + + init_use_fds(hostname_t) + init_use_script_fds(hostname_t) + init_use_script_ptys(hostname_t) ++init_rw_inherited_script_tmp_files(hostname_t) + + logging_send_syslog_msg(hostname_t) + +-miscfiles_read_localization(hostname_t) + + sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) + sysnet_read_config(hostname_t) + sysnet_dns_name_resolve(hostname_t) + + optional_policy(` ++ mock_dontaudit_write_lib_chr_files(hostname_t) ++') ++ ++optional_policy(` + nis_use_ypbind(hostname_t) + ') + +diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc +index caf736b..91c4c6f 100644 +--- a/policy/modules/system/hotplug.fc ++++ 
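Review bot: `domain_dontaudit_leaks(hostname_t)`, `files_dontaudit_leaks(hostname_t)` and `fs_dontaudit_leaks(hostname_t)` silence denials on descriptors leaked into hostname_t from any domain, which hides the leaking caller that should be fixed rather than the symptom; the hunk gives no hint which caller leaks. Add a comment naming it, e.g. `# <caller> leaks open fds into hostname; dontaudit until fixed upstream`, so the dontaudits can be removed once the leak is gone. `init_rw_inherited_script_tmp_files(hostname_t)` and `kernel_read_network_state(hostname_t)` are narrow and fine.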
b/policy/modules/system/hotplug.fc +@@ -7,5 +7,8 @@ + /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) + /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) + ++/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) ++/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) ++ + /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) + /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) +diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if +index 40eb10c..2a0a32c 100644 +--- a/policy/modules/system/hotplug.if ++++ b/policy/modules/system/hotplug.if +@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',` + # + interface(`hotplug_exec',` + gen_require(` +- type hotplug_t; ++ type hotplug_exec_t; + ') + + corecmd_search_bin($1) +diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te +index bb5c4a6..7ebb938 100644 +--- a/policy/modules/system/hotplug.te ++++ b/policy/modules/system/hotplug.te +@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) + # + + allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; ++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit hotplug_t self:capability { dac_override dac_read_search }; + allow hotplug_t self:process { setpgid getsession getattr signal_perms }; +@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) + + files_read_kernel_modules(hotplug_t) + +-corenet_all_recvfrom_unlabeled(hotplug_t) + corenet_all_recvfrom_netlabel(hotplug_t) + corenet_tcp_sendrecv_generic_if(hotplug_t) + corenet_udp_sendrecv_generic_if(hotplug_t) +@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t) + # kernel threads inherit from shared descriptor table used by init + init_dontaudit_rw_initctl(hotplug_t) + 
++auth_use_nsswitch(hotplug_t) ++ + logging_send_syslog_msg(hotplug_t) + logging_search_logs(hotplug_t) + +@@ -103,9 +104,6 @@ logging_search_logs(hotplug_t) + libs_read_lib_files(hotplug_t) + + miscfiles_read_hwdata(hotplug_t) +-miscfiles_read_localization(hotplug_t) +- +-seutil_dontaudit_search_config(hotplug_t) + + sysnet_read_config(hotplug_t) + +@@ -164,14 +162,6 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(hotplug_t) +-') +- +-optional_policy(` +- nscd_use(hotplug_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(hotplug_t) + ') + +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index 9a4d3a7..9d960bb 100644 +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -1,6 +1,9 @@ + # + # /etc + # ++/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0) ++ + /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) + /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) + +@@ -29,6 +32,11 @@ ifdef(`distro_gentoo', ` + # + # /sbin + # ++/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) ++ ++# ++# /sbin ++# + /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) + # because nowadays, /sbin/init is often a symlink to /sbin/upstart + /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) +@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', ` + # + /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) + ++/usr/sbin/init(ng)? 
-- gen_context(system_u:object_r:init_exec_t,s0) ++# because nowadays, /sbin/init is often a symlink to /sbin/upstart ++/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ++ ++/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) ++/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) ++ + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) ++ ++/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) + + # + # /var + # ++/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) + /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) ++/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0) + + ifdef(`distro_debian',` + /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) +@@ -73,3 +95,4 @@ ifdef(`distro_suse', ` + /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) + ') ++/var/run/systemd(/.*)? 
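Review bot: `/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)` labels every regular file directly under /usr/lib/systemd as an init_t entrypoint, not only the `systemd` binary, so every helper in that directory (and any file a package or administrator drops there) becomes executable into the most privileged system domain. Prefer explicit entries for the helpers that genuinely must run as init_t, or at least document the broad match: `# every helper directly in /usr/lib/systemd runs as init_t; narrow this once the helpers have their own domains`. The `fedora[^/]*` and `system-generators/[^/]*` entries are more specific and should take precedence where they match, and `/usr/lib/systemd/systemd-fsck` is given `fsadm_exec_t` in fstools.fc by a fully literal path, which should likewise win over the wildcard; worth confirming with a labelling check after the policy is built.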
gen_context(system_u:object_r:init_var_run_t,s0) +diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if +index 24e7804..76da5dd 100644 +--- a/policy/modules/system/init.if ++++ b/policy/modules/system/init.if +@@ -1,5 +1,21 @@ + ## System initialization programs (init and init scripts). + ++###################################### ++## ++## initrc stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`init_stub_initrc',` ++ gen_require(` ++ type initrc_t; ++ ') ++') ++ + ######################################## + ## + ## Create a file type used for init scripts. +@@ -106,6 +122,8 @@ interface(`init_domain',` + role system_r types $1; + + domtrans_pattern(init_t, $2, $1) ++ allow init_t $1:unix_stream_socket create_stream_socket_perms; ++ allow $1 init_t:unix_dgram_socket sendto; + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray +@@ -192,50 +210,43 @@ interface(`init_ranged_domain',` + interface(`init_daemon_domain',` + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; +- type initrc_t; ++ type init_t; + role system_r; + attribute daemon; ++ attribute initrc_transition_domain; ++ attribute initrc_domain; + ') + + typeattribute $1 daemon; ++ typeattribute $2 direct_init_entry; + + domain_type($1) + domain_entry_file($1, $2) + +- role system_r types $1; +- +- domtrans_pattern(initrc_t, $2, $1) +- +- # daemons started from init will +- # inherit fds from init for the console +- init_dontaudit_use_fds($1) +- term_dontaudit_use_console($1) +- +- # init script ptys are the stdin/out/err +- # when using run_init +- init_use_script_ptys($1) ++ type_transition initrc_domain $2:process $1; + + ifdef(`direct_sysadm_daemon',` +- domtrans_pattern(direct_run_init, $2, $1) +- allow direct_run_init $1:process { noatsecure siginh rlimitinh }; +- ++ type_transition direct_run_init $2:process $1; + typeattribute $1 direct_init; +- typeattribute $2 direct_init_entry; +- 
+- userdom_dontaudit_use_user_terminals($1) + ') ++') + +- ifdef(`hide_broken_symptoms',` +- # RHEL4 systems seem to have a stray +- # fds open from the initrd +- ifdef(`distro_rhel4',` +- kernel_dontaudit_use_fds($1) +- ') +- ') ++####################################### ++## ++## Create initrc domain. ++## ++## ++## ++## Type to be used as a initrc daemon domain. ++## ++## ++# ++interface(`init_initrc_domain',` ++ gen_require(` ++ attribute initrc_domain; ++ ') + +- optional_policy(` +- nscd_use($1) +- ') ++ typeattribute $1 initrc_domain; + ') + + ######################################## +@@ -283,17 +294,20 @@ interface(`init_daemon_domain',` + interface(`init_ranged_daemon_domain',` + gen_require(` + type initrc_t; ++ type init_t; + ') + +- init_daemon_domain($1, $2) ++# init_daemon_domain($1, $2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; ++ range_transition init_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) ++ range_transition init_t $2:process $3; + ') + ') + +@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',` + # + interface(`init_system_domain',` + gen_require(` +- type initrc_t; ++ type init_t; + role system_r; ++ attribute initrc_transition_domain; ++ attribute systemprocess, systemprocess_entry; ++ attribute initrc_domain; + ') + ++ typeattribute $1 systemprocess; + application_domain($1, $2) +- + role system_r types $1; ++ typeattribute $2 systemprocess_entry; + +- domtrans_pattern(initrc_t, $2, $1) +- +- ifdef(`hide_broken_symptoms',` +- # RHEL4 systems seem to have a stray +- # fds open from the initrd +- ifdef(`distro_rhel4',` +- kernel_dontaudit_use_fds($1) +- ') +- ') ++ type_transition initrc_domain $2:process $1; + ') + + ######################################## +@@ -401,20 +411,41 @@ interface(`init_system_domain',` + interface(`init_ranged_system_domain',` + gen_require(` + type initrc_t; ++ type init_t; + ') + + init_system_domain($1, 
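Review bot: The rewritten `init_daemon_domain` replaces `domtrans_pattern(initrc_t, $2, $1)` with a bare `type_transition initrc_domain $2:process $1;` and drops `role system_r types $1;`, so the interface itself no longer grants the `entrypoint`/`transition` permissions or the role; this only works if init.te (outside this hunk) carries attribute-wide allow rules for `initrc_domain`, `daemon` and `direct_init_entry` plus the role authorization. The interface documentation, also outside the hunk, should state that: `## The transition allow rules and the system_r role are granted attribute-wide in init.te; this interface only assigns the attributes and the type_transition.`. `typeattribute $2 direct_init_entry;` is now unconditional while `typeattribute $1 direct_init;` stays under `ifdef(`direct_sysadm_daemon'`; if that asymmetry is intended, say so in a comment.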
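Review bot: `+# init_daemon_domain($1, $2)` leaves a commented-out call in `init_ranged_daemon_domain`, so the interface now only adds range transitions and no longer declares the daemon domain; a caller that used it as the single declaration (the getty.te hunk in this patch calls it under `enable_mcs`/`enable_mls`, and whether getty_t is also declared with `init_daemon_domain` is outside that hunk) would be left without the domain transition. Delete the dead line instead of commenting it, and update the interface summary (outside the hunk) to say the domain must already be declared with `init_daemon_domain`. The sibling `init_ranged_system_domain` still calls `init_system_domain($1, $2)`, so the two ranged interfaces are now inconsistent with each other.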
$2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; ++ range_transition init_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; ++ range_transition init_t $2:process $3; + mls_rangetrans_target($1) + ') + ') + ++###################################### ++## ++## Allow domain dyntransition to init_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`init_dyntrans',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dyntrans_pattern($1, init_t) ++') ++ + ######################################## + ## + ## Mark the file type as a daemon run dir, allowing initrc_t +@@ -469,7 +500,6 @@ interface(`init_domtrans',` + ## Domain allowed access. + ## + ## +-## + # + interface(`init_exec',` + gen_require(` +@@ -478,6 +508,48 @@ interface(`init_exec',` + + corecmd_search_bin($1) + can_exec($1, init_exec_t) ++ ++ optional_policy(` ++ systemd_exec_systemctl($1) ++ ') ++') ++ ++####################################### ++## ++## Check access to the init/systemd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_access_check',` ++ gen_require(` ++ type init_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 init_exec_t:file { getattr_file_perms execute }; ++') ++ ++####################################### ++## ++## Dontaudit getattr on the init program. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`init_dontaudit_getattr_exec',` ++ gen_require(` ++ type init_exec_t; ++ ') ++ ++ dontaudit $1 init_exec_t:file getattr; + ') + + ######################################## +@@ -566,6 +638,58 @@ interface(`init_sigchld',` + + ######################################## + ## ++## Send generic signals to init. ++## ++## ++## ++## Domain allowed access. 
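Review bot: `init_dyntrans` lets the caller dynamically transition into `init_t`, which per the init.te hunks below is the domain that loads policy, relabels /dev and /run and is unconfined under `optional_policy`; the summary "Allow domain dyntransition to init_t domain" does not convey that. I would write it as `## Allow dynamic transition to init_t. The caller gains init's full privileges; intended only for domains that are part of the init implementation.` The same hunk adds `init_t` range transitions to `init_ranged_system_domain` beside the existing `initrc_t` ones, which deserves a one-line comment on why both sources are needed.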
++## ++## ++# ++interface(`init_signal',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:process signal; ++') ++ ++######################################## ++## ++## Create objects in the init_var_lib_t directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`init_var_lib_filetrans',` ++ gen_require(` ++ type init_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ filetrans_pattern($1, init_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## + ## Connect to init with a unix socket. + ## + ## +@@ -576,10 +700,66 @@ interface(`init_sigchld',` + # + interface(`init_stream_connect',` + gen_require(` +- type init_t; ++ type init_t, init_var_run_t; + ') + +- allow $1 init_t:unix_stream_socket connectto; ++ files_search_pids($1) ++ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) ++ allow $1 init_t:unix_stream_socket getattr; ++') ++ ++####################################### ++## ++## Dontaudit Connect to init with a unix socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_stream_connect',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:unix_stream_socket connectto; ++') ++ ++###################################### ++## ++## Dontaudit getattr to init with a unix socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_getattr_stream_socket',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:unix_stream_socket getattr; ++') ++ ++###################################### ++## ++## Dontaudit read and write to init with a unix socket. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`init_dontaudit_rw_stream_socket',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:unix_stream_socket { getattr read write }; + ') + + ######################################## +@@ -743,22 +923,23 @@ interface(`init_write_initctl',` + interface(`init_telinit',` + gen_require(` + type initctl_t; ++ type init_t; + ') + ++ corecmd_exec_bin($1) ++ + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; + + init_exec($1) + +- tunable_policy(`init_upstart',` +- gen_require(` +- type init_t; +- ') +- +- # upstart uses a datagram socket instead of initctl pipe +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 init_t:unix_dgram_socket sendto; +- ') ++ ps_process_pattern($1, init_t) ++ allow $1 init_t:process signal; ++ # upstart uses a datagram socket instead of initctl pipe ++ allow $1 self:unix_dgram_socket create_socket_perms; ++ allow $1 init_t:unix_dgram_socket sendto; ++ #576913 ++ allow $1 init_t:unix_stream_socket connectto; + ') + + ######################################## +@@ -787,7 +968,7 @@ interface(`init_rw_initctl',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
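Review bot: `init_telinit` now grants `corecmd_exec_bin($1)` to every caller, which is far broader than executing the init binary that `init_exec($1)` already covers; unless a caller genuinely needs all of bin, that line belongs in the callers that need it. The added `allow $1 init_t:unix_stream_socket connectto;` is justified only by the bare `#576913`, so a reader cannot tell which tracker that is or what the access is for; it should name the tracker and the behaviour, e.g. `# <tracker> 576913: <what the caller does that needs connectto>`. Dropping the `init_upstart` tunable makes the dgram-socket rules unconditional, which is consistent with the tunable's removal in init.te.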
+ ## + ## + # +@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',` + # + interface(`init_spec_domtrans_script',` + gen_require(` +- type initrc_t, initrc_exec_t; ++ type initrc_t; ++ attribute init_script_file_type; + ') + + files_list_etc($1) +- spec_domtrans_pattern($1, initrc_exec_t, initrc_t) ++ spec_domtrans_pattern($1, init_script_file_type, initrc_t) + + ifdef(`distro_gentoo',` + gen_require(` +@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',` + ') + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; ++ range_transition $1 init_script_file_type:process s0; + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') + ') + +@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',` + # + interface(`init_domtrans_script',` + gen_require(` +- type initrc_t, initrc_exec_t; ++ type initrc_t; ++ attribute init_script_file_type; ++ attribute initrc_transition_domain; + ') ++ typeattribute $1 initrc_transition_domain; + + files_list_etc($1) +- domtrans_pattern($1, initrc_exec_t, initrc_t) ++ domtrans_pattern($1, init_script_file_type, initrc_t) + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; ++ range_transition $1 init_script_file_type:process s0; + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; ++ ') ++') ++ ++######################################## ++## ++## Execute a file in a bin directory ++## in the initrc_t domain ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`init_bin_domtrans_spec',` ++ gen_require(` ++ type initrc_t; + ') ++ ++ corecmd_bin_domtrans($1, initrc_t) + ') + + ######################################## +@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',` + interface(`init_labeled_script_domtrans',` + gen_require(` + type initrc_t; ++ attribute initrc_transition_domain; + ') + ++ typeattribute $1 initrc_transition_domain; ++ # service script searches all filesystems via mountpoint ++ fs_search_all($1) + domtrans_pattern($1, $2, initrc_t) ++ allow $1 $2:file ioctl; + files_search_etc($1) + ') + +@@ -1012,6 +1221,42 @@ interface(`init_read_state',` + + ######################################## + ## ++## Read the process keyring of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_key',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:key read; ++') ++ ++######################################## ++## ++## Write the process keyring of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_write_key',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:key read; ++') ++ ++######################################## ++## + ## Ptrace init + ## + ## +@@ -1026,7 +1271,9 @@ interface(`init_ptrace',` + type init_t; + ') + +- allow $1 init_t:process ptrace; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 init_t:process ptrace; ++ ') + ') + + ######################################## +@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',` + + ######################################## + ## ++## Allow the specified domain to modify the systemd configuration of ++## all init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_config_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ allow $1 init_script_file_type:service all_service_perms; ++') ++ ++######################################## ++## + ## Read all init script files. 
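Review bot: `init_bin_domtrans_spec` is named as a specified transition, but its body calls `corecmd_bin_domtrans($1, initrc_t)`, which also installs the automatic type transition, so any bin file the caller executes becomes `initrc_t`. If the explicit-exec form is intended, use `corecmd_bin_spec_domtrans($1, initrc_t)`; otherwise the name and summary should say the transition is automatic. `init_domtrans_script` in the same hunk now also tags callers with `initrc_transition_domain`, which its description could mention.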
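Review bot: `init_write_key` grants `allow $1 init_t:key read;`, the same rule as `init_read_key` directly above it, so the interface does not do what its summary says. It should be `allow $1 init_t:key write;`. In the following hunk, gating `init_ptrace` on the `deny_ptrace` tunable is a good hardening, but the interface summary should mention that the access is subject to that boolean.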
+ ## + ## +@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',` + + ####################################### + ## ++## Dontaudit getattr all init script files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_getattr_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ dontaudit $1 init_script_file_type:file getattr; ++') ++ ++####################################### ++## + ## Dontaudit read all init script files. + ## + ## +@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',` + ') + + kernel_search_proc($1) +- read_files_pattern($1, initrc_t, initrc_t) +- read_lnk_files_pattern($1, initrc_t, initrc_t) +- list_dirs_pattern($1, initrc_t, initrc_t) +- +- # should move this to separate interface +- allow $1 initrc_t:process getattr; ++ ps_process_pattern($1, initrc_t) + ') + + ######################################## +@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` + ######################################## + ## + ## Send and receive messages from +-## init scripts over dbus. ++## init over dbus. + ## + ## + ## +@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` + ## + ## + # +-interface(`init_dbus_chat_script',` ++interface(`init_dbus_chat',` + gen_require(` +- type initrc_t; ++ type init_t; + class dbus send_msg; + ') + +- allow $1 initrc_t:dbus send_msg; +- allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; + ') + + ######################################## + ## +-## Read and write the init script pty. ++## Send and receive messages from ++## init scripts over dbus. + ## +-## +-##

    +-## Read and write the init script pty. This ++## ++##

    ++## Domain allowed access. ++## ++## ++# ++interface(`init_dbus_chat_script',` ++ gen_require(` ++ type initrc_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 initrc_t:dbus send_msg; ++ allow initrc_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Read and write the init script pty. ++## ++## ++##

    ++## Read and write the init script pty. This + ## pty is generally opened by the open_init_pty + ## portion of the run_init program so that the + ## daemon does not require direct access to +@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',` + + ######################################## + ##

    ++## Manage init script ++## status files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_script_status_files',` ++ gen_require(` ++ type initrc_state_t; ++ ') ++ ++ manage_files_pattern($1, initrc_state_t, initrc_state_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to read init script + ## status files. + ## +@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',` + + ######################################## + ## ++## Read and write init script inherited temporary data. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_rw_inherited_script_tmp_files',` ++ gen_require(` ++ type initrc_tmp_t; ++ ') ++ ++ allow $1 initrc_tmp_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Create files in a init script + ## temporary data directory. + ## +@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',` + + ######################################## + ## ++## Read utmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_machineid',` ++ gen_require(` ++ type machineid_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 machineid_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read utmp. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_read_utmp',` ++ gen_require(` ++ type initrc_var_run_t; ++ ') ++ ++ dontaudit $1 initrc_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to write utmp. 
+ ## + ## +@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',` + type initrc_var_run_t; + ') + +- dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; ++ dontaudit $1 initrc_var_run_t:file rw_file_perms; + ') + + ######################################## +@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',` + files_pid_filetrans($1, initrc_var_run_t, file, "utmp") + ') + ++###################################### ++## ++## Allow search directory in the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_search_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:dir search_dir_perms; ++') ++ ++###################################### ++## ++## Allow listing of the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_list_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:dir list_dir_perms; ++') ++ ++####################################### ++## ++## Create a directory in the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_create_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:dir list_dir_perms; ++ create_dirs_pattern($1, init_var_run_t, init_var_run_t) ++') ++ ++####################################### ++## ++## Create objects in /run/systemd directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. 
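Review bot: `init_read_machineid`'s summary reads "Read utmp.", copied from the interface before it, so the generated interface documentation is misleading; it should say `## Read the machine-id file (machineid_t).` The hunk at @@ -1744,7 +2118,7 @@ replaces the explicit permission set with `rw_file_perms`, which covers the old set and is fine for a dontaudit.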
++## ++## ++# ++interface(`init_pid_filetrans',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ filetrans_pattern($1, init_var_run_t, $2, $3, $4) ++') ++ ++####################################### ++## ++## Create objects in /run/systemd directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`init_named_pid_filetrans',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ filetrans_pattern($1, init_var_run_t, $2, $3, $4) ++') ++ + ######################################## + ## + ## Allow the specified domain to connect to daemon with a tcp socket +@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',` + ') + corenet_udp_recvfrom_labeled($1, daemon) + ') ++ ++######################################## ++## ++## Transition to system_r when execute an init script ++## ++## ++##
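Review bot: `init_pid_filetrans` and `init_named_pid_filetrans` have byte-identical bodies (`files_search_pids($1)` plus `filetrans_pattern($1, init_var_run_t, $2, $3, $4)`) and identical descriptions, so one of them is redundant. Keep one, or make `init_named_pid_filetrans` a wrapper that calls `init_pid_filetrans($1, $2, $3, $4)` and documents when the name argument is required. `init_create_pid_dirs` also grants `list_dir_perms` on top of `create_dirs_pattern`, which its summary "Create a directory" does not mention.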

    ++## Execute a init script in a specified role ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++## ++## ++## Role to transition from. ++## ++## ++# ++interface(`init_script_role_transition',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ role_transition $1 init_script_file_type system_r; ++') ++ ++######################################## ++## ++## dontaudit read and write an leaked init scrip file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_script_leaks',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ dontaudit $1 initrc_t:socket_class_set { read write }; ++ dontaudit $1 initrc_t:shm rw_shm_perms; ++ init_dontaudit_use_script_ptys($1) ++ init_dontaudit_use_script_fds($1) ++') ++ ++####################################### ++## ++## Allow the specified domain to ioctl an ++## init with a unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_ioctl_stream_sockets',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket ioctl; ++') ++ ++######################################## ++## ++## Allow the specified domain to read/write to ++## init with a unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_rw_stream_sockets',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket rw_stream_socket_perms; ++') ++ ++####################################### ++## ++## Allow the specified domain to write to ++## init sock file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_write_pid_socket',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:sock_file write; ++') ++ ++######################################## ++## ++## Send a message to init over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`init_dgram_send',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_dgram_socket sendto; ++') ++ ++######################################## ++## ++## Send a message to init over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stream_send',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket sendto; ++') ++ ++######################################## ++## ++## Create a file type used for init socket files. ++## ++## ++##

    ++## This defines a type that init can create sock_file within for ++## impersonation purposes ++##

    ++##
    ++## ++## ++## Type to be used for a sock file. ++## ++## ++## ++# ++interface(`init_sock_file',` ++ gen_require(` ++ attribute init_sock_file_type; ++ ') ++ ++ typeattribute $1 init_sock_file_type; ++ ++') ++ ++######################################## ++## ++## Read init unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_pipes',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) ++') ++ ++######################################## ++## ++## Read/Write init unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_rw_pipes',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t) ++') ++ ++######################################## ++## ++## Get the system status information from init ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_status',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system status; ++ allow $1 init_t:service status; ++') ++ ++######################################## ++## ++## Tell init to reboot the system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_reboot',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system reboot; ++ systemd_config_power_services($1) ++') ++ ++######################################## ++## ++## Tell init to enable the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_enable_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system enable; ++') ++ ++######################################## ++## ++## Tell init to disable the services. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`init_disable_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system disable; ++') ++ ++######################################## ++## ++## Tell init to reload the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_reload_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system reload; ++') ++ ++######################################## ++## ++## Tell init to halt the system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_halt',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system halt; ++ systemd_config_power_services($1) ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_undefined',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system undefined; ++') ++ ++######################################## ++## ++## Transition to init named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_filetrans_named_content',` ++ gen_require(` ++ type init_var_run_t; ++ type initrc_var_run_t; ++ type machineid_t; ++ ') ++ ++ files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ++ files_pid_filetrans($1, init_var_run_t, file, "random-seed") ++ files_etc_filetrans($1, machineid_t, file, "machine-id" ) ++') +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index dd3be8d..0996734 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -11,10 +11,31 @@ gen_require(` + + ## + ##
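Review bot: `init_reboot` and `init_halt` call `systemd_config_power_services($1)` directly, while `init_exec` in this same file wraps `systemd_exec_systemctl($1)` in `optional_policy`; if the systemd module can be absent the direct calls fail to link, and if it cannot, the optional block in `init_exec` is misleading, so the two should agree. Smaller points in the hunk: the summary of `init_dontaudit_script_leaks` should read `## Do not audit reads and writes of leaked init script file descriptors.`, `init_sock_file` has a stray blank line before its closing `')`, and `init_undefined` grants `system undefined` with a summary ("Tell init to do an unknown access") that does not say when a caller would legitimately need it.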

    +-## Enable support for upstart as the init program. ++## Allow all daemons to use tcp wrappers. + ##

    + ##
    +-gen_tunable(init_upstart, false) ++gen_tunable(daemons_use_tcp_wrapper, false) ++ ++## ++##

    ++## Allow all daemons the ability to read/write terminals ++##

    ++##
    ++gen_tunable(daemons_use_tty, false) ++ ++## ++##

    ++## Allow all daemons to write corefiles to / ++##

    ++##
    ++gen_tunable(daemons_dump_core, false) ++ ++## ++##

    ++## Enable cluster mode for daemons. ++##

    ++##
    ++gen_tunable(daemons_enable_cluster_mode, false) + + # used for direct running of init scripts + # by admin domains +@@ -25,9 +46,17 @@ attribute direct_init_entry; + attribute init_script_domain_type; + attribute init_script_file_type; + attribute init_run_all_scripts_domain; ++attribute initrc_transition_domain; ++# Attribute used for systemd so domains can allow systemd to create sock_files ++attribute init_sock_file_type; + + # Mark process types as daemons + attribute daemon; ++attribute systemprocess; ++attribute systemprocess_entry; ++ ++# Mark process types as initrc domain ++attribute initrc_domain; + + # Mark file type as a daemon run directory + attribute daemonrundir; +@@ -35,12 +64,14 @@ attribute daemonrundir; + # + # init_t is the domain of the init process. + # +-type init_t; ++type init_t, initrc_transition_domain; + type init_exec_t; + domain_type(init_t) + domain_entry_file(init_t, init_exec_t) ++domain_role_change_exemption(init_t) + kernel_domtrans_to(init_t, init_exec_t) + role system_r types init_t; ++init_initrc_domain(init_t) + + # + # init_var_run_t is the type for /var/run/shutdown.pid. +@@ -49,6 +80,15 @@ type init_var_run_t; + files_pid_file(init_var_run_t) + + # ++# init_var_lib_t is the type for /var/lib/systemd ++# ++type init_var_lib_t; ++files_type(init_var_lib_t) ++ ++type machineid_t; ++files_config_file(machineid_t) ++ ++# + # initctl_t is the type of the named pipe created + # by init during initialization. This pipe is used + # to communicate with init. +@@ -57,7 +97,7 @@ type initctl_t; + files_type(initctl_t) + mls_trusted_object(initctl_t) + +-type initrc_t, init_script_domain_type, init_run_all_scripts_domain; ++type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain; + type initrc_exec_t, init_script_file_type; + domain_type(initrc_t) + domain_entry_file(initrc_t, initrc_exec_t) +@@ -98,7 +138,9 @@ ifdef(`enable_mls',` + # + + # Use capabilities. 
old rule: +-allow init_t self:capability ~sys_module; ++allow init_t self:capability ~{ audit_control audit_write sys_module }; ++allow init_t self:capability2 ~{ mac_admin mac_override }; ++allow init_t self:key manage_key_perms; + # is ~sys_module really needed? observed: + # sys_boot + # sys_tty_config +@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; + + # Re-exec itself + can_exec(init_t, init_exec_t) +- +-allow init_t initrc_t:unix_stream_socket connectto; +- +-# For /var/run/shutdown.pid. +-allow init_t init_var_run_t:file manage_file_perms; +-files_pid_filetrans(init_t, init_var_run_t, file) ++# executing content in /run/initramfs ++manage_files_pattern(init_t, initrc_state_t, initrc_state_t) ++can_exec(init_t, initrc_state_t) ++ ++allow daemon initrc_t:unix_dgram_socket sendto; ++allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms }; ++allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto }; ++allow initrc_t init_t:fifo_file rw_fifo_file_perms; ++ ++manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t) ++manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t) ++manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) ++manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t) ++files_var_lib_filetrans(init_t, init_var_lib_t, { dir file }) ++ ++manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_files_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) ++files_pid_filetrans(init_t, init_var_run_t, { dir file }) ++allow init_t init_var_run_t:dir mounton; ++allow init_t init_var_run_t:sock_file relabelto; ++ ++allow init_t machineid_t:file manage_file_perms; ++files_pid_filetrans(init_t, machineid_t, file, "machine-id") ++files_etc_filetrans(init_t, machineid_t, file, "machine-id") ++allow init_t 
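Review bot: `allow init_t self:capability ~{ audit_control audit_write sys_module };` and `allow init_t self:capability2 ~{ mac_admin mac_override };` are negated sets, so any capability added to the class definitions later is granted to init_t automatically; an explicit list is easier to audit, or at minimum the exclusions need a comment saying why those are the only ones withheld. The comment kept below the rule, `# is ~sys_module really needed? observed: sys_boot, sys_tty_config`, now describes a rule that no longer exists and should be updated or removed. The enclosing capability block continues beyond the hunk.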
machineid_t:file mounton; + + allow init_t initctl_t:fifo_file manage_fifo_file_perms; + dev_filetrans(init_t, initctl_t, fifo_file) +@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; + + kernel_read_system_state(init_t) + kernel_share_state(init_t) ++kernel_stream_connect(init_t) + + corecmd_exec_chroot(init_t) + corecmd_exec_bin(init_t) + +-dev_read_sysfs(init_t) ++dev_rw_sysfs(init_t) ++dev_read_urand(init_t) ++dev_read_raw_memory(init_t) + # Early devtmpfs + dev_rw_generic_chr_files(init_t) ++dev_filetrans_all_named_dev(init_t) ++dev_write_watchdog(init_t) + + domain_getpgid_all_domains(init_t) + domain_kill_all_domains(init_t) +@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) + domain_signull_all_domains(init_t) + domain_sigstop_all_domains(init_t) + domain_sigchld_all_domains(init_t) ++domain_read_all_domains_state(init_t) + + files_read_etc_files(init_t) ++files_read_all_pids(init_t) ++files_read_system_conf_files(init_t) + files_rw_generic_pids(init_t) + files_dontaudit_search_isid_type_dirs(init_t) ++files_read_etc_runtime_files(init_t) + files_manage_etc_runtime_files(init_t) ++files_manage_etc_symlinks(init_t) + files_etc_filetrans_etc_runtime(init_t, file) + # Run /etc/X11/prefdm: + files_exec_etc_files(init_t) ++files_read_usr_files(init_t) + # file descriptors inherited from the rootfs: + files_dontaudit_rw_root_files(init_t) + files_dontaudit_rw_root_chr_files(init_t) +@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) + fs_write_ramfs_sockets(init_t) + + mcs_process_set_categories(init_t) +-mcs_killall(init_t) + + mls_file_read_all_levels(init_t) + mls_file_write_all_levels(init_t) ++mls_file_downgrade(init_t) ++mls_file_upgrade(init_t) + mls_process_write_down(init_t) + mls_fd_use_all_levels(init_t) ++mls_fd_share_all_levels(init_t) ++mls_socket_read_all_levels(init_t) ++mls_socket_write_all_levels(init_t) ++ ++mls_rangetrans_source(init_t) + + selinux_set_all_booleans(init_t) ++selinux_load_policy(init_t) 
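Review bot: `manage_files_pattern(init_t, initrc_state_t, initrc_state_t)` together with `can_exec(init_t, initrc_state_t)` lets init both write and execute files of the same type, and `initrc_t` already manages `initrc_state_t` (see the context lines in the last hunk of this file section), so content written there by an init script is executable by init. If init only needs to run content in /run/initramfs, `exec_files_pattern` is the narrower form; if it must also create it, the comment `# executing content in /run/initramfs` should say so. `allow daemon initrc_t:unix_dgram_socket sendto;` in the same hunk is a rule about all daemons placed in the init_t section and would be easier to find next to the other `daemon` attribute rules.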
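Review bot: `dev_read_raw_memory(init_t)` gives init read access to raw memory devices, one of the strongest permissions in the policy, and it is added with no comment; it should carry a one-line justification naming the init feature that needs it, or be dropped if that feature is unused. `dev_write_watchdog(init_t)`, `dev_filetrans_all_named_dev(init_t)` and the change from `dev_read_sysfs` to `dev_rw_sysfs` in the same hunk would also benefit from a why-comment, as the surrounding rules have.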
++selinux_mounton_fs(init_t) ++allow init_t security_t:security load_policy; + +-term_use_all_terms(init_t) ++term_create_pty_dir(init_t) ++term_use_unallocated_ttys(init_t) ++term_use_console(init_t) ++term_use_all_inherited_terms(init_t) ++term_use_generic_ptys(init_t) + + # Run init scripts. + init_domtrans_script(init_t) + + libs_rw_ld_so_cache(init_t) + ++logging_create_devlog_dev(init_t) + logging_send_syslog_msg(init_t) ++logging_send_audit_msgs(init_t) + logging_rw_generic_logs(init_t) ++logging_relabel_devlog_dev(init_t) + + seutil_read_config(init_t) ++seutil_read_module_store(init_t) ++ ++miscfiles_manage_localization(init_t) ++miscfiles_filetrans_named_content(init_t) + +-miscfiles_read_localization(init_t) ++userdom_use_user_ttys(init_t) ++userdom_manage_tmp_dirs(init_t) ++userdom_manage_tmp_sockets(init_t) ++ ++allow init_t self:process setsched; + + ifdef(`distro_gentoo',` + allow init_t self:process { getcap setcap }; +@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',` + ') + + ifdef(`distro_redhat',` ++ fs_manage_tmpfs_files(init_t) ++ fs_manage_tmpfs_sockets(init_t) ++ fs_exec_tmpfs_files(init_t) + fs_read_tmpfs_symlinks(init_t) + fs_rw_tmpfs_chr_files(init_t) + fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ++ fs_tmpfs_filetrans_named_content(init_t) ++ ++ logging_stream_connect_syslog(init_t) ++ logging_relabel_syslog_pid_socket(init_t) + ') + +-tunable_policy(`init_upstart',` +- corecmd_shell_domtrans(init_t, initrc_t) +-',` +- # Run the shell in the sysadm role for single-user mode. 
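Review bot: `allow init_t security_t:security load_policy;` restates in raw form what `selinux_load_policy(init_t)` on the line above presumably already grants, and it references `security_t` directly from init.te instead of going through the selinux module's interface; the raw rule should be dropped. If it was kept because the interface does not cover some permission, a comment should say which. `mcs_killall(init_t)` is also removed in this hunk without a replacement, which may be intended but deserves a word in the commit message.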
+- # causes problems with upstart +- sysadm_shell_domtrans(init_t) ++corecmd_shell_domtrans(init_t, initrc_t) ++ ++storage_raw_rw_fixed_disk(init_t) ++ ++sysnet_read_dhcpc_state(init_t) ++ ++optional_policy(` ++ chronyd_read_keys(init_t) ++') ++ ++optional_policy(` ++ kdump_read_crash(init_t) + ') + + optional_policy(` +- auth_rw_login_records(init_t) ++ gnome_filetrans_home_content(init_t) ++ gnome_manage_data(init_t) + ') + + optional_policy(` ++ iscsi_read_lib_files(init_t) ++') ++ ++optional_policy(` ++ modutils_domtrans_insmod(init_t) ++ modutils_list_module_config(init_t) ++') ++ ++optional_policy(` ++ postfix_exec(init_t) ++ postfix_list_spool(init_t) ++ mta_read_config(init_t) ++ mta_manage_aliases(init_t) ++') ++ ++allow init_t self:system all_system_perms; ++allow init_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow init_t self:process { setsockcreate setfscreate setrlimit }; ++allow init_t self:process { getcap setcap }; ++allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow init_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow init_t self:netlink_selinux_socket create_socket_perms; ++# Until systemd is fixed ++allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; ++allow init_t self:udp_socket create_socket_perms; ++allow init_t self:netlink_route_socket create_netlink_socket_perms; ++ ++allow init_t initrc_t:unix_dgram_socket create_socket_perms; ++ ++kernel_list_unlabeled(init_t) ++kernel_read_network_state(init_t) ++kernel_rw_all_sysctls(init_t) ++kernel_read_software_raid_state(init_t) ++kernel_unmount_debugfs(init_t) ++kernel_setsched(init_t) ++ ++dev_write_kmsg(init_t) ++dev_write_urand(init_t) ++dev_rw_lvm_control(init_t) ++dev_rw_autofs(init_t) ++dev_manage_generic_symlinks(init_t) ++dev_manage_generic_dirs(init_t) ++dev_manage_generic_files(init_t) ++dev_read_generic_chr_files(init_t) ++dev_relabel_generic_dev_dirs(init_t) 
++dev_relabel_all_dev_nodes(init_t) ++dev_relabel_all_dev_files(init_t) ++dev_manage_sysfs_dirs(init_t) ++dev_relabel_sysfs_dirs(init_t) ++ ++files_search_all(init_t) ++files_mounton_all_mountpoints(init_t) ++files_unmount_all_file_type_fs(init_t) ++files_manage_all_pid_dirs(init_t) ++files_manage_etc_dirs(init_t) ++files_manage_generic_tmp_dirs(init_t) ++files_relabel_all_pid_dirs(init_t) ++files_relabel_all_pid_files(init_t) ++files_create_all_pid_sockets(init_t) ++files_delete_all_pids(init_t) ++files_exec_generic_pid_files(init_t) ++files_create_all_pid_pipes(init_t) ++files_create_all_spool_sockets(init_t) ++files_delete_all_spool_sockets(init_t) ++files_manage_urandom_seed(init_t) ++files_list_locks(init_t) ++files_list_spool(init_t) ++files_list_var(init_t) ++files_list_boot(init_t) ++files_list_home(init_t) ++files_create_lock_dirs(init_t) ++files_relabel_all_lock_dirs(init_t) ++files_read_kernel_modules(init_t) ++fs_getattr_all_fs(init_t) ++fs_manage_cgroup_dirs(init_t) ++fs_manage_cgroup_files(init_t) ++fs_manage_hugetlbfs_dirs(init_t) ++fs_manage_tmpfs_dirs(init_t) ++fs_relabel_tmpfs_dirs(init_t) ++fs_relabel_tmpfs_files(init_t) ++fs_relabel_tmpfs_fifo_files(init_t) ++fs_mount_all_fs(init_t) ++fs_unmount_all_fs(init_t) ++fs_remount_all_fs(init_t) ++fs_list_all(init_t) ++fs_list_auto_mountpoints(init_t) ++fs_register_binary_executable_type(init_t) ++fs_relabel_tmpfs_sock_file(init_t) ++fs_rw_tmpfs_files(init_t) ++fs_relabel_cgroup_dirs(init_t) ++fs_search_cgroup_dirs(init_t) ++selinux_compute_access_vector(init_t) ++selinux_compute_create_context(init_t) ++selinux_validate_context(init_t) ++selinux_unmount_fs(init_t) ++ ++storage_getattr_removable_dev(init_t) ++ ++term_relabel_ptys_dirs(init_t) ++ ++auth_relabel_login_records(init_t) ++auth_relabel_pam_console_data_dirs(init_t) ++ ++clock_read_adjtime(init_t) ++ ++init_read_script_state(init_t) ++ ++modutils_read_module_config(init_t) ++ ++seutil_read_file_contexts(init_t) ++ 
++systemd_exec_systemctl(init_t)
++systemd_manage_home_content(init_t)
++systemd_manage_unit_dirs(init_t)
++systemd_manage_random_seed(init_t)
++systemd_manage_all_unit_files(init_t)
++systemd_logger_stream_connect(init_t)
++systemd_config_all_services(init_t)
++systemd_relabelto_fifo_file_passwd_run(init_t)
++systemd_relabel_unit_dirs(init_t)
++systemd_relabel_unit_files(init_t)
++systemd_manage_unit_dirs(initrc_t)
++systemd_manage_unit_symlinks(initrc_t)
++systemd_config_all_services(initrc_t)
++systemd_read_unit_files(initrc_t)
++
++create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
++
++auth_use_nsswitch(init_t)
++auth_rw_login_records(init_t)
++auth_domtrans_chk_passwd(init_t)
++
++optional_policy(`
++ ipsec_read_config(init_t)
++')
++
++optional_policy(`
++ lvm_rw_pipes(init_t)
++ lvm_read_config(init_t)
++')
++
++optional_policy(`
++ consolekit_manage_log(init_t)
++')
++
++optional_policy(`
++ dbus_connect_system_bus(init_t)
+ dbus_system_bus_client(init_t)
++ dbus_delete_pid_files(init_t)
++
++ optional_policy(`
++ devicekit_dbus_chat_power(init_t)
++ ')
++')
++
++optional_policy(`
++ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
++ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
++ # the directory. But we do not want to allow this.
++ # The master process of dovecot will manage this file.
++ dovecot_dontaudit_unlink_lib_files(initrc_t)
++')
++
++optional_policy(`
++ networkmanager_stream_connect(init_t)
+ ')
+ 
+ optional_policy(`
+- nscd_use(init_t)
++ plymouthd_stream_connect(init_t)
++ plymouthd_exec_plymouth(init_t)
+ ')
+ 
+ optional_policy(`
+@@ -216,7 +493,30 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ rpcbind_filetrans_named_content(init_t)
++ rpcbind_relabel_sock_file(init_t)
++')
++
++optional_policy(`
++ systemd_filetrans_named_content(init_t)
++')
++
++optional_policy(`
++ udev_read_db(init_t)
++ udev_relabelto_db(init_t)
++ udev_create_kobject_uevent_socket(init_t)
++ udev_relabel_pid_sockfile(init_t)
++')
++
++optional_policy(`
++ xserver_relabel_xdm_tmp_dirs(init_t)
++ xserver_manage_xdm_tmp_dirs(init_t)
++ xserver_read_xdm_lib_files(init_t)
++')
++
++optional_policy(`
+ unconfined_domain(init_t)
++ domain_named_filetrans(init_t)
+ ')
+ 
+ ########################################
+@@ -225,8 +525,9 @@ optional_policy(`
+ #
+ 
+ allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+-allow initrc_t self:capability ~{ sys_admin sys_module };
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability2 block_suspend;
++dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
+ allow initrc_t self:passwd rootok;
+ allow initrc_t self:key manage_key_perms;
+ 
+@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+ 
+ allow initrc_t initrc_var_run_t:file manage_file_perms;
+ files_pid_filetrans(initrc_t, initrc_var_run_t, file)
++files_manage_generic_pids_symlinks(initrc_t)
++files_create_var_run_dirs(initrc_t)
++files_relabelfrom_isid_type(initrc_t)
+ 
+ can_exec(initrc_t, initrc_tmp_t)
+ manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
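Review bot: The trailing comment on `dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this` now covers two capabilities but explains only one: sysctl is the stated cause for sys_module, while sys_ptrace is presumably the pidof case this file comments on elsewhere (`# initrc_t needs to do a pidof which requires ptrace`). Splitting the line keeps both justifications visible: `dontaudit initrc_t self:capability sys_module; # sysctl is triggering this` and `dontaudit initrc_t self:capability sys_ptrace; # pidof from init scripts; deliberately not granted`. Removing sys_ptrace, audit_control and audit_write from the negated `~{ ... }` set is a genuine tightening and deserves its own one-line comment, because the negated form makes the resulting grant easy to misread as an expansion.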
+ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
++allow initrc_t initrc_tmp_t:dir relabelfrom;
+ 
+ manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+ manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
+ kernel_clear_ring_buffer(initrc_t)
+ kernel_get_sysvipc_info(initrc_t)
+ kernel_read_all_sysctls(initrc_t)
++kernel_request_load_module(initrc_t)
+ kernel_rw_all_sysctls(initrc_t)
+ # for lsof which is used by alsa shutdown:
+ kernel_dontaudit_getattr_message_if(initrc_t)
++kernel_stream_connect(initrc_t)
++files_read_kernel_modules(initrc_t)
++files_read_config_files(initrc_t)
++files_read_var_lib_symlinks(initrc_t)
++files_setattr_pid_dirs(initrc_t)
+ 
+ files_create_lock_dirs(initrc_t)
+ files_pid_filetrans_lock_dir(initrc_t, "lock")
+ files_read_kernel_symbol_table(initrc_t)
+-files_setattr_lock_dirs(initrc_t)
++files_exec_etc_files(initrc_t)
++files_manage_etc_symlinks(initrc_t)
++files_manage_system_conf_files(initrc_t)
++
++fs_manage_tmpfs_dirs(initrc_t)
++fs_manage_tmpfs_symlinks(initrc_t)
++fs_delete_tmpfs_files(initrc_t)
++fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
++fs_read_nfsd_files(initrc_t)
+ 
+ corecmd_exec_all_executables(initrc_t)
+ 
+-corenet_all_recvfrom_unlabeled(initrc_t)
+ corenet_all_recvfrom_netlabel(initrc_t)
+-corenet_tcp_sendrecv_all_if(initrc_t)
+-corenet_udp_sendrecv_all_if(initrc_t)
+-corenet_tcp_sendrecv_all_nodes(initrc_t)
+-corenet_udp_sendrecv_all_nodes(initrc_t)
++corenet_tcp_sendrecv_generic_if(initrc_t)
++corenet_udp_sendrecv_generic_if(initrc_t)
++corenet_tcp_sendrecv_generic_node(initrc_t)
++corenet_udp_sendrecv_generic_node(initrc_t)
+ corenet_tcp_sendrecv_all_ports(initrc_t)
+ corenet_udp_sendrecv_all_ports(initrc_t)
+ corenet_tcp_connect_all_ports(initrc_t)
+@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+ 
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_dontaudit_read_kmsg(initrc_t)
+ dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
++dev_write_watchdog(initrc_t)
+ dev_rw_sysfs(initrc_t)
+ dev_list_usbfs(initrc_t)
+ dev_read_framebuffer(initrc_t)
+@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t)
+ dev_read_realtime_clock(initrc_t)
+ dev_read_sound_mixer(initrc_t)
+ dev_write_sound_mixer(initrc_t)
++dev_setattr_generic_dirs(initrc_t)
+ dev_setattr_all_chr_files(initrc_t)
+ dev_rw_lvm_control(initrc_t)
++dev_rw_generic_chr_files(initrc_t)
+ dev_delete_lvm_control_dev(initrc_t)
+ dev_manage_generic_symlinks(initrc_t)
+ dev_manage_generic_files(initrc_t)
+@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t)
+ dev_delete_generic_symlinks(initrc_t)
+ dev_getattr_all_blk_files(initrc_t)
+ dev_getattr_all_chr_files(initrc_t)
+-# Early devtmpfs
+-dev_rw_generic_chr_files(initrc_t)
++dev_rw_xserver_misc(initrc_t)
+ 
+ domain_kill_all_domains(initrc_t)
+ domain_signal_all_domains(initrc_t)
+@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
+ domain_sigchld_all_domains(initrc_t)
+ domain_read_all_domains_state(initrc_t)
+ domain_getattr_all_domains(initrc_t)
+-domain_dontaudit_ptrace_all_domains(initrc_t)
+ domain_getsession_all_domains(initrc_t)
+ domain_use_interactive_fds(initrc_t)
+ # for lsof which is used by alsa shutdown:
+@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
+ domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
+ domain_dontaudit_getattr_all_pipes(initrc_t)
++domain_obj_id_change_exemption(initrc_t)
+ 
+ files_getattr_all_dirs(initrc_t)
+ files_getattr_all_files(initrc_t)
+@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
+ files_getattr_all_pipes(initrc_t)
+ files_getattr_all_sockets(initrc_t)
+ files_purge_tmp(initrc_t)
+-files_delete_all_locks(initrc_t)
++files_manage_all_locks(initrc_t)
++files_manage_boot_files(initrc_t)
+ files_read_all_pids(initrc_t) ++files_delete_root_files(initrc_t) + files_delete_all_pids(initrc_t) + files_delete_all_pid_dirs(initrc_t) + files_read_etc_files(initrc_t) + files_manage_etc_runtime_files(initrc_t) + files_etc_filetrans_etc_runtime(initrc_t, file) +-files_exec_etc_files(initrc_t) + files_read_usr_files(initrc_t) + files_manage_urandom_seed(initrc_t) + files_manage_generic_spool(initrc_t) +@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t) + files_mounton_isid_type_dirs(initrc_t) + files_list_default(initrc_t) + files_mounton_default(initrc_t) ++files_manage_mnt_dirs(initrc_t) ++files_manage_mnt_files(initrc_t) + +-fs_write_cgroup_files(initrc_t) ++fs_delete_cgroup_dirs(initrc_t) ++fs_list_cgroup_dirs(initrc_t) ++fs_rw_cgroup_files(initrc_t) + fs_list_inotifyfs(initrc_t) + fs_register_binary_executable_type(initrc_t) + # rhgb-console writes to ramfs +@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t) + fs_unmount_all_fs(initrc_t) + fs_remount_all_fs(initrc_t) + fs_getattr_all_fs(initrc_t) ++fs_search_all(initrc_t) ++fs_getattr_nfsd_files(initrc_t) ++fs_dontaudit_create_tmpfs_chr_dev(initrc_t) + + # initrc_t needs to do a pidof which requires ptrace +-mcs_ptrace_all(initrc_t) +-mcs_killall(initrc_t) + mcs_process_set_categories(initrc_t) + + mls_file_read_all_levels(initrc_t) +@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t) + mls_process_write_down(initrc_t) + mls_rangetrans_source(initrc_t) + mls_fd_share_all_levels(initrc_t) ++mls_socket_write_to_clearance(initrc_t) + + selinux_get_enforce_mode(initrc_t) + +@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t) + term_reset_tty_labels(initrc_t) + + auth_rw_login_records(initrc_t) ++auth_manage_faillog(initrc_t) + auth_setattr_login_records(initrc_t) + auth_rw_lastlog(initrc_t) + auth_read_pam_pid(initrc_t) +@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t) + logging_append_all_logs(initrc_t) + logging_read_audit_config(initrc_t) + +-miscfiles_read_localization(initrc_t) + # slapd needs to read 
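Review bot: The comment `# initrc_t needs to do a pidof which requires ptrace` is left standing after the two rules it explained, `mcs_ptrace_all(initrc_t)` and `mcs_killall(initrc_t)`, are removed, so it now reads as a description of `mcs_process_set_categories(initrc_t)`, which has nothing to do with ptrace. Either drop the comment or reword it to fit the rule it now sits on, e.g. `# init scripts may set MCS categories on the processes they start`. If ptrace-for-pidof was dropped on purpose, a short note saying so would stop the next person from re-adding `mcs_ptrace_all` when the pidof denials show up.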
cert files from its initscript +-miscfiles_read_generic_certs(initrc_t) ++miscfiles_manage_generic_cert_files(initrc_t) + +-modutils_read_module_config(initrc_t) +-modutils_domtrans_insmod(initrc_t) + + seutil_read_config(initrc_t) + ++userdom_read_admin_home_files(initrc_t) + userdom_read_user_home_content_files(initrc_t) + # Allow access to the sysadm TTYs. Note that this will give access to the + # TTYs to any process in the initrc_t domain. Therefore, daemons and such + # started from init should be placed in their own domain. +-userdom_use_user_terminals(initrc_t) ++userdom_use_inherited_user_terminals(initrc_t) + + ifdef(`distro_debian',` + dev_setattr_generic_dirs(initrc_t) +@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',` + allow initrc_t self:process setfscreate; + dev_create_null_dev(initrc_t) + dev_create_zero_dev(initrc_t) +- dev_create_generic_dirs(initrc_t) + term_create_console_dev(initrc_t) + + # unfortunately /sbin/rc does stupid tricks +@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',` + sysnet_setattr_config(initrc_t) + + optional_policy(` ++ abrt_manage_pid_files(initrc_t) ++ ') ++ ++ optional_policy(` + alsa_read_lib(initrc_t) + ') + +@@ -505,7 +835,7 @@ ifdef(`distro_redhat',` + + # Red Hat systems seem to have a stray + # fd open from the initrd +- kernel_dontaudit_use_fds(initrc_t) ++ kernel_use_fds(initrc_t) + files_dontaudit_read_root_files(initrc_t) + + # These seem to be from the initrd +@@ -520,6 +850,7 @@ ifdef(`distro_redhat',` + files_create_boot_dirs(initrc_t) + files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) ++ + # wants to read /.fonts directory + files_read_default_files(initrc_t) + files_mountpoint(initrc_tmp_t) +@@ -540,6 +871,7 @@ ifdef(`distro_redhat',` + miscfiles_rw_localization(initrc_t) + miscfiles_setattr_localization(initrc_t) + miscfiles_relabel_localization(initrc_t) ++ miscfiles_filetrans_named_content(initrc_t) + + miscfiles_read_fonts(initrc_t) + miscfiles_read_hwdata(initrc_t) +@@ -549,8 +881,44 @@ 
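Review bot: `miscfiles_manage_generic_cert_files(initrc_t)` grants init scripts create, write and delete access over the generic certificate store, but the comment kept above it still says `# slapd needs to read cert files from its initscript`; read access was the previous rule (`miscfiles_read_generic_certs`) and is what the comment justifies. If slapd's init script really rewrites certificate files, the comment should say which files and why (`# slapd's initscript regenerates ... under the generic cert type`); otherwise the read interface should be kept, since write access to the trust store from every init script is a much broader grant than the stated need. The swap from `userdom_use_user_terminals` to `userdom_use_inherited_user_terminals` in the same hunk narrows access and looks right.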
ifdef(`distro_redhat',` + ') + + optional_policy(` ++ abrt_manage_pid_files(initrc_t) ++ ') ++ ++ optional_policy(` + bind_manage_config_dirs(initrc_t) ++ bind_manage_config(initrc_t) + bind_write_config(initrc_t) ++ bind_setattr_zone_dirs(initrc_t) ++ ') ++ ++ optional_policy(` ++ cyrus_write_data(initrc_t) ++ ') ++ ++ optional_policy(` ++ devicekit_append_inherited_log_files(initrc_t) ++ devicekit_dbus_chat_power(initrc_t) ++ ') ++ ++ optional_policy(` ++ dirsrvadmin_read_config(initrc_t) ++ dirsrv_manage_var_run(initrc_t) ++ ') ++ ++ optional_policy(` ++ gnome_manage_gconf_config(initrc_t) ++ ') ++ ++ optional_policy(` ++ ldap_read_db_files(initrc_t) ++ ') ++ ++ optional_policy(` ++ ntp_filetrans_named_content(initrc_t) ++ ') ++ ++ optional_policy(` ++ pulseaudio_stream_connect(initrc_t) + ') + + optional_policy(` +@@ -558,14 +926,31 @@ ifdef(`distro_redhat',` + rpc_write_exports(initrc_t) + rpc_manage_nfs_state_data(initrc_t) + ') ++ optional_policy(` ++ rpcbind_stream_connect(initrc_t) ++ ') + + optional_policy(` + sysnet_rw_dhcp_config(initrc_t) + sysnet_manage_config(initrc_t) ++ sysnet_manage_dhcpc_state(initrc_t) ++ sysnet_relabelfrom_dhcpc_state(initrc_t) ++ sysnet_relabelfrom_net_conf(initrc_t) ++ sysnet_relabelto_net_conf(initrc_t) ++ sysnet_filetrans_named_content(initrc_t) ++ ') ++ ++ optional_policy(` ++ tgtd_stream_connect(initrc_t) ++ ') ++ ++ optional_policy(` ++ wdmd_manage_pid_files(initrc_t) + ') + + optional_policy(` + xserver_delete_log(initrc_t) ++ xserver_manage_user_fonts_dir(initrc_t) + ') + ') + +@@ -576,6 +961,39 @@ ifdef(`distro_suse',` + ') + ') + ++domain_dontaudit_use_interactive_fds(daemon) ++ ++userdom_dontaudit_list_admin_dir(daemon) ++userdom_dontaudit_search_user_tmp(daemon) ++ ++tunable_policy(`daemons_use_tcp_wrapper',` ++ corenet_tcp_connect_auth_port(daemon) ++') ++ ++tunable_policy(`daemons_use_tty',` ++ term_use_unallocated_ttys(daemon) ++ term_use_generic_ptys(daemon) ++ term_use_all_ttys(daemon) ++ 
term_use_all_ptys(daemon) ++',` ++ term_dontaudit_use_unallocated_ttys(daemon) ++ term_dontaudit_use_generic_ptys(daemon) ++ term_dontaudit_use_all_ttys(daemon) ++ term_dontaudit_use_all_ptys(daemon) ++ ') ++ ++# system-config-services causes avc messages that should be dontaudited ++tunable_policy(`daemons_dump_core',` ++ files_manage_root_files(daemon) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(daemon) ++ unconfined_dontaudit_rw_stream(daemon) ++ userdom_dontaudit_read_user_tmp_files(daemon) ++ userdom_dontaudit_write_user_tmp_files(daemon) ++') ++ + optional_policy(` + amavis_search_lib(initrc_t) + amavis_setattr_pid_files(initrc_t) +@@ -588,6 +1006,8 @@ optional_policy(` + optional_policy(` + apache_read_config(initrc_t) + apache_list_modules(initrc_t) ++ # webmin seems to cause this. ++ apache_search_sys_content(daemon) + ') + + optional_policy(` +@@ -609,6 +1029,7 @@ optional_policy(` + + optional_policy(` + cgroup_stream_connect_cgred(initrc_t) ++ domain_setpriority_all_domains(initrc_t) + ') + + optional_policy(` +@@ -625,6 +1046,17 @@ optional_policy(` + ') + + optional_policy(` ++ chronyd_append_keys(initrc_t) ++ chronyd_read_keys(initrc_t) ++') ++ ++optional_policy(` ++ cron_read_pipes(initrc_t) ++ # managing /etc/cron.d/mailman content ++ cron_manage_system_spool(initrc_t) ++') ++ ++optional_policy(` + dev_getattr_printer_dev(initrc_t) + + cups_read_log(initrc_t) +@@ -641,9 +1073,13 @@ optional_policy(` + dbus_connect_system_bus(initrc_t) + dbus_system_bus_client(initrc_t) + dbus_read_config(initrc_t) ++ dbus_manage_lib_files(initrc_t) ++ ++ init_dbus_chat(initrc_t) + + optional_policy(` + consolekit_dbus_chat(initrc_t) ++ consolekit_manage_log(initrc_t) + ') + + optional_policy(` +@@ -656,15 +1092,11 @@ optional_policy(` + ') + + optional_policy(` +- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to +- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up +- # the directory. But we do not want to allow this. 
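Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` sits directly above `tunable_policy(\`daemons_dump_core',\`` with `files_manage_root_files(daemon)` inside, which is an allow rule, not a dontaudit, and has nothing to do with system-config-services; as the interface name says, it lets every domain carrying the `daemon` attribute create, write and delete files directly under / once the boolean is on. The comment should describe that instead, e.g. `# daemons_dump_core: let daemons write core files into /; this is full manage access on root_t files, not a dontaudit`. The `daemons_use_tty` branch in this hunk also contains `term_use_all_ttys(daemon)` and `term_use_all_ptys(daemon)`, so flipping that boolean for one misbehaving service lets every daemon read and write any user's terminal; a sentence next to the tunable spelling that out would help admins.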
+- # The master process of dovecot will manage this file.
+- dovecot_dontaudit_unlink_lib_files(initrc_t)
++ ftp_read_config(initrc_t)
+ ')
+ 
+ optional_policy(`
+- ftp_read_config(initrc_t)
++ glance_manage_pid_files(initrc_t)
+ ')
+ 
+ optional_policy(`
+@@ -685,6 +1117,15 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ firewalld_dbus_chat(initrc_t)
++')
++
++optional_policy(`
++ modutils_read_module_config(initrc_t)
++ modutils_domtrans_insmod(initrc_t)
++')
++
++optional_policy(`
+ inn_exec_config(initrc_t)
+ ')
+ 
+@@ -725,6 +1166,7 @@ optional_policy(`
+ lpd_list_spool(initrc_t)
+ 
+ lpd_read_config(initrc_t)
++ lpd_manage_spool(init_t)
+ ')
+ 
+ optional_policy(`
+@@ -742,7 +1184,13 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- mta_read_config(initrc_t)
++ milter_delete_dkim_pid_files(initrc_t)
++ milter_setattr_all_dirs(initrc_t)
++')
++
++optional_policy(`
++ mta_manage_aliases(initrc_t)
++ mta_manage_config(initrc_t)
+ mta_dontaudit_read_spool_symlinks(initrc_t)
+ ')
+ 
+@@ -765,6 +1213,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ plymouthd_stream_connect(initrc_t)
++')
++
++optional_policy(`
+ postgresql_manage_db(initrc_t)
+ postgresql_read_config(initrc_t)
+ ')
+@@ -774,10 +1226,20 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ psad_setattr_fifo_file(initrc_t)
++ psad_setattr_log(initrc_t)
++ psad_write_log(initrc_t)
++')
++
++optional_policy(`
+ puppet_rw_tmp(initrc_t)
+ ')
+ 
+ optional_policy(`
++ qpidd_manage_var_run(initrc_t)
++')
++
++optional_policy(`
+ quota_manage_flags(initrc_t)
+ ')
+ 
+@@ -786,6 +1248,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+ 
+@@ -807,8 +1273,6 @@ optional_policy(`
+ # bash tries ioctl for some reason
+ files_dontaudit_ioctl_all_pids(initrc_t)
+ 
+- # why is this needed:
+- rpm_manage_db(initrc_t)
+ ')
+ 
+ optional_policy(`
+@@ -817,6 +1281,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ sendmail_setattr_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # shorewall-init script run /var/lib/shorewall/firewall
+ shorewall_lib_domtrans(initrc_t)
+ ')
+@@ -826,10 +1294,12 @@ optional_policy(`
+ squid_manage_logs(initrc_t)
+ ')
+ 
++ifdef(`enabled_mls',`
+ optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc, initrc_t, system_r)
+ ')
++')
+ 
+ optional_policy(`
+ ssh_dontaudit_read_server_keys(initrc_t)
+@@ -856,12 +1326,33 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ virt_read_config(init_t)
++ virt_stream_connect(init_t)
++')
++
++optional_policy(`
++ virt_manage_pid_dirs(initrc_t)
++ virt_manage_cache(initrc_t)
++ virt_manage_lib_files(initrc_t)
+ virt_stream_connect(initrc_t)
+- virt_manage_virt_cache(initrc_t)
++')
++
++# Cron jobs used to start and stop services
++optional_policy(`
++ cron_rw_pipes(daemon)
++ cron_rw_inherited_user_spool_files(daemon)
++')
++
++optional_policy(`
++ cfengine_append_inherited_log(daemon)
+ ')
+ 
+ optional_policy(`
+ unconfined_domain(initrc_t)
++ domain_named_filetrans(initrc_t)
++ domain_role_change_exemption(initrc_t)
++
++ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
+ 
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
+@@ -871,6 +1362,18 @@ optional_policy(`
+ optional_policy(`
+ mono_domtrans(initrc_t)
+ ')
++
++ # Allow SELinux aware applications to request rpm_script_t execution
++ rpm_transition_script(initrc_t)
++
++ optional_policy(`
++ rtkit_scheduled(initrc_t)
++ ')
++')
++
++optional_policy(`
++ rpm_read_db(initrc_t)
++ rpm_delete_db(initrc_t)
+ ')
+ 
+ optional_policy(`
+@@ -886,6 +1389,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ sanlock_manage_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # Set device ownerships/modes.
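Review bot: The new wrapper tests `ifdef(\`enabled_mls',\`` but the build macro used elsewhere in this patch is `enable_mls` (see the commented-out `#ifdef(\`enable_mls',\`` further down in the same file), so as written the `su_restricted_domain_template(initrc, initrc_t, system_r)` block is never compiled on any configuration. If the intent is to keep the su template for MLS builds only, the line should read `ifdef(\`enable_mls',\``; if the intent is to drop it everywhere, remove the block and say why in a comment rather than leaving it behind a macro that never fires. Either way the current text silently changes which domains init scripts may su into, which is worth making explicit.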
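Review bot: `rpm_read_db(initrc_t)` and `rpm_delete_db(initrc_t)` are added with no note of which init script needs to delete RPM database files, while the hunk two above this one removed `rpm_manage_db(initrc_t)` with its `# why is this needed:` question still unanswered. Delete access to the package database from every init script is a grant that should carry a justification naming the script, e.g. `# <script> removes stale lock files from the rpm database on boot`, or be moved into that script's own domain. `rpm_transition_script(initrc_t)` is correctly kept inside the `unconfined_domain(initrc_t)` block and reads fine.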
+ xserver_setattr_console_pipes(initrc_t) + +@@ -896,3 +1403,218 @@ optional_policy(` + optional_policy(` + zebra_read_config(initrc_t) + ') ++ ++userdom_inherit_append_user_home_content_files(daemon) ++userdom_inherit_append_user_tmp_files(daemon) ++userdom_dontaudit_rw_stream(daemon) ++ ++logging_inherit_append_all_logs(daemon) ++ ++optional_policy(` ++ # sudo service restart causes this ++ unconfined_signull(daemon) ++') ++ ++ ++optional_policy(` ++ xserver_dontaudit_append_xdm_home_files(daemon) ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_rw_nfs_files(daemon) ++ ') ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_rw_cifs_files(daemon) ++ ') ++') ++ ++init_rw_script_stream_sockets(daemon) ++ ++optional_policy(` ++ abrt_stream_connect(daemon) ++') ++ ++optional_policy(` ++ fail2ban_read_lib_files(daemon) ++') ++ ++optional_policy(` ++ firstboot_dontaudit_leaks(daemon) ++') ++ ++init_rw_stream_sockets(daemon) ++init_dontaudit_script_leaks(daemon) ++ ++allow init_t var_run_t:dir relabelto; ++ ++init_stream_connect(initrc_t) ++ ++allow initrc_t daemon:process siginh; ++allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++allow daemon initrc_transition_domain:fd use; ++allow daemon init_var_run_t:dir search_dir_perms; ++allow systemprocess init_var_run_t:dir search_dir_perms; ++ ++allow init_t daemon:unix_stream_socket create_stream_socket_perms; ++allow init_t daemon:unix_dgram_socket create_socket_perms; ++allow init_t daemon:tcp_socket create_stream_socket_perms; ++allow init_t daemon:udp_socket create_socket_perms; ++allow daemon init_t:unix_dgram_socket sendto; ++# need write to /var/run/systemd/notify ++init_write_pid_socket(daemon) ++allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; ++ ++# daemons started from init will ++# inherit fds from init for the console ++init_dontaudit_use_fds(daemon) ++term_dontaudit_use_console(daemon) ++# init script ptys are the stdin/out/err ++# when using 
run_init ++init_use_script_ptys(daemon) ++ ++allow init_t daemon:process siginh; ++ ++ifdef(`hide_broken_symptoms',` ++ # RHEL4 systems seem to have a stray ++ # fds open from the initrd ++ ifdef(`distro_rhel4',` ++ kernel_dontaudit_use_fds(daemon) ++ ') ++ ++ dontaudit daemon init_t:dir search_dir_perms; ++') ++ ++optional_policy(` ++ nscd_socket_use(daemon) ++') ++ ++optional_policy(` ++ puppet_rw_tmp(daemon) ++') ++ ++allow direct_run_init daemon:process { noatsecure siginh rlimitinh }; ++ ++allow initrc_t systemprocess:process siginh; ++allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++allow systemprocess initrc_transition_domain:fd use; ++ ++dontaudit systemprocess init_t:unix_stream_socket getattr; ++ ++allow init_t daemon:unix_stream_socket create_stream_socket_perms; ++allow init_t daemon:unix_dgram_socket create_socket_perms; ++allow daemon init_t:unix_stream_socket ioctl; ++allow daemon init_t:unix_dgram_socket sendto; ++# need write to /var/run/systemd/notify ++init_write_pid_socket(daemon) ++init_rw_inherited_script_tmp_files(daemon) ++ ++# Handle upstart/systemd direct transition to a executable ++allow init_t systemprocess:process { dyntransition siginh }; ++allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; ++allow init_t systemprocess:unix_dgram_socket create_socket_perms; ++allow systemprocess init_t:unix_dgram_socket sendto; ++allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; ++ ++files_dontaudit_rw_inherited_locks(systemprocess) ++files_dontaudit_tmp_file_leaks(systemprocess) ++init_rw_inherited_script_tmp_files(systemprocess) ++ ++logging_dontaudit_rw_inherited_generic_logs(systemprocess) ++ ++userdom_dontaudit_search_user_home_dirs(systemprocess) ++userdom_dontaudit_rw_stream(systemprocess) ++userdom_dontaudit_write_user_tmp_files(systemprocess) ++ ++tunable_policy(`daemons_use_tty',` ++ term_use_all_ttys(systemprocess) ++ 
term_use_all_ptys(systemprocess) ++',` ++ term_dontaudit_use_all_ttys(systemprocess) ++ term_dontaudit_use_all_ptys(systemprocess) ++') ++ ++# these apps are often redirect output to random log files ++logging_inherit_append_all_logs(systemprocess) ++ ++optional_policy(` ++ abrt_stream_connect(systemprocess) ++') ++ ++optional_policy(` ++ cfengine_append_inherited_log(systemprocess) ++') ++ ++optional_policy(` ++ cron_rw_pipes(systemprocess) ++') ++ ++optional_policy(` ++ puppet_rw_tmp(systemprocess) ++') ++ ++optional_policy(` ++ xserver_dontaudit_append_xdm_home_files(systemprocess) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(systemprocess) ++ unconfined_dontaudit_rw_stream(systemprocess) ++ userdom_dontaudit_read_user_tmp_files(systemprocess) ++') ++ ++init_rw_script_stream_sockets(systemprocess) ++ ++role system_r types systemprocess; ++role system_r types daemon; ++ ++#ifdef(`enable_mls',` ++# mls_rangetrans_target(systemprocess) ++#') ++ ++allow initrc_domain daemon:process transition; ++allow daemon initrc_domain:fd use; ++allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms; ++allow daemon initrc_domain:process sigchld; ++allow initrc_domain direct_init_entry:file { getattr open read execute }; ++ ++allow systemprocess initrc_domain:fd use; ++allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms; ++allow systemprocess initrc_domain:process sigchld; ++allow initrc_domain systemprocess_entry:file { getattr open read execute }; ++allow initrc_domain systemprocess:process transition; ++ ++optional_policy(` ++ systemd_getattr_unit_dirs(daemon) ++ systemd_getattr_unit_dirs(systemprocess) ++') ++ ++optional_policy(` ++ rgmanager_search_lib(initrc_domain) ++') ++ ++ifdef(`direct_sysadm_daemon',` ++ allow daemon direct_run_init:fd use; ++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms; ++ allow daemon direct_run_init:process sigchld; ++ allow direct_run_init direct_init_entry:file { getattr open 
read execute }; ++') ++ ++optional_policy(` ++ tunable_policy(`daemons_enable_cluster_mode',` ++ rhcs_manage_cluster_pid_files(daemon) ++ rhcs_manage_cluster_lib_files(daemon) ++ rhcs_rw_inherited_cluster_tmp_files(daemon) ++ rhcs_stream_connect_cluster_to(daemon,daemon) ++',` ++ rhcs_read_cluster_lib_files(daemon) ++ rhcs_read_cluster_pid_files(daemon) ++ ') ++ ++ ') ++ ++optional_policy(` ++ tunable_policy(`daemons_enable_cluster_mode',` ++ #resource agents placed config files in /etc/cluster ++ ccs_manage_config(daemon) ++',` ++ ccs_read_config(daemon) ++ ') ++ ') +diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc +index 662e79b..a199ffd 100644 +--- a/policy/modules/system/ipsec.fc ++++ b/policy/modules/system/ipsec.fc +@@ -1,14 +1,22 @@ + /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + +-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) ++ ++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) + /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) + + /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + ++/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++ + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongswan/ipsec\.d(/.*)? 
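Review bot: Several rules in this appended block are stated twice: `init_write_pid_socket(daemon)` together with its `# need write to /var/run/systemd/notify` comment, `allow init_t daemon:unix_stream_socket create_stream_socket_perms;`, `allow init_t daemon:unix_dgram_socket create_socket_perms;` and `allow daemon init_t:unix_dgram_socket sendto;`; the second copies (the group just before `# Handle upstart/systemd direct transition`) should go. `allow init_t var_run_t:dir relabelto;` reaches into another module's type directly instead of going through a files interface as the rest of the block does. `allow direct_run_init daemon:process { noatsecure siginh rlimitinh };` is the security-relevant line: as I read it, noatsecure means a daemon an admin starts by hand keeps the admin's environment without the AT_SECURE scrub the dynamic loader would otherwise apply, and it deserves a why-comment such as `# daemons run by hand via run_init keep the caller's env, rlimits and signal state; no AT_SECURE`. The commented-out `#ifdef(\`enable_mls',\`` block is dead code and should be removed or explained.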
gen_context(system_u:object_r:ipsec_key_file_t,s0) + + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) + +@@ -26,16 +34,23 @@ + /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) + + /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) + /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) ++/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + + /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) ++/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + + /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) + + /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) + ++/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0) + /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) + /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) ++/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if +index 0d4c8d3..e6ffda3 100644 +--- a/policy/modules/system/ipsec.if ++++ b/policy/modules/system/ipsec.if +@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',` + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) + ') + ++####################################### ++## ++## Allow to create OBJECT in /etc with ipsec_key_file_t. ++## ++## ++## ++## Domain allowed access. 
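Review bot: `/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)` uses an unescaped `.`, so it also matches any file whose name merely begins with `strongswan`, not just `strongswan.service` and `strongswan-*.service`; every other entry in this file escapes literal dots (`ipsec\.secrets`, `racoon\.pid`). If the unit and its siblings are what is meant, `/usr/lib/systemd/system/strongswan[^/]*\.service --` says so precisely. Widening `/etc/ipsec\.secrets` to `/etc/ipsec\.secrets.*` looks deliberate and sensible, since `.rpmsave`/`.bak` copies of the secrets then keep the key-file label.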
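Review bot: `/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)` has the same unescaped-dot problem, and its prefix overlaps the `-s` entry for `/var/run/charon\.ctl` on the line above; `/var/run/charon\..* --` keeps the regular-file rule to charon's own pid and state files. `/usr/libexec/strongswan/.* -- ipsec_exec_t` labels every regular file in that directory as an entrypoint into ipsec_t, not only the programs, which is fine only if nothing but executables is ever shipped there; I cannot tell from the patch, so a comment or a tighter pattern would help. The two `ipsec_mgmt_var_run_t` entries under `/var/run/pluto` should win over the directory's `ipsec_var_run_t` rule by virtue of their longer literal prefix, which is presumably the intent.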
++##
++##
++#
++interface(`ipsec_filetrans_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ files_etc_filetrans($1, ipsec_key_file_t, file)
++')
++
++#######################################
++##
++## Allow to manage ipsec key files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_manage_key_file',`
++ gen_require(`
++ type ipsec_key_file_t;
++ ')
++
++ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
++')
++
++########################################
++##
++## Read the ipsec_mgmt_var_run_t files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_read_pid',`
++ gen_require(`
++ type ipsec_var_run_t;
++ type ipsec_mgmt_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
++')
++
++
+ ########################################
+ ##
+ ## Connect to racoon using a unix domain stream socket.
+@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',`
+ ##
+ ##
+ #
+-#
+ interface(`ipsec_signal_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',`
+ ##
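Review bot: `ipsec_filetrans_key_file` calls `files_etc_filetrans($1, ipsec_key_file_t, file)` with no filename, which installs a default transition: every new file the caller creates in an etc_t directory will be labelled ipsec_key_file_t, not just IPsec secrets, so a caller that also writes unrelated config ends up with key-file labels on it. The summary's placeholder `Allow to create OBJECT in /etc with ipsec_key_file_t` suggests a name was meant; `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")`, as `ipsec_manage_key_file` just below already does, or a filename parameter on the interface keeps the transition scoped. `ipsec_mgmt_read_pid` correctly requests `files_search_pids($1)` before the read pattern.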
    + ##
+ #
+-#
+ interface(`ipsec_signull_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',`
+ ##
    + ##
+ #
+-#
+ interface(`ipsec_kill_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t;
+@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',`
+ allow $1 ipsec_mgmt_t:process sigkill;
+ ')
+ 
++########################################
++##
++## Send ipsec a general signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_signal',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signal;
++')
++
++########################################
++##
++## Send ipsec a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_signull',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signull;
++')
++
++########################################
++##
++## Send ipsec a kill signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_kill',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process sigkill;
++')
++
+ ######################################
+ ##
+ ## Send and receive messages from
+@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',`
+ 
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 self:association sendto;
++ allow $1 self:peer recv;
+ ')
+ 
+ ########################################
+@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',`
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+ ')
++
++#######################################
++##
++## Execute strongswan in the ipsec_mgmt domain.
++##
++##
++##
++## Domain allowed to transition.
++## ++## ++# ++interface(`ipsec_mgmt_systemctl',` ++ gen_require(` ++ type ipsec_mgmt_unit_file_t; ++ type ipsec_mgmt_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ipsec_mgmt_unit_file_t:file read_file_perms; ++ allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ipsec_mgmt_t) ++') +diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te +index 9e54bf9..ceb7f99 100644 +--- a/policy/modules/system/ipsec.te ++++ b/policy/modules/system/ipsec.te +@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) + corecmd_shell_entry_type(ipsec_mgmt_t) + role system_r types ipsec_mgmt_t; + ++type ipsec_mgmt_unit_file_t; ++systemd_unit_file(ipsec_mgmt_unit_file_t) ++ + type ipsec_mgmt_lock_t; + files_lock_file(ipsec_mgmt_lock_t) + +@@ -72,14 +75,18 @@ role system_r types setkey_t; + # ipsec Local policy + # + +-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; +-allow ipsec_t self:process { getcap setcap getsched signal setsched }; ++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; ++dontaudit ipsec_t self:capability sys_tty_config; ++allow ipsec_t self:process { getcap setcap getsched signal signull setsched }; + allow ipsec_t self:tcp_socket create_stream_socket_perms; + allow ipsec_t self:udp_socket create_socket_perms; ++allow ipsec_t self:packet_socket create_socket_perms; + allow ipsec_t self:key_socket create_socket_perms; + allow ipsec_t self:fifo_file read_fifo_file_perms; + allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; ++allow ipsec_t self:netlink_selinux_socket create_socket_perms; ++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; + + allow ipsec_t 
ipsec_initrc_exec_t:file read_file_perms; + +@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) + read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) + + allow ipsec_t ipsec_key_file_t:dir list_dir_perms; +-manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) + read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) ++manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) ++ ++manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) ++logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") + + manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) + manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) +@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) + allow ipsec_mgmt_t ipsec_t:fd use; + allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; + allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; +-allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; ++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull }; + + kernel_read_kernel_sysctls(ipsec_t) +-kernel_read_net_sysctls(ipsec_t) ++kernel_rw_net_sysctls(ipsec_t) + kernel_list_proc(ipsec_t) + kernel_read_proc_symlinks(ipsec_t) + # allow pluto to access /proc/net/ipsec_eroute; +@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t) + corecmd_exec_bin(ipsec_t) + + # Pluto needs network access +-corenet_all_recvfrom_unlabeled(ipsec_t) +-corenet_tcp_sendrecv_all_if(ipsec_t) +-corenet_raw_sendrecv_all_if(ipsec_t) +-corenet_tcp_sendrecv_all_nodes(ipsec_t) +-corenet_raw_sendrecv_all_nodes(ipsec_t) ++corenet_tcp_sendrecv_generic_if(ipsec_t) ++corenet_raw_sendrecv_generic_if(ipsec_t) ++corenet_tcp_sendrecv_generic_node(ipsec_t) ++corenet_raw_sendrecv_generic_node(ipsec_t) + corenet_tcp_sendrecv_all_ports(ipsec_t) +-corenet_tcp_bind_all_nodes(ipsec_t) +-corenet_udp_bind_all_nodes(ipsec_t) ++corenet_tcp_bind_generic_node(ipsec_t) ++corenet_udp_bind_generic_node(ipsec_t) + 
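Review bot: The ipsec_t self:capability line now adds net_raw, setuid and setgid, and the following added lines grant packet_socket, netlink_selinux_socket, unix_stream_socket connectto and netlink_route_socket write, none with a comment saying which daemon feature needs them. Each of these widens what a compromised IKE daemon can do (raw packet capture, identity change, route manipulation), so a why-comment above the block is warranted, e.g. `# net_raw/packet_socket and setuid/setgid: needed by <feature — confirm and name it>`. Dropping the sys_ptrace dontaudit also means such attempts will now be logged; fine if intended, but worth a note. The widening from kernel_read_net_sysctls to kernel_rw_net_sysctls in the hunk at `@@ -110,10 +120,10 @@` raises the same question: which net sysctl does ipsec_t need to write?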
corenet_tcp_bind_reserved_port(ipsec_t) + corenet_tcp_bind_isakmp_port(ipsec_t) + corenet_udp_bind_isakmp_port(ipsec_t) + corenet_udp_bind_ipsecnat_port(ipsec_t) ++corenet_udp_bind_dhcpc_port(ipsec_t) + corenet_sendrecv_generic_server_packets(ipsec_t) + corenet_sendrecv_isakmp_server_packets(ipsec_t) ++corenet_tcp_connect_http_port(ipsec_t) ++corenet_tcp_connect_ldap_port(ipsec_t) + + dev_read_sysfs(ipsec_t) + dev_read_rand(ipsec_t) +@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t) + fs_getattr_all_fs(ipsec_t) + fs_search_auto_mountpoints(ipsec_t) + ++selinux_compute_access_vector(ipsec_t) ++ + term_use_console(ipsec_t) + term_dontaudit_use_all_ttys(ipsec_t) + + auth_use_nsswitch(ipsec_t) ++auth_read_home_content(ipsec_t) + + init_use_fds(ipsec_t) + init_use_script_ptys(ipsec_t) + ++logging_read_all_logs(ipsec_mgmt_t) + logging_send_syslog_msg(ipsec_t) + +-miscfiles_read_localization(ipsec_t) + + sysnet_domtrans_ifconfig(ipsec_t) ++sysnet_manage_config(ipsec_t) ++sysnet_etc_filetrans_config(ipsec_t) + + userdom_dontaudit_use_unpriv_user_fds(ipsec_t) + userdom_dontaudit_search_user_home_dirs(ipsec_t) + + optional_policy(` ++ iptables_domtrans(ipsec_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ipsec_t) + ') + +@@ -187,10 +208,10 @@ optional_policy(` + # ipsec_mgmt Local policy + # + +-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; +-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; +-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; +-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; ++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; ++dontaudit ipsec_mgmt_t self:capability sys_tty_config; ++allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; ++allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow ipsec_mgmt_t 
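Review bot: corenet_all_recvfrom_unlabeled(ipsec_t) is removed without a replacement while the other corenet_*_all_* calls are swapped for their generic_if/generic_node forms. Unless this distribution grants unlabeled receive to every domain elsewhere, ipsec_t stops receiving unlabeled packets, and for an IKE daemon that breaks IKE itself — confirm before merging. The new corenet_tcp_connect_http_port and corenet_tcp_connect_ldap_port lines also need a why-comment, e.g. `# outbound HTTP/LDAP: presumably CRL/OCSP fetching — confirm`, since outbound connections from a daemon holding private keys are worth justifying.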
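Review bot: logging_read_all_logs(ipsec_mgmt_t) is inserted in the ipsec_t local-policy section (between the init_* lines and logging_send_syslog_msg(ipsec_t)); it belongs under the `# ipsec_mgmt Local policy` header that the next hunk touches, otherwise anyone auditing ipsec_mgmt_t's grants will miss it. sysnet_manage_config(ipsec_t) with sysnet_etc_filetrans_config(ipsec_t) lets the IKE daemon itself rewrite network configuration under /etc, and auth_read_home_content(ipsec_t) lets it read user home content; both are broad for a network-facing daemon and should each carry a one-line comment naming the feature that needs them (presumably DNS/route push from IKE configuration payloads for the first — confirm). Removing miscfiles_read_localization leaves two consecutive blank lines before sysnet_domtrans_ifconfig; drop one.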
self:tcp_socket create_stream_socket_perms; + allow ipsec_mgmt_t self:udp_socket create_socket_perms; + allow ipsec_mgmt_t self:key_socket create_socket_perms; +@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; + files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) ++filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file) + + manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) ++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + + allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) + + # _realsetup needs to be able to cat /var/run/pluto.pid, + # run ps on that pid, and delete the file +@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) + kernel_getattr_core_if(ipsec_mgmt_t) + kernel_getattr_message_if(ipsec_mgmt_t) + ++domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) ++domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) ++ ++dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) ++dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) ++ ++dev_read_sysfs(ipsec_mgmt_t) ++ ++files_dontaudit_getattr_all_files(ipsec_mgmt_t) ++files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) + files_read_kernel_symbol_table(ipsec_mgmt_t) + files_getattr_kernel_modules(ipsec_mgmt_t) + +@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) + corecmd_exec_bin(ipsec_mgmt_t) + corecmd_exec_shell(ipsec_mgmt_t) + ++corenet_tcp_connect_rndc_port(ipsec_mgmt_t) ++ + dev_read_rand(ipsec_mgmt_t) + dev_read_urand(ipsec_mgmt_t) + +@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) + fs_list_tmpfs(ipsec_mgmt_t) + + term_use_console(ipsec_mgmt_t) +-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) 
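Review bot: ipsec_mgmt_t now gets capability sys_ptrace while ptrace is removed from its self:process permissions; the pair reads as a swap rather than a widening, but the capability alone is what lets the domain read other processes' /proc state, and nothing says why. The existing comment further down (`_realsetup needs to be able to cat /var/run/pluto.pid, run ps on that pid`) is probably the reason — confirm and put a short note on the capability line, e.g. `# sys_ptrace: ps on the pluto pid from _realsetup`. The domain_dontaudit_getattr_* and files_dontaudit_getattr_* lines added in `@@ -246,6 +269,16 @@` silence the rest of that `ps` noise; a comment there tying them to the same cause would help the next reader.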
++term_use_all_inherited_terms(ipsec_mgmt_t) + + auth_dontaudit_read_login_records(ipsec_mgmt_t) ++auth_use_nsswitch(ipsec_mgmt_t) + + init_read_utmp(ipsec_mgmt_t) + init_use_script_ptys(ipsec_mgmt_t) +@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) + + logging_send_syslog_msg(ipsec_mgmt_t) + +-miscfiles_read_localization(ipsec_mgmt_t) +- +-seutil_dontaudit_search_config(ipsec_mgmt_t) +- + sysnet_manage_config(ipsec_mgmt_t) + sysnet_domtrans_ifconfig(ipsec_mgmt_t) + sysnet_etc_filetrans_config(ipsec_mgmt_t) + +-userdom_use_user_terminals(ipsec_mgmt_t) ++systemd_exec_systemctl(ipsec_mgmt_t) ++ ++userdom_use_inherited_user_terminals(ipsec_mgmt_t) ++ ++optional_policy(` ++ bind_read_dnssec_keys(ipsec_mgmt_t) ++ bind_read_config(ipsec_mgmt_t) ++') + + optional_policy(` + consoletype_exec(ipsec_mgmt_t) +@@ -322,6 +361,10 @@ optional_policy(` + ') + + optional_policy(` ++ l2tpd_read_pid_files(ipsec_mgmt_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(ipsec_mgmt_t) + ') + +@@ -335,7 +378,7 @@ optional_policy(` + # + + allow racoon_t self:capability { net_admin net_bind_service }; +-allow racoon_t self:netlink_route_socket create_netlink_socket_perms; ++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms }; + allow racoon_t self:unix_dgram_socket { connect create ioctl write }; + allow racoon_t self:netlink_selinux_socket { bind create read }; + allow racoon_t self:udp_socket create_socket_perms; +@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t) + corecmd_exec_shell(racoon_t) + corecmd_exec_bin(racoon_t) + +-corenet_all_recvfrom_unlabeled(racoon_t) +-corenet_tcp_sendrecv_all_if(racoon_t) +-corenet_udp_sendrecv_all_if(racoon_t) +-corenet_tcp_sendrecv_all_nodes(racoon_t) +-corenet_udp_sendrecv_all_nodes(racoon_t) +-corenet_tcp_bind_all_nodes(racoon_t) +-corenet_udp_bind_all_nodes(racoon_t) ++corenet_tcp_sendrecv_generic_if(racoon_t) ++corenet_udp_sendrecv_generic_if(racoon_t) 
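Review bot: bind_read_dnssec_keys(ipsec_mgmt_t) gives the management scripts read access to BIND's DNSSEC key material, and together with corenet_tcp_connect_rndc_port(ipsec_mgmt_t) from `@@ -255,6 +288,8 @@` it looks like support for driving nsupdate/rndc from the ipsec scripts; that should be stated in the optional_policy block, e.g. `# dynamic DNS updates from the ipsec scripts: needs rndc and the signing keys — confirm`, adjusted to whatever the real feature is. Key-material reads are exactly the grants reviewers look for later, and an uncommented optional_policy block hides the intent. Removing seutil_dontaudit_search_config will surface SELinux config searches in the audit log; fine if intended.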
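Review bot: The racoon_t netlink_route_socket change only wraps create_netlink_socket_perms in braces — `{ create_netlink_socket_perms }` compiles to exactly the same rule — so this hunk is pure churn and can be dropped from the patch. Single permission sets are written bare elsewhere in the same block (`allow racoon_t self:udp_socket create_socket_perms;`), so the brace form is also the stylistic odd one out.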
++corenet_tcp_sendrecv_generic_node(racoon_t) ++corenet_udp_sendrecv_generic_node(racoon_t) ++corenet_tcp_bind_generic_node(racoon_t) ++corenet_udp_bind_generic_node(racoon_t) + corenet_udp_bind_isakmp_port(racoon_t) + corenet_udp_bind_ipsecnat_port(racoon_t) + +@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t) + logging_send_syslog_msg(racoon_t) + logging_send_audit_msgs(racoon_t) + +-miscfiles_read_localization(racoon_t) +- + sysnet_exec_ifconfig(racoon_t) + ++auth_use_pam(racoon_t) ++ + auth_can_read_shadow_passwords(racoon_t) + tunable_policy(`racoon_read_shadow',` + auth_tunable_read_shadow(racoon_t) +@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t) + + locallogin_use_fds(setkey_t) + +-miscfiles_read_localization(setkey_t) + + seutil_read_config(setkey_t) + +-userdom_use_user_terminals(setkey_t) +- ++userdom_use_inherited_user_terminals(setkey_t) ++userdom_read_user_tmp_files(setkey_t) +diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc +index 1b93eb7..b2532aa 100644 +--- a/policy/modules/system/iptables.fc ++++ b/policy/modules/system/iptables.fc +@@ -1,21 +1,27 @@ + /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) +-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) ++/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + + /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) 
+-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + ++/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if +index c42fbc3..174cfdb 100644 +--- 
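Review bot: In iptables.fc, `/sbin/ip6?tables-restore.*` and `/sbin/ip6?tables-multi.*` are fully covered by the new `/sbin/ip6?tables.*` line (its `.*` already matches the `-restore`/`-multi` suffix), and the same triple is repeated under /usr/sbin; keeping only the `.*` line per directory yields the same labels with less to maintain. Dropping the `/etc/sysconfig/ip6?tables.*` and `system-config-firewall.*` lines means saved rule sets lose their dedicated iptables_conf_t label; which label they fall back to depends on the generic /etc/sysconfig rule, which this patch does not show — confirm it is the type that files_manage_system_conf_files (used in iptables.te) covers, otherwise iptables-save will be denied. `/usr/sbin/ipset` is removed without a replacement line; confirm ipset is labeled elsewhere.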
a/policy/modules/system/iptables.if ++++ b/policy/modules/system/iptables.if +@@ -17,10 +17,6 @@ interface(`iptables_domtrans',` + + corecmd_search_bin($1) + domtrans_pattern($1, iptables_exec_t, iptables_t) +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit iptables_t $1:socket_class_set { read write }; +- ') + ') + + ######################################## +@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',` + init_labeled_script_domtrans($1, iptables_initrc_exec_t) + ') + ++######################################## ++## ++## Execute iptables server in the iptables domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`iptables_systemctl',` ++ gen_require(` ++ type iptables_unit_file_t; ++ type iptables_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 iptables_unit_file_t:file read_file_perms; ++ allow $1 iptables_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, iptables_t) ++') ++ + ##################################### + ## + ## Set the attributes of iptables config files. 
+diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te +index 5dfa44b..cafb28e 100644 +--- a/policy/modules/system/iptables.te ++++ b/policy/modules/system/iptables.te +@@ -16,15 +16,15 @@ role iptables_roles types iptables_t; + type iptables_initrc_exec_t; + init_script_file(iptables_initrc_exec_t) + +-type iptables_conf_t; +-files_config_file(iptables_conf_t) +- + type iptables_tmp_t; + files_tmp_file(iptables_tmp_t) + + type iptables_var_run_t; + files_pid_file(iptables_var_run_t) + ++type iptables_unit_file_t; ++systemd_unit_file(iptables_unit_file_t) ++ + ######################################## + # + # Iptables local policy +@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; + allow iptables_t self:netlink_socket create_socket_perms; + allow iptables_t self:rawip_socket create_socket_perms; + +-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) +-files_etc_filetrans(iptables_t, iptables_conf_t, file) ++files_manage_system_conf_files(iptables_t) ++files_etc_filetrans_system_conf(iptables_t) + + manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) + files_pid_filetrans(iptables_t, iptables_var_run_t, file) +@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; + allow iptables_t iptables_tmp_t:file manage_file_perms; + files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + ++kernel_getattr_proc(iptables_t) + kernel_request_load_module(iptables_t) + kernel_read_system_state(iptables_t) + kernel_read_network_state(iptables_t) +@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t) + corenet_dontaudit_rw_tun_tap_dev(iptables_t) + + dev_read_sysfs(iptables_t) ++dev_read_urand(iptables_t) + + fs_getattr_xattr_fs(iptables_t) + fs_search_auto_mountpoints(iptables_t) +@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t) + mls_file_read_all_levels(iptables_t) + + term_dontaudit_use_console(iptables_t) 
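Review bot: iptables.te drops the iptables_conf_t type in `@@ -16,15 +16,15 @@` and, in `@@ -37,8 +37,8 @@`, replaces the private-type manage_files_pattern with files_manage_system_conf_files(iptables_t) plus files_etc_filetrans_system_conf(iptables_t). That widens iptables_t from writing its own saved rule files to managing every file of the shared system-configuration type, so a compromised iptables helper can rewrite unrelated /etc configuration; if the goal is just `/etc/sysconfig/ip6?tables`, keeping a private type (or at least a comment naming which other files forced the move) is the safer shape. Removing the type with no `typealias` left behind also breaks any local or third-party module that still references iptables_conf_t — the config-file interfaces in iptables.if (the `Set the attributes of iptables config files.` one that follows the new iptables_systemctl) presumably still name it; confirm.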
++term_use_all_inherited_terms(iptables_t) + + domain_use_interactive_fds(iptables_t) + +-files_read_etc_files(iptables_t) +-files_read_etc_runtime_files(iptables_t) ++files_rw_etc_runtime_files(iptables_t) ++files_rw_inherited_tmp_file(iptables_t) + + auth_use_nsswitch(iptables_t) + +@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t) + # to allow rules to be saved on reboot: + init_rw_script_tmp_files(iptables_t) + init_rw_script_stream_sockets(iptables_t) ++init_dontaudit_script_leaks(iptables_t) + + logging_send_syslog_msg(iptables_t) + +-miscfiles_read_localization(iptables_t) +- + sysnet_run_ifconfig(iptables_t, iptables_roles) + sysnet_dns_name_resolve(iptables_t) + +-userdom_use_user_terminals(iptables_t) ++userdom_use_inherited_user_terminals(iptables_t) + userdom_use_all_users_fds(iptables_t) + + ifdef(`hide_broken_symptoms',` +@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` + + optional_policy(` + fail2ban_append_log(iptables_t) ++ fail2ban_dontaudit_leaks(iptables_t) ++ fail2ban_rw_inherited_tmp_files(iptables_t) + ') + + optional_policy(` +@@ -110,6 +114,11 @@ optional_policy(` + ') + + optional_policy(` ++ firewalld_read_config(iptables_t) ++ firewalld_dontaudit_write_tmp_files(iptables_t) ++') ++ ++optional_policy(` + modutils_run_insmod(iptables_t, iptables_roles) + ') + +@@ -124,6 +133,12 @@ optional_policy(` + + optional_policy(` + psad_rw_tmp_files(iptables_t) ++ psad_write_log(iptables_t) ++') ++ ++optional_policy(` ++ neutron_rw_inherited_pipes(iptables_t) ++ neutron_sigchld(iptables_t) + ') + + optional_policy(` +@@ -135,9 +150,9 @@ optional_policy(` + ') + + optional_policy(` ++ shorewall_read_config(iptables_t) + shorewall_read_tmp_files(iptables_t) + shorewall_rw_lib_files(iptables_t) +- shorewall_read_config(iptables_t) + ') + + optional_policy(` +diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc +index 73bb3c0..5b9420f 100644 +--- a/policy/modules/system/libraries.fc ++++ 
b/policy/modules/system/libraries.fc +@@ -1,3 +1,4 @@ ++ + # + # /emul + # +@@ -28,14 +29,17 @@ ifdef(`distro_redhat',` + # /etc + # + /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) ++/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) + /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) ++/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) + + /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) + + # + # /lib(64)? + # +-/lib -d gen_context(system_u:object_r:lib_t,s0) ++/lib gen_context(system_u:object_r:lib_t,s0) ++/lib64 gen_context(system_u:object_r:lib_t,s0) + /lib/.* gen_context(system_u:object_r:lib_t,s0) + /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) + +@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',` + # + # /opt + # +-/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) ++/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/opt/(.*/)?lib64(/.*)? 
gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` + # + # /usr + # ++/usr/lib -d gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/.* gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) ++ ++/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` + /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) + + /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) + +-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) ++/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) + + /usr/(.*/)?nvidia/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` + /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -141,19 +152,21 @@ ifdef(`distro_redhat',` + /usr/lib/ati-fglrx/.+\.so(\..*)? 
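Review bot: The `/usr/(.*/)?lib64(/.*)?` line is removed and the ld.so pattern is narrowed from `lib(64)?` to `lib`, so on a 64-bit install `/usr/lib64/ld-*.so` no longer matches ld_so_t from this file. That is only safe if lib64 variants are generated from the lib entries at build time; the explicit `/lib64` line added in `@@ -28,14 +29,17 @@` suggests that is not done for every pattern — confirm which mechanism covers /usr/lib64, and if it is a build-time rewrite, say so in a comment near the top of the file. The same assumption sits behind the `/var/ftp/lib(64)?` edit further down, where lib64 is spelled out by hand for postfix but not for ftp.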
-- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib.*/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + 
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -182,11 +195,13 @@ ifdef(`distro_redhat',` + # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv + # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php + HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ + + # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame + /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- 
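Review bot: `/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*` is replaced by `/usr/lib/libnvidia\.so(\.[^/]*)*` and `/usr/lib.*/libnvidia\.so(\.[^/]*)*`, which only match a file literally named libnvidia.so; the `.+` that matched libnvidia-glcore.so-style names is gone, and the new `/usr/lib/nvidia.*\.so` line does not cover `/usr/lib/libnvidia-*.so` either (it requires `nvidia` directly after `/usr/lib/`). If those libraries are meant to stay textrel_shlib_t, `/usr/lib/libnvidia.*\.so(\.[^/]*)*` restores it. The `/usr/(local/)?.*\.so` → `/usr/.*\.so` change is harmless since `.*` spans /usr/local, but the wine line loses its `(local/)?` and `lib(64)?` alternatives at the same time — confirm that is intended.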
gen_context(system_u:object_r:textrel_shlib_t,s0) + +-HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + # Jai, Sun Microsystems (Jpackage SPRM) + /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te + + # Java, Sun Microsystems (JPackage SRPM) + /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
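Review bot: The added `/usr/libmpg123\.so(\.[^/]*)*` has no directory component between /usr and the file name, so it matches nothing real; it reads like a mechanical rewrite of the removed `/usr/local(/.*)?/libmpg123` line that lost its `lib/`. The other new line, `/usr/lib/libmpg123\.so(\.[^/]*)*`, is already covered by the surviving `/usr/lib.*/libmpg123\.so(\.[^/]*)*` directly above it. Dropping both added lines leaves /usr/lib and /usr/lib64 labeled exactly as before; if /usr/local was meant to stay covered, keep the original `/usr/local(/.*)?/libmpg123` line instead.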
+-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te + # + /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) + +-/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +- +-/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) + + /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) + ++/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/var/named/chroot/usr/lib(/.*)? 
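Review bot: Every `(local/)?` alternative in this hunk is deleted (Adobe, acroread, xchat systray, matlab), so the same plugins installed under /usr/local no longer get textrel_shlib_t; the generic `/usr/.*\.so(\.[^/]*)*` rule added earlier in this file labels them lib_t instead, which for these text-relocation libraries means execmod denials at load time. Adobe Reader and MATLAB are commonly installed under /usr/local, so this looks like a regression rather than cleanup — if /usr/local is deliberately handled elsewhere (a separate local-contexts file or a build-time rewrite), say so in a comment above the block; otherwise restore the `(local/)?` forms. The same /usr/local removal appears in the jre and nprhapengine lines of this hunk and the preceding one.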
gen_context(system_u:object_r:lib_t,s0) ++ ++/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++ + ifdef(`distro_suse',` + /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) + ') + +-/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) + /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) ++/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) ++ ++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
++/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) ++ ++/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++ ++/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/gstreamer-.*/[^/]*\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++ifdef(`fixed',` ++/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++# Flash plugin, Macromedia 
++/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++') ++/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/real/RealPlayer/codecs(/.*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if +index 808ba93..9d8f729 100644 +--- a/policy/modules/system/libraries.if ++++ b/policy/modules/system/libraries.if +@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` + + ######################################## + ## ++## Make ldconfig_exec_t entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which bin_t is an entrypoint. ++## ++## ++# ++interface(`libs_ldconfig_exec_entry_type',` ++ gen_require(` ++ type ldconfig_exec_t; ++ ') ++ ++ domain_entry_file($1, ldconfig_exec_t) ++') ++ ++######################################## ++## + ## Use the dynamic link/loader for automatic loading + ## of shared libraries. 
+ ## +@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',` + type lib_t, ld_so_t; + ') + ++ read_lnk_files_pattern($1, lib_t, lib_t) + manage_files_pattern($1, lib_t, ld_so_t) + ') + +@@ -205,8 +225,26 @@ interface(`libs_search_lib',` + type lib_t; + ') + ++ read_lnk_files_pattern($1, lib_t, lib_t) + allow $1 lib_t:dir search_dir_perms; + ') ++######################################## ++## ++## dontaudit attempts to setattr on library files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`libs_dontaudit_setattr_lib_files',` ++ gen_require(` ++ type lib_t; ++ ') ++ ++ dontaudit $1 lib_t:file setattr; ++') + + ######################################## + ## +@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',` + type lib_t; + ') + ++ read_lnk_files_pattern($1, lib_t, lib_t) + allow $1 lib_t:dir manage_dir_perms; + ') + + ######################################## + ## +-## dontaudit attempts to setattr on library files +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`libs_dontaudit_setattr_lib_files',` +- gen_require(` +- type lib_t; +- ') +- +- dontaudit $1 lib_t:file setattr; +-') +- +-######################################## +-## + ## Read files in the library directories, such + ## as static libraries. 
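Review bot: The parameter description of `libs_ldconfig_exec_entry_type` reads `The domain for which bin_t is an entrypoint.`, but the body makes `ldconfig_exec_t` the entrypoint (`domain_entry_file($1, ldconfig_exec_t)`); change it to `The domain for which ldconfig_exec_t is an entrypoint.` An entrypoint interface lets another domain be entered through the ldconfig binary, so a sentence naming the intended callers would help whoever reviews future users of it.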
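Review bot: `read_lnk_files_pattern($1, lib_t, lib_t)` is added to `libs_search_lib`, so an interface whose name promises only directory search now also grants reading lib_t symlinks to every existing caller. The same line is added to `libs_manage_ld_so`, `libs_manage_lib_dirs` and `libs_manage_lib_files` in this file, where it is harmless, but for the search interface either update the summary (e.g. `Search the library directories and read the symlinks in them.`) or keep the symlink read in a separate interface so the widening is visible at the call sites.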
+ ## +@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',` + type lib_t; + ') + ++ read_lnk_files_pattern($1, lib_t, lib_t) + manage_files_pattern($1, lib_t, lib_t) + ') + +@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',` + type lib_t, textrel_shlib_t; + ') + +- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) ++ read_lnk_files_pattern($1, lib_t, lib_t) ++ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + ') + + ######################################## +@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',` + ') + + files_search_usr($1) +- allow $1 lib_t:dir list_dir_perms; +- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) +- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) ++ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; ++ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ++ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ++# allow $1 lib_t:file execmod; + allow $1 textrel_shlib_t:file execmod; + ') + +@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',` + type lib_t, textrel_shlib_t; + ') + +- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) ++ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + ') + + ######################################## +@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',` + interface(`files_lib_filetrans_shared_lib',` + refpolicywarn(`$0($*) has been deprecated.') + ') ++ ++######################################## ++## ++## Transition to lib named content ++## ++## ++## ++## Domain allowed access. 
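Review bot: The commented-out `# allow $1 lib_t:file execmod;` left in `libs_use_shared_libs` is dead code in one of the most widely used interfaces in the policy, and uncommenting it would grant text relocation on every library to every caller, which is exactly the separation the `textrel_shlib_t` type exists to keep narrow. Remove the line, or replace it with a statement of the decision, e.g. `# execmod is deliberately limited to textrel_shlib_t; relabel the library that needs it instead of widening this.` The other change in the hunk, listing and mmapping under directories labeled `textrel_shlib_t`, is consistent with the fc entries that label whole plugin directories with that type.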
++## ++## ++# ++interface(`libs_filetrans_named_content',` ++ gen_require(` ++ type ld_so_cache_t; ++ type ldconfig_cache_t; ++ ') ++ ++ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") ++') +diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te +index 23a645e..52a8540 100644 +--- a/policy/modules/system/libraries.te ++++ b/policy/modules/system/libraries.te +@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) + # lib_t is the type of files in the system lib directories. + # + type lib_t alias shlib_t; +-files_type(lib_t) ++files_ro_base_file(lib_t) + + # + # textrel_shlib_t is the type of shared objects in the system lib + # directories, which require text relocation. + # + type textrel_shlib_t alias texrel_shlib_t; +-files_type(textrel_shlib_t) ++files_ro_base_file(textrel_shlib_t) + + ifdef(`distro_gentoo',` + # openrc unfortunately mounts a tmpfs +@@ -59,9 +59,11 @@ optional_policy(` + + allow ldconfig_t self:capability { dac_override sys_chroot }; + ++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) + manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) ++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig") + +-allow ldconfig_t ld_so_cache_t:file manage_file_perms; ++manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) + files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) + + manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) +@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t) + + fs_getattr_xattr_fs(ldconfig_t) + ++files_list_var_lib(ldconfig_t) ++files_dontaudit_leaks(ldconfig_t) ++files_manage_var_lib_symlinks(ldconfig_t) ++ + corecmd_search_bin(ldconfig_t) + + 
domain_use_interactive_fds(ldconfig_t) + +-files_search_var_lib(ldconfig_t) ++files_search_home(ldconfig_t) + files_read_etc_files(ldconfig_t) + files_read_usr_files(ldconfig_t) + files_search_tmp(ldconfig_t) +@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t) + init_use_script_ptys(ldconfig_t) + init_read_script_tmp_files(ldconfig_t) + +-miscfiles_read_localization(ldconfig_t) + + logging_send_syslog_msg(ldconfig_t) + +-userdom_use_user_terminals(ldconfig_t) ++term_use_console(ldconfig_t) ++userdom_use_inherited_user_terminals(ldconfig_t) + userdom_use_all_users_fds(ldconfig_t) + + ifdef(`distro_ubuntu',` +@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',` + ') + ') + ++userdom_dontaudit_list_admin_dir(ldconfig_t) ++userdom_list_user_home_dirs(ldconfig_t) ++userdom_manage_user_home_content_files(ldconfig_t) ++userdom_manage_user_tmp_files(ldconfig_t) ++userdom_manage_user_tmp_symlinks(ldconfig_t) ++ + ifdef(`hide_broken_symptoms',` + ifdef(`distro_gentoo',` + # leaked fds from portage +@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',` + ') + ') + ++ dev_dontaudit_rw_lvm_control(ldconfig_t) ++ dev_dontaudit_read_all_chr_files(ldconfig_t) ++ dev_dontaudit_read_all_blk_files(ldconfig_t) ++ term_dontaudit_use_unallocated_ttys(ldconfig_t) ++ + optional_policy(` + unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) + ') +@@ -131,6 +148,14 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_append_generic_cache_files(ldconfig_t) ++') ++ ++optional_policy(` ++ kdump_manage_kdumpctl_tmp_files(ldconfig_t) ++') ++ ++optional_policy(` + puppet_rw_tmp(ldconfig_t) + ') + +@@ -141,6 +166,3 @@ optional_policy(` + rpm_manage_script_tmp_files(ldconfig_t) + ') + +-optional_policy(` +- unconfined_domain(ldconfig_t) +-') +diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc +index be6a81b..a5303e9 100644 +--- a/policy/modules/system/locallogin.fc ++++ b/policy/modules/system/locallogin.fc +@@ -1,3 +1,8 @@ ++HOME_DIR/\.hushlogin -- 
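Review bot: `userdom_manage_user_home_content_files(ldconfig_t)` and `userdom_manage_user_tmp_files(ldconfig_t)` let a root-run system utility create, overwrite and delete arbitrary files in every user's home and tmp, a far wider footprint than the `files_search_var_lib` it replaces and a classic symlink/TOCTOU surface. If this is only so that `ldconfig -r`/`-C` or package scriptlets can write a cache under a user-owned prefix (inferred; the reason is not stated), narrow it to the specific types or put it behind a tunable, and in any case add a why-comment such as `# ldconfig is run by build tooling against user-owned roots` — confirm the rationale before committing it. Dropping `optional_policy(` unconfined_domain(ldconfig_t) ')` further down is the right direction and makes the precise grants here matter more.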
gen_context(system_u:object_r:local_login_home_t,s0) ++/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) + + /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) + /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++ ++/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) +diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if +index 0e3c2a9..ea9bd57 100644 +--- a/policy/modules/system/locallogin.if ++++ b/policy/modules/system/locallogin.if +@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',` + + domtrans_pattern($1, sulogin_exec_t, sulogin_t) + ') ++ ++####################################### ++## ++## Allow domain to gettatr local login home content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`locallogin_getattr_home_content',` ++ gen_require(` ++ type local_login_home_t; ++ ') ++ ++ getattr_files_pattern($1, local_login_home_t, local_login_home_t) ++') ++ ++######################################## ++## ++## create local login content in the in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`locallogin_filetrans_admin_home_content',` ++ gen_require(` ++ type local_login_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") ++') ++ ++######################################## ++## ++## Transition to local login named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`locallogin_filetrans_home_content',` ++ gen_require(` ++ type local_login_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") ++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") ++') +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index c04ac46..ed59137 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) + type local_login_lock_t; + files_lock_file(local_login_lock_t) + +-type local_login_tmp_t; +-files_tmp_file(local_login_tmp_t) +-files_poly_parent(local_login_tmp_t) ++type local_login_home_t; ++userdom_user_home_content(local_login_home_t) + + type sulogin_t; + type sulogin_exec_t; +@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t) + init_system_domain(sulogin_t, sulogin_exec_t) + role system_r types sulogin_t; + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh) ++') ++ ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh) ++') ++ + ######################################## + # + # Local login local policy + # + +-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; +-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +-allow local_login_t self:process { setrlimit setexec }; ++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; ++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; + allow local_login_t self:fd use; + allow local_login_t self:fifo_file rw_fifo_file_perms; + allow local_login_t self:sock_file read_sock_file_perms; +@@ -51,9 +57,7 @@ allow 
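Review bot: The summary of `locallogin_getattr_home_content` reads `Allow domain to gettatr local login home content` and that of `locallogin_filetrans_admin_home_content` reads `create local login content in the in the /root directory with an correct label.`; suggest `Allow domain to getattr local login home content` and `Create local login content in the /root directory with the correct label.` The admin-home transition is also repeated inside `locallogin_filetrans_home_content`, so a one-line comment saying which interface callers should prefer would stop both being called for the same domain.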
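Review bot: `sys_admin` is added to `allow local_login_t self:capability { … }` without a comment, and CAP_SYS_ADMIN is the catch-all capability (mount, setns, privileged ioctls); for a login program it makes the domain effectively root-equivalent once compromised. State which operation needed it, e.g. `# sys_admin: required for <operation>` — the reason is not visible here — or, if it was added to silence a denial from session setup, check whether the `auth_use_nsswitch`/`init_stream_connect` added in the next hunk already cover that path. The rewritten `allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };` is equivalent to the two rules it replaces, so that part only simplifies.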
local_login_t self:key { search write link };
+ allow local_login_t local_login_lock_t:file manage_file_perms;
+ files_lock_filetrans(local_login_t, local_login_lock_t, file)
+ 
+-allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+-allow local_login_t local_login_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
++allow local_login_t local_login_home_t:file read_file_perms;
+ 
+ kernel_read_system_state(local_login_t)
+ kernel_read_kernel_sysctls(local_login_t)
+@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
+ dev_setattr_power_mgmt_dev(local_login_t)
+ dev_getattr_sound_dev(local_login_t)
+ dev_setattr_sound_dev(local_login_t)
++dev_rw_generic_usb_dev(local_login_t)
++dev_read_video_dev(local_login_t)
+ dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_read_framebuffer(local_login_t)
+@@ -117,16 +123,18 @@ term_relabel_unallocated_ttys(local_login_t)
+ term_relabel_all_ttys(local_login_t)
+ term_setattr_all_ttys(local_login_t)
+ term_setattr_unallocated_ttys(local_login_t)
++term_relabel_all_ptys(local_login_t)
++term_setattr_generic_ptys(local_login_t)
+ 
+ auth_rw_login_records(local_login_t)
+ auth_rw_faillog(local_login_t)
+-auth_manage_pam_pid(local_login_t)
+ auth_manage_pam_console_data(local_login_t)
+ auth_domtrans_pam_console(local_login_t)
++auth_use_nsswitch(local_login_t)
+ 
+ init_dontaudit_use_fds(local_login_t)
++init_stream_connect(local_login_t)
+ 
+-miscfiles_read_localization(local_login_t)
+ 
+ userdom_spec_domtrans_all_users(local_login_t)
+ userdom_signal_all_users(local_login_t)
+@@ -141,19 +149,15 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+ 
+-tunable_policy(`console_login',`
+- # Able to relabel /dev/console to user tty types.
+- term_relabel_console(local_login_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(local_login_t)
+- fs_read_nfs_symlinks(local_login_t)
+-')
++userdom_home_reader(local_login_t)
++userdom_manage_tmp_files(local_login_t)
++userdom_tmp_filetrans_user_tmp(local_login_t, file)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(local_login_t)
+- fs_read_cifs_symlinks(local_login_t)
++tunable_policy(`login_console_enabled',`
++ term_use_console(local_login_t)
++ # Able to relabel /dev/console to user tty types.
++ term_relabel_console(local_login_t)
++ term_setattr_console(local_login_t)
+ ')
+ 
+ optional_policy(`
+@@ -177,14 +181,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- nis_use_ypbind(local_login_t)
+-')
+-
+-optional_policy(`
+- nscd_use(local_login_t)
+-')
+-
+-optional_policy(`
+ unconfined_shell_domtrans(local_login_t)
+ ')
+ 
+@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms;
+ allow sulogin_t self:msgq create_msgq_perms;
+ allow sulogin_t self:msg { send receive };
+ 
++kernel_read_crypto_sysctls(sulogin_t)
+ kernel_read_system_state(sulogin_t)
+ 
++dev_getattr_all_chr_files(sulogin_t)
++dev_getattr_all_blk_files(sulogin_t)
++
+ fs_search_auto_mountpoints(sulogin_t)
+ fs_rw_tmpfs_chr_files(sulogin_t)
+ 
+ files_read_etc_files(sulogin_t)
+ # because file systems are not mounted:
+ files_dontaudit_search_isid_type_dirs(sulogin_t)
++files_search_pids(sulogin_t)
+ 
+ auth_read_shadow(sulogin_t)
++auth_use_nsswitch(sulogin_t)
+ 
+ init_getpgid_script(sulogin_t)
++init_getpgid(sulogin_t)
+ 
+ logging_send_syslog_msg(sulogin_t)
+ 
++
+ seutil_read_config(sulogin_t)
+ seutil_read_default_contexts(sulogin_t)
+ 
+ userdom_use_unpriv_users_fds(sulogin_t)
+ 
++userdom_search_admin_dir(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+ 
+-sysadm_shell_domtrans(sulogin_t)
++term_use_console(sulogin_t)
++term_use_unallocated_ttys(sulogin_t)
++term_use_generic_ptys(sulogin_t)
++
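Review bot: `dev_rw_generic_usb_dev(local_login_t)` grants read and write on generic USB device nodes to the console login process itself, whereas the neighbouring rules for power-management and sound devices take only getattr/setattr, which is all a login program needs to hand a device to the user (chown/relabel) without performing I/O on it. Unless login actually reads or writes USB devices (not evident here), prefer the getattr/setattr form matching the neighbours, and give `dev_read_video_dev(local_login_t)` a why-comment for the same reason. The enclosing policy block for local_login_t continues outside this hunk.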
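Review bot: `userdom_manage_tmp_files(local_login_t)` with `userdom_tmp_filetrans_user_tmp(local_login_t, file)` lets root-run login manage every user's tmp files, where the code it replaces used a private polyinstantiation-parent type (the removal of `local_login_tmp_t` is in an earlier hunk of this patch); a root process creating files in a shared /tmp under a user-owned type is a symlink-race surface and deserves a comment stating what login writes there and why a private type no longer works. The `use_nfs_home_dirs`/`use_samba_home_dirs` tunables are dropped in favour of `userdom_home_reader`, which is only equivalent if that interface carries the NFS/CIFS tunables itself — not visible here, worth confirming. Renaming the boolean from `console_login` to `login_console_enabled` silently invalidates existing `setsebool console_login` settings, so a migration note belongs next to the tunable.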
++ifdef(`enable_mls',` ++ sysadm_shell_domtrans(sulogin_t) ++',` ++ optional_policy(` ++ unconfined_shell_domtrans(sulogin_t) ++ ') ++') + + # suse and debian do not use pam with sulogin... + ifdef(`distro_suse', `define(`sulogin_no_pam')') + ifdef(`distro_debian', `define(`sulogin_no_pam')') + ++allow sulogin_t self:capability sys_tty_config; + ifdef(`sulogin_no_pam', ` +- allow sulogin_t self:capability sys_tty_config; + init_getpgid(sulogin_t) + ', ` + allow sulogin_t self:process setexec; +@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` + selinux_compute_relabel_context(sulogin_t) + selinux_compute_user_contexts(sulogin_t) + ') +- +-optional_policy(` +- nis_use_ypbind(sulogin_t) +-') +- +-optional_policy(` +- nscd_use(sulogin_t) +-') +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index b50c5fe..2faaaf2 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -2,10 +2,13 @@ + + /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) ++/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) + /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0) ++ + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) + /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) + /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) +@@ -17,12 +20,25 @@ + /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + ++/opt/zimbra/log(/.*)? 
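Review bot: On non-MLS builds the rescue shell transition becomes `optional_policy(` unconfined_shell_domtrans(sulogin_t) ')` with no fallback, so on a host with the unconfined module removed (a common hardening step) sulogin has no shell transition at all and the rescue shell runs in sulogin_t with only the permissions listed here. Use the else branch of optional_policy to keep the previous behaviour as a fallback: `optional_policy(` unconfined_shell_domtrans(sulogin_t) ',` sysadm_shell_domtrans(sulogin_t) ')`. Moving `allow sulogin_t self:capability sys_tty_config;` out of the `sulogin_no_pam` branch also deserves a one-line comment, since it now applies to the PAM build as well.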
gen_context(system_u:object_r:var_log_t,s0) ++/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ ++/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++ ++/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ ++/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) ++/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) ++/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) ++/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) + /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) + /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) + /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + + /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) + /var/lib/syslog-ng(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,s0) +@@ -38,13 +54,13 @@ ifdef(`distro_suse', ` + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) +-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ++/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ++/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + + ifndef(`distro_gentoo',` + /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',` + ifdef(`distro_redhat',` + /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) + /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) + ') + + /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +@@ -65,11 +82,16 @@ ifdef(`distro_redhat',` + /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) + + /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) + /var/spool/bacula/log(/.*)? 
gen_context(system_u:object_r:var_log_t,s0) + /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) +-/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) + ++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ ++/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 4e94884..9b82ed0 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` + + ######################################## + ## +-## Connect to auditdstored over an unix stream socket. ++## Connect to auditdstored over a unix stream socket. + ## + ## + ## +@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',` + + ######################################## + ## +-## Connect to the audit dispatcher over an unix stream socket. ++## Connect to the audit dispatcher over a unix stream socket. + ## + ## + ## +@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',` + filetrans_pattern($1, var_log_t, $2, $3, $4) + ') + ++####################################### ++## ++## Create an object in the log directory, with a private type. ++## ++## ++##
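Review bot: `/var/webmin(/.*)?` and `/var/stockmaniac/templates_cache(/.*)?` are labeled var_log_t, which makes them writable by every domain holding generic log access (`logging_manage_all_logs`, `logging_write_generic_logs`, the `logfile` attribute) and readable by everything with `logging_read_generic_logs`. If those directories hold more than log files — a webmin state directory typically also carries its session store and configuration cache, verify on an install — they need a product-specific type rather than the generic log type, or at minimum a comment that the broad labeling is accepted, e.g. `# whole state dir treated as logs; contains no credentials (checked <date>)`.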

    ++## Allow the specified domain to create an object ++## in the general system log directories (e.g., /var/log) ++## with a private type. Typically this is used for creating ++## private log files in /var/log with the private type instead ++## of the general system log type. To accomplish this goal, ++## either the program must be SELinux-aware, or use this interface. ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      ++##
    • logging_log_file()
    • ++##
    ++##

    ++## Example usage with a domain that can create ++## and append to a private log file stored in the ++## general directories (e.g., /var/log): ++##

    ++##

    ++## type mylogfile_t; ++## logging_log_file(mylogfile_t) ++## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ++## logging_log_filetrans(mydomain_t, mylogfile_t, file) ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++## ++# ++interface(`logging_log_named_filetrans',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ files_search_var($1) ++ filetrans_pattern($1, var_log_t, $2, $3, $4) ++') ++ + ######################################## + ## + ## Send system log messages. +@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',` + # + interface(`logging_send_syslog_msg',` + gen_require(` +- type syslogd_t, devlog_t; ++ attribute syslog_client_type; + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; ++ typeattribute $1 syslog_client_type; ++') + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; ++######################################## ++## ++## Connect to the syslog control unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_create_devlog_dev',` ++ gen_require(` ++ type devlog_t; ++ ') + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) ++ allow $1 devlog_t:sock_file manage_sock_file_perms; ++ dev_filetrans($1, devlog_t, sock_file) ++ init_pid_filetrans($1, devlog_t, sock_file, "syslog") ++') ++ ++######################################## ++## ++## Relabel the devlog sock_file. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`logging_relabel_devlog_dev',` ++ gen_require(` ++ type devlog_t; ++ ') ++ ++ allow $1 devlog_t:sock_file relabel_sock_file_perms; ++') ++ ++######################################## ++## ++## Relabel the syslog pid sock_file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_relabel_syslog_pid_socket',` ++ gen_require(` ++ type syslogd_var_run_t; ++ ') ++ ++ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; ++') ++ ++######################################## ++## ++## Connect to the syslog control unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_stream_connect_syslog',` ++ gen_require(` ++ type syslogd_t, syslogd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) + ') + + ######################################## +@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',` + ') + + files_search_var($1) +- append_files_pattern($1, var_log_t, logfile) ++ append_files_pattern($1, logfile, logfile) ++') ++ ++######################################## ++## ++## Append to all log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_inherit_append_all_logs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ allow $1 logfile:file { getattr append ioctl lock }; + ') + + ######################################## +@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',` + + files_search_var($1) + manage_files_pattern($1, logfile, logfile) +- read_lnk_files_pattern($1, logfile, logfile) ++ manage_lnk_files_pattern($1, logfile, logfile) + ') + + ######################################## +@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',` + + ######################################## + ## ++## Link generic log files. ++## ++## ++## ++## Domain allowed access. 
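Review bot: The summary of `logging_create_devlog_dev` says `Connect to the syslog control unix stream socket.`, copied from `logging_stream_connect_syslog` below it, while the body grants `manage_sock_file_perms` on devlog_t plus the /dev and /run `syslog` name transitions, i.e. the ability to remove and recreate `/dev/log`. A correct summary would be `Create, delete and rename the syslog device socket (/dev/log, /run/.../syslog).`, with a note that only the log daemon domains should call it, because a caller can silence or hijack local logging by replacing the socket. `logging_send_syslog_msg` now only adds the caller to `syslog_client_type`; the rules it used to carry (`term_write_console`, sendto/connectto to syslogd_t) must be re-attached to that attribute in logging.te, which this chunk shows only as far as the attribute declaration.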
++## ++## ++## ++# ++interface(`logging_link_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ allow $1 var_log_t:file link; ++') ++ ++######################################## ++## ++## Delete generic log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_delete_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ allow $1 var_log_t:file unlink; ++') ++ ++######################################## ++## + ## Write generic log files. + ## + ## +@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',` + + ######################################## + ## ++## Dontaudit read/Write inherited generic log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`logging_dontaudit_rw_inherited_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ dontaudit $1 var_log_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Dontaudit Write generic log files. + ## + ## +@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',` + type auditd_t, auditd_etc_t, auditd_log_t; + type auditd_var_run_t; + type auditd_initrc_exec_t; ++ type auditd_unit_file_t; + ') + +- allow $1 auditd_t:process { ptrace signal_perms }; ++ allow $1 auditd_t:process signal_perms; + ps_process_pattern($1, auditd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 auditd_t:process ptrace; ++ ') ++ + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) + +@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',` + domain_system_change_exemption($1) + role_transition $2 auditd_initrc_exec_t system_r; + allow $2 system_r; ++ ++ logging_systemctl_audit($1) ++ admin_pattern($1, auditd_unit_file_t) ++ allow $1 auditd_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Execute auditd server in the auditd domain. ++## ++## ++## ++## Domain allowed to transition. 
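Review bot: `logging_delete_generic_logs` grants `unlink` on every var_log_t file with a summary that does not mention the effect; callers can erase the generic system logs, which is the permission used to cover tracks after an intrusion. Add to the summary something like `Intended for log rotation and cleanup domains only; do not grant to network-facing services.`, and likewise note for `logging_link_generic_logs` that `link` on var_log_t lets a domain keep a hard link to a rotated log, so its content may outlive the intended retention period.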
++## ++## ++# ++interface(`logging_systemctl_audit',` ++ gen_require(` ++ type auditd_t; ++ type auditd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 auditd_unit_file_t:file read_file_perms; ++ allow $1 auditd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, auditd_t) + ') + + ######################################## +@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',` + type syslogd_initrc_exec_t; + ') + +- allow $1 syslogd_t:process { ptrace signal_perms }; +- allow $1 klogd_t:process { ptrace signal_perms }; ++ allow $1 self:capability2 syslog; ++ allow $1 syslogd_t:process signal_perms; ++ allow $1 klogd_t:process signal_perms; + ps_process_pattern($1, syslogd_t) + ps_process_pattern($1, klogd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 syslogd_t:process ptrace; ++ allow $1 klogd_t:process ptrace; ++ ') + + manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) + manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) +@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',` + manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + + logging_manage_all_logs($1) ++ allow $1 logfile:dir relabel_dir_perms; ++ allow $1 logfile:file relabel_file_perms; + + init_labeled_script_domtrans($1, syslogd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -1085,3 +1323,35 @@ interface(`logging_admin',` + logging_admin_audit($1, $2) + logging_admin_syslog($1, $2) + ') ++ ++######################################## ++## ++## Transition to logging named content ++## ++## ++## ++## Domain allowed access. 
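Review bot: The two new relabel rules in `logging_admin_syslog` reference the `logfile` attribute, but that interface's `gen_require` is outside this hunk and the visible part of it declares only types; an attribute used without a require fails at module link, so confirm `attribute logfile;` is present there or add it. On the policy side, `relabel_file_perms`/`relabel_dir_perms` on every `logfile` type lets a syslog administrator relabel audit logs as well if `auditd_log_t` carries `logfile` (it does in upstream refpolicy), which undoes the separation `logging_admin_audit` exists to keep. Consider `allow $1 { logfile -auditd_log_t }:file relabel_file_perms;` (and the same for `dir`), or a comment stating that syslog admins are trusted with audit log labels.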
++## ++## ++# ++interface(`logging_filetrans_named_content',` ++ gen_require(` ++ type var_log_t; ++ type audit_spool_t; ++ type syslogd_var_run_t; ++ type syslog_conf_t; ++ ') ++ ++ files_pid_filetrans($1, syslogd_var_run_t, dir, "log") ++ files_spool_filetrans($1, var_log_t, dir, "rsyslog") ++ files_spool_filetrans($1, var_log_t, dir, "log") ++ files_spool_filetrans($1, audit_spool_t, dir, "audit") ++ files_var_filetrans($1, var_log_t, dir, "webmin") ++ ++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") ++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") ++ ++ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") ++ ++ logging_log_filetrans($1, var_log_t, dir, "anaconda") ++') +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 39ea221..616d6a8 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) + # + # Declarations + # ++attribute syslog_client_type; ++ ++## ++##
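Review bot: `files_var_filetrans($1, var_log_t, dir, "webmin")` labels a directory named `webmin` created directly under `/var` as a generic log directory, which matches nothing else in this interface (the other transitions target `log`, `rsyslog`, `audit`, `journal`, `anaconda`) and makes `/var/webmin` contents readable by every domain holding `logging_read_generic_logs`. If Webmin really keeps only logs there, add a comment such as `# webmin writes its logs to /var/webmin`; otherwise the directory belongs in a webmin-specific type. The `<summary>` `Transition to logging named content` would also be clearer as `Name-based type transitions for logging content under /var/run, /var/spool, /var, /etc and the log directory.`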

    ++## Allow syslogd daemon to send mail ++##

    ++##
    ++gen_tunable(logging_syslogd_can_sendmail, false) ++ ++## ++##

    ++## Allow syslogd the ability to read/write terminals ++##

    ++##
    ++gen_tunable(logging_syslogd_use_tty, false) + + attribute logfile; + +@@ -20,6 +35,7 @@ files_security_file(auditd_log_t) + files_security_mountpoint(auditd_log_t) + + type audit_spool_t; ++files_spool_file(audit_spool_t) + files_security_file(audit_spool_t) + files_security_mountpoint(audit_spool_t) + +@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t) + type auditd_var_run_t; + files_pid_file(auditd_var_run_t) + ++type auditd_unit_file_t; ++systemd_unit_file(auditd_unit_file_t) ++ + type audisp_t; + type audisp_exec_t; + init_system_domain(audisp_t, audisp_exec_t) +@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t) + type syslogd_t; + type syslogd_exec_t; + init_daemon_domain(syslogd_t, syslogd_exec_t) ++mls_trusted_object(syslogd_t) + + type syslogd_initrc_exec_t; + init_script_file(syslogd_initrc_exec_t) +@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t) + + type syslogd_var_run_t; + files_pid_file(syslogd_var_run_t) ++mls_trusted_object(syslogd_var_run_t) + + type var_log_t; + logging_log_file(var_log_t) +@@ -94,6 +115,8 @@ ifdef(`enable_mls',` + allow auditctl_t self:capability { fsetid dac_read_search dac_override }; + allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; + ++allow auditctl_t self:process getcap; ++ + read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) + allow auditctl_t auditd_etc_t:dir list_dir_perms; + +@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t) + + mls_file_read_all_levels(auditctl_t) + +-term_use_all_terms(auditctl_t) ++term_use_all_inherited_terms(auditctl_t) + + init_dontaudit_use_fds(auditctl_t) + +@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t) + # Needs to be able to run dispatcher. 
see /etc/audit/auditd.conf + # Probably want a transition, and a new auditd_helper app + kernel_read_system_state(auditd_t) ++kernel_read_network_state(auditd_t) + + dev_read_sysfs(auditd_t) + +@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t) + fs_search_auto_mountpoints(auditd_t) + fs_rw_anon_inodefs_files(auditd_t) + +-selinux_search_fs(auditctl_t) +- +-corenet_all_recvfrom_unlabeled(auditd_t) + corenet_all_recvfrom_netlabel(auditd_t) + corenet_tcp_sendrecv_generic_if(auditd_t) + corenet_tcp_sendrecv_generic_node(auditd_t) +@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t) + logging_domtrans_dispatcher(auditd_t) + logging_signal_dispatcher(auditd_t) + +-miscfiles_read_localization(auditd_t) ++auth_use_nsswitch(auditd_t) + + mls_file_read_all_levels(auditd_t) + mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory +- +-seutil_dontaudit_read_config(auditd_t) ++mls_socket_write_all_levels(auditd_t) + + sysnet_dns_name_resolve(auditd_t) + +-userdom_use_user_terminals(auditd_t) ++systemd_start_systemd_services(auditd_t) ++ ++userdom_use_inherited_user_terminals(auditd_t) + userdom_dontaudit_use_unpriv_user_fds(auditd_t) + userdom_dontaudit_search_user_home_dirs(auditd_t) + +@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t) + + domain_use_interactive_fds(audisp_t) + ++fs_getattr_all_fs(audisp_t) ++ + files_read_etc_files(audisp_t) + files_read_etc_runtime_files(audisp_t) + ++mls_file_read_all_levels(audisp_t) + mls_file_write_all_levels(audisp_t) ++mls_socket_write_all_levels(audisp_t) ++mls_dbus_send_all_levels(audisp_t) ++ ++auth_use_nsswitch(audisp_t) + + logging_send_syslog_msg(audisp_t) + +-miscfiles_read_localization(audisp_t) + + sysnet_dns_name_resolve(audisp_t) + + optional_policy(` + dbus_system_bus_client(audisp_t) ++ ++ optional_policy(` ++ setroubleshoot_dbus_chat(audisp_t) ++ ') + ') + + ######################################## +@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) + 
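Review bot: `systemd_start_systemd_services(auditd_t)` lets the audit daemon start arbitrary systemd units, a broad grant for a daemon whose job is to record events, and the hunk gives no hint which unit it needs. If this is for the dispatcher or a log-rotation helper, scope it to that unit's type and add a why-comment, e.g. `# auditd starts <unit> via systemctl`. Less important: `miscfiles_read_localization(auditd_t)` is replaced by `auth_use_nsswitch(auditd_t)`, which is a different grant (NSS lookups rather than locale files); presumably localization now comes from a base interface in this tree, but the commit should state that so the daemon is not assumed to have lost locale access.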
+ corecmd_exec_bin(audisp_remote_t) + +-corenet_all_recvfrom_unlabeled(audisp_remote_t) + corenet_all_recvfrom_netlabel(audisp_remote_t) + corenet_tcp_sendrecv_generic_if(audisp_remote_t) + corenet_tcp_sendrecv_generic_node(audisp_remote_t) +@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) + + files_read_etc_files(audisp_remote_t) + ++mls_socket_write_all_levels(audisp_remote_t) ++ + logging_send_syslog_msg(audisp_remote_t) + logging_send_audit_msgs(audisp_remote_t) + +-miscfiles_read_localization(audisp_remote_t) ++auth_use_nsswitch(audisp_remote_t) ++auth_append_login_records(audisp_remote_t) ++ ++ ++init_telinit(audisp_remote_t) ++init_read_utmp(audisp_remote_t) ++init_dontaudit_write_utmp(audisp_remote_t) + + sysnet_dns_name_resolve(audisp_remote_t) + +@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t) + + logging_send_syslog_msg(klogd_t) + +-miscfiles_read_localization(klogd_t) + + mls_file_read_all_levels(klogd_t) + +@@ -354,12 +392,12 @@ optional_policy(` + # chown fsetid for syslog-ng + # sys_admin for the integrated klog of syslog-ng and metalog + # cjp: why net_admin! 
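Review bot: `init_telinit(audisp_remote_t)` allows the remote-audit plugin to change runlevel, so a failure in the remote log path (the plugin already has `corenet_sendrecv_audit_client_packets`) can take the machine down; presumably this honours the `halt`/`single` values of the `*_failure_action` settings in `audisp-remote.conf`, but nothing in the hunk says so. Add a comment on that line, e.g. `# audisp-remote.conf failure actions may be halt/single`, and consider a tunable so deployments that only use `syslog`/`suspend` actions do not carry the grant. `auth_append_login_records` and `init_read_utmp` are likewise unexplained; one line noting what the plugin writes to the login records would let the next reviewer re-check them.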
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; ++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid }; + dontaudit syslogd_t self:capability sys_tty_config; ++allow syslogd_t self:capability2 { syslog block_suspend }; + # setpgid for metalog + # setrlimit for syslog-ng +-# getsched for syslog-ng +-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched }; ++allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit }; + # receive messages to be logged + allow syslogd_t self:unix_dgram_socket create_socket_perms; + allow syslogd_t self:unix_stream_socket create_stream_socket_perms; +@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms; + allow syslogd_t self:tcp_socket create_stream_socket_perms; + + allow syslogd_t syslog_conf_t:file read_file_perms; ++allow syslogd_t syslog_conf_t:dir list_dir_perms; + + # Create and bind to /dev/log or /var/run/log. + allow syslogd_t devlog_t:sock_file manage_sock_file_perms; +@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) + # create/append log files. 
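Review bot: The new capability set for `syslogd_t` lists `setuid` and `setgid` twice (`setgid setuid ... setuid setgid`); harmless, but drop the second pair. More importantly it adds `sys_ptrace` and, on `self:process`, `setcap`: combined with `domain_read_all_domains_state(syslogd_t)` added later in this patch, a network-facing daemon that binds UDP/TCP 514 can read every process's `/proc/<pid>` state regardless of DAC. If `sys_ptrace` is needed only by one input module (journal import of trusted fields, for instance), put it behind a boolean like the `logging_syslogd_use_tty` one this patch introduces, or at least add a comment naming the consumer.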
+ manage_files_pattern(syslogd_t, var_log_t, var_log_t) + rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) ++files_search_spool(syslogd_t) + + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; +@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) + manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) + files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) + ++manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) + manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) + files_search_var_lib(syslogd_t) + +-# manage pid file ++manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) + manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) ++manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) ++files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) + ++kernel_rw_stream_socket_perms(syslogd_t) + kernel_read_system_state(syslogd_t) ++kernel_read_network_state(syslogd_t) + kernel_read_kernel_sysctls(syslogd_t) + kernel_read_proc_symlinks(syslogd_t) + # Allow access to /proc/kmsg for syslog-ng + kernel_read_messages(syslogd_t) ++kernel_request_load_module(syslogd_t) + kernel_clear_ring_buffer(syslogd_t) + kernel_change_ring_buffer_level(syslogd_t) ++kernel_read_ring_buffer(syslogd_t) ++ ++ifdef(`hide_broken_symptoms',` ++ kernel_rw_unix_dgram_sockets(syslogd_t) ++') ++ ++corecmd_exec_bin(syslogd_t) ++corecmd_exec_shell(syslogd_t) + +-corenet_all_recvfrom_unlabeled(syslogd_t) + corenet_all_recvfrom_netlabel(syslogd_t) + corenet_udp_sendrecv_generic_if(syslogd_t) + corenet_udp_sendrecv_generic_node(syslogd_t) + corenet_udp_sendrecv_all_ports(syslogd_t) + corenet_udp_bind_generic_node(syslogd_t) + corenet_udp_bind_syslogd_port(syslogd_t) ++corenet_udp_bind_syslog_tls_port(syslogd_t) + # syslog-ng can listen and connect on tcp port 514 (rsh) + 
corenet_tcp_sendrecv_generic_if(syslogd_t) + corenet_tcp_sendrecv_generic_node(syslogd_t) +@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) + corenet_tcp_connect_rsh_port(syslogd_t) + # Allow users to define additional syslog ports to connect to + corenet_tcp_bind_syslogd_port(syslogd_t) ++corenet_tcp_bind_syslog_tls_port(syslogd_t) ++corenet_tcp_connect_syslog_tls_port(syslogd_t) + corenet_tcp_connect_syslogd_port(syslogd_t) + corenet_tcp_connect_postgresql_port(syslogd_t) + corenet_tcp_connect_mysqld_port(syslogd_t) +@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) + corenet_sendrecv_postgresql_client_packets(syslogd_t) + corenet_sendrecv_mysqld_client_packets(syslogd_t) + ++tunable_policy(`logging_syslogd_use_tty',` ++ term_use_all_ttys(syslogd_t) ++ term_use_all_ptys(syslogd_t) ++') ++ ++tunable_policy(`logging_syslogd_can_sendmail',` ++ # support for ommail module to send logs via mail ++ corenet_tcp_connect_smtp_port(syslogd_t) ++') ++ + dev_filetrans(syslogd_t, devlog_t, sock_file) + dev_read_sysfs(syslogd_t) +- ++dev_read_rand(syslogd_t) ++dev_read_urand(syslogd_t) ++# relating to systemd-kmsg-syslogd ++dev_write_kmsg(syslogd_t) ++dev_read_kmsg(syslogd_t) ++ ++domain_read_all_domains_state(syslogd_t) ++domain_getattr_all_domains(syslogd_t) + domain_use_interactive_fds(syslogd_t) + + files_read_etc_files(syslogd_t) +@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t) + files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) + + fs_getattr_all_fs(syslogd_t) ++fs_rw_tmpfs_files(syslogd_t) + fs_search_auto_mountpoints(syslogd_t) ++fs_search_cgroup_dirs(syslogd_t) + + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram + + term_write_console(syslogd_t) + # Allow syslog to a terminal + term_write_unallocated_ttys(syslogd_t) ++term_use_generic_ptys(syslogd_t) + 
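Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` let the syslog daemon execute any `bin_t`/`shell_exec_t` program unconditionally, which turns a parsing bug or a hostile output-module configuration into command execution in a domain holding `sys_admin`, `net_admin`, `setuid`/`setgid` and the newly added `sys_ptrace`. This patch already gates optional behaviour with tunables (`logging_syslogd_can_sendmail`, `logging_syslogd_use_tty`); the exec grants deserve the same, e.g. a `logging_syslogd_can_exec` boolean wrapping both lines with a comment naming the modules (`omprog` or similar) that need it. `kernel_request_load_module(syslogd_t)` is also unexplained — a comment naming what triggers the autoload (presumably a socket family or TLS helper) would help.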
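Review bot: `domain_read_all_domains_state(syslogd_t)` and `domain_getattr_all_domains(syslogd_t)` give the syslog daemon read access to every domain's `/proc/<pid>` (cmdline, environ, maps), which is far more than a journal/systemd integration needs, and with the `sys_ptrace` capability added earlier in this file the DAC check on those files is bypassed too. If this is for `imjournal` or the systemd kmsg bridge, narrow it to the specific domains and document it, e.g. `# imjournal reads /proc/<pid>/ of the message sender`. The `# relating to systemd-kmsg-syslogd` comment currently sits above `dev_write_kmsg`/`dev_read_kmsg` but below `dev_read_rand`/`dev_read_urand`; move it so it clearly covers only the kmsg lines and give the rand lines their own note (`# TLS`).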
++init_stream_connect(syslogd_t) + # for sending messages to logged in users + init_read_utmp(syslogd_t) + init_dontaudit_write_utmp(syslogd_t) +@@ -461,11 +538,11 @@ init_use_fds(syslogd_t) + + # cjp: this doesnt make sense + logging_send_syslog_msg(syslogd_t) +- +-miscfiles_read_localization(syslogd_t) ++logging_manage_all_logs(syslogd_t) + + userdom_dontaudit_use_unpriv_user_fds(syslogd_t) +-userdom_dontaudit_search_user_home_dirs(syslogd_t) ++userdom_search_user_home_dirs(syslogd_t) ++userdom_rw_inherited_user_tmpfs_files(syslogd_t) + + ifdef(`distro_gentoo',` + # default gentoo syslog-ng config appends kernel +@@ -502,15 +579,40 @@ optional_policy(` + ') + + optional_policy(` ++ kerberos_keytab_template(syslogd, syslogd_t) ++ kerberos_manage_host_rcache(syslogd_t) ++ kerberos_read_config(syslogd_t) ++') ++ ++optional_policy(` ++ mysql_read_config(syslogd_t) + mysql_stream_connect(syslogd_t) + ') + + optional_policy(` ++ plymouthd_manage_log(syslogd_t) ++') ++ ++optional_policy(` ++ postfix_search_spool(syslogd_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(syslogd_t) + ') + + optional_policy(` ++ psad_search_lib_files(syslogd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(syslogd_t) ++ snmp_read_snmp_var_lib_files(syslogd_t) ++ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) ++') ++ ++optional_policy(` ++ daemontools_search_svc_dir(syslogd_t) + ') + + optional_policy(` +@@ -521,3 +623,26 @@ optional_policy(` + # log to the xconsole + xserver_rw_console(syslogd_t) + ') ++ ++##################################################### ++# ++# syslog client rules ++# ++allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms; ++allow syslog_client_type devlog_t:sock_file write_sock_file_perms; ++ ++# the type of socket depends on the syslog daemon ++allow syslog_client_type syslogd_t:unix_dgram_socket sendto; ++allow syslog_client_type syslogd_t:unix_stream_socket connectto; ++allow syslog_client_type self:unix_dgram_socket 
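Review bot: `logging_manage_all_logs(syslogd_t)` extends the daemon beyond its existing `manage_files_pattern(syslogd_t, var_log_t, var_log_t)` to create/delete/rename on every `logfile`-typed file and symlink, which — if `auditd_log_t` carries `logfile`, as in upstream refpolicy — lets a compromised syslog daemon truncate or remove the audit trail that `auditd_t` is meant to own exclusively. If the goal is rsyslog writing into other daemons' log types, prefer a dedicated rule such as `allow syslogd_t { logfile -auditd_log_t }:file manage_file_perms;`, or list the specific types needed. The switch from `userdom_dontaudit_search_user_home_dirs` to `userdom_search_user_home_dirs` turns a silenced denial into a real grant; a comment naming the configuration that logs under home directories would justify it.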
create_socket_perms; ++allow syslog_client_type self:unix_stream_socket create_socket_perms; ++ ++# If syslog is down, the glibc syslog() function ++# will write to the console. ++term_write_console(syslog_client_type) ++term_dontaudit_read_console(syslog_client_type) ++ifdef(`hide_broken_symptoms',` ++ kernel_dgram_send(syslog_client_type) ++') ++ ++logging_stream_connect_syslog(syslog_client_type) +diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc +index 879bb1e..b250b3e 100644 +--- a/policy/modules/system/lvm.fc ++++ b/policy/modules/system/lvm.fc +@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` + /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + ++/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) ++ + # + # /lib + # + /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) + /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) + + # + # /sbin + # ++/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) +-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/lvm -- 
gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',` + # + # /usr + # +-/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) +-/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0) ++/usr/lib/systemd/system/lvm2.*\.service gen_context(system_u:object_r:lvm_unit_file_t,s0) ++ ++/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) ++/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) 
++/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgexport -- 
gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) ++ ++/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) + + # + # /var +@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',` + /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) + /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) ++/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) ++/var/run/lvm(/.*)? 
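Review bot: `/usr/lib/systemd/generator/lvm.*` does not look like a real path: generators are installed under `/usr/lib/systemd/system-generators/` (which this same hunk labels `lvm_exec_t` further down), and generator output lives in `/run/systemd/generator/`, so this `lvm_unit_file_t` entry will most likely never match and the generated `lvm2-*` units will keep whatever label `/run/systemd/generator` gets. If the intent is to label the generated units, the pattern should probably be `/run/systemd/generator/lvm2.*` (plus the `/var/run` spelling if this tree still uses it); confirm against the lvm2 package's file list. Placing `/usr/sbin/multipathd` and `/usr/sbin/multipath\.static` into `lvm_exec_t` rather than their own domain is also worth a comment, since `lvm_t` gains unit-file write access elsewhere in this patch.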
gen_context(system_u:object_r:lvm_var_run_t,s0) + /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) ++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) + /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) +diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if +index 58bc27f..51e9872 100644 +--- a/policy/modules/system/lvm.if ++++ b/policy/modules/system/lvm.if +@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',` + corecmd_search_bin($1) + domtrans_pattern($1, clvmd_exec_t, clvmd_t) + ') ++ ++######################################## ++## ++## Read and write to lvm temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_rw_clvmd_tmpfs_files',` ++ gen_require(` ++ type clvmd_tmpfs_t; ++ ') ++ ++ allow $1 clvmd_tmpfs_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## Delete lvm temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_delete_clvmd_tmpfs_files',` ++ gen_require(` ++ type clvmd_tmpfs_t; ++ ') ++ ++ allow $1 clvmd_tmpfs_t:file unlink; ++') ++ ++######################################## ++## ++## Send lvm a null signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_signull',` ++ gen_require(` ++ type lvm_t; ++ ') ++ ++ allow $1 lvm_t:process signull; ++') ++ ++######################################## ++## ++## Send a message to lvm over the ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_dgram_send',` ++ gen_require(` ++ type lvm_t; ++ ') ++ ++ allow $1 lvm_t:unix_dgram_socket sendto; ++') ++ ++######################################## ++## ++## Read and write a lvm unnamed pipe. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`lvm_rw_pipes',` ++ gen_require(` ++ type lvm_var_run_t; ++ ') ++ ++ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; ++') +diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te +index e8c59a5..b22837c 100644 +--- a/policy/modules/system/lvm.te ++++ b/policy/modules/system/lvm.te +@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) + type clvmd_initrc_exec_t; + init_script_file(clvmd_initrc_exec_t) + ++type clvmd_tmpfs_t alias clmvd_tmpfs_t; ++files_tmpfs_file(clvmd_tmpfs_t) ++ + type clvmd_var_run_t; + files_pid_file(clvmd_var_run_t) + +@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t) + role system_r types lvm_t; + + type lvm_etc_t; +-files_type(lvm_etc_t) ++files_config_file(lvm_etc_t) + + type lvm_lock_t; + files_lock_file(lvm_lock_t) +@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t) + type lvm_tmp_t; + files_tmp_file(lvm_tmp_t) + ++type lvm_unit_file_t; ++systemd_unit_file(lvm_unit_file_t) ++ + ######################################## + # + # Cluster LVM daemon local policy +@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t) + allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; + dontaudit clvmd_t self:capability sys_tty_config; + allow clvmd_t self:process { signal_perms setsched }; +-dontaudit clvmd_t self:process ptrace; + allow clvmd_t self:socket create_socket_perms; + allow clvmd_t self:fifo_file rw_fifo_file_perms; + allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow clvmd_t self:tcp_socket create_stream_socket_perms; + allow clvmd_t self:udp_socket create_socket_perms; + ++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) ++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) ++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) + manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) +-files_pid_filetrans(clvmd_t, clvmd_var_run_t, 
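Review bot: `lvm_delete_clvmd_tmpfs_files` grants only `clvmd_tmpfs_t:file unlink`; removing a file also needs `remove_name` on the containing directory (a `clvmd_tmpfs_t` dir, given `fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })` in lvm.te, or the tmpfs root), so a caller with only this interface will still be denied. Use `delete_files_pattern($1, clvmd_tmpfs_t, clvmd_tmpfs_t)` or add `allow $1 clvmd_tmpfs_t:dir del_entry_dir_perms;`. The same applies to `lvm_rw_clvmd_tmpfs_files`, which lacks directory `search` (`rw_files_pattern`) unless callers reach the file only through an inherited descriptor — if so, the summary should say `inherited`, matching the wording of `lvm_rw_pipes`.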
file) ++files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir }) + + read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) + +@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) + corecmd_exec_shell(clvmd_t) + corecmd_getattr_bin_files(clvmd_t) + +-corenet_all_recvfrom_unlabeled(clvmd_t) + corenet_all_recvfrom_netlabel(clvmd_t) + corenet_tcp_sendrecv_generic_if(clvmd_t) + corenet_udp_sendrecv_generic_if(clvmd_t) +@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t) + + logging_send_syslog_msg(clvmd_t) + +-miscfiles_read_localization(clvmd_t) +- +-seutil_dontaudit_search_config(clvmd_t) + seutil_sigchld_newrole(clvmd_t) + seutil_read_config(clvmd_t) + seutil_read_file_contexts(clvmd_t) +@@ -141,6 +147,11 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ aisexec_stream_connect(clvmd_t) ++ corosync_stream_connect(clvmd_t) ++') ++ ++optional_policy(` + ccs_stream_connect(clvmd_t) + ') + +@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config; + allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; + # LVM will complain a lot if it cannot set its priority. 
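Review bot: Style: `manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)` is missing the space after the comma that every other pattern call in this file has; write `manage_files_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)`. The removal of `dontaudit clvmd_t self:process ptrace;` is a behaviour change the hunk does not explain — if the intent is to let the `deny_ptrace` tunable used elsewhere in this patch surface the denial, a one-line comment would help; if clvmd really does self-ptrace, the rule is now simply missing.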
+ allow lvm_t self:process setsched; ++allow lvm_t self:sem create_sem_perms; + allow lvm_t self:file rw_file_perms; + allow lvm_t self:fifo_file manage_fifo_file_perms; + allow lvm_t self:unix_dgram_socket create_socket_perms; +@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms; + allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; + ++allow lvm_t lvm_unit_file_t:file manage_file_perms; ++systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file) ++systemd_create_unit_file_dirs(lvm_t) ++systemd_create_unit_file_lnk(lvm_t) ++ + manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) + manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) + files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) +@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) + can_exec(lvm_t, lvm_exec_t) + + # Creating lock files ++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) + manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) + create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) + files_lock_filetrans(lvm_t, lvm_lock_t, file) + files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") ++files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid") + + manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) + manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + + manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) + manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) ++manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) + manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) ++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) ++init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) + + read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) + 
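Review bot: `allow lvm_t self:sem create_sem_perms;` is added here, but the next hunk's header context (`@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms;`) shows the identical rule already exists a few lines further down in the original file, so this is a duplicate. Drop the added line (or the original) so the rule is declared once; duplicate rules are harmless to the compiler but mislead anyone auditing where a permission comes from.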
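Review bot: `allow lvm_t lvm_unit_file_t:file manage_file_perms` together with `systemd_unit_file_filetrans`, `systemd_create_unit_file_dirs` and `systemd_create_unit_file_lnk` lets `lvm_t` create and modify unit files and enable-symlinks under the systemd unit directories, and `lvm_t` is also the domain of interactive tools (`lvm`, `cryptsetup`, `dmsetup`, `kpartx` per lvm.fc) run from user terminals (`userdom_use_user_terminals` later in this file). That is a path from a bug in any of those tools to persistent init-system configuration. If the only legitimate writer is the lvm2 generator, give it its own domain or confine the transition to the generator output directory, and add a comment such as `# lvm2 systemd generator writes lvm2-*.service units`. The `manage_file_perms` rule is at least scoped to `lvm_unit_file_t`, but `systemd_create_unit_file_dirs`/`systemd_create_unit_file_lnk` are not shown here and presumably allow dirs/symlinks in any `systemd_unit_file_t` directory; confirm that scope.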
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) +@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t) + # it has no reason to need this + kernel_dontaudit_getattr_core_if(lvm_t) + kernel_use_fds(lvm_t) ++kernel_request_load_module(lvm_t) + kernel_search_debugfs(lvm_t) + + corecmd_exec_bin(lvm_t) +@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t) + dev_read_rand(lvm_t) + dev_read_urand(lvm_t) + dev_rw_lvm_control(lvm_t) ++dev_write_kmsg(lvm_t) + dev_manage_generic_symlinks(lvm_t) + dev_relabel_generic_dev_dirs(lvm_t) + dev_manage_generic_blk_files(lvm_t) + # Read /sys/block. Device mapper metadata is kept there. +-dev_read_sysfs(lvm_t) ++# cryptsetup writes read_ahead_kb ++dev_rw_sysfs(lvm_t) + # cjp: this has no effect since LVM does not + # have lnk_file relabelto for anything else. + # perhaps this should be blk_files? +@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) + dev_dontaudit_getattr_generic_blk_files(lvm_t) + dev_dontaudit_getattr_generic_pipes(lvm_t) + dev_create_generic_dirs(lvm_t) ++dev_rw_generic_files(lvm_t) + + domain_use_interactive_fds(lvm_t) + domain_read_all_domains_state(lvm_t) +@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t) + files_read_etc_runtime_files(lvm_t) + # for when /usr is not mounted: + files_dontaudit_search_isid_type_dirs(lvm_t) ++fs_rw_inherited_tmpfs_files(lvm_t) + +-fs_getattr_xattr_fs(lvm_t) ++fs_getattr_all_fs(lvm_t) + fs_search_auto_mountpoints(lvm_t) + fs_list_tmpfs(lvm_t) + fs_read_tmpfs_symlinks(lvm_t) + fs_dontaudit_read_removable_files(lvm_t) + fs_dontaudit_getattr_tmpfs_files(lvm_t) + fs_rw_anon_inodefs_files(lvm_t) ++fs_list_auto_mountpoints(lvm_t) ++fs_list_hugetlbfs(lvm_t) + + mls_file_read_all_levels(lvm_t) + mls_file_write_to_clearance(lvm_t) ++mls_file_upgrade(lvm_t) + + selinux_get_fs_mount(lvm_t) + selinux_validate_context(lvm_t) +@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) + # Access raw devices and old /dev/lvm (c 109,0). Is this needed? 
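Review bot: `dev_rw_generic_files(lvm_t)` grants read/write on every `device_t`-labelled regular file under `/dev` with no comment saying which node needs it, whereas the neighbouring `dev_rw_sysfs` change got a why-comment (`# cryptsetup writes read_ahead_kb`). Generic device files are exactly the ones no specific type has claimed yet, so this is a broad grant; identify the file and either label it with a device-mapper/lvm type or add `# needed for /dev/<node> by <tool>` so it can be re-checked later. If the rule came from a single AVC denial, confirm the object class — `dev_rw_generic_chr_files` or a dontaudit may be the narrower fit.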
+ storage_manage_fixed_disk(lvm_t) + +-term_use_all_terms(lvm_t) ++term_use_all_inherited_terms(lvm_t) + + init_use_fds(lvm_t) + init_dontaudit_getattr_initctl(lvm_t) +@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t) + init_read_script_state(lvm_t) + + logging_send_syslog_msg(lvm_t) ++logging_stream_connect_syslog(lvm_t) + +-miscfiles_read_localization(lvm_t) ++authlogin_rw_pipes(lvm_t) ++auth_use_nsswitch(lvm_t) + + seutil_read_config(lvm_t) + seutil_read_file_contexts(lvm_t) + seutil_search_default_contexts(lvm_t) + seutil_sigchld_newrole(lvm_t) + ++userdom_use_inherited_user_terminals(lvm_t) + userdom_use_user_terminals(lvm_t) ++userdom_rw_semaphores(lvm_t) ++userdom_search_user_home_dirs(lvm_t) ++ ++usermanage_read_crack_db(lvm_t) + + ifdef(`distro_redhat',` + # this is from the initrd: +@@ -313,6 +349,11 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ aisexec_stream_connect(lvm_t) ++ corosync_stream_connect(lvm_t) ++') ++ ++optional_policy(` + bootloader_rw_tmp_files(lvm_t) + ') + +@@ -333,14 +374,30 @@ optional_policy(` + ') + + optional_policy(` ++ docker_rw_sem(lvm_t) ++') ++ ++optional_policy(` ++ livecd_rw_semaphores(lvm_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(lvm_t) + ') + + optional_policy(` ++ raid_read_mdadm_pid(lvm_t) ++') ++ ++optional_policy(` + rpm_manage_script_tmp_files(lvm_t) + ') + + optional_policy(` ++ systemd_manage_passwd_run(lvm_t) ++') ++ ++optional_policy(` + udev_read_db(lvm_t) + ') + +diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc +index 9fe8e01..83acb32 100644 +--- a/policy/modules/system/miscfiles.fc ++++ b/policy/modules/system/miscfiles.fc +@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` + # /etc + # + /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) +-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ++/etc/httpd/alias(/.*)? 
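Review bot: `userdom_use_inherited_user_terminals(lvm_t)` is added directly above the existing `userdom_use_user_terminals(lvm_t)`, and the non-inherited interface is normally a superset of the inherited one, so one of the two is redundant; if the plan is to move `lvm_t` to inherited-only terminal access, as this patch does with `term_use_all_inherited_terms(lvm_t)` a few lines up, remove the old line instead of keeping both. `usermanage_read_crack_db(lvm_t)` and `userdom_rw_semaphores(lvm_t)` carry no comment; presumably cryptsetup's passphrase-quality check and lvm's shared locking, so write that down, e.g. `# cryptsetup checks passphrases against the cracklib dictionary`, so the grants can be revisited.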
gen_context(system_u:object_r:cert_t,s0) ++/etc/localtime gen_context(system_u:object_r:locale_t,s0) ++/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) + /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) + /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) ++/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0) + + ifdef(`distro_redhat',` + /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) +@@ -37,24 +39,20 @@ ifdef(`distro_redhat',` + + /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) +- +-/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +- + /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) + + /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +-/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +-/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) +- ++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) ++/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) ++/usr/share/zoneinfo(/.*)? 
gen_context(system_u:object_r:locale_t,s0) + + /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + +@@ -77,7 +75,7 @@ ifdef(`distro_redhat',` + + /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) + /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) +-/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) ++ + + /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + +@@ -90,6 +88,7 @@ ifdef(`distro_debian',` + ') + + ifdef(`distro_redhat',` ++/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + ') +diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if +index fc28bc3..416ac0f 100644 +--- a/policy/modules/system/miscfiles.if ++++ b/policy/modules/system/miscfiles.if +@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` + + ######################################## + ## ++## Dontaudit attempts to write generic SSL certificates. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_dontaudit_write_generic_cert_files',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ dontaudit $1 cert_t:file write; ++') ++ ++######################################## ++## + ## Manage generic SSL certificates. + ## + ## +@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',` + + ######################################## + ## ++## Do not audit attempts to access check cert dirs/files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`miscfiles_dontaudit_access_check_cert',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ dontaudit $1 cert_t:file audit_access; ++ dontaudit $1 cert_t:dir audit_access; ++') ++ ++ ++######################################## ++## + ## Manage SSL certificates. 
+ ## + ## +@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',` + files_search_usr($1) + allow $1 locale_t:dir list_dir_perms; + rw_files_pattern($1, locale_t, locale_t) ++ manage_lnk_files_pattern($1, locale_t, locale_t) + ') + + ######################################## +@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',` + + files_search_usr($1) + relabel_files_pattern($1, locale_t, locale_t) ++ relabel_lnk_files_pattern($1, locale_t, locale_t) + ') + + ######################################## +@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',` + type locale_t; + ') + +- miscfiles_read_localization($1) + allow $1 locale_t:file execute; + ') + +@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',` + allow $1 { man_cache_t man_t }:dir list_dir_perms; + read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) ++ ++ optional_policy(` ++ mandb_read_cache_files($1) ++ ') + ') + + ######################################## +@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',` + delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) ++ optional_policy(` ++ mandb_setattr_cache_dirs($1) ++ mandb_delete_cache($1) ++ ') ++') ++####################################### ++## ++## Create, read, write, and delete man pages ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_setattr_man_pages',` ++ gen_require(` ++ type man_t; ++ ') ++ ++ files_search_usr($1) ++ ++ allow $1 man_t:dir setattr; + ') + + ######################################## +@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',` + + ######################################## + ## ++## Allow process to relabel man_pages info ++## ++## ++## ++## Domain allowed access. 
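Review bot: The summary on the new `miscfiles_setattr_man_pages` interface in the -554,6 hunk reads `Create, read, write, and delete man pages`, but the body only grants `allow $1 man_t:dir setattr;`; the doc should say `Set attributes of man page directories.` so callers do not assume write access. The same hunk drops the blank line between the preceding `')` and the `###` header, and appends the `mandb_setattr_cache_dirs`/`mandb_delete_cache` block to `miscfiles_delete_man_pages` with no blank line before `optional_policy`. Separately, the -470,7 hunk removes the `miscfiles_read_localization($1)` call from `miscfiles_legacy_read_localization`, leaving only `locale_t:file execute`; unless read access now comes from elsewhere, callers of the legacy interface lose it, which is worth a sentence in that interface's summary.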
++## ++## ++# ++interface(`miscfiles_relabel_man_pages',` ++ gen_require(` ++ type man_t; ++ ') ++ ++ files_search_usr($1) ++ relabel_dirs_pattern($1, man_t, man_t) ++ relabel_files_pattern($1, man_t, man_t) ++ ++ optional_policy(` ++ mandb_relabel_cache($1) ++ ') ++') ++ ++######################################## ++## + ## Read public files used for file + ## transfer services. + ## +@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',` + type locale_t; + ') + +- files_etc_filetrans($1, locale_t, file) +- ++ files_etc_filetrans($1, locale_t, lnk_file) ++ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" ) ++ files_etc_filetrans($1, locale_t, file, "locale.conf" ) ++ files_etc_filetrans($1, locale_t, file, "timezone" ) ++ files_etc_filetrans($1, locale_t, file, "vconsole.conf" ) + ') + + ######################################## +@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',` + manage_lnk_files_pattern($1, locale_t, locale_t) + ') + ++######################################## ++## ++## Transition to miscfiles locale named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_filetrans_locale_named_content',` ++ gen_require(` ++ type locale_t; ++ ') ++ ++ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") ++ files_etc_filetrans($1, locale_t, file, "locale.conf") ++ files_etc_filetrans($1, locale_t, file, "vconsole.conf") ++ files_etc_filetrans($1, locale_t, file, "locale.conf.new") ++ files_etc_filetrans($1, locale_t, file, "timezone") ++ files_etc_filetrans($1, locale_t, file, "clock") ++ files_usr_filetrans($1, locale_t, dir, "locale") ++ files_usr_filetrans($1, locale_t, dir, "zoneinfo") ++') ++ ++######################################## ++## ++## Transition to miscfiles named content ++## ++## ++## ++## Domain allowed access. 
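Review bot: The named `files_etc_filetrans` rules added to `miscfiles_etc_filetrans_localization` in the -784,8 hunk (`localtime`, `locale.conf`, `timezone`, `vconsole.conf`) are repeated verbatim in the new `miscfiles_filetrans_locale_named_content` in the -809,3 hunk, so the two lists will drift; the former could call `miscfiles_filetrans_locale_named_content($1)` and keep only its unnamed rule. That unnamed `files_etc_filetrans($1, locale_t, lnk_file)` also deserves a why-comment, because it labels every symlink the caller creates directly in /etc as locale_t, not just the listed names; `# every symlink $1 creates in /etc becomes locale_t -- TODO(review): confirm still needed beyond localtime` would record the intent. The `"clock"` entry in the new interface has no /etc/clock file context in the miscfiles.fc hunk (only the existing `distro_redhat` `/etc/sysconfig/clock`), so it may be unreachable via `files_etc_filetrans`; worth confirming.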
++## ++## ++# ++interface(`miscfiles_filetrans_named_content',` ++ gen_require(` ++ type man_t; ++ type cert_t; ++ type fonts_t; ++ type fonts_cache_t; ++ type hwdata_t; ++ type tetex_data_t; ++ type public_content_t; ++ ') ++ ++ miscfiles_filetrans_locale_named_content($1) ++ files_var_filetrans($1, man_t, dir, "man") ++ files_etc_filetrans($1, cert_t, dir, "pki") ++ files_usr_filetrans($1, cert_t, dir, "certs") ++ files_usr_filetrans($1, fonts_t, dir, "fonts") ++ files_usr_filetrans($1, hwdata_t, dir, "hwdata") ++ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig") ++ files_var_filetrans($1, tetex_data_t, dir, "fonts") ++ files_spool_filetrans($1, tetex_data_t, dir, "texmf") ++ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf") ++ files_var_filetrans($1, public_content_t, dir, "ftp") ++') +diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te +index d6293de..8f8d80d 100644 +--- a/policy/modules/system/miscfiles.te ++++ b/policy/modules/system/miscfiles.te +@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2) + # + # Declarations + # +- + attribute cert_type; + + # +@@ -48,10 +47,10 @@ files_type(man_cache_t) + # Types for public content + # + type public_content_t; #, customizable; +-files_type(public_content_t) ++files_mountpoint(public_content_t) + + type public_content_rw_t; #, customizable; +-files_type(public_content_rw_t) ++files_mountpoint(public_content_rw_t) + + # + # Base type for the tests directory. 
+diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc +index 9933677..ca14c17 100644 +--- a/policy/modules/system/modutils.fc ++++ b/policy/modules/system/modutils.fc +@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',` + /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) + + /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) ++ ++/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) ++/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) ++/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) ++/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) ++/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++ ++/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) ++ ++/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) +diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if +index 7449974..6375786 100644 +--- a/policy/modules/system/modutils.if ++++ b/policy/modules/system/modutils.if +@@ -12,7 +12,7 @@ + # + interface(`modutils_getattr_module_deps',` + gen_require(` +- type modules_dep_t; ++ type modules_dep_t, modules_object_t; + ') + + getattr_files_pattern($1, modules_object_t, modules_dep_t) +@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',` + + ######################################## + ## ++## Read the dependencies of kernel modules. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`modutils_delete_module_deps',`
++ gen_require(`
++ type modules_dep_t;
++ ')
++
++ delete_files_pattern($1, modules_dep_t, modules_dep_t)
++')
++
++########################################
++##
++## list the configuration options used when
++## loading modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`modutils_list_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
++')
++
++########################################
++##
+ ## Read the configuration options used when
+ ## loading modules.
+ ##
+@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
+ #
+ interface(`modutils_run_update_mods',`
+ gen_require(`
+- attribute_role update_modules_roles;
++ #attribute_role update_modules_roles;
++ type update_modules_t;
+ ')
+ 
++ #modutils_domtrans_update_mods($1)
++ #roleattribute $2 update_modules_roles;
++
+ modutils_domtrans_update_mods($1)
+- roleattribute $2 update_modules_roles;
++ role $2 types update_modules_t;
++
++ modutils_run_insmod(update_modules_t, $2)
++
+ ')
+ 
+ ########################################
+@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
+ corecmd_search_bin($1)
+ can_exec($1, update_modules_exec_t)
+ ')
++
++########################################
++##
++## Transition to modutils named content
++##
++##
++##
++## Domain allowed access.
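Review bot: The summary on the new `modutils_delete_module_deps` interface in the -39,6 hunk says `Read the dependencies of kernel modules.` while the body is `delete_files_pattern($1, modules_dep_t, modules_dep_t)`; it should read `Delete the dependencies of kernel modules.` so reviewers of callers see that this is a write grant on the module dependency database. In the -308,11 hunk the commented-out `#attribute_role update_modules_roles;`, `#modutils_domtrans_update_mods($1)` and `#roleattribute $2 update_modules_roles;` lines are dead code inside the interface and should be removed rather than kept beside the live replacement; the empty added line before `')` can go with them. The `modutils_list_module_config` summary starts lowercase (`list the configuration options...`), unlike the other summaries in the file.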
++## ++## ++# ++interface(`modules_filetrans_named_content',` ++ gen_require(` ++ type modules_dep_t; ++ type modules_conf_t; ++ ') ++ ++ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf") ++ files_etc_filetrans($1, modules_conf_t, file, "modules.conf") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep") ++ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") ++') +diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te +index 7a49e28..82004c9 100644 +--- a/policy/modules/system/modutils.te ++++ b/policy/modules/system/modutils.te +@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) + # Declarations + # + +-attribute_role update_modules_roles; ++#attribute_role update_modules_roles; + + type depmod_t; + type depmod_exec_t; +@@ -16,11 +16,15 @@ type insmod_t; + type insmod_exec_t; + application_domain(insmod_t, insmod_exec_t) + mls_file_write_all_levels(insmod_t) ++mls_process_write_down(insmod_t) + role system_r types insmod_t; + ++type insmod_var_run_t; ++files_pid_file(insmod_var_run_t) ++ + # module loading config + type modules_conf_t; +-files_type(modules_conf_t) ++files_config_file(modules_conf_t) + + # module dependencies + type modules_dep_t; +@@ -29,12 +33,16 @@ files_type(modules_dep_t) + type update_modules_t; + type update_modules_exec_t; + init_system_domain(update_modules_t, update_modules_exec_t) +-roleattribute system_r update_modules_roles; +-role update_modules_roles types update_modules_t; ++#roleattribute system_r update_modules_roles; ++#role update_modules_roles types update_modules_t; ++role system_r types update_modules_t; + + type update_modules_tmp_t; + files_tmp_file(update_modules_tmp_t) + ++type insmod_tmpfs_t; ++files_tmpfs_file(insmod_tmpfs_t) ++ + ######################################## + # + # depmod local policy +@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t) + + domain_use_interactive_fds(depmod_t) + ++files_delete_kernel_modules(depmod_t) + 
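Review bot: The new interface in the -333,3 hunk is named `modules_filetrans_named_content`, while every other interface in modutils.if carries the `modutils_` prefix; the module prefix is how refpolicy ties an interface to its module, so it should be `modutils_filetrans_named_content`, with any caller updated. In modutils.te the -5,7 hunk keeps `#attribute_role update_modules_roles;` as a comment and the -29,12 hunk comments out the two `update_modules_roles` rules instead of deleting them; if the role attribute is gone for good, the commented lines only mislead and should be removed. `mls_process_write_down(insmod_t)` in the -16,11 hunk is an MLS privilege added without a why-comment.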
files_read_kernel_symbol_table(depmod_t)
+ files_read_kernel_modules(depmod_t)
+ files_read_etc_runtime_files(depmod_t)
+ files_read_etc_files(depmod_t)
+ files_read_usr_src_files(depmod_t)
+ files_list_usr(depmod_t)
++files_append_var_files(depmod_t)
++files_read_boot_files(depmod_t)
+ 
+ fs_getattr_xattr_fs(depmod_t)
+ 
+@@ -69,10 +80,12 @@ init_use_fds(depmod_t)
+ init_use_script_fds(depmod_t)
+ init_use_script_ptys(depmod_t)
+ 
+-userdom_use_user_terminals(depmod_t)
++userdom_use_inherited_user_terminals(depmod_t)
+ # Read System.map from home directories.
+ files_list_home(depmod_t)
+ userdom_read_user_home_content_files(depmod_t)
++userdom_manage_user_tmp_files(depmod_t)
++userdom_home_reader(depmod_t)
+ 
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(depmod_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(depmod_t)
++optional_policy(`
++ bootloader_rw_tmp_files(insmod_t)
+ ')
+ 
+ optional_policy(`
+@@ -94,7 +103,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- # Read System.map from home directories.
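Review bot: The `optional_policy` block wrapping `bootloader_rw_tmp_files(insmod_t)` in the -80,12 hunk sits among depmod_t rules (it replaces the two depmod_t `tunable_policy` blocks and is surrounded by `depmod_t` lines) but grants to insmod_t; it belongs in the insmod local policy section so the per-domain layout of the file stays readable. The same hunk drops `fs_read_nfs_files`/`fs_read_cifs_files` for depmod_t under `use_nfs_home_dirs`/`use_samba_home_dirs`; if `userdom_home_reader(depmod_t)` from the -69,10 hunk is meant to replace them, a comment saying so would help. `userdom_manage_user_tmp_files(depmod_t)` in that hunk is a broad grant for a dependency generator and has no why-comment either.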
+ unconfined_domain(depmod_t)
+ ')
+ 
+@@ -103,11 +111,12 @@ optional_policy(`
+ # insmod local policy
+ #
+ 
+-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
++allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
+ allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+ 
+ allow insmod_t self:udp_socket create_socket_perms;
+ allow insmod_t self:rawip_socket create_socket_perms;
++allow insmod_t self:shm create_shm_perms;
+ 
+ # Read module config and dependency information
+ list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+ list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+ 
++manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
++files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })
++
+ can_exec(insmod_t, insmod_exec_t)
+ 
++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
++
+ kernel_load_module(insmod_t)
+-kernel_request_load_module(insmod_t)
++files_manage_kernel_modules(insmod_t)
+ kernel_read_system_state(insmod_t)
+ kernel_read_network_state(insmod_t)
+ kernel_write_proc_files(insmod_t)
+ kernel_mount_debugfs(insmod_t)
+ kernel_mount_kvmfs(insmod_t)
+ kernel_read_debugfs(insmod_t)
++kernel_request_load_module(insmod_t)
+ # Rules for /proc/sys/kernel/tainted
+ kernel_read_kernel_sysctls(insmod_t)
+ kernel_rw_kernel_sysctl(insmod_t)
+@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
+ dev_read_sound(insmod_t)
+ dev_write_sound(insmod_t)
+ dev_rw_apm_bios(insmod_t)
++dev_create_generic_chr_files(insmod_t)
+ 
+ domain_signal_all_domains(insmod_t)
+ domain_use_interactive_fds(insmod_t)
+@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t)
+ 
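Review bot: `files_manage_kernel_modules(insmod_t)` in the -115,16 hunk, together with `allow insmod_t modules_dep_t:file manage_file_perms;` in the -151,30 hunk, lets the module-loading domain create, overwrite and delete the module files and dependency database it later loads from; the previous split between depmod_t as writer and insmod_t as reader was an integrity boundary, and these grants collapse it with no comment saying which operation needs them. If the need is a specific file, a named transition or the narrower `files_write_kernel_modules(insmod_t)` that the -151,30 hunk keeps would be preferable; otherwise record it, e.g. `# TODO(review): which kmod operation writes under /lib/modules? narrow if possible`. The added `mknod` capability in the -103,11 hunk and `dev_create_generic_chr_files(insmod_t)` in the -142,6 hunk also need a why-comment, since creating device nodes is unusual for a module loader, as does `init_spec_domtrans_script(insmod_t)` in the -151,30 hunk.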
files_read_etc_files(insmod_t) + files_read_usr_files(insmod_t) + files_exec_etc_files(insmod_t) ++# users installing vbox put kernel modules in /var/lib ++files_read_var_lib_files(insmod_t) ++files_read_kernel_symbol_table(insmod_t) + # for nscd: + files_dontaudit_search_pids(insmod_t) + # for when /var is not mounted early in the boot: + files_dontaudit_search_isid_type_dirs(insmod_t) + # for locking: (cjp: ????) + files_write_kernel_modules(insmod_t) ++allow insmod_t modules_dep_t:file manage_file_perms; + + fs_getattr_xattr_fs(insmod_t) + fs_dontaudit_use_tmpfs_chr_dev(insmod_t) ++fs_mount_rpc_pipefs(insmod_t) ++fs_search_rpc(insmod_t) ++ ++auth_use_nsswitch(insmod_t) + + init_rw_initctl(insmod_t) + init_use_fds(insmod_t) + init_use_script_fds(insmod_t) + init_use_script_ptys(insmod_t) ++init_spec_domtrans_script(insmod_t) ++init_rw_script_tmp_files(insmod_t) ++init_dontaudit_getattr_stream_socket(insmod_t) + + logging_send_syslog_msg(insmod_t) + logging_search_logs(insmod_t) + +-miscfiles_read_localization(insmod_t) +- + seutil_read_file_contexts(insmod_t) + +-userdom_use_user_terminals(insmod_t) +- ++term_use_all_inherited_terms(insmod_t) + userdom_dontaudit_search_user_home_dirs(insmod_t) + + kernel_domtrans_to(insmod_t, insmod_exec_t) +@@ -184,28 +210,33 @@ optional_policy(` + ') + + optional_policy(` +- firstboot_dontaudit_rw_pipes(insmod_t) +- firstboot_dontaudit_rw_stream_sockets(insmod_t) ++ devicekit_use_fds_disk(insmod_t) ++ devicekit_dontaudit_read_pid_files(insmod_t) + ') + + optional_policy(` +- hal_write_log(insmod_t) ++ firstboot_dontaudit_leaks(insmod_t) + ') + + optional_policy(` +- hotplug_search_config(insmod_t) ++ firewalld_dontaudit_write_tmp_files(insmod_t) ++ firewallgui_dontaudit_rw_pipes(insmod_t) + ') + + optional_policy(` +- mount_domtrans(insmod_t) ++ hal_write_log(insmod_t) ++') ++ ++optional_policy(` ++ hotplug_search_config(insmod_t) + ') + + optional_policy(` +- nis_use_ypbind(insmod_t) ++ 
kdump_manage_kdumpctl_tmp_files(insmod_t) + ') + + optional_policy(` +- nscd_use(insmod_t) ++ mount_domtrans(insmod_t) + ') + + optional_policy(` +@@ -225,6 +256,7 @@ optional_policy(` + + optional_policy(` + rpm_rw_pipes(insmod_t) ++ rpm_manage_script_tmp_files(insmod_t) + ') + + optional_policy(` +@@ -233,6 +265,10 @@ optional_policy(` + ') + + optional_policy(` ++ virt_dontaudit_write_pipes(insmod_t) ++') ++ ++optional_policy(` + # cjp: why is this needed: + dev_rw_xserver_misc(insmod_t) + +@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t) + + logging_send_syslog_msg(update_modules_t) + +-miscfiles_read_localization(update_modules_t) + +-modutils_run_insmod(update_modules_t, update_modules_roles) ++#modutils_run_insmod(update_modules_t, update_modules_roles) + +-userdom_use_user_terminals(update_modules_t) ++userdom_use_inherited_user_terminals(update_modules_t) + userdom_dontaudit_search_user_home_dirs(update_modules_t) + + ifdef(`distro_gentoo',` +diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc +index 72c746e..f035d9f 100644 +--- a/policy/modules/system/mount.fc ++++ b/policy/modules/system/mount.fc +@@ -1,4 +1,26 @@ ++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) + /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + +-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) ++/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++/run/mount(/.*)? 
gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
++
++/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
+index 4584457..e432df3 100644
+--- a/policy/modules/system/mount.if
++++ b/policy/modules/system/mount.if
+@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
+ ')
+ 
+ domtrans_pattern($1, mount_exec_t, mount_t)
++ mount_domtrans_fusermount($1)
++
++ allow $1 mount_t:fd use;
++ ps_process_pattern(mount_t, $1)
++
++ allow mount_t $1:key write;
++ allow mount_t $1:unix_stream_socket { read write };
+ ')
+ 
+ ########################################
+@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
+ #
+ interface(`mount_run',`
+ gen_require(`
+- attribute_role mount_roles;
++ #attribute_role mount_roles;
++ type mount_t;
+ ')
+ 
++ #mount_domtrans($1)
++ #roleattribute $2 mount_roles;
++
+ 
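Review bot: `allow mount_t $1:key write;` and `allow mount_t $1:unix_stream_socket { read write };` in the -16,6 hunk give mount_t write access to the keyring and sockets of every domain that calls `mount_domtrans`, and `ps_process_pattern(mount_t, $1)` lets it read that caller's process state; none of these carries a comment saying which mount helper needs them. Please add one, e.g. `# TODO(review): name the helper (ecryptfs/cifs?) that writes to the caller's keyring`, so the grant can be narrowed later. The `mount_domtrans_fusermount($1)` call also turns every `mount_domtrans` caller into a fusermount caller and duplicates the `fd use`, `ps_process_pattern` and socket rules that `mount_domtrans_fusermount` itself adds in the -131,45 hunk; one of the two copies can go.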
mount_domtrans($1) +- roleattribute $2 mount_roles; ++ role $2 types mount_t; ++ ++ optional_policy(` ++ fstools_run(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ lvm_run(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ modutils_run_insmod(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ rpc_run_rpcd(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ samba_run_smbmount(mount_t, $2) ++ ') ++ ++') ++ ++######################################## ++## ++## Execute fusermount in the mount domain, and ++## allow the specified role the mount domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the mount domain. ++## ++## ++## ++# ++interface(`mount_run_fusermount',` ++ gen_require(` ++ type mount_t; ++ ') ++ ++ mount_domtrans_fusermount($1) ++ role $2 types mount_t; ++ ++ fstools_run(mount_t, $2) ++') ++ ++######################################## ++## ++## Read mount PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mount_read_pid_files',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ read_files_pattern($1, mount_var_run_t, mount_var_run_t) ++ files_search_pids($1) ++') ++ ++######################################## ++## ++## Read/write mount PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mount_rw_pid_files',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ rw_files_pattern($1, mount_var_run_t, mount_var_run_t) ++ files_search_pids($1) ++') ++ ++######################################## ++## ++## Manage mount PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mount_manage_pid_files',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ allow $1 mount_var_run_t:file manage_file_perms; ++ files_search_pids($1) + ') + + ######################################## +@@ -91,7 +209,7 @@ interface(`mount_signal',` + ##
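Review bot: `mount_run_fusermount` in the -38,11 hunk calls `fstools_run(mount_t, $2)` directly, while `mount_run` in the same hunk wraps the identical call in `optional_policy`; if the fstools module is absent the former fails to build, so wrap it in an `optional_policy` block as `mount_run` does. Note also that `mount_run` now authorises `$2` for the fstools, lvm, insmod, rpcd and smbmount domains through the nested `*_run` calls, so any role that was granted `mount_run` for mounting alone gains those domains too; a comment above the block stating that this widening is intended would help reviewers of callers. The commented-out `#mount_domtrans($1)` / `#roleattribute $2 mount_roles;` lines are dead and should be dropped, and `mount_manage_pid_files` manages only files while the .te also manages `mount_var_run_t` directories, which may surprise callers.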
    + ## + ## +-## The type of the process performing this action. ++## Domain allowed access. + ## + ## + # +@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',` + + ######################################## + ## +-## Execute mount in the unconfined mount domain. ++## Read the mount tmp directory + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +-interface(`mount_domtrans_unconfined',` ++interface(`mount_list_tmp',` + gen_require(` +- type unconfined_mount_t, mount_exec_t; ++ type mount_tmp_t; + ') + +- domtrans_pattern($1, mount_exec_t, unconfined_mount_t) ++ allow $1 mount_tmp_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Execute mount in the unconfined mount domain, and +-## allow the specified role the unconfined mount domain, +-## and use the caller's terminal. ++## Execute fusermount in the mount domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`mount_domtrans_fusermount',` ++ gen_require(` ++ type mount_t, fusermount_exec_t; ++ ') ++ ++ domtrans_pattern($1, fusermount_exec_t, mount_t) ++ ps_process_pattern(mount_t, $1) ++ ++ allow mount_t $1:unix_stream_socket { read write }; ++ allow $1 mount_t:fd use; ++') ++ ++######################################## ++## ++## Execute fusermount. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`mount_run_unconfined',` ++interface(`mount_exec_fusermount',` + gen_require(` +- type unconfined_mount_t; ++ type fusermount_exec_t; + ') + +- mount_domtrans_unconfined($1) +- role $2 types unconfined_mount_t; ++ can_exec($1, fusermount_exec_t) ++') ++ ++######################################## ++## ++## dontaudit Execute fusermount. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`mount_dontaudit_exec_fusermount',` ++ gen_require(` ++ type fusermount_exec_t; ++ ') ++ ++ dontaudit $1 fusermount_exec_t:file exec_file_perms; ++') ++ ++###################################### ++## ++## Execute a domain transition to run showmount. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mount_domtrans_showmount',` ++ gen_require(` ++ type showmount_t, showmount_exec_t; ++ ') ++ ++ domtrans_pattern($1, showmount_exec_t, showmount_t) ++') ++ ++###################################### ++## ++## Execute showmount in the showmount domain, and ++## allow the specified role the showmount domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the showmount domain. ++## ++## ++# ++interface(`mount_run_showmount',` ++ gen_require(` ++ type showmount_t; ++ ') ++ ++ mount_domtrans_showmount($1) ++ role $2 types showmount_t; ++') ++ ++####################################### ++## ++## Transition to ecryptmount. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mount_domtrans_ecryptmount',` ++ gen_require(` ++ type mount_ecryptfs_t, mount_ecryptfs_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) + ') +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index 6a50270..d941116 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) + # Declarations + # + +-## +-##
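Review bot: The -131,45 hunk deletes `mount_domtrans_unconfined` and `mount_run_unconfined` outright rather than replacing them with deprecated stubs that emit `refpolicywarn`, so any module still calling them fails to build; if the unconfined mount domain is gone, keeping a compatibility stub for one release is the usual practice. The summary on `mount_dontaudit_exec_fusermount` reads `dontaudit Execute fusermount.`, better as `Do not audit attempts to execute fusermount.` to match the other dontaudit interfaces. `mount_domtrans_ecryptmount` is the only new domtrans interface here that calls `corecmd_search_bin($1)` first; `mount_domtrans_fusermount` and `mount_domtrans_showmount` should be consistent with it.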

    +-## Allow the mount command to mount any directory or file. +-##

    +-##
    +-gen_tunable(allow_mount_anyfile, false) +- +-attribute_role mount_roles; +-roleattribute system_r mount_roles; ++#attribute_role mount_roles; ++#roleattribute system_r mount_roles; + + type mount_t; + type mount_exec_t; + init_system_domain(mount_t, mount_exec_t) +-role mount_roles types mount_t; ++#role mount_roles types mount_t; ++role system_r types mount_t; ++ ++type fusermount_exec_t; ++domain_entry_file(mount_t, fusermount_exec_t) ++ ++typealias mount_t alias mount_ntfs_t; ++typealias mount_exec_t alias mount_ntfs_exec_t; + + type mount_loopback_t; # customizable + files_type(mount_loopback_t) ++typealias mount_loopback_t alias mount_loop_t; + + type mount_tmp_t; + files_tmp_file(mount_tmp_t) + +-# causes problems with interfaces when +-# this is optionally declared in monolithic +-# policy--duplicate type declaration +-type unconfined_mount_t; +-application_domain(unconfined_mount_t, mount_exec_t) ++type mount_var_run_t; ++files_pid_file(mount_var_run_t) ++dev_associate(mount_var_run_t) ++ ++# showmount - show mount information for an NFS server ++ ++type showmount_t; ++type showmount_exec_t; ++application_domain(showmount_t, showmount_exec_t) ++role system_r types showmount_t; ++ ++type mount_ecryptfs_t; ++type mount_ecryptfs_exec_t; ++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t) ++role system_r types mount_ecryptfs_t; ++ ++type mount_ecryptfs_tmpfs_t; ++files_tmpfs_file(mount_ecryptfs_tmpfs_t) + + ######################################## + # + # mount local policy + # + +-# setuid/setgid needed to mount cifs +-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; ++# setuid/setgid needed to mount cifs ++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; ++allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; ++allow mount_t 
self:fifo_file rw_fifo_file_perms;
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow mount_t mount_loopback_t:file read_file_perms;
+ 
+@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t)
+ 
+ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+ 
++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
++files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })
++files_var_filetrans(mount_t,mount_var_run_t,dir)
++dev_filetrans(mount_t, mount_var_run_t, dir)
++
++# In order to mount reiserfs_t
++kernel_dontaudit_getattr_core_if(mount_t)
++kernel_list_unlabeled(mount_t)
++kernel_mount_unlabeled(mount_t)
++kernel_unmount_unlabeled(mount_t)
+ kernel_read_system_state(mount_t)
++kernel_read_network_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+-kernel_dontaudit_getattr_core_if(mount_t)
++kernel_relabelfrom_unlabeled_fs(mount_t)
++kernel_manage_debugfs(mount_t)
++kernel_setsched(mount_t)
++kernel_use_fds(mount_t)
+ kernel_dontaudit_write_debugfs_dirs(mount_t)
+ kernel_dontaudit_write_proc_dirs(mount_t)
+ # To load binfmt_misc kernel module
+@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t)
+ # required for mount.smbfs
+ corecmd_exec_bin(mount_t)
+ 
++dev_getattr_generic_blk_files(mount_t)
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
++dev_read_usbfs(mount_t)
++dev_read_rand(mount_t)
++dev_read_urand(mount_t)
+ dev_read_sysfs(mount_t)
+ dev_dontaudit_write_sysfs_dirs(mount_t)
+ dev_rw_lvm_control(mount_t)
+ dev_dontaudit_getattr_all_chr_files(mount_t)
+ dev_dontaudit_getattr_memory_dev(mount_t)
+ dev_getattr_sound_dev(mount_t)
++dev_rw_loop_control(mount_t)
++
++ifdef(`hide_broken_symptoms',`
++ dev_rw_generic_blk_files(mount_t)
++')
++
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(mount_t)
+ 
+ domain_use_interactive_fds(mount_t)
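Review bot: The -5,40 hunk removes `gen_tunable(allow_mount_anyfile, false)` together with its description, while the -146,26 hunk later switches the policy to a `mount_anyfile` tunable; no `gen_tunable(mount_anyfile, ...)` appears in this file, so unless it is declared in a global tunables file the module no longer builds, and the tunable's default and description are no longer documented next to its use. The enlarged capability line keeps the old comment `# setuid/setgid needed to mount cifs`, which now covers two of fourteen capabilities; `fsetid`, `fowner`, `setpcap`, `sys_resource`, `dac_read_search` and `sys_nice` each deserve a word on which mount helper needs them. In the -49,9 hunk `files_var_filetrans(mount_t,mount_var_run_t,dir)` labels any directory mount_t creates directly in /var as mount_var_run_t; if it exists for a known path a named transition is safer, and the `manage_*_pattern`/`files_pid_filetrans` lines lack the spaces after commas used elsewhere in the file.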
++domain_read_all_domains_state(mount_t) + + files_search_all(mount_t) + files_read_etc_files(mount_t) ++files_read_etc_runtime_files(mount_t) + files_manage_etc_runtime_files(mount_t) + files_etc_filetrans_etc_runtime(mount_t, file) ++# for when /etc/mtab loses its type ++files_delete_etc_files(mount_t) + files_mounton_all_mountpoints(mount_t) ++files_setattr_all_mountpoints(mount_t) ++# ntfs-3g checks whether the mountpoint is writable before mounting ++files_write_all_mountpoints(mount_t) + files_unmount_rootfs(mount_t) ++ + # These rules need to be generalized. Only admin, initrc should have it: +-files_relabelto_all_file_type_fs(mount_t) ++files_relabel_all_file_type_fs(mount_t) + files_mount_all_file_type_fs(mount_t) + files_unmount_all_file_type_fs(mount_t) +-# for when /etc/mtab loses its type +-# cjp: this seems wrong, the type should probably be etc + files_read_isid_type_files(mount_t) + # For reading cert files + files_read_usr_files(mount_t) +@@ -92,28 +141,39 @@ files_list_mnt(mount_t) + files_dontaudit_write_all_mountpoints(mount_t) + files_dontaudit_setattr_all_mountpoints(mount_t) + +-fs_getattr_xattr_fs(mount_t) +-fs_getattr_cifs(mount_t) ++fs_list_all(mount_t) ++fs_getattr_all_fs(mount_t) + fs_mount_all_fs(mount_t) + fs_unmount_all_fs(mount_t) + fs_remount_all_fs(mount_t) + fs_relabelfrom_all_fs(mount_t) +-fs_list_auto_mountpoints(mount_t) ++fs_rw_anon_inodefs_files(mount_t) + fs_rw_tmpfs_chr_files(mount_t) ++fs_rw_nfsd_fs(mount_t) ++fs_rw_removable_blk_files(mount_t) ++#fs_manage_tmpfs_dirs(mount_t) + fs_read_tmpfs_symlinks(mount_t) ++fs_read_fusefs_files(mount_t) ++fs_manage_nfs_dirs(mount_t) ++fs_read_nfs_symlinks(mount_t) ++fs_manage_cgroup_dirs(mount_t) ++fs_manage_cgroup_files(mount_t) + fs_dontaudit_write_tmpfs_dirs(mount_t) + +-mls_file_read_all_levels(mount_t) +-mls_file_write_all_levels(mount_t) ++mls_file_read_to_clearance(mount_t) ++mls_file_write_to_clearance(mount_t) ++mls_process_write_to_clearance(mount_t) + + 
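Review bot: `files_write_all_mountpoints(mount_t)` and `files_setattr_all_mountpoints(mount_t)` are added while the existing `files_dontaudit_write_all_mountpoints(mount_t)` and `files_dontaudit_setattr_all_mountpoints(mount_t)` (visible as context at the start of the next hunk) stay in place; once the access is allowed those dontaudit rules are dead and should be removed so the rule set reads truthfully. `files_relabelto_all_file_type_fs` becomes `files_relabel_all_file_type_fs`, adding relabelfrom, directly under the retained comment saying only admin and initrc should have this, so that comment should be updated or the widening justified. The `hide_broken_symptoms` block grants `dev_rw_generic_blk_files(mount_t)` with no comment naming the symptom being hidden.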
selinux_get_enforce_mode(mount_t) ++selinux_mounton_fs(mount_t) + + storage_raw_read_fixed_disk(mount_t) + storage_raw_write_fixed_disk(mount_t) + storage_raw_read_removable_device(mount_t) + storage_raw_write_removable_device(mount_t) ++storage_rw_fuse(mount_t) + +-term_use_all_terms(mount_t) ++term_use_all_inherited_terms(mount_t) + term_dontaudit_manage_pty_dirs(mount_t) + + auth_use_nsswitch(mount_t) +@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t) + init_use_fds(mount_t) + init_use_script_ptys(mount_t) + init_dontaudit_getattr_initctl(mount_t) ++init_stream_connect_script(mount_t) ++init_rw_script_stream_sockets(mount_t) + + logging_send_syslog_msg(mount_t) + +-miscfiles_read_localization(mount_t) +- + sysnet_use_portmap(mount_t) + + seutil_read_config(mount_t) + ++systemd_passwd_agent_domtrans(mount_t) ++ + userdom_use_all_users_fds(mount_t) ++userdom_manage_user_home_content_dirs(mount_t) ++userdom_read_user_home_content_symlinks(mount_t) ++userdom_list_user_tmp(mount_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',` + ') + ') + +-tunable_policy(`allow_mount_anyfile',` +- files_list_non_auth_dirs(mount_t) +- files_read_non_auth_files(mount_t) ++corecmd_exec_shell(mount_t) ++ ++tunable_policy(`mount_anyfile',` ++ files_read_non_security_files(mount_t) + files_mounton_non_security(mount_t) ++ files_rw_inherited_non_security_files(mount_t) + ') + + optional_policy(` + # for nfs +- corenet_all_recvfrom_unlabeled(mount_t) + corenet_all_recvfrom_netlabel(mount_t) +- corenet_tcp_sendrecv_all_if(mount_t) +- corenet_raw_sendrecv_all_if(mount_t) +- corenet_udp_sendrecv_all_if(mount_t) +- corenet_tcp_sendrecv_all_nodes(mount_t) +- corenet_raw_sendrecv_all_nodes(mount_t) +- corenet_udp_sendrecv_all_nodes(mount_t) ++ corenet_tcp_sendrecv_generic_if(mount_t) ++ corenet_raw_sendrecv_generic_if(mount_t) ++ corenet_udp_sendrecv_generic_if(mount_t) ++ corenet_tcp_sendrecv_generic_node(mount_t) ++ 
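Review bot: `#fs_manage_tmpfs_dirs(mount_t)` is a commented-out rule left in the new code; a reader cannot tell whether it is pending or rejected, so it should be deleted or kept with a one-line reason. The `fs_manage_cgroup_dirs(mount_t)`/`fs_manage_cgroup_files(mount_t)` pair also arrives without a comment, unlike the annotated rules earlier in the file. The MLS change from `mls_file_*_all_levels` to the `*_to_clearance` forms is a tightening and is fine as written.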
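Review bot: `userdom_manage_user_home_content_dirs(mount_t)` lets the mount domain create and delete any directory under user home content, which is far broader than searching a mountpoint; a comment naming the use case, or a narrower interface, is needed here. `systemd_passwd_agent_domtrans(mount_t)` is the only new call in this hunk not wrapped in `optional_policy`, unlike the blocks that follow; that is fine only if systemd is a base module on the target, which cannot be confirmed from this hunk.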
corenet_raw_sendrecv_generic_node(mount_t) ++ corenet_udp_sendrecv_generic_node(mount_t) + corenet_tcp_sendrecv_all_ports(mount_t) + corenet_udp_sendrecv_all_ports(mount_t) +- corenet_tcp_bind_all_nodes(mount_t) +- corenet_udp_bind_all_nodes(mount_t) ++ corenet_tcp_bind_generic_node(mount_t) ++ corenet_udp_bind_generic_node(mount_t) + corenet_tcp_bind_generic_port(mount_t) + corenet_udp_bind_generic_port(mount_t) + corenet_tcp_bind_reserved_port(mount_t) +@@ -179,6 +245,9 @@ optional_policy(` + fs_search_rpc(mount_t) + + rpc_stub(mount_t) ++ ++ rpc_domtrans_rpcd(mount_t) ++ rpcbind_stream_connect(mount_t) + ') + + optional_policy(` +@@ -186,6 +255,40 @@ optional_policy(` + ') + + optional_policy(` ++ cron_system_entry(mount_t, mount_exec_t) ++') ++ ++optional_policy(` ++ devicekit_read_state_power(mount_t) ++') ++ ++optional_policy(` ++ fsadm_manage_pid(mount_t) ++') ++ ++optional_policy(` ++ glusterd_domtrans(mount_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(mount_t) ++ ++ optional_policy(` ++ hal_dbus_chat(mount_t) ++ ') ++') ++ ++optional_policy(` ++ glusterd_domtrans(mount_t) ++') ++ ++optional_policy(` ++ hal_write_log(mount_t) ++ hal_use_fds(mount_t) ++ hal_dontaudit_rw_pipes(mount_t) ++') ++ ++optional_policy(` + ifdef(`hide_broken_symptoms',` + # for a bug in the X server + rhgb_dontaudit_rw_stream_sockets(mount_t) +@@ -194,24 +297,132 @@ optional_policy(` + ') + + optional_policy(` ++ livecd_rw_tmp_files(mount_t) ++') ++ ++# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 ++optional_policy(` ++# lvm_run(mount_t, mount_roles) ++ lvm_domtrans(mount_t) ++') ++ ++optional_policy(` ++ #modutils_run_insmod(mount_t, mount_roles) ++ modutils_domtrans_insmod(mount_t) ++ modutils_read_module_deps(mount_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(mount_t) ++ #fstools_run(mount_t, mount_roles) ++') ++ ++optional_policy(` ++ rhcs_stream_connect_gfs_controld(mount_t) ++') ++ ++#optional_policy(` ++# rpc_run_rpcd(mount_t, 
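Review bot: `corecmd_exec_shell(mount_t)` is added unconditionally, outside any tunable and without a comment; together with the `corecmd_exec_bin(mount_t)` earlier in the file it lets the mount domain run arbitrary shell scripts, so the reason (presumably mount helpers implemented as shell scripts) should be stated on the line. The tunable is renamed from `allow_mount_anyfile` to `mount_anyfile`, but the `gen_tunable(allow_mount_anyfile, false)` line was removed in the first hunk of this file with no replacement declaration visible; unless `mount_anyfile` is declared in a global tunables file, the `tunable_policy` block for `mount_anyfile` references an undeclared boolean.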
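Review bot: `glusterd_domtrans(mount_t)` is declared in two identical `optional_policy` blocks in this hunk; the second is a copy-paste duplicate and should be dropped. A short comment on why `hal_dbus_chat(mount_t)` is nested inside the dbus block while the other `hal_*` calls get their own block would help the next reader.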
mount_roles) ++#') ++ ++optional_policy(` + puppet_rw_tmp(mount_t) + ') + + # for kernel package installation + optional_policy(` + rpm_rw_pipes(mount_t) ++ rpm_dontaudit_leaks(mount_t) + ') + + optional_policy(` +- samba_run_smbmount(mount_t, mount_roles) ++ samba_read_config(mount_t) ++ samba_domtrans_smbmount(mount_t) ++ #samba_run_smbmount(mount_t, mount_roles) + ') + +-######################################## +-# +-# Unconfined mount local policy +-# ++optional_policy(` ++ ssh_exec(mount_t) ++ ssh_append_home_files(mount_t) ++') ++ ++optional_policy(` ++ usbmuxd_stream_connect(mount_t) ++') ++ ++optional_policy(` ++ userhelper_exec_console(mount_t) ++') ++ ++optional_policy(` ++ unconfined_write_keys(mount_t) ++') ++ ++optional_policy(` ++ virt_read_blk_images(mount_t) ++') + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) ++ vmware_exec_host(mount_t) + ') ++ ++optional_policy(` ++ unconfined_domain(mount_t) ++') ++ ++###################################### ++# ++# showmount local policy ++# ++ ++allow showmount_t self:tcp_socket create_stream_socket_perms; ++allow showmount_t self:udp_socket create_socket_perms; ++ ++kernel_read_system_state(showmount_t) ++ ++corenet_all_recvfrom_netlabel(showmount_t) ++corenet_tcp_sendrecv_generic_if(showmount_t) ++corenet_udp_sendrecv_generic_if(showmount_t) ++corenet_tcp_sendrecv_generic_node(showmount_t) ++corenet_udp_sendrecv_generic_node(showmount_t) ++corenet_tcp_sendrecv_all_ports(showmount_t) ++corenet_udp_sendrecv_all_ports(showmount_t) ++corenet_tcp_bind_generic_node(showmount_t) ++corenet_udp_bind_generic_node(showmount_t) ++corenet_tcp_bind_all_rpc_ports(showmount_t) ++corenet_udp_bind_all_rpc_ports(showmount_t) ++corenet_tcp_connect_all_ports(showmount_t) ++ ++files_read_etc_files(showmount_t) ++files_read_etc_runtime_files(showmount_t) ++ ++ ++sysnet_dns_name_resolve(showmount_t) ++ ++userdom_use_inherited_user_terminals(showmount_t) ++ 
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
+diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
+index b263a8a..15576ab 100644
+--- a/policy/modules/system/netlabel.fc
++++ b/policy/modules/system/netlabel.fc
+@@ -1 +1,6 @@
+ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++
++/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0)
++
++/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
+diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
+index cbbda4a..b569d5f 100644
+--- a/policy/modules/system/netlabel.te
++++ b/policy/modules/system/netlabel.te
+@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
+
+ type netlabel_mgmt_t;
+ type netlabel_mgmt_exec_t;
++init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ role system_r types netlabel_mgmt_t;
+
++type netlabel_mgmt_unit_file_t;
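Review bot: the new `optional_policy` block holding `unconfined_domain(mount_t)` makes the mount domain unconfined whenever the unconfined module is loaded, which turns every rule above it in this file into documentation only; the previous policy kept that in a separate `unconfined_mount_t` domain, which the first hunk of this file removes. If unconfined mount is the intended behaviour for this distribution, a comment saying so belongs on the block; otherwise the separate domain should be kept. The commented-out calls `#lvm_run`, `#modutils_run_insmod`, `#fstools_run`, `#rpc_run_rpcd` and `#samba_run_smbmount` are dead code now that `mount_roles` no longer exists and should be removed. In the `mount_ecryptfs` section the two `self:capability` lines can be merged into `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };`.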
++systemd_unit_file(netlabel_mgmt_unit_file_t) ++ + ######################################## + # + # NetLabel Management Tools Local policy +@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t; + allow netlabel_mgmt_t self:capability net_admin; + allow netlabel_mgmt_t self:netlink_socket create_socket_perms; + ++can_exec(netlabel_mgmt_t, netlabel_mgmt_t) ++ + kernel_read_network_state(netlabel_mgmt_t) ++kernel_read_system_state(netlabel_mgmt_t) ++ ++corecmd_exec_bin(netlabel_mgmt_t) ++corecmd_exec_shell(netlabel_mgmt_t) + + files_read_etc_files(netlabel_mgmt_t) + ++term_use_all_inherited_terms(netlabel_mgmt_t) ++ + seutil_use_newrole_fds(netlabel_mgmt_t) + +-userdom_use_user_terminals(netlabel_mgmt_t) ++auth_read_passwd(netlabel_mgmt_t) ++ ++userdom_use_inherited_user_terminals(netlabel_mgmt_t) ++ +diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc +index d43f3b1..870bc36 100644 +--- a/policy/modules/system/selinuxutil.fc ++++ b/policy/modules/system/selinuxutil.fc +@@ -6,13 +6,14 @@ + /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) + /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) + /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) +-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0) ++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) + /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) + /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? 
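Review bot: `init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)` is added directly above the retained `application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)`, so the same domain/entry-file pair is now declared twice; if `init_daemon_domain` expands to `domain_type`/`domain_entry_file` as the other refpolicy init interfaces do, the `application_domain` line is redundant and one of the two should go. A comment stating whether `netlabelctl` is run as a service or as an interactive tool would make the intended one obvious.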
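Review bot: `can_exec(netlabel_mgmt_t, netlabel_mgmt_t)` passes the process domain as the second argument, but that argument is the type of the file being executed; this looks like it should be `can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)`, matching `can_exec(mount_t, mount_exec_t)` in mount.te earlier in this patch. The hunk also ends with an added blank line after `userdom_use_inherited_user_terminals(netlabel_mgmt_t)` that leaves trailing whitespace at end of file.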
gen_context(system_u:object_r:semanage_store_t,s0) + /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) + /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) + + # + # /root +@@ -35,19 +36,27 @@ + /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) + + /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) ++/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) + /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) + /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) + /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) +-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) ++/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) + /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) + /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) ++/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) ++/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) + + # + # /var/lib + # + /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) ++/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) + + # + # /var/run + # + /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) ++ ++ ++/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) ++/etc/share/selinux/mls(/.*)? 
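Review bot: `seusers`, `users(/.*)?` and the `policy(/.*)?` tree drop from `mls_systemhigh` to `s0` (the last one also moving from `policy_config_t` to `semanage_store_t`), so on an MLS system the binary policy store and the user-to-SELinux-user mapping become readable at the lowest level; this looks like a deliberate downgrade and needs a comment in the file or the commit message explaining why. The `semanage_store_t` label on `policy(/.*)?` also depends on the `typealias semanage_store_t alias policy_config_t;` added in selinuxutil.te later in this patch; if that alias is ever dropped the old `policy_config_t` rules stop matching this tree.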
gen_context(system_u:object_r:semanage_store_t,s0) +diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if +index 3822072..270bde3 100644 +--- a/policy/modules/system/selinuxutil.if ++++ b/policy/modules/system/selinuxutil.if +@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` + # + interface(`seutil_run_newrole',` + gen_require(` +- attribute_role newrole_roles; ++ type newrole_t; ++ #attribute_role newrole_roles; + ') + ++ #seutil_domtrans_newrole($1) ++ #roleattribute $2 newrole_roles; ++ + seutil_domtrans_newrole($1) +- roleattribute $2 newrole_roles; ++ role $2 types newrole_t; ++ ++ auth_run_upd_passwd(newrole_t, $2) ++ ++ optional_policy(` ++ namespace_init_run(newrole_t, $2) ++ ') ++ + ') + + ######################################## +@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',` + + ######################################## + ## ++## Execute restorecond in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_exec_restorecond',` ++ gen_require(` ++ type restorecond_exec_t; ++ ') ++ ++ files_search_usr($1) ++ corecmd_search_bin($1) ++ can_exec($1, restorecond_exec_t) ++') ++ ++######################################## ++## + ## Execute run_init in the run_init domain. 
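Review bot: `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` look like a typo for `/usr/share/selinux/...`; every other policy-source path in this file is under `/usr` (`/usr/lib/selinux(/.*)?`, `/usr/share/system-config-selinux/...`), so unless an `/etc/share` tree exists on the target distribution these two entries label nothing. They are also appended after the `/var/run` section behind two blank lines rather than under the `/usr` section where the other `semanage_store_t` and `policy_src_t` paths live.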
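Review bot: the rewritten `seutil_run_newrole` now grants role `$2` the update-password domain through `auth_run_upd_passwd(newrole_t, $2)` and, when available, `namespace_init_run(newrole_t, $2)`, as side effects of an interface whose summary (above the hunk) describes running newrole; those grants should be named in the interface description so callers know what role authorisation they are handing out. The `#seutil_domtrans_newrole($1)` and `#roleattribute $2 newrole_roles;` lines and the `#attribute_role newrole_roles;` require are dead and should be removed rather than left beside the live replacements.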
+ ## + ## +@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` + # + interface(`seutil_run_runinit',` + gen_require(` +- attribute_role run_init_roles; ++ #attribute_role run_init_roles; ++ type run_init_t; ++ role system_r; + ') + +- seutil_domtrans_runinit($1) +- roleattribute $2 run_init_roles; ++ #seutil_domtrans_runinit($1) ++ #roleattribute $2 run_init_roles; ++ ++ auth_run_chk_passwd(run_init_t, $2) ++ seutil_domtrans_runinit($1) ++ role $2 types run_init_t; ++ ++ allow $2 system_r; ++ + ') + + ######################################## +@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',` + # + interface(`seutil_init_script_run_runinit',` + gen_require(` +- attribute_role run_init_roles; ++ #attribute_role run_init_roles; ++ type run_init_t; ++ role system_r; + ') + +- seutil_init_script_domtrans_runinit($1) +- roleattribute $2 run_init_roles; ++ #seutil_init_script_domtrans_runinit($1) ++ #roleattribute $2 run_init_roles; ++ auth_run_chk_passwd(run_init_t, $2) ++ seutil_init_script_domtrans_runinit($1) ++ role $2 types run_init_t; ++ ++ allow $2 system_r; ++ + ') + + ######################################## +@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',` + + ######################################## + ## ++## Execute setfiles in the setfiles domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_domtrans_setfiles_mac',` ++ gen_require(` ++ type setfiles_mac_t, setfiles_exec_t; ++ ') ++ ++ files_search_usr($1) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) ++') ++ ++######################################## ++## ++## Execute setfiles in the setfiles_mac domain, and ++## allow the specified role the setfiles_mac domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the setfiles_mac domain. 
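Review bot: `allow $2 system_r;` in `seutil_run_runinit` lets any role handed to the interface change to `system_r`, a broad role transition granted implicitly by a run interface; the same line is added to `seutil_init_script_run_runinit` in the next hunk. That authorisation should live with the caller's role policy, or at minimum be stated in the interface description, and the new `auth_run_chk_passwd(run_init_t, $2)` grant deserves the same mention. The `#seutil_domtrans_runinit($1)`, `#roleattribute` and `#attribute_role` lines are dead and should go.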
++## ++## ++## ++# ++interface(`seutil_run_setfiles_mac',` ++ gen_require(` ++ type setfiles_mac_t; ++ ') ++ ++ seutil_domtrans_setfiles_mac($1) ++ role $2 types setfiles_mac_t; ++') ++ ++######################################## ++## + ## Execute setfiles in the caller domain. + ## + ## +@@ -680,10 +776,115 @@ interface(`seutil_manage_config',` + ') + + files_search_etc($1) ++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) + manage_files_pattern($1, selinux_config_t, selinux_config_t) + read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) + ') + ++###################################### ++## ++## Create, read, write, and delete ++## the general selinux configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_manage_config_dirs',` ++ gen_require(` ++ type selinux_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to search the SELinux ++## login configuration directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`seutil_dontaudit_search_login_config',` ++ gen_require(` ++ type selinux_login_config_t; ++ ') ++ ++ dontaudit $1 selinux_login_config_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read the SELinux ++## login configuration. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`seutil_dontaudit_read_login_config',` ++ gen_require(` ++ type selinux_login_config_t; ++ ') ++ dontaudit $1 selinux_login_config_t:dir search_dir_perms; ++ dontaudit $1 selinux_login_config_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read the SELinux login configuration files. ++## ++## ++## ++## Domain allowed access. 
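Review bot: the summary of `seutil_domtrans_setfiles_mac` reads `Execute setfiles in the setfiles domain.` but the interface transitions to `setfiles_mac_t`, and `seutil_run_setfiles_mac` promises `and use the caller's terminal` while granting only the domtrans and `role $2 types setfiles_mac_t;`. Change the first to `## Execute setfiles in the setfiles_mac domain.` and either drop the terminal clause from the second or add the terminal grant it describes.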
++## ++## ++# ++interface(`seutil_read_login_config',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ allow $1 selinux_login_config_t:dir list_dir_perms; ++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++') ++ ++######################################## ++## ++## Read and write the SELinux login configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_rw_login_config',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ allow $1 selinux_login_config_t:dir list_dir_perms; ++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++') ++ + ####################################### + ## + ## Create, read, write, and delete +@@ -694,15 +895,62 @@ interface(`seutil_manage_config',` + ## Domain allowed access. + ## + ## +-## + # +-interface(`seutil_manage_config_dirs',` ++interface(`seutil_rw_login_config_dirs',` + gen_require(` + type selinux_config_t; ++ type selinux_login_config_t; + ') + + files_search_etc($1) +- allow $1 selinux_config_t:dir manage_dir_perms; ++ allow $1 selinux_config_t:dir search_dir_perms; ++ allow $1 selinux_login_config_t:dir rw_dir_perms; ++') ++ ++###################################### ++## ++## Create, read, write, and delete ++## the general selinux configuration files. ++## ++## ++## ++## Domain allowed access. 
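Review bot: `seutil_manage_config_dirs` is documented as `Create, read, write, and delete the general selinux configuration files.` but grants only `selinux_config_t:dir manage_dir_perms`, so the summary should say `directories`. `seutil_dontaudit_read_login_config` is also the only new interface in this hunk with no blank line between its `gen_require` block and its rules, which the surrounding interfaces all have.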
++## ++## ++# ++interface(`seutil_manage_login_config',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++') ++ ++###################################### ++## ++## manage the login selinux configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_manage_login_config_files',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) + ') + + ######################################## +@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',` + read_files_pattern($1, default_context_t, default_context_t) + ') + ++####################################### ++## ++## Read and write the default_contexts files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_rw_default_contexts',` ++ gen_require(` ++ type default_context_t; ++ type selinux_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir list_dir_perms; ++ allow $1 default_context_t:dir list_dir_perms; ++ rw_files_pattern($1, default_context_t, default_context_t) ++') ++ + ######################################## + ## + ## Create, read, write, and delete the default_contexts files. 
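Review bot: `seutil_rw_login_config_dirs` keeps the old `Create, read, write, and delete` summary (its heading lines are above the hunk) while it now grants only `rw_dir_perms` on `selinux_login_config_t`, and `seutil_manage_login_config` says `the general selinux configuration files` although it manages the login configuration; both summaries should name what is actually granted, e.g. `## Read and write the SELinux login configuration directories.`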
+@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',` + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; ++ list_dirs_pattern($1, file_context_t, file_context_t) + read_files_pattern($1, file_context_t, file_context_t) ++ read_lnk_files_pattern($1, file_context_t, file_context_t) + ') + + ######################################## +@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',` + + ######################################## + ## ++## Execute a domain transition to run setsebool. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`seutil_domtrans_setsebool',` ++ gen_require(` ++ type setsebool_t, setsebool_exec_t; ++ ') ++ ++ files_search_usr($1) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, setsebool_exec_t, setsebool_t) ++') ++ ++######################################## ++## + ## Execute semanage in the semanage domain, and + ## allow the specified role the semanage domain, + ## and use the caller's terminal. +@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',` + # + interface(`seutil_run_semanage',` + gen_require(` +- attribute_role semanage_roles; ++ #attribute_role semanage_roles; ++ type semanage_t; + ') + ++ #seutil_domtrans_semanage($1) ++ #roleattribute $2 semanage_roles; ++ + seutil_domtrans_semanage($1) +- roleattribute $2 semanage_roles; ++ seutil_run_setfiles(semanage_t, $2) ++ seutil_run_loadpolicy(semanage_t, $2) ++ role $2 types semanage_t; ++ ++') ++ ++######################################## ++## ++## Execute setsebool in the semanage domain, and ++## allow the specified role the semanage domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the setsebool domain. 
++## ++## ++## ++# ++interface(`seutil_run_setsebool',` ++ gen_require(` ++ type semanage_t; ++ ') ++ ++ seutil_domtrans_setsebool($1) ++ role $2 types setsebool_t; ++') ++ ++######################################## ++## ++## Full management of the semanage ++## module store. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_read_module_store',` ++ gen_require(` ++ type selinux_config_t, semanage_store_t; ++ ') ++ ++ files_search_etc($1) ++ list_dirs_pattern($1, selinux_config_t, semanage_store_t) ++ read_files_pattern($1, semanage_store_t, semanage_store_t) ++ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t) + ') + + ######################################## +@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',` + files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, semanage_store_t) + manage_files_pattern($1, semanage_store_t, semanage_store_t) ++ manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") + ') + + ####################################### +@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',` + selinux_dontaudit_get_fs_mount($1) + seutil_dontaudit_read_config($1) + ') ++ ++####################################### ++## ++## All rules necessary to run semanage command ++## ++## ++## ++## Domain allowed access. 
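Review bot: `seutil_run_setsebool` requires `type semanage_t;` but its only own rule is `role $2 types setsebool_t;`, so the require block names the wrong type and `setsebool_t` is unresolved in a module that does not otherwise pull it in; it should read `type setsebool_t;`, and the summary `Execute setsebool in the semanage domain` should say the setsebool domain. `seutil_read_module_store` is summarised as `Full management of the semanage module store.` while granting list/read only. `seutil_run_semanage` now also hands role `$2` the setfiles and load_policy domains through `seutil_run_setfiles`/`seutil_run_loadpolicy`, which the interface description above the hunk does not mention.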
++## ++## ++# ++interface(`seutil_semanage_policy',` ++ gen_require(` ++ type semanage_tmp_t; ++ type policy_config_t; ++ attribute policy_manager_domain; ++ ') ++ typeattribute $1 policy_manager_domain; ++ ++ kernel_read_system_state($1) ++ ++ # Running genhomedircon requires this for finding all users ++ auth_use_nsswitch($1) ++ ++ mls_file_write_all_levels($1) ++ mls_file_read_all_levels($1) ++ ++ selinux_get_enforce_mode($1) ++ selinux_set_enforce_mode($1) ++ ++ seutil_manage_bin_policy($1) ++ ++ logging_send_syslog_msg($1) ++') ++ ++####################################### ++## ++## All rules necessary to run setfiles command ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_setfiles',` ++ ++ gen_require(` ++ attribute setfiles_domain; ++ ') ++ typeattribute $1 setfiles_domain; ++ ++ kernel_read_system_state($1) ++ seutil_libselinux_linked($1) ++ ++ files_relabel_all_files($1) ++ ++ mls_file_read_all_levels($1) ++ mls_file_write_all_levels($1) ++ mls_file_upgrade($1) ++ mls_file_downgrade($1) ++ ++ # this is to satisfy the assertion: ++ auth_relabelto_shadow($1) ++ ++ logging_send_syslog_msg($1) ++') ++ ++##################################### ++## ++## File name transition for selinux utility content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`seutil_filetrans_named_content',` ++ gen_require(` ++ type default_context_t, semanage_store_t; ++ type selinux_config_t, semanage_trans_lock_t; ++ type file_context_t, selinux_login_config_t; ++ ') ++ ++ filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") ++ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK") ++ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK") ++ filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins") ++ filetrans_pattern($1, default_context_t, file_context_t, dir, "files") ++ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") ++') ++ ++######################################## ++## ++## Send and receive messages from ++## semanage dbus server over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`seutil_dbus_chat_semanage',` ++ gen_require(` ++ type semanage_t; ++ class dbus send_msg; ++ ') ++ ++ ps_process_pattern(semanage_t, $1) ++ ++ allow $1 semanage_t:dbus send_msg; ++ allow semanage_t $1:dbus send_msg; ++') +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index ec01d0b..ececda2 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -11,14 +11,16 @@ gen_require(` + + attribute can_write_binary_policy; + attribute can_relabelto_binary_policy; ++attribute setfiles_domain; ++attribute policy_manager_domain; + +-attribute_role newrole_roles; ++#attribute_role newrole_roles; + +-attribute_role run_init_roles; +-role system_r types run_init_t; ++#attribute_role run_init_roles; ++#role system_r types run_init_t; + +-attribute_role semanage_roles; +-roleattribute system_r semanage_roles; ++#attribute_role semanage_roles; ++#roleattribute system_r semanage_roles; + + # + # selinux_config_t is the type applied to +@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles; + # in the domain_type interface + # (fix dup decl) + type selinux_config_t; +-files_type(selinux_config_t) ++files_security_file(selinux_config_t) ++ ++type selinux_login_config_t; ++files_security_file(selinux_login_config_t) ++ ++type selinux_var_lib_t; ++files_type(selinux_var_lib_t) + + type checkpolicy_t, can_write_binary_policy; + type checkpolicy_exec_t; +@@ -40,14 +48,14 @@ role system_r types checkpolicy_t; + # /etc/selinux/*/contexts/* + # + type default_context_t; +-files_type(default_context_t) ++files_security_file(default_context_t) + + # + # file_context_t is the type applied to + # /etc/selinux/*/contexts/files + # + type file_context_t; +-files_type(file_context_t) ++files_security_file(file_context_t) + + type load_policy_t; + type load_policy_exec_t; +@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t) + domain_role_change_exemption(newrole_t) + 
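Review bot: in `seutil_filetrans_named_content` the `"semanage.read.LOCK"` transition targets `semanage_trans_lock_t`, but selinuxutil.fc in this same patch labels `modules/semanage\.read\.LOCK` as `semanage_read_lock_t`, so a lock created through this transition carries the wrong type until relabelled; add `semanage_read_lock_t` to the `gen_require` and change the line to `filetrans_pattern($1, selinux_config_t, semanage_read_lock_t, file, "semanage.read.LOCK")`. `seutil_semanage_policy` requires `semanage_tmp_t` and `policy_config_t` without using either, and `seutil_setfiles` opens with a blank line before its `gen_require`, unlike the other interfaces.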
domain_obj_id_change_exemption(newrole_t) + domain_interactive_fd(newrole_t) +-role newrole_roles types newrole_t; ++#role newrole_roles types newrole_t; ++role system_r types newrole_t; + + # + # policy_config_t is the type of /etc/security/selinux/* + # the security server policy configuration. + # +-type policy_config_t; +-files_type(policy_config_t) ++#type policy_config_t; ++#files_type(policy_config_t) ++gen_require(` ++ type semanage_store_t; ++') ++ ++typealias semanage_store_t alias policy_config_t; + + neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; + #neverallow ~can_write_binary_policy policy_config_t:file { write append }; +@@ -83,7 +97,6 @@ type restorecond_t; + type restorecond_exec_t; + init_daemon_domain(restorecond_t, restorecond_exec_t) + domain_obj_id_change_exemption(restorecond_t) +-role system_r types restorecond_t; + + type restorecond_var_run_t; + files_pid_file(restorecond_var_run_t) +@@ -92,25 +105,32 @@ type run_init_t; + type run_init_exec_t; + application_domain(run_init_t, run_init_exec_t) + domain_system_change_exemption(run_init_t) +-role run_init_roles types run_init_t; ++#role run_init_roles types run_init_t; ++role system_r types run_init_t; + + type semanage_t; + type semanage_exec_t; + application_domain(semanage_t, semanage_exec_t) ++init_daemon_domain(semanage_t, semanage_exec_t) + domain_interactive_fd(semanage_t) +-role semanage_roles types semanage_t; ++#role semanage_roles types semanage_t; ++role system_r types semanage_t; ++ ++type setsebool_t; ++type setsebool_exec_t; ++init_system_domain(setsebool_t, setsebool_exec_t) + + type semanage_store_t; +-files_type(semanage_store_t) ++files_security_file(semanage_store_t) + + type semanage_read_lock_t; +-files_type(semanage_read_lock_t) ++files_lock_file(semanage_read_lock_t) + + type semanage_tmp_t; + files_tmp_file(semanage_tmp_t) + +-type semanage_trans_lock_t; +-files_type(semanage_trans_lock_t) ++type semanage_trans_lock_t; 
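Review bot: the mid-file `gen_require` of `semanage_store_t` followed by `typealias semanage_store_t alias policy_config_t;` references a type this same file declares further down (`type semanage_store_t;` in the next hunk); moving the alias below that declaration removes the need for a require on a locally declared type. Through the alias the retained `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;` now applies to the whole semanage module store rather than only the binary policy, which is a wider assertion and should be confirmed as intended. The `#type policy_config_t;` / `#files_type(policy_config_t)` lines are dead and should be removed.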
++files_lock_file(semanage_trans_lock_t) + + type semanage_var_lib_t; + files_type(semanage_var_lib_t) +@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t; + init_system_domain(setfiles_t, setfiles_exec_t) + domain_obj_id_change_exemption(setfiles_t) + ++type setfiles_mac_t; ++domain_type(setfiles_mac_t) ++domain_entry_file(setfiles_mac_t, setfiles_exec_t) ++domain_obj_id_change_exemption(setfiles_mac_t) ++ + ######################################## + # + # Checkpolicy local policy +@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) + read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) + read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) + allow checkpolicy_t selinux_config_t:dir search_dir_perms; ++allow checkpolicy_t selinux_login_config_t:dir search_dir_perms; + + domain_use_interactive_fds(checkpolicy_t) + +@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t) + init_use_fds(checkpolicy_t) + init_use_script_ptys(checkpolicy_t) + +-userdom_use_user_terminals(checkpolicy_t) ++userdom_use_inherited_user_terminals(checkpolicy_t) + userdom_use_all_users_fds(checkpolicy_t) + + ifdef(`distro_ubuntu',` +@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t) + + init_use_script_fds(load_policy_t) + init_use_script_ptys(load_policy_t) +- +-miscfiles_read_localization(load_policy_t) ++init_write_script_pipes(load_policy_t) + + seutil_libselinux_linked(load_policy_t) + +-userdom_use_user_terminals(load_policy_t) ++userdom_use_inherited_user_terminals(load_policy_t) + userdom_use_all_users_fds(load_policy_t) ++userdom_dontaudit_read_user_tmp_files(load_policy_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',` + ifdef(`hide_broken_symptoms',` + # cjp: cover up stray file descriptors. 
+ dontaudit load_policy_t selinux_config_t:file write; ++ dontaudit load_policy_t selinux_login_config_t:file write; + + optional_policy(` + unconfined_dontaudit_read_pipes(load_policy_t) +@@ -215,12 +242,17 @@ optional_policy(` + portage_dontaudit_use_fds(load_policy_t) + ') + ++optional_policy(` ++ # pki is leaking ++ pki_dontaudit_write_log(load_policy_t) ++') ++ + ######################################## + # + # Newrole local policy + # + +-allow newrole_t self:capability { fowner setuid setgid dac_override }; ++allow newrole_t self:capability { fowner setpcap setuid setgid dac_override }; + allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; + allow newrole_t self:process setexec; + allow newrole_t self:fd use; +@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms; + allow newrole_t self:msg { send receive }; + allow newrole_t self:unix_dgram_socket sendto; + allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++logging_send_audit_msgs(newrole_t) + + read_files_pattern(newrole_t, default_context_t, default_context_t) + read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) +@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t) + # for when the user types "exec newrole" at the command line: + domain_sigchld_interactive_fds(newrole_t) + ++files_list_var(newrole_t) + files_read_etc_files(newrole_t) + files_read_var_files(newrole_t) + files_read_var_symlinks(newrole_t) +@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t) + term_getattr_unallocated_ttys(newrole_t) + term_dontaudit_use_unallocated_ttys(newrole_t) + +-auth_use_nsswitch(newrole_t) +-auth_run_chk_passwd(newrole_t, newrole_roles) +-auth_run_upd_passwd(newrole_t, newrole_roles) +-auth_rw_faillog(newrole_t) ++auth_use_pam(newrole_t) + + # Write to utmp. 
+ init_rw_utmp(newrole_t) + init_use_fds(newrole_t) + +-logging_send_syslog_msg(newrole_t) +- +-miscfiles_read_localization(newrole_t) + + seutil_libselinux_linked(newrole_t) + ++userdom_use_unpriv_users_fds(newrole_t) + # for some PAM modules and for cwd + userdom_dontaudit_search_user_home_content(newrole_t) + userdom_search_user_home_dirs(newrole_t) + ++# need to talk with dbus ++optional_policy(` ++ dbus_system_bus_client(newrole_t) ++') ++ ++#optional_policy(` ++# namespace_init_run(newrole_t, newrole_roles) ++#') ++ ++ ++optional_policy(` ++ xserver_dontaudit_exec_xauth(newrole_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(newrole_t) +@@ -309,7 +351,7 @@ if(secure_mode) { + userdom_spec_domtrans_all_users(newrole_t) + } + +-tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(newrole_t) + ') + +@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t) + kernel_rw_pipes(restorecond_t) + kernel_read_system_state(restorecond_t) + ++dev_relabel_all_dev_nodes(restorecond_t) ++ ++files_dontaudit_read_all_symlinks(restorecond_t) ++ + fs_relabelfrom_noxattr_fs(restorecond_t) + fs_dontaudit_list_nfs(restorecond_t) +-fs_getattr_xattr_fs(restorecond_t) ++fs_getattr_all_fs(restorecond_t) + fs_list_inotifyfs(restorecond_t) + + selinux_validate_context(restorecond_t) +@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t) + + files_relabel_non_auth_files(restorecond_t ) + files_read_non_auth_files(restorecond_t) ++ + auth_use_nsswitch(restorecond_t) + + locallogin_dontaudit_use_fds(restorecond_t) + + logging_send_syslog_msg(restorecond_t) + +-miscfiles_read_localization(restorecond_t) +- + seutil_libselinux_linked(restorecond_t) + ++userdom_read_user_home_content_symlinks(restorecond_t) ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(restorecond_t) +@@ -366,21 +413,24 @@ optional_policy(` + # Run_init local policy + # + +-allow run_init_roles system_r; 
++#allow run_init_roles system_r; + + allow run_init_t self:process setexec; + allow run_init_t self:capability setuid; + allow run_init_t self:fifo_file rw_file_perms; +-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++logging_send_audit_msgs(run_init_t) + + # often the administrator runs such programs from a directory that is owned + # by a different user or has restrictive SE permissions, do not want to audit + # the failed access to the current directory + dontaudit run_init_t self:capability { dac_override dac_read_search }; + ++kernel_dontaudit_getattr_core_if(run_init_t) ++ + corecmd_exec_bin(run_init_t) + corecmd_exec_shell(run_init_t) + ++dev_dontaudit_getattr_all(run_init_t) + dev_dontaudit_list_all_dev_nodes(run_init_t) + + domain_use_interactive_fds(run_init_t) +@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t) + selinux_compute_relabel_context(run_init_t) + selinux_compute_user_contexts(run_init_t) + ++term_use_console(run_init_t) ++ ++#auth_use_nsswitch(run_init_t) ++#auth_run_chk_passwd(run_init_t, run_init_roles) ++#auth_run_upd_passwd(run_init_t, run_init_roles) ++#auth_dontaudit_read_shadow(run_init_t) ++ + auth_use_nsswitch(run_init_t) +-auth_run_chk_passwd(run_init_t, run_init_roles) +-auth_run_upd_passwd(run_init_t, run_init_roles) ++auth_domtrans_chk_passwd(run_init_t) ++auth_domtrans_upd_passwd(run_init_t) + auth_dontaudit_read_shadow(run_init_t) + ++ + init_spec_domtrans_script(run_init_t) + # for utmp + init_rw_utmp(run_init_t) ++init_dontaudit_getattr_initctl(run_init_t) + + logging_send_syslog_msg(run_init_t) + +-miscfiles_read_localization(run_init_t) +- + seutil_libselinux_linked(run_init_t) + seutil_read_default_contexts(run_init_t) + +-userdom_use_user_terminals(run_init_t) ++userdom_use_inherited_user_terminals(run_init_t) + + ifndef(`direct_sysadm_daemon',` + ifdef(`distro_gentoo',` +@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',` + ') + ') + ++# need to talk with dbus 
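Review bot: In the -398 hunk the four commented-out `#auth_*(run_init_t…)` lines sit directly above the live `auth_use_nsswitch`, `auth_domtrans_chk_passwd`, `auth_domtrans_upd_passwd` and `auth_dontaudit_read_shadow` calls they duplicate; they are dead text and should be deleted, as should `#allow run_init_roles system_r;` in the -366 hunk. Replacing `auth_run_chk_passwd(run_init_t, run_init_roles)` with `auth_domtrans_chk_passwd(run_init_t)` drops the role argument, so the password-check domain is reachable only from roles that are allowed it elsewhere — presumably fine now that run_init_t is pinned to system_r, but a short comment such as `# run_init_t is system_r only, so no role grant is needed for chkpwd` would record that dependency. The run_init block continues past the hunk.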
++optional_policy(` ++ dbus_system_bus_client(run_init_t) ++') ++ ++optional_policy(` ++ gpm_dontaudit_getattr_gpmctl(run_init_t) ++') ++ ++optional_policy(` ++ rpm_domtrans(run_init_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(run_init_t) +@@ -440,81 +510,87 @@ optional_policy(` + # semodule local policy + # + +-allow semanage_t self:capability { dac_override audit_write }; +-allow semanage_t self:unix_stream_socket create_stream_socket_perms; +-allow semanage_t self:unix_dgram_socket create_socket_perms; + allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +-allow semanage_t self:fifo_file rw_fifo_file_perms; +- +-allow semanage_t policy_config_t:file rw_file_perms; +- +-allow semanage_t semanage_tmp_t:dir manage_dir_perms; +-allow semanage_t semanage_tmp_t:file manage_file_perms; +-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) + + manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) + manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) + +-kernel_read_system_state(semanage_t) +-kernel_read_kernel_sysctls(semanage_t) +- +-corecmd_exec_bin(semanage_t) +- +-dev_read_urand(semanage_t) +- +-domain_use_interactive_fds(semanage_t) +- +-files_read_etc_files(semanage_t) +-files_read_etc_runtime_files(semanage_t) +-files_read_usr_files(semanage_t) +-files_list_pids(semanage_t) +- +-mls_file_write_all_levels(semanage_t) +-mls_file_read_all_levels(semanage_t) +- +-selinux_validate_context(semanage_t) +-selinux_get_enforce_mode(semanage_t) +-selinux_getattr_fs(semanage_t) +-# for setsebool: + selinux_set_all_booleans(semanage_t) ++can_exec(semanage_t, semanage_exec_t) + +-term_use_all_terms(semanage_t) +- +-# Running genhomedircon requires this for finding all users +-auth_use_nsswitch(semanage_t) +- +-locallogin_use_fds(semanage_t) +- +-logging_send_syslog_msg(semanage_t) ++# Admins are creating pp files in random locations 
++files_read_non_security_files(semanage_t) + +-miscfiles_read_localization(semanage_t) +- +-seutil_libselinux_linked(semanage_t) ++seutil_semanage_policy(semanage_t) + seutil_manage_file_contexts(semanage_t) + seutil_manage_config(semanage_t) +-seutil_run_setfiles(semanage_t, semanage_roles) +-seutil_run_loadpolicy(semanage_t, semanage_roles) +-seutil_manage_bin_policy(semanage_t) +-seutil_use_newrole_fds(semanage_t) +-seutil_manage_module_store(semanage_t) +-seutil_get_semanage_trans_lock(semanage_t) +-seutil_get_semanage_read_lock(semanage_t) ++seutil_domtrans_setfiles(semanage_t) ++ ++#seutil_run_setfiles(semanage_t, semanage_roles) ++#seutil_run_loadpolicy(semanage_t, semanage_roles) ++#seutil_manage_bin_policy(semanage_t) ++#seutil_use_newrole_fds(semanage_t) ++#seutil_manage_module_store(semanage_t) ++#seutil_get_semanage_trans_lock(semanage_t) ++#seutil_get_semanage_read_lock(semanage_t) + # netfilter_contexts: + seutil_manage_default_contexts(semanage_t) + + # Handle pp files created in homedir and /tmp + userdom_read_user_home_content_files(semanage_t) + userdom_read_user_tmp_files(semanage_t) ++userdom_home_reader(semanage_t) + + ifdef(`distro_debian',` + files_read_var_lib_files(semanage_t) + files_read_var_lib_symlinks(semanage_t) + ') + +-ifdef(`distro_ubuntu',` +- optional_policy(` +- unconfined_domain(semanage_t) +- ') ++optional_policy(` ++ dbus_system_domain(semanage_t, semanage_exec_t) ++') ++ ++optional_policy(` ++ mock_manage_lib_files(semanage_t) ++ mock_manage_lib_dirs(semanage_t) ++') ++ ++optional_policy(` ++ unconfined_domain(semanage_t) ++') ++ ++####################################n#### ++# ++# setsebool local policy ++# ++seutil_semanage_policy(setsebool_t) ++selinux_set_all_booleans(setsebool_t) ++ ++init_dontaudit_use_fds(setsebool_t) ++ ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) ++ 
++######################################## ++# ++# Setfiles mac local policy ++# ++seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) ++ ++optional_policy(` ++ files_dontaudit_write_isid_chr_files(setfiles_mac_t) ++ livecd_dontaudit_leaks(setfiles_mac_t) ++ livecd_rw_tmp_files(setfiles_mac_t) ++ dev_dontaudit_write_all_chr_files(setfiles_mac_t) ++') ++ ++optional_policy(` ++ unconfined_domain(setfiles_mac_t) + ') + + ######################################## +@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',` + # Setfiles local policy + # + +-allow setfiles_t self:capability { dac_override dac_read_search fowner }; +-dontaudit setfiles_t self:capability sys_tty_config; +-allow setfiles_t self:fifo_file rw_file_perms; +- +-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; +-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; +-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; +- +-kernel_read_system_state(setfiles_t) +-kernel_relabelfrom_unlabeled_dirs(setfiles_t) +-kernel_relabelfrom_unlabeled_files(setfiles_t) +-kernel_relabelfrom_unlabeled_symlinks(setfiles_t) +-kernel_relabelfrom_unlabeled_pipes(setfiles_t) +-kernel_relabelfrom_unlabeled_sockets(setfiles_t) +-kernel_use_fds(setfiles_t) +-kernel_rw_pipes(setfiles_t) +-kernel_rw_unix_dgram_sockets(setfiles_t) +-kernel_dontaudit_list_all_proc(setfiles_t) +-kernel_dontaudit_list_all_sysctls(setfiles_t) +- +-dev_relabel_all_dev_nodes(setfiles_t) +- +-domain_use_interactive_fds(setfiles_t) +-domain_dontaudit_search_all_domains_state(setfiles_t) +- +-files_read_etc_runtime_files(setfiles_t) +-files_read_etc_files(setfiles_t) +-files_list_all(setfiles_t) +-files_relabel_all_files(setfiles_t) +-files_read_usr_symlinks(setfiles_t) +- +-fs_getattr_xattr_fs(setfiles_t) 
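Review bot: `optional_policy(` unconfined_domain(semanage_t) ')` near the end of the -440 hunk is no longer gated by `ifdef(`distro_ubuntu',…)`, so on every build that includes the unconfined module the policy-management domain runs unconfined, which makes the careful grants above it (seutil_semanage_policy, the userdom read rules, the mock rules) moot; the same applies to `unconfined_domain(setfiles_mac_t)` at the end of the hunk. If this is meant for one distribution only, wrap it in the corresponding `ifdef(`distro_…',…)`, otherwise add a comment explaining why a confined semanage is not achievable. The new setsebool_t block grants `seutil_domtrans_setfiles`, `seutil_manage_file_contexts`, `seutil_manage_default_contexts` and `seutil_manage_config` under a bare `# Bug in semanage`; a boolean setter should not need to rewrite file contexts, so name the bug and mark the rules temporary, e.g. `# Workaround for <bug-id>: remove once setsebool no longer reaches setfiles`. The banner `####################################n####` has a stray `n`.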
+-fs_list_all(setfiles_t) +-fs_search_auto_mountpoints(setfiles_t) +-fs_relabelfrom_noxattr_fs(setfiles_t) +- +-mls_file_read_all_levels(setfiles_t) +-mls_file_write_all_levels(setfiles_t) +-mls_file_upgrade(setfiles_t) +-mls_file_downgrade(setfiles_t) +- +-selinux_validate_context(setfiles_t) +-selinux_compute_access_vector(setfiles_t) +-selinux_compute_create_context(setfiles_t) +-selinux_compute_relabel_context(setfiles_t) +-selinux_compute_user_contexts(setfiles_t) +- +-term_use_all_ttys(setfiles_t) +-term_use_all_ptys(setfiles_t) +-term_use_unallocated_ttys(setfiles_t) +- +-# this is to satisfy the assertion: +-auth_relabelto_shadow(setfiles_t) +- +-init_use_fds(setfiles_t) +-init_use_script_fds(setfiles_t) +-init_use_script_ptys(setfiles_t) +-init_exec_script_files(setfiles_t) ++seutil_setfiles(setfiles_t) ++# During boot in Rawhide ++term_use_generic_ptys(setfiles_t) ++ ++# needs to be able to read symlinks to make restorecon on symlink working ++files_read_all_symlinks(setfiles_t) + + logging_send_audit_msgs(setfiles_t) + logging_send_syslog_msg(setfiles_t) + +-miscfiles_read_localization(setfiles_t) ++optional_policy(` ++ devicekit_dontaudit_read_pid_files(setfiles_t) ++ devicekit_dontaudit_rw_log(setfiles_t) ++') ++ ++optional_policy(` ++ # pki is leaking ++ pki_dontaudit_write_log(setfiles_t) ++') ++ ++optional_policy(` ++ xserver_append_xdm_tmp_files(setfiles_t) ++') ++ ++ifdef(`hide_broken_symptoms',` + +-seutil_libselinux_linked(setfiles_t) ++ optional_policy(` ++ setroubleshoot_fixit_dontaudit_leaks(setfiles_t) ++ setroubleshoot_fixit_dontaudit_leaks(setsebool_t) ++ setroubleshoot_fixit_dontaudit_leaks(load_policy_t) ++ ') ++') ++ifdef(`distro_ubuntu',` ++ optional_policy(` ++ unconfined_domain(setfiles_t) ++ ') ++') + +-userdom_use_all_users_fds(setfiles_t) ++######################################## ++# ++# Setfiles common policy ++# ++allow setfiles_domain self:capability { dac_override dac_read_search fowner }; ++dontaudit setfiles_domain 
self:capability sys_tty_config; ++allow setfiles_domain self:fifo_file rw_file_perms; ++dontaudit setfiles_domain self:dir relabelfrom; ++dontaudit setfiles_domain self:file relabelfrom; ++dontaudit setfiles_domain self:lnk_file relabelfrom; ++ ++domain_relabelfrom(setfiles_domain) ++ ++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; ++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; ++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; ++ ++logging_send_audit_msgs(setfiles_domain) ++ ++kernel_relabelfrom_unlabeled_dirs(setfiles_domain) ++kernel_relabelfrom_unlabeled_files(setfiles_domain) ++kernel_relabelfrom_unlabeled_symlinks(setfiles_domain) ++kernel_relabelfrom_unlabeled_pipes(setfiles_domain) ++kernel_relabelfrom_unlabeled_sockets(setfiles_domain) ++kernel_use_fds(setfiles_domain) ++kernel_rw_pipes(setfiles_domain) ++kernel_rw_unix_dgram_sockets(setfiles_domain) ++kernel_dontaudit_list_all_proc(setfiles_domain) ++kernel_read_all_sysctls(setfiles_domain) ++kernel_read_network_state_symlinks(setfiles_domain) ++ ++dev_relabel_all_dev_nodes(setfiles_domain) ++dev_dontaudit_rw_lvm_control(setfiles_domain) ++dev_dontaudit_read_rand(setfiles_domain) ++dev_dontaudit_read_urand(setfiles_domain) ++ ++domain_use_interactive_fds(setfiles_domain) ++domain_read_all_domains_state(setfiles_domain) ++ ++files_read_etc_runtime_files(setfiles_domain) ++files_read_etc_files(setfiles_domain) ++files_list_all(setfiles_domain) ++files_list_isid_type_dirs(setfiles_domain) ++files_read_isid_type_files(setfiles_domain) ++files_dontaudit_read_all_symlinks(setfiles_domain) ++ ++fs_getattr_all_fs(setfiles_domain) ++fs_list_all(setfiles_domain) ++fs_getattr_all_files(setfiles_domain) ++fs_search_auto_mountpoints(setfiles_domain) ++fs_relabelfrom_noxattr_fs(setfiles_domain) ++ 
++selinux_validate_context(setfiles_domain) ++selinux_compute_access_vector(setfiles_domain) ++selinux_compute_create_context(setfiles_domain) ++selinux_compute_relabel_context(setfiles_domain) ++selinux_compute_user_contexts(setfiles_domain) ++ ++term_use_all_inherited_terms(setfiles_domain) ++ ++init_use_fds(setfiles_domain) ++init_use_script_fds(setfiles_domain) ++init_use_script_ptys(setfiles_domain) ++init_exec_script_files(setfiles_domain) ++ ++userdom_use_all_users_fds(setfiles_domain) + # for config files in a home directory +-userdom_read_user_home_content_files(setfiles_t) ++userdom_read_user_home_content_files(setfiles_domain) ++userdom_rw_inherited_user_home_content_files(setfiles_domain) + + ifdef(`distro_debian',` + # udev tmpfs is populated with static device nodes + # and then relabeled afterwards; thus + # /dev/console has the tmpfs type +- fs_rw_tmpfs_chr_files(setfiles_t) ++ fs_rw_tmpfs_chr_files(setfiles_domain) + ') + +-ifdef(`distro_redhat', ` +- fs_rw_tmpfs_chr_files(setfiles_t) +- fs_rw_tmpfs_blk_files(setfiles_t) +- fs_relabel_tmpfs_blk_file(setfiles_t) +- fs_relabel_tmpfs_chr_file(setfiles_t) ++ifdef(`distro_redhat',` ++ fs_rw_tmpfs_chr_files(setfiles_domain) ++ fs_rw_tmpfs_blk_files(setfiles_domain) ++ fs_relabel_tmpfs_blk_file(setfiles_domain) ++ fs_relabel_tmpfs_chr_file(setfiles_domain) + ') + +-ifdef(`distro_ubuntu',` +- optional_policy(` +- unconfined_domain(setfiles_t) +- ') ++optional_policy(` ++ hotplug_use_fds(setfiles_domain) + ') + +-ifdef(`hide_broken_symptoms',` +- optional_policy(` +- udev_dontaudit_rw_dgram_sockets(setfiles_t) +- ') +- +- # cjp: cover up stray file descriptors. 
+- optional_policy(` +- unconfined_dontaudit_read_pipes(setfiles_t) +- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) +- ') ++optional_policy(` ++ dbus_read_pid_files(setfiles_domain) + ') + ++allow policy_manager_domain self:capability { dac_override sys_nice sys_resource }; ++dontaudit policy_manager_domain self:capability sys_tty_config; ++allow policy_manager_domain self:process { signal setsched }; ++allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; ++allow policy_manager_domain self:unix_dgram_socket create_socket_perms; ++allow policy_manager_domain self:fifo_file rw_fifo_file_perms; ++ ++dev_read_rand(policy_manager_domain) ++dev_read_urand(policy_manager_domain) ++ ++logging_send_audit_msgs(policy_manager_domain) ++ ++# Domains that will manage policy ++allow policy_manager_domain policy_config_t:file rw_file_perms; ++ ++allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms; ++allow policy_manager_domain semanage_tmp_t:file manage_file_perms; ++files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir }) ++ ++kernel_read_kernel_sysctls(policy_manager_domain) ++ ++corecmd_exec_bin(policy_manager_domain) ++corecmd_exec_shell(policy_manager_domain) ++ ++domain_use_interactive_fds(policy_manager_domain) ++ ++files_read_etc_files(policy_manager_domain) ++files_read_etc_runtime_files(policy_manager_domain) ++files_read_usr_files(policy_manager_domain) ++files_list_pids(policy_manager_domain) ++fs_list_inotifyfs(policy_manager_domain) ++fs_getattr_all_fs(policy_manager_domain) ++ ++selinux_validate_context(policy_manager_domain) ++selinux_read_policy(policy_manager_domain) ++ ++term_use_all_inherited_terms(policy_manager_domain) ++ ++locallogin_use_fds(policy_manager_domain) ++ ++seutil_search_default_contexts(policy_manager_domain) ++seutil_domtrans_loadpolicy(policy_manager_domain) ++seutil_read_config(policy_manager_domain) ++seutil_use_newrole_fds(policy_manager_domain) 
++seutil_manage_module_store(policy_manager_domain)
++seutil_get_semanage_trans_lock(policy_manager_domain)
++seutil_get_semanage_read_lock(policy_manager_domain)
++
++userdom_dontaudit_write_user_home_content_files(policy_manager_domain)
++userdom_use_user_ptys(policy_manager_domain)
++
++files_rw_inherited_generic_pid_files(setfiles_domain)
++files_rw_inherited_generic_pid_files(policy_manager_domain)
++files_create_boot_flag(policy_manager_domain, ".autorelabel")
++files_delete_boot_flag(policy_manager_domain)
++
+ optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ policykit_dbus_chat(policy_manager_domain)
+ ')
+diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
+index bea4629..06e2834 100644
+--- a/policy/modules/system/setrans.fc
++++ b/policy/modules/system/setrans.fc
+@@ -2,4 +2,7 @@
+
+ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
++/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
++
+ /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
++/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
+index efa9c27..536a514 100644
+--- a/policy/modules/system/setrans.if
++++ b/policy/modules/system/setrans.if
+@@ -40,3 +40,21 @@ interface(`setrans_translate_context',`
+ stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
+ files_list_pids($1)
+ ')
++#######################################
++##
++## Allow a domain to manage pid files
++##
++##
++##
++## Domain allowed access.
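Review bot: In the -522 hunk `domain_read_all_domains_state(setfiles_domain)` replaces the old `domain_dontaudit_search_all_domains_state(setfiles_t)`, turning a silenced denial into an allow that lets every setfiles domain read the /proc state of all domains; if the rule only exists to quiet relabel walks over /proc, the dontaudit form is the narrower choice and the widening deserves a comment. `files_rw_inherited_generic_pid_files(setfiles_domain)` is placed inside the policy_manager_domain block at the end of the hunk instead of with the other setfiles_domain rules, which makes the attribute's full grant hard to audit — move it up next to `files_read_isid_type_files(setfiles_domain)`. Nothing visible attaches a domain to `policy_manager_domain`, so presumably `seutil_semanage_policy()` in selinuxutil.if (outside this view) does the typeattribute; that is worth confirming, since an attribute with no members silently makes every rule in this block inert.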
++##
++##
++#
++interface(`setrans_manage_pid_files',`
++ gen_require(`
++ type setrans_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
++')
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 1447687..d5e6fb9 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -12,6 +12,7 @@ gen_require(`
+ type setrans_t;
+ type setrans_exec_t;
+ init_daemon_domain(setrans_t, setrans_exec_t)
++mls_trusted_object(setrans_t)
+
+ type setrans_initrc_exec_t;
+ init_script_file(setrans_initrc_exec_t)
+@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
+
+ logging_send_syslog_msg(setrans_t)
+
+-miscfiles_read_localization(setrans_t)
+
+ seutil_read_config(setrans_t)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..42a48b6 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
+ /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+
+-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ ifdef(`distro_redhat',`
+@@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
++/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+ #
+@@ -72,3 +87,6 @@ ifdef(`distro_redhat',`
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+ ')
++
++/var/run/netns(/.*)?
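Review bot: `/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)` in the -17 hunk widens the old exact `/etc/hosts` match to every file whose name starts with `hosts`, which includes `/etc/hosts.allow` and `/etc/hosts.equiv`; those are access-control files, and labeling them net_conf_t hands write access to every domain that has sysnet_manage_config (typically the DHCP client and network managers). Unless a more specific entry elsewhere in the fc files takes precedence (none is visible here), keep the exact `/etc/hosts` entry and add a separate pattern only for the variants that actually need net_conf_t. The same consideration applies to the new `/etc/ntp\.conf` entry, which makes the NTP configuration writable by those domains; a comment naming the caller that rewrites it would document the reason.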
gen_context(system_u:object_r:ifconfig_var_run_t,s0) ++/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index 6944526..0bd8d93 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` + # + interface(`sysnet_run_dhcpc',` + gen_require(` ++ type dhcpc_t; + attribute_role dhcpc_roles; + ') + + sysnet_domtrans_dhcpc($1) + roleattribute $2 dhcpc_roles; ++ ++ optional_policy(` ++ networkmanager_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nis_run_ypbind(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nscd_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ ntp_run(dhcpc_t, $2) ++ ') ++ ++ seutil_run_setfiles(dhcpc_t, $2) + ') + + ######################################## +@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',` + type dhcpc_state_t; + ') + ++ list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) + read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + ') + +@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',` + delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + ') + ++######################################## ++## ++## Allow caller to relabel dhcpc_state files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelfrom_dhcpc_state',` ++ ++ gen_require(` ++ type dhcpc_state_t; ++ ') ++ ++ allow $1 dhcpc_state_t:file relabelfrom; ++') ++ ++####################################### ++## ++## Manage the dhcp client state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_manage_dhcpc_state',` ++ gen_require(` ++ type dhcpc_state_t; ++ ') ++ ++ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ++') ++ + ####################################### + ## + ## Set the attributes of network config files. 
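Review bot: In the -38 hunk `seutil_run_setfiles(dhcpc_t, $2)` and the four optional `networkmanager_run`/`nis_run_ypbind`/`nscd_run`/`ntp_run(dhcpc_t, $2)` calls mean a caller asking for a DHCP-client role now also receives domain transitions from dhcpc_t into five further domains, a widening that should be stated in the interface's summary block (which starts outside the hunk) so callers can see it. The other modules' calls are wrapped in optional_policy while `seutil_run_setfiles` is not; that is acceptable for a base module, but a one-line comment stating which dhclient helper needs the setfiles transition would explain why a network client gets a relabel domain. The `gen_require` now pulls in `type dhcpc_t;`, which is correct since the new calls name it.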
+@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',` + + ####################################### + ## ++## Allow caller to relabel net_conf files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelfrom_net_conf',` ++ ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:file relabelfrom; ++') ++ ++###################################### ++## ++## Allow caller to relabel net_conf files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelto_net_conf',` ++ ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:file relabelto; ++') ++ ++####################################### ++## + ## Read network config files. + ## + ## +@@ -331,6 +426,7 @@ interface(`sysnet_read_config',` + + ifdef(`distro_redhat',` + allow $1 net_conf_t:dir list_dir_perms; ++ allow $1 net_conf_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, net_conf_t, net_conf_t) + ') + ') +@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',` + files_etc_filetrans($1, net_conf_t, file, $2) + ') + ++######################################## ++## ++## Transition content to the type used for ++## the network config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the directory to which the object will be created. ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`sysnet_filetrans_config_fromdir',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ filetrans_pattern($1, $2, net_conf_t, $3, $4) ++') ++ + ####################################### + ## + ## Create, read, write, and delete network config files. 
+@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',` + allow $1 net_conf_t:file manage_file_perms; + + ifdef(`distro_redhat',` ++ allow $1 net_conf_t:dir list_dir_perms; + manage_files_pattern($1, net_conf_t, net_conf_t) + ') + ') +@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',` + type dhcpc_var_run_t; + ') + ++ files_rw_pid_dirs($1) + allow $1 dhcpc_var_run_t:file unlink; + ') + +@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',` + + ######################################## + ## ++## Send a kill signal to iconfig. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`sysnet_kill_ifconfig',` ++ gen_require(` ++ type ifconfig_t; ++ ') ++ ++ allow $1 ifconfig_t:process sigkill; ++') ++ ++######################################## ++## + ## Read the DHCP configuration files. + ## + ## +@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',` + files_search_etc($1) + allow $1 dhcp_etc_t:dir list_dir_perms; + read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ++ allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',` + allow $1 self:udp_socket create_socket_perms; + allow $1 self:netlink_route_socket r_netlink_socket_perms; + +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) +@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',` + corenet_tcp_connect_dns_port($1) + corenet_sendrecv_dns_client_packets($1) + ++ miscfiles_read_generic_certs($1) ++ + sysnet_read_config($1) + + optional_policy(` +@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',` + + allow $1 self:tcp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_ldap_port($1) +@@ -733,6 
+883,9 @@ interface(`sysnet_use_ldap',`
+ dev_read_urand($1)
+
+ sysnet_read_config($1)
++
++ # LDAP Configuration using encrypted requires
++ dev_read_urand($1)
+ ')
+
+ ########################################
+@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
+
+ sysnet_read_config($1)
+ ')
++
++########################################
++##
++## Do not audit attempts to use
++## the dhcp file descriptors.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sysnet_dontaudit_dhcpc_use_fds',`
++ gen_require(`
++ type dhcpc_t;
++ ')
++
++ dontaudit $1 dhcpc_t:fd use;
++')
++
++########################################
++##
++## Transition to system_r when execute an dhclient script
++##
++##
++##
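Review bot: The added `dev_read_urand($1)` in sysnet_use_ldap duplicates the `dev_read_urand($1)` three lines above it in the same interface, so the second call only adds noise; drop the two added lines, or move the comment onto the existing call. The comment itself is truncated — `# LDAP Configuration using encrypted requires` has no object; `# encrypted (TLS) LDAP sessions need urandom` says the same thing completely. sysnet_use_ldap begins outside this hunk (its header is in hunk @@ -720 on the previous line).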
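Review bot: sysnet_use_portmap drops only `corenet_all_recvfrom_netlabel($1)` and keeps `corenet_all_recvfrom_unlabeled($1)`, whereas sysnet_dns_name_resolve (hunk @@ -681) and sysnet_use_ldap (hunk @@ -720) remove both, and the dhcpc_t rules in sysnetwork.te (hunk @@ -91) do the reverse, dropping unlabeled and keeping netlabel. If the intent is that unlabeled/netlabel receive is now granted globally, all four should go; if portmap clients genuinely still need unlabeled receive, a one-line comment above the retained call would stop the next cleanup from removing it.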

    ++## Execute dhclient script in a specified role ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++##
++##
++## Role to transition from.
++##
++##
++interface(`sysnet_role_transition_dhcpc',`
++ gen_require(`
++ type dhcpc_exec_t;
++ ')
++
++ role_transition $1 dhcpc_exec_t system_r;
++')
++
++########################################
++##
++## Transition to sysnet named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_filetrans_named_content',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
++ files_etc_filetrans($1, net_conf_t, file, "hosts")
++ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
++ files_etc_filetrans($1, net_conf_t, file, "ethers")
++ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
++ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
++')
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index b7686d5..087fe08 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
+ # Declarations
+ #
+
++##
++##
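Review bot: sysnet_role_transition_dhcpc is missing the `#` line that closes its doc block before `interface(`sysnet_role_transition_dhcpc',`` — every other interface in this file has it, and the doc block for this one is also the only one whose parameter text (`Role to transition from.`) is not preceded by a domain parameter, so please check the block is complete. The summary `## Transition to system_r when execute an dhclient script` reads better as `## Transition to system_r when executing a dhclient script`. Separately, sysnet_filetrans_named_content routes `hosts.deny` and `denyhosts` to net_conf_t alongside the resolver and NTP files, which lets every caller of this interface create TCP-wrapper policy files under /etc with a type that many network domains may write; if that is intended, a comment naming the expected writer would help. The start of this hunk is on an earlier line and its doc blocks are partly mangled in this rendering, so lines may be missing from what is shown.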

    ++## Allow dhcpc client applications to execute iptables commands ++##

    ++##
    ++gen_tunable(dhcpc_exec_iptables, false)
++
+ attribute_role dhcpc_roles;
+ roleattribute system_r dhcpc_roles;
+
+@@ -20,7 +27,9 @@ files_type(dhcp_state_t)
+ type dhcpc_t;
+ type dhcpc_exec_t;
+ init_daemon_domain(dhcpc_t, dhcpc_exec_t)
+-role dhcpc_roles types dhcpc_t;
++
++type dhcpc_helper_exec_t;
++init_script_file(dhcpc_helper_exec_t)
+
+ type dhcpc_state_t;
+ files_type(dhcpc_state_t)
+@@ -36,18 +45,22 @@ type ifconfig_exec_t;
+ init_system_domain(ifconfig_t, ifconfig_exec_t)
+ role system_r types ifconfig_t;
+
++type ifconfig_var_run_t;
++files_pid_file(ifconfig_var_run_t)
++files_mountpoint(ifconfig_var_run_t)
++
+ type net_conf_t alias resolv_conf_t;
+-files_type(net_conf_t)
++files_config_file(net_conf_t)
+
+ ########################################
+ #
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
++dontaudit dhcpc_t self:capability sys_tty_config;
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
+
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+ exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+
+ allow dhcpc_t dhcp_state_t:file read_file_perms;
++allow dhcpc_t dhcp_state_t:file relabel_file_perms;
++
+ manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
+ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
++allow dhcpc_t dhcpc_state_t:file relabel_file_perms;
+
+ # create pid file
+ manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+@@ -70,6
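Review bot: `dhcpc_helper_exec_t` is declared and marked with `init_script_file(dhcpc_helper_exec_t)`, but nothing else in this diff references it — no file context and no transition are visible — so a reader cannot tell what it labels; a comment such as `# exec type for the dhclient hook scripts — TODO: point at the .fc entry` (placeholder, confirm the real reference) would help. The same hunk removes `role dhcpc_roles types dhcpc_t;` while `dhcpc_roles` is still used by `modutils_run_insmod(dhcpc_t, dhcpc_roles)` further down the file; presumably init_daemon_domain now supplies the system_r association, but that is not visible here and deserves a sentence in the commit message.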
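Review bot: `allow dhcpc_t dhcp_state_t:file relabel_file_perms;` lets the DHCP client relabel files it otherwise only reads (the `read_file_perms` line directly above), and the same hunk adds relabel on dhcpc_state_t, both without a comment. If these exist so a dhclient hook can restore lease-file labels, say so above them, e.g. `# dhclient hooks restorecon the lease files`; if only the client's own state needs it, the dhcp_state_t rule looks wider than necessary.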
+86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+
+ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
+ # in /etc created by dhcpcd will be labelled net_conf_t.
++allow dhcpc_t net_conf_t:file manage_file_perms;
++allow dhcpc_t net_conf_t:file relabel_file_perms;
+ sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t, net_conf_t, file)
+
+@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+ corecmd_exec_bin(dhcpc_t)
+ corecmd_exec_shell(dhcpc_t)
+
+-corenet_all_recvfrom_unlabeled(dhcpc_t)
+ corenet_all_recvfrom_netlabel(dhcpc_t)
+-corenet_tcp_sendrecv_all_if(dhcpc_t)
+-corenet_raw_sendrecv_all_if(dhcpc_t)
+-corenet_udp_sendrecv_all_if(dhcpc_t)
+-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+-corenet_raw_sendrecv_all_nodes(dhcpc_t)
+-corenet_udp_sendrecv_all_nodes(dhcpc_t)
++corenet_tcp_sendrecv_generic_if(dhcpc_t)
++corenet_raw_sendrecv_generic_if(dhcpc_t)
++corenet_udp_sendrecv_generic_if(dhcpc_t)
++corenet_tcp_sendrecv_generic_node(dhcpc_t)
++corenet_raw_sendrecv_generic_node(dhcpc_t)
++corenet_udp_sendrecv_generic_node(dhcpc_t)
+ corenet_tcp_sendrecv_all_ports(dhcpc_t)
+ corenet_udp_sendrecv_all_ports(dhcpc_t)
+ corenet_tcp_bind_all_nodes(dhcpc_t)
+@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_tcp_connect_all_ports(dhcpc_t)
+ corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+ corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+
+ dev_read_sysfs(dhcpc_t)
+ # for SSP:
+ dev_read_urand(dhcpc_t)
+
++domain_obj_id_change_exemption(dhcpc_t)
+ domain_use_interactive_fds(dhcpc_t)
+ domain_dontaudit_read_all_domains_state(dhcpc_t)
+
+-files_read_etc_files(dhcpc_t)
+ files_read_etc_runtime_files(dhcpc_t)
+-files_read_usr_files(dhcpc_t)
+ files_search_home(dhcpc_t)
+ files_search_var_lib(dhcpc_t)
+ files_dontaudit_search_locks(dhcpc_t)
+ files_getattr_generic_locks(dhcpc_t)
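Review bot: The added `allow dhcpc_t net_conf_t:file manage_file_perms;` is redundant: `sysnet_manage_config(dhcpc_t)` on the very next line already grants it (the interface body in sysnetwork.if, hunk @@ -433, contains `allow $1 net_conf_t:file manage_file_perms;`). Keep only `allow dhcpc_t net_conf_t:file relabel_file_perms;`, and extend the comment above, which still talks only about read/write, to say why the client now relabels resolver configuration.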
++files_rw_inherited_tmp_file(dhcpc_t)
++files_dontaudit_rw_inherited_locks(dhcpc_t)
+
+ fs_getattr_all_fs(dhcpc_t)
+ fs_search_auto_mountpoints(dhcpc_t)
+@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+ term_dontaudit_use_generic_ptys(dhcpc_t)
+
++auth_use_nsswitch(dhcpc_t)
++
+ init_rw_utmp(dhcpc_t)
++init_stream_connect(dhcpc_t)
++init_stream_send(dhcpc_t)
+
+ logging_send_syslog_msg(dhcpc_t)
+
+-miscfiles_read_localization(dhcpc_t)
++miscfiles_read_generic_certs(dhcpc_t)
+
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+
+@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
+ ')
+
+ optional_policy(`
+- consoletype_run(dhcpc_t, dhcpc_roles)
++ chronyd_initrc_domtrans(dhcpc_t)
++ chronyd_systemctl(dhcpc_t)
++ chronyd_read_keys(dhcpc_t)
++')
++
++optional_policy(`
++ devicekit_dontaudit_rw_log(dhcpc_t)
++ devicekit_dontaudit_read_pid_files(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -174,10 +205,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+-')
+-
+-optional_policy(`
+ hotplug_getattr_config_dirs(dhcpc_t)
+ hotplug_search_config(dhcpc_t)
+
+@@ -190,23 +217,36 @@ optional_policy(`
+ optional_policy(`
+ netutils_run_ping(dhcpc_t, dhcpc_roles)
+ netutils_run(dhcpc_t, dhcpc_roles)
++ netutils_domtrans_ping(dhcpc_t)
++ netutils_domtrans(dhcpc_t)
+ ',`
+ allow dhcpc_t self:capability setuid;
+ allow dhcpc_t self:rawip_socket create_socket_perms;
+ ')
+
+ optional_policy(`
++ networkmanager_domtrans(dhcpc_t)
++ networkmanager_read_pid_files(dhcpc_t)
++ networkmanager_manage_lib(dhcpc_t)
++ networkmanager_stream_connect(dhcpc_t)
++')
++
++optional_policy(`
++ nis_initrc_domtrans_ypbind(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
++ nis_systemctl_ypbind(dhcpc_t)
+ ')
+
+ optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
++ nscd_systemctl(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
+ ')
+
+ optional_policy(`
+ ntp_initrc_domtrans(dhcpc_t)
++ ntp_systemctl(dhcpc_t)
+ ')
+
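Review bot: `domain_obj_id_change_exemption(dhcpc_t)` is added with no comment, and it is a strong grant — it exempts the domain from the constraint that otherwise prevents creating or relabeling objects under a different SELinux user — which is well beyond what a DHCP client normally needs. If it is required because dhclient hooks relabel files created under other SELinux users (the relabel rules added in hunks @@ -60 and @@ -70 point that way), record it with `# dhclient hooks relabel config created under other S
ELinux users`; if not, the relabel_file_perms rules alone may already be enough. `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` in the same hunk would likewise benefit from a note on which ports the client binds. This hunk starts on the previous line.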
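Review bot: `chronyd_read_keys(dhcpc_t)` gives the DHCP client read access to chronyd's key file, which holds the NTP authentication secrets, while the two preceding lines (initrc domtrans and systemctl) already cover restarting chronyd when a lease changes the NTP servers. If the chrony dhclient hook needs the key file to drive chronyc, a one-line comment naming that hook would justify the read; if not, drop it and keep only the restart.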
+ optional_policy(`
+@@ -216,7 +256,11 @@ optional_policy(`
+
+ optional_policy(`
+ seutil_sigchld_newrole(dhcpc_t)
+- seutil_dontaudit_search_config(dhcpc_t)
++ seutil_domtrans_setfiles(dhcpc_t)
++')
++optional_policy(`
++ systemd_passwd_agent_domtrans(dhcpc_t)
++ systemd_signal_passwd_agent(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -228,6 +272,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_manage_pid_files(dhcpc_t)
++')
++
++optional_policy(`
+ vmware_append_log(dhcpc_t)
+ ')
+
+@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
+ allow ifconfig_t self:msg { send receive };
+ # Create UDP sockets, necessary when called from dhcpc
+ allow ifconfig_t self:udp_socket create_socket_perms;
++allow ifconfig_t self:appletalk_socket create_socket_perms;
+ # for /sbin/ip
+ allow ifconfig_t self:packet_socket create_socket_perms;
++allow ifconfig_t self:netlink_socket create_socket_perms;
+ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+ allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };
++
+ allow ifconfig_t self:tcp_socket { create ioctl };
+
++can_exec(ifconfig_t, ifconfig_exec_t)
++
++manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t)
++files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })
++allow ifconfig_t ifconfig_var_run_t:file mounton;
++
+ kernel_use_fds(ifconfig_t)
+ kernel_read_system_state(ifconfig_t)
+ kernel_read_network_state(ifconfig_t)
+@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
+
+ corenet_rw_tun_tap_dev(ifconfig_t)
+
++corecmd_exec_bin(ifconfig_t)
++corecmd_exec_shell(ifconfig_t)
++
+ dev_read_sysfs(ifconfig_t)
+ # for IPSEC setup:
+ dev_read_urand(ifconfig_t)
++# needed by tuned
++dev_rw_netcontrol(ifconfig_t)
++dev_mounton_sysfs(ifconfig_t)
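Review bot: `netutils_domtrans_ping(dhcpc_t)` and `netutils_domtrans(dhcpc_t)` duplicate the `netutils_run_ping` and `netutils_run` calls directly above them — the `_run` interfaces wrap the corresponding `_domtrans` and only add the role association — so the two added lines can be dropped. This optional_policy block starts on the previous line and carries an unchanged `',`` else-branch.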
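Review bot: The new `optional_policy(`` for the passwd agent is glued to the preceding block's `')` without the blank line every other block in the file uses; add it. `seutil_domtrans_setfiles(dhcpc_t)` replaces a dontaudit with a transition into the setfiles domain, i.e. the DHCP client can now run a system-wide relabel tool; that is a notable widening and needs a why-comment (presumably a dhclient hook runs restorecon — cannot be confirmed from the hunk).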
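Review bot: The ifconfig_t block gains `can_exec(ifconfig_t, ifconfig_exec_t)`, manage plus `files_pid_filetrans` and `mounton` on ifconfig_var_run_t, and `tun_socket { relabelfrom relabelto create_socket_perms }`, all without a comment; together with `dev_mounton_sysfs`/`dev_mount_sysfs_fs`/`dev_unmount_sysfs_fs` in the next hunk (@@ -274), this matches what `ip netns` does (it bind-mounts namespace handles under /run/netns and re-mounts sysfs), and the `# needed by tuned` line there only explains `dev_rw_netcontrol`. A comment such as `# ip netns: bind-mounts /run/netns/<name> and re-mounts sysfs` above the ifconfig_var_run_t rules, and the same reason beside the sysfs mount rules, would keep a later cleanup from trimming them; if that is not the actual reason, please state the real one. The type being both files_pid_file and files_mountpoint (hunk @@ -36) should be mentioned at its declaration too.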
++dev_mount_sysfs_fs(ifconfig_t)
++dev_unmount_sysfs_fs(ifconfig_t)
+
+ domain_use_interactive_fds(ifconfig_t)
+
++read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
++
++files_dontaudit_rw_inherited_pipes(ifconfig_t)
++files_dontaudit_rw_inherited_locks(ifconfig_t)
++files_dontaudit_read_root_files(ifconfig_t)
++files_rw_inherited_tmp_file(ifconfig_t)
++
+ files_read_etc_files(ifconfig_t)
+ files_read_etc_runtime_files(ifconfig_t)
++files_read_usr_files(ifconfig_t)
+
+ fs_getattr_xattr_fs(ifconfig_t)
+ fs_search_auto_mountpoints(ifconfig_t)
+@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
+
+-files_dontaudit_read_root_files(ifconfig_t)
++auth_use_nsswitch(ifconfig_t)
+
+ init_use_fds(ifconfig_t)
+ init_use_script_ptys(ifconfig_t)
++init_rw_inherited_script_tmp_files(ifconfig_t)
+
+ libs_read_lib_files(ifconfig_t)
+
+ logging_send_syslog_msg(ifconfig_t)
+
+-miscfiles_read_localization(ifconfig_t)
+-
+-modutils_domtrans_insmod(ifconfig_t)
+
+ seutil_use_runinit_fds(ifconfig_t)
+
+-userdom_use_user_terminals(ifconfig_t)
++sysnet_dns_name_resolve(ifconfig_t)
++
++userdom_use_inherited_user_terminals(ifconfig_t)
+ userdom_use_all_users_fds(ifconfig_t)
+
+ ifdef(`distro_ubuntu',`
+@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
++optional_policy(`
++ brctl_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++ cfengine_dontaudit_write_log(ifconfig_t)
++')
++
++optional_policy(`
++ ctdbd_read_lib_files(ifconfig_t)
++')
++
+ ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit ifconfig_t self:capability sys_module;
++
+ optional_policy(`
+ dev_dontaudit_rw_cardmgr(ifconfig_t)
+ ')
+@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ optional_policy(`
+- hal_dontaudit_rw_pipes(ifconfig_t)
+- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
++ dnsmasq_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++
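Review bot: Removing `miscfiles_read_localization(ifconfig_t)` and `modutils_domtrans_insmod(ifconfig_t)` leaves two consecutive blank lines between `logging_send_syslog_msg(ifconfig_t)` and `seutil_use_runinit_fds(ifconfig_t)`; delete one. The insmod transition reappears inside an optional_policy block in hunk @@ -339, so that is a move rather than a removal and the commit message could say so; dropping the localization read presumably relies on a global grant elsewhere in this policy, which cannot be confirmed from the hunk.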
devicekit_dontaudit_read_pid_files(ifconfig_t)
+ ')
+
+ optional_policy(`
+@@ -339,7 +432,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(ifconfig_t)
++ kdump_dontaudit_read_config(ifconfig_t)
++')
++
++optional_policy(`
++ libs_exec_ldconfig(ifconfig_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(ifconfig_t)
+ ')
+
+ optional_policy(`
+@@ -360,3 +461,13 @@ optional_policy(`
+ xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
++
++optional_policy(`
++ iptables_domtrans(ifconfig_t)
++')
++
++optional_policy(`
++ tunable_policy(`dhcpc_exec_iptables',`
++ iptables_domtrans(dhcpc_t)
++ ')
++')
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+new file mode 100644
+index 0000000..e9f1096
+--- /dev/null
++++ b/policy/modules/system/systemd.fc
+@@ -0,0 +1,47 @@
++HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
++/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
++
++/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
++/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
++
++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
++/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/bin/systemd-tty-ask-password-agent --
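Review bot: `iptables_domtrans(ifconfig_t)` is unconditional, while the same transition for dhcpc_t is gated behind the new `dhcpc_exec_iptables` tunable (declared in the sysnetwork.te hunk @@ -5, default `false`). If dhcpc_t can reach ifconfig_t through the usual sysnet transition (not visible in this diff), the tunable guards only the direct path; either gate both transitions on the tunable or add a comment above the ifconfig_t block explaining why it needs iptables regardless. The tunable's description `Allow dhcpc client applications to execute iptables commands` would also be more useful if it named which hook triggers it.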
gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++
++/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
++/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
++/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
++/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
++/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0)
++/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
++/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
++/var/lib/systemd/linger(/.*)?
gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
++/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
++
++/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
++/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
++/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/initramfs(/.*)? <>
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+new file mode 100644
+index 0000000..35b4178
+--- /dev/null
++++ b/policy/modules/system/systemd.if
+@@ -0,0 +1,1400 @@
++## SELinux policy for systemd components
++
++######################################
++##
++## Creates types and rules for a basic
++## systemd domains.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`systemd_domain_template',`
++ gen_require(`
++ attribute systemd_domain;
++ ')
++
++ type $1_t, systemd_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_stub_unit_file',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++')
++
++#######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
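Review bot: The power_unit_file_t patterns `/usr/lib/systemd/system/.*power.*`, `.*sleep.*`, `.*halt.*` and the rest are unanchored substrings, so any unit whose name merely contains one of those words (a `upower` service, for instance) would be labelled power_unit_file_t and fall under whatever start/stop rules that type carries; anchoring on the systemd unit names (`systemd-poweroff\.service`, `poweroff\.target`, and so on) is safer than a bare substring. `/var/run/initramfs(/.*)?` ends in `<>` in this rendering, presumably `<<none>>` with the brackets eaten by the extraction; worth confirming the file is intact. The file section begins on an earlier line (hunk header @@ -0,0 +1,47 on the line after the sysnetwork.te changes).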
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_systemctl_domain',` ++ gen_require(` ++ type systemd_systemctl_exec_t; ++ role system_r; ++ attribute systemctl_domain; ++ ') ++ ++ type $1_systemctl_t, systemctl_domain; ++ domain_type($1_systemctl_t) ++ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) ++ ++ role system_r types $1_systemctl_t; ++ ++ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) ++') ++ ++######################################## ++## ++## Execute systemctl in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_exec_systemctl',` ++ gen_require(` ++ type systemd_systemctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, systemd_systemctl_exec_t) ++ ++ fs_list_cgroup_dirs($1) ++ fs_read_cgroup_files($1) ++ systemd_list_unit_dirs($1) ++ init_list_pid_dirs($1) ++ init_read_state($1) ++ init_stream_send($1) ++ init_stream_connect($1) ++ ++ systemd_login_list_pid_dirs($1) ++ systemd_login_read_pid_files($1) ++ systemd_passwd_agent_exec($1) ++') ++ ++####################################### ++## ++## Create a file type used for systemd unit files. ++## ++## ++## ++## Type to be used for an unit file. ++## ++## ++# ++interface(`systemd_unit_file',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ typeattribute $1 systemd_unit_file_type; ++ files_type($1) ++') ++ ++###################################### ++## ++## Allow domain to search systemd unit dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_search_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:dir search_dir_perms; ++') ++ ++###################################### ++## ++## Allow domain to list systemd unit dirs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_list_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:dir list_dir_perms; ++') ++ ++###################################### ++## ++## Allow domain to list systemd unit dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_create_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:dir create; ++') ++ ++##################################### ++## ++## Allow domain to getattr all systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_getattr_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++##################################### ++## ++## Allow domain to getattr all systemd unit directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_getattr_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ allow $1 systemd_unit_file_type:dir getattr; ++') ++ ++###################################### ++## ++## Allow domain to read all systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_read_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:file read_file_perms; ++ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms; ++ allow $1 systemd_unit_file_type:dir list_dir_perms; ++') ++ ++##################################### ++## ++## Dontaudit domain to read all systemd unit files. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`systemd_dontaudit_read_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ dontaudit $1 systemd_unit_file_type:file read_file_perms; ++') ++ ++###################################### ++## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_read_pid_files',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++###################################### ++## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_manage_pid_files',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") ++') ++ ++###################################### ++## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_list_pid_dirs',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++###################################### ++## ++## Use and and inherited systemd ++## logind file descriptors. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_use_fds_logind',` ++ gen_require(` ++ type systemd_logind_t; ++ ') ++ ++ allow $1 systemd_logind_t:fd use; ++') ++ ++###################################### ++## ++## Read logind sessions files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_read_logind_sessions_files',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ ') ++ ++ init_search_pid_dirs($1) ++ allow $1 systemd_logind_sessions_t:dir list_dir_perms; ++ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t) ++') ++ ++###################################### ++## ++## Write inherited logind sessions pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_write_inherited_logind_sessions_pipes',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ type systemd_logind_t; ++ ') ++ ++ allow $1 systemd_logind_t:fd use; ++ allow $1 systemd_logind_sessions_t:fifo_file write; ++') ++ ++###################################### ++## ++## Write systemd inhibit pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_write_inhibit_pipes',` ++ gen_require(` ++ type systemd_logind_inhibit_var_run_t; ++ ') ++ ++ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## systemd logind over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_dbus_chat_logind',` ++ gen_require(` ++ type systemd_logind_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 systemd_logind_t:dbus send_msg; ++ allow systemd_logind_t $1:dbus send_msg; ++ ps_process_pattern(systemd_logind_t, $1) ++ allow systemd_logind_t $1:process signal; ++ allow $1 systemd_logind_t:fd use; ++') ++ ++####################################### ++## ++## Execute a domain transition to run systemd-tmpfiles. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_tmpfiles_domtrans',` ++ gen_require(` ++ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t) ++') ++ ++####################################### ++## ++## Execute a domain transition to run systemd-localed. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_localed_domtrans',` ++ gen_require(` ++ type systemd_localed_t, systemd_localed_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run systemd-tty-ask-password-agent. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_passwd_agent_domtrans',` ++ gen_require(` ++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) ++') ++ ++####################################### ++## ++## Execute systemd-tty-ask-password-agent in the caller domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_passwd_agent_exec',` ++ gen_require(` ++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; ++ ') ++ ++ can_exec($1, systemd_passwd_agent_exec_t) ++ systemd_manage_passwd_run($1) ++') ++ ++######################################## ++## ++## Execute a domain transition to run systemd_notify. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_notify_domtrans',` ++ gen_require(` ++ type systemd_notify_t, systemd_notify_exec_t; ++ ') ++ ++ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t) ++') ++ ++######################################## ++## ++## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and ++## allow the specified role the systemd_passwd_agent domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the systemd_passwd_agent domain. 
++## ++## ++# ++interface(`systemd_passwd_agent_run',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ systemd_passwd_agent_domtrans($1) ++ role $2 types systemd_passwd_agent_t; ++') ++ ++######################################## ++## ++## Role access for systemd_passwd_agent ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`systemd_passwd_agent_role',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ role $1 types systemd_passwd_agent_t; ++ ++ systemd_passwd_agent_domtrans($2) ++ ++ ps_process_pattern($2, systemd_passwd_agent_t) ++ allow $2 systemd_passwd_agent_t:process signal; ++') ++ ++######################################## ++## ++## Send generic signals to systemd_passwd_agent processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_signal_passwd_agent',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ allow $1 systemd_passwd_agent_t:process signal; ++') ++ ++###################################### ++## ++## Allow to domain to read systemd-passwd pipe ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_read_fifo_file_passwd_run',` ++ gen_require(` ++ type systemd_passwd_var_run_t; ++ ') ++ ++ init_search_pid_dirs($1) ++ read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++') ++ ++######################################## ++## ++## Relabel to user home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_relabelto_fifo_file_passwd_run',` ++ gen_require(` ++ type systemd_passwd_var_run_t; ++ ') ++ ++ allow $1 systemd_passwd_var_run_t:fifo_file relabelto; ++') ++ ++####################################### ++## ++## Relabel systemd unit directories ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_relabel_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++####################################### ++## ++## Relabel systemd unit files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_relabel_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++####################################### ++## ++## Send generic signals to systemd_passwd_agent processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_passwd_run',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ type systemd_passwd_var_run_t; ++ ') ++ ++ init_search_pid_dirs($1) ++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ ++ allow systemd_passwd_agent_t $1:process signull; ++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; ++') ++ ++###################################### ++## ++## Template for temporary sockets and files in /dev/.systemd/ask-password ++## which are used by systemd-passwd-agent ++## ++## ++## ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). 
++## ++## ++# ++interface(`systemd_passwd_agent_dev_template',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ type systemd_$1_device_t; ++ files_type(systemd_$1_device_t) ++ dev_associate(systemd_$1_device_t) ++ ++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) ++ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file }) ++ allow $1_t systemd_$1_device_t:file manage_file_perms; ++ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms; ++ ++ allow systemd_passwd_agent_t $1_t:process signull; ++ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto; ++ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write; ++ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Allow the specified domain to connect to ++## systemd_logger with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_logger_stream_connect',` ++ gen_require(` ++ type systemd_logger_t; ++ ') ++ ++ allow $1 systemd_logger_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## manage systemd unit dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++######################################## ++## ++## manage systemd unit link files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_unit_symlinks',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++######################################## ++## ++## manage all systemd unit files ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`systemd_manage_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## manage all systemd unit lnk_files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_all_unit_lnk_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
++## Allow the specified domain to start all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_start_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service start;
++')
++
++#######################################
++##
++## Allow the specified domain to reload all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_reload_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service reload;
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_config_all_services',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ allow $1 systemd_unit_file_type:service all_service_perms;
++ init_config_all_script_files($1)
++')
++
++########################################
++##
++## Allow the specified domain to start systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_start_systemd_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service start;
++')
++
++#######################################
++##
++## Allow the specified domain to reload all systemd services.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_reload_systemd_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service reload;
++')
++
++########################################
++##
++## Allow the specified domain to modify the systemd configuration of
++## all systemd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_config_systemd_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ allow $1 systemd_unit_file_t:service all_service_perms;
++ init_config_all_script_files($1)
++')
++
++########################################
++##
++## manage all systemd random seed file
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_random_seed',`
++ gen_require(`
++ type random_seed_t;
++ ')
++
++ allow $1 random_seed_t:file manage_file_perms;
++ files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
++')
++
++########################################
++##
++## Allow process to read hostname config file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`systemd_hostnamed_read_config',`
++ gen_require(`
++ type hostname_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 hostname_etc_t:file read_file_perms;
++')
++
++#######################################
++##
++## Create objects in /run/systemd/generator directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`systemd_unit_file_filetrans',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
++')
++
++#######################################
++##
++## Create a directory in the /usr/lib/systemd/system directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_unit_file_dirs',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
++')
++
++#######################################
++##
++## Create a link in the /usr/lib/systemd/system directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_unit_file_lnk',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
++')
++
++########################################
++##
++## Transition to systemd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_named_content',`
++ gen_require(`
++ type systemd_passwd_var_run_t;
++ type systemd_logind_var_run_t;
++ type hostname_etc_t;
++ type systemd_home_t;
++ ')
++
++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
++ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
++ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
++')
++
++########################################
++##
++## read systemd homedir content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_read_home_content',`
++ gen_require(`
++ type systemd_home_t;
++ ')
++
++ optional_policy(`
++ gnome_search_gconf_data_dir($1)
++ ')
++ read_files_pattern($1, systemd_home_t, systemd_home_t)
++ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
++')
++
++########################################
++##
++## Manage systemd homedir content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_home_content',`
++ gen_require(`
++ type systemd_home_t;
++ ')
++
++ optional_policy(`
++ gnome_search_gconf_data_dir($1)
++ ')
++ manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
++ manage_files_pattern($1, systemd_home_t, systemd_home_t)
++ manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
++
++ systemd_filetrans_home_content($1)
++')
++
++########################################
++##
++## Transition to systemd named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_home_content',`
++ gen_require(`
++ type systemd_home_t;
++ ')
++
++ optional_policy(`
++ gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
++ ')
++')
++
++########################################
++##
++## Transition to systemd named content for /etc/hostname
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_filetrans_named_hostname',`
++ gen_require(`
++ type hostname_etc_t;
++ ')
++
++ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
++ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
++')
++
++########################################
++##
++## Get the system status information from systemd_login
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_status',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system status;
++')
++
++########################################
++##
++## Send systemd_login a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_signull',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:process signull;
++')
++
++########################################
++##
++## Tell systemd_login to reboot the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_reboot',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system reboot;
++')
++
++########################################
++##
++## Tell systemd_login to halt the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_halt',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system halt;
++')
++
++########################################
++##
++## Tell systemd_login to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_login_undefined',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:system undefined;
++')
++
++########################################
++##
++## Configure generic unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_config_generic_services',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_t:file read_file_perms;
++ allow $1 systemd_unit_file_t:service manage_service_perms;
++')
++
++########################################
++##
++## Configure power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_config_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:file read_file_perms;
++ allow $1 power_unit_file_t:service manage_service_perms;
++')
++
++########################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_start_power_services',`
++ gen_require(`
++ type power_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 power_unit_file_t:service start;
++')
++
++#######################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_start_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_type:service start;
++')
++
++#######################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_status_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_type:service status;
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd timedated over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_timedated',`
++ gen_require(`
++ type systemd_timedated_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_timedated_t:dbus send_msg;
++ allow systemd_timedated_t $1:dbus send_msg;
++ ps_process_pattern(systemd_timedated_t, $1)
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd hostnamed over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_hostnamed',`
++ gen_require(`
++ type systemd_hostnamed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_hostnamed_t:dbus send_msg;
++ allow systemd_hostnamed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_hostnamed_t, $1)
++')
++
++########################################
++##
++## Send and receive messages from
++## systemd localed over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_localed',`
++ gen_require(`
++ type systemd_localed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_localed_t:dbus send_msg;
++ allow systemd_localed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_localed_t, $1)
++')
++
++########################################
++##
++## Dontaudit attempts to send dbus domains chat messages
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`systemd_dontaudit_dbus_chat',`
++ gen_require(`
++ attribute systemd_domain;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 systemd_domain:dbus send_msg;
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+new file mode 100644
+index 0000000..f758960
+--- /dev/null
++++ b/policy/modules/system/systemd.te
+@@ -0,0 +1,650 @@
++policy_module(systemd, 1.0.0)
++
++#######################################
++#
++# Declarations
++#
++
++attribute systemd_unit_file_type;
++attribute systemd_domain;
++attribute systemctl_domain;
++
++systemd_domain_template(systemd_logger)
++systemd_domain_template(systemd_logind)
++
++# /run/systemd/sessions
++type systemd_logind_sessions_t;
++files_pid_file(systemd_logind_sessions_t)
++
++type systemd_logind_var_lib_t;
++files_type(systemd_logind_var_lib_t)
++
++# /run/systemd/{seats, users}
++type systemd_logind_var_run_t;
++files_pid_file(systemd_logind_var_run_t)
++
++type systemd_logind_inhibit_var_run_t;
++files_pid_file(systemd_logind_inhibit_var_run_t)
++
++type systemd_home_t;
++userdom_user_home_content(systemd_home_t)
++
++type random_seed_t;
++files_security_file(random_seed_t)
++files_mountpoint(random_seed_t)
++
++# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
++# systemd components
++
++systemd_domain_template(systemd_passwd_agent)
++
++type systemd_passwd_var_run_t alias systemd_device_t;
++files_pid_file(systemd_passwd_var_run_t)
++
++# domain for systemd-tmpfiles component
++systemd_domain_template(systemd_tmpfiles)
++systemd_domain_template(systemd_notify)
++
++# type for systemd unit files
++type systemd_unit_file_t;
++systemd_unit_file(systemd_unit_file_t)
++
++type systemd_runtime_unit_file_t;
++systemd_unit_file(systemd_runtime_unit_file_t)
++
++type power_unit_file_t;
++systemd_unit_file(power_unit_file_t)
++
++type systemd_vconsole_unit_file_t;
++systemd_unit_file(systemd_vconsole_unit_file_t)
++
++# executable for systemctl
++type systemd_systemctl_exec_t;
++corecmd_executable_file(systemd_systemctl_exec_t)
++
++systemd_domain_template(systemd_localed)
++systemd_domain_template(systemd_hostnamed)
++
++type hostname_etc_t;
++files_config_file(hostname_etc_t)
++
++systemd_domain_template(systemd_timedated)
++typeattribute systemd_timedated_t systemd_domain;
++typealias systemd_timedated_t alias gnomeclock_t;
++
++systemd_domain_template(systemd_sysctl)
++
++#######################################
++#
++# Systemd_logind local policy
++#
++
++# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
++allow systemd_logind_t self:process getcap;
++allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
++
++mls_file_read_all_levels(systemd_logind_t)
++mls_file_write_all_levels(systemd_logind_t)
++
++manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
++manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t)
++init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger")
++
++manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
++manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
++init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
++
++manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
++
++dev_getattr_all_chr_files(systemd_logind_t)
++dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_rw_input_dev(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
++dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
++dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
++dev_setattr_sound_dev(systemd_logind_t)
++dev_setattr_video_dev(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
++
++domain_read_all_domains_state(systemd_logind_t)
++domain_signal_all_domains(systemd_logind_t)
++domain_signull_all_domains(systemd_logind_t)
++domain_kill_all_domains(systemd_logind_t)
++
++# /etc/udev/udev.conf should probably have a private type if only for confined administration
++# /etc/nsswitch.conf
++
++# /sys/fs/cgroup/systemd/user
++fs_manage_cgroup_dirs(systemd_logind_t)
++# write getattr open setattr
++fs_manage_cgroup_files(systemd_logind_t)
++fs_getattr_tmpfs(systemd_logind_t)
++fs_read_tmpfs_symlinks(systemd_logind_t)
++
++storage_setattr_removable_dev(systemd_logind_t)
++storage_setattr_scsi_generic_dev(systemd_logind_t)
++
++term_use_unallocated_ttys(systemd_logind_t)
++
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
++
++init_status(systemd_logind_t)
++init_signal(systemd_logind_t)
++init_reboot(systemd_logind_t)
++init_halt(systemd_logind_t)
++init_undefined(systemd_logind_t)
++init_signal_script(systemd_logind_t)
++
++getty_systemctl(systemd_logind_t)
++
++systemd_config_generic_services(systemd_logind_t)
++
++# /run/user/.*
++# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
++auth_manage_var_auth(systemd_logind_t)
++auth_use_nsswitch(systemd_logind_t)
++
++authlogin_read_state(systemd_logind_t)
++
++init_dbus_chat(systemd_logind_t)
++init_dbus_chat_script(systemd_logind_t)
++init_read_script_state(systemd_logind_t)
++init_read_state(systemd_logind_t)
++init_rw_stream_sockets(systemd_logind_t)
++
++logging_send_syslog_msg(systemd_logind_t)
++
++udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
++
++userdom_read_all_users_state(systemd_logind_t)
++userdom_use_user_ttys(systemd_logind_t)
++userdom_manage_all_user_tmp_content(systemd_logind_t)
++
++optional_policy(`
++ apache_read_tmp_files(systemd_logind_t)
++')
++
++optional_policy(`
++ cron_dbus_chat_crond(systemd_logind_t)
++ cron_read_state_crond(systemd_logind_t)
++')
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_logind_t)
++ dbus_system_bus_client(systemd_logind_t)
++')
++
++optional_policy(`
++ devicekit_dbus_chat_power(systemd_logind_t)
++ devicekit_dbus_chat_disk(systemd_logind_t)
++')
++
++optional_policy(`
++ # we label /run/user/$USER/dconf as config_home_t
++ gnome_manage_home_config_dirs(systemd_logind_t)
++ gnome_manage_home_config(systemd_logind_t)
++ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t)
++ gnome_manage_gstreamer_home_dirs(systemd_logind_t)
++')
++
++optional_policy(`
++ rpm_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
++ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
++ xserver_search_xdm_tmp_dirs(systemd_logind_t)
++')
++
++#######################################
++#
++# Local policy
++#
++
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
++allow systemd_passwd_agent_t self:process { setsockcreate };
++allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
++
++kernel_stream_connect(systemd_passwd_agent_t)
++
++dev_create_generic_dirs(systemd_passwd_agent_t)
++dev_read_generic_files(systemd_passwd_agent_t)
++dev_write_generic_sock_files(systemd_passwd_agent_t)
++dev_write_kmsg(systemd_passwd_agent_t)
++
++term_read_console(systemd_passwd_agent_t)
++
++auth_use_nsswitch(systemd_passwd_agent_t)
++
++init_create_pid_dirs(systemd_passwd_agent_t)
++init_rw_pipes(systemd_passwd_agent_t)
++init_read_utmp(systemd_passwd_agent_t)
++init_stream_connect(systemd_passwd_agent_t)
++
++logging_send_syslog_msg(systemd_passwd_agent_t)
++
++userdom_use_user_ptys(systemd_passwd_agent_t)
++userdom_use_inherited_user_ttys(systemd_passwd_agent_t)
++
++optional_policy(`
++ lvm_signull(systemd_passwd_agent_t)
++')
++
++optional_policy(`
++ plymouthd_stream_connect(systemd_passwd_agent_t)
++')
++
++#######################################
++#
++# Local policy
++#
++
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
++allow systemd_tmpfiles_t self:process { setfscreate };
++
++allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_network_state(systemd_tmpfiles_t)
++kernel_request_load_module(systemd_tmpfiles_t)
++
++dev_write_kmsg(systemd_tmpfiles_t)
++dev_rw_sysfs(systemd_tmpfiles_t)
++dev_relabel_all_sysfs(systemd_tmpfiles_t)
++dev_relabel_cpu_online(systemd_tmpfiles_t)
++dev_read_cpu_online(systemd_tmpfiles_t)
++dev_manage_all_dev_nodes(systemd_tmpfiles_t)
++dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
++
++domain_obj_id_change_exemption(systemd_tmpfiles_t)
++
++# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
++fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
++fs_list_all(systemd_tmpfiles_t)
++
++files_getattr_all_dirs(systemd_tmpfiles_t)
++files_getattr_all_files(systemd_tmpfiles_t)
++files_getattr_all_sockets(systemd_tmpfiles_t)
++files_getattr_all_symlinks(systemd_tmpfiles_t)
++files_relabel_all_lock_dirs(systemd_tmpfiles_t)
++files_relabel_all_lock_files(systemd_tmpfiles_t)
++files_relabel_all_pid_dirs(systemd_tmpfiles_t)
++files_relabel_all_pid_files(systemd_tmpfiles_t)
++files_relabel_all_spool_dirs(systemd_tmpfiles_t)
++files_manage_all_pids(systemd_tmpfiles_t)
++files_manage_all_pid_dirs(systemd_tmpfiles_t)
++files_manage_all_locks(systemd_tmpfiles_t)
++files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
++files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
++files_delete_boot_flag(systemd_tmpfiles_t)
++files_delete_all_non_security_files(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
++files_purge_tmp(systemd_tmpfiles_t)
++files_manage_generic_tmp_files(systemd_tmpfiles_t)
++files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
++files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
++files_relabelfrom_tmp_files(systemd_tmpfiles_t)
++files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
++files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_list_lost_found(systemd_tmpfiles_t)
++
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
++
++selinux_get_enforce_mode(systemd_tmpfiles_t)
++
++auth_manage_faillog(systemd_tmpfiles_t)
++auth_relabel_faillog(systemd_tmpfiles_t)
++auth_manage_var_auth(systemd_tmpfiles_t)
++auth_manage_login_records(systemd_tmpfiles_t)
++auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
++auth_relabel_login_records(systemd_tmpfiles_t)
++auth_setattr_login_records(systemd_tmpfiles_t)
++auth_use_nsswitch(systemd_tmpfiles_t)
++
++init_dgram_send(systemd_tmpfiles_t)
++init_rw_stream_sockets(systemd_tmpfiles_t)
++
++logging_create_devlog_dev(systemd_tmpfiles_t)
++logging_send_syslog_msg(systemd_tmpfiles_t)
++logging_setattr_all_log_dirs(systemd_tmpfiles_t)
++
++miscfiles_filetrans_named_content(systemd_tmpfiles_t)
++miscfiles_manage_man_pages(systemd_tmpfiles_t)
++miscfiles_relabel_man_pages(systemd_tmpfiles_t)
++miscfiles_delete_man_pages(systemd_tmpfiles_t)
++
++ifdef(`distro_redhat',`
++ userdom_list_user_home_content(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
++ userdom_delete_admin_home_files(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ apache_delete_sys_content_rw(systemd_tmpfiles_t)
++ apache_list_cache(systemd_tmpfiles_t)
++ apache_delete_cache_dirs(systemd_tmpfiles_t)
++ apache_delete_cache_files(systemd_tmpfiles_t)
++ apache_setattr_cache_dirs(systemd_tmpfiles_t)
++')
++
++
++optional_policy(`
++ auth_rw_login_records(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ # we have /run/user/$USER/dconf
++ gnome_delete_home_config(systemd_tmpfiles_t)
++ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
++ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ lpd_manage_spool(systemd_tmpfiles_t)
++ lpd_relabel_spool(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ rpm_read_db(systemd_tmpfiles_t)
++ rpm_delete_db(systemd_tmpfiles_t)
++')
++
++optional_policy(`
++ sandbox_list(systemd_tmpfiles_t)
++ sandbox_delete_dirs(systemd_tmpfiles_t)
++ sandbox_delete_files(systemd_tmpfiles_t)
++ sandbox_delete_lnk_files(systemd_tmpfiles_t)
++ sandbox_delete_pipes(systemd_tmpfiles_t)
++ sandbox_delete_sock_files(systemd_tmpfiles_t)
++ sandbox_setattr_dirs(systemd_tmpfiles_t)
++')
++
++########################################
++#
++# systemd_notify local policy
++#
++allow systemd_notify_t self:capability chown;
++allow systemd_notify_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
++allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
++
++domain_use_interactive_fds(systemd_notify_t)
++
++fs_getattr_cgroup_files(systemd_notify_t)
++
++auth_use_nsswitch(systemd_notify_t)
++
++init_rw_stream_sockets(systemd_notify_t)
++
++optional_policy(`
++ rhcs_read_log_cluster(systemd_notify_t)
++')
++
++optional_policy(`
++ readahead_manage_pid_files(systemd_notify_t)
++')
++
++########################################
++#
++# systemd_logger local policy
++#
++
++allow systemd_logger_t self:capability { sys_admin chown kill };
++allow systemd_logger_t self:process { fork setfscreate setsockcreate };
++
++allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
++allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_use_fds(systemd_logger_t)
++
++dev_write_kmsg(systemd_logger_t)
++
++domain_use_interactive_fds(systemd_logger_t)
++
++# only needs write
++term_use_generic_ptys(systemd_logger_t)
++
++auth_use_nsswitch(systemd_logger_t)
++
++# /run/systemd/notify
++init_write_pid_socket(systemd_logger_t)
++
++logging_send_syslog_msg(systemd_logger_t)
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++
++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
++
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_dgram_send(systemctl_domain)
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
++
++#######################################
++#
++# Localed policy
++#
++allow systemd_localed_t self:process setfscreate;
++allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
++
++dev_write_kmsg(systemd_localed_t)
++
++init_dbus_chat(systemd_localed_t)
++init_reload_services(systemd_localed_t)
++
++logging_stream_connect_syslog(systemd_localed_t)
++logging_send_syslog_msg(systemd_localed_t)
++
++allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
++
++miscfiles_manage_localization(systemd_localed_t)
++miscfiles_etc_filetrans_localization(systemd_localed_t)
++
++userdom_dbus_send_all_users(systemd_localed_t)
++
++xserver_manage_config(systemd_localed_t)
++
++optional_policy(`
++ dbus_connect_system_bus(systemd_localed_t)
++ dbus_system_bus_client(systemd_localed_t)
++')
++
++#######################################
++#
++# Hostnamed policy
++#
++allow systemd_hostnamed_t self:capability sys_admin;
++dontaudit systemd_hostnamed_t self:capability sys_ptrace;
++
++allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
++allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
++
++manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
++manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
++
++kernel_dgram_send(systemd_hostnamed_t)
++
++dev_write_kmsg(systemd_hostnamed_t)
++dev_read_sysfs(systemd_hostnamed_t)
++
++init_status(systemd_hostnamed_t)
++init_read_state(systemd_hostnamed_t)
++init_stream_connect(systemd_hostnamed_t)
++
++logging_send_syslog_msg(systemd_hostnamed_t)
++
++userdom_read_all_users_state(systemd_hostnamed_t)
++userdom_dbus_send_all_users(systemd_hostnamed_t)
++
++optional_policy(`
++ dbus_system_bus_client(systemd_hostnamed_t)
++ dbus_connect_system_bus(systemd_hostnamed_t)
++')
++
++#######################################
++#
++# Timedated policy
++#
++allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
++allow systemd_timedated_t self:process { getattr getsched setfscreate };
++allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
++allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
++allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_bin(systemd_timedated_t)
++corecmd_exec_shell(systemd_timedated_t)
++corecmd_dontaudit_access_check_bin(systemd_timedated_t)
++
++corenet_tcp_connect_time_port(systemd_timedated_t)
++
++dev_rw_realtime_clock(systemd_timedated_t)
++dev_write_kmsg(systemd_timedated_t)
++dev_read_sysfs(systemd_timedated_t)
++
++fs_getattr_xattr_fs(systemd_timedated_t)
++
++auth_use_nsswitch(systemd_timedated_t)
++
++init_dbus_chat(systemd_timedated_t)
++init_status(systemd_timedated_t)
++
++logging_send_syslog_msg(systemd_timedated_t)
++
++miscfiles_manage_localization(systemd_timedated_t)
++miscfiles_etc_filetrans_localization(systemd_timedated_t)
++
++userdom_read_all_users_state(systemd_timedated_t)
++
++optional_policy(`
++ chronyd_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++ clock_manage_adjtime(systemd_timedated_t)
++ clock_filetrans_named_content(systemd_timedated_t)
++ clock_domtrans(systemd_timedated_t)
++')
++
++optional_policy(`
++ consolekit_dbus_chat(systemd_timedated_t)
++')
++
++optional_policy(`
++ consoletype_exec(systemd_timedated_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(systemd_timedated_t)
++ dbus_connect_system_bus(systemd_timedated_t)
++')
++
++optional_policy(`
++ gnome_manage_usr_config(systemd_timedated_t)
++ gnome_manage_home_config(systemd_timedated_t)
++ gnome_manage_home_config_dirs(systemd_timedated_t)
++')
++
++optional_policy(`
++ ntp_domtrans_ntpdate(systemd_timedated_t)
++ ntp_initrc_domtrans(systemd_timedated_t)
++ init_dontaudit_getattr_all_script_files(systemd_timedated_t)
++ init_dontaudit_getattr_exec(systemd_timedated_t)
++ ntp_systemctl(systemd_timedated_t)
++')
++
++optional_policy(`
++ policykit_domtrans_auth(systemd_timedated_t)
++ policykit_read_lib(systemd_timedated_t)
++ policykit_read_reload(systemd_timedated_t)
++')
++
++optional_policy(`
++ xserver_manage_config(systemd_timedated_t)
++ xserver_read_state_xdm(systemd_timedated_t)
++')
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++allow systemd_sysctl_t self:capability net_admin;
++allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
++
++kernel_dgram_send(systemd_sysctl_t)
++kernel_rw_all_sysctls(systemd_sysctl_t)
++
++files_read_system_conf_files(systemd_sysctl_t)
++
++dev_write_kmsg(systemd_sysctl_t)
++
++domain_use_interactive_fds(systemd_sysctl_t)
++
++init_stream_connect(systemd_sysctl_t)
++
++logging_send_syslog_msg(systemd_sysctl_t)
++
++########################################
++#
++# Common rules for systemd domains
++#
++allow systemd_domain self:process { setfscreate signal_perms };
++
++dev_read_urand(systemd_domain)
++
++files_read_etc_files(systemd_domain)
++files_read_etc_runtime_files(systemd_domain)
++files_read_usr_files(systemd_domain)
++
++init_search_pid_dirs(systemd_domain)
++
++logging_stream_connect_syslog(systemd_domain) ++ ++seutil_read_config(systemd_domain) ++seutil_read_file_contexts(systemd_domain) ++ ++optional_policy(` ++ policykit_dbus_chat(systemd_domain) ++') ++ ++read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) ++read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) +diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc +index 40928d8..49fd32e 100644 +--- a/policy/modules/system/udev.fc ++++ b/policy/modules/system/udev.fc +@@ -1,6 +1,8 @@ +-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) +-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) +-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) ++/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0) ++/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0) ++/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0) + + /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + +@@ -10,6 +12,7 @@ + /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + + /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + + ifdef(`distro_debian',` + /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) +@@ -27,11 +30,23 @@ ifdef(`distro_redhat',` + ') + + /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) +- +-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) +- +-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +-/var/run/udev(/.*)? 
gen_context(system_u:object_r:udev_tbl_t,s0) ++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/var/run/udev(/.*)? 
gen_context(system_u:object_r:udev_var_run_t,s0) + + ifdef(`distro_debian',` + /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) +diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if +index 0f64692..d7e8a01 100644 +--- a/policy/modules/system/udev.if ++++ b/policy/modules/system/udev.if +@@ -34,6 +34,7 @@ interface(`udev_domtrans',` + ') + + domtrans_pattern($1, udev_exec_t, udev_t) ++ allow $1 udev_t:process noatsecure; + ') + + ######################################## +@@ -88,8 +89,7 @@ interface(`udev_read_state',` + ') + + kernel_search_proc($1) +- allow $1 udev_t:file read_file_perms; +- allow $1 udev_t:lnk_file read_lnk_file_perms; ++ ps_process_pattern($1, udev_t) + ') + + ######################################## +@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',` + # + interface(`udev_dontaudit_search_db',` + gen_require(` +- type udev_tbl_t; ++ type udev_var_run_t; + ') + +- dontaudit $1 udev_tbl_t:dir search_dir_perms; ++ dontaudit $1 udev_var_run_t:dir search_dir_perms; + ') + + ######################################## +@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',` + ## + # + interface(`udev_read_db',` ++ udev_read_pid_files($1) ++') ++ ++######################################## ++## ++## Allow process to modify list of devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udev_rw_db',` + gen_require(` +- type udev_tbl_t; ++ type udev_var_run_t; + ') + +- allow $1 udev_tbl_t:dir list_dir_perms; ++ files_search_pids($1) ++ dev_list_all_dev_nodes($1) ++ rw_files_pattern($1, udev_var_run_t, udev_var_run_t) ++') + +- read_files_pattern($1, udev_tbl_t, udev_tbl_t) +- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) ++######################################## ++## ++## Allow process to modify relabelto udev database ++## ++## ++## ++## Domain allowed access. 
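Review bot: The added `allow $1 udev_t:process noatsecure;` in `udev_domtrans` switches off the AT_SECURE handling that a domain transition otherwise triggers, so every caller of this generic interface now hands its environment to the udev binary untouched. If only one caller needs that, put the rule in that caller's policy or behind a separate interface instead of in `udev_domtrans`, and record the reason next to it, e.g. `# noatsecure: <caller> needs its environment preserved across the transition — TODO name the caller`. The opening of `udev_domtrans` lies outside the hunk.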
++## ++## ++# ++interface(`udev_relabelto_db',` ++ gen_require(` ++ type udev_var_run_t; ++ ') + +- dev_list_all_dev_nodes($1) ++ files_search_pids($1) ++ allow $1 udev_var_run_t:file relabelto_file_perms; ++') + +- files_search_etc($1) ++######################################## ++## ++## Relabel the udev sock_file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udev_relabel_pid_sockfile',` ++ gen_require(` ++ type udev_var_run_t; ++ ') + +- udev_search_pids($1) ++ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms; + ') + + ######################################## + ## +-## Allow process to modify list of devices. ++## Create, read, write, and delete ++## udev pid files. + ## + ## + ## +@@ -213,13 +258,16 @@ interface(`udev_read_db',` + ## + ## + # +-interface(`udev_rw_db',` ++interface(`udev_read_pid_files',` + gen_require(` +- type udev_tbl_t; ++ type udev_var_run_t; + ') + + dev_list_all_dev_nodes($1) +- allow $1 udev_tbl_t:file rw_file_perms; ++ files_search_pids($1) ++ allow $1 udev_var_run_t:dir list_dir_perms; ++ read_files_pattern($1, udev_var_run_t, udev_var_run_t) ++ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t) + ') + + ######################################## +@@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',` + + ######################################## + ## +-## Read udev pid files. ++## Create, read, write, and delete ++## udev pid files. + ## + ## + ## +@@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',` + ## + ## + # +-interface(`udev_read_pid_files',` ++interface(`udev_manage_pid_files',` + gen_require(` + type udev_var_run_t; + ') + + files_search_pids($1) +- read_files_pattern($1, udev_var_run_t, udev_var_run_t) ++ manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + ') + +-######################################## ++####################################### + ## +-## Create, read, write, and delete +-## udev pid files. 
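Review bot: The summary of the new `udev_relabelto_db` interface, `Allow process to modify relabelto udev database`, does not parse; what the body grants is `udev_var_run_t:file relabelto_file_perms`, so `Relabel files to the udev database type.` describes it. In the same hunk `udev_relabel_pid_sockfile` grants `relabel_sock_file_perms` on `udev_var_run_t` without the `files_search_pids($1)` that `udev_relabelto_db` and `udev_rw_db` include, so a caller that has no other path into the pid directory may not reach the socket it is allowed to relabel; adding the search call keeps the three interfaces consistent. The hunk starts before `udev_read_db` and its tail is outside the visible lines.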
++## Execute udev in the udev domain, and ++## allow the specified role the udev domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the iptables domain. ++## ++## ++## ++# ++interface(`udev_run',` ++ gen_require(` ++ type udev_t; ++ ') ++ ++ udev_domtrans($1) ++ role $2 types udev_t; ++') ++ ++####################################### ++## ++## Allow caller to create kobject uevent socket for udev + ## + ## + ## +@@ -291,13 +365,45 @@ interface(`udev_read_pid_files',` + ## + ## + # +-interface(`udev_manage_pid_files',` ++interface(`udev_create_kobject_uevent_socket',` + gen_require(` +- type udev_var_run_t; ++ type udev_t; ++ role system_r; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ++ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; ++') ++ ++######################################## ++## ++## Create a domain for processes ++## which can be started by udev. ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. 
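Review bot: The second-parameter description of the new `udev_run` interface reads `The role to be allowed the iptables domain.`, which looks copied from another module; the body does `role $2 types udev_t;`, so it should read `The role to be allowed the udev domain.` so the generated interface documentation matches the rule.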
++##
++##
++#
++interface(`udev_system_domain',`
++ gen_require(`
++ type udev_t;
++ role system_r;
++ ')
++
++ domain_type($1)
++ domain_entry_file($1, $2)
++
++ role system_r types $1;
++
++ domtrans_pattern(udev_t, $2, $1)
++
++ dontaudit $1 udev_t:unix_dgram_socket { read write };
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index a5ec88b..de9d585 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
+ type udev_etc_t alias etc_udev_t;
+ files_config_file(udev_etc_t)
+ 
+-type udev_tbl_t alias udev_tdb_t;
+-files_type(udev_tbl_t)
+-
+ type udev_rules_t;
+ files_type(udev_rules_t)
+ 
+ type udev_var_run_t;
+ files_pid_file(udev_var_run_t)
++typealias udev_var_run_t alias udev_tbl_t;
+ init_daemon_run_dir(udev_var_run_t, "udev")
+ 
++type udev_tmp_t;
++files_tmp_file(udev_tmp_t)
++
+ ifdef(`enable_mcs',`
+ kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
+ 
+-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
++allow udev_t self:capability2 { block_suspend compromise_kernel };
+ dontaudit udev_t self:capability sys_tty_config;
+-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++
++allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow udev_t self:process { execmem setfscreate };
+ allow udev_t self:fd use;
+ allow udev_t self:fifo_file 
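Review bot: `udev_create_kobject_uevent_socket` declares `role system_r;` in its `gen_require` block but its only rule is `allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;`, so the role requirement is dead and should be removed (the neighbouring `udev_system_domain` does use `system_r` in `role system_r types $1;` and rightly keeps it). Its summary `Allow caller to create kobject uevent socket for udev` could also say what is actually granted, since the rule lets the caller create such a socket labelled `udev_t`, e.g. `Create netlink kobject uevent sockets on behalf of the udev domain.`.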
rw_fifo_file_perms;
+@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
+ allow udev_t self:unix_stream_socket connectto;
+ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow udev_t self:rawip_socket create_socket_perms;
++allow udev_t self:netlink_socket create_socket_perms;
+ 
+ allow udev_t udev_exec_t:file write;
+ can_exec(udev_t, udev_exec_t)
+@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
+ 
+-# create udev database in /dev/.udevdb
+-allow udev_t udev_tbl_t:file manage_file_perms;
+-dev_filetrans(udev_t, udev_tbl_t, file)
++allow udev_t udev_tmp_t:dir manage_dir_perms;
++allow udev_t udev_tmp_t:file manage_file_perms;
++files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
+ 
+ list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
+-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+ 
+ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
++manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
++files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
++allow udev_t udev_var_run_t:file mounton;
++allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
+ 
++kernel_load_module(udev_t)
+ kernel_read_system_state(udev_t)
+ kernel_request_load_module(udev_t)
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
+ kernel_read_device_sysctls(udev_t)
++kernel_read_fs_sysctls(udev_t)
+ kernel_read_hotplug_sysctls(udev_t)
+ kernel_read_modprobe_sysctls(udev_t)
+ kernel_read_kernel_sysctls(udev_t)
+ kernel_rw_hotplug_sysctls(udev_t)
+ 
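Review bot: `allow udev_t self:capability2 { block_suspend compromise_kernel };` is added unconditionally with nothing saying which udev operation needs either bit, while the rest of the hunk (dropping `sys_ptrace` from the capability set and adding `ptrace` to the `self:process` exclusions) reads as a deliberate privilege reduction, so the new grant stands out. Elsewhere in this file a non-obvious grant carries its justification (`#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182` above `kernel_rw_net_sysctls`); give this rule the same treatment, e.g. `# block_suspend / compromise_kernel: required for <operation — TODO fill in from the denial>`, and consider granting the two bits on separate lines so each can be traced to its denial later. The local-policy section continues past the hunk.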
kernel_rw_unix_dgram_sockets(udev_t)
+ kernel_dgram_send(udev_t)
+-kernel_signal(udev_t)
+ kernel_search_debugfs(udev_t)
++kernel_setsched(udev_t)
++kernel_stream_connect(udev_t)
++kernel_signal(udev_t)
+ 
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+ kernel_rw_net_sysctls(udev_t)
+@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
+ 
+ dev_rw_sysfs(udev_t)
+ dev_manage_all_dev_nodes(udev_t)
++dev_rw_generic_usb_dev(udev_t)
+ dev_rw_generic_files(udev_t)
+ dev_delete_generic_files(udev_t)
+ dev_search_usbfs(udev_t)
+@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
+ dev_manage_generic_symlinks(udev_t)
++dev_filetrans_all_named_dev(udev_t)
+ 
+ domain_read_all_domains_state(udev_t)
+-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+ 
+ files_read_usr_files(udev_t)
+ files_read_etc_runtime_files(udev_t)
+-files_read_etc_files(udev_t)
++files_read_kernel_modules(udev_t)
++files_read_system_conf_files(udev_t)
++
++
++# console_init manages files in /etc/sysconfig
++files_manage_etc_files(udev_t)
+ files_exec_etc_files(udev_t)
++files_exec_usr_files(udev_t)
+ files_dontaudit_search_isid_type_dirs(udev_t)
+ files_getattr_generic_locks(udev_t)
+ files_search_mnt(udev_t)
++files_list_tmp(udev_t)
+ 
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+-
+-mcs_ptrace_all(udev_t)
++fs_list_auto_mountpoints(udev_t)
++fs_list_hugetlbfs(udev_t)
++fs_read_cgroup_files(udev_t)
+ 
+ mls_file_read_all_levels(udev_t)
+ mls_file_write_all_levels(udev_t)
+@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
+ init_read_utmp(udev_t)
+ init_dontaudit_write_utmp(udev_t)
+ init_getattr_initctl(udev_t)
++init_stream_connect(udev_t)
+ 
+ logging_search_logs(udev_t)
+ logging_send_syslog_msg(udev_t)
+ logging_send_audit_msgs(udev_t)
++logging_stream_connect_syslog(udev_t)
+ 
+-miscfiles_read_localization(udev_t)
+ 
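Review bot: `kernel_load_module(udev_t)` gives udev_t direct module loading on top of the retained `kernel_request_load_module(udev_t)` and the `modutils_domtrans_insmod(udev_t)` that is still present as context further down, so the domain now has three routes to get a module into the kernel; if udev loads modules itself now, say so in a comment and decide whether the insmod transition is still needed rather than keeping all three. In the same hunk `read_files_pattern(udev_t, udev_rules_t, udev_rules_t)` becomes `manage_files_pattern`/`manage_lnk_files_pattern`, which lets udev_t rewrite the rules that drive its own behaviour; if that is for one generated rules file, name it in a comment (and ideally give that file its own type) so the wider write access stays reviewable. The hunk's tail runs past the visible kernel_* calls.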
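Review bot: `files_manage_etc_files(udev_t)`, justified by `# console_init manages files in /etc/sysconfig`, grants create, write and delete on every etc_t file in place of the `files_read_etc_files(udev_t)` the hunk removes, which is far wider than the /etc/sysconfig content the comment describes. If a type or interface scoped to the sysconfig files exists, use it here; if the whole of /etc is meant to be writable from udev_t, expand the comment to say so explicitly so the grant is not mistaken for an over-broad copy, e.g. `# console_init writes /etc/sysconfig/*; no narrower type exists, so all of etc_t is managed here`. The two blank `++` lines before the comment also look accidental.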
miscfiles_read_hwdata(udev_t) + + modutils_domtrans_insmod(udev_t) + # read modules.inputmap: + modutils_read_module_deps(udev_t) ++modutils_list_module_config(udev_t) ++modutils_read_module_config(udev_t) + + seutil_read_config(udev_t) + seutil_read_default_contexts(udev_t) +@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t) + sysnet_delete_dhcpc_pid(udev_t) + sysnet_signal_dhcpc(udev_t) + sysnet_manage_config(udev_t) +-sysnet_etc_filetrans_config(udev_t) ++sysnet_filetrans_named_content(udev_t) ++#sysnet_etc_filetrans_config(udev_t) ++ ++systemd_login_read_pid_files(udev_t) ++systemd_getattr_unit_files(udev_t) + + userdom_dontaudit_search_user_home_content(udev_t) + +@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',` + ') + + ifdef(`distro_redhat',` +- fs_manage_tmpfs_dirs(udev_t) +- fs_manage_tmpfs_files(udev_t) +- fs_manage_tmpfs_symlinks(udev_t) +- fs_manage_tmpfs_sockets(udev_t) +- fs_manage_tmpfs_blk_files(udev_t) +- fs_manage_tmpfs_chr_files(udev_t) +- fs_relabel_tmpfs_blk_file(udev_t) +- fs_relabel_tmpfs_chr_file(udev_t) ++ fs_manage_hugetlbfs_dirs(udev_t) + +- term_search_ptys(udev_t) ++ term_use_generic_ptys(udev_t) + + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(udev_t) +@@ -226,19 +248,34 @@ optional_policy(` + + optional_policy(` + cups_domtrans_config(udev_t) ++ cups_read_config(udev_t) + ') + + optional_policy(` + dbus_system_bus_client(udev_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(udev_t) ++ ') + ') + + optional_policy(` + devicekit_read_pid_files(udev_t) + devicekit_dgram_send(udev_t) ++ devicekit_domtrans_disk(udev_t) ++') ++ ++optional_policy(` ++ gnome_read_home_config(udev_t) ++') ++ ++optional_policy(` ++ gpsd_domtrans(udev_t) + ') + + optional_policy(` + lvm_domtrans(udev_t) ++ lvm_dgram_send(udev_t) + ') + + optional_policy(` +@@ -264,6 +301,10 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_dbus_chat(udev_t) ++') ++ ++optional_policy(` + openct_read_pid_files(udev_t) + 
openct_domtrans(udev_t) + ') +@@ -278,6 +319,15 @@ optional_policy(` + ') + + optional_policy(` ++ radvd_read_pid_files(udev_t) ++') ++ ++optional_policy(` ++ usbmuxd_domtrans(udev_t) ++ usbmuxd_stream_connect(udev_t) ++') ++ ++optional_policy(` + unconfined_signal(udev_t) + ') + +@@ -290,6 +340,7 @@ optional_policy(` + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) + xen_read_image_files(udev_t) ++ xen_stream_connect_xenstore(udev_t) + ') + + optional_policy(` +diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc +index 0abaf84..8b34dbc 100644 +--- a/policy/modules/system/unconfined.fc ++++ b/policy/modules/system/unconfined.fc +@@ -1,21 +1 @@ + # Add programs here which should not be confined by SELinux +-# e.g.: +-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) +- +-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +- +-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +- +-ifdef(`distro_debian',` +-/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-') +- +-ifdef(`distro_gentoo',` +-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-') +diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if +index db7aabb..01e03ec 100644 +--- 
a/policy/modules/system/unconfined.if ++++ b/policy/modules/system/unconfined.if +@@ -12,53 +12,57 @@ + # + interface(`unconfined_domain_noaudit',` + gen_require(` +- type unconfined_t; + class dbus all_dbus_perms; + class nscd all_nscd_perms; + class passwd all_passwd_perms; + ') + +- # Use most Linux capabilities +- allow $1 self:capability ~sys_module; +- allow $1 self:fifo_file manage_fifo_file_perms; ++ # Use any Linux capability. ++ ++ allow $1 self:capability ~{ sys_module }; ++ allow $1 self:capability2 ~{ mac_admin mac_override }; ++ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; + + # Transition to myself, to make get_ordered_context_list happy. +- allow $1 self:process transition; ++ allow $1 self:process { dyntransition transition }; + + # Write access is for setting attributes under /proc/self/attr. + allow $1 self:file rw_file_perms; ++ allow $1 self:dir rw_dir_perms; + + # Userland object managers +- allow $1 self:nscd *; +- allow $1 self:dbus *; +- allow $1 self:passwd *; +- allow $1 self:association *; ++ allow $1 self:nscd all_nscd_perms; ++ allow $1 self:dbus all_dbus_perms; ++ allow $1 self:passwd all_passwd_perms; ++ allow $1 self:association all_association_perms; ++ allow $1 self:socket_class_set create_socket_perms; + + kernel_unconfined($1) + corenet_unconfined($1) + dev_unconfined($1) + domain_unconfined($1) +- domain_dontaudit_read_all_domains_state($1) +- domain_dontaudit_ptrace_all_domains($1) + files_unconfined($1) + fs_unconfined($1) + selinux_unconfined($1) ++ systemd_config_all_services($1) ++ ++ domain_mmap_low($1) ++ ++ ubac_process_exempt($1) + +- tunable_policy(`allow_execheap',` ++ tunable_policy(`selinuxuser_execheap',` + # Allow making the stack executable via mprotect. + allow $1 self:process execheap; + ') + +- tunable_policy(`allow_execmem',` ++ tunable_policy(`deny_execmem',`',` + # Allow making anonymous memory executable, e.g. + # for runtime-code generation or executable stack. 
+ allow $1 self:process execmem; + ') + +- tunable_policy(`allow_execstack',` +- # Allow making the stack executable via mprotect; +- # execstack implies execmem; +- allow $1 self:process { execstack execmem }; ++ tunable_policy(`selinuxuser_execstack',` ++ allow $1 self:process execstack; + # auditallow $1 self:process execstack; + ') + +@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',` + optional_policy(` + # Communicate via dbusd. + dbus_system_bus_unconfined($1) ++ dbus_unconfined($1) + ') + + optional_policy(` +@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',` + ## + # + interface(`unconfined_domain',` ++ gen_require(` ++ attribute unconfined_services; ++ ') ++ + unconfined_domain_noaudit($1) + +- tunable_policy(`allow_execheap',` ++ tunable_policy(`selinuxuser_execheap',` + auditallow $1 self:process execheap; + ') + ') +@@ -150,7 +159,7 @@ interface(`unconfined_domain',` + ## + # + interface(`unconfined_alias_domain',` +- refpolicywarn(`$0($1) has been deprecated.') ++ refpolicywarn(`$0() has been deprecated.') + ') + + ######################################## +@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',` + ## + # + interface(`unconfined_execmem_alias_program',` +- refpolicywarn(`$0($1) has been deprecated.') +-') +- +-######################################## +-## +-## Transition to the unconfined domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`unconfined_domtrans',` +- gen_require(` +- type unconfined_t, unconfined_exec_t; +- ') +- +- domtrans_pattern($1, unconfined_exec_t, unconfined_t) +-') +- +-######################################## +-## +-## Execute specified programs in the unconfined domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## The role to allow the unconfined domain. 
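Review bot: The new comment `# Use any Linux capability.` in `unconfined_domain_noaudit` contradicts the two rules under it, which still exclude `sys_module` and `{ mac_admin mac_override }`; the old `# Use most Linux capabilities` was accurate, so restore it or write `# All capabilities except sys_module (capability) and mac_admin/mac_override (capability2).`. `domain_mmap_low($1)` is also added for every unconfined domain; if it only tags the domain for the `mmap_low_allowed` boolean that is fine, but if it grants the low mapping unconditionally every unconfined process loses the mmap_min_addr protection, and either way a one-line comment should state which it is. The `deny_execmem` tunable is used with an empty true branch so that `execmem` is granted in the else branch, and the explanatory comment now sits inside that else branch; a note such as `# execmem is permitted unless deny_execmem is set` before the `tunable_policy` would spare the next reader a double-take. The interface opens before the hunk and its `optional_policy` tail continues after it.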
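Review bot: The `gen_require(` attribute unconfined_services; ')` block added to `unconfined_domain` is not referenced in the interface body, which still consists only of `unconfined_domain_noaudit($1)` and the `selinuxuser_execheap` auditallow, so the require is dead and merely makes every module calling the interface depend on that attribute being declared. Either drop the block or add the `typeattribute` rule it is presumably meant to support.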
+-## +-## +-# +-interface(`unconfined_run',` +- gen_require(` +- type unconfined_t; +- ') +- +- unconfined_domtrans($1) +- role $2 types unconfined_t; +-') +- +-######################################## +-## +-## Transition to the unconfined domain by executing a shell. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`unconfined_shell_domtrans',` +- gen_require(` +- type unconfined_t; +- ') +- +- corecmd_shell_domtrans($1, unconfined_t) +- allow unconfined_t $1:fd use; +- allow unconfined_t $1:fifo_file rw_file_perms; +- allow unconfined_t $1:process sigchld; +-') +- +-######################################## +-## +-## Allow unconfined to execute the specified program in +-## the specified domain. +-## +-## +-##

    +-## Allow unconfined to execute the specified program in +-## the specified domain. +-##

    +-##

    +-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

    +-##
    +-## +-## +-## Domain to execute in. +-## +-## +-## +-## +-## Domain entry point file. +-## +-## +-# +-interface(`unconfined_domtrans_to',` +- gen_require(` +- type unconfined_t; +- ') +- +- domtrans_pattern(unconfined_t,$2,$1) +-') +- +-######################################## +-## +-## Allow unconfined to execute the specified program in +-## the specified domain. Allow the specified domain the +-## unconfined role and use of unconfined user terminals. +-## +-## +-##

    +-## Allow unconfined to execute the specified program in +-## the specified domain. Allow the specified domain the +-## unconfined role and use of unconfined user terminals. +-##

    +-##

    +-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

    +-##
    +-## +-## +-## Domain to execute in. +-## +-## +-## +-## +-## Domain entry point file. +-## +-## +-# +-interface(`unconfined_run_to',` +- gen_require(` +- type unconfined_t; +- role unconfined_r; +- ') +- +- domtrans_pattern(unconfined_t,$2,$1) +- role unconfined_r types $1; +- userdom_use_user_terminals($1) +-') +- +-######################################## +-## +-## Inherit file descriptors from the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_use_fds',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fd use; +-') +- +-######################################## +-## +-## Send a SIGCHLD signal to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_sigchld',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process sigchld; +-') +- +-######################################## +-## +-## Send a SIGNULL signal to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_signull',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process signull; +-') +- +-######################################## +-## +-## Send generic signals to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_signal',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process signal; +-') +- +-######################################## +-## +-## Read unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_read_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fifo_file read_fifo_file_perms; +-') +- +-######################################## +-## +-## Do not audit attempts to read unconfined domain unnamed pipes. +-## +-## +-## +-## Domain to not audit. 
+-## +-## +-# +-interface(`unconfined_dontaudit_read_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:fifo_file read; +-') +- +-######################################## +-## +-## Read and write unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_rw_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +-') +- +-######################################## +-## +-## Do not audit attempts to read and write +-## unconfined domain unnamed pipes. +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`unconfined_dontaudit_rw_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:fifo_file rw_file_perms; +-') +- +-######################################## +-## +-## Connect to the unconfined domain using +-## a unix domain stream socket. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_stream_connect',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:unix_stream_socket connectto; +-') +- +-######################################## +-## +-## Do not audit attempts to read or write +-## unconfined domain tcp sockets. +-## +-## +-##

    +-## Do not audit attempts to read or write +-## unconfined domain tcp sockets. +-##

    +-##

    +-## This interface was added due to a broken +-## symptom in ldconfig. +-##

    +-##
    +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`unconfined_dontaudit_rw_tcp_sockets',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:tcp_socket { read write }; +-') +- +-######################################## +-## +-## Create keys for the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_create_keys',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:key create; +-') +- +-######################################## +-## +-## Send messages to the unconfined domain over dbus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_dbus_send',` +- gen_require(` +- type unconfined_t; +- class dbus send_msg; +- ') +- +- allow $1 unconfined_t:dbus send_msg; +-') +- +-######################################## +-## +-## Send and receive messages from +-## unconfined_t over dbus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_dbus_chat',` +- gen_require(` +- type unconfined_t; +- class dbus send_msg; +- ') +- +- allow $1 unconfined_t:dbus send_msg; +- allow unconfined_t $1:dbus send_msg; +-') +- +-######################################## +-## +-## Connect to the the unconfined DBUS +-## for service (acquire_svc). +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`unconfined_dbus_connect',` +- gen_require(` +- type unconfined_t; +- class dbus acquire_svc; +- ') +- +- allow $1 unconfined_t:dbus acquire_svc; ++ refpolicywarn(`$0() has been deprecated.') + ') +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index 0280b32..61f19e9 100644 +--- a/policy/modules/system/unconfined.te ++++ b/policy/modules/system/unconfined.te +@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0) + # + # Declarations + # +- +-# usage in this module of types created by these +-# calls is not correct, however we dont currently +-# have another method to add access to these types +-userdom_base_user_template(unconfined) +-userdom_manage_home_role(unconfined_r, unconfined_t) +-userdom_manage_tmp_role(unconfined_r, unconfined_t) +-userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +- +-type unconfined_exec_t; +-init_system_domain(unconfined_t, unconfined_exec_t) +- +-type unconfined_execmem_t; +-type unconfined_execmem_exec_t; +-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) +-role unconfined_r types unconfined_execmem_t; +- +-######################################## +-# +-# Local policy +-# +- +-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) +- +-files_create_boot_flag(unconfined_t) +- +-mcs_killall(unconfined_t) +-mcs_ptrace_all(unconfined_t) +- +-init_run_daemon(unconfined_t, unconfined_r) +- +-libs_run_ldconfig(unconfined_t, unconfined_r) +- +-logging_send_syslog_msg(unconfined_t) +-logging_run_auditctl(unconfined_t, unconfined_r) +- +-mount_run_unconfined(unconfined_t, unconfined_r) +- +-seutil_run_setfiles(unconfined_t, unconfined_r) +-seutil_run_semanage(unconfined_t, unconfined_r) +- +-unconfined_domain(unconfined_t) +- +-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) +- +-ifdef(`distro_gentoo',` +- seutil_run_runinit(unconfined_t, unconfined_r) +- 
seutil_init_script_run_runinit(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- ada_domtrans(unconfined_t) +-') +- +-optional_policy(` +- apache_run_helper(unconfined_t, unconfined_r) +- apache_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` +- bind_run_ndc(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- bootloader_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- cron_unconfined_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` +- init_dbus_chat_script(unconfined_t) +- +- dbus_stub(unconfined_t) +- +- optional_policy(` +- avahi_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- bluetooth_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- consolekit_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- cups_dbus_chat_config(unconfined_t) +- ') +- +- optional_policy(` +- hal_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- networkmanager_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- oddjob_dbus_chat(unconfined_t) +- ') +-') +- +-optional_policy(` +- firstboot_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- ftp_run_ftpdctl(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- hadoop_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` +- inn_domtrans(unconfined_t) +-') +- +-optional_policy(` +- java_run_unconfined(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- lpd_run_checkpc(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- modutils_run_update_mods(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- mono_domtrans(unconfined_t) +-') +- +-optional_policy(` +- mta_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` +- oddjob_domtrans_mkhomedir(unconfined_t) +-') +- +-optional_policy(` +- portage_run(unconfined_t, unconfined_r) +- portage_run_fetch(unconfined_t, unconfined_r) +- portage_run_gcc_config(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- prelink_run(unconfined_t, unconfined_r) +-') +- 
+-optional_policy(`
+- portmap_run_helper(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- postfix_run_map(unconfined_t, unconfined_r)
+- # cjp: this should probably be removed:
+- postfix_domtrans_master(unconfined_t)
+-')
+-
+-optional_policy(`
+- pyzor_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- # cjp: this should probably be removed:
+- rpc_domtrans_nfsd(unconfined_t)
+-')
+-
+-optional_policy(`
+- rpm_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- samba_run_net(unconfined_t, unconfined_r)
+- samba_run_winbind_helper(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- spamassassin_role(unconfined_r, unconfined_t)
+-')
+-
+-optional_policy(`
+- sysnet_run_dhcpc(unconfined_t, unconfined_r)
+- sysnet_dbus_chat_dhcpc(unconfined_t)
+-')
+-
+-optional_policy(`
+- tzdata_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- vpn_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- webalizer_run(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+- wine_domtrans(unconfined_t)
+-')
+-
+-optional_policy(`
+- xserver_domtrans(unconfined_t)
+-')
+-
+-########################################
+-#
+-# Unconfined Execmem Local policy
+-#
+-
+-allow unconfined_execmem_t self:process { execstack execmem };
+-unconfined_domain_noaudit(unconfined_execmem_t)
+-
+-optional_policy(`
+- dbus_stub(unconfined_execmem_t)
+-
+- init_dbus_chat_script(unconfined_execmem_t)
+- unconfined_dbus_chat(unconfined_execmem_t)
+-
+- optional_policy(`
+- hal_dbus_chat(unconfined_execmem_t)
+- ')
+-')
++attribute unconfined_services;
+diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
+index db75976..65191bd 100644
+--- a/policy/modules/system/userdomain.fc
++++ b/policy/modules/system/userdomain.fc
+@@ -1,4 +1,21 @@
+ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
++HOME_DIR
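Review bot: `policy_module(unconfined, 3.5.0)` in the context line is left as-is while the entire module body is removed and replaced by the single line `attribute unconfined_services;`; the module version should be bumped so an installed policy package reflects this incompatible change. The new attribute also carries no comment, so a one-liner such as `# attribute for services that run unconfined; populated by typeattribute in the modules that need it — confirm intended members` would tell the reader who is expected to populate it (the intended members are not visible in this hunk). Because `unconfined_t`, `unconfined_r`, `unconfined_exec_t` and `unconfined_execmem_t` are no longer declared here, any remaining caller of an unconfined.if interface that `gen_require`s those types will fail to link unless the declarations were moved elsewhere in the patch; the `unconfined_dbus_connect` hunk above shows one interface already turned into a `refpolicywarn` stub, which suggests the rest need the same treatment.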
-l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+-
+ /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
++/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
++/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.debug(/.*)? <>
++/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
++HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.gvfs/.* <>
++HOME_DIR/\.debug(/.*)? <>
++
++/var/run/user(/.*)?
gen_context(system_u:object_r:user_tmp_t,s0) +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 3c5dba7..2890de8 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` + ') + + attribute $1_file_type; ++ attribute $1_usertype; + +- type $1_t, userdomain; ++ type $1_t, userdomain, $1_usertype; + domain_type($1_t) ++ role $1_r; + corecmd_shell_entry_type($1_t) + corecmd_bin_entry_type($1_t) + domain_user_exemption_target($1_t) +@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` + term_user_pty($1_t, user_devpts_t) + + term_user_tty($1_t, user_tty_device_t) +- +- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; +- allow $1_t self:fd use; +- allow $1_t self:fifo_file rw_fifo_file_perms; +- allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; +- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; +- allow $1_t self:shm create_shm_perms; +- allow $1_t self:sem create_sem_perms; +- allow $1_t self:msgq create_msgq_perms; +- allow $1_t self:msg { send receive }; +- allow $1_t self:context contains; +- dontaudit $1_t self:socket create; +- +- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; +- term_create_pty($1_t, user_devpts_t) ++ term_dontaudit_getattr_generic_ptys($1_t) ++ ++ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1_usertype $1_usertype:process ptrace; ++ ') ++ allow $1_usertype $1_usertype:fd use; ++ allow $1_usertype $1_t:key { create view read write search link setattr }; ++ ++ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; ++ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; ++ allow $1_usertype $1_usertype:unix_stream_socket { 
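Review bot: `HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)?` leaves the dot in `.kde` unescaped, unlike the neighbouring `\.cert`, `\.pki`, `\.local`, `\.gvfs` and `\.debug` entries, so the regex also matches any single character in that position; it should read `HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)?`. The `<>` shown after `/root/\.debug(/.*)?`, `HOME_DIR/\.gvfs/.*` and `HOME_DIR/\.debug(/.*)?` is presumably the `<<none>>` context with its angle brackets lost in rendering; that is worth confirming against the real patch file, since a literal `<>` is not a valid file context. A short comment above the `home_cert_t` group saying why per-user certificate stores get their own type would also help, as it is the only labelling here that is not obvious from the path.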
create_stream_socket_perms connectto }; ++ allow $1_usertype $1_usertype:shm create_shm_perms; ++ allow $1_usertype $1_usertype:sem create_sem_perms; ++ allow $1_usertype $1_usertype:msgq create_msgq_perms; ++ allow $1_usertype $1_usertype:msg { send receive }; ++ allow $1_usertype $1_usertype:context contains; ++ dontaudit $1_usertype $1_usertype:socket create; ++ ++ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; ++ term_create_pty($1_usertype, user_devpts_t) + # avoid annoying messages on terminal hangup on role change +- dontaudit $1_t user_devpts_t:chr_file ioctl; ++ dontaudit $1_usertype user_devpts_t:chr_file ioctl; + +- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; ++ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + # avoid annoying messages on terminal hangup on role change +- dontaudit $1_t user_tty_device_t:chr_file ioctl; +- +- kernel_read_kernel_sysctls($1_t) +- kernel_dontaudit_list_unlabeled($1_t) +- kernel_dontaudit_getattr_unlabeled_files($1_t) +- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) +- kernel_dontaudit_getattr_unlabeled_pipes($1_t) +- kernel_dontaudit_getattr_unlabeled_sockets($1_t) +- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) +- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) +- +- dev_dontaudit_getattr_all_blk_files($1_t) +- dev_dontaudit_getattr_all_chr_files($1_t) ++ dontaudit $1_usertype user_tty_device_t:chr_file ioctl; ++ ++ application_exec_all($1_usertype) ++ ++ kernel_read_kernel_sysctls($1_usertype) ++ kernel_read_all_sysctls($1_usertype) ++ kernel_dontaudit_list_unlabeled($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_files($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) ++ 
kernel_dontaudit_list_proc($1_usertype) ++ ++ dev_dontaudit_getattr_all_blk_files($1_usertype) ++ dev_dontaudit_getattr_all_chr_files($1_usertype) ++ dev_getattr_mtrr_dev($1_t) + + # When the user domain runs ps, there will be a number of access + # denials when ps tries to search /proc. Do not audit these denials. +- domain_dontaudit_read_all_domains_state($1_t) +- domain_dontaudit_getattr_all_domains($1_t) +- domain_dontaudit_getsession_all_domains($1_t) +- +- files_read_etc_files($1_t) +- files_read_etc_runtime_files($1_t) +- files_read_usr_files($1_t) ++ domain_dontaudit_read_all_domains_state($1_usertype) ++ domain_dontaudit_getattr_all_domains($1_usertype) ++ domain_dontaudit_getsession_all_domains($1_usertype) ++ dev_dontaudit_all_access_check($1_usertype) ++ ++ files_read_etc_files($1_usertype) ++ files_list_mnt($1_usertype) ++ files_list_var($1_usertype) ++ files_read_mnt_files($1_usertype) ++ files_dontaudit_all_access_check($1_usertype) ++ files_read_etc_runtime_files($1_usertype) ++ files_read_usr_files($1_usertype) ++ files_read_usr_src_files($1_usertype) + # Read directories and files with the readable_t type. + # This type is a general type for "world"-readable files. 
+- files_list_world_readable($1_t) +- files_read_world_readable_files($1_t) +- files_read_world_readable_symlinks($1_t) +- files_read_world_readable_pipes($1_t) +- files_read_world_readable_sockets($1_t) ++ files_list_world_readable($1_usertype) ++ files_read_world_readable_files($1_usertype) ++ files_read_world_readable_symlinks($1_usertype) ++ files_read_world_readable_pipes($1_usertype) ++ files_read_world_readable_sockets($1_usertype) + # old broswer_domain(): +- files_dontaudit_list_non_security($1_t) +- files_dontaudit_getattr_non_security_files($1_t) +- files_dontaudit_getattr_non_security_symlinks($1_t) +- files_dontaudit_getattr_non_security_pipes($1_t) +- files_dontaudit_getattr_non_security_sockets($1_t) ++ files_dontaudit_getattr_all_dirs($1_usertype) ++ files_dontaudit_list_non_security($1_usertype) ++ files_dontaudit_getattr_all_files($1_usertype) ++ files_dontaudit_getattr_non_security_symlinks($1_usertype) ++ files_dontaudit_getattr_non_security_pipes($1_usertype) ++ files_dontaudit_getattr_non_security_sockets($1_usertype) ++ files_dontaudit_setattr_etc_runtime_files($1_usertype) ++ ++ files_exec_usr_files($1_t) ++ ++ fs_list_cgroup_dirs($1_usertype) ++ fs_dontaudit_rw_cgroup_files($1_usertype) ++ ++ storage_rw_fuse($1_usertype) ++ ++ auth_use_nsswitch($1_t) ++ ++ init_stream_connect($1_usertype) ++ # The library functions always try to open read-write first, ++ # then fall back to read-only if it fails. 
++ init_dontaudit_rw_utmp($1_usertype) + +- libs_exec_ld_so($1_t) ++ libs_exec_ld_so($1_usertype) + +- miscfiles_read_localization($1_t) + miscfiles_read_generic_certs($1_t) + +- sysnet_read_config($1_t) ++ miscfiles_read_all_certs($1_usertype) ++ miscfiles_read_public_files($1_usertype) + +- tunable_policy(`allow_execmem',` ++ systemd_dbus_chat_logind($1_usertype) ++ systemd_read_logind_sessions_files($1_usertype) ++ systemd_write_inhibit_pipes($1_usertype) ++ systemd_write_inherited_logind_sessions_pipes($1_usertype) ++ systemd_login_read_pid_files($1_usertype) ++ ++ tunable_policy(`deny_execmem',`', ` + # Allow loading DSOs that require executable stack. + allow $1_t self:process execmem; + ') + +- tunable_policy(`allow_execmem && allow_execstack',` ++ tunable_policy(`selinuxuser_execstack',` + # Allow making the stack executable via mprotect. + allow $1_t self:process execstack; + ') ++ ++ optional_policy(` ++ abrt_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ fs_list_cgroup_dirs($1_usertype) ++ ') ++ ++ optional_policy(` ++ ssh_rw_stream_sockets($1_usertype) ++ ssh_delete_tmp($1_t) ++ ssh_signal($1_t) ++ ') + ') + + ####################################### +@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` + type user_home_t, user_home_dir_t; + ') + ++ role $1 types { user_home_t user_home_dir_t }; ++ + ############################## + # + # Domain access to home dir +@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` + read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + files_list_home($2) + +- tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs($2) +- fs_read_nfs_files($2) +- fs_read_nfs_symlinks($2) +- fs_read_nfs_named_sockets($2) +- fs_read_nfs_named_pipes($2) +- ',` +- fs_dontaudit_list_nfs($2) +- fs_dontaudit_read_nfs_files($2) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs($2) +- fs_read_cifs_files($2) +- fs_read_cifs_symlinks($2) +- fs_read_cifs_named_sockets($2) +- 
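Review bot: `fs_list_cgroup_dirs($1_usertype)` is granted twice in the rewritten body of `userdom_base_user_template` — once unconditionally right after `files_exec_usr_files($1_t)` and again inside an `optional_policy(\`` block near the end; the second copy should be dropped, and the `optional_policy` wrapper around a filesystem-module call is unnecessary since fs is not an optional module. `application_exec_all($1_usertype)` added here also makes the `application_exec_all($1_t)` that the `userdom_login_user_template` hunk further down still keeps redundant, because `$1_t` carries `$1_usertype`. The `deny_ptrace` branch `allow $1_usertype $1_usertype:process ptrace;` permits ptrace between any two domains carrying the attribute, not only within a domain; if that is intended, a comment next to it stating so (and that the tunable's default decides whether it is live) would help reviewers, since the base template previously had no ptrace rule at all. The `systemd_*` calls are placed outside `optional_policy` while `abrt_stream_connect` and the `ssh_*` calls are wrapped; if systemd is a required module in this tree that is fine, otherwise they need the same wrapping.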
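Review bot: `role $1 types { user_home_t user_home_dir_t };` in `userdom_ro_home_role` associates a role with file types rather than process domains, and the same pattern recurs in the `userdom_manage_home_role` (`role $1 types { user_home_type user_home_dir_t };`), `userdom_manage_tmp_role` (`role $1 types user_tmp_t;`) and `userdom_manage_tmpfs_role` (`role $1 types user_tmpfs_t;`) hunks below. A role/type association normally only affects which process types a role may run, so the reason for listing object types here is not visible from the code; a one-line comment at the first site, e.g. `# role association on file types is required for <reason — confirm>`, would spare the next reader the guess and could be referenced from the other three.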
fs_read_cifs_named_pipes($2) +- ',` +- fs_dontaudit_list_cifs($2) +- fs_dontaudit_read_cifs_files($2) +- ') + ') + + ####################################### +@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` + interface(`userdom_manage_home_role',` + gen_require(` + type user_home_t, user_home_dir_t; ++ attribute user_home_type; + ') + ++ role $1 types { user_home_type user_home_dir_t }; ++ + ############################## + # + # Domain access to home dir +@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',` + type_member $2 user_home_dir_t:dir user_home_dir_t; + + # full control of the home directory ++ allow $2 user_home_t:dir mounton; + allow $2 user_home_t:file entrypoint; +- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) +- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ++ ++ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; ++ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; ++ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ manage_sock_files_pattern($2, { user_home_dir_t 
user_home_type }, user_home_type) ++ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) ++ userdom_filetrans_home_content($2) ++ + files_list_home($2) + + # cjp: this should probably be removed: + allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + + tunable_policy(`use_nfs_home_dirs',` ++ fs_mount_nfs($2) ++ fs_mounton_nfs($2) + fs_manage_nfs_dirs($2) + fs_manage_nfs_files($2) + fs_manage_nfs_symlinks($2) + fs_manage_nfs_named_sockets($2) + fs_manage_nfs_named_pipes($2) +- ',` +- fs_dontaudit_manage_nfs_dirs($2) +- fs_dontaudit_manage_nfs_files($2) + ') + + tunable_policy(`use_samba_home_dirs',` ++ fs_mount_cifs($2) ++ fs_mounton_cifs($2) + fs_manage_cifs_dirs($2) + fs_manage_cifs_files($2) + fs_manage_cifs_symlinks($2) + fs_manage_cifs_named_sockets($2) + fs_manage_cifs_named_pipes($2) +- ',` +- fs_dontaudit_manage_cifs_dirs($2) +- fs_dontaudit_manage_cifs_files($2) + ') + ') + +@@ -273,6 +315,63 @@ interface(`userdom_manage_home_role',` + ## + ## Manage user temporary files + ## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++####################################### ++## ++## Manage user temporary sockets ++## ++## ++## ++## Domain allowed access. 
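Review bot: `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` subsumes the relabel permissions that the five `relabel_*_pattern($2, { user_home_dir_t user_home_type }, user_home_type)` calls right after it grant on dir, file, lnk_file, sock_file and fifo_file, and additionally allows relabelling of chr_file and blk_file nodes under a home directory, which the pattern calls deliberately leave out. If device nodes in home directories are not meant to be relabelled by user domains, drop the bare allow and keep the patterns; if they are, keep the allow, remove the now-redundant pattern calls, and say so in a comment. The new `fs_mount_nfs($2)` / `fs_mounton_nfs($2)` and `fs_mount_cifs($2)` / `fs_mounton_cifs($2)` lines inside the `use_nfs_home_dirs` / `use_samba_home_dirs` tunables also deserve a why-comment, since mounting is a step beyond the manage access those tunables carried before.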
++## ++## ++## ++# ++interface(`userdom_manage_tmp_sockets',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++####################################### ++## ++## Manage user temporary directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_tmp_dirs',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++####################################### ++## ++## Manage user temporary files ++## + ## + ## + ## Role allowed access. +@@ -287,17 +386,64 @@ interface(`userdom_manage_home_role',` + # + interface(`userdom_manage_tmp_role',` + gen_require(` ++ attribute user_tmp_type; + type user_tmp_t; + ') + ++ role $1 types user_tmp_t; ++ + files_poly_member_tmp($2, user_tmp_t) + +- manage_dirs_pattern($2, user_tmp_t, user_tmp_t) +- manage_files_pattern($2, user_tmp_t, user_tmp_t) +- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) +- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) +- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) ++ allow $2 user_tmp_type:dir mounton; ++ manage_dirs_pattern($2, user_tmp_type, user_tmp_type) ++ manage_files_pattern($2, user_tmp_type, user_tmp_type) ++ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) ++ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) ++ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) + files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) ++ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) ++ relabel_files_pattern($2, user_tmp_type, user_tmp_type) ++ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) ++ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) ++ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) ++') ++ ++####################################### ++## ++## Dontaudit search of user bin dirs. ++## ++## ++## ++## Domain to not audit. 
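Review bot: the three new interfaces `userdom_manage_tmp_files`, `userdom_manage_tmp_sockets` and `userdom_manage_tmp_dirs` grant on the bare type `user_tmp_t`, while `userdom_manage_tmp_role` in the following hunk is switched to the `user_tmp_type` attribute; if the attribute exists to cover derived tmp types, callers of these interfaces will silently miss them. Either require `attribute user_tmp_type;` and grant on it here as well, or add a sentence to each summary stating that only generic `user_tmp_t` is covered. The doc blocks should also say that no `files_search_tmp($1)` is included, unlike `userdom_exec_user_tmp_files` below, so a caller must obtain it separately to reach the files.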
++## ++## ++# ++interface(`userdom_dontaudit_search_user_bin_dirs',` ++ gen_require(` ++ type home_bin_t; ++ ') ++ ++ dontaudit $1 home_bin_t:dir search_dir_perms; ++') ++ ++####################################### ++## ++## Execute user bin files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_exec_user_bin_files',` ++ gen_require(` ++ attribute user_home_type; ++ type home_bin_t, user_home_dir_t; ++ ') ++ ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) ++ files_search_home($1) + ') + + ####################################### +@@ -317,11 +463,31 @@ interface(`userdom_exec_user_tmp_files',` + ') + + exec_files_pattern($1, user_tmp_t, user_tmp_t) ++ dontaudit $1 user_tmp_t:sock_file execute; + files_search_tmp($1) + ') + + ####################################### + ## ++## Manage user temporary file system files ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file manage_file_perms; ++') ++ ++####################################### ++## + ## Role access for the user tmpfs type + ## that the user has full access. 
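Review bot: `userdom_exec_user_bin_files` grants execute on `home_bin_t` through `exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)` with no tunable, whereas execution of other home content is gated by the per-user `$1_exec_content` boolean introduced in the `userdom_login_user_template` hunk below; if `~/bin` is meant to be executable regardless of that boolean, a sentence in the interface summary saying so would stop callers from assuming the gate applies. In `userdom_manage_tmp_role`, `gen_require` now pulls in `attribute user_tmp_type;` but `role $1 types user_tmp_t;` and `files_tmp_filetrans($2, user_tmp_t, ...)` stay on the bare type; this looks intentional (a filetrans needs a concrete type) but is worth a short comment so the mix is not read as an oversight.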
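Review bot: `userdom_manage_tmpfs_files` grants only `allow $1 user_tmpfs_t:file manage_file_perms;` — unlike its sibling `userdom_manage_tmp_files` in the earlier hunk, which uses `manage_files_pattern`, it gives no directory permissions on `user_tmpfs_t`, so creating or unlinking a file inside a `user_tmpfs_t` directory needs access this interface does not provide. If full management is intended, the body should be `manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)`; otherwise the summary `Manage user temporary file system files` overstates what is granted and should say "read/write existing files". The added `dontaudit $1 user_tmp_t:sock_file execute;` in `userdom_exec_user_tmp_files` would benefit from a comment naming the program that triggers the denial being silenced.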
+ ## +@@ -348,59 +514,60 @@ interface(`userdom_exec_user_tmp_files',` + # + interface(`userdom_manage_tmpfs_role',` + gen_require(` ++ attribute user_tmpfs_type; + type user_tmpfs_t; + ') + +- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) +- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) +- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) +- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) +- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) ++ role $1 types user_tmpfs_t; ++ ++ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) + fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) ++ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) + ') + + ####################################### + ## +-## The template allowing the user basic ++## The interface allowing the user basic + ## network permissions + ## +-## ++## + ## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). 
++## The user domain + ## + ## + ## + # +-template(`userdom_basic_networking_template',` +- gen_require(` +- type $1_t; +- ') ++interface(`userdom_basic_networking',` + +- allow $1_t self:tcp_socket create_stream_socket_perms; +- allow $1_t self:udp_socket create_socket_perms; ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled($1_t) +- corenet_all_recvfrom_netlabel($1_t) +- corenet_tcp_sendrecv_generic_if($1_t) +- corenet_udp_sendrecv_generic_if($1_t) +- corenet_tcp_sendrecv_generic_node($1_t) +- corenet_udp_sendrecv_generic_node($1_t) +- corenet_tcp_sendrecv_all_ports($1_t) +- corenet_udp_sendrecv_all_ports($1_t) +- corenet_tcp_connect_all_ports($1_t) +- corenet_sendrecv_all_client_packets($1_t) +- +- corenet_all_recvfrom_labeled($1_t, $1_t) ++ corenet_tcp_sendrecv_generic_if($1) ++ corenet_udp_sendrecv_generic_if($1) ++ corenet_tcp_sendrecv_generic_node($1) ++ corenet_udp_sendrecv_generic_node($1) ++ corenet_tcp_sendrecv_all_ports($1) ++ corenet_udp_sendrecv_all_ports($1) ++ corenet_tcp_connect_all_ports($1) ++ corenet_sendrecv_all_client_packets($1) + + optional_policy(` +- init_tcp_recvfrom_all_daemons($1_t) +- init_udp_recvfrom_all_daemons($1_t) ++ init_tcp_recvfrom_all_daemons($1) ++ init_udp_recvfrom_all_daemons($1) + ') + + optional_policy(` +- ipsec_match_default_spd($1_t) ++ ipsec_match_default_spd($1) + ') ++ + ') + + ####################################### +@@ -431,6 +598,7 @@ template(`userdom_xwindows_client_template',` + dev_dontaudit_rw_dri($1_t) + # GNOME checks for usb and other devices: + dev_rw_usbfs($1_t) ++ dev_rw_generic_usb_dev($1_t) + + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) + xserver_xsession_entry_type($1_t) +@@ -463,8 +631,8 @@ template(`userdom_change_password_template',` + ') + + optional_policy(` +- usermanage_run_chfn($1_t, $1_r) +- usermanage_run_passwd($1_t, $1_r) ++ usermanage_run_chfn($1_t,$1_r) ++ 
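Review bot: `userdom_basic_networking_template` is removed and replaced by `userdom_basic_networking`, which takes a domain instead of a prefix, but no deprecated stub is kept under the old name; the `unconfined_dbus_connect` hunk in this same patch shows the convention `refpolicywarn(\`$0() has been deprecated.')`, and a one-line template of that form would keep out-of-tree callers compiling. The new interface no longer includes `corenet_all_recvfrom_unlabeled`, `corenet_all_recvfrom_netlabel` or `corenet_all_recvfrom_labeled`, and the `userdom_common_user_template` hunk below re-adds only `corenet_all_recvfrom_netlabel($1_t)`, so the summary `The interface allowing the user basic network permissions` should state that receiving labeled/unlabeled peer traffic is not part of the basic set. Minor: there is a stray blank line before the closing `')`.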
usermanage_run_passwd($1_t,$1_r) + ') + ') + +@@ -491,7 +659,8 @@ template(`userdom_common_user_template',` + attribute unpriv_userdomain; + ') + +- userdom_basic_networking_template($1) ++ userdom_basic_networking($1_usertype) ++ corenet_all_recvfrom_netlabel($1_t) + + ############################## + # +@@ -501,41 +670,51 @@ template(`userdom_common_user_template',` + # evolution and gnome-session try to create a netlink socket + dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; ++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; ++ allow $1_t self:socket create_socket_perms; + +- allow $1_t unpriv_userdomain:fd use; ++ allow $1_usertype unpriv_userdomain:fd use; + + kernel_read_system_state($1_t) +- kernel_read_network_state($1_t) +- kernel_read_net_sysctls($1_t) ++ kernel_read_network_state($1_usertype) ++ kernel_read_software_raid_state($1_usertype) ++ kernel_read_net_sysctls($1_usertype) + # Very permissive allowing every domain to see every type: +- kernel_get_sysvipc_info($1_t) ++ kernel_get_sysvipc_info($1_usertype) + # Find CDROM devices: +- kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) ++ kernel_read_device_sysctls($1_usertype) ++ kernel_request_load_module($1_usertype) + +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) ++ corenet_udp_bind_generic_node($1_usertype) ++ corenet_udp_bind_generic_port($1_usertype) + +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) ++ dev_read_rand($1_usertype) ++ dev_write_sound($1_usertype) ++ dev_read_sound($1_usertype) ++ dev_read_sound_mixer($1_usertype) ++ dev_write_sound_mixer($1_usertype) + +- files_exec_etc_files($1_t) +- files_search_locks($1_t) ++ 
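Review bot: `userdom_basic_networking($1_usertype)` grants the socket and port permissions to the whole `$1_usertype` attribute, but the companion `corenet_all_recvfrom_netlabel($1_t)` on the next line applies to `$1_t` only, so any other domain placed in the attribute receives the send/connect rules without the NetLabel receive rule. Unless that split is deliberate it should be `corenet_all_recvfrom_netlabel($1_usertype)`, or the asymmetry should be explained in a comment. The enclosing `userdom_common_user_template` starts before this hunk.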
files_exec_etc_files($1_usertype) ++ files_search_locks($1_usertype) + # Check to see if cdrom is mounted +- files_search_mnt($1_t) ++ files_search_mnt($1_usertype) + # cjp: perhaps should cut back on file reads: +- files_read_var_files($1_t) +- files_read_var_symlinks($1_t) +- files_read_generic_spool($1_t) +- files_read_var_lib_files($1_t) ++ files_read_var_files($1_usertype) ++ files_read_var_symlinks($1_usertype) ++ files_read_generic_spool($1_usertype) ++ files_read_var_lib_files($1_usertype) + # Stat lost+found. +- files_getattr_lost_found_dirs($1_t) ++ files_getattr_lost_found_dirs($1_usertype) ++ files_read_config_files($1_usertype) ++ fs_read_noxattr_fs_files($1_usertype) ++ fs_read_noxattr_fs_symlinks($1_usertype) ++ fs_rw_cgroup_files($1_usertype) ++ ++ application_getattr_socket($1_usertype) ++ ++ logging_send_syslog_msg($1_t) + +- fs_rw_cgroup_files($1_t) ++ selinux_get_enforce_mode($1_t) + + # cjp: some of this probably can be removed + selinux_get_fs_mount($1_t) +@@ -546,93 +725,120 @@ template(`userdom_common_user_template',` + selinux_compute_user_contexts($1_t) + + # for eject +- storage_getattr_fixed_disk_dev($1_t) ++ storage_getattr_fixed_disk_dev($1_usertype) + +- auth_use_nsswitch($1_t) +- auth_read_login_records($1_t) +- auth_search_pam_console_data($1_t) +- auth_run_pam($1_t, $1_r) +- auth_run_utempter($1_t, $1_r) ++ auth_read_login_records($1_usertype) ++ auth_run_pam_timestamp($1_t,$1_r) ++ auth_run_utempter($1_t,$1_r) ++ auth_filetrans_admin_home_content($1_t) + +- init_read_utmp($1_t) ++ init_read_utmp($1_usertype) + +- seutil_read_file_contexts($1_t) +- seutil_read_default_contexts($1_t) +- seutil_run_newrole($1_t, $1_r) ++ seutil_read_file_contexts($1_usertype) ++ seutil_read_default_contexts($1_usertype) ++ seutil_run_newrole($1_t,$1_r) + seutil_exec_checkpolicy($1_t) +- seutil_exec_setfiles($1_t) ++ seutil_exec_setfiles($1_usertype) + # for when the network connection is killed + # this is needed when a login role can change + # to 
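Review bot: `allow $1_t self:socket create_socket_perms;` is at odds with `dontaudit $1_usertype $1_usertype:socket create;` kept in the `userdom_base_user_template` hunk above — for `$1_t` the allow now wins and the dontaudit is dead, while other members of the attribute are still silently denied the generic `socket` class, so the two sites should agree and one of them should carry a comment explaining the decision. `kernel_request_load_module($1_usertype)` lets every domain in the attribute trigger kernel module autoloading; a why-comment naming the use case, in the style of the neighbouring `# Find CDROM devices:`, is warranted for a grant of that breadth. The enclosing `userdom_common_user_template` starts before this hunk.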
this one. + seutil_dontaudit_signal_newrole($1_t) + +- tunable_policy(`user_direct_mouse',` +- dev_read_mouse($1_t) +- ') ++ term_getattr_all_ttys($1_t) + +- tunable_policy(`user_ttyfile_stat',` +- term_getattr_all_ttys($1_t) ++ optional_policy(` ++ # Allow graphical boot to check battery lifespan ++ apm_stream_connect($1_usertype) + ') + + optional_policy(` +- alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") +- alsa_manage_home_files($1_t) +- alsa_read_rw_config($1_t) +- alsa_relabel_home_files($1_t) ++ chrome_role($1_r, $1_usertype) + ') + + optional_policy(` +- # Allow graphical boot to check battery lifespan +- apm_stream_connect($1_t) ++ canna_stream_connect($1_usertype) + ') + + optional_policy(` +- canna_stream_connect($1_t) ++ colord_read_lib_files($1_usertype) + ') + + optional_policy(` +- dbus_system_bus_client($1_t) ++ dbus_system_bus_client($1_usertype) ++ ++ allow $1_usertype $1_usertype:dbus send_msg; ++ ++ optional_policy(` ++ avahi_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') + + optional_policy(` +- bluetooth_dbus_chat($1_t) ++ hal_dbus_chat($1_usertype) + ') + + optional_policy(` +- consolekit_dbus_chat($1_t) ++ kde_dbus_chat_backlighthelper($1_usertype) + ') + + optional_policy(` +- cups_dbus_chat_config($1_t) ++ modemmanager_dbus_chat($1_usertype) + ') + + optional_policy(` +- hal_dbus_chat($1_t) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) + ') + + optional_policy(` +- networkmanager_dbus_chat($1_t) ++ 
policykit_dbus_chat($1_usertype) + ') + + optional_policy(` +- policykit_dbus_chat($1_t) ++ vpn_dbus_chat($1_usertype) + ') + ') + + optional_policy(` +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) ++ git_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) + ') + + optional_policy(` +- inn_read_config($1_t) +- inn_read_news_lib($1_t) +- inn_read_news_spool($1_t) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) + ') + + optional_policy(` +- kerberos_manage_krb5_home_files($1_t) +- kerberos_relabel_krb5_home_files($1_t) +- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") ++ lircd_stream_connect($1_usertype) + ') + + optional_policy(` +@@ -642,23 +848,21 @@ template(`userdom_common_user_template',` + optional_policy(` + mpd_manage_user_data_content($1_t) + mpd_relabel_user_data_content($1_t) ++ mpd_stream_connect($1_t) + ') + + # for running depmod as part of the kernel packaging process + optional_policy(` +- modutils_read_module_config($1_t) ++ modutils_read_module_config($1_usertype) + ') + + optional_policy(` +- mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) + ') + + optional_policy(` +- mysql_manage_mysqld_home_files($1_t) +- mysql_relabel_mysqld_home_files($1_t) +- mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") +- +- tunable_policy(`allow_user_mysql_connect',` ++ tunable_policy(`selinuxuser_mysql_connect_enabled',` + mysql_stream_connect($1_t) + ') + ') +@@ -671,7 +875,7 @@ template(`userdom_common_user_template',` + + optional_policy(` + # to allow monitoring of pcmcia status +- pcmcia_read_pid($1_t) ++ pcmcia_read_pid($1_usertype) + ') + + optional_policy(` +@@ -680,9 +884,9 @@ template(`userdom_common_user_template',` + ') + + optional_policy(` +- tunable_policy(`allow_user_postgresql_connect',` +- postgresql_stream_connect($1_t) +- postgresql_tcp_connect($1_t) ++ 
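Review bot: `term_getattr_all_ttys($1_t)` becomes unconditional here, where the removed `user_ttyfile_stat` tunable used to gate it, and `dev_read_mouse` with its `user_direct_mouse` tunable disappears entirely; a short comment stating that those booleans were retired would stop a later reader from reintroducing them. In the dbus block, `allow $1_usertype $1_usertype:dbus send_msg;` lets any attribute member message any other on the bus, which is broader than the per-service `*_dbus_chat` calls around it and deserves an intent comment in the same style. `git_role($1_r, $1_t)` passes `$1_t` where `chrome_role($1_r, $1_usertype)` and `thumb_role($1_r, $1_usertype)` pass the attribute; if that difference is intentional, say so in a comment.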
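Review bot: `mta_manage_queue($1_usertype)` next to `mta_rw_spool($1_usertype)` gives every domain carrying the attribute management access over the mail queue, presumably including create and delete, which is considerably more than the rw-spool access the template had; a why-comment naming the client that needs it would justify the widening. The tunable rename `allow_user_mysql_connect` → `selinuxuser_mysql_connect_enabled` (and `allow_user_postgresql_connect` → `selinuxuser_postgresql_connect_enabled` in the following hunk) drops the old name without a compatibility alias, so existing `setsebool` settings for the old boolean stop having effect; that is worth calling out in the commit description.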
tunable_policy(`selinuxuser_postgresql_connect_enabled',` ++ postgresql_stream_connect($1_usertype) ++ postgresql_tcp_connect($1_usertype) + ') + ') + +@@ -693,32 +897,35 @@ template(`userdom_common_user_template',` + ') + + optional_policy(` +- resmgr_stream_connect($1_t) ++ resmgr_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpc_dontaudit_getattr_exports($1_usertype) + ') + + optional_policy(` +- rpc_dontaudit_getattr_exports($1_t) +- rpc_manage_nfs_rw_content($1_t) ++ rpcbind_stream_connect($1_usertype) + ') + + optional_policy(` +- samba_stream_connect_winbind($1_t) ++ samba_stream_connect_winbind($1_usertype) + ') + + optional_policy(` +- slrnpull_search_spool($1_t) ++ sandbox_transition($1_usertype, $1_r) + ') + + optional_policy(` +- usernetctl_run($1_t, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) + ') + + optional_policy(` +- virt_home_filetrans_virt_home($1_t, dir, ".libvirt") +- virt_home_filetrans_virt_home($1_t, dir, ".virtinst") +- virt_home_filetrans_virt_content($1_t, dir, "isos") +- virt_home_filetrans_svirt_home($1_t, dir, "qemu") +- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") ++ slrnpull_search_spool($1_usertype) ++ ') ++ ++ optional_policy(` ++ thumb_role($1_r, $1_usertype) + ') + ') + +@@ -743,17 +950,33 @@ template(`userdom_common_user_template',` + template(`userdom_login_user_template', ` + gen_require(` + class context contains; ++ attribute login_userdomain; + ') + + userdom_base_user_template($1) + ++ typeattribute $1_t login_userdomain; ++ + userdom_manage_home_role($1_r, $1_t) + +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable($1_exec_content, true) ++ ++ tunable_policy(`$1_exec_content',` ++ userdom_exec_user_tmp_files($1_usertype) ++ 
userdom_exec_user_home_content_files($1_usertype)
++ ')
++ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
++ fs_exec_nfs_files($1_usertype)
++ ')
++
++ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
++ fs_exec_cifs_files($1_usertype)
++ ')
++ ')
+ 
+ userdom_change_password_template($1)
+ 
+@@ -761,82 +984,101 @@ template(`userdom_login_user_template', `
+ #
+ # User domain Local policy
+ #
+-
+- allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
++ allow $1_t self:process ~{ ptrace execmem execstack execheap };
++
++ tunable_policy(`selinuxuser_use_ssh_chroot',`
++ allow $1_t self:capability { setuid setgid sys_chroot };
++ ')
+ 
+- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+ dontaudit $1_t self:process setrlimit;
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++ domain_dyntrans_type($1_t)
+ 
+ allow $1_t self:context contains;
+ 
+- kernel_dontaudit_read_system_state($1_t)
++ kernel_dontaudit_read_system_state($1_usertype)
++ kernel_dontaudit_list_all_proc($1_usertype)
+ 
+- dev_read_sysfs($1_t)
+- dev_read_urand($1_t)
++ dev_read_sysfs($1_usertype)
++ dev_read_rand($1_usertype)
++ dev_read_urand($1_usertype)
+ 
+- domain_use_interactive_fds($1_t)
++ domain_use_interactive_fds($1_usertype)
+ # Command completion can fire hundreds of denials
+- domain_dontaudit_exec_all_entry_files($1_t)
++ domain_dontaudit_exec_all_entry_files($1_usertype)
+ 
+- files_dontaudit_list_default($1_t)
+- files_dontaudit_read_default_files($1_t)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
+ # Stat lost+found. 
+- files_getattr_lost_found_dirs($1_t)
++ files_getattr_lost_found_dirs($1_usertype)
+ 
+- fs_get_all_fs_quotas($1_t)
+- fs_getattr_all_fs($1_t)
+- fs_getattr_all_dirs($1_t)
+- fs_search_auto_mountpoints($1_t)
+- fs_list_cgroup_dirs($1_t)
+- fs_list_inotifyfs($1_t)
+- fs_rw_anon_inodefs_files($1_t)
+- fs_dontaudit_rw_cgroup_files($1_t)
++ fs_get_all_fs_quotas($1_usertype)
++ fs_getattr_all_fs($1_usertype)
++ fs_search_all($1_usertype)
++ fs_list_inotifyfs($1_usertype)
++ fs_rw_anon_inodefs_files($1_usertype)
+ 
++ auth_role($1_r, $1_t)
++ auth_create_cache($1_t)
++ auth_rw_cache($1_t)
++ auth_search_pam_console_data($1_t)
++ auth_dontaudit_read_login_records($1_t)
+ auth_dontaudit_write_login_records($1_t)
+ 
+ application_exec_all($1_t)
+-
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
+ init_dontaudit_rw_utmp($1_t)
++
+ # Stop warnings about access to /dev/console
+- init_dontaudit_use_fds($1_t)
+- init_dontaudit_use_script_fds($1_t)
++ init_dontaudit_use_fds($1_usertype)
++ init_dontaudit_use_script_fds($1_usertype)
+ 
+- libs_exec_lib_files($1_t)
++ libs_exec_lib_files($1_usertype)
+ 
+- logging_dontaudit_getattr_all_logs($1_t)
++ logging_dontaudit_getattr_all_logs($1_usertype)
+ 
+- miscfiles_read_man_pages($1_t)
+ # for running TeX programs
+- miscfiles_read_tetex_data($1_t)
+- miscfiles_exec_tetex_data($1_t)
++ miscfiles_read_tetex_data($1_usertype)
++ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
++ seutil_read_file_contexts($1_usertype)
++ seutil_read_default_contexts($1_usertype)
++ seutil_exec_setfiles($1_usertype)
+ 
+- seutil_read_config($1_t)
++ optional_policy(`
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
++ ')
++
++ optional_policy(`
++ kerberos_use($1_usertype)
++ init_write_key($1_usertype)
++ ')
+ 
+ optional_policy(`
+- cups_read_config($1_t)
+- cups_stream_connect($1_t)
+- 
+- cups_stream_connect_ptal($1_t)
++ mysql_filetrans_named_content($1_usertype)
+ ')
+ 
+ optional_policy(`
+- kerberos_use($1_t)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
+ ')
+ 
+ optional_policy(`
+- mta_dontaudit_read_spool_symlinks($1_t)
++ quota_dontaudit_getattr_db($1_usertype)
+ ')
+ 
+ optional_policy(`
+- quota_dontaudit_getattr_db($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
+ ')
+ 
+ optional_policy(`
+- rpm_read_db($1_t)
+- rpm_dontaudit_manage_db($1_t)
++ oddjob_run_mkhomedir($1_t, $1_r)
+ ')
+ ')
+ 
+@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',`
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+ 
++ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
++ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
++
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
++
+ ##############################
+ #
+ # Local policy
+@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',`
+ #
+ # Local policy
+ #
++ kernel_stream_connect($1_usertype)
+ 
+- auth_role($1_r, $1_t)
+- auth_search_pam_console_data($1_t)
+-
+- dev_read_sound($1_t)
+- dev_write_sound($1_t)
++ dev_read_sound($1_usertype)
++ dev_write_sound($1_usertype)
+ # gnome keyring wants to read this. 
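Review bot: The new `allow $1_t self:process ~{ ptrace execmem execstack execheap };` in the `@@ -761,82 +984,101 @@` hunk drops setcurrent, setexec and setrlimit from the exclusion set the removed line had, so every login user domain may now change its own SELinux context and rlimits, and the added `domain_dyntrans_type($1_t)` appears to be what makes that dynamic transition usable, yet neither line says which program needs it. The retained context line `dontaudit $1_t self:process setrlimit;` is now dead, because setrlimit is allowed by the line above it. If the widening is deliberate, a comment naming the consumer, e.g. `# setcurrent/setexec + dyntrans needed by <PROGRAM — confirm>`, would let a later reviewer judge it; otherwise keep `setcurrent setexec setrlimit` in the `~{ }` set and drop the redundant dontaudit. The `selinuxuser_use_ssh_chroot` tunable block a few lines above grants `setuid setgid sys_chroot` to the user domain and would benefit from the same one-line justification. The template's header is in the preceding hunk, outside this one.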
+- dev_dontaudit_read_rand($1_t)
++ dev_dontaudit_read_rand($1_usertype)
++ # temporarily allow since openoffice requires this
++ dev_read_rand($1_usertype)
++
++ dev_read_video_dev($1_usertype)
++ dev_write_video_dev($1_usertype)
++ dev_rw_wireless($1_usertype)
++
++ libs_dontaudit_setattr_lib_files($1_usertype)
++
++ init_read_state($1_usertype)
++
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
++ dev_rw_usbfs($1_t)
++ dev_rw_generic_usb_dev($1_usertype)
++
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ fs_manage_dos_dirs($1_usertype)
++ fs_manage_dos_files($1_usertype)
++ storage_raw_read_removable_device($1_usertype)
++ storage_raw_write_removable_device($1_usertype)
++ ')
+ 
+ logging_send_syslog_msg($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+ 
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
++ seutil_exec_restorecond($1_t)
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
+ 
+ xserver_restricted_role($1_r, $1_t)
+ 
+ optional_policy(`
+- alsa_read_rw_config($1_t)
++ alsa_read_rw_config($1_usertype)
++ ')
++
++ # cjp: needed by KDE apps
++ # bug: #682499
++ optional_policy(`
++ gnome_read_usr_config($1_usertype)
++ gnome_role_gkeyringd($1, $1_r, $1_usertype)
++ # cjp: telepathy F15 bugs
++ telepathy_role($1_r, $1_t, $1)
++ ')
++
++ optional_policy(`
++ obex_role($1_r, $1_t, $1)
+ ')
+ 
+ optional_policy(`
+- dbus_role_template($1, $1_r, $1_t)
+- dbus_system_bus_client($1_t)
++ dbus_role_template($1, $1_r, $1_usertype)
++ dbus_system_bus_client($1_usertype)
++ allow $1_usertype $1_usertype:dbus send_msg;
++
++ optional_policy(`
++ abrt_dbus_chat($1_usertype)
++ abrt_run_helper($1_usertype, $1_r)
++ ')
++
++ optional_policy(`
++ accountsd_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dontaudit_read_log($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ ')
++
++ 
optional_policy(`
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
++ ')
+ 
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
+ ')
+ 
+ optional_policy(`
+- cups_dbus_chat($1_t)
++ fprintd_dbus_chat($1_t)
+ ')
+ 
+ optional_policy(`
+- gnome_role_template($1, $1_r, $1_t)
++ realmd_dbus_chat($1_t)
+ ')
+ 
+ optional_policy(`
+@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',`
+ ')
+ 
+ optional_policy(`
+- java_role($1_r, $1_t)
++ policykit_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1_r, $1_usertype)
++ pulseaudio_filetrans_admin_home_content($1_usertype)
++ ')
++
++ optional_policy(`
++ rtkit_scheduled($1_usertype)
++ ')
++
++ optional_policy(`
++ systemd_filetrans_home_content($1_usertype)
+ ')
+ 
+ optional_policy(`
+ setroubleshoot_dontaudit_stream_connect($1_t)
+ ')
+-')
+ 
+-#######################################
++ optional_policy(`
++ udev_read_db($1_usertype)
++ ')
++
++ optional_policy(`
++ xserver_xdm_ioctl_log($1_t)
++ ')
++')
++
++#######################################
+ ##
+ ## The template for creating a unprivileged user roughly
+ ## equivalent to a regular linux user.
+@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
+ #
+ 
+ # Inherit rules for ordinary users. 
+- userdom_restricted_user_template($1)
++ userdom_restricted_xwindows_user_template($1)
+ userdom_common_user_template($1)
+ 
+ ##############################
+ #
+ # Local policy
+ #
++ allow $1_t self:capability { setgid chown fowner };
++
++ corecmd_exec_chroot($1_t)
+ 
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
++# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
++ corenet_tcp_bind_generic_node($1_usertype)
++
++ storage_rw_fuse($1_t)
+ 
+ files_exec_usr_files($1_t)
+- # cjp: why?
++ # cjp: why?
+ files_read_kernel_symbol_table($1_t)
+ 
+ ifndef(`enable_mls',`
+ fs_exec_noxattr($1_t)
+ 
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ # Write floppies
+@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
+ ')
+ ')
+ 
+- tunable_policy(`user_dmesg',`
+- kernel_read_ring_buffer($1_t)
+- ',`
+- kernel_dontaudit_read_ring_buffer($1_t)
+- ')
++ miscfiles_read_hwdata($1_usertype)
++
++ fs_mounton_fusefs($1_usertype)
+ 
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
+- tunable_policy(`user_tcp_server',`
+- corenet_tcp_bind_generic_node($1_t)
+- corenet_tcp_bind_generic_port($1_t)
++
++ tunable_policy(`selinuxuser_share_music',`
++ corenet_tcp_bind_daap_port($1_usertype)
++ ')
++
++ tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_usertype)
++ ')
++
++ optional_policy(`
++ cdrecord_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ cron_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ games_rw_data($1_usertype)
++ ')
++
++ optional_policy(`
++ gpg_role($1_r, $1_usertype)
++ ')
++ 
++ optional_policy(`
++ systemd_dbus_chat_timedated($1_t)
++ systemd_dbus_chat_hostnamed($1_t)
++ systemd_dbus_chat_localed($1_t)
++ ')
++
++ optional_policy(`
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
+ ')
+ 
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
++ postfix_run_postdrop($1_t, $1_r)
++ postfix_search_spool($1_t)
+ ')
+ 
+ # Run pppd in pppd_t by default for user
+@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
+ ')
+ 
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
++ vdagent_getattr_log($1_t)
++ vdagent_getattr_exec_files($1_t)
++ vdagent_stream_connect($1_t)
+ ')
+ ')
+ 
+@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
+ template(`userdom_admin_user_template',`
+ gen_require(`
+ attribute admindomain;
+- class passwd { passwd chfn chsh rootok };
++ attribute confined_admindomain;
++
++ class passwd { passwd chfn chsh rootok crontab };
+ ')
+ 
+ ##############################
+@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',`
+ role system_r types $1_t;
+ 
+ typeattribute $1_t admindomain;
++ typeattribute $1_t confined_admindomain;
+ 
+ ifdef(`direct_sysadm_daemon',`
+ domain_system_change_exemption($1_t)
+@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',`
+ #
+ 
+ allow $1_t self:capability ~{ sys_module audit_control audit_write };
++ allow $1_t self:capability2 { block_suspend syslog };
+ allow $1_t self:process { setexec setfscreate };
+ allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+ allow $1_t self:tun_socket create;
+@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',`
+ # Skip authentication when pam_rootok is specified.
+ allow $1_t self:passwd rootok;
+ 
++ # Manipulate other users crontab. 
++ allow $1_t self:passwd crontab;
++
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',`
+ kernel_sigstop_unlabeled($1_t)
+ kernel_signull_unlabeled($1_t)
+ kernel_sigchld_unlabeled($1_t)
++ kernel_signal($1_t)
+ 
+ corenet_tcp_bind_generic_port($1_t)
+ # allow setting up tunnels
+@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',`
+ dev_rename_all_blk_files($1_t)
+ dev_rename_all_chr_files($1_t)
+ dev_create_generic_symlinks($1_t)
++ dev_rw_generic_usb_dev($1_t)
++ dev_rw_usbfs($1_t)
++ dev_read_kmsg($1_t)
+ 
+ domain_setpriority_all_domains($1_t)
+ domain_read_all_domains_state($1_t)
+ domain_getattr_all_domains($1_t)
++ domain_getcap_all_domains($1_t)
+ domain_dontaudit_ptrace_all_domains($1_t)
+ # signal all domains:
+ domain_kill_all_domains($1_t)
+@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',`
+ domain_sigchld_all_domains($1_t)
+ # for lsof
+ domain_getattr_all_sockets($1_t)
++ domain_dontaudit_getattr_all_sockets($1_t)
+ 
+ files_exec_usr_src_files($1_t)
+ 
+ fs_getattr_all_fs($1_t)
++ fs_getattr_all_files($1_t)
++ fs_list_all($1_t)
+ fs_set_all_quotas($1_t)
+ fs_exec_noxattr($1_t)
+ 
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
++ storage_dontaudit_read_fixed_disk($1_t)
+ 
+- term_use_all_terms($1_t)
++ term_use_all_inherited_terms($1_t)
++ term_use_unallocated_ttys($1_t)
+ 
+ auth_getattr_shadow($1_t)
+ # Manage almost all files
+- files_manage_non_auth_files($1_t)
++ files_manage_non_security_dirs($1_t)
++ files_manage_non_security_files($1_t)
+ # Relabel almost all files
+- files_relabel_non_auth_files($1_t)
++ files_relabel_non_security_files($1_t)
+ 
+ init_telinit($1_t)
+ 
+ logging_send_syslog_msg($1_t)
+ 
+- modutils_domtrans_insmod($1_t)
++ optional_policy(`
++ modutils_domtrans_insmod($1_t)
++ modutils_domtrans_depmod($1_t)
++ ')
+ 
+ # The following rule is temporary 
until such time that a complete
+ # policy management infrastructure is in place so that an administrator
+@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',`
+ # But presently necessary for installing the file_contexts file.
+ seutil_manage_bin_policy($1_t)
+ 
++ systemd_config_all_services($1_t)
++
+ userdom_manage_user_home_content_dirs($1_t)
+ userdom_manage_user_home_content_files($1_t)
+ userdom_manage_user_home_content_symlinks($1_t)
+@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',`
+ userdom_manage_user_home_content_sockets($1_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
+ 
+- tunable_policy(`user_rw_noexattrfile',`
++ tunable_policy(`selinuxuser_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_dirs($1_t)
+ ',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+ 
++ tunable_policy(`selinuxuser_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_t)
++ ')
++
+ optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',`
+ ##
+ ##
+ #
+-template(`userdom_security_admin_template',`
++template(`userdom_security_admin',`
+ allow $1 self:capability { dac_read_search dac_override };
+ 
+ corecmd_exec_shell($1)
+@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',`
+ dev_relabel_all_dev_nodes($1)
+ 
+ files_create_boot_flag($1)
++ files_create_default_dir($1)
++ files_root_filetrans_default($1, dir)
+ 
+ # Necessary for managing /boot/efi
+ fs_manage_dos_files($1)
+@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',`
+ selinux_set_enforce_mode($1)
+ selinux_set_all_booleans($1)
+ selinux_set_parameters($1)
++ selinux_read_policy($1)
++
++ files_relabel_all_files($1)
+ 
+- files_relabel_non_auth_files($1)
+ auth_relabel_shadow($1)
+ 
+ init_exec($1)
+@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',`
+ logging_read_audit_config($1)
+ 
+ seutil_manage_bin_policy($1)
+- 
seutil_run_checkpolicy($1, $2)
+- seutil_run_loadpolicy($1, $2)
+- seutil_run_semanage($1, $2)
++ seutil_manage_default_contexts($1)
++ seutil_manage_file_contexts($1)
++ seutil_manage_module_store($1)
++ seutil_manage_config($1)
++ seutil_manage_login_config($1)
++ seutil_run_checkpolicy($1,$2)
++ seutil_run_loadpolicy($1,$2)
++ seutil_run_semanage($1,$2)
++ seutil_run_setsebool($1,$2)
+ seutil_run_setfiles($1, $2)
+ 
+ optional_policy(`
+- aide_run($1, $2)
++ aide_run($1,$2)
+ ')
+ 
+ optional_policy(`
+ consoletype_exec($1)
+ ')
+ 
+- optional_policy(`
+- dmesg_exec($1)
+- ')
+-
+- optional_policy(`
+- ipsec_run_setkey($1, $2)
++ optional_policy(`
++ ipsec_run_setkey($1,$2)
+ ')
+ 
+ optional_policy(`
+- netlabel_run_mgmt($1, $2)
++ netlabel_run_mgmt($1,$2)
+ ')
+ 
+ optional_policy(`
+@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',`
+ gen_require(`
+ attribute user_home_content_type;
+ type user_home_t;
++ attribute user_home_type;
+ ')
+ 
+ typeattribute $1 user_home_content_type;
+ 
+ allow $1 user_home_t:filesystem associate;
+ files_type($1)
+- files_poly_member($1)
+ ubac_constrained($1)
++
++ files_poly_member($1)
++ typeattribute $1 user_home_type;
+ ')
+ 
+ ########################################
+@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
+ ##
+ ## Allow domain to attach to TUN devices created by administrative users.
+ ##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory.
++##
++##
++#
++interface(`userdom_user_tmp_content',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ typeattribute $1 user_tmp_type;
++
++ files_tmp_file($1)
++ ubac_constrained($1)
++')
++
++########################################
++##
++## Make the specified type usable in a
++## generic tmpfs_t directory.
++##
++##
++##
++## Type to be used as a file in the
++## generic temporary directory. 
++##
++##
++#
++interface(`userdom_user_tmpfs_content',`
++ gen_require(`
++ attribute user_tmpfs_type;
++ ')
++
++ typeattribute $1 user_tmpfs_type;
++
++ files_tmpfs_file($1)
++ ubac_constrained($1)
++')
++
++########################################
++##
++## Allow domain to attach to TUN devices created by administrative users.
++##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
+ ')
+ 
+ allow $1 user_home_dir_t:dir search_dir_perms;
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
+ files_search_home($1)
+ ')
+ 
+ ########################################
+ ##
++## Search user tmp directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_search_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to search user home directories.
+ ##
+ ##
+@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
+ 
+ allow $1 user_home_dir_t:dir list_dir_perms;
+ files_search_home($1)
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ ')
+ ')
+ 
+ ########################################
+@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
+ interface(`userdom_dontaudit_list_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
++ type user_home_t;
+ ')
+ 
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+ allow $1 user_home_dir_t:dir relabelto;
+ ')
+ 
++
++########################################
++##
++## Relabel to user home files.
++##
++##
++##
++## Domain allowed access. 
++##
++##
++#
++interface(`userdom_relabelto_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabelto;
++')
++########################################
++##
++## Relabel user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabel_file_perms;
++')
++
+ ########################################
+ ##
+ ## Create directories in the home dir root with
+@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ')
+ 
+ dontaudit $1 user_home_t:dir search_dir_perms;
++ fs_dontaudit_list_nfs($1)
++ fs_dontaudit_list_cifs($1)
+ ')
+ 
+ ########################################
+@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
+ #
+ interface(`userdom_list_user_home_content',`
+ gen_require(`
+- type user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+ 
+- allow $1 user_home_t:dir list_dir_perms;
++ files_list_home($1)
++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
+ ')
+ 
+ ########################################
+@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+ 
+ ########################################
+ ##
+-## Delete all user home content directories.
++## Delete directories in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_home_content_dirs',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:dir delete_dir_perms;
++')
++
++########################################
++##
++## Delete all directories in a user home subdirectory. 
+ ##
+ ##
+ ##
+@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+ #
+ interface(`userdom_delete_all_user_home_content_dirs',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ attribute user_home_type;
+ ')
+ 
+- userdom_search_user_home_dirs($1)
+- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_type:dir delete_dir_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Delete directories in a user home subdirectory.
++## Set the attributes of user home files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`userdom_delete_user_home_content_dirs',`
++interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+ 
+- allow $1 user_home_t:dir delete_dir_perms;
++ allow $1 user_home_t:file setattr;
+ ')
+ 
+ ########################################
+ ##
+-## Set attributes of all user home content directories.
++## Set the attributes of user tmp files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`userdom_setattr_all_user_home_content_dirs',`
++interface(`userdom_setattr_user_tmp_files',`
+ gen_require(`
+- attribute user_home_content_type;
++ type user_tmp_t;
+ ')
+ 
+- userdom_search_user_home_dirs($1)
+- allow $1 user_home_content_type:dir setattr_dir_perms;
++ allow $1 user_tmp_t:file setattr;
+ ')
+ 
+ ########################################
+ ##
++## Relabel user tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_relabel_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file relabel_file_perms;
++')
++########################################
++##
+ ## Do not audit attempts to set the
+ ## attributes of user home files. 
+ ##
+@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ 
+ ########################################
+ ##
++## Set the attributes of all user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_setattr_all_user_home_content_dirs',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir setattr_dir_perms;
++')
++
++########################################
++##
+ ## Mmap user home files.
+ ##
+ ##
+@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
+ interface(`userdom_read_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
++ attribute user_home_type;
+ ')
+ 
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
++ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ files_search_home($1)
+ ')
+ 
+ ########################################
+ ##
++## Do not audit attempts to getattr user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_getattr_user_home_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to read user home files. 
+ ##
+ ##
+@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
++ type user_home_dir_t;
+ ')
+ 
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
++ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ 
+ ########################################
+ ##
+-## Delete all user home content files.
++## Delete files in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_all_user_home_content_files',`
++interface(`userdom_delete_user_home_content_files',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
+ ')
+ 
+- userdom_search_user_home_content($1)
+- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:file delete_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Delete files in a user home subdirectory.
++## Delete all files in a user home subdirectory. 
+ ##
+ ##
+ ##
+@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+ 
+- allow $1 user_home_t:file delete_file_perms;
++ allow $1 user_home_type:file delete_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Do not audit attempts to write user home files.
++## Delete sock files in a user home subdirectory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_relabel_user_home_content_files',`
++interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+ 
+- dontaudit $1 user_home_t:file relabel_file_perms;
++ allow $1 user_home_t:sock_file delete_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Read user home subdirectory symbolic links.
++## Delete all sock files in a user home subdirectory.
+ ##
+ ##
+ ##
+@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ attribute user_home_type;
+ ')
+ 
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 user_home_type:sock_file delete_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Execute user home files.
++## Delete all files in a user home subdirectory.
+ ##
+ ##
+ ##
+ ## Domain allowed access. 
+ ##
+ ##
+-##
+ #
+-interface(`userdom_exec_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ attribute user_home_type;
+ ')
+ 
+- files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
++')
+ 
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
++########################################
++##
++## Do not audit attempts to write user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_relabel_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
+ ')
+ 
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
++ dontaudit $1 user_home_t:file relabel_file_perms;
++')
++
++########################################
++##
++## Read user home subdirectory symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_user_home_content_symlinks',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
+ ')
++
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+ ##
++## Execute user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_exec_user_home_content_files',`
++ gen_require(`
++ type user_home_dir_t;
++ attribute user_home_type;
++ ')
++
++ files_search_home($1)
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
++ ')
++
++########################################
++##
+ ## Do not audit attempts to execute user home files.
+ ##
+ ##
+@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ 
+ ########################################
+ ##
+-## Delete all user home content symbolic links.
++## Delete symbolic links in a user home directory. 
+ ##
+ ##
+ ##
+@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_all_user_home_content_symlinks',`
++interface(`userdom_delete_user_home_content_symlinks',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
+ ')
+ 
+- userdom_search_user_home_dirs($1)
+- delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:lnk_file delete_lnk_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Delete symbolic links in a user home directory.
++## Delete all symbolic links in a user home directory.
+ ##
+ ##
+ ##
+@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+ ##
+ ##
+ #
+-interface(`userdom_delete_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_symlinks',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+ 
+- allow $1 user_home_t:lnk_file delete_lnk_file_perms;
++ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ #
+ interface(`userdom_read_user_tmp_files',`
+ gen_require(`
+- type user_tmp_t;
++ attribute user_tmp_type;
+ ')
+ 
+- read_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_tmp_t:dir list_dir_perms;
++ read_files_pattern($1, user_tmp_type, user_tmp_type)
++ allow $1 user_tmp_type:dir list_dir_perms;
+ files_search_tmp($1)
+ ')
+ 
+@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ type user_tmp_t;
+ ')
+ 
+- dontaudit $1 user_tmp_t:file read_file_perms;
++ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
+ ')
+ 
+ ########################################
+@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ files_tmp_filetrans($1, user_tmp_t, $2, $3)
+ ')
+ 
++####################################### ++## ++## Getattr user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_getattr_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ + ######################################## + ## + ## Read user tmpfs files. +@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` + ') + + read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) + ') + + ######################################## + ## +-## Read user tmpfs files. ++## Read/Write user tmpfs files. + ## + ## + ## +@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` + + ######################################## + ## +-## Create, read, write, and delete user tmpfs files. ++## Read/Write inherited user tmpfs files. + ## + ## + ## +@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` + ## + ## + # +-interface(`userdom_manage_user_tmpfs_files',` ++interface(`userdom_rw_inherited_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + +- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +- allow $1 user_tmpfs_t:dir list_dir_perms; +- fs_search_tmpfs($1) ++ allow $1 user_tmpfs_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Execute user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_execute_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file execute; + ') + + ######################################## +@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',` + + ######################################## + ## ++## Read and write a inherited user domain tty. ++## ++## ++## ++## Domain allowed access. 
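Review bot: The `@@ -2715,14 +3379,30 @@` hunk replaces both the name and the body of `userdom_manage_user_tmpfs_files` with `userdom_rw_inherited_user_tmpfs_files`, so any module still calling the manage interface will fail to build unless it is re-added somewhere this chunk does not show. The new `userdom_execute_user_tmpfs_files` grants `execute` on `user_tmpfs_t` files, i.e. executable mappings of content that user domains create and write through the `rw` interfaces beside it; the summary `Execute user tmpfs files.` should say that, e.g. `## Allow executable mappings of user tmpfs files, which user domains can also write; grant only to callers that need it.`. A why-comment at the first call site would make later audits of this grant easier.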
++## ++## ++# ++interface(`userdom_use_inherited_user_ttys',` ++ gen_require(` ++ type user_tty_device_t; ++ ') ++ ++ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; ++') ++ ++######################################## ++## + ## Read and write a user domain pty. + ## + ## +@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',` + + ######################################## + ## +-## Read and write a user TTYs and PTYs. ++## Read and write a inherited user domain pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_inherited_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++######################################## ++## ++## Read and write a inherited user TTYs and PTYs. + ## + ## + ##

    +-## Allow the specified domain to read and write user ++## Allow the specified domain to read and write inherited user + ## TTYs and PTYs. This will allow the domain to + ## interact with the user via the terminal. Typically + ## all interactive applications will require this + ## access. + ##

    +-##

    +-## However, this also allows the applications to spy +-## on user sessions or inject information into the +-## user session. Thus, this access should likely +-## not be allowed for non-interactive domains. +-##

    + ##
    + ## + ## +@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',` + ## + ## + # +-interface(`userdom_use_user_terminals',` ++interface(`userdom_use_inherited_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + +- allow $1 user_tty_device_t:chr_file rw_term_perms; +- allow $1 user_devpts_t:chr_file rw_term_perms; +- term_list_ptys($1) ++ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; ++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++####################################### ++## ++## Allow attempts to read and write ++## a user domain tty and pty. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_use_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ ++ allow $1 user_tty_device_t:chr_file rw_term_perms; ++ allow $1 user_devpts_t:chr_file rw_term_perms; + ') + + ######################################## +@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` + type user_tty_device_t, user_devpts_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; +- dontaudit $1 user_devpts_t:chr_file rw_term_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; ++ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++ ++######################################## ++## ++## Get attributes of user domain tty and pty. ++## ++## ++## ++## Domain allowed access. 
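Review bot: In the `@@ -2859,14 +3569,33 @@` hunk the re-added `userdom_use_user_terminals` documents its parameter as `## Domain to not audit.` although it is an allow interface; it should read `## Domain allowed access.`. The same hunk drops `term_list_ptys($1)` from this interface, so callers that relied on it for listing the pty directory lose that access unless they call it themselves. The caveat that read/write access to user ttys and ptys lets a domain observe or inject into a user session, which the preceding hunk removes from `userdom_use_inherited_user_terminals`, is the one piece of documentation that tells a policy author when not to use either interface; please keep it on at least the non-inherited variant.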
++## ++## ++# ++interface(`userdom_getattr_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ ++ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; + ') + + ######################################## +@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; + ') + +-######################################## ++##################################### + ## +-## Execute an Xserver session in all unprivileged user domains. This +-## is an explicit transition, requiring the +-## caller to use setexeccon(). ++## Allow domain dyntrans to unpriv userdomain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`userdom_xsession_spec_domtrans_unpriv_users',` +- gen_require(` +- attribute unpriv_userdomain; +- ') ++interface(`userdom_dyntransition_unpriv_users',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') + +- xserver_xsession_spec_domtrans($1, unpriv_userdomain) +- allow unpriv_userdomain $1:fd use; +- allow unpriv_userdomain $1:fifo_file rw_file_perms; +- allow unpriv_userdomain $1:process sigchld; ++ allow $1 unpriv_userdomain:process dyntransition; + ') + +-####################################### ++#################################### + ## +-## Read and write unpriviledged user SysV sempaphores. ++## Allow domain dyntrans to admin userdomain. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`userdom_rw_unpriv_user_semaphores',` +- gen_require(` +- attribute unpriv_userdomain; +- ') ++interface(`userdom_dyntransition_admin_users',` ++ gen_require(` ++ attribute admindomain; ++ ') + +- allow $1 unpriv_userdomain:sem rw_sem_perms; ++ allow $1 admindomain:process dyntransition; + ') + + ######################################## + ## +-## Manage unpriviledged user SysV sempaphores. 
++## Execute an Xserver session in all unprivileged user domains. This ++## is an explicit transition, requiring the ++## caller to use setexeccon(). + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`userdom_manage_unpriv_user_semaphores',` ++interface(`userdom_xsession_spec_domtrans_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + +- allow $1 unpriv_userdomain:sem create_sem_perms; ++ xserver_xsession_spec_domtrans($1, unpriv_userdomain) ++ allow unpriv_userdomain $1:fd use; ++ allow unpriv_userdomain $1:fifo_file rw_file_perms; ++ allow unpriv_userdomain $1:process sigchld; + ') + +-####################################### ++######################################## + ## +-## Read and write unpriviledged user SysV shared +-## memory segments. ++## Manage unpriviledged user SysV sempaphores. + ## + ## + ## +@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` + ## + ## + # +-interface(`userdom_rw_unpriv_user_shared_mem',` ++interface(`userdom_manage_unpriv_user_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + +- allow $1 unpriv_userdomain:shm rw_shm_perms; ++ allow $1 unpriv_userdomain:sem create_sem_perms; + ') + + ######################################## +@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` + + domain_entry_file_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; +- allow unpriv_userdomain $1:fifo_file rw_file_perms; ++ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; + allow unpriv_userdomain $1:process sigchld; + ') + +@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` + # + interface(`userdom_search_user_home_content',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ type user_home_dir_t; ++ attribute user_home_type; + ') + + files_list_home($1) +- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; +-') +- 
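Review bot: `userdom_dyntransition_unpriv_users` and `userdom_dyntransition_admin_users` in the `@@ -2958,69 +3706,68 @@` hunk allow `process dyntransition` into `unpriv_userdomain` and `admindomain`, which lets a caller holding `setcurrent` change its own context into those user domains with no entrypoint file involved; the one-line summaries `Allow domain dyntrans to ...` do not convey that. Suggest `## Allow $1 to change its own context to an admin user domain via setcon(); no entrypoint check applies, so restrict this to login-style domains.` and the equivalent wording for the unprivileged variant. The hunk also removes `userdom_rw_unpriv_user_semaphores` and, in the following hunk, `userdom_rw_unpriv_user_shared_mem`; a `userdom_rw_semaphores` replacement appears later in this chunk, but nothing visible here re-adds the shared-memory interface, so existing callers will fail to link unless that is handled elsewhere. Minor: the moved summary still reads `unpriviledged user SysV sempaphores`.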
+-######################################## +-## +-## Send signull to unprivileged user domains. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`userdom_signull_unpriv_users',` +- gen_require(` +- attribute unpriv_userdomain; +- ') +- +- allow $1 unpriv_userdomain:process signull; ++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` + type user_devpts_t; + ') + +- dontaudit $1 user_devpts_t:chr_file rw_file_perms; ++ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to open user ptys. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_open_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ dontaudit $1 user_devpts_t:chr_file open; + ') + + ######################################## +@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` + type user_tmp_t; + ') + +- allow $1 user_tmp_t:file write_file_perms; ++ write_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to use user ttys. ++## Do not audit attempts to write users ++## temporary files. + ## + ## + ## +@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',` + ## + ## + # +-interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmp_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tmp_t:file write; + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Do not audit attempts to delete users ++## temporary files. 
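Review bot: `userdom_dontaudit_use_user_ptys` in the `@@ -3217,7 +3948,25 @@` hunk changes its dontaudit to `rw_inherited_file_perms` on a `chr_file`, whereas the terminal interfaces rewritten earlier in this chunk (`userdom_use_inherited_user_ptys`, `userdom_dontaudit_use_user_terminals`) use `rw_inherited_term_perms` for the same object class; the re-added `userdom_dontaudit_use_user_ttys` in the `@@ -3285,46 +4035,122 @@` hunk makes the same choice. Using the term permission set keeps the allow and dontaudit sides of the pty/tty interfaces covering the same permissions, e.g. `dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;`. If the file-perms set is intentional, a one-line comment saying why would stop the next edit from "fixing" it.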
+ ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` +- attribute userdomain; ++ type user_tmp_t; + ') + +- read_files_pattern($1, userdomain, userdomain) +- kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## + ## +-## Get the attributes of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_getattr_all_users',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` +- attribute userdomain; ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to read/write inherited users ++## fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_pipes',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to use user ttys. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_use_user_ttys',` ++ gen_require(` ++ type user_tty_device_t; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read the process state of all user domains. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_read_all_users_state',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) ++ kernel_search_proc($1) ++') ++ ++######################################## ++## ++## Get the attributes of all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_getattr_all_users',` ++ gen_require(` ++ attribute userdomain; + ') + + allow $1 userdomain:process getattr; +@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',` + allow $1 userdomain:process signal; + ') + ++####################################### ++## ++## Send signull to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_signull_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process signull; ++') ++ ++######################################## ++## ++## Send kill signals to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_kill_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process sigkill; ++') ++ + ######################################## + ## + ## Send a SIGCHLD signal to all user domains. +@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` + + ######################################## + ## ++## Read keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key read; ++') ++ ++######################################## ++## + ## Create keys for all user domains. 
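Review bot: Style: in the `@@ -3285,46 +4035,122 @@` hunk, `read_lnk_files_pattern($1,userdomain,userdomain)` in `userdom_read_all_users_state` is the only call in the hunk without spaces after the commas; write `read_lnk_files_pattern($1, userdomain, userdomain)` to match the `read_files_pattern` line directly above it. The added symlink read also widens what the interface name promises, so the summary `Read the process state of all user domains.` could mention the `/proc` symlinks it now covers.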
+ ## + ## +@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',` + ') + + allow $1 userdomain:dbus send_msg; ++ ps_process_pattern($1, userdomain) ++') ++ ++######################################## ++## ++## Allow apps to set rlimits on userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_set_rlimitnh',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process rlimitinh; ++') ++ ++######################################## ++## ++## Define this type as a Allow apps to set rlimits on userdomain ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`userdom_unpriv_usertype',` ++ gen_require(` ++ attribute unpriv_userdomain, userdomain; ++ attribute $1_usertype; ++ ') ++ typeattribute $2 $1_usertype; ++ typeattribute $2 unpriv_userdomain; ++ typeattribute $2 userdomain; ++ ++ auth_use_nsswitch($2) ++ ubac_constrained($2) ++') ++ ++####################################### ++## ++## Define this type as a Allow apps to set rlimits on userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`userdom_unpriv_type',` ++ gen_require(` ++ attribute unpriv_userdomain, userdomain; ++ ') ++ typeattribute $1 unpriv_userdomain; ++ typeattribute $1 userdomain; ++ ++ auth_use_nsswitch($1) ++ ubac_constrained($1) ++') ++ ++######################################## ++## ++## Connect to users over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_stream_connect',` ++ gen_require(` ++ type user_tmp_t; ++ attribute userdomain; ++ ') ++ ++ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) ++') ++ ++######################################## ++## ++## Ptrace user domains. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_ptrace_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 userdomain:process ptrace; ++ ') ++') ++ ++######################################## ++## ++## dontaudit Search /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_search_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## dontaudit list /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_list_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Allow domain to list /root ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_list_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Allow Search /root ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_search_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## RW unpriviledged user SysV sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_semaphores',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:sem rw_sem_perms; + ') ++ ++######################################## ++## ++## Send a message to unpriv users over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_dgram_send',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:unix_dgram_socket sendto; ++') ++ ++###################################### ++## ++## Send a message to users over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_users_dgram_send',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:unix_dgram_socket sendto; ++') ++ ++####################################### ++## ++## Allow execmod on files in homedirectory ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_execmod_user_home_files',` ++ gen_require(` ++ type user_home_type; ++ ') ++ ++ allow $1 user_home_type:file execmod; ++') ++ ++######################################## ++## ++## Read admin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_read_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ read_files_pattern($1, admin_home_t, admin_home_t) ++') ++ ++######################################## ++## ++## Delete admin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_delete_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:file delete_file_perms; ++') ++ ++######################################## ++## ++## Execute admin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_exec_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ exec_files_pattern($1, admin_home_t, admin_home_t) ++') ++ ++######################################## ++## ++## Append files inherited ++## in the /root directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_inherit_append_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:file { getattr append }; ++') ++ ++ ++####################################### ++## ++## Manage all files/directories in the homedir ++## ++## ++## ++## The user domain ++## ++## ++## ++# ++interface(`userdom_manage_user_home_content',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ attribute user_home_type; ++ ') ++ ++ files_list_home($1) ++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ++ ++') ++ ++###################################### ++## ++## Manage all dirs in the homedir ++## ++## ++## ++## The user domain ++## ++## ++# ++interface(`userdom_manage_all_user_home_type_dirs',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ attribute user_home_type; ++ ') ++ ++ files_list_home($1) ++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++') ++ ++###################################### ++## ++## Manage all files in the homedir ++## ++## ++## ++## The user domain ++## ++## ++# ++interface(`userdom_manage_all_user_home_type_files',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ attribute user_home_type; ++ ') ++ ++ files_list_home($1) ++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++') ++ ++######################################## ++## ++## Create objects in a user home directory ++## with an automatic 
type transition to ++## the user home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`userdom_user_home_dir_filetrans_pattern',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ ') ++ ++ type_transition $1 user_home_dir_t:$2 user_home_t; ++') ++ ++######################################## ++## ++## Create objects in the /root directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`userdom_admin_home_dir_filetrans',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ filetrans_pattern($1, admin_home_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Send signull to unprivileged user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_signull_unpriv_users',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:process signull; ++') ++ ++######################################## ++## ++## Write all users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_write_user_tmp_dirs',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ write_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++######################################## ++## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key manage_key_perms; ++') ++ ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unserdomain stream. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`userdom_dontaudit_rw_stream',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unserdomain datagram socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_rw_dgram_socket',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ dontaudit $1 userdomain:unix_dgram_socket { read write }; ++') ++ ++######################################## ++## ++## Append files ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_append_user_home_content_files',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ ') ++ ++ append_files_pattern($1, user_home_t, user_home_t) ++ allow $1 user_home_dir_t:dir search_dir_perms; ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Read files inherited ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_inherited_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:file { getattr read }; ++') ++ ++######################################## ++## ++## Dontaudit Read files inherited from the admin home dir. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_inherited_admin_home_files',` ++ gen_require(` ++ attribute admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## Dontaudit append files inherited from the admin home dir. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`userdom_dontaudit_append_inherited_admin_home_file',` ++ gen_require(` ++ attribute admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read/Write files inherited ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Append files inherited ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_inherit_append_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file { getattr append }; ++') ++ ++######################################## ++## ++## Append files inherited ++## in a user tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_inherit_append_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file { getattr append }; ++') ++ ++###################################### ++## ++## Read audio files in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_read_home_audio_files',` ++ gen_require(` ++ type audio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 audio_home_t:dir list_dir_perms; ++ read_files_pattern($1, audio_home_t, audio_home_t) ++ read_lnk_files_pattern($1, audio_home_t, audio_home_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to write all user home content files. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`userdom_dontaudit_write_all_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ dontaudit $1 user_home_type:file write_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to write all user tmp content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_write_all_user_tmp_content_files',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ dontaudit $1 user_tmp_type:file write_inherited_file_perms; ++') ++ ++######################################## ++## ++## Manage all user temporary content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ manage_dirs_pattern($1, user_tmp_type, user_tmp_type) ++ manage_files_pattern($1, user_tmp_type, user_tmp_type) ++ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) ++ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) ++ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## List all user temporary content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_list_all_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ list_dirs_pattern($1, user_tmp_type, user_tmp_type) ++ getattr_files_pattern($1, user_tmp_type, user_tmp_type) ++ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) ++ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) ++ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ++ files_search_var($1) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Manage all user tmpfs content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_manage_all_user_tmpfs_content',` ++ gen_require(` ++ attribute user_tmpfs_type; ++ ') ++ ++ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ fs_search_tmpfs($1) ++') ++ ++######################################## ++## ++## Delete all user temporary content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ delete_dirs_pattern($1, user_tmp_type, user_tmp_type) ++ delete_files_pattern($1, user_tmp_type, user_tmp_type) ++ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) ++ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) ++ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ++ # /var/tmp ++ files_search_var($1) ++ files_delete_tmp_dir_entry($1) ++') ++ ++######################################## ++## ++## Read system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_home_certs',` ++ gen_require(` ++ attribute userdom_home_reader_certs_type; ++ ') ++ ++ typeattribute $1 userdom_home_reader_certs_type; ++') ++ ++######################################## ++## ++## Manage system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_manage_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ allow $1 home_cert_t:dir list_dir_perms; ++ manage_dirs_pattern($1, home_cert_t, home_cert_t) ++ manage_files_pattern($1, home_cert_t, home_cert_t) ++ manage_lnk_files_pattern($1, home_cert_t, home_cert_t) ++ ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++') ++ ++####################################### ++## ++## Dontaudit Write system SSL certificates in the users homedir. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_write_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ dontaudit $1 home_cert_t:file write; ++') ++ ++######################################## ++## ++## dontaudit Search getatrr /root files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_getattr_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file getattr; ++') ++ ++######################################## ++## ++## dontaudit read /root lnk files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_admin_home_lnk_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:lnk_file read; ++') ++ ++######################################## ++## ++## dontaudit read /root files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary chr files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_manage_user_tmp_chr_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary blk files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_blk_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Dontaudit attempt to set attributes on user temporary directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_setattr_user_tmp',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:dir setattr; ++') ++ ++######################################## ++## ++## Dontaudit attempt to set attributes on user temporary file system files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_setattr_user_tmpfs',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ dontaudit $1 user_tmpfs_t:file setattr; ++') ++ ++######################################## ++## ++## Read all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read/write all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Write all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_write_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file write; ++') ++ ++######################################## ++## ++## Write all inherited users home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_home_sock_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:sock_file write; ++') ++ ++######################################## ++## ++## Delete all users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file delete_file_perms; ++') ++ ++######################################## ++## ++## Delete user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file delete_file_perms; ++') ++ ++######################################## ++## ++## Read/Write unpriviledged user SysV shared ++## memory segments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_unpriv_user_shared_mem',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:shm rw_shm_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to search user ++## temporary directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_search_user_tmp',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Execute a file in a user home directory ++## in the specified domain. ++## ++## ++##

    ++## Execute a file in a user home directory ++## in the specified domain. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`userdom_domtrans_user_home',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ read_lnk_files_pattern($1, user_home_t, user_home_t) ++ domain_transition_pattern($1, user_home_t, $2) ++ type_transition $1 user_home_t:process $2; ++') ++ ++######################################## ++## ++## Execute a file in a user tmp directory ++## in the specified domain. ++## ++## ++##

    ++## Execute a file in a user tmp directory ++## in the specified domain. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`userdom_domtrans_user_tmp',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ domain_transition_pattern($1, user_tmp_t, $2) ++ type_transition $1 user_tmp_t:process $2; ++') ++ ++######################################## ++## ++## Do not audit attempts to read all user home content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_all_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ dontaudit $1 user_home_type:file read_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read all user tmp content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_all_user_tmp_content_files',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ dontaudit $1 user_tmp_type:file read_file_perms; ++') ++ ++####################################### ++## ++## Read and write unpriviledged user SysV sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_unpriv_user_semaphores',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:sem rw_sem_perms; ++') ++ ++######################################## ++## ++## Transition to userdom named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_filetrans_home_content',` ++ gen_require(` ++ attribute userdom_filetrans_type; ++ ') ++ ++ typeattribute $1 userdom_filetrans_type; ++') ++ ++######################################## ++## ++## Make the specified type able to read content in user home dirs ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_home_reader',` ++ gen_require(` ++ attribute userdom_home_reader_type; ++ ') ++ ++ typeattribute $1 userdom_home_reader_type; ++') ++ ++ ++######################################## ++## ++## Make the specified type able to manage content in user home dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_home_manager',` ++ gen_require(` ++ attribute userdom_home_manager_type; ++ ') ++ ++ typeattribute $1 userdom_home_manager_type; ++') ++ ++######################################## ++## ++## Create objects in the temporary filesystem directory ++## with an automatic type transition to ++## the user temporary filesystem type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`userdom_tmpfs_filetrans',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3) ++') ++ ++ ++####################################### ++## ++## Create objects in the temporary filesystem directory ++## with an automatic type transition to ++## the user temporary filesystem type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`userdom_tmpfs_filetrans_to',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) ++') ++ ++###################################### ++## ++## File name transition for generic home content files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_filetrans_generic_home_content',` ++ gen_require(` ++ type home_bin_t; ++ type audio_home_t; ++ type home_cert_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") ++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio") ++ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") ++ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ++') ++ ++######################################## ++## ++## Allow caller to transition to any userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_transition',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process transition; ++') ++ ++######################################## ++## ++## Do not audit attempts to check the ++## access on user content files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_access_check_user_content',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ dontaudit $1 user_home_type:dir_file_class_set audit_access; ++') ++ ++####################################### ++## ++## The template containing the most basic rules common to confined admin. ++## ++## ++##

    ++## The template containing the most basic rules common to all users. ++##

    ++##

    ++## This template creates a user domain, types, and ++## rules for the user's tty and pty. ++##

    ++##
    ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++# ++template(`userdom_confined_admin_template',` ++ ++ gen_require(` ++ attribute confined_admindomain; ++ attribute userdomain; ++ type user_devpts_t, user_tty_device_t; ++ class context contains; ++ ') ++ ++ type $1_t, userdomain, confined_admindomain; ++ role $1_r; ++ role $1_r types $1_t; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ ubac_constrained($1_t) ++ ++ auth_use_nsswitch($1_t) ++') ++ ++######################################## ++## ++## Allow user to run as a secadm ++## ++## ++##

    ++## Create objects in a user home directory ++## with an automatic type transition to ++## a specified private type. ++##

    ++##

    ++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role of the object to create. ++## ++## ++# ++template(`userdom_security_admin_template',` ++ allow $1 self:capability { dac_read_search dac_override }; ++ ++ corecmd_exec_shell($1) ++ ++ domain_obj_id_change_exemption($1) ++ ++ dev_relabel_all_dev_nodes($1) ++ ++ files_create_boot_flag($1) ++ files_create_default_dir($1) ++ files_root_filetrans_default($1, dir) ++ ++ # Necessary for managing /boot/efi ++ fs_manage_dos_files($1) ++ ++ mls_process_read_up($1) ++ mls_file_read_all_levels($1) ++ mls_file_upgrade($1) ++ mls_file_downgrade($1) ++ ++ selinux_set_enforce_mode($1) ++ selinux_set_all_booleans($1) ++ selinux_set_parameters($1) ++ selinux_read_policy($1) ++ ++ files_relabel_all_files($1) ++ ++ auth_relabel_shadow($1) ++ ++ init_exec($1) ++ ++ logging_send_syslog_msg($1) ++ logging_read_audit_log($1) ++ logging_read_generic_logs($1) ++ logging_read_audit_config($1) ++ ++ seutil_manage_bin_policy($1) ++ seutil_manage_default_contexts($1) ++ seutil_manage_file_contexts($1) ++ seutil_manage_module_store($1) ++ seutil_manage_config($1) ++ seutil_manage_login_config($1) ++ seutil_run_checkpolicy($1,$2) ++ seutil_run_loadpolicy($1,$2) ++ seutil_run_semanage($1,$2) ++ seutil_run_setsebool($1,$2) ++ seutil_run_setfiles($1, $2) ++ ++ optional_policy(` ++ aide_run($1,$2) ++ ') ++ ++ optional_policy(` ++ consoletype_exec($1) ++ ') ++ ++ optional_policy(` ++ ipsec_run_setkey($1,$2) ++ ') ++ ++ optional_policy(` ++ netlabel_run_mgmt($1,$2) ++ ') ++ ++ optional_policy(` ++ samhain_run($1, $2) ++ ') ++') ++ +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index e2b538b..e0c6eeb 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) + + ## + ##

    +-## Allow users to connect to mysql ++## Allow users to connect to the local mysql server + ##

    + ##
    +-gen_tunable(allow_user_mysql_connect, false) ++gen_tunable(selinuxuser_mysql_connect_enabled, false) + + ## + ##

    + ## Allow users to connect to PostgreSQL + ##

    + ##
    +-gen_tunable(allow_user_postgresql_connect, false) ++gen_tunable(selinuxuser_postgresql_connect_enabled, false) + + ## + ##

    +-## Allow regular users direct mouse access +-##

    +-##
    +-gen_tunable(user_direct_mouse, false) +- +-## +-##

    +-## Allow users to read system messages. ++## Allow user to r/w files on filesystems ++## that do not have extended attributes (FAT, CDROM, FLOPPY) + ##

    + ##
    +-gen_tunable(user_dmesg, false) ++gen_tunable(selinuxuser_rw_noexattrfile, false) + + ## + ##

    +-## Allow user to r/w files on filesystems +-## that do not have extended attributes (FAT, CDROM, FLOPPY) ++## Allow user music sharing + ##

    + ##
    +-gen_tunable(user_rw_noexattrfile, false) ++gen_tunable(selinuxuser_share_music, false) + + ## + ##

    +-## Allow w to display everyone ++## Allow user to use ssh chroot environment. + ##

    + ##
+-gen_tunable(user_ttyfile_stat, false)
++gen_tunable(selinuxuser_use_ssh_chroot, false)
+ 
+ attribute admindomain;
++attribute login_userdomain;
++attribute confined_admindomain;
+ 
+ # all user domains
+ attribute userdomain;
+@@ -58,6 +53,24 @@ attribute unpriv_userdomain;
+ 
+ attribute user_home_content_type;
+ 
++attribute userdom_home_reader_certs_type;
++attribute userdom_home_reader_type;
++attribute userdom_home_manager_type;
++attribute userdom_filetrans_type;
++
++# unprivileged user domains
++attribute user_home_type;
++attribute user_tmp_type;
++attribute user_tmpfs_type;
++
++type admin_home_t;
++files_type(admin_home_t)
++files_associate_tmp(admin_home_t)
++fs_associate_tmpfs(admin_home_t)
++files_mountpoint(admin_home_t)
++files_poly_member(admin_home_t)
++files_poly_parent(admin_home_t)
++
+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
+ fs_associate_tmpfs(user_home_dir_t)
+ files_type(user_home_dir_t)
+@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t)
+ 
+ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
++typeattribute user_home_t user_home_type;
+ userdom_user_home_content(user_home_t)
+ fs_associate_tmpfs(user_home_t)
+ files_associate_tmp(user_home_t)
++files_poly_member(user_home_t)
+ files_poly_parent(user_home_t)
+ files_mountpoint(user_home_t)
++ubac_constrained(user_home_t)
+ 
+ type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
+ dev_node(user_devpts_t)
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+ 
+-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
++type user_tmp_t, user_tmp_type;
++typealias 
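Review bot: The booleans renamed in this hunk (allow_user_mysql_connect → selinuxuser_mysql_connect_enabled, allow_user_postgresql_connect → selinuxuser_postgresql_connect_enabled, user_rw_noexattrfile → selinuxuser_rw_noexattrfile) get no alias, so any tunable_policy block or locally persisted boolean setting that still uses the old name silently stops matching; if the build ships a boolean substitution file (libselinux's booleans.subs_dist), the old names should be mapped to the new ones there, and the commit description should mention the rename. The three dropped tunables (user_direct_mouse, user_dmesg, user_ttyfile_stat) are only removed here; the rules they gated are outside this hunk, so it is not visible whether they were removed as well or made unconditional — the latter would widen default user access and deserves a sentence in the description. The new selinuxuser_use_ssh_chroot and selinuxuser_share_music entries carry only a one-line summary; a short description naming the domains or rules each one gates, in the same place where `## Allow user to use ssh chroot environment.` sits, would make the boolean's effect clear to administrators reading the generated documentation.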
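Review bot: The comment `# unprivileged user domains` above the three new attributes is misleading: user_home_type, user_tmp_type and user_tmpfs_type group file types, not process domains (the following hunk does `typeattribute user_home_t user_home_type;` and `type user_tmp_t, user_tmp_type;`); suggest `# attributes grouping user home, tmp and tmpfs content types`. The four userdom_*_type attributes above it are undocumented although the rules they confer live further down the file (the reader/manager attributes receive NFS, CIFS, fusefs and ecryptfs home access under the use_*_home_dirs tunables), so a one-line comment per attribute, e.g. `# types allowed to read user home content; rules are below`, would help readers of the userdom_home_reader/userdom_home_manager interfaces that assign them. admin_home_t is declared without ubac_constrained while the next hunk adds `ubac_constrained(user_home_t)`; if that asymmetry is intentional, a comment saying so would keep it from being "fixed" later.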
user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; + typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; + files_tmp_file(user_tmp_t) + userdom_user_home_content(user_tmp_t) ++files_poly_parent(user_tmp_t) ++files_mountpoint(user_tmp_t) + +-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; ++type user_tmpfs_t, user_tmpfs_type; ++typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; + files_tmpfs_file(user_tmpfs_t) + userdom_user_home_content(user_tmpfs_t) + + type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; + dev_node(user_tty_device_t) + ubac_constrained(user_tty_device_t) ++ ++type audio_home_t; ++userdom_user_home_content(audio_home_t) ++ubac_constrained(audio_home_t) ++ ++type home_bin_t; ++userdom_user_home_content(home_bin_t) ++ubac_constrained(home_bin_t) ++ ++type home_cert_t; ++miscfiles_cert_type(home_cert_t) ++userdom_user_home_content(home_cert_t) ++ubac_constrained(home_cert_t) ++ ++tunable_policy(`login_console_enabled',` ++ term_use_console(userdomain) ++') ++ ++allow userdomain userdomain:process signull; ++allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; ++ ++# Nautilus causes this avc ++domain_dontaudit_access_check(unpriv_userdomain) ++dontaudit unpriv_userdomain self:dir setattr; ++allow unpriv_userdomain self:key manage_key_perms; ++ ++optional_policy(` ++ alsa_read_rw_config(unpriv_userdomain) ++ alsa_manage_home_files(unpriv_userdomain) ++ alsa_relabel_home_files(unpriv_userdomain) ++') ++ ++optional_policy(` ++ gssproxy_stream_connect(userdomain) ++') ++ ++optional_policy(` ++ 
gnome_filetrans_home_content(userdomain) ++') ++ ++optional_policy(` ++ locallogin_filetrans_home_content(userdomain) ++') ++ ++optional_policy(` ++ ssh_filetrans_home_content(userdomain) ++ ssh_rw_tcp_sockets(userdomain) ++') ++ ++optional_policy(` ++ telepathy_filetrans_home_content(userdomain) ++') ++ ++optional_policy(` ++ xserver_filetrans_home_content(userdomain) ++') ++ ++ ++# rules for types which can read home certs ++allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; ++read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) ++read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) ++userdom_search_user_home_content(userdom_home_reader_certs_type) ++ ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(userdom_home_reader_certs_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(userdom_home_reader_type) ++ fs_read_nfs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(userdom_home_reader_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(userdom_home_manager_type) ++ fs_manage_nfs_dirs(userdom_home_manager_type) ++ fs_manage_nfs_files(userdom_home_manager_type) ++ fs_manage_nfs_symlinks(userdom_home_manager_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(userdom_home_manager_type) ++ fs_manage_cifs_files(userdom_home_manager_type) ++ fs_manage_cifs_symlinks(userdom_home_manager_type) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_manage_fusefs_dirs(userdom_home_manager_type) ++ fs_manage_fusefs_files(userdom_home_manager_type) ++ fs_manage_fusefs_symlinks(userdom_home_manager_type) ++') ++ 
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
++# vi /etc/mtab can cause an avc trying to relabel to self.
++dontaudit userdomain self:file relabelto;
++
++userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file })
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++
++optional_policy(`
++ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++ #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
++')
++
++optional_policy(`
++ alsa_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ apache_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ auth_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ gnome_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ gpg_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ irc_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ kerberos_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ mozilla_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ mta_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ spamassassin_filetrans_home_content(userdom_filetrans_type)
++ spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(userdom_filetrans_type)
++ ssh_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ telepathy_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ thumb_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ tvtime_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ virt_filetrans_home_content(userdom_filetrans_type)
++')
++
++optional_policy(`
++ xserver_filetrans_home_content(userdom_filetrans_type)
++ xserver_filetrans_admin_home_content(userdom_filetrans_type)
++')
++
++############################################################
++# Local Policy Confined Admin
++#
++gen_require(`
++ class context contains;
++')
++
++corecmd_shell_entry_type(confined_admindomain)
++corecmd_bin_entry_type(confined_admindomain)
++
++term_user_pty(confined_admindomain, user_devpts_t)
++term_user_tty(confined_admindomain, user_tty_device_t)
++term_dontaudit_getattr_generic_ptys(confined_admindomain)
++
++allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++tunable_policy(`deny_ptrace',`',`
++ allow confined_admindomain self:process ptrace;
++')
++allow confined_admindomain self:fd use;
++allow confined_admindomain self:key manage_key_perms;
++
++allow confined_admindomain self:fifo_file rw_fifo_file_perms;
++allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
++allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
++allow confined_admindomain self:shm create_shm_perms;
++allow confined_admindomain self:sem create_sem_perms;
++allow confined_admindomain self:msgq create_msgq_perms;
++allow confined_admindomain self:msg { send receive };
++allow confined_admindomain self:context contains;
++dontaudit confined_admindomain self:socket create;
++
++allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
++term_create_pty(confined_admindomain, user_devpts_t)
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
++
++allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++# avoid annoying messages on terminal hangup on role change
++dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
++
++application_exec_all(confined_admindomain)
++
++kernel_read_kernel_sysctls(confined_admindomain)
++kernel_read_all_sysctls(confined_admindomain)
++kernel_dontaudit_list_unlabeled(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
++kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
++kernel_dontaudit_list_proc(confined_admindomain)
++
++dev_dontaudit_getattr_all_blk_files(confined_admindomain)
++dev_dontaudit_getattr_all_chr_files(confined_admindomain)
++dev_getattr_mtrr_dev(confined_admindomain)
++
++# When the user domain runs ps, there will be a number of access
++# denials when ps tries to search /proc. Do not audit these denials.
++domain_dontaudit_read_all_domains_state(confined_admindomain)
++domain_dontaudit_getattr_all_domains(confined_admindomain)
++domain_dontaudit_getsession_all_domains(confined_admindomain)
++dev_dontaudit_all_access_check(confined_admindomain)
++
++files_read_etc_files(confined_admindomain)
++files_list_mnt(confined_admindomain)
++files_list_var(confined_admindomain)
++files_read_mnt_files(confined_admindomain)
++files_dontaudit_all_access_check(confined_admindomain)
++files_read_etc_runtime_files(confined_admindomain)
++files_read_usr_files(confined_admindomain)
++files_read_usr_src_files(confined_admindomain)
++# Read directories and files with the readable_t type.
++# This type is a general type for "world"-readable files.
++files_list_world_readable(confined_admindomain)
++files_read_world_readable_files(confined_admindomain)
++files_read_world_readable_symlinks(confined_admindomain)
++files_read_world_readable_pipes(confined_admindomain)
++files_read_world_readable_sockets(confined_admindomain)
++# old broswer_domain():
++files_dontaudit_getattr_all_dirs(confined_admindomain)
++files_dontaudit_list_non_security(confined_admindomain)
++files_dontaudit_getattr_all_files(confined_admindomain)
++files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
++files_dontaudit_getattr_non_security_pipes(confined_admindomain)
++files_dontaudit_getattr_non_security_sockets(confined_admindomain)
++files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
++
++files_exec_usr_files(confined_admindomain)
++
++fs_list_cgroup_dirs(confined_admindomain)
++fs_dontaudit_rw_cgroup_files(confined_admindomain)
++
++storage_rw_fuse(confined_admindomain)
++
++init_stream_connect(confined_admindomain)
++# The library functions always try to open read-write first,
++# then fall back to read-only if it fails.
++init_dontaudit_rw_utmp(confined_admindomain)
++
++libs_exec_ld_so(confined_admindomain)
++
++miscfiles_read_generic_certs(confined_admindomain)
++
++miscfiles_read_all_certs(confined_admindomain)
++miscfiles_read_public_files(confined_admindomain)
++
++systemd_dbus_chat_logind(confined_admindomain)
++systemd_read_logind_sessions_files(confined_admindomain)
++systemd_write_inhibit_pipes(confined_admindomain)
++systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
++systemd_login_read_pid_files(confined_admindomain)
++tunable_policy(`deny_execmem',`', `
++ # Allow loading DSOs that require executable stack.
++ allow confined_admindomain self:process execmem;
++')
++
++tunable_policy(`selinuxuser_execstack',`
++ # Allow making the stack executable via mprotect.
++ allow confined_admindomain self:process execstack;
++')
++
++optional_policy(`
++ fs_list_cgroup_dirs(confined_admindomain)
++')
++
++optional_policy(`
++ ssh_rw_stream_sockets(confined_admindomain)
++ ssh_delete_tmp(confined_admindomain)
++ ssh_signal(confined_admindomain)
++')
+diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
+index e79d545..101086d 100644
+--- a/policy/support/misc_patterns.spt
++++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
++# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+ 
+ # compatibility:
+@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
+ domain_transition_pattern($1,$2,$3)
+ 
+ allow $3 $1:fd use;
+- allow $3 $1:fifo_file rw_fifo_file_perms;
++ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1:process sigchld;
+ ')
+ 
+@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+ 
+ allow $3 $1:fd use;
+- allow $3 $1:fifo_file rw_fifo_file_perms;
++ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ allow $3 $1:process sigchld;
+ ')
+ 
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 6e91317..64e135a 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+-
++define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+ 
+ #
+ # Datagram socket classes.
+@@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
+ #
+ # Permissions for using sockets.
+ #
+-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
++define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
+ 
+ #
+ # Permissions for creating and using sockets.
+@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+ #
+ define(`getattr_file_perms',`{ getattr }')
+ define(`setattr_file_perms',`{ setattr }')
+-define(`read_file_perms',`{ getattr open read lock ioctl }')
++define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
++define(`read_file_perms',`{ open read_inherited_file_perms }')
+ define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+ define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+-define(`append_file_perms',`{ getattr open append lock ioctl }')
+-define(`write_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
++define(`append_inherited_file_perms',`{ getattr append }')
++define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
++define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
++define(`write_file_perms',`{ open write_inherited_file_perms }')
++define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_file_perms',`{ open rw_inherited_file_perms }')
+ define(`create_file_perms',`{ getattr create open }')
+ define(`rename_file_perms',`{ getattr rename }')
+ define(`delete_file_perms',`{ getattr unlink }')
+@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+ define(`create_lnk_file_perms',`{ create getattr }')
+ define(`rename_lnk_file_perms',`{ getattr rename }')
+ define(`delete_lnk_file_perms',`{ getattr unlink }')
+-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
++define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
+ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
+ define(`create_fifo_file_perms',`{ getattr create open }')
+ define(`rename_fifo_file_perms',`{ getattr rename }')
+ define(`delete_fifo_file_perms',`{ getattr unlink }')
+@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+ define(`setattr_sock_file_perms',`{ setattr }')
+ define(`read_sock_file_perms',`{ getattr open read }')
+ define(`write_sock_file_perms',`{ getattr write open append }')
+-define(`rw_sock_file_perms',`{ getattr open read write append }')
++define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
++define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
+ define(`create_sock_file_perms',`{ getattr create open }')
+ define(`rename_sock_file_perms',`{ getattr rename }')
+ define(`delete_sock_file_perms',`{ getattr unlink }')
+@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
+ define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
+ define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
+ define(`create_chr_file_perms',`{ getattr create }')
+ define(`rename_chr_file_perms',`{ getattr rename }')
+ define(`delete_chr_file_perms',`{ getattr unlink }')
+@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+ #
+ # Use (read and write) terminals
+ #
+-define(`rw_term_perms', `{ getattr open read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
++define(`rw_term_perms', `{ rw_inherited_term_perms open }')
+ 
+ #
+ # Sockets
+@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+ # Keys
+ #
+ define(`manage_key_perms', `{ create link read search setattr view write } ')
++
++#
++# Service
++#
++define(`manage_service_perms', `{ start stop status reload } ')
+diff --git a/policy/users b/policy/users
+index c4ebc7e..30d6d7a 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity for a Linux user. If you do not want to
+ # permit any access to such users, then remove this entry.
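Review bot: In the `@@ -4,7 +4,7 @@` hunk of misc_patterns.spt the `dontaudit $1 $3:process { noatsecure siginh rlimitinh };` line of `domain_transition_pattern` is commented out instead of deleted, which leaves dead code in a macro every domain transition expands and silently changes behaviour: those three process denials are now audited on every transition built with this pattern. If surfacing them is the intent, replace the commented line with a comment that says so, e.g. `# noatsecure/siginh/rlimitinh denials are intentionally audited; callers dontaudit them per domain`; otherwise remove the line. The two following hunks in this file switch `$3 $1:fifo_file` to `rw_inherited_fifo_file_perms`, which depends on the definition this same patch adds in obj_perm_sets.spt, so the two files must land together.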
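Review bot: The new `read_inherited_file_perms`, `append_inherited_file_perms`, `write_inherited_file_perms` and `rw_inherited_file_perms` sets in the `@@ -153,12 +152,16 @@` hunk carry no comment explaining how they differ from the existing sets; the only visible difference is that `open` is absent, and a reader has to diff the sets to discover that. A one-line comment above the group would fix this, e.g. `# *_inherited_* sets omit open: use them for descriptors a domain inherits or is passed, not files it opens itself`. The same applies to the fifo, sock, blk, chr and term variants introduced in the later hunks of this file, and `rw_term_perms` lists `open` after the macro while every other set lists it first. `manage_lnk_file_perms` in the next hunk also gains `append ioctl lock`; if that widening is deliberate it deserves a word in the commit message.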
+ #
+-gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-
+-# Until order dependence is fixed for users:
+-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # The following users correspond to Unix identities.
+@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+ # role should use the staff_r role instead of the user_r role when
+ # not in the sysadm_r.
+ #
+-ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-')
++gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --git a/support/Makefile.devel b/support/Makefile.devel
+index b96e9b3..ff7340f 100644
+--- a/support/Makefile.devel
++++ b/support/Makefile.devel
+@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
+ # set default build options if missing
+ TYPE ?= standard
+ DIRECT_INITRC ?= n
+-POLY ?= n
+ QUIET ?= y
+ 
+ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
new file mode 100644
index 0000000..dd591e7
--- /dev/null
+++ b/policy-f20-contrib.patch
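Review bot: The new `gen_user(root, user, unconfined_r sysadm_r staff_r ... system_r, ...)` drops the `direct_sysadm_daemon` conditional, so root now receives `system_r` unconditionally and additionally `unconfined_r`; the two earlier hunks in this file likewise add `unconfined_r` to `system_u` and `system_r` to `staff_u`, and the `unconfined_u` declaration is removed without any comment saying where it now lives. These are role-set expansions for the most privileged identities, and the surrounding comments still describe the old shape. A short comment above the root line would make the intent auditable, e.g. `# root and system_u carry unconfined_r; unconfined_u is declared in <MODULE-PLACEHOLDER>`. The prefix argument of `staff_u` and `sysadm_u` also changes from `staff`/`sysadm` to `user`; if a single shared prefix is intended, say so, because it reads like a copy-paste slip.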
@@ -0,0 +1,100911 @@
+diff --git a/abrt.fc b/abrt.fc
+index e4f84de..2ed712d 100644
+--- a/abrt.fc
++++ b/abrt.fc
+@@ -1,30 +1,42 @@
+-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+ 
+-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
++
++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
++
++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+ 
+-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ 
+-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++
++/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
++
++/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+ 
+-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+ 
+-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
++# ABRT retrace server
++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+ 
+-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+ 
+-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++# cjp: new version
++/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+diff --git a/abrt.if b/abrt.if
+index 058d908..702b716 100644
+--- a/abrt.if
++++ b/abrt.if
+@@ -1,4 +1,26 @@
+-## Automated bug-reporting tool.
++## ABRT - automated bug-reporting tool
++
++######################################
++##
++## Creates types and rules for a basic
++## ABRT daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`abrt_basic_types_template',`
++ gen_require(`
++ attribute abrt_domain;
++ ')
++
++ type $1_t, abrt_domain;
++ type $1_exec_t;
++
++ kernel_read_system_state($1_t)
++')
+ 
+ ######################################
+ ##
+@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+ 
+ ########################################
+ ##
+-## Send null signals to abrt.
++## Send a null signal to abrt.
+ ##
+ ##
+ ##
+@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+ 
+ ########################################
+ ##
+-## Read process state of abrt.
++## Allow the domain to read abrt state files in /proc.
+ ##
+ ##
+ ##
+@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+ type abrt_t;
+ ')
+ 
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+ ')
+ 
+ ########################################
+ ##
+-## Connect to abrt over an unix stream socket.
++## Connect to abrt over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+ 
+ #####################################
+ ##
+-## Execute abrt-helper in the abrt
+-## helper domain.
++## Execute abrt-helper in the abrt-helper domain.
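Review bot: `/var/run/abrtd?\.socket` changes its file-type field from `-s` to `--` in the abrt.fc hunk, so the entry now matches only regular files and a socket at that path no longer receives `abrt_var_run_t` from this line; it is not caught by `/var/run/abrt(/.*)?` either, since that pattern requires a `/` after `abrt`. The abrt.te hunk in this same patch keeps `manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)` and `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })`, which suggests a socket is still expected. Unless the socket is known to be gone, keep `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`.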
+ ## + ## + ## +@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',` + type abrt_helper_t, abrt_helper_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + ') + + ######################################## + ## +-## Execute abrt helper in the abrt +-## helper domain, and allow the +-## specified role the abrt helper domain. ++## Execute abrt helper in the abrt_helper domain, and ++## allow the specified role the abrt_helper domain. + ## + ## + ## +@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',` + # + interface(`abrt_run_helper',` + gen_require(` +- attribute_role abrt_helper_roles; ++ type abrt_helper_t; + ') + + abrt_domtrans_helper($1) +- roleattribute $2 abrt_helper_roles; ++ role $2 types abrt_helper_t; ++') ++ ++######################################## ++## ++## Read abrt cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_read_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## abrt cache files. ++## Append abrt cache + ## + ## + ## +@@ -172,15 +210,37 @@ interface(`abrt_run_helper',` + ## + ## + # +-interface(`abrt_cache_manage',` +- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') +- abrt_manage_cache($1) ++interface(`abrt_append_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ ++ allow $1 abrt_var_cache_t:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## abrt cache content. ++## Read/Write inherited abrt cache ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`abrt_rw_inherited_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ ++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Manage abrt cache + ## + ## + ## +@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',` + type abrt_var_cache_t; + ') + +- files_search_var($1) + manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) +@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',` + + #################################### + ## +-## Read abrt configuration files. ++## Read abrt configuration file. + ## + ## + ## +@@ -220,7 +279,7 @@ interface(`abrt_read_config',` + + ###################################### + ## +-## Read abrt log files. ++## Read abrt logs. + ## + ## + ## +@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',` + + ###################################### + ## +-## Create, read, write, and delete +-## abrt PID files. ++## Create, read, write, and delete abrt PID files. + ## + ## + ## +@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',` + manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) + ') + ++######################################## ++## ++## Read and write abrt fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_rw_fifo_file',` ++ gen_require(` ++ type abrt_t; ++ ') ++ ++ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Execute abrt server in the abrt domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`abrt_systemctl',` ++ gen_require(` ++ type abrt_t; ++ type abrt_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 abrt_unit_file_t:file manage_file_perms; ++ allow $1 abrt_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, abrt_t) ++') ++ + ##################################### + ## +-## All of the rules required to +-## administrate an abrt environment, ++## All of the rules required to administrate ++## an abrt environment + ## + ## + ## +@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the abrt domain. + ## + ## + ## + # + interface(`abrt_admin',` + gen_require(` +- attribute abrt_domain; +- type abrt_t, abrt_etc_t, abrt_initrc_exec_t; +- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t; +- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t; ++ type abrt_t, abrt_etc_t; ++ type abrt_var_cache_t, abrt_var_log_t; ++ type abrt_var_run_t, abrt_tmp_t; ++ type abrt_initrc_exec_t; ++ type abrt_unit_file_t; + ') + +- allow $1 abrt_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, abrt_domain) ++ allow $1 abrt_t:process { signal_perms }; ++ ps_process_pattern($1, abrt_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 abrt_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, abrt_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 abrt_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, abrt_etc_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, abrt_var_log_t) + +- files_search_var($1) +- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t }) ++ files_list_var($1) ++ admin_pattern($1, abrt_var_cache_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, abrt_var_run_t) + +- files_search_tmp($1) ++ files_list_tmp($1) + 
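Review bot: `abrt_systemctl` grants `allow $1 abrt_unit_file_t:file manage_file_perms;`, so every caller of this interface may create, write and unlink abrt's unit files, not merely start or stop the service, while its summary only promises "Execute abrt server in the abrt domain". Domains that should edit unit files get that through `abrt_admin`, which applies `admin_pattern($1, abrt_unit_file_t)` itself, so the line here could be narrowed to `allow $1 abrt_unit_file_t:file read_file_perms;`, which is likely all systemctl needs. The parameter text "Domain allowed to transition." is also inaccurate: nothing in the body performs a domain transition, so "Domain allowed access." would match the other interfaces in this file.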
admin_pattern($1, abrt_tmp_t) ++ ++ abrt_systemctl($1) ++ admin_pattern($1, abrt_unit_file_t) ++ allow $1 abrt_unit_file_t:service all_service_perms; ++') ++ ++#################################### ++## ++## Execute abrt-retrace in the abrt-retrace domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`abrt_domtrans_retrace_worker',` ++ gen_require(` ++ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t) ++') ++ ++###################################### ++## ++## Manage abrt retrace server cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_manage_spool_retrace',` ++ gen_require(` ++ type abrt_retrace_spool_t; ++ ') ++ ++ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++') ++ ++##################################### ++## ++## Read abrt retrace server cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_read_spool_retrace',` ++ gen_require(` ++ type abrt_retrace_spool_t; ++ ') ++ ++ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++') ++ ++ ++##################################### ++## ++## Read abrt retrace server cache ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`abrt_read_cache_retrace',` ++ gen_require(` ++ type abrt_retrace_cache_t; ++ ') ++ ++ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) ++ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) ++ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + ') ++ ++######################################## ++## ++## Do not audit attempts to write abrt sock files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`abrt_dontaudit_write_sock_file',` ++ gen_require(` ++ type abrt_t; ++ ') ++ ++ dontaudit $1 abrt_t:sock_file write; ++') ++ ++######################################## ++## ++## Transition to abrt named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_filetrans_named_content',` ++ gen_require(` ++ type abrt_tmp_t; ++ type abrt_etc_t; ++ type abrt_var_cache_t; ++ type abrt_var_run_t; ++ ') ++ ++ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt") ++ files_etc_filetrans($1, abrt_etc_t, dir, "abrt") ++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt") ++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix") ++ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt") ++') ++ +diff --git a/abrt.te b/abrt.te +index cc43d25..1ec0046 100644 +--- a/abrt.te ++++ b/abrt.te +@@ -1,4 +1,4 @@ +-policy_module(abrt, 1.3.4) ++policy_module(abrt, 1.2.0) + + ######################################## + # +@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4) + # + + ## +-##
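Review bot: `files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")` in `abrt_filetrans_named_content` names a directory that no entry in the abrt.fc hunk labels; the fc file has `/var/cache/abrt-di(/.*)?`, so this looks like a typo for `"abrt-di"`, and as written the named transition never fires for the directory that actually exists. Separately, `abrt_admin` now requires only `abrt_t` instead of the `abrt_domain` attribute and drops `abrt_retrace_cache_t`/`abrt_retrace_spool_t` from its `admin_pattern`, so an admin role can no longer signal the other abrt domains or clean the retrace cache and spool; if that narrowing is intended, a comment in the interface saying so would keep it from being read as an oversight. The doubled blank lines inside `abrt_append_cache` and `abrt_rw_inherited_cache` in the earlier hunk are a style nit.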

    +-## Determine whether ABRT can modify +-## public files used for public file +-## transfer services. +-##

    ++##

    ++## Allow ABRT to modify public files ++## used for public file transfer services. ++##

    + ##
    + gen_tunable(abrt_anon_write, false) + + ## +-##

    +-## Determine whether ABRT can run in +-## the abrt_handle_event_t domain to +-## handle ABRT event scripts. +-##

    ++##

    ++## Allow abrt-handle-upload to modify public files ++## used for public file transfer services in /var/spool/abrt-upload/. ++##

    ++##
    ++gen_tunable(abrt_upload_watch_anon_write, true) ++ ++## ++##

    ++## Allow ABRT to run in abrt_handle_event_t domain ++## to handle ABRT event scripts ++##

    + ##
    + gen_tunable(abrt_handle_event, false) + + attribute abrt_domain; + +-attribute_role abrt_helper_roles; +-roleattribute system_r abrt_helper_roles; +- +-type abrt_t, abrt_domain; +-type abrt_exec_t; ++abrt_basic_types_template(abrt) + init_daemon_domain(abrt_t, abrt_exec_t) + + type abrt_initrc_exec_t; + init_script_file(abrt_initrc_exec_t) + ++type abrt_unit_file_t; ++systemd_unit_file(abrt_unit_file_t) ++ ++# etc files + type abrt_etc_t; + files_config_file(abrt_etc_t) + ++# log files + type abrt_var_log_t; + logging_log_file(abrt_var_log_t) + + type abrt_tmp_t; + files_tmp_file(abrt_tmp_t) + ++# var/cache files + type abrt_var_cache_t; + files_type(abrt_var_cache_t) ++files_tmp_file(abrt_var_cache_t) ++userdom_user_tmp_content(abrt_var_cache_t) + ++# pid files + type abrt_var_run_t; + files_pid_file(abrt_var_run_t) + +-type abrt_dump_oops_t, abrt_domain; +-type abrt_dump_oops_exec_t; ++abrt_basic_types_template(abrt_dump_oops) + init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) + +-type abrt_handle_event_t, abrt_domain; +-type abrt_handle_event_exec_t; +-domain_type(abrt_handle_event_t) +-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t) ++# type for abrt-handle-event to handle ++# ABRT event scripts ++abrt_basic_types_template(abrt_handle_event) ++application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) + role system_r types abrt_handle_event_t; + +-type abrt_helper_t, abrt_domain; +-type abrt_helper_exec_t; ++# type needed to allow all domains ++# to handle /var/cache/abrt ++# type needed to allow all domains ++# to handle /var/cache/abrt ++abrt_basic_types_template(abrt_helper) + application_domain(abrt_helper_t, abrt_helper_exec_t) +-role abrt_helper_roles types abrt_helper_t; ++role system_r types abrt_helper_t; + +-type abrt_retrace_coredump_t, abrt_domain; +-type abrt_retrace_coredump_exec_t; +-domain_type(abrt_retrace_coredump_t) +-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) +-role 
system_r types abrt_retrace_coredump_t; ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ++') ++ ++# ++# Support for ABRT retrace server + +-type abrt_retrace_worker_t, abrt_domain; +-type abrt_retrace_worker_exec_t; +-domain_type(abrt_retrace_worker_t) +-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) ++# ++abrt_basic_types_template(abrt_retrace_worker) ++application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) + role system_r types abrt_retrace_worker_t; + ++abrt_basic_types_template(abrt_retrace_coredump) ++application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) ++role system_r types abrt_retrace_coredump_t; ++ + type abrt_retrace_cache_t; + files_type(abrt_retrace_cache_t) + + type abrt_retrace_spool_t; +-files_type(abrt_retrace_spool_t) ++files_spool_file(abrt_retrace_spool_t) + +-type abrt_watch_log_t, abrt_domain; +-type abrt_watch_log_exec_t; ++# Support abrt-watch log ++abrt_basic_types_template(abrt_watch_log) + init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) + +-ifdef(`enable_mcs',` +- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) +-') ++# Support for abrt-upload-watch ++abrt_basic_types_template(abrt_upload_watch) ++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) ++ ++type abrt_upload_watch_tmp_t; ++files_tmp_file(abrt_upload_watch_tmp_t) + + ######################################## + # +-# Local policy ++# abrt local policy + # + +-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; +-dontaudit abrt_t self:capability sys_rawio; ++allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; ++dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; + allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; ++ + allow abrt_t self:fifo_file rw_fifo_file_perms; +-allow abrt_t 
self:tcp_socket { accept listen }; ++allow abrt_t self:tcp_socket create_stream_socket_perms; ++allow abrt_t self:udp_socket create_socket_perms; ++allow abrt_t self:unix_dgram_socket create_socket_perms; ++allow abrt_t self:netlink_route_socket r_netlink_socket_perms; + +-allow abrt_t abrt_etc_t:dir list_dir_perms; ++# abrt etc files ++list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) + rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) + ++# log file + manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) + logging_log_filetrans(abrt_t, abrt_var_log_t, file) + +@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) + manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) + manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) + files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) ++can_exec(abrt_t, abrt_tmp_t) + ++# abrt var/cache files + manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) + files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) ++files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") + ++# abrt pid files + manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) + +-can_exec(abrt_t, abrt_tmp_t) ++manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) + + kernel_read_ring_buffer(abrt_t) +-kernel_read_system_state(abrt_t) ++kernel_read_network_state(abrt_t) + 
kernel_request_load_module(abrt_t) + kernel_rw_kernel_sysctl(abrt_t) + +@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t) + corecmd_read_all_executables(abrt_t) + + corenet_all_recvfrom_netlabel(abrt_t) +-corenet_all_recvfrom_unlabeled(abrt_t) + corenet_tcp_sendrecv_generic_if(abrt_t) + corenet_tcp_sendrecv_generic_node(abrt_t) +-corenet_tcp_sendrecv_all_ports(abrt_t) ++corenet_tcp_sendrecv_generic_port(abrt_t) + corenet_tcp_bind_generic_node(abrt_t) +- +-corenet_sendrecv_all_client_packets(abrt_t) + corenet_tcp_connect_http_port(abrt_t) + corenet_tcp_connect_ftp_port(abrt_t) + corenet_tcp_connect_all_ports(abrt_t) ++corenet_sendrecv_http_client_packets(abrt_t) + + dev_getattr_all_chr_files(abrt_t) + dev_getattr_all_blk_files(abrt_t) +@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t) + files_read_config_files(abrt_t) + files_read_etc_runtime_files(abrt_t) + files_read_var_symlinks(abrt_t) +-files_read_usr_files(abrt_t) ++files_read_var_lib_files(abrt_t) ++files_read_generic_tmp_files(abrt_t) + files_read_kernel_modules(abrt_t) ++files_dontaudit_list_default(abrt_t) + files_dontaudit_read_default_files(abrt_t) + files_dontaudit_read_all_symlinks(abrt_t) + files_dontaudit_getattr_all_sockets(abrt_t) + files_list_mnt(abrt_t) ++fs_list_all(abrt_t) + ++fs_list_inotifyfs(abrt_t) + fs_getattr_all_fs(abrt_t) + fs_getattr_all_dirs(abrt_t) +-fs_list_inotifyfs(abrt_t) + fs_read_fusefs_files(abrt_t) + fs_read_noxattr_fs_files(abrt_t) + fs_read_nfs_files(abrt_t) + fs_read_nfs_symlinks(abrt_t) + fs_search_all(abrt_t) + ++logging_read_generic_logs(abrt_t) ++logging_send_syslog_msg(abrt_t) ++ + auth_use_nsswitch(abrt_t) + +-logging_read_generic_logs(abrt_t) ++init_read_utmp(abrt_t) + ++miscfiles_read_generic_certs(abrt_t) + miscfiles_read_public_files(abrt_t) + + userdom_dontaudit_read_user_home_content_files(abrt_t) ++userdom_dontaudit_read_admin_home_files(abrt_t) + + tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +@@ -193,15 +231,11 @@ 
tunable_policy(`abrt_anon_write',` + + optional_policy(` + apache_list_modules(abrt_t) +- apache_read_module_files(abrt_t) ++ apache_read_modules(abrt_t) + ') + + optional_policy(` + dbus_system_domain(abrt_t, abrt_exec_t) +- +- optional_policy(` +- policykit_dbus_chat(abrt_t) +- ') + ') + + optional_policy(` +@@ -209,6 +243,20 @@ optional_policy(` + ') + + optional_policy(` ++ kdump_read_crash(abrt_t) ++') ++ ++optional_policy(` ++ mcelog_read_log(abrt_t) ++') ++ ++optional_policy(` ++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) ++ mozilla_plugin_read_rw_files(abrt_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +@@ -220,6 +268,7 @@ optional_policy(` + corecmd_exec_all_executables(abrt_t) + ') + ++# to install debuginfo packages + optional_policy(` + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) +@@ -230,6 +279,7 @@ optional_policy(` + rpm_signull(abrt_t) + ') + ++# to run mailx plugin + optional_policy(` + sendmail_domtrans(abrt_t) + ') +@@ -240,9 +290,17 @@ optional_policy(` + sosreport_delete_tmp_files(abrt_t) + ') + ++optional_policy(` ++ sssd_stream_connect(abrt_t) ++') ++ ++optional_policy(` ++ xserver_read_log(abrt_t) ++') ++ + ####################################### + # +-# Handle-event local policy ++# abrt-handle-event local policy + # + + allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; +@@ -253,9 +311,13 @@ tunable_policy(`abrt_handle_event',` + can_exec(abrt_t, abrt_handle_event_exec_t) + ') + ++optional_policy(` ++ unconfined_domain(abrt_handle_event_t) ++') ++ + ######################################## + # +-# Helper local policy ++# abrt--helper local policy + # + + allow abrt_helper_t self:capability { chown setgid sys_nice }; +@@ -268,6 +330,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + 
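Review bot: `unconfined_domain(abrt_handle_event_t)` in the hunk at old line 253 undoes the confinement that `application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)` in the declarations hunk sets up, so every ABRT event script runs with unconfined access; the `abrt_handle_event` tunable only governs whether abrt_t may execute the handler and does not narrow this grant. If this is a stop-gap while the scripts' needs are enumerated, say so in a comment next to it, and consider `permissive abrt_handle_event_t;` instead, which records the missing rules in the audit log without granting them; if it is meant to be permanent, the per-domain rules for abrt_handle_event_t above become dead weight. Minor: the section heading `# abrt--helper local policy` has a doubled hyphen.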
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) ++files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt") + + read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -276,15 +339,20 @@ corecmd_read_all_executables(abrt_helper_t) + + domain_read_all_domains_state(abrt_helper_t) + ++files_dontaudit_all_non_security_leaks(abrt_helper_t) ++ + fs_list_inotifyfs(abrt_helper_t) + fs_getattr_all_fs(abrt_helper_t) + + auth_use_nsswitch(abrt_helper_t) + ++logging_send_syslog_msg(abrt_helper_t) ++ + term_dontaudit_use_all_ttys(abrt_helper_t) + term_dontaudit_use_all_ptys(abrt_helper_t) + + ifdef(`hide_broken_symptoms',` ++ domain_dontaudit_leaks(abrt_helper_t) + userdom_dontaudit_read_user_home_content_files(abrt_helper_t) + userdom_dontaudit_read_user_tmp_files(abrt_helper_t) + dev_dontaudit_read_all_blk_files(abrt_helper_t) +@@ -292,11 +360,25 @@ ifdef(`hide_broken_symptoms',` + dev_dontaudit_write_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_blk_files(abrt_helper_t) + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) ++ ++ optional_policy(` ++ rpm_dontaudit_leaks(abrt_helper_t) ++ ') ++') ++ ++ifdef(`hide_broken_symptoms',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ allow abrt_t self:capability sys_resource; ++ allow abrt_t domain:file write; ++ allow abrt_t domain:process setrlimit; + ') + + ####################################### + # +-# Retrace coredump policy ++# abrt retrace coredump policy + # + + allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; +@@ -314,10 +396,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) + + dev_read_urand(abrt_retrace_coredump_t) + +-files_read_usr_files(abrt_retrace_coredump_t) ++ ++logging_send_syslog_msg(abrt_retrace_coredump_t) + + sysnet_dns_name_resolve(abrt_retrace_coredump_t) + ++# to install debuginfo packages + 
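Review bot: The second `ifdef(`hide_broken_symptoms'` block in the hunk at old line 292 adds `allow abrt_t domain:file write;` and `allow abrt_t domain:process setrlimit;` plus `sys_resource`, which in practice is write access to the /proc entries of every domain on the system, whereas the adjacent block for abrt_helper_t holds only `dontaudit` rules, the conventional use of that macro. Presumably this is about adjusting limits of the crashing process; if so the rules deserve their own section outside `hide_broken_symptoms` with a comment naming the denial they resolve, and the `domain:file write` part should be checked against the actual denial rather than granted wholesale. Merging the two adjacent `hide_broken_symptoms` blocks would also remove the duplicated conditional.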
optional_policy(` + rpm_exec(abrt_retrace_coredump_t) + rpm_dontaudit_manage_db(abrt_retrace_coredump_t) +@@ -330,10 +414,11 @@ optional_policy(` + + ####################################### + # +-# Retrace worker policy ++# abrt retrace worker policy + # + +-allow abrt_retrace_worker_t self:capability setuid; ++allow abrt_retrace_worker_t self:capability { setuid }; ++ + allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; + + domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) +@@ -352,46 +437,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) + + dev_read_urand(abrt_retrace_worker_t) + +-files_read_usr_files(abrt_retrace_worker_t) ++ ++logging_send_syslog_msg(abrt_retrace_worker_t) + + sysnet_dns_name_resolve(abrt_retrace_worker_t) + ++optional_policy(` ++ mock_domtrans(abrt_retrace_worker_t) ++ mock_manage_lib_files(abrt_t) ++') ++ + ######################################## + # +-# Dump oops local policy ++# abrt_dump_oops local policy + # + + allow abrt_dump_oops_t self:capability dac_override; + allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; +-allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; ++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; + + files_search_spool(abrt_dump_oops_t) + manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) + manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt") + + read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + + read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) + ++kernel_read_debugfs(abrt_dump_oops_t) + kernel_read_kernel_sysctls(abrt_dump_oops_t) + 
kernel_read_ring_buffer(abrt_dump_oops_t) + + domain_use_interactive_fds(abrt_dump_oops_t) + + fs_list_inotifyfs(abrt_dump_oops_t) ++fs_list_pstorefs(abrt_dump_oops_t) + + logging_read_generic_logs(abrt_dump_oops_t) ++logging_send_syslog_msg(abrt_dump_oops_t) + + ####################################### + # +-# Watch log local policy ++# abrt_watch_log local policy + # + + allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; +-allow abrt_watch_log_t self:unix_stream_socket { accept listen }; ++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms; + + read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) + +@@ -400,16 +495,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) + corecmd_exec_bin(abrt_watch_log_t) + + logging_read_all_logs(abrt_watch_log_t) ++logging_send_syslog_msg(abrt_watch_log_t) ++ ++#optional_policy(` ++# unconfined_domain(abrt_watch_log_t) ++#') + + ####################################### + # +-# Global local policy ++# abrt-upload-watch local policy + # + +-kernel_read_system_state(abrt_domain) ++allow abrt_upload_watch_t self:capability dac_override; + +-files_read_etc_files(abrt_domain) ++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) ++ ++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) ++ ++manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) ++ ++corecmd_exec_bin(abrt_upload_watch_t) ++ ++dev_read_urand(abrt_upload_watch_t) ++ ++files_search_spool(abrt_upload_watch_t) ++ ++auth_read_passwd(abrt_upload_watch_t) + +-logging_send_syslog_msg(abrt_domain) ++tunable_policy(`abrt_upload_watch_anon_write',` ++ 
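Review bot: `mock_manage_lib_files(abrt_t)` in the new `optional_policy` of the hunk at old line 352 grants the abrt_t daemon itself, not abrt_retrace_worker_t, management of mock's lib files, although it sits in the retrace-worker section beside `mock_domtrans(abrt_retrace_worker_t)`. If the worker is the domain that drives mock this looks like a copy-paste slip and should read `mock_manage_lib_files(abrt_retrace_worker_t)`; if abrt_t genuinely needs it, it belongs in the abrt local policy section with a comment. Minor: `allow abrt_retrace_worker_t self:capability { setuid };` braces a single permission, unlike the rest of the file.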
miscfiles_manage_public_files(abrt_upload_watch_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(abrt_upload_watch_t) ++') ++ ++####################################### ++# ++# Local policy for all abrt domain ++# + +-miscfiles_read_localization(abrt_domain) ++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; ++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; ++ ++files_read_etc_files(abrt_domain) +diff --git a/accountsd.fc b/accountsd.fc +index f9d8d7a..0682710 100644 +--- a/accountsd.fc ++++ b/accountsd.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) ++ + /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + + /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) +diff --git a/accountsd.if b/accountsd.if +index bd5ec9a..a5ed692 100644 +--- a/accountsd.if ++++ b/accountsd.if +@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',` + ##
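Review bot: `tunable_policy(`abrt_upload_watch_anon_write',` in the hunk at old line 400 uses a tunable whose `gen_tunable` declaration is not in the visible part of this patch; the declarations hunk is cut off above, so it may be there, but if it is not the module will not build. The commented-out `#optional_policy(` / `# unconfined_domain(abrt_watch_log_t)` lines are dead code and should be dropped rather than kept. Note also that this hunk removes `kernel_read_system_state(abrt_domain)` while the earlier hunk replaced `kernel_read_system_state(abrt_t)` with `kernel_read_network_state(abrt_t)`, so unless `abrt_basic_types_template` grants it, no abrt domain can read kernel and process state any more; worth confirming that is intended.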
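Review bot: The new context `/usr/lib/systemd/system/accountsd.*` requires the literal prefix `accountsd`, but the accountsservice unit is, as far as I know, named `accounts-daemon.service`, so this pattern would match nothing and `accountsd_unit_file_t` would never be applied; the `accountsd_systemctl` interface added in accountsd.if would then have no unit file to act on. Suggest `/usr/lib/systemd/system/accounts-daemon\.service -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)`, escaping the dot as the other file contexts in this patch do.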
    + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## +-## ++# ++interface(`accountsd_systemctl',` ++ gen_require(` ++ type accountsd_t; ++ type accountsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 accountsd_unit_file_t:file read_file_perms; ++ allow $1 accountsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, accountsd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an accountsd environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # + interface(`accountsd_admin',` + gen_require(` + type accountsd_t; ++ type accountsd_unit_file_t; + ') + +- allow $1 accountsd_t:process { ptrace signal_perms }; ++ allow $1 accountsd_t:process signal_perms; + ps_process_pattern($1, accountsd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 accountsd_t:process ptrace; ++ ') ++ + accountsd_manage_lib_files($1) ++ ++ accountsd_systemctl($1) ++ admin_pattern($1, accountsd_unit_file_t) ++ allow $1 accountsd_unit_file_t:service all_service_perms; + ') +diff --git a/accountsd.te b/accountsd.te +index 313b33f..6e0a894 100644 +--- a/accountsd.te ++++ b/accountsd.te +@@ -4,6 +4,10 @@ gen_require(` + class passwd all_passwd_perms; + ') + ++gen_require(` ++ class passwd { passwd chfn chsh rootok crontab }; ++') ++ + ######################################## + # + # Declarations +@@ -11,11 +15,15 @@ gen_require(` + + type accountsd_t; + type accountsd_exec_t; +-dbus_system_domain(accountsd_t, accountsd_exec_t) ++init_daemon_domain(accountsd_t, accountsd_exec_t) ++role system_r types accountsd_t; + + type accountsd_var_lib_t; + files_type(accountsd_var_lib_t) + ++type accountsd_unit_file_t; ++systemd_unit_file(accountsd_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t) + dev_read_sysfs(accountsd_t) + + 
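Review bot: The added `gen_require(` class passwd { passwd chfn chsh rootok crontab }; ')` sits three lines below the existing `gen_require(` class passwd all_passwd_perms; ')`, so the same class is required twice with overlapping permission sets. Fold the named permissions into the existing block, or drop the new one if `all_passwd_perms` already covers them, so there is a single requirement.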
files_read_mnt_files(accountsd_t) +-files_read_usr_files(accountsd_t) + + fs_getattr_xattr_fs(accountsd_t) + fs_list_inotifyfs(accountsd_t) +@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t) + auth_read_login_records(accountsd_t) + auth_read_shadow(accountsd_t) + +-miscfiles_read_localization(accountsd_t) ++init_dbus_chat(accountsd_t) + ++logging_list_logs(accountsd_t) + logging_send_syslog_msg(accountsd_t) + logging_set_loginuid(accountsd_t) + +@@ -65,9 +73,16 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_domain(accountsd_t, accountsd_exec_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(accountsd_t) + ') + + optional_policy(` + xserver_read_xdm_tmp_files(accountsd_t) ++ xserver_read_state_xdm(accountsd_t) ++ xserver_dbus_chat_xdm(accountsd_t) ++ xserver_manage_xdm_etc_files(accountsd_t) + ') +diff --git a/acct.if b/acct.if +index 81280d0..bc4038b 100644 +--- a/acct.if ++++ b/acct.if +@@ -83,6 +83,24 @@ interface(`acct_manage_data',` + + ######################################## + ## ++## Dontaudit Attempts to list acct_data directory ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`acct_dontaudit_list_data',` ++ gen_require(` ++ type acct_data_t; ++ ') ++ ++ dontaudit $1 acct_data_t:dir list_dir_perms; ++') ++ ++####################################### ++## + ## All of the rules required to + ## administrate an acct environment. 
+ ## +@@ -103,9 +121,13 @@ interface(`acct_admin',` + type acct_t, acct_initrc_exec_t, acct_data_t; + ') + +- allow $1 acct_t:process { ptrace signal_perms }; ++ allow $1 acct_t:process { signal_perms }; + ps_process_pattern($1, acct_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 acct_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, acct_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 acct_initrc_exec_t system_r; +diff --git a/acct.te b/acct.te +index 1a1c91a..d538827 100644 +--- a/acct.te ++++ b/acct.te +@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t) + dev_read_sysfs(acct_t) + dev_read_urand(acct_t) + +-domain_use_interactive_fds(acct_t) +- + fs_search_auto_mountpoints(acct_t) + fs_getattr_xattr_fs(acct_t) + +@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t) + term_dontaudit_use_generic_ptys(acct_t) + + files_read_etc_runtime_files(acct_t) +-files_list_usr(acct_t) + + auth_use_nsswitch(acct_t) + +@@ -59,8 +56,6 @@ init_exec_script_files(acct_t) + + logging_send_syslog_msg(acct_t) + +-miscfiles_read_localization(acct_t) +- + userdom_dontaudit_search_user_home_dirs(acct_t) + userdom_dontaudit_use_unpriv_user_fds(acct_t) + +diff --git a/ada.te b/ada.te +index 8b5ad06..8ce8f26 100644 +--- a/ada.te ++++ b/ada.te +@@ -20,7 +20,7 @@ role ada_roles types ada_t; + + allow ada_t self:process { execstack execmem }; + +-userdom_use_user_terminals(ada_t) ++userdom_use_inherited_user_terminals(ada_t) + + optional_policy(` + unconfined_domain(ada_t) +diff --git a/afs.if b/afs.if +index 3b41be6..97d99f9 100644 +--- a/afs.if ++++ b/afs.if +@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',` + + ######################################## + ## ++## Read AFS config data ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`afs_read_config',` ++ gen_require(` ++ type afs_config_t; ++ ') ++ ++ read_files_pattern($1, afs_config_t, afs_config_t) ++') ++ ++######################################## ++## + ## Read and write afs cache files. + ## + ## +@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',` + interface(`afs_admin',` + gen_require(` + attribute afs_domain; +- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; ++ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; + type afs_ka_db_t, afs_vl_db_t, afs_config_t; + type afs_logfile_t, afs_cache_t, afs_files_t; + ') + +- allow $1 afs_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, afs_domain) ++ allow $1 afs_t:process signal_perms; ++ ps_process_pattern($1, afs_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 afs_t:process ptrace; ++ ') + + afs_initrc_domtrans($1) + domain_system_change_exemption($1) +diff --git a/afs.te b/afs.te +index 6690cdf..7726644 100644 +--- a/afs.te ++++ b/afs.te +@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) + + kernel_rw_afs_state(afs_t) + ++corenet_all_recvfrom_netlabel(afs_t) ++corenet_tcp_sendrecv_generic_if(afs_t) ++corenet_udp_sendrecv_generic_if(afs_t) ++corenet_tcp_sendrecv_generic_node(afs_t) ++corenet_udp_sendrecv_generic_node(afs_t) ++corenet_tcp_sendrecv_all_ports(afs_t) ++corenet_udp_sendrecv_all_ports(afs_t) ++corenet_udp_bind_generic_node(afs_t) ++ + files_mounton_mnt(afs_t) +-files_read_usr_files(afs_t) + files_rw_etc_runtime_files(afs_t) + + fs_getattr_xattr_fs(afs_t) +@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t) + + logging_send_syslog_msg(afs_t) + ++sysnet_dns_name_resolve(afs_t) ++ ++ifdef(`hide_broken_symptoms',` ++ kernel_rw_unlabeled_files(afs_t) ++') ++ + ######################################## + # + # AFS bossserver local policy +@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) + + kernel_read_kernel_sysctls(afs_bosserver_t) + 
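Review bot: `afs_admin` now grants `signal_perms`, `ps_process_pattern` and the conditional `ptrace` on `afs_t` alone, where the removed lines covered the `afs_domain` attribute; the other AFS server domains declared in afs.te (afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t, afs_vlserver_t) therefore drop out of the admin interface unless `afs_domain` is still used further down, outside the hunk. Keeping `attribute afs_domain;` in `gen_require` suggests the narrowing was not intended; if so, use the attribute in the new lines, e.g. `allow $1 afs_domain:process signal_perms;`.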
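Review bot: `kernel_rw_unlabeled_files(afs_t)` under `ifdef(`hide_broken_symptoms'` in the hunk at old line 93 gives the AFS client domain read and write access to files carrying no valid label, a broad grant for a symptom-hiding block, and since `hide_broken_symptoms` is typically enabled in distribution builds it is effectively unconditional. A comment naming the denial it papers over (presumably AFS-mounted content the kernel leaves unlabeled, worth confirming) would let a later maintainer replace it with a proper labeling rule for the AFS filesystem instead of the blanket allow.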
+-corenet_all_recvfrom_unlabeled(afs_bosserver_t) + corenet_all_recvfrom_netlabel(afs_bosserver_t) + corenet_udp_sendrecv_generic_if(afs_bosserver_t) + corenet_udp_sendrecv_generic_node(afs_bosserver_t) +@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) + corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) + + files_list_home(afs_bosserver_t) +-files_read_usr_files(afs_bosserver_t) + + seutil_read_config(afs_bosserver_t) + +@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms }; + allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; + allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; + +-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) +-allow afs_fsserver_t afs_config_t:dir list_dir_perms; +- + manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) + manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) + +@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) + + corenet_all_recvfrom_unlabeled(afs_fsserver_t) + corenet_all_recvfrom_netlabel(afs_fsserver_t) ++corenet_tcp_bind_generic_node(afs_fsserver_t) ++corenet_udp_bind_generic_node(afs_fsserver_t) + corenet_tcp_sendrecv_generic_if(afs_fsserver_t) + corenet_udp_sendrecv_generic_if(afs_fsserver_t) + corenet_tcp_sendrecv_generic_node(afs_fsserver_t) + corenet_udp_sendrecv_generic_node(afs_fsserver_t) +-corenet_tcp_bind_generic_node(afs_fsserver_t) +-corenet_udp_bind_generic_node(afs_fsserver_t) ++corenet_tcp_sendrecv_all_ports(afs_fsserver_t) ++corenet_udp_sendrecv_all_ports(afs_fsserver_t) + + corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) + corenet_tcp_bind_afs_fs_port(afs_fsserver_t) +@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) + + files_read_etc_runtime_files(afs_fsserver_t) + files_list_home(afs_fsserver_t) +-files_read_usr_files(afs_fsserver_t) + files_list_pids(afs_fsserver_t) + files_dontaudit_search_mnt(afs_fsserver_t) + +@@ -224,7 +234,6 @@ 
manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) + + kernel_read_kernel_sysctls(afs_kaserver_t) + +-corenet_all_recvfrom_unlabeled(afs_kaserver_t) + corenet_all_recvfrom_netlabel(afs_kaserver_t) + corenet_udp_sendrecv_generic_if(afs_kaserver_t) + corenet_udp_sendrecv_generic_node(afs_kaserver_t) +@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) + corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) + + files_list_home(afs_kaserver_t) +-files_read_usr_files(afs_kaserver_t) + + seutil_read_config(afs_kaserver_t) + +@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t) + allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; + allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; + +-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) +-allow afs_ptserver_t afs_config_t:dir list_dir_perms; +- + manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + + manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) + filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) + +-corenet_all_recvfrom_unlabeled(afs_ptserver_t) + corenet_all_recvfrom_netlabel(afs_ptserver_t) + corenet_tcp_sendrecv_generic_if(afs_ptserver_t) + corenet_udp_sendrecv_generic_if(afs_ptserver_t) +@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) + corenet_udp_bind_afs_pt_port(afs_ptserver_t) + corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) + ++sysnet_read_config(afs_ptserver_t) ++ + userdom_dontaudit_use_user_terminals(afs_ptserver_t) + + ######################################## +@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t) + allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; + allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; + +-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) +-allow afs_vlserver_t 
afs_config_t:dir list_dir_perms; +- + manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + + manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) + filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) + +-corenet_all_recvfrom_unlabeled(afs_vlserver_t) + corenet_all_recvfrom_netlabel(afs_vlserver_t) + corenet_tcp_sendrecv_generic_if(afs_vlserver_t) + corenet_udp_sendrecv_generic_if(afs_vlserver_t) +@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) + + allow afs_domain self:udp_socket create_socket_perms; + +-files_read_etc_files(afs_domain) +- +-miscfiles_read_localization(afs_domain) ++read_files_pattern(afs_domain, afs_config_t, afs_config_t) ++allow afs_domain afs_config_t:dir list_dir_perms; + + sysnet_read_config(afs_domain) ++ +diff --git a/aiccu.if b/aiccu.if +index 3b5dcb9..fbe187f 100644 +--- a/aiccu.if ++++ b/aiccu.if +@@ -79,9 +79,13 @@ interface(`aiccu_admin',` + type aiccu_var_run_t; + ') + +- allow $1 aiccu_t:process { ptrace signal_perms }; ++ allow $1 aiccu_t:process signal_perms; + ps_process_pattern($1, aiccu_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 aiccu_t:process ptrace; ++ ') ++ + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; +diff --git a/aiccu.te b/aiccu.te +index 72c33c2..6e4206c 100644 +--- a/aiccu.te ++++ b/aiccu.te +@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) + corenet_tcp_bind_generic_node(aiccu_t) + corenet_tcp_sendrecv_generic_if(aiccu_t) + corenet_tcp_sendrecv_generic_node(aiccu_t) +- + corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) + corenet_tcp_connect_sixxsconfig_port(aiccu_t) + corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) +@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t) + dev_read_rand(aiccu_t) + dev_read_urand(aiccu_t) + +-files_read_etc_files(aiccu_t) + +-logging_send_syslog_msg(aiccu_t) 
++auth_read_passwd(aiccu_t) + +-miscfiles_read_localization(aiccu_t) ++logging_send_syslog_msg(aiccu_t) + + optional_policy(` + modutils_domtrans_insmod(aiccu_t) +diff --git a/aide.if b/aide.if +index 01cbb67..94a4a24 100644 +--- a/aide.if ++++ b/aide.if +@@ -67,9 +67,13 @@ interface(`aide_admin',` + type aide_t, aide_db_t, aide_log_t; + ') + +- allow $1 aide_t:process { ptrace signal_perms }; ++ allow $1 aide_t:process signal_perms; + ps_process_pattern($1, aide_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 aide_t:process ptrace; ++ ') ++ + aide_run($1, $2) + + files_list_etc($1) +diff --git a/aide.te b/aide.te +index 4b28ab3..f781a7a 100644 +--- a/aide.te ++++ b/aide.te +@@ -10,6 +10,7 @@ attribute_role aide_roles; + type aide_t; + type aide_exec_t; + application_domain(aide_t, aide_exec_t) ++cron_system_entry(aide_t, aide_exec_t) + role aide_roles types aide_t; + + type aide_log_t; +@@ -23,22 +24,30 @@ files_type(aide_db_t) + # Local policy + # + +-allow aide_t self:capability { dac_override fowner }; ++allow aide_t self:capability { dac_override fowner ipc_lock sys_admin }; + + manage_files_pattern(aide_t, aide_db_t, aide_db_t) ++files_var_lib_filetrans(aide_t, aide_db_t, { dir file }) + +-create_files_pattern(aide_t, aide_log_t, aide_log_t) +-append_files_pattern(aide_t, aide_log_t, aide_log_t) +-setattr_files_pattern(aide_t, aide_log_t, aide_log_t) ++manage_files_pattern(aide_t, aide_log_t, aide_log_t) + logging_log_filetrans(aide_t, aide_log_t, file) + + files_read_all_files(aide_t) + files_read_all_symlinks(aide_t) ++files_getattr_all_pipes(aide_t) ++files_getattr_all_sockets(aide_t) ++ ++mls_file_read_to_clearance(aide_t) ++mls_file_write_to_clearance(aide_t) + + logging_send_audit_msgs(aide_t) + logging_send_syslog_msg(aide_t) + +-userdom_use_user_terminals(aide_t) ++userdom_use_inherited_user_terminals(aide_t) ++ ++optional_policy(` ++ prelink_domtrans(aide_t) ++') + + optional_policy(` + seutil_use_newrole_fds(aide_t) +diff --git a/aisexec.if 
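Review bot: Replacing `create_files_pattern`/`append_files_pattern`/`setattr_files_pattern` on `aide_log_t` with `manage_files_pattern(aide_t, aide_log_t, aide_log_t)` lets the integrity checker truncate and unlink its own logs, dropping the append-only property the old rules provided; since that log is what an investigator relies on after a compromise, keep the narrower set unless a concrete denial requires more. The same hunk adds `sys_admin` to `aide_t`, a capability broad enough to warrant a comment naming the operation that needs it (`ipc_lock` beside it suggests memory locking, but the purpose of `sys_admin` is not evident from the hunk).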
b/aisexec.if +index a2997fa..861cebd 100644 +--- a/aisexec.if ++++ b/aisexec.if +@@ -83,9 +83,13 @@ interface(`aisexecd_admin',` + type aisexec_initrc_exec_t; + ') + +- allow $1 aisexec_t:process { ptrace signal_perms }; ++ allow $1 aisexec_t:process signal_perms; + ps_process_pattern($1, aisexec_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 aisexec_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 aisexec_initrc_exec_t system_r; +diff --git a/aisexec.te b/aisexec.te +index 196f7cf..3b5354f 100644 +--- a/aisexec.te ++++ b/aisexec.te +@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) + kernel_read_system_state(aisexec_t) + + corecmd_exec_bin(aisexec_t) ++corecmd_exec_shell(aisexec_t) + + corenet_all_recvfrom_unlabeled(aisexec_t) + corenet_all_recvfrom_netlabel(aisexec_t) +@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t) + + logging_send_syslog_msg(aisexec_t) + +-miscfiles_read_localization(aisexec_t) +- + userdom_rw_unpriv_user_semaphores(aisexec_t) + userdom_rw_unpriv_user_shared_mem(aisexec_t) + +@@ -105,6 +104,11 @@ optional_policy(` + ') + + optional_policy(` ++ corosync_domtrans(aisexec_t) ++') ++ ++optional_policy(` ++ # to communication with RHCS + rhcs_rw_dlm_controld_semaphores(aisexec_t) + + rhcs_rw_fenced_semaphores(aisexec_t) +diff --git a/ajaxterm.fc b/ajaxterm.fc +new file mode 100644 +index 0000000..aeb1888 +--- /dev/null ++++ b/ajaxterm.fc +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0) ++ ++/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0) ++ ++/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) +diff --git a/ajaxterm.if b/ajaxterm.if +new file mode 100644 +index 0000000..7abe946 +--- /dev/null ++++ b/ajaxterm.if +@@ -0,0 +1,90 @@ ++## policy for ajaxterm ++ 
++######################################## ++## ++## Execute a domain transition to run ajaxterm. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ajaxterm_domtrans',` ++ gen_require(` ++ type ajaxterm_t, ajaxterm_exec_t; ++ ') ++ ++ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t) ++') ++ ++######################################## ++## ++## Execute ajaxterm server in the ajaxterm domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ajaxterm_initrc_domtrans',` ++ gen_require(` ++ type ajaxterm_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t) ++') ++ ++####################################### ++## ++## Read and write the ajaxterm pty type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ajaxterm_rw_ptys',` ++ gen_require(` ++ type ajaxterm_devpts_t; ++ ') ++ ++ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ajaxterm environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ajaxterm_admin',` ++ gen_require(` ++ type ajaxterm_t, ajaxterm_initrc_exec_t; ++ ') ++ ++ allow $1 ajaxterm_t:process signal_perms; ++ ps_process_pattern($1, ajaxterm_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ajaxterm_t:process ptrace; ++ ') ++ ++ ajaxterm_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 ajaxterm_initrc_exec_t system_r; ++ allow $2 system_r; ++') +diff --git a/ajaxterm.te b/ajaxterm.te +new file mode 100644 +index 0000000..a95a4ad +--- /dev/null ++++ b/ajaxterm.te +@@ -0,0 +1,60 @@ ++policy_module(ajaxterm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ajaxterm_t; ++type ajaxterm_exec_t; ++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t) ++ ++type ajaxterm_initrc_exec_t; ++init_script_file(ajaxterm_initrc_exec_t) ++ ++type ajaxterm_var_run_t; ++files_pid_file(ajaxterm_var_run_t) ++ ++type ajaxterm_devpts_t; ++term_login_pty(ajaxterm_devpts_t) ++ ++######################################## ++# ++# ajaxterm local policy ++# ++allow ajaxterm_t self:capability setuid; ++allow ajaxterm_t self:process { setpgid signal }; ++allow ajaxterm_t self:fifo_file rw_fifo_file_perms; ++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms; ++allow ajaxterm_t self:tcp_socket create_stream_socket_perms; ++ ++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom }; ++term_create_pty(ajaxterm_t, ajaxterm_devpts_t) ++ ++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) ++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) ++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir }) ++ ++kernel_read_system_state(ajaxterm_t) ++ ++corecmd_exec_bin(ajaxterm_t) ++ ++corenet_tcp_bind_generic_node(ajaxterm_t) ++corenet_tcp_bind_oa_system_port(ajaxterm_t) ++ ++dev_read_urand(ajaxterm_t) ++ ++domain_use_interactive_fds(ajaxterm_t) ++ ++ 
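Review bot: `ajaxterm_admin` never grants the administrator access to the pid file type, unlike the other admin interfaces in this patch (`antivirus_admin` pairs the initrc/role rules with `files_list_pids($1)` and `admin_pattern($1, antivirus_var_run_t)`); ajaxterm.te declares `ajaxterm_var_run_t`, so add `type ajaxterm_var_run_t;` to the gen_require and `files_list_pids($1)` plus `admin_pattern($1, ajaxterm_var_run_t)` after the role rules. The module summary `## policy for ajaxterm` says nothing about what the program is; `## Ajaxterm - web-based terminal (ajaxterm.py) that serves shell sessions over HTTP` would give the next reviewer the context needed to judge the rules. The `ajaxterm_rw_ptys` summary should also state that it grants only inherited-terminal permissions (`rw_inherited_term_perms`), since that is the deliberate restriction.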
++sysnet_dns_name_resolve(ajaxterm_t) ++ ++####################################### ++# ++# SSH component local policy ++# ++ ++optional_policy(` ++ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r) ++') ++ +diff --git a/alsa.fc b/alsa.fc +index 5de1e01..e5ab7ff 100644 +--- a/alsa.fc ++++ b/alsa.fc +@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) + /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) + /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) + +-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) ++/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) ++ ++/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) ++ ++/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) +diff --git a/alsa.if b/alsa.if +index 708b743..cc78465 100644 +--- a/alsa.if ++++ b/alsa.if +@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',` + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file manage_file_perms; ++ alsa_filetrans_home_content($1) + ') + + ######################################## +@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',` + + ######################################## + ## +-## Create objects in user home +-## directories with the generic alsa +-## home type. ++## Read Alsa lib files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`alsa_read_lib',` ++ gen_require(` ++ type alsa_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ++') ++ ++######################################## ++## ++## Transition to alsa named content ++## ++## + ## +-## Class of the object being created. ++## Domain allowed access. 
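Review bot: `files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })` transitions directories created under /var/run, but ajaxterm.fc in this patch labels only `/var/run/ajaxterm\.pid`, so a directory the daemon creates at runtime and a full relabel will disagree on its label; either drop `dir` or add `/var/run/ajaxterm(/.*)? gen_context(system_u:object_r:ajaxterm_var_run_t,s0)` to the fc file. `allow ajaxterm_t self:capability setuid;` without `setgid` suggests the daemon changes uid; if it also calls setgid()/initgroups() when dropping privilege (not visible here) the denial will only surface in audit, so worth confirming before this ships. Since this is a network-facing service bound on a generic node, a short `# ajaxterm.py execs ... via corecmd_exec_bin` comment naming which helpers it spawns would justify the broad exec rule.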
+ ## + ## +-## ++# ++interface(`alsa_filetrans_home_content',` ++ gen_require(` ++ type alsa_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc") ++') ++ ++######################################## ++## ++## Transition to alsa named content ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`alsa_home_filetrans_alsa_home',` ++interface(`alsa_filetrans_named_content',` + gen_require(` + type alsa_home_t; ++ type alsa_etc_rw_t; ++ type alsa_var_lib_t; + ') + +- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) ++ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state") ++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm") ++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound") ++ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf") ++ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm") ++ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa") + ') + + ######################################## + ## +-## Read Alsa lib files. ++## Execute alsa server in the alsa domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`alsa_read_lib',` ++interface(`alsa_systemctl',` + gen_require(` +- type alsa_var_lib_t; ++ type alsa_t; ++ type alsa_unit_file_t; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ++ systemd_exec_systemctl($1) ++ allow $1 alsa_unit_file_t:file read_file_perms; ++ allow $1 alsa_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, alsa_t) + ') +diff --git a/alsa.te b/alsa.te +index cda6d20..443ce3c 100644 +--- a/alsa.te ++++ b/alsa.te +@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t) + type alsa_var_lib_t; + files_type(alsa_var_lib_t) + ++type alsa_var_run_t; ++files_pid_file(alsa_var_run_t) ++ + type alsa_home_t; + userdom_user_home_content(alsa_home_t) + ++type alsa_unit_file_t; ++systemd_unit_file(alsa_unit_file_t) ++ + ######################################## + # + # Local policy + # + +-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; +-dontaudit alsa_t self:capability sys_admin; ++allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice }; ++dontaudit alsa_t self:capability { sys_tty_config sys_admin }; ++allow alsa_t self:process { getsched setsched signal_perms }; + allow alsa_t self:sem create_sem_perms; + allow alsa_t self:shm create_shm_perms; + allow alsa_t self:unix_stream_socket { accept listen }; +@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) + manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + ++manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir }) ++ + kernel_read_system_state(alsa_t) + + corecmd_exec_bin(alsa_t) +@@ -59,7 +71,6 @@ dev_read_sound(alsa_t) + dev_read_sysfs(alsa_t) + 
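Review bot: The public interface `alsa_home_filetrans_alsa_home` is deleted outright rather than deprecated, so any module that still calls it (its callers are outside this hunk) fails to build; refpolicy convention is to keep a shim that warns and forwards. The two new interfaces `alsa_filetrans_home_content` and `alsa_filetrans_named_content` carry the identical summary "Transition to alsa named content"; the first should say it creates `.asoundrc` in the user home directory as alsa_home_t, the second that it covers the /etc, /usr and /var/lib names listed in its body. Proposed shim, placed after `alsa_filetrans_home_content`:
```m4
# … unchanged: alsa_filetrans_home_content …
########################################
## <summary>
##	Deprecated, use alsa_filetrans_home_content() instead.
## </summary>
#
interface(`alsa_home_filetrans_alsa_home',`
	gen_require(`
		type alsa_home_t;
	')

	refpolicywarn(`$0($*) has been deprecated, use alsa_filetrans_home_content() instead.')
	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
')
```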
dev_write_sound(alsa_t) + +-files_read_usr_files(alsa_t) + files_search_var_lib(alsa_t) + + term_dontaudit_use_console(alsa_t) +@@ -72,8 +83,6 @@ init_use_fds(alsa_t) + + logging_send_syslog_msg(alsa_t) + +-miscfiles_read_localization(alsa_t) +- + userdom_manage_unpriv_user_semaphores(alsa_t) + userdom_manage_unpriv_user_shared_mem(alsa_t) + userdom_search_user_home_dirs(alsa_t) +diff --git a/amanda.fc b/amanda.fc +index 7f4dfbc..e5c9f45 100644 +--- a/amanda.fc ++++ b/amanda.fc +@@ -1,5 +1,6 @@ + /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) + /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) ++/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) + /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) + /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) + # empty m4 string so the index macro is not invoked +@@ -13,6 +14,8 @@ + /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + ++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0) ++ + /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + +diff --git a/amanda.te b/amanda.te +index ed45974..ec7bb41 100644 +--- a/amanda.te ++++ b/amanda.te +@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; + roleattribute system_r amanda_recover_roles; + + type amanda_t; ++type amanda_exec_t; + type amanda_inetd_exec_t; +-inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++application_executable_file(amanda_exec_t) ++init_daemon_domain(amanda_t, amanda_inetd_exec_t) ++role system_r types amanda_t; + +-type amanda_exec_t; +-domain_entry_file(amanda_t, amanda_exec_t) ++type amanda_unit_file_t; ++systemd_unit_file(amanda_unit_file_t) + + type amanda_log_t; + 
logging_log_file(amanda_log_t) +@@ -60,7 +63,7 @@ optional_policy(` + # + + allow amanda_t self:capability { chown dac_override setuid kill }; +-allow amanda_t self:process { setpgid signal }; ++allow amanda_t self:process { getsched setsched setpgid signal }; + allow amanda_t self:fifo_file rw_fifo_file_perms; + allow amanda_t self:unix_stream_socket { accept listen }; + allow amanda_t self:tcp_socket { accept listen }; +@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms; + + manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) + manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) ++manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t) + filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) + + allow amanda_t amanda_dumpdates_t:file rw_file_perms; +@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) + corecmd_exec_shell(amanda_t) + corecmd_exec_bin(amanda_t) + +-corenet_all_recvfrom_unlabeled(amanda_t) + corenet_all_recvfrom_netlabel(amanda_t) + corenet_tcp_sendrecv_generic_if(amanda_t) + corenet_tcp_sendrecv_generic_node(amanda_t) + corenet_tcp_sendrecv_all_ports(amanda_t) + corenet_tcp_bind_generic_node(amanda_t) + ++corenet_tcp_bind_amanda_port(amanda_t) ++ + corenet_sendrecv_all_server_packets(amanda_t) + corenet_tcp_bind_all_rpc_ports(amanda_t) + corenet_tcp_bind_generic_port(amanda_t) +@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) + + dev_getattr_all_blk_files(amanda_t) + dev_getattr_all_chr_files(amanda_t) ++dev_read_urand(amanda_t) + + files_read_etc_runtime_files(amanda_t) + files_list_all(amanda_t) +@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t) + corecmd_exec_shell(amanda_recover_t) + corecmd_exec_bin(amanda_recover_t) + +-corenet_all_recvfrom_unlabeled(amanda_recover_t) + corenet_all_recvfrom_netlabel(amanda_recover_t) + corenet_tcp_sendrecv_generic_if(amanda_recover_t) + corenet_udp_sendrecv_generic_if(amanda_recover_t) +@@ -195,12 
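Review bot: `domain_entry_file(amanda_t, amanda_exec_t)` is replaced by `application_executable_file(amanda_exec_t)`, so amanda_exec_t is no longer an entrypoint of amanda_t; if amanda.if (outside this hunk) still has a domtrans_pattern targeting amanda_exec_t, that transition is now denied on `file entrypoint` at runtime. Keep `domain_entry_file(amanda_t, amanda_exec_t)` next to the new line, or confirm that nothing transitions through amanda_exec_t any more. `role system_r types amanda_t;` appears redundant, since refpolicy's init_daemon_domain already declares the system_r role for the domain. A comment such as `# amandad may still be spawned from xinetd, see inetd_service_domain below` would explain why amanda_inetd_exec_t is now registered as an entry file twice and keep a later cleanup from removing one of them.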
+200,16 @@ files_search_tmp(amanda_recover_t) + + auth_use_nsswitch(amanda_recover_t) + +-fstools_domtrans(amanda_t) +-fstools_signal(amanda_t) +- + logging_search_logs(amanda_recover_t) + +-miscfiles_read_localization(amanda_recover_t) +- +-userdom_use_user_terminals(amanda_recover_t) ++userdom_use_inherited_user_terminals(amanda_recover_t) + userdom_search_user_home_content(amanda_recover_t) ++ ++optional_policy(` ++ inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(amanda_t) ++ fstools_signal(amanda_t) ++') +diff --git a/amavis.fc b/amavis.fc +index 17689a7..8aa6849 100644 +--- a/amavis.fc ++++ b/amavis.fc +@@ -12,8 +12,6 @@ ifdef(`distro_debian',` + /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) + ') + +-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +- + /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) + + /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +diff --git a/amavis.if b/amavis.if +index 60d4f8c..18ef077 100644 +--- a/amavis.if ++++ b/amavis.if +@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',` + + files_search_spool($1) + read_files_pattern($1, amavis_spool_t, amavis_spool_t) ++ allow $1 amavis_spool_t:dir list_dir_perms; + ') + + ######################################## +@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',` + + ######################################## + ## ++## Read and write amavis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`amavis_rw_lib_files',` ++ gen_require(` ++ type amavis_var_lib_t; ++ ') ++ ++ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) ++ allow $1 amavis_var_lib_t:dir list_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## + ## Create, read, write, and delete + ## amavis lib files. 
+ ## +@@ -234,9 +255,13 @@ interface(`amavis_admin',` + type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t; + ') + +- allow $1 amavis_t:process { ptrace signal_perms }; ++ allow $1 amavis_t:process signal_perms; + ps_process_pattern($1, amavis_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 amavis_t:process ptrace; ++ ') ++ + amavis_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 amavis_initrc_exec_t system_r; +diff --git a/amavis.te b/amavis.te +index ab55ba7..a95b541 100644 +--- a/amavis.te ++++ b/amavis.te +@@ -39,7 +39,7 @@ type amavis_quarantine_t; + files_type(amavis_quarantine_t) + + type amavis_spool_t; +-files_type(amavis_spool_t) ++files_spool_file(amavis_spool_t) + + ######################################## + # +@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) + manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) + filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) + ++# tmp files ++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) + manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) ++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) + allow amavis_t amavis_tmp_t:dir setattr_dir_perms; +-files_tmp_filetrans(amavis_t, amavis_tmp_t, file) ++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } ) + + manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) + manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) +@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) + corecmd_exec_bin(amavis_t) + corecmd_exec_shell(amavis_t) + +-corenet_all_recvfrom_unlabeled(amavis_t) + corenet_all_recvfrom_netlabel(amavis_t) + corenet_tcp_sendrecv_generic_if(amavis_t) + corenet_udp_sendrecv_generic_if(amavis_t) +@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) + + corenet_sendrecv_razor_client_packets(amavis_t) + corenet_tcp_connect_razor_port(amavis_t) 
++corenet_tcp_connect_agentx_port(amavis_t) + + dev_read_rand(amavis_t) + dev_read_sysfs(amavis_t) +@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t) + domain_dontaudit_read_all_domains_state(amavis_t) + + files_read_etc_runtime_files(amavis_t) +-files_read_usr_files(amavis_t) + files_search_spool(amavis_t) + + fs_getattr_xattr_fs(amavis_t) +@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t) + + logging_send_syslog_msg(amavis_t) + +-miscfiles_read_localization(amavis_t) ++miscfiles_read_generic_certs(amavis_t) ++ ++sysnet_use_ldap(amavis_t) + + userdom_dontaudit_search_user_home_dirs(amavis_t) + + tunable_policy(`amavis_use_jit',` +- allow amavis_t self:process execmem; ++ allow amavis_t self:process execmem; + ',` +- dontaudit amavis_t self:process execmem; ++ dontaudit amavis_t self:process execmem; ++') ++ ++optional_policy(` ++ antivirus_domain_template(amavis_t) + ') + + optional_policy(` +@@ -173,6 +181,10 @@ optional_policy(` + ') + + optional_policy(` ++ nslcd_stream_connect(amavis_t) ++') ++ ++optional_policy(` + postfix_read_config(amavis_t) + postfix_list_spool(amavis_t) + ') +diff --git a/amtu.te b/amtu.te +index c960f92..486e9ed 100644 +--- a/amtu.te ++++ b/amtu.te +@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t) + + files_manage_boot_files(amtu_t) + files_read_etc_runtime_files(amtu_t) +-files_read_etc_files(amtu_t) + + logging_send_audit_msgs(amtu_t) + +-userdom_use_user_terminals(amtu_t) ++userdom_use_inherited_user_terminals(amtu_t) + + optional_policy(` + nscd_dontaudit_search_pid(amtu_t) +diff --git a/anaconda.te b/anaconda.te +index 6f1384c..9f23456 100644 +--- a/anaconda.te ++++ b/anaconda.te +@@ -4,6 +4,10 @@ gen_require(` + class passwd all_passwd_perms; + ') + ++gen_require(` ++ class passwd { passwd chfn chsh rootok crontab }; ++') ++ + ######################################## + # + # Declarations +@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t) + modutils_domtrans_depmod(anaconda_t) + + 
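Review bot: `antivirus_domain_template(amavis_t)` is added here while antivirus.te in the same patch declares `amavis_t` as a typealias of antivirus_t; if both modules are enabled the duplicate declaration of amavis_t fails at link time, and if the amavis module is disabled in modules.conf (not visible here) this file is dead and should be removed rather than extended. If the intent is to keep a standalone amavis module for some builds, a comment like `# amavis_t is merged into antivirus_t on Fedora; this module is kept for ...` at the top of the optional block would spare the next reviewer the same question. The enclosing file continues outside this hunk.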
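Review bot: The new `gen_require(` class passwd { passwd chfn chsh rootok crontab }; ')` duplicates the `class passwd all_passwd_perms;` require three lines above, which already covers every passwd permission; drop the added block, or if the goal is to pin a minimal permission set, replace the first require instead of stacking a second one.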
seutil_domtrans_semanage(anaconda_t) ++seutil_domtrans_setsebool(anaconda_t) + +-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) ++userdom_filetrans_home_content(anaconda_t) + + optional_policy(` + rpm_domtrans(anaconda_t) +diff --git a/antivirus.fc b/antivirus.fc +new file mode 100644 +index 0000000..e44bff0 +--- /dev/null ++++ b/antivirus.fc +@@ -0,0 +1,43 @@ ++/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0) ++/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0) ++ ++/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0) ++ ++/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++ ++/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++ ++/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0) ++ ++/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++ ++ ++/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/spool/amavisd(/.*)? 
gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++ ++/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0) ++/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0) ++/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0) ++/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0) ++/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0) ++ ++/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0) ++/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0) ++ ++/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0) ++/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0) ++/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0) ++ +diff --git a/antivirus.if b/antivirus.if +new file mode 100644 +index 0000000..df5b3be +--- /dev/null ++++ b/antivirus.if +@@ -0,0 +1,322 @@ ++## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan ++ ++###################################### ++## ++## Creates types and rules for a basic ++## antivirus domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++interface(`antivirus_domain_template',` ++ gen_require(` ++ attribute antivirus_domain; ++ ') ++ ++ typeattribute $1 antivirus_domain; ++') ++ ++####################################### ++## ++## Execute a domain transition to run antivirus program. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`antivirus_domtrans',` ++ gen_require(` ++ type antivirus_t, antivirus_exec_t; ++ ') ++ ++ domtrans_pattern($1, antivirus_exec_t, antivirus_t) ++') ++ ++####################################### ++## ++## Execute antivirus program without a transition. ++## ++## ++## ++## Domain allowed access. 
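Review bot: `/var/run/amavis(d)?/clamd\.pid` is already matched by `/var/run/amavis(d)?(/.*)?` with the same context, so the dedicated entry is dead and can go. `/usr/sbin/amavisd.*` with `--` labels every amavisd-* helper (the snmp subagent is referenced by the pid entry below) as antivirus_exec_t and therefore runs them all in the antivirus domain; if only the daemon is meant to transition, anchor the pattern (`/usr/sbin/amavisd -- ...` plus explicit helper lines). amavis.fc earlier in this patch still labels `/var/amavis(/.*)?` and `/var/lib/amavis(/.*)?` as amavis_var_lib_t, which only resolves to the same type because antivirus.te aliases it to antivirus_db_t; a comment `# also labeled in amavis.fc; amavis_var_lib_t is an alias of antivirus_db_t` on those two lines would make the overlap visible.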
++## ++## ++# ++interface(`antivirus_exec',` ++ gen_require(` ++ type antivirus_exec_t; ++ ') ++ ++ can_exec($1, antivirus_exec_t) ++') ++ ++####################################### ++## ++## Connect to run antivirus program. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_stream_connect',` ++ gen_require(` ++ type antivirus_t, antivirus_db_t, antivirus_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t) ++ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t) ++') ++ ++####################################### ++## ++## Allow the specified domain to append ++## to antivirus log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_append_log',` ++ gen_require(` ++ type antivirus_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 antivirus_log_t:dir list_dir_perms; ++ append_files_pattern($1, antivirus_log_t, antivirus_log_t) ++') ++ ++####################################### ++## ++## Read antivirus configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_read_config',` ++ gen_require(` ++ type antivirus_conf_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 antivirus_conf_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Search antivirus db content directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_search_db',` ++ gen_require(` ++ type antivirus_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ files_search_spool($1) ++ allow $1 antivirus_db_t:dir search_dir_perms; ++') ++ ++###################################### ++## ++## Read antivirus db content directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`antivirus_read_db',` ++ gen_require(` ++ type antivirus_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ files_search_spool($1) ++ read_files_pattern($1, antivirus_db_t, antivirus_db_t) ++ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t) ++') ++ ++##################################### ++## ++## Read and write antivirus db content directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_rw_db',` ++ gen_require(` ++ type antivirus_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ files_search_spool($1) ++ write_files_pattern($1, antivirus_db_t, antivirus_db_t) ++') ++ ++#################################### ++## ++## Manage antivirus db content directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_manage_db',` ++ gen_require(` ++ type antivirus_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ files_search_spool($1) ++ manage_files_pattern($1, antivirus_db_t, antivirus_db_t) ++ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t) ++') ++ ++####################################### ++## ++## Manage antivirus pid content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_manage_pid',` ++ gen_require(` ++ type antivirus_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t) ++ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t) ++') ++ ++###################################### ++## ++## Read antivirus state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`antivirus_read_state_clamd',` ++ gen_require(` ++ type antivirus_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, antivirus_t) ++') ++ ++###################################### ++## ++## Execute antivirus server in the antivirus domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`antivirus_systemctl',` ++ gen_require(` ++ type antivirus_t; ++ type antivirus_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 antivirus_unit_file_t:file read_file_perms; ++ allow $1 antivirus_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, antivirus_t) ++') ++ ++####################################### ++## ++## All of the rules required to administrate ++## an antivirus programs environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the clamav domain. ++## ++## ++## ++# ++interface(`antivirus_admin',` ++ gen_require(` ++ attribute antivirus_domain; ++ type antivirus_t, antivirus_conf_t, antivirus_tmp_t; ++ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t; ++ type antivirus_initrc_exec_t, antivirus_unit_file_t; ++ ') ++ ++ allow $1 antivirus_t:process signal_perms; ++ ps_process_pattern($1, antivirus_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 antivirus_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, antivirus_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 antivirus_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ antivirus_systemctl($1) ++ admin_pattern($1, antivirus_unit_file_t) ++ allow $1 antivirus_unit_file_t:service all_service_perms; ++ ++ files_list_etc($1) ++ admin_pattern($1, antivirus_conf_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, antivirus_db_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, antivirus_log_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, antivirus_var_run_t) ++ ++ files_list_tmp($1) ++ admin_pattern($1, antivirus_tmp_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/antivirus.te b/antivirus.te +new file mode 100644 +index 0000000..8ba9c95 +--- /dev/null ++++ b/antivirus.te +@@ -0,0 +1,274 @@ ++policy_module(antivirus, 
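Review bot: `antivirus_rw_db` only grants `write_files_pattern`, so despite its name a caller cannot read the database it writes; it should be `rw_files_pattern($1, antivirus_db_t, antivirus_db_t)`. `antivirus_manage_pid` grants manage on antivirus_var_run_t without `files_search_pids($1)`, unlike `antivirus_stream_connect` above, so a caller that does not already search /var/run gets a dir search denial. `antivirus_admin` requires `attribute antivirus_domain` but never uses it; either drop it from the gen_require or use it in the signal/ps rules so administrators also cover domains joined through `antivirus_domain_template`.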
1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Allow antivirus programs to read non security files on a system ++##

    ++##
    ++gen_tunable(antivirus_can_scan_system, false) ++ ++## ++##

    ++## Determine whether can antivirus programs use JIT compiler. ++##

    ++##
    ++gen_tunable(antivirus_use_jit, false) ++ ++attribute antivirus_domain; ++ ++type antivirus_t; ++type antivirus_exec_t; ++typeattribute antivirus_t antivirus_domain; ++typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ; ++typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t }; ++init_daemon_domain(antivirus_t, antivirus_exec_t) ++ ++type antivirus_initrc_exec_t; ++typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t }; ++init_script_file(antivirus_initrc_exec_t) ++ ++type antivirus_unit_file_t; ++typealias antivirus_unit_file_t alias { clamd_unit_file_t }; ++systemd_unit_file(antivirus_unit_file_t) ++ ++type antivirus_conf_t; ++typealias antivirus_conf_t alias { clamd_etc_t }; ++files_config_file(antivirus_conf_t) ++ ++type antivirus_var_run_t; ++typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t }; ++files_pid_file(antivirus_var_run_t) ++ ++type antivirus_log_t; ++typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t }; ++logging_log_file(antivirus_log_t) ++ ++type antivirus_db_t; ++typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t }; ++files_type(antivirus_db_t) ++ ++type antivirus_home_t; ++userdom_user_home_content(antivirus_home_t) ++ ++type antivirus_tmp_t; ++typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t }; ++files_tmp_file(antivirus_tmp_t) ++ ++######################################## ++# ++# antivirus domain local policy ++# ++ ++allow antivirus_domain self:capability { dac_override chown kill setgid setuid }; ++dontaudit antivirus_domain self:capability sys_tty_config; ++allow antivirus_domain self:process signal_perms; ++ ++allow antivirus_domain self:fifo_file rw_fifo_file_perms; ++allow antivirus_domain self:unix_stream_socket { accept connectto listen }; ++allow antivirus_domain self:tcp_socket { listen accept }; 
++
++allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
++read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
++read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
++
++manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
++
++manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
++
++manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
++
++manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
++manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
++logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
++
++manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
++manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
++manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
++files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
++
++can_exec(antivirus_domain, antivirus_exec_t)
++
++kernel_read_network_state(antivirus_t)
++kernel_read_net_sysctls(antivirus_t)
++kernel_read_kernel_sysctls(antivirus_domain)
++kernel_read_sysctl(antivirus_domain)
++kernel_read_system_state(antivirus_t)
++
++corecmd_exec_bin(antivirus_domain)
++corecmd_exec_shell(antivirus_domain)
++
++corenet_all_recvfrom_netlabel(antivirus_t)
++corenet_tcp_sendrecv_generic_if(antivirus_t)
++corenet_udp_sendrecv_generic_if(antivirus_t)
++corenet_tcp_sendrecv_generic_node(antivirus_domain)
++corenet_udp_sendrecv_generic_node(antivirus_domain)
++corenet_tcp_sendrecv_all_ports(antivirus_domain)
++corenet_udp_sendrecv_all_ports(antivirus_domain)
++corenet_tcp_bind_generic_node(antivirus_domain)
++corenet_udp_bind_generic_node(antivirus_domain)
++
++corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
++corenet_tcp_connect_amavisd_send_port(antivirus_domain)
++
++corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
++corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
++
++corenet_sendrecv_generic_server_packets(antivirus_domain)
++corenet_udp_bind_generic_port(antivirus_domain)
++corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
++
++corenet_sendrecv_razor_client_packets(antivirus_domain)
++corenet_tcp_connect_razor_port(antivirus_domain)
++corenet_tcp_connect_agentx_port(antivirus_domain)
++
++corenet_tcp_connect_clamd_port(antivirus_domain)
++
++corenet_sendrecv_clamd_server_packets(antivirus_domain)
++corenet_tcp_bind_clamd_port(antivirus_domain)
++
++corenet_sendrecv_http_client_packets(antivirus_domain)
++corenet_tcp_connect_http_port(antivirus_domain)
++corenet_tcp_sendrecv_http_port(antivirus_domain)
++
++corenet_sendrecv_http_cache_client_packets(antivirus_domain)
++corenet_tcp_connect_http_cache_port(antivirus_domain)
++corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
++
++#support for MySQL/PostgreSQL
++corenet_tcp_connect_mysqld_port(antivirus_domain)
++corenet_tcp_connect_postgresql_port(antivirus_domain)
++
++corenet_sendrecv_snmp_client_packets(antivirus_domain)
++corenet_tcp_connect_snmp_port(antivirus_domain)
++
++corenet_sendrecv_squid_client_packets(antivirus_domain)
++corenet_tcp_connect_squid_port(antivirus_domain)
++corenet_tcp_sendrecv_squid_port(antivirus_domain)
++
++dev_read_rand(antivirus_domain)
++dev_read_sysfs(antivirus_domain)
++dev_read_urand(antivirus_domain)
++
++domain_dontaudit_read_all_domains_state(antivirus_domain)
++
++files_read_etc_runtime_files(antivirus_domain)
++files_search_spool(antivirus_domain)
++
++fs_getattr_xattr_fs(antivirus_domain)
++
++auth_use_nsswitch(antivirus_t)
++auth_dontaudit_read_shadow(antivirus_domain)
++
++init_read_state(antivirus_domain)
++init_read_utmp(antivirus_domain)
++init_stream_connect_script(antivirus_domain)
++init_dontaudit_write_utmp(antivirus_domain)
++
++logging_send_syslog_msg(antivirus_t)
++
++miscfiles_read_generic_certs(antivirus_domain)
++
++sysnet_use_ldap(antivirus_domain)
++
++userdom_stream_connect(antivirus_domain)
++userdom_dontaudit_search_user_home_dirs(antivirus_domain)
++
++tunable_policy(`antivirus_can_scan_system',`
++ files_read_non_security_files(antivirus_domain)
++ #files_dontaudit_read_all_non_security_files(antivirus_domain)
++ files_dontaudit_read_security_files(antivirus_domain)
++ files_getattr_all_pipes(antivirus_domain)
++ files_getattr_all_sockets(antivirus_domain)
++ dev_getattr_all_blk_files(antivirus_domain)
++ dev_getattr_all_chr_files(antivirus_domain)
++')
++
++tunable_policy(`antivirus_use_jit',`
++ allow antivirus_domain self:process execmem;
++ allow antivirus_domain self:process execmem;
++',`
++ dontaudit antivirus_domain self:process execmem;
++ dontaudit antivirus_domain self:process execmem;
++')
++
++optional_policy(`
++ apache_read_sys_content(antivirus_domain)
++')
++
++optional_policy(`
++ antivirus_systemctl(antivirus_domain)
++')
++
++optional_policy(`
++ cron_system_entry(antivirus_t, antivirus_exec_t)
++ cron_use_fds(antivirus_domain)
++ cron_use_system_job_fds(antivirus_domain)
++ cron_rw_pipes(antivirus_domain)
++')
++
++optional_policy(`
++ dcc_domtrans_client(antivirus_domain)
++ dcc_stream_connect_dccifd(antivirus_domain)
++')
++
++optional_policy(`
++ exim_read_spool_files(antivirus_domain)
++')
++
++optional_policy(`
++ mta_read_config(antivirus_domain)
++ mta_read_queue(antivirus_domain)
++ mta_send_mail(antivirus_domain)
++')
++
++optional_policy(`
++ nslcd_stream_connect(antivirus_domain)
++')
++
++optional_policy(`
++ mysql_stream_connect(antivirus_domain)
++ corenet_tcp_connect_mysqld_port(antivirus_domain)
++')
++
++optional_policy(`
++ postfix_read_config(antivirus_domain)
++ postfix_list_spool(antivirus_domain)
++')
++
++optional_policy(`
++ pyzor_domtrans(antivirus_domain)
++ pyzor_signal(antivirus_domain)
++')
++
++optional_policy(`
++ razor_domtrans(antivirus_domain)
++')
++
++optional_policy(`
++ snmp_manage_var_lib_dirs(antivirus_domain)
++ snmp_manage_var_lib_files(antivirus_domain)
++ snmp_stream_connect(antivirus_domain)
++')
++
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++ spamassassin_exec(antivirus_domain)
++ spamassassin_exec_client(antivirus_domain)
++ spamassassin_read_lib_files(antivirus_domain)
++ spamassassin_read_pid_files(antivirus_domain)
++')
+diff --git a/apache.fc b/apache.fc
+index 550a69e..66ba451 100644
+--- a/apache.fc
++++ b/apache.fc
+@@ -1,161 +1,200 @@
+-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
++HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+ HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
+ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-
+-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
++/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
++/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
+-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
++/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
+-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-
+-ifdef(`distro_suse',`
+-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
++/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++
++ifdef(`distro_suse', `
++/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
+-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-
+-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+-
+-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
++
++/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++
+ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-
+-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++ifdef(`distro_debian', `
++/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++')
++
++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++
++/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
++/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+-
+-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-
+-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++
++/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++
++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
++/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+diff --git a/apache.if b/apache.if
+index 83e899c..fac6fe5 100644
+--- a/apache.if
++++ b/apache.if
+@@ -1,9 +1,9 @@
+-## Various web servers.
++## Apache web server
+
+ ########################################
+ ##
+-## Create a set of derived types for
+-## httpd web content.
++## Create a set of derived types for apache
++## web content.
+ ##
+ ##
+ ##
+@@ -13,118 +13,101 @@
+ #
+ template(`apache_content_template',`
+ gen_require(`
+- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
+- attribute httpd_script_domains, httpd_htaccess_type;
+- type httpd_t, httpd_suexec_t;
++ attribute httpd_exec_scripts, httpd_script_exec_type;
++ type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
++ attribute httpd_script_type, httpd_content_type;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+- ##
+- ##
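Review bot: The re-added `/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)` entry loses the backslash that the removed `jetty\.sh` line had, so the dot now matches any single character; keep the escaped form `/usr/share/jetty/bin/jetty\.sh`, as the hunk's other literal-dot entries (`cgiwrap\.log`, `suphp\.log`, `httpd\.event`) do. The new `/var/www/html(/.*)?/sites/default/settings\.php`, `/var/www/html(/.*)?/sites/default/files(/.*)?` and `/var/www/html(/.*)?/wp-content(/.*)?` entries replace the one-directory `[^/]*` of the removed lines with `(/.*)?`, which applies httpd_sys_rw_content_t to matching paths at any depth under /var/www/html; if that widening is intended, a one-line comment above the group would stop the next reader from treating it as a typo. `/var/log/z-push(/.*)?` is re-added with httpd_sys_rw_content_t while every other `/var/log/*` entry in this hunk uses httpd_log_t, which also deserves a comment if deliberate.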

    +- ## Determine whether the script domain can +- ## modify public files used for public file +- ## transfer services. Directories/Files must +- ## be labeled public_content_rw_t. +- ##

    +- ##
+- ##
+- gen_tunable(allow_httpd_$1_script_anon_write, false)
+-
+- type httpd_$1_content_t, httpdcontent; # customizable
++ #This type is for webpages
++ type httpd_$1_content_t; # customizable;
++ typeattribute httpd_$1_content_t httpd_content_type;
+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ files_type(httpd_$1_content_t)
+
+- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
++ # This type is used for .htaccess files
++ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
++ typeattribute httpd_$1_htaccess_t httpd_content_type;
+ files_type(httpd_$1_htaccess_t)
+
+- type httpd_$1_script_t, httpd_script_domains;
++ # Type that CGI scripts run as
++ type httpd_$1_script_t, httpd_script_type;
+ domain_type(httpd_$1_script_t)
+ role system_r types httpd_$1_script_t;
+
++ kernel_read_system_state(httpd_$1_script_t)
++
++ # This type is used for executable scripts files
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+- corecmd_shell_entry_type(httpd_$1_script_t)
++ typeattribute httpd_$1_script_exec_t httpd_content_type;
+ domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+
+- type httpd_$1_rw_content_t, httpdcontent; # customizable
++ type httpd_$1_rw_content_t; # customizable
++ typeattribute httpd_$1_rw_content_t httpd_content_type;
+ typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ files_type(httpd_$1_rw_content_t)
+
+- type httpd_$1_ra_content_t, httpdcontent; # customizable
++ type httpd_$1_ra_content_t, httpd_content_type; # customizable
++ typeattribute httpd_$1_ra_content_t httpd_content_type;
+ typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ files_type(httpd_$1_ra_content_t)
+
+- ########################################
+- #
+- # Policy
+- #
++ # Allow the script process to search the cgi directory, and users directory
++ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+
+ can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
++ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
+- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+-
+- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
+- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
+- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+-
+- tunable_policy(`allow_httpd_$1_script_anon_write',`
+- miscfiles_manage_public_files(httpd_$1_script_t)
+- ')
+
++ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+
+- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+- ')
++ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
++ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+
+- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+- can_exec(httpd_t, httpd_$1_rw_content_t)
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+ allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
+- ')
+
+- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
+- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
+- ')
++ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
+- ')
++ # privileged users run the script:
++ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
++
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
++ # apache runs the script:
++ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
+ ')
+ ')
+
+ ########################################
+ ##
+-## Role access for apache.
++## Role access for apache
+ ##
+ ##
+ ##
+@@ -133,47 +116,61 @@ template(`apache_content_template',`
+ ##
+ ##
+ ##
+-## User domain for the role.
++## User domain for the role + ## + ## + # + interface(`apache_role',` + gen_require(` + attribute httpdcontent; +- type httpd_user_content_t, httpd_user_htaccess_t; +- type httpd_user_script_t, httpd_user_script_exec_t; +- type httpd_user_ra_content_t, httpd_user_rw_content_t; ++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; ++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; + ') + + role $1 types httpd_user_script_t; + +- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; +- +- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") +- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") +- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") +- +- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") +- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, 
dir, "cgi-bin") +- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs") ++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; ++ ++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ relabel_lnk_files_pattern($2, 
httpd_user_rw_content_t, httpd_user_rw_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ ++ apache_exec_modules($2) ++ apache_filetrans_home_content($2) + + tunable_policy(`httpd_enable_cgi',` ++ # If a user starts a script by hand it gets the proper context + domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) + ') + +@@ -184,7 +181,7 @@ interface(`apache_role',` + + ######################################## + ## +-## Read user httpd script executable files. ++## Read httpd user scripts executables. + ## + ## + ## +@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` + + ######################################## + ## +-## Read user httpd content. ++## Read user web content. + ## + ## + ## +@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` + + ######################################## + ## +-## Execute httpd with a domain transition. ++## Transition to apache. + ## + ## + ## +@@ -241,27 +238,47 @@ interface(`apache_domtrans',` + domtrans_pattern($1, httpd_exec_t, httpd_t) + ') + +-######################################## ++###################################### + ## +-## Execute httpd server in the httpd domain. ++## Allow the specified domain to execute apache ++## in the caller domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. 
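Review bot: The six manage_*/relabel_* lines for httpd_user_content_t appear twice in the rewritten apache_role body, the second copy sitting between the httpd_user_ra_content_t and httpd_user_rw_content_t groups; the duplicate grants nothing new and reads like a copy-paste that may have been meant for httpd_user_htaccess_t, which currently only gets `allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };` with no dir rules. Drop the repeated block, or if htaccess directories were intended, change the type in the second copy. `attribute httpdcontent;` also remains in gen_require although no line of the visible interface body references it.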
+ ## + ## + # +-interface(`apache_initrc_domtrans',` ++interface(`apache_exec',` + gen_require(` +- type httpd_initrc_exec_t; ++ type httpd_exec_t; + ') + +- init_labeled_script_domtrans($1, httpd_initrc_exec_t) ++ can_exec($1, httpd_exec_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to execute apache suexec ++## in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_exec_suexec',` ++ gen_require(` ++ type httpd_suexec_exec_t; ++ ') ++ ++ can_exec($1, httpd_suexec_exec_t) + ') + + ####################################### + ## +-## Send generic signals to httpd. ++## Send a generic signal to apache. + ## + ## + ## +@@ -279,7 +296,7 @@ interface(`apache_signal',` + + ######################################## + ## +-## Send null signals to httpd. ++## Send a null signal to apache. + ## + ## + ## +@@ -297,7 +314,7 @@ interface(`apache_signull',` + + ######################################## + ## +-## Send child terminated signals to httpd. ++## Send a SIGCHLD signal to apache. + ## + ## + ## +@@ -315,8 +332,7 @@ interface(`apache_sigchld',` + + ######################################## + ## +-## Inherit and use file descriptors +-## from httpd. ++## Inherit and use file descriptors from Apache. + ## + ## + ## +@@ -334,8 +350,8 @@ interface(`apache_use_fds',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unnamed pipes. ++## Do not audit attempts to read and write Apache ++## unnamed pipes. + ## + ## + ## +@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` + type httpd_t; + ') + +- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. ++## Do not audit attempts to read and write Apache ++## unix domain stream sockets. 
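Review bot: apache_initrc_domtrans is deleted here with no deprecation stub, so any module outside this tree that calls it stops linking, while the same patch's apache_admin (a later hunk) still calls init_labeled_script_domtrans directly. This file's own convention for retired interfaces is a refpolicywarn wrapper; keeping `interface(`apache_initrc_domtrans',` gen_require(`type httpd_initrc_exec_t;') init_labeled_script_domtrans($1, httpd_initrc_exec_t) ')` would preserve callers. For the new apache_exec_suexec, running the suexec binary in the caller's own domain means none of the httpd_suexec_t confinement applies to it; a sentence in the description naming the intended caller and why no domain transition is used would help the next reviewer.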
+ ## + ## + ## +@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd TCP sockets. ++## Do not audit attempts to read and write Apache ++## TCP sockets. + ## + ## + ## +@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` + + ######################################## + ## +-## Create, read, write, and delete +-## all httpd content. ++## Create, read, write, and delete all web content. + ## + ## + ## +@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` + + ######################################## + ## +-## Set attributes httpd cache directories. ++## Allow domain to set the attributes ++## of the APACHE cache directory. + ## + ## + ## +@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` + + ######################################## + ## +-## List httpd cache directories. ++## Allow the specified domain to list ++## Apache cache. + ## + ## + ## +@@ -453,7 +470,8 @@ interface(`apache_list_cache',` + + ######################################## + ## +-## Read and write httpd cache files. ++## Allow the specified domain to read ++## and write Apache cache files. + ## + ## + ## +@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` + + ######################################## + ## +-## Delete httpd cache directories. ++## Allow the specified domain to delete ++## Apache cache dirs. + ## + ## + ## +@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` + + ######################################## + ## +-## Delete httpd cache files. ++## Allow the specified domain to delete ++## Apache cache. + ## + ## + ## +@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` + + ######################################## + ## +-## Read httpd configuration files. ++## Allow the specified domain to search ++## apache configuration dirs. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`apache_read_config',` ++interface(`apache_search_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) +- allow $1 httpd_config_t:dir list_dir_perms; +- read_files_pattern($1, httpd_config_t, httpd_config_t) +- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ++ allow $1 httpd_config_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Search httpd configuration directories. ++## Allow the specified domain to read ++## apache configuration files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`apache_search_config',` ++interface(`apache_read_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) +- allow $1 httpd_config_t:dir search_dir_perms; ++ allow $1 httpd_config_t:dir list_dir_perms; ++ read_files_pattern($1, httpd_config_t, httpd_config_t) ++ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## httpd configuration files. ++## Allow the specified domain to manage ++## apache configuration files. + ## + ## + ## +@@ -570,8 +592,8 @@ interface(`apache_manage_config',` + + ######################################## + ## +-## Execute the Apache helper program +-## with a domain transition. ++## Execute the Apache helper program with ++## a domain transition. + ## + ## + ## +@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` + # + interface(`apache_run_helper',` + gen_require(` +- attribute_role httpd_helper_roles; ++ type httpd_helper_t; + ') + + apache_domtrans_helper($1) +- roleattribute $2 httpd_helper_roles; ++ role $2 types httpd_helper_t; ++') ++ ++######################################## ++## ++## dontaudit attempts to read ++## apache log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`apache_dontaudit_read_log',` ++ gen_require(` ++ type httpd_log_t; ++ ') ++ ++ dontaudit $1 httpd_log_t:file read_file_perms; ++ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Read httpd log files. ++## Allow the specified domain to read ++## apache log files. + ## + ## + ## +@@ -639,7 +683,8 @@ interface(`apache_read_log',` + + ######################################## + ## +-## Append httpd log files. ++## Allow the specified domain to append ++## to apache log files. + ## + ## + ## +@@ -657,10 +702,29 @@ interface(`apache_append_log',` + append_files_pattern($1, httpd_log_t, httpd_log_t) + ') + ++####################################### ++## ++## Allow the specified domain to write ++## to apache log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_write_log',` ++ gen_require(` ++ type httpd_log_t; ++ ') ++ ++ allow $1 httpd_log_t:file write; ++') ++ + ######################################## + ## +-## Do not audit attempts to append +-## httpd log files. ++## Do not audit attempts to append to the ++## Apache logs. + ## + ## + ## +@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## httpd log files. ++## Allow the specified domain to manage ++## to apache log files. + ## + ## + ## +@@ -698,47 +762,49 @@ interface(`apache_manage_log',` + read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) + ') + +-####################################### ++######################################## + ## +-## Write apache log files. ++## Do not audit attempts to search Apache ++## module directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
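Review bot: The new apache_write_log grants only `allow $1 httpd_log_t:file write;`, whereas the apache_write_log it replaces (removed in the `@@ -698` hunk below) used `logging_search_logs($1)` and `write_files_pattern($1, httpd_log_t, httpd_log_t)`; a caller that opens a log by path will now be denied open and directory search, so this form only works for descriptors inherited from httpd. Either restore the pattern form, or narrow the summary to `## Write to apache log file descriptors inherited from httpd.` so callers do not reach for broad fixes when the open denial shows up. Write access to log files is also what an intruder needs to scrub traces, so keeping the grant tight and the description exact is worth it here.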
+ ## + ## + # +-interface(`apache_write_log',` ++interface(`apache_dontaudit_search_modules',` + gen_require(` +- type httpd_log_t; ++ type httpd_modules_t; + ') + +- logging_search_logs($1) +- write_files_pattern($1, httpd_log_t, httpd_log_t) ++ dontaudit $1 httpd_modules_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search +-## httpd module directories. ++## Allow the specified domain to read ++## the apache module directories. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`apache_dontaudit_search_modules',` ++interface(`apache_read_modules',` + gen_require(` + type httpd_modules_t; + ') + +- dontaudit $1 httpd_modules_t:dir search_dir_perms; ++ read_files_pattern($1, httpd_modules_t, httpd_modules_t) + ') + + ######################################## + ## +-## List httpd module directories. ++## Allow the specified domain to list ++## the contents of the apache modules ++## directory. + ## + ## + ## +@@ -752,11 +818,13 @@ interface(`apache_list_modules',` + ') + + allow $1 httpd_modules_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) + ') + + ######################################## + ## +-## Execute httpd module files. ++## Allow the specified domain to execute ++## apache modules. + ## + ## + ## +@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` + + ######################################## + ## +-## Read httpd module files. ++## Execute a domain transition to run httpd_rotatelogs. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`apache_read_module_files',` ++interface(`apache_domtrans_rotatelogs',` + gen_require(` +- type httpd_modules_t; ++ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + +- libs_search_lib($1) +- read_files_pattern($1, httpd_modules_t, httpd_modules_t) ++ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ') + +-######################################## ++####################################### + ## +-## Execute a domain transition to +-## run httpd_rotatelogs. ++## Execute httpd_rotatelogs in the caller domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + # +-interface(`apache_domtrans_rotatelogs',` ++interface(`apache_exec_rotatelogs',` ++ gen_require(` ++ type httpd_rotatelogs_exec_t; ++ ') ++ ++ can_exec($1, httpd_rotatelogs_exec_t) ++') ++ ++####################################### ++## ++## Execute httpd system scripts in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apache_exec_sys_script',` + gen_require(` +- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ++ type httpd_sys_script_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms; ++ can_exec($1, httpd_sys_script_exec_t) + ') + + ######################################## + ## +-## List httpd system content directories. ++## Allow the specified domain to list ++## apache system content files. + ## + ## + ## +@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` + ') + + list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + files_search_var($1) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## httpd system content files. ++## Allow the specified domain to manage ++## apache system content files. 
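Review bot: apache_read_module_files is removed without a replacement that keeps its `libs_search_lib($1)`; the apache_read_modules added in the `@@ -698` hunk above has only read_files_pattern, so callers that reached the modules through the lib directories lose that search, and existing callers of the old name no longer link. For apache_exec_sys_script, the parameter is documented as "Domain allowed to transition" but can_exec runs the CGI scripts inside the caller's own domain with no transition to httpd_sys_script_t, so the script inherits the caller's full privileges; change the doc to `## Domain allowed to execute.` and add a comment on why unconfined execution is wanted. apache_domtrans_rotatelogs likewise drops `corecmd_search_bin($1)`, which callers may have relied on to reach the binary.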
+ ## + ## + ## +@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` + ## + ## + # ++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr + interface(`apache_manage_sys_content',` + gen_require(` + type httpd_sys_content_t; +@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` + manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + ') + +-######################################## ++###################################### + ## +-## Create, read, write, and delete +-## httpd system rw content. ++## Allow the specified domain to read ++## apache system content rw files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++# ++interface(`apache_read_sys_content_rw_files',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to manage ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## + # +-interface(`apache_manage_sys_rw_content',` ++interface(`apache_manage_sys_content_rw',` + gen_require(` + type httpd_sys_rw_content_t; + ') + +- apache_search_sys_content($1) ++ files_search_var($1) + manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + ') + + ######################################## + ## +-## Execute all httpd scripts in the +-## system script domain. ++## Allow the specified domain to delete ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_delete_sys_content_rw',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ files_search_tmp($1) ++ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++######################################## ++## ++## Execute all web scripts in the system ++## script domain. 
+ ## + ## + ## +@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` + ## + ## + # ++# cjp: this interface specifically added to allow ++# sysadm_t to run scripts + interface(`apache_domtrans_sys_script',` + gen_require(` + attribute httpdcontent; +- type httpd_sys_script_t; ++ type httpd_sys_script_exec_t; ++ type httpd_sys_script_t, httpd_sys_content_t; ++ ') ++ ++ tunable_policy(`httpd_enable_cgi',` ++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) + ') + + tunable_policy(`httpd_enable_cgi && httpd_unified',` +@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd system script unix +-## domain stream sockets. ++## Do not audit attempts to read and write Apache ++## system script unix domain stream sockets. + ## + ## + ## +@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` + ######################################## + ## + ## Execute all user scripts in the user +-## script domain. Add user script domains ++## script domain. Add user script domains + ## to the specified role. + ## + ## +@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` + ## Role allowed access. + ## + ## ++## + # + interface(`apache_run_all_scripts',` + gen_require(` +@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` + + ######################################## + ## +-## Read httpd squirrelmail data files. ++## Allow the specified domain to read ++## apache squirrelmail data. + ## + ## + ## +@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` + type httpd_squirrelmail_t; + ') + +- allow $1 httpd_squirrelmail_t:file read_file_perms; ++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) + ') + + ######################################## + ## +-## Append httpd squirrelmail data files. ++## Allow the specified domain to append ++## apache squirrelmail data. 
+ ## + ## + ## +@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` + + ######################################## + ## +-## Search httpd system content. ++## Search apache system content. + ## + ## + ## +@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` + type httpd_sys_content_t; + ') + +- files_search_var($1) + allow $1 httpd_sys_content_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read httpd system content. ++## Read apache system content. + ## + ## + ## +@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` + + ######################################## + ## +-## Search httpd system CGI directories. ++## Search apache system CGI directories. + ## + ## + ## +@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` + + ######################################## + ## +-## Create, read, write, and delete all +-## user httpd content. ++## Create, read, write, and delete all user web content. + ## + ## + ## +@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` + ## + # + interface(`apache_manage_all_user_content',` +- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.') +- apache_manage_all_content($1) ++ gen_require(` ++ attribute httpd_user_content_type, httpd_user_script_exec_type; ++ ') ++ ++ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ ++ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ++ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ++ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) + ') + + ######################################## + ## +-## Search system script state directories. ++## Search system script state directory. 
+ ## + ## + ## +@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` + + ######################################## + ## +-## Read httpd tmp files. ++## Allow the specified domain to read ++## apache tmp files. + ## + ## + ## +@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` + read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) + ') + ++###################################### ++## ++## Dontaudit attempts to read and write ++## apache tmp files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`apache_dontaudit_rw_tmp_files',` ++ gen_require(` ++ type httpd_tmp_t; ++ ') ++ ++ dontaudit $1 httpd_tmp_t:file { read write }; ++') ++ + ######################################## + ## +-## Do not audit attempts to write +-## httpd tmp files. ++## Dontaudit attempts to write ++## apache tmp files. + ## + ## + ## +@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` + type httpd_tmp_t; + ') + +- dontaudit $1 httpd_tmp_t:file write_file_perms; ++ dontaudit $1 httpd_tmp_t:file write; + ') + + ######################################## +@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` + ## + ## + ##

    ++## Execute CGI in the specified domain.
++##

    ++##

    + ## This is an interface to support third party modules
+ ## and its use is not allowed in upstream reference
+ ## policy.
+@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
+ 
+ ########################################
+ ##

    +-## All of the rules required to +-## administrate an apache environment. ++## Execute httpd server in the httpd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apache_systemctl',` ++ gen_require(` ++ type httpd_t; ++ type httpd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 httpd_unit_file_t:file read_file_perms; ++ allow $1 httpd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, httpd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate an apache environment + ## + ## + ## +@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` + interface(`apache_admin',` + gen_require(` + attribute httpdcontent, httpd_script_exec_type; +- attribute httpd_script_domains, httpd_htaccess_type; + type httpd_t, httpd_config_t, httpd_log_t; +- type httpd_modules_t, httpd_lock_t, httpd_helper_t; +- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t; +- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; +- type httpd_initrc_exec_t, httpd_suexec_t; ++ type httpd_modules_t, httpd_lock_t, httpd_bool_t; ++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; ++ type httpd_suexec_tmp_t, httpd_tmp_t; ++ type httpd_unit_file_t; + ') + +- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; +- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) +- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) ++ allow $1 httpd_t:process signal_perms; ++ ps_process_pattern($1, httpd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 httpd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, httpd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -1204,10 +1419,10 @@ interface(`apache_admin',` + apache_manage_all_content($1) + miscfiles_manage_public_files($1) + +- 
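Review bot: The summary above apache_systemctl reads "Execute httpd server in the httpd domain", which was the description of the deleted apache_initrc_domtrans; the interface actually grants systemctl execution, read of the unit file and `manage_service_perms` on it, plus process inspection of httpd_t, with no transition into httpd_t. Replace it with `## Allow the specified domain to manage the httpd service through systemctl.` so readers do not mistake it for a domtrans. Since manage_service_perms covers starting and stopping the web server, the description should also say this is intended for administrative domains only.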
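Review bot: In the rewritten apache_admin gen_require, `type httpd_modules_t, httpd_lock_t, httpd_bool_t;` requires httpd_bool_t, but no visible line of the interface uses it (the body continues in later hunks, so check there before removing). The signal and ptrace rules now cover httpd_t only; httpd_script_domains, httpd_helper_t, httpd_suexec_t, httpd_rotatelogs_t and httpd_passwd_t are dropped from both the process rules and ps_process_pattern, so an administrator can no longer signal or inspect a stuck CGI script or suexec child. If that narrowing is intentional it deserves a comment; otherwise re-add `ps_process_pattern($1, httpd_script_domains)` together with a matching signal_perms rule. Gating ptrace on `deny_ptrace` is a sound reduction of what the admin domain can reach.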
files_search_etc($1) +- admin_pattern($1, { httpd_config_t httpd_keytab_t }) ++ files_list_etc($1) ++ admin_pattern($1, httpd_config_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, httpd_log_t) + + admin_pattern($1, httpd_modules_t) +@@ -1218,9 +1433,129 @@ interface(`apache_admin',` + admin_pattern($1, httpd_var_run_t) + files_pid_filetrans($1, httpd_var_run_t, file) + +- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) +- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) ++ admin_pattern($1, httpdcontent) ++ admin_pattern($1, httpd_script_exec_type) ++ ++ seutil_domtrans_setfiles($1) ++ ++ files_list_tmp($1) ++ admin_pattern($1, httpd_tmp_t) ++ admin_pattern($1, httpd_php_tmp_t) ++ admin_pattern($1, httpd_suexec_tmp_t) ++ ++ apache_systemctl($1) ++ admin_pattern($1, httpd_unit_file_t) ++ allow $1 httpd_unit_file_t:service all_service_perms; ++ ++ apache_filetrans_named_content($1) ++') ++ ++######################################## ++## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`apache_dontaudit_leaks',` ++ gen_require(` ++ type httpd_t; ++ type httpd_tmp_t; ++ ') ++ ++ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 httpd_t:tcp_socket { read write }; ++ dontaudit $1 httpd_t:unix_dgram_socket { read write }; ++ dontaudit $1 httpd_t:unix_stream_socket { read write }; ++ dontaudit $1 httpd_tmp_t:file { read write }; ++') ++ ++######################################## ++## ++## Transition to apache named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`apache_filetrans_named_content',` ++ gen_require(` ++ type httpd_sys_content_t, httpd_sys_rw_content_t; ++ type httpd_tmp_t; ++ ') ++ ++ ++ apache_filetrans_home_content($1) ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") ++ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache") ++') ++ ++######################################## ++## ++## Allow any httpd_exec_t to be an entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_entrypoint',` ++ gen_require(` ++ type httpd_exec_t; ++ ') ++ allow $1 httpd_exec_t:file entrypoint; ++') ++ ++######################################## ++## ++## Execute a httpd_exec_t in the specified domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`apache_exec_domtrans',` ++ gen_require(` ++ type httpd_exec_t; ++ ') ++ ++ domtrans_pattern($1, httpd_exec_t, $2) ++') ++ ++######################################## ++## ++## Transition to apache home content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`apache_filetrans_home_content',` ++ gen_require(` ++ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t; ++ type httpd_user_content_ra_t; ++ ') + +- apache_run_all_scripts($1, $2) +- apache_run_helper($1, $2) ++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html") ++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www") ++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") ++ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") ++ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs") ++ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") + ') +diff --git a/apache.te b/apache.te +index 1a82e29..bfe87eb 100644 +--- a/apache.te ++++ b/apache.te +@@ -1,297 +1,367 @@ +-policy_module(apache, 2.6.10) ++policy_module(apache, 2.4.0) ++ ++# ++# NOTES: ++# This policy will work with SUEXEC enabled as part of the Apache ++# configuration. However, the user CGI scripts will run under the ++# system_u:system_r:httpd_user_script_t. ++# ++# The user CGI scripts must be labeled with the httpd_user_script_exec_t ++# type, and the directory containing the scripts should also be labeled ++# with these types. This policy allows the user role to perform that ++# relabeling. If it is desired that only admin role should be able to relabel ++# the user CGI scripts, then relabel rule for user roles should be removed. ++# + + ######################################## + # + # Declarations + # + ++selinux_genbool(httpd_bool_t) ++ + ## +-##
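Review bot: `allow $1 httpd_unit_file_t:service all_service_perms;` in apache_admin overlaps the `manage_service_perms` already granted through the preceding `apache_systemctl($1)` call; keep one of the two so the admin's service rights come from a single place. Style in the new interfaces: apache_filetrans_named_content has a doubled blank line after `')`, apache_entrypoint has none between `')` and its allow rule, and the apache_dontaudit_leaks summary should read `## dontaudit read and write of leaked file descriptors`. The `seutil_domtrans_setfiles($1)` addition is plausible for relabeling content but deserves a one-line comment saying that is why it is here.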

    +-## Determine whether httpd can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow Apache to modify public files ++## used for public file transfer services. Directories/Files must ++## be labeled public_content_rw_t. ++##

    + ##
    +-gen_tunable(allow_httpd_anon_write, false) ++gen_tunable(httpd_anon_write, false) + + ## +-##

    +-## Determine whether httpd can use mod_auth_pam. +-##

    ++##

    ++## Allow Apache to use mod_auth_pam ++##

    + ##
    +-gen_tunable(allow_httpd_mod_auth_pam, false) ++gen_tunable(httpd_mod_auth_pam, false) + + ## +-##

    +-## Determine whether httpd can use built in scripting. +-##

    ++##

    ++## Allow Apache to use mod_auth_ntlm_winbind ++##

    + ##
    +-gen_tunable(httpd_builtin_scripting, false) ++gen_tunable(httpd_mod_auth_ntlm_winbind, false) + + ## +-##

    +-## Determine whether httpd can check spam. +-##

    ++##

    ++## Allow httpd scripts and modules execmem/execstack ++##

    + ##
    +-gen_tunable(httpd_can_check_spam, false) ++gen_tunable(httpd_execmem, false) + + ## +-##

    +-## Determine whether httpd scripts and modules +-## can connect to the network using TCP. +-##

    ++##

    ++## Allow httpd processes to manage IPA content ++##

    ++##
    ++gen_tunable(httpd_manage_ipa, false) ++ ++## ++##

    ++## Allow httpd to use built in scripting (usually php) ++##

    ++##
    ++gen_tunable(httpd_builtin_scripting, false) ++ ++## ++##

    ++## Allow HTTPD scripts and modules to connect to the network using TCP. ++##

    + ##
    + gen_tunable(httpd_can_network_connect, false) + + ## +-##

    +-## Determine whether httpd scripts and modules +-## can connect to cobbler over the network. +-##

    ++##

    ++## Allow HTTPD scripts and modules to connect to cobbler over the network. ++##

    + ##
    + gen_tunable(httpd_can_network_connect_cobbler, false) + + ## +-##

    +-## Determine whether scripts and modules can +-## connect to databases over the network. +-##

    ++##

    ++## Allow HTTPD scripts and modules to server cobbler files. ++##

    + ##
    +-gen_tunable(httpd_can_network_connect_db, false) ++gen_tunable(httpd_serve_cobbler_files, false) + + ## +-##

    +-## Determine whether httpd can connect to +-## ldap over the network. +-##

    ++##

    ++## Allow HTTPD to connect to port 80 for graceful shutdown ++##

    + ##
    +-gen_tunable(httpd_can_network_connect_ldap, false) ++gen_tunable(httpd_graceful_shutdown, false) + + ## +-##

    +-## Determine whether httpd can connect +-## to memcache server over the network. +-##

    ++##

    ++## Allow HTTPD scripts and modules to connect to databases over the network. ++##

    + ##
    +-gen_tunable(httpd_can_network_connect_memcache, false) ++gen_tunable(httpd_can_network_connect_db, false) + + ## +-##

    +-## Determine whether httpd can act as a relay. +-##

    ++##

    ++## Allow httpd to connect to memcache server ++##

    ++##
    ++gen_tunable(httpd_can_network_memcache, false) ++ ++## ++##

    ++## Allow httpd to act as a relay ++##

    + ##
    + gen_tunable(httpd_can_network_relay, false) + + ## +-##

    +-## Determine whether httpd daemon can +-## connect to zabbix over the network. +-##

    ++##

    ++## Allow http daemon to connect to zabbix ++##

    + ##
    +-gen_tunable(httpd_can_network_connect_zabbix, false) ++gen_tunable(httpd_can_connect_zabbix, false) + + ## +-##

    +-## Determine whether httpd can send mail. +-##

    ++##

    ++## Allow http daemon to connect to mythtv ++##

    + ##
    +-gen_tunable(httpd_can_sendmail, false) ++gen_tunable(httpd_can_connect_mythtv, false) + + ## +-##

    +-## Determine whether httpd can communicate +-## with avahi service via dbus. +-##

    ++##

    ++## Allow http daemon to check spam ++##

    + ##
    +-gen_tunable(httpd_dbus_avahi, false) ++gen_tunable(httpd_can_check_spam, false) + + ## +-##

    +-## Determine wether httpd can use support. +-##

    ++##

    ++## Allow http daemon to send mail ++##

    + ##
    +-gen_tunable(httpd_enable_cgi, false) ++gen_tunable(httpd_can_sendmail, false) + + ## +-##

    +-## Determine whether httpd can act as a +-## FTP server by listening on the ftp port. +-##

    ++##

    ++## Allow Apache to communicate with avahi service via dbus ++##

    + ##
    +-gen_tunable(httpd_enable_ftp_server, false) ++gen_tunable(httpd_dbus_avahi, false) + + ## +-##

    +-## Determine whether httpd can traverse +-## user home directories. +-##

    ++##

    ++## Allow httpd cgi support ++##

    + ##
    +-gen_tunable(httpd_enable_homedirs, false) ++gen_tunable(httpd_enable_cgi, false) + + ## +-##

    +-## Determine whether httpd gpg can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow httpd to act as a FTP server by ++## listening on the ftp port. ++##

    + ##
    +-gen_tunable(httpd_gpg_anon_write, false) ++gen_tunable(httpd_enable_ftp_server, false) + + ## +-##

    +-## Determine whether httpd can execute +-## its temporary content. +-##

    ++##

    ++## Allow httpd to act as a FTP client ++## connecting to the ftp port and ephemeral ports ++##

    + ##
    +-gen_tunable(httpd_tmp_exec, false) ++gen_tunable(httpd_can_connect_ftp, false) + + ## +-##

    +-## Determine whether httpd scripts and +-## modules can use execmem and execstack. +-##

    ++##

    ++## Allow httpd to connect to the ldap port ++##

    + ##
    +-gen_tunable(httpd_execmem, false) ++gen_tunable(httpd_can_connect_ldap, false) + + ## +-##

    +-## Determine whether httpd can connect +-## to port 80 for graceful shutdown. +-##

    ++##

    ++## Allow httpd to read home directories ++##

    + ##
    +-gen_tunable(httpd_graceful_shutdown, false) ++gen_tunable(httpd_enable_homedirs, false) + + ## +-##

    +-## Determine whether httpd can +-## manage IPA content files. +-##

    ++##

    ++## Allow httpd to read user content ++##

    + ##
    +-gen_tunable(httpd_manage_ipa, false) ++gen_tunable(httpd_read_user_content, false) + + ## +-##

    +-## Determine whether httpd can use mod_auth_ntlm_winbind. +-##

    ++##

    ++## Allow Apache to run in stickshift mode, not transition to passenger ++##

    + ##
    +-gen_tunable(httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(httpd_run_stickshift, false) + + ## +-##

    +-## Determine whether httpd can read +-## generic user home content files. +-##

    ++##

    ++## Allow Apache to query NS records ++##

    + ##
    +-gen_tunable(httpd_read_user_content, false) ++gen_tunable(httpd_verify_dns, false) + + ## +-##

    +-## Determine whether httpd can change +-## its resource limits. +-##

    ++##

    ++## Allow httpd daemon to change its resource limits ++##

    + ##
    + gen_tunable(httpd_setrlimit, false) + + ## +-##

    +-## Determine whether httpd can run +-## SSI executables in the same domain +-## as system CGI scripts. +-##

    ++##

    ++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ++##

    + ##
    + gen_tunable(httpd_ssi_exec, false) + + ## +-##

    +-## Determine whether httpd can communicate +-## with the terminal. Needed for entering the +-## passphrase for certificates at the terminal. +-##

    ++##

    ++## Allow Apache to execute tmp content. ++##

    ++##
    ++gen_tunable(httpd_tmp_exec, false) ++ ++## ++##

    ++## Unify HTTPD to communicate with the terminal. ++## Needed for entering the passphrase for certificates at ++## the terminal. ++##

    + ##
    + gen_tunable(httpd_tty_comm, false) + + ## +-##

    +-## Determine whether httpd can have full access +-## to its content types. +-##

    ++##

    ++## Unify HTTPD handling of all content files. ++##

    + ##
    + gen_tunable(httpd_unified, false) + + ## +-##

    +-## Determine whether httpd can use +-## cifs file systems. +-##

    ++##

    ++## Allow httpd to access openstack ports ++##

    ++##
    ++gen_tunable(httpd_use_openstack, false) ++ ++## ++##

    ++## Allow httpd to access cifs file systems ++##

    + ##
    + gen_tunable(httpd_use_cifs, false) + + ## + ##

    +-## Determine whether httpd can +-## use fuse file systems. ++## Allow httpd to access FUSE file systems + ##

    + ##
    + gen_tunable(httpd_use_fusefs, false) + + ## +-##

    +-## Determine whether httpd can use gpg. +-##

    ++##

    ++## Allow httpd to run gpg ++##

    + ##
    + gen_tunable(httpd_use_gpg, false) + + ## +-##

    +-## Determine whether httpd can use +-## nfs file systems. +-##

    ++##

    ++## Allow httpd to connect to sasl ++##

    ++##
    ++gen_tunable(httpd_use_sasl, false) ++ ++## ++##

    ++## Allow httpd to access nfs file systems ++##

    + ##
    + gen_tunable(httpd_use_nfs, false) + ++## ++##

    ++## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t. ++##

    ++##
    ++gen_tunable(httpd_sys_script_anon_write, false) ++ + attribute httpdcontent; +-attribute httpd_htaccess_type; ++attribute httpd_user_content_type; ++attribute httpd_content_type; + +-# domains that can exec all scripts ++# domains that can exec all users scripts + attribute httpd_exec_scripts; + ++attribute httpd_script_type; + attribute httpd_script_exec_type; ++attribute httpd_user_script_exec_type; + +-# all script domains ++# user script domains + attribute httpd_script_domains; + +-attribute_role httpd_helper_roles; +-roleattribute system_r httpd_helper_roles; +- + type httpd_t; + type httpd_exec_t; ++ifdef(`distro_redhat',` ++ typealias httpd_t alias phpfpm_t; ++ typealias httpd_exec_t alias phpfpm_exec_t; ++') + init_daemon_domain(httpd_t, httpd_exec_t) ++role system_r types httpd_t; + ++# httpd_cache_t is the type given to the /var/cache/httpd ++# directory and the files under that directory + type httpd_cache_t; + files_type(httpd_cache_t) + ++# httpd_config_t is the type given to the configuration files + type httpd_config_t; + files_config_file(httpd_config_t) + + type httpd_helper_t; + type httpd_helper_exec_t; +-application_domain(httpd_helper_t, httpd_helper_exec_t) +-role httpd_helper_roles types httpd_helper_t; ++domain_type(httpd_helper_t) ++domain_entry_file(httpd_helper_t, httpd_helper_exec_t) ++role system_r types httpd_helper_t; + + type httpd_initrc_exec_t; + init_script_file(httpd_initrc_exec_t) + ++type httpd_unit_file_t; ++ifdef(`distro_redhat',` ++ typealias httpd_unit_file_t alias phpfpm_unit_file_t; ++') ++systemd_unit_file(httpd_unit_file_t) ++ + type httpd_lock_t; + files_lock_file(httpd_lock_t) + + type httpd_log_t; ++ifdef(`distro_redhat',` ++ typealias httpd_log_t alias phpfpm_log_t; ++') + logging_log_file(httpd_log_t) + ++# httpd_modules_t is the type given to module files (libraries) ++# that come with Apache /etc/httpd/modules and /usr/lib/apache + type httpd_modules_t; + files_type(httpd_modules_t) + ++type httpd_php_t; 
++type httpd_php_exec_t; ++domain_type(httpd_php_t) ++domain_entry_file(httpd_php_t, httpd_php_exec_t) ++role system_r types httpd_php_t; ++ ++type httpd_php_tmp_t; ++files_tmp_file(httpd_php_tmp_t) ++ + type httpd_rotatelogs_t; + type httpd_rotatelogs_exec_t; + init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) + type httpd_squirrelmail_t; + files_type(httpd_squirrelmail_t) + +-type squirrelmail_spool_t; +-files_tmp_file(squirrelmail_spool_t) +- +-type httpd_suexec_t; ++# SUEXEC runs user scripts as their own user ID ++type httpd_suexec_t; #, daemon; + type httpd_suexec_exec_t; + domain_type(httpd_suexec_t) + domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) +@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; + type httpd_suexec_tmp_t; + files_tmp_file(httpd_suexec_tmp_t) + ++# setup the system domain for system CGI scripts + apache_content_template(sys) +-corecmd_shell_entry_type(httpd_sys_script_t) +-typealias httpd_sys_content_t alias ntop_http_content_t; ++ ++typeattribute httpd_sys_content_t httpdcontent; # customizable ++typeattribute httpd_sys_rw_content_t httpdcontent; # customizable ++typeattribute httpd_sys_ra_content_t httpdcontent; # customizable ++ ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; ++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; ++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; ++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; ++typealias httpd_sys_script_t alias httpd_fastcgi_script_t; + + type httpd_tmp_t; + files_tmp_file(httpd_tmp_t) +@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) + + apache_content_template(user) + ubac_constrained(httpd_user_script_t) ++ ++typeattribute httpd_user_content_t httpdcontent; ++typeattribute 
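Review bot: `policy_module(apache, 2.4.0)` lowers the module version from 2.6.10, so tooling that compares module versions on upgrade may refuse or mis-order this build; bump to a version above 2.6.10 rather than going backwards. Several tunables are renamed rather than added — `allow_httpd_anon_write` → `httpd_anon_write`, `allow_httpd_mod_auth_pam` → `httpd_mod_auth_pam`, `httpd_can_network_connect_memcache` → `httpd_can_network_memcache`, `httpd_can_network_connect_ldap` → `httpd_can_connect_ldap`, `httpd_can_network_connect_zabbix` → `httpd_can_connect_zabbix` — and `httpd_gpg_anon_write` disappears, so persisted `setsebool -P` settings under the old names silently stop applying; ship a booleans.subs_dist mapping or document the renames. `selinux_genbool(httpd_bool_t)` is declared with no explanation of what the httpd_bool_t type is for, and the `typealias httpd_t alias phpfpm_t;` under distro_redhat merges php-fpm into the full httpd domain without a comment saying that this is deliberate.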
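Review bot: `type httpd_suexec_t; #, daemon;` carries a commented-out fragment of an attribute list that no longer means anything; declare it as `type httpd_suexec_t;` and keep the preceding `# SUEXEC runs user scripts as their own user ID` comment, which already explains the type. The relocated `squirrelmail_spool_t` declaration reappears in a later hunk with an added `files_spool_file` call, so nothing is lost here.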
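Review bot: removing `corecmd_shell_entry_type(httpd_sys_script_t)` takes away the shell entrypoint that `corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)` under `httpd_ssi_exec` (later in this file) relies on; unless apache_content_template now provides that entrypoint, SSI execution via the shell will fail with an entrypoint denial. If the removal is intended, the `httpd_ssi_exec` block should change with it. The three `# customizable` typeattribute lines would read better with one comment above them explaining what "customizable" means here (presumably that these types are listed in customizable_types).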
httpd_user_rw_content_t httpdcontent; ++typeattribute httpd_user_ra_content_t httpdcontent; ++ + userdom_user_home_content(httpd_user_content_t) + userdom_user_home_content(httpd_user_htaccess_t) + userdom_user_home_content(httpd_user_script_exec_t) + userdom_user_home_content(httpd_user_ra_content_t) + userdom_user_home_content(httpd_user_rw_content_t) ++typeattribute httpd_user_script_t httpd_script_domains; + typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; ++typealias httpd_user_content_t alias httpd_unconfined_content_t; + typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; + typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; + typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; +@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad + typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; + typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; + ++# for apache2 memory mapped files + type httpd_var_lib_t; + files_type(httpd_var_lib_t) + + type httpd_var_run_t; ++ifdef(`distro_redhat',` ++ typealias httpd_var_run_t alias phpfpm_var_run_t; ++') + files_pid_file(httpd_var_run_t) + +-type httpd_passwd_t; +-type httpd_passwd_exec_t; +-domain_type(httpd_passwd_t) +-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t) +-role system_r types httpd_passwd_t; ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +-type httpd_gpg_t; +-domain_type(httpd_gpg_t) +-role system_r types httpd_gpg_t; ++# File Type of squirrelmail attachments ++type squirrelmail_spool_t; ++files_tmp_file(squirrelmail_spool_t) ++files_spool_file(squirrelmail_spool_t) + + optional_policy(` + prelink_object_file(httpd_modules_t) + ') + ++type 
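Review bot: `typealias httpd_user_content_t alias httpd_unconfined_content_t;` repoints a name that suggests unconfined content at user home content without any comment; the surrounding fastcgi aliases carry a `# Removal of fastcgi ...` explanation, so give this one the same treatment, e.g. `# httpd_unconfined_content_t is kept only as a compatibility alias for existing labels`. `typeattribute httpd_user_script_t httpd_script_domains;` matches the attribute's new "user script domains" description in the earlier hunk, so that part is consistent.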
httpd_passwd_t; ++type httpd_passwd_exec_t; ++application_domain(httpd_passwd_t, httpd_passwd_exec_t) ++role system_r types httpd_passwd_t; ++ + ######################################## + # +-# Local policy ++# Apache server local policy + # + + allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +-dontaudit httpd_t self:capability net_admin; ++dontaudit httpd_t self:capability { net_admin sys_tty_config }; + allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow httpd_t self:fd use; + allow httpd_t self:sock_file read_sock_file_perms; +@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; + allow httpd_t self:sem create_sem_perms; + allow httpd_t self:msgq create_msgq_perms; + allow httpd_t self:msg { send receive }; +-allow httpd_t self:unix_dgram_socket sendto; +-allow httpd_t self:unix_stream_socket { accept connectto listen }; +-allow httpd_t self:tcp_socket { accept listen }; ++allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow httpd_t self:tcp_socket create_stream_socket_perms; ++allow httpd_t self:udp_socket create_socket_perms; ++dontaudit httpd_t self:netlink_audit_socket create_socket_perms; + ++# Allow httpd_t to put files in /var/cache/httpd etc + manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +-files_var_filetrans(httpd_t, httpd_cache_t, dir) ++files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) + ++# Allow the httpd_t to read the web servers config files + allow httpd_t httpd_config_t:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + ++can_exec(httpd_t, httpd_exec_t) ++ + allow httpd_t 
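Review bot: `dontaudit httpd_t self:capability { net_admin sys_tty_config };` adds sys_tty_config to a dontaudit while the unchanged allow rule directly above still grants sys_tty_config; a dontaudit on an allowed permission has no effect, so either drop sys_tty_config from the allow (the tighter option, if httpd really does not need it) or leave the dontaudit as `net_admin` only. The re-added `httpd_passwd_t` now uses `application_domain` instead of domain_type/domain_entry_file, which presumably changes the attributes other interfaces see on it; a one-line comment on why would help.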
httpd_lock_t:file manage_file_perms; + files_lock_filetrans(httpd_t, httpd_lock_t, file) + +-allow httpd_t httpd_log_t:dir setattr_dir_perms; ++allow httpd_t httpd_log_t:dir setattr; + create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) + create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) ++# cjp: need to refine create interfaces to ++# cut this back to add_name only + logging_log_filetrans(httpd_t, httpd_log_t, file) + + allow httpd_t httpd_modules_t:dir list_dir_perms; +@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + ++apache_domtrans_rotatelogs(httpd_t) ++# Apache-httpd needs to be able to send signals to the log rotate procs. + allow httpd_t httpd_rotatelogs_t:process signal_perms; + + manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + + allow httpd_t httpd_suexec_exec_t:file read_file_perms; + ++allow httpd_t httpd_sys_content_t:dir list_dir_perms; ++read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++ + allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + +-can_exec(httpd_t, httpd_exec_t) +- +-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) 
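Review bot: `allow httpd_t httpd_log_t:dir setattr;` replaces the `setattr_dir_perms` permission set with a bare permission; keep the macro form for consistency with the surrounding `*_perms` rules. The new `allow httpd_t self:udp_socket create_socket_perms;` together with the UDP bind/sendrecv rules in a later hunk gives httpd a UDP footprint it did not have; a comment naming the module that needs it (the patch does not say) would justify it. `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` looks like it also labels files httpd creates directly under /var as httpd_cache_t — confirm that is intended.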
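Review bot: `apache_domtrans_rotatelogs(httpd_t)` calls the module's own interface from apache.te, replacing the direct `domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)` removed two hunks later; refpolicy convention is to use the pattern directly inside the owning module. The matching domtrans lines for httpd_helper, httpd_passwd and httpd_suexec are removed there without a visible replacement; if those transitions now live elsewhere in the patch, fine, otherwise httpd_t can no longer transition to its helper domains.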
+-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) +-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) +- + kernel_read_kernel_sysctls(httpd_t) +-kernel_read_network_state(httpd_t) ++# for modules that want to access /proc/meminfo + kernel_read_system_state(httpd_t) ++kernel_read_network_state(httpd_t) + kernel_search_network_sysctl(httpd_t) + +-corenet_all_recvfrom_unlabeled(httpd_t) + corenet_all_recvfrom_netlabel(httpd_t) + corenet_tcp_sendrecv_generic_if(httpd_t) ++corenet_udp_sendrecv_generic_if(httpd_t) + corenet_tcp_sendrecv_generic_node(httpd_t) ++corenet_udp_sendrecv_generic_node(httpd_t) ++corenet_tcp_sendrecv_all_ports(httpd_t) ++corenet_udp_sendrecv_all_ports(httpd_t) + corenet_tcp_bind_generic_node(httpd_t) +- +-corenet_sendrecv_http_server_packets(httpd_t) ++corenet_udp_bind_generic_node(httpd_t) + corenet_tcp_bind_http_port(httpd_t) +-corenet_tcp_sendrecv_http_port(httpd_t) +- +-corenet_sendrecv_http_cache_server_packets(httpd_t) ++corenet_udp_bind_http_port(httpd_t) + corenet_tcp_bind_http_cache_port(httpd_t) +-corenet_tcp_sendrecv_http_cache_port(httpd_t) +- +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) ++corenet_tcp_bind_ntop_port(httpd_t) ++corenet_tcp_bind_jboss_management_port(httpd_t) ++corenet_tcp_bind_jboss_messaging_port(httpd_t) ++corenet_sendrecv_http_server_packets(httpd_t) ++corenet_tcp_bind_puppet_port(httpd_t) ++# Signal self for shutdown ++tunable_policy(`httpd_graceful_shutdown',` ++ corenet_tcp_connect_http_port(httpd_t) ++') + + dev_read_sysfs(httpd_t) + dev_read_rand(httpd_t) + dev_read_urand(httpd_t) + dev_rw_crypto(httpd_t) + +-domain_use_interactive_fds(httpd_t) +- + fs_getattr_all_fs(httpd_t) + fs_search_auto_mountpoints(httpd_t) +- +-fs_getattr_all_fs(httpd_t) +-fs_read_anon_inodefs_files(httpd_t) + fs_read_iso9660_files(httpd_t) +-fs_search_auto_mountpoints(httpd_t) ++fs_rw_anon_inodefs_files(httpd_t) 
++fs_read_hugetlbfs_files(httpd_t) ++ ++auth_use_nsswitch(httpd_t) ++ ++application_exec_all(httpd_t) ++ ++# execute perl ++corecmd_exec_bin(httpd_t) ++corecmd_exec_shell(httpd_t) ++ ++domain_use_interactive_fds(httpd_t) ++domain_dontaudit_read_all_domains_state(httpd_t) + + files_dontaudit_getattr_all_pids(httpd_t) +-files_read_usr_files(httpd_t) ++files_exec_usr_files(httpd_t) + files_list_mnt(httpd_t) ++files_read_mnt_symlinks(httpd_t) + files_search_spool(httpd_t) + files_read_var_symlinks(httpd_t) + files_read_var_lib_files(httpd_t) + files_search_home(httpd_t) + files_getattr_home_dir(httpd_t) ++# for modules that want to access /etc/mtab + files_read_etc_runtime_files(httpd_t) ++# Allow httpd_t to have access to files such as nisswitch.conf ++# for tomcat + files_read_var_lib_symlinks(httpd_t) + +-auth_use_nsswitch(httpd_t) ++fs_search_auto_mountpoints(httpd_sys_script_t) ++# php uploads a file to /tmp and then execs programs to acton them ++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) + + libs_read_lib_files(httpd_t) + ++ifdef(`hide_broken_symptoms',` ++ libs_exec_lib_files(httpd_t) ++') ++ + logging_send_syslog_msg(httpd_t) + +-miscfiles_read_localization(httpd_t) ++init_dontaudit_read_utmp(httpd_t) ++ + miscfiles_read_fonts(httpd_t) + miscfiles_read_public_files(httpd_t) + miscfiles_read_generic_certs(httpd_t) + miscfiles_read_tetex_data(httpd_t) +- +-seutil_dontaudit_search_config(httpd_t) ++miscfiles_dontaudit_access_check_cert(httpd_t) + + userdom_use_unpriv_users_fds(httpd_t) + +-ifdef(`TODO',` +- 
tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`httpd_setrlimit',` ++ allow httpd_t self:process setrlimit; ++ allow httpd_t self:capability sys_resource; ++') + +- logging_send_audit_msgs(httpd_t) +- ') ++tunable_policy(`httpd_anon_write',` ++ miscfiles_manage_public_files(httpd_t) + ') + +-ifdef(`hide_broken_symptoms',` +- libs_exec_lib_files(httpd_t) ++# ++# We need optionals to be able to be within booleans to make this work ++# ++tunable_policy(`httpd_mod_auth_pam',` ++ auth_domtrans_chkpwd(httpd_t) ++ logging_send_audit_msgs(httpd_t) + ') + +-tunable_policy(`allow_httpd_anon_write',` +- miscfiles_manage_public_files(httpd_t) ++optional_policy(` ++ tunable_policy(`httpd_mod_auth_ntlm_winbind',` ++ samba_domtrans_winbind_helper(httpd_t) ++ ') + ') + + tunable_policy(`httpd_can_network_connect',` +- corenet_sendrecv_all_client_packets(httpd_t) + corenet_tcp_connect_all_ports(httpd_t) +- corenet_tcp_sendrecv_all_ports(httpd_t) + ') + + tunable_policy(`httpd_can_network_connect_db',` +- corenet_sendrecv_gds_db_client_packets(httpd_t) + corenet_tcp_connect_gds_db_port(httpd_t) +- corenet_tcp_sendrecv_gds_db_port(httpd_t) +- corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) +- corenet_tcp_sendrecv_mssql_port(httpd_t) +- corenet_sendrecv_oracledb_client_packets(httpd_t) +- corenet_tcp_connect_oracledb_port(httpd_t) +- corenet_tcp_sendrecv_oracledb_port(httpd_t) ++ corenet_sendrecv_mssql_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) ++') ++ ++tunable_policy(`httpd_can_network_memcache',` ++ corenet_tcp_connect_memcache_port(httpd_t) + ') + + tunable_policy(`httpd_can_network_relay',` +- corenet_sendrecv_gopher_client_packets(httpd_t) ++ # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) +- corenet_tcp_sendrecv_gopher_port(httpd_t) +- corenet_sendrecv_ftp_client_packets(httpd_t) + 
corenet_tcp_connect_ftp_port(httpd_t) +- corenet_tcp_sendrecv_ftp_port(httpd_t) +- corenet_sendrecv_http_client_packets(httpd_t) + corenet_tcp_connect_http_port(httpd_t) +- corenet_tcp_sendrecv_http_port(httpd_t) +- corenet_sendrecv_http_cache_client_packets(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) +- corenet_tcp_sendrecv_http_cache_port(httpd_t) +- corenet_sendrecv_squid_client_packets(httpd_t) + corenet_tcp_connect_squid_port(httpd_t) +- corenet_tcp_sendrecv_squid_port(httpd_t) ++ corenet_tcp_connect_memcache_port(httpd_t) ++ corenet_sendrecv_gopher_client_packets(httpd_t) ++ corenet_sendrecv_ftp_client_packets(httpd_t) ++ corenet_sendrecv_http_client_packets(httpd_t) ++ corenet_sendrecv_http_cache_client_packets(httpd_t) ++ corenet_sendrecv_squid_client_packets(httpd_t) ++ corenet_tcp_connect_all_ephemeral_ports(httpd_t) + ') + +-tunable_policy(`httpd_builtin_scripting',` +- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) ++tunable_policy(`httpd_execmem',` ++ allow httpd_t self:process { execmem execstack }; ++ allow httpd_sys_script_t self:process { execmem execstack }; ++ allow httpd_suexec_t self:process { execmem execstack }; ++') + +- allow httpd_t httpdcontent:dir list_dir_perms; +- allow httpd_t httpdcontent:file read_file_perms; +- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; ++tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; ++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) ++ can_exec(httpd_sys_script_t, httpd_sys_content_t) + ') + +-tunable_policy(`httpd_enable_cgi',` +- allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; +- allow httpd_t httpd_script_exec_type:dir list_dir_perms; ++tunable_policy(`httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) + ') + + tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` +@@ -589,28 
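Review bot: `application_exec_all(httpd_t)` and `files_exec_usr_files(httpd_t)` (replacing `files_read_usr_files`) are added unconditionally, as are binds to the ntop, jboss management/messaging and puppet ports; this widens what a compromised httpd_t can execute and listen on in every deployment, whereas the rest of the file gates such things behind tunables. Put the non-default port binds under a tunable or inside the respective optional_policy blocks, and say in a comment which module needs the /usr exec right. `tunable_policy(`httpd_setrlimit',`` is also added here although an unchanged block of the same name is still present later (see the context at the -690,49 hunk header), so the two should be merged. `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, ...)` labels files scripts create in /tmp as web content rather than httpd_tmp_t, which the comment above it ("php uploads a file to /tmp") does not obviously call for — confirm that label is intended.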
+722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) + ') + +-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` +-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) +-# ') ++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` ++ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) ++') + + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) ++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) ++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) ++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) ++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) +- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) +- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) ++') ++ ++tunable_policy(`httpd_can_connect_ftp',` ++ corenet_tcp_connect_ftp_port(httpd_t) ++ corenet_tcp_connect_all_ephemeral_ports(httpd_t) ++') ++ ++tunable_policy(`httpd_can_connect_ldap',` ++ corenet_tcp_connect_ldap_port(httpd_t) ++') ++ ++tunable_policy(`httpd_can_connect_mythtv',` ++ corenet_tcp_connect_mythtv_port(httpd_t) ++') ++ ++tunable_policy(`httpd_can_connect_zabbix',` ++ corenet_tcp_connect_zabbix_port(httpd_t) + ') + + tunable_policy(`httpd_enable_ftp_server',` +- corenet_sendrecv_ftp_server_packets(httpd_t) + corenet_tcp_bind_ftp_port(httpd_t) +- corenet_tcp_sendrecv_ftp_port(httpd_t) ++ corenet_tcp_bind_all_ephemeral_ports(httpd_t) + ') + +-tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_t) ++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` ++ can_exec(httpd_t, httpd_tmp_t) ++') ++ 
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` ++ can_exec(httpd_sys_script_t, httpd_tmp_t) + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_symlinks(httpd_t) + ') + +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++tunable_policy(`httpd_use_nfs',` + fs_list_auto_mountpoints(httpd_t) +- fs_read_cifs_files(httpd_t) +- fs_read_cifs_symlinks(httpd_t) ++ fs_manage_nfs_dirs(httpd_t) ++ fs_manage_nfs_files(httpd_t) ++ fs_manage_nfs_symlinks(httpd_t) + ') + +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) ++ ++tunable_policy(`httpd_use_nfs',` ++ automount_search_tmp_dirs(httpd_t) + ') + +-tunable_policy(`httpd_execmem',` +- allow httpd_t self:process { execmem execstack }; ++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++ fs_read_cifs_files(httpd_t) ++ fs_read_cifs_symlinks(httpd_t) + ') + + tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_t) ++ # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) +- corenet_tcp_sendrecv_smtp_port(httpd_t) +- corenet_sendrecv_pop_client_packets(httpd_t) ++ corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) +- corenet_tcp_sendrecv_pop_port(httpd_t) +- ++ corenet_sendrecv_pop_client_packets(httpd_t) + mta_send_mail(httpd_t) + mta_signal_system_mail(httpd_t) ++ postfix_rw_spool_maildrop_files(httpd_t) + ') + +-optional_policy(` +- tunable_policy(`httpd_can_network_connect_zabbix',` +- zabbix_tcp_connect(httpd_t) +- ') +-') +- +-optional_policy(` +- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` +- spamassassin_domtrans_client(httpd_t) +- ') +-') +- 
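Review bot: the standalone `tunable_policy(`httpd_enable_homedirs',` userdom_search_user_home_dirs(httpd_t) ')` block is removed while `httpd_enable_homedirs` stays declared, so within this file the boolean now only has effect combined with use_nfs_home_dirs or use_samba_home_dirs; if the home-directory search moved elsewhere in the patch, fine, otherwise turning the boolean on alone does nothing. The `httpd_enable_ftp_server` addition of `corenet_tcp_bind_all_ephemeral_ports(httpd_t)` is a broad grant and deserves a comment stating its purpose (presumably passive-mode data connections). The `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting` block now also lets httpd_t create files under httpdcontent that transition to httpd_sys_rw_content_t; that is consistent with unified mode but worth a line in the block's comment.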
+-tunable_policy(`httpd_graceful_shutdown',` +- corenet_sendrecv_http_client_packets(httpd_t) +- corenet_tcp_connect_http_port(httpd_t) +- corenet_tcp_sendrecv_http_port(httpd_t) +-') +- +-optional_policy(` +- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` +- gpg_spec_domtrans(httpd_t, httpd_gpg_t) +- ') +-') +- +-optional_policy(` +- tunable_policy(`httpd_mod_auth_ntlm_winbind',` +- samba_domtrans_winbind_helper(httpd_t) +- ') ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_t) ++ fs_manage_cifs_files(httpd_t) ++ fs_manage_cifs_symlinks(httpd_t) + ') + +-tunable_policy(`httpd_read_user_content',` +- userdom_read_user_home_content_files(httpd_t) ++tunable_policy(`httpd_use_fusefs',` ++ fs_manage_fusefs_dirs(httpd_t) ++ fs_manage_fusefs_files(httpd_t) ++ fs_manage_fusefs_symlinks(httpd_t) + ') + + tunable_policy(`httpd_setrlimit',` +@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',` + + tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) ++ allow httpd_sys_script_t httpd_t:fd use; ++ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; ++ allow httpd_sys_script_t httpd_t:process sigchld; + ') + +-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` +- can_exec(httpd_t, httpd_tmp_t) +-') +- ++# When the admin starts the server, the server wants to access ++# the TTY or PTY associated with the session. The httpd appears ++# to run correctly without this permission, so the permission ++# are dontaudited here. 
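Review bot: The new side opens a `tunable_policy` block on `httpd_use_nfs` twice in a row for httpd_t (the `fs_manage_nfs_*` block and, directly below it, the one holding only `automount_search_tmp_dirs(httpd_t)`); fold the second into the first so the boolean's full effect is readable in one place. In the `httpd_can_sendmail` block, `postfix_rw_spool_maildrop_files(httpd_t)` is called without an `optional_policy` wrapper, unlike every other cross-module call in this hunk; unless the postfix module is guaranteed to be part of the base policy this makes the apache module fail to link when postfix is absent, so wrap that single call in its own `optional_policy` inside the tunable. The rewritten `httpd_use_cifs`, `httpd_use_fusefs` and `httpd_enable_homedirs && use_samba_home_dirs` blocks for httpd_t no longer carry `fs_list_auto_mountpoints(httpd_t)` while the nfs block keeps it; confirm the drop is intended, since automounted shares are the common case for these filesystems.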
+ tunable_policy(`httpd_tty_comm',` +- userdom_use_user_terminals(httpd_t) +-',` +- userdom_dontaudit_use_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_suexec_t) + ') + +-tunable_policy(`httpd_use_cifs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_cifs_dirs(httpd_t) +- fs_manage_cifs_files(httpd_t) +- fs_manage_cifs_symlinks(httpd_t) +-') +- +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) +-') ++optional_policy(` ++ cobbler_list_config(httpd_t) ++ cobbler_read_config(httpd_t) + +-tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_fusefs_dirs(httpd_t) +- fs_manage_fusefs_files(httpd_t) +- fs_read_fusefs_symlinks(httpd_t) +-') ++ tunable_policy(`httpd_serve_cobbler_files',` ++ cobbler_manage_lib_files(httpd_t) ++',` ++ cobbler_read_lib_files(httpd_t) ++ cobbler_search_lib(httpd_t) ++ ') + +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) ++ tunable_policy(`httpd_can_network_connect_cobbler',` ++ corenet_tcp_connect_cobbler_port(httpd_t) ++ ') + ') + +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) ++optional_policy(` ++ tunable_policy(`httpd_use_sasl',` ++ sasl_connect(httpd_t) ++ ') + ') + +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) ++optional_policy(` ++ # Support for ABRT retrace server ++ # mod_wsgi ++ abrt_manage_spool_retrace(httpd_t) ++ abrt_domtrans_retrace_worker(httpd_t) ++ abrt_read_config(httpd_t) + ') + + optional_policy(` +@@ -743,14 +873,6 @@ optional_policy(` + ccs_read_config(httpd_t) + ') + +-optional_policy(` +- clamav_domtrans_clamscan(httpd_t) +-') +- +-optional_policy(` +- cobbler_read_config(httpd_t) +- cobbler_read_lib_files(httpd_t) +-') + + optional_policy(` + 
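Review bot: The comment added above the `httpd_tty_comm` block says the TTY/PTY permission "are dontaudited here", but the hunk deletes the else-branch `userdom_dontaudit_use_user_terminals(httpd_t)` and the new block only grants `userdom_use_inherited_user_terminals` to httpd_t and httpd_suexec_t when the boolean is on, so nothing is dontaudited any more. Either restore the else-branch or reword the comment, e.g. `# Inherited user terminals are usable only while httpd_tty_comm is on; denials are audited when it is off.` The grammar (`the permission are`) should be fixed as well if the comment is kept.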
cron_system_entry(httpd_t, httpd_exec_t) +@@ -765,6 +887,23 @@ optional_policy(` + ') + + optional_policy(` ++ #needed by FreeIPA ++ dirsrv_stream_connect(httpd_t) ++') ++ ++optional_policy(` ++ dirsrv_manage_config(httpd_t) ++ dirsrv_manage_log(httpd_t) ++ dirsrv_manage_var_run(httpd_t) ++ dirsrv_read_share(httpd_t) ++ dirsrv_signal(httpd_t) ++ dirsrv_signull(httpd_t) ++ dirsrvadmin_manage_config(httpd_t) ++ dirsrvadmin_manage_tmp(httpd_t) ++ dirsrvadmin_domtrans_unconfined_script_t(httpd_t) ++') ++ ++ optional_policy(` + dbus_system_bus_client(httpd_t) + + tunable_policy(`httpd_dbus_avahi',` +@@ -781,34 +920,46 @@ optional_policy(` + ') + + optional_policy(` ++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` ++ gpg_domtrans_web(httpd_t) ++ ') ++') ++ ++optional_policy(` ++ gssproxy_stream_connect(httpd_t) ++') ++ ++optional_policy(` ++ jetty_admin(httpd_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(httpd, httpd_t) +- kerberos_manage_host_rcache(httpd_t) +- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23") +- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48") ++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23") ++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48") + ') + + optional_policy(` ++ # needed by FreeIPA + ldap_stream_connect(httpd_t) +- +- tunable_policy(`httpd_can_network_connect_ldap',` +- ldap_tcp_connect(httpd_t) +- ') + ') + + optional_policy(` + mailman_signal_cgi(httpd_t) + mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) ++ # should have separate types for public and private archives + mailman_search_data(httpd_t) + mailman_read_archive(httpd_t) + ') + + optional_policy(` +- memcached_stream_connect(httpd_t) ++ mediawiki_read_tmp_files(httpd_t) ++ mediawiki_delete_tmp_files(httpd_t) ++') + +- tunable_policy(`httpd_can_network_connect_memcache',` +- memcached_tcp_connect(httpd_t) +- ') ++optional_policy(` ++ memcached_stream_connect(httpd_t) + + tunable_policy(`httpd_manage_ipa',` + 
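Review bot: The second dirsrv `optional_policy` block gives httpd_t `dirsrv_manage_config`, `dirsrv_manage_log`, `dirsrv_manage_var_run`, `dirsrvadmin_manage_config`, `dirsrvadmin_manage_tmp` and `dirsrvadmin_domtrans_unconfined_script_t` with no tunable guard, so any web application running as httpd_t can rewrite the directory server's configuration and transition into an unconfined script domain whenever the dirsrv module is loaded. The `#needed by FreeIPA` comment on the neighbouring block suggests this is an IPA-only need, and the patch already uses an `httpd_manage_ipa` boolean for the memcached rules further down; wrapping these nine rules in a `tunable_policy` on `httpd_manage_ipa` would keep the default policy tight, and the two adjacent dirsrv blocks could then be merged. The added `optional_policy(` line just before `dbus_system_bus_client(httpd_t)` appears to carry leading whitespace unlike every other top-level `optional_policy(` in the file; worth checking, since the collapsed layout may hide a stray tab.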
memcached_manage_pid_files(httpd_t) +@@ -816,8 +967,18 @@ optional_policy(` + ') + + optional_policy(` ++ munin_read_config(httpd_t) ++') ++ ++optional_policy(` ++ # Allow httpd to work with mysql + mysql_read_config(httpd_t) + mysql_stream_connect(httpd_t) ++ mysql_rw_db_sockets(httpd_t) ++ ++ optional_policy(` ++ postgresql_stream_connect(httpd_t) ++ ') + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_t) +@@ -826,6 +987,7 @@ optional_policy(` + + optional_policy(` + nagios_read_config(httpd_t) ++ nagios_read_log(httpd_t) + ') + + optional_policy(` +@@ -836,20 +998,39 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_search_lib(httpd_t) ++ openshift_initrc_signull(httpd_t) ++ openshift_initrc_signal(httpd_t) ++') ++ ++optional_policy(` ++ passenger_exec(httpd_t) ++ passenger_manage_pid_content(httpd_t) ++') ++ ++optional_policy(` + pcscd_read_pid_files(httpd_t) + ') + + optional_policy(` +- postgresql_stream_connect(httpd_t) +- postgresql_unpriv_client(httpd_t) ++ pki_apache_domain_signal(httpd_t) ++ pki_manage_apache_config_files(httpd_t) ++ pki_manage_apache_lib(httpd_t) ++ pki_manage_apache_log_files(httpd_t) ++ pki_manage_apache_run(httpd_t) ++ pki_read_tomcat_cert(httpd_t) ++') + +- tunable_policy(`httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_t) +- ') ++optional_policy(` ++ puppet_read_lib(httpd_t) + ') + + optional_policy(` +- puppet_read_lib_files(httpd_t) ++ pwauth_domtrans(httpd_t) ++') ++ ++optional_policy(` ++ rpm_dontaudit_read_db(httpd_t) + ') + + optional_policy(` +@@ -857,19 +1038,35 @@ optional_policy(` + ') + + optional_policy(` ++ # Allow httpd to work with postgresql ++ postgresql_stream_connect(httpd_t) ++ postgresql_unpriv_client(httpd_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_t) ++ ') ++') ++ ++optional_policy(` + seutil_sigchld_newrole(httpd_t) + ') + + optional_policy(` + smokeping_read_lib_files(httpd_t) ++ 
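Review bot: `jetty_admin(httpd_t)` is called with one argument; refpolicy `_admin` interfaces conventionally take `(domain, role)` and grant full management of the target module's files and processes, so either the call is missing its role argument (a build-time failure) or it hands httpd_t unconditional admin rights over jetty. If the latter is intended, a boolean-gated or narrower interface (a read or stream-connect grant, as `gssproxy_stream_connect(httpd_t)` in the same hunk does) would be the safer default, and a comment naming the consumer that needs it belongs above the call.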
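Review bot: The `optional_policy` holding `postgresql_stream_connect(httpd_t)` is nested inside the mysql `optional_policy` block, which makes the PostgreSQL socket connect depend on the mysql module being loaded, an unrelated condition. A later hunk in this patch adds a standalone postgresql block for httpd_t (`postgresql_stream_connect`, `postgresql_unpriv_client` and the `httpd_can_network_connect_db` tcp connect), so this nested copy is redundant and should be removed.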
smokeping_read_pid_files(httpd_t) + ') + + optional_policy(` ++ files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) + ') + + optional_policy(` ++ thin_stream_connect(httpd_t) ++') ++ ++optional_policy(` + udev_read_db(httpd_t) + ') + +@@ -877,65 +1074,173 @@ optional_policy(` + yam_read_content(httpd_t) + ') + ++optional_policy(` ++ zarafa_manage_lib_files(httpd_t) ++ zarafa_stream_connect_server(httpd_t) ++ zarafa_search_config(httpd_t) ++') ++ ++optional_policy(` ++ zoneminder_append_log(httpd_t) ++ zoneminder_manage_lib_dirs(httpd_t) ++ zoneminder_manage_lib_files(httpd_t) ++ zoneminder_stream_connect(httpd_t) ++ zoneminder_exec(httpd_t) ++') ++ + ######################################## + # +-# Helper local policy ++# Apache helper local policy + # + +-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) ++domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) + +-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) ++allow httpd_helper_t httpd_config_t:file read_file_perms; + +-files_search_etc(httpd_helper_t) ++allow httpd_helper_t httpd_log_t:file append_file_perms; + +-logging_search_logs(httpd_helper_t) + logging_send_syslog_msg(httpd_helper_t) + ++tunable_policy(`httpd_verify_dns',` ++ corenet_udp_bind_all_ephemeral_ports(httpd_t) ++') ++ ++tunable_policy(`httpd_run_stickshift', ` ++ allow httpd_t self:capability { fowner fsetid sys_resource }; ++ dontaudit httpd_t self:capability sys_ptrace; ++ allow httpd_t self:process setexec; ++ ++ files_dontaudit_getattr_all_files(httpd_t) ++ domain_getpgid_all_domains(httpd_t) ++') ++ ++optional_policy(` ++ tunable_policy(`httpd_run_stickshift', ` ++ passenger_manage_lib_files(httpd_t) ++ passenger_getattr_log_files(httpd_t) ++ ',` ++ passenger_domtrans(httpd_t) ++ passenger_read_lib_files(httpd_t) ++ 
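Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is added inside the snmp `optional_policy` block, so this generic filesystem dontaudit silently disappears when the snmp module is absent and a reader will not look for it there. Move it next to the other unconditional httpd_t `files_*` rules (it references no snmp types) and keep the snmp block to the two `snmp_dontaudit_*` calls. The new postgresql block in this hunk duplicates the socket and `httpd_can_network_connect_db` rules nested in the mysql block earlier in the patch; keep only this one.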
passenger_stream_connect(httpd_t) ++ passenger_manage_tmp_files(httpd_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`httpd_run_stickshift', ` ++ oddjob_dbus_chat(httpd_t) ++ ') ++') ++ + tunable_policy(`httpd_tty_comm',` +- userdom_use_user_terminals(httpd_helper_t) +-',` +- userdom_dontaudit_use_user_terminals(httpd_helper_t) ++ userdom_use_inherited_user_terminals(httpd_helper_t) ++') ++ ++######################################## ++# ++# Apache PHP script local policy ++# ++ ++allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow httpd_php_t self:fd use; ++allow httpd_php_t self:fifo_file rw_fifo_file_perms; ++allow httpd_php_t self:sock_file read_sock_file_perms; ++allow httpd_php_t self:unix_dgram_socket create_socket_perms; ++allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; ++allow httpd_php_t self:unix_dgram_socket sendto; ++allow httpd_php_t self:unix_stream_socket connectto; ++allow httpd_php_t self:shm create_shm_perms; ++allow httpd_php_t self:sem create_sem_perms; ++allow httpd_php_t self:msgq create_msgq_perms; ++allow httpd_php_t self:msg { send receive }; ++ ++domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) ++ ++# allow php to read and append to apache logfiles ++allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; ++ ++manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) ++manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) ++files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) ++ ++fs_search_auto_mountpoints(httpd_php_t) ++ ++auth_use_nsswitch(httpd_php_t) ++ ++libs_exec_lib_files(httpd_php_t) ++ ++userdom_use_unpriv_users_fds(httpd_php_t) ++ ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_gds_db_port(httpd_php_t) ++ corenet_tcp_connect_mssql_port(httpd_php_t) ++ corenet_sendrecv_mssql_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) 
++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ++') ++ ++optional_policy(` ++ mysql_stream_connect(httpd_php_t) ++ mysql_rw_db_sockets(httpd_php_t) ++ mysql_read_config(httpd_php_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ mysql_tcp_connect(httpd_php_t) ++ ') ++') ++ ++optional_policy(` ++ postgresql_stream_connect(httpd_php_t) ++ postgresql_unpriv_client(httpd_php_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_php_t) ++ ') + ') + + ######################################## + # +-# Suexec local policy ++# Apache suexec local policy + # + + allow httpd_suexec_t self:capability { setuid setgid }; + allow httpd_suexec_t self:process signal_perms; + allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; +-allow httpd_suexec_t self:tcp_socket { accept listen }; +-allow httpd_suexec_t self:unix_stream_socket { accept listen }; ++allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; ++ ++domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) + + create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) ++ ++allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; + + manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + ++can_exec(httpd_suexec_t, httpd_sys_script_exec_t) ++ ++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) ++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) ++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ + kernel_read_kernel_sysctls(httpd_suexec_t) + kernel_list_proc(httpd_suexec_t) + 
kernel_read_proc_symlinks(httpd_suexec_t) + +-corenet_all_recvfrom_unlabeled(httpd_suexec_t) +-corenet_all_recvfrom_netlabel(httpd_suexec_t) +-corenet_tcp_sendrecv_generic_if(httpd_suexec_t) +-corenet_tcp_sendrecv_generic_node(httpd_suexec_t) +- +-corecmd_exec_bin(httpd_suexec_t) +-corecmd_exec_shell(httpd_suexec_t) +- + dev_read_urand(httpd_suexec_t) + + fs_read_iso9660_files(httpd_suexec_t) + fs_search_auto_mountpoints(httpd_suexec_t) + +-files_read_usr_files(httpd_suexec_t) ++application_exec_all(httpd_suexec_t) ++ ++# for shell scripts ++corecmd_exec_bin(httpd_suexec_t) ++corecmd_exec_shell(httpd_suexec_t) ++ + files_dontaudit_search_pids(httpd_suexec_t) + files_search_home(httpd_suexec_t) + +@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) + logging_search_logs(httpd_suexec_t) + logging_send_syslog_msg(httpd_suexec_t) + +-miscfiles_read_localization(httpd_suexec_t) + miscfiles_read_public_files(httpd_suexec_t) + +-tunable_policy(`httpd_builtin_scripting',` +- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type) +- +- allow httpd_suexec_t httpdcontent:dir list_dir_perms; +- allow httpd_suexec_t httpdcontent:file read_file_perms; +- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms; +-') ++corenet_all_recvfrom_netlabel(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect',` ++ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_suexec_t self:udp_socket create_socket_perms; ++ ++ corenet_tcp_sendrecv_generic_if(httpd_suexec_t) ++ corenet_udp_sendrecv_generic_if(httpd_suexec_t) ++ corenet_tcp_sendrecv_generic_node(httpd_suexec_t) ++ corenet_udp_sendrecv_generic_node(httpd_suexec_t) ++ corenet_tcp_sendrecv_all_ports(httpd_suexec_t) ++ corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + corenet_sendrecv_all_client_packets(httpd_suexec_t) +- corenet_tcp_sendrecv_all_ports(httpd_suexec_t) + ') + + 
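Review bot: The new `httpd_verify_dns` and `httpd_run_stickshift` tunable blocks, and the passenger and oddjob `optional_policy` blocks that follow them, all target httpd_t but are inserted under the `# Apache helper local policy` header between httpd_helper_t rules, pushing the helper's own `httpd_tty_comm` block below them; move them up into the httpd_t section so each section stays about one domain. The `httpd_run_stickshift` block grants `{ fowner fsetid sys_resource }`, `setexec` and `domain_getpgid_all_domains(httpd_t)` with no explanation; a one-line why-comment per grant would let a later reviewer judge whether each is still needed. The PHP section's self rule `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }` is a deny-list; a comment stating that httpd_php_t gets every process permission except these would make the intent explicit.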
tunable_policy(`httpd_can_network_connect_db',` +- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t) + corenet_tcp_connect_gds_db_port(httpd_suexec_t) +- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t) +- corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) +- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t) +- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) +- corenet_tcp_connect_oracledb_port(httpd_suexec_t) +- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t) ++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) + ') + ++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) ++ + tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_suexec_t) +- corenet_tcp_connect_smtp_port(httpd_suexec_t) +- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t) +- corenet_sendrecv_pop_client_packets(httpd_suexec_t) +- corenet_tcp_connect_pop_port(httpd_suexec_t) +- corenet_tcp_sendrecv_pop_port(httpd_suexec_t) + mta_send_mail(httpd_suexec_t) +- mta_signal_system_mail(httpd_suexec_t) + ') + + tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpdcontent:file entrypoint; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_read_cifs_files(httpd_suexec_t) +- fs_read_cifs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_suexec_t) ++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, 
httpdcontent) + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +- fs_list_auto_mountpoints(httpd_suexec_t) ++ fs_list_auto_mountpoints(httpd_suexec_t) + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` + fs_exec_nfs_files(httpd_suexec_t) + ') + +-tunable_policy(`httpd_execmem',` +- allow httpd_suexec_t self:process { execmem execstack }; +-') +- +-tunable_policy(`httpd_tmp_exec',` +- can_exec(httpd_suexec_t, httpd_suexec_tmp_t) +-') +- +-tunable_policy(`httpd_tty_comm',` +- userdom_use_user_terminals(httpd_suexec_t) +-',` +- userdom_dontaudit_use_user_terminals(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_cifs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_manage_cifs_dirs(httpd_suexec_t) +- fs_manage_cifs_files(httpd_suexec_t) +- fs_manage_cifs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` ++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++ fs_read_cifs_files(httpd_suexec_t) ++ fs_read_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) + ') + +-tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_manage_fusefs_dirs(httpd_suexec_t) +- fs_manage_fusefs_files(httpd_suexec_t) +- fs_read_fusefs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_manage_nfs_dirs(httpd_suexec_t) +- fs_manage_nfs_files(httpd_suexec_t) +- fs_manage_nfs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_suexec_t) ++optional_policy(` ++ mailman_domtrans_cgi(httpd_suexec_t) + ') + + optional_policy(` +- mailman_domtrans_cgi(httpd_suexec_t) ++ mta_stub(httpd_suexec_t) ++ ++ # 
apache should set close-on-exec ++ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; + ') + + optional_policy(` + mysql_stream_connect(httpd_suexec_t) ++ mysql_rw_db_sockets(httpd_suexec_t) + mysql_read_config(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` +@@ -1077,172 +1333,106 @@ optional_policy(` + ') + ') + +-tunable_policy(`httpd_read_user_content',` +- userdom_read_user_home_content_files(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_suexec_t) +-') +- + ######################################## + # +-# Common script local policy ++# Apache system script local policy + # + +-allow httpd_script_domains self:fifo_file rw_file_perms; +-allow httpd_script_domains self:unix_stream_socket connectto; +- +-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; +- +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) ++allow httpd_sys_script_t self:process getsched; + +-kernel_dontaudit_search_sysctl(httpd_script_domains) +-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) +- +-corenet_all_recvfrom_unlabeled(httpd_script_domains) +-corenet_all_recvfrom_netlabel(httpd_script_domains) +-corenet_tcp_sendrecv_generic_if(httpd_script_domains) +-corenet_tcp_sendrecv_generic_node(httpd_script_domains) ++allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; ++allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +-corecmd_exec_all_executables(httpd_script_domains) ++dontaudit httpd_sys_script_t httpd_config_t:dir search; + +-dev_read_rand(httpd_script_domains) +-dev_read_urand(httpd_script_domains) ++allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; + +-files_exec_etc_files(httpd_script_domains) +-files_read_etc_files(httpd_script_domains) +-files_search_home(httpd_script_domains) ++allow 
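Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is added unconditionally, which makes every plain `httpd_sys_content_t` file a valid entrypoint for the CGI domain, whereas the `entrypoint` grant on `httpdcontent` a few lines below is still guarded by `httpd_enable_cgi && httpd_unified`. If only the unified case is meant, move the call inside that tunable block; if it is meant to be unconditional, a comment stating why read-only web content must be an entrypoint for `httpd_sys_script_t` is needed, because it weakens the content/script type separation administrators rely on. The `manage_*_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)` rules in that block, and the `domain_entry_file` call itself, also belong in the system script section rather than under `# Apache suexec local policy`.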
httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; ++read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) ++read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) + +-libs_exec_ld_so(httpd_script_domains) +-libs_exec_lib_files(httpd_script_domains) ++kernel_read_kernel_sysctls(httpd_sys_script_t) + +-logging_search_logs(httpd_script_domains) ++dev_list_sysfs(httpd_sys_script_t) + +-miscfiles_read_fonts(httpd_script_domains) +-miscfiles_read_public_files(httpd_script_domains) ++files_read_var_symlinks(httpd_sys_script_t) ++files_search_var_lib(httpd_sys_script_t) ++files_search_spool(httpd_sys_script_t) + +-seutil_dontaudit_search_config(httpd_script_domains) ++logging_inherit_append_all_logs(httpd_sys_script_t) + +-tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_script_domains httpdcontent:file entrypoint; ++# Should we add a boolean? ++apache_domtrans_rotatelogs(httpd_sys_script_t) + +- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent) +- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) +- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) ++auth_use_nsswitch(httpd_sys_script_t) + +- can_exec(httpd_script_domains, httpdcontent) ++ifdef(`distro_redhat',` ++ allow httpd_sys_script_t httpd_log_t:file append_file_perms; + ') + +-tunable_policy(`httpd_enable_cgi',` +- allow httpd_script_domains self:process { setsched signal_perms }; +- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms; +- +- kernel_read_system_state(httpd_script_domains) +- +- fs_getattr_all_fs(httpd_script_domains) +- +- files_read_etc_runtime_files(httpd_script_domains) +- files_read_usr_files(httpd_script_domains) +- +- libs_read_lib_files(httpd_script_domains) +- +- miscfiles_read_localization(httpd_script_domains) ++tunable_policy(`httpd_can_sendmail',` ++ mta_send_mail(httpd_sys_script_t) + ') + + 
optional_policy(` +- tunable_policy(`httpd_enable_cgi && allow_ypbind',` +- nis_use_ypbind_uncond(httpd_script_domains) ++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` ++ spamassassin_domtrans_client(httpd_t) + ') + ') + +-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- corenet_sendrecv_gds_db_client_packets(httpd_script_domains) +- corenet_tcp_connect_gds_db_port(httpd_script_domains) +- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains) +- corenet_sendrecv_mssql_client_packets(httpd_script_domains) +- corenet_tcp_connect_mssql_port(httpd_script_domains) +- corenet_tcp_sendrecv_mssql_port(httpd_script_domains) +- corenet_sendrecv_oracledb_client_packets(httpd_script_domains) +- corenet_tcp_connect_oracledb_port(httpd_script_domains) +- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains) +-') +- +-optional_policy(` +- mysql_read_config(httpd_script_domains) +- mysql_stream_connect(httpd_script_domains) +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_script_domains) +- ') ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_gds_db_port(httpd_sys_script_t) ++ corenet_tcp_connect_mssql_port(httpd_sys_script_t) ++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) + ') + +-optional_policy(` +- postgresql_stream_connect(httpd_script_domains) ++fs_cifs_entry_type(httpd_sys_script_t) ++fs_read_iso9660_files(httpd_sys_script_t) ++fs_nfs_entry_type(httpd_sys_script_t) ++fs_rw_anon_inodefs_files(httpd_sys_script_t) + +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_script_domains) +- ') +-') ++tunable_policy(`httpd_use_nfs',` ++ fs_list_auto_mountpoints(httpd_sys_script_t) ++ fs_manage_nfs_dirs(httpd_sys_script_t) ++ fs_manage_nfs_files(httpd_sys_script_t) ++ 
fs_manage_nfs_symlinks(httpd_sys_script_t) ++ fs_exec_nfs_files(httpd_sys_script_t) + +-optional_policy(` +- nscd_use(httpd_script_domains) ++ fs_list_auto_mountpoints(httpd_suexec_t) ++ fs_manage_nfs_dirs(httpd_suexec_t) ++ fs_manage_nfs_files(httpd_suexec_t) ++ fs_manage_nfs_symlinks(httpd_suexec_t) ++ fs_exec_nfs_files(httpd_suexec_t) + ') + +-######################################## +-# +-# System script local policy +-# +- +-allow httpd_sys_script_t self:tcp_socket { accept listen }; +- +-allow httpd_sys_script_t httpd_t:tcp_socket { read write }; +- +-dontaudit httpd_sys_script_t httpd_config_t:dir search; +- +-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; +- +-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; +-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; +- +-kernel_read_kernel_sysctls(httpd_sys_script_t) +- +-fs_search_auto_mountpoints(httpd_sys_script_t) +- +-files_read_var_symlinks(httpd_sys_script_t) +-files_search_var_lib(httpd_sys_script_t) +-files_search_spool(httpd_sys_script_t) +- +-apache_domtrans_rotatelogs(httpd_sys_script_t) +- +-auth_use_nsswitch(httpd_sys_script_t) +- +-tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) +- corenet_tcp_connect_smtp_port(httpd_sys_script_t) +- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t) +- corenet_sendrecv_pop_client_packets(httpd_sys_script_t) +- corenet_tcp_connect_pop_port(httpd_sys_script_t) +- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + +- mta_send_mail(httpd_sys_script_t) +- mta_signal_system_mail(httpd_sys_script_t) ++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_sys_script_t self:udp_socket create_socket_perms; ++ ++ 
corenet_tcp_bind_generic_node(httpd_sys_script_t) ++ corenet_udp_bind_generic_node(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_tcp_connect_all_ports(httpd_sys_script_t) ++ corenet_sendrecv_all_client_packets(httpd_sys_script_t) + ') + + tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_dirs(httpd_sys_script_t) + ') + +-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +- corenet_tcp_connect_all_ports(httpd_sys_script_t) +- corenet_sendrecv_all_client_packets(httpd_sys_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_execmem',` +- allow httpd_sys_script_t self:process { execmem execstack }; ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(httpd_sys_script_t) ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) + ') + + tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` + ') + + tunable_policy(`httpd_use_cifs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_sys_script_t) ++ fs_manage_cifs_dirs(httpd_suexec_t) ++ fs_manage_cifs_files(httpd_suexec_t) ++ fs_manage_cifs_symlinks(httpd_suexec_t) ++ fs_exec_cifs_files(httpd_suexec_t) + ') + + tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) + fs_manage_fusefs_dirs(httpd_sys_script_t) + fs_manage_fusefs_files(httpd_sys_script_t) +- 
fs_read_fusefs_symlinks(httpd_sys_script_t) ++ fs_manage_fusefs_symlinks(httpd_sys_script_t) ++ fs_manage_fusefs_dirs(httpd_suexec_t) ++ fs_manage_fusefs_files(httpd_suexec_t) ++ fs_manage_fusefs_symlinks(httpd_suexec_t) ++ fs_exec_fusefs_files(httpd_suexec_t) + ') + +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_sys_script_t) ++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++ fs_read_cifs_files(httpd_sys_script_t) ++ fs_read_cifs_symlinks(httpd_sys_script_t) + ') + +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) +- fs_manage_nfs_dirs(httpd_sys_script_t) +- fs_manage_nfs_files(httpd_sys_script_t) +- fs_manage_nfs_symlinks(httpd_sys_script_t) ++optional_policy(` ++ clamav_domtrans_clamscan(httpd_sys_script_t) ++ clamav_domtrans_clamscan(httpd_t) + ') + +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_sys_script_t) ++optional_policy(` ++ mysql_stream_connect(httpd_sys_script_t) ++ mysql_rw_db_sockets(httpd_sys_script_t) ++ mysql_read_config(httpd_sys_script_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ mysql_tcp_connect(httpd_sys_script_t) ++ ') + ') + + optional_policy(` +- clamav_domtrans_clamscan(httpd_sys_script_t) ++ postgresql_stream_connect(httpd_sys_script_t) ++ postgresql_unpriv_client(httpd_sys_script_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_sys_script_t) ++ ') + ') + + optional_policy(` +- postgresql_unpriv_client(httpd_sys_script_t) ++ snmp_read_snmp_var_lib_files(httpd_sys_script_t) + ') + + ######################################## + # +-# Rotatelogs local policy ++# httpd_rotatelogs local policy + # + + allow httpd_rotatelogs_t self:capability dac_override; + + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + + kernel_read_kernel_sysctls(httpd_rotatelogs_t) + 
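Review bot: The `httpd_use_nfs` block under `# Apache system script local policy` carries rules for httpd_suexec_t alongside the httpd_sys_script_t ones, and the suexec lines repeat what the `httpd_enable_homedirs && use_nfs_home_dirs` block in the suexec section already grants when that boolean is on; the `spamassassin_domtrans_client(httpd_t)` wrapper in the same section likewise targets httpd_t. Keep each section to its own domain so a reader checking what `httpd_use_nfs` enables for suexec finds it in one place. The `# Should we add a boolean?` comment above `apache_domtrans_rotatelogs(httpd_sys_script_t)` leaves an open question in the shipped policy; either decide it or reword to state the current choice, e.g. `# rotatelogs transition is unconditional for now`. The `httpd_enable_cgi && httpd_can_network_connect` block now adds `corenet_tcp_bind_generic_node` and `corenet_udp_bind_generic_node` under a boolean whose name promises only outbound connections; a comment explaining why binding is needed there would help.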
kernel_dontaudit_list_proc(httpd_rotatelogs_t) ++kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) + +-files_read_etc_files(httpd_rotatelogs_t) + + logging_search_logs(httpd_rotatelogs_t) + +-miscfiles_read_localization(httpd_rotatelogs_t) + + ######################################## + # +@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) + # + + optional_policy(` +- apache_content_template(unconfined) ++ type httpd_unconfined_script_t; ++ type httpd_unconfined_script_exec_t; ++ domain_type(httpd_unconfined_script_t) ++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) ++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) ++ ++ role system_r types httpd_unconfined_script_t; ++ allow httpd_t httpd_unconfined_script_t:process signal_perms; + ') + + ######################################## +@@ -1324,49 +1531,38 @@ optional_policy(` + # User content local policy + # + +-tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_user_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +- fs_list_auto_mountpoints(httpd_user_script_t) +- fs_read_cifs_files(httpd_user_script_t) +- fs_read_cifs_symlinks(httpd_user_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_user_script_t) +-') ++auth_use_nsswitch(httpd_user_script_t) + +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +- fs_list_auto_mountpoints(httpd_user_script_t) +- fs_read_nfs_files(httpd_user_script_t) +- fs_read_nfs_symlinks(httpd_user_script_t) ++tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_user_script_t httpdcontent:file entrypoint; ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, 
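Review bot: `fs_exec_cifs_files(httpd_suexec_t)` and `fs_exec_fusefs_files(httpd_suexec_t)` now sit directly in the `httpd_use_cifs` and `httpd_use_fusefs` blocks, whereas the removed code required `httpd_use_cifs && httpd_builtin_scripting` (respectively fusefs) before granting execute; enabling "use cifs" to serve content from a share now also lets suexec execute binaries from it. Keep the execute grant behind the conjoined tunable as before, or update the boolean's description to state that it permits execution. These two blocks also mix httpd_suexec_t rules into the system script section, and `fs_list_auto_mountpoints(httpd_sys_script_t)` was dropped from both; confirm that is intended, as the nfs block kept its equivalent.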
httpd_user_content_t) ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + ') + +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_user_script_t) ++# allow accessing files/dirs below the users home dir ++tunable_policy(`httpd_enable_homedirs',` ++ userdom_search_user_home_content(httpd_t) ++ userdom_search_user_home_content(httpd_suexec_t) ++ userdom_search_user_home_content(httpd_user_script_t) + ') + + tunable_policy(`httpd_read_user_content',` ++ userdom_read_user_home_content_files(httpd_t) ++ userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) + ') + +-optional_policy(` +- postgresql_unpriv_client(httpd_user_script_t) +-') +- + ######################################## + # +-# Passwd local policy ++# httpd_passwd local policy + # + + allow httpd_passwd_t self:fifo_file manage_fifo_file_perms; + allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms; + allow httpd_passwd_t self:unix_dgram_socket create_socket_perms; + +-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms; +- + kernel_read_system_state(httpd_passwd_t) + + corecmd_exec_bin(httpd_passwd_t) +@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t) + + domain_use_interactive_fds(httpd_passwd_t) + ++ + auth_use_nsswitch(httpd_passwd_t) + +-miscfiles_read_generic_certs(httpd_passwd_t) +-miscfiles_read_localization(httpd_passwd_t) ++miscfiles_read_certs(httpd_passwd_t) + +-######################################## +-# +-# GPG local policy +-# ++systemd_manage_passwd_run(httpd_passwd_t) ++systemd_manage_passwd_run(httpd_t) ++#systemd_passwd_agent_dev_template(httpd) ++ ++domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) ++dontaudit httpd_passwd_t httpd_config_t:file read; ++ 
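Review bot: The `httpd_read_user_content` block now grants userdom_read_user_home_content_files to httpd_t and httpd_suexec_t in addition to httpd_user_script_t, so turning the boolean on lets the main server process read every user's home content directly rather than only through a user script; the boolean's description (declared outside this hunk) should state that widened scope. In the `httpd_enable_cgi && httpd_unified` block, httpd_user_script_t receives both `entrypoint` on the httpdcontent attribute and manage on httpd_user_content_t, so a compromised user script can rewrite files it can later be entered through — a comment such as `# httpd_unified: user scripts may rewrite their own entrypoint files` above the allow would make that trade-off explicit. The NFS and CIFS home-directory rules for httpd_user_script_t are removed here with no replacement visible in this hunk (only a CIFS block for httpd_sys_script_t appears earlier in the file), so deployments relying on `use_nfs_home_dirs` with user scripts will presumably see new denials.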
++search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type) ++corecmd_shell_entry_type(httpd_script_type) ++ ++allow httpd_script_type self:fifo_file rw_file_perms; ++allow httpd_script_type self:unix_stream_socket connectto; ++ ++allow httpd_script_type httpd_t:fifo_file write; ++# apache should set close-on-exec ++apache_dontaudit_leaks(httpd_script_type) ++ ++append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t) ++logging_search_logs(httpd_script_type) ++ ++kernel_dontaudit_search_sysctl(httpd_script_type) ++kernel_dontaudit_search_kernel_sysctl(httpd_script_type) ++ ++dev_read_rand(httpd_script_type) ++dev_read_urand(httpd_script_type) ++ ++corecmd_exec_all_executables(httpd_script_type) ++application_exec_all(httpd_script_type) ++ ++files_exec_etc_files(httpd_script_type) ++files_search_home(httpd_script_type) ++ ++libs_exec_ld_so(httpd_script_type) ++libs_exec_lib_files(httpd_script_type) ++ ++miscfiles_read_fonts(httpd_script_type) ++miscfiles_read_public_files(httpd_script_type) + +-allow httpd_gpg_t self:process setrlimit; ++allow httpd_t httpd_script_type:unix_stream_socket connectto; + +-allow httpd_gpg_t httpd_t:fd use; +-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; +-allow httpd_gpg_t httpd_t:process sigchld; ++allow httpd_t httpd_script_exec_type:file read_file_perms; ++allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; ++allow httpd_t httpd_script_type:process { signal sigkill sigstop }; ++allow httpd_t httpd_script_exec_type:dir list_dir_perms; + +-dev_read_rand(httpd_gpg_t) +-dev_read_urand(httpd_gpg_t) ++allow httpd_script_type self:process { setsched signal_perms }; ++allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; ++allow httpd_script_type self:unix_dgram_socket create_socket_perms; + +-files_read_usr_files(httpd_gpg_t) ++allow httpd_script_type httpd_t:fd use; ++allow httpd_script_type httpd_t:process sigchld; + 
+-miscfiles_read_localization(httpd_gpg_t) ++dontaudit httpd_script_type httpd_t:tcp_socket { read write }; + +-tunable_policy(`httpd_gpg_anon_write',` +- miscfiles_manage_public_files(httpd_gpg_t) ++fs_getattr_xattr_fs(httpd_script_type) ++ ++files_read_etc_runtime_files(httpd_script_type) ++ ++libs_read_lib_files(httpd_script_type) ++ ++allow httpd_script_type httpd_sys_content_t:dir search_dir_perms; ++ ++tunable_policy(`httpd_enable_cgi && nis_enabled',` ++ nis_use_ypbind_uncond(httpd_script_type) + ') + + optional_policy(` +- apache_manage_sys_rw_content(httpd_gpg_t) ++ nscd_socket_use(httpd_script_type) + ') + +-optional_policy(` +- gpg_entry_type(httpd_gpg_t) +- gpg_exec(httpd_gpg_t) ++read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++ ++tunable_policy(`httpd_builtin_scripting',` ++ allow httpd_t httpd_content_type:dir search_dir_perms; ++ allow httpd_suexec_t httpd_content_type:dir search_dir_perms; ++ ++ allow httpd_t httpd_content_type:dir list_dir_perms; ++ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) ++') ++ ++tunable_policy(`httpd_use_openstack',` ++ corenet_tcp_connect_keystone_port(httpd_sys_script_t) ++ corenet_tcp_connect_all_ephemeral_ports(httpd_t) ++ corenet_tcp_connect_glance_port(httpd_sys_script_t) ++ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t) ++') ++ ++tunable_policy(`httpd_use_openstack',` ++ corenet_tcp_connect_osapi_compute_port(httpd_t) + ') +diff --git a/apcupsd.fc b/apcupsd.fc +index 5ec0e13..1c37fe1 100644 +--- a/apcupsd.fc ++++ b/apcupsd.fc +@@ -1,10 +1,13 @@ + /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) ++ + /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + + /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + + 
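Review bot: Under `httpd_use_openstack` the new code grants `corenet_tcp_connect_all_ephemeral_ports(httpd_t)`, which lets the web server itself connect to any ephemeral port on any host — far broader than the named keystone/glance/osapi_compute ports given to httpd_sys_script_t in the same block, and likely more than an OpenStack dashboard needs. If a specific service port is the real target it should be named; otherwise the line deserves a comment explaining which OpenStack component listens on an unregistered port. The two `tunable_policy(`httpd_use_openstack', …)` blocks should also be merged by moving `corenet_tcp_connect_osapi_compute_port(httpd_t)` into the first one. The commented-out `#systemd_passwd_agent_dev_template(httpd)` line and the redundant `allow httpd_t httpd_content_type:dir search_dir_perms;` (subsumed by the `list_dir_perms` two lines below, and `read_files_pattern(httpd_t, httpd_content_type, …)` is already unconditional above) should be dropped.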
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) ++/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0) + + /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) +diff --git a/apcupsd.if b/apcupsd.if +index f3c0aba..b6afc90 100644 +--- a/apcupsd.if ++++ b/apcupsd.if +@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',` + + ######################################## + ## ++## Execute apcupsd server in the apcupsd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apcupsd_systemctl',` ++ gen_require(` ++ type apcupsd_t; ++ type apcupsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 apcupsd_unit_file_t:file read_file_perms; ++ allow $1 apcupsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, apcupsd_t) ++') ++ ++######################################## ++## ++## Create configuration files in /var/lock ++## with a named file type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apcupsd_filetrans_named_content',` ++ gen_require(` ++ type apcupsd_lock_t; ++ ') ++ ++ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd") ++ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..") ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an apcupsd environment. 
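Review bot: The new `/var/lock/LCK..` entry uses two unescaped dots, and file_contexts regexes are anchored, so it matches exactly the literal `LCK..` plus any five-character name beginning with `LCK`, but not a device-suffixed name such as `LCK..ttyS0` that UUCP-style serial lock files conventionally carry. If the device-suffixed form is what apcupsd creates (I cannot tell from this hunk), the pattern should be `/var/lock/LCK\.\..* -- gen_context(system_u:object_r:apcupsd_lock_t,s0)`; if only the literal name is intended, escape the dots as `LCK\.\.` so the entry does not also capture unrelated five-character lock files.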
+ ## +@@ -144,11 +187,16 @@ interface(`apcupsd_admin',` + gen_require(` + type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; + type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; ++ type apcupsd_unit_file_t; + ') + +- allow $1 apcupsd_t:process { ptrace signal_perms }; ++ allow $1 apcupsd_t:process signal_perms; + ps_process_pattern($1, apcupsd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 apcupsd_t:process ptrace; ++ ') ++ + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apcupsd_initrc_exec_t system_r; +@@ -165,4 +213,8 @@ interface(`apcupsd_admin',` + + files_list_pids($1) + admin_pattern($1, apcupsd_var_run_t) ++ ++ apcupsd_systemctl($1) ++ admin_pattern($1, apcupsd_unit_file_t) ++ allow $1 apcupsd_unit_file_t:service all_service_perms; + ') +diff --git a/apcupsd.te b/apcupsd.te +index b236327..7b2142b 100644 +--- a/apcupsd.te ++++ b/apcupsd.te +@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) + type apcupsd_var_run_t; + files_pid_file(apcupsd_var_run_t) + ++type apcupsd_unit_file_t; ++systemd_unit_file(apcupsd_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; + allow apcupsd_t apcupsd_lock_t:file manage_file_perms; + files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) + +-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) ++manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) + logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) + + manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) +@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t) + corecmd_exec_bin(apcupsd_t) + corecmd_exec_shell(apcupsd_t) + +-corenet_all_recvfrom_unlabeled(apcupsd_t) + corenet_all_recvfrom_netlabel(apcupsd_t) + 
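Review bot: `files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")` in apcupsd_filetrans_named_content is a named transition that fires only for a file literally called `LCK..`; if apcupsd (or the caller this interface is written for) creates device-suffixed names like `LCK..ttyS0`, the transition will not apply and the file will get the default lock label. The interface description also says "Create configuration files in /var/lock", which these are not — `## Create apcupsd lock files in /var/lock with a named file type transition.` is more accurate. Separately, apcupsd_systemctl is documented as "Execute apcupsd server in the apcupsd domain" but it performs no domain transition; it grants the caller systemctl execution plus `manage_service_perms` on the unit file, so the summary should read `## Allow the caller to start, stop and reload the apcupsd service via systemctl.` (the same copied description recurs in the apmd, arpwatch, automount and avahi systemctl interfaces added in this patch).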
corenet_tcp_sendrecv_generic_if(apcupsd_t) + corenet_tcp_sendrecv_generic_node(apcupsd_t) +@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) + corenet_sendrecv_apcupsd_server_packets(apcupsd_t) + corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) + corenet_tcp_connect_apcupsd_port(apcupsd_t) ++corenet_udp_bind_apc_port(apcupsd_t) ++corenet_udp_bind_snmp_port(apcupsd_t) + + corenet_udp_bind_snmp_port(apcupsd_t) + corenet_sendrecv_snmp_server_packets(apcupsd_t) +@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) + + dev_rw_generic_usb_dev(apcupsd_t) + +-files_read_etc_files(apcupsd_t) + files_manage_etc_runtime_files(apcupsd_t) + files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") + + term_use_unallocated_ttys(apcupsd_t) ++term_use_usb_ttys(apcupsd_t) + +-logging_send_syslog_msg(apcupsd_t) ++#apcupsd runs shutdown, probably need a shutdown domain ++init_rw_utmp(apcupsd_t) ++init_telinit(apcupsd_t) + +-miscfiles_read_localization(apcupsd_t) ++auth_use_nsswitch(apcupsd_t) ++ ++logging_send_syslog_msg(apcupsd_t) + + sysnet_dns_name_resolve(apcupsd_t) + +-userdom_use_user_ttys(apcupsd_t) ++systemd_start_power_services(apcupsd_t) ++ ++userdom_use_inherited_user_ttys(apcupsd_t) + + optional_policy(` + hostname_exec(apcupsd_t) +@@ -112,7 +120,6 @@ optional_policy(` + allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) + corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) +diff --git a/apm.fc b/apm.fc +index ce27d2f..d20377e 100644 +--- a/apm.fc ++++ b/apm.fc +@@ -1,3 +1,4 @@ ++/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0) + /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0) + + /usr/bin/apm -- 
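Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` is added here immediately before the pre-existing `corenet_udp_bind_snmp_port(apcupsd_t)` two lines down, so the rule now appears twice; only `corenet_udp_bind_apc_port(apcupsd_t)` is new and the duplicate should be dropped to keep the port rules readable.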
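Review bot: `init_telinit(apcupsd_t)` gives the UPS daemon the ability to change runlevels directly, and the comment above it (`#apcupsd runs shutdown, probably need a shutdown domain`) records that this is a stop-gap rather than a design. Since this hunk also adds `systemd_start_power_services(apcupsd_t)`, which is the narrower way to request a poweroff on systemd hosts, it is worth stating in the comment which path is actually exercised and tracking the removal of the telinit grant, e.g. `# TODO: apcupsd invokes shutdown(8) on power loss; replace init_telinit with a shutdown domain transition.` The replacement of `userdom_use_user_ttys` with `userdom_use_inherited_user_ttys` is a tightening and looks right.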
gen_context(system_u:object_r:apm_exec_t,s0) +diff --git a/apm.if b/apm.if +index 1a7a97e..1d29dce 100644 +--- a/apm.if ++++ b/apm.if +@@ -141,6 +141,29 @@ interface(`apm_stream_connect',` + + ######################################## + ## ++## Execute apmd server in the apmd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apmd_systemctl',` ++ gen_require(` ++ type apmd_t; ++ type apmd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 apmd_unit_file_t:file read_file_perms; ++ allow $1 apmd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, apmd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an apm environment. + ## +@@ -163,9 +186,13 @@ interface(`apm_admin',` + type apmd_tmp_t; + ') + +- allow $1 apmd_t:process { ptrace signal_perms }; ++ allow $1 apmd_t:process { signal_perms }; + ps_process_pattern($1, apmd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 apmd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, apmd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apmd_initrc_exec_t system_r; +diff --git a/apm.te b/apm.te +index 3590e2f..e1494bd 100644 +--- a/apm.te ++++ b/apm.te +@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) + type apmd_var_run_t; + files_pid_file(apmd_var_run_t) + ++type apmd_unit_file_t; ++systemd_unit_file(apmd_unit_file_t) ++ + ######################################## + # + # Client local policy +@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t) + + fs_getattr_xattr_fs(apm_t) + +-term_use_all_terms(apm_t) ++term_use_all_inherited_terms(apm_t) + + domain_use_interactive_fds(apm_t) + +@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t) + # + + allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; ++dontaudit apmd_t self:capability { setuid dac_override 
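Review bot: The new interface is named `apmd_systemctl` while every other interface in this module visible here uses the `apm_` prefix (`apm_stream_connect`, `apm_admin`), so callers will not find it by the module's naming convention; `apm_systemctl` would match the siblings added elsewhere in this patch (`apcupsd_systemctl`, `arpwatch_systemctl`, `automount_systemctl`). If the name is kept for compatibility with an existing caller, a one-line comment above the interface saying so would stop the next reader from renaming it.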
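Review bot: Unlike the apcupsd, arpwatch, automount and avahi admin interfaces in this same patch, apm_admin is not wired to the new unit-file type: it neither calls the systemctl interface added just above nor grants `admin_pattern($1, apmd_unit_file_t)` / `allow $1 apmd_unit_file_t:service all_service_perms;`, so an apm administrator cannot manage the service on a systemd host. Adding those three lines at the end of the interface (and `type apmd_unit_file_t;` to its gen_require) would bring it in line. The braces in `allow $1 apmd_t:process { signal_perms };` are unnecessary around a single permission set.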
dac_read_search sys_tty_config }; + allow apmd_t self:process { signal_perms getsession }; + allow apmd_t self:fifo_file rw_fifo_file_perms; + allow apmd_t self:netlink_socket create_socket_perms; +@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t) + fs_dontaudit_getattr_all_symlinks(apmd_t) + fs_dontaudit_getattr_all_pipes(apmd_t) + fs_dontaudit_getattr_all_sockets(apmd_t) +- +-selinux_search_fs(apmd_t) ++fs_read_cgroup_files(apmd_t) + + corecmd_exec_all_executables(apmd_t) + +@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) + auth_use_nsswitch(apmd_t) + + init_domtrans_script(apmd_t) ++init_read_utmp(apmd_t) ++init_telinit(apmd_t) + + libs_exec_ld_so(apmd_t) + libs_exec_lib_files(apmd_t) +@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t) + logging_send_audit_msgs(apmd_t) + logging_send_syslog_msg(apmd_t) + +-miscfiles_read_localization(apmd_t) + miscfiles_read_hwdata(apmd_t) + + modutils_domtrans_insmod(apmd_t) + modutils_read_module_config(apmd_t) + +-seutil_dontaudit_read_config(apmd_t) ++seutil_sigchld_newrole(apmd_t) + + userdom_dontaudit_use_unpriv_user_fds(apmd_t) + userdom_dontaudit_search_user_home_dirs(apmd_t) +-userdom_dontaudit_search_user_home_content(apmd_t) ++userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? 
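Review bot: `init_telinit(apmd_t)` is added unconditionally, letting the APM/ACPI event daemon change runlevels on its own, even though the file already routes shutdown through an `optional_policy` `shutdown_domtrans(apmd_t)` block (visible further down in this diff). If telinit is only needed when the shutdown module is absent, the grant belongs inside the `else` of that optional block; otherwise a comment such as `# acpid event scripts call telinit directly on power-button events` would document why both paths are granted.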
+ + optional_policy(` + automount_domtrans(apmd_t) +@@ -206,11 +209,15 @@ optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(apmd_t) ++ shutdown_domtrans(apmd_t) + ') + + optional_policy(` +- shutdown_domtrans(apmd_t) ++ sssd_search_lib(apmd_t) ++') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(apmd_t) + ') + + optional_policy(` +diff --git a/apt.if b/apt.if +index e2414c4..970736b 100644 +--- a/apt.if ++++ b/apt.if +@@ -152,7 +152,7 @@ interface(`apt_read_cache',` + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; +- dontaudit $1 apt_var_cache_t:dir write_dir_perms; ++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms; + allow $1 apt_var_cache_t:file read_file_perms; + ') + +diff --git a/apt.te b/apt.te +index e2d8d52..d82403c 100644 +--- a/apt.te ++++ b/apt.te +@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t) + corecmd_exec_bin(apt_t) + corecmd_exec_shell(apt_t) + +-corenet_all_recvfrom_unlabeled(apt_t) + corenet_all_recvfrom_netlabel(apt_t) + corenet_tcp_sendrecv_generic_if(apt_t) + corenet_tcp_sendrecv_generic_node(apt_t) +@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t) + domain_use_interactive_fds(apt_t) + + files_exec_usr_files(apt_t) +-files_read_etc_files(apt_t) + files_read_etc_runtime_files(apt_t) + + fs_getattr_all_fs(apt_t) + + term_create_pty(apt_t, apt_devpts_t) + term_list_ptys(apt_t) +-term_use_all_terms(apt_t) ++term_use_all_inherited_terms(apt_t) + + libs_exec_ld_so(apt_t) + libs_exec_lib_files(apt_t) + + logging_send_syslog_msg(apt_t) + +-miscfiles_read_localization(apt_t) +- + seutil_use_newrole_fds(apt_t) + + sysnet_read_config(apt_t) + +-userdom_use_user_terminals(apt_t) ++userdom_use_inherited_user_terminals(apt_t) + + optional_policy(` + cron_system_entry(apt_t, apt_exec_t) +diff --git a/arpwatch.fc b/arpwatch.fc +index 9ca0d0f..9a1a61f 100644 +--- a/arpwatch.fc ++++ b/arpwatch.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) + 
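Review bot: The trailing `# Excessive?` appended to `userdom_dontaudit_search_user_home_content(apmd_t)` is an open question left in the committed policy; a dontaudit rule hides denials rather than granting access, so either the rule is wanted (drop the comment) or it is not (drop the rule), and a reviewer's doubt should not ship as a source comment. In the same hunk `seutil_sigchld_newrole(apmd_t)` is moved from an `optional_policy` block to an unconditional rule; that is fine only if the selinuxutil module is guaranteed to be in base on this target, which is presumably the case for Fedora but is worth a one-line note given the surrounding optional blocks.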
++/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0) ++ + /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) + + /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) +diff --git a/arpwatch.if b/arpwatch.if +index 50c9b9c..51c8cc0 100644 +--- a/arpwatch.if ++++ b/arpwatch.if +@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` + + ######################################## + ## ++## Execute arpwatch server in the arpwatch domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`arpwatch_systemctl',` ++ gen_require(` ++ type arpwatch_t; ++ type arpwatch_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 arpwatch_unit_file_t:file read_file_perms; ++ allow $1 arpwatch_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, arpwatch_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an arpwatch environment. 
+ ## +@@ -138,11 +161,16 @@ interface(`arpwatch_admin',` + gen_require(` + type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; + type arpwatch_data_t, arpwatch_var_run_t; ++ type arpwatch_unit_file_t; + ') + +- allow $1 arpwatch_t:process { ptrace signal_perms }; ++ allow $1 arpwatch_t:process signal_perms; + ps_process_pattern($1, arpwatch_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 arpwatch_t:process ptrace; ++ ') ++ + arpwatch_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 arpwatch_initrc_exec_t system_r; +@@ -156,4 +184,8 @@ interface(`arpwatch_admin',` + + files_list_pids($1) + admin_pattern($1, arpwatch_var_run_t) ++ ++ arpwatch_systemctl($1) ++ admin_pattern($1, arpwatch_unit_file_t) ++ allow $1 arpwatch_unit_file_t:service all_service_perms; + ') +diff --git a/arpwatch.te b/arpwatch.te +index fa18c76..fd6911a 100644 +--- a/arpwatch.te ++++ b/arpwatch.te +@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) + type arpwatch_var_run_t; + files_pid_file(arpwatch_var_run_t) + ++type arpwatch_unit_file_t; ++systemd_unit_file(arpwatch_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen }; + allow arpwatch_t self:tcp_socket { accept listen }; + allow arpwatch_t self:packet_socket create_socket_perms; + allow arpwatch_t self:socket create_socket_perms; ++allow arpwatch_t self:netlink_socket create_socket_perms; + + manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) + manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) +@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) + manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) + files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) + +-kernel_read_kernel_sysctls(arpwatch_t) + kernel_read_network_state(arpwatch_t) ++# meminfo + kernel_read_system_state(arpwatch_t) 
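Review bot: `allow arpwatch_t self:netlink_socket create_socket_perms;` uses the generic `netlink_socket` class, which the kernel assigns only to netlink families without a dedicated SELinux class; interface enumeration via libpcap normally shows up as `netlink_route_socket`, so if that is what the denial was, this rule will not silence it and a rule on the specific class (`allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;`) is what is needed. I cannot tell from the hunk which family arpwatch actually opened, so the audit record that prompted this line should be checked before it lands.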
++kernel_read_kernel_sysctls(arpwatch_t) ++kernel_read_proc_symlinks(arpwatch_t) + kernel_request_load_module(arpwatch_t) + ++corenet_all_recvfrom_netlabel(arpwatch_t) ++corenet_tcp_sendrecv_generic_if(arpwatch_t) ++corenet_udp_sendrecv_generic_if(arpwatch_t) ++corenet_raw_sendrecv_generic_if(arpwatch_t) ++corenet_tcp_sendrecv_generic_node(arpwatch_t) ++corenet_udp_sendrecv_generic_node(arpwatch_t) ++corenet_raw_sendrecv_generic_node(arpwatch_t) ++corenet_tcp_sendrecv_all_ports(arpwatch_t) ++corenet_udp_sendrecv_all_ports(arpwatch_t) ++ + dev_read_sysfs(arpwatch_t) + dev_read_usbmon_dev(arpwatch_t) + dev_rw_generic_usb_dev(arpwatch_t) +@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t) + + domain_use_interactive_fds(arpwatch_t) + +-files_read_usr_files(arpwatch_t) + files_search_var_lib(arpwatch_t) + + auth_use_nsswitch(arpwatch_t) + + logging_send_syslog_msg(arpwatch_t) + +-miscfiles_read_localization(arpwatch_t) +- + userdom_dontaudit_search_user_home_dirs(arpwatch_t) + userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) + +diff --git a/asterisk.if b/asterisk.if +index 7268a04..6ffd87d 100644 +--- a/asterisk.if ++++ b/asterisk.if +@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',` + domtrans_pattern($1, asterisk_exec_t, asterisk_t) + ') + ++###################################### ++## ++## Execute asterisk in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`asterisk_exec',` ++ gen_require(` ++ type asterisk_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, asterisk_exec_t) ++') ++ + ##################################### + ## + ## Connect to asterisk over a unix domain. 
+@@ -105,9 +124,13 @@ interface(`asterisk_admin',` + type asterisk_var_lib_t, asterisk_initrc_exec_t; + ') + +- allow $1 asterisk_t:process { ptrace signal_perms }; ++ allow $1 asterisk_t:process signal_perms; + ps_process_pattern($1, asterisk_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 asterisk_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, asterisk_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 asterisk_initrc_exec_t system_r; +diff --git a/asterisk.te b/asterisk.te +index 5439f1c..4f8a8a5 100644 +--- a/asterisk.te ++++ b/asterisk.te +@@ -19,7 +19,7 @@ type asterisk_log_t; + logging_log_file(asterisk_log_t) + + type asterisk_spool_t; +-files_type(asterisk_spool_t) ++files_spool_file(asterisk_spool_t) + + type asterisk_tmp_t; + files_tmp_file(asterisk_tmp_t) +@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms; + read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + +-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir}) + + manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) ++files_spool_file(asterisk_t, asterisk_spool_t, {dir file}) + + manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) + manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) +@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f + + manage_files_pattern(asterisk_t, 
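Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` looks like the wrong interface: the same name is used at the top of this file as a one-argument type declaration (`files_spool_file(asterisk_spool_t)`), so if it follows the refpolicy definition this call marks the asterisk_t process domain as a spool file type and silently ignores the remaining two arguments, and no transition into /var/spool is created. The intended rule is almost certainly `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`, mirroring the `logging_log_filetrans` added two lines above. The log rules are also widened from append/create/setattr to full `manage_files_pattern`, which lets the daemon truncate or delete its own logs; if that is needed for log rotation a short comment would justify it.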
asterisk_var_lib_t, asterisk_var_lib_t) + ++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) +-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) +- ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) + can_exec(asterisk_t, asterisk_exec_t) + + kernel_read_kernel_sysctls(asterisk_t) +@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) + corecmd_exec_bin(asterisk_t) + corecmd_exec_shell(asterisk_t) + +-corenet_all_recvfrom_unlabeled(asterisk_t) + corenet_all_recvfrom_netlabel(asterisk_t) + corenet_tcp_sendrecv_generic_if(asterisk_t) + corenet_udp_sendrecv_generic_if(asterisk_t) +@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t) + + domain_use_interactive_fds(asterisk_t) + +-files_read_usr_files(asterisk_t) + files_search_spool(asterisk_t) + files_dontaudit_search_home(asterisk_t) + +@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t) + + logging_send_syslog_msg(asterisk_t) + +-miscfiles_read_localization(asterisk_t) +- + userdom_dontaudit_use_unpriv_user_fds(asterisk_t) + userdom_dontaudit_search_user_home_dirs(asterisk_t) + +diff --git a/authconfig.fc b/authconfig.fc +new file mode 100644 +index 0000000..4579cfe +--- /dev/null ++++ b/authconfig.fc +@@ -0,0 +1,3 @@ ++/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0) ++ ++/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0) +diff --git a/authconfig.if b/authconfig.if +new file mode 100644 +index 0000000..316c324 +--- /dev/null ++++ b/authconfig.if +@@ -0,0 +1,127 @@ ++ ++## policy for authconfig ++ ++######################################## ++## ++## Execute TEMPLATE in the authconfig domin. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`authconfig_domtrans',` ++ gen_require(` ++ type authconfig_t, authconfig_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, authconfig_exec_t, authconfig_t) ++') ++ ++######################################## ++## ++## Search authconfig lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_search_lib',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ allow $1 authconfig_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read authconfig lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_read_lib_files',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) ++') ++ ++######################################## ++## ++## Manage authconfig lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_manage_lib_files',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) ++') ++ ++######################################## ++## ++## Manage authconfig lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_manage_lib_dirs',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an authconfig environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`authconfig_admin',` ++ gen_require(` ++ type authconfig_t; ++ type authconfig_var_lib_t; ++ ') ++ ++ allow $1 authconfig_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, authconfig_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, authconfig_var_lib_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/authconfig.te b/authconfig.te +new file mode 100644 +index 0000000..f2aa4e6 +--- /dev/null ++++ b/authconfig.te +@@ -0,0 +1,32 @@ ++policy_module(authconfig, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type authconfig_t; ++type authconfig_exec_t; ++application_domain(authconfig_t, authconfig_exec_t) ++role system_r types authconfig_t; ++ ++type authconfig_var_lib_t; ++files_type(authconfig_var_lib_t) ++ ++######################################## ++# ++# authconfig local policy ++# ++allow authconfig_t self:fifo_file rw_fifo_file_perms; ++allow authconfig_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) ++manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) ++manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) ++files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file }) ++ ++domain_use_interactive_fds(authconfig_t) ++ ++init_domtrans_script(authconfig_t) ++ ++unconfined_domain_noaudit(authconfig_t) +diff --git a/automount.fc b/automount.fc +index 92adb37..0a2ffc6 100644 +--- a/automount.fc ++++ b/automount.fc +@@ -1,6 +1,8 @@ + /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) + /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) + ++/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0) ++ + /usr/sbin/automount -- 
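Review bot: The interface documentation in this new file still carries template placeholders — `authconfig_domtrans` is summarised as "Execute TEMPLATE in the authconfig domin" — which should read `## Execute authconfig in the authconfig domain.` Unlike every other admin interface touched by this patch, `authconfig_admin` grants `allow $1 authconfig_t:process { ptrace signal_perms };` unconditionally instead of gating ptrace behind `tunable_policy(`deny_ptrace', `', …)`, so the deny_ptrace boolean would not cover this domain. The double blank line before `authconfig_admin` is a minor style nit.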
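Review bot: `unconfined_domain_noaudit(authconfig_t)` makes a domain that is reachable through `authconfig_domtrans` fully unconfined with its denials silenced, so whoever is granted that domtrans effectively gains an unconfined process; this is presumably deliberate for an auth-stack configuration tool, but it deserves a comment at the top of the local policy section stating that intent and that callers of authconfig_domtrans must be trusted. The call is also not wrapped in `optional_policy(`…')`, while the unconfined module is optional in refpolicy-derived trees; if it can be absent on this target the module will fail to link, so `optional_policy(` unconfined_domain_noaudit(authconfig_t) ')` is the safer form. The `files_type`, `manage_*_pattern` and `init_domtrans_script` rules above it are redundant once the domain is unconfined, which may be intended as documentation of minimum needs — a comment saying so would help.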
gen_context(system_u:object_r:automount_exec_t,s0) + + /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) +diff --git a/automount.if b/automount.if +index 089430a..b0bed70 100644 +--- a/automount.if ++++ b/automount.if +@@ -29,7 +29,6 @@ interface(`automount_domtrans',` + ## + ## + # +-# + interface(`automount_signal',` + gen_require(` + type automount_t; +@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',` + + ######################################## + ## ++## Allow domain to search of automount temporary ++## directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`automount_search_tmp_dirs',` ++ gen_require(` ++ type automount_tmp_t; ++ ') ++ ++ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to get + ## attributes of automount temporary + ## directories. +@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` + + ######################################## + ## ++## Execute automount server in the automount domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`automount_systemctl',` ++ gen_require(` ++ type automount_t; ++ type automount_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 automount_unit_file_t:file read_file_perms; ++ allow $1 automount_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, automount_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an automount environment. 
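Review bot: The new `automount_search_tmp_dirs` interface is an allow rule, yet its parameter is documented as "Domain to not audit." — copied from the dontaudit interface that follows it; it should read `## Domain allowed access.` so that generated interface docs describe the right semantics. The summary "Allow domain to search of automount temporary directories" also has a stray "of". The same hunk removes a duplicated `#` line in automount_signal's header, which is fine.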
+ ## +@@ -153,11 +194,16 @@ interface(`automount_admin',` + gen_require(` + type automount_t, automount_lock_t, automount_tmp_t; + type automount_var_run_t, automount_initrc_exec_t; ++ type automount_unit_file_t; + ') + +- allow $1 automount_t:process { ptrace signal_perms }; ++ allow $1 automount_t:process signal_perms; + ps_process_pattern($1, automount_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 automount_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, automount_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 automount_initrc_exec_t system_r; +@@ -171,4 +217,8 @@ interface(`automount_admin',` + + files_list_pids($1) + admin_pattern($1, automount_var_run_t) ++ ++ automount_systemctl($1) ++ admin_pattern($1, automount_unit_file_t) ++ allow $1 automount_unit_file_t:service all_service_perms; + ') +diff --git a/automount.te b/automount.te +index a579c3b..294b5f4 100644 +--- a/automount.te ++++ b/automount.te +@@ -22,12 +22,16 @@ type automount_tmp_t; + files_tmp_file(automount_tmp_t) + files_mountpoint(automount_tmp_t) + ++type automount_unit_file_t; ++systemd_unit_file(automount_unit_file_t) ++ + ######################################## + # + # Local policy + # + +-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; ++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; ++allow automount_t self:capability2 block_suspend; + dontaudit automount_t self:capability sys_tty_config; + allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; + allow automount_t self:fifo_file rw_fifo_file_perms; +@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t) + corecmd_exec_bin(automount_t) + corecmd_exec_shell(automount_t) + +-corenet_all_recvfrom_unlabeled(automount_t) + corenet_all_recvfrom_netlabel(automount_t) + corenet_tcp_sendrecv_generic_if(automount_t) + corenet_udp_sendrecv_generic_if(automount_t) 
+@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t) + files_mounton_all_mountpoints(automount_t) + files_mounton_mnt(automount_t) + files_read_etc_runtime_files(automount_t) +-files_read_usr_files(automount_t) + files_search_boot(automount_t) + files_search_all(automount_t) + files_unmount_all_file_type_fs(automount_t) +@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t) + logging_send_syslog_msg(automount_t) + logging_search_logs(automount_t) + +-miscfiles_read_localization(automount_t) + miscfiles_read_generic_certs(automount_t) + +-mount_domtrans(automount_t) +-mount_signal(automount_t) +- + userdom_dontaudit_use_unpriv_user_fds(automount_t) + + optional_policy(` ++ # Run mount in the mount_t domain. ++ mount_domtrans(automount_t) ++ mount_domtrans_showmount(automount_t) ++ mount_signal(automount_t) ++') ++ ++optional_policy(` + fstools_domtrans(automount_t) + ') + +@@ -160,3 +165,8 @@ optional_policy(` + optional_policy(` + udev_read_db(automount_t) + ') ++ ++tunable_policy(`mount_anyfile',` ++ files_mounton_non_security(automount_t) ++') ++ +diff --git a/avahi.fc b/avahi.fc +index e9fe2ca..4c2d076 100644 +--- a/avahi.fc ++++ b/avahi.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) + ++/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0) ++ + /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) + /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) + /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) +diff --git a/avahi.if b/avahi.if +index aebe7cb..33fe57b 100644 +--- a/avahi.if ++++ b/avahi.if +@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',` + ######################################## + ## + ## Connect to avahi using a unix +-$$ stream socket. ++## stream socket. 
+ ## + ## + ## +@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',` + + ######################################## + ## ++## Execute avahi server in the avahi domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`avahi_systemctl',` ++ gen_require(` ++ type avahi_t; ++ type avahi_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 avahi_unit_file_t:file read_file_perms; ++ allow $1 avahi_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, avahi_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an avahi environment. + ## +@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',` + interface(`avahi_admin',` + gen_require(` + type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; ++ type avahi_unit_file_t; + type avahi_var_lib_t; + ') + +- allow $1 avahi_t:process { ptrace signal_perms }; ++ allow $1 avahi_t:process signal_perms; + ps_process_pattern($1, avahi_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 avahi_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, avahi_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 avahi_initrc_exec_t system_r; +@@ -169,4 +197,8 @@ interface(`avahi_admin',` + + files_search_var_lib($1) + admin_pattern($1, avahi_var_lib_t) ++ ++ avahi_systemctl($1) ++ admin_pattern($1, avahi_unit_file_t) ++ allow $1 avahi_unit_file_t:service all_service_perms; + ') +diff --git a/avahi.te b/avahi.te +index 60e76be..0730647 100644 +--- a/avahi.te ++++ b/avahi.te +@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) + + type avahi_var_run_t; + files_pid_file(avahi_var_run_t) ++init_sock_file(avahi_var_run_t) ++ ++type avahi_unit_file_t; ++systemd_unit_file(avahi_unit_file_t) + + ######################################## + # +@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t) + corecmd_exec_bin(avahi_t) + corecmd_exec_shell(avahi_t) + +-corenet_all_recvfrom_unlabeled(avahi_t) + 
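Review bot: The summary on the new `avahi_systemctl` interface, "Execute avahi server in the avahi domain.", does not describe what the body grants: the caller may run systemctl (`systemd_exec_systemctl`), read the unit file, hold `manage_service_perms` on it and see the avahi process, but no domain transition into avahi_t is set up. The same wording is copied into `bcfg2_systemctl`, `bind_systemctl` and `bluetooth_systemctl` later in this patch. A summary that matches the rules, e.g. `## Start, stop and otherwise manage the avahi service via systemctl.`, with the parameter described as `## Domain allowed access.` rather than "Domain allowed to transition.", would stop readers assuming a domtrans that is not there.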
corenet_all_recvfrom_netlabel(avahi_t) + corenet_tcp_sendrecv_generic_if(avahi_t) + corenet_udp_sendrecv_generic_if(avahi_t) +@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t) + fs_list_inotifyfs(avahi_t) + + domain_use_interactive_fds(avahi_t) ++domain_dontaudit_signull_all_domains(avahi_t) + + files_read_etc_runtime_files(avahi_t) +-files_read_usr_files(avahi_t) + + auth_use_nsswitch(avahi_t) + +@@ -83,13 +86,14 @@ init_signull_script(avahi_t) + + logging_send_syslog_msg(avahi_t) + +-miscfiles_read_localization(avahi_t) + miscfiles_read_generic_certs(avahi_t) + + sysnet_domtrans_ifconfig(avahi_t) + sysnet_manage_config(avahi_t) + sysnet_etc_filetrans_config(avahi_t) + ++systemd_login_signull(avahi_t) ++ + userdom_dontaudit_use_unpriv_user_fds(avahi_t) + userdom_dontaudit_search_user_home_dirs(avahi_t) + +diff --git a/awstats.te b/awstats.te +index d6ab824..116176d 100644 +--- a/awstats.te ++++ b/awstats.te +@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t) + dev_read_urand(awstats_t) + + files_dontaudit_search_all_mountpoints(awstats_t) +-files_read_etc_files(awstats_t) +-files_read_usr_files(awstats_t) + + fs_list_inotifyfs(awstats_t) + +@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t) + + logging_read_generic_logs(awstats_t) + +-miscfiles_read_localization(awstats_t) +- + sysnet_dns_name_resolve(awstats_t) + + tunable_policy(`awstats_purge_apache_log_files',` +@@ -90,9 +86,13 @@ optional_policy(` + # CGI local policy + # + ++apache_read_log(httpd_awstats_script_t) ++ ++manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) ++manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) ++files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file }) ++ + allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; + + read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) + files_search_var_lib(httpd_awstats_script_t) +- +-apache_read_log(httpd_awstats_script_t) +diff --git a/backup.te 
b/backup.te +index d6ceef4..c10d39c 100644 +--- a/backup.te ++++ b/backup.te +@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t) + corecmd_exec_bin(backup_t) + corecmd_exec_shell(backup_t) + +-corenet_all_recvfrom_unlabeled(backup_t) + corenet_all_recvfrom_netlabel(backup_t) + corenet_tcp_sendrecv_generic_if(backup_t) + corenet_tcp_sendrecv_generic_node(backup_t) +@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t) + + sysnet_read_config(backup_t) + +-userdom_use_user_terminals(backup_t) ++userdom_use_inherited_user_terminals(backup_t) + + optional_policy(` + cron_system_entry(backup_t, backup_exec_t) +diff --git a/bacula.te b/bacula.te +index 3beba2f..7ca4480 100644 +--- a/bacula.te ++++ b/bacula.te +@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) + + domain_use_interactive_fds(bacula_admin_t) + +-files_read_etc_files(bacula_admin_t) + +-miscfiles_read_localization(bacula_admin_t) + + sysnet_dns_name_resolve(bacula_admin_t) + +diff --git a/bcfg2.fc b/bcfg2.fc +index fb42e35..8af0e14 100644 +--- a/bcfg2.fc ++++ b/bcfg2.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) + ++/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0) ++ + /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) + + /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) +diff --git a/bcfg2.if b/bcfg2.if +index ec95d36..7132e1e 100644 +--- a/bcfg2.if ++++ b/bcfg2.if +@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',` + + ######################################## + ## ++## Execute bcfg2 server in the bcfg2 domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`bcfg2_systemctl',` ++ gen_require(` ++ type bcfg2_t; ++ type bcfg2_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 bcfg2_unit_file_t:file read_file_perms; ++ allow $1 bcfg2_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, bcfg2_t) ++') ++ ++ ++######################################## ++## + ## All of the rules required to + ## administrate an bcfg2 environment. + ## +@@ -136,11 +161,16 @@ interface(`bcfg2_admin',` + gen_require(` + type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; + type bcfg2_var_run_t; ++ type bcfg2_unit_file_t; + ') + +- allow $1 bcfg2_t:process { ptrace signal_perms }; ++ allow $1 bcfg2_t:process { signal_perms }; + ps_process_pattern($1, bcfg2_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bcfg2_t:process ptrace; ++ ') ++ + bcfg2_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 bcfg2_initrc_exec_t system_r; +@@ -151,4 +181,13 @@ interface(`bcfg2_admin',` + + files_search_var_lib($1) + admin_pattern($1, bcfg2_var_lib_t) ++ ++ bcfg2_systemctl($1) ++ admin_pattern($1, bcfg2_unit_file_t) ++ allow $1 bcfg2_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/bcfg2.te b/bcfg2.te +index 536ec3c..271b976 100644 +--- a/bcfg2.te ++++ b/bcfg2.te +@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) + type bcfg2_var_lib_t; + files_type(bcfg2_var_lib_t) + ++type bcfg2_unit_file_t; ++systemd_unit_file(bcfg2_unit_file_t) ++ + type bcfg2_var_run_t; + files_pid_file(bcfg2_var_run_t) + +@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t) + + domain_use_interactive_fds(bcfg2_t) + +-files_read_usr_files(bcfg2_t) + + auth_use_nsswitch(bcfg2_t) + + logging_send_syslog_msg(bcfg2_t) +- +-miscfiles_read_localization(bcfg2_t) +diff --git a/bind.fc b/bind.fc +index 2b9a3a1..1742ebf 100644 +--- a/bind.fc ++++ b/bind.fc +@@ -1,54 
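Review bot: `bcfg2_systemctl` calls `systemd_read_fifo_file_passwd_run($1)` unconditionally, while `bcfg2_admin` then calls `bcfg2_systemctl($1)` and also wraps `systemd_passwd_agent_exec($1)` and `systemd_read_fifo_file_passwd_run($1)` in an `optional_policy` block, so the fifo grant is made twice and only one of the two call sites is guarded. Keeping the `optional_policy` block in the admin interface and dropping the unguarded call from `bcfg2_systemctl` would also bring it in line with `avahi_systemctl` and `bind_systemctl` in this patch, neither of which touches the passwd agent. Minor: `allow $1 bcfg2_t:process { signal_perms };` keeps braces around a single macro where the sibling interfaces write `signal_perms` bare, and the new interface is followed by two blank lines where the others have one.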
+1,71 @@ +-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) + +-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/unbound(/.*)? 
gen_context(system_u:object_r:named_conf_t,s0) ++/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++ ++/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) ++/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) + + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) +-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) ++/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) ++/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) + /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0) + +-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + +-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + +-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) ++ifdef(`distro_debian',` ++/etc/bind(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0) ++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++') ++ ++ifdef(`distro_gentoo',` ++/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++') + +-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++ifdef(`distro_redhat',` ++/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot(/.*)? 
gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot/proc(/.*)? <> +-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) +-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/named/chroot/var/named/dynamic(/.*)? 
gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) +-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +- +-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) +-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++') +diff --git a/bind.if b/bind.if +index 866a1e2..6c2dbe4 100644 +--- a/bind.if ++++ b/bind.if +@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` + + ######################################## + ## ++## Execute bind server in the bind domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`bind_systemctl',` ++ gen_require(` ++ type named_unit_file_t; ++ type named_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 named_unit_file_t:file read_file_perms; ++ allow $1 named_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, named_t) ++') ++ ++######################################## ++## + ## Execute ndc in the ndc domain. + ## + ## +@@ -169,6 +192,7 @@ interface(`bind_read_config',` + type named_conf_t; + ') + ++ allow $1 named_conf_t:dir list_dir_perms; + read_files_pattern($1, named_conf_t, named_conf_t) + ') + +@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',` + + ######################################## + ## ++## Create, read, write, and delete ++## BIND configuration files. ++## ++## ++## ++## Domain allowed access. 
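Review bot: The rewritten distro_redhat block loses the escape on the second dot in two file-context regexes: `/etc/named\.rfc1912.zones` and `/var/named/chroot/etc/named\.rfc1912.zones` replace removed lines that had `\.zones`, so each pattern now matches any character before `zones` and labels more paths than the original did. Restore `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)` and `/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)`. The rest of the hunk is a move of existing entries into ifdef(`distro_…') blocks plus new unbound and unit-file entries and reads as intended.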
++## ++## ++# ++interface(`bind_manage_config',` ++ gen_require(` ++ type named_conf_t; ++ ') ++ ++ manage_files_pattern($1, named_conf_t, named_conf_t) ++') ++ ++######################################## ++## + ## Search bind cache directories. + ## + ## +@@ -310,6 +353,27 @@ interface(`bind_read_zone',` + + ######################################## + ## ++## Read BIND zone files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_read_log',` ++ gen_require(` ++ type named_zone_t; ++ type named_log_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 named_zone_t:dir search_dir_perms; ++ read_files_pattern($1, named_log_t, named_log_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete + ## bind zone files. + ## +@@ -362,12 +426,20 @@ interface(`bind_udp_chat_named',` + interface(`bind_admin',` + gen_require(` + type named_t, named_tmp_t, named_log_t; +- type named_cache_t, named_zone_t, named_initrc_exec_t; +- type dnssec_t, ndc_t, named_conf_t, named_var_run_t; ++ type named_conf_t, named_var_run_t, named_cache_t; ++ type named_zone_t, named_initrc_exec_t; ++ type dnssec_t, ndc_t, named_keytab_t; ++ type named_unit_file_t; + ') + +- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { named_t ndc_t }) ++ allow $1 named_t:process signal_perms; ++ ps_process_pattern($1, named_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 named_t:process ptrace; ++ ') ++ ++ bind_run_ndc($1, $2) + + init_labeled_script_domtrans($1, named_initrc_exec_t) + domain_system_change_exemption($1) +@@ -383,11 +455,15 @@ interface(`bind_admin',` + files_list_etc($1) + admin_pattern($1, named_conf_t) + ++ admin_pattern($1, named_keytab_t) ++ + files_list_var($1) + admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) + + files_list_pids($1) + admin_pattern($1, named_var_run_t) + +- bind_run_ndc($1, $2) ++ admin_pattern($1, named_unit_file_t) ++ bind_systemctl($1) ++ allow $1 
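Review bot: The new `bind_read_log` interface is documented as "Read BIND zone files." but its body grants `read_files_pattern($1, named_log_t, named_log_t)` plus search on named_zone_t directories and /var, i.e. read access to the log files. Change the summary to `## Read BIND log files.`; if the named_zone_t search is there so the log path inside the chroot can be reached, a line saying so (`## Also searches zone directories so chroot log paths are reachable.`) would explain the otherwise surprising zone-directory permission — that purpose is my guess and should be confirmed.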
named_unit_file_t:service all_service_perms; + ') +diff --git a/bind.te b/bind.te +index 076ffee..1672ca4 100644 +--- a/bind.te ++++ b/bind.te +@@ -34,7 +34,7 @@ type named_checkconf_exec_t; + init_system_domain(named_t, named_checkconf_exec_t) + + type named_conf_t; +-files_type(named_conf_t) ++files_config_file(named_conf_t) + files_mountpoint(named_conf_t) + + # for secondary zone files +@@ -44,6 +44,9 @@ files_type(named_cache_t) + type named_initrc_exec_t; + init_script_file(named_initrc_exec_t) + ++type named_unit_file_t; ++systemd_unit_file(named_unit_file_t) ++ + type named_log_t; + logging_log_file(named_log_t) + +@@ -68,8 +71,9 @@ role ndc_roles types ndc_t; + # Local policy + # + +-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; + dontaudit named_t self:capability sys_tty_config; ++allow named_t self:capability2 block_suspend; + allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; + allow named_t self:fifo_file rw_fifo_file_perms; + allow named_t self:unix_stream_socket { accept listen }; +@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) + + can_exec(named_t, named_exec_t) + +-append_files_pattern(named_t, named_log_t, named_log_t) +-create_files_pattern(named_t, named_log_t, named_log_t) +-setattr_files_pattern(named_t, named_log_t, named_log_t) ++manage_files_pattern(named_t, named_log_t, named_log_t) + logging_log_filetrans(named_t, named_log_t, file) + + manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) + + corecmd_search_bin(named_t) + +-corenet_all_recvfrom_unlabeled(named_t) + corenet_all_recvfrom_netlabel(named_t) + corenet_tcp_sendrecv_generic_if(named_t) + corenet_udp_sendrecv_generic_if(named_t) +@@ -139,6 +140,7 @@ 
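Review bot: `net_admin` is added to named_t's self:capability set in the `@@ -68,8 +71,9 @@` hunk of bind.te with no comment saying which operation needs it; the capability covers far more than a name server is expected to do (interface and routing configuration, privileged socket options), so a one-line justification next to the rule lets a later reviewer check whether a narrower permission would do. Suggest `# net_admin: needed for <operation — TODO confirm>` above the allow line, and the same treatment for the new `allow named_t self:capability2 block_suspend;`.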
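Review bot: Replacing the append/create/setattr trio on named_log_t with `manage_files_pattern(named_t, named_log_t, named_log_t)` in the `@@ -86,9 +90,7 @@` hunk gives the daemon unlink, write and rename on its own log files, so a compromised named_t could truncate or delete its own audit trail where the previous rules amounted to append-only access. If the daemon rotates or renames its logs and that is the motivation, a comment such as `# manage: named rotates its own log files — TODO confirm` should accompany the widening; otherwise keep the narrower pattern and add only the single permission that was missing.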
corenet_tcp_sendrecv_all_ports(named_t) + dev_read_sysfs(named_t) + dev_read_rand(named_t) + dev_read_urand(named_t) ++dev_dontaudit_write_urand(named_t) + + domain_use_interactive_fds(named_t) + +@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` + ') + + optional_policy(` ++ # needed by FreeIPA with DNS support ++ dirsrv_stream_connect(named_t) ++') ++ ++optional_policy(` ++ cron_system_entry(named_t, named_exec_t) ++') ++ ++optional_policy(` + dbus_system_domain(named_t, named_exec_t) + + init_dbus_chat_script(named_t) +@@ -183,6 +194,7 @@ optional_policy(` + + optional_policy(` + kerberos_keytab_template(named, named_t) ++ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25") + ') + + optional_policy(` +@@ -209,7 +221,8 @@ optional_policy(` + # + + allow ndc_t self:capability { dac_override net_admin }; +-allow ndc_t self:process signal_perms; ++allow ndc_t self:capability2 block_suspend; ++allow ndc_t self:process { fork signal_perms }; + allow ndc_t self:fifo_file rw_fifo_file_perms; + allow ndc_t self:unix_stream_socket { accept listen }; + +@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; + + allow ndc_t named_zone_t:dir search_dir_perms; + +-kernel_read_kernel_sysctls(ndc_t) + kernel_read_system_state(ndc_t) ++kernel_read_kernel_sysctls(ndc_t) + +-corenet_all_recvfrom_unlabeled(ndc_t) + corenet_all_recvfrom_netlabel(ndc_t) + corenet_tcp_sendrecv_generic_if(ndc_t) + corenet_tcp_sendrecv_generic_node(ndc_t) +@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) + + logging_send_syslog_msg(ndc_t) + +-miscfiles_read_localization(ndc_t) ++userdom_use_inherited_user_terminals(ndc_t) + + userdom_use_user_terminals(ndc_t) + +diff --git a/bird.te b/bird.te +index d4d71ec..f53b135 100644 +--- a/bird.te ++++ b/bird.te +@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t) + corenet_tcp_sendrecv_bgp_port(bird_t) + + # /etc/iproute2/rt_realms +-files_read_etc_files(bird_t) + + logging_send_syslog_msg(bird_t) + +diff --git 
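Review bot: In the `@@ -251,7 +263,7 @@` hunk of bind.te, `userdom_use_inherited_user_terminals(ndc_t)` is added while the existing `userdom_use_user_terminals(ndc_t)` stays on the next line, so the pair reads as an unfinished replacement rather than a deliberate widening. The backup.te hunk earlier in this patch does the swap cleanly (`-userdom_use_user_terminals` / `+userdom_use_inherited_user_terminals`); if, as the name suggests, the inherited variant is the narrower grant, do the same here and remove the broader call, otherwise drop the new line instead of carrying both.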
a/bitlbee.if b/bitlbee.if +index e73fb79..2badfc0 100644 +--- a/bitlbee.if ++++ b/bitlbee.if +@@ -44,9 +44,13 @@ interface(`bitlbee_admin',` + type bitlbee_log_t, bitlbee_tmp_t; + ') + +- allow $1 bitlbee_t:process { ptrace signal_perms }; ++ allow $1 bitlbee_t:process signal_perms; + ps_process_pattern($1, bitlbee_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bitlbee_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitlbee_initrc_exec_t system_r; +diff --git a/bitlbee.te b/bitlbee.te +index ac8c91e..80ecd7e 100644 +--- a/bitlbee.te ++++ b/bitlbee.te +@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) + + allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; + allow bitlbee_t self:process { setsched signal }; ++ + allow bitlbee_t self:fifo_file rw_fifo_file_perms; +-allow bitlbee_t self:tcp_socket { accept listen }; +-allow bitlbee_t self:unix_stream_socket { accept listen }; ++allow bitlbee_t self:udp_socket create_socket_perms; ++allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; ++allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; ++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; + + allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; + allow bitlbee_t bitlbee_conf_t:file read_file_perms; +@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; + manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) ++read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + + manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) + manage_sock_files_pattern(bitlbee_t, 
bitlbee_var_run_t, bitlbee_var_run_t) + files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) + +-kernel_read_kernel_sysctls(bitlbee_t) + kernel_read_system_state(bitlbee_t) ++kernel_read_kernel_sysctls(bitlbee_t) + + corenet_all_recvfrom_unlabeled(bitlbee_t) + corenet_all_recvfrom_netlabel(bitlbee_t) +@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) + dev_read_rand(bitlbee_t) + dev_read_urand(bitlbee_t) + +-files_read_usr_files(bitlbee_t) +- + libs_legacy_use_shared_libs(bitlbee_t) + + auth_use_nsswitch(bitlbee_t) + + logging_send_syslog_msg(bitlbee_t) + +-miscfiles_read_localization(bitlbee_t) +- + optional_policy(` + tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) + ') +diff --git a/blueman.fc b/blueman.fc +index c295d2e..4f84e9c 100644 +--- a/blueman.fc ++++ b/blueman.fc +@@ -1,3 +1,4 @@ ++ + /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) + + /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) +diff --git a/blueman.if b/blueman.if +index 16ec525..1dd4059 100644 +--- a/blueman.if ++++ b/blueman.if +@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',` + + allow $1 blueman_t:dbus send_msg; + allow blueman_t $1:dbus send_msg; ++ ps_process_pattern(blueman_t, $1) + ') + + ######################################## +diff --git a/blueman.te b/blueman.te +index bc5c984..63a4b1d 100644 +--- a/blueman.te ++++ b/blueman.te +@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) + + type blueman_t; + type blueman_exec_t; +-dbus_system_domain(blueman_t, blueman_exec_t) ++init_daemon_domain(blueman_t, blueman_exec_t) + + type blueman_var_lib_t; + files_type(blueman_var_lib_t) +@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t) + # + + allow blueman_t self:capability { net_admin sys_nice }; +-allow blueman_t self:process { signal_perms setsched }; ++allow blueman_t self:process { execmem signal_perms setsched }; ++ + allow blueman_t self:fifo_file rw_fifo_file_perms; + + 
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) +@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) + manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) + files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) + +-kernel_read_net_sysctls(blueman_t) ++kernel_rw_net_sysctls(blueman_t) + kernel_read_system_state(blueman_t) + kernel_request_load_module(blueman_t) + +@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t) + dev_read_rand(blueman_t) + dev_read_urand(blueman_t) + dev_rw_wireless(blueman_t) ++dev_rwx_zero(blueman_t) + + domain_use_interactive_fds(blueman_t) + + files_list_tmp(blueman_t) +-files_read_usr_files(blueman_t) + + auth_use_nsswitch(blueman_t) + + logging_send_syslog_msg(blueman_t) + +-miscfiles_read_localization(blueman_t) +- + sysnet_domtrans_ifconfig(blueman_t) ++sysnet_dns_name_resolve(blueman_t) + + optional_policy(` + avahi_domtrans(blueman_t) + ') + + optional_policy(` ++ bluetooth_read_config(blueman_t) ++') ++ ++optional_policy(` ++ dbus_system_domain(blueman_t, blueman_exec_t) ++') ++ ++optional_policy(` + dnsmasq_domtrans(blueman_t) + dnsmasq_read_pid_files(blueman_t) + ') + + optional_policy(` ++ gnome_search_gconf(blueman_t) ++') ++ ++optional_policy(` + iptables_domtrans(blueman_t) + ') ++ ++optional_policy(` ++ xserver_read_state_xdm(blueman_t) ++') +diff --git a/bluetooth.fc b/bluetooth.fc +index 2b9c7f3..0086b95 100644 +--- a/bluetooth.fc ++++ b/bluetooth.fc +@@ -5,10 +5,14 @@ + /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) + /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) + ++/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0) ++ + /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) + /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/bin/hidd -- 
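Review bot: blueman_t gains `execmem` in its self:process rule (hunk `@@ -21,7 +21,8 @@`) and `dev_rwx_zero(blueman_t)` in hunk `@@ -41,29 +42,44 @@`, alongside `kernel_rw_net_sysctls` replacing read-only sysctl access, and none of these carry a comment naming the component that requires them. Executable anonymous memory and writable-executable mappings of /dev/zero are the W^X relaxations that policy reviews single out, so a note such as `# execmem / rwx zero: required by <runtime component — TODO confirm>` beside each rule records the reason and lets a later audit revisit it. If only a helper needs these, a separate domain or a tunable would keep the main daemon domain free of them.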
gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + + /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +diff --git a/bluetooth.if b/bluetooth.if +index c723a0a..3e8a553 100644 +--- a/bluetooth.if ++++ b/bluetooth.if +@@ -37,7 +37,12 @@ interface(`bluetooth_role',` + domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) + + ps_process_pattern($2, bluetooth_helper_t) +- allow $2 bluetooth_helper_t:process { ptrace signal_perms }; ++ ++ allow $2 bluetooth_helper_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 bluetooth_helper_t:process ptrace; ++ ') + + allow $2 bluetooth_t:socket rw_socket_perms; + +@@ -45,8 +50,10 @@ interface(`bluetooth_role',` + allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; + allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + ++ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) ++ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) ++ bluetooth_stream_connect($2) + stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) +- files_search_pids($2) + ') + + ##################################### +@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',` + + ######################################## + ## ++## dontaudit Send and receive messages from ++## bluetooth over dbus. ++## ++## ++## ++## Domain to not audit. 
++##
++##
++#
++interface(`bluetooth_dontaudit_dbus_chat',`
++ gen_require(`
++ type bluetooth_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 bluetooth_t:dbus send_msg;
++ dontaudit bluetooth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+ ##
+ ##
+@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+ 
+ ########################################
+ ##
++## Execute bluetooth server in the bluetooth domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bluetooth_systemctl',`
++ gen_require(`
++ type bluetooth_t;
++ type bluetooth_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 bluetooth_unit_file_t:file read_file_perms;
++ allow $1 bluetooth_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bluetooth_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an bluetooth environment.
+ ##
+@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
+- type bluetooth_initrc_exec_t;
++ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
+ ')
+ 
+- allow $1 bluetooth_t:process { ptrace signal_perms };
++ allow $1 bluetooth_t:process signal_perms;
+ ps_process_pattern($1, bluetooth_t)
+ 
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bluetooth_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
+ 
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
++
++ bluetooth_systemctl($1)
++ admin_pattern($1, bluetooth_unit_file_t)
++ allow $1 bluetooth_unit_file_t:service all_service_perms;
+ ')
+diff --git a/bluetooth.te b/bluetooth.te
+index 6f09d24..231de05 100644
+--- a/bluetooth.te
++++ b/bluetooth.te
+@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
+ type bluetooth_var_run_t;
+ files_pid_file(bluetooth_var_run_t)
+ 
++type bluetooth_unit_file_t;
++systemd_unit_file(bluetooth_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+ 
+ manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+ manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
+ 
+ manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+ manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, 
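Review bot: The summary of `bluetooth_systemctl` (hunk -190,6, whose body closes on this line) reads `## Execute bluetooth server in the bluetooth domain.`, which describes a domain transition, while the body grants `systemd_exec_systemctl($1)` plus read and manage_service_perms on bluetooth_unit_file_t. Suggest `## Manage the bluetooth service via systemctl.` for the summary and `## Domain allowed access.` for the parameter, matching what the interface actually does. In `bluetooth_admin` (hunk -235,4) `allow $1 bluetooth_unit_file_t:service all_service_perms;` directly follows a `bluetooth_systemctl($1)` call that already grants manage_service_perms, so one of the two is redundant; harmless, but a comment saying the wider set is intentional would avoid the next reader removing the wrong one.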
bluetooth_var_run_t, { file sock_file })
+ 
+ can_exec(bluetooth_t, bluetooth_helper_exec_t)
+ 
++corecmd_exec_bin(bluetooth_t)
++corecmd_exec_shell(bluetooth_t)
++
+ kernel_read_kernel_sysctls(bluetooth_t)
+ kernel_read_system_state(bluetooth_t)
+ kernel_read_network_state(bluetooth_t)
+ kernel_request_load_module(bluetooth_t)
+ kernel_search_debugfs(bluetooth_t)
+ 
+-corecmd_exec_bin(bluetooth_t)
+-corecmd_exec_shell(bluetooth_t)
++corenet_all_recvfrom_netlabel(bluetooth_t)
++corenet_tcp_sendrecv_generic_if(bluetooth_t)
++corenet_udp_sendrecv_generic_if(bluetooth_t)
++corenet_raw_sendrecv_generic_if(bluetooth_t)
++corenet_tcp_sendrecv_generic_node(bluetooth_t)
++corenet_udp_sendrecv_generic_node(bluetooth_t)
++corenet_raw_sendrecv_generic_node(bluetooth_t)
++corenet_tcp_sendrecv_all_ports(bluetooth_t)
++corenet_udp_sendrecv_all_ports(bluetooth_t)
+ 
+ dev_read_sysfs(bluetooth_t)
+ dev_rw_usbfs(bluetooth_t)
+@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
+ domain_dontaudit_search_all_domains_state(bluetooth_t)
+ 
+ files_read_etc_runtime_files(bluetooth_t)
+-files_read_usr_files(bluetooth_t)
+ 
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
+@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
+ 
+ logging_send_syslog_msg(bluetooth_t)
+ 
+-miscfiles_read_localization(bluetooth_t)
+ miscfiles_read_fonts(bluetooth_t)
+ miscfiles_read_hwdata(bluetooth_t)
+ 
+@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+ 
++# machine-info
++systemd_hostnamed_read_config(bluetooth_t)
++systemd_dbus_chat_hostnamed(bluetooth_t)
++
+ optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
++ dbus_connect_system_bus(bluetooth_t)
+ 
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
+ domain_read_all_domains_state(bluetooth_helper_t)
+ 
+ 
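Review bot: `corenet_tcp_sendrecv_all_ports(bluetooth_t)` and `corenet_udp_sendrecv_all_ports(bluetooth_t)` in the -90,14 hunk let bluetoothd send and receive on every labeled port, and the raw-socket generic_if/generic_node rules beside them add raw IP; no corenet rules are visible on the old side of this hunk and nothing in the commit says which service the daemon talks to. If the need is a specific port, the matching `corenet_tcp_sendrecv_<name>_port` interface keeps the domain narrow; otherwise a comment such as `# TODO(review): record which ports bluetoothd needs` is the minimum. The same all-ports pattern is added for boinc_t in the boinc.te -54,74 hunk and for calamaris_t in the calamaris.te -41,19 hunk further down, and deserves the same question there.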
files_read_etc_runtime_files(bluetooth_helper_t)
+-files_read_usr_files(bluetooth_helper_t)
+ files_dontaudit_list_default(bluetooth_helper_t)
+ 
+ term_dontaudit_use_all_ttys(bluetooth_helper_t)
+diff --git a/boinc.fc b/boinc.fc
+index 6d3ccad..bda740a 100644
+--- a/boinc.fc
++++ b/boinc.fc
+@@ -1,9 +1,12 @@
+-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+ 
+-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+ 
+-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+ 
+-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
++
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++
++/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+diff --git a/boinc.if b/boinc.if
+index 02fefaa..fbcef10 100644
+--- a/boinc.if
++++ b/boinc.if
+@@ -1,9 +1,165 @@
+-## Platform for computing using volunteered resources.
++## policy for boinc
+ 
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an boinc environment.
++## Execute a domain transition to run boinc.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_domtrans',`
++ gen_require(`
++ type boinc_t, boinc_exec_t;
++ ')
++
++ domtrans_pattern($1, boinc_exec_t, boinc_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_initrc_domtrans',`
++ gen_require(`
++ type boinc_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++')
++
++#######################################
++##
++## Dontaudit getattr on boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_dontaudit_getattr_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ dontaudit $1 boinc_var_lib_t:file getattr;
++')
++
++########################################
++##
++## Search boinc lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_search_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ allow $1 boinc_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_read_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_lib_files',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++##
++## Manage boinc var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_manage_var_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_systemctl',`
++ gen_require(`
++ type boinc_t;
++ type boinc_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 boinc_unit_file_t:file read_file_perms;
++ allow $1 boinc_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, boinc_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an boinc environment.
+ ##
+ ##
+ ##
+@@ -19,26 +175,32 @@
+ #
+ interface(`boinc_admin',`
+ gen_require(`
+-
+- type boinc_t, boinc_project_t, boinc_log_t;
+- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
+- type boinc_project_var_lib_t, boinc_project_tmp_t;
++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ type boinc_unit_file_t;
+ ')
+ 
+- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { boinc_t boinc_project_t })
++ allow $1 boinc_t:process signal_perms;
++ ps_process_pattern($1, boinc_t)
+ 
+- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 boinc_t:process ptrace;
++ ')
++
++ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+ 
+- logging_search_logs($1)
+- admin_pattern($1, boinc_log_t)
++ files_list_var_lib($1)
++ admin_pattern($1, boinc_var_lib_t)
+ 
+- files_search_tmp($1)
+- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
++ boinc_systemctl($1)
++ admin_pattern($1, boinc_unit_file_t)
+ 
+- 
files_search_var_lib($1)
+- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
++ allow $1 boinc_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/boinc.te b/boinc.te
+index 7c92aa1..47619ff 100644
+--- a/boinc.te
++++ b/boinc.te
+@@ -1,11 +1,20 @@
+-policy_module(boinc, 1.0.3)
++policy_module(boinc, 1.0.0)
+ 
+ ########################################
+ #
+ # Declarations
+ #
+ 
+-type boinc_t;
++##
++##
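Review bot: The rewritten `boinc_admin` (hunk -19,26, ending on this line) drops administration of boinc_project_t, boinc_log_t, boinc_tmp_t, boinc_project_tmp_t and boinc_project_var_lib_t, yet the boinc.te hunks that follow still declare every one of those types, so an admin role built on this interface loses access it previously had. Unless that narrowing is intended, the removed `admin_pattern` calls and `ps_process_pattern($1, { boinc_t boinc_project_t })` should come back alongside the new unit-file rules. Separately, `boinc_initrc_domtrans` and `boinc_systemctl` both carry the summary `## Execute boinc server in the boinc domain.`, which is the description copied from `boinc_domtrans`; suggest `## Execute boinc init scripts in the initrc domain.` and `## Manage the boinc service via systemctl.` respectively.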

    ++## Allow boinc_domain execmem/execstack.
++##

    ++##
    ++gen_tunable(boinc_execmem, true)
++
++attribute boinc_domain;
++
++type boinc_t, boinc_domain;
+ type boinc_exec_t;
+ init_daemon_domain(boinc_t, boinc_exec_t)
+ 
+@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+ type boinc_var_lib_t;
+ files_type(boinc_var_lib_t)
+ 
+-type boinc_project_var_lib_t;
+-files_type(boinc_project_var_lib_t)
+-
+ type boinc_log_t;
+ logging_log_file(boinc_log_t)
+ 
++type boinc_unit_file_t;
++systemd_unit_file(boinc_unit_file_t)
++
+ type boinc_project_t;
+ domain_type(boinc_project_t)
+-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
+ role system_r types boinc_project_t;
+ 
+ type boinc_project_tmp_t;
+ files_tmp_file(boinc_project_tmp_t)
+ 
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:process signal;
++allow boinc_domain self:sem create_sem_perms;
++
++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++dev_rw_xserver_misc(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_runtime_files(boinc_domain)
++
++fs_getattr_all_fs(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++
++tunable_policy(`boinc_execmem',`
++ allow boinc_domain self:process { execstack execmem };
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(boinc_domain)
++')
++
+ ########################################
+ #
+-# Local policy
++# boinc local policy
+ #
+ 
+ allow boinc_t self:process { setsched setpgid signull sigkill };
+-allow boinc_t self:unix_stream_socket { accept listen };
+-allow 
boinc_t self:tcp_socket { accept listen };
++
++allow boinc_t self:unix_stream_socket create_stream_socket_perms;
++allow boinc_t self:tcp_socket create_stream_socket_perms;
+ allow boinc_t self:shm create_shm_perms;
+-allow boinc_t self:fifo_file rw_fifo_file_perms;
+-allow boinc_t self:sem create_sem_perms;
+ 
+ manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+ manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+ manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+ fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+ 
+-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-
+-# entry files to the boinc_project_t domain
+-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
++# this should be created by default by boinc
++# we need this label for transition to boinc_project_t
++# other boinc lib files will end up with boinc_var_lib_t
+ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
+ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
+ 
+-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-logging_log_filetrans(boinc_t, boinc_log_t, file)
+-
+-can_exec(boinc_t, boinc_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ 
+-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
++logging_log_filetrans(boinc_t, boinc_log_t, { file })
+ 
++# needs read /proc/interrupts
+ kernel_read_system_state(boinc_t)
++kernel_read_network_state(boinc_t)
+ kernel_search_vm_sysctl(boinc_t)
+ 
+-corenet_all_recvfrom_unlabeled(boinc_t)
++dev_getattr_mouse_dev(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
++
+ corenet_all_recvfrom_netlabel(boinc_t)
+ corenet_tcp_sendrecv_generic_if(boinc_t)
++corenet_udp_sendrecv_generic_if(boinc_t)
+ corenet_tcp_sendrecv_generic_node(boinc_t)
++corenet_udp_sendrecv_generic_node(boinc_t)
++corenet_tcp_sendrecv_all_ports(boinc_t)
++corenet_udp_sendrecv_all_ports(boinc_t)
+ corenet_tcp_bind_generic_node(boinc_t)
+-
+-corenet_sendrecv_boinc_client_packets(boinc_t)
+-corenet_sendrecv_boinc_server_packets(boinc_t)
++corenet_udp_bind_generic_node(boinc_t)
+ corenet_tcp_bind_boinc_port(boinc_t)
+-corenet_tcp_connect_boinc_port(boinc_t)
+-corenet_tcp_sendrecv_boinc_port(boinc_t)
+-
+-corenet_sendrecv_boinc_client_server_packets(boinc_t)
+ corenet_tcp_bind_boinc_client_port(boinc_t)
+-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
+-
+-corenet_sendrecv_http_client_packets(boinc_t)
++corenet_tcp_connect_boinc_port(boinc_t)
+ corenet_tcp_connect_http_port(boinc_t)
+-corenet_tcp_sendrecv_http_port(boinc_t)
+-
+-corenet_sendrecv_http_cache_client_packets(boinc_t)
+ corenet_tcp_connect_http_cache_port(boinc_t)
+-corenet_tcp_sendrecv_http_cache_port(boinc_t)
+-
+-corenet_sendrecv_squid_client_packets(boinc_t)
+ corenet_tcp_connect_squid_port(boinc_t)
+-corenet_tcp_sendrecv_squid_port(boinc_t)
+-
+-corecmd_exec_bin(boinc_t)
+-corecmd_exec_shell(boinc_t)
+-
+-dev_read_rand(boinc_t)
+-dev_read_urand(boinc_t)
+-dev_read_sysfs(boinc_t)
+-dev_rw_xserver_misc(boinc_t)
+-
+-domain_read_all_domains_state(boinc_t)
+ 
+ files_dontaudit_getattr_boot_dirs(boinc_t)
+-files_getattr_all_dirs(boinc_t)
+-files_getattr_all_files(boinc_t)
+-files_read_etc_files(boinc_t)
+-files_read_etc_runtime_files(boinc_t)
+-files_read_usr_files(boinc_t)
+ 
+-fs_getattr_all_fs(boinc_t)
++auth_read_passwd(boinc_t)
+ 
+ term_getattr_all_ptys(boinc_t)
+ term_getattr_unallocated_ttys(boinc_t)
+@@ -130,55 +151,67 @@ init_read_utmp(boinc_t)
+ 
+ logging_send_syslog_msg(boinc_t)
+ 
+-miscfiles_read_fonts(boinc_t)
+-miscfiles_read_localization(boinc_t)
++xserver_stream_connect(boinc_t)
+ 
+ optional_policy(`
+ mta_send_mail(boinc_t)
+ ')
+ 
+-optional_policy(`
+- sysnet_dns_name_resolve(boinc_t)
+-')
+-
+ ########################################
+ #
+-# Project local policy
++# boinc-projects local policy
+ #
+ 
+ allow boinc_project_t self:capability { setuid setgid };
+-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
++allow boinc_t boinc_project_t:process noatsecure;
++
++allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
++tunable_policy(`deny_ptrace',`',`
++ allow boinc_project_t self:process ptrace;
++')
++
++allow boinc_project_t self:process { execstack };
+ 
+ manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+ 
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
++files_var_lib_filetrans(boinc_project_t, 
boinc_project_var_lib_t, dir, "slots" )
+ 
+ allow boinc_project_t boinc_project_var_lib_t:file execmod;
+-can_exec(boinc_project_t, boinc_project_var_lib_t)
+ 
+ allow boinc_project_t boinc_t:shm rw_shm_perms;
+-allow boinc_project_t boinc_tmpfs_t:file { read write };
++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
+ 
+ kernel_read_kernel_sysctls(boinc_project_t)
+-kernel_read_network_state(boinc_project_t)
+ kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
+ 
+-corenet_all_recvfrom_unlabeled(boinc_project_t)
+-corenet_all_recvfrom_netlabel(boinc_project_t)
+-corenet_tcp_sendrecv_generic_if(boinc_project_t)
+-corenet_tcp_sendrecv_generic_node(boinc_project_t)
+-corenet_tcp_bind_generic_node(boinc_project_t)
+-
+-corenet_sendrecv_boinc_client_packets(boinc_project_t)
+ corenet_tcp_connect_boinc_port(boinc_project_t)
+-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+ 
+ files_dontaudit_search_home(boinc_project_t)
+ 
++# needed by java
++fs_read_hugetlbfs_files(boinc_project_t)
++
++optional_policy(`
++ gnome_read_gconf_config(boinc_project_t)
++')
++
+ optional_policy(`
+ java_exec(boinc_project_t)
+ ')
++
++# until solution for VirtualBox, java ..
++optional_policy(`
++ unconfined_domain(boinc_project_t)
++')
+diff --git a/brctl.te b/brctl.te
+index bcd1e87..6294955 100644
+--- a/brctl.te
++++ b/brctl.te
+@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
+ 
+ domain_use_interactive_fds(brctl_t)
+ 
+-files_read_etc_files(brctl_t)
+ 
+ term_dontaudit_use_console(brctl_t)
+ 
+-miscfiles_read_localization(brctl_t)
+-
+ optional_policy(`
+ xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
+diff --git a/bugzilla.fc b/bugzilla.fc
+index fce0b6e..fb6e397 100644
+--- a/bugzilla.fc
++++ b/bugzilla.fc
+@@ -1,4 +1,4 @@
+-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+-/usr/share/bugzilla(/.*)? 
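Review bot: `optional_policy(\` unconfined_domain(boinc_project_t) ')` at the end of the -130,55 hunk makes boinc_project_t — the domain that runs downloaded project binaries out of boinc_project_var_lib_t — fully unconfined whenever the unconfined module is loaded, which also renders the `deny_ptrace` block, the `boinc_execmem` tunable and the entrypoint/execmod rules in this hunk moot for that domain. The comment `# until solution for VirtualBox, java ..` marks it as a workaround; placing it behind a tunable that defaults to false (the `gen_tunable(boinc_execmem, true)` in the first boinc.te hunk shows the pattern) would keep the default policy confined while still letting affected users opt in. In the same hunk `allow boinc_project_t self:process { execstack };` is unconditional and duplicates half of the `boinc_execmem` tunable, so turning that boolean off cannot remove execstack from project code. `allow boinc_t boinc_project_t:process noatsecure;` disables AT_SECURE handling on the transition into the project domain; if java or VirtualBox needs that, a comment saying so would help. The first boinc.te hunk also moves `policy_module(boinc, …)` from 1.0.3 back to 1.0.0, which presumably should go forward instead.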
-- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+ 
+ /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+diff --git a/bugzilla.if b/bugzilla.if
+index 1b22262..bf0cefa 100644
+--- a/bugzilla.if
++++ b/bugzilla.if
+@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ ## Domain allowed access.
+ ##
    + ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`bugzilla_admin',`
+ gen_require(`
+ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+- type httpd_bugzilla_htaccess_t;
++ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ ')
+ 
+- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++ allow $1 httpd_bugzilla_script_t:process signal_perms;
+ ps_process_pattern($1, httpd_bugzilla_script_t)
+ 
+- files_search_usr($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 httpd_bugzilla_script_t:process ptrace;
++ ')
++
++ files_list_tmp($1)
++ admin_pattern($1, httpd_bugzilla_tmp_t)
++
++ files_list_var_lib(httpd_bugzilla_script_t)
++
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
+ files_search_var_lib($1)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
+ 
+- apache_list_sys_content($1)
++ optional_policy(`
++ apache_list_sys_content($1)
++ ')
+ ')
+diff --git a/bugzilla.te b/bugzilla.te
+index 41f8251..57f094e 100644
+--- a/bugzilla.te
++++ b/bugzilla.te
+@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
+ 
+ apache_content_template(bugzilla)
+ 
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
+ 
+ allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+ 
+-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+ corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+ 
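Review bot: `files_list_var_lib(httpd_bugzilla_script_t)` in the new `bugzilla_admin` body (hunk -48,24) passes the CGI domain instead of `$1`, so every caller of the admin interface silently widens httpd_bugzilla_script_t rather than giving the administrator the /var/lib listing that `admin_pattern($1, httpd_bugzilla_rw_content_t)` in the next hunk relies on; it should read `files_list_var_lib($1)`. If the script domain itself needs to list /var/lib, that rule belongs in bugzilla.te beside the existing `files_search_var_lib(httpd_bugzilla_script_t)`, not inside an interface meant for admin roles. The interface body continues into the -76,5 hunk on this same line.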
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+ 
++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++
+ files_search_var_lib(httpd_bugzilla_script_t)
+ 
+-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
++auth_read_passwd(httpd_bugzilla_script_t)
++
++dev_read_sysfs(httpd_bugzilla_script_t)
++
++sysnet_read_config(httpd_bugzilla_script_t)
+ sysnet_use_ldap(httpd_bugzilla_script_t)
+ 
++miscfiles_read_certs(httpd_bugzilla_script_t)
++
+ optional_policy(`
+ mta_send_mail(httpd_bugzilla_script_t)
+ ')
+diff --git a/cachefilesd.fc b/cachefilesd.fc
+index 648c790..aa03fc8 100644
+--- a/cachefilesd.fc
++++ b/cachefilesd.fc
+@@ -1,9 +1,34 @@
+-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+ 
+ /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+ 
+ /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+ 
+-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+ 
+-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+diff --git a/cachefilesd.if b/cachefilesd.if
+index 8de2ab9..3b41945 100644
+--- a/cachefilesd.if
++++ b/cachefilesd.if
+@@ -1,39 +1,35 @@
+-## CacheFiles user-space management daemon.
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++## policy for cachefilesd
+ 
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an cachefilesd environment.
++## Execute a domain transition to run cachefilesd.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+-interface(`cachefilesd_admin',`
++interface(`cachefilesd_domtrans',`
+ gen_require(`
+- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
+- type cachefilesd_var_run_t;
++ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+ 
+- allow $1 cachefilesd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, cachefilesd_t)
+-
+- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 cachefilesd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_var($1)
+- admin_pattern($1, cachefilesd_cache_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, cachefilesd_var_run_t)
++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
+ ')
+diff --git a/cachefilesd.te b/cachefilesd.te
+index 581c8ef..2c71b1d 100644
+--- a/cachefilesd.te
++++ b/cachefilesd.te
+@@ -1,52 +1,143 @@
+-policy_module(cachefilesd, 1.0.1)
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
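Review bot: `cachefilesd_admin` is removed outright (hunk -1,39, ending on this line) and replaced by `cachefilesd_domtrans`, with no deprecated stub left behind; any module that still calls `cachefilesd_admin` will fail at policy build time, and the admin-role access it granted over the pid file, the cache directory and the init script has no replacement in this commit. The usual way to retire an interface is to keep the old name as a stub that emits `refpolicywarn` and forwards to the nearest equivalent, or at least to state in the commit why an admin interface is no longer wanted. The file also now places a `#`-comment license block ahead of the `## policy for cachefilesd` module summary; whether the interface documentation extractor still picks the summary up from that position is worth confirming.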
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd, 1.0.17)
+ 
+-########################################
++###############################################################################
+ #
+ # Declarations
+ #
+ 
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
+ type cachefilesd_t;
+ type cachefilesd_exec_t;
+ init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+ 
+-type cachefilesd_initrc_exec_t;
+-init_script_file(cachefilesd_initrc_exec_t)
+-
+-type cachefilesd_cache_t;
+-files_type(cachefilesd_cache_t)
+-
++#
++# The cachefilesd daemon pid file context
++#
+ type cachefilesd_var_run_t;
+ files_pid_file(cachefilesd_var_run_t)
+ 
+-########################################
+ #
+-# Local policy
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
+ #
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++optional_policy(`
++ rpm_use_script_fds(cachefilesd_t)
++')
+ 
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These 
define what cachefilesd is permitted to do. This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache. It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
+ allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+ 
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+ manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+ files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
++files_create_as_is_all_files(cachefilesd_t)
+ 
+-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+-
+-dev_rw_cachefiles(cachefilesd_t)
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
+ 
+-files_create_all_files_as(cachefilesd_t)
+-files_read_etc_files(cachefilesd_t)
++# Allow access to cache superstructure
++manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+ 
++# Permit statfs on the backing filesystem
+ fs_getattr_xattr_fs(cachefilesd_t)
+ 
++# Basic access
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
+ term_dontaudit_use_generic_ptys(cachefilesd_t)
+ term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+ 
+-logging_send_syslog_msg(cachefilesd_t)
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++# ++# There are two parts to this: ++# ++# (1) the security context used by the module to access files in the cache, ++# as set by the 'secctx' command in /etc/cachefilesd.conf, and ++# ++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; + +-miscfiles_read_localization(cachefilesd_t) ++# ++# (2) the label that will be assigned to new files and directories created in ++# the cache by the module, which will be the same as the label on the ++# directory pointed to by the 'dir' command. ++# ++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; + +-init_dontaudit_use_script_ptys(cachefilesd_t) ++############################################################################### ++# ++# cachefiles kernel module local policy ++# ++# This governs what the kernel module is allowed to do the contents of the ++# cache. ++# ++allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; + +-optional_policy(` +- rpm_use_script_fds(cachefilesd_t) +-') ++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) ++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) ++ ++fs_getattr_xattr_fs(cachefiles_kernel_t) ++ ++dev_search_sysfs(cachefiles_kernel_t) ++ ++init_sigchld_script(cachefiles_kernel_t) +diff --git a/calamaris.te b/calamaris.te +index f4f21d3..de28437 100644 +--- a/calamaris.te ++++ b/calamaris.te +@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t) + + corecmd_exec_bin(calamaris_t) + ++corenet_all_recvfrom_netlabel(calamaris_t) ++corenet_tcp_sendrecv_generic_if(calamaris_t) ++corenet_udp_sendrecv_generic_if(calamaris_t) ++corenet_tcp_sendrecv_generic_node(calamaris_t) ++corenet_udp_sendrecv_generic_node(calamaris_t) ++corenet_tcp_sendrecv_all_ports(calamaris_t) ++corenet_udp_sendrecv_all_ports(calamaris_t) ++ + dev_read_urand(calamaris_t) + +-files_read_usr_files(calamaris_t) ++files_search_pids(calamaris_t) + files_read_etc_runtime_files(calamaris_t) + 
+-libs_read_lib_files(calamaris_t) +- + auth_use_nsswitch(calamaris_t) + + logging_send_syslog_msg(calamaris_t) + +-miscfiles_read_localization(calamaris_t) +- + userdom_dontaudit_list_user_home_dirs(calamaris_t) + + optional_policy(` +diff --git a/callweaver.te b/callweaver.te +index 528051e..44e5b7d 100644 +--- a/callweaver.te ++++ b/callweaver.te +@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t) + + auth_use_nsswitch(callweaver_t) + +-miscfiles_read_localization(callweaver_t) +diff --git a/canna.if b/canna.if +index 400db07..f416e22 100644 +--- a/canna.if ++++ b/canna.if +@@ -43,9 +43,13 @@ interface(`canna_admin',` + type canna_var_run_t, canna_initrc_exec_t; + ') + +- allow $1 canna_t:process { ptrace signal_perms }; ++ allow $1 canna_t:process signal_perms; + ps_process_pattern($1, canna_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 canna_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, canna_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 canna_initrc_exec_t system_r; +diff --git a/canna.te b/canna.te +index 4ec0626..88e7e89 100644 +--- a/canna.te ++++ b/canna.te +@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) + kernel_read_kernel_sysctls(canna_t) + kernel_read_system_state(canna_t) + +-corenet_all_recvfrom_unlabeled(canna_t) + corenet_all_recvfrom_netlabel(canna_t) + corenet_tcp_sendrecv_generic_if(canna_t) + corenet_tcp_sendrecv_generic_node(canna_t) +@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t) + + domain_use_interactive_fds(canna_t) + +-files_read_etc_files(canna_t) + files_read_etc_runtime_files(canna_t) +-files_read_usr_files(canna_t) + files_search_tmp(canna_t) + files_dontaudit_read_root_files(canna_t) + + logging_send_syslog_msg(canna_t) + +-miscfiles_read_localization(canna_t) +- + sysnet_read_config(canna_t) + + userdom_dontaudit_use_unpriv_user_fds(canna_t) +diff --git a/ccs.if b/ccs.if +index 5ded72d..cb94e5e 100644 +--- a/ccs.if ++++ b/ccs.if +@@ -98,20 
+98,24 @@ interface(`ccs_manage_config',` + interface(`ccs_admin',` + gen_require(` + type ccs_t, ccs_initrc_exec_t, cluster_conf_t; +- type ccs_var_lib_t_t, ccs_var_log_t; ++ type ccs_var_lib_t, ccs_var_log_t; + type ccs_var_run_t, ccs_tmp_t; + ') + +- allow $1 ccs_t:process { ptrace signal_perms }; ++ allow $1 ccs_t:process { signal_perms }; + ps_process_pattern($1, ccs_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ccs_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, ccs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ccs_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) +- admin_pattern($1, ccs_conf_t) ++ admin_pattern($1, cluster_conf_t) + + files_search_var_lib($1) + admin_pattern($1, ccs_var_lib_t) +diff --git a/ccs.te b/ccs.te +index b85b53b..476aaa3 100644 +--- a/ccs.te ++++ b/ccs.te +@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) + + allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; + allow ccs_t self:process { signal setrlimit setsched }; +-dontaudit ccs_t self:process ptrace; ++ + allow ccs_t self:fifo_file rw_fifo_file_perms; + allow ccs_t self:unix_stream_socket { accept connectto listen }; + allow ccs_t self:tcp_socket { accept listen }; +@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t) + corecmd_list_bin(ccs_t) + corecmd_exec_bin(ccs_t) + +-corenet_all_recvfrom_unlabeled(ccs_t) + corenet_all_recvfrom_netlabel(ccs_t) + corenet_tcp_sendrecv_generic_if(ccs_t) + corenet_udp_sendrecv_generic_if(ccs_t) +@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t) + + dev_read_urand(ccs_t) + +-files_read_etc_files(ccs_t) + files_read_etc_runtime_files(ccs_t) + + init_rw_script_tmp_files(ccs_t) ++init_signal(ccs_t) + + logging_send_syslog_msg(ccs_t) + +-miscfiles_read_localization(ccs_t) +- + sysnet_dns_name_resolve(ccs_t) + + userdom_manage_unpriv_user_shared_mem(ccs_t) +@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',` + ') + + optional_policy(` +- 
aisexec_stream_connect(ccs_t) +- corosync_stream_connect(ccs_t) ++ rhcs_stream_connect_cluster(ccs_t) + ') + + optional_policy(` +diff --git a/cdrecord.if b/cdrecord.if +index fbc20f6..4de4a00 100644 +--- a/cdrecord.if ++++ b/cdrecord.if +@@ -27,6 +27,9 @@ interface(`cdrecord_role',` + + allow cdrecord_t $2:unix_stream_socket rw_socket_perms; + +- allow $2 cdrecord_t:process { ptrace signal_perms }; ++ allow $2 cdrecord_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 cdrecord_t:process ptrace; ++ ') + ps_process_pattern($2, cdrecord_t) + ') +diff --git a/cdrecord.te b/cdrecord.te +index 55fb26a..a7555c0 100644 +--- a/cdrecord.te ++++ b/cdrecord.te +@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) + domain_interactive_fd(cdrecord_t) + domain_use_interactive_fds(cdrecord_t) + +-files_read_etc_files(cdrecord_t) +- + term_use_controlling_term(cdrecord_t) + term_list_ptys(cdrecord_t) + +@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t) + + logging_send_syslog_msg(cdrecord_t) + +-miscfiles_read_localization(cdrecord_t) +- +-userdom_use_user_terminals(cdrecord_t) +-userdom_read_user_home_content_files(cdrecord_t) ++userdom_use_inherited_user_terminals(cdrecord_t) + + tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(cdrecord_t) +@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',` + userdom_dontaudit_read_user_home_content_files(cdrecord_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- files_search_mnt(cdrecord_t) +- fs_read_nfs_files(cdrecord_t) +- fs_read_nfs_symlinks(cdrecord_t) +-') ++userdom_home_manager(cdrecord_t) + + optional_policy(` + resmgr_stream_connect(cdrecord_t) +diff --git a/certmaster.if b/certmaster.if +index 0c53b18..ef29f6e 100644 +--- a/certmaster.if ++++ b/certmaster.if +@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',` + interface(`certmaster_admin',` + gen_require(` + type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; +- type certmaster_etc_rw_t, 
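Review bot: `userdom_home_manager(cdrecord_t)` replaces a block that granted only `fs_read_nfs_files`/`fs_read_nfs_symlinks` under the `use_nfs_home_dirs` tunable, so what cdrecord_t may now do to home content is decided entirely by how that attribute interface is defined outside this hunk; if it carries manage or cifs/fusefs grants, a CD burner ends up with write access to user home data it never had. The earlier hunk in this file also dropped `userdom_read_user_home_content_files(cdrecord_t)`, so please confirm the new interface still yields read-only access and say so above the call, e.g. `# home access (nfs/cifs/fuse) is tunable-gated through the home_manager attribute; read-only is all cdrecord needs`.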
certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+ 
+- allow $1 certmaster_t:process { ptrace signal_perms };
++ allow $1 certmaster_t:process signal_perms;
+ ps_process_pattern($1, certmaster_t)
+ 
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmaster_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+diff --git a/certmaster.te b/certmaster.te
+index bf82163..2b571c7 100644
+--- a/certmaster.te
++++ b/certmaster.te
+@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
+ dev_read_urand(certmaster_t)
+ 
+ files_list_var(certmaster_t)
+-files_search_etc(certmaster_t)
+-files_read_usr_files(certmaster_t)
+ 
+ auth_use_nsswitch(certmaster_t)
+ 
+-miscfiles_read_localization(certmaster_t)
+ miscfiles_manage_generic_cert_dirs(certmaster_t)
+ miscfiles_manage_generic_cert_files(certmaster_t)
++
++mta_send_mail(certmaster_t)
+diff --git a/certmonger.fc b/certmonger.fc
+index ed298d8..cd8eb4d 100644
+--- a/certmonger.fc
++++ b/certmonger.fc
+@@ -2,6 +2,8 @@
+ 
+ /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+ 
++/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
++
+ /var/lib/certmonger(/.*)? 
gen_context(system_u:object_r:certmonger_var_lib_t,s0) + + /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) +diff --git a/certmonger.if b/certmonger.if +index 008f8ef..144c074 100644 +--- a/certmonger.if ++++ b/certmonger.if +@@ -160,16 +160,20 @@ interface(`certmonger_admin',` + ') + + ps_process_pattern($1, certmonger_t) +- allow $1 certmonger_t:process { ptrace signal_perms }; ++ allow $1 certmonger_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 certmonger_t:process ptrace; ++ ') + + certmonger_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 certmonger_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, certmonger_var_lib_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, certmonger_var_run_t) + ') +diff --git a/certmonger.te b/certmonger.te +index 2354e21..fb8c9ed 100644 +--- a/certmonger.te ++++ b/certmonger.te +@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) + type certmonger_var_run_t; + files_pid_file(certmonger_var_run_t) + ++type certmonger_unconfined_exec_t; ++application_executable_file(certmonger_unconfined_exec_t) ++ + ######################################## + # + # Local policy +@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t) + allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; + dontaudit certmonger_t self:capability sys_tty_config; + allow certmonger_t self:capability2 block_suspend; ++ + allow certmonger_t self:process { getsched setsched sigkill signal }; +-allow certmonger_t self:fifo_file rw_fifo_file_perms; +-allow certmonger_t self:unix_stream_socket { accept listen }; +-allow certmonger_t self:tcp_socket { accept listen }; ++allow certmonger_t self:fifo_file rw_file_perms; ++allow certmonger_t self:unix_stream_socket create_stream_socket_perms; ++allow certmonger_t self:tcp_socket create_stream_socket_perms; 
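Review bot: `/usr/lib/ipa/certmonger(/.*)?` labels the directory and every file beneath it `certmonger_unconfined_exec_t`, and on the `.te` side that type is the entrypoint of a domain that receives `unconfined_domain()`, so every file that ever lands in that tree becomes an unconfined entrypoint reachable from certmonger_t. Consider matching only the helper executables, `/usr/lib/ipa/certmonger/.* -- gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)` (the `--` limits it to regular files), or listing them by name. Note the `.te` hunk also grants `dir search_dir_perms` on this type, which relies on the directory itself carrying the label; if the pattern is narrowed the directory falls back to the library label, which certmonger_t presumably already searches, but that needs checking.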
++allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; + + manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) + manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(certmonger_t) + kernel_read_system_state(certmonger_t) ++kernel_read_network_state(certmonger_t) + + corenet_all_recvfrom_unlabeled(certmonger_t) + corenet_all_recvfrom_netlabel(certmonger_t) +@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) + + corenet_sendrecv_certmaster_client_packets(certmonger_t) + corenet_tcp_connect_certmaster_port(certmonger_t) ++ ++corenet_tcp_connect_http_port(certmonger_t) ++corenet_tcp_connect_http_cache_port(certmonger_t) ++ ++corenet_tcp_connect_pki_ca_port(certmonger_t) + corenet_tcp_sendrecv_certmaster_port(certmonger_t) + + corecmd_exec_bin(certmonger_t) + corecmd_exec_shell(certmonger_t) + ++dev_read_rand(certmonger_t) + dev_read_urand(certmonger_t) + + domain_use_interactive_fds(certmonger_t) + +-files_read_usr_files(certmonger_t) + files_list_tmp(certmonger_t) + + fs_search_cgroup_dirs(certmonger_t) +@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t) + + logging_send_syslog_msg(certmonger_t) + +-miscfiles_read_localization(certmonger_t) + miscfiles_manage_generic_cert_files(certmonger_t) + ++systemd_exec_systemctl(certmonger_t) ++ + userdom_search_user_home_content(certmonger_t) + + optional_policy(` +- apache_initrc_domtrans(certmonger_t) + apache_search_config(certmonger_t) + apache_signal(certmonger_t) + apache_signull(certmonger_t) ++ apache_systemctl(certmonger_t) + ') + + optional_policy(` +@@ -92,11 +104,47 @@ optional_policy(` + ') + + optional_policy(` +- kerberos_read_keytab(certmonger_t) ++ dirsrv_manage_config(certmonger_t) ++ dirsrv_signal(certmonger_t) ++ dirsrv_signull(certmonger_t) ++') ++ ++optional_policy(` + 
kerberos_use(certmonger_t)
++ kerberos_read_keytab(certmonger_t)
+ ')
+ 
+ optional_policy(`
+ pcscd_read_pid_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+ ')
++
++optional_policy(`
++ pki_rw_tomcat_cert(certmonger_t)
++ pki_read_tomcat_lib_files(certmonger_t)
++')
++
++########################################
++#
++# certmonger_unconfined_script_t local policy
++#
++
++optional_policy(`
++ type certmonger_unconfined_t;
++ domain_type(certmonger_unconfined_t)
++
++ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
++ role system_r types certmonger_unconfined_t;
++
++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
++
++ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
++
++ init_domtrans_script(certmonger_unconfined_t)
++
++ optional_policy(`
++ unconfined_domain(certmonger_unconfined_t)
++ ')
++')
+diff --git a/certwatch.te b/certwatch.te
+index 403af41..1a4bd9c 100644
+--- a/certwatch.te
++++ b/certwatch.te
+@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
+ 
+ allow certwatch_t self:capability sys_nice;
+ allow certwatch_t self:process { setsched getsched };
++allow certwatch_t self:tcp_socket create_stream_socket_perms;
+ 
++kernel_read_system_state(certwatch_t)
++
++corecmd_exec_bin(certwatch_t)
++
++dev_read_rand(certwatch_t)
+ dev_read_urand(certwatch_t)
+ 
+-files_read_etc_files(certwatch_t)
+-files_read_usr_files(certwatch_t)
+ files_read_usr_symlinks(certwatch_t)
+ files_list_tmp(certwatch_t)
+ 
+ fs_list_inotifyfs(certwatch_t)
+ 
+ auth_manage_cache(certwatch_t)
++auth_read_passwd(certwatch_t)
+ auth_var_filetrans_cache(certwatch_t)
+ 
+ logging_send_syslog_msg(certwatch_t)
+ 
+ miscfiles_read_all_certs(certwatch_t)
+-miscfiles_read_localization(certwatch_t)
++miscfiles_manage_generic_cert_dirs(certwatch_t)
++
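Review bot: `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies the file-class permission set to the dir class; the directory counterpart is `list_dir_perms` (`search_dir_perms` is already granted on the line above). The header comment names the domain `certmonger_unconfined_script_t` while the type declared is `certmonger_unconfined_t`; make them agree. More importantly, this block turns anything labeled `certmonger_unconfined_exec_t` into a transition from certmonger_t straight into an `unconfined_domain()`, i.e. a complete exit from certmonger's confinement, so a comment stating which IPA helpers need this and why they cannot run confined would help the next reviewer, e.g. `# IPA helper scripts need unconfined access; keep the matching .fc pattern limited to those executables`.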
++sysnet_read_config(certwatch_t) + +-userdom_use_user_terminals(certwatch_t) +-userdom_dontaudit_list_user_home_dirs(certwatch_t) ++userdom_use_inherited_user_terminals(certwatch_t) ++userdom_dontaudit_list_admin_dir(certwatch_t) + + optional_policy(` ++ apache_domtrans(certwatch_t) + apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) + ') + + optional_policy(` ++ mta_send_mail(certwatch_t) ++') ++ ++optional_policy(` + cron_system_entry(certwatch_t, certwatch_exec_t) + ') + +diff --git a/cfengine.if b/cfengine.if +index a731122..5279d4e 100644 +--- a/cfengine.if ++++ b/cfengine.if +@@ -13,7 +13,6 @@ + template(`cfengine_domain_template',` + gen_require(` + attribute cfengine_domain; +- type cfengine_log_t, cfengine_var_lib_t; + ') + + ######################################## +@@ -30,7 +29,29 @@ template(`cfengine_domain_template',` + # Policy + # + ++ kernel_read_system_state(cfengine_$1_t) ++ + auth_use_nsswitch(cfengine_$1_t) ++ ++ logging_send_syslog_msg(cfengine_$1_t) ++') ++ ++###################################### ++## ++## Search cfengine lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_search_lib_files',` ++ gen_require(` ++ type cfengine_var_lib_t; ++ ') ++ ++ allow $1 cfengine_var_lib_t:dir search_dir_perms; + ') + + ######################################## +@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',` + dontaudit $1 cfengine_var_log_t:file write_file_perms; + ') + ++##################################### ++## ++## Allow the specified domain to append cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_append_inherited_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ cfengine_search_lib_files($1) ++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock }; ++') ++ ++#################################### ++## ++## Dontaudit the specified domain to write cfengine's log files. 
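Review bot: `apache_domtrans(certwatch_t)` lets a cron-driven certificate checker start httpd in the httpd domain, and together with the new `corecmd_exec_bin(certwatch_t)` and the step from `miscfiles_read_all_certs` to also `miscfiles_manage_generic_cert_dirs(certwatch_t)` a read-only watcher becomes a domain that executes arbitrary binaries and can alter certificate directories; none of the added lines say what in certwatch needs them. Please add why-comments, e.g. `# certwatch runs httpd to enumerate the certificates it has to check` above the domtrans if that is the reason, and drop `miscfiles_manage_generic_cert_dirs` unless certwatch really creates or removes cert directories. `mta_send_mail` is what an expiry notifier is expected to need and requires no note.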
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_dontaudit_write_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ dontaudit $1 cfengine_var_log_t:file write; ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -94,7 +152,7 @@ interface(`cfengine_admin',` + type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; + ') + +- allow $1 cfengine_domain:process { ptrace signal_perms }; ++ allow $1 cfengine_domain:process { signal_perms }; + ps_process_pattern($1, cfengine_domain) + + init_labeled_script_domtrans($1, cfengine_initrc_exec_t) +@@ -105,3 +163,4 @@ interface(`cfengine_admin',` + files_search_var_lib($1) + admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) + ') ++ +diff --git a/cfengine.te b/cfengine.te +index 8af5bbe..168f01f 100644 +--- a/cfengine.te ++++ b/cfengine.te +@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) + setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) + logging_log_filetrans(cfengine_domain, cfengine_log_t, dir) + +-kernel_read_system_state(cfengine_domain) +- + corecmd_exec_bin(cfengine_domain) + corecmd_exec_shell(cfengine_domain) + + dev_read_urand(cfengine_domain) + dev_read_sysfs(cfengine_domain) + +-logging_send_syslog_msg(cfengine_domain) +- +-miscfiles_read_localization(cfengine_domain) +- ++sysnet_dns_name_resolve(cfengine_domain) + sysnet_domtrans_ifconfig(cfengine_domain) + + ######################################## +diff --git a/cgroup.if b/cgroup.if +index 85ca63f..1d1c99c 100644 +--- a/cgroup.if ++++ b/cgroup.if +@@ -171,8 +171,26 @@ interface(`cgroup_admin',` + type cgrules_etc_t, cgclear_t; + ') + +- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) ++ allow $1 cgclear_t:process signal_perms; ++ ps_process_pattern($1, cgclear_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 
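Review bot: `cfengine_dontaudit_write_log` duplicates the existing `cfengine_dontaudit_write_log_files` visible in the hunk context (same `cfengine_var_log_t` type, `write` versus `write_file_perms`); keep one interface, or document why callers need the narrower write-only variant. In `cfengine_append_inherited_log`, `cfengine_search_lib_files($1)` is called in order to reach files of type `cfengine_var_log_t`; that is only right if the log directory lives below the lib tree, which this hunk cannot show, so a comment such as `# the log dir sits under cfengine_var_lib_t; search it to reach the log files` (or a switch to the matching log-directory search) would make the intent checkable.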
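Review bot: `allow $1 cfengine_domain:process { signal_perms };` drops `ptrace` outright, whereas every other `*_admin` interface touched by this patch (canna, ccs, cdrecord, certmaster, certmonger, cgroup) keeps it behind the `deny_ptrace` tunable; cfengine administrators silently lose the ability that tunable is meant to control. Add the same three-line guard after `ps_process_pattern`: a `tunable_policy` on `deny_ptrace` whose else-branch body is `allow $1 cfengine_domain:process ptrace;`. The braces around a lone `signal_perms` are also unnecessary.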
cgclear_t:process ptrace; ++ ') ++ ++ allow $1 cgconfig_t:process signal_perms; ++ ps_process_pattern($1, cgconfig_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgconfig_t:process ptrace; ++ ') ++ ++ allow $1 cgred_t:process signal_perms; ++ ps_process_pattern($1, cgred_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgred_t:process ptrace; ++ ') + + admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) + files_list_etc($1) +diff --git a/cgroup.te b/cgroup.te +index fdee107..7a38b63 100644 +--- a/cgroup.te ++++ b/cgroup.te +@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) + type cgrules_etc_t; + files_config_file(cgrules_etc_t) + +-type cgconfig_t; +-type cgconfig_exec_t; ++type cgconfig_t alias cgconfigparser_t; ++type cgconfig_exec_t alias cgconfigparser_exec_t; + init_daemon_domain(cgconfig_t, cgconfig_exec_t) + + type cgconfig_initrc_exec_t; +@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t) + + allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; + +-allow cgclear_t cgconfig_etc_t:file read_file_perms; ++read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) + + kernel_read_system_state(cgclear_t) + ++auth_use_nsswitch(cgclear_t) ++ + domain_setpriority_all_domains(cgclear_t) + + fs_manage_cgroup_dirs(cgclear_t) +@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; + kernel_list_unlabeled(cgconfig_t) + kernel_read_system_state(cgconfig_t) + +-files_read_etc_files(cgconfig_t) +- + fs_manage_cgroup_dirs(cgconfig_t) + fs_manage_cgroup_files(cgconfig_t) + fs_mount_cgroup(cgconfig_t) + fs_mounton_cgroup(cgconfig_t) + fs_unmount_cgroup(cgconfig_t) + ++auth_use_nsswitch(cgconfig_t) ++ + ######################################## + # + # cgred local policy + # ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; ++allow cgred_t self:process signal_perms; + +-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; + allow 
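Review bot: `cgroup_admin` now repeats the same signal/ps/ptrace triple three times, once per type, where the original expressed it once over the type set `{ cgclear_t cgconfig_t cgred_t }`; the rules are identical for all three types, so the set form is shorter, keeps the types in one place when a fourth cgroup domain is added, and fits the `deny_ptrace` guard just as well. Suggested rewrite below; the enclosing interface starts outside this hunk.
```selinux
	allow $1 { cgclear_t cgconfig_t cgred_t }:process signal_perms;
	ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })

	tunable_policy(`deny_ptrace',`',`
		allow $1 { cgclear_t cgconfig_t cgred_t }:process ptrace;
	')

	# ... unchanged: admin_pattern on the etc types, files_list_etc ...
```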
cgred_t self:netlink_socket { write bind create read }; + allow cgred_t self:unix_dgram_socket { write create connect }; + +@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t) + files_getattr_all_files(cgred_t) + files_getattr_all_sockets(cgred_t) + files_read_all_symlinks(cgred_t) +-files_read_etc_files(cgred_t) + + fs_write_cgroup_files(cgred_t) ++fs_list_inotifyfs(cgred_t) + +-logging_send_syslog_msg(cgred_t) ++auth_use_nsswitch(cgred_t) + +-miscfiles_read_localization(cgred_t) ++logging_send_syslog_msg(cgred_t) +diff --git a/chrome.fc b/chrome.fc +new file mode 100644 +index 0000000..57866f6 +--- /dev/null ++++ b/chrome.fc +@@ -0,0 +1,9 @@ ++/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++ ++/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++ ++/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) ++/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) ++ ++HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) ++HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) +diff --git a/chrome.if b/chrome.if +new file mode 100644 +index 0000000..5977d96 +--- /dev/null ++++ b/chrome.if +@@ -0,0 +1,134 @@ ++ ++## policy for chrome ++ ++######################################## ++## ++## Execute a domain transition to run chrome_sandbox. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`chrome_domtrans_sandbox',` ++ gen_require(` ++ type chrome_sandbox_t, chrome_sandbox_exec_t; ++ ') ++ ++ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) ++ ps_process_pattern(chrome_sandbox_t, $1) ++ ++ allow $1 chrome_sandbox_t:fd use; ++ ++ ifdef(`hide_broken_symptoms',` ++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) ++ ') ++') ++ ++ ++######################################## ++## ++## Execute chrome_sandbox in the chrome_sandbox domain, and ++## allow the specified role the chrome_sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the chrome_sandbox domain. ++## ++## ++# ++interface(`chrome_run_sandbox',` ++ gen_require(` ++ type chrome_sandbox_t; ++ type chrome_sandbox_nacl_t; ++ ') ++ ++ chrome_domtrans_sandbox($1) ++ role $2 types chrome_sandbox_t; ++ role $2 types chrome_sandbox_nacl_t; ++') ++ ++######################################## ++## ++## Role access for chrome sandbox ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`chrome_role_notrans',` ++ gen_require(` ++ type chrome_sandbox_t; ++ type chrome_sandbox_tmpfs_t; ++ type chrome_sandbox_nacl_t; ++ ') ++ ++ role $1 types chrome_sandbox_t; ++ role $1 types chrome_sandbox_nacl_t; ++ ++ ps_process_pattern($2, chrome_sandbox_t) ++ allow $2 chrome_sandbox_t:process signal_perms; ++ ++ allow chrome_sandbox_t $2:unix_dgram_socket { read write }; ++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; ++ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;; ++ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; ++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms; ++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; ++ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; ++ ++ allow $2 chrome_sandbox_t:shm rw_shm_perms; ++ ++ allow $2 
chrome_sandbox_tmpfs_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## Role access for chrome sandbox ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`chrome_role',` ++ chrome_role_notrans($1, $2) ++ chrome_domtrans_sandbox($2) ++') ++ ++######################################## ++## ++## Dontaudit read/write to a chrome_sandbox leaks ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`chrome_dontaudit_sandbox_leaks',` ++ gen_require(` ++ type chrome_sandbox_t; ++ ') ++ ++ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write }; ++') +diff --git a/chrome.te b/chrome.te +new file mode 100644 +index 0000000..406f3a0 +--- /dev/null ++++ b/chrome.te +@@ -0,0 +1,242 @@ ++policy_module(chrome,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type chrome_sandbox_t; ++type chrome_sandbox_exec_t; ++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) ++role system_r types chrome_sandbox_t; ++ubac_constrained(chrome_sandbox_t) ++ ++type chrome_sandbox_tmp_t; ++files_tmp_file(chrome_sandbox_tmp_t) ++ ++type chrome_sandbox_tmpfs_t; ++files_tmpfs_file(chrome_sandbox_tmpfs_t) ++ubac_constrained(chrome_sandbox_tmpfs_t) ++ ++type chrome_sandbox_nacl_t; ++type chrome_sandbox_nacl_exec_t; ++application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t) ++role system_r types chrome_sandbox_nacl_t; ++ubac_constrained(chrome_sandbox_nacl_t) ++ ++type chrome_sandbox_home_t; ++userdom_user_home_content(chrome_sandbox_home_t) ++ ++######################################## ++# ++# chrome_sandbox local policy ++# ++allow chrome_sandbox_t self:capability2 block_suspend; ++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; ++dontaudit chrome_sandbox_t self:capability sys_nice; ++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; 
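Review bot: `allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;` in `chrome_role_notrans` ends with a doubled semicolon; whether or not the compiler tolerates the empty statement it is a typo and should be a single `;`. Separately, `chrome_domtrans_sandbox` grants `ps_process_pattern(chrome_sandbox_t, $1)`, letting the sandboxed domain read the /proc state of whatever domain launched it, the reverse of the usual direction; if the helper needs that (it is not obvious why), say so in a comment, otherwise drop it and keep only `allow $1 chrome_sandbox_t:fd use;`.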
++allow chrome_sandbox_t self:process setsched; ++allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; ++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; ++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow chrome_sandbox_t self:shm create_shm_perms; ++allow chrome_sandbox_t self:sem create_sem_perms; ++allow chrome_sandbox_t self:msgq create_msgq_perms; ++allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; ++dontaudit chrome_sandbox_t self:memprotect mmap_zero; ++ ++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++ ++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) ++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) ++userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) ++ ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) ++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir }) ++ ++kernel_read_system_state(chrome_sandbox_t) ++kernel_read_kernel_sysctls(chrome_sandbox_t) ++ ++fs_manage_cgroup_dirs(chrome_sandbox_t) ++fs_manage_cgroup_files(chrome_sandbox_t) ++fs_read_dos_files(chrome_sandbox_t) ++fs_read_hugetlbfs_files(chrome_sandbox_t) ++ ++corecmd_exec_bin(chrome_sandbox_t) ++ ++corenet_all_recvfrom_netlabel(chrome_sandbox_t) ++corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t) ++corenet_tcp_connect_aol_port(chrome_sandbox_t) ++corenet_tcp_connect_asterisk_port(chrome_sandbox_t) ++corenet_tcp_connect_commplex_link_port(chrome_sandbox_t) ++corenet_tcp_connect_couchdb_port(chrome_sandbox_t) 
++corenet_tcp_connect_flash_port(chrome_sandbox_t) ++corenet_tcp_connect_ftp_port(chrome_sandbox_t) ++corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t) ++corenet_tcp_connect_generic_port(chrome_sandbox_t) ++corenet_tcp_connect_http_cache_port(chrome_sandbox_t) ++corenet_tcp_connect_http_port(chrome_sandbox_t) ++corenet_tcp_connect_ipp_port(chrome_sandbox_t) ++corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t) ++corenet_tcp_connect_jabber_client_port(chrome_sandbox_t) ++corenet_tcp_connect_jboss_management_port(chrome_sandbox_t) ++corenet_tcp_connect_mmcc_port(chrome_sandbox_t) ++corenet_tcp_connect_monopd_port(chrome_sandbox_t) ++corenet_tcp_connect_msnp_port(chrome_sandbox_t) ++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t) ++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) ++corenet_tcp_connect_rtsp_port(chrome_sandbox_t) ++corenet_tcp_connect_soundd_port(chrome_sandbox_t) ++corenet_tcp_connect_speech_port(chrome_sandbox_t) ++corenet_tcp_connect_squid_port(chrome_sandbox_t) ++corenet_tcp_connect_tor_port(chrome_sandbox_t) ++corenet_tcp_connect_transproxy_port(chrome_sandbox_t) ++corenet_tcp_connect_vnc_port(chrome_sandbox_t) ++corenet_tcp_connect_whois_port(chrome_sandbox_t) ++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) ++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) ++ ++domain_dontaudit_read_all_domains_state(chrome_sandbox_t) ++ ++dev_read_urand(chrome_sandbox_t) ++dev_read_sysfs(chrome_sandbox_t) ++dev_rwx_zero(chrome_sandbox_t) ++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t) ++ ++fs_dontaudit_getattr_all_fs(chrome_sandbox_t) ++ ++libs_legacy_use_shared_libs(chrome_sandbox_t) ++ ++miscfiles_read_fonts(chrome_sandbox_t) ++ ++sysnet_dns_name_resolve(chrome_sandbox_t) ++ ++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) ++userdom_execute_user_tmpfs_files(chrome_sandbox_t) ++ ++userdom_use_user_ptys(chrome_sandbox_t) ++userdom_write_inherited_user_tmp_files(chrome_sandbox_t) 
++userdom_read_inherited_user_home_content_files(chrome_sandbox_t) ++userdom_dontaudit_use_user_terminals(chrome_sandbox_t) ++userdom_search_user_home_content(chrome_sandbox_t) ++# This one we should figure a way to make it more secure ++userdom_manage_home_certs(chrome_sandbox_t) ++ ++optional_policy(` ++ gnome_rw_inherited_config(chrome_sandbox_t) ++ gnome_read_home_config(chrome_sandbox_t) ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") ++ ++') ++ ++optional_policy(` ++ mozilla_write_user_home_files(chrome_sandbox_t) ++') ++ ++optional_policy(` ++ xserver_use_user_fonts(chrome_sandbox_t) ++ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(chrome_sandbox_t) ++ fs_exec_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_files(chrome_sandbox_t) ++ fs_rw_inherited_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_symlinks(chrome_sandbox_t) ++ fs_dontaudit_append_nfs_files(chrome_sandbox_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(chrome_sandbox_t) ++ fs_exec_cifs_files(chrome_sandbox_t) ++ fs_rw_inherited_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_symlinks(chrome_sandbox_t) ++ fs_dontaudit_append_cifs_files(chrome_sandbox_t) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(chrome_sandbox_t) ++ fs_read_fusefs_files(chrome_sandbox_t) ++ fs_exec_fusefs_files(chrome_sandbox_t) ++ fs_read_fusefs_symlinks(chrome_sandbox_t) ++') ++ ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(chrome_sandbox_t) ++ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t) ++ fs_read_ecryptfs_symlinks(chrome_sandbox_t) ++') ++ ++optional_policy(` ++ cups_stream_connect(chrome_sandbox_t) ++') ++ ++optional_policy(` ++ sandbox_use_ptys(chrome_sandbox_t) ++') ++ ++ 
++########################################
++#
++# chrome_sandbox_nacl local policy
++#
++
++allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
++
++allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_nacl_t self:shm create_shm_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
++
++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
++
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
++
++domain_use_interactive_fds(chrome_sandbox_nacl_t)
++
++dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
++
++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
++
++manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++
++kernel_read_state(chrome_sandbox_nacl_t)
++kernel_read_system_state(chrome_sandbox_nacl_t)
++
++corecmd_bin_entry_type(chrome_sandbox_nacl_t)
++
++dev_read_urand(chrome_sandbox_nacl_t)
++dev_read_sysfs(chrome_sandbox_nacl_t)
++dev_rwx_zero(chrome_sandbox_nacl_t)
++
++init_read_state(chrome_sandbox_nacl_t)
++
++libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
++
++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
++
++optional_policy(`
++ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
++')
+diff --git a/chronyd.fc b/chronyd.fc
+index 4e4143e..a665b32 100644
+--- a/chronyd.fc
++++ b/chronyd.fc
+@@ -2,6 +2,8 @@
+ 
+ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++
+ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+ 
+ /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+diff --git a/chronyd.if b/chronyd.if
+index 32e8265..0de4af3 100644
+--- a/chronyd.if
++++ b/chronyd.if
+@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
+ 
+ ########################################
+ ##
+-## Connect to chronyd using a unix
+-## domain stream socket.
++## Read chronyd keys files.
+ ##
+ ##
+ ##
+@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
+ ##
+ ##
+ #
+-interface(`chronyd_stream_connect',`
++interface(`chronyd_read_keys',`
+ gen_require(`
+- type chronyd_t, chronyd_var_run_t;
++ type chronyd_keys_t;
+ ')
+ 
+- files_search_pids($1)
+- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ ')
+ 
+ ########################################
+ ##
+-## Send to chronyd using a unix domain
+-## datagram socket.
++## Append chronyd keys files.
+ ##
+ ##
+ ##
+@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
+ ##
+ ##
+ #
+-interface(`chronyd_dgram_send',`
++interface(`chronyd_append_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Execute chronyd server in the chronyd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chronyd_systemctl',`
++ gen_require(`
++ type chronyd_t;
++ type chronyd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 chronyd_unit_file_t:file read_file_perms;
++ allow $1 chronyd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, chronyd_t)
++')
++
++#######################################
++##
++## Connect to chronyd using a unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_stream_connect',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+ 
+ files_search_pids($1)
+- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ ')
+ 
+ ########################################
+ ##
+-## Read chronyd key files.
++## Send to chronyd using a unix domain
++## datagram socket.
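Review bot: `chronyd_read_keys` calls `read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)` without the `files_search_etc($1)` that the interface it supersedes, `chronyd_read_key_files` (removed in the `@@ -148,13 +188,13 @@` hunk below), provided, so a caller that does not already hold search on etc_t directories will presumably be denied before it reaches the key file. `chronyd_append_keys` in the next hunk has the same gap. Suggest adding `files_search_etc($1)` ahead of the pattern call in both interfaces, or stating in the summary that callers must supply the directory search themselves. Dropping the `chronyd_read_key_files` name also breaks any module still calling it unless those callers are updated elsewhere in this patch.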
+ ##
+ ##
+ ##
+@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
+ ##
+ ##
+ #
+-interface(`chronyd_read_key_files',`
++interface(`chronyd_dgram_send',`
+ gen_require(`
+- type chronyd_keys_t;
++ type chronyd_t, chronyd_var_run_t;
+ ')
+ 
+- files_search_etc($1)
+- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++ files_search_pids($1)
++ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ ')
+ 
+ ####################################
+@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t, chronyd_unit_file_t;
+ ')
+ 
+- allow $1 chronyd_t:process { ptrace signal_perms };
++ allow $1 chronyd_t:process signal_perms;
+ ps_process_pattern($1, chronyd_t)
+ 
+- chronyd_initrc_domtrans($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 chronyd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+ 
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+ 
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+ 
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+ 
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
++
++ admin_pattern($1, chronyd_tmpfs_t)
++
++ admin_pattern($1, chronyd_unit_file_t)
++ chronyd_systemctl($1)
++ allow $1 chronyd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/chronyd.te b/chronyd.te
+index 914ee2d..7d723c0 100644
+--- a/chronyd.te
++++ b/chronyd.te
+@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
+ 
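Review bot: The summary of `chronyd_systemctl` says `Execute chronyd server in the chronyd domain`, but the body grants `systemd_exec_systemctl($1)`, read on `chronyd_unit_file_t` and `manage_service_perms` on its service object; no transition into chronyd_t is defined, and the parameter text `Domain allowed to transition` is inaccurate for the same reason. Suggest `## Manage the chronyd service through systemctl and its unit file.` for the summary and `## Domain all allowed access.` for the parameter. `clamd_systemctl` in clamav.if carries the same wording.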
type chronyd_tmpfs_t;
+ files_tmpfs_file(chronyd_tmpfs_t)
+ 
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
++
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+ 
+@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
+ # Local policy
+ #
+ 
+-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:process { getcap setcap setrlimit signal };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
++allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
+ allow chronyd_t self:shm create_shm_perms;
++allow chronyd_t self:udp_socket create_socket_perms;
++allow chronyd_t self:unix_dgram_socket create_socket_perms;
+ allow chronyd_t self:fifo_file rw_fifo_file_perms;
+ 
++allow chronyd_t chronyd_keys_t:file append_file_perms;
++allow chronyd_t chronyd_keys_t:file setattr_file_perms;
+ allow chronyd_t chronyd_keys_t:file read_file_perms;
+ 
+ manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+ 
++domain_dontaudit_getsession_all_domains(chronyd_t)
++
++dev_read_rand(chronyd_t)
++dev_read_urand(chronyd_t)
++
+ dev_rw_realtime_clock(chronyd_t)
+ 
+ auth_use_nsswitch(chronyd_t)
+ 
+ logging_send_syslog_msg(chronyd_t)
+ 
+-miscfiles_read_localization(chronyd_t)
++mta_send_mail(chronyd_t)
+ 
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
+-
+-optional_policy(`
+- mta_send_mail(chronyd_t)
+-')
+diff --git a/cipe.te b/cipe.te
+index 28c8475..9b86dd1 100644
+--- a/cipe.te
++++ b/cipe.te
+@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
+ corecmd_exec_shell(ciped_t)
+ corecmd_exec_bin(ciped_t)
+ 
+-corenet_all_recvfrom_unlabeled(ciped_t)
+ corenet_all_recvfrom_netlabel(ciped_t)
+ corenet_udp_sendrecv_generic_if(ciped_t)
+ 
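Review bot: The capability rule gains `fsetid` and `sys_nice`, the process rule gains `getsched setsched`, and `chronyd_keys_t` gets `append_file_perms` and `setattr_file_perms` on top of read, with nothing in the hunk saying which chronyd operation needs each. Without a why-comment the next reviewer cannot judge whether the daemon's write access to its own key material, or the scheduling capability, can be narrowed. Suggest one line per addition, e.g. `# chronyd appends a generated command key to its key file — TODO confirm` above the append rule and `# sys_nice/setsched: chronyd adjusts its own scheduling — TODO confirm` above the capability line.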
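Review bot: `mta_send_mail(chronyd_t)` is moved out of its `optional_policy(` block and made unconditional on the line that previously held `miscfiles_read_localization(chronyd_t)`. Unless mta is part of the base module set in this tree, a build without the mta module now fails to resolve that interface for chronyd, whereas the wrapped form was simply skipped. Suggest keeping the `optional_policy(` wrapper around `mta_send_mail(chronyd_t)` and making the localization removal a separate change.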
corenet_udp_sendrecv_generic_node(ciped_t)
+@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
+ 
+ domain_use_interactive_fds(ciped_t)
+ 
+-files_read_etc_files(ciped_t)
+ files_read_etc_runtime_files(ciped_t)
+ files_dontaudit_search_var(ciped_t)
+ 
+@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
+ 
+ logging_send_syslog_msg(ciped_t)
+ 
+-miscfiles_read_localization(ciped_t)
+-
+ sysnet_read_config(ciped_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+diff --git a/clamav.fc b/clamav.fc
+index d72afcc..c53b80d 100644
+--- a/clamav.fc
++++ b/clamav.fc
+@@ -6,6 +6,8 @@
+ /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+ 
++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
++
+ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+ /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+ 
+diff --git a/clamav.if b/clamav.if
+index 4cc4a5c..99c5cca 100644
+--- a/clamav.if
++++ b/clamav.if
+@@ -1,4 +1,4 @@
+-## ClamAV Virus Scanner.
++## ClamAV Virus Scanner
+ 
+ ########################################
+ ##
+@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
+ type clamd_t, clamd_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ domtrans_pattern($1, clamd_exec_t, clamd_t)
+ ')
+ 
+ ########################################
+ ##
+-## Connect to clamd using a unix
+-## domain stream socket.
++## Connect to run clamd.
+ ##
+ ##
+ ##
+@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
+ 
+ ########################################
+ ##
+-## Append clamav log files.
++## Allow the specified domain to append
++## to clamav log files.
+ ##
+ ##
+ ##
+@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
+ 
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## clamav pid content.
+-##
+-##
+-##
+-## Domain allowed access.
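Review bot: `clamav_domtrans` loses `corecmd_search_bin($1)`, so a caller that does not already hold search on bin_t directories can no longer reach `clamd_exec_t` under /usr/sbin (as labelled in the clamav.fc hunk above) even though the transition itself stays allowed; the same line is dropped from `clamav_domtrans_clamscan` (`@@ -133,13 +111,12 @@`) and `clamav_exec_clamscan` (`@@ -152,13 +129,12 @@`). If the intent is that every caller already gets that search through a base attribute, a comment on the interface saying so would stop the next reviewer from re-adding it. Separately, the new summary `Connect to run clamd.` for `clamav_stream_connect` is vaguer than the text it replaces; `## Connect to clamd using a unix domain stream socket.` describes what the interface grants.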
+-##
+-##
+-#
+-interface(`clamav_manage_pid_content',`
+- gen_require(`
+- type clamd_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+-')
+-
+-########################################
+-##
+ ## Read clamav configuration files.
+ ##
+ ##
+@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
+ 
+ ########################################
+ ##
+-## Search clamav library directories.
++## Search clamav libraries directories.
+ ##
+ ##
+ ##
+@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
+ type clamscan_t, clamscan_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ domtrans_pattern($1, clamscan_exec_t, clamscan_t)
+ ')
+ 
+ ########################################
+ ##
+-## Execute clamscan in the caller domain.
++## Execute clamscan without a transition.
+ ##
+ ##
+ ##
+@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
+ type clamscan_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ can_exec($1, clamscan_exec_t)
+ ')
+ 
+-#######################################
++########################################
+ ##
+-## Read clamd process state files.
++## Manage clamd pid content.
+ ##
+ ##
+ ##
+@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
+ ##
+ ##
+ #
+-interface(`clamav_read_state_clamd',`
++interface(`clamav_manage_clamd_pid',`
+ gen_require(`
+- type clamd_t;
++ type clamd_var_run_t;
+ ')
+ 
+- kernel_search_proc($1)
+- allow $1 clamd_t:dir list_dir_perms;
+- read_files_pattern($1, clamd_t, clamd_t)
+- read_lnk_files_pattern($1, clamd_t, clamd_t)
++ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
++ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
++')
++
++#######################################
++##
++## Read clamd state files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clamav_read_state_clamd',`
++ gen_require(`
++ type clamd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, clamd_t)
++')
++
++#######################################
++##
++## Execute clamd server in the clamd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`clamd_systemctl',`
++ gen_require(`
++ type clamd_t;
++ type clamd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 clamd_unit_file_t:file read_file_perms;
++ allow $1 clamd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, clamd_t)
+ ')
+ 
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an clamav environment.
++## All of the rules required to administrate
++## an clamav environment
+ ##
+ ##
+ ##
+@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
+ ##
+ ##
+ ##
+-## Role allowed access.
++## The role to be allowed to manage the clamav domain.
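Review bot: `clamav_manage_clamd_pid` drops the `files_search_pids($1)` that the interface it replaces, `clamav_manage_pid_content` (removed in `@@ -61,27 +60,6 @@`), carried, leaving callers without search on the pid directory holding manage rules they cannot reach; suggest `files_search_pids($1)` before the two pattern calls. The rename also removes the old name, so any caller of `clamav_manage_pid_content` outside this file must be updated in the same patch. `clamd_systemctl` breaks the `clamav_` prefix every other interface in this file uses, and its summary `Execute clamd server in the clamd domain` describes a transition the body does not define; it grants systemctl execution plus read and `manage_service_perms` on `clamd_unit_file_t`, so `## Manage the clamd service through systemctl and its unit file.` would be accurate.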
+ ##
+ ##
+ ##
+@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
++ type clamd_unit_file_t;
+ ')
+ 
+- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
++ allow $1 clamd_t:process signal_perms;
++ ps_process_pattern($1, clamd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 clamd_t:process ptrace;
++ allow $1 clamscan_t:process ptrace;
++ allow $1 freshclam_t:process ptrace;
++ ')
++
++ allow $1 clamscan_t:process signal_perms;
++ ps_process_pattern($1, clamscan_t)
++
++ allow $1 freshclam_t:process signal_perms;
++ ps_process_pattern($1, freshclam_t)
+ 
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+ 
++ clamd_systemctl($1)
++ admin_pattern($1, clamd_unit_file_t)
++ allow $1 clamd_unit_file_t:service all_service_perms;
++
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+ 
+@@ -217,11 +251,21 @@ interface(`clamav_admin',`
+ admin_pattern($1, clamd_var_lib_t)
+ 
+ logging_list_logs($1)
+- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
++ admin_pattern($1, clamd_var_log_t)
+ 
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+ 
+ files_list_tmp($1)
+- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
++ admin_pattern($1, clamd_tmp_t)
++
++ admin_pattern($1, clamscan_tmp_t)
++
++ admin_pattern($1, freshclam_var_log_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++
+ ')
+diff --git a/clamav.te b/clamav.te
+index 
8e1fef9..c8c9a5a 100644
+--- a/clamav.te
++++ b/clamav.te
+@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
+ type clamd_initrc_exec_t;
+ init_script_file(clamd_initrc_exec_t)
+ 
++type clamd_unit_file_t;
++systemd_unit_file(clamd_unit_file_t)
++
+ type clamd_tmp_t;
+ files_tmp_file(clamd_tmp_t)
+ 
+@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
+ allow clamd_t self:capability { kill setgid setuid dac_override };
+ dontaudit clamd_t self:capability sys_tty_config;
+ allow clamd_t self:process signal;
++
+ allow clamd_t self:fifo_file rw_fifo_file_perms;
+ allow clamd_t self:unix_stream_socket { accept connectto listen };
+ allow clamd_t self:tcp_socket { listen accept };
+@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
+ 
+ corecmd_exec_shell(clamd_t)
+ 
+-corenet_all_recvfrom_unlabeled(clamd_t)
+ corenet_all_recvfrom_netlabel(clamd_t)
+ corenet_tcp_sendrecv_generic_if(clamd_t)
+ corenet_tcp_sendrecv_generic_node(clamd_t)
+@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
+ 
+ corenet_sendrecv_generic_client_packets(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+ 
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+ corenet_tcp_bind_clamd_port(clamd_t)
+@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
+ 
+ logging_send_syslog_msg(clamd_t)
+ 
+-miscfiles_read_localization(clamd_t)
+-
+-tunable_policy(`clamd_use_jit',`
+- allow clamd_t self:process execmem;
+-',`
+- dontaudit clamd_t self:process execmem;
+-')
+-
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
++ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
+ amavis_create_pid_files(clamd_t)
+ ')
+ 
+@@ -165,6 +161,31 @@ optional_policy(`
+ mta_send_mail(clamd_t)
+ ')
+ 
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++ spamassassin_read_pid_files(clamd_t)
++')
++
++tunable_policy(`clamd_use_jit',`
++ allow clamd_t 
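Review bot: `corenet_tcp_connect_clamd_port(clamd_t)` lets the daemon domain connect to its own service port without saying why. The clamav.fc hunk above labels `/usr/sbin/clamav-milter` as `clamd_exec_t`, so the milter runs as clamd_t and is presumably the client here; a comment such as `# clamav-milter shares clamd_t and connects to clamd over TCP — TODO confirm` above the line would record that, and would also make visible that a separate milter domain is the tighter alternative.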
self:process execmem;
++ allow clamscan_t self:process execmem;
++',`
++ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
++')
++
++optional_policy(`
++ antivirus_domain_template(clamd_t)
++')
++
++optional_policy(`
++ antivirus_domain_template(clamscan_t)
++')
++
++optional_policy(`
++ antivirus_domain_template(freshclam_t)
++')
++
+ ########################################
+ #
+ # Freshclam local policy
+@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
+ 
+ logging_send_syslog_msg(freshclam_t)
+ 
+-miscfiles_read_localization(freshclam_t)
+ 
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+@@ -241,6 +261,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ clamd_systemctl(freshclam_t)
++')
++
++optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+ ')
+ 
+@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
+ kernel_read_kernel_sysctls(clamscan_t)
+ kernel_read_system_state(clamscan_t)
+ 
+-corenet_all_recvfrom_unlabeled(clamscan_t)
+ corenet_all_recvfrom_netlabel(clamscan_t)
+ corenet_tcp_sendrecv_generic_if(clamscan_t)
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+ 
+ corecmd_read_all_executables(clamscan_t)
+ 
+-files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+ files_search_var_lib(clamscan_t)
+ 
+ init_read_utmp(clamscan_t)
+ init_dontaudit_write_utmp(clamscan_t)
+ 
+-miscfiles_read_localization(clamscan_t)
+ miscfiles_read_public_files(clamscan_t)
+ 
+ sysnet_dns_name_resolve(clamscan_t)
+@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
+ ')
+ 
+ optional_policy(`
+- amavis_read_spool_files(clamscan_t)
+-')
+-
+-optional_policy(`
+ apache_read_sys_content(clamscan_t)
+ ')
+ 
+diff --git a/clockspeed.te b/clockspeed.te
+index b59c592..4b8cddc 100644
+--- a/clockspeed.te
++++ b/clockspeed.te
+@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket 
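Review bot: `clamd_systemctl(freshclam_t)` gives the signature updater `systemd_exec_systemctl` and `manage_service_perms` on `clamd_unit_file_t`, which is broader than a post-update notification of clamd needs if that is the purpose, and nothing in the hunk states the purpose. Suggest a why-comment on the call, e.g. `# freshclam restarts/reloads clamd after a database update — TODO confirm`, so a later reviewer can decide whether a narrower service permission suffices. The `optional_policy(` wrapper around it is also unnecessary, since `clamd_systemctl` is defined in this module's own clamav.if.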
create_socket_perms;
+ 
+ read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+ 
+-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+ corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+ 
+ files_list_var_lib(clockspeed_cli_t)
+-files_read_etc_files(clockspeed_cli_t)
+ 
+-miscfiles_read_localization(clockspeed_cli_t)
+ 
+-userdom_use_user_terminals(clockspeed_cli_t)
++userdom_use_inherited_user_terminals(clockspeed_cli_t)
+ 
+ ########################################
+ #
+@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+ manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+ manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+ 
+-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+ corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
+ 
+ files_list_var_lib(clockspeed_srv_t)
+-files_read_etc_files(clockspeed_srv_t)
+ 
+-miscfiles_read_localization(clockspeed_srv_t)
+ 
+ optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+diff --git a/clogd.te b/clogd.te
+index 29782b8..685edff 100644
+--- a/clogd.te
++++ b/clogd.te
+@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
+ 
+ logging_send_syslog_msg(clogd_t)
+ 
+-miscfiles_read_localization(clogd_t)
+-
+ optional_policy(`
+- aisexec_stream_connect(clogd_t)
+- corosync_stream_connect(clogd_t)
++ rhcs_stream_connect_cluster(clogd_t)
+ ')
+diff --git a/cloudform.fc b/cloudform.fc
+new file mode 100644
+index 
0000000..3a0de96
+--- /dev/null
++++ b/cloudform.fc
+@@ -0,0 +1,27 @@
++/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
++
++/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
++
++/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
++
++/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
++/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0)
++/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
++/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
++
++/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
++/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
++/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
++
++/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
+diff --git a/cloudform.if b/cloudform.if
+new file mode 100644
+index 0000000..8ac848b
+--- /dev/null
++++ b/cloudform.if
+@@ -0,0 +1,42 @@
++## cloudform policy
++
++#######################################
++##
++## Creates types and rules for a basic
++## cloudform daemon domain.
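Review bot: `/var/lib/mongo.*`, `/var/log/mongo.*` and `/var/run/mongo.*` are open-ended prefixes rather than the `name(/.*)?` form used for `/var/lib/cloud(/.*)?` and `/var/lib/iwhd(/.*)?` in the same file, so any entry whose name begins with `mongo` under those directories, not only mongod's own, receives the mongod label. If both `mongo` and `mongodb` directory names have to match, a bounded pattern such as `/var/lib/mongo(db)?(/.*)?` (constructed example) keeps that without matching unrelated names. Note also that `/usr/share/aeolus-conductor/dbomatic/dbomatic` is labelled `mongod_exec_t`, which runs dbomatic inside the mongod domain; a comment recording that this is deliberate would help, since it is presumably why the cloudform.te mongod section carries dbomatic-specific rules.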
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`cloudform_domain_template',`
++ gen_require(`
++ attribute cloudform_domain;
++ ')
++
++ type $1_t, cloudform_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ kernel_read_system_state($1_t)
++')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cloudform_exec_mongod',`
++ gen_require(`
++ type mongod_exec_t;
++ ')
++
++ can_exec($1, mongod_exec_t)
++')
+diff --git a/cloudform.te b/cloudform.te
+new file mode 100644
+index 0000000..4e41e84
+--- /dev/null
++++ b/cloudform.te
+@@ -0,0 +1,298 @@
++policy_module(cloudform, 1.0)
++########################################
++#
++# Declarations
++#
++
++attribute cloudform_domain;
++
++cloudform_domain_template(deltacloudd)
++cloudform_domain_template(iwhd)
++cloudform_domain_template(mongod)
++cloudform_domain_template(cloud_init)
++
++type cloud_init_tmp_t;
++files_tmp_file(cloud_init_tmp_t)
++
++type cloud_init_unit_file_t;
++systemd_unit_file(cloud_init_unit_file_t)
++
++type cloud_var_lib_t;
++files_type(cloud_var_lib_t)
++
++type cloud_log_t;
++logging_log_file(cloud_log_t)
++
++type deltacloudd_log_t;
++logging_log_file(deltacloudd_log_t)
++
++type deltacloudd_var_run_t;
++files_pid_file(deltacloudd_var_run_t)
++
++type deltacloudd_tmp_t;
++files_tmp_file(deltacloudd_tmp_t)
++
++type iwhd_initrc_exec_t;
++init_script_file(iwhd_initrc_exec_t)
++
++type iwhd_var_lib_t;
++files_type(iwhd_var_lib_t)
++
++type iwhd_var_run_t;
++files_pid_file(iwhd_var_run_t)
++
++type mongod_initrc_exec_t;
++init_script_file(mongod_initrc_exec_t)
++
++type mongod_log_t;
++logging_log_file(mongod_log_t)
++
++type mongod_var_lib_t;
++files_type(mongod_var_lib_t)
++
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
++type mongod_var_run_t;
++files_pid_file(mongod_var_run_t)
++
++type iwhd_log_t;
++logging_log_file(iwhd_log_t)
++
++########################################
++#
++# cloudform_domain local policy
++#
++
++allow cloudform_domain self:fifo_file rw_fifo_file_perms;
++allow cloudform_domain self:tcp_socket create_stream_socket_perms;
++
++dev_read_rand(cloudform_domain)
++dev_read_urand(cloudform_domain)
++dev_read_sysfs(cloudform_domain)
++
++auth_read_passwd(cloudform_domain)
++
++miscfiles_read_certs(cloudform_domain)
++
++#################################
++#
++# cloud-init local policy
++#
++
++allow cloud_init_t self:capability { fowner chown fsetid dac_override };
++
++allow cloud_init_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
++manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
++files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
++
++manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
++
++manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
++logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
++
++kernel_read_network_state(cloud_init_t)
++
++corenet_tcp_connect_http_port(cloud_init_t)
++
++corecmd_exec_bin(cloud_init_t)
++corecmd_exec_shell(cloud_init_t)
++
++domain_read_all_domains_state(cloud_init_t)
++
++fs_getattr_all_fs(cloud_init_t)
++
++storage_raw_read_fixed_disk(cloud_init_t)
++
++libs_exec_ldconfig(cloud_init_t)
++
++logging_send_syslog_msg(cloud_init_t)
++
++miscfiles_read_localization(cloud_init_t)
++
++selinux_validate_context(cloud_init_t)
++
++systemd_dbus_chat_hostnamed(cloud_init_t)
++systemd_exec_systemctl(cloud_init_t)
++systemd_start_all_services(cloud_init_t)
++
++usermanage_domtrans_passwd(cloud_init_t)
++
++optional_policy(`
++ dbus_system_bus_client(cloud_init_t)
++')
++
++optional_policy(`
++ dmidecode_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++ 
fstools_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++ hostname_exec(cloud_init_t)
++')
++
++optional_policy(`
++ mount_domtrans(cloud_init_t)
++')
++
++optional_policy(`
++ # it check file context and run restorecon
++ seutil_read_file_contexts(cloud_init_t)
++ seutil_domtrans_setfiles(cloud_init_t)
++')
++
++optional_policy(`
++ ssh_exec_keygen(cloud_init_t)
++ ssh_read_user_home_files(cloud_init_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(cloud_init_t)
++ sysnet_read_dhcpc_state(cloud_init_t)
++ sysnet_dns_name_resolve(cloud_init_t)
++')
++
++optional_policy(`
++ rpm_domtrans(cloud_init_t)
++ unconfined_domain(cloud_init_t)
++')
++
++########################################
++#
++# deltacloudd local policy
++#
++
++allow deltacloudd_t self:capability { dac_override setuid setgid };
++
++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
++allow deltacloudd_t self:udp_socket create_socket_perms;
++
++allow deltacloudd_t self:process signal;
++
++allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
++allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
++
++kernel_read_kernel_sysctls(deltacloudd_t)
++kernel_read_system_state(deltacloudd_t)
++
++corecmd_exec_bin(deltacloudd_t)
++
++corenet_tcp_bind_generic_node(deltacloudd_t)
++corenet_tcp_bind_generic_port(deltacloudd_t)
++corenet_tcp_connect_http_port(deltacloudd_t)
++corenet_tcp_connect_keystone_port(deltacloudd_t)
++
++auth_use_nsswitch(deltacloudd_t)
++
++logging_send_syslog_msg(deltacloudd_t)
++
++optional_policy(`
++ sysnet_read_config(deltacloudd_t)
++')
++
++########################################
++#
++# iwhd local policy
++#
++
++allow iwhd_t self:capability { chown kill };
++allow iwhd_t self:process { fork };
++
++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
++allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++
++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
++logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
++
++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
++
++kernel_read_system_state(iwhd_t)
++
++corenet_tcp_bind_generic_node(iwhd_t)
++corenet_tcp_bind_websm_port(iwhd_t)
++corenet_tcp_connect_all_ports(iwhd_t)
++
++dev_read_rand(iwhd_t)
++dev_read_urand(iwhd_t)
++
++userdom_home_manager(iwhd_t)
++
++########################################
++#
++# mongod local policy
++#
++
++allow mongod_t self:process { execmem setsched signal };
++
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
++logging_log_filetrans(mongod_t, 
mongod_log_t, file, "mongod.log") ++ ++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++ ++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) ++ ++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++#needed by dbomatic ++files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) ++ ++corecmd_exec_bin(mongod_t) ++corecmd_exec_shell(mongod_t) ++ ++corenet_tcp_bind_generic_node(mongod_t) ++corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_mongod_port(mongod_t) ++corenet_tcp_connect_postgresql_port(mongod_t) ++ ++kernel_read_vm_sysctls(mongod_t) ++kernel_read_system_state(mongod_t) ++ ++fs_getattr_all_fs(mongod_t) ++ ++optional_policy(` ++ mysql_stream_connect(mongod_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(mongod_t) ++') ++ ++optional_policy(` ++ sysnet_dns_name_resolve(mongod_t) ++') +diff --git a/cmirrord.if b/cmirrord.if +index cc4e7cb..f348d27 100644 +--- a/cmirrord.if ++++ b/cmirrord.if +@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',` + type cmirrord_t, cmirrord_tmpfs_t; + ') + +- allow $1 cmirrord_t:shm rw_shm_perms; ++ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; + + allow $1 cmirrord_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + fs_search_tmpfs($1) + ') +@@ -103,9 +104,13 @@ interface(`cmirrord_admin',` + type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + ') + +- allow $1 cmirrord_t:process { ptrace signal_perms }; ++ allow $1 cmirrord_t:process signal_perms; + 
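Review bot: `cmirrord_rw_shm` now grants more than its name says: the new `{ rw_shm_perms destroy }` on the shm class and the added `delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)` let the caller destroy the segment and unlink files in cmirrord_tmpfs_t. A domain picking this interface for read/write access gets destructive access it did not ask for. Either update the interface summary (it sits above the hunk) to state that destroy/delete are included, or move the two new rules into a separately named interface, and add a one-line comment naming the caller that needed `destroy` so the widening stays auditable.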
ps_process_pattern($1, cmirrord_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cmirrord_t:process ptrace; ++ ') ++ + cmirrord_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cmirrord_initrc_exec_t system_r; +diff --git a/cmirrord.te b/cmirrord.te +index d8e9958..d2303a4 100644 +--- a/cmirrord.te ++++ b/cmirrord.te +@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) + # Local policy + # + +-allow cmirrord_t self:capability { net_admin kill }; ++allow cmirrord_t self:capability { sys_admin net_admin kill }; + dontaudit cmirrord_t self:capability sys_tty_config; + allow cmirrord_t self:process { setfscreate signal }; + allow cmirrord_t self:fifo_file rw_fifo_file_perms; +@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) + domain_use_interactive_fds(cmirrord_t) + domain_obj_id_change_exemption(cmirrord_t) + +-files_read_etc_files(cmirrord_t) +- + storage_create_fixed_disk_dev(cmirrord_t) ++storage_rw_inherited_fixed_disk_dev(cmirrord_t) + + seutil_read_file_contexts(cmirrord_t) + + logging_send_syslog_msg(cmirrord_t) + +-miscfiles_read_localization(cmirrord_t) +- + optional_policy(` + corosync_stream_connect(cmirrord_t) + ') ++ ++optional_policy(` ++ rhcs_rw_cluster_tmpfs(cmirrord_t) ++') +diff --git a/cobbler.fc b/cobbler.fc +index 973d208..2b650a7 100644 +--- a/cobbler.fc ++++ b/cobbler.fc +@@ -4,6 +4,7 @@ + + /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) + ++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + + /var/lib/tftpboot/etc(/.*)? 
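Review bot: `sys_admin` is added to `allow cmirrord_t self:capability { sys_admin net_admin kill };` with no comment saying which operation needs it, and it is among the broadest capabilities a daemon can hold. Add a comment above the line naming the denied operation, e.g. `# sys_admin: needed for [operation from the AVC denial - fill in]`, so a later reviewer can check whether a narrower capability or a dontaudit would do. If the trigger is the `storage_rw_inherited_fixed_disk_dev(cmirrord_t)` added in the next hunk, say so there as well.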
gen_context(system_u:object_r:cobbler_var_lib_t,s0) +diff --git a/cobbler.if b/cobbler.if +index c223f81..8b567c1 100644 +--- a/cobbler.if ++++ b/cobbler.if +@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) + ') + ++ ++ ++######################################## ++## ++## Read cobbler configuration dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_list_config',` ++ gen_require(` ++ type cobbler_etc_t; ++ ') ++ ++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t) ++ files_search_etc($1) ++') ++ ++ + ######################################## + ## + ## Read cobbler configuration files. +@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',` + + files_search_var_lib($1) + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + ') + + ######################################## +@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',` + + files_search_var_lib($1) + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + ') + + ######################################## +@@ -176,8 +201,8 @@ interface(`cobblerd_admin',` + interface(`cobbler_admin',` + gen_require(` + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; +- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; +- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t; ++ type cobbler_etc_t, cobblerd_initrc_exec_t; ++ type cobbler_tmp_t; + ') + + allow $1 cobblerd_t:process { ptrace signal_perms }; +@@ -199,7 +224,4 @@ interface(`cobbler_admin',` + + logging_search_logs($1) + admin_pattern($1, cobbler_var_log_t) +- +- apache_search_sys_content($1) +- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) + ') 
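Review bot: `cobbler_admin` keeps the unconditional `allow $1 cobblerd_t:process { ptrace signal_perms };` (the context line closing this hunk), while `cmirrord_admin` and `collectd_admin` in the same patch split it into `signal_perms` plus a tunable_policy block on `deny_ptrace` that grants `ptrace` only when the boolean is off. Apply the same split here so the deny_ptrace boolean also covers cobbler administrators: `allow $1 cobblerd_t:process signal_perms;` followed by the tunable_policy block with `allow $1 cobblerd_t:process ptrace;`. The `condor_admin` rewrite goes the other way and drops ptrace entirely; one convention across the patch would be easier to audit.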
+diff --git a/cobbler.te b/cobbler.te +index 2a71346..8c4ac39 100644 +--- a/cobbler.te ++++ b/cobbler.te +@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) + manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) + manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) + files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) ++files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler") + + append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) + create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) + logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) + + kernel_read_system_state(cobblerd_t) +-kernel_dontaudit_search_network_state(cobblerd_t) ++kernel_read_network_state(cobblerd_t) + + corecmd_exec_bin(cobblerd_t) + corecmd_exec_shell(cobblerd_t) +@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) + corenet_tcp_connect_http_port(cobblerd_t) + corenet_sendrecv_http_client_packets(cobblerd_t) + ++dev_read_sysfs(cobblerd_t) + dev_read_urand(cobblerd_t) + + files_list_boot(cobblerd_t) + files_list_tmp(cobblerd_t) + files_read_boot_files(cobblerd_t) +-files_read_etc_files(cobblerd_t) + files_read_etc_runtime_files(cobblerd_t) +-files_read_usr_files(cobblerd_t) + + fs_getattr_all_fs(cobblerd_t) + fs_read_iso9660_files(cobblerd_t) +@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) + + term_use_console(cobblerd_t) + ++auth_use_nsswitch(cobblerd_t) ++ + logging_send_syslog_msg(cobblerd_t) + + miscfiles_read_localization(cobblerd_t) +@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` + ') + + optional_policy(` ++ apache_domtrans(cobblerd_t) + apache_search_sys_content(cobblerd_t) + ') + +@@ -188,17 +191,25 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(cobblerd_t) ++') ++ ++optional_policy(` ++ 
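Review bot: replacing `kernel_dontaudit_search_network_state(cobblerd_t)` with `kernel_read_network_state(cobblerd_t)` turns a deliberately silenced denial into a grant of /proc/net reads, and the hunk carries no reason for the reversal. Put the reason on the line, e.g. `# cobblerd reads network state for [feature - fill in]`, so the next person does not flip it back. The `apache_domtrans(cobblerd_t)` added in the `@@ -160,6 +162,7 @@` hunk of this file is the other notable widening (cobblerd may now enter the apache domain) and likewise has no comment.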
mysql_stream_connect(cobblerd_t) ++') ++ ++optional_policy(` + rpm_exec(cobblerd_t) + ') + + optional_policy(` ++ rsync_exec(cobblerd_t) + rsync_read_config(cobblerd_t) +- rsync_manage_config_files(cobblerd_t) ++ rsync_manage_config(cobblerd_t) + rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") + ') + + optional_policy(` +- tftp_manage_config_files(cobblerd_t) +- tftp_etc_filetrans_config(cobblerd_t, file, "tftp") ++ tftp_manage_config(cobblerd_t) + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) + ') +diff --git a/collectd.fc b/collectd.fc +index 79a3abe..2e7d7ed 100644 +--- a/collectd.fc ++++ b/collectd.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) ++ + /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) + + /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) +diff --git a/collectd.if b/collectd.if +index 954309e..f4db2ca 100644 +--- a/collectd.if ++++ b/collectd.if +@@ -2,8 +2,144 @@ + + ######################################## + ## +-## All of the rules required to +-## administrate an collectd environment. ++## Transition to collectd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`collectd_domtrans',` ++ gen_require(` ++ type collectd_t, collectd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, collectd_exec_t, collectd_t) ++') ++ ++######################################## ++## ++## Execute collectd server in the collectd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_initrc_domtrans',` ++ gen_require(` ++ type collectd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, collectd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search collectd lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`collectd_search_lib',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ allow $1 collectd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read collectd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_read_lib_files',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage collectd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_manage_lib_files',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage collectd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`collectd_manage_lib_dirs',` ++ gen_require(` ++ type collectd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++') ++ ++######################################## ++## ++## Execute collectd server in the collectd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`collectd_systemctl',` ++ gen_require(` ++ type collectd_t; ++ type collectd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 collectd_unit_file_t:file read_file_perms; ++ allow $1 collectd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, collectd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an collectd environment + ## + ## + ## +@@ -20,13 +156,17 @@ + interface(`collectd_admin',` + gen_require(` + type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; +- type collectd_var_lib_t; ++ type collectd_var_lib_t, collectd_unit_file_t; + ') + +- allow $1 collectd_t:process { ptrace signal_perms }; ++ allow $1 collectd_t:process signal_perms; + ps_process_pattern($1, collectd_t) + +- init_labeled_script_domtrans($1, collectd_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 collectd_t:process ptrace; ++ ') ++ ++ collectd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 collectd_initrc_exec_t system_r; + allow $2 system_r; +@@ -36,4 +176,9 @@ interface(`collectd_admin',` + + files_search_var_lib($1) + admin_pattern($1, collectd_var_lib_t) ++ ++ collectd_systemctl($1) ++ admin_pattern($1, collectd_unit_file_t) ++ allow $1 collectd_unit_file_t:service all_service_perms; + ') ++ +diff --git a/collectd.te b/collectd.te +index 6471fa8..dc0423c 100644 +--- a/collectd.te ++++ b/collectd.te +@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) + type collectd_var_run_t; + files_pid_file(collectd_var_run_t) + ++type collectd_unit_file_t; ++systemd_unit_file(collectd_unit_file_t) ++ + apache_content_template(collectd) + ++type httpd_collectd_script_tmp_t; ++files_tmp_file(httpd_collectd_script_tmp_t) ++ + ######################################## + # + # Local policy +@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; + allow collectd_t self:fifo_file rw_fifo_file_perms; + allow 
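Review bot: the summary of `collectd_systemctl` reads "Execute collectd server in the collectd domain", but its body grants `systemd_exec_systemctl($1)`, read of `collectd_unit_file_t` and `manage_service_perms` on it — a service-management grant, not a domain transition (that is `collectd_domtrans` above), and the text duplicates the summary of `collectd_initrc_domtrans`. Suggested summary: `## Execute systemctl to manage the collectd service and its unit file.`, with the parameter described as "Domain allowed access." instead of "Domain allowed to transition.". The same copy-pasted summary appears on `colord_systemctl` in colord.if and `condor_systemctl` in condor.if.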
collectd_t self:packet_socket create_socket_perms; + allow collectd_t self:unix_stream_socket { accept listen }; ++allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow collectd_t self:udp_socket create_socket_perms; ++allow collectd_t self:rawip_socket create_socket_perms; + + manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) + manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) +@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) + manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) + files_pid_filetrans(collectd_t, collectd_var_run_t, file) + +-domain_use_interactive_fds(collectd_t) ++kernel_read_all_sysctls(collectd_t) ++kernel_read_all_proc(collectd_t) ++kernel_list_all_proc(collectd_t) ++ ++auth_getattr_passwd(collectd_t) ++auth_read_passwd(collectd_t) + +-kernel_read_network_state(collectd_t) +-kernel_read_net_sysctls(collectd_t) +-kernel_read_system_state(collectd_t) ++corenet_udp_bind_generic_node(collectd_t) ++corenet_udp_bind_collectd_port(collectd_t) + + dev_read_rand(collectd_t) + dev_read_sysfs(collectd_t) + dev_read_urand(collectd_t) + ++domain_use_interactive_fds(collectd_t) ++domain_read_all_domains_state(collectd_t) ++ + files_getattr_all_dirs(collectd_t) +-files_read_etc_files(collectd_t) +-files_read_usr_files(collectd_t) + + fs_getattr_all_fs(collectd_t) + +-miscfiles_read_localization(collectd_t) ++init_read_utmp(collectd_t) + + logging_send_syslog_msg(collectd_t) + +@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` + ') + + optional_policy(` ++ netutils_domtrans_ping(collectd_t) ++') ++ ++optional_policy(` + virt_read_config(collectd_t) + ') + + ######################################## + # +-# Web local policy ++# Web collectd local policy + # + +-optional_policy(` +- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) +- list_dirs_pattern(httpd_collectd_script_t, 
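Review bot: `kernel_read_all_sysctls`, `kernel_read_all_proc` and `domain_read_all_domains_state` replace the narrower `kernel_read_network_state`, `kernel_read_net_sysctls` and `kernel_read_system_state` with no comment, and together they expose all of /proc including every other domain's process state to a metrics daemon. Tag each with the collectd plugin that needs it, e.g. `# processes plugin: reads /proc/[pid]/* of all domains`, so the grants can be re-narrowed later. `auth_getattr_passwd(collectd_t)` looks subsumed by `auth_read_passwd(collectd_t)` on the next line; confirm and keep only one.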
collectd_var_lib_t, collectd_var_lib_t) +- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) +-') ++ ++files_search_var_lib(httpd_collectd_script_t) ++read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) ++ ++manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) ++manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) ++files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir }) ++ ++auth_read_passwd(httpd_collectd_script_t) +diff --git a/colord.fc b/colord.fc +index 717ea0b..22e0385 100644 +--- a/colord.fc ++++ b/colord.fc +@@ -4,5 +4,7 @@ + /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) + /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) + ++/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) ++ + /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) + /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) +diff --git a/colord.if b/colord.if +index 8e27a37..825f537 100644 +--- a/colord.if ++++ b/colord.if +@@ -1,4 +1,4 @@ +-## GNOME color manager. 
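Review bot: `auth_read_passwd(httpd_collectd_script_t)` lets the web CGI domain, which acts on behalf of HTTP clients, read the password database, and nothing in the hunk says why. If the script only resolves uids to names, say so in a comment (`# [cgi name - fill in]: resolves uids via getpwnam`) so the grant is not later widened; if it was copied from the daemon's `auth_read_passwd(collectd_t)` in the previous hunk, drop it. Dropping the `optional_policy` wrapper around the httpd_collectd_script_t rules is consistent with the unconditional `apache_content_template(collectd)` shown as context earlier in the file.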
++## GNOME color manager + + ######################################## + ## +@@ -15,7 +15,6 @@ interface(`colord_domtrans',` + type colord_t, colord_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, colord_exec_t, colord_t) + ') + +@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',` + + allow $1 colord_t:dbus send_msg; + allow colord_t $1:dbus send_msg; ++ ps_process_pattern(colord_t, $1) + ') + + ###################################### +@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',` + files_search_var_lib($1) + read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) + ') ++ ++######################################## ++## ++## Execute colord server in the colord domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`colord_systemctl',` ++ gen_require(` ++ type colord_t; ++ type colord_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 colord_unit_file_t:file read_file_perms; ++ allow $1 colord_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, colord_t) ++') +diff --git a/colord.te b/colord.te +index 09f18e2..3547d05 100644 +--- a/colord.te ++++ b/colord.te +@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) + type colord_t; + type colord_exec_t; + dbus_system_domain(colord_t, colord_exec_t) ++init_daemon_domain(colord_t, colord_exec_t) + + type colord_tmp_t; + files_tmp_file(colord_tmp_t) +@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t) + type colord_var_lib_t; + files_type(colord_var_lib_t) + ++type colord_unit_file_t; ++systemd_unit_file(colord_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -26,10 +30,13 @@ files_type(colord_var_lib_t) + allow colord_t self:capability { dac_read_search dac_override }; + dontaudit colord_t self:capability sys_admin; + allow colord_t self:process signal; ++ + allow colord_t self:fifo_file rw_fifo_file_perms; + allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +-allow colord_t self:tcp_socket { 
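Review bot: `corecmd_search_bin($1)` is removed from `colord_domtrans` while every other `*_domtrans` in this patch (`collectd_domtrans`, `condor_domtrans`) keeps it; a caller that does not already hold search on the bin directories will be denied the directory search on /usr/libexec (the entrypoint per colord.fc is `/usr/libexec/colord`, and /usr/libexec is normally labeled bin_t) before the transition happens. Unless the removal fixes a duplicate-rule warning, restore the line. If it is intentional, add `# callers are expected to already have corecmd_search_bin` so it is not re-added blindly.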
accept listen }; ++allow colord_t self:tcp_socket create_stream_socket_perms; + allow colord_t self:shm create_shm_perms; ++allow colord_t self:udp_socket create_socket_perms; ++allow colord_t self:unix_dgram_socket create_socket_perms; + + manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) + manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) +@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t) + dev_write_video_dev(colord_t) + dev_rw_printer(colord_t) + dev_read_rand(colord_t) +-dev_read_sysfs(colord_t) + dev_read_urand(colord_t) +-dev_list_sysfs(colord_t) ++dev_read_sysfs(colord_t) + dev_rw_generic_usb_dev(colord_t) + + domain_use_interactive_fds(colord_t) + + files_list_mnt(colord_t) +-files_read_usr_files(colord_t) + +-fs_getattr_noxattr_fs(colord_t) +-fs_getattr_tmpfs(colord_t) ++fs_getattr_all_fs(colord_t) + fs_list_noxattr_fs(colord_t) + fs_read_noxattr_fs_files(colord_t) + fs_search_all(colord_t) + fs_dontaudit_getattr_all_fs(colord_t) ++fs_getattr_tmpfs(colord_t) ++fs_read_cgroup_files(colord_t) + + storage_getattr_fixed_disk_dev(colord_t) + storage_getattr_removable_dev(colord_t) +@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t) + + auth_use_nsswitch(colord_t) + ++init_read_state(colord_t) ++ + logging_send_syslog_msg(colord_t) + +-miscfiles_read_localization(colord_t) ++systemd_read_logind_sessions_files(colord_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_getattr_nfs(colord_t) +- fs_read_nfs_files(colord_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_getattr_cifs(colord_t) +- fs_read_cifs_files(colord_t) +-') ++userdom_rw_user_tmpfs_files(colord_t) ++userdom_home_reader(colord_t) ++userdom_list_user_home_content(colord_t) ++userdom_read_inherited_user_home_content_files(colord_t) + + optional_policy(` + cups_read_config(colord_t) + cups_read_rw_config(colord_t) + cups_stream_connect(colord_t) + cups_dbus_chat(colord_t) ++ cups_read_state(colord_t) ++') ++ ++optional_policy(` ++ 
gnome_read_home_icc_data_content(colord_t) ++ # Fixes lots of breakage in F16 on upgrade ++ gnome_read_generic_data_home_files(colord_t) + ') + + optional_policy(` +@@ -133,3 +143,16 @@ optional_policy(` + optional_policy(` + udev_read_db(colord_t) + ') ++ ++optional_policy(` ++ xserver_dbus_chat_xdm(colord_t) ++ xserver_read_xdm_state(colord_t) ++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc ++ xserver_read_inherited_xdm_lib_files(colord_t) ++ # allow to read /run/initial-setup-$username ++ xserver_read_xdm_pid(colord_t) ++') ++ ++optional_policy(` ++ zoneminder_rw_tmpfs_files(colord_t) ++') +diff --git a/comsat.te b/comsat.te +index 3f6e4dc..88c4f19 100644 +--- a/comsat.te ++++ b/comsat.te +@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t) + kernel_read_network_state(comsat_t) + kernel_read_system_state(comsat_t) + ++corenet_all_recvfrom_netlabel(comsat_t) ++corenet_tcp_sendrecv_generic_if(comsat_t) ++corenet_udp_sendrecv_generic_if(comsat_t) ++corenet_tcp_sendrecv_generic_node(comsat_t) ++corenet_udp_sendrecv_generic_node(comsat_t) ++corenet_udp_sendrecv_all_ports(comsat_t) ++ + dev_read_urand(comsat_t) + + fs_getattr_xattr_fs(comsat_t) +@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t) + + logging_send_syslog_msg(comsat_t) + +-miscfiles_read_localization(comsat_t) +- + userdom_dontaudit_getattr_user_ttys(comsat_t) + + mta_getattr_spool(comsat_t) +diff --git a/condor.fc b/condor.fc +index 23dc348..c4450f7 100644 +--- a/condor.fc ++++ b/condor.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0) ++/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) + + /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) + /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) +@@ -8,6 +9,8 @@ + /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + 
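Review bot: the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks are replaced by unconditional `userdom_home_reader(colord_t)`, `userdom_list_user_home_content(colord_t)` and `userdom_read_inherited_user_home_content_files(colord_t)`, so a system daemon now reads every user's home content regardless of booleans; the only hint at the purpose is `gnome_read_home_icc_data_content(colord_t)` in the following optional block. Put the reason on the line, e.g. `# reads user ICC profiles under .local/share/icc`, and check whether the gnome ICC interface alone covers the real case so the broad `userdom_home_reader` can go. `userdom_rw_user_tmpfs_files(colord_t)` also lacks a justification.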
/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + ++/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0) ++ + /var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) + + /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) +diff --git a/condor.if b/condor.if +index 3fe3cb8..5fe84a6 100644 +--- a/condor.if ++++ b/condor.if +@@ -1,81 +1,397 @@ +-## High-Throughput Computing System. ++ ++## policy for condor ++ ++##################################### ++## ++## Creates types and rules for a basic ++## condor init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`condor_domain_template',` ++ gen_require(` ++ type condor_master_t; ++ attribute condor_domain; ++ ') ++ ++ ############################# ++ # ++ # Declarations ++ # ++ ++ type condor_$1_t, condor_domain; ++ type condor_$1_exec_t; ++ init_daemon_domain(condor_$1_t, condor_$1_exec_t) ++ role system_r types condor_$1_t; ++ ++ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) ++ allow condor_master_t condor_$1_exec_t:file ioctl; ++ ++ kernel_read_system_state(condor_$1_t) ++ ++ corenet_all_recvfrom_netlabel(condor_$1_t) ++ corenet_all_recvfrom_unlabeled(condor_$1_t) ++ ++ auth_use_nsswitch(condor_$1_t) ++ ++ logging_send_syslog_msg(condor_$1_t) ++') ++ ++######################################## ++## ++## Transition to condor. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`condor_domtrans',` ++ gen_require(` ++ type condor_t, condor_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, condor_exec_t, condor_t) ++') ++ ++####################################### ++## ++## Allows to start userland processes ++## by transitioning to the specified domain, ++## with a range transition. ++## ++## ++## ++## The process type entered by condor_startd. ++## ++## ++## ++## ++## The executable type for the entrypoint. 
++## ++## ++## ++## ++## Range for the domain. ++## ++## ++# ++interface(`condor_startd_ranged_domtrans_to',` ++ gen_require(` ++ type sshd_t; ++ ') ++ condor_startd_domtrans_to($1, $2) ++ ++ ++ ifdef(`enable_mcs',` ++ range_transition condor_startd_t $2:process $3; ++ ') ++ ++') + + ####################################### + ## +-## The template to define a condor domain. ++## Allows to start userlandprocesses ++## by transitioning to the specified domain. + ## +-## ++## ++## ++## The process type entered by condor_startd. ++## ++## ++## ++## ++## The executable type for the entrypoint. ++## ++## ++# ++interface(`condor_startd_domtrans_to',` ++ gen_require(` ++ type condor_startd_t; ++ ') ++ ++ domtrans_pattern(condor_startd_t, $2, $1) ++') ++ ++######################################## ++## ++## Read condor's log files. ++## ++## + ## +-## Domain prefix to be used. ++## Domain allowed access. + ## + ## ++## + # +-template(`condor_domain_template',` ++interface(`condor_read_log',` + gen_require(` +- attribute condor_domain; +- type condor_master_t; ++ type condor_log_t; + ') + +- ############################# +- # +- # Declarations +- # ++ logging_search_logs($1) ++ read_files_pattern($1, condor_log_t, condor_log_t) ++') + +- type condor_$1_t, condor_domain; +- type condor_$1_exec_t; +- domain_type(condor_$1_t) +- domain_entry_file(condor_$1_t, condor_$1_exec_t) +- role system_r types condor_$1_t; ++######################################## ++## ++## Append to condor log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`condor_append_log',` ++ gen_require(` ++ type condor_log_t; ++ ') + +- ############################# +- # +- # Policy +- # ++ logging_search_logs($1) ++ append_files_pattern($1, condor_log_t, condor_log_t) ++') + +- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) +- allow condor_master_t condor_$1_exec_t:file ioctl; ++######################################## ++## ++## Manage condor log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_log',` ++ gen_require(` ++ type condor_log_t; ++ ') + +- auth_use_nsswitch(condor_$1_t) ++ logging_search_logs($1) ++ manage_dirs_pattern($1, condor_log_t, condor_log_t) ++ manage_files_pattern($1, condor_log_t, condor_log_t) ++ manage_lnk_files_pattern($1, condor_log_t, condor_log_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an condor environment. ++## Search condor lib directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`condor_search_lib',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ allow $1 condor_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read condor lib files. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`condor_admin',` ++interface(`condor_read_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++###################################### ++## ++## Read and write condor lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_rw_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++######################################## ++## ++## Manage condor lib files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++######################################## ++## ++## Manage condor lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_lib_dirs',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++######################################## ++## ++## Read condor PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_read_pid_files',` + gen_require(` +- attribute condor_domain; +- type condor_initrc_exec_config_t, condor_log_t; +- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; +- type condor_var_run_t, condor_startd_tmp_t; ++ type condor_var_run_t; + ') + +- allow $1 condor_domain:process { ptrace signal_perms }; ++ files_search_pids($1) ++ allow $1 condor_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute condor server in the condor domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`condor_systemctl',` ++ gen_require(` ++ type condor_t; ++ type condor_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 condor_unit_file_t:file read_file_perms; ++ allow $1 condor_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, condor_t) ++') ++ ++ ++####################################### ++## ++## Read and write condor_startd server TCP sockets. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`condor_rw_tcp_sockets_startd',` ++ gen_require(` ++ type condor_startd_t; ++ ') ++ ++ allow $1 condor_startd_t:tcp_socket rw_socket_perms; ++') ++ ++###################################### ++## ++## Read and write condor_schedd server TCP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_rw_tcp_sockets_schedd',` ++ gen_require(` ++ type condor_schedd_t; ++ ') ++ ++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an condor environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_admin',` ++ gen_require(` ++ attribute condor_domain; ++ type condor_initrc_exec_t, condor_log_t; ++ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; ++ type condor_var_run_t, condor_startd_tmp_t; ++ type condor_unit_file_t; ++ ') ++ ++ allow $1 condor_domain:process { signal_perms }; + ps_process_pattern($1, condor_domain) + +- init_labeled_script_domtrans($1, condor_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 condor_initrc_exec_t system_r; +- allow $2 system_r; ++ init_labeled_script_domtrans($1, condor_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 condor_initrc_exec_t system_r; ++ allow $2 system_r; + + logging_search_logs($1) + admin_pattern($1, condor_log_t) + +- files_search_locks($1) +- admin_pattern($1, condor_var_lock_t) ++ files_search_locks($1) ++ admin_pattern($1, condor_var_lock_t) + + files_search_var_lib($1) + admin_pattern($1, condor_var_lib_t) +@@ -85,4 +401,13 @@ interface(`condor_admin',` + + files_search_tmp($1) + admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) ++ ++ condor_systemctl($1) ++ admin_pattern($1, condor_unit_file_t) ++ allow $1 condor_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ 
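Review bot: `condor_startd_ranged_domtrans_to` lists `type sshd_t;` in its gen_require but never references it, which makes every caller depend on the ssh module for nothing; drop the require (the `condor_startd_domtrans_to` it calls already requires `condor_startd_t`). `condor_domtrans` and `condor_systemctl` require `condor_t`/`condor_exec_t`, and the condor.te hunks in this patch declare only `condor_master_t` and the templated `condor_$1_t`, so confirm those two types exist or the interfaces will fail to expand. In `condor_admin`, the second parameter is documented as "Domain allowed access." although it is the role used by `role_transition $2 condor_initrc_exec_t system_r;`, and ptrace is dropped outright (`allow $1 condor_domain:process { signal_perms };`) whereas `cmirrord_admin` and `collectd_admin` keep it under the deny_ptrace tunable; use the same tunable block here.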
systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/condor.te b/condor.te +index 3f2b672..ff94f23 100644 +--- a/condor.te ++++ b/condor.te +@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) + type condor_startd_tmpfs_t; + files_tmpfs_file(condor_startd_tmpfs_t) + ++type condor_etc_rw_t; ++files_config_file(condor_etc_rw_t) ++ + type condor_log_t; + logging_log_file(condor_log_t) + +@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t) + type condor_var_run_t; + files_pid_file(condor_var_run_t) + ++type condor_unit_file_t; ++systemd_unit_file(condor_unit_file_t) ++ + condor_domain_template(collector) + condor_domain_template(negotiator) + condor_domain_template(procd) +@@ -57,15 +63,21 @@ condor_domain_template(startd) + # Global local policy + # + ++allow condor_domain self:capability dac_override; ++allow condor_domain self:capability2 block_suspend; ++ + allow condor_domain self:process signal_perms; + allow condor_domain self:fifo_file rw_fifo_file_perms; +-allow condor_domain self:tcp_socket { accept listen }; +-allow condor_domain self:unix_stream_socket { accept listen }; ++allow condor_domain self:tcp_socket create_stream_socket_perms; ++allow condor_domain self:udp_socket create_socket_perms; ++allow condor_domain self:unix_stream_socket create_stream_socket_perms; ++allow condor_domain self:netlink_route_socket r_netlink_socket_perms; ++ ++allow condor_domain condor_etc_rw_t:dir list_dir_perms; ++rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) + + manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) +-append_files_pattern(condor_domain, condor_log_t, condor_log_t) +-create_files_pattern(condor_domain, condor_log_t, condor_log_t) +-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t) ++manage_files_pattern(condor_domain, condor_log_t, condor_log_t) + logging_log_filetrans(condor_domain, condor_log_t, { dir file }) + + manage_dirs_pattern(condor_domain, condor_var_lib_t, 
condor_var_lib_t)
+@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+ 
+ kernel_read_kernel_sysctls(condor_domain)
+ kernel_read_network_state(condor_domain)
+-kernel_read_system_state(condor_domain)
+ 
+ corecmd_exec_bin(condor_domain)
+ corecmd_exec_shell(condor_domain)
+ 
+-corenet_all_recvfrom_netlabel(condor_domain)
+-corenet_all_recvfrom_unlabeled(condor_domain)
+ corenet_tcp_sendrecv_generic_if(condor_domain)
+ corenet_tcp_sendrecv_generic_node(condor_domain)
+ 
+@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
+ dev_read_sysfs(condor_domain)
+ dev_read_urand(condor_domain)
+ 
+-logging_send_syslog_msg(condor_domain)
++auth_read_passwd(condor_domain)
+ 
+-miscfiles_read_localization(condor_domain)
++sysnet_dns_name_resolve(condor_domain)
+ 
+ tunable_policy(`condor_tcp_network_connect',`
+ corenet_sendrecv_all_client_packets(condor_domain)
+@@ -125,7 +134,7 @@ optional_policy(`
+ # Master local policy
+ #
+ 
+-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++allow condor_master_t self:capability { setuid setgid sys_ptrace };
+ 
+ allow condor_master_t condor_domain:process { sigkill signal };
+ 
+@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+ 
++can_exec(condor_master_t, condor_master_exec_t)
++
++kernel_read_system_state(condor_master_t)
++
+ corenet_udp_sendrecv_generic_if(condor_master_t)
+ corenet_udp_sendrecv_generic_node(condor_master_t)
+ corenet_tcp_bind_generic_node(condor_master_t)
+@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
+ 
+ auth_use_nsswitch(condor_master_t)
+ 
++logging_send_syslog_msg(condor_master_t)
++
+ optional_policy(`
+ mta_send_mail(condor_master_t)
+ mta_read_config(condor_master_t)
+@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket 
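Review bot: `allow condor_domain self:capability dac_override;` gives DAC bypass to every domain carrying the condor_domain attribute (at least collector, negotiator, procd, schedd and startd per the condor_domain_template calls in the previous hunk), whereas before only condor_master_t and condor_procd_t held it, and the master hunk below removes it from condor_master_t — so this is a widening, not a move. In the same hunk, replacing the append/create/getattr trio on condor_log_t with `manage_files_pattern(condor_domain, condor_log_t, condor_log_t)` lets any condor daemon truncate, rename or unlink its log files, which the append-only form deliberately prevented. If one daemon needs dac_override, grant it in that daemon's own section and keep the log rules as `append_files_pattern`/`create_files_pattern`/`getattr_files_pattern`, with a comment naming the denial that motivated the change.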
rw_socket_perms; + + kernel_read_network_state(condor_collector_t) + ++corenet_tcp_bind_http_port(condor_collector_t) ++ + ##################################### + # + # Negotiator local policy +@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; + allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; + allow condor_negotiator_t condor_master_t:udp_socket getattr; + ++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t) ++ + ###################################### + # + # Procd local policy +@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; + + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; + +-allow condor_procd_t condor_startd_t:process sigkill; ++allow condor_procd_t condor_domain:process sigkill; ++ + + domain_read_all_domains_state(condor_procd_t) + +@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; + + allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; + ++allow condor_schedd_t condor_master_tmp_t:dir getattr; ++ + domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) + domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) + +@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) + relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) + files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) + ++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t) ++ + ##################################### + # + # Startd local policy +@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t) + mcs_process_set_categories(condor_startd_t) + + init_domtrans_script(condor_startd_t) ++init_initrc_domain(condor_startd_t) + + libs_exec_lib_files(condor_startd_t) + +-files_read_usr_files(condor_startd_t) +- + optional_policy(` + ssh_basic_client_template(condor_startd, 
condor_startd_t, system_r)
+ ssh_domtrans(condor_startd_t)
+@@ -249,3 +272,7 @@ optional_policy(`
+ kerberos_use(condor_startd_ssh_t)
+ ')
+ ')
++
++optional_policy(`
++ unconfined_domain(condor_startd_t)
++')
+diff --git a/consolekit.fc b/consolekit.fc
+index 23c9558..29e5fd3 100644
+--- a/consolekit.fc
++++ b/consolekit.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
++
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+ 
+ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+diff --git a/consolekit.if b/consolekit.if
+index 5b830ec..0647a3b 100644
+--- a/consolekit.if
++++ b/consolekit.if
+@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
+ 
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## consolekit over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ##
+@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
+ 
+ ########################################
+ ##
++## Dontaudit attempts to read consolekit log files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Read consolekit log files. 
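Review bot: `unconfined_domain(condor_startd_t)` in the new optional_policy block makes the startd domain effectively unconfined, which nullifies every rule the rest of this file places on it — the mcs_process_set_categories, init_domtrans_script, init_initrc_domain and ssh rules in the preceding hunks become decorative — and startd is the daemon that spawns job payloads. If this is a stopgap for a denial storm it should say so and carry a tracker reference, e.g. `# FIXME: temporary; startd execs arbitrary job payloads and needs its own job domain`; for development, `permissive condor_startd_t;` records the denials without granting everything in shipped policy. The optional_policy wrapper only guards against the unconfined module being absent, so on a default install this grant is unconditional.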
+ ## + ## +@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',` + allow $1 consolekit_var_run_t:dir list_dir_perms; + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) + ') ++ ++######################################## ++## ++## List consolekit PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_list_pid_files',` ++ gen_require(` ++ type consolekit_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ++') ++ ++######################################## ++## ++## Allow the domain to read consolekit state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_read_state',` ++ gen_require(` ++ type consolekit_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, consolekit_t) ++') ++ ++######################################## ++## ++## Execute consolekit server in the consolekit domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`consolekit_systemctl',` ++ gen_require(` ++ type consolekit_t; ++ type consolekit_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 consolekit_unit_file_t:file read_file_perms; ++ allow $1 consolekit_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, consolekit_t) ++') +diff --git a/consolekit.te b/consolekit.te +index 5f0c793..d11e25b 100644 +--- a/consolekit.te ++++ b/consolekit.te +@@ -19,12 +19,16 @@ type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") + ++type consolekit_unit_file_t; ++systemd_unit_file(consolekit_unit_file_t) ++ + ######################################## + # + # Local policy + # + + allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; ++ + allow consolekit_t self:process { getsched signal }; + allow consolekit_t self:fifo_file rw_fifo_file_perms; + allow consolekit_t self:unix_stream_socket { accept listen }; +@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t) + + domain_read_all_domains_state(consolekit_t) + domain_use_interactive_fds(consolekit_t) +-domain_dontaudit_ptrace_all_domains(consolekit_t) + +-files_read_usr_files(consolekit_t) + # needs to read /var/lib/dbus/machine-id + files_read_var_lib_files(consolekit_t) + files_search_all_mountpoints(consolekit_t) + + fs_list_inotifyfs(consolekit_t) + +-mcs_ptrace_all(consolekit_t) +- + term_use_all_terms(consolekit_t) + + auth_use_nsswitch(consolekit_t) + auth_manage_pam_console_data(consolekit_t) + auth_write_login_records(consolekit_t) + ++init_read_utmp(consolekit_t) ++ + logging_send_syslog_msg(consolekit_t) + logging_send_audit_msgs(consolekit_t) + +-miscfiles_read_localization(consolekit_t) ++systemd_exec_systemctl(consolekit_t) ++systemd_start_power_services(consolekit_t) + ++userdom_read_all_users_state(consolekit_t) + userdom_dontaudit_read_user_home_content_files(consolekit_t) 
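Review bot: The summary on consolekit_systemctl says 'Execute consolekit server in the consolekit domain', but the body performs no domain transition — it grants systemctl execution, read plus manage_service_perms on consolekit_unit_file_t, and ps visibility into consolekit_t. Suggest `## Allow the caller to control the consolekit service via systemctl (read its unit file, start/stop/status it).` and the parameter text `## Domain allowed access.` in place of 'Domain allowed to transition'. The same copy-pasted wording appears on corosync_systemctl and couchdb_systemctl later in this patch.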
++userdom_dontaudit_getattr_admin_home_files(consolekit_t) + userdom_read_user_tmp_files(consolekit_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(consolekit_t) +-') ++userdom_home_reader(consolekit_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(consolekit_t) ++optional_policy(` ++ cron_read_system_job_lib_files(consolekit_t) + ') + + ifdef(`distro_debian',` +@@ -112,13 +115,6 @@ optional_policy(` + ') + ') + +-optional_policy(` +- hal_ptrace(consolekit_t) +-') +- +-optional_policy(` +- networkmanager_append_log_files(consolekit_t) +-') + + optional_policy(` + policykit_domtrans_auth(consolekit_t) +diff --git a/corosync.fc b/corosync.fc +index da39f0f..6a96733 100644 +--- a/corosync.fc ++++ b/corosync.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) + ++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0) ++ + /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) + /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) + +diff --git a/corosync.if b/corosync.if +index 694a037..b836c07 100644 +--- a/corosync.if ++++ b/corosync.if +@@ -77,6 +77,25 @@ interface(`corosync_read_log',` + read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) + ') + ++####################################### ++## ++## Setattr corosync log files. ++## ++## ++## ++## Domain allowed access. 
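Review bot: Removing `mcs_ptrace_all(consolekit_t)` and `domain_dontaudit_ptrace_all_domains(consolekit_t)` here (and hal_ptrace in the next hunk) leaves `sys_ptrace` sitting in the `allow consolekit_t self:capability { ... sys_ptrace }` line of the previous hunk with no ptrace allow left to use it, so it should be dropped from that set — or, if the daemon still needs it, gated the way corosync_admin is in this same patch: `tunable_policy(`deny_ptrace',`',` ... ')`. The replacement of the use_nfs_home_dirs/use_samba_home_dirs blocks with `userdom_home_reader(consolekit_t)` is only equivalent if that interface carries those tunables internally; presumably it does, but it is worth confirming, since otherwise NFS/CIFS home-directory reads become unconditional.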
++## ++## ++# ++interface(`corosync_setattr_log',` ++ gen_require(` ++ type corosync_var_log_t; ++ ') ++ ++ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t) ++') ++ ++ + ##################################### + ## + ## Connect to corosync over a unix +@@ -91,29 +110,54 @@ interface(`corosync_read_log',` + interface(`corosync_stream_connect',` + gen_require(` + type corosync_t, corosync_var_run_t; ++ type corosync_var_lib_t; + ') + + files_search_pids($1) ++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t) + stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) + ') + + ###################################### + ## +-## Read and write corosync tmpfs files. ++## Allow the specified domain to read/write corosync's tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corosync_rw_tmpfs',` ++ gen_require(` ++ type corosync_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) ++ ++') ++ ++######################################## ++## ++## Execute corosync server in the corosync domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`corosync_rw_tmpfs',` ++interface(`corosync_systemctl',` + gen_require(` +- type corosync_tmpfs_t; ++ type corosync_t; ++ type corosync_unit_file_t; + ') + +- fs_search_tmpfs($1) +- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) ++ systemd_exec_systemctl($1) ++ allow $1 corosync_unit_file_t:file read_file_perms; ++ allow $1 corosync_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, corosync_t) + ') + + ###################################### +@@ -160,12 +204,17 @@ interface(`corosync_admin',` + type corosync_t, corosync_var_lib_t, corosync_var_log_t; + type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; + type corosync_initrc_exec_t; ++ type corosync_unit_file_t; + ') + +- allow $1 corosync_t:process { ptrace signal_perms }; ++ allow $1 corosync_t:process signal_perms; + ps_process_pattern($1, corosync_t) + +- corosync_initrc_domtrans($1) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 corosync_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, corosync_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 corosync_initrc_exec_t system_r; + allow $2 system_r; +@@ -183,4 +232,8 @@ interface(`corosync_admin',` + + files_list_pids($1) + admin_pattern($1, corosync_var_run_t) ++ ++ corosync_systemctl($1) ++ admin_pattern($1, corosync_unit_file_t) ++ allow $1 corosync_unit_file_t:service all_service_perms; + ') +diff --git a/corosync.te b/corosync.te +index eeea48d..691ca11 100644 +--- a/corosync.te ++++ b/corosync.te +@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) + type corosync_var_run_t; + files_pid_file(corosync_var_run_t) + ++type corosync_unit_file_t; ++systemd_unit_file(corosync_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -93,7 +96,6 @@ dev_read_urand(corosync_t) + domain_read_all_domains_state(corosync_t) + + files_manage_mounttab(corosync_t) +-files_read_usr_files(corosync_t) + + auth_use_nsswitch(corosync_t) + +@@ 
-106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
+ miscfiles_read_localization(corosync_t)
+ 
+ userdom_read_user_tmp_files(corosync_t)
+-userdom_manage_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmpfs_files(corosync_t)
++userdom_rw_user_tmpfs_files(corosync_t)
++
++optional_policy(`
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
++')
+ 
+ optional_policy(`
+ ccs_read_config(corosync_t)
+@@ -129,20 +137,29 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++ lvm_delete_clvmd_tmpfs_files(corosync_t)
++')
++
++optional_policy(`
+ qpidd_rw_shm(corosync_t)
+ ')
+ 
+ optional_policy(`
+- rhcs_getattr_fenced_exec_files(corosync_t)
++ rhcs_getattr_fenced(corosync_t)
++ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
++ rhcs_manage_cluster_lib_files(corosync_t)
++ rhcs_relabel_cluster_lib_files(corosync_t)
+ ')
+ 
+ optional_policy(`
+- rgmanager_manage_tmpfs_files(corosync_t)
++ rpc_search_nfs_state_data(corosync_t)
+ ')
+ 
+ optional_policy(`
+- rpc_search_nfs_state_data(corosync_t)
+-')
+\ No newline at end of file
++ wdmd_rw_tmpfs(corosync_t)
++')
+diff --git a/couchdb.fc b/couchdb.fc
+index c086302..4f33119 100644
+--- a/couchdb.fc
++++ b/couchdb.fc
+@@ -1,3 +1,6 @@
++
++/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
++
+ /etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+ 
+ /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
+diff --git a/couchdb.if b/couchdb.if
+index 83d6744..afa2f78 100644
+--- a/couchdb.if
++++ b/couchdb.if
+@@ -2,6 +2,44 @@
+ 
+ ########################################
+ ##
++## Allow to read couchdb log files.
++##
++##
++##
++## Domain allowed access. 
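Review bot: The new `optional_policy(` block around `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)` wraps only core-module interfaces (filesystem, init), which cannot be absent, so the wrapper is misleading — these are unconditional grants and should be written without it. `fs_manage_tmpfs_files` is also broad: create/write/unlink on every generic tmpfs_t file, which undoes the narrowing made two lines earlier where manage on user tmpfs files is reduced to delete plus rw. If this is for a specific shared-memory object, the module already has a corosync_tmpfs_t type (see corosync_rw_tmpfs in the .if hunk) that should be used instead; failing that, a comment naming the file that needs it belongs above the rule.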
++## ++## ++# ++interface(`couchdb_read_log_files',` ++ gen_require(` ++ type couchdb_log_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_log_t, couchdb_log_t) ++') ++ ++######################################## ++## ++## Allow to read couchdb lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_lib_files',` ++ gen_require(` ++ type couchdb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an couchdb environment. + ## +@@ -10,6 +48,127 @@ + ## Domain allowed access. + ## + ## ++# ++interface(`couchdb_manage_lib_files',` ++ gen_require(` ++ type couchdb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++') ++ ++######################################## ++## ++## Manage couchdb lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_manage_lib_dirs',` ++ gen_require(` ++ type couchdb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++') ++ ++######################################## ++## ++## Allow to read couchdb conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_conf_files',` ++ gen_require(` ++ type couchdb_conf_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ++') ++ ++######################################## ++## ++## Read couchdb PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_pid_files',` ++ gen_require(` ++ type couchdb_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 couchdb_var_run_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Search couchdb PID dirs. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_search_pid_dirs',` ++ gen_require(` ++ type couchdb_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 couchdb_var_run_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Execute couchdb server in the couchdb domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`couchdb_systemctl',` ++ gen_require(` ++ type couchdb_t; ++ type couchdb_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 couchdb_unit_file_t:file read_file_perms; ++ allow $1 couchdb_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, couchdb_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an couchdb environment ++## ++## ++## ++## Domain allowed access. ++## ++## + ## + ## + ## Role allowed access. +@@ -19,14 +178,19 @@ + # + interface(`couchdb_admin',` + gen_require(` ++ type couchdb_unit_file_t; + type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; + type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; + type couchdb_tmp_t; + ') + +- allow $1 couchdb_t:process { ptrace signal_perms }; ++ allow $1 couchdb_t:process { signal_perms }; + ps_process_pattern($1, couchdb_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 couchdb_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, couchdb_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 couchdb_initrc_exec_t system_r; +@@ -46,4 +210,13 @@ interface(`couchdb_admin',` + + files_search_pids($1) + admin_pattern($1, couchdb_var_run_t) ++ ++ admin_pattern($1, couchdb_unit_file_t) ++ couchdb_systemctl($1) ++ allow $1 couchdb_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/couchdb.te b/couchdb.te +index 503adab..046fe9b 100644 
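Review bot: couchdb_read_conf_files calls `files_search_var_lib($1)`, but couchdb.fc in this patch labels `/etc/couchdb(/.*)?` as couchdb_conf_t, so the caller is granted search on the wrong parent directory; it should be `files_search_etc($1)`. The same pattern in couchdb_read_log_files in the previous hunk (files_search_var_lib for couchdb_log_t) presumably wants `logging_search_logs($1)` if the logs live under /var/log — worth confirming against couchdb.fc. Separately, couchdb_systemctl's summary 'Execute couchdb server in the couchdb domain' describes a transition the interface does not make; it grants systemctl plus unit-file service permissions, and the summary should say that.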
+--- a/couchdb.te ++++ b/couchdb.te +@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t) + type couchdb_var_run_t; + files_pid_file(couchdb_var_run_t) + ++type couchdb_unit_file_t; ++systemd_unit_file(couchdb_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t) + dev_read_sysfs(couchdb_t) + dev_read_urand(couchdb_t) + +-files_read_usr_files(couchdb_t) +- + fs_getattr_xattr_fs(couchdb_t) + + auth_use_nsswitch(couchdb_t) + +-miscfiles_read_localization(couchdb_t) +diff --git a/courier.fc b/courier.fc +index 8a4b596..cbecde8 100644 +--- a/courier.fc ++++ b/courier.fc +@@ -9,17 +9,18 @@ + /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) + + /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) + /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) +-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) +-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib/courier/rootcerts(/.*)? 
gen_context(system_u:object_r:courier_etc_t,s0) +-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) +-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) ++/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) ++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) + ++ifdef(`distro_gentoo',` ++/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) ++') + + /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) + /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) +diff --git a/courier.if b/courier.if +index 10f820f..acdb179 100644 +--- a/courier.if ++++ b/courier.if +@@ -1,12 +1,12 @@ +-## Courier IMAP and POP3 email servers. ++## Courier IMAP and POP3 email servers + +-####################################### ++######################################## + ## +-## The template to define a courier domain. ++## Template for creating courier server processes. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix name of the server process. 
+ ## + ## + # +@@ -15,7 +15,7 @@ template(`courier_domain_template',` + attribute courier_domain; + ') + +- ######################################## ++ ############################## + # + # Declarations + # +@@ -24,18 +24,30 @@ template(`courier_domain_template',` + type courier_$1_exec_t; + init_daemon_domain(courier_$1_t, courier_$1_exec_t) + +- ######################################## ++ ############################## + # +- # Policy ++ # Declarations + # + + can_exec(courier_$1_t, courier_$1_exec_t) ++ ++ kernel_read_system_state(courier_$1_t) ++ ++ corenet_all_recvfrom_netlabel(courier_$1_t) ++ corenet_tcp_sendrecv_generic_if(courier_$1_t) ++ corenet_udp_sendrecv_generic_if(courier_$1_t) ++ corenet_tcp_sendrecv_generic_node(courier_$1_t) ++ corenet_udp_sendrecv_generic_node(courier_$1_t) ++ corenet_tcp_sendrecv_all_ports(courier_$1_t) ++ corenet_udp_sendrecv_all_ports(courier_$1_t) ++ ++ logging_send_syslog_msg(courier_$1_t) + ') + + ######################################## + ## +-## Execute the courier authentication +-## daemon with a domain transition. ++## Execute the courier authentication daemon with ++## a domain transition. + ## + ## + ## +@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',` + type courier_authdaemon_t, courier_authdaemon_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) + ') + + ####################################### + ## +-## Connect to courier-authdaemon over +-## a unix stream socket. ++## Connect to courier-authdaemon over a unix stream socket. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
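Review bot: The section header inside courier_domain_template is renamed from `# Policy` to `# Declarations`, giving the template two 'Declarations' headings while the block beneath (can_exec, corenet, logging calls) is policy; this looks accidental and `# Policy` should be restored. The added `corenet_tcp_sendrecv_all_ports(courier_$1_t)` and `corenet_udp_sendrecv_all_ports(courier_$1_t)` are applied by template to every courier domain (authdaemon, pcp, pop and tcpd alike), while the tcpd section in courier.te later in this patch uses port-specific rules such as `corenet_tcp_sendrecv_pop_port`; the per-domain form is the precedent to follow, or a comment should name which domain failed without all-ports access.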
++## + ## + # + interface(`courier_stream_connect_authdaemon',` +- gen_require(` +- type courier_authdaemon_t, courier_spool_t; +- ') ++ gen_require(` ++ type courier_authdaemon_t, courier_spool_t; ++ ') + + files_search_spool($1) +- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) ++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) + ') + + ######################################## + ## +-## Execute the courier POP3 and IMAP +-## server with a domain transition. ++## Execute the courier POP3 and IMAP server with ++## a domain transition. + ## + ## + ## +@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',` + type courier_pop_t, courier_pop_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) + ') + + ######################################## + ## +-## Read courier config files. ++## Read courier config files + ## + ## + ## +@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',` + type courier_spool_t; + ') + +- files_search_var($1) ++ files_search_spool($1) + manage_dirs_pattern($1, courier_spool_t, courier_spool_t) + ') + +@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',` + ## Create, read, write, and delete courier + ## spool files. + ## +-## ++## + ## + ## Domain allowed access. + ## +@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',` + type courier_spool_t; + ') + +- files_search_var($1) ++ files_search_spool($1) + manage_files_pattern($1, courier_spool_t, courier_spool_t) + ') + +@@ -166,13 +175,13 @@ interface(`courier_read_spool',` + type courier_spool_t; + ') + +- files_search_var($1) ++ files_search_spool($1) + read_files_pattern($1, courier_spool_t, courier_spool_t) + ') + + ######################################## + ## +-## Read and write courier spool pipes. ++## Read and write to courier spool pipes. 
+ ## + ## + ## +@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',` + type courier_spool_t; + ') + +- files_search_var($1) + allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; + ') +diff --git a/courier.te b/courier.te +index 77bb077..1499c3f 100644 +--- a/courier.te ++++ b/courier.te +@@ -18,7 +18,7 @@ type courier_etc_t; + files_config_file(courier_etc_t) + + type courier_spool_t; +-files_type(courier_spool_t) ++files_spool_file(courier_spool_t) + + type courier_var_lib_t; + files_type(courier_var_lib_t) +@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) + files_pid_filetrans(courier_domain, courier_var_run_t, dir) + + kernel_read_kernel_sysctls(courier_domain) +-kernel_read_system_state(courier_domain) + + corecmd_exec_bin(courier_domain) + +@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain) + + domain_use_interactive_fds(courier_domain) + +-files_read_etc_files(courier_domain) + files_read_etc_runtime_files(courier_domain) +-files_read_usr_files(courier_domain) + + fs_getattr_xattr_fs(courier_domain) + fs_search_auto_mountpoints(courier_domain) + +-logging_send_syslog_msg(courier_domain) +- + sysnet_read_config(courier_domain) + + userdom_dontaudit_use_unpriv_user_fds(courier_domain) +@@ -77,6 +72,10 @@ optional_policy(` + ') + + optional_policy(` ++ mysql_stream_connect(courier_domain) ++') ++ ++optional_policy(` + udev_read_db(courier_domain) + ') + +@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; + create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + ++manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) + manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) + + allow courier_authdaemon_t courier_tcpd_t:process sigchld; +@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) 
+ + libs_read_lib_files(courier_authdaemon_t) + +-miscfiles_read_localization(courier_authdaemon_t) + + userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) + +@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; + + allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; + +-allow courier_pop_t courier_var_lib_t:file { read write }; ++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; + + domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) + +@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) + dev_read_rand(courier_tcpd_t) + dev_read_urand(courier_tcpd_t) + +-miscfiles_read_localization(courier_tcpd_t) + + ######################################## + # +diff --git a/cpucontrol.te b/cpucontrol.te +index 2f1aad6..155a337 100644 +--- a/cpucontrol.te ++++ b/cpucontrol.te +@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain) + init_use_fds(cpucontrol_domain) + init_use_script_ptys(cpucontrol_domain) + +-logging_send_syslog_msg(cpucontrol_domain) +- + userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain) + + optional_policy(` +@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; + read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) + read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) + +-kernel_list_proc(cpucontrol_t) + kernel_read_proc_symlinks(cpucontrol_t) + + dev_read_sysfs(cpucontrol_t) + dev_rw_cpu_microcode(cpucontrol_t) + ++logging_send_syslog_msg(cpucontrol_t) ++ + optional_policy(` + rhgb_use_ptys(cpucontrol_t) + ') +@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t) + + domain_read_all_domains_state(cpuspeed_t) + +-files_read_etc_files(cpuspeed_t) + files_read_etc_runtime_files(cpuspeed_t) + +-miscfiles_read_localization(cpuspeed_t) ++logging_send_syslog_msg(cpuspeed_t) +diff --git a/cpufreqselector.te b/cpufreqselector.te +index a3bbc21..7fd7d8f 100644 +--- 
a/cpufreqselector.te
++++ b/cpufreqselector.te
+@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ # Local policy
+ #
+ 
+-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:capability sys_nice;
+ allow cpufreqselector_t self:process getsched;
+ allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++allow cpufreqselector_t self:process getsched;
+ 
+ kernel_read_system_state(cpufreqselector_t)
+ 
+-files_read_etc_files(cpufreqselector_t)
+-files_read_usr_files(cpufreqselector_t)
+-
+ dev_rw_sysfs(cpufreqselector_t)
+ 
+-miscfiles_read_localization(cpufreqselector_t)
+-
+ userdom_read_all_users_state(cpufreqselector_t)
+-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
++userdom_dontaudit_search_admin_dir(cpufreqselector_t)
+ 
+ optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+@@ -51,3 +47,7 @@ optional_policy(`
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(cpufreqselector_t)
++')
+diff --git a/cron.fc b/cron.fc
+index 6e76215..224142a 100644
+--- a/cron.fc
++++ b/cron.fc
+@@ -3,6 +3,9 @@
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ 
++/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ 
+@@ -12,9 +15,6 @@
+ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ 
+-/var/lib/glpi/files(/.*)? 
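Review bot: The added `allow cpufreqselector_t self:process getsched;` duplicates the identical rule two lines above it in the same hunk (present there as a context line), so the new line should be dropped. Removing `sys_ptrace` from the capability set is a welcome tightening; a short comment on why it had been granted, if known, would help the next reader. Note that `userdom_dontaudit_search_admin_dir` replacing `userdom_dontaudit_search_user_home_dirs` changes which denials get logged rather than what is permitted, so it is not a pure cleanup and deserves a word in the commit description.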
gen_context(system_u:object_r:cron_var_lib_t,s0)
+-
+-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+ /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+ 
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+@@ -27,13 +27,23 @@
+ 
+ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+ 
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]* -- <>
+ 
+-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++ifdef(`distro_gentoo',`
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <>
++')
++
++ifdef(`distro_suse', `
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <>
++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++')
++
++/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/crontabs/.* -- <>
+ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ 
+@@ -43,19 +53,23 @@
+ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ 
++/var/lib/glpi/files(/.*)? 
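Review bot: This hunk drops `/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)` and, unlike `/var/lib/glpi/files` which is re-added in a later hunk, no visible hunk restores it, so on relabel /var/log/cron would fall back to the generic log type and the cron_log_t-specific rules in cron.te would stop applying to it. If the entry moved to another module's .fc, a comment here or a line in the commit description should say so; otherwise it should be kept.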
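Review bot: The `ifdef(`distro_gentoo',`…')` and `ifdef(`distro_suse', `…')` blocks added before `/var/spool/cron/crontabs` duplicate the blocks that remain at the end of the file in the next hunk, so each lastrun/tabs entry is now declared twice; the new copies should be dropped. This hunk also relabels `/var/spool/cron -d` from cron_spool_t to user_cron_spool_t while `/var/spool/cron/crontabs -d` stays cron_spool_t, and removes the user_cron_spool_log_t label on `/var/spool/at/atspool`; both change what crontab_t and cron jobs may touch and deserve a one-line comment on the intent, since nothing in the cron.if hunks in this view explains them.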
gen_context(system_u:object_r:cron_var_lib_t,s0) ++ + ifdef(`distro_debian',` +-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) ++ ++/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) + /var/spool/cron/atjobs/[^/]* -- <> +-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) + ') + + ifdef(`distro_gentoo',` +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) ++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> + ') + +-ifdef(`distro_suse',` +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) ++ifdef(`distro_suse', ` ++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> +-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) + ') +diff --git a/cron.if b/cron.if +index 1303b30..058864e 100644 +--- a/cron.if ++++ b/cron.if +@@ -2,11 +2,12 @@ + + ####################################### + ## +-## The template to define a crontab domain. ++## The common rules for a crontab domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). + ## + ## + # +@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',` + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) + ++ kernel_read_system_state($1_t) ++ + auth_domtrans_chk_passwd($1_t) + auth_use_nsswitch($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ ++ userdom_home_reader($1_t) ++ + ') + + ######################################## + ## +-## Role access for cron. ++## Role access for cron + ## + ## + ## +-## Role allowed access. 
++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + ## +@@ -60,57 +68,37 @@ interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + type user_cron_spool_t, crond_t; +- bool cron_userdomain_transition; + ') + +- ############################## +- # +- # Declarations +- # +- + role $1 types { cronjob_t crontab_t }; + +- ############################## +- # +- # Local policy +- # ++ # cronjob shows up in user ps ++ ps_process_pattern($2, cronjob_t) + ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) + ++ allow crond_t $2:process transition; + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + allow $2 crond_t:process sigchld; + +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; ++ # needs to be authorized SELinux context for cron ++ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint }; + +- allow $2 crontab_t:process { ptrace signal_perms }; ++ # crontab shows up in user ps + ps_process_pattern($2, crontab_t) ++ allow $2 crontab_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 crontab_t:process ptrace; ++ ') + ++ # Run helper programs as the user domain ++ #corecmd_bin_domtrans(crontab_t, $2) ++ #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file entrypoint; +- +- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- +- allow $2 cronjob_t:process { ptrace signal_perms }; +- ps_process_pattern($2, cronjob_t) +- ',` +- dontaudit crond_t $2:process transition; +- dontaudit crond_t $2:fd use; +- dontaudit crond_t $2:key manage_key_perms; +- +- dontaudit $2 user_cron_spool_t:file entrypoint; +- +- dontaudit $2 
crond_t:fifo_file rw_fifo_file_perms; +- +- dontaudit $2 cronjob_t:process { ptrace signal_perms }; +- ') +- + optional_policy(` + gen_require(` + class dbus send_msg; +@@ -119,78 +107,38 @@ interface(`cron_role',` + dbus_stub(cronjob_t) + + allow cronjob_t $2:dbus send_msg; +- ') ++ ') + ') + + ######################################## + ## +-## Role access for unconfined cron. ++## Role access for unconfined cronjobs + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## ++## + # + interface(`cron_unconfined_role',` + gen_require(` +- type unconfined_cronjob_t, crontab_t, crontab_exec_t; +- type crond_t, user_cron_spool_t; +- bool cron_userdomain_transition; ++ type unconfined_cronjob_t; + ') + +- ############################## +- # +- # Declarations +- # +- +- role $1 types { unconfined_cronjob_t crontab_t }; ++ role $1 types unconfined_cronjob_t; + +- ############################## +- # +- # Local policy +- # +- +- domtrans_pattern($2, crontab_exec_t, crontab_t) +- +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; +- +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; +- +- allow $2 crontab_t:process { ptrace signal_perms }; +- ps_process_pattern($2, crontab_t) +- +- corecmd_exec_bin(crontab_t) +- corecmd_exec_shell(crontab_t) +- +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file entrypoint; +- +- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- +- allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; +- ps_process_pattern($2, unconfined_cronjob_t) +- ',` +- dontaudit crond_t $2:process transition; +- dontaudit crond_t $2:fd use; +- dontaudit crond_t $2:key manage_key_perms; +- +- dontaudit $2 user_cron_spool_t:file entrypoint; +- +- dontaudit 
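Review bot: The `cron_userdomain_transition` tunable is gone, so `allow crond_t $2:process transition;` and the `entrypoint` permission on user_cron_spool_t are now unconditional in `cron_role`: every user cron job runs in the user's own domain with no boolean to turn that off. The interface summary still reads "Role access for cron"; state the new behaviour there, e.g. `## Role access for cron; user cron jobs run in the caller's user domain.` The same unconditional transition is added to `cron_admin_role` in the hunk at `@@ -198,85 +146,65 @@`, and the tunable's declaration is removed from cron.te, so any other module still wrapping rules in `tunable_policy(`cron_userdomain_transition'` will fail to build. The `#corecmd_bin_domtrans(crontab_t, $2)` and `#corecmd_shell_domtrans(crontab_t, $2)` lines are commented-out code inside an interface and should be deleted rather than kept.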
$2 crond_t:fifo_file rw_fifo_file_perms; +- +- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; +-') ++ # cronjob shows up in user ps ++ ps_process_pattern($2, unconfined_cronjob_t) ++ allow $2 unconfined_cronjob_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 unconfined_cronjob_t:process ptrace; ++ ') + + optional_policy(` + gen_require(` +@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',` + ') + + dbus_stub(unconfined_cronjob_t) +- + allow unconfined_cronjob_t $2:dbus send_msg; + ') + ') + + ######################################## + ## +-## Role access for admin cron. ++## Role access for cron + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## ++## + # + interface(`cron_admin_role',` + gen_require(` +- type cronjob_t, crontab_exec_t, admin_crontab_t; ++ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; ++ type user_cron_spool_t, crond_t; + class passwd crontab; +- type crond_t, user_cron_spool_t; +- bool cron_userdomain_transition; + ') + +- ############################## +- # +- # Declarations +- # ++ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; + +- role $1 types { cronjob_t admin_crontab_t }; ++ # cronjob shows up in user ps ++ ps_process_pattern($2, cronjob_t) + +- ############################## +- # +- # Local policy +- # ++ # Manipulate other users crontab. ++ allow $2 self:passwd crontab; + ++ # Transition from the user domain to the derived domain. 
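Review bot: `crontab_t` is dropped from `role $1 types` and the `domtrans_pattern($2, crontab_exec_t, crontab_t)` is removed from `cron_unconfined_role`, so a role that is given only this interface can no longer run `crontab` in crontab_t. If the intent is that such roles also call `cron_role`, say so in the interface description, e.g. `## Callers also need cron_role() to edit crontabs.` Gating `ptrace` on `deny_ptrace` matches the other role interfaces in this patch.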
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; ++ # crontab shows up in user ps ++ ps_process_pattern($2, admin_crontab_t) ++ allow $2 admin_crontab_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 admin_crontab_t:process ptrace; ++ ') + +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; ++ allow $2 crond_t:process sigchld; ++ allow crond_t $2:process transition; + +- allow $2 admin_crontab_t:process { ptrace signal_perms }; +- ps_process_pattern($2, admin_crontab_t) ++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + +- # Manipulate other users crontab. +- allow $2 self:passwd crontab; ++ # needs to be authorized SELinux context for cron ++ allow $2 user_cron_spool_t:file entrypoint; + ++ # Run helper programs as the user domain ++ #corecmd_bin_domtrans(admin_crontab_t, $2) ++ #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) + +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file entrypoint; +- +- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- +- allow $2 cronjob_t:process { ptrace signal_perms }; +- ps_process_pattern($2, cronjob_t) +- ',` +- dontaudit crond_t $2:process transition; +- dontaudit crond_t $2:fd use; +- dontaudit crond_t $2:key manage_key_perms; +- +- dontaudit $2 user_cron_spool_t:file entrypoint; +- +- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; +- +- dontaudit $2 cronjob_t:process { ptrace signal_perms }; +- ') +- + optional_policy(` + gen_require(` + class dbus send_msg; +@@ -285,13 +213,13 @@ interface(`cron_admin_role',` + dbus_stub(admin_cronjob_t) + + allow cronjob_t $2:dbus send_msg; +- ') ++ ') + ') + + ######################################## + ## +-## Make 
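Review bot: `admin_crontab_tmp_t` is added to `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };`, but by its name and the way the other `*_tmp_t` types in this patch are declared (`files_tmp_file`) it is a file type, not a process domain, so it does not belong in a role-types statement; use `role $1 types { cronjob_t admin_crontab_t };`. The summary is also changed from "Role access for admin cron" to "Role access for cron", which is now identical to `cron_role`'s summary and loses the distinction; restore `## Role access for admin cron`. `#corecmd_bin_domtrans(admin_crontab_t, $2)` and the line after it are commented-out code and should be removed.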
the specified program domain +-## accessable from the system cron jobs. ++## Make the specified program domain accessable ++## from the system cron jobs. + ## + ## + ## +@@ -307,15 +235,15 @@ interface(`cron_admin_role',` + interface(`cron_system_entry',` + gen_require(` + type crond_t, system_cronjob_t; +- type user_cron_spool_log_t; + ') + +- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) +- + domtrans_pattern(system_cronjob_t, $2, $1) + domtrans_pattern(crond_t, $2, $1) + + role system_r types $1; ++ ++ allow $1 crond_t:fifo_file rw_fifo_file_perms; ++ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## +@@ -333,13 +261,12 @@ interface(`cron_domtrans',` + type system_cronjob_t, crond_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, crond_exec_t, system_cronjob_t) + ') + + ######################################## + ## +-## Execute crond in the caller domain. ++## Execute crond_exec_t + ## + ## + ## +@@ -352,7 +279,6 @@ interface(`cron_exec',` + type crond_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, crond_exec_t) + ') + +@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',` + + ######################################## + ## +-## Use crond file descriptors. ++## Execute crond server in the crond domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cron_systemctl',` ++ gen_require(` ++ type crond_unit_file_t; ++ type crond_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 crond_unit_file_t:file read_file_perms; ++ allow $1 crond_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, crond_t) ++') ++ ++######################################## ++## ++## Inherit and use a file descriptor ++## from the cron daemon. + ## + ## + ## +@@ -394,7 +344,7 @@ interface(`cron_use_fds',` + + ######################################## + ## +-## Send child terminated signals to crond. ++## Send a SIGCHLD signal to the cron daemon. 
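Review bot: The two rules added to `cron_system_entry` grant `rw_fifo_file_perms` on crond_t and system_cronjob_t pipes, while the rewritten `cron_rw_pipes` and `cron_rw_system_job_pipes` in this same patch use `rw_inherited_fifo_file_perms`; a job entered from the daemon only inherits those pipes, so the narrower set is sufficient here and keeps the interfaces consistent: `allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;`. The removed `rw_files_pattern($1, user_cron_spool_log_t, …)` matches the removal of that type in cron.te.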
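Review bot: The summary of the new `cron_systemctl` interface says "Execute crond server in the crond domain", but the body does not transition into crond_t: it lets `$1` run systemctl, read the crond unit file, hold `manage_service_perms` on it, and see crond_t processes. Document what is actually granted, e.g. `## Allow the caller to start, stop and otherwise manage the crond service via systemctl.`, and change the parameter text `## Domain allowed to transition.` to `## Domain allowed access.` Since `manage_service_perms` lets the caller stop the daemon, this interface should only be given to administrative domains, and the summary is where a caller will look for that.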
+ ## + ## + ## +@@ -412,7 +362,7 @@ interface(`cron_sigchld',` + + ######################################## + ## +-## Set the attributes of cron log files. ++## Send a generic signal to cron daemon. + ## + ## + ## +@@ -420,17 +370,17 @@ interface(`cron_sigchld',` + ## + ## + # +-interface(`cron_setattr_log_files',` ++interface(`cron_signal',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') + +- allow $1 cron_log_t:file setattr_file_perms; ++ allow $1 crond_t:process signal; + ') + + ######################################## + ## +-## Create cron log files. ++## Read a cron daemon unnamed pipe. + ## + ## + ## +@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',` + ## + ## + # +-interface(`cron_create_log_files',` ++interface(`cron_read_pipes',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') + +- create_files_pattern($1, cron_log_t, cron_log_t) ++ allow $1 crond_t:fifo_file read_fifo_file_perms; + ') + + ######################################## + ## +-## Write to cron log files. ++## Read crond state files. + ## + ## + ## +@@ -456,18 +406,20 @@ interface(`cron_create_log_files',` + ## + ## + # +-interface(`cron_write_log_files',` ++interface(`cron_read_state_crond',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') + +- allow $1 cron_log_t:file write_file_perms; ++ kernel_search_proc($1) ++ ps_process_pattern($1, crond_t) + ') + ++ + ######################################## + ## +-## Create, read, write and delete +-## cron log files. ++## Send and receive messages from ++## crond over dbus. 
+ ## + ## + ## +@@ -475,48 +427,37 @@ interface(`cron_write_log_files',` + ## + ## + # +-interface(`cron_manage_log_files',` ++interface(`cron_dbus_chat_crond',` + gen_require(` +- type cron_log_t; ++ type crond_t; ++ class dbus send_msg; + ') + +- manage_files_pattern($1, cron_log_t, cron_log_t) +- +- logging_search_logs($1) ++ allow $1 crond_t:dbus send_msg; ++ allow crond_t $1:dbus send_msg; + ') + + ######################################## + ## +-## Create specified objects in generic +-## log directories with the cron log file type. ++## Do not audit attempts to write cron daemon unnamed pipes. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain to not audit. + ## + ## + # +-interface(`cron_generic_log_filetrans_log',` ++interface(`cron_dontaudit_write_pipes',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') + +- logging_log_filetrans($1, cron_log_t, $2, $3) ++ dontaudit $1 crond_t:fifo_file write; + ') + + ######################################## + ## +-## Read cron daemon unnamed pipes. ++## Read and write a cron daemon unnamed pipe. + ## + ## + ## +@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',` + ## + ## + # +-interface(`cron_read_pipes',` ++interface(`cron_rw_pipes',` + gen_require(` + type crond_t; + ') + +- allow $1 crond_t:fifo_file read_fifo_file_perms; ++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write +-## cron daemon unnamed pipes. ++## Read and write inherited user spool files. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`cron_dontaudit_write_pipes',` ++interface(`cron_rw_inherited_user_spool_files',` + gen_require(` +- type crond_t; ++ type user_cron_spool_t; + ') + +- dontaudit $1 crond_t:fifo_file write; ++ allow $1 user_cron_spool_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Read and write crond unnamed pipes. ++## Read and write inherited spool files. + ## + ## + ## +@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',` + ## + ## + # +-interface(`cron_rw_pipes',` ++interface(`cron_rw_inherited_spool_files',` + gen_require(` +- type crond_t; ++ type cron_spool_t; + ') + +- allow $1 crond_t:fifo_file rw_fifo_file_perms; ++ allow $1 cron_spool_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Read and write crond TCP sockets. ++## Read, and write cron daemon TCP sockets. + ## + ## + ## +@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write cron daemon TCP sockets. ++## Dontaudit Read, and write cron daemon TCP sockets. + ## + ## + ## +@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` + + ######################################## + ## +-## Search cron spool directories. ++## Search the directory containing user cron tables. + ## + ## + ## +@@ -627,8 +566,26 @@ interface(`cron_search_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## crond pid files. ++## Search the directory containing user cron tables. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`cron_manage_system_spool',` ++ gen_require(` ++ type cron_system_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) ++') ++ ++######################################## ++## ++## Manage pid files used by cron + ## + ## + ## +@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',` + type crond_var_run_t; + ') + ++ files_search_pids($1) + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) + ') + + ######################################## + ## +-## Execute anacron in the cron +-## system domain. ++## Execute anacron in the cron system domain. + ## + ## + ## +@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',` + type system_cronjob_t, anacron_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) + ') + + ######################################## + ## +-## Use system cron job file descriptors. ++## Inherit and use a file descriptor ++## from system cron jobs. + ## + ## + ## +@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',` + + ######################################## + ## +-## Read system cron job lib files. ++## Write a system cron job unnamed pipe. + ## + ## + ## +@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',` + ## + ## + # +-interface(`cron_read_system_job_lib_files',` ++interface(`cron_write_system_job_pipes',` + gen_require(` +- type system_cronjob_var_lib_t; ++ type system_cronjob_t; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ allow $1 system_cronjob_t:fifo_file write; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## system cron job lib files. ++## Read and write a system cron job unnamed pipe. 
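Review bot: `cron_manage_system_spool` requires `type cron_system_spool_t`, but the type cron.te declares (visible as unchanged context in the cron.te hunk at `@@ -11,46 +11,37 @@`) and cron.fc labels with is `system_cron_spool_t`; unless `cron_system_spool_t` is declared somewhere this patch does not show, the first module that calls this interface will fail to build on the unresolved type. It should read `type system_cron_spool_t;` and `manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)`. Its summary is also copy-pasted from `cron_search_spool` ("Search the directory containing user cron tables."); replace it with `## Create, read, write, and delete system cron table files in the spool.`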
+ ## + ## + ## +@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',` + ## + ## + # +-interface(`cron_manage_system_job_lib_files',` ++interface(`cron_rw_system_job_pipes',` + gen_require(` +- type system_cronjob_var_lib_t; ++ type system_cronjob_t; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## +-## Write system cron job unnamed pipes. ++## Allow read/write unix stream sockets from the system cron jobs. + ## + ## + ## +@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',` + ## + ## + # +-interface(`cron_write_system_job_pipes',` ++interface(`cron_rw_system_job_stream_sockets',` + gen_require(` + type system_cronjob_t; + ') + +- allow $1 system_cronjob_t:file write; ++ allow $1 system_cronjob_t:unix_stream_socket { read write }; + ') + + ######################################## + ## +-## Read and write system cron job +-## unnamed pipes. ++## Read temporary files from the system cron jobs. + ## + ## + ## +@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',` + ## + ## + # +-interface(`cron_rw_system_job_pipes',` ++interface(`cron_read_system_job_tmp_files',` + gen_require(` +- type system_cronjob_t; ++ type system_cronjob_tmp_t, cron_var_run_t; + ') + +- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; ++ files_search_tmp($1) ++ allow $1 system_cronjob_tmp_t:file read_file_perms; ++ ++ files_search_pids($1) ++ allow $1 cron_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Read and write inherited system cron +-## job unix domain stream sockets. ++## Do not audit attempts to append temporary ++## files from the system cron jobs. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`cron_rw_system_job_stream_sockets',` ++interface(`cron_dontaudit_append_system_job_tmp_files',` + gen_require(` +- type system_cronjob_t; ++ type system_cronjob_tmp_t; + ') + +- allow $1 system_cronjob_t:unix_stream_socket { read write }; ++ dontaudit $1 system_cronjob_tmp_t:file append_file_perms; + ') + + ######################################## + ## +-## Read system cron job temporary files. ++## Do not audit attempts to write temporary ++## files from the system cron jobs. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`cron_read_system_job_tmp_files',` ++interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; ++ type cron_var_run_t; + ') + +- files_search_tmp($1) +- allow $1 system_cronjob_tmp_t:file read_file_perms; ++ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ dontaudit $1 cron_var_run_t:file write_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to append temporary +-## system cron job files. ++## Read temporary files from the system cron jobs. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`cron_dontaudit_append_system_job_tmp_files',` ++interface(`cron_read_system_job_lib_files',` + gen_require(` +- type system_cronjob_tmp_t; ++ type system_cronjob_var_lib_t; + ') + +- dontaudit $1 system_cronjob_tmp_t:file append_file_perms; ++ files_search_var_lib($1) ++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + ') + + ######################################## + ## +-## Do not audit attempts to write temporary +-## system cron job files. ++## Manage files from the system cron jobs. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`cron_dontaudit_write_system_job_tmp_files',` ++interface(`cron_manage_system_job_lib_files',` + gen_require(` +- type system_cronjob_tmp_t; ++ type system_cronjob_var_lib_t; + ') + +- dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ files_search_var_lib($1) ++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++') ++ ++####################################### ++## ++## Create, read, write and delete ++## cron log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_manage_log_files',` ++ gen_require(` ++ type cron_log_t; ++ ') ++ ++ manage_files_pattern($1, cron_log_t, cron_log_t) ++ ++ logging_search_logs($1) ++') ++ ++####################################### ++## ++## Create specified objects in generic ++## log directories with the cron log file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`cron_generic_log_filetrans_log',` ++ gen_require(` ++ type cron_log_t; ++ ') ++ ++ logging_log_filetrans($1, cron_log_t, $2, $3) + ') +diff --git a/cron.te b/cron.te +index 28e1b86..f871609 100644 +--- a/cron.te ++++ b/cron.te +@@ -1,4 +1,4 @@ +-policy_module(cron, 2.5.10) ++policy_module(cron, 2.2.1) + + gen_require(` + class passwd rootok; +@@ -11,46 +11,37 @@ gen_require(` + + ## + ##

    +-## Determine whether system cron jobs +-## can relabel filesystem for +-## restoring file contexts. ++## Allow system cron jobs to relabel filesystem ++## for restoring file contexts. + ##

    + ##
    + gen_tunable(cron_can_relabel, false) + + ## + ##

    +-## Determine whether crond can execute jobs +-## in the user domain as opposed to the +-## the generic cronjob domain. +-##

    +-##
    +-gen_tunable(cron_userdomain_transition, false) +- +-## +-##

    +-## Determine whether extra rules +-## should be enabled to support fcron. ++## Enable extra rules in the cron domain ++## to support fcron. + ##

    + ##
    + gen_tunable(fcron_crond, false) + +-attribute cron_spool_type; + attribute crontab_domain; ++attribute cron_spool_type; + + type anacron_exec_t; + application_executable_file(anacron_exec_t) + + type cron_spool_t; +-files_type(cron_spool_t) +-mta_system_content(cron_spool_t) ++files_spool_file(cron_spool_t) + ++# var/lib files + type cron_var_lib_t; + files_type(cron_var_lib_t) + + type cron_var_run_t; + files_pid_file(cron_var_run_t) + ++# var/log files + type cron_log_t; + logging_log_file(cron_log_t) + +@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t) + type crond_initrc_exec_t; + init_script_file(crond_initrc_exec_t) + ++type crond_unit_file_t; ++systemd_unit_file(crond_unit_file_t) ++ + type crond_tmp_t; + files_tmp_file(crond_tmp_t) + files_poly_parent(crond_tmp_t) +@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; + typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; + typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; + typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; ++allow admin_crontab_t crond_t:process signal; + + type system_cron_spool_t, cron_spool_type; +-files_type(system_cron_spool_t) +-mta_system_content(system_cron_spool_t) ++files_spool_file(system_cron_spool_t) + + type system_cronjob_t alias system_crond_t; + init_daemon_domain(system_cronjob_t, anacron_exec_t) + corecmd_shell_entry_type(system_cronjob_t) +-domain_entry_file(system_cronjob_t, system_cron_spool_t) ++role system_r types system_cronjob_t; ++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) + + type system_cronjob_lock_t alias system_crond_lock_t; + files_lock_file(system_cronjob_lock_t) +@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t) + type system_cronjob_tmp_t alias system_crond_tmp_t; + files_tmp_file(system_cronjob_tmp_t) + +-type system_cronjob_var_lib_t; +-files_type(system_cronjob_var_lib_t) +- +-type system_cronjob_var_run_t; 
+-files_pid_file(system_cronjob_var_run_t) ++type unconfined_cronjob_t; ++domain_type(unconfined_cronjob_t) ++domain_cron_exemption_target(unconfined_cronjob_t) + ++# Type of user crontabs once moved to cron spool. + type user_cron_spool_t, cron_spool_type; + typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; + typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; +-files_type(user_cron_spool_t) ++files_spool_file(user_cron_spool_t) + ubac_constrained(user_cron_spool_t) + mta_system_content(user_cron_spool_t) + +-type user_cron_spool_log_t; +-logging_log_file(user_cron_spool_log_t) +-ubac_constrained(user_cron_spool_log_t) +-mta_system_content(user_cron_spool_log_t) ++type system_cronjob_var_lib_t; ++files_type(system_cronjob_var_lib_t) ++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; ++ ++type system_cronjob_var_run_t; ++files_pid_file(system_cronjob_var_run_t) + + ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) + ') + +-############################## +-# +-# Common crontab local policy +-# +- +-allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; +-allow crontab_domain self:process { getcap setsched signal_perms }; +-allow crontab_domain self:fifo_file rw_fifo_file_perms; +- +-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) +-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) +- +-allow crontab_domain cron_spool_t:dir setattr_dir_perms; +- +-allow crontab_domain crond_t:process signal; +-allow crontab_domain crond_var_run_t:file read_file_perms; +- +-kernel_read_system_state(crontab_domain) +- +-selinux_dontaudit_search_fs(crontab_domain) +- +-files_list_spool(crontab_domain) +-files_read_etc_files(crontab_domain) +-files_read_usr_files(crontab_domain) +-files_search_pids(crontab_domain) +- +-fs_getattr_xattr_fs(crontab_domain) 
+-fs_manage_cgroup_dirs(crontab_domain) +-fs_rw_cgroup_files(crontab_domain) +- +-domain_use_interactive_fds(crontab_domain) +- +-fs_dontaudit_rw_anon_inodefs_files(crontab_domain) +- +-auth_rw_var_auth(crontab_domain) +- +-logging_send_syslog_msg(crontab_domain) +-logging_send_audit_msgs(crontab_domain) +-logging_set_loginuid(crontab_domain) +- +-init_dontaudit_write_utmp(crontab_domain) +-init_read_utmp(crontab_domain) +-init_read_state(crontab_domain) +- +-miscfiles_read_localization(crontab_domain) +- +-seutil_read_config(crontab_domain) +- +-userdom_manage_user_tmp_dirs(crontab_domain) +-userdom_manage_user_tmp_files(crontab_domain) +-userdom_use_user_terminals(crontab_domain) +-userdom_read_user_home_content_files(crontab_domain) +-userdom_read_user_home_content_symlinks(crontab_domain) +- +-tunable_policy(`fcron_crond',` +- dontaudit crontab_domain crond_t:process signal; +-') +- + ######################################## + # +-# Admin local policy ++# Admin crontab local policy + # + +-allow admin_crontab_t self:capability fsetid; +-allow admin_crontab_t crond_t:process signal; ++# Allow our crontab domain to unlink a user cron spool file. ++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; + ++# Manipulate other users crontab. 
+ selinux_get_fs_mount(admin_crontab_t) + selinux_validate_context(admin_crontab_t) + selinux_compute_access_vector(admin_crontab_t) +@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t) + selinux_compute_user_contexts(admin_crontab_t) + + tunable_policy(`fcron_crond',` ++ # fcron wants an instant update of a crontab change for the administrator ++ # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; + ') + + ######################################## + # +-# Daemon local policy ++# Cron daemon local policy + # + + allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; +@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec + allow crond_t self:process { setexec setfscreate }; + allow crond_t self:fd use; + allow crond_t self:fifo_file rw_fifo_file_perms; ++allow crond_t self:unix_dgram_socket create_socket_perms; ++allow crond_t self:unix_stream_socket create_stream_socket_perms; + allow crond_t self:unix_dgram_socket sendto; +-allow crond_t self:unix_stream_socket { accept connectto listen }; ++allow crond_t self:unix_stream_socket connectto; + allow crond_t self:shm create_shm_perms; + allow crond_t self:sem create_sem_perms; + allow crond_t self:msgq create_msgq_perms; +@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive }; + allow crond_t self:key { search write link }; + dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; + +-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(crond_t, cron_log_t, cron_log_t) + logging_log_filetrans(crond_t, cron_log_t, file) + + manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) +@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) + + manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) + manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) 
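Review bot: The whole "Common crontab local policy" block for `crontab_domain` is removed here — capabilities, spool file management, the `filetrans_pattern` into user_cron_spool_t, syslog/audit messages, loginuid, utmp and user home reads — and only `kernel_read_system_state`, `logging_send_syslog_msg` and `userdom_home_reader` reappear in `cron_common_crontab_template` in the cron.if hunk at `@@ -36,22 +37,29 @@`. If the remaining rules live in a part of that template this patch does not touch, fine; if not, crontab_t can no longer write user crontabs into the spool or set the login uid, and that should be said explicitly. The `crontab_domain` attribute stays declared but has no visible rule left on it, so it either carries rules elsewhere or should be removed with the block.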
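Review bot: `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` replaces `{ append_file_perms create_file_perms setattr_file_perms }`, so the daemon may now truncate, rewrite and unlink its own log files instead of only appending to them. For a long-running daemon whose log is the record of every job it spawned, append-only is the defensive setting: a misbehaving or compromised crond could otherwise erase that record. If a specific denial motivated this, add only the permission the denial names next to the existing append/create/setattr set, with a comment naming the case, rather than the full manage set.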
+-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) ++files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) + + list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + +-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +- +-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) ++kernel_read_kernel_sysctls(crond_t) ++kernel_read_fs_sysctls(crond_t) ++kernel_search_key(crond_t) + +-allow crond_t system_cronjob_t:process transition; +-allow crond_t system_cronjob_t:fd use; +-allow crond_t system_cronjob_t:key manage_key_perms; ++dev_read_sysfs(crond_t) ++selinux_get_fs_mount(crond_t) ++selinux_validate_context(crond_t) ++selinux_compute_access_vector(crond_t) ++selinux_compute_create_context(crond_t) ++selinux_compute_relabel_context(crond_t) ++selinux_compute_user_contexts(crond_t) + +-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh }; ++dev_read_urand(crond_t) + +-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) ++fs_getattr_all_fs(crond_t) ++fs_search_auto_mountpoints(crond_t) ++fs_list_inotifyfs(crond_t) + +-kernel_read_kernel_sysctls(crond_t) +-kernel_read_fs_sysctls(crond_t) +-kernel_search_key(crond_t) ++# need auth_chkpwd to check for locked accounts. 
++auth_domtrans_chk_passwd(crond_t) ++auth_manage_var_auth(crond_t) + + corecmd_exec_shell(crond_t) +-corecmd_exec_bin(crond_t) + corecmd_list_bin(crond_t) +- +-dev_read_sysfs(crond_t) +-dev_read_urand(crond_t) ++corecmd_exec_bin(crond_t) ++corecmd_read_bin_symlinks(crond_t) + + domain_use_interactive_fds(crond_t) + domain_subj_id_change_exemption(crond_t) + domain_role_change_exemption(crond_t) + +-fs_getattr_all_fs(crond_t) +-fs_list_inotifyfs(crond_t) +-fs_manage_cgroup_dirs(crond_t) +-fs_rw_cgroup_files(crond_t) +-fs_search_auto_mountpoints(crond_t) +- +-files_read_usr_files(crond_t) + files_read_etc_runtime_files(crond_t) + files_read_generic_spool(crond_t) + files_list_usr(crond_t) ++# Read from /var/spool/cron. + files_search_var_lib(crond_t) + files_search_default(crond_t) ++files_read_all_locks(crond_t) + +-mls_fd_share_all_levels(crond_t) ++fs_manage_cgroup_dirs(crond_t) ++fs_manage_cgroup_files(crond_t) ++ ++# needed by "crontab -e" + mls_file_read_all_levels(crond_t) + mls_file_write_all_levels(crond_t) ++ ++# needed because of kernel check of transition + mls_process_set_level(crond_t) +-mls_trusted_object(crond_t) + +-selinux_get_fs_mount(crond_t) +-selinux_validate_context(crond_t) +-selinux_compute_access_vector(crond_t) +-selinux_compute_create_context(crond_t) +-selinux_compute_relabel_context(crond_t) +-selinux_compute_user_contexts(crond_t) ++# to make cronjob working ++mls_fd_share_all_levels(crond_t) ++mls_trusted_object(crond_t) + + init_read_state(crond_t) + init_rw_utmp(crond_t) + init_spec_domtrans_script(crond_t) + +-auth_domtrans_chk_passwd(crond_t) +-auth_manage_var_auth(crond_t) + auth_use_nsswitch(crond_t) + + logging_send_audit_msgs(crond_t) +@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t) + + seutil_read_config(crond_t) + seutil_read_default_contexts(crond_t) ++seutil_sigchld_newrole(crond_t) + +-miscfiles_read_localization(crond_t) + ++userdom_use_unpriv_users_fds(crond_t) ++# Not sure why this is needed + 
userdom_list_user_home_dirs(crond_t) ++userdom_list_admin_dir(crond_t) ++userdom_manage_all_users_keys(crond_t) + +-tunable_policy(`cron_userdomain_transition',` +- dontaudit crond_t cronjob_t:process transition; +- dontaudit crond_t cronjob_t:fd use; +- dontaudit crond_t cronjob_t:key manage_key_perms; +-',` +- allow crond_t cronjob_t:process transition; +- allow crond_t cronjob_t:fd use; +- allow crond_t cronjob_t:key manage_key_perms; +-') ++mta_send_mail(crond_t) ++mta_system_content(cron_spool_t) + + ifdef(`distro_debian',` ++ # pam_limits is used + allow crond_t self:process setrlimit; + +- optional_policy(` +- logwatch_search_cache_dir(crond_t) +- ') ++') ++ ++optional_policy(` ++ logwatch_search_cache_dir(crond_t) ++') ++ ++optional_policy(` ++ bind_read_config(crond_t) + ') + + ifdef(`distro_redhat',` ++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files ++ # via redirection of standard out. + optional_policy(` + rpm_manage_log(crond_t) + ') + ') + +-tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(crond_t) + ') + +-tunable_policy(`fcron_crond',` +- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; ++tunable_policy(`fcron_crond', ` ++ allow crond_t system_cron_spool_t:file manage_file_perms; + ') + + optional_policy(` +@@ -353,102 +297,136 @@ optional_policy(` + ') + + optional_policy(` +- dbus_system_bus_client(crond_t) +- +- optional_policy(` +- hal_dbus_chat(crond_t) +- ') +- +- optional_policy(` +- unconfined_dbus_send(crond_t) +- ') ++ djbdns_search_tinydns_keys(crond_t) ++ djbdns_link_tinydns_keys(crond_t) + ') + + optional_policy(` +- amanda_search_var_lib(crond_t) ++ locallogin_search_keys(crond_t) ++ locallogin_link_keys(crond_t) + ') + + optional_policy(` +- amavis_search_lib(crond_t) ++ # these should probably be unconfined_crond_t ++ dbus_system_bus_client(crond_t) ++ init_dbus_send_script(crond_t) ++ 
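Review bot: The comment `# needed by "crontab -e"` added above `mls_file_read_all_levels(crond_t)` and `mls_file_write_all_levels(crond_t)` in the `@@ -237,72 +180,68 @@` hunk attributes a daemon rule to a command that runs in the crontab domains, not in crond_t, so it will mislead the next reader about why the daemon touches files at every MLS level. I would reword it to describe the daemon's own need, e.g. `# crond reads and writes crontabs owned by users at any MLS level`, or drop it. The same hunk widens `fs_rw_cgroup_files(crond_t)` to `fs_manage_cgroup_files(crond_t)` with no comment, although most neighbouring lines now carry one.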
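Review bot: `userdom_manage_all_users_keys(crond_t)` is added in the `@@ -311,41 +250,46 @@` hunk without a comment, while the same hunk removes the per-domain `allow crond_t cronjob_t:key manage_key_perms;` that the old `cron_userdomain_transition` branch granted, and the cronjob_t block added later in this patch re-adds transition, fd and sigchld rules but no key rule. That only holds together if cronjob_t carries the user-domain attribute the interface targets, which is not visible here; please confirm, and either keep the explicit key rule next to the new transition rules or add a line such as `# crond builds the per-job session keyring for any user domain` above the attribute-wide grant. `mta_send_mail(crond_t)` also moves out of `optional_policy` in this hunk, which makes mta a hard link-time dependency if it is a separately loadable module on the target.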
init_dbus_chat(crond_t) + ') + + optional_policy(` +- djbdns_search_tinydns_keys(crond_t) +- djbdns_link_tinydns_keys(crond_t) ++ amanda_search_var_lib(crond_t) + ') + + optional_policy(` +- hal_write_log(crond_t) ++ antivirus_search_db(crond_t) + ') + + optional_policy(` +- locallogin_search_keys(crond_t) +- locallogin_link_keys(crond_t) ++ hal_dbus_chat(crond_t) ++ hal_write_log(crond_t) ++ hal_dbus_chat(system_cronjob_t) + ') + + optional_policy(` +- mta_send_mail(crond_t) ++ # cjp: why? ++ munin_search_lib(crond_t) + ') + + optional_policy(` +- munin_search_lib(crond_t) ++ rpc_search_nfs_state_data(crond_t) + ') + + optional_policy(` +- postgresql_search_db(crond_t) ++ # Commonly used from postinst scripts ++ rpm_read_pipes(crond_t) + ') + + optional_policy(` +- rpc_search_nfs_state_data(crond_t) ++ # allow crond to find /usr/lib/postgresql/bin/do.maintenance ++ postgresql_search_db(crond_t) + ') + + optional_policy(` +- rpm_read_pipes(crond_t) ++ systemd_use_fds_logind(crond_t) ++ systemd_write_inherited_logind_sessions_pipes(crond_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(crond_t) ++ udev_read_db(crond_t) + ') + + optional_policy(` +- udev_read_db(crond_t) ++ vnstatd_search_lib(crond_t) + ') + + ######################################## + # +-# System local policy ++# System cron process domain + # + + allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; ++ + allow system_cronjob_t self:process { signal_perms getsched setsched }; + allow system_cronjob_t self:fifo_file rw_fifo_file_perms; + allow system_cronjob_t self:passwd rootok; + +-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++# This is to handle creation of files in /var/log directory. 
++# Used currently by rpm script log files ++allow system_cronjob_t cron_log_t:file manage_file_perms; + logging_log_filetrans(system_cronjob_t, cron_log_t, file) + ++# This is to handle /var/lib/misc directory. Used currently ++# by prelink var/lib files for cron + allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; + files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) + + allow system_cronjob_t cron_var_run_t:file manage_file_perms; + files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) + ++allow system_cronjob_t system_cron_spool_t:file read_file_perms; ++ ++mls_file_read_to_clearance(system_cronjob_t) ++ ++# anacron forces the following + manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) + ++# The entrypoint interface is not used as this is not ++# a regular entrypoint. Since crontab files are ++# not directly executed, crond must ensure that ++# the crontab file has a type that is appropriate ++# for the domain of the user cron job. It ++# performs an entrypoint permission check ++# for this purpose. ++allow system_cronjob_t system_cron_spool_t:file entrypoint; ++ ++# Permit a transition from the crond_t domain to this domain. ++# The transition is requested explicitly by the modified crond ++# via setexeccon. There is no way to set up an automatic ++# transition, since crontabs are configuration files, not executables. ++allow crond_t system_cronjob_t:process transition; ++dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; ++allow crond_t system_cronjob_t:fd use; ++allow system_cronjob_t crond_t:fd use; ++allow system_cronjob_t crond_t:fifo_file rw_file_perms; ++allow system_cronjob_t crond_t:process sigchld; ++allow crond_t system_cronjob_t:key manage_key_perms; ++ ++# Write /var/lock/makewhatis.lock. 
+ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; + files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) + ++# write temporary files ++manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) + manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) + manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) +-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) ++filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file }) ++files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file }) + ++# var/lib files for system_crond ++files_search_var_lib(system_cronjob_t) + manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + +-allow system_cronjob_t crond_t:fd use; +-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms; +-allow system_cronjob_t crond_t:process sigchld; +- ++# Read from /var/spool/cron. 
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms; + allow system_cronjob_t cron_spool_t:file rw_file_perms; + +@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t) + kernel_read_system_state(system_cronjob_t) + kernel_read_software_raid_state(system_cronjob_t) + ++# ps does not need to access /boot when run from cron + files_dontaudit_search_boot(system_cronjob_t) + + corecmd_exec_all_executables(system_cronjob_t) + +-corenet_all_recvfrom_unlabeled(system_cronjob_t) + corenet_all_recvfrom_netlabel(system_cronjob_t) + corenet_tcp_sendrecv_generic_if(system_cronjob_t) + corenet_udp_sendrecv_generic_if(system_cronjob_t) +@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t) + fs_getattr_all_pipes(system_cronjob_t) + fs_getattr_all_sockets(system_cronjob_t) + ++# quiet other ps operations + domain_dontaudit_read_all_domains_state(system_cronjob_t) + + files_exec_etc_files(system_cronjob_t) +@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t) + files_getattr_all_symlinks(system_cronjob_t) + files_getattr_all_pipes(system_cronjob_t) + files_getattr_all_sockets(system_cronjob_t) +-files_read_usr_files(system_cronjob_t) + files_read_var_files(system_cronjob_t) ++# for nscd: + files_dontaudit_search_pids(system_cronjob_t) ++# Access other spool directories like ++# /var/spool/anacron and /var/spool/slrnpull. 
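Review bot: `allow system_cronjob_t crond_t:fifo_file rw_file_perms;` in the `@@ -353,102 +297,136 @@` hunk replaces the removed `rw_fifo_file_perms` form with a file permission set on a fifo_file class; the two sets are close enough that it is probably not a functional change, but the fifo-specific macro is the idiom used elsewhere in this module (`allow crond_t self:fifo_file rw_fifo_file_perms;`), so I would keep `rw_fifo_file_perms` here. The hunk also adds `allow system_cronjob_t system_cron_spool_t:file read_file_perms;` a few lines above `manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)`, which already implies it, and the narrower line wrongly suggests the access is read-only. The new comment `# these should probably be unconfined_crond_t` names a domain that appears nowhere in this patch; if it is planned, say so, otherwise drop the comment.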
+ files_manage_generic_spool(system_cronjob_t) + files_create_boot_flag(system_cronjob_t) + +-mls_file_read_to_clearance(system_cronjob_t) +- + init_use_script_fds(system_cronjob_t) ++init_read_utmp(system_cronjob_t) ++init_dontaudit_rw_utmp(system_cronjob_t) ++# prelink tells init to restart it self, we either need to allow or dontaudit ++init_telinit(system_cronjob_t) + init_domtrans_script(system_cronjob_t) + + auth_use_nsswitch(system_cronjob_t) +@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t) + logging_send_audit_msgs(system_cronjob_t) + logging_send_syslog_msg(system_cronjob_t) + +-miscfiles_read_localization(system_cronjob_t) +- + seutil_read_config(system_cronjob_t) + ++userdom_manage_tmpfs_files(system_cronjob_t, file) ++userdom_tmpfs_filetrans(system_cronjob_t, file) ++ + ifdef(`distro_redhat',` ++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files ++ allow crond_t system_cron_spool_t:file manage_file_perms; ++ ++ # via redirection of standard out. 
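Review bot: `init_telinit(system_cronjob_t)` in the `@@ -491,15 +470,19 @@` hunk lets every system cron job ask init to change runlevel, while the comment above it says the only goal is to stop prelink's restart request from producing a denial. If silencing is enough, a dontaudit rule achieves that without granting the access; if the access is genuinely required, it belongs inside the existing `prelink` `optional_policy` block later in this file rather than on all system cron jobs. Either way the comment should record the decision, e.g. `# prelink asks init to re-exec itself; allowed (not dontaudited) because ...`.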
+ optional_policy(` + rpm_manage_log(system_cronjob_t) + ') + ') + ++selinux_get_fs_mount(system_cronjob_t) ++ + tunable_policy(`cron_can_relabel',` + seutil_domtrans_setfiles(system_cronjob_t) + ',` +- selinux_get_fs_mount(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) +@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',` + ') + + optional_policy(` ++ # Needed for certwatch + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) ++ apache_delete_cache_dirs(system_cronjob_t) ++ apache_delete_cache_files(system_cronjob_t) ++') ++ ++optional_policy(` ++ bind_read_config(system_cronjob_t) + ') + + optional_policy(` +@@ -546,10 +542,6 @@ optional_policy(` + + optional_policy(` + dbus_system_bus_client(system_cronjob_t) +- +- optional_policy(` +- networkmanager_dbus_chat(system_cronjob_t) +- ') + ') + + optional_policy(` +@@ -581,6 +573,7 @@ optional_policy(` + optional_policy(` + mta_read_config(system_cronjob_t) + mta_send_mail(system_cronjob_t) ++ mta_system_content(system_cron_spool_t) + ') + + optional_policy(` +@@ -588,15 +581,19 @@ optional_policy(` + ') + + optional_policy(` +- postfix_read_config(system_cronjob_t) ++ networkmanager_dbus_chat(system_cronjob_t) + ') + + optional_policy(` ++ postfix_read_config(system_cronjob_t) ++') ++ ++optional_policy(` + prelink_delete_cache(system_cronjob_t) + prelink_manage_lib(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) +- prelink_relabelfrom_lib(system_cronjob_t) ++ prelink_relabel_lib(system_cronjob_t) + ') + + optional_policy(` +@@ -606,6 +603,7 @@ optional_policy(` + + optional_policy(` + spamassassin_manage_lib_files(system_cronjob_t) ++ spamassassin_manage_home_client(system_cronjob_t) + ') + + optional_policy(` +@@ -613,12 +611,24 @@ 
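Review bot: `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted in the `@@ -511,20 +494,26 @@` hunk between the two halves of the existing rpm comment (`# Run the rpm program ... RPM log files` / `# via redirection of standard out.`), so it reads as part of the rpm justification and sits in the system_cronjob_t section although it is a crond_t rule. It also makes the daemon's write and unlink access to system crontabs unconditional on distro_redhat, whereas the identical rule earlier in this file is gated behind the `fcron_crond` tunable; if bypassing the gate on Red Hat is intended, say so in a comment, otherwise move the rule next to the tunable and keep it gated. Please also restore the rpm comment as two adjacent lines.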
optional_policy(` + ') + + optional_policy(` +- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ++ systemd_dbus_chat_logind(system_cronjob_t) ++ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) ++') ++ ++optional_policy(` ++ unconfined_domain(crond_t) ++ unconfined_domain(system_cronjob_t) ++') ++ ++optional_policy(` ++ unconfined_shell_domtrans(crond_t) ++ unconfined_dbus_send(crond_t) ++ userdom_filetrans_home_content(crond_t) + ') + + ######################################## + # +-# Cronjob local policy ++# User cronjobs local policy + # + + allow cronjob_t self:process { signal_perms setsched }; +@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; + allow cronjob_t self:unix_stream_socket create_stream_socket_perms; + allow cronjob_t self:unix_dgram_socket create_socket_perms; + ++# The entrypoint interface is not used as this is not ++# a regular entrypoint. Since crontab files are ++# not directly executed, crond must ensure that ++# the crontab file has a type that is appropriate ++# for the domain of the user cron job. It ++# performs an entrypoint permission check ++# for this purpose. ++allow cronjob_t user_cron_spool_t:file entrypoint; ++ ++# Permit a transition from the crond_t domain to this domain. ++# The transition is requested explicitly by the modified crond ++# via setexeccon. There is no way to set up an automatic ++# transition, since crontabs are configuration files, not executables. 
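Review bot: The new `optional_policy` block calling `unconfined_domain(crond_t)` and `unconfined_domain(system_cronjob_t)` in the `@@ -613,12 +611,24 @@` hunk makes the cron daemon and every system cron job unconfined whenever the unconfined module is loaded, with no boolean and no comment, so all the crond_t and system_cronjob_t rules in this file become dead policy on such systems and an administrator cannot keep cron confined without removing the whole unconfined module. crond_t is also the domain that performs the setexeccon-driven transitions into the per-user job domains, so this is a sizeable trust expansion. I would gate it behind a tunable in the style of the other `tunable_policy` blocks here, or at least add a comment explaining why unconditional unconfinement is the intended default.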
++allow crond_t cronjob_t:process transition; ++dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; ++allow crond_t cronjob_t:fd use; ++allow cronjob_t crond_t:fd use; ++allow cronjob_t crond_t:fifo_file rw_file_perms; ++allow cronjob_t crond_t:process sigchld; ++ + kernel_read_system_state(cronjob_t) + kernel_read_kernel_sysctls(cronjob_t) + ++# ps does not need to access /boot when run from cron + files_dontaudit_search_boot(cronjob_t) + +-corenet_all_recvfrom_unlabeled(cronjob_t) + corenet_all_recvfrom_netlabel(cronjob_t) + corenet_tcp_sendrecv_generic_if(cronjob_t) + corenet_udp_sendrecv_generic_if(cronjob_t) +@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) + corenet_udp_sendrecv_generic_node(cronjob_t) + corenet_tcp_sendrecv_all_ports(cronjob_t) + corenet_udp_sendrecv_all_ports(cronjob_t) +- +-corenet_sendrecv_all_client_packets(cronjob_t) + corenet_tcp_connect_all_ports(cronjob_t) +- +-corecmd_exec_all_executables(cronjob_t) ++corenet_sendrecv_all_client_packets(cronjob_t) + + dev_read_urand(cronjob_t) + + fs_getattr_all_fs(cronjob_t) + ++corecmd_exec_all_executables(cronjob_t) ++ ++# quiet other ps operations + domain_dontaudit_read_all_domains_state(cronjob_t) + domain_dontaudit_getattr_all_domains(cronjob_t) + + files_exec_etc_files(cronjob_t) +-files_read_etc_runtime_files(cronjob_t) +-files_read_var_files(cronjob_t) +-files_read_usr_files(cronjob_t) +-files_search_spool(cronjob_t) ++# for nscd: + files_dontaudit_search_pids(cronjob_t) + + libs_exec_lib_files(cronjob_t) + libs_exec_ld_so(cronjob_t) + ++files_read_etc_runtime_files(cronjob_t) ++files_read_var_files(cronjob_t) ++files_search_spool(cronjob_t) ++ + logging_search_logs(cronjob_t) + + seutil_read_config(cronjob_t) + +-miscfiles_read_localization(cronjob_t) + + userdom_manage_user_tmp_files(cronjob_t) + userdom_manage_user_tmp_symlinks(cronjob_t) + userdom_manage_user_tmp_pipes(cronjob_t) + userdom_manage_user_tmp_sockets(cronjob_t) ++# Run scripts in user 
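Review bot: `allow crond_t cronjob_t:process transition;` and the fd/sigchld rules added in the `@@ -626,12 +636,32 @@` hunk are unconditional, replacing the `cron_userdomain_transition` tunable that previously let an administrator switch the daemon-to-user-job transition off (its branches are removed elsewhere in this patch). If the matching `gen_tunable` declaration is still present earlier in the file, it is now dead and should be removed; otherwise the comment block above these rules should say the knob was dropped deliberately, since the existing text only explains why the transition cannot be automatic. The hunk also uses `rw_file_perms` on `cronjob_t crond_t:fifo_file`, where `rw_fifo_file_perms` is the idiom used elsewhere in this module.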
home directory and access shared libs. + userdom_exec_user_home_content_files(cronjob_t) ++# Access user files and dirs. + userdom_manage_user_home_content_files(cronjob_t) + userdom_manage_user_home_content_symlinks(cronjob_t) + userdom_manage_user_home_content_pipes(cronjob_t) + userdom_manage_user_home_content_sockets(cronjob_t) + +-tunable_policy(`cron_userdomain_transition',` +- dontaudit cronjob_t crond_t:fd use; +- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms; +- dontaudit cronjob_t crond_t:process sigchld; +- +- dontaudit cronjob_t user_cron_spool_t:file entrypoint; +-',` +- allow cronjob_t crond_t:fd use; +- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms; +- allow cronjob_t crond_t:process sigchld; ++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++allow crond_t user_cron_spool_t:file manage_lnk_file_perms; + +- allow cronjob_t user_cron_spool_t:file entrypoint; ++tunable_policy(`fcron_crond',` ++ allow crond_t user_cron_spool_t:file manage_file_perms; + ') + ++# need a per-role version of this: ++#optional_policy(` ++# mono_domtrans(cronjob_t) ++#') ++ + optional_policy(` + nis_use_ypbind(cronjob_t) + ') + + ######################################## + # +-# Unconfined local policy ++# Unconfined cronjobs local policy + # + + optional_policy(` +- type unconfined_cronjob_t; +- domain_type(unconfined_cronjob_t) +- domain_cron_exemption_target(unconfined_cronjob_t) +- ++ # Permit a transition from the crond_t domain to this domain. ++ # The transition is requested explicitly by the modified crond ++ # via setexeccon. There is no way to set up an automatic ++ # transition, since crontabs are configuration files, not executables. 
++ allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; ++ allow crond_t unconfined_cronjob_t:fd use; + + unconfined_domain(unconfined_cronjob_t) ++') + +- tunable_policy(`cron_userdomain_transition',` +- dontaudit crond_t unconfined_cronjob_t:process transition; +- dontaudit crond_t unconfined_cronjob_t:fd use; +- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; +- ',` +- allow crond_t unconfined_cronjob_t:process transition; +- allow crond_t unconfined_cronjob_t:fd use; +- allow crond_t unconfined_cronjob_t:key manage_key_perms; +- ') ++############################## ++# ++# crontab common policy ++# ++ ++# dac_override is to create the file in the directory under /tmp ++allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; ++allow crontab_domain self:process { getcap setsched signal_perms }; ++allow crontab_domain self:fifo_file rw_fifo_file_perms; ++ ++allow crontab_domain crond_t:process signal; ++allow crontab_domain crond_var_run_t:file read_file_perms; ++ ++# create files in /var/spool/cron ++manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) ++filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) ++files_list_spool(crontab_domain) ++ ++# crontab signals crond by updating the mtime on the spooldir ++allow crontab_domain cron_spool_t:dir setattr_dir_perms; ++ ++# for the checks used by crontab -u ++selinux_dontaudit_search_fs(crontab_domain) ++ ++fs_getattr_xattr_fs(crontab_domain) ++fs_manage_cgroup_dirs(crontab_domain) ++fs_manage_cgroup_files(crontab_domain) ++ ++domain_use_interactive_fds(crontab_domain) ++ ++files_dontaudit_search_pids(crontab_domain) ++ ++fs_dontaudit_rw_anon_inodefs_files(crontab_domain) ++ ++auth_rw_var_auth(crontab_domain) ++ ++logging_send_audit_msgs(crontab_domain) ++logging_set_loginuid(crontab_domain) ++ ++init_dontaudit_write_utmp(crontab_domain) 
++init_read_utmp(crontab_domain) ++init_read_state(crontab_domain) ++ ++ ++seutil_read_config(crontab_domain) ++ ++userdom_manage_user_tmp_dirs(crontab_domain) ++userdom_manage_user_tmp_files(crontab_domain) ++# Access terminals. ++userdom_use_inherited_user_terminals(crontab_domain) ++# Read user crontabs ++userdom_read_user_home_content_files(crontab_domain) ++userdom_read_user_home_content_symlinks(crontab_domain) ++ ++tunable_policy(`fcron_crond',` ++ # fcron wants an instant update of a crontab change for the administrator ++ # also crontab does a security check for crontab -u ++ dontaudit crontab_domain crond_t:process signal; ++') ++ ++optional_policy(` ++ ssh_dontaudit_use_ptys(crontab_domain) ++') ++ ++optional_policy(` ++ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain) ++ openshift_transition(system_cronjob_t) + ') +diff --git a/ctdb.fc b/ctdb.fc +index 8401fe6..507804b 100644 +--- a/ctdb.fc ++++ b/ctdb.fc +@@ -2,6 +2,8 @@ + + /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + ++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) ++ + /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) + + /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) +diff --git a/ctdb.if b/ctdb.if +index b25b01d..e99c5c6 100644 +--- a/ctdb.if ++++ b/ctdb.if +@@ -1,9 +1,144 @@ +-## Clustered Database based on Samba Trivial Database. ++ ++## policy for ctdbd ++ ++######################################## ++## ++## Transition to ctdbd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ctdbd_domtrans',` ++ gen_require(` ++ type ctdbd_t, ctdbd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t) ++') ++ ++######################################## ++## ++## Execute ctdbd server in the ctdbd domain. ++## ++## ++## ++## Domain allowed access. 
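Review bot: `fs_manage_cgroup_dirs(crontab_domain)` and `fs_manage_cgroup_files(crontab_domain)` in the `@@ -639,84 +669,148 @@` hunk give every crontab client domain create and delete access to cgroup filesystem entries, which is far beyond what editing a crontab needs, and unlike the neighbouring `dac_override` line they carry no comment naming the denial they fix. A comment such as `# crontab(1) touches /sys/fs/cgroup on systemd hosts — TODO narrow to search/getattr if that is all it needs` would at least record the intent. The same hunk drops `allow crond_t unconfined_cronjob_t:key manage_key_perms;` while keeping the key rule for system_cronjob_t, which presumably relies on `userdom_manage_all_users_keys(crond_t)` covering unconfined_cronjob_t; please confirm. `openshift_transition(system_cronjob_t)` is placed inside the crontab_domain `optional_policy` block at the end of the section and would read better next to the other system_cronjob_t rules.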
++## ++## ++# ++interface(`ctdbd_initrc_domtrans',` ++ gen_require(` ++ type ctdbd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read ctdbd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`ctdbd_read_log',` ++ gen_require(` ++ type ctdbd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t) ++') ++ ++######################################## ++## ++## Append to ctdbd log files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ctdbd_append_log',` ++ gen_require(` ++ type ctdbd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t) ++') + + ######################################## + ## +-## Create, read, write, and delete +-## ctdbd lib files. ++## Manage ctdbd log files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`ctdbd_manage_log',` ++ gen_require(` ++ type ctdbd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t) ++ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t) ++ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t) ++') ++ ++######################################## ++## ++## Search ctdbd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_search_lib',` ++ gen_require(` ++ type ctdbd_var_lib_t; ++ ') ++ ++ allow $1 ctdbd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read ctdbd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_read_lib_files',` ++ gen_require(` ++ type ctdbd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage ctdbd lib files. 
+ ## + ## + ## +@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',` + ') + + files_search_var_lib($1) +- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ++ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) + ') + +-####################################### ++######################################## + ## +-## Connect to ctdbd with a unix +-## domain stream socket. ++## Manage ctdbd lib files. + ## + ## + ## +@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',` + ## + ## + # +-interface(`ctdbd_stream_connect',` ++interface(`ctdbd_manage_var_files',` + gen_require(` +- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; ++ type ctdbd_var_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t) ++') ++ ++######################################## ++## ++## Manage ctdbd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_manage_lib_dirs',` ++ gen_require(` ++ type ctdbd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ++') ++ ++######################################## ++## ++## Read ctdbd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_read_pid_files',` ++ gen_require(` ++ type ctdbd_var_run_t; + ') + + files_search_pids($1) +- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t) ++ allow $1 ctdbd_var_run_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Connect to ctdbd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. 
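Review bot: Several parameter descriptions in the new interfaces of the `@@ -1,9 +1,144 @@` hunk are copy-paste leftovers: `ctdbd_manage_log` describes its parameter as `Domain to not audit.` although it grants manage access, and `ctdbd_append_log` says `Domain allowed to transition.` for an append rule. Both should read `Domain allowed access.` like the neighbouring interfaces. The file header also trades the module summary `Clustered Database based on Samba Trivial Database.` for `policy for ctdbd`; restoring the fuller description costs nothing.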
++## ++## ++# ++interface(`ctdbd_stream_connect',` ++ gen_require(` ++ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) ++ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an ctdb environment. ++## All of the rules required to administrate ++## an ctdbd environment + ## + ## + ## +@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',` + ## + ## + # +-interface(`ctdb_admin',` ++interface(`ctdbd_admin',` + gen_require(` +- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; ++ type ctdbd_t, ctdbd_initrc_exec_t; + type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; + ') + +- allow $1 ctdbd_t:process { ptrace signal_perms }; ++ allow $1 ctdbd_t:process signal_perms; + ps_process_pattern($1, ctdbd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ctdbd_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) ++ ctdbd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ctdbd_initrc_exec_t system_r; + allow $2 system_r; +@@ -74,12 +269,10 @@ interface(`ctdb_admin',` + logging_search_logs($1) + admin_pattern($1, ctdbd_log_t) + +- files_search_tmp($1) +- admin_pattern($1, ctdbd_tmp_t) +- + files_search_var_lib($1) + admin_pattern($1, ctdbd_var_lib_t) + + files_search_pids($1) + admin_pattern($1, ctdbd_var_run_t) + ') ++ +diff --git a/ctdb.te b/ctdb.te +index 6ce66e7..03bc338 100644 +--- a/ctdb.te ++++ b/ctdb.te +@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) + type ctdbd_var_lib_t; + files_type(ctdbd_var_lib_t) + ++type ctdbd_var_t; ++files_type(ctdbd_var_t) ++ + type ctdbd_var_run_t; + files_pid_file(ctdbd_var_run_t) + +@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t) + # + + allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; ++allow ctdbd_t self:capability2 block_suspend; + 
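Review bot: `ctdbd_manage_var_files` in the `@@ -31,19 +165,77 @@` hunk calls `files_search_var_lib($1)` and its summary says `Manage ctdbd lib files`, but the type it manages is `ctdbd_var_t`, which this patch labels on `/var/ctdb` in ctdb.fc and creates with `files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")` in ctdb.te. Callers therefore get search on /var/lib rather than on /var, so the interface should call `files_search_var($1)` and the summary should say `Manage ctdbd files under /var/ctdb.`. The `ctdbd_read_pid_files` interface added in the same hunk looks correct.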
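Review bot: The admin interface is renamed from `ctdb_admin` to `ctdbd_admin` in the `@@ -57,16 +249,19 @@` hunk, which breaks any module or local policy still calling the old name; a deprecated alias or a changelog note is warranted unless no callers exist. The same hunk drops `ctdbd_tmp_t` from the `gen_require`, and the admin pattern for it goes away in the following hunk, so administrators lose manage access to the daemon's tmp files; that may be intentional but deserves a comment. Moving `ptrace` behind the `deny_ptrace` tunable is a good change.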
allow ctdbd_t self:process { setpgid signal_perms setsched }; + allow ctdbd_t self:fifo_file rw_fifo_file_perms; + allow ctdbd_t self:unix_stream_socket { accept connectto listen }; + allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; + allow ctdbd_t self:packet_socket create_socket_perms; + allow ctdbd_t self:tcp_socket create_stream_socket_perms; ++allow ctdbd_t self:udp_socket create_socket_perms; + + append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) + create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) +@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) + ++manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) ++manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) ++manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) ++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb") ++ + manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) + manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) + files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) +@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) + corenet_tcp_sendrecv_generic_if(ctdbd_t) + corenet_tcp_sendrecv_generic_node(ctdbd_t) + corenet_tcp_bind_generic_node(ctdbd_t) ++corenet_udp_bind_generic_node(ctdbd_t) + + corenet_sendrecv_ctdb_server_packets(ctdbd_t) + corenet_tcp_bind_ctdb_port(ctdbd_t) ++corenet_udp_bind_ctdb_port(ctdbd_t) + corenet_tcp_sendrecv_ctdb_port(ctdbd_t) + + corecmd_exec_bin(ctdbd_t) +@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t) + + domain_dontaudit_read_all_domains_state(ctdbd_t) + +-files_read_etc_files(ctdbd_t) + files_search_all_mountpoints(ctdbd_t) + ++auth_read_passwd(ctdbd_t) ++ + logging_send_syslog_msg(ctdbd_t) + +-miscfiles_read_localization(ctdbd_t) + miscfiles_read_public_files(ctdbd_t) + + optional_policy(` +@@ -109,6 +121,7 @@ optional_policy(` + 
samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
++ samba_systemctl(ctdbd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/cups.fc b/cups.fc
+index 949011e..afe482b 100644
+--- a/cups.fc
++++ b/cups.fc
+@@ -1,77 +1,87 @@
+-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ 
+-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
++/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+ 
+ /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+ 
+-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+-
+-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+ 
+-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ 
+-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
+ 
+-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ 
+-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ 
+-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+ 
+-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+ 
+-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ 
+-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ 
+-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
++/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+ 
+-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
++/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+ 
+ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
++
++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ 
+-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+ 
+-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+ 
+-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
++/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++
++/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff --git a/cups.if b/cups.if
+index 06da9a0..c7834c8 100644
+--- a/cups.if
++++ b/cups.if
+@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
++ type hplip_etc_t;
+ ')
+ 
+ files_search_etc($1)
+- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
++ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
++ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+ 
+ ########################################
+@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
+ 
+ ########################################
+ ## 
++## Execute cupsd server in the cupsd domain.
++## 
++## 
++## 
++## Domain allowed to transition. 
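Review bot: The new entry `/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)` is missing the `?` that every other directory pattern in this file carries, so the `/var/run/hplip` directory itself never matches and only its children do; a relabel will give the parent whatever the generic `/var/run` rule assigns and leave parent and contents inconsistently labelled. Change it to `/var/run/hplip(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)`. The retained `/opt/brother/Printers(.*/)?inf(/.*)?` also differs from the new `/etc/opt/brother/Printers/(.*/)?inf(/.*)?` by the missing `/` after `Printers`, which lets it match any `/opt/brother/Printers<suffix>/.../inf` path; worth aligning while the block is being rewritten. `/usr/lib/bjlib(/.*)?` is given `mls_systemhigh` like the runtime cache directories; if that level was copied from the `/var/cache/cups` line rather than required, `s0` is what the other `/usr` entries here use.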
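Review bot: The added `type hplip_etc_t;` requirement and `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` duplicate the `read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)` line above them once cups.te in this same patch makes `hplip_etc_t` a `typealias` of `cupsd_etc_t`, so the interface grants the same access twice and requires a name that only exists as an alias. If the alias is the intended model, drop the two added lines; if the separate requirement is kept for callers built against the old hplip types, a comment such as `# hplip_etc_t is an alias of cupsd_etc_t; kept for compatibility` would explain why it stays.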
++## ++## ++# ++interface(`cupsd_systemctl',` ++ gen_require(` ++ type cupsd_t; ++ type cupsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 cupsd_unit_file_t:file read_file_perms; ++ allow $1 cupsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cupsd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an cups environment. + ## +@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',` + interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; +- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; ++ type cupsd_etc_t, cupsd_log_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; + type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; + type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; + type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; +- type hplip_t, ptal_t; ++ type ptal_t; ++ type cupsd_unit_file_t; + ') + +- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; +- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; ++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms }; ++ allow $1 { cups_pdf_t ptal_t }:process { signal_perms }; + ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) +- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) ++ ps_process_pattern($1, { cups_pdf_t ptal_t }) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace; ++ ') + + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -348,13 +379,63 @@ interface(`cups_admin',` + logging_list_logs($1) + admin_pattern($1, cupsd_log_t) + +- files_list_spool($1) +- admin_pattern($1, cupsd_spool_t) +- + files_list_tmp($1) + admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) +- +- files_list_pids($1) + admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) + admin_pattern($1, { 
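Review bot: The summary of the new `cupsd_systemctl` interface reads `Execute cupsd server in the cupsd domain.`, but the body grants `systemd_exec_systemctl($1)`, read access to `cupsd_unit_file_t`, `manage_service_perms` on the `cupsd_unit_file_t:service` class and `ps_process_pattern($1, cupsd_t)`; nothing in it transitions the caller into `cupsd_t`. Reword the summary to `Allow the caller to manage the cupsd service via systemctl and read cupsd process state.` and the parameter text to `Domain allowed access.`. Every other interface in this file is prefixed `cups_`, so `cups_systemctl` would follow the module's naming convention; the call in `cups_admin` below would need the same rename.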
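Review bot: The replacement for the removed `ptrace` grants only covers `{ cupsd_t cupsd_config_t cupsd_lpd_t }` inside the `deny_ptrace` tunable block; the second group `{ cups_pdf_t ptal_t }` loses ptrace unconditionally, a behaviour change the hunk does not explain. If admin debugging of the backend domains should still work when the tunable is off, add `allow $1 { cups_pdf_t ptal_t }:process ptrace;` inside the same tunable block; if the drop is deliberate, a one-line comment saying so would stop the next maintainer from reinstating it. The `cups_admin` interface continues past the end of this hunk.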
ptal_var_run_t cupsd_lpd_var_run_t }) ++ ++ cupsd_systemctl($1) ++ admin_pattern($1, cupsd_unit_file_t) ++ allow $1 cupsd_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Transition to cups named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cups_filetrans_named_content',` ++ gen_require(` ++ type cupsd_rw_etc_t; ++ type cupsd_etc_t; ++ ') ++ ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat") ++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat") ++ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++') ++ ++######################################## ++## ++## Allow the domain to read cups state files in /proc. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`cups_read_state',` ++ gen_require(` ++ type cupsd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, cupsd_t) + ') +diff --git a/cups.te b/cups.te +index 9f34c2e..d084359 100644 +--- a/cups.te ++++ b/cups.te +@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) + # Declarations + # + +-type cupsd_config_t; ++attribute cups_domain; ++ ++type cupsd_config_t, cups_domain; + type cupsd_config_exec_t; + init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) + + type cupsd_config_var_run_t; + files_pid_file(cupsd_config_var_run_t) + +-type cupsd_t; ++type cupsd_t, cups_domain; + type cupsd_exec_t; ++typealias cupsd_t alias hplip_t; ++typealias cupsd_exec_t alias hplip_exec_t; + init_daemon_domain(cupsd_t, cupsd_exec_t) + mls_trusted_object(cupsd_t) + + type cupsd_etc_t; ++typealias cupsd_etc_t alias hplip_etc_t; + files_config_file(cupsd_etc_t) + + type cupsd_initrc_exec_t; +@@ -33,13 +38,15 @@ type cupsd_lock_t; + files_lock_file(cupsd_lock_t) + + type cupsd_log_t; ++typealias cupsd_log_t alias hplip_var_log_t; + logging_log_file(cupsd_log_t) + +-type cupsd_lpd_t; ++type cupsd_var_lib_t alias hplip_var_lib_t; ++files_type(cupsd_var_lib_t) ++ ++type cupsd_lpd_t, cups_domain; + type cupsd_lpd_exec_t; +-domain_type(cupsd_lpd_t) +-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +-role system_r types cupsd_lpd_t; ++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + + type cupsd_lpd_tmp_t; + files_tmp_file(cupsd_lpd_tmp_t) +@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t) + type cupsd_lpd_var_run_t; + files_pid_file(cupsd_lpd_var_run_t) + +-type cups_pdf_t; ++type cups_pdf_t, cups_domain; + type cups_pdf_exec_t; + cups_backend(cups_pdf_t, cups_pdf_exec_t) + +@@ -55,29 +62,17 @@ type cups_pdf_tmp_t; + files_tmp_file(cups_pdf_tmp_t) + + type cupsd_tmp_t; ++typealias cupsd_tmp_t alias hplip_tmp_t; + files_tmp_file(cupsd_tmp_t) + + type cupsd_var_run_t; ++typealias cupsd_var_run_t alias hplip_var_run_t; + files_pid_file(cupsd_var_run_t) + 
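Review bot: `files_list_pids($1)` is removed while `admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })`, which needs a searchable `/var/run`, stays; an admin domain that does not get list/search on the pid directory from a broader interface will be unable to reach the files the pattern manages, so unless that access is now inherited elsewhere keep `files_list_pids($1)`. In the new `cups_filetrans_named_content`, `files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")` and `corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")` label any directory named `inf` the caller creates under `/usr` or a bin directory as `cupsd_rw_etc_t`, which is far wider than the driver paths listed in cups.fc; a comment naming the driver layout that needs it (presumably the Brother/`Printer` trees) would justify the breadth. `allow $1 cupsd_unit_file_t:service all_service_perms;` right after `cupsd_systemctl($1)` (which already grants `manage_service_perms`) is a superset; keep only the wider grant or say why both are present.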
init_daemon_run_dir(cupsd_var_run_t, "cups") + mls_trusted_object(cupsd_var_run_t) + +-type hplip_t; +-type hplip_exec_t; +-init_daemon_domain(hplip_t, hplip_exec_t) +-cups_backend(hplip_t, hplip_exec_t) +- +-type hplip_etc_t; +-files_config_file(hplip_etc_t) +- +-type hplip_tmp_t; +-files_tmp_file(hplip_tmp_t) +- +-type hplip_var_lib_t; +-files_type(hplip_var_lib_t) +- +-type hplip_var_run_t; +-files_pid_file(hplip_var_run_t) ++type cupsd_unit_file_t; ++systemd_unit_file(cupsd_unit_file_t) + + type ptal_t; + type ptal_exec_t; +@@ -97,21 +92,49 @@ ifdef(`enable_mls',` + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) + ') + ++####################################### ++# ++# Cups general local policy ++# ++ ++allow cups_domain self:capability { setuid setgid sys_nice }; ++allow cups_domain self:process { getsched setsched signal_perms }; ++allow cups_domain self:fifo_file rw_fifo_file_perms; ++allow cups_domain self:tcp_socket { accept listen }; ++allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(cups_domain) ++kernel_read_network_state(cups_domain) ++ ++corecmd_exec_bin(cups_domain) ++corecmd_exec_shell(cups_domain) ++ ++dev_read_urand(cups_domain) ++dev_read_rand(cups_domain) ++dev_read_sysfs(cups_domain) ++ ++fs_getattr_all_fs(cups_domain) ++ ++miscfiles_read_fonts(cups_domain) ++miscfiles_setattr_fonts_cache_dirs(cups_domain) ++ ++optional_policy(` ++ lpd_manage_spool(cups_domain) ++') ++ + ######################################## + # + # Cups local policy + # + +-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; + allow cupsd_t self:capability2 
block_suspend; +-allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +-allow cupsd_t self:fifo_file rw_fifo_file_perms; ++allow cupsd_t self:process { getpgid setpgid setsched }; + allow cupsd_t self:unix_stream_socket { accept connectto listen }; + allow cupsd_t self:netlink_selinux_socket create_socket_perms; + allow cupsd_t self:shm create_shm_perms; + allow cupsd_t self:sem create_sem_perms; +-allow cupsd_t self:tcp_socket { accept listen }; + allow cupsd_t self:appletalk_socket create_socket_perms; + + allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; +@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + + manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) ++can_exec(cupsd_t, cupsd_interface_t) + + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) + files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) ++cups_filetrans_named_content(cupsd_t) + + allow cupsd_t cupsd_exec_t:dir search_dir_perms; + allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; +@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; + files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + + manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) + ++manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) ++manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) ++ + manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + manage_files_pattern(cupsd_t, 
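Review bot: The new `cups_domain` block grants `corecmd_exec_bin`, `corecmd_exec_shell`, `setuid setgid sys_nice`, `netlink_kobject_uevent_socket`, `dev_read_sysfs`, `fs_getattr_all_fs` and `lpd_manage_spool` to every member of the attribute, including `cupsd_lpd_t`, and none of the visible `cupsd_lpd_t` rules (hunks -490 and -511 later in this file) had `corecmd_exec_bin`/`corecmd_exec_shell`, `sys_nice` or uevent sockets before; the network-facing lpd service therefore gains the ability to run arbitrary binaries and shells in its own domain. If lpd does not need them, keep the two `corecmd_*` calls per-domain on `cupsd_t`, `cupsd_config_t` and `cups_pdf_t` (where the hunks removed them) instead of on the attribute; otherwise a comment above the block naming which member needs shell execution would make the widening deliberate. The rewritten `cupsd_t` capability line also still lists `dac_override` twice.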
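Review bot: The added `can_exec(cupsd_t, cupsd_interface_t)` duplicates the existing `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` that remains as context in the -162 hunk below, so the new line is redundant. Drop it, or if the goal is to keep the grant next to `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)`, remove `cupsd_interface_t` from the later call instead.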
cupsd_tmp_t, cupsd_tmp_t) + manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) + ++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; + manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) + +-allow cupsd_t hplip_t:process { signal sigkill }; +- +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++allow cupsd_t cupsd_unit_file_t:file read_file_perms; + +-allow cupsd_t hplip_var_run_t:file read_file_perms; + + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) + allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; + can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) + + kernel_read_system_state(cupsd_t) +-kernel_read_network_state(cupsd_t) + kernel_read_all_sysctls(cupsd_t) + kernel_request_load_module(cupsd_t) + +-corenet_all_recvfrom_unlabeled(cupsd_t) + corenet_all_recvfrom_netlabel(cupsd_t) + corenet_tcp_sendrecv_generic_if(cupsd_t) + corenet_udp_sendrecv_generic_if(cupsd_t) +@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) + corenet_tcp_bind_all_rpc_ports(cupsd_t) + corenet_tcp_connect_all_ports(cupsd_t) + +-corecmd_exec_bin(cupsd_t) +-corecmd_exec_shell(cupsd_t) ++corenet_sendrecv_hplip_client_packets(cupsd_t) ++corenet_receive_hplip_server_packets(cupsd_t) ++corenet_tcp_bind_hplip_port(cupsd_t) ++corenet_tcp_connect_hplip_port(cupsd_t) ++corenet_tcp_bind_glance_port(cupsd_t) ++corenet_tcp_connect_glance_port(cupsd_t) ++ ++corenet_sendrecv_ipp_client_packets(cupsd_t) ++corenet_tcp_connect_ipp_port(cupsd_t) ++ 
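Review bot: Replacing the `append_files_pattern`/`create_files_pattern`/`read_files_pattern`/`setattr_files_pattern` lines on `cupsd_log_t` with `manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` adds `write`, `unlink` and `rename` on the daemon's own log files, which the previous append-only set withheld; a misbehaving or compromised cupsd can now truncate or delete its `/var/log/cups` history, weakening the audit trail that log labelling is meant to protect. If the change is motivated by cupsd rotating its own logs, a narrower set such as `append_files_pattern`/`create_files_pattern`/`rename_files_pattern` keeps `write` and `unlink` out; otherwise a comment above the line citing the specific denial that required `manage` would record why the integrity property was given up.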
++corenet_sendrecv_howl_server_packets(cupsd_t) ++corenet_udp_bind_howl_port(cupsd_t) + + dev_rw_printer(cupsd_t) +-dev_read_urand(cupsd_t) +-dev_read_sysfs(cupsd_t) + dev_rw_input_dev(cupsd_t) + dev_rw_generic_usb_dev(cupsd_t) + dev_rw_usbfs(cupsd_t) +@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t) + files_getattr_boot_dirs(cupsd_t) + files_list_spool(cupsd_t) + files_read_etc_runtime_files(cupsd_t) +-files_read_usr_files(cupsd_t) + files_exec_usr_files(cupsd_t) + # for /var/lib/defoma + files_read_var_lib_files(cupsd_t) +@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) + files_read_var_files(cupsd_t) + files_read_var_symlinks(cupsd_t) +-files_write_generic_pid_pipes(cupsd_t) + files_dontaudit_getattr_all_tmp_files(cupsd_t) + files_dontaudit_list_home(cupsd_t) + # for /etc/printcap + files_dontaudit_write_etc_files(cupsd_t) ++files_dontaudit_write_usr_dirs(cupsd_t) + +-fs_getattr_all_fs(cupsd_t) + fs_search_auto_mountpoints(cupsd_t) + fs_search_fusefs(cupsd_t) + fs_read_anon_inodefs_files(cupsd_t) ++fs_rw_anon_inodefs_files(cupsd_t) ++fs_rw_inherited_tmpfs_files(cupsd_t) + + mls_fd_use_all_levels(cupsd_t) + mls_file_downgrade(cupsd_t) +@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t) + + term_search_ptys(cupsd_t) + term_use_unallocated_ttys(cupsd_t) ++term_use_ptmx(cupsd_t) ++term_use_usb_ttys(cupsd_t) + + selinux_compute_access_vector(cupsd_t) + selinux_validate_context(cupsd_t) +@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) + auth_rw_faillog(cupsd_t) + auth_use_nsswitch(cupsd_t) + +-libs_read_lib_files(cupsd_t) + libs_exec_lib_files(cupsd_t) + + logging_send_audit_msgs(cupsd_t) + logging_send_syslog_msg(cupsd_t) + +-miscfiles_read_localization(cupsd_t) +-miscfiles_read_fonts(cupsd_t) +-miscfiles_setattr_fonts_cache_dirs(cupsd_t) +- + seutil_read_config(cupsd_t) + + sysnet_exec_ifconfig(cupsd_t) ++sysnet_dns_name_resolve(cupsd_t) + + 
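Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` let the print daemon bind and connect to the port type labelled for the OpenStack glance service, which a reader of a cups policy will not expect; presumably a printer-side port number overlaps the glance port definition in corenetwork, but the hunk gives no hint. Add a comment above the pair such as `# <printer protocol/port> (placeholder) shares the port number labelled for glance in corenetwork`, and if only one of bind or connect is actually needed, drop the other. The hplip, ipp and howl port rules are the ones the removed HPLIP section carried and look consistent with the domain merge.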
userdom_dontaudit_use_unpriv_user_fds(cupsd_t) ++userdom_dontaudit_search_user_home_dirs(cupsd_t) ++userdom_dontaudit_search_user_home_content(cupsd_t) ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + + optional_policy(` +@@ -275,6 +305,8 @@ optional_policy(` + optional_policy(` + dbus_system_bus_client(cupsd_t) + ++ init_dbus_chat(cupsd_t) ++ + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(` +@@ -285,8 +317,10 @@ optional_policy(` + hal_dbus_chat(cupsd_t) + ') + ++ # talk to processes that do not have policy + optional_policy(` + unconfined_dbus_chat(cupsd_t) ++ files_write_generic_pid_pipes(cupsd_t) + ') + ') + +@@ -299,8 +333,8 @@ optional_policy(` + ') + + optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0") + kerberos_manage_host_rcache(cupsd_t) +- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0") + ') + + optional_policy(` +@@ -309,7 +343,6 @@ optional_policy(` + + optional_policy(` + lpd_exec_lpr(cupsd_t) +- lpd_manage_spool(cupsd_t) + lpd_read_config(cupsd_t) + lpd_relabel_spool(cupsd_t) + ') +@@ -337,7 +370,11 @@ optional_policy(` + ') + + optional_policy(` +- virt_rw_all_image_chr_files(cupsd_t) ++ virt_rw_chr_files(cupsd_t) ++') ++ ++optional_policy(` ++ vmware_read_system_config(cupsd_t) + ') + + ######################################## +@@ -345,12 +382,11 @@ optional_policy(` + # Configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; ++allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; +-allow cupsd_config_t self:process { getsched signal_perms }; +-allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_config_t self:tcp_socket { accept listen }; ++allow cupsd_config_t self:process { getsched }; + ++domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t) + allow cupsd_config_t 
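Review bot: On the new side `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` each appear twice, once as the surviving context line and once as an added line, so the hunk introduces duplicate rules. Drop the two added duplicates and keep only the genuinely new `userdom_dontaudit_search_user_home_dirs(cupsd_t)`.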
cupsd_t:process signal; + ps_process_pattern(cupsd_config_t, cupsd_t) + +@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run + manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) + files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) + +-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) ++read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) + + stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + + can_exec(cupsd_config_t, cupsd_config_exec_t) +- +-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++can_exec(cupsd_config_t, cupsd_exec_t) + + kernel_read_system_state(cupsd_config_t) + kernel_read_all_sysctls(cupsd_config_t) + +-corenet_all_recvfrom_unlabeled(cupsd_config_t) + corenet_all_recvfrom_netlabel(cupsd_config_t) + corenet_tcp_sendrecv_generic_if(cupsd_config_t) + corenet_tcp_sendrecv_generic_node(cupsd_config_t) +@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) + corenet_sendrecv_all_client_packets(cupsd_config_t) + corenet_tcp_connect_all_ports(cupsd_config_t) + +-corecmd_exec_bin(cupsd_config_t) +-corecmd_exec_shell(cupsd_config_t) +- +-dev_read_sysfs(cupsd_config_t) +-dev_read_urand(cupsd_config_t) +-dev_read_rand(cupsd_config_t) + dev_rw_generic_usb_dev(cupsd_config_t) + + files_read_etc_runtime_files(cupsd_config_t) +-files_read_usr_files(cupsd_config_t) + files_read_var_symlinks(cupsd_config_t) + files_search_all_mountpoints(cupsd_config_t) + +-fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) + + domain_use_interactive_fds(cupsd_config_t) +@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) + + logging_send_syslog_msg(cupsd_config_t) + +-miscfiles_read_localization(cupsd_config_t) +-miscfiles_read_hwdata(cupsd_config_t) +- +-seutil_dontaudit_search_config(cupsd_config_t) +- + userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) + 
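Review bot: The added `domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` in this hunk and the added `can_exec(cupsd_config_t, cupsd_exec_t)` in the -375 hunk below pull in opposite directions: the first installs a default transition so that `cupsd_config_t` executing a `cupsd_exec_t` binary (which per cups.fc now also covers hplip's `hp-*` tools and `hpijs`) lands in `cupsd_t`, the second permits `execute_no_trans` so the same binaries can run inside `cupsd_config_t`, outside the confinement the transition was meant to provide. Only one of these can be the intended default for a given binary; keep the `domtrans_pattern` (it replaces the removed `domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)`) and drop the `can_exec`, or add a comment naming which caller relies on executing without a transition.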
userdom_dontaudit_search_user_home_dirs(cupsd_config_t) + userdom_read_all_users_state(cupsd_config_t) +@@ -452,9 +473,12 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_search_config(cupsd_config_t) ++') ++ ++optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) +- hal_dontaudit_use_fds(hplip_t) + ') + + optional_policy(` +@@ -490,10 +514,6 @@ optional_policy(` + # Lpd local policy + # + +-allow cupsd_lpd_t self:capability { setuid setgid }; +-allow cupsd_lpd_t self:process signal_perms; +-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_lpd_t self:tcp_socket { accept listen }; + allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + + allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; +@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + + kernel_read_kernel_sysctls(cupsd_lpd_t) + kernel_read_system_state(cupsd_lpd_t) +-kernel_read_network_state(cupsd_lpd_t) + +-corenet_all_recvfrom_unlabeled(cupsd_lpd_t) + corenet_all_recvfrom_netlabel(cupsd_lpd_t) + corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) + corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) + + corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) + corenet_tcp_connect_ipp_port(cupsd_lpd_t) ++corenet_tcp_bind_printer_port(cupsd_lpd_t) ++corenet_tcp_connect_printer_port(cupsd_lpd_t) + corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) + +-dev_read_urand(cupsd_lpd_t) +-dev_read_rand(cupsd_lpd_t) +- +-fs_getattr_xattr_fs(cupsd_lpd_t) +- + files_search_home(cupsd_lpd_t) + + auth_use_nsswitch(cupsd_lpd_t) + + logging_send_syslog_msg(cupsd_lpd_t) + +-miscfiles_read_localization(cupsd_lpd_t) +-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) +- + optional_policy(` + inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + ') +@@ -546,7 +558,6 @@ optional_policy(` + # + + allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +-allow cups_pdf_t 
self:fifo_file rw_fifo_file_perms; + allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + + append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t) + + kernel_read_system_state(cups_pdf_t) + +-files_read_usr_files(cups_pdf_t) +- +-corecmd_exec_bin(cups_pdf_t) +-corecmd_exec_shell(cups_pdf_t) +- + auth_use_nsswitch(cups_pdf_t) + +-miscfiles_read_localization(cups_pdf_t) +-miscfiles_read_fonts(cups_pdf_t) +-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) +- + userdom_manage_user_home_content_dirs(cups_pdf_t) + userdom_manage_user_home_content_files(cups_pdf_t) +-userdom_home_filetrans_user_home_dir(cups_pdf_t) ++userdom_filetrans_home_content(cups_pdf_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(cups_pdf_t) + fs_manage_nfs_files(cups_pdf_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(cups_pdf_t) +- fs_manage_cifs_files(cups_pdf_t) +-') ++userdom_home_manager(cups_pdf_t) + + optional_policy(` +- lpd_manage_spool(cups_pdf_t) ++ gnome_read_config(cups_pdf_t) + ') + +-######################################## +-# +-# HPLIP local policy +-# +- +-allow hplip_t self:capability { dac_override dac_read_search net_raw }; +-dontaudit hplip_t self:capability sys_tty_config; +-allow hplip_t self:fifo_file rw_fifo_file_perms; +-allow hplip_t self:process signal_perms; +-allow hplip_t self:tcp_socket { accept listen }; +-allow hplip_t self:rawip_socket create_socket_perms; +- +-allow hplip_t cupsd_etc_t:dir search_dir_perms; +- +-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file }) +- +-allow hplip_t hplip_etc_t:dir list_dir_perms; +-allow hplip_t hplip_etc_t:file read_file_perms; +-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; +- +-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) 
+-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +- +-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) +- +-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) +-files_pid_filetrans(hplip_t, hplip_var_run_t, file) +- +-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +- +-kernel_read_system_state(hplip_t) +-kernel_read_kernel_sysctls(hplip_t) +- +-corenet_all_recvfrom_unlabeled(hplip_t) +-corenet_all_recvfrom_netlabel(hplip_t) +-corenet_tcp_sendrecv_generic_if(hplip_t) +-corenet_udp_sendrecv_generic_if(hplip_t) +-corenet_raw_sendrecv_generic_if(hplip_t) +-corenet_tcp_sendrecv_generic_node(hplip_t) +-corenet_udp_sendrecv_generic_node(hplip_t) +-corenet_raw_sendrecv_generic_node(hplip_t) +-corenet_tcp_sendrecv_all_ports(hplip_t) +-corenet_udp_sendrecv_all_ports(hplip_t) +-corenet_tcp_bind_generic_node(hplip_t) +-corenet_udp_bind_generic_node(hplip_t) +- +-corenet_sendrecv_hplip_client_packets(hplip_t) +-corenet_receive_hplip_server_packets(hplip_t) +-corenet_tcp_bind_hplip_port(hplip_t) +-corenet_tcp_connect_hplip_port(hplip_t) +- +-corenet_sendrecv_ipp_client_packets(hplip_t) +-corenet_tcp_connect_ipp_port(hplip_t) +- +-corenet_sendrecv_howl_server_packets(hplip_t) +-corenet_udp_bind_howl_port(hplip_t) +- +-corecmd_exec_bin(hplip_t) +- +-dev_read_sysfs(hplip_t) +-dev_rw_printer(hplip_t) +-dev_read_urand(hplip_t) +-dev_read_rand(hplip_t) +-dev_rw_generic_usb_dev(hplip_t) +-dev_rw_usbfs(hplip_t) +- +-domain_use_interactive_fds(hplip_t) +- +-files_read_etc_files(hplip_t) +-files_read_etc_runtime_files(hplip_t) +-files_read_usr_files(hplip_t) +- +-fs_getattr_all_fs(hplip_t) +-fs_search_auto_mountpoints(hplip_t) +-fs_rw_anon_inodefs_files(hplip_t) +- +-logging_send_syslog_msg(hplip_t) +- +-miscfiles_read_localization(hplip_t) +- +-sysnet_dns_name_resolve(hplip_t) +- +-userdom_dontaudit_use_unpriv_user_fds(hplip_t) 
+-userdom_dontaudit_search_user_home_dirs(hplip_t) +-userdom_dontaudit_search_user_home_content(hplip_t) +- +-optional_policy(` +- dbus_system_bus_client(hplip_t) +- +- optional_policy(` +- userdom_dbus_send_all_users(hplip_t) +- ') +-') +- +-optional_policy(` +- lpd_read_config(hplip_t) +- lpd_manage_spool(hplip_t) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(hplip_t) +-') +- +-optional_policy(` +- snmp_read_snmp_var_lib_files(hplip_t) +-') +- +-optional_policy(` +- udev_read_db(hplip_t) +-') + + ######################################## + # +@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t) + kernel_list_proc(ptal_t) + kernel_read_proc_symlinks(ptal_t) + +-corenet_all_recvfrom_unlabeled(ptal_t) + corenet_all_recvfrom_netlabel(ptal_t) + corenet_tcp_sendrecv_generic_if(ptal_t) + corenet_tcp_sendrecv_generic_node(ptal_t) +@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) + corenet_tcp_bind_ptal_port(ptal_t) + corenet_tcp_sendrecv_ptal_port(ptal_t) + +-dev_read_sysfs(ptal_t) + dev_read_usbfs(ptal_t) + dev_rw_printer(ptal_t) + + domain_use_interactive_fds(ptal_t) + +-files_read_etc_files(ptal_t) + files_read_etc_runtime_files(ptal_t) + + fs_getattr_all_fs(ptal_t) +@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t) + + logging_send_syslog_msg(ptal_t) + +-miscfiles_read_localization(ptal_t) +- + sysnet_read_config(ptal_t) + + userdom_dontaudit_use_unpriv_user_fds(ptal_t) +@@ -769,3 +650,4 @@ optional_policy(` + optional_policy(` + udev_read_db(ptal_t) + ') ++ +diff --git a/cvs.if b/cvs.if +index 9fa7ffb..fd3262c 100644 +--- a/cvs.if ++++ b/cvs.if +@@ -1,5 +1,23 @@ + ## Concurrent versions system. + ++###################################### ++## ++## Dontaudit Attempts to list the CVS data and metadata. ++## ++## ++## ++## Domain to not audit. 
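Review bot: The removed HPLIP section granted `hplip_t` the `net_raw` capability and `rawip_socket create_socket_perms`, and with `hplip_t` now an alias of `cupsd_t` nothing visible in this patch re-grants either to `cupsd_t` (its rewritten capability line in the -97 hunk has no `net_raw`); hplip components that open raw sockets will be denied after this change unless that is handled in a hunk outside this view. Conversely the alias gives every former hplip program the full `cupsd_t` set including `sys_admin`, `sys_rawio`, `dac_override` and `chown`, a larger footprint than the old `hplip_t` had, so a comment at the `typealias cupsd_t alias hplip_t;` declaration explaining why the domains are merged would help later audits. Separately, replacing the `use_samba_home_dirs` tunable block for `cups_pdf_t` with the unconditional `userdom_home_manager(cups_pdf_t)` moves boolean-gated home-directory access to an always-on interface; confirm that is intended.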
++## ++## ++# ++interface(`cvs_dontaudit_list_data',` ++ gen_require(` ++ type cvs_data_t; ++ ') ++ ++ dontaudit $1 cvs_data_t:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Read CVS data and metadata content. +@@ -62,9 +80,14 @@ interface(`cvs_admin',` + type cvs_data_t, cvs_var_run_t; + ') + +- allow $1 cvs_t:process { ptrace signal_perms }; ++ allow $1 cvs_t:process signal_perms; + ps_process_pattern($1, cvs_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cvs_t:process ptrace; ++ ') ++ ++ # Allow cvs_t to restart the apache service + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cvs_initrc_exec_t system_r; +diff --git a/cvs.te b/cvs.te +index 53fc3af..897ad64 100644 +--- a/cvs.te ++++ b/cvs.te +@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) + ## password files. + ##
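Review bot: The comment `# Allow cvs_t to restart the apache service` placed above `init_labeled_script_domtrans($1, cvs_initrc_exec_t)` in cvs_admin names the wrong subject and the wrong service: the rule lets the admin domain `$1` run the cvs init script and transition to `system_r`, and nothing in this interface touches cvs_t's own rights or apache. Replace it with `# Allow the admin domain ($1) to run the cvs init script and transition to system_r` so someone auditing cvs_admin's grants is not sent looking for an apache dependency. Gating the ptrace grant on `deny_ptrace` matches the pattern used for cyrus_admin in this same patch and is fine as written.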

    + ## +-gen_tunable(allow_cvs_read_shadow, false) ++gen_tunable(cvs_read_shadow, false) + + type cvs_t; + type cvs_exec_t; + inetd_tcp_service_domain(cvs_t, cvs_exec_t) ++init_domain(cvs_t, cvs_exec_t) + application_executable_file(cvs_exec_t) + + type cvs_data_t; # customizable +@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t) + corecmd_exec_bin(cvs_t) + corecmd_exec_shell(cvs_t) + ++corenet_all_recvfrom_netlabel(cvs_t) ++corenet_tcp_sendrecv_generic_if(cvs_t) ++corenet_udp_sendrecv_generic_if(cvs_t) ++corenet_tcp_sendrecv_generic_node(cvs_t) ++corenet_udp_sendrecv_generic_node(cvs_t) ++corenet_tcp_sendrecv_all_ports(cvs_t) ++corenet_udp_sendrecv_all_ports(cvs_t) ++corenet_tcp_bind_cvs_port(cvs_t) ++ + dev_read_urand(cvs_t) + + files_read_etc_runtime_files(cvs_t) +@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t) + + init_read_utmp(cvs_t) + ++init_dontaudit_read_utmp(cvs_t) ++ + logging_send_syslog_msg(cvs_t) + logging_send_audit_msgs(cvs_t) + +-miscfiles_read_localization(cvs_t) +- + mta_send_mail(cvs_t) + + userdom_dontaudit_search_user_home_dirs(cvs_t) + + # cjp: typeattribute doesnt work in conditionals yet + auth_can_read_shadow_passwords(cvs_t) +-tunable_policy(`allow_cvs_read_shadow',` ++tunable_policy(`cvs_read_shadow',` + allow cvs_t self:capability dac_override; + auth_tunable_read_shadow(cvs_t) + ') +@@ -103,4 +113,5 @@ optional_policy(` + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) + ') +diff --git a/cyphesis.te b/cyphesis.te +index 916427f..556f1ac 100644 +--- a/cyphesis.te ++++ b/cyphesis.te +@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) + corecmd_search_bin(cyphesis_t) + corecmd_getattr_bin_files(cyphesis_t) + +-corenet_all_recvfrom_unlabeled(cyphesis_t) + corenet_tcp_sendrecv_generic_if(cyphesis_t) + 
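Review bot: Renaming the boolean from `allow_cvs_read_shadow` to `cvs_read_shadow` drops the name that existing `setsebool -P` invocations, kickstarts and local configuration refer to, so after the update those settings stop applying and the new boolean's default of false silently takes over — which is the safe direction, but still a behaviour change nobody asked for. Unless a boolean-name compatibility mapping is shipped elsewhere in this patch set (not visible here), keep the old name reachable or at least record the rename in the tunable's description comment, e.g. `## Formerly allow_cvs_read_shadow.`. The only other site that must agree with the new name is the `tunable_policy` block further down cvs.te, which this patch does update.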
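Review bot: `init_dontaudit_read_utmp(cvs_t)` is added two lines below the retained `init_read_utmp(cvs_t)`; a dontaudit on an access that is already allowed is dead policy, and the pair leaves a reader unsure whether cvs is supposed to read utmp at all. Keep exactly one of them: if the AVC that prompted this was a denial to be silenced, replace the allow with the dontaudit; if cvs legitimately reads utmp (pserver login accounting, presumably), drop the new `init_dontaudit_read_utmp(cvs_t)` line. Whichever survives deserves a one-line why-comment so the next rebase does not reintroduce the other.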
corenet_tcp_sendrecv_generic_node(cyphesis_t) + corenet_tcp_bind_generic_node(cyphesis_t) +@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t) + + domain_use_interactive_fds(cyphesis_t) + +-files_read_etc_files(cyphesis_t) +-files_read_usr_files(cyphesis_t) + + logging_send_syslog_msg(cyphesis_t) + +-miscfiles_read_localization(cyphesis_t) +- + sysnet_dns_name_resolve(cyphesis_t) + + optional_policy(` +diff --git a/cyrus.if b/cyrus.if +index 6508280..a2860e3 100644 +--- a/cyrus.if ++++ b/cyrus.if +@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` + manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) + ') + ++####################################### ++## ++## Allow write cyrus data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cyrus_write_data',` ++ gen_require(` ++ type cyrus_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) ++') ++ + ######################################## + ## + ## Connect to Cyrus using a unix +@@ -63,9 +82,13 @@ interface(`cyrus_admin',` + type cyrus_var_run_t, cyrus_initrc_exec_t; + ') + +- allow $1 cyrus_t:process { ptrace signal_perms }; ++ allow $1 cyrus_t:process signal_perms; + ps_process_pattern($1, cyrus_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cyrus_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; +diff --git a/cyrus.te b/cyrus.te +index 395f97c..bf8db3c 100644 +--- a/cyrus.te ++++ b/cyrus.te +@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) + # Local policy + # + +-allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; ++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; + dontaudit cyrus_t self:capability sys_tty_config; + allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow 
cyrus_t self:process setrlimit; +@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t) + kernel_read_system_state(cyrus_t) + kernel_read_all_sysctls(cyrus_t) + +-corenet_all_recvfrom_unlabeled(cyrus_t) + corenet_all_recvfrom_netlabel(cyrus_t) + corenet_tcp_sendrecv_generic_if(cyrus_t) + corenet_tcp_sendrecv_generic_node(cyrus_t) +@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t) + corenet_sendrecv_lmtp_server_packets(cyrus_t) + corenet_tcp_bind_lmtp_port(cyrus_t) + ++corenet_sendrecv_innd_server_packets(cyrus_t) ++corenet_tcp_bind_innd_port(cyrus_t) ++ + corenet_sendrecv_pop_server_packets(cyrus_t) + corenet_tcp_bind_pop_port(cyrus_t) + +@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t) + + files_list_var_lib(cyrus_t) + files_read_etc_runtime_files(cyrus_t) +-files_read_usr_files(cyrus_t) +-files_dontaudit_write_usr_dirs(cyrus_t) + + fs_getattr_all_fs(cyrus_t) + fs_search_auto_mountpoints(cyrus_t) +@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t) + + logging_send_syslog_msg(cyrus_t) + +-miscfiles_read_localization(cyrus_t) + miscfiles_read_generic_certs(cyrus_t) + + userdom_use_unpriv_users_fds(cyrus_t) +@@ -116,6 +115,10 @@ optional_policy(` + ') + + optional_policy(` ++ dirsrv_stream_connect(cyrus_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(cyrus, cyrus_t) + ') + +@@ -128,8 +131,8 @@ optional_policy(` + ') + + optional_policy(` +- snmp_read_snmp_var_lib_files(cyrus_t) +- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) ++ files_dontaudit_write_usr_dirs(cyrus_t) ++ snmp_manage_var_lib_files(cyrus_t) + snmp_stream_connect(cyrus_t) + ') + +diff --git a/daemontools.if b/daemontools.if +index 3b3d9a0..6c8106a 100644 +--- a/daemontools.if ++++ b/daemontools.if +@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',` + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; + ') ++ +diff --git a/daemontools.te b/daemontools.te +index 0165962..2569147 100644 +--- a/daemontools.te ++++ b/daemontools.te +@@ 
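Review bot: `fsetid` is added to cyrus_t's capability set without a comment, and it is not an obvious need for a mail store — it only matters when the daemon chowns or writes files and wants setuid/setgid bits preserved rather than cleared. `net_bind_service` is justified by the imap/pop/lmtp/innd port binds granted below and needs no note, but `fsetid` should carry the AVC or code path that motivated it, e.g. `# fsetid: preserves setgid on mailbox dirs when cyrus chown()s them -- confirm against the AVC`. If it surfaced only from a denial on a misconfigured spool, a dontaudit is the better fix.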
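Review bot: `snmp_manage_var_lib_files(cyrus_t)` replaces a read-only grant plus an explicit `snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)`, so cyrus may now create, write and delete files under snmp's var_lib type where the previous policy deliberately and silently denied writes; a compromised imapd can thereby corrupt the SNMP agent's persistent state. If the change was driven by an AVC rather than a real need (the agentx subagent path only requires the socket via `snmp_stream_connect`), keep the read-plus-dontaudit pair. Separately, `files_dontaudit_write_usr_dirs(cyrus_t)` has been moved inside the snmp `optional_policy` block although it has nothing to do with snmp, so it vanishes whenever the snmp module is absent; leave it at top level where it was.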
-44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; + allow svc_multilog_t svc_start_t:fd use; + allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms; + ++term_write_console(svc_multilog_t) ++ + init_use_fds(svc_multilog_t) ++init_dontaudit_use_script_fds(svc_multilog_t) + + logging_manage_generic_logs(svc_multilog_t) + +@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t) + corecmd_exec_bin(svc_run_t) + corecmd_exec_shell(svc_run_t) + +-files_read_etc_files(svc_run_t) ++term_write_console(svc_run_t) ++ + files_read_etc_runtime_files(svc_run_t) + files_search_pids(svc_run_t) + files_search_var_lib(svc_run_t) +@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit }; + + can_exec(svc_start_t, svc_start_exec_t) + ++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t) + + kernel_read_kernel_sysctls(svc_start_t) +@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) + corecmd_exec_shell(svc_start_t) + +-files_read_etc_files(svc_start_t) ++corenet_tcp_bind_generic_node(svc_start_t) ++corenet_tcp_bind_generic_port(svc_start_t) ++ ++term_write_console(svc_start_t) ++ + files_read_etc_runtime_files(svc_start_t) + files_search_var(svc_start_t) + files_search_pids(svc_start_t) + + logging_send_syslog_msg(svc_start_t) +- +-miscfiles_read_localization(svc_start_t) +diff --git a/dante.te b/dante.te +index 98a2d6a..fff0987 100644 +--- a/dante.te ++++ b/dante.te +@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t) + + domain_use_interactive_fds(dante_t) + +-files_read_etc_files(dante_t) + files_read_etc_runtime_files(dante_t) + + fs_getattr_all_fs(dante_t) +diff --git a/dbadm.te b/dbadm.te +index a67870a..f7c0e61 100644 +--- a/dbadm.te ++++ b/dbadm.te +@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) + + role dbadm_r; + +-userdom_base_user_template(dbadm) ++userdom_confined_admin_template(dbadm) + + ######################################## + # + # 
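Review bot: `corenet_tcp_bind_generic_port(svc_start_t)` lets the daemontools start domain bind any TCP port carrying the generic port type, but svc_start_t is the supervisor that launches services through `domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)`; a listener should be created after that transition so the bind is attributed to the service's own domain and port type. Unless some service genuinely binds inside svc_start_t before exec (name it in a comment if so), drop the generic_port line and keep only `corenet_tcp_bind_generic_node(svc_start_t)`. The `term_write_console` grants added here and in the multilog/run hunks above look consistent with supervise writing status to the console.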
Local policy + # + +-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; ++allow dbadm_t self:capability { dac_override dac_read_search }; + + files_dontaudit_search_all_dirs(dbadm_t) + files_delete_generic_locks(dbadm_t) +@@ -39,6 +39,7 @@ files_list_var(dbadm_t) + selinux_get_enforce_mode(dbadm_t) + + logging_send_syslog_msg(dbadm_t) ++logging_send_audit_msgs(dbadm_t) + + userdom_dontaudit_search_user_home_dirs(dbadm_t) + +@@ -60,3 +61,7 @@ optional_policy(` + optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) + ') ++ ++optional_policy(` ++ sudo_role_template(dbadm, dbadm_r, dbadm_t) ++') +diff --git a/dbskk.te b/dbskk.te +index 188e2e6..719583e 100644 +--- a/dbskk.te ++++ b/dbskk.te +@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t) + kernel_read_system_state(dbskkd_t) + kernel_read_network_state(dbskkd_t) + +-corenet_all_recvfrom_unlabeled(dbskkd_t) + corenet_all_recvfrom_netlabel(dbskkd_t) + corenet_tcp_sendrecv_generic_if(dbskkd_t) + corenet_udp_sendrecv_generic_if(dbskkd_t) +@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t) + + fs_getattr_xattr_fs(dbskkd_t) + +-files_read_etc_files(dbskkd_t) + + auth_use_nsswitch(dbskkd_t) + + logging_send_syslog_msg(dbskkd_t) +- +-miscfiles_read_localization(dbskkd_t) +diff --git a/dbus.fc b/dbus.fc +index dda905b..31f269b 100644 +--- a/dbus.fc ++++ b/dbus.fc +@@ -1,20 +1,26 @@ +-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) ++/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) + +-/etc/dbus-.*(/.*)? 
gen_context(system_u:object_r:dbusd_etc_t,s0) ++/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ifdef(`distro_redhat',` ++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++') + +-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ifdef(`distro_debian',` ++/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++') + +-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ifdef(`distro_gentoo',` ++/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++') + +-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) + +-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) +- +-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ++/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) + ++ifdef(`distro_redhat',` + /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ++') +diff --git a/dbus.if b/dbus.if +index afcf3a2..e6ecc4d 100644 +--- a/dbus.if ++++ b/dbus.if +@@ -1,4 +1,4 @@ +-## Desktop messaging bus. ++## Desktop messaging bus + + ######################################## + ## +@@ -19,7 +19,7 @@ interface(`dbus_stub',` + + ######################################## + ## +-## Role access for dbus. 
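Review bot: Dropping `/var/run/messagebus\.pid` leaves that pid file with the default `var_run_t` label rather than `system_dbusd_var_run_t`, so a dbus-daemon configured with that pidfile path is denied on create and unlink; unless the supported configuration always writes under /var/run/dbus, keep the line, under `ifdef(distro_debian)` if it is Debian-only. The `dbus-daemon-launch-helper` entries are now split per distro, and that helper is the setuid activation helper that must be `dbusd_exec_t` for `can_exec(system_dbusd_t, dbusd_exec_t)` in dbus.te to cover it; a build with none of the three distro flags set, or a distro installing it at another path, gets an unlabelled helper and broken system-bus activation. A comment stating which paths were verified on which distro would make the split auditable.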
++## Role access for dbus + ## + ## + ## +@@ -41,59 +41,68 @@ interface(`dbus_stub',` + template(`dbus_role_template',` + gen_require(` + class dbus { send_msg acquire_svc }; +- attribute session_bus_type; +- type system_dbusd_t, dbusd_exec_t; +- type session_dbusd_tmp_t, session_dbusd_home_t; ++ attribute dbusd_unconfined, session_bus_type; ++ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ++ type $1_t; + ') + + ############################## + # +- # Declarations ++ # Delcarations + # + + type $1_dbusd_t, session_bus_type; +- domain_type($1_dbusd_t) +- domain_entry_file($1_dbusd_t, dbusd_exec_t) ++ application_domain($1_dbusd_t, dbusd_exec_t) + ubac_constrained($1_dbusd_t) +- + role $2 types $1_dbusd_t; + ++ kernel_read_system_state($1_dbusd_t) ++ ++ selinux_get_fs_mount($1_dbusd_t) ++ ++ userdom_home_manager($1_dbusd_t) ++ + ############################## + # + # Local policy + # + ++ # For connecting to the bus + allow $3 $1_dbusd_t:unix_stream_socket connectto; +- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; +- allow $3 $1_dbusd_t:fd use; +- +- allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + +- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; +- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") ++ # SE-DBus specific permissions ++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; ++ allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + + domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) + + ps_process_pattern($3, $1_dbusd_t) +- allow $3 $1_dbusd_t:process { ptrace signal_perms }; ++ allow $3 $1_dbusd_t:process signal_perms; + +- allow $1_dbusd_t $3:process sigkill; ++ tunable_policy(`deny_ptrace',`',` ++ allow $3 $1_dbusd_t:process ptrace; ++ ') + +- corecmd_bin_domtrans($1_dbusd_t, $3) +- corecmd_shell_domtrans($1_dbusd_t, $3) ++ 
# cjp: this seems very broken ++ corecmd_bin_domtrans($1_dbusd_t, $1_t) ++ corecmd_shell_domtrans($1_dbusd_t, $1_t) ++ allow $1_dbusd_t $3:process sigkill; ++ allow $3 $1_dbusd_t:fd use; ++ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; + + auth_use_nsswitch($1_dbusd_t) + +- ifdef(`hide_broken_symptoms',` +- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ++ logging_send_syslog_msg($1_dbusd_t) ++ ++ optional_policy(` ++ mozilla_domtrans_spec($1_dbusd_t, $1_t) + ') + ') + + ####################################### + ## + ## Template for creating connections to +-## the system bus. ++## the system DBUS. + ## + ## + ## +@@ -103,65 +112,29 @@ template(`dbus_role_template',` + # + interface(`dbus_system_bus_client',` + gen_require(` +- attribute dbusd_system_bus_client; +- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t; ++ type system_dbusd_t, system_dbusd_t; ++ type system_dbusd_var_run_t, system_dbusd_var_lib_t; + class dbus send_msg; ++ attribute dbusd_unconfined; + ') + +- typeattribute $1 dbusd_system_bus_client; +- ++ # SE-DBus specific permissions + allow $1 { system_dbusd_t self }:dbus send_msg; +- allow system_dbusd_t $1:dbus send_msg; ++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; + +- files_search_var_lib($1) + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ files_search_var_lib($1) + ++ # For connecting to the bus + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) +- + dbus_read_config($1) + ') + + ####################################### + ## +-## Acquire service on DBUS +-## session bus. +-## +-## +-## +-## Domain allowed access. 
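Review bot: `userdom_home_manager($1_dbusd_t)` gives the per-user session bus daemon management rights over the user's entire home content, where the removed code confined home access to `session_dbusd_home_t` (`~/.dbus`) and granted it to the user domain rather than to the daemon. The session daemon parses service files and spawns activated programs, so it should not be able to rewrite arbitrary dotfiles; if it only needs its own state, replace the call with search access to the home directory plus a dedicated home type, or document which home content it must manage. The inherited comment `# cjp: this seems very broken` above `corecmd_bin_domtrans($1_dbusd_t, $1_t)` is accurate in spirit — everything the bus activates runs as the full user domain `$1_t` — and deserves either a real explanation or a TODO with an owner. Also `# Delcarations` should read `# Declarations`.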
+-## +-## +-# +-interface(`dbus_connect_session_bus',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') +- dbus_connect_all_session_bus($1) +-') +- +-####################################### +-## +-## Acquire service on all DBUS +-## session busses. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_connect_all_session_bus',` +- gen_require(` +- attribute session_bus_type; +- class dbus acquire_svc; +- ') +- +- allow $1 session_bus_type:dbus acquire_svc; +-') +- +-####################################### +-## +-## Acquire service on specified +-## DBUS session bus. ++## Creating connections to specified ++## DBUS sessions. + ## + ## + ## +@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',` + ## + ## + # +-interface(`dbus_connect_spec_session_bus',` ++interface(`dbus_session_client',` + gen_require(` ++ class dbus send_msg; + type $1_dbusd_t; +- class dbus acquire_svc; + ') + +- allow $2 $1_dbusd_t:dbus acquire_svc; ++ allow $2 $1_dbusd_t:fd use; ++ allow $2 { $1_dbusd_t self }:dbus send_msg; ++ allow $2 $1_dbusd_t:unix_stream_socket connectto; + ') + + ####################################### + ## +-## Creating connections to DBUS +-## session bus. ++## Template for creating connections to ++## a user DBUS. + ## + ## + ## +@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',` + ## + # + interface(`dbus_session_bus_client',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') +- dbus_all_session_bus_client($1) +-') +- +-####################################### +-## +-## Creating connections to all +-## DBUS session busses. +-## +-## +-## +-## Domain allowed access. 
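Review bot: `type system_dbusd_t, system_dbusd_t;` in dbus_system_bus_client's gen_require lists the same type twice; it should be `type system_dbusd_t;`. The interface also no longer stamps callers with the `dbusd_system_bus_client` attribute the old version used, so any module that still enumerates that attribute (none visible here) loses its members without a build error; grep for the attribute before dropping it. Granting `dbusd_unconfined` send_msg towards every client is what that attribute is for and is fine.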
+-## +-## +-# +-interface(`dbus_all_session_bus_client',` + gen_require(` +- attribute session_bus_type, dbusd_session_bus_client; ++ attribute session_bus_type; + class dbus send_msg; + ') + +- typeattribute $1 dbusd_session_bus_client; +- ++ # SE-DBus specific permissions + allow $1 { session_bus_type self }:dbus send_msg; +- allow session_bus_type $1:dbus send_msg; +- +- allow $1 session_bus_type:unix_stream_socket connectto; +- allow $1 session_bus_type:fd use; +-') + +-####################################### +-## +-## Creating connections to specified +-## DBUS session bus. +-## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_spec_session_bus_client',` +- gen_require(` +- attribute dbusd_session_bus_client; +- type $1_dbusd_t; +- class dbus send_msg; +- ') +- +- typeattribute $2 dbusd_session_bus_client; +- +- allow $2 { $1_dbusd_t self }:dbus send_msg; +- allow $1_dbusd_t $2:dbus send_msg; ++ # For connecting to the bus ++ allow $1 session_bus_type:unix_stream_socket connectto; + +- allow $2 $1_dbusd_t:unix_stream_socket connectto; +- allow $2 $1_dbusd_t:fd use; ++ allow session_bus_type $1:process sigkill; + ') + +-####################################### ++######################################## + ## +-## Send messages to DBUS session bus. ++## Send a message the session DBUS. + ## + ## + ## +@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',` + ## + # + interface(`dbus_send_session_bus',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') +- dbus_send_all_session_bus($1) +-') +- +-####################################### +-## +-## Send messages to all DBUS +-## session busses. +-## +-## +-## +-## Domain allowed access. 
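Review bot: `allow session_bus_type $1:process sigkill;` lets every session bus daemon kill every bus client domain, not only clients of the same user's bus, because both sides are attribute-wide; at the same time the old `allow session_bus_type $1:dbus send_msg;` is dropped, so the daemon may kill clients but can no longer be the source of a message to them. If dbus-daemon's SELinux hook checks its own replies and NameAcquired signals as bus→client send_msg, as the removed rule suggests it once did, clients will see denials; restore `allow session_bus_type $1:dbus send_msg;` or add a comment explaining why that check no longer fires. The sigkill grant should at least be commented with its reason (activation timeouts, presumably) and narrowed to the caller's own bus where the per-prefix template is in use.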
+-## +-## +-# +-interface(`dbus_send_all_session_bus',` + gen_require(` + attribute session_bus_type; + class dbus send_msg; + ') + +- allow $1 dbus_session_bus_type:dbus send_msg; +-') +- +-####################################### +-## +-## Send messages to specified +-## DBUS session busses. +-## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_send_spec_session_bus',` +- gen_require(` +- type $1_dbusd_t; +- class dbus send_msg; +- ') +- +- allow $2 $1_dbusd_t:dbus send_msg; ++ allow $1 session_bus_type:dbus send_msg; + ') + + ######################################## + ## +-## Read dbus configuration content. ++## Read dbus configuration. + ## + ## + ## +@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',` + + ######################################## + ## +-## Allow a application domain to be +-## started by the specified session bus. +-## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## +-## +-## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. +-## +-## +-# +-interface(`dbus_session_domain',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') +- dbus_all_session_domain($1, $2) +-') +- +-######################################## +-## +-## Allow a application domain to be +-## started by the specified session bus. ++## Connect to the system DBUS ++## for service (acquire_svc). + ## + ## + ## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dbus_all_session_domain',` ++interface(`dbus_connect_session_bus',` + gen_require(` +- type session_bus_type; ++ attribute session_bus_type; ++ class dbus acquire_svc; + ') + +- domtrans_pattern(session_bus_type, $2, $1) +- +- dbus_all_session_bus_client($1) +- dbus_connect_all_session_bus($1) ++ allow $1 session_bus_type:dbus acquire_svc; + ') + + ######################################## + ## +-## Allow a application domain to be +-## started by the specified session bus. ++## Allow a application domain to be started ++## by the session dbus. + ## +-## ++## + ## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). ++## User domain prefix to be used. + ## + ## + ## +@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',` + ## + ## + # +-interface(`dbus_spec_session_domain',` ++interface(`dbus_session_domain',` + gen_require(` + type $1_dbusd_t; + ') + + domtrans_pattern($1_dbusd_t, $2, $3) + +- dbus_spec_session_bus_client($1, $2) +- dbus_connect_spec_session_bus($1, $2) ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) + ') + + ######################################## + ## +-## Acquire service on the DBUS system bus. ++## Connect to the system DBUS ++## for service (acquire_svc). + ## + ## + ## +@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',` + + ######################################## + ## +-## Send messages to the DBUS system bus. ++## Send a message on the system DBUS. + ## + ## + ## +@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',` + + ######################################## + ## +-## Unconfined access to DBUS system bus. ++## Allow unconfined access to the system DBUS. + ## + ## + ## +@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',` + + ######################################## + ## +-## Create a domain for processes which +-## can be started by the DBUS system bus. 
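Review bot: The domain created by `dbus_session_domain` is entered only from `$1_dbusd_t`, yet `dbus_session_bus_client($3)` and `dbus_connect_session_bus($3)` give it send_msg, connectto and acquire_svc on every `session_bus_type`, so a service activated by one user's bus may talk to and claim names on any other user's bus; the removed `dbus_spec_session_bus_client($1, $2)` scoped this to the one bus. If the wider reach is intended, say so in the interface description; otherwise scope the grants to the owning bus: `allow $3 { $1_dbusd_t self }:dbus { send_msg acquire_svc };`, `allow $3 $1_dbusd_t:unix_stream_socket connectto;`, `allow $3 $1_dbusd_t:fd use;`.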
++## Create a domain for processes ++## which can be started by the system dbus + ## + ## + ## +@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',` + # + interface(`dbus_system_domain',` + gen_require(` ++ attribute system_bus_type; + type system_dbusd_t; + role system_r; + ') ++ typeattribute $1 system_bus_type; + + domain_type($1) + domain_entry_file($1, $2) + +- role system_r types $1; +- + domtrans_pattern(system_dbusd_t, $2, $1) + +- dbus_system_bus_client($1) +- dbus_connect_system_bus($1) +- +- ps_process_pattern(system_dbusd_t, $1) +- +- userdom_read_all_users_state($1) ++ ps_process_pattern($1, system_dbusd_t) + +- ifdef(`hide_broken_symptoms', ` +- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; +- ') + ') + + ######################################## + ## +-## Use and inherit DBUS system bus +-## file descriptors. ++## Use and inherit system DBUS file descriptors. + ## + ## + ## +@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write DBUS system bus TCP sockets. ++## Allow unconfined access to the system DBUS. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ++interface(`dbus_unconfined',` + gen_require(` +- type system_dbusd_t; ++ attribute dbusd_unconfined; + ') + +- dontaudit $1 system_dbusd_t:tcp_socket { read write }; ++ typeattribute $1 dbusd_unconfined; + ') + + ######################################## + ## +-## Unconfined access to DBUS. 
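Review bot: `ps_process_pattern($1, system_dbusd_t)` reverses the direction of the removed `ps_process_pattern(system_dbusd_t, $1)`: the bus daemon may no longer read the state of the services it activates, while every bus-activated domain may now read dbus-daemon's /proc entries. If the swap is unintended, restore the original argument order; if it is intended, a comment saying what an activated service needs from the daemon's process state will stop the next reviewer from flipping it back. Moving `role system_r types` and the client/connect grants onto the `system_bus_type` attribute in dbus.te is fine as long as every caller of this interface is a genuine system service.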
++## Delete all dbus pid files + ## + ## + ## +@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` + ## + ## + # +-interface(`dbus_unconfined',` ++interface(`dbus_delete_pid_files',` + gen_require(` +- attribute dbusd_unconfined; ++ type system_dbusd_var_run_t; + ') + +- typeattribute $1 dbusd_unconfined; ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Read all dbus pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_read_pid_files',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_stream_connect_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ ') ++ ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Do not audit attempts to send dbus ++## messages to session bus types. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_chat_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 session_bus_type:dbus send_msg; ++') ++ ++######################################## ++## ++## Do not audit attempts to send dbus ++## messages to system bus types. ++## ++## ++## ++## Domain to not audit. 
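Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is removed outright, so any module still calling it fails at policy build time instead of getting the deprecation warning this file used for other retired interfaces. Keep a shim that warns and preserves the dontaudit until callers are gone, with its interface doc block so sepolgen-ifgen still parses it; the body is sketched below. The new `dbus_unconfined` definition that takes its place is unchanged in effect.
```selinux
interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
	gen_require(`
		type system_dbusd_t;
	')

	refpolicywarn(`$0($*) has been deprecated.')
	dontaudit $1 system_dbusd_t:tcp_socket { read write };
')
```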
++## ++## ++# ++interface(`dbus_dontaudit_chat_system_bus',` ++ gen_require(` ++ attribute system_bus_type; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; + ') +diff --git a/dbus.te b/dbus.te +index 2c2e7e1..493ab48 100644 +--- a/dbus.te ++++ b/dbus.te +@@ -1,20 +1,18 @@ +-policy_module(dbus, 1.18.8) ++policy_module(dbus, 1.17.0) + + gen_require(` + class dbus all_dbus_perms; + ') + +-######################################## ++############################## + # +-# Declarations ++# Delcarations + # + + attribute dbusd_unconfined; ++attribute system_bus_type; + attribute session_bus_type; + +-attribute dbusd_system_bus_client; +-attribute dbusd_session_bus_client; +- + type dbusd_etc_t; + files_config_file(dbusd_etc_t) + +@@ -22,9 +20,6 @@ type dbusd_exec_t; + corecmd_executable_file(dbusd_exec_t) + typealias dbusd_exec_t alias system_dbusd_exec_t; + +-type session_dbusd_home_t; +-userdom_user_home_content(session_dbusd_home_t) +- + type session_dbusd_tmp_t; + typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; + typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; +@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t) + + type system_dbusd_var_run_t; + files_pid_file(system_dbusd_var_run_t) +-init_daemon_run_dir(system_dbusd_var_run_t, "dbus") ++init_sock_file(system_dbusd_var_run_t) ++mls_trusted_object(system_dbusd_var_run_t) + + ifdef(`enable_mcs',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) +@@ -51,59 +47,58 @@ ifdef(`enable_mls',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) + ') + +-######################################## ++############################## + # +-# Local policy ++# System bus local policy + # + ++# dac_override: /var/run/dbus is owned by messagebus on Debian ++# cjp: dac_override should probably go in a distro_debian ++allow 
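Review bot: `policy_module(dbus, 1.17.0)` moves the module version backwards from 1.18.8; anyone diffing installed against shipped modules sees the new one as older, and toolchains that enforce monotonic module upgrades can refuse the downgrade. If this is a rebase onto an older branch the version should at least not fall below what is already installed — bump to `policy_module(dbus, 1.18.9)` or explain the lineage in a comment. Removing `attribute dbusd_system_bus_client;` and `attribute dbusd_session_bus_client;` also breaks any out-of-tree module that requires them, so check for callers first. The typo `# Delcarations` should be `# Declarations`.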
system_dbusd_t self:capability2 block_suspend; + allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; + dontaudit system_dbusd_t self:capability sys_tty_config; + allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; + allow system_dbusd_t self:dbus { send_msg acquire_svc }; +-allow system_dbusd_t self:unix_stream_socket { accept connectto listen }; ++allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; ++allow system_dbusd_t self:unix_dgram_socket create_socket_perms; ++# Receive notifications of policy reloads and enforcing status changes. + allow system_dbusd_t self:netlink_selinux_socket { create bind read }; + ++can_exec(system_dbusd_t, dbusd_exec_t) ++ + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; + read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + + manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) + manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) +-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) ++files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) + + read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + + manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) +-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) +- +-can_exec(system_dbusd_t, dbusd_exec_t) ++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) + + kernel_read_system_state(system_dbusd_t) + kernel_read_kernel_sysctls(system_dbusd_t) + 
+-corecmd_list_bin(system_dbusd_t) +-corecmd_read_bin_pipes(system_dbusd_t) +-corecmd_read_bin_sockets(system_dbusd_t) +-corecmd_exec_shell(system_dbusd_t) +- + dev_read_urand(system_dbusd_t) + dev_read_sysfs(system_dbusd_t) + +-domain_use_interactive_fds(system_dbusd_t) +-domain_read_all_domains_state(system_dbusd_t) +- +-files_list_home(system_dbusd_t) +-files_read_usr_files(system_dbusd_t) ++files_rw_inherited_non_security_files(system_dbusd_t) + + fs_getattr_all_fs(system_dbusd_t) + fs_list_inotifyfs(system_dbusd_t) + fs_search_auto_mountpoints(system_dbusd_t) +-fs_search_cgroup_dirs(system_dbusd_t) + fs_dontaudit_list_nfs(system_dbusd_t) + ++storage_rw_inherited_fixed_disk_dev(system_dbusd_t) ++storage_rw_inherited_removable_device(system_dbusd_t) ++ ++mls_trusted_object(system_dbusd_t) + mls_fd_use_all_levels(system_dbusd_t) + mls_rangetrans_target(system_dbusd_t) + mls_file_read_all_levels(system_dbusd_t) +@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) + auth_use_nsswitch(system_dbusd_t) + auth_read_pam_console_data(system_dbusd_t) + ++corecmd_list_bin(system_dbusd_t) ++corecmd_read_bin_pipes(system_dbusd_t) ++corecmd_read_bin_sockets(system_dbusd_t) ++# needed for system-tools-backends ++corecmd_exec_shell(system_dbusd_t) ++ ++domain_use_interactive_fds(system_dbusd_t) ++domain_read_all_domains_state(system_dbusd_t) ++ ++files_list_home(system_dbusd_t) ++ + init_use_fds(system_dbusd_t) + init_use_script_ptys(system_dbusd_t) +-init_all_labeled_script_domtrans(system_dbusd_t) ++init_bin_domtrans_spec(system_dbusd_t) ++init_domtrans_script(system_dbusd_t) ++init_rw_stream_sockets(system_dbusd_t) ++init_status(system_dbusd_t) + + logging_send_audit_msgs(system_dbusd_t) + logging_send_syslog_msg(system_dbusd_t) + +-miscfiles_read_localization(system_dbusd_t) + miscfiles_read_generic_certs(system_dbusd_t) + + seutil_read_config(system_dbusd_t) + seutil_read_default_contexts(system_dbusd_t) ++seutil_sigchld_newrole(system_dbusd_t) + + 
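Review bot: `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists `connectto` twice; write `{ connectto create_stream_socket_perms }`. More substantively, `storage_rw_inherited_fixed_disk_dev(system_dbusd_t)` and `storage_rw_inherited_removable_device(system_dbusd_t)` allow the message bus to read and write open block-device descriptors it inherits; a bus daemon has no business touching disks, and if these exist only to silence leaked-fd AVCs from whatever started the daemon, the right tool is a dontaudit or fixing the fd leak, not an allow. `files_rw_inherited_non_security_files(system_dbusd_t)` is in the same category and should carry a comment naming the leaking parent. The retained `# cjp: dac_override should probably go in a distro_debian` note is still unaddressed.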
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) + userdom_dontaudit_search_user_home_dirs(system_dbusd_t) + ++userdom_home_reader(system_dbusd_t) ++ ++optional_policy(` ++ bind_domtrans(system_dbusd_t) ++') ++ + optional_policy(` + bluetooth_stream_connect(system_dbusd_t) + ') + + optional_policy(` +- policykit_read_lib(system_dbusd_t) ++ cpufreqselector_dbus_chat(system_dbusd_t) ++') ++ ++optional_policy(` ++ getty_start_services(system_dbusd_t) ++') ++ ++optional_policy(` ++ gnome_exec_gconf(system_dbusd_t) ++ gnome_read_inherited_home_icc_data_files(system_dbusd_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) ++ nis_use_ypbind(system_dbusd_t) ++') ++ ++optional_policy(` ++ networkmanager_initrc_domtrans(system_dbusd_t) ++ networkmanager_systemctl(system_dbusd_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(system_dbusd_t) ++ policykit_domtrans_auth(system_dbusd_t) ++ policykit_search_lib(system_dbusd_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_dhcpc(system_dbusd_t) ++') ++ ++optional_policy(` ++ systemd_use_fds_logind(system_dbusd_t) ++ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) ++ systemd_write_inhibit_pipes(system_dbusd_t) ++# These are caused by broken systemd patch ++ systemd_start_power_services(system_dbusd_t) ++ systemd_config_all_services(system_dbusd_t) ++ files_config_all_files(system_dbusd_t) + ') + + optional_policy(` + udev_read_db(system_dbusd_t) + ') + ++optional_policy(` ++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc ++ xserver_read_inherited_xdm_lib_files(system_dbusd_t) ++') ++ + ######################################## + # +-# Common session bus local policy ++# system_bus_type rules + # ++role system_r types system_bus_type; ++ ++fs_search_all(system_bus_type) ++ ++dbus_system_bus_client(system_bus_type) ++dbus_connect_system_bus(system_bus_type) ++ ++init_status(system_bus_type) ++init_stream_connect(system_bus_type) ++init_dgram_send(system_bus_type) 
++init_use_fds(system_bus_type) ++init_rw_stream_sockets(system_bus_type) ++ ++ps_process_pattern(system_dbusd_t, system_bus_type) ++ ++userdom_dontaudit_search_admin_dir(system_bus_type) ++userdom_read_all_users_state(system_bus_type) ++ ++optional_policy(` ++ abrt_stream_connect(system_bus_type) ++') ++ ++optional_policy(` ++ rpm_script_dbus_chat(system_bus_type) ++') ++ ++optional_policy(` ++ unconfined_dbus_send(system_bus_type) ++') + ++ifdef(`hide_broken_symptoms',` ++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; ++') ++ ++######################################## ++# ++# session_bus_type rules ++# ++allow session_bus_type self:capability2 block_suspend; + dontaudit session_bus_type self:capability sys_resource; + allow session_bus_type self:process { getattr sigkill signal }; +-dontaudit session_bus_type self:process { ptrace setrlimit }; ++dontaudit session_bus_type self:process setrlimit; + allow session_bus_type self:file { getattr read write }; + allow session_bus_type self:fifo_file rw_fifo_file_perms; + allow session_bus_type self:dbus { send_msg acquire_svc }; +-allow session_bus_type self:unix_stream_socket { accept listen }; +-allow session_bus_type self:tcp_socket { accept listen }; ++allow session_bus_type self:unix_stream_socket create_stream_socket_perms; ++allow session_bus_type self:unix_dgram_socket create_socket_perms; ++allow session_bus_type self:tcp_socket create_stream_socket_perms; + allow session_bus_type self:netlink_selinux_socket create_socket_perms; + + allow session_bus_type dbusd_etc_t:dir list_dir_perms; + read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) + +-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) +-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) +-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus") +- + 
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) + manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) +-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) ++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir }) + +-kernel_read_system_state(session_bus_type) + kernel_read_kernel_sysctls(session_bus_type) + + corecmd_list_bin(session_bus_type) +@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type) + corecmd_read_bin_pipes(session_bus_type) + corecmd_read_bin_sockets(session_bus_type) + +-corenet_all_recvfrom_unlabeled(session_bus_type) +-corenet_all_recvfrom_netlabel(session_bus_type) + corenet_tcp_sendrecv_generic_if(session_bus_type) + corenet_tcp_sendrecv_generic_node(session_bus_type) + corenet_tcp_sendrecv_all_ports(session_bus_type) + corenet_tcp_bind_generic_node(session_bus_type) +- +-corenet_sendrecv_all_server_packets(session_bus_type) + corenet_tcp_bind_reserved_port(session_bus_type) + + dev_read_urand(session_bus_type) + +-domain_read_all_domains_state(session_bus_type) + domain_use_interactive_fds(session_bus_type) ++domain_read_all_domains_state(session_bus_type) + + files_list_home(session_bus_type) +-files_read_usr_files(session_bus_type) + files_dontaudit_search_var(session_bus_type) + + fs_getattr_romfs(session_bus_type) +@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type) + fs_list_inotifyfs(session_bus_type) + fs_dontaudit_list_nfs(session_bus_type) + +-selinux_get_fs_mount(session_bus_type) + selinux_validate_context(session_bus_type) + selinux_compute_access_vector(session_bus_type) + selinux_compute_create_context(session_bus_type) +@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type) + auth_read_pam_console_data(session_bus_type) + + logging_send_audit_msgs(session_bus_type) +-logging_send_syslog_msg(session_bus_type) +- +-miscfiles_read_localization(session_bus_type) + + seutil_read_config(session_bus_type) + 
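Review bot: The new systemd optional_policy block in the system_dbusd_t hunk grants `systemd_config_all_services(system_dbusd_t)` and `files_config_all_files(system_dbusd_t)` under the comment `# These are caused by broken systemd patch`, which by the interface names hands the system bus daemon write access to every unit and every configuration file as a workaround rather than as a requirement of dbus itself. A workaround this broad should carry a tracking reference and a removal condition in the comment, e.g. `# Workaround for <tracker-id placeholder>: remove once systemd no longer needs dbus-daemon to write service config.`, so it does not outlive the bug. If the access is only needed on some deployments, wrapping those two calls in a tunable_policy would let administrators keep the daemon confined. The same hunk also adds `userdom_home_reader(system_dbusd_t)` with no comment on why the system bus must read user home content; a one-line justification would help the next reviewer decide whether it can be narrowed.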
seutil_read_default_contexts(session_bus_type) + +-term_use_all_terms(session_bus_type) ++term_use_all_inherited_terms(session_bus_type) ++ ++userdom_dontaudit_search_admin_dir(session_bus_type) ++userdom_manage_user_home_content_dirs(session_bus_type) ++userdom_manage_user_home_content_files(session_bus_type) ++userdom_manage_tmpfs_files(session_bus_type, file) ++userdom_tmpfs_filetrans(session_bus_type, file) + + optional_policy(` +- xserver_use_xdm_fds(session_bus_type) ++ gnome_read_config(session_bus_type) ++ gnome_read_gconf_home_files(session_bus_type) ++') ++ ++optional_policy(` ++ hal_dbus_chat(session_bus_type) ++') ++ ++optional_policy(` ++ thumb_domtrans(session_bus_type) ++') ++ ++optional_policy(` ++ xserver_search_xdm_lib(session_bus_type) + xserver_rw_xdm_pipes(session_bus_type) ++ xserver_use_xdm_fds(session_bus_type) ++ xserver_append_xdm_home_files(session_bus_type) + ') + + ######################################## +@@ -244,5 +344,6 @@ optional_policy(` + # Unconfined access to this module + # + +-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg; +-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms; ++allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; ++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; ++allow session_bus_type dbusd_unconfined:dbus send_msg; +diff --git a/dcc.fc b/dcc.fc +index 62d3c4e..cef59a7 100644 +--- a/dcc.fc ++++ b/dcc.fc +@@ -10,6 +10,8 @@ + /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) + /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) + ++/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) ++ + /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) + /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) + /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) +diff --git a/dcc.if b/dcc.if +index a5c21e0..4639421 
100644 +--- a/dcc.if ++++ b/dcc.if +@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',` + type dcc_var_t, dccifd_var_run_t, dccifd_t; + ') + +- files_search_var($1) ++ files_search_pids($1) + stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) + ') +diff --git a/dcc.te b/dcc.te +index 15d908f..cecb0da 100644 +--- a/dcc.te ++++ b/dcc.te +@@ -45,7 +45,7 @@ type dcc_var_t; + files_type(dcc_var_t) + + type dcc_var_run_t; +-files_type(dcc_var_run_t) ++files_pid_file(dcc_var_run_t) + + type dccd_t; + type dccd_exec_t; +@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms; + read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + ++corenet_all_recvfrom_netlabel(cdcc_t) ++corenet_udp_sendrecv_generic_if(cdcc_t) ++corenet_udp_sendrecv_generic_node(cdcc_t) ++corenet_udp_sendrecv_all_ports(cdcc_t) ++ + files_read_etc_runtime_files(cdcc_t) + + auth_use_nsswitch(cdcc_t) + + logging_send_syslog_msg(cdcc_t) + +-miscfiles_read_localization(cdcc_t) +- +-userdom_use_user_terminals(cdcc_t) ++userdom_use_inherited_user_terminals(cdcc_t) + + ######################################## + # +@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid }; + + allow dcc_client_t dcc_client_map_t:file rw_file_perms; + ++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t) ++ + manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) +@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_client_t) + ++corenet_all_recvfrom_netlabel(dcc_client_t) ++corenet_udp_sendrecv_generic_if(dcc_client_t) ++corenet_udp_sendrecv_generic_node(dcc_client_t) ++corenet_udp_sendrecv_all_ports(dcc_client_t) ++corenet_udp_bind_generic_node(dcc_client_t) ++ + files_read_etc_runtime_files(dcc_client_t) + + 
fs_getattr_all_fs(dcc_client_t) +@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t) + + logging_send_syslog_msg(dcc_client_t) + +-miscfiles_read_localization(dcc_client_t) +- +-userdom_use_user_terminals(dcc_client_t) ++userdom_use_inherited_user_terminals(dcc_client_t) + + optional_policy(` +- amavis_read_spool_files(dcc_client_t) ++ antivirus_read_db(dcc_client_t) + ') + + optional_policy(` +@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_dbclean_t) + ++corenet_all_recvfrom_netlabel(dcc_dbclean_t) ++corenet_udp_sendrecv_generic_if(dcc_dbclean_t) ++corenet_udp_sendrecv_generic_node(dcc_dbclean_t) ++corenet_udp_sendrecv_all_ports(dcc_dbclean_t) ++ + files_read_etc_runtime_files(dcc_dbclean_t) + + auth_use_nsswitch(dcc_dbclean_t) + + logging_send_syslog_msg(dcc_dbclean_t) + +-miscfiles_read_localization(dcc_dbclean_t) +- +-userdom_use_user_terminals(dcc_dbclean_t) ++userdom_use_inherited_user_terminals(dcc_dbclean_t) + + ######################################## + # +@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) + kernel_read_system_state(dccd_t) + kernel_read_kernel_sysctls(dccd_t) + +-corenet_all_recvfrom_unlabeled(dccd_t) + corenet_all_recvfrom_netlabel(dccd_t) + corenet_udp_sendrecv_generic_if(dccd_t) + corenet_udp_sendrecv_generic_node(dccd_t) +@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t) + + logging_send_syslog_msg(dccd_t) + +-miscfiles_read_localization(dccd_t) +- + userdom_dontaudit_use_unpriv_user_fds(dccd_t) + userdom_dontaudit_search_user_home_dirs(dccd_t) + +@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) + kernel_read_system_state(dccifd_t) + kernel_read_kernel_sysctls(dccifd_t) + ++corenet_all_recvfrom_netlabel(dccifd_t) ++corenet_udp_sendrecv_generic_if(dccifd_t) ++corenet_udp_sendrecv_generic_node(dccifd_t) ++corenet_udp_sendrecv_all_ports(dccifd_t) ++ + dev_read_sysfs(dccifd_t) + + domain_use_interactive_fds(dccifd_t) 
+@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t) + + logging_send_syslog_msg(dccifd_t) + +-miscfiles_read_localization(dccifd_t) +- + userdom_dontaudit_use_unpriv_user_fds(dccifd_t) + userdom_dontaudit_search_user_home_dirs(dccifd_t) + +@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) + kernel_read_system_state(dccm_t) + kernel_read_kernel_sysctls(dccm_t) + ++corenet_all_recvfrom_netlabel(dccm_t) ++corenet_udp_sendrecv_generic_if(dccm_t) ++corenet_udp_sendrecv_generic_node(dccm_t) ++corenet_udp_sendrecv_all_ports(dccm_t) ++ + dev_read_sysfs(dccm_t) + + domain_use_interactive_fds(dccm_t) +@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t) + + logging_send_syslog_msg(dccm_t) + +-miscfiles_read_localization(dccm_t) +- + userdom_dontaudit_use_unpriv_user_fds(dccm_t) + userdom_dontaudit_search_user_home_dirs(dccm_t) + +diff --git a/ddclient.if b/ddclient.if +index 5606b40..cd18cf2 100644 +--- a/ddclient.if ++++ b/ddclient.if +@@ -70,9 +70,13 @@ interface(`ddclient_admin',` + type ddclient_var_run_t, ddclient_initrc_exec_t; + ') + +- allow $1 ddclient_t:process { ptrace signal_perms }; ++ allow $1 ddclient_t:process signal_perms; + ps_process_pattern($1, ddclient_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ddclient_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ddclient_initrc_exec_t system_r; +diff --git a/ddclient.te b/ddclient.te +index 0b4b8b9..2efb435 100644 +--- a/ddclient.te ++++ b/ddclient.te +@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) + # Declarations + # + ++ + dontaudit ddclient_t self:capability sys_tty_config; + allow ddclient_t self:process signal_perms; + allow ddclient_t self:fifo_file rw_fifo_file_perms; ++allow ddclient_t self:tcp_socket create_socket_perms; ++allow ddclient_t self:udp_socket create_socket_perms; ++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms; + + read_files_pattern(ddclient_t, 
ddclient_etc_t, ddclient_etc_t) + setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) +@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t) + corecmd_exec_shell(ddclient_t) + corecmd_exec_bin(ddclient_t) + +-corenet_all_recvfrom_unlabeled(ddclient_t) + corenet_all_recvfrom_netlabel(ddclient_t) + corenet_tcp_sendrecv_generic_if(ddclient_t) + corenet_udp_sendrecv_generic_if(ddclient_t) +@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) + corenet_udp_sendrecv_generic_node(ddclient_t) + corenet_tcp_sendrecv_all_ports(ddclient_t) + corenet_udp_sendrecv_all_ports(ddclient_t) ++corenet_tcp_bind_generic_node(ddclient_t) ++corenet_udp_bind_generic_node(ddclient_t) + + corenet_sendrecv_all_client_packets(ddclient_t) + corenet_tcp_connect_all_ports(ddclient_t) +@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t) + + domain_use_interactive_fds(ddclient_t) + +-files_read_etc_files(ddclient_t) + files_read_etc_runtime_files(ddclient_t) +-files_read_usr_files(ddclient_t) + + fs_getattr_all_fs(ddclient_t) + fs_search_auto_mountpoints(ddclient_t) + ++auth_read_passwd(ddclient_t) ++ + logging_send_syslog_msg(ddclient_t) + +-miscfiles_read_localization(ddclient_t) ++mta_send_mail(ddclient_t) + + sysnet_exec_ifconfig(ddclient_t) + sysnet_dns_name_resolve(ddclient_t) +diff --git a/ddcprobe.te b/ddcprobe.te +index ceb9bf4..2496e02 100644 +--- a/ddcprobe.te ++++ b/ddcprobe.te +@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t) + dev_read_raw_memory(ddcprobe_t) + dev_wx_raw_memory(ddcprobe_t) + +-files_read_etc_files(ddcprobe_t) + files_read_etc_runtime_files(ddcprobe_t) +-files_read_usr_files(ddcprobe_t) + + term_use_all_ttys(ddcprobe_t) + term_use_all_ptys(ddcprobe_t) +diff --git a/denyhosts.if b/denyhosts.if +index a7326da..c87b5b7 100644 +--- a/denyhosts.if ++++ b/denyhosts.if +@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',` + ## Role allowed access. 
+ ## + ## ++## + # + interface(`denyhosts_admin',` + gen_require(` +@@ -60,20 +61,24 @@ interface(`denyhosts_admin',` + type denyhosts_var_log_t, denyhosts_initrc_exec_t; + ') + +- allow $1 denyhosts_t:process { ptrace signal_perms }; ++ allow $1 denyhosts_t:process signal_perms; + ps_process_pattern($1, denyhosts_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 denyhosts_t:process ptrace; ++ ') ++ + denyhosts_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 denyhosts_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, denyhosts_var_lib_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, denyhosts_var_log_t) + +- files_search_locks($1) ++ files_list_locks($1) + admin_pattern($1, denyhosts_var_lock_t) + ') +diff --git a/denyhosts.te b/denyhosts.te +index bcb9770..b53e611 100644 +--- a/denyhosts.te ++++ b/denyhosts.te +@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) + # + # Local policy + # ++# Bug #588563 ++allow denyhosts_t self:capability sys_tty_config; ++allow denyhosts_t self:fifo_file rw_fifo_file_perms; + + allow denyhosts_t self:capability sys_tty_config; + allow denyhosts_t self:fifo_file rw_fifo_file_perms; +@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t) + corecmd_exec_bin(denyhosts_t) + corecmd_exec_shell(denyhosts_t) + +-corenet_all_recvfrom_unlabeled(denyhosts_t) + corenet_all_recvfrom_netlabel(denyhosts_t) + corenet_tcp_sendrecv_generic_if(denyhosts_t) + corenet_tcp_sendrecv_generic_node(denyhosts_t) +@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t) + + dev_read_urand(denyhosts_t) + ++auth_use_nsswitch(denyhosts_t) ++ + logging_read_generic_logs(denyhosts_t) + logging_send_syslog_msg(denyhosts_t) + +-miscfiles_read_localization(denyhosts_t) +- + sysnet_dns_name_resolve(denyhosts_t) + sysnet_manage_config(denyhosts_t) + sysnet_etc_filetrans_config(denyhosts_t) +@@ -71,3 +73,7 @@ 
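Review bot: In the denyhosts.te local-policy hunk, the two rules added under `# Bug #588563` duplicate the `allow denyhosts_t self:capability sys_tty_config;` and `allow denyhosts_t self:fifo_file rw_fifo_file_perms;` context lines that immediately follow them, so the hunk adds nothing but a second copy. Drop the two added allow lines and, if the bug reference is worth keeping, attach the comment to the existing rules instead. Identical allow rules compile without complaint, which is why this kind of leftover tends to survive unnoticed.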
sysnet_etc_filetrans_config(denyhosts_t) + optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) + ') ++ ++optional_policy(` ++ gnome_dontaudit_search_config(denyhosts_t) ++') +diff --git a/devicekit.if b/devicekit.if +index d294865..3b4f593 100644 +--- a/devicekit.if ++++ b/devicekit.if +@@ -1,4 +1,4 @@ +-## Devicekit modular hardware abstraction layer. ++## Devicekit modular hardware abstraction layer + + ######################################## + ## +@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',` + type devicekit_t, devicekit_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, devicekit_exec_t, devicekit_t) + ') + + ######################################## + ## ++## Execute a domain transition to run devicekit_disk. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`devicekit_domtrans_disk',` ++ gen_require(` ++ type devicekit_disk_t, devicekit_disk_exec_t; ++ ') ++ ++ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t) ++') ++ ++######################################## ++## + ## Send to devicekit over a unix domain + ## datagram socket. + ## +@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',` + # + interface(`devicekit_dgram_send',` + gen_require(` +- type devicekit_t, devicekit_var_run_t; ++ type devicekit_t; + ') + +- files_search_pids($1) +- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t) ++ allow $1 devicekit_t:unix_dgram_socket sendto; + ') + + ######################################## +@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',` + + ######################################## + ## +-## Send generic signals to devicekit power. ++## Use file descriptors for devicekit_disk. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`devicekit_use_fds_disk',` ++ gen_require(` ++ type devicekit_disk_t; ++ ') ++ ++ allow $1 devicekit_disk_t:fd use; ++') ++ ++######################################## ++## ++## Dontaudit Send and receive messages from ++## devicekit disk over dbus. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_dbus_chat_disk',` ++ gen_require(` ++ type devicekit_disk_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 devicekit_disk_t:dbus send_msg; ++ dontaudit devicekit_disk_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Send signal devicekit power + ## + ## + ## +@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',` + allow devicekit_power_t $1:dbus send_msg; + ') + +-######################################## ++####################################### + ## +-## Create, read, write, and delete +-## devicekit log files. ++## Append inherited devicekit log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`devicekit_manage_log_files',` ++interface(`devicekit_append_inherited_log_files',` + gen_require(` + type devicekit_var_log_t; + ') + +- logging_search_logs($1) +- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ allow $1 devicekit_var_log_t:file append_inherited_file_perms; ++') ++ ++####################################### ++## ++## Do not audit attempts to write the devicekit ++## log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_rw_log',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ ++ dontaudit $1 devicekit_var_log_t:file rw_file_perms; + ') + + ######################################## + ## +-## Relabel devicekit log files. ++## Allow the domain to read devicekit_power state files in /proc. 
+ ## + ## + ## +@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',` + ## + ## + # +-interface(`devicekit_relabel_log_files',` ++interface(`devicekit_read_state_power',` + gen_require(` +- type devicekit_var_log_t; ++ type devicekit_power_t; + ') + +- logging_search_logs($1) +- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ kernel_search_proc($1) ++ ps_process_pattern($1, devicekit_power_t) + ') + + ######################################## +@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',` + + ######################################## + ## +-## Create, read, write, and delete ++## Do not audit attempts to read + ## devicekit PID files. + ## + ## + ## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_read_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; ++') ++ ++ ++######################################## ++## ++## Manage devicekit PID files. ++## ++## ++## + ## Domain allowed access. + ## + ## +@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',` + ') + + files_search_pids($1) ++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ++') ++ ++####################################### ++## ++## Relabel devicekit LOG files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_relabel_log_files',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an devicekit environment. ++## Manage devicekit LOG files. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++# ++interface(`devicekit_manage_log_files',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an devicekit environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## + ## +@@ -219,21 +347,48 @@ interface(`devicekit_admin',` + gen_require(` + type devicekit_t, devicekit_disk_t, devicekit_power_t; + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; +- type devicekit_var_log_t; + ') + +- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) ++ allow $1 devicekit_t:process signal_perms; ++ ps_process_pattern($1, devicekit_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 devicekit_t:process ptrace; ++ allow $1 devicekit_disk_t:process ptrace; ++ allow $1 devicekit_power_t:process ptrace; ++ ') ++ ++ allow $1 devicekit_disk_t:process signal_perms; ++ ps_process_pattern($1, devicekit_disk_t) ++ ++ allow $1 devicekit_power_t:process signal_perms; ++ ps_process_pattern($1, devicekit_power_t) + +- files_search_tmp($1) + admin_pattern($1, devicekit_tmp_t) ++ files_list_tmp($1) + +- files_search_var_lib($1) + admin_pattern($1, devicekit_var_lib_t) ++ files_list_var_lib($1) + +- logging_search_logs($1) +- admin_pattern($1, devicekit_var_log_t) +- +- files_search_pids($1) + admin_pattern($1, devicekit_var_run_t) ++ files_list_pids($1) ++') ++ ++######################################## ++## ++## Transition to devicekit named content ++## ++## ++## ++## Domain allowed access. 
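Review bot: `devicekit_manage_pid_files` now issues `files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")` in addition to its manage rules, and the same transition is issued again by the new `devicekit_filetrans_named_content` interface introduced in the next hunk, so a caller that only wants to manage the files gets a labeling side effect its name does not announce and a caller using both gets the rule twice. Prefer leaving the transition to `devicekit_filetrans_named_content` alone, or state it in the interface summary. The new `devicekit_manage_log_files` also keeps two commented-out `#logging_log_filetrans(...)` lines; since those transitions live in `devicekit_filetrans_named_content`, the dead text should be removed rather than left to mislead. In the `devicekit_admin` header at the end of this hunk, `## Role allowed access.` was changed to `## Domain allowed access.` for what is presumably still the role parameter; restoring `Role allowed access.` keeps it consistent with `ddclient_admin` and `dhcpd_admin` in this same patch.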
++## ++## ++# ++interface(`devicekit_filetrans_named_content',` ++ gen_require(` ++ type devicekit_var_run_t, devicekit_var_log_t; ++ ') ++ ++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") ++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") + ') +diff --git a/devicekit.te b/devicekit.te +index ff933af..cd1d88d 100644 +--- a/devicekit.te ++++ b/devicekit.te +@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) + + type devicekit_t; + type devicekit_exec_t; +-dbus_system_domain(devicekit_t, devicekit_exec_t) ++init_daemon_domain(devicekit_t, devicekit_exec_t) + + type devicekit_power_t; + type devicekit_power_exec_t; +-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) ++init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) + + type devicekit_disk_t; + type devicekit_disk_exec_t; +-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) ++init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) + + type devicekit_tmp_t; + files_tmp_file(devicekit_tmp_t) +@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t) + dev_read_sysfs(devicekit_t) + dev_read_urand(devicekit_t) + +-files_read_etc_files(devicekit_t) +- +-miscfiles_read_localization(devicekit_t) +- + optional_policy(` ++ dbus_system_domain(devicekit_t, devicekit_exec_t) + dbus_system_bus_client(devicekit_t) + + allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; +@@ -64,7 +61,8 @@ optional_policy(` + # Disk local policy + # + +-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; ++ + allow devicekit_disk_t self:process { getsched signal_perms }; + allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + allow 
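Review bot: `devicekit_admin` no longer requires `devicekit_var_log_t` and no longer calls `admin_pattern($1, devicekit_var_log_t)`, so an administrative role loses the ability to manage the log files the rest of the module still creates under that type; if that is intentional it deserves a comment, otherwise restore `logging_list_logs($1)` followed by `admin_pattern($1, devicekit_var_log_t)` alongside the other admin_pattern calls. As a point of style, the `tunable_policy(`deny_ptrace',...)` block is wedged between the devicekit_t and devicekit_disk_t signal rules; grouping the three signal_perms/ps_process_pattern pairs first and the tunable after them reads more easily and matches how the other admin interfaces in this patch are laid out.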
devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; + manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) + files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) ++files_filetrans_named_content(devicekit_disk_t) + ++kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) + kernel_getattr_message_if(devicekit_disk_t) + kernel_list_unlabeled(devicekit_disk_t) +-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) + kernel_read_fs_sysctls(devicekit_disk_t) + kernel_read_network_state(devicekit_disk_t) + kernel_read_software_raid_state(devicekit_disk_t) +@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) + + dev_getattr_all_chr_files(devicekit_disk_t) + dev_getattr_mtrr_dev(devicekit_disk_t) ++dev_rw_generic_blk_files(devicekit_disk_t) ++dev_rw_loop_control(devicekit_disk_t) + dev_getattr_usbfs_dirs(devicekit_disk_t) + dev_manage_generic_files(devicekit_disk_t) + dev_read_urand(devicekit_disk_t) +@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t) + files_manage_boot_dirs(devicekit_disk_t) + files_manage_isid_type_dirs(devicekit_disk_t) + files_manage_mnt_dirs(devicekit_disk_t) ++files_manage_etc_files(devicekit_disk_t) + files_read_etc_runtime_files(devicekit_disk_t) +-files_read_usr_files(devicekit_disk_t) + + fs_getattr_all_fs(devicekit_disk_t) + fs_list_inotifyfs(devicekit_disk_t) +@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) + storage_raw_read_removable_device(devicekit_disk_t) + storage_raw_write_removable_device(devicekit_disk_t) + +-term_use_all_terms(devicekit_disk_t) ++term_use_all_inherited_terms(devicekit_disk_t) + + auth_use_nsswitch(devicekit_disk_t) + +-miscfiles_read_localization(devicekit_disk_t) ++logging_send_syslog_msg(devicekit_disk_t) + + 
userdom_read_all_users_state(devicekit_disk_t) + userdom_search_user_home_dirs(devicekit_disk_t) ++userdom_manage_user_tmp_dirs(devicekit_disk_t) + + optional_policy(` ++ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + dbus_system_bus_client(devicekit_disk_t) + + allow devicekit_disk_t devicekit_t:dbus send_msg; +@@ -167,6 +170,7 @@ optional_policy(` + + optional_policy(` + mount_domtrans(devicekit_disk_t) ++ mount_read_pid_files(devicekit_disk_t) + ') + + optional_policy(` +@@ -180,6 +184,11 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_read_logind_sessions_files(devicekit_disk_t) ++ systemd_write_inhibit_pipes(devicekit_disk_t) ++') ++ ++optional_policy(` + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) + ') +@@ -188,12 +197,19 @@ optional_policy(` + virt_manage_images(devicekit_disk_t) + ') + ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') ++ + ######################################## + # + # Power local policy + # + +-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; ++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; ++allow devicekit_power_t self:capability2 compromise_kernel; + allow devicekit_power_t self:process { getsched signal_perms }; + allow devicekit_power_t self:fifo_file rw_fifo_file_perms; + allow devicekit_power_t self:unix_dgram_socket create_socket_perms; +@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) + manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) + files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) + +-allow devicekit_power_t devicekit_var_log_t:file append_file_perms; +-allow devicekit_power_t devicekit_var_log_t:file create_file_perms; +-allow devicekit_power_t devicekit_var_log_t:file 
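Review bot: The new `optional_policy(` block in the devicekit.te hunk calls `unconfined_domain()` on devicekit_t, devicekit_power_t and devicekit_disk_t, which makes all three domains unconfined whenever the unconfined module is present and renders the detailed allow rules in the rest of this file largely moot on such systems. If this is a temporary measure it should be gated by a tunable or at least carry a comment naming the problem it works around, so the confinement can be restored later. In the same hunk `allow devicekit_power_t self:capability2 compromise_kernel;` is added without a comment; a capability named compromise_kernel warrants a one-line note on which operation requires it. The removal of sys_ptrace from the devicekit_power_t capability set here is consistent with the deny_ptrace work elsewhere in the patch and needs no further change.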
setattr_file_perms; ++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) + logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) + + manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t) + + files_read_kernel_img(devicekit_power_t) + files_read_etc_runtime_files(devicekit_power_t) +-files_read_usr_files(devicekit_power_t) + files_dontaudit_list_mnt(devicekit_power_t) + + fs_getattr_all_fs(devicekit_power_t) + fs_list_inotifyfs(devicekit_power_t) + +-term_use_all_terms(devicekit_power_t) ++term_use_all_inherited_terms(devicekit_power_t) + + auth_use_nsswitch(devicekit_power_t) + +-miscfiles_read_localization(devicekit_power_t) ++seutil_exec_setfiles(devicekit_power_t) + + sysnet_domtrans_ifconfig(devicekit_power_t) + sysnet_domtrans_dhcpc(devicekit_power_t) +@@ -269,9 +282,11 @@ optional_policy(` + + optional_policy(` + cron_initrc_domtrans(devicekit_power_t) ++ cron_systemctl(devicekit_power_t) + ') + + optional_policy(` ++ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + dbus_system_bus_client(devicekit_power_t) + + allow devicekit_power_t devicekit_t:dbus send_msg; +@@ -302,8 +317,11 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_manage_home_config(devicekit_power_t) ++') ++ ++optional_policy(` + hal_domtrans_mac(devicekit_power_t) +- hal_manage_log(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) + ') +@@ -341,3 +359,9 @@ optional_policy(` + optional_policy(` + vbetool_domtrans(devicekit_power_t) + ') ++ ++optional_policy(` ++ corenet_tcp_connect_xserver_port(devicekit_power_t) ++ xserver_stream_connect(devicekit_power_t) ++') ++ +diff --git a/dhcp.fc b/dhcp.fc +index 7956248..5fee161 100644 +--- a/dhcp.fc ++++ b/dhcp.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/dhcpd(6)? 
-- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) ++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) + + /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) + +diff --git a/dhcp.if b/dhcp.if +index c697edb..31d45bf 100644 +--- a/dhcp.if ++++ b/dhcp.if +@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` + ') + + sysnet_search_dhcp_state($1) +- allow $1 dhcpd_state_t:file setattr; ++ allow $1 dhcpd_state_t:file setattr_file_perms; + ') + + ######################################## +@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',` + + ######################################## + ## ++## Execute dhcpd server in the dhcpd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dhcpd_systemctl',` ++ gen_require(` ++ type dhcpd_unit_file_t; ++ type dhcpd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_search_unit_dirs($1) ++ allow $1 dhcpd_unit_file_t:file read_file_perms; ++ allow $1 dhcpd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, dhcpd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an dhcpd environment. 
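Review bot: The new dhcp.fc entry `/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)` spells the stem as `dhcpcd`, which does not match the ISC server's unit (`dhcpd.service`) that the rest of this module describes — the domain is dhcpd_t and the binary pattern two lines down is `/usr/sbin/dhcpd.*`. As written, the unit file the new `dhcpd_systemctl` interface expects to read stays unlabeled, while any `dhcpcd*` client unit would get the server's label. Presumably the intended pattern is `/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`; if the dhcpcd client really was meant, the type name is wrong instead.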
+ ## +@@ -79,11 +103,16 @@ interface(`dhcpd_admin',` + gen_require(` + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; + type dhcpd_var_run_t, dhcpd_initrc_exec_t; ++ type dhcpd_unit_file_t; + ') + +- allow $1 dhcpd_t:process { ptrace signal_perms }; ++ allow $1 dhcpd_t:process signal_perms; + ps_process_pattern($1, dhcpd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dhcpd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dhcpd_initrc_exec_t system_r; +@@ -97,4 +126,8 @@ interface(`dhcpd_admin',` + + files_list_pids($1) + admin_pattern($1, dhcpd_var_run_t) ++ ++ dhcpd_systemctl($1) ++ admin_pattern($1, dhcpd_unit_file_t) ++ allow $1 dhcpd_unit_file_t:service all_service_perms; + ') +diff --git a/dhcp.te b/dhcp.te +index c93c3db..cdb4d60 100644 +--- a/dhcp.te ++++ b/dhcp.te +@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) + type dhcpd_initrc_exec_t; + init_script_file(dhcpd_initrc_exec_t) + ++type dhcpd_unit_file_t; ++systemd_unit_file(dhcpd_unit_file_t) ++ + type dhcpd_state_t; + files_type(dhcpd_state_t) + +@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t) + kernel_read_kernel_sysctls(dhcpd_t) + kernel_read_network_state(dhcpd_t) + +-corenet_all_recvfrom_unlabeled(dhcpd_t) + corenet_all_recvfrom_netlabel(dhcpd_t) + corenet_tcp_sendrecv_generic_if(dhcpd_t) + corenet_udp_sendrecv_generic_if(dhcpd_t) +@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t) + + domain_use_interactive_fds(dhcpd_t) + +-files_read_usr_files(dhcpd_t) + files_read_etc_runtime_files(dhcpd_t) + files_search_var_lib(dhcpd_t) + +@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t) + + logging_send_syslog_msg(dhcpd_t) + +-miscfiles_read_localization(dhcpd_t) +- + sysnet_read_dhcp_config(dhcpd_t) + + userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) +@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',` + sysnet_use_ldap(dhcpd_t) + ') + ++ifdef(`distro_gentoo',` ++ allow dhcpd_t self:capability { 
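Review bot: The summary of the new `dhcpd_systemctl` interface (-60 hunk) reads `## Execute dhcpd server in the dhcpd domain.`, which is the wording of a domain-transition interface, but the body grants `systemd_exec_systemctl($1)`, read access to `dhcpd_unit_file_t` and `manage_service_perms` on its service class — i.e. the caller controls the service via systemctl, it never enters dhcpd_t. Suggested summary: `## Execute systemctl in the caller domain to manage the dhcpd service unit.`, and the `` parameter summary should then say `Domain allowed access.` rather than `Domain allowed to transition.`. The same wording is reused for `dnsmasq_systemctl` in dnsmasq.if later on this page.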
chown dac_override setgid setuid sys_chroot }; ++') ++ + optional_policy(` ++ # used for dynamic DNS + bind_read_dnssec_keys(dhcpd_t) + ') + + optional_policy(` ++ cobbler_dontaudit_rw_log(dhcpd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(dhcpd_t) + dbus_connect_system_bus(dhcpd_t) + ') +diff --git a/dictd.if b/dictd.if +index 3cc3494..cb0a1f4 100644 +--- a/dictd.if ++++ b/dictd.if +@@ -38,8 +38,11 @@ interface(`dictd_admin',` + type dictd_var_run_t, dictd_initrc_exec_t; + ') + +- allow $1 dictd_t:process { ptrace signal_perms }; ++ allow $1 dictd_t:process signal_perms; + ps_process_pattern($1, dictd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dictd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, dictd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/dictd.te b/dictd.te +index fd4a602..43b800a 100644 +--- a/dictd.te ++++ b/dictd.te +@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) + kernel_read_system_state(dictd_t) + kernel_read_kernel_sysctls(dictd_t) + +-corenet_all_recvfrom_unlabeled(dictd_t) + corenet_all_recvfrom_netlabel(dictd_t) + corenet_tcp_sendrecv_generic_if(dictd_t) + corenet_tcp_sendrecv_generic_node(dictd_t) +@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t) + domain_use_interactive_fds(dictd_t) + + files_read_etc_runtime_files(dictd_t) +-files_read_usr_files(dictd_t) + files_search_var_lib(dictd_t) + + fs_getattr_xattr_fs(dictd_t) +@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t) + + logging_send_syslog_msg(dictd_t) + +-miscfiles_read_localization(dictd_t) +- + userdom_dontaudit_use_unpriv_user_fds(dictd_t) + + optional_policy(` +diff --git a/dirmngr.te b/dirmngr.te +index b3b2188..5f91705 100644 +--- a/dirmngr.te ++++ b/dirmngr.te +@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) + + kernel_read_crypto_sysctls(dirmngr_t) + +-files_read_etc_files(dirmngr_t) + + miscfiles_read_localization(dirmngr_t) +diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc +new file 
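Review bot: The dirmngr.te hunk removes `files_read_etc_files(dirmngr_t)` but keeps the blank line on both sides of it, leaving two consecutive empty lines between `kernel_read_crypto_sysctls` and `miscfiles_read_localization`. Presumably the read access is now granted at a broader level (the same call is not dropped elsewhere on this page, so this is a guess); a one-line comment stating where it moved would spare the next reader the search, and the duplicate blank line should be collapsed.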
mode 100644 +index 0000000..8c44697 +--- /dev/null ++++ b/dirsrv-admin.fc +@@ -0,0 +1,15 @@ ++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) ++ ++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) ++ ++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++ ++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++ ++/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) ++/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) ++ ++/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0) +diff --git a/dirsrv-admin.if b/dirsrv-admin.if +new file mode 100644 +index 0000000..30416f2 +--- /dev/null ++++ b/dirsrv-admin.if +@@ -0,0 +1,133 @@ ++## Administration Server for Directory Server, dirsrv-admin. ++ ++######################################## ++## ++## Exec dirsrv-admin programs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_run_exec',` ++ gen_require(` ++ type dirsrvadmin_exec_t; ++ ') ++ ++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms; ++ can_exec($1, dirsrvadmin_exec_t) ++') ++ ++######################################## ++## ++## Exec cgi programs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrvadmin_run_httpd_script_exec',` ++ gen_require(` ++ type httpd_dirsrvadmin_script_exec_t; ++ ') ++ ++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; ++ can_exec($1, httpd_dirsrvadmin_script_exec_t) ++') ++ ++######################################## ++## ++## Manage dirsrv-adminserver configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_read_config',` ++ gen_require(` ++ type dirsrvadmin_config_t; ++ ') ++ ++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t) ++') ++ ++######################################## ++## ++## Manage dirsrv-adminserver configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_manage_config',` ++ gen_require(` ++ type dirsrvadmin_config_t; ++ ') ++ ++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms; ++ allow $1 dirsrvadmin_config_t:file manage_file_perms; ++') ++ ++####################################### ++## ++## Read dirsrv-adminserver tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_read_tmp',` ++ gen_require(` ++ type dirsrvadmin_tmp_t; ++ ') ++ ++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++') ++ ++######################################## ++## ++## Manage dirsrv-adminserver tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_manage_tmp',` ++ gen_require(` ++ type dirsrvadmin_tmp_t; ++ ') ++ ++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++') ++ ++####################################### ++## ++## Execute admin cgi programs in caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrvadmin_domtrans_unconfined_script_t',` ++ gen_require(` ++ type dirsrvadmin_unconfined_script_t; ++ type dirsrvadmin_unconfined_script_exec_t; ++ ') ++ ++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t) ++ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms; ++') +diff --git a/dirsrv-admin.te b/dirsrv-admin.te +new file mode 100644 +index 0000000..021c5ae +--- /dev/null ++++ b/dirsrv-admin.te +@@ -0,0 +1,157 @@ ++policy_module(dirsrv-admin,1.0.0) ++ ++######################################## ++# ++# Declarations for the daemon ++# ++ ++type dirsrvadmin_t; ++type dirsrvadmin_exec_t; ++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t) ++role system_r types dirsrvadmin_t; ++ ++type dirsrvadmin_config_t; ++files_type(dirsrvadmin_config_t) ++ ++type dirsrvadmin_lock_t; ++files_lock_file(dirsrvadmin_lock_t) ++ ++type dirsrvadmin_tmp_t; ++files_tmp_file(dirsrvadmin_tmp_t) ++ ++type dirsrvadmin_unconfined_script_t; ++type dirsrvadmin_unconfined_script_exec_t; ++domain_type(dirsrvadmin_unconfined_script_t) ++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t) ++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t) ++role system_r types dirsrvadmin_unconfined_script_t; ++ ++######################################## ++# ++# Local policy for the daemon ++# ++ ++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; ++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; ++allow dirsrvadmin_t self:process { setrlimit signal_perms }; ++ ++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir }) ++ ++kernel_read_system_state(dirsrvadmin_t) ++ ++corecmd_exec_bin(dirsrvadmin_t) ++corecmd_read_bin_symlinks(dirsrvadmin_t) 
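Review bot: Two interface summaries in the new dirsrv-admin.if do not describe what the body grants: `dirsrvadmin_read_config` is headed `## Manage dirsrv-adminserver configuration files.` but only calls `read_files_pattern`, and `dirsrvadmin_domtrans_unconfined_script_t` is headed `## Execute admin cgi programs in caller domain.` while its body is a `domtrans_pattern` into dirsrvadmin_unconfined_script_t plus `signal_perms` on that domain. Suggested headings: `## Read dirsrv-adminserver configuration files.` and `## Execute the admin CGI programs with a domain transition to dirsrvadmin_unconfined_script_t.`. Since that target domain is declared unconfined in dirsrv-admin.te, the second summary is the one a policy admin will rely on when deciding whether to call the interface, so it should be accurate. The `_t` suffix in the interface name is also unusual for this tree; `dirsrvadmin_domtrans_unconfined_script` would follow the convention used by `dirsrv_domtrans`.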
++corecmd_search_bin(dirsrvadmin_t) ++corecmd_shell_entry_type(dirsrvadmin_t) ++ ++files_exec_etc_files(dirsrvadmin_t) ++ ++libs_exec_ld_so(dirsrvadmin_t) ++ ++logging_search_logs(dirsrvadmin_t) ++ ++# Needed for stop and restart scripts ++dirsrv_read_var_run(dirsrvadmin_t) ++ ++optional_policy(` ++ apache_domtrans(dirsrvadmin_t) ++ apache_signal(dirsrvadmin_t) ++') ++ ++######################################## ++# ++# Local policy for the CGIs ++# ++# ++# ++# Create a domain for the CGI scripts ++ ++optional_policy(` ++ apache_content_template(dirsrvadmin) ++ ++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; ++ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; ++ ++ ++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) ++ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) ++ ++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) ++ ++ ++ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t) ++ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t) ++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) ++ ++ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) ++ ++ files_search_var_lib(httpd_dirsrvadmin_script_t) ++ ++ sysnet_read_config(httpd_dirsrvadmin_script_t) ++ ++ 
manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) ++ ++ optional_policy(` ++ apache_read_modules(httpd_dirsrvadmin_script_t) ++ apache_read_config(httpd_dirsrvadmin_script_t) ++ apache_signal(httpd_dirsrvadmin_script_t) ++ apache_signull(httpd_dirsrvadmin_script_t) ++ ') ++ ++ optional_policy(` ++ # The CGI scripts must be able to manage dirsrv-admin ++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) ++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) ++ dirsrv_domtrans(httpd_dirsrvadmin_script_t) ++ dirsrv_signal(httpd_dirsrvadmin_script_t) ++ dirsrv_signull(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_log(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) ++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_config(httpd_dirsrvadmin_script_t) ++ dirsrv_read_share(httpd_dirsrvadmin_script_t) ++ ') ++') ++ ++####################################### ++# ++# Local policy for the admin CGIs ++# ++# ++ ++ ++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir }) ++ ++# needed because of filetrans rules ++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t) ++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t) ++dirsrv_domtrans(dirsrvadmin_unconfined_script_t) ++dirsrv_signal(dirsrvadmin_unconfined_script_t) ++dirsrv_signull(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_log(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t) ++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t) 
++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_config(dirsrvadmin_unconfined_script_t) ++dirsrv_read_share(dirsrvadmin_unconfined_script_t) ++ ++optional_policy(` ++ unconfined_domain(dirsrvadmin_unconfined_script_t) ++') ++ ++ +diff --git a/dirsrv.fc b/dirsrv.fc +new file mode 100644 +index 0000000..5d30dab +--- /dev/null ++++ b/dirsrv.fc +@@ -0,0 +1,23 @@ ++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) ++ ++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) ++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0) ++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) ++ ++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) ++ ++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) ++ ++# BZ: ++/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++ ++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) ++ ++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) ++ ++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) ++ ++/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) +diff --git a/dirsrv.if b/dirsrv.if +new file mode 100644 +index 0000000..b214253 +--- /dev/null ++++ b/dirsrv.if +@@ -0,0 +1,208 @@ ++## policy for dirsrv ++ ++######################################## ++## ++## Execute a domain transition to run dirsrv. ++## ++## ++## ++## Domain allowed to transition. 
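Review bot: The final `optional_policy` of the new dirsrv-admin.te turns dirsrvadmin_unconfined_script_t into an unconfined domain, and the .fc file on this page maps `/usr/lib/dirsrv/cgi-bin/ds_create` and `ds_remove` — CGI programs under the web server's cgi-bin — to its entry type, so whichever domain is given `dirsrvadmin_domtrans_unconfined_script_t` can launch an unconfined process from a web request. Nothing visible here grants that transition to httpd_dirsrvadmin_script_t, so the intended caller should be recorded in a comment above the block, e.g. `# ds_create/ds_remove are run by <caller>; they need unconfined access because <reason>`, and ideally the grant should sit behind a boolean rather than follow from the mere presence of the unconfined module. In the same spirit, the wide capability set on the web-facing CGI domain (`setuid setgid chown kill dac_override dac_read_search ...`) carries no why-comment; the doubled empty lines inside that block and the empty `# #` comment lines in the section headers are also worth tidying.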
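Review bot: In the new dirsrv.fc the `# BZ:` comment above `/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0)` cites no bug number, so it tells the reader nothing about why a socket under `/var/run/slapd*` belongs to dirsrv rather than another LDAP server. Fill in the reference (use a real bug id, not a placeholder) or replace it with a sentence naming the program that creates the socket.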
++## ++## ++# ++interface(`dirsrv_domtrans',` ++ gen_require(` ++ type dirsrv_t, dirsrv_exec_t; ++ ') ++ ++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t) ++') ++ ++ ++######################################## ++## ++## Allow caller to signal dirsrv. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_signal',` ++ gen_require(` ++ type dirsrv_t; ++ ') ++ ++ allow $1 dirsrv_t:process signal; ++') ++ ++ ++######################################## ++## ++## Send a null signal to dirsrv. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_signull',` ++ gen_require(` ++ type dirsrv_t; ++ ') ++ ++ allow $1 dirsrv_t:process signull; ++') ++ ++####################################### ++## ++## Allow a domain to manage dirsrv logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_manage_log',` ++ gen_require(` ++ type dirsrv_var_log_t; ++ ') ++ ++ allow $1 dirsrv_var_log_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_log_t:file manage_file_perms; ++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms; ++') ++ ++####################################### ++## ++## Allow a domain to manage dirsrv /var/lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_manage_var_lib',` ++ gen_require(` ++ type dirsrv_var_lib_t; ++ ') ++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_lib_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Connect to dirsrv over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_stream_connect',` ++ gen_require(` ++ type dirsrv_t, dirsrv_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ++') ++ ++####################################### ++## ++## Allow a domain to manage dirsrv /var/run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrv_manage_var_run',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ allow $1 dirsrv_var_run_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_run_t:file manage_file_perms; ++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms; ++') ++ ++###################################### ++## ++## Allow a domain to create dirsrv pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_pid_filetrans',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ # Allow creating a dir in /var/run with this type ++ files_pid_filetrans($1, dirsrv_var_run_t, dir) ++') ++ ++####################################### ++## ++## Allow a domain to read dirsrv /var/run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_read_var_run',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ allow $1 dirsrv_var_run_t:dir list_dir_perms; ++ allow $1 dirsrv_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage dirsrv configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_manage_config',` ++ gen_require(` ++ type dirsrv_config_t; ++ ') ++ ++ allow $1 dirsrv_config_t:dir manage_dir_perms; ++ allow $1 dirsrv_config_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read dirsrv share files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrv_read_share',` ++ gen_require(` ++ type dirsrv_share_t; ++ ') ++ ++ allow $1 dirsrv_share_t:dir list_dir_perms; ++ allow $1 dirsrv_share_t:file read_file_perms; ++ allow $1 dirsrv_share_t:lnk_file read; ++') +diff --git a/dirsrv.te b/dirsrv.te +new file mode 100644 +index 0000000..73d1b46 +--- /dev/null ++++ b/dirsrv.te +@@ -0,0 +1,196 @@ ++policy_module(dirsrv,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++# main daemon ++type dirsrv_t; ++type dirsrv_exec_t; ++domain_type(dirsrv_t) ++init_daemon_domain(dirsrv_t, dirsrv_exec_t) ++ ++type dirsrv_snmp_t; ++type dirsrv_snmp_exec_t; ++domain_type(dirsrv_snmp_t) ++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t) ++ ++type dirsrv_var_lib_t; ++files_type(dirsrv_var_lib_t) ++ ++type dirsrv_var_log_t; ++logging_log_file(dirsrv_var_log_t) ++ ++type dirsrv_snmp_var_log_t; ++logging_log_file(dirsrv_snmp_var_log_t) ++ ++type dirsrv_var_run_t; ++files_pid_file(dirsrv_var_run_t) ++ ++type dirsrv_snmp_var_run_t; ++files_pid_file(dirsrv_snmp_var_run_t) ++ ++type dirsrv_var_lock_t; ++files_lock_file(dirsrv_var_lock_t) ++ ++type dirsrv_config_t; ++files_type(dirsrv_config_t) ++ ++type dirsrv_tmp_t; ++files_tmp_file(dirsrv_tmp_t) ++ ++type dirsrv_tmpfs_t; ++files_tmpfs_file(dirsrv_tmpfs_t) ++ ++type dirsrv_share_t; ++files_type(dirsrv_share_t); ++ ++######################################## ++# ++# dirsrv local policy ++# ++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; ++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; ++allow dirsrv_t self:fifo_file manage_fifo_file_perms; ++allow dirsrv_t self:sem create_sem_perms; ++allow dirsrv_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) 
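Review bot: `dirsrv_manage_var_run` in the new dirsrv.if grants `allow $1 dirsrv_var_run_t:sock_file manage_file_perms;`, using the file-class permission set on the sock_file class; the tree's idiom, and what dirsrv.te itself uses via `manage_sock_files_pattern`, is `manage_sock_file_perms`, so the line should read `allow $1 dirsrv_var_run_t:sock_file manage_sock_file_perms;`. Likewise `dirsrv_read_share` uses the bare `lnk_file read` where `read_lnk_file_perms` is the convention. Minor style in the same hunk: `domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)` is missing a space, and several interfaces (`dirsrv_manage_var_lib`, `dirsrv_manage_var_run`, `dirsrv_read_var_run`) omit the blank line after `gen_require` that the others keep.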
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) ++ ++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++allow dirsrv_t dirsrv_var_log_t:dir { setattr }; ++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) ++ ++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) ++ ++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) ++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file) ++files_setattr_lock_dirs(dirsrv_t) ++ ++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++ ++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) ++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) ++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; ++ ++kernel_read_network_state(dirsrv_t) ++kernel_read_system_state(dirsrv_t) ++kernel_read_kernel_sysctls(dirsrv_t) ++ ++corecmd_search_bin(dirsrv_t) ++ ++corenet_all_recvfrom_netlabel(dirsrv_t) ++corenet_tcp_sendrecv_generic_if(dirsrv_t) ++corenet_tcp_sendrecv_generic_node(dirsrv_t) ++corenet_tcp_sendrecv_all_ports(dirsrv_t) 
++corenet_tcp_bind_generic_node(dirsrv_t) ++corenet_tcp_bind_ldap_port(dirsrv_t) ++corenet_tcp_bind_dogtag_port(dirsrv_t) ++corenet_tcp_bind_all_rpc_ports(dirsrv_t) ++corenet_udp_bind_all_rpc_ports(dirsrv_t) ++corenet_tcp_connect_all_ports(dirsrv_t) ++corenet_sendrecv_ldap_server_packets(dirsrv_t) ++corenet_sendrecv_all_client_packets(dirsrv_t) ++ ++dev_read_sysfs(dirsrv_t) ++dev_read_urand(dirsrv_t) ++ ++files_read_usr_symlinks(dirsrv_t) ++ ++fs_getattr_all_fs(dirsrv_t) ++ ++auth_use_pam(dirsrv_t) ++ ++logging_send_syslog_msg(dirsrv_t) ++ ++sysnet_dns_name_resolve(dirsrv_t) ++ ++optional_policy(` ++ apache_dontaudit_leaks(dirsrv_t) ++') ++ ++optional_policy(` ++ dirsrvadmin_read_tmp(dirsrv_t) ++') ++ ++optional_policy(` ++ kerberos_use(dirsrv_t) ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55") ++') ++ ++# FIPS mode ++optional_policy(` ++ prelink_exec(dirsrv_t) ++') ++ ++optional_policy(` ++ rpcbind_stream_connect(dirsrv_t) ++') ++ ++optional_policy(` ++ uuidd_stream_connect_manager(dirsrv_t) ++') ++ ++######################################## ++# ++# dirsrv-snmp local policy ++# ++allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; ++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms; ++ ++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++ ++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) ++ ++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t) ++ ++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t) ++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file }) ++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) ++ ++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); ++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) ++ 
++corenet_tcp_connect_agentx_port(dirsrv_snmp_t) ++ ++dev_read_rand(dirsrv_snmp_t) ++dev_read_urand(dirsrv_snmp_t) ++ ++domain_use_interactive_fds(dirsrv_snmp_t) ++ ++#files_manage_var_files(dirsrv_snmp_t) ++ ++fs_getattr_tmpfs(dirsrv_snmp_t) ++fs_search_tmpfs(dirsrv_snmp_t) ++ ++ ++sysnet_read_config(dirsrv_snmp_t) ++sysnet_dns_name_resolve(dirsrv_snmp_t) ++ ++optional_policy(` ++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_manage_var_lib_dirs(dirsrv_snmp_t) ++ snmp_manage_var_lib_files(dirsrv_snmp_t) ++ snmp_stream_connect(dirsrv_snmp_t) ++') +diff --git a/distcc.if b/distcc.if +index 24d8c74..1790ec5 100644 +--- a/distcc.if ++++ b/distcc.if +@@ -19,7 +19,7 @@ + # + interface(`distcc_admin',` + gen_require(` +- type distccd_t, distccd_t, distccd_log_t; ++ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t; + type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t; + ') + +diff --git a/distcc.te b/distcc.te +index b441a4d..83fb340 100644 +--- a/distcc.te ++++ b/distcc.te +@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) + kernel_read_system_state(distccd_t) + kernel_read_kernel_sysctls(distccd_t) + +-corenet_all_recvfrom_unlabeled(distccd_t) + corenet_all_recvfrom_netlabel(distccd_t) + corenet_tcp_sendrecv_generic_if(distccd_t) + corenet_tcp_sendrecv_generic_node(distccd_t) +@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t) + + logging_send_syslog_msg(distccd_t) + +-miscfiles_read_localization(distccd_t) +- + userdom_dontaudit_use_unpriv_user_fds(distccd_t) + userdom_dontaudit_search_user_home_dirs(distccd_t) + +diff --git a/djbdns.if b/djbdns.if +index 671d3c0..6d36c95 100644 +--- a/djbdns.if ++++ b/djbdns.if +@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',` + + allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; + allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; ++ ++ corenet_all_recvfrom_netlabel(djbdns_$1_t) ++ 
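Review bot: The new dirsrv.te gives the directory server `corenet_tcp_connect_all_ports(dirsrv_t)` alongside `corenet_tcp_sendrecv_all_ports`, `corenet_tcp_bind_all_rpc_ports` and `corenet_udp_bind_all_rpc_ports`, while its own listening side is enumerated precisely (`corenet_tcp_bind_ldap_port`, `corenet_tcp_bind_dogtag_port`). Outbound access to every TCP port is the kind of rule that should carry a why-comment naming the feature that needs it (replication or referrals would be my guess, but that is inferred), or be narrowed to the ports actually contacted. Two calls in this file also end with a stray `;` — `files_type(dirsrv_share_t);` and `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);` — unlike every other macro call in the module; drop the semicolons for consistency, and remove the commented-out `#files_manage_var_files(dirsrv_snmp_t)` rather than leaving dead policy in place.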
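Review bot: The distcc.if hunk adds `distccd_var_run_t` to the first `type` line of `distccd_admin`'s `gen_require` but leaves the misspelled `disccd_var_run_t` on the following line, so the require block now names both the correct type and one that this module never declares. Unless a type of that name exists elsewhere, the misspelled entry should be removed in the same change: `type distccd_tmp_t, distccd_initrc_exec_t;`. The duplicated `distccd_t, distccd_t` on the edited line could be collapsed at the same time.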
corenet_tcp_sendrecv_generic_if(djbdns_$1_t) ++ corenet_udp_sendrecv_generic_if(djbdns_$1_t) ++ corenet_tcp_sendrecv_generic_node(djbdns_$1_t) ++ corenet_udp_sendrecv_generic_node(djbdns_$1_t) ++ corenet_tcp_sendrecv_all_ports(djbdns_$1_t) ++ corenet_udp_sendrecv_all_ports(djbdns_$1_t) ++ corenet_tcp_bind_generic_node(djbdns_$1_t) ++ corenet_udp_bind_generic_node(djbdns_$1_t) ++ corenet_tcp_bind_dns_port(djbdns_$1_t) ++ corenet_udp_bind_dns_port(djbdns_$1_t) ++ corenet_udp_bind_generic_port(djbdns_$1_t) ++ corenet_sendrecv_dns_server_packets(djbdns_$1_t) ++ corenet_sendrecv_generic_server_packets(djbdns_$1_t) ++ ++ files_search_var(djbdns_$1_t) + ') + + ##################################### +diff --git a/djbdns.te b/djbdns.te +index 463d290..df50e4c 100644 +--- a/djbdns.te ++++ b/djbdns.te +@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain) + + files_search_var(djbdns_domain) + ++daemontools_ipc_domain(djbdns_axfrdns_t) ++daemontools_read_svc(djbdns_axfrdns_t) ++ ++ + ######################################## + # + # axfrdns local policy +diff --git a/dkim.fc b/dkim.fc +index 5818418..674367b 100644 +--- a/dkim.fc ++++ b/dkim.fc +@@ -9,7 +9,6 @@ + + /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + +-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) + +diff --git a/dmidecode.if b/dmidecode.if +index 41c3f67..653a1ec 100644 +--- a/dmidecode.if ++++ b/dmidecode.if +@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',` + domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) + ') + ++###################################### ++## ++## Execute dmidecode in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dmidecode_exec',` ++ gen_require(` ++ type dmidecode_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, dmidecode_exec_t) ++') ++ + ######################################## + ## + ## Execute dmidecode in the dmidecode +diff --git a/dmidecode.te b/dmidecode.te +index c947c2c..8d4d843 100644 +--- a/dmidecode.te ++++ b/dmidecode.te +@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t) + + locallogin_use_fds(dmidecode_t) + +-userdom_use_user_terminals(dmidecode_t) ++userdom_use_inherited_user_terminals(dmidecode_t) ++ ++optional_policy(` ++ rhsmcertd_rw_inherited_lock_files(dmidecode_t) ++') +diff --git a/dnsmasq.fc b/dnsmasq.fc +index 23ab808..84735a8 100644 +--- a/dnsmasq.fc ++++ b/dnsmasq.fc +@@ -1,13 +1,16 @@ + /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0) ++/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0) + + /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) + ++/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) ++ + /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) + + /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) + /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) + +-/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) ++/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0) + +-/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) ++/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) + /var/run/libvirt/network(/.*)? 
gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +diff --git a/dnsmasq.if b/dnsmasq.if +index 19aa0b8..e34a540 100644 +--- a/dnsmasq.if ++++ b/dnsmasq.if +@@ -10,7 +10,6 @@ + ## + ## + # +-# + interface(`dnsmasq_domtrans',` + gen_require(` + type dnsmasq_exec_t, dnsmasq_t; +@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',` + domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) + ') + ++####################################### ++## ++## Execute dnsmasq server in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dnsmasq_exec',` ++ gen_require(` ++ type dnsmasq_exec_t; ++ ') ++ ++ can_exec($1, dnsmasq_exec_t) ++') ++ ++######################################## ++## ++## Allow read/write dnsmasq pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_rw_inherited_pipes',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ + ######################################## + ## + ## Execute the dnsmasq init script in +@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',` + + ######################################## + ## ++## Execute dnsmasq server in the dnsmasq domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dnsmasq_systemctl',` ++ gen_require(` ++ type dnsmasq_unit_file_t; ++ type dnsmasq_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 dnsmasq_unit_file_t:file read_file_perms; ++ allow $1 dnsmasq_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, dnsmasq_t) ++') ++ ++######################################## ++## ++## Send sigchld to dnsmasq. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`dnsmasq_sigchld',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:process sigchld; ++') ++ ++######################################## ++## + ## Send generic signals to dnsmasq. 
+ ## + ## +@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',` + ## + ## + # +-# + interface(`dnsmasq_delete_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') + ++ files_search_pids($1) + delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + ') + ++ + ######################################## + ## + ## Create, read, write, and delete +@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',` + + ######################################## + ## +-## Read dnsmasq pid files. ++## Read dnsmasq pid files + ## + ## + ## +@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',` + ## + ## + # +-# + interface(`dnsmasq_read_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') + ++ files_search_pids($1) + read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + ') + +@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',` + + ######################################## + ## +-## Create specified objects in specified +-## directories with a type transition to +-## the dnsmasq pid file type. ++## Transition to dnsmasq named content + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Directory to transition on. +-## +-## +-## +-## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++## + ## +-## The name of the object being created. ++## The type of the directory for the object to be created. + ## + ## + # +-interface(`dnsmasq_spec_filetrans_pid',` ++interface(`dnsmasq_filetrans_named_content_fromdir',` + gen_require(` + type dnsmasq_var_run_t; + ') + +- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4) ++ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network") ++ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid") ++') ++ ++####################################### ++## ++## Transition to dnsmasq named content ++## ++## ++## ++## Domain allowed access. 
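Review bot: The summary of `dnsmasq_systemctl`, "Execute dnsmasq server in the dnsmasq domain.", does not describe what the interface grants — systemctl execution plus `read_file_perms` and `manage_service_perms` on `dnsmasq_unit_file_t` — and the same copied summary appears on `docker_systemctl` later in this patch. A summary such as `Execute systemctl to manage the dnsmasq service.` with the parameter described as `Domain allowed access.` would match the rules. `dnsmasq_sigchld` also has a doubled `#` line before `interface(`, the same stray line that the first hunk of this file removes from `dnsmasq_domtrans`.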
++## ++## ++# ++interface(`dnsmasq_filetrans_named_content',` ++ gen_require(` ++ type dnsmasq_etc_t; ++ type dnsmasq_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network") ++ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid") ++ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network") ++ files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf") ++ files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d") + ') + + ######################################## +@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',` + interface(`dnsmasq_admin',` + gen_require(` + type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; +- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; ++ type dnsmasq_var_log_t; ++ type dnsmasq_initrc_exec_t; ++ type dnsmasq_unit_file_t; + ') + +- allow $1 dnsmasq_t:process { ptrace signal_perms }; ++ allow $1 dnsmasq_t:process signal_perms; + ps_process_pattern($1, dnsmasq_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dnsmasq_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dnsmasq_initrc_exec_t system_r; +@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',` + files_list_var_lib($1) + admin_pattern($1, dnsmasq_lease_t) + +- logging_seearch_logs($1) ++ logging_search_logs($1) + admin_pattern($1, dnsmasq_var_log_t) + + files_list_pids($1) + admin_pattern($1, dnsmasq_var_run_t) ++ ++ dnsmasq_systemctl($1) ++ admin_pattern($1, dnsmasq_unit_file_t) ++ allow $1 dnsmasq_unit_file_t:service all_service_perms; + ') +diff --git a/dnsmasq.te b/dnsmasq.te +index ba14bcf..a3e6c7c 100644 +--- a/dnsmasq.te ++++ b/dnsmasq.te +@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) + type dnsmasq_var_run_t; + files_pid_file(dnsmasq_var_run_t) + ++type dnsmasq_unit_file_t; ++systemd_unit_file(dnsmasq_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, 
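Review bot: `dnsmasq_filetrans_named_content` calls `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")` with class `file`, but dnsmasq.fc in this same patch labels `/var/run/libvirt/network(/.*)?` as a directory tree, so the transition is presumably meant for `dir`. The call is also outside any `optional_policy` block, whereas every virt_* call on dnsmasq_t in dnsmasq.te is wrapped in one; if a hard dependency on the virt module is intended, a comment should say so, otherwise wrap it. Separately, replacing `dnsmasq_spec_filetrans_pid` (four parameters) with the two-parameter `dnsmasq_filetrans_named_content_fromdir` removes a public interface, and any caller elsewhere in the policy still using the old name will fail to build.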
dnsmasq_var_run_t, dnsmasq_var_run_t) + files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(dnsmasq_t) ++kernel_read_net_sysctls(dnsmasq_t) + kernel_read_network_state(dnsmasq_t) + kernel_read_system_state(dnsmasq_t) + kernel_request_load_module(dnsmasq_t) + +-corenet_all_recvfrom_unlabeled(dnsmasq_t) ++corecmd_exec_bin(dnsmasq_t) ++corecmd_exec_shell(dnsmasq_t) ++ + corenet_all_recvfrom_netlabel(dnsmasq_t) + corenet_tcp_sendrecv_generic_if(dnsmasq_t) + corenet_udp_sendrecv_generic_if(dnsmasq_t) +@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t) + + auth_use_nsswitch(dnsmasq_t) + +-logging_send_syslog_msg(dnsmasq_t) ++libs_exec_ldconfig(dnsmasq_t) + +-miscfiles_read_localization(dnsmasq_t) ++logging_send_syslog_msg(dnsmasq_t) + + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) +@@ -98,12 +104,21 @@ optional_policy(` + ') + + optional_policy(` ++ cron_manage_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(dnsmasq_t) + dbus_system_bus_client(dnsmasq_t) + ') + + optional_policy(` +- networkmanager_read_pid_files(dnsmasq_t) ++ dnsmasq_domtrans(dnsmasq_t) ++') ++ ++optional_policy(` ++ networkmanager_read_conf(dnsmasq_t) ++ networkmanager_manage_pid_files(dnsmasq_t) + ') + + optional_policy(` +@@ -124,6 +139,14 @@ optional_policy(` + + optional_policy(` + virt_manage_lib_files(dnsmasq_t) ++ virt_read_lib_files(dnsmasq_t) + virt_read_pid_files(dnsmasq_t) + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + ') ++ ++optional_policy(` ++ neutron_manage_lib_files(dnsmasq_t) ++ neutron_stream_connect(dnsmasq_t) ++ neutron_rw_fifo_file(dnsmasq_t) ++ neutron_sigchld(dnsmasq_t) ++') +diff --git a/dnssec.fc b/dnssec.fc +new file mode 100644 +index 0000000..9e231a8 +--- /dev/null ++++ b/dnssec.fc +@@ -0,0 +1,3 @@ ++/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) ++ ++/var/run/dnssec.* 
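Review bot: `corecmd_exec_shell(dnsmasq_t)` and `corecmd_exec_bin(dnsmasq_t)` let a network-facing daemon run arbitrary shell and binaries, and the hunk gives no reason; if this is for dnsmasq's external hook scripts (`--dhcp-script`), a one-line comment above the pair, `# dnsmasq runs administrator-supplied hook scripts`, would let the next reviewer judge the grant. The same applies to `libs_exec_ldconfig(dnsmasq_t)` added in the `@@ -86,9 +92,9 @@` hunk below, which is unusual for a DNS/DHCP daemon. Also, `corenet_all_recvfrom_unlabeled(dnsmasq_t)` is removed while `corenet_all_recvfrom_netlabel` stays; unless unlabeled-packet receive is granted domain-wide elsewhere in this patch, ordinary traffic to dnsmasq would be denied.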
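Review bot: `dnsmasq_domtrans(dnsmasq_t)` inside an `optional_policy` block is a self-transition of dnsmasq_t through its own entry point; the usual idiom for a daemon that re-executes itself is `can_exec(dnsmasq_t, dnsmasq_exec_t)`, which dovecot.te in this same patch uses for dovecot_t, and it needs no `optional_policy` since both types belong to this module. `networkmanager_read_pid_files` is widened to `networkmanager_manage_pid_files(dnsmasq_t)`, letting dnsmasq create and delete NetworkManager's pid files; a why-comment naming the file it writes would justify the broader grant.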
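Review bot: `virt_read_lib_files(dnsmasq_t)` is redundant next to the existing `virt_manage_lib_files(dnsmasq_t)` on the line above, since manage already includes read; dropping the added line keeps the rule set minimal. The new neutron block grants `neutron_manage_lib_files`, `neutron_stream_connect`, `neutron_rw_fifo_file` and `neutron_sigchld` together; a comment such as `# dnsmasq is spawned by the neutron dhcp agent` (if that is the case) would explain why all four are needed.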
gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) +diff --git a/dnssec.if b/dnssec.if +new file mode 100644 +index 0000000..a952041 +--- /dev/null ++++ b/dnssec.if +@@ -0,0 +1,64 @@ ++ ++## policy for dnssec_trigger ++ ++######################################## ++## ++## Transition to dnssec_trigger. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dnssec_trigger_domtrans',` ++ gen_require(` ++ type dnssec_trigger_t, dnssec_trigger_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t) ++') ++######################################## ++## ++## Read dnssec_trigger PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnssec_trigger_read_pid_files',` ++ gen_require(` ++ type dnssec_trigger_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 dnssec_trigger_var_run_t:file read_file_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an dnssec_trigger environment ++## ++## ++## ++## Domain allowed access. 
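Review bot: This new `dnssec` module labels `/usr/sbin/dnssec-triggerd` as `dnssec_trigger_exec_t`, while the patch also keeps and edits the existing `dnssectrigger.te` module whose domain is `dnssec_triggerd_t` (see the `@@ -67,8 +67,6 @@` hunk below); two modules claiming the same daemon will either conflict on the file context or leave one of them dead, and the new dnssec.if and dnssec.te hunks share the issue. If the new module replaces the old one, the old files should be removed in the same change; otherwise the new module should be dropped. The `/var/run/dnssec.*` entry also has no object-class field and an unescaped dot, so it matches every object under /var/run whose name starts with `dnssec`.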
++## ++## ++# ++interface(`dnssec_trigger_admin',` ++ gen_require(` ++ type dnssec_trigger_t; ++ type dnssec_trigger_var_run_t; ++ ') ++ ++ allow $1 dnssec_trigger_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, dnssec_trigger_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, dnssec_trigger_var_run_t) ++') +diff --git a/dnssec.te b/dnssec.te +new file mode 100644 +index 0000000..7f715f8 +--- /dev/null ++++ b/dnssec.te +@@ -0,0 +1,58 @@ ++policy_module(dnssec, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type dnssec_trigger_t; ++type dnssec_trigger_exec_t; ++init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t) ++ ++type dnssec_trigger_var_run_t; ++files_pid_file(dnssec_trigger_var_run_t) ++ ++######################################## ++# ++# dnssec_trigger local policy ++# ++allow dnssec_trigger_t self:capability linux_immutable; ++allow dnssec_trigger_t self:process signal; ++allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; ++allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms; ++allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms; ++allow dnssec_trigger_t self:udp_socket create_socket_perms; ++ ++manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) ++ ++kernel_read_system_state(dnssec_trigger_t) ++ ++corecmd_exec_bin(dnssec_trigger_t) ++corecmd_exec_shell(dnssec_trigger_t) ++ ++corenet_tcp_bind_generic_node(dnssec_trigger_t) ++corenet_tcp_bind_dnssec_port(dnssec_trigger_t) ++corenet_tcp_connect_rndc_port(dnssec_trigger_t) ++corenet_tcp_connect_http_port(dnssec_trigger_t) ++ ++dev_read_urand(dnssec_trigger_t) ++ ++domain_use_interactive_fds(dnssec_trigger_t) ++ ++files_read_etc_runtime_files(dnssec_trigger_t) ++ ++logging_send_syslog_msg(dnssec_trigger_t) 
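Review bot: `dnssec_trigger_admin` grants `{ ptrace signal_perms }` unconditionally, whereas `dnsmasq_admin` and `dovecot_admin` in this same patch move `ptrace` under `tunable_policy(`deny_ptrace',`',` … `)`; `docker_admin` later in the patch has the same unconditional grant. Using the tunable here keeps the deny_ptrace hardening consistent across admin interfaces. The summary also reads "an dnssec_trigger environment", and there is no blank line between `dnssec_trigger_domtrans` and the next `####` banner while two blank lines precede the admin interface.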
++ ++auth_read_passwd(dnssec_trigger_t) ++ ++sysnet_dns_name_resolve(dnssec_trigger_t) ++sysnet_manage_config(dnssec_trigger_t) ++ ++optional_policy(` ++ bind_read_config(dnssec_trigger_t) ++ bind_read_dnssec_keys(dnssec_trigger_t) ++') ++ ++ +diff --git a/dnssectrigger.te b/dnssectrigger.te +index ef36d73..fddd51f 100644 +--- a/dnssectrigger.te ++++ b/dnssectrigger.te +@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t) + + logging_send_syslog_msg(dnssec_triggerd_t) + +-miscfiles_read_localization(dnssec_triggerd_t) +- + sysnet_dns_name_resolve(dnssec_triggerd_t) + sysnet_manage_config(dnssec_triggerd_t) + sysnet_etc_filetrans_config(dnssec_triggerd_t) +diff --git a/docker.fc b/docker.fc +new file mode 100644 +index 0000000..484dd44 +--- /dev/null ++++ b/docker.fc +@@ -0,0 +1,12 @@ ++/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) ++ ++/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) ++ ++/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) ++ ++/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) ++/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) ++ ++/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) ++ ++/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0) +\ No newline at end of file +diff --git a/docker.if b/docker.if +new file mode 100644 +index 0000000..097c75c +--- /dev/null ++++ b/docker.if +@@ -0,0 +1,202 @@ ++ ++## policy for docker ++ ++######################################## ++## ++## Execute TEMPLATE in the docker domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_domtrans',` ++ gen_require(` ++ type docker_t, docker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, docker_exec_t, docker_t) ++') ++ ++######################################## ++## ++## Search docker lib directories. ++## ++## ++## ++## Domain allowed access. 
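Review bot: `allow dnssec_trigger_t self:capability linux_immutable;` is a notable grant (it lets the daemon set and clear the immutable attribute on files) and comes with no comment; if it is for locking the resolver configuration that `sysnet_manage_config(dnssec_trigger_t)` below already lets it rewrite, say so in a comment above the line. `corecmd_exec_shell` and `corecmd_exec_bin` likewise deserve a why-comment on a network daemon. The file also ends with two empty lines after the `bind` optional block.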
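Review bot: The `/usr/lib/systemd/system/docker.service --` entry leaves the dot unescaped, so it also matches any single character in that position; `docker\.service` is the usual form and matches the escaping used for `/var/run/docker\.pid` below. The file also ends without a trailing newline (`\ No newline at end of file`), which policy sources normally avoid. Labeling `/var/log/lxc(/.*)?` as `docker_log_t` ties an lxc path to the docker domain; a comment explaining the relationship would help anyone later adding a separate lxc module.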
++## ++## ++# ++interface(`docker_search_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read docker lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_lib_files',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage docker lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_manage_lib_files',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_manage_lib_dirs',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Read docker PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_pid_files',` ++ gen_require(` ++ type docker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, docker_var_run_t, docker_var_run_t) ++') ++ ++######################################## ++## ++## Execute docker server in the docker domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`docker_systemctl',` ++ gen_require(` ++ type docker_t; ++ type docker_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 docker_unit_file_t:file read_file_perms; ++ allow $1 docker_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, docker_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an docker environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`docker_admin',` ++ gen_require(` ++ type docker_t; ++ type docker_var_lib_t; ++ type docker_var_run_t; ++ type docker_unit_file_t; ++ ') ++ ++ allow $1 docker_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, docker_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, docker_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, docker_var_run_t) ++ ++ docker_systemctl($1) ++ admin_pattern($1, docker_unit_file_t) ++ allow $1 docker_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') ++ ++######################################## ++## ++## Read and write docker shared memory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`docker_rw_sem',` ++ gen_require(` ++ type docker_t; ++ ') ++ ++ allow $1 docker_t:sem rw_sem_perms; ++') +diff --git a/docker.te b/docker.te +new file mode 100644 +index 0000000..1229d66 +--- /dev/null ++++ b/docker.te +@@ -0,0 +1,133 @@ ++policy_module(docker, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type docker_t; ++type docker_exec_t; ++init_daemon_domain(docker_t, docker_exec_t) ++ ++type docker_var_lib_t; ++files_type(docker_var_lib_t) ++ ++type docker_log_t; ++logging_log_file(docker_log_t) ++ ++type docker_tmp_t; ++files_tmp_file(docker_tmp_t) ++ ++type docker_var_run_t; ++files_pid_file(docker_var_run_t) ++ ++type docker_unit_file_t; ++systemd_unit_file(docker_unit_file_t) ++ ++######################################## ++# ++# docker local policy ++# ++allow docker_t self:capability { chown fowner fsetid mknod net_admin }; ++allow docker_t self:process signal_perms; ++allow docker_t self:fifo_file rw_fifo_file_perms; ++allow docker_t self:unix_stream_socket create_stream_socket_perms; ++allow docker_t self:capability2 block_suspend; ++ ++manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) ++manage_files_pattern(docker_t, docker_log_t, docker_log_t) ++manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) ++logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_lnk_files_pattern(docker_t, docker_var_lib_t, 
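Review bot: `docker_domtrans` still carries the template placeholder summary "Execute TEMPLATE in the docker domin." — it should read `Execute docker in the docker domain.`. `docker_admin` documents a second parameter, "Role allowed access", but the body never references `$2` (there is no `role_transition` or init-script transition), so either drop the parameter block or use it. `docker_rw_sem` is summarised as "Read and write docker shared memory" but grants `sem rw_sem_perms`, i.e. semaphores rather than shared memory; the summary should say `Read and write docker semaphores.`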
docker_var_lib_t) ++files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(docker_t) ++kernel_read_network_state(docker_t) ++kernel_read_all_sysctls(docker_t) ++ ++domain_use_interactive_fds(docker_t) ++ ++corecmd_exec_bin(docker_t) ++corecmd_exec_shell(docker_t) ++ ++corenet_tcp_bind_generic_node(docker_t) ++ ++files_read_etc_files(docker_t) ++ ++fs_read_cgroup_files(docker_t) ++ ++auth_use_nsswitch(docker_t) ++ ++miscfiles_read_localization(docker_t) ++ ++mount_domtrans(docker_t) ++ ++sysnet_dns_name_resolve(docker_t) ++sysnet_exec_ifconfig(docker_t) ++ ++optional_policy(` ++ fstools_domtrans(docker_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(docker_t) ++') ++ ++# ++# lxc rules ++# ++ ++allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; ++allow docker_t self:process { setsched signal_perms }; ++allow docker_t self:netlink_route_socket nlmsg_write; ++allow docker_t self:unix_dgram_socket create_socket_perms; ++ ++allow docker_t docker_var_lib_t:dir mounton; ++ ++kernel_setsched(docker_t) ++ ++dev_getattr_all_blk_files(docker_t) ++dev_read_urand(docker_t) ++dev_read_lvm_control(docker_t) ++dev_read_sysfs(docker_t) ++ ++files_manage_isid_type_dirs(docker_t) ++files_manage_isid_type_files(docker_t) ++files_manage_isid_type_symlinks(docker_t) ++files_manage_isid_type_chr_files(docker_t) ++files_exec_isid_files(docker_t) ++files_mounton_isid(docker_t) ++files_mounton_non_security(docker_t) ++ ++fs_mount_all_fs(docker_t) ++fs_unmount_all_fs(docker_t) ++fs_remount_all_fs(docker_t) ++fs_manage_cgroup_dirs(docker_t) 
++fs_manage_cgroup_files(docker_t) ++ ++term_use_generic_ptys(docker_t) ++term_use_ptmx(docker_t) ++term_getattr_pty_fs(docker_t) ++ ++modutils_domtrans_insmod(docker_t) ++ ++optional_policy(` ++ virt_read_config(docker_t) ++ virt_exec(docker_t) ++') +diff --git a/dovecot.fc b/dovecot.fc +index c880070..4448055 100644 +--- a/dovecot.fc ++++ b/dovecot.fc +@@ -1,36 +1,48 @@ +-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) +-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) + +-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) +-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) +- +-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) ++# ++# /etc ++# ++/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) ++/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) ++/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) + ++/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) + /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) + +-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) ++# Debian uses /etc/dovecot/ ++ifdef(`distro_debian',` ++/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) ++') + +-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) ++# ++# /usr ++# ++/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) + +-/etc/ssl/dovecot(/.*)? 
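Review bot: docker_t's privilege set is split across two `allow docker_t self:capability` statements (`{ chown fowner fsetid mknod net_admin }` near the top and `{ sys_admin sys_boot dac_override setpcap sys_ptrace }` under "lxc rules") and `self:process signal_perms` is declared twice, which makes the effective privileges hard to audit for a domain that, with `fs_mount_all_fs`, `files_manage_isid_type_*`, `mount_domtrans` and `modutils_domtrans_insmod`, is already close to unconfined. Merging the capability sets into one statement and adding a why-comment for `sys_boot`, `sys_ptrace` and the insmod transition in particular would document what docker actually needs. The `/var/log/lxc` labeling in docker.fc and this "lxc rules" section both suggest lxc is an implementation detail of this domain; a short header comment stating that would help.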
gen_context(system_u:object_r:dovecot_cert_t,s0) ++/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) ++/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) + +-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++ifdef(`distro_debian', ` + /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++') + +-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++ifdef(`distro_redhat', ` ++/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) + /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++') + +-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++# ++# /var ++# ++/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) ++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) + +-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + +-/var/log/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_var_log_t,s0) +-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) ++/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) ++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + +-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) ++/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +diff --git a/dovecot.if b/dovecot.if +index dbcac59..66d42bb 100644 +--- a/dovecot.if ++++ b/dovecot.if +@@ -1,29 +1,49 @@ +-## POP and IMAP mail server. ++## Dovecot POP and IMAP mail server ++ ++###################################### ++## ++## Creates types and rules for a basic ++## dovecot daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`dovecot_basic_types_template',` ++ gen_require(` ++ attribute dovecot_domain; ++ ') ++ ++ type $1_t, dovecot_domain; ++ type $1_exec_t; ++ ++ kernel_read_system_state($1_t) ++') + + ####################################### + ## +-## Connect to dovecot using a unix +-## domain stream socket. ++## Connect to dovecot unix domain stream socket. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`dovecot_stream_connect',` +- gen_require(` +- type dovecot_t, dovecot_var_run_t; +- ') ++ gen_require(` ++ type dovecot_t, dovecot_var_run_t; ++ ') + +- files_search_pids($1) +- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) + ') + + ######################################## + ## +-## Connect to dovecot using a unix +-## domain stream socket. ++## Connect to dovecot auth unix domain stream socket. + ## + ## + ## +@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',` + + ######################################## + ## +-## Execute dovecot_deliver in the +-## dovecot_deliver domain. 
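Review bot: Moving `/etc/dovecot/passwd.*` inside `ifdef(`distro_debian',` means that on every other distro a password file under `/etc/dovecot/` falls under the generic `/etc/dovecot(/.*)?` entry and gets `dovecot_etc_t` rather than `dovecot_passwd_t`; since dovecot_t and dovecot_auth_t read `dovecot_etc_t` in dovecot.te, the credential file would become readable by domains that only need the configuration. If non-Debian installs never place passwd files there this is harmless, but it should be confirmed; otherwise keep the entry unconditional. The `/etc/ssl/dovecot(/.*)?` cert entry is also dropped without a replacement.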
++## Execute dovecot_deliver in the dovecot_deliver domain. + ## + ## + ## +@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',` + type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## dovecot spool files. ++## Create, read, write, and delete the dovecot spool files. + ## + ## + ## +@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',` + ') + + files_search_spool($1) +- allow $1 dovecot_spool_t:dir manage_dir_perms; +- allow $1 dovecot_spool_t:file manage_file_perms; +- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms; ++ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ++ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) + ') + + ######################################## + ## +-## Do not audit attempts to delete +-## dovecot lib files. ++## Do not audit attempts to delete dovecot lib files. + ## + ## + ## +@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',` + type dovecot_var_lib_t; + ') + +- dontaudit $1 dovecot_var_lib_t:file delete_file_perms; ++ dontaudit $1 dovecot_var_lib_t:file unlink; + ') + + ###################################### + ## +-## Write inherited dovecot tmp files. ++## Allow attempts to write inherited ++## dovecot tmp files. + ## + ## + ## +@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an dovecot environment. ++## All of the rules required to administrate ++## an dovecot environment + ## + ## + ## +@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the dovecot domain. 
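Review bot: `corecmd_search_bin($1)` is removed from `dovecot_domtrans_deliver`, while the other domtrans interfaces added in this patch (`dnssec_trigger_domtrans`, `docker_domtrans`) keep it; a caller without its own bin-directory search permission can no longer reach `/usr/libexec/dovecot/deliver`. Unless every caller is known to have that permission already, keep the line.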
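Review bot: `dovecot_manage_spool` loses directory management: the removed `allow $1 dovecot_spool_t:dir manage_dir_perms;` is not covered by `manage_files_pattern`, which only grants read/write-style access on the containing directory, so callers can no longer create or remove spool subdirectories. Add `manage_dirs_pattern($1, dovecot_spool_t, dovecot_spool_t)` before the files pattern, as dovecot.te itself does for dovecot_t.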
+ ## + ## + ## + # + interface(`dovecot_admin',` + gen_require(` +- type dovecot_t, dovecot_etc_t, dovecot_var_log_t; +- type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; +- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t; +- type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; ++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; ++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; ++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; ++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; + ') + +- allow $1 dovecot_t:process { ptrace signal_perms }; ++ allow $1 dovecot_t:process signal_perms; + ps_process_pattern($1, dovecot_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dovecot_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, dovecot_initrc_exec_t) + domain_system_change_exemption($1) +@@ -156,20 +175,25 @@ interface(`dovecot_admin',` + files_list_etc($1) + admin_pattern($1, dovecot_etc_t) + +- logging_list_logs($1) +- admin_pattern($1, dovecot_var_log_t) ++ files_list_tmp($1) ++ admin_pattern($1, dovecot_auth_tmp_t) ++ admin_pattern($1, dovecot_tmp_t) ++ ++ admin_pattern($1, dovecot_keytab_t) + + files_list_spool($1) + admin_pattern($1, dovecot_spool_t) + +- files_search_tmp($1) +- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) +- + files_list_var_lib($1) + admin_pattern($1, dovecot_var_lib_t) + ++ logging_search_logs($1) ++ admin_pattern($1, dovecot_var_log_t) ++ + files_list_pids($1) + admin_pattern($1, dovecot_var_run_t) + +- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) ++ admin_pattern($1, dovecot_cert_t) ++ ++ admin_pattern($1, dovecot_passwd_t) + ') +diff --git a/dovecot.te b/dovecot.te +index a7bfaf0..d4a79a1 100644 +--- a/dovecot.te ++++ b/dovecot.te +@@ -1,4 +1,4 @@ +-policy_module(dovecot, 1.15.6) ++policy_module(dovecot, 1.14.0) + + ######################################## + # +@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6) + + 
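Review bot: `dovecot_admin` now requires `type dovecot_keytab_t;` unconditionally, but that type is only created by `kerberos_keytab_template(dovecot, dovecot_t)` inside an `optional_policy` block in dovecot.te; if the kerberos module is absent the interface's `gen_require` would fail, so the keytab rules belong in an `optional_policy` of their own. `dovecot_deliver_tmp_t` is also dropped from the require list and from the admin pattern with no replacement visible; if deliver's tmp type still exists, admins lose access to it.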
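Review bot: `policy_module(dovecot, 1.15.6)` is changed to `1.14.0`, a lower version rather than a bump; if this file is ever loaded over an installed 1.15.6 module, tooling that compares module versions may treat it as older. If the number reflects this tree's own numbering scheme, a comment or the commit description should say so.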
attribute dovecot_domain; + +-type dovecot_t, dovecot_domain; +-type dovecot_exec_t; ++dovecot_basic_types_template(dovecot) + init_daemon_domain(dovecot_t, dovecot_exec_t) + +-type dovecot_auth_t, dovecot_domain; +-type dovecot_auth_exec_t; ++dovecot_basic_types_template(dovecot_auth) + domain_type(dovecot_auth_t) + domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) + role system_r types dovecot_auth_t; +@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t) + type dovecot_cert_t; + miscfiles_cert_type(dovecot_cert_t) + +-type dovecot_deliver_t, dovecot_domain; +-type dovecot_deliver_exec_t; ++dovecot_basic_types_template(dovecot_deliver) + domain_type(dovecot_deliver_t) + domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) + role system_r types dovecot_deliver_t; +@@ -42,11 +39,12 @@ type dovecot_passwd_t; + files_type(dovecot_passwd_t) + + type dovecot_spool_t; +-files_type(dovecot_spool_t) ++files_spool_file(dovecot_spool_t) + + type dovecot_tmp_t; + files_tmp_file(dovecot_tmp_t) + ++# /var/lib/dovecot holds SSL parameters file + type dovecot_var_lib_t; + files_type(dovecot_var_lib_t) + +@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t) + type dovecot_var_run_t; + files_pid_file(dovecot_var_run_t) + +-######################################## ++####################################### + # +-# Common local policy ++# dovecot domain local policy + # + + allow dovecot_domain self:capability2 block_suspend; +-allow dovecot_domain self:fifo_file rw_fifo_file_perms; + +-allow dovecot_domain dovecot_etc_t:dir list_dir_perms; +-allow dovecot_domain dovecot_etc_t:file read_file_perms; +-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms; ++allow dovecot_domain self:unix_dgram_socket create_socket_perms; ++allow dovecot_domain self:fifo_file rw_fifo_file_perms; + + kernel_read_all_sysctls(dovecot_domain) +-kernel_read_system_state(dovecot_domain) ++kernel_read_network_state(dovecot_domain) + + corecmd_exec_bin(dovecot_domain) + 
corecmd_exec_shell(dovecot_domain) +@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain) + dev_read_rand(dovecot_domain) + dev_read_urand(dovecot_domain) + ++# Dovecot now has quota support and it uses getmntent() to find the mountpoints. + files_read_etc_runtime_files(dovecot_domain) + +-logging_send_syslog_msg(dovecot_domain) +- +-miscfiles_read_localization(dovecot_domain) +- + ######################################## + # +-# Local policy ++# dovecot local policy + # + +-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; ++allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; + dontaudit dovecot_t self:capability sys_tty_config; + allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; +-allow dovecot_t self:tcp_socket { accept listen }; +-allow dovecot_t self:unix_stream_socket { accept connectto listen }; ++allow dovecot_t self:tcp_socket create_stream_socket_perms; ++allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) ++ ++allow dovecot_t dovecot_auth_t:process signal; + + allow dovecot_t dovecot_cert_t:dir list_dir_perms; +-allow dovecot_t dovecot_cert_t:file read_file_perms; +-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms; ++read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) ++read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) ++ ++allow dovecot_t dovecot_etc_t:dir list_dir_perms; ++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) ++files_search_etc(dovecot_t) ++ ++can_exec(dovecot_t, dovecot_exec_t) + + manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) + manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) + files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) + ++# 
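Review bot: The common `allow dovecot_domain dovecot_etc_t:…` read rules are removed here and re-added per domain for dovecot_t (next hunk) and dovecot_auth_t (last hunk), but no equivalent for dovecot_deliver_t appears within this view; if deliver reads the configuration, that hunk lies outside the visible range and should be checked. Replacing `kernel_read_system_state(dovecot_domain)` with `kernel_read_network_state` only works because `dovecot_basic_types_template` now grants `kernel_read_system_state($1_t)` per domain; a one-line comment pointing at the template would make that dependency visible.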
Allow dovecot to create and read SSL parameters file + manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) ++files_search_var_lib(dovecot_t) ++files_read_var_symlinks(dovecot_t) + + manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) ++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) + logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) + + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) +- +-can_exec(dovecot_t, dovecot_exec_t) +- +-allow dovecot_t dovecot_auth_t:process signal; +- +-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) + +-corenet_all_recvfrom_unlabeled(dovecot_t) + corenet_all_recvfrom_netlabel(dovecot_t) + corenet_tcp_sendrecv_generic_if(dovecot_t) + corenet_tcp_sendrecv_generic_node(dovecot_t) + corenet_tcp_sendrecv_all_ports(dovecot_t) + corenet_tcp_bind_generic_node(dovecot_t) +- +-corenet_sendrecv_mail_server_packets(dovecot_t) + corenet_tcp_bind_mail_port(dovecot_t) +-corenet_sendrecv_pop_server_packets(dovecot_t) + corenet_tcp_bind_pop_port(dovecot_t) +-corenet_sendrecv_sieve_server_packets(dovecot_t) ++corenet_tcp_bind_lmtp_port(dovecot_t) + corenet_tcp_bind_sieve_port(dovecot_t) +- +-corenet_sendrecv_all_client_packets(dovecot_t) + 
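Review bot: `logging_send_syslog_msg(dovecot_domain)` is removed from the common section and re-added only for dovecot_t further down, so dovecot_auth_t and dovecot_deliver_t lose syslog unless granted elsewhere outside this view; authentication failures are exactly what an operator wants logged, so this should be confirmed. `net_bind_service` is added to dovecot_t's capability set without comment — presumably for the privileged ports it binds (`corenet_tcp_bind_mail_port`, `corenet_tcp_bind_pop_port`, `corenet_tcp_bind_lmtp_port`), and a short comment saying so would help.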
corenet_tcp_connect_all_ports(dovecot_t) + corenet_tcp_connect_postgresql_port(dovecot_t) ++corenet_sendrecv_pop_server_packets(dovecot_t) ++corenet_sendrecv_all_client_packets(dovecot_t) ++ ++fs_getattr_all_fs(dovecot_t) ++fs_getattr_all_dirs(dovecot_t) ++fs_search_auto_mountpoints(dovecot_t) ++fs_list_inotifyfs(dovecot_t) + + domain_use_interactive_fds(dovecot_t) + +-files_read_var_lib_files(dovecot_t) +-files_read_var_symlinks(dovecot_t) + files_search_spool(dovecot_t) ++files_search_tmp(dovecot_t) + files_dontaudit_list_default(dovecot_t) + files_dontaudit_search_all_dirs(dovecot_t) + files_search_all_mountpoints(dovecot_t) +- +-fs_getattr_all_fs(dovecot_t) +-fs_getattr_all_dirs(dovecot_t) +-fs_search_auto_mountpoints(dovecot_t) +-fs_list_inotifyfs(dovecot_t) ++files_read_var_lib_files(dovecot_t) + + init_getattr_utmp(dovecot_t) + +@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t) + + miscfiles_read_generic_certs(dovecot_t) + +-userdom_dontaudit_use_unpriv_user_fds(dovecot_t) +-userdom_use_user_terminals(dovecot_t) ++logging_send_syslog_msg(dovecot_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(dovecot_t) +- fs_manage_nfs_files(dovecot_t) +- fs_manage_nfs_symlinks(dovecot_t) +-') ++userdom_home_manager(dovecot_t) ++userdom_dontaudit_use_unpriv_user_fds(dovecot_t) ++userdom_manage_user_home_content_dirs(dovecot_t) ++userdom_manage_user_home_content_files(dovecot_t) ++userdom_manage_user_home_content_symlinks(dovecot_t) ++userdom_manage_user_home_content_pipes(dovecot_t) ++userdom_manage_user_home_content_sockets(dovecot_t) ++userdom_filetrans_home_content(dovecot_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(dovecot_t) +- fs_manage_cifs_files(dovecot_t) +- fs_manage_cifs_symlinks(dovecot_t) ++optional_policy(` ++ mta_manage_home_rw(dovecot_t) ++ mta_manage_spool(dovecot_t) + ') + + optional_policy(` + kerberos_keytab_template(dovecot, dovecot_t) +- kerberos_manage_host_rcache(dovecot_t) +- 
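Review bot: The hunk removes `corenet_sendrecv_mail_server_packets(dovecot_t)` and `corenet_sendrecv_sieve_server_packets(dovecot_t)` yet re-adds `corenet_sendrecv_pop_server_packets(dovecot_t)`, while the domain still binds the mail, pop, sieve and (newly) lmtp ports. Under labeled networking the packet rules are what authorize traffic on a bound port, so only the pop listener would be covered; either keep a server packet rule for every bound port, including one to match the new `corenet_tcp_bind_lmtp_port(dovecot_t)`, or drop them all consistently. `corenet_all_recvfrom_unlabeled(dovecot_t)` is also removed here, as it is for exim_t and fail2ban_t further down; presumably that is now granted centrally, but nothing in this patch adds a replacement, so it is worth confirming.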
kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") ++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") + ') + + optional_policy(` +- mta_manage_spool(dovecot_t) +- mta_manage_mail_home_rw_content(dovecot_t) +- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") +- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") ++ gnome_manage_data(dovecot_t) + ') + + optional_policy(` +- postgresql_stream_connect(dovecot_t) ++ postfix_manage_private_sockets(dovecot_t) ++ postfix_search_spool(dovecot_t) + ') + + optional_policy(` +- postfix_manage_private_sockets(dovecot_t) +- postfix_search_spool(dovecot_t) ++ postgresql_stream_connect(dovecot_t) + ') + + optional_policy(` ++ # Handle sieve scripts + sendmail_domtrans(dovecot_t) + ') + +@@ -221,46 +214,65 @@ optional_policy(` + + ######################################## + # +-# Auth local policy ++# dovecot auth local policy + # + + allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; + allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; +-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; ++allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; + + read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) + ++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) ++ ++manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) ++ + manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) + manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) + files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) + + allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; + manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, 
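Review bot: The tunable-gated NFS/CIFS rules and `mta_manage_mail_home_rw_content(dovecot_t)` give way to unconditional `userdom_manage_user_home_content_{dirs,files,symlinks,pipes,sockets}(dovecot_t)` plus `userdom_filetrans_home_content(dovecot_t)`, so the IMAP server may now create, modify and delete anything in a user's home rather than only mail_home_rw_t content; `mta_manage_home_rw(dovecot_t)` in the new optional block already covers the mailbox case, so the broad rules deserve either a tunable or a comment stating why they are needed. The same widening is applied to dovecot_deliver_t in the `@@ -289,35` hunk. `gnome_manage_data(dovecot_t)` is likewise unexplained for a mail daemon; a one-line why-comment would help. The `kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")` call drops the former `file` class argument, which is only correct if this policy's kerberos.if takes two arguments; nothing in the patch shows that signature, so confirm.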
dovecot_var_run_t) ++dovecot_stream_connect_auth(dovecot_auth_t) + +-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; ++corecmd_exec_bin(dovecot_auth_t) + +-files_search_pids(dovecot_auth_t) +-files_read_usr_files(dovecot_auth_t) +-files_read_var_lib_files(dovecot_auth_t) ++logging_send_audit_msgs(dovecot_auth_t) + + auth_domtrans_chk_passwd(dovecot_auth_t) + auth_use_nsswitch(dovecot_auth_t) + +-init_rw_utmp(dovecot_auth_t) ++logging_send_syslog_msg(dovecot_auth_t) + +-logging_send_audit_msgs(dovecot_auth_t) ++files_search_pids(dovecot_auth_t) ++files_read_usr_symlinks(dovecot_auth_t) ++files_read_var_lib_files(dovecot_auth_t) ++files_search_tmp(dovecot_auth_t) + +-seutil_dontaudit_search_config(dovecot_auth_t) ++fs_getattr_xattr_fs(dovecot_auth_t) ++ ++init_rw_utmp(dovecot_auth_t) + + sysnet_use_ldap(dovecot_auth_t) + ++systemd_login_read_pid_files(dovecot_auth_t) ++ ++userdom_getattr_user_home_dirs(dovecot_auth_t) ++ + optional_policy(` ++ kerberos_use(dovecot_auth_t) ++ ++ # for gssapi (kerberos) + userdom_list_user_tmp(dovecot_auth_t) + userdom_read_user_tmp_files(dovecot_auth_t) + userdom_read_user_tmp_symlinks(dovecot_auth_t) + ') + + optional_policy(` ++ mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) + mysql_read_config(dovecot_auth_t) + mysql_tcp_connect(dovecot_auth_t) +@@ -271,15 +283,30 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(dovecot_auth_t) ++ optional_policy(` ++ oddjob_dbus_chat(dovecot_auth_t) ++ oddjob_domtrans_mkhomedir(dovecot_auth_t) ++ ') ++') ++ ++optional_policy(` + postfix_manage_private_sockets(dovecot_auth_t) ++ postfix_rw_inherited_master_pipes(dovecot_deliver_t) + postfix_search_spool(dovecot_auth_t) + ') + + ######################################## + # +-# Deliver local policy ++# dovecot deliver local policy + # + ++allow dovecot_deliver_t dovecot_t:process signull; ++ ++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; 
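Review bot: `corecmd_exec_bin(dovecot_auth_t)` lets the authentication helper execute any binary in its own domain and arrives with no comment, whereas the kerberos block below explains its userdom rules with `# for gssapi (kerberos)`; state the reason on the line (`# auth helper execs <program> -- TODO confirm`) or, if a specific helper is meant, prefer a domain-transition interface for it. `manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` similarly extends the helper from the existing socket-only access to full file management of the shared run directory, which also merits a why-comment. `dovecot_stream_connect_auth(dovecot_auth_t)` has dovecot_auth_t connecting to its own auth socket; if that is for a second auth worker it is fine, but it reads oddly next to the explicit dovecot_t rule above it.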
++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) ++ + allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + + append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) +@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t + files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) + + allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms; +-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms; +- +-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t }) ++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) ++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_stream_connect(dovecot_deliver_t) + + can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + +-allow dovecot_deliver_t dovecot_t:process signull; ++auth_use_nsswitch(dovecot_deliver_t) + +-fs_getattr_all_fs(dovecot_deliver_t) ++logging_append_all_logs(dovecot_deliver_t) ++logging_send_syslog_msg(dovecot_deliver_t) + +-auth_use_nsswitch(dovecot_deliver_t) ++dovecot_stream_connect_auth(dovecot_deliver_t) + +-logging_search_logs(dovecot_deliver_t) ++files_search_tmp(dovecot_deliver_t) ++files_dontaudit_getattr_all_dirs(dovecot_deliver_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(dovecot_deliver_t) +- fs_manage_nfs_files(dovecot_deliver_t) +- fs_manage_nfs_symlinks(dovecot_deliver_t) +-') ++fs_getattr_all_fs(dovecot_deliver_t) ++fs_dontaudit_getattr_all_fs(dovecot_deliver_t) ++fs_dontaudit_getattr_all_dirs(dovecot_deliver_t) ++fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t) ++ ++userdom_manage_user_home_content_dirs(dovecot_deliver_t) ++userdom_manage_user_home_content_files(dovecot_deliver_t) 
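Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` is inserted into the dovecot_auth_t postfix block of the auth local policy section, between `postfix_manage_private_sockets(dovecot_auth_t)` and `postfix_search_spool(dovecot_auth_t)`; every other line in that block targets dovecot_auth_t, so this looks like it belongs in the dovecot_deliver_t postfix/mta block of the deliver section (the `mta_mailserver_delivery` optional_policy in the `@@ -289,35` hunk). If the auth helper really inherits master pipes as well, the subject here should be dovecot_auth_t and the deliver rule added in its own section. Keeping subjects grouped by section is what lets a reader audit one domain's reach without scanning the whole file.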
++userdom_manage_user_home_content_symlinks(dovecot_deliver_t) ++userdom_manage_user_home_content_pipes(dovecot_deliver_t) ++userdom_manage_user_home_content_sockets(dovecot_deliver_t) ++userdom_filetrans_home_content(dovecot_deliver_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(dovecot_deliver_t) +- fs_manage_cifs_files(dovecot_deliver_t) +- fs_manage_cifs_symlinks(dovecot_deliver_t) ++userdom_home_manager(dovecot_deliver_t) ++ ++optional_policy(` ++ gnome_manage_data(dovecot_deliver_t) + ') + + optional_policy(` + mta_mailserver_delivery(dovecot_deliver_t) ++ mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) + ') + +@@ -326,5 +361,6 @@ optional_policy(` + ') + + optional_policy(` ++ # Handle sieve scripts + sendmail_domtrans(dovecot_deliver_t) + ') +diff --git a/drbd.if b/drbd.if +index 9a21639..26c5986 100644 +--- a/drbd.if ++++ b/drbd.if +@@ -2,12 +2,11 @@ + + ######################################## + ## +-## Execute a domain transition to +-## run drbd. ++## Execute a domain transition to run drbd. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +@@ -16,14 +15,91 @@ interface(`drbd_domtrans',` + type drbd_t, drbd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, drbd_exec_t, drbd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an drbd environment. ++## Search drbd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`drbd_search_lib',` ++ gen_require(` ++ type drbd_var_lib_t; ++ ') ++ ++ allow $1 drbd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read drbd lib files. ++## ++## ++## ++## Domain allowed access. 
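Review bot: `logging_append_all_logs(dovecot_deliver_t)` replaces `logging_search_logs(dovecot_deliver_t)` and grants append on every log type in the system, while the domain already has `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` for its own log just above the hunk. If a specific foreign log produced the denial, the targeted interface for that log (or extending the dovecot_var_log_t labeling) is preferable to the all-logs attribute; at minimum a comment naming the log should accompany it. `fs_dontaudit_getattr_all_fs(dovecot_deliver_t)` is added directly under the retained `fs_getattr_all_fs(dovecot_deliver_t)`; an allow already suppresses the audit record, so the dontaudit appears redundant and can be dropped.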
++## ++## ++# ++interface(`drbd_read_lib_files',` ++ gen_require(` ++ type drbd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## drbd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`drbd_manage_lib_files',` ++ gen_require(` ++ type drbd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage drbd lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`drbd_manage_lib_dirs',` ++ gen_require(` ++ type drbd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an drbd environment + ## + ## + ## +@@ -35,7 +111,6 @@ interface(`drbd_domtrans',` + ## Role allowed access. 
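Review bot: `corecmd_search_bin($1)` is dropped from `drbd_domtrans`, so a caller now needs search on the bin directories from elsewhere to reach drbd_exec_t; the same removal is made in `dspam_domtrans` in the dspam.if hunk below. If that search permission is now granted to all domains centrally in this policy, a short comment in one of the two interfaces (`# corecmd_search_bin is granted globally`) would stop the next reader from re-adding it; otherwise the call should stay. Among the new lib interfaces, `drbd_search_lib` places `files_search_var_lib($1)` after its allow rule while the three interfaces beneath it put the search first; pick one order for the file.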
+ ## + ## +-## + # + interface(`drbd_admin',` + gen_require(` +@@ -43,9 +118,13 @@ interface(`drbd_admin',` + type drbd_var_lib_t; + ') + +- allow $1 drbd_t:process { ptrace signal_perms }; ++ allow $1 drbd_t:process signal_perms; + ps_process_pattern($1, drbd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 drbd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, drbd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 drbd_initrc_exec_t system_r; +@@ -57,3 +136,4 @@ interface(`drbd_admin',` + files_search_var_lib($1) + admin_pattern($1, drbd_var_lib_t) + ') ++ +diff --git a/drbd.te b/drbd.te +index 8e5ee54..6e11edb 100644 +--- a/drbd.te ++++ b/drbd.te +@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; + allow drbd_t self:fifo_file rw_fifo_file_perms; + allow drbd_t self:unix_stream_socket create_stream_socket_perms; + allow drbd_t self:netlink_socket create_socket_perms; +-allow drbd_t self:netlink_route_socket nlmsg_write; ++allow drbd_t self:netlink_route_socket rw_netlink_socket_perms; + + manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) + manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) +@@ -46,10 +46,6 @@ dev_read_rand(drbd_t) + dev_read_sysfs(drbd_t) + dev_read_urand(drbd_t) + +-files_read_etc_files(drbd_t) +- + storage_raw_read_fixed_disk(drbd_t) + +-miscfiles_read_localization(drbd_t) +- + sysnet_dns_name_resolve(drbd_t) +diff --git a/dspam.fc b/dspam.fc +index 5eddac5..3ea0423 100644 +--- a/dspam.fc ++++ b/dspam.fc +@@ -5,8 +5,13 @@ + /usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) + + /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) +-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) + + /var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) + + /var/run/dspam(/.*)? 
gen_context(system_u:object_r:dspam_var_run_t,s0) ++ ++# web ++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) ++/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) ++ ++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) +diff --git a/dspam.if b/dspam.if +index 18f2452..a446210 100644 +--- a/dspam.if ++++ b/dspam.if +@@ -1,13 +1,15 @@ +-## Content-based spam filter designed for multi-user enterprise systems. ++ ++## policy for dspam ++ + + ######################################## + ## + ## Execute a domain transition to run dspam. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`dspam_domtrans',` +@@ -15,35 +17,211 @@ interface(`dspam_domtrans',` + type dspam_t, dspam_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, dspam_exec_t, dspam_t) + ') + +-####################################### ++ ++######################################## + ## +-## Connect to dspam using a unix +-## domain stream socket. ++## Execute dspam server in the dspam domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`dspam_initrc_domtrans',` ++ gen_require(` ++ type dspam_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, dspam_initrc_exec_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read dspam's log files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`dspam_stream_connect',` ++interface(`dspam_read_log',` ++ gen_require(` ++ type dspam_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, dspam_log_t, dspam_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## dspam log files. ++## ++## ++## ++## Domain allowed to transition. 
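Review bot: `/var/www/dspam(/.*?)` does not follow the `(/.*)?` form used by every other entry in this file: with the `?` inside the group the group becomes mandatory, so the `/var/www/dspam` directory itself never matches, and a lazy `.*?` is not a POSIX ERE construct the file-context matcher is guaranteed to honour. It should read `/var/www/dspam(/.*)? gen_context(system_u:object_r:httpd_dspam_content_t,s0)`. Separately, the relocated `/var/lib/dspam/data(/.*)?` entry keeps the type `httpd_dspam_rw_content_t`, while the dspam.te hunk `@@ -64,14 +73,32` in this same patch switches the daemon's rules to `httpd_dspam_content_rw_t`; unless apache_content_template declares both spellings, one of the two files names an undeclared type and the module will not build, so the two must agree.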
++## ++## ++# ++interface(`dspam_append_log',` ++ gen_require(` ++ type dspam_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, dspam_log_t, dspam_log_t) ++') ++ ++######################################## ++## ++## Allow domain to manage dspam log files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dspam_manage_log',` ++ gen_require(` ++ type dspam_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, dspam_log_t, dspam_log_t) ++ manage_files_pattern($1, dspam_log_t, dspam_log_t) ++ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t) ++') ++ ++######################################## ++## ++## Search dspam lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dspam_search_lib',` ++ gen_require(` ++ type dspam_var_lib_t; ++ ') ++ ++ allow $1 dspam_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read dspam lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dspam_read_lib_files',` ++ gen_require(` ++ type dspam_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## dspam lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dspam_manage_lib_files',` ++ gen_require(` ++ type dspam_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++') ++ ++######################################## ++## ++## Manage dspam lib dirs files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dspam_manage_lib_dirs',` + gen_require(` +- type dspam_t, dspam_var_run_t, dspam_tmp_t; ++ type dspam_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Read dspam PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dspam_read_pid_files',` ++ gen_require(` ++ type dspam_var_run_t; + ') + + files_search_pids($1) ++ allow $1 dspam_var_run_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Connect to DSPAM using a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dspam_stream_connect',` ++ gen_require(` ++ type dspam_t, dspam_var_run_t, dspam_tmp_t; ++ ') ++ ++ files_search_pids($1) + files_search_tmp($1) +- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t) ++ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t) ++ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an dspam environment. 
++## All of the rules required to administrate ++## an dspam environment + ## + ## + ## +@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',` + # + interface(`dspam_admin',` + gen_require(` +- type dspam_t, dspam_initrc_exec_t, dspam_log_t; +- type dspam_var_lib_t, dspam_var_run_t; ++ type dspam_t; ++ type dspam_initrc_exec_t; ++ type dspam_log_t; ++ type dspam_var_lib_t; ++ type dspam_var_run_t; + ') + +- allow $1 dspam_t:process { ptrace signal_perms }; ++ allow $1 dspam_t:process signal_perms; + ps_process_pattern($1, dspam_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dspam_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, dspam_initrc_exec_t) ++ dspam_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 dspam_initrc_exec_t system_r; + allow $2 system_r; +@@ -79,4 +263,5 @@ interface(`dspam_admin',` + + files_search_pids($1) + admin_pattern($1, dspam_var_run_t) ++ + ') +diff --git a/dspam.te b/dspam.te +index 266cb8f..b619351 100644 +--- a/dspam.te ++++ b/dspam.te +@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) + + allow dspam_t self:capability net_admin; + allow dspam_t self:process signal; ++ ++allow dspam_t self:tcp_socket { listen accept }; ++ + allow dspam_t self:fifo_file rw_fifo_file_perms; + allow dspam_t self:unix_stream_socket { accept listen }; + +@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t) + corenet_tcp_bind_spamd_port(dspam_t) + corenet_tcp_connect_spamd_port(dspam_t) + corenet_tcp_sendrecv_spamd_port(dspam_t) ++corenet_tcp_bind_lmtp_port(dspam_t) ++corenet_tcp_connect_lmtp_port(dspam_t) ++ ++kernel_read_system_state(dspam_t) ++ ++corecmd_exec_shell(dspam_t) + + files_search_spool(dspam_t) + +@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t) + + logging_send_syslog_msg(dspam_t) + +-miscfiles_read_localization(dspam_t) +- + optional_policy(` + apache_content_template(dspam) + ++ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) ++ ++ 
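Review bot: `dspam_read_pid_files` grants only `allow $1 dspam_var_run_t:file read_file_perms;` after `files_search_pids($1)`, but dspam.fc labels the whole `/var/run/dspam(/.*)?` tree dspam_var_run_t, so a caller still cannot search that directory to reach the pid file; use `read_files_pattern($1, dspam_var_run_t, dspam_var_run_t)` instead, as the sibling lib interfaces do. Several parameter descriptions are copy-paste leftovers: `dspam_append_log` says "Domain allowed to transition." and `dspam_manage_log` says "Domain to not audit.", and both should be "Domain allowed access." `dspam_initrc_domtrans` describes its parameter as "The type of the process performing this action." while every other interface in the file uses "Domain allowed access."; keep the wording uniform. The file-level summary replaced in the first hunk ("policy for dspam") also says less than the line it removed.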
files_search_var_lib(httpd_dspam_script_t) + list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) +- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) +- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) ++ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) ++ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) ++ ++ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) ++ ++ term_dontaudit_search_ptys(httpd_dspam_script_t) ++ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) ++ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) ++ ++ init_read_utmp(httpd_dspam_script_t) ++ ++ logging_send_syslog_msg(httpd_dspam_script_t) ++ ++ mta_send_mail(httpd_dspam_script_t) ++ ++ optional_policy(` ++ mysql_tcp_connect(httpd_dspam_script_t) ++ mysql_stream_connect(httpd_dspam_script_t) ++ ') + ') + + optional_policy(` +@@ -87,3 +114,12 @@ optional_policy(` + + postgresql_tcp_connect(dspam_t) + ') ++ ++optional_policy(` ++ postfix_rw_inherited_master_pipes(dspam_t) ++ postfix_list_spool(dspam_t) ++') ++ ++optional_policy(` ++ procmail_domtrans(dspam_t) ++') +diff --git a/entropyd.te b/entropyd.te +index a0da189..d8bc9d5 100644 +--- a/entropyd.te ++++ b/entropyd.te +@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) + dev_read_rand(entropyd_t) + dev_write_rand(entropyd_t) + +-files_read_etc_files(entropyd_t) +-files_read_usr_files(entropyd_t) +- + fs_getattr_all_fs(entropyd_t) + fs_search_auto_mountpoints(entropyd_t) + +@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t) + + logging_send_syslog_msg(entropyd_t) + +-miscfiles_read_localization(entropyd_t) ++auth_use_nsswitch(entropyd_t) + + userdom_dontaudit_use_unpriv_user_fds(entropyd_t) + userdom_dontaudit_search_user_home_dirs(entropyd_t) +diff --git a/evolution.fc b/evolution.fc +index 597f305..8520653 100644 +--- a/evolution.fc ++++ b/evolution.fc +@@ -1,5 +1,6 @@ + 
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) + HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) ++HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) + + /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) + +diff --git a/evolution.te b/evolution.te +index 94fb625..3742ee1 100644 +--- a/evolution.te ++++ b/evolution.te +@@ -168,7 +168,6 @@ dev_read_urand(evolution_t) + + domain_dontaudit_read_all_domains_state(evolution_t) + +-files_read_usr_files(evolution_t) + + fs_search_auto_mountpoints(evolution_t) + +@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t) + + userdom_manage_user_home_content_dirs(evolution_t) + userdom_manage_user_home_content_files(evolution_t) +-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file }) ++userdom_filetrans_home_content(evolution_t) + + userdom_write_user_tmp_sockets(evolution_t) + +@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio + + dev_read_urand(evolution_alarm_t) + +-files_read_usr_files(evolution_alarm_t) + + fs_search_auto_mountpoints(evolution_alarm_t) + +@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t) + + dev_read_urand(evolution_exchange_t) + +-files_read_usr_files(evolution_exchange_t) + + fs_search_auto_mountpoints(evolution_exchange_t) + +@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t) + + dev_read_urand(evolution_server_t) + +-files_read_usr_files(evolution_server_t) + + fs_search_auto_mountpoints(evolution_server_t) + +diff --git a/exim.if b/exim.if +index 6041113..ef3b449 100644 +--- a/exim.if ++++ b/exim.if +@@ -21,35 +21,51 @@ interface(`exim_domtrans',` + + ######################################## + ## +-## Execute exim in the exim domain, +-## and allow the specified role +-## the exim domain. ++## Execute the mailman program in the mailman domain. 
+ ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + ## +-## +-## Role allowed access. +-## ++## ++## The role to allow the mailman domain. ++## + ## + ## + # + interface(`exim_run',` ++ gen_require(` ++ type exim_t; ++ ') ++ ++ exim_domtrans($1) ++ role $2 types exim_t; ++') ++ ++######################################## ++## ++## Execute exim in the exim domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`exim_initrc_domtrans',` + gen_require(` +- attribute_role exim_roles; ++ type exim_initrc_exec_t; + ') + +- exim_domtrans($1) +- roleattribute $2 exim_roles; ++ init_labeled_script_domtrans($1, exim_initrc_exec_t) + ') + + ######################################## + ## +-## Do not audit attempts to read exim +-## temporary tmp files. ++## Do not audit attempts to read, ++## exim tmp files + ## + ## + ## +@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',` + + ######################################## + ## +-## Read exim temporary files. ++## Allow domain to read, exim tmp files + ## + ## + ## +@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',` + + ######################################## + ## +-## Read exim pid files. ++## Read exim PID files. + ## + ## + ## +@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',` + + ######################################## + ## +-## Read exim log files. ++## Allow the specified domain to read exim's log files. + ## + ## + ## +@@ -125,7 +141,8 @@ interface(`exim_read_log',` + + ######################################## + ## +-## Append exim log files. ++## Allow the specified domain to append ++## exim log files. + ## + ## + ## +@@ -144,8 +161,7 @@ interface(`exim_append_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## exim log files. ++## Allow the specified domain to manage exim's log files. 
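Review bot: The rewritten `exim_run` header now reads "Execute the mailman program in the mailman domain." and its role parameter "The role to allow the mailman domain."; that is copy-paste from another module and should describe exim, e.g. `## Execute exim in the exim domain, and allow the specified role the exim domain.` with `## Role allowed access.` for the second parameter. The new `exim_initrc_domtrans` summary "Execute exim in the exim domain." is the domtrans wording; it runs the init script, so `## Execute exim server in the exim domain.` (the phrasing dspam_initrc_domtrans uses) fits better. The switch from `roleattribute $2 exim_roles;` to `role $2 types exim_t;` is only safe if exim.te no longer depends on the exim_roles attribute; none of the exim.te hunks in this patch touch that declaration, so confirm.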
+ ## + ## + ## +@@ -166,7 +182,7 @@ interface(`exim_manage_log',` + ######################################## + ## + ## Create, read, write, and delete +-## exim spool directories. ++## exim spool dirs. + ## + ## + ## +@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an exim environment. ++## All of the rules required to administrate ++## an exim environment. + ## + ## + ## +@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',` + ## Role allowed access. + ## + ## +-## + # + interface(`exim_admin',` + gen_require(` +- type exim_t, exim_spool_t, exim_log_t; +- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; ++ type exim_t, exim_initrc_exec_t, exim_log_t; ++ type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + +- allow $1 exim_t:process { ptrace signal_perms }; ++ allow $1 exim_t:process signal_perms; + ps_process_pattern($1, exim_t) + +- init_labeled_script_domtrans($1, exim_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 exim_t:process ptrace; ++ ') ++ ++ exim_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; +diff --git a/exim.te b/exim.te +index 19325ce..3e86b12 100644 +--- a/exim.te ++++ b/exim.te +@@ -49,7 +49,7 @@ type exim_log_t; + logging_log_file(exim_log_t) + + type exim_spool_t; +-files_type(exim_spool_t) ++files_spool_file(exim_spool_t) + + type exim_tmp_t; + files_tmp_file(exim_tmp_t) +@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t) + + kernel_read_kernel_sysctls(exim_t) + kernel_read_network_state(exim_t) +-kernel_dontaudit_read_system_state(exim_t) ++kernel_read_system_state(exim_t) + + corecmd_search_bin(exim_t) + +-corenet_all_recvfrom_unlabeled(exim_t) + corenet_all_recvfrom_netlabel(exim_t) + corenet_tcp_sendrecv_generic_if(exim_t) + corenet_udp_sendrecv_generic_if(exim_t) +@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t) + + 
logging_send_syslog_msg(exim_t) + +-miscfiles_read_localization(exim_t) + miscfiles_read_generic_certs(exim_t) + + userdom_dontaudit_search_user_home_dirs(exim_t) +@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',` + corenet_sendrecv_mssql_client_packets(exim_t) + corenet_tcp_connect_mssql_port(exim_t) + corenet_tcp_sendrecv_mssql_port(exim_t) +- corenet_sendrecv_oracledb_client_packets(exim_t) +- corenet_tcp_connect_oracledb_port(exim_t) +- corenet_tcp_sendrecv_oracledb_port(exim_t) ++ corenet_sendrecv_oracle_client_packets(exim_t) ++ corenet_tcp_connect_oracle_port(exim_t) ++ corenet_tcp_sendrecv_oracle_port(exim_t) + ') + + tunable_policy(`exim_read_user_files',` +@@ -170,8 +168,8 @@ tunable_policy(`exim_manage_user_files',` + ') + + optional_policy(` +- clamav_domtrans_clamscan(exim_t) +- clamav_stream_connect(exim_t) ++ antivirus_domtrans(exim_t) ++ antivirus_stream_connect(exim_t) + ') + + optional_policy(` +@@ -192,11 +190,6 @@ optional_policy(` + ') + + optional_policy(` +- mailman_read_data_files(exim_t) +- mailman_domtrans(exim_t) +-') +- +-optional_policy(` + nagios_search_spool(exim_t) + ') + +@@ -218,6 +211,7 @@ optional_policy(` + + optional_policy(` + procmail_domtrans(exim_t) ++ procmail_read_home_files(exim_t) + ') + + optional_policy(` +diff --git a/fail2ban.if b/fail2ban.if +index 50d0084..6565422 100644 +--- a/fail2ban.if ++++ b/fail2ban.if +@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',` + domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) + ') + +-######################################## ++####################################### + ## +-## Execute the fail2ban client in +-## the fail2ban client domain. ++## Execute the fail2ban client in ++## the fail2ban client domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. 
++## + ## + # + interface(`fail2ban_domtrans_client',` +- gen_require(` +- type fail2ban_client_t, fail2ban_client_exec_t; +- ') ++ gen_require(` ++ type fail2ban_client_t, fail2ban_client_exec_t; ++ ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) + ') + +-######################################## ++####################################### + ## +-## Execute fail2ban client in the +-## fail2ban client domain, and allow +-## the specified role the fail2ban +-## client domain. ++## Execute fail2ban client in the ++## fail2ban client domain, and allow ++## the specified role the fail2ban ++## client domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. ++## + ## + # + interface(`fail2ban_run_client',` +- gen_require(` +- attribute_role fail2ban_client_roles; +- ') ++ gen_require(` ++ attribute_role fail2ban_client_roles; ++ ') + +- fail2ban_domtrans_client($1) +- roleattribute $2 fail2ban_client_roles; ++ fail2ban_domtrans_client($1) ++ roleattribute $2 fail2ban_client_roles; + ') + + ##################################### + ## +-## Connect to fail2ban over a +-## unix domain stream socket. ++## Connect to fail2ban over a unix domain ++## stream socket. + ## + ## + ## +@@ -102,51 +102,12 @@ interface(`fail2ban_rw_inherited_tmp_files',` + ') + + files_search_tmp($1) +- allow $1 fail2ban_tmp_t:file { read write }; +-') +- +-######################################## +-## +-## Do not audit attempts to use +-## fail2ban file descriptors. +-## +-## +-## +-## Domain to not audit. 
+-## +-## +-# +-interface(`fail2ban_dontaudit_use_fds',` +- gen_require(` +- type fail2ban_t; +- ') +- +- dontaudit $1 fail2ban_t:fd use; +-') +- +-######################################## +-## +-## Do not audit attempts to read and +-## write fail2ban unix stream sockets +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`fail2ban_dontaudit_rw_stream_sockets',` +- gen_require(` +- type fail2ban_t; +- ') +- +- dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ++ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Read and write fail2ban unix +-## stream sockets. ++## Read and write to an fail2ba unix stream socket. + ## + ## + ## +@@ -178,12 +139,12 @@ interface(`fail2ban_read_lib_files',` + ') + + files_search_var_lib($1) +- allow $1 fail2ban_var_lib_t:file read_file_perms; ++ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) + ') + + ######################################## + ## +-## Read fail2ban log files. ++## Allow the specified domain to read fail2ban's log files. + ## + ## + ## +@@ -198,12 +159,14 @@ interface(`fail2ban_read_log',` + ') + + logging_search_logs($1) ++ allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file read_file_perms; + ') + + ######################################## + ## +-## Append fail2ban log files. ++## Allow the specified domain to append ++## fail2ban log files. + ## + ## + ## +@@ -217,12 +180,13 @@ interface(`fail2ban_append_log',` + ') + + logging_search_logs($1) ++ allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file append_file_perms; + ') + + ######################################## + ## +-## Read fail2ban pid files. ++## Read fail2ban PID files. + ## + ## + ## +@@ -241,8 +205,28 @@ interface(`fail2ban_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an fail2ban environment. 
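Review bot: This hunk deletes the public interfaces `fail2ban_dontaudit_use_fds` and `fail2ban_dontaudit_rw_stream_sockets`; the replacement `fail2ban_dontaudit_leaks` added in the `@@ -241,8 +205,28` hunk covers the socket read/write case but has no equivalent for the removed `dontaudit $1 fail2ban_t:fd use;`, so any module that called either interface will now fail to build or regain audit noise for fd use. Either keep the two as thin wrappers around the new interface or add `dontaudit $1 fail2ban_t:fd use;` to `fail2ban_dontaudit_leaks`, whose summary should also read "Do not audit read and write on leaked fail2ban file descriptors." The enclosing `fail2ban_rw_inherited_tmp_files` starts before the hunk; its new `rw_inherited_file_perms` set must be defined in this policy's permission macros, which the patch does not show. The summary "Read and write to an fail2ba unix stream socket." has a typo, `fail2ban`.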
++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fail2ban_dontaudit_leaks',` ++ gen_require(` ++ type fail2ban_t; ++ ') ++ ++ dontaudit $1 fail2ban_t:tcp_socket { read write }; ++ dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; ++ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an fail2ban environment + ## + ## + ## +@@ -251,21 +235,25 @@ interface(`fail2ban_read_pid_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the fail2ban domain. + ## + ## + ## + # + interface(`fail2ban_admin',` + gen_require(` +- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; +- type fail2ban_var_run_t, fail2ban_initrc_exec_t; +- type fail2ban_var_lib_t, fail2ban_client_t; ++ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; ++ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; ++ type fail2ban_client_t; + ') + +- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; ++ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; +@@ -277,10 +265,10 @@ interface(`fail2ban_admin',` + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, fail2ban_var_lib_t) + +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, fail2ban_tmp_t) + + fail2ban_run_client($1, $2) +diff --git a/fail2ban.te b/fail2ban.te +index 0872e50..95bb886 100644 +--- a/fail2ban.te ++++ b/fail2ban.te +@@ -37,7 +37,7 @@ role 
fail2ban_client_roles types fail2ban_client_t; + # + + allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; +-allow fail2ban_t self:process signal; ++allow fail2ban_t self:process { setsched signal }; + allow fail2ban_t self:fifo_file rw_fifo_file_perms; + allow fail2ban_t self:unix_stream_socket { accept connectto listen }; + allow fail2ban_t self:tcp_socket { accept listen }; +@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) + corecmd_exec_bin(fail2ban_t) + corecmd_exec_shell(fail2ban_t) + +-corenet_all_recvfrom_unlabeled(fail2ban_t) + corenet_all_recvfrom_netlabel(fail2ban_t) + corenet_tcp_sendrecv_generic_if(fail2ban_t) + corenet_tcp_sendrecv_generic_node(fail2ban_t) +@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t) + domain_dontaudit_read_all_domains_state(fail2ban_t) + + files_read_etc_runtime_files(fail2ban_t) +-files_read_usr_files(fail2ban_t) + files_list_var(fail2ban_t) + files_dontaudit_list_tmp(fail2ban_t) + +@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t) + logging_read_all_logs(fail2ban_t) + logging_send_syslog_msg(fail2ban_t) + +-miscfiles_read_localization(fail2ban_t) ++mta_send_mail(fail2ban_t) + + sysnet_manage_config(fail2ban_t) +-sysnet_etc_filetrans_config(fail2ban_t) +- +-mta_send_mail(fail2ban_t) ++sysnet_filetrans_named_content(fail2ban_t) + + optional_policy(` + apache_read_log(fail2ban_t) + ') + + optional_policy(` ++ dbus_system_bus_client(fail2ban_t) ++ dbus_connect_system_bus(fail2ban_t) ++ ++ optional_policy(` ++ firewalld_dbus_chat(fail2ban_t) ++ ') ++') ++ ++optional_policy(` + ftp_read_log(fail2ban_t) + ') + + optional_policy(` ++ gnome_dontaudit_search_config(fail2ban_t) ++') ++ ++optional_policy(` + iptables_domtrans(fail2ban_t) + ') + +@@ -116,6 +125,10 @@ optional_policy(` + ') + + optional_policy(` ++ rpm_exec(fail2ban_t) ++') ++ ++optional_policy(` + shorewall_domtrans(fail2ban_t) + ') + +@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write 
read }; + + domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) + ++dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; ++allow fail2ban_client_t fail2ban_var_run_t:dir write; + stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) + + kernel_read_system_state(fail2ban_client_t) + + corecmd_exec_bin(fail2ban_client_t) + ++dev_read_urand(fail2ban_client_t) ++dev_read_rand(fail2ban_client_t) ++ + domain_use_interactive_fds(fail2ban_client_t) + +-files_read_etc_files(fail2ban_client_t) +-files_read_usr_files(fail2ban_client_t) + files_search_pids(fail2ban_client_t) + ++auth_use_nsswitch(fail2ban_client_t) ++ + logging_getattr_all_logs(fail2ban_client_t) + logging_search_all_logs(fail2ban_client_t) + +-miscfiles_read_localization(fail2ban_client_t) +- + userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) + userdom_use_user_terminals(fail2ban_client_t) +diff --git a/fcoe.te b/fcoe.te +index 79b9273..76b7ed5 100644 +--- a/fcoe.te ++++ b/fcoe.te +@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t) + # Local policy + # + +-allow fcoemon_t self:capability { dac_override kill net_admin }; ++allow fcoemon_t self:capability { net_admin net_raw dac_override }; + allow fcoemon_t self:fifo_file rw_fifo_file_perms; + allow fcoemon_t self:unix_stream_socket { accept listen }; + allow fcoemon_t self:netlink_socket create_socket_perms; + allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; ++allow fcoemon_t self:packet_socket create_socket_perms; ++allow fcoemon_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) + +-files_read_etc_files(fcoemon_t) +- +-dev_read_sysfs(fcoemon_t) ++dev_rw_sysfs(fcoemon_t) + + 
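Review bot: `allow fail2ban_client_t fail2ban_var_run_t:dir write;` grants only the `write` bit on the run directory; creating or removing an entry there also needs `add_name`/`remove_name` (plus `search`), so if the intent is to let the client create a socket or pid entry the rule is incomplete, and if the intent is only the connect then the existing `stream_connect_pattern` line already covers it and the dir write is surplus. The `dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;` line above it suggests this came from an access(2) probe rather than a real write; a one-line comment stating which operation needed the write would make the grant auditable.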
logging_send_syslog_msg(fcoemon_t)
+ 
+diff --git a/fetchmail.fc b/fetchmail.fc
+index 2486e2a..fef9bff 100644
+--- a/fetchmail.fc
++++ b/fetchmail.fc
+@@ -1,4 +1,5 @@
+ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
++/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
+ 
+ /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+ 
+@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
+ 
+ /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+ 
+-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
++/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+diff --git a/fetchmail.if b/fetchmail.if
+index c3f7916..cab3954 100644
+--- a/fetchmail.if
++++ b/fetchmail.if
+@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
+ type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
+ ')
+ 
++ ps_process_pattern($1, fetchmail_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fetchmail_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fetchmail_initrc_exec_t system_r;
+ allow $2 system_r;
+ 
+- allow $1 fetchmail_t:process { ptrace signal_perms };
+- ps_process_pattern($1, fetchmail_t)
+-
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
+ 
+diff --git a/fetchmail.te b/fetchmail.te
+index f0388cb..2e94f0e 100644
+--- a/fetchmail.te
++++ b/fetchmail.te
+@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
+ #
+ # Local policy
+ #
+-
++allow fetchmail_t self:capability setuid;
+ dontaudit fetchmail_t self:capability sys_tty_config;
+ allow fetchmail_t self:process { signal_perms setrlimit };
+ allow fetchmail_t self:unix_stream_socket { accept listen };
+ 
+ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+ 
+-read_files_pattern(fetchmail_t, fetchmail_home_t,
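Review bot: `dev_rw_sysfs(fcoemon_t)` replaces read-only sysfs access with write access to the whole of sysfs, which is presumably much broader than the handful of FCoE control nodes fcoemon needs to write; a comment naming those nodes, or a dedicated type for them, would keep the scope reviewable. The same hunk silently drops `kill` from the self:capability set while adding `net_raw` — if fcoemon still signals processes it does not own, that removal will surface as a denial, so it is worth confirming against the daemon's behaviour.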
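Review bot: The replacement pattern `/var/run/fetchmail.*` has an unescaped `.` and no path separator, so it also matches unrelated names such as `/var/run/fetchmailer`, whereas the removed line matched only entries under `/var/run/fetchmail/`; `/var/run/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_var_run_t,s0)` covers the directory and its contents without over-matching. The added `/root/\.fetchmailrc` line also writes its context as `fetchmail_home_t, s0` with a space, unlike every other entry in the file — presumably harmless after m4 expansion, but inconsistent.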
fetchmail_home_t) +- + manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) + append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) + create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) +@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) + + manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) +-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) ++files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir}) ++ ++list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) ++read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) ++userdom_search_user_home_dirs(fetchmail_t) ++userdom_search_admin_dir(fetchmail_t) + + kernel_read_kernel_sysctls(fetchmail_t) + kernel_list_proc(fetchmail_t) +@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) + corecmd_exec_bin(fetchmail_t) + corecmd_exec_shell(fetchmail_t) + +-corenet_all_recvfrom_unlabeled(fetchmail_t) + corenet_all_recvfrom_netlabel(fetchmail_t) + corenet_tcp_sendrecv_generic_if(fetchmail_t) + corenet_tcp_sendrecv_generic_node(fetchmail_t) +@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t) + + domain_use_interactive_fds(fetchmail_t) + +-auth_use_nsswitch(fetchmail_t) ++auth_read_passwd(fetchmail_t) + + logging_send_syslog_msg(fetchmail_t) + +-miscfiles_read_localization(fetchmail_t) + miscfiles_read_generic_certs(fetchmail_t) + ++sysnet_dns_name_resolve(fetchmail_t) ++ + userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) +-userdom_search_user_home_dirs(fetchmail_t) ++ ++optional_policy(` ++ mta_send_mail(fetchmail_t) ++') ++ ++optional_policy(` ++ kerberos_use(fetchmail_t) ++') + + optional_policy(` + procmail_domtrans(fetchmail_t) +diff --git a/finger.te b/finger.te +index af4b6d7..92245bf 100644 +--- a/finger.te ++++ b/finger.te +@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, 
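Review bot: Replacing `auth_use_nsswitch(fetchmail_t)` with `auth_read_passwd(fetchmail_t)` plus `sysnet_dns_name_resolve(fetchmail_t)` narrows name resolution to flat files and DNS; on a host whose passwd or hosts lookups go through sssd, nscd or LDAP the daemon will now hit denials, so either confirm fetchmail never needs those backends or keep the nsswitch interface. If the narrowing is deliberate, a one-line comment above the `auth_read_passwd` call saying so would stop the next maintainer from reverting it.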
fingerd_log_t, file) + kernel_read_kernel_sysctls(fingerd_t) + kernel_read_system_state(fingerd_t) + +-corenet_all_recvfrom_unlabeled(fingerd_t) + corenet_all_recvfrom_netlabel(fingerd_t) + corenet_tcp_sendrecv_generic_if(fingerd_t) + corenet_tcp_sendrecv_generic_node(fingerd_t) +@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t) + domain_use_interactive_fds(fingerd_t) + + files_read_etc_runtime_files(fingerd_t) ++files_search_home(fingerd_t) + + fs_getattr_all_fs(fingerd_t) + fs_search_auto_mountpoints(fingerd_t) +@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t) + term_getattr_all_ptys(fingerd_t) + + auth_read_lastlog(fingerd_t) ++auth_use_nsswitch(fingerd_t) + + init_read_utmp(fingerd_t) + init_dontaudit_write_utmp(fingerd_t) +@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t) + + mta_getattr_spool(fingerd_t) + +-miscfiles_read_localization(fingerd_t) ++sysnet_read_config(fingerd_t) + + userdom_dontaudit_use_unpriv_user_fds(fingerd_t) + +diff --git a/firewalld.fc b/firewalld.fc +index 21d7b84..0e272bd 100644 +--- a/firewalld.fc ++++ b/firewalld.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0) ++ + /etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) + + /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) +diff --git a/firewalld.if b/firewalld.if +index 5cf6ac6..0fc685b 100644 +--- a/firewalld.if ++++ b/firewalld.if +@@ -2,6 +2,66 @@ + + ######################################## + ## ++## Read firewalld config ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`firewalld_read_config',` ++ gen_require(` ++ type firewalld_etc_rw_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) ++') ++ ++######################################## ++## ++## Execute firewalld server in the firewalld domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`firewalld_initrc_domtrans',` ++ gen_require(` ++ type firewalld_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, firewalld_initrc_exec_t) ++') ++ ++######################################## ++## ++## Execute firewalld server in the firewalld domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`firewalld_systemctl',` ++ gen_require(` ++ type firewalld_t; ++ type firewalld_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 firewalld_unit_file_t:file read_file_perms; ++ allow $1 firewalld_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, firewalld_t) ++') ++ ++######################################## ++## + ## Send and receive messages from + ## firewalld over dbus. + ## +@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',` + + ######################################## + ## +-## All of the rules required to +-## administrate an firewalld environment. ++## Dontaudit attempts to write ++## firewalld tmp files. ++## ++## ++## ++## Domain to not audit. 
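Review bot: The summary of `firewalld_systemctl` is copied from `firewalld_initrc_domtrans` ("Execute firewalld server in the firewalld domain.") but its body grants `systemd_exec_systemctl`, read access on `firewalld_unit_file_t` and `manage_service_perms` on it — it lets the caller start, stop and reload the firewalld unit, not transition into the domain; suggest `## Execute systemctl to manage the firewalld unit file and service.` The parameter text in `firewalld_initrc_domtrans`, `The type of the process performing this action.`, likewise differs from the `Domain allowed to transition.` wording the sibling interfaces use.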
++## ++## ++# ++interface(`firewalld_dontaudit_write_tmp_files',` ++ gen_require(` ++ type firewalld_tmp_t; ++ ') ++ ++ dontaudit $1 firewalld_tmp_t:file write; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an firewalld environment + ## + ## + ## +@@ -45,10 +124,14 @@ interface(`firewalld_admin',` + type firewalld_var_log_t; + ') + +- allow $1 firewalld_t:process { ptrace signal_perms }; ++ allow $1 firewalld_t:process signal_perms; + ps_process_pattern($1, firewalld_t) + +- init_labeled_script_domtrans($1, firewalld_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 firewalld_t:process ptrace; ++ ') ++ ++ firewalld_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 firewalld_initrc_exec_t system_r; + allow $2 system_r; +@@ -59,6 +142,9 @@ interface(`firewalld_admin',` + logging_search_logs($1) + admin_pattern($1, firewalld_var_log_t) + +- files_search_etc($1) + admin_pattern($1, firewall_etc_rw_t) ++ ++ admin_pattern($1, firewalld_unit_file_t) ++ firewalld_systemctl($1) ++ allow $1 firewalld_unit_file_t:service all_service_perms; + ') +diff --git a/firewalld.te b/firewalld.te +index c8014f8..bacc80c 100644 +--- a/firewalld.te ++++ b/firewalld.te +@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) + type firewalld_var_run_t; + files_pid_file(firewalld_var_run_t) + ++type firewalld_unit_file_t; ++systemd_unit_file(firewalld_unit_file_t) ++ ++type firewalld_tmp_t; ++files_tmp_file(firewalld_tmp_t) ++ ++type firewalld_tmpfs_t; ++files_tmpfs_file(firewalld_tmpfs_t) ++ + ######################################## + # + # Local policy + # +- ++allow firewalld_t self:capability { dac_override net_admin }; + dontaudit firewalld_t self:capability sys_tty_config; + allow firewalld_t self:fifo_file rw_fifo_file_perms; + allow firewalld_t self:unix_stream_socket { accept listen }; +@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms; + + 
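Review bot: `admin_pattern($1, firewalld_unit_file_t)` and `allow $1 firewalld_unit_file_t:service all_service_perms;` reference `firewalld_unit_file_t`, but the only `gen_require` line of `firewalld_admin` visible in the previous hunk is `type firewalld_var_log_t;` — the type has to be in that require block or the interface will not expand (the rest of the block is outside the hunk, so it may already be covered). The `all_service_perms` grant also overlaps the `manage_service_perms` that `firewalld_systemctl($1)` gives one line earlier; if the extra enable/disable-style permissions are the point, a comment saying so would help. The context line `admin_pattern($1, firewall_etc_rw_t)` (no `d`) is pre-existing but looks like a typo for `firewalld_etc_rw_t`, and dropping `files_search_etc($1)` next to it removes the search the admin previously had on /etc.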
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) + manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) ++manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) + + allow firewalld_t firewalld_var_log_t:file append_file_perms; + allow firewalld_t firewalld_var_log_t:file create_file_perms; +@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; + allow firewalld_t firewalld_var_log_t:file setattr_file_perms; + logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) + ++manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) ++files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) ++allow firewalld_t firewalld_tmp_t:file execute; ++ ++manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) ++fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file) ++allow firewalld_t firewalld_tmpfs_t:file execute; ++ + manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) + files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) ++can_exec(firewalld_t, firewalld_var_run_t) + + kernel_read_network_state(firewalld_t) + kernel_read_system_state(firewalld_t) ++kernel_rw_net_sysctls(firewalld_t) + + corecmd_exec_bin(firewalld_t) + corecmd_exec_shell(firewalld_t) +@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t) + + domain_use_interactive_fds(firewalld_t) + +-files_read_etc_files(firewalld_t) +-files_read_usr_files(firewalld_t) ++files_dontaudit_access_check_tmp(firewalld_t) + files_dontaudit_list_tmp(firewalld_t) + + fs_getattr_xattr_fs(firewalld_t) ++fs_dontaudit_all_access_check(firewalld_t) + +-logging_send_syslog_msg(firewalld_t) +- +-miscfiles_read_localization(firewalld_t) ++auth_use_nsswitch(firewalld_t) + +-seutil_exec_setfiles(firewalld_t) +-seutil_read_file_contexts(firewalld_t) ++logging_send_syslog_msg(firewalld_t) + +-sysnet_read_config(firewalld_t) ++sysnet_dns_name_resolve(firewalld_t) + + optional_policy(` + 
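Review bot: `allow firewalld_t firewalld_tmp_t:file execute;`, the matching line for `firewalld_tmpfs_t`, and `can_exec(firewalld_t, firewalld_var_run_t)` let the daemon execute files in exactly the types it can create and write (`manage_files_pattern` on each plus the `files_tmp_filetrans`/`fs_tmpfs_filetrans` lines), so the policy no longer separates writable from executable content for this domain — a bug in firewalld that writes a file to /tmp, tmpfs or its run directory can then run it. If firewalld genuinely executes generated helper scripts, a comment naming them and a dedicated exec type (or keeping execute on the one type that needs it) would keep the permission auditable; the three new types are declared in the `@@ -21` hunk just above, where such a comment would fit.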
dbus_system_domain(firewalld_t, firewalld_exec_t) +@@ -85,9 +102,17 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_read_generic_data_home_dirs(firewalld_t) ++') ++ ++optional_policy(` + iptables_domtrans(firewalld_t) + ') + + optional_policy(` + modutils_domtrans_insmod(firewalld_t) + ') ++ ++optional_policy(` ++ NetworkManager_read_state(firewalld_t) ++') +diff --git a/firewallgui.if b/firewallgui.if +index e6866d1..941f4ef 100644 +--- a/firewallgui.if ++++ b/firewallgui.if +@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',` + type firewallgui_t; + ') + +- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; + ') +diff --git a/firewallgui.te b/firewallgui.te +index c5ceab1..86b8098 100644 +--- a/firewallgui.te ++++ b/firewallgui.te +@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t) + dev_read_sysfs(firewallgui_t) + dev_read_urand(firewallgui_t) + ++files_manage_system_conf_files(firewallgui_t) ++files_etc_filetrans_system_conf(firewallgui_t) ++files_search_kernel_modules(firewallgui_t) + files_list_kernel_modules(firewallgui_t) +-files_read_usr_files(firewallgui_t) + + auth_use_nsswitch(firewallgui_t) + +@@ -60,12 +62,13 @@ optional_policy(` + ') + + optional_policy(` +- gnome_read_generic_gconf_home_content(firewallgui_t) ++ gnome_read_gconf_home_files(firewallgui_t) + ') + + optional_policy(` + iptables_domtrans(firewallgui_t) + iptables_initrc_domtrans(firewallgui_t) ++ iptables_systemctl(firewallgui_t) + ') + + optional_policy(` +diff --git a/firstboot.fc b/firstboot.fc +index 12c782c..ba614e4 100644 +--- a/firstboot.fc ++++ b/firstboot.fc +@@ -1,5 +1,3 @@ +-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0) ++/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) + +-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) +- +-/usr/share/firstboot/firstboot\.py -- 
gen_context(system_u:object_r:firstboot_exec_t,s0) ++/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) +diff --git a/firstboot.if b/firstboot.if +index 280f875..f3a67c9 100644 +--- a/firstboot.if ++++ b/firstboot.if +@@ -1,4 +1,7 @@ +-## Initial system configuration utility. ++## ++## Final system configuration run during the first boot ++## after installation of Red Hat/Fedora systems. ++## + + ######################################## + ## +@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',` + type firstboot_t, firstboot_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, firstboot_exec_t, firstboot_t) + ') + + ######################################## + ## +-## Execute firstboot in the firstboot +-## domain, and allow the specified role +-## the firstboot domain. ++## Execute firstboot in the firstboot domain, and ++## allow the specified role the firstboot domain. + ## + ## + ## +@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',` + # + interface(`firstboot_run',` + gen_require(` +- attribute_role firstboot_roles; ++ type firstboot_t; + ') + + firstboot_domtrans($1) +- roleattribute $2 firstboot_roles; ++ role $2 types firstboot_t; + ') + + ######################################## + ## +-## Inherit and use firstboot file descriptors. ++## Inherit and use a file descriptor from firstboot. + ## + ## + ## +@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',` + + ######################################## + ## +-## Do not audit attempts to inherit +-## firstboot file descriptors. ++## Do not audit attempts to inherit a ++## file descriptor from firstboot. + ## + ## + ## +@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',` + + ######################################## + ## +-## Write firstboot unnamed pipes. ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`firstboot_dontaudit_leaks',` ++ gen_require(` ++ type firstboot_t; ++ ') ++ ++ dontaudit $1 firstboot_t:socket_class_set { read write }; ++ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Write to a firstboot unnamed pipe. + ## + ## + ## +@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',` + type firstboot_t; + ') + ++ allow $1 firstboot_t:fd use; + allow $1 firstboot_t:fifo_file write; + ') + + ######################################## + ## +-## Read and Write firstboot unnamed pipes. ++## Read and Write to a firstboot unnamed pipe. + ## + ## + ## +@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',` + + ######################################## + ## +-## Do not audit attemps to read and +-## write firstboot unnamed pipes. ++## Do not audit attemps to read and write to a firstboot unnamed pipe. + ## + ## + ## +@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',` + + ######################################## + ## +-## Do not audit attemps to read and +-## write firstboot unix domain +-## stream sockets. ++## Do not audit attemps to read and write to a firstboot ++## unix domain stream socket. 
+ ## + ## + ## +diff --git a/firstboot.te b/firstboot.te +index c12c067..a415012 100644 +--- a/firstboot.te ++++ b/firstboot.te +@@ -1,7 +1,7 @@ +-policy_module(firstboot, 1.12.3) ++policy_module(firstboot, 1.12.0) + + gen_require(` +- class passwd { passwd chfn chsh rootok }; ++ class passwd { passwd chfn chsh rootok crontab }; + ') + + ######################################## +@@ -9,17 +9,12 @@ gen_require(` + # Declarations + # + +-attribute_role firstboot_roles; +- + type firstboot_t; + type firstboot_exec_t; + init_system_domain(firstboot_t, firstboot_exec_t) + domain_obj_id_change_exemption(firstboot_t) + domain_subj_id_change_exemption(firstboot_t) +-role firstboot_roles types firstboot_t; +- +-type firstboot_initrc_exec_t; +-init_script_file(firstboot_initrc_exec_t) ++role system_r types firstboot_t; + + type firstboot_etc_t; + files_config_file(firstboot_etc_t) +@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t) + allow firstboot_t self:capability { dac_override setgid }; + allow firstboot_t self:process setfscreate; + allow firstboot_t self:fifo_file rw_fifo_file_perms; +-allow firstboot_t self:tcp_socket { accept listen }; ++allow firstboot_t self:tcp_socket create_stream_socket_perms; ++allow firstboot_t self:unix_stream_socket { connect create }; + allow firstboot_t self:passwd { rootok passwd chfn chsh }; + + allow firstboot_t firstboot_etc_t:file read_file_perms; + ++files_manage_generic_tmp_dirs(firstboot_t) ++files_manage_generic_tmp_files(firstboot_t) ++ + kernel_read_system_state(firstboot_t) + kernel_read_kernel_sysctls(firstboot_t) + +-corecmd_exec_all_executables(firstboot_t) ++corenet_all_recvfrom_netlabel(firstboot_t) ++corenet_tcp_sendrecv_generic_if(firstboot_t) ++corenet_tcp_sendrecv_generic_node(firstboot_t) ++corenet_tcp_sendrecv_all_ports(firstboot_t) + + dev_read_urand(firstboot_t) + +-files_exec_etc_files(firstboot_t) +-files_manage_etc_files(firstboot_t) +-files_manage_etc_runtime_files(firstboot_t) 
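Review bot: `policy_module(firstboot, 1.12.0)` lowers the module version from 1.12.3 while the same patch changes the module substantially (dropping `firstboot_initrc_exec_t` and `firstboot_roles`, adding `crontab` to the `passwd` class require); a version should move forward with the change so the installed module can be told apart from the upstream 1.12.3 it replaces. The added `crontab` permission must exist in the `passwd` class of the base policy's access vectors or the `gen_require` will fail at link time — that definition is outside this patch, so worth confirming.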
+-files_read_usr_files(firstboot_t) +-files_manage_var_dirs(firstboot_t) +-files_manage_var_files(firstboot_t) +-files_manage_var_symlinks(firstboot_t) +-files_create_boot_flag(firstboot_t) +-files_delete_boot_flag(firstboot_t) +- + selinux_get_fs_mount(firstboot_t) + selinux_validate_context(firstboot_t) + selinux_compute_access_vector(firstboot_t) +@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t) + + auth_dontaudit_getattr_shadow(firstboot_t) + ++corecmd_exec_all_executables(firstboot_t) ++ ++files_exec_etc_files(firstboot_t) ++files_manage_etc_files(firstboot_t) ++files_manage_etc_runtime_files(firstboot_t) ++files_manage_var_dirs(firstboot_t) ++files_manage_var_files(firstboot_t) ++files_manage_var_symlinks(firstboot_t) ++files_create_boot_flag(firstboot_t) ++files_delete_boot_flag(firstboot_t) ++ + init_domtrans_script(firstboot_t) + init_rw_utmp(firstboot_t) + +@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t) + + logging_send_syslog_msg(firstboot_t) + +-miscfiles_read_localization(firstboot_t) +- + sysnet_dns_name_resolve(firstboot_t) + +-userdom_use_user_terminals(firstboot_t) ++userdom_use_inherited_user_terminals(firstboot_t) ++ ++# Add/remove user home directories + userdom_manage_user_home_content_dirs(firstboot_t) + userdom_manage_user_home_content_files(firstboot_t) + userdom_manage_user_home_content_symlinks(firstboot_t) + userdom_manage_user_home_content_pipes(firstboot_t) + userdom_manage_user_home_content_sockets(firstboot_t) + userdom_home_filetrans_user_home_dir(firstboot_t) +-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) ++userdom_filetrans_home_content(firstboot_t) + + optional_policy(` + dbus_system_bus_client(firstboot_t) +@@ -102,20 +105,18 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(firstboot_t) +-') +- +-optional_policy(` + samba_rw_config(firstboot_t) + ') + + optional_policy(` + unconfined_domtrans(firstboot_t) +- 
unconfined_domain(firstboot_t)
++ # The big hammer
++ unconfined_domain_noaudit(firstboot_t)
+ ')
+ 
+ optional_policy(`
+- gnome_manage_generic_home_content(firstboot_t)
++ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
++ gnome_manage_config(firstboot_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/fprintd.te b/fprintd.te
+index c81b6e8..34e1f1c 100644
+--- a/fprintd.te
++++ b/fprintd.te
+@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+ allow fprintd_t self:capability sys_nice;
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
++allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
+ 
+ dev_list_usbfs(fprintd_t)
+ dev_read_sysfs(fprintd_t)
++dev_read_urand(fprintd_t)
+ dev_rw_generic_usb_dev(fprintd_t)
+ 
+-files_read_usr_files(fprintd_t)
+-
+ fs_getattr_all_fs(fprintd_t)
+ 
+ auth_use_nsswitch(fprintd_t)
+ 
+-miscfiles_read_localization(fprintd_t)
+-
+ userdom_use_user_ptys(fprintd_t)
+ userdom_read_all_users_state(fprintd_t)
+ 
+@@ -54,8 +52,13 @@ optional_policy(`
+ ')
+ ')
+ 
++
+ optional_policy(`
+- policykit_domtrans_auth(fprintd_t)
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
++ policykit_domtrans_auth(fprintd_t)
++')
++
++optional_policy(`
++ xserver_read_state_xdm(fprintd_t)
+ ')
+diff --git a/ftp.fc b/ftp.fc
+index ddb75c1..44f74e6 100644
+--- a/ftp.fc
++++ b/ftp.fc
+@@ -1,5 +1,8 @@
+ /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+ 
++/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+ 
+ /etc/rc\.d/init\.d/vsftpd -- 
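Review bot: `unconfined_domain_noaudit(firstboot_t)` replaces `unconfined_domain(firstboot_t)`, and by its name the `_noaudit` variant presumably also suppresses audit records for what the unconfined domain does, so the first-boot run would leave fewer traces than before. The comment `# The big hammer` records that the grant is broad but not why the quieter variant was chosen; a line such as `# The big hammer: firstboot runs unconfined, and the _noaudit form is used to keep its expected denials out of the audit log` would capture the trade-off for the next reader.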
gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +diff --git a/ftp.if b/ftp.if +index d062080..97fb494 100644 +--- a/ftp.if ++++ b/ftp.if +@@ -1,5 +1,66 @@ + ## File transfer protocol service. + ++###################################### ++## ++## Execute a domain transition to run ftpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ftp_domtrans',` ++ gen_require(` ++ type ftpd_t, ftpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,ftpd_exec_t, ftpd_t) ++ ++') ++ ++####################################### ++## ++## Execute ftpd server in the ftpd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ftp_initrc_domtrans',` ++ gen_require(` ++ type ftpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ftpd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Execute ftpd server in the ftpd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ftp_systemctl',` ++ gen_require(` ++ type ftpd_unit_file_t; ++ type ftpd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ftpd_unit_file_t:file read_file_perms; ++ allow $1 ftpd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ftpd_t) ++') ++ + ####################################### + ## + ## Execute a dyntransition to run anon sftpd. 
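Review bot: The two new `/usr/lib/systemd/system/vsftpd.*` and `/usr/lib/systemd/system/proftpd.*` entries label the ftp unit files as `iptables_unit_file_t`, but `ftp.te` in this same patch declares `type ftpd_unit_file_t;` and `ftp_systemctl`/`ftp_admin` in `ftp.if` grant access on `ftpd_unit_file_t` — with this label those interfaces never reach the real files, and whoever may manage the iptables unit gains control of the ftp services instead. Both lines should end in `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.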
+@@ -178,8 +239,11 @@ interface(`ftp_admin',` + type ftpd_initrc_exec_t, ftpdctl_tmp_t; + ') + +- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; ++ allow $1 ftpd_t:process signal_perms; + ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace; ++ ') + + init_labeled_script_domtrans($1, ftpd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -203,5 +267,9 @@ interface(`ftp_admin',` + logging_list_logs($1) + admin_pattern($1, xferlog_t) + ++ ftp_systemctl($1) ++ admin_pattern($1, ftpd_unit_file_t) ++ allow $1 ftpd_unit_file_t:service all_service_perms; ++ + ftp_run_ftpdctl($1, $2) + ') +diff --git a/ftp.te b/ftp.te +index e50f33c..6edd471 100644 +--- a/ftp.te ++++ b/ftp.te +@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) + ## be labeled public_content_rw_t. + ##
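Review bot: `ftp_domtrans` has `domtrans_pattern($1,ftpd_exec_t, ftpd_t)` with no space after the first comma and a stray blank line before its closing `')`, neither of which the sibling interfaces in this hunk have; `domtrans_pattern($1, ftpd_exec_t, ftpd_t)` matches the house style. The summary of `ftp_systemctl` repeats the `ftp_initrc_domtrans` text "Execute ftpd server in the ftpd domain." although its body grants `systemd_exec_systemctl`, unit-file reads and `manage_service_perms` — `## Execute systemctl to manage the ftpd unit file and service.` describes what it actually does.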
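Review bot: `allow $1 ftpd_t:process signal_perms;` narrows the removed rule, which granted signal_perms on `{ ftpd_t ftpdctl_t sftpd_t anon_sftpd }`, to `ftpd_t` alone, while the new `deny_ptrace` block still covers all four domains — an admin role can therefore ptrace `sftpd_t` but no longer signal it. Unless that asymmetry is intended, the line should be `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process signal_perms;` (the removed line's `anon_sftpd` lacked the `_t`, which the new ptrace line corrects). The `admin_pattern($1, ftpd_unit_file_t)` added in the next hunk also needs `ftpd_unit_file_t` in this interface's `gen_require`, whose visible tail lists only `type ftpd_initrc_exec_t, ftpdctl_tmp_t;`.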

    + ## +-gen_tunable(allow_ftpd_anon_write, false) ++gen_tunable(ftpd_anon_write, false) + + ## + ##

    +@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false) + ## all files on the system, governed by DAC. + ##

    + ##
    +-gen_tunable(allow_ftpd_full_access, false) ++gen_tunable(ftpd_full_access, false) + + ## + ##

    +@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false) + ## used for public file transfer services. + ##

    + ##
    +-gen_tunable(allow_ftpd_use_cifs, false) ++gen_tunable(ftpd_use_cifs, false) ++ ++## ++##

    ++## Allow ftpd to use ntfs/fusefs volumes. ++##

    ++##
    ++gen_tunable(ftpd_use_fusefs, false) + + ## + ##

    +@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false) + ## used for public file transfer services. + ##

    + ##
    +-gen_tunable(allow_ftpd_use_nfs, false) ++gen_tunable(ftpd_use_nfs, false) + + ## + ##

    +@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) + type ftpd_initrc_exec_t; + init_script_file(ftpd_initrc_exec_t) + ++type ftpd_unit_file_t; ++systemd_unit_file(ftpd_unit_file_t) ++ + type ftpd_lock_t; + files_lock_file(ftpd_lock_t) + +@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; + allow ftpd_t ftpd_lock_t:file manage_file_perms; + files_lock_filetrans(ftpd_t, ftpd_lock_t, file) + ++manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) ++manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) ++ + manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) + manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) + manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) + + kernel_read_kernel_sysctls(ftpd_t) + kernel_read_system_state(ftpd_t) +-kernel_search_network_state(ftpd_t) ++kernel_read_network_state(ftpd_t) + + dev_read_sysfs(ftpd_t) + dev_read_urand(ftpd_t) + + corecmd_exec_bin(ftpd_t) + +-corenet_all_recvfrom_unlabeled(ftpd_t) + corenet_all_recvfrom_netlabel(ftpd_t) + corenet_tcp_sendrecv_generic_if(ftpd_t) + corenet_udp_sendrecv_generic_if(ftpd_t) +@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) + corenet_sendrecv_ftp_data_server_packets(ftpd_t) + corenet_tcp_bind_ftp_data_port(ftpd_t) + ++corenet_tcp_bind_generic_port(ftpd_t) ++corenet_tcp_bind_all_ephemeral_ports(ftpd_t) ++corenet_tcp_connect_all_ephemeral_ports(ftpd_t) ++ + domain_use_interactive_fds(ftpd_t) + +-files_read_etc_files(ftpd_t) + files_read_etc_runtime_files(ftpd_t) + files_search_var_lib(ftpd_t) + +@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t) + logging_send_syslog_msg(ftpd_t) + logging_set_loginuid(ftpd_t) + +-miscfiles_read_localization(ftpd_t) + miscfiles_read_public_files(ftpd_t) + + seutil_dontaudit_search_config(ftpd_t) +@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) + + userdom_dontaudit_use_unpriv_user_fds(ftpd_t) + userdom_dontaudit_search_user_home_dirs(ftpd_t) 
++userdom_filetrans_home_content(ftpd_t) + +-tunable_policy(`allow_ftpd_anon_write',` ++tunable_policy(`ftpd_anon_write',` + miscfiles_manage_public_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_cifs',` ++tunable_policy(`ftpd_use_cifs',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` ++tunable_policy(`ftpd_use_cifs && ftpd_anon_write',` + fs_manage_cifs_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_nfs',` ++tunable_policy(`ftpd_use_fusefs',` ++ fs_manage_fusefs_dirs(ftpd_t) ++ fs_manage_fusefs_files(ftpd_t) ++',` ++ fs_search_fusefs(ftpd_t) ++') ++ ++tunable_policy(`ftpd_use_nfs',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` ++tunable_policy(`ftpd_use_nfs && ftpd_anon_write',` + fs_manage_nfs_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_full_access',` ++tunable_policy(`ftpd_full_access',` + allow ftpd_t self:capability { dac_override dac_read_search }; +- files_manage_non_auth_files(ftpd_t) ++ files_manage_non_security_dirs(ftpd_t) ++ files_manage_non_security_files(ftpd_t) ++') ++ ++tunable_policy(`ftpd_use_passive_mode',` ++ corenet_tcp_bind_all_unreserved_ports(ftpd_t) ++') ++ ++tunable_policy(`ftpd_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(ftpd_t) + ') + + tunable_policy(`ftpd_use_passive_mode',` +@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',` + corenet_sendrecv_mssql_client_packets(ftpd_t) + corenet_tcp_connect_mssql_port(ftpd_t) + corenet_tcp_sendrecv_mssql_port(ftpd_t) +- corenet_sendrecv_oracledb_client_packets(ftpd_t) +- corenet_tcp_connect_oracledb_port(ftpd_t) +- corenet_tcp_sendrecv_oracledb_port(ftpd_t) ++ corenet_sendrecv_oracle_client_packets(ftpd_t) ++ corenet_tcp_connect_oracle_port(ftpd_t) ++ corenet_tcp_sendrecv_oracle_port(ftpd_t) + ') + + tunable_policy(`ftp_home_dir',` + allow ftpd_t self:capability { dac_override 
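Review bot: The new `tunable_policy(`ftpd_use_passive_mode',` block inserted after `ftpd_full_access` sits directly in front of an existing block for the same boolean, visible as this hunk's trailing context line, so `ftpd_use_passive_mode` now has two bodies in ftpd.te. The existing block's contents are outside the hunk; if it already grants `corenet_tcp_bind_all_unreserved_ports(ftpd_t)` the new block is a plain duplicate and should be dropped, otherwise the two should be merged so the boolean's effect is readable in one place. The same check applies to the new `ftpd_connect_all_unreserved` block, whose closing `')` here reuses a context line of the old `ftpd_full_access` body.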
dac_read_search }; + +- userdom_manage_user_home_content_dirs(ftpd_t) +- userdom_manage_user_home_content_files(ftpd_t) +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) ++ userdom_manage_all_user_home_type_dirs(ftpd_t) ++ userdom_manage_all_user_home_type_files(ftpd_t) + userdom_manage_user_tmp_dirs(ftpd_t) + userdom_manage_user_tmp_files(ftpd_t) +- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) + ',` +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) + userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) + ') + +@@ -360,7 +388,7 @@ optional_policy(` + selinux_validate_context(ftpd_t) + + kerberos_keytab_template(ftpd, ftpd_t) +- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") ++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") + ') + + optional_policy(` +@@ -410,21 +438,20 @@ optional_policy(` + # + + stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) ++files_search_pids(ftpdctl_t) + + allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; + files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) + +-files_read_etc_files(ftpdctl_t) + files_search_pids(ftpdctl_t) + +-userdom_use_user_terminals(ftpdctl_t) ++userdom_use_inherited_user_terminals(ftpdctl_t) + + ######################################## + # + # Anon sftpd local policy + # + +-files_read_etc_files(anon_sftpd_t) + + miscfiles_read_public_files(anon_sftpd_t) + +@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',` + # Sftpd local policy + # + +-files_read_etc_files(sftpd_t) + + userdom_read_user_home_content_files(sftpd_t) + userdom_read_user_home_content_symlinks(sftpd_t) ++userdom_dontaudit_list_admin_dir(sftpd_t) ++ ++tunable_policy(`sftpd_full_access',` ++ allow sftpd_t self:capability { dac_override dac_read_search }; ++ fs_read_noxattr_fs_files(sftpd_t) ++ files_manage_non_security_dirs(sftpd_t) ++ files_manage_non_security_files(sftpd_t) ++') ++ ++optional_policy(` ++ 
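Review bot: Under `ftp_home_dir` the replacement of `userdom_manage_user_home_content_dirs/files` with `userdom_manage_all_user_home_type_dirs/files` widens ftpd_t from generic home content to every type carrying the user-home attribute, which presumably includes the per-application home types (SSH keys, keyrings and the like — their membership is not visible here). That is a larger grant than the boolean's name suggests and nothing in the hunk records the reason. If the intent is to let FTP users reach files that other applications labelled in their home directory, say so with a comment such as `# ftp_home_dir covers all user home types, not only generic home content`, and consider whether read-only access to the non-generic types would be enough.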
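Review bot: `files_search_pids(ftpdctl_t)` is added right after the `stream_connect_pattern` line, but the identical call remains a few lines lower as a context line of this hunk, so ftpdctl_t now carries the rule twice. Keep one copy — the new placement next to the socket rule it supports reads better — and remove the other in the same hunk.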
tunable_policy(`sftpd_write_ssh_home',` ++ ssh_manage_home_files(sftpd_t) ++ ') ++') ++ ++userdom_filetrans_home_content(sftpd_t) ++userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) + + tunable_policy(`sftpd_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + userdom_manage_user_home_content_dirs(sftpd_t) + userdom_manage_user_home_content_files(sftpd_t) +- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) + userdom_manage_user_tmp_dirs(sftpd_t) + userdom_manage_user_tmp_files(sftpd_t) +- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) +-',` +- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) +- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) + ') + + tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` +@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',` + tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) +- files_manage_non_auth_files(sftpd_t) ++ files_manage_non_security_files(sftpd_t) + ') + ++userdom_home_reader(sftpd_t) ++ + tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_home_files(sftpd_t) + ') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs(sftpd_t) +- fs_read_cifs_files(sftpd_t) +- fs_read_cifs_symlinks(sftpd_t) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs(sftpd_t) +- fs_read_nfs_files(sftpd_t) +- fs_read_nfs_symlinks(ftpd_t) +-') +diff --git a/games.te b/games.te +index 572fb12..879c59a 100644 +--- a/games.te ++++ b/games.te +@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t) + + logging_send_syslog_msg(games_srv_t) + +-miscfiles_read_localization(games_srv_t) +- + userdom_dontaudit_use_unpriv_user_fds(games_srv_t) + + userdom_dontaudit_search_user_home_dirs(games_srv_t) +@@ -120,7 +118,6 @@ kernel_read_system_state(games_t) + + corecmd_exec_bin(games_t) + +-corenet_all_recvfrom_unlabeled(games_t) + 
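Review bot: The `tunable_policy(`sftpd_full_access',` and `tunable_policy(`sftpd_write_ssh_home',` blocks inserted after `userdom_dontaudit_list_admin_dir(sftpd_t)` duplicate blocks that still exist later in the file — the following hunk edits the original `sftpd_full_access` body in place and shows `sftpd_write_ssh_home` as context. The two `sftpd_full_access` bodies also differ: the new one adds `files_manage_non_security_dirs(sftpd_t)`, the old one does not, so what the boolean grants can only be read by combining both. Remove one pair, keeping the version with the dir rule, so each boolean has a single body.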
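Review bot: `userdom_home_reader(sftpd_t)` is added unconditionally and replaces the `use_samba_home_dirs`/`use_nfs_home_dirs` tunable blocks that previously gated CIFS and NFS reads for sftpd_t. If that interface does not itself check those booleans (its body is not in this patch), sftpd_t gains unconditional read access to NFS/CIFS-backed homes that the removed code deliberately kept switchable. The deletion itself is welcome — the removed `fs_read_nfs_symlinks(ftpd_t)` line named ftpd_t inside sftpd's tunable — but a one-line comment such as `# NFS/CIFS home reads are gated inside userdom_home_reader` would record the assumption being relied on.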
corenet_all_recvfrom_netlabel(games_t) + corenet_tcp_sendrecv_generic_if(games_t) + corenet_tcp_sendrecv_generic_node(games_t) +@@ -142,8 +139,6 @@ dev_write_sound(games_t) + files_list_var(games_t) + files_search_var_lib(games_t) + files_dontaudit_search_var(games_t) +-files_read_etc_files(games_t) +-files_read_usr_files(games_t) + files_read_var_files(games_t) + + init_dontaudit_rw_utmp(games_t) +@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t) + logging_dontaudit_search_logs(games_t) + + miscfiles_read_man_pages(games_t) +-miscfiles_read_localization(games_t) + + sysnet_dns_name_resolve(games_t) + +@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t) + userdom_manage_user_tmp_sockets(games_t) + userdom_dontaudit_read_user_home_content_files(games_t) + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`', ` + allow games_t self:process execmem; + ') + +diff --git a/gatekeeper.te b/gatekeeper.te +index fc3b036..10a1bbe 100644 +--- a/gatekeeper.te ++++ b/gatekeeper.te +@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) + + corecmd_list_bin(gatekeeper_t) + +-corenet_all_recvfrom_unlabeled(gatekeeper_t) + corenet_all_recvfrom_netlabel(gatekeeper_t) + corenet_tcp_sendrecv_generic_if(gatekeeper_t) + corenet_udp_sendrecv_generic_if(gatekeeper_t) +@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t) + + domain_use_interactive_fds(gatekeeper_t) + +-files_read_etc_files(gatekeeper_t) +- + fs_getattr_all_fs(gatekeeper_t) + fs_search_auto_mountpoints(gatekeeper_t) + + logging_send_syslog_msg(gatekeeper_t) + +-miscfiles_read_localization(gatekeeper_t) +- + sysnet_read_config(gatekeeper_t) + + userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) +diff --git a/gift.te b/gift.te +index 395238e..af76abb 100644 +--- a/gift.te ++++ b/gift.te +@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t) + + userdom_dontaudit_read_user_home_content_files(gift_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gift_t) +- fs_manage_nfs_files(gift_t) +- 
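Review bot: The rewritten `tunable_policy(`deny_execmem',`', `` puts `allow games_t self:process execmem;` in the else branch, so the rule is now active whenever `deny_execmem` is off, whereas before it had to be opted into via `allow_execmem`. Whether that changes the shipped default depends on the default value of `deny_execmem`, which is not visible in this hunk and is worth confirming. The empty then-branch form is easy to misread; a comment like `# games_t gets execmem unless deny_execmem is set` would make the inversion explicit.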
fs_manage_nfs_symlinks(gift_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gift_t) +- fs_manage_cifs_files(gift_t) +- fs_manage_cifs_symlinks(gift_t) +-') ++userdom_home_manager(gift_t) + + optional_policy(` + xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) +@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t) + corenet_tcp_connect_all_ports(giftd_t) + + files_read_etc_runtime_files(giftd_t) +-files_read_usr_files(giftd_t) +- +-miscfiles_read_localization(giftd_t) + + sysnet_dns_name_resolve(giftd_t) + +-userdom_use_user_terminals(giftd_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(giftd_t) +- fs_manage_nfs_files(giftd_t) +- fs_manage_nfs_symlinks(giftd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(giftd_t) +- fs_manage_cifs_files(giftd_t) +- fs_manage_cifs_symlinks(giftd_t) +-') ++userdom_use_inherited_user_terminals(giftd_t) ++userdom_home_manager(gitd_t) +diff --git a/git.if b/git.if +index 1e29af1..6c64f55 100644 +--- a/git.if ++++ b/git.if +@@ -37,7 +37,10 @@ template(`git_role',` + allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; + userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") + +- allow $2 git_session_t:process { ptrace signal_perms }; ++ allow $2 git_session_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 git_session_t:process ptrace; ++ ') + ps_process_pattern($2, git_session_t) + + tunable_policy(`git_session_users',` +@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',` + + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) + read_files_pattern($1, git_sys_content_t, git_sys_content_t) ++ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t) + + files_search_var_lib($1) + +@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',` + fs_read_nfs_files($1) + ') + ') ++ ++####################################### ++##
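Review bot: `userdom_home_manager(gitd_t)` names the wrong domain — this is gift.te and every surrounding rule targets `giftd_t` (`userdom_use_inherited_user_terminals(giftd_t)` on the preceding line). If no `gitd_t` type exists the module fails to build; if one does, the home-manager grant lands on a foreign domain while giftd_t silently loses the NFS/CIFS home access that the removed tunable blocks provided. Change it to `userdom_home_manager(giftd_t)`.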

++## Create Git user content with a
++## named file transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`git_filetrans_user_content',`
++ gen_require(`
++ type git_user_content_t;
++ ')
++ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
++')
+diff --git a/git.te b/git.te
+index 93b0301..ad8eb38 100644
+--- a/git.te
++++ b/git.te
+@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
+ 
+ ##
+ ##

+-## Determine whether Git session daemons
+-## can send syslog messages.
+-##

    +-##
    +-gen_tunable(git_session_send_syslog_msg, false) +- +-## +-##

+ ## Determine whether Git system daemon
+ ## can search home directories.
+ ##

    +@@ -92,10 +84,10 @@ type git_session_t, git_daemon; + userdom_user_application_domain(git_session_t, gitd_exec_t) + role git_session_roles types git_session_t; + +-type git_sys_content_t; ++type git_sys_content_t alias git_system_content_t; + files_type(git_sys_content_t) + +-type git_user_content_t; ++type git_user_content_t alias git_session_content_t; + userdom_user_home_content(git_user_content_t) + + ######################################## +@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) + read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) + userdom_search_user_home_dirs(git_session_t) + ++kernel_read_system_state(git_session_t) ++ + corenet_all_recvfrom_netlabel(git_session_t) + corenet_all_recvfrom_unlabeled(git_session_t) + corenet_tcp_bind_generic_node(git_session_t) +@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` + corenet_tcp_sendrecv_all_ports(git_session_t) + ') + +-tunable_policy(`git_session_send_syslog_msg',` +- logging_send_syslog_msg(git_session_t) +-') ++logging_send_syslog_msg(git_session_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(git_session_t) +@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',` + list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) + read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) + ++kernel_read_network_state(git_system_t) ++kernel_read_system_state(git_system_t) ++ ++corenet_tcp_bind_git_port(git_system_t) ++ + files_search_var_lib(git_system_t) + + auth_use_nsswitch(git_system_t) +@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',` + + allow git_daemon self:fifo_file rw_fifo_file_perms; + +-kernel_read_system_state(git_daemon) ++#kernel_read_system_state(git_daemon) + + corecmd_exec_bin(git_daemon) + +-files_read_usr_files(git_daemon) +- + fs_search_auto_mountpoints(git_daemon) + +-miscfiles_read_localization(git_daemon) +diff --git a/gitosis.te 
b/gitosis.te +index 3194b76..d3acb1a 100644 +--- a/gitosis.te ++++ b/gitosis.te +@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t) + + dev_read_urand(gitosis_t) + +-files_read_etc_files(gitosis_t) +-files_read_usr_files(gitosis_t) + files_search_var_lib(gitosis_t) + +-miscfiles_read_localization(gitosis_t) +- + sysnet_read_config(gitosis_t) + + tunable_policy(`gitosis_can_sendmail',` +diff --git a/glance.if b/glance.if +index 9eacb2c..229782f 100644 +--- a/glance.if ++++ b/glance.if +@@ -1,5 +1,30 @@ + ## OpenStack image registry and delivery service. + ++####################################### ++## ++## Creates types and rules for a basic ++## glance daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`glance_basic_types_template',` ++ gen_require(` ++ attribute glance_domain; ++ ') ++ ++ type $1_t, glance_domain; ++ type $1_exec_t; ++ ++ kernel_read_system_state($1_t) ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_all_recvfrom_netlabel($1_t) ++') ++ + ######################################## + ## + ## Execute a domain transition to +@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',` + ## run glance api. + ## + ## +-## ++## + ## Domain allowed to transition. 
+-## ++## + ## + # + interface(`glance_domtrans_api',` +@@ -242,8 +267,13 @@ interface(`glance_admin',` + type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; + ') + +- allow $1 { glance_api_t glance_registry_t }:process signal_perms; +- ps_process_pattern($1, { glance_api_t glance_registry_t }) ++ allow $1 glance_registry_t:process signal_perms; ++ ps_process_pattern($1, glance_registry_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 glance_registry_t:process ptrace; ++ allow $1 glance_api_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) + domain_system_change_exemption($1) +diff --git a/glance.te b/glance.te +index e0a4f46..16dcb5b 100644 +--- a/glance.te ++++ b/glance.te +@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) + + attribute glance_domain; + +-type glance_registry_t, glance_domain; +-type glance_registry_exec_t; ++glance_basic_types_template(glance_registry) + init_daemon_domain(glance_registry_t, glance_registry_exec_t) + + type glance_registry_initrc_exec_t; +@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t) + type glance_registry_tmp_t; + files_tmp_file(glance_registry_tmp_t) + +-type glance_api_t, glance_domain; +-type glance_api_exec_t; ++type glance_registry_tmpfs_t; ++files_tmpfs_file(glance_registry_tmpfs_t) ++ ++glance_basic_types_template(glance_api) + init_daemon_domain(glance_api_t, glance_api_exec_t) + + type glance_api_initrc_exec_t; +@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t) + # Common local policy + # + ++allow glance_domain self:process signal_perms; + allow glance_domain self:fifo_file rw_fifo_file_perms; + allow glance_domain self:unix_stream_socket create_stream_socket_perms; + allow glance_domain self:tcp_socket { accept listen }; +@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) + manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) + 
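Review bot: The rewritten `glance_admin` drops `glance_api_t` from the `signal_perms` allow and from `ps_process_pattern` — both now name only `glance_registry_t` — yet the `deny_ptrace` branch still lists both domains and `init_labeled_script_domtrans` still covers both init scripts. An admin role can therefore ptrace and start glance-api but cannot signal it or read its process state, which looks like an accidental narrowing while the set notation was converted. Restore the pair: `allow $1 { glance_api_t glance_registry_t }:process signal_perms;` and `ps_process_pattern($1, { glance_api_t glance_registry_t })`.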
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) + +-kernel_read_system_state(glance_domain) +- +-corenet_all_recvfrom_unlabeled(glance_domain) +-corenet_all_recvfrom_netlabel(glance_domain) + corenet_tcp_sendrecv_generic_if(glance_domain) + corenet_tcp_sendrecv_generic_node(glance_domain) + corenet_tcp_sendrecv_all_ports(glance_domain) + corenet_tcp_bind_generic_node(glance_domain) ++corenet_tcp_connect_mysqld_port(glance_domain) ++corenet_tcp_connect_http_port(glance_domain) + + corecmd_exec_bin(glance_domain) + corecmd_exec_shell(glance_domain) + + dev_read_urand(glance_domain) ++dev_read_sysfs(glance_domain) + +-files_read_etc_files(glance_domain) +-files_read_usr_files(glance_domain) ++auth_read_passwd(glance_domain) + + libs_exec_ldconfig(glance_domain) + +-miscfiles_read_localization(glance_domain) +- + sysnet_dns_name_resolve(glance_domain) + + ######################################## +@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm + manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) + files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) + ++manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) ++manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) ++fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file }) ++ ++corenet_tcp_bind_generic_node(glance_registry_t) + corenet_sendrecv_glance_registry_server_packets(glance_registry_t) + corenet_tcp_bind_glance_registry_port(glance_registry_t) ++corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) + + logging_send_syslog_msg(glance_registry_t) + +@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) + files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) + can_exec(glance_api_t, glance_tmp_t) + 
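Review bot: `corenet_tcp_bind_generic_node(glance_registry_t)` repeats a rule already granted to the whole attribute by `corenet_tcp_bind_generic_node(glance_domain)`, visible as a context line in the preceding hunk, so it adds nothing. The new `fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })` also lacks the space before the class set that every other call in the file uses. Drop the redundant bind and write `fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t, { dir file })`.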
+-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t) +-corenet_tcp_bind_armtechdaemon_port(glance_api_t) +- +-corenet_sendrecv_hplip_server_packets(glance_api_t) +-corenet_tcp_bind_hplip_port(glance_api_t) ++corenet_tcp_bind_generic_node(glance_api_t) + ++corenet_tcp_bind_glance_port(glance_api_t) + corenet_sendrecv_glance_registry_client_packets(glance_api_t) ++corenet_tcp_connect_amqp_port(glance_api_t) + corenet_tcp_connect_glance_registry_port(glance_api_t) ++corenet_tcp_connect_mysqld_port(glance_api_t) ++corenet_tcp_connect_http_port(glance_api_t) ++ ++corenet_tcp_connect_all_ephemeral_ports(glance_api_t) ++ ++corenet_sendrecv_hplip_server_packets(glance_api_t) ++corenet_tcp_bind_hplip_port(glance_api_t) + + fs_getattr_xattr_fs(glance_api_t) ++ ++optional_policy(` ++ mysql_stream_connect(glance_api_t) ++') +diff --git a/glusterd.fc b/glusterd.fc +new file mode 100644 +index 0000000..9614520 +--- /dev/null ++++ b/glusterd.fc +@@ -0,0 +1,16 @@ ++/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++ ++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) ++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) ++ ++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) ++ ++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) ++ ++/var/run/glusterd(/.*)? 
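Review bot: After adding `corenet_tcp_bind_glance_port(glance_api_t)` the hunk still keeps `corenet_sendrecv_hplip_server_packets`/`corenet_tcp_bind_hplip_port` on the same domain while removing the `armtechdaemon` pair, and the diff does not say whether the hplip range was a stand-in for the API port that the new glance port type now covers or a distinct port glance-api really listens on. If the former, remove the two hplip lines; if the latter, a comment naming the actual port number above them saves the next reader the same question. `corenet_tcp_bind_generic_node(glance_api_t)` is also already granted through `glance_domain` and can go.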
gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +diff --git a/glusterd.if b/glusterd.if +new file mode 100644 +index 0000000..1ed97fe +--- /dev/null ++++ b/glusterd.if +@@ -0,0 +1,150 @@ ++ ++## policy for glusterd ++ ++ ++######################################## ++## ++## Transition to glusterd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`glusterd_domtrans',` ++ gen_require(` ++ type glusterd_t, glusterd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, glusterd_exec_t, glusterd_t) ++') ++ ++ ++######################################## ++## ++## Execute glusterd server in the glusterd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_initrc_domtrans',` ++ gen_require(` ++ type glusterd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, glusterd_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Read glusterd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`glusterd_read_log',` ++ gen_require(` ++ type glusterd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, glusterd_log_t, glusterd_log_t) ++') ++ ++######################################## ++## ++## Append to glusterd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_append_log',` ++ gen_require(` ++ type glusterd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, glusterd_log_t, glusterd_log_t) ++') ++ ++######################################## ++## ++## Manage glusterd log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`glusterd_manage_log',` ++ gen_require(` ++ type glusterd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) ++ manage_files_pattern($1, glusterd_log_t, glusterd_log_t) ++ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an glusterd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`glusterd_admin',` ++ gen_require(` ++ type glusterd_t; ++ type glusterd_initrc_exec_t; ++ type glusterd_log_t; ++ type glusterd_tmp_t; ++ type glusterd_conf_t; ++ ') ++ ++ allow $1 glusterd_t:process { signal_perms }; ++ ps_process_pattern($1, glusterd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 glusterd_t:process ptrace; ++ ') ++ ++ glusterd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 glusterd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, glusterd_log_t) ++ ++ admin_pattern($1, glusterd_tmp_t) ++ ++ admin_pattern($1, glusterd_conf_t) ++ ++') ++ +diff --git a/glusterd.te b/glusterd.te +new file mode 100644 +index 0000000..0f9d485 +--- /dev/null ++++ b/glusterd.te +@@ -0,0 +1,189 @@ ++policy_module(glusterfs, 1.0.1) ++ ++## ++##
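Review bot: The new `glusterd_admin` is narrower than the `glusterfs_admin` it replaces (deleted later in this patch): it omits `admin_pattern` for `glusterd_var_lib_t` and `glusterd_var_run_t` and the `files_search_etc/tmp/var_lib/pids` calls, so an admin role can manage config, logs and tmp but not the daemon's state directory or pid files. The deleted file also offered `glusterfs_admin` as the canonical name with `glusterd_admin` as a deprecated wrapper, so any caller still using `glusterfs_admin` now fails to link. Add the two missing `admin_pattern` calls with their search interfaces, and either keep a `glusterfs_admin` alias or document the rename.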

++## Allow glusterfsd to modify public files used for public file
++## transfer services. Files/Directories must be labeled
++## public_content_rw_t.
++##

    ++##
    ++gen_tunable(gluster_anon_write, false) ++ ++## ++##

++## Allow glusterfsd to share any file/directory read only.
++##

    ++##
    ++gen_tunable(gluster_export_all_ro, false) ++ ++## ++##

++## Allow glusterfsd to share any file/directory read/write.
++##

    ++##
    ++gen_tunable(gluster_export_all_rw, true) ++ ++######################################## ++# ++# Declarations ++# ++ ++type glusterd_t; ++type glusterd_exec_t; ++init_daemon_domain(glusterd_t, glusterd_exec_t) ++ ++type glusterd_conf_t; ++files_type(glusterd_conf_t) ++ ++type glusterd_initrc_exec_t; ++init_script_file(glusterd_initrc_exec_t) ++ ++type glusterd_tmp_t; ++files_tmp_file(glusterd_tmp_t) ++ ++type glusterd_log_t; ++logging_log_file(glusterd_log_t) ++ ++type glusterd_var_run_t; ++files_pid_file(glusterd_var_run_t) ++ ++type glusterd_var_lib_t; ++files_type(glusterd_var_lib_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin }; ++ ++allow glusterd_t self:capability2 block_suspend; ++allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; ++allow glusterd_t self:fifo_file rw_fifo_file_perms; ++allow glusterd_t self:tcp_socket { accept listen }; ++allow glusterd_t self:unix_stream_socket { accept listen connectto }; ++ ++manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) ++manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) ++files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs") ++ ++manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) ++allow glusterd_t glusterd_tmp_t:dir mounton; ++ ++manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++logging_log_filetrans(glusterd_t, glusterd_log_t, dir) ++ 
++manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file }) ++ ++manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) ++relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++ ++can_exec(glusterd_t, glusterd_exec_t) ++ ++kernel_read_system_state(glusterd_t) ++kernel_read_network_state(glusterd_t) ++kernel_read_net_sysctls(glusterd_t) ++kernel_request_load_module(glusterd_t) ++ ++corecmd_exec_bin(glusterd_t) ++corecmd_exec_shell(glusterd_t) ++ ++corenet_all_recvfrom_unlabeled(glusterd_t) ++corenet_all_recvfrom_netlabel(glusterd_t) ++corenet_tcp_sendrecv_generic_if(glusterd_t) ++corenet_udp_sendrecv_generic_if(glusterd_t) ++corenet_tcp_sendrecv_generic_node(glusterd_t) ++corenet_udp_sendrecv_generic_node(glusterd_t) ++corenet_tcp_sendrecv_all_ports(glusterd_t) ++corenet_udp_sendrecv_all_ports(glusterd_t) ++corenet_tcp_bind_generic_node(glusterd_t) ++corenet_udp_bind_generic_node(glusterd_t) ++ ++corenet_tcp_connect_gluster_port(glusterd_t) ++corenet_tcp_bind_gluster_port(glusterd_t) ++ ++# replacement for rpc.mountd ++corenet_sendrecv_all_server_packets(glusterd_t) ++corenet_tcp_bind_all_reserved_ports(glusterd_t) ++corenet_udp_bind_all_rpc_ports(glusterd_t) ++corenet_tcp_bind_all_rpc_ports(glusterd_t) ++corenet_tcp_bind_nfs_port(glusterd_t) ++corenet_udp_bind_nfs_port(glusterd_t) ++corenet_udp_bind_mountd_port(glusterd_t) ++corenet_tcp_bind_mountd_port(glusterd_t) ++corenet_udp_bind_ipp_port(glusterd_t) ++ ++corenet_sendrecv_all_client_packets(glusterd_t) 
++corenet_tcp_bind_all_unreserved_ports(glusterd_t) ++corenet_tcp_connect_all_unreserved_ports(glusterd_t) ++corenet_tcp_connect_ssh_port(glusterd_t) ++ ++dev_read_sysfs(glusterd_t) ++dev_read_urand(glusterd_t) ++ ++domain_read_all_domains_state(glusterd_t) ++ ++domain_use_interactive_fds(glusterd_t) ++ ++fs_mount_all_fs(glusterd_t) ++fs_unmount_all_fs(glusterd_t) ++fs_getattr_all_fs(glusterd_t) ++ ++files_mounton_mnt(glusterd_t) ++ ++storage_rw_fuse(glusterd_t) ++ ++auth_use_nsswitch(glusterd_t) ++ ++fs_getattr_all_fs(glusterd_t) ++ ++logging_send_syslog_msg(glusterd_t) ++libs_exec_ldconfig(glusterd_t) ++ ++miscfiles_read_localization(glusterd_t) ++miscfiles_read_public_files(glusterd_t) ++ ++userdom_manage_user_home_dirs(glusterd_t) ++userdom_filetrans_home_content(glusterd_t) ++ ++mount_domtrans(glusterd_t) ++tunable_policy(`gluster_anon_write',` ++ miscfiles_manage_public_files(glusterd_t) ++') ++ ++tunable_policy(`gluster_export_all_ro',` ++ fs_read_noxattr_fs_files(glusterd_t) ++ files_read_non_security_files(glusterd_t) ++') ++ ++tunable_policy(`gluster_export_all_rw',` ++ fs_manage_noxattr_fs_files(glusterd_t) ++ files_manage_non_security_dirs(glusterd_t) ++ files_manage_non_security_files(glusterd_t) ++ files_relabel_base_file_types(glusterd_t) ++') ++ ++optional_policy(` ++ rpc_domtrans_rpcd(glusterd_t) ++ rpc_kill_rpcd(glusterd_t) ++') ++ ++optional_policy(` ++ rsync_exec(glusterd_t) ++') ++ ++optional_policy(` ++ ssh_exec(glusterd_t) ++') +diff --git a/glusterfs.fc b/glusterfs.fc +deleted file mode 100644 +index 4bd6ade..0000000 +--- a/glusterfs.fc ++++ /dev/null +@@ -1,16 +0,0 @@ +-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +- +-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +-/etc/glusterd(/.*)? 
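Review bot: `gen_tunable(gluster_export_all_rw, true)` ships the widest of the three new booleans enabled by default, so out of the box glusterd_t gets `files_manage_non_security_dirs/files`, `fs_manage_noxattr_fs_files` and `files_relabel_base_file_types` — write-and-relabel over the whole non-security filesystem — on top of the unconditional `sys_admin`, `fs_mount_all_fs`, `mount_domtrans`, `userdom_manage_user_home_dirs`, and the `bind_all_reserved_ports` plus `bind_all_unreserved_ports` pair. A default-on tunable of that scope is not a confinement boundary; `gluster_export_all_ro` and `gluster_anon_write` default to false and `gluster_export_all_rw` should match, unless the package genuinely cannot function without it, in which case its description text should say so. Smaller points in the same hunk: `fs_getattr_all_fs(glusterd_t)` appears twice, and `mount_domtrans(glusterd_t)` is glued to the first `tunable_policy` block without a blank line.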
gen_context(system_u:object_r:glusterd_conf_t,s0) +- +-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +- +-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +- +-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) +- +-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +- +-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +diff --git a/glusterfs.if b/glusterfs.if +deleted file mode 100644 +index 05233c8..0000000 +--- a/glusterfs.if ++++ /dev/null +@@ -1,71 +0,0 @@ +-## Cluster File System binary, daemon and command line. +- +-######################################## +-## +-## All of the rules required to +-## administrate an glusterfs environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`glusterd_admin',` +- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.') +- glusterfs_admin($1, $2) +-') +- +-######################################## +-## +-## All of the rules required to +-## administrate an glusterfs environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. 
+-## +-## +-## +-# +-interface(`glusterfs_admin',` +- gen_require(` +- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; +- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; +- type glusterd_var_run_t; +- ') +- +- init_labeled_script_domtrans($1, glusterd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 glusterd_initrc_exec_t system_r; +- allow $2 system_r; +- +- allow $1 glusterd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, glusterd_t) +- +- files_search_etc($1) +- admin_pattern($1, glusterd_conf_t) +- +- logging_search_logs($1) +- admin_pattern($1, glusterd_log_t) +- +- files_search_tmp($1) +- admin_pattern($1, glusterd_tmp_t) +- +- files_search_var_lib($1) +- admin_pattern($1, glusterd_var_lib_t) +- +- files_search_pids($1) +- admin_pattern($1, glusterd_var_run_t) +-') +diff --git a/glusterfs.te b/glusterfs.te +deleted file mode 100644 +index fd02acc..0000000 +--- a/glusterfs.te ++++ /dev/null +@@ -1,102 +0,0 @@ +-policy_module(glusterfs, 1.0.1) +- +-######################################## +-# +-# Declarations +-# +- +-type glusterd_t; +-type glusterd_exec_t; +-init_daemon_domain(glusterd_t, glusterd_exec_t) +- +-type glusterd_conf_t; +-files_type(glusterd_conf_t) +- +-type glusterd_initrc_exec_t; +-init_script_file(glusterd_initrc_exec_t) +- +-type glusterd_tmp_t; +-files_tmp_file(glusterd_tmp_t) +- +-type glusterd_log_t; +-logging_log_file(glusterd_log_t) +- +-type glusterd_var_run_t; +-files_pid_file(glusterd_var_run_t) +- +-type glusterd_var_lib_t; +-files_type(glusterd_var_lib_t); +- +-######################################## +-# +-# Local policy +-# +- +-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; +-allow glusterd_t self:process { setrlimit signal }; +-allow glusterd_t self:fifo_file rw_fifo_file_perms; +-allow glusterd_t self:tcp_socket { accept listen }; +-allow glusterd_t self:unix_stream_socket { accept listen }; +- 
+-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+-
+-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+-
+-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+-
+-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+-
+-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+-
+-can_exec(glusterd_t, glusterd_exec_t)
+-
+-kernel_read_system_state(glusterd_t)
+-
+-corecmd_exec_bin(glusterd_t)
+-corecmd_exec_shell(glusterd_t)
+-
+-corenet_all_recvfrom_unlabeled(glusterd_t)
+-corenet_all_recvfrom_netlabel(glusterd_t)
+-corenet_tcp_sendrecv_generic_if(glusterd_t)
+-corenet_udp_sendrecv_generic_if(glusterd_t)
+-corenet_tcp_sendrecv_generic_node(glusterd_t)
+-corenet_udp_sendrecv_generic_node(glusterd_t)
+-corenet_tcp_sendrecv_all_ports(glusterd_t)
+-corenet_udp_sendrecv_all_ports(glusterd_t)
+-corenet_tcp_bind_generic_node(glusterd_t)
+-corenet_udp_bind_generic_node(glusterd_t)
+-
+-# Too coarse?
+-corenet_sendrecv_all_server_packets(glusterd_t)
+-corenet_tcp_bind_all_reserved_ports(glusterd_t)
+-corenet_udp_bind_all_rpc_ports(glusterd_t)
+-corenet_udp_bind_ipp_port(glusterd_t)
+-
+-corenet_sendrecv_all_client_packets(glusterd_t)
+-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+-
+-dev_read_sysfs(glusterd_t)
+-dev_read_urand(glusterd_t)
+-
+-domain_use_interactive_fds(glusterd_t)
+-
+-files_read_usr_files(glusterd_t)
+-
+-auth_use_nsswitch(glusterd_t)
+-
+-logging_send_syslog_msg(glusterd_t)
+-
+-miscfiles_read_localization(glusterd_t)
+diff --git a/gnome.fc b/gnome.fc
+index e39de43..5818f74 100644
+--- a/gnome.fc
++++ b/gnome.fc
+@@ -1,15 +1,58 @@
+-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
+-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
++HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
++HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
++HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+ 
+-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
++/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
++/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
++
++/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
++/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
++/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
++/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
++/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
++/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++
++/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+ 
+ /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+ 
++/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
++
+ /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+ 
+-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++# Don't use because toolchain is broken
++#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++
++/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
++
++/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+diff --git a/gnome.if b/gnome.if
+index d03fd43..0e04529 100644
+--- a/gnome.if
++++ b/gnome.if
+@@ -1,123 +1,157 @@
+-## GNU network object model environment.
++## GNU network object model environment (GNOME)
+ 
+-########################################
++###########################################################
+ ##
+-## Role access for gnome. (Deprecated)
++## Role access for gnome
+ ##
+ ##
+-##
+-## Role allowed access.
+-##
++##
++## Role allowed access
++##
+ ##
+ ##
+-##
+-## User domain for the role.
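Review bot: `HOME_DIR/\.local.*` (and the matching `/root/\.local.*` line) has no path separator before the wildcard, so it labels `~/.localfoo` and any other dotfile starting with `.local` as `gconf_home_t`, not just the `.local` tree; `HOME_DIR/\.local(/.*)?` is the pattern the rest of this file uses. Separately, the `/usr/libexec/gconfd-2` entry is now commented out with `# Don't use because toolchain is broken`, which means nothing is labeled `gconfd_exec_t` any more and the `gconfd_t` transitions that gnome.if sets up for `gnome_role` can never fire — gconfd will run unconfined in the caller's domain; that consequence belongs in the comment, e.g. `# gconfd-2 is deliberately unlabeled: it runs in the caller's domain until this is re-enabled`. The duplicated `HOME_DIR/\.grl-bookmarks` line can be dropped.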
+-## ++## ++## User domain for the role ++## + ## + # + interface(`gnome_role',` +- refpolicywarn(`$0($*) has been deprecated') ++ gen_require(` ++ type gconfd_t, gconfd_exec_t; ++ type gconf_tmp_t; ++ ') ++ ++ role $1 types gconfd_t; ++ ++ domain_auto_trans($2, gconfd_exec_t, gconfd_t) ++ allow gconfd_t $2:fd use; ++ allow gconfd_t $2:fifo_file write; ++ allow gconfd_t $2:unix_stream_socket connectto; ++ ++ ps_process_pattern($2, gconfd_t) ++ ++ #gnome_stream_connect_gconf_template($1, $2) ++ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) ++ allow $2 gconfd_t:unix_stream_socket connectto; + ') + +-####################################### ++###################################### + ## +-## The role template for gnome. ++## The role template for the gnome-keyring-daemon. + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## ++## ++## ++## The user prefix. ++## + ## + ## +-## +-## The role associated with the user domain. +-## ++## ++## The user role. ++## + ## + ## +-## +-## The type of the user domain. +-## ++## ++## The user domain associated with the role. 
++## + ## + # +-template(`gnome_role_template',` +- gen_require(` +- attribute gnomedomain, gkeyringd_domain; +- attribute_role gconfd_roles; +- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; +- type gconfd_t, gconfd_exec_t, gconf_tmp_t; +- type gconf_home_t; +- ') +- +- ######################################## +- # +- # Gconf declarations +- # +- +- roleattribute $2 gconfd_roles; +- +- ######################################## +- # +- # Gkeyringd declarations +- # ++interface(`gnome_role_gkeyringd',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ attribute gnomedomain; ++ type gnome_home_t; ++ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; ++ class dbus send_msg; ++ ') + + type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; +- userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) ++ typealias $1_gkeyringd_t alias gkeyringd_$1_t; ++ application_domain($1_gkeyringd_t, gkeyringd_exec_t) ++ ubac_constrained($1_gkeyringd_t) + domain_user_exemption_target($1_gkeyringd_t) + ++ userdom_home_manager($1_gkeyringd_t) ++ + role $2 types $1_gkeyringd_t; + +- ######################################## +- # +- # Gconf policy +- # ++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + +- domtrans_pattern($3, gconfd_exec_t, gconfd_t) ++ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; ++ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; + +- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; +- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") +- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") ++ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; ++ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + +- allow $3 gconfd_t:process { ptrace signal_perms }; +- 
ps_process_pattern($3, gconfd_t) ++ corecmd_bin_domtrans($1_gkeyringd_t, $1_t) ++ corecmd_shell_domtrans($1_gkeyringd_t, $1_t) ++ allow $1_gkeyringd_t $3:process sigkill; ++ allow $3 $1_gkeyringd_t:fd use; ++ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write }; + +- ######################################## +- # +- # Gkeyringd policy +- # + +- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) ++ kernel_read_system_state($1_gkeyringd_t) + +- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; +- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; ++ ps_process_pattern($1_gkeyringd_t, $3) + +- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") +- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") +- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") +- +- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") ++ auth_use_nsswitch($1_gkeyringd_t) + +- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; ++ logging_send_syslog_msg($1_gkeyringd_t) + + ps_process_pattern($3, $1_gkeyringd_t) +- allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; +- +- corecmd_bin_domtrans($1_gkeyringd_t, $3) +- corecmd_shell_domtrans($1_gkeyringd_t, $3) ++ allow $3 $1_gkeyringd_t:process signal_perms; ++ dontaudit $3 gkeyringd_exec_t:file entrypoint; + +- gnome_stream_connect_gkeyringd($1, $3) ++ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) + ++ allow $1_gkeyringd_t $3:dbus send_msg; ++ allow $3 $1_gkeyringd_t:dbus send_msg; + optional_policy(` +- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) ++ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) ++ dbus_session_bus_client($1_gkeyringd_t) ++ gnome_manage_generic_home_dirs($1_gkeyringd_t) ++ 
gnome_read_generic_data_home_files($1_gkeyringd_t) ++ gnome_read_generic_data_home_dirs($1_gkeyringd_t) ++ ++ optional_policy(` ++ telepathy_mission_control_read_state($1_gkeyringd_t) ++ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) ++ ') ++ ') ++') + +- gnome_dbus_chat_gkeyringd($1, $3) ++####################################### ++## ++## Allow domain to run gkeyring in the $1_gkeyringd_t domain. ++## ++## ++## ++## The user prefix. ++## ++## ++## ++## ++## The user role. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_run_gkeyringd',` ++ gen_require(` ++ type $1_gkeyringd_t; ++ type gkeyringd_exec_t; + ') ++ role $2 types $1_gkeyringd_t; ++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + ') + + ######################################## + ## +-## Execute gconf in the caller domain. ++## gconf connection template. + ## + ## + ## +@@ -125,18 +159,18 @@ template(`gnome_role_template',` + ## + ## + # +-interface(`gnome_exec_gconf',` ++interface(`gnome_stream_connect_gconf',` + gen_require(` +- type gconfd_exec_t; ++ type gconfd_t, gconf_tmp_t; + ') + +- corecmd_search_bin($1) +- can_exec($1, gconfd_exec_t) ++ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) ++ allow $1 gconfd_t:unix_stream_socket connectto; + ') + + ######################################## + ## +-## Read gconf configuration content. ++## Connect to gkeyringd with a unix stream socket. 
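Review bot: In the new `gnome_role_gkeyringd`, `corecmd_bin_domtrans($1_gkeyringd_t, $1_t)` and `corecmd_shell_domtrans($1_gkeyringd_t, $1_t)` hard-code the user domain as `$1_t`, while the line they replace used `$3` and every other rule in the interface (`domtrans_pattern($3, ...)`, `allow $1_gkeyringd_t $3:process sigkill`) still uses `$3`; a caller whose user domain is not literally `$1_t` gets a transition to a different, possibly undeclared type. I would make them `corecmd_bin_domtrans($1_gkeyringd_t, $3)` and `corecmd_shell_domtrans($1_gkeyringd_t, $3)`. `userdom_home_manager($1_gkeyringd_t)` is also new and, if it does what its name suggests, gives the per-user keyring daemon manage access over the entire home directory, well beyond the `gkeyringd_gnome_home_t` and `gkeyringd_tmp_t` types it is granted explicitly right below; if that breadth is needed for something concrete it deserves a comment saying what, otherwise it should be narrowed.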
+ ## + ## + ## +@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',` + ## + ## + # +-interface(`gnome_read_gconf_config',` ++interface(`gnome_stream_connect_gkeyringd',` + gen_require(` +- type gconf_etc_t; ++ attribute gkeyringd_domain; ++ type gkeyringd_tmp_t; ++ type gconf_tmp_t; ++ type cache_home_t; + ') + +- files_search_etc($1) +- allow $1 gconf_etc_t:dir list_dir_perms; +- allow $1 gconf_etc_t:file read_file_perms; +- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms; ++ allow $1 gconf_tmp_t:dir search_dir_perms; ++ userdom_search_user_tmp_dirs($1) ++ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) ++ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain) + ') + + ######################################## + ## +-## Do not audit attempts to read +-## inherited gconf configuration files. ++## Run gconfd in gconfd domain. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`gnome_dontaudit_read_inherited_gconf_config_files',` ++interface(`gnome_domtrans_gconfd',` + gen_require(` +- type gconf_etc_t; ++ type gconfd_t, gconfd_exec_t; + ') + +- dontaudit $1 gconf_etc_t:file read; ++ domtrans_pattern($1, gconfd_exec_t, gconfd_t) + ') + +-####################################### ++######################################## + ## +-## Create, read, write, and delete +-## gconf configuration content. ++## Dontaudit read gnome homedir content (.config) + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
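Review bot: The new body of `gnome_stream_connect_gconf` only grants `read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)` plus `connectto` on `gconfd_t`'s socket; connecting to a socket file also needs `write` on the `sock_file` and `search` on /tmp, which the removed `files_search_tmp($1)` / `stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)` (visible as deleted in the next hunk) used to provide, so unless that is granted elsewhere the connect is denied before `connectto` is checked. gnome.fc in this same patch still places the socket under `/tmp/gconfd-USER`, so the /tmp search is required too. I would restore `files_search_tmp($1)` and `stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)` in place of the two new lines, and also update the summary, which still reads `gconf connection template` rather than describing a stream connect.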
+ ## + ## + # +-interface(`gnome_manage_gconf_config',` ++interface(`gnome_dontaudit_read_config',` + gen_require(` +- type gconf_etc_t; ++ attribute gnome_home_type; + ') + +- files_search_etc($1) +- allow $1 gconf_etc_t:dir manage_dir_perms; +- allow $1 gconf_etc_t:file manage_file_perms; +- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; ++ dontaudit $1 gnome_home_type:dir read_inherited_file_perms; + ') + + ######################################## + ## +-## Connect to gconf using a unix +-## domain stream socket. ++## Dontaudit search gnome homedir content (.config) + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`gnome_stream_connect_gconf',` ++interface(`gnome_dontaudit_search_config',` + gen_require(` +- type gconfd_t, gconf_tmp_t; ++ attribute gnome_home_type; + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) ++ dontaudit $1 gnome_home_type:dir search_dir_perms; + ') + + ######################################## + ## +-## Run gconfd in gconfd domain. ++## Dontaudit write gnome homedir content (.config) + ## + ## + ## +-## Domain allowed to transition. ++## Domain to not audit. + ## + ## + # +-interface(`gnome_domtrans_gconfd',` ++interface(`gnome_dontaudit_append_config_files',` + gen_require(` +- type gconfd_t, gconfd_exec_t; ++ attribute gnome_home_type; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++ dontaudit $1 gnome_home_type:file append; + ') + ++ + ######################################## + ## +-## Create generic gnome home directories. ++## Dontaudit write gnome homedir content (.config) + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`gnome_create_generic_home_dirs',` ++interface(`gnome_dontaudit_write_config_files',` + gen_require(` +- type gnome_home_t; ++ attribute gnome_home_type; + ') + +- allow $1 gnome_home_t:dir create_dir_perms; ++ dontaudit $1 gnome_home_type:file write; + ') + + ######################################## + ## +-## Set attributes of generic gnome +-## user home directories. (Deprecated) ++## manage gnome homedir content (.config) + ## + ## + ## +@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',` + ## + ## + # +-interface(`gnome_setattr_config_dirs',` +- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.') +- gnome_setattr_generic_home_dirs($1) ++interface(`gnome_manage_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ allow $1 gnome_home_type:dir manage_dir_perms; ++ allow $1 gnome_home_type:file manage_file_perms; ++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; ++ allow $1 gnome_home_type:sock_file manage_sock_file_perms; ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Set attributes of generic gnome +-## user home directories. ++## Send general signals to all gconf domains. + ## + ## + ## +@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',` + ## + ## + # +-interface(`gnome_setattr_generic_home_dirs',` ++interface(`gnome_signal_all',` + gen_require(` +- type gnome_home_t; ++ attribute gnomedomain; + ') + +- userdom_search_user_home_dirs($1) +- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ++ allow $1 gnomedomain:process signal; + ') + + ######################################## + ## +-## Read generic gnome user home content. (Deprecated) ++## Create objects in a Gnome cache home directory ++## with an automatic type transition to ++## a specified private type. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to create. 
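Review bot: `gnome_stream_connect_gkeyringd` now adds `stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)`, and `cache_home_t` labels the whole of `~/.cache` per the gnome.fc hunk in this patch, so every caller of this interface gets `write` on any sock_file anywhere under the user's cache directory rather than just the keyring control socket. If the keyring socket genuinely lives under `~/.cache`, it should get its own type in gnome.fc, or at least the interface should carry a comment naming the path this rule is for, since the summary `Connect to gkeyringd with a unix stream socket` understates what is granted. Also, `gnome_dontaudit_append_config_files` and `gnome_dontaudit_write_config_files` carry the identical summary `Dontaudit write gnome homedir content (.config)`; the first should read `Dontaudit append to gnome homedir content (.config)`.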
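Review bot: The rewritten `gnome_manage_config` grants dir, file, lnk_file and sock_file manage permissions on the whole `gnome_home_type` attribute, whereas the interface it replaces was scoped to the single type `gnome_home_t`. gnome.te is not in this chunk, so I cannot check the attribute's membership, but if `gkeyringd_gnome_home_t` (the keyring store labeled in gnome.fc) or `config_home_t` carry `gnome_home_type`, every caller of this convenience interface can read and rewrite the user's keyrings. The membership should be verified before merging, and the summary should say what is actually granted, e.g. `manage all gnome_home_type home content (not only .config)`.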
++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`gnome_read_config',` +- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.') +- gnome_read_generic_home_content($1) ++interface(`gnome_cache_filetrans',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ filetrans_pattern($1, cache_home_t, $2, $3, $4) ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Read generic gnome home content. ++## Create objects in a Gnome cache home directory ++## with an automatic type transition to ++## a specified private type. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`gnome_read_generic_home_content',` ++interface(`gnome_config_filetrans',` + gen_require(` +- type gnome_home_t; ++ type config_home_t; + ') + ++ filetrans_pattern($1, config_home_t, $2, $3, $4) + userdom_search_user_home_dirs($1) +- allow $1 gnome_home_t:dir list_dir_perms; +- allow $1 gnome_home_t:file read_file_perms; +- allow $1 gnome_home_t:fifo_file read_fifo_file_perms; +- allow $1 gnome_home_t:lnk_file read_lnk_file_perms; +- allow $1 gnome_home_t:sock_file read_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic gnome user home content. 
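Review bot: `gnome_signal_all` is documented as `Send general signals to all gconf domains` but its body is `allow $1 gnomedomain:process signal;`, i.e. it covers every type carrying the `gnomedomain` attribute, which per the first gnome.if hunk in this patch includes each per-user `$1_gkeyringd_t` keyring daemon. Either the summary should read `Send general signals to all gnome domains (gconfd and gkeyringd)` so callers know they are reaching the keyring daemons, or the rule should be narrowed to `gconfd_t` to match the summary.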
(Deprecated) ++## Read generic cache home files (.cache) + ## + ## + ## +@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',` + ## + ## + # +-interface(`gnome_manage_config',` +- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.') +- gnome_manage_generic_home_content($1) ++interface(`gnome_read_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ read_files_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic gnome home content. ++## Create generic cache home dir (.cache) + ## + ## + ## +@@ -354,22 +424,18 @@ interface(`gnome_manage_config',` + ## + ## + # +-interface(`gnome_manage_generic_home_content',` ++interface(`gnome_create_generic_cache_dir',` + gen_require(` +- type gnome_home_t; ++ type cache_home_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; +- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; +- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; +- allow $1 gnome_home_t:sock_file manage_sock_file_perms; ++ allow $1 cache_home_t:dir create_dir_perms; ++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") + ') + + ######################################## + ## +-## Search generic gnome home directories. 
++## Set attributes of cache home dir (.cache) + ## + ## + ## +@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',` + ## + ## + # +-interface(`gnome_search_generic_home',` ++interface(`gnome_setattr_cache_home_dir',` + gen_require(` +- type gnome_home_t; ++ type cache_home_t; + ') + ++ setattr_dirs_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +- allow $1 gnome_home_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create objects in gnome user home +-## directories with a private type. ++## Manage cache home dir (.cache) + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Private file type. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`gnome_home_filetrans',` ++interface(`gnome_manage_cache_home_dir',` + gen_require(` +- type gnome_home_t; ++ type cache_home_t; + ') + ++ manage_dirs_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +- filetrans_pattern($1, gnome_home_t, $2, $3, $4) + ') + + ######################################## + ## +-## Create generic gconf home directories. ++## append to generic cache home files (.cache) + ## + ## + ## +@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',` + ## + ## + # +-interface(`gnome_create_generic_gconf_home_dirs',` ++interface(`gnome_append_generic_cache_files',` + gen_require(` +- type gconf_home_t; ++ type cache_home_t; + ') + +- allow $1 gconf_home_t:dir create_dir_perms; ++ append_files_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Read generic gconf home content. 
++## write to generic cache home files (.cache) + ## + ## + ## +@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` + ## + ## + # +-interface(`gnome_read_generic_gconf_home_content',` ++interface(`gnome_write_generic_cache_files',` + gen_require(` +- type gconf_home_t; ++ type cache_home_t; + ') + ++ write_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir list_dir_perms; +- allow $1 gconf_home_t:file read_file_perms; +- allow $1 gconf_home_t:fifo_file read_fifo_file_perms; +- allow $1 gconf_home_t:lnk_file read_lnk_file_perms; +- allow $1 gconf_home_t:sock_file read_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic gconf home content. ++## Manage a sock_file in the generic cache home files (.cache) + ## + ## + ## +@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',` + ## + ## + # +-interface(`gnome_manage_generic_gconf_home_content',` ++interface(`gnome_manage_generic_cache_sockets',` + gen_require(` +- type gconf_home_t; ++ type cache_home_t; + ') + + userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir manage_dir_perms; +- allow $1 gconf_home_t:file manage_file_perms; +- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; +- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; +- allow $1 gconf_home_t:sock_file manage_sock_file_perms; ++ manage_sock_files_pattern($1, cache_home_t, cache_home_t) + ') + + ######################################## + ## +-## Search generic gconf home directories. ++## Dontaudit read/write to generic cache home files (.cache) + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`gnome_search_generic_gconf_home',` ++interface(`gnome_dontaudit_rw_generic_cache_files',` + gen_require(` +- type gconf_home_t; ++ type cache_home_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir search_dir_perms; ++ dontaudit $1 cache_home_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic gconf +-## home type. ++## read gnome homedir content (.config) + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`gnome_home_filetrans_gconf_home',` ++interface(`gnome_read_config',` + gen_require(` +- type gconf_home_t; ++ attribute gnome_home_type; + ') + +- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) ++ list_dirs_pattern($1, gnome_home_type, gnome_home_type) ++ read_files_pattern($1, gnome_home_type, gnome_home_type) ++ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) ++ gnome_read_usr_config($1) + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic gnome +-## home type. ++## Create objects in a Gnome gconf home directory ++## with an automatic type transition to ++## a specified private type. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to create. ++## ++## + ## + ## +-## Class of the object being created. ++## The class of the object to be created. + ## + ## + ## +@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',` + ##
    + ## + # +-interface(`gnome_home_filetrans_gnome_home',` ++interface(`gnome_data_filetrans',` + gen_require(` +- type gnome_home_t; ++ type data_home_t; + ') + +- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) ++ filetrans_pattern($1, data_home_t, $2, $3, $4) ++ gnome_search_gconf($1) + ') + +-######################################## ++####################################### + ## +-## Create objects in gnome gconf home +-## directories with a private type. ++## Read generic data home files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Private file type. +-## +-## +-## +-## +-## Class of the object being created. +-## ++# ++interface(`gnome_read_generic_data_home_files',` ++ gen_require(` ++ type data_home_t, gconf_home_t; ++ ') ++ ++ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) ++ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) ++') ++ ++###################################### ++## ++## Read generic data home dirs. ++## ++## ++## ++## Domain allowed access. ++## + ## +-## ++# ++interface(`gnome_read_generic_data_home_dirs',` ++ gen_require(` ++ type data_home_t, gconf_home_t; ++ ') ++ ++ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t) ++') ++ ++####################################### ++## ++## Manage gconf data home files ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`gnome_gconf_home_filetrans',` ++interface(`gnome_manage_data',` + gen_require(` ++ type data_home_t; + type gconf_home_t; + ') + +- userdom_search_user_home_dirs($1) +- filetrans_pattern($1, gconf_home_t, $2, $3, $4) ++ allow $1 gconf_home_t:dir search_dir_perms; ++ manage_dirs_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, data_home_t, data_home_t) ++ manage_lnk_files_pattern($1, data_home_t, data_home_t) + ') + + ######################################## + ## +-## Read generic gnome keyring home files. 
++## Read icc data home content. + ## + ## + ## +@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',` + ## + ## + # +-interface(`gnome_read_keyring_home_files',` ++interface(`gnome_read_home_icc_data_content',` + gen_require(` +- type gnome_home_t, gnome_keyring_home_t; ++ type icc_data_home_t, gconf_home_t, data_home_t; + ') + + userdom_search_user_home_dirs($1) +- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) ++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; ++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_files_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) + ') + + ######################################## + ## +-## Send and receive messages from +-## gnome keyring daemon over dbus. ++## Read inherited icc data home files. + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_dbus_chat_gkeyringd',` ++interface(`gnome_read_inherited_home_icc_data_files',` + gen_require(` +- type $1_gkeyringd_t; +- class dbus send_msg; ++ type icc_data_home_t; + ') + +- allow $2 $1_gkeyringd_t:dbus send_msg; +- allow $1_gkeyringd_t $2:dbus send_msg; ++ allow $1 icc_data_home_t:file read_inherited_file_perms; + ') + + ######################################## + ## +-## Send and receive messages from all +-## gnome keyring daemon over dbus. ++## Create gconf_home_t objects in the /root directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. 
++## ++## + # +-interface(`gnome_dbus_chat_all_gkeyringd',` ++interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` +- attribute gkeyringd_domain; +- class dbus send_msg; ++ type gconf_home_t; + ') + +- allow $1 gkeyringd_domain:dbus send_msg; +- allow gkeyringd_domain $1:dbus send_msg; ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) + ') + + ######################################## + ## +-## Connect to gnome keyring daemon +-## with a unix stream socket. ++## Do not audit attempts to read ++## inherited gconf config files. + ## +-## ++## + ## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). ++## Domain to not audit. + ## + ## ++# ++interface(`gnome_dontaudit_read_inherited_gconf_config_files',` ++ gen_require(` ++ type gconf_etc_t; ++ ') ++ ++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## read gconf config files ++## + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_stream_connect_gkeyringd',` ++interface(`gnome_read_gconf_config',` + gen_require(` +- type $1_gkeyringd_t, gnome_keyring_tmp_t; ++ type gconf_etc_t; + ') + +- files_search_tmp($2) +- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) ++ allow $1 gconf_etc_t:dir list_dir_perms; ++ read_files_pattern($1, gconf_etc_t, gconf_etc_t) ++ files_search_etc($1) ++') ++ ++####################################### ++## ++## Manage gconf config files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gconf_config',` ++ gen_require(` ++ type gconf_etc_t; ++ ') ++ ++ allow $1 gconf_etc_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_etc_t, gconf_etc_t) + ') + + ######################################## + ## +-## Connect to all gnome keyring daemon +-## with a unix stream socket. ++## Execute gconf programs in ++## in the caller domain. 
+ ## + ## + ## +@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',` + ## + ## + # +-interface(`gnome_stream_connect_all_gkeyringd',` ++interface(`gnome_exec_gconf',` ++ gen_require(` ++ type gconfd_exec_t; ++ ') ++ ++ can_exec($1, gconfd_exec_t) ++') ++ ++######################################## ++## ++## Execute gnome keyringd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_exec_keyringd',` ++ gen_require(` ++ type gkeyringd_exec_t; ++ ') ++ ++ can_exec($1, gkeyringd_exec_t) ++ corecmd_search_bin($1) ++') ++ ++######################################## ++## ++## Search gconf home data dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_search_gconf_data_dir',` ++ gen_require(` ++ type gconf_home_t; ++ type data_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ allow $1 data_home_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Read gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ type data_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ allow $1 data_home_t:dir list_dir_perms; ++ read_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_files_pattern($1, data_home_t, data_home_t) ++ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_lnk_files_pattern($1, data_home_t, data_home_t) ++') ++ ++######################################## ++## ++## Search gkeyringd temporary directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_search_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 gkeyringd_tmp_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List gkeyringd temporary directories. 
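Review bot: `gnome_manage_gconf_config` omits `files_search_etc($1)` while its sibling `gnome_read_gconf_config` in the same hunk includes it, so a caller that cannot already search /etc is granted manage rights on gconf_etc_t files it cannot path to, and anyone expecting parity with the read interface will hit search denials. Add `files_search_etc($1)` after the `manage_files_pattern($1, gconf_etc_t, gconf_etc_t)` line. The interface also grants only `list_dir_perms` on gconf_etc_t directories, so creating or removing gconf config subdirectories is not covered; if that is intentional, state it in the summary, e.g. `## Manage gconf config files (directories are listed, not created)`.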
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_list_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 gkeyringd_tmp_t:dir list_dir_perms; ++') ++ ++####################################### ++## ++## Delete gkeyringd temporary ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_delete_gkeyringd_tmp_content',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++') ++ ++####################################### ++## ++## Manage gkeyringd temporary directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++') ++ ++######################################## ++## ++## search gconf homedir (.local) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_search_gconf',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ allow $1 gconf_home_t:dir search_dir_perms; ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## Set attributes of Gnome config dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_config_dirs',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Manage generic gnome home files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_manage_generic_home_files',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, gnome_home_t, gnome_home_t) ++') ++ ++######################################## ++## ++## Manage generic gnome home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_generic_home_dirs',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 gnome_home_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Append gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## ++## manage gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ allow $1 gconf_home_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## ++## Connect to gnome over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`gnome_stream_connect',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ # Connect to pulseaudit server ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++') ++ ++######################################## ++## ++## list gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_list_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ allow $1 config_home_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Set attributes of gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## read gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ list_dirs_pattern($1, config_home_t, config_home_t) ++ read_files_pattern($1, config_home_t, config_home_t) ++ read_lnk_files_pattern($1, config_home_t, config_home_t) ++') ++ ++####################################### ++## ++## delete gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_delete_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ delete_files_pattern($1, config_home_t, config_home_t) ++') ++ ++####################################### ++## ++## setattr gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_home_config_dirs',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++') ++ ++######################################## ++## ++## manage gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ manage_files_pattern($1, config_home_t, config_home_t) ++') ++ ++####################################### ++## ++## delete gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_delete_home_config_dirs',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ delete_dirs_pattern($1, config_home_t, config_home_t) ++') ++ ++######################################## ++## ++## manage gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_home_config_dirs',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ manage_dirs_pattern($1, config_home_t, config_home_t) ++') ++ ++######################################## ++## ++## manage gstreamer home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gstreamer_home_files',` ++ gen_require(` ++ type gstreamer_home_t; ++ ') ++ ++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) ++ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) ++ gnome_filetrans_gstreamer_home_content($1) ++') ++ ++###################################### ++## ++## Allow to execute gstreamer home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_exec_gstreamer_home_files',` ++ gen_require(` ++ type gstreamer_home_t; ++ ') ++ ++ can_exec($1, gstreamer_home_t) ++') ++ ++####################################### ++## ++## file name transition gstreamer home content files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_filetrans_gstreamer_home_content',` ++ gen_require(` ++ type gstreamer_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") ++ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12") ++') ++ ++####################################### ++## ++## manage gstreamer home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gstreamer_home_dirs',` ++ gen_require(` ++ type gstreamer_home_t; ++ ') ++ ++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) ++') ++ ++######################################## ++## ++## Read/Write all inherited gnome home config ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_rw_inherited_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ allow $1 gnome_home_type:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Dontaudit Read/Write all inherited gnome home config ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`gnome_dontaudit_rw_inherited_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ dontaudit $1 gnome_home_type:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## gconf system service over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_dbus_chat_gconfdefault',` ++ gen_require(` ++ type gconfdefaultsm_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 gconfdefaultsm_t:dbus send_msg; ++ allow gconfdefaultsm_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## gkeyringd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_dbus_chat_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; +- type gnome_keyring_tmp_t; ++ class dbus send_msg; + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ allow $1 gkeyringd_domain:dbus send_msg; ++ allow gkeyringd_domain $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Send signull signal to gkeyringd processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_signull_gkeyringd',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ ') ++ ++ allow $1 gkeyringd_domain:process signull; ++') ++ ++######################################## ++## ++## Allow the domain to read gkeyringd state files in /proc. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_read_gkeyringd_state',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ ') ++ ++ ps_process_pattern($1, gkeyringd_domain) ++') ++ ++######################################## ++## ++## Create directories in user home directories ++## with the gnome home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_home_dir_filetrans',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, gnome_home_t, dir) ++ userdom_search_user_home_dirs($1) ++') ++ ++###################################### ++## ++## Allow read kde config content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_usr_config',` ++ gen_require(` ++ type config_usr_t; ++ ') ++ ++ files_search_usr($1) ++ list_dirs_pattern($1, config_usr_t, config_usr_t) ++ read_files_pattern($1, config_usr_t, config_usr_t) ++ read_lnk_files_pattern($1, config_usr_t, config_usr_t) ++') ++ ++####################################### ++## ++## Allow manage kde config content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_manage_usr_config',` ++ gen_require(` ++ type config_usr_t; ++ ') ++ ++ files_search_usr($1) ++ manage_dirs_pattern($1, config_usr_t, config_usr_t) ++ manage_files_pattern($1, config_usr_t, config_usr_t) ++ manage_lnk_files_pattern($1, config_usr_t, config_usr_t) ++') ++ ++######################################## ++## ++## Execute gnome-keyring in the user gkeyring domain ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`gnome_transition_gkeyringd',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ ') ++ ++ allow $1 gkeyringd_domain:process transition; ++ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; ++ allow gkeyringd_domain $1:process { sigchld signull }; ++ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Create gnome content in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_filetrans_home_content',` ++ ++gen_require(` ++ type config_home_t; ++ type cache_home_t; ++ type dbus_home_t; ++ type gconf_home_t; ++ type gnome_home_t; ++ type data_home_t, icc_data_home_t; ++ type gkeyringd_gnome_home_t; ++') ++ ++ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config") ++ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") ++ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine") ++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") ++ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus") ++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv") ++ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde") ++ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") ++ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") ++ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") ++ userdom_user_home_dir_filetrans($1, gnome_home_t, 
dir, ".gnome2") ++ ++ # ~/.color/icc: legacy ++ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc") ++ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") ++ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") ++ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") ++ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") ++ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig") ++ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf") ++ gnome_cache_filetrans($1, config_home_t, dir, "dconf") ++ gnome_filetrans_gstreamer_home_content($1) ++') ++ ++######################################## ++## ++## Create gnome dconf dir in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_filetrans_config_home_content',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ gnome_cache_filetrans($1, config_home_t, dir, "dconf") ++') ++ ++######################################## ++## ++## Create gnome directory in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_filetrans_admin_home_content',` ++ ++gen_require(` ++ type config_home_t; ++ type cache_home_t; ++ type dbus_home_t; ++ type gstreamer_home_t; ++ type gconf_home_t; ++ type gnome_home_t; ++ type icc_data_home_t; ++') ++ ++ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config") ++ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") ++ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine") ++ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache") ++ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus") ++ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde") ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local") ++ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") ++ gnome_filetrans_gstreamer_home_content($1) ++ # /root/.color/icc: legacy ++ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc") ++') ++ ++##################################### ++## ++## Execute gnome-keyring executable ++## in the specified domain. ++## ++## ++##

    ++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##

    ++## This interface was added to handle ++## the ssh-agent policy. ++##

    ++##
    ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`gnome_command_domtrans_gkeyringd', ` ++ gen_require(` ++ type gkeyringd_exec_t; ++ ') ++ ++ allow $2 gkeyringd_exec_t:file entrypoint; ++ domain_transition_pattern($1, gkeyringd_exec_t, $2) ++ type_transition $1 gkeyringd_exec_t:process $2; + ') +diff --git a/gnome.te b/gnome.te +index 20f726b..c6ff2a1 100644 +--- a/gnome.te ++++ b/gnome.te +@@ -1,18 +1,36 @@ +-policy_module(gnome, 2.2.5) ++policy_module(gnome, 2.2.0) + + ############################## + # + # Declarations + # + +-attribute gkeyringd_domain; + attribute gnomedomain; +-attribute_role gconfd_roles; ++attribute gnome_home_type; ++attribute gkeyringd_domain; + + type gconf_etc_t; + files_config_file(gconf_etc_t) + +-type gconf_home_t; ++type data_home_t, gnome_home_type; ++userdom_user_home_content(data_home_t) ++ ++type config_home_t, gnome_home_type; ++userdom_user_home_content(config_home_t) ++ ++type cache_home_t, gnome_home_type; ++userdom_user_home_content(cache_home_t) ++ ++type gstreamer_home_t, gnome_home_type; ++userdom_user_home_content(gstreamer_home_t) ++ ++type dbus_home_t, gnome_home_type; ++userdom_user_home_content(dbus_home_t) ++ ++type icc_data_home_t, gnome_home_type; ++userdom_user_home_content(icc_data_home_t) ++ ++type gconf_home_t, gnome_home_type; + typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; + typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; + typealias gconf_home_t alias unconfined_gconf_home_t; +@@ -29,107 +47,226 @@ type gconfd_exec_t; + typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; + typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; + userdom_user_application_domain(gconfd_t, gconfd_exec_t) +-role gconfd_roles types gconfd_t; + +-type gnome_home_t; ++type gnome_home_t, gnome_home_type; + typealias gnome_home_t alias { 
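Review bot: The description block for `gnome_command_domtrans_gkeyringd` is copy-pasted from elsewhere: it says "Execute a telepathy executable" and "This interface was added to handle the ssh-agent policy", neither of which describes an interface that transitions into a gnome-keyring domain, and it promises "No interprocess communication" even though the body calls `domain_transition_pattern`. Replace it with e.g. `## Execute gnome-keyring-daemon in the specified domain, which the caller owns; only the transition and entrypoint are granted here.` If this tree's `domain_transition_pattern` matches refpolicy's, which already grants `$3 $2:file entrypoint`, then the explicit `allow $2 gkeyringd_exec_t:file entrypoint;` is redundant and the body plus its `type_transition` line collapses to `domain_auto_transition_pattern($1, gkeyringd_exec_t, $2)` — confirm against policy/support/misc_patterns.spt. Separately, the `gnome_stream_connect` comment `# Connect to pulseaudit server` presumably means pulseaudio, and the rule it annotates allows connectto over every gnome_home_type socket, which is broader than that comment suggests.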
user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; + typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; + typealias gnome_home_t alias unconfined_gnome_home_t; + userdom_user_home_content(gnome_home_t) + ++# type KDE /usr/share/config files ++type config_usr_t; ++files_type(config_usr_t) ++ + type gkeyringd_exec_t; +-application_executable_file(gkeyringd_exec_t) ++corecmd_executable_file(gkeyringd_exec_t) + +-type gnome_keyring_home_t; +-userdom_user_home_content(gnome_keyring_home_t) ++type gkeyringd_gnome_home_t; ++userdom_user_home_content(gkeyringd_gnome_home_t) + +-type gnome_keyring_tmp_t; +-userdom_user_tmp_file(gnome_keyring_tmp_t) ++type gkeyringd_tmp_t; ++userdom_user_tmp_content(gkeyringd_tmp_t) ++ ++type gconfdefaultsm_t; ++type gconfdefaultsm_exec_t; ++init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) ++ ++type gnomesystemmm_t; ++type gnomesystemmm_exec_t; ++init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t) + + ############################## + # +-# Common local Policy ++# Local Policy + # + +-allow gnomedomain self:process { getsched signal }; +-allow gnomedomain self:fifo_file rw_fifo_file_perms; ++allow gconfd_t self:process getsched; ++allow gconfd_t self:fifo_file rw_fifo_file_perms; + +-dev_read_urand(gnomedomain) ++manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) ++manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) ++userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) + +-domain_use_interactive_fds(gnomedomain) ++manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) ++manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) ++userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) + +-files_read_etc_files(gnomedomain) ++allow gconfd_t gconf_etc_t:dir list_dir_perms; ++read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) ++ ++dev_read_urand(gconfd_t) + +-miscfiles_read_localization(gnomedomain) + +-logging_send_syslog_msg(gnomedomain) + 
+-userdom_use_user_terminals(gnomedomain) ++logging_send_syslog_msg(gconfd_t) ++ ++userdom_manage_user_tmp_sockets(gconfd_t) ++userdom_manage_user_tmp_dirs(gconfd_t) ++userdom_tmp_filetrans_user_tmp(gconfd_t, dir) + + optional_policy(` +- xserver_rw_xdm_pipes(gnomedomain) +- xserver_use_xdm_fds(gnomedomain) ++ nscd_dontaudit_search_pid(gconfd_t) + ') + +-############################## ++optional_policy(` ++ xserver_use_xdm_fds(gconfd_t) ++ xserver_rw_xdm_pipes(gconfd_t) ++') ++ ++####################################### + # +-# Conf daemon local Policy ++# gconf-defaults-mechanisms local policy + # + +-allow gconfd_t gconf_etc_t:dir list_dir_perms; +-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) ++allow gconfdefaultsm_t self:capability { dac_override sys_nice }; ++allow gconfdefaultsm_t self:process getsched; ++allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; + +-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) ++corecmd_search_bin(gconfdefaultsm_t) + +-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) ++auth_read_passwd(gconfdefaultsm_t) + +-userdom_manage_user_tmp_dirs(gconfd_t) +-userdom_tmp_filetrans_user_tmp(gconfd_t, dir) ++gnome_manage_gconf_home_files(gconfdefaultsm_t) ++gnome_manage_gconf_config(gconfdefaultsm_t) ++ ++userdom_read_all_users_state(gconfdefaultsm_t) ++userdom_search_user_home_dirs(gconfdefaultsm_t) ++ ++userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) + + optional_policy(` +- nscd_dontaudit_search_pid(gconfd_t) ++ consolekit_dbus_chat(gconfdefaultsm_t) + ') + +-############################## ++optional_policy(` ++ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) ++') ++ ++optional_policy(` ++ nscd_dontaudit_search_pid(gconfdefaultsm_t) ++') ++ 
++optional_policy(` ++ policykit_domtrans_auth(gconfdefaultsm_t) ++ policykit_dbus_chat(gconfdefaultsm_t) ++ policykit_read_lib(gconfdefaultsm_t) ++ policykit_read_reload(gconfdefaultsm_t) ++') ++ ++userdom_home_manager(gconfdefaultsm_t) ++ ++####################################### ++# ++# gnome-system-monitor-mechanisms local policy ++# ++ ++allow gnomesystemmm_t self:capability { sys_admin sys_nice }; ++allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; ++ ++rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t) ++ ++kernel_read_system_state(gnomesystemmm_t) ++ ++corecmd_search_bin(gnomesystemmm_t) ++ ++domain_kill_all_domains(gnomesystemmm_t) ++domain_search_all_domains_state(gnomesystemmm_t) ++domain_setpriority_all_domains(gnomesystemmm_t) ++domain_signal_all_domains(gnomesystemmm_t) ++domain_sigstop_all_domains(gnomesystemmm_t) ++ ++fs_getattr_xattr_fs(gnomesystemmm_t) ++ ++auth_read_passwd(gnomesystemmm_t) ++ ++logging_send_syslog_msg(gnomesystemmm_t) ++ ++userdom_read_all_users_state(gnomesystemmm_t) ++userdom_dontaudit_search_admin_dir(gnomesystemmm_t) ++ ++optional_policy(` ++ consolekit_dbus_chat(gnomesystemmm_t) ++') ++ ++optional_policy(` ++ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) ++') ++ ++optional_policy(` ++ gnome_manage_home_config(gnomesystemmm_t) ++') ++ ++optional_policy(` ++ nscd_dontaudit_search_pid(gnomesystemmm_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(gnomesystemmm_t) ++ policykit_domtrans_auth(gnomesystemmm_t) ++ policykit_read_lib(gnomesystemmm_t) ++ policykit_read_reload(gnomesystemmm_t) ++') ++ ++###################################### + # +-# Keyring-daemon local policy ++# gnome-keyring-daemon local policy + # + + allow gkeyringd_domain self:capability ipc_lock; +-allow gkeyringd_domain self:process { getcap setcap }; ++allow gkeyringd_domain self:process { getcap getsched setcap signal }; ++allow gkeyringd_domain self:fifo_file rw_fifo_file_perms; + allow gkeyringd_domain 
self:unix_stream_socket { connectto accept listen }; + +-allow gkeyringd_domain gnome_home_t:dir create_dir_perms; +-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") ++manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t) + +-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") ++manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) ++manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) ++allow gkeyringd_domain data_home_t:dir create_dir_perms; ++allow gkeyringd_domain gconf_home_t:dir create_dir_perms; ++filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") ++filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") ++filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") ++filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings") + +-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) ++manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) ++manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) ++files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) ++userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) + +-kernel_read_system_state(gkeyringd_domain) + kernel_read_crypto_sysctls(gkeyringd_domain) + ++corecmd_search_bin(gkeyringd_domain) ++ + dev_read_rand(gkeyringd_domain) ++dev_read_urand(gkeyringd_domain) + dev_read_sysfs(gkeyringd_domain) + +-files_read_usr_files(gkeyringd_domain) ++# for nscd? 
++files_search_pids(gkeyringd_domain) + +-fs_getattr_all_fs(gkeyringd_domain) ++fs_getattr_xattr_fs(gkeyringd_domain) ++fs_getattr_tmpfs(gkeyringd_domain) + +-selinux_getattr_fs(gkeyringd_domain) ++userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local") + + optional_policy(` +- ssh_read_user_home_files(gkeyringd_domain) ++ xserver_append_xdm_home_files(gkeyringd_domain) ++ xserver_read_xdm_home_files(gkeyringd_domain) ++ xserver_use_xdm_fds(gkeyringd_domain) + ') + + optional_policy(` +- telepathy_mission_control_read_state(gkeyringd_domain) ++ gnome_read_home_config(gkeyringd_domain) ++ gnome_read_generic_cache_files(gkeyringd_domain) ++ gnome_write_generic_cache_files(gkeyringd_domain) ++ gnome_manage_cache_home_dir(gkeyringd_domain) ++ gnome_manage_generic_cache_sockets(gkeyringd_domain) + ') ++ ++optional_policy(` ++ ssh_read_user_home_files(gkeyringd_domain) ++') ++ ++domain_use_interactive_fds(gnomedomain) ++ ++userdom_use_inherited_user_terminals(gnomedomain) +diff --git a/gnomeclock.fc b/gnomeclock.fc +index b687443..e4c1b83 100644 +--- a/gnomeclock.fc ++++ b/gnomeclock.fc +@@ -1,5 +1,9 @@ ++/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++ + /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + +-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++ ++/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + +-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +diff --git a/gnomeclock.if b/gnomeclock.if +index 3f55702..25c7ab8 100644 +--- a/gnomeclock.if ++++ b/gnomeclock.if +@@ -2,8 +2,7 @@ + + ######################################## + ## +-## 
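Review bot: The gkeyringd_domain block defines two named transitions with the same key: `filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")` and, two lines later, `filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")` both map (gkeyringd_domain, gnome_home_t, dir, "keyrings") to different result types. SELinux holds a single result type per (source, parent, class, name), so the toolchain should reject this as a conflicting type_transition, or at best only one rule is honoured and a keyrings directory created under a gnome_home_t parent may end up as data_home_t rather than the keyring type. The third line looks like a leftover from before the gkeyringd_gnome_home_t split and should be dropped. Also, `allow gnomesystemmm_t self:capability { sys_admin sys_nice };` hands CAP_SYS_ADMIN to a D-Bus mechanism whose visible needs are signalling and renicing processes; unless an AVC denial justifies it, narrow it to what is actually required (signalling other uids' processes needs `kill`, not `sys_admin`) — confirm against the audit log.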
Execute a domain transition to +-## run gnomeclock. ++## Execute a domain transition to run gnomeclock. + ## + ## + ## +@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',` + type gnomeclock_t, gnomeclock_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) + ') + + ######################################## + ## +-## Execute gnomeclock in the gnomeclock +-## domain, and allow the specified +-## role the gnomeclock domain. ++## Execute gnomeclock in the gnomeclock domain, and ++## allow the specified role the gnomeclock domain. + ## + ## + ## +@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',` + # + interface(`gnomeclock_run',` + gen_require(` +- attribute_role gnomeclock_roles; ++ type gnomeclock_t; + ') + + gnomeclock_domtrans($1) +- roleattribute $2 gnomeclock_roles; ++ role $2 types gnomeclock_t; + ') + + ######################################## +@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',` + + ######################################## + ## +-## Do not audit attempts to send and +-## receive messages from gnomeclock +-## over dbus. ++## Do not audit send and receive messages from ++## gnomeclock over dbus. 
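Review bot: `gnomeclock_domtrans` drops `corecmd_search_bin($1)`, but gnomeclock_exec_t is labelled under /usr/libexec (per gnomeclock.fc in this patch), so a caller that does not already hold search on the bin_t directories will now be denied before it reaches the entrypoint. Other exec interfaces in this same patch, e.g. `gnome_exec_keyringd`, keep the `corecmd_search_bin($1)` call; either restore it here or document the new precondition in the summary, e.g. `## Callers must already be able to search bin_t directories.`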
+ ## + ## + ## +diff --git a/gnomeclock.te b/gnomeclock.te +index 6d79eb5..c728009 100644 +--- a/gnomeclock.te ++++ b/gnomeclock.te +@@ -1,86 +1,99 @@ +-policy_module(gnomeclock, 1.0.5) ++policy_module(gnomeclock, 1.0.0) + + ######################################## + # + # Declarations + # + +-attribute_role gnomeclock_roles; +- + type gnomeclock_t; + type gnomeclock_exec_t; +-init_system_domain(gnomeclock_t, gnomeclock_exec_t) +-role gnomeclock_roles types gnomeclock_t; ++init_daemon_domain(gnomeclock_t, gnomeclock_exec_t) ++ ++type gnomeclock_tmp_t; ++files_tmp_file(gnomeclock_tmp_t) + + ######################################## + # +-# Local policy ++# gnomeclock local policy + # + +-allow gnomeclock_t self:capability { sys_nice sys_time }; ++allow gnomeclock_t self:capability { sys_nice sys_time dac_override }; + allow gnomeclock_t self:process { getattr getsched signal }; + allow gnomeclock_t self:fifo_file rw_fifo_file_perms; +-allow gnomeclock_t self:unix_stream_socket { accept listen }; ++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; ++allow gnomeclock_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) ++manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) ++manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) ++files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir }) + + kernel_read_system_state(gnomeclock_t) + + corecmd_exec_bin(gnomeclock_t) + corecmd_exec_shell(gnomeclock_t) ++corecmd_dontaudit_access_check_bin(gnomeclock_t) + +-corenet_all_recvfrom_unlabeled(gnomeclock_t) +-corenet_all_recvfrom_netlabel(gnomeclock_t) +-corenet_tcp_sendrecv_generic_if(gnomeclock_t) +-corenet_tcp_sendrecv_generic_node(gnomeclock_t) ++corenet_tcp_connect_time_port(gnomeclock_t) + +-# tcp:37 (time) +-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) +-corenet_tcp_connect_inetd_child_port(gnomeclock_t) 
+-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t) +- +-dev_read_sysfs(gnomeclock_t) +-dev_read_urand(gnomeclock_t) + dev_rw_realtime_clock(gnomeclock_t) ++dev_read_urand(gnomeclock_t) ++dev_write_kmsg(gnomeclock_t) ++dev_read_sysfs(gnomeclock_t) + +-files_read_usr_files(gnomeclock_t) ++files_read_etc_runtime_files(gnomeclock_t) + + fs_getattr_xattr_fs(gnomeclock_t) + + auth_use_nsswitch(gnomeclock_t) + ++init_dbus_chat(gnomeclock_t) ++ ++logging_stream_connect_syslog(gnomeclock_t) + logging_send_syslog_msg(gnomeclock_t) + +-miscfiles_etc_filetrans_localization(gnomeclock_t) + miscfiles_manage_localization(gnomeclock_t) +-miscfiles_read_localization(gnomeclock_t) ++miscfiles_etc_filetrans_localization(gnomeclock_t) + + userdom_read_all_users_state(gnomeclock_t) + + optional_policy(` +- chronyd_initrc_domtrans(gnomeclock_t) ++ chronyd_systemctl(gnomeclock_t) + ') + + optional_policy(` ++ clock_read_adjtime(gnomeclock_t) + clock_domtrans(gnomeclock_t) + ') + + optional_policy(` +- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++ consolekit_dbus_chat(gnomeclock_t) ++') + +- optional_policy(` +- consolekit_dbus_chat(gnomeclock_t) +- ') ++optional_policy(` ++ consoletype_exec(gnomeclock_t) ++') + +- optional_policy(` +- policykit_dbus_chat(gnomeclock_t) +- ') ++optional_policy(` ++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++') ++ ++optional_policy(` ++ gnome_manage_usr_config(gnomeclock_t) ++ gnome_manage_home_config(gnomeclock_t) ++ gnome_filetrans_admin_home_content(gnomeclock_t) + ') + + optional_policy(` + ntp_domtrans_ntpdate(gnomeclock_t) + ntp_initrc_domtrans(gnomeclock_t) ++ init_dontaudit_getattr_all_script_files(gnomeclock_t) ++ init_dontaudit_getattr_exec(gnomeclock_t) ++ ntp_systemctl(gnomeclock_t) + ') + + optional_policy(` ++ policykit_dbus_chat(gnomeclock_t) + policykit_domtrans_auth(gnomeclock_t) + policykit_read_lib(gnomeclock_t) + policykit_read_reload(gnomeclock_t) +diff --git a/gpg.fc b/gpg.fc +index 888cd2c..c02fa56 100644 +--- 
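Review bot: `dac_override` is added to the daemon's capability set in `allow gnomeclock_t self:capability { sys_nice sys_time dac_override };` with no comment saying which access fails without it; for a clock-setting daemon that in the same hunk also gains `gnome_manage_home_config` and `gnome_filetrans_admin_home_content`, a why-comment naming the path that needs it would let the next reviewer check whether a narrower rule or a dontaudit is enough. `dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)` inside its new `optional_policy(` block is unindented while every other optional_policy body in this file is indented one level. `dev_write_kmsg(gnomeclock_t)` and the switch from `init_system_domain` to `init_daemon_domain` are likewise unexplained; one line each would do.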
a/gpg.fc ++++ b/gpg.fc +@@ -1,10 +1,14 @@ +-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) ++HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) ++HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) ++ ++/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0) ++ ++/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) + + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) +-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) ++/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) + /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) + /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) + + /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) ++/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +diff --git a/gpg.if b/gpg.if +index 180f1b7..951b790 100644 +--- a/gpg.if ++++ b/gpg.if +@@ -2,57 +2,75 @@ + + ############################################################ + ## +-## Role access for gpg. ++## Role access for gpg + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. 
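Review bot: The `HOME_DIR/\.gnupg/log-socket` entry drops the `-s` object-class qualifier, so `gpg_agent_tmp_t` now applies to any object at that path rather than only a socket; the line it replaces and the new `/var/run/gssproxy\.sock -s` entry elsewhere in this patch keep the qualifier, so restoring `-s` here is the consistent one-character fix. `/etc/mail/spamassassin/sa-update-keys(/.*)?` is labelled `gpg_secret_t`, the type of users' private keyrings, which means every domain granted manage access on `gpg_secret_t` (for example through the new `gpg_manage_home_content` interface) can, DAC permitting, also write the sa-update keyring; a dedicated type would keep the two separate. The explicit `/root/\.gnupg(/.+)?` line is redundant if `HOME_DIR` already expands to `/root` on the target, so a comment saying why it is needed would help.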
++## User domain for the role + ## + ## + # + interface(`gpg_role',` + gen_require(` +- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; +- type gpg_t, gpg_exec_t, gpg_agent_t; +- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; +- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t; ++ type gpg_t, gpg_exec_t; ++ type gpg_agent_t, gpg_agent_exec_t; ++ type gpg_agent_tmp_t; ++ type gpg_helper_t, gpg_pinentry_t; ++ type gpg_pinentry_tmp_t; + ') + +- roleattribute $1 gpg_roles; +- roleattribute $1 gpg_agent_roles; +- roleattribute $1 gpg_helper_roles; +- roleattribute $1 gpg_pinentry_roles; ++ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; + ++ # transition from the userdomain to the derived domain + domtrans_pattern($2, gpg_exec_t, gpg_t) +- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + +- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; +- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) ++ # allow ps to show gpg ++ ps_process_pattern($2, gpg_t) ++ allow $2 gpg_t:process { signull sigstop signal sigkill }; + +- allow gpg_pinentry_t $2:process signull; ++ # communicate with the user + allow gpg_helper_t $2:fd use; +- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; ++ allow gpg_helper_t $2:fifo_file write; ++ ++ # allow ps to show gpg-agent ++ ps_process_pattern($2, gpg_agent_t) + +- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; +- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") +- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, 
".gnupg") ++ # Allow the user shell to signal the gpg-agent program. ++ allow $2 gpg_agent_t:process { signal sigkill }; ++ ++ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) ++ ++ # Transition from the user domain to the agent domain. ++ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) ++ ++ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) ++ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) ++ ++ allow gpg_pinentry_t $2:fifo_file { read write }; + + optional_policy(` + gpg_pinentry_dbus_chat($2) + ') ++ ++ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; ++ ifdef(`hide_broken_symptoms',` ++ #Leaked File Descriptors ++ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; ++ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; ++ ') + ') + + ######################################## + ## +-## Execute the gpg in the gpg domain. ++## Transition to a user gpg domain. + ## + ## + ## +@@ -65,13 +83,12 @@ interface(`gpg_domtrans',` + type gpg_t, gpg_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, gpg_exec_t, gpg_t) + ') + +-######################################## ++###################################### + ## +-## Execute the gpg in the caller domain. ++## Execute gpg in the caller domain. + ## + ## + ## +@@ -88,76 +105,46 @@ interface(`gpg_exec',` + can_exec($1, gpg_exec_t) + ') + +-######################################## +-## +-## Execute gpg in a specified domain. +-## +-## +-##

    +-## Execute gpg in a specified domain. +-##

    +-##

    +-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

    +-##
    +-## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Domain to transition to. +-## +-## +-# +-interface(`gpg_spec_domtrans',` +- gen_require(` +- type gpg_exec_t; +- ') +- +- corecmd_search_bin($1) +- domain_auto_trans($1, gpg_exec_t, $2) +-') +- + ###################################### + ## +-## Execute gpg in the gpg web domain. (Deprecated) ++## Transition to a gpg web domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`gpg_domtrans_web',` +- refpolicywarn(`$0($*) has been deprecated.') ++ gen_require(` ++ type gpg_web_t, gpg_exec_t; ++ ') ++ ++ domtrans_pattern($1, gpg_exec_t, gpg_web_t) + ') + + ###################################### + ## +-## Make gpg executable files an +-## entrypoint for the specified domain. ++## Make gpg an entrypoint for ++## the specified domain. + ## + ## +-## +-## The domain for which gpg_exec_t is an entrypoint. +-## ++## ++## The domain for which cifs_t is an entrypoint. ++## + ## + # + interface(`gpg_entry_type',` +- gen_require(` +- type gpg_exec_t; +- ') ++ gen_require(` ++ type gpg_exec_t; ++ ') + +- domain_entry_file($1, gpg_exec_t) ++ domain_entry_file($1, gpg_exec_t) + ') + + ######################################## + ## +-## Send generic signals to gpg. ++## Send generic signals to user gpg processes. + ## + ## + ## +@@ -175,7 +162,7 @@ interface(`gpg_signal',` + + ######################################## + ## +-## Read and write gpg agent pipes. ++## Read and write GPG agent pipes. + ## + ## + ## +@@ -184,6 +171,7 @@ interface(`gpg_signal',` + ## + # + interface(`gpg_rw_agent_pipes',` ++ # Just wants read/write could this be a leak? + gen_require(` + type gpg_agent_t; + ') +@@ -193,8 +181,8 @@ interface(`gpg_rw_agent_pipes',` + + ######################################## + ## +-## Send messages to and from gpg +-## pinentry over DBUS. ++## Send messages to and from GPG ++## Pinentry over DBUS. 
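Review bot: The `gpg_entry_type` parameter summary now reads `The domain for which cifs_t is an entrypoint.` — `cifs_t` is a copy-paste from another module, and the line being replaced had it right; it should stay `The domain for which gpg_exec_t is an entrypoint.`. The hunk also deletes `gpg_spec_domtrans` outright and re-activates the previously deprecated `gpg_domtrans_web`; any remaining caller of the removed interface elsewhere in the policy will fail to build, so that should be checked rather than assumed. The re-indentation of `gpg_entry_type`'s `gen_require` body (`++ gen_require(` …) changes whitespace only and is fine.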
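Review bot: `# Just wants read/write could this be a leak?` is an open question committed as a comment at the top of `gpg_rw_agent_pipes`; a reader cannot act on it. Either resolve it — the interface's summary already documents read/write on the agent's pipes as its contract — or turn it into an actionable `# TODO: confirm callers need write as well as read on gpg_agent_t pipes`.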
+ ## + ## + ## +@@ -214,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',` + + ######################################## + ## +-## List gpg user secrets. ++## List Gnu Privacy Guard user secrets. + ## + ## + ## +@@ -230,3 +218,39 @@ interface(`gpg_list_user_secrets',` + list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) + userdom_search_user_home_dirs($1) + ') ++########################### ++## ++## Allow to manage gpg named home content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_manage_home_content',` ++ gen_require(` ++ type gpg_secret_t; ++ ') ++ ++ manage_files_pattern($1, gpg_secret_t, gpg_secret_t) ++ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t) ++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") ++') ++######################################## ++## ++## Transition to gpg named home content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_filetrans_home_content',` ++ gen_require(` ++ type gpg_secret_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") ++') +diff --git a/gpg.te b/gpg.te +index 44cf341..8aa9dd9 100644 +--- a/gpg.te ++++ b/gpg.te +@@ -1,47 +1,47 @@ +-policy_module(gpg, 2.7.3) ++policy_module(gpg, 2.6.0) + + ######################################## + # + # Declarations + # ++attribute gpgdomain; + + ## +-##
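Review bot: `gpg_manage_home_content` grants `manage_files_pattern`/`manage_dirs_pattern` on `gpg_secret_t`, the user's private keyring, but unlike the sibling `gpg_list_user_secrets` directly above it does not call `userdom_search_user_home_dirs($1)`, so a caller without home-directory search elsewhere cannot reach `~/.gnupg`; add `userdom_search_user_home_dirs($1)` before the pattern calls. The summary `Allow to manage gpg named home content` should state plainly what is being handed out so callers grant it deliberately, e.g. `## Create, read, write and delete a user's gpg secret keyring (~/.gnupg) and transition new ~/.gnupg directories to gpg_secret_t.`. The separator above the new interface is `###########################`, shorter than the 40-character rule used by the rest of the file, and there is no blank line between the previous interface's `')` and it.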

    +-## Determine whether GPG agent can manage +-## generic user home content files. This is +-## required by the --write-env-file option. +-##

    ++##

    ++## Allow usage of the gpg-agent --write-env-file option. ++## This also allows gpg-agent to manage user files. ++##

    + ##
    + gen_tunable(gpg_agent_env_file, false) + +-attribute_role gpg_roles; +-roleattribute system_r gpg_roles; +- +-attribute_role gpg_agent_roles; +- +-attribute_role gpg_helper_roles; +-roleattribute system_r gpg_helper_roles; +- +-attribute_role gpg_pinentry_roles; ++## ++##

    ++## Allow gpg web domain to modify public files ++## used for public file transfer services. ++##

    ++##
    ++gen_tunable(gpg_web_anon_write, false) + +-type gpg_t; ++type gpg_t, gpgdomain; + type gpg_exec_t; + typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; + typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; +-userdom_user_application_domain(gpg_t, gpg_exec_t) +-role gpg_roles types gpg_t; ++application_domain(gpg_t, gpg_exec_t) ++ubac_constrained(gpg_t) ++role system_r types gpg_t; + + type gpg_agent_t; + type gpg_agent_exec_t; + typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; + typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; +-userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) +-role gpg_agent_roles types gpg_agent_t; ++application_domain(gpg_agent_t, gpg_agent_exec_t) ++ubac_constrained(gpg_agent_t) + + type gpg_agent_tmp_t; + typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; + typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; +-userdom_user_tmp_file(gpg_agent_tmp_t) ++files_tmp_file(gpg_agent_tmp_t) ++ubac_constrained(gpg_agent_tmp_t) + + type gpg_secret_t; + typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; +@@ -52,112 +52,116 @@ type gpg_helper_t; + type gpg_helper_exec_t; + typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; + typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; +-userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t) +-role gpg_helper_roles types gpg_helper_t; ++application_domain(gpg_helper_t, gpg_helper_exec_t) ++ubac_constrained(gpg_helper_t) ++role system_r types gpg_helper_t; + + type gpg_pinentry_t; + type pinentry_exec_t; + typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; + typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; 
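Review bot: `policy_module(gpg, 2.6.0)` lowers the module version from 2.7.3 while adding a tunable and an attribute; even if semodule does not enforce ordering, a version that goes backwards relative to the line this patches removes the one signal people use to tell which variant is installed, so bump it above 2.7.3. The new `attribute gpgdomain;` sits directly under the `# Declarations` banner with no blank line or comment, and in the visible hunks only `gpg_t` carries it (`type gpg_t, gpgdomain;`) even though the next hunk writes the self rules against `gpgdomain`; a one-line comment such as `# attribute for gpg client domains sharing the self: rules below` and a note on why agent/helper/pinentry are not members would make the intent clear. `role system_r types gpg_t;` is now unconditional, replacing the role attribute the previous version used.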
+-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t) +-role gpg_pinentry_roles types gpg_pinentry_t; ++application_domain(gpg_pinentry_t, pinentry_exec_t) ++ubac_constrained(gpg_pinentry_t) + + type gpg_pinentry_tmp_t; +-userdom_user_tmp_file(gpg_pinentry_tmp_t) ++files_tmp_file(gpg_pinentry_tmp_t) ++ubac_constrained(gpg_pinentry_tmp_t) + + type gpg_pinentry_tmpfs_t; +-userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) ++files_tmpfs_file(gpg_pinentry_tmpfs_t) ++ubac_constrained(gpg_pinentry_tmpfs_t) + +-optional_policy(` +- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) +-') ++type gpg_web_t; ++domain_type(gpg_web_t) ++gpg_entry_type(gpg_web_t) ++role system_r types gpg_web_t; + + ######################################## + # +-# Local policy ++# GPG local policy + # + +-allow gpg_t self:capability { ipc_lock setuid }; +-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid }; +-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; +-allow gpg_t self:fifo_file rw_fifo_file_perms; +-allow gpg_t self:tcp_socket { accept listen }; ++allow gpgdomain self:capability { ipc_lock setuid }; ++allow gpgdomain self:process { getsched setsched }; ++#at setrlimit is for ulimit -c 0 ++allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; ++dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms; ++ ++allow gpgdomain self:fifo_file rw_fifo_file_perms; ++allow gpgdomain self:tcp_socket create_stream_socket_perms; + + manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + +-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) ++ ++allow gpg_t gpg_secret_t:dir create_dir_perms; + manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) + manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) + manage_lnk_files_pattern(gpg_t, gpg_secret_t, 
gpg_secret_t) +-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) +- +-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) +- +-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) +-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) ++userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") + + kernel_read_sysctl(gpg_t) ++kernel_read_system_state(gpg_t) ++kernel_getattr_core_if(gpg_t) + + corecmd_exec_shell(gpg_t) + corecmd_exec_bin(gpg_t) + +-corenet_all_recvfrom_unlabeled(gpg_t) + corenet_all_recvfrom_netlabel(gpg_t) + corenet_tcp_sendrecv_generic_if(gpg_t) ++corenet_udp_sendrecv_generic_if(gpg_t) + corenet_tcp_sendrecv_generic_node(gpg_t) +- +-corenet_sendrecv_all_client_packets(gpg_t) +-corenet_tcp_connect_all_ports(gpg_t) ++corenet_udp_sendrecv_generic_node(gpg_t) + corenet_tcp_sendrecv_all_ports(gpg_t) ++corenet_udp_sendrecv_all_ports(gpg_t) ++corenet_tcp_connect_all_ports(gpg_t) ++corenet_sendrecv_all_client_packets(gpg_t) + +-dev_read_generic_usb_dev(gpg_t) + dev_read_rand(gpg_t) + dev_read_urand(gpg_t) +- +-files_read_usr_files(gpg_t) +-files_dontaudit_search_var(gpg_t) ++dev_read_generic_usb_dev(gpg_t) ++dev_dontaudit_getattr_all(gpg_t) + + fs_getattr_xattr_fs(gpg_t) + fs_list_inotifyfs(gpg_t) + + domain_use_interactive_fds(gpg_t) + +-auth_use_nsswitch(gpg_t) ++files_dontaudit_search_var(gpg_t) + +-logging_send_syslog_msg(gpg_t) ++auth_use_nsswitch(gpg_t) + +-miscfiles_read_localization(gpg_t) ++init_dontaudit_getattr_initctl(gpg_t) + +-userdom_use_user_terminals(gpg_t) ++logging_send_syslog_msg(gpg_t) + +-userdom_manage_user_tmp_files(gpg_t) ++userdom_use_inherited_user_terminals(gpg_t) ++# sign/encrypt user files ++userdom_manage_all_user_tmp_content(gpg_t) ++#userdom_manage_user_home_content(gpg_t) + userdom_manage_user_home_content_files(gpg_t) +-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) ++userdom_manage_user_home_content_dirs(gpg_t) ++userdom_filetrans_home_content(gpg_t) 
++userdom_stream_connect(gpg_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gpg_t) +- fs_manage_nfs_files(gpg_t) +-') ++mta_manage_config(gpg_t) ++mta_read_spool(gpg_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gpg_t) +- fs_manage_cifs_files(gpg_t) +-') ++userdom_home_manager(gpg_t) + + optional_policy(` +- gnome_read_generic_home_content(gpg_t) +- gnome_stream_connect_all_gkeyringd(gpg_t) ++ gpm_dontaudit_getattr_gpmctl(gpg_t) + ') + + optional_policy(` +- mozilla_dontaudit_rw_user_home_files(gpg_t) ++ gnome_manage_config(gpg_t) ++ gnome_stream_connect_gkeyringd(gpg_t) + ') + + optional_policy(` +- mta_read_spool_files(gpg_t) +- mta_write_config(gpg_t) ++ mozilla_read_user_home_files(gpg_t) ++ mozilla_write_user_home_files(gpg_t) + ') + + optional_policy(` +@@ -165,37 +169,51 @@ optional_policy(` + ') + + optional_policy(` +- cron_system_entry(gpg_t, gpg_exec_t) +- cron_read_system_job_tmp_files(gpg_t) +-') +- +-optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) + ') + ++#optional_policy(` ++# cron_system_entry(gpg_t, gpg_exec_t) ++# cron_read_system_job_tmp_files(gpg_t) ++#') ++ + ######################################## + # +-# Helper local policy ++# GPG helper local policy + # + ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) ++ + allow gpg_helper_t self:process { getsched setsched }; ++ ++# for helper programs (which automatically fetch keys) ++# Note: this is only tested with the hkp interface. If you use eg the ++# mail interface you will likely need additional permissions. 
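Review bot: `mta_manage_config(gpg_t)` and `mta_read_spool(gpg_t)` are now called at top level; the calls they replace (`mta_read_spool_files`/`mta_write_config`) were inside `optional_policy(`, so this hunk turns an optional dependency on the mta module into a hard one and the gpg module will fail to link when mta is absent, and `mta_manage_config` is also wider than the `write_config` it replaces. Wrap the two lines in an `optional_policy` block like the surrounding gnome and mozilla blocks. `#userdom_manage_user_home_content(gpg_t)` is a commented-out rule left in the body; delete it or say why it is kept. Separately, the combination of `userdom_manage_all_user_tmp_content`, `userdom_manage_user_home_content_dirs/files`, `userdom_home_manager` and the retained `corenet_tcp_connect_all_ports` gives gpg_t read/write over essentially all user data plus unrestricted outbound TCP, which is more than the `# sign/encrypt user files` comment justifies; a sentence on why each is needed would help a reviewer judge the scope.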
++ + allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; ++allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; ++allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + +-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms; ++dontaudit gpg_helper_t gpg_secret_t:file read; + +-corenet_all_recvfrom_unlabeled(gpg_helper_t) + corenet_all_recvfrom_netlabel(gpg_helper_t) + corenet_tcp_sendrecv_generic_if(gpg_helper_t) ++corenet_raw_sendrecv_generic_if(gpg_helper_t) ++corenet_udp_sendrecv_generic_if(gpg_helper_t) + corenet_tcp_sendrecv_generic_node(gpg_helper_t) ++corenet_udp_sendrecv_generic_node(gpg_helper_t) ++corenet_raw_sendrecv_generic_node(gpg_helper_t) + corenet_tcp_sendrecv_all_ports(gpg_helper_t) +- +-corenet_sendrecv_all_client_packets(gpg_helper_t) ++corenet_udp_sendrecv_all_ports(gpg_helper_t) ++corenet_tcp_bind_generic_node(gpg_helper_t) ++corenet_udp_bind_generic_node(gpg_helper_t) + corenet_tcp_connect_all_ports(gpg_helper_t) + ++ + auth_use_nsswitch(gpg_helper_t) + +-userdom_use_user_terminals(gpg_helper_t) ++userdom_use_inherited_user_terminals(gpg_helper_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',` + + ######################################## + # +-# Agent local policy ++# GPG agent local policy + # ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + ++# rlimit: gpg-agent wants to prevent coredumps + allow gpg_agent_t self:process setrlimit; +-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ; + allow gpg_agent_t self:fifo_file rw_fifo_file_perms; + ++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) + manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, 
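Review bot: `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` is added under the `# GPG helper local policy` banner, and the next hunk (`@@ -207,29 +225,35 @@`) adds the identical line again under `# GPG agent local policy`; the rule merges harmlessly but the first copy is in the wrong section and should be deleted. The `#optional_policy(` … `#')` cron block is four commented-out lines; if the cron entry is intentionally dropped, remove the block, otherwise keep it live. `corenet_raw_sendrecv_generic_if(gpg_helper_t)` and `corenet_raw_sendrecv_generic_node(gpg_helper_t)` grant raw-IP traffic to a key-fetch helper with no matching `self:rawip_socket` rule in the visible hunk and no comment; if the helper really needs raw sockets say why, otherwise drop the two lines. The two blank lines left above `allow gpg_helper_t self:unix_stream_socket` and the extra one before `auth_use_nsswitch` are stray.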
gpg_secret_t) + manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + ++# Allow the gpg-agent to manage its tmp files (socket) + manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") +- +-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) ++# allow gpg to connect to the gpg agent ++stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + +-kernel_dontaudit_search_sysctl(gpg_agent_t) ++kernel_read_system_state(gpg_agent_t) + ++corecmd_read_bin_symlinks(gpg_agent_t) ++corecmd_search_bin(gpg_agent_t) + corecmd_exec_shell(gpg_agent_t) + + dev_read_rand(gpg_agent_t) +@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t) + + fs_dontaudit_list_inotifyfs(gpg_agent_t) + +-miscfiles_read_localization(gpg_agent_t) + +-userdom_use_user_terminals(gpg_agent_t) ++# Write to the user domain tty. 
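Review bot: The removed `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")` is not replaced by anything visible, yet gpg.fc in this same patch still labels `HOME_DIR/\.gnupg/log-socket` as `gpg_agent_tmp_t`; without the transition a log-socket created at runtime inherits `gpg_secret_t` from the directory, so the on-disk label and the relabel-time label disagree and `gpg_role`'s `manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)` will not cover it. Either restore the filetrans line here or change the fc entry to match — unless `userdom_filetrans_home_content(gpg_agent_t)` in the next hunk already covers this name, which I cannot confirm from the visible lines. The comment `# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )` is added here and again in the next hunk above `userdom_search_user_home_dirs`; one copy is enough.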
++userdom_use_inherited_user_terminals(gpg_agent_t) ++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) + userdom_search_user_home_dirs(gpg_agent_t) ++userdom_filetrans_home_content(gpg_agent_t) + + ifdef(`hide_broken_symptoms',` + userdom_dontaudit_read_user_tmp_files(gpg_agent_t) ++ userdom_dontaudit_write_user_tmp_files(gpg_agent_t) + ') + + tunable_policy(`gpg_agent_env_file',` ++ # write ~/.gpg-agent-info or a similar to the users home dir ++ # or subdir (gpg-agent --write-env-file option) ++ # + userdom_manage_user_home_content_dirs(gpg_agent_t) + userdom_manage_user_home_content_files(gpg_agent_t) +- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gpg_agent_t) +- fs_manage_nfs_files(gpg_agent_t) +- fs_manage_nfs_symlinks(gpg_agent_t) +-') ++userdom_home_manager(gpg_agent_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gpg_agent_t) +- fs_manage_cifs_files(gpg_agent_t) +- fs_manage_cifs_symlinks(gpg_agent_t) ++optional_policy(` ++ gnome_manage_config(gpg_agent_t) + ') + + optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) + ') + ++optional_policy(` ++ pcscd_stream_connect(gpg_agent_t) ++') ++ + ############################## + # + # Pinentry local policy +@@ -277,8 +304,17 @@ optional_policy(` + + allow gpg_pinentry_t self:process { getcap getsched setsched signal }; + allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; ++allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; + allow gpg_pinentry_t self:shm create_shm_perms; +-allow gpg_pinentry_t self:tcp_socket { accept listen }; ++allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; ++allow gpg_pinentry_t self:unix_dgram_socket sendto; ++allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; ++ ++can_exec(gpg_pinentry_t, pinentry_exec_t) ++ ++# we need to allow 
gpg-agent to call pinentry so it can get the passphrase ++# from the user. ++domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + + manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) +@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) + manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) + fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + +-can_exec(gpg_pinentry_t, pinentry_exec_t) +- ++# read /proc/meminfo + kernel_read_system_state(gpg_pinentry_t) + + corecmd_exec_shell(gpg_pinentry_t) + corecmd_exec_bin(gpg_pinentry_t) + + corenet_all_recvfrom_netlabel(gpg_pinentry_t) +-corenet_all_recvfrom_unlabeled(gpg_pinentry_t) ++corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) ++corenet_tcp_bind_generic_node(gpg_pinentry_t) ++corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) + corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) + corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) ++corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) + + dev_read_urand(gpg_pinentry_t) + dev_read_rand(gpg_pinentry_t) + +-domain_use_interactive_fds(gpg_pinentry_t) +- +-files_read_usr_files(gpg_pinentry_t) ++# read /etc/X11/qtrc + + fs_dontaudit_list_inotifyfs(gpg_pinentry_t) ++fs_getattr_tmpfs(gpg_pinentry_t) + + auth_use_nsswitch(gpg_pinentry_t) + + logging_send_syslog_msg(gpg_pinentry_t) + + miscfiles_read_fonts(gpg_pinentry_t) +-miscfiles_read_localization(gpg_pinentry_t) + ++# for .Xauthority ++userdom_read_user_home_content_files(gpg_pinentry_t) ++userdom_read_user_tmpfs_files(gpg_pinentry_t) ++# Bug: user pulseaudio files need open,read and unlink: ++allow gpg_pinentry_t user_tmpfs_t:file unlink; ++userdom_signull_unpriv_users(gpg_pinentry_t) + userdom_use_user_terminals(gpg_pinentry_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(gpg_pinentry_t) 
+-') ++userdom_home_reader(gpg_pinentry_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(gpg_pinentry_t) ++optional_policy(` ++ gnome_read_home_config(gpg_pinentry_t) + ') + + optional_policy(` +- dbus_all_session_bus_client(gpg_pinentry_t) ++ dbus_session_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) + ') + + optional_policy(` +- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) ++ gnome_write_generic_cache_files(gpg_pinentry_t) ++ gnome_read_generic_cache_files(gpg_pinentry_t) ++ gnome_read_gconf_home_files(gpg_pinentry_t) ++') ++ ++optional_policy(` ++ pulseaudio_exec(gpg_pinentry_t) ++ pulseaudio_rw_home_files(gpg_pinentry_t) ++ pulseaudio_setattr_home_dir(gpg_pinentry_t) ++ pulseaudio_stream_connect(gpg_pinentry_t) ++ pulseaudio_signull(gpg_pinentry_t) + ') + + optional_policy(` + xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) ++ ++') ++ ++############################# ++# ++# gpg web local policy ++# ++ ++allow gpg_web_t self:process setrlimit; ++ ++dev_read_rand(gpg_web_t) ++dev_read_urand(gpg_web_t) ++ ++can_exec(gpg_web_t, gpg_exec_t) ++ ++ ++ ++apache_dontaudit_rw_tmp_files(gpg_web_t) ++apache_manage_sys_content_rw(gpg_web_t) ++ ++tunable_policy(`gpg_web_anon_write',` ++ miscfiles_manage_public_files(gpg_web_t) + ') +diff --git a/gpm.te b/gpm.te +index 3226f52..68b2eb8 100644 +--- a/gpm.te ++++ b/gpm.te +@@ -13,7 +13,7 @@ type gpm_initrc_exec_t; + init_script_file(gpm_initrc_exec_t) + + type gpm_conf_t; +-files_type(gpm_conf_t) ++files_config_file(gpm_conf_t) + + type gpm_tmp_t; + files_tmp_file(gpm_tmp_t) +@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t) + dev_rw_input_dev(gpm_t) + dev_rw_mouse(gpm_t) + +-files_read_etc_files(gpm_t) + + fs_getattr_all_fs(gpm_t) + fs_search_auto_mountpoints(gpm_t) +@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t) + + logging_send_syslog_msg(gpm_t) + +-miscfiles_read_localization(gpm_t) +- +-userdom_use_user_terminals(gpm_t) + 
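Review bot: `allow gpg_pinentry_t user_tmpfs_t:file unlink;` references `user_tmpfs_t`, a type owned by the userdomain module, directly from gpg.te; unless a `gen_require` for it exists outside the visible hunks this fails in a modular build, and even if it compiles it bypasses the interface layer that the `# Bug:` comment above it implicitly asks for — the right home is an interface in userdomain.if. `apache_dontaudit_rw_tmp_files(gpg_web_t)` and `apache_manage_sys_content_rw(gpg_web_t)` are called at top level in the new `gpg web local policy` section, creating a hard dependency on the apache module; wrap them in `optional_policy(` like every other cross-module call in this file. `# read /etc/X11/qtrc` is left with no rule beneath it now that `files_read_usr_files(gpg_pinentry_t)` is gone, and the three blank lines before the apache calls plus the blank line before the added `')` closing the xserver block are stray. The `domain_use_interactive_fds(gpg_pinentry_t)` removal is unexplained; if pinentry no longer needs inherited fds, a word in the commit would help.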
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+ userdom_dontaudit_search_user_home_dirs(gpm_t)
++userdom_use_inherited_user_terminals(gpm_t)
+ 
+ optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
+diff --git a/gpsd.te b/gpsd.te
+index 25f09ae..3085534 100644
+--- a/gpsd.te
++++ b/gpsd.te
+@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
+ #
+ 
+ allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
+-dontaudit gpsd_t self:capability { dac_read_search dac_override };
++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
+ allow gpsd_t self:process { setsched signal_perms };
+ allow gpsd_t self:shm create_shm_perms;
+ allow gpsd_t self:unix_dgram_socket sendto;
+ allow gpsd_t self:tcp_socket { accept listen };
++allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
+ 
+ term_use_unallocated_ttys(gpsd_t)
+ term_setattr_unallocated_ttys(gpsd_t)
++term_use_usb_ttys(gpsd_t)
++term_setattr_usb_ttys(gpsd_t)
+ 
+ auth_use_nsswitch(gpsd_t)
+ 
+ logging_send_syslog_msg(gpsd_t)
+ 
+-miscfiles_read_localization(gpsd_t)
+-
+ optional_policy(`
+ chronyd_rw_shm(gpsd_t)
+ chronyd_stream_connect(gpsd_t)
+diff --git a/gssproxy.fc b/gssproxy.fc
+new file mode 100644
+index 0000000..f4659d1
+--- /dev/null
++++ b/gssproxy.fc
+@@ -0,0 +1,8 @@
++/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
++
++/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
++
++/var/lib/gssproxy(/.*)? 
gen_context(system_u:object_r:gssproxy_var_lib_t,s0) ++ ++/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) ++/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) +diff --git a/gssproxy.if b/gssproxy.if +new file mode 100644 +index 0000000..3ce0ac0 +--- /dev/null ++++ b/gssproxy.if +@@ -0,0 +1,198 @@ ++ ++## policy for gssproxy ++ ++######################################## ++## ++## Execute TEMPLATE in the gssproxy domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gssproxy_domtrans',` ++ gen_require(` ++ type gssproxy_t, gssproxy_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) ++') ++ ++######################################## ++## ++## Search gssproxy lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_search_lib',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ allow $1 gssproxy_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read gssproxy lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_read_lib_files',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) ++') ++ ++######################################## ++## ++## Manage gssproxy lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_manage_lib_files',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) ++') ++ ++######################################## ++## ++## Manage gssproxy lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gssproxy_manage_lib_dirs',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) ++') ++ ++######################################## ++## ++## Read gssproxy PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_read_pid_files',` ++ gen_require(` ++ type gssproxy_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t) ++') ++ ++######################################## ++## ++## Execute gssproxy server in the gssproxy domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gssproxy_systemctl',` ++ gen_require(` ++ type gssproxy_t; ++ type gssproxy_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 gssproxy_unit_file_t:file read_file_perms; ++ allow $1 gssproxy_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, gssproxy_t) ++') ++ ++######################################## ++## ++## Connect to gssproxy over an unix ++## domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_stream_connect',` ++ gen_require(` ++ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t) ++ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gssproxy environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`gssproxy_admin',` ++ gen_require(` ++ type gssproxy_t; ++ type gssproxy_var_lib_t; ++ type gssproxy_var_run_t; ++ type gssproxy_unit_file_t; ++ ') ++ ++ allow $1 gssproxy_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, gssproxy_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, gssproxy_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, gssproxy_var_run_t) ++ ++ gssproxy_systemctl($1) ++ admin_pattern($1, gssproxy_unit_file_t) ++ allow $1 gssproxy_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/gssproxy.te b/gssproxy.te +new file mode 100644 +index 0000000..5044e7b +--- /dev/null ++++ b/gssproxy.te +@@ -0,0 +1,66 @@ ++policy_module(gssproxy, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type gssproxy_t; ++type gssproxy_exec_t; ++init_daemon_domain(gssproxy_t, gssproxy_exec_t) ++ ++type gssproxy_var_lib_t; ++files_type(gssproxy_var_lib_t) ++ ++type gssproxy_var_run_t; ++files_pid_file(gssproxy_var_run_t) ++ ++type gssproxy_unit_file_t; ++systemd_unit_file(gssproxy_unit_file_t) ++ ++######################################## ++# ++# gssproxy local policy ++# ++allow gssproxy_t self:capability2 block_suspend; ++allow gssproxy_t self:fifo_file rw_fifo_file_perms; ++allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) 
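Review bot: `gssproxy_admin` grants `allow $1 gssproxy_t:process { ptrace signal_perms };` unconditionally, while the admin interfaces this same patch touches (hddtemp_admin, hypervkvp_admin, icecast_admin, inn_admin) keep only `signal_perms` unconditional and gate ptrace behind the deny_ptrace boolean. Unless gssproxy deliberately needs always-on ptrace, the new interface should follow the same pattern so the boolean covers it: `allow $1 gssproxy_t:process signal_perms;` followed by `tunable_policy(`deny_ptrace',`',` allow $1 gssproxy_t:process ptrace; ')`. Separately, `gssproxy_stream_connect` also connects through a socket under gssproxy_var_lib_t but only calls `files_search_pids($1)`; a `files_search_var_lib($1)` is probably needed for that second path to be reachable.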
++manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_rw_rpc_sysctls(gssproxy_t) ++ ++domain_use_interactive_fds(gssproxy_t) ++ ++files_read_etc_files(gssproxy_t) ++ ++auth_use_nsswitch(gssproxy_t) ++ ++dev_read_urand(gssproxy_t) ++ ++logging_send_syslog_msg(gssproxy_t) ++ ++miscfiles_read_localization(gssproxy_t) ++ ++userdom_manage_user_tmp_dirs(gssproxy_t) ++userdom_manage_user_tmp_files(gssproxy_t) ++ ++optional_policy(` ++ kerberos_use(gssproxy_t) ++ kerberos_filetrans_named_content(gssproxy_t) ++') ++ ++optional_policy(` ++ kerberos_keytab_template(gssproxy, gssproxy_t) ++ kerberos_manage_host_rcache(gssproxy_t) ++') +diff --git a/guest.te b/guest.te +index d928711..93d2d83 100644 +--- a/guest.te ++++ b/guest.te +@@ -20,4 +20,4 @@ optional_policy(` + apache_role(guest_r, guest_t) + ') + +-#gen_user(guest_u, user, guest_r, s0, s0) ++gen_user(guest_u, user, guest_r, s0, s0) +diff --git a/hadoop.te b/hadoop.te +index e62bcb7..f44ad99 100644 +--- a/hadoop.te ++++ b/hadoop.te +@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t) + domain_use_interactive_fds(hadoop_t) + + files_dontaudit_search_spool(hadoop_t) +-files_read_usr_files(hadoop_t) + + fs_getattr_xattr_fs(hadoop_t) + +@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain) + corecmd_exec_bin(hadoop_initrc_domain) + corecmd_exec_shell(hadoop_initrc_domain) + +-files_read_etc_files(hadoop_initrc_domain) +-files_read_usr_files(hadoop_initrc_domain) + files_search_locks(hadoop_initrc_domain) + files_search_pids(hadoop_initrc_domain) + +@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t) + + domain_use_interactive_fds(zookeeper_t) + +-files_read_usr_files(zookeeper_t) + + auth_use_nsswitch(zookeeper_t) + +@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t) + dev_read_sysfs(zookeeper_server_t) + 
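Review bot: `userdom_manage_user_tmp_dirs(gssproxy_t)` and `userdom_manage_user_tmp_files(gssproxy_t)` let a system daemon create, write and delete every user's tmp content, and nothing in the hunk says why a GSS proxy needs that scope. A why-comment would let the next reviewer judge it, e.g. `# TODO(review): document which user tmp files gssproxy must manage and for which clients`; if only specific files are involved, a dedicated type with a filetrans pattern would be narrower. `allow gssproxy_t self:capability2 block_suspend;` likewise deserves a one-line comment, since it is an unusual capability for a daemon and reads as a leftover otherwise.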
dev_read_urand(zookeeper_server_t) + +-files_read_usr_files(zookeeper_server_t) + + fs_getattr_xattr_fs(zookeeper_server_t) + +diff --git a/hal.te b/hal.te +index 0801fe1..85b6f3e 100644 +--- a/hal.te ++++ b/hal.te +@@ -61,7 +61,6 @@ files_type(hald_var_lib_t) + # Common local policy + # + +-files_read_usr_files(hald_domain) + + miscfiles_read_localization(hald_domain) + +@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) + + dev_rw_input_dev(hald_keymap_t) + +-files_read_etc_files(hald_keymap_t) + + logging_search_logs(hald_keymap_t) + +diff --git a/hddtemp.if b/hddtemp.if +index 1728071..77e71ea 100644 +--- a/hddtemp.if ++++ b/hddtemp.if +@@ -60,9 +60,13 @@ interface(`hddtemp_admin',` + type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; + ') + +- allow $1 hddtemp_t:process { ptrace signal_perms }; ++ allow $1 hddtemp_t:process signal_perms; + ps_process_pattern($1, hddtemp_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hddtemp_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 hddtemp_initrc_exec_t system_r; +diff --git a/hddtemp.te b/hddtemp.te +index 18d76bb..588c964 100644 +--- a/hddtemp.te ++++ b/hddtemp.te +@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen }; + + allow hddtemp_t hddtemp_etc_t:file read_file_perms; + +-corenet_all_recvfrom_unlabeled(hddtemp_t) + corenet_all_recvfrom_netlabel(hddtemp_t) + corenet_tcp_sendrecv_generic_if(hddtemp_t) + corenet_tcp_sendrecv_generic_node(hddtemp_t) +@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) + corenet_sendrecv_hddtemp_server_packets(hddtemp_t) + corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) + +-files_search_etc(hddtemp_t) +-files_read_usr_files(hddtemp_t) +- + storage_raw_read_fixed_disk(hddtemp_t) + storage_raw_read_removable_device(hddtemp_t) + +@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t) + + logging_send_syslog_msg(hddtemp_t) + 
+-miscfiles_read_localization(hddtemp_t) +diff --git a/howl.te b/howl.te +index e207823..4e0f8ba 100644 +--- a/howl.te ++++ b/howl.te +@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t) + kernel_list_proc(howl_t) + kernel_read_proc_symlinks(howl_t) + +-corenet_all_recvfrom_unlabeled(howl_t) + corenet_all_recvfrom_netlabel(howl_t) + corenet_tcp_sendrecv_generic_if(howl_t) + corenet_udp_sendrecv_generic_if(howl_t) +@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t) + + logging_send_syslog_msg(howl_t) + +-miscfiles_read_localization(howl_t) +- + userdom_dontaudit_use_unpriv_user_fds(howl_t) + userdom_dontaudit_search_user_home_dirs(howl_t) + +diff --git a/hypervkvp.fc b/hypervkvp.fc +new file mode 100644 +index 0000000..e2ae3b2 +--- /dev/null ++++ b/hypervkvp.fc +@@ -0,0 +1,10 @@ ++/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) ++ ++/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) ++/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) ++ ++/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) ++ ++/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) +diff --git a/hypervkvp.if b/hypervkvp.if +new file mode 100644 +index 0000000..17c3627 +--- /dev/null ++++ b/hypervkvp.if +@@ -0,0 +1,111 @@ ++ ++## policy for hypervkvp ++ ++######################################## ++## ++## Execute TEMPLATE in the hypervkvp domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hypervkvp_domtrans',` ++ gen_require(` ++ type hypervkvp_t, hypervkvp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t) ++') ++ ++######################################## ++## ++## Search hypervkvp lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`hypervkvp_search_lib',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ allow $1 hypervkvp_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read hypervkvp lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_read_lib_files',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 hypervkvp_var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## hypervkvp lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_manage_lib_files',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an hypervkvp environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`hypervkvp_admin',` ++ gen_require(` ++ type hypervkvp_t; ++ type hypervkvp_unit_file_t; ++ ') ++ ++ allow $1 hypervkvp_t:process signal_perms; ++ ps_process_pattern($1, hypervkvp_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hypervkvp_t:process ptrace; ++ ') ++ ++ hypervkvp_manage_lib_files($1) ++ ++ hypervkvp_systemctl($1) ++ admin_pattern($1, hypervkvp_unit_file_t) ++ allow $1 hypervkvp_unit_file_t:service all_service_perms; ++') +diff --git a/hypervkvp.te b/hypervkvp.te +new file mode 100644 +index 0000000..d2ad022 +--- /dev/null ++++ b/hypervkvp.te +@@ -0,0 +1,59 @@ ++policy_module(hypervkvp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute hyperv_domain; ++ ++type hypervkvp_t, hyperv_domain; ++type hypervkvp_exec_t; ++init_daemon_domain(hypervkvp_t, hypervkvp_exec_t) ++ ++type hypervkvp_initrc_exec_t; ++init_script_file(hypervkvp_initrc_exec_t) ++ ++type hypervkvp_unit_file_t; ++systemd_unit_file(hypervkvp_unit_file_t) ++ ++type hypervkvp_var_lib_t; ++files_type(hypervkvp_var_lib_t) ++ ++type hypervvssd_t, hyperv_domain; ++type hypervvssd_exec_t; ++init_daemon_domain(hypervvssd_t, hypervvssd_exec_t) ++ ++type hypervvssd_unit_file_t; ++systemd_unit_file(hypervvssd_unit_file_t) ++ ++######################################## ++# ++# hyperv domain local policy ++# ++ ++allow hyperv_domain self:capability net_admin; ++allow hyperv_domain self:netlink_socket create_socket_perms; ++ ++allow hyperv_domain self:fifo_file rw_fifo_file_perms; ++allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; ++ ++######################################## ++# ++# hypervkvp local policy ++# ++ ++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) ++ ++logging_send_syslog_msg(hypervkvp_t) ++ 
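Review bot: `hypervkvp_admin` calls `hypervkvp_systemctl($1)`, but no interface of that name is defined anywhere in this new 111-line hypervkvp.if (the hunk declares domtrans, search_lib, read_lib_files, manage_lib_files and admin only), so the admin interface will not expand cleanly. Either add a `hypervkvp_systemctl` interface modelled on `gssproxy_systemctl` from this same patch, or drop the call. Related: hypervkvp.fc labels only `hypervvssd.*` unit files (as hypervvssd_unit_file_t), so nothing is ever labeled hypervkvp_unit_file_t and the `admin_pattern($1, hypervkvp_unit_file_t)` rules are dead until a matching fc entry exists; the init script labeled hypervkvp_initrc_exec_t in the fc file is likewise not covered by the admin interface.
```m4
########################################
## <summary>
##	Execute hypervkvp server in the hypervkvp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hypervkvp_systemctl',`
	gen_require(`
		type hypervkvp_t;
		type hypervkvp_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 hypervkvp_unit_file_t:file read_file_perms;
	allow $1 hypervkvp_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, hypervkvp_t)
')

# … unchanged: hypervkvp_admin …
```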
++sysnet_dns_name_resolve(hypervkvp_t) ++ ++######################################## ++# ++# hypervvssd local policy ++# ++ ++logging_send_syslog_msg(hypervvssd_t) +diff --git a/i18n_input.te b/i18n_input.te +index 3bed8fa..a738d7f 100644 +--- a/i18n_input.te ++++ b/i18n_input.te +@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) + kernel_read_kernel_sysctls(i18n_input_t) + kernel_read_system_state(i18n_input_t) + +-corenet_all_recvfrom_unlabeled(i18n_input_t) + corenet_all_recvfrom_netlabel(i18n_input_t) + corenet_tcp_sendrecv_generic_if(i18n_input_t) + corenet_tcp_sendrecv_generic_node(i18n_input_t) +@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t) + fs_search_auto_mountpoints(i18n_input_t) + + files_read_etc_runtime_files(i18n_input_t) +-files_read_usr_files(i18n_input_t) + + auth_use_nsswitch(i18n_input_t) + +@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t) + + logging_send_syslog_msg(i18n_input_t) + +-miscfiles_read_localization(i18n_input_t) +- + userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) + userdom_read_user_home_content_files(i18n_input_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(i18n_input_t) +- fs_read_nfs_symlinks(i18n_input_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(i18n_input_t) +- fs_read_cifs_symlinks(i18n_input_t) +-') ++userdom_home_reader(i18n_input_t) + + optional_policy(` + canna_stream_connect(i18n_input_t) +diff --git a/icecast.if b/icecast.if +index 580b533..c267cea 100644 +--- a/icecast.if ++++ b/icecast.if +@@ -176,6 +176,14 @@ interface(`icecast_admin',` + type icecast_var_run_t; + ') + ++ allow $1 icecast_t:process signal_perms; ++ ps_process_pattern($1, icecast_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 icecast_t:process ptrace; ++ ') ++ ++ # Allow icecast_t to restart the apache service + icecast_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 icecast_initrc_exec_t system_r; +diff --git a/icecast.te b/icecast.te 
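Review bot: `allow hyperv_domain self:capability net_admin;` and `allow hyperv_domain self:netlink_socket create_socket_perms;` carry no comment on why both Hyper-V daemons need them; net_admin is a broad capability and the generic netlink_socket class covers every netlink family, so a why-comment naming the operation would help, e.g. `# TODO(review): document which netlink family/operation requires net_admin for the hyperv daemons`. hypervvssd_t is declared as a full init daemon domain yet receives only `logging_send_syslog_msg(hypervvssd_t)`, and `hypervkvp_admin` in the companion .if covers hypervkvp_t only; if hypervvssd is expected to run confined, its policy looks incomplete and is worth a comment saying so.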
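Review bot: the added comment `# Allow icecast_t to restart the apache service` does not describe the rules it annotates: `icecast_initrc_domtrans($1)`, `domain_system_change_exemption($1)` and the role_transition let `$1` (the admin domain) run the icecast init script, and neither icecast_t nor apache is involved. Suggest `# Allow the admin domain to run the icecast init script` or drop the comment. `icecast_admin` continues outside the hunk.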
+index ac6f9d5..6097225 100644 +--- a/icecast.te ++++ b/icecast.te +@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t) + dev_read_urand(icecast_t) + dev_read_rand(icecast_t) + +-domain_use_interactive_fds(icecast_t) +- + auth_use_nsswitch(icecast_t) + +-miscfiles_read_localization(icecast_t) +- + tunable_policy(`icecast_use_any_tcp_ports',` + corenet_tcp_connect_all_ports(icecast_t) + corenet_sendrecv_all_client_packets(icecast_t) +diff --git a/ifplugd.if b/ifplugd.if +index 8999899..96909ae 100644 +--- a/ifplugd.if ++++ b/ifplugd.if +@@ -119,7 +119,7 @@ interface(`ifplugd_admin',` + type ifplugd_initrc_exec_t; + ') + +- allow $1 ifplugd_t:process { ptrace signal_perms }; ++ allow $1 ifplugd_t:process signal_perms; + ps_process_pattern($1, ifplugd_t) + + init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) +diff --git a/ifplugd.te b/ifplugd.te +index 6910e49..c4a9fcb 100644 +--- a/ifplugd.te ++++ b/ifplugd.te +@@ -10,7 +10,7 @@ type ifplugd_exec_t; + init_daemon_domain(ifplugd_t, ifplugd_exec_t) + + type ifplugd_etc_t; +-files_type(ifplugd_etc_t) ++files_config_file(ifplugd_etc_t) + + type ifplugd_initrc_exec_t; + init_script_file(ifplugd_initrc_exec_t) +@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t) + dev_read_sysfs(ifplugd_t) + + domain_read_confined_domains_state(ifplugd_t) +-domain_dontaudit_read_all_domains_state(ifplugd_t) + + auth_use_nsswitch(ifplugd_t) + + logging_send_syslog_msg(ifplugd_t) + +-miscfiles_read_localization(ifplugd_t) +- + netutils_domtrans(ifplugd_t) + + sysnet_domtrans_ifconfig(ifplugd_t) +diff --git a/imaze.te b/imaze.te +index 05387d1..08a489c 100644 +--- a/imaze.te ++++ b/imaze.te +@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t) + kernel_read_kernel_sysctls(imazesrv_t) + kernel_read_proc_symlinks(imazesrv_t) + +-corenet_all_recvfrom_unlabeled(imazesrv_t) + corenet_all_recvfrom_netlabel(imazesrv_t) + corenet_tcp_sendrecv_generic_if(imazesrv_t) + corenet_udp_sendrecv_generic_if(imazesrv_t) +@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t) + 
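Review bot: `allow $1 ifplugd_t:process signal_perms;` drops ptrace from `ifplugd_admin` without adding the `tunable_policy(`deny_ptrace',`',` allow $1 ifplugd_t:process ptrace; ')` block that hddtemp_admin, icecast_admin and inn_admin gain in this same patch. If the intent is the same deny_ptrace gating, the tunable block is missing here; if removing ptrace for ifplugd is deliberate, a short comment would stop the asymmetry from being "fixed" back later. `ifplugd_admin` continues outside the hunk.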
+ logging_send_syslog_msg(imazesrv_t) + +-miscfiles_read_localization(imazesrv_t) +- + userdom_use_unpriv_users_fds(imazesrv_t) + userdom_dontaudit_search_user_home_dirs(imazesrv_t) + +diff --git a/inetd.if b/inetd.if +index fbb54e7..05c3777 100644 +--- a/inetd.if ++++ b/inetd.if +@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` + + domtrans_pattern(inetd_t, $2, $1) + allow inetd_t $1:process { siginh sigkill }; ++ ++ init_domain($1, $2) ++ ++ optional_policy(` ++ abrt_stream_connect($1) ++ ') + ') + + ######################################## +diff --git a/inetd.te b/inetd.te +index 1a5ed62..420305b 100644 +--- a/inetd.te ++++ b/inetd.te +@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` + # Local policy + # + +-allow inetd_t self:capability { setuid setgid sys_resource }; ++allow inetd_t self:capability { setuid setgid }; + dontaudit inetd_t self:capability sys_tty_config; +-allow inetd_t self:process { setsched setexec setrlimit }; ++allow inetd_t self:process { setsched setexec }; + allow inetd_t self:fifo_file rw_fifo_file_perms; + allow inetd_t self:tcp_socket { accept listen }; + allow inetd_t self:fd use; +@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) + kernel_tcp_recvfrom_unlabeled(inetd_t) + + corecmd_bin_domtrans(inetd_t, inetd_child_t) ++corecmd_exec_shell(inetd_t) + + corenet_all_recvfrom_unlabeled(inetd_t) + corenet_all_recvfrom_netlabel(inetd_t) +@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) + corenet_tcp_bind_inetd_child_port(inetd_t) + corenet_udp_bind_inetd_child_port(inetd_t) + ++corenet_tcp_bind_echo_port(inetd_t) ++corenet_udp_bind_echo_port(inetd_t) ++corenet_tcp_bind_time_port(inetd_t) ++corenet_udp_bind_time_port(inetd_t) ++ + corenet_sendrecv_ircd_server_packets(inetd_t) + corenet_tcp_bind_ircd_port(inetd_t) + +@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t) + + logging_send_syslog_msg(inetd_t) + +-miscfiles_read_localization(inetd_t) +- + mls_fd_share_all_levels(inetd_t) + mls_socket_read_to_clearance(inetd_t) 
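Review bot: `corecmd_exec_shell(inetd_t)` lets inetd execute a shell in its own domain, which still holds `setuid setgid` and `setexec` (see the earlier hunk of this file), whereas the preceding `corecmd_bin_domtrans(inetd_t, inetd_child_t)` moves spawned services into inetd_child_t. No comment explains which service needs an in-domain shell rather than a transition; suggest `# TODO(review): name the service that needs an in-domain shell, or route it through inetd_child_t` so the widening is justified and revisitable.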
+ mls_socket_write_to_clearance(inetd_t) +@@ -188,7 +192,7 @@ optional_policy(` + ') + + optional_policy(` +- tftp_read_config_files(inetd_t) ++ tftp_read_config(inetd_t) + ') + + optional_policy(` +@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t) + kernel_read_network_state(inetd_child_t) + kernel_read_system_state(inetd_child_t) + ++corenet_all_recvfrom_netlabel(inetd_child_t) ++corenet_tcp_sendrecv_generic_if(inetd_child_t) ++corenet_udp_sendrecv_generic_if(inetd_child_t) ++corenet_tcp_sendrecv_generic_node(inetd_child_t) ++corenet_udp_sendrecv_generic_node(inetd_child_t) ++corenet_tcp_sendrecv_all_ports(inetd_child_t) ++corenet_udp_sendrecv_all_ports(inetd_child_t) ++ + dev_read_urand(inetd_child_t) + + fs_getattr_xattr_fs(inetd_child_t) +@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t) + + logging_send_syslog_msg(inetd_child_t) + +-miscfiles_read_localization(inetd_child_t) ++sysnet_read_config(inetd_child_t) ++ ++optional_policy(` ++ kerberos_use(inetd_child_t) ++') + + optional_policy(` + unconfined_domain(inetd_child_t) +diff --git a/inn.if b/inn.if +index eb87f23..d3d32c3 100644 +--- a/inn.if ++++ b/inn.if +@@ -124,6 +124,7 @@ interface(`inn_read_config',` + type innd_etc_t; + ') + ++ files_search_etc($1) + allow $1 innd_etc_t:dir list_dir_perms; + allow $1 innd_etc_t:file read_file_perms; + allow $1 innd_etc_t:lnk_file read_lnk_file_perms; +@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',` + type innd_var_lib_t; + ') + ++ files_search_var_lib($1) + allow $1 innd_var_lib_t:dir list_dir_perms; + allow $1 innd_var_lib_t:file read_file_perms; + ') + + ######################################## + ## ++## Write innd inherited news library content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`inn_write_inherited_news_lib',` ++ gen_require(` ++ type innd_var_lib_t; ++ ') ++ ++ allow $1 innd_var_lib_t:file write_inherited_file_perms; ++') ++ ++######################################## ++## + ## Read innd news spool content. + ## + ## +@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',` + type news_spool_t; + ') + ++ files_search_spool($1) + allow $1 news_spool_t:dir list_dir_perms; + allow $1 news_spool_t:file read_file_perms; + allow $1 news_spool_t:lnk_file read_lnk_file_perms; +@@ -226,8 +247,15 @@ interface(`inn_domtrans',` + interface(`inn_admin',` + gen_require(` + type innd_t, innd_etc_t, innd_log_t; +- type news_spool_t, innd_var_lib_t; +- type innd_var_run_t, innd_initrc_exec_t; ++ type news_spool_t, innd_var_lib_t, innd_var_run_t; ++ type innd_initrc_exec_t; ++ ') ++ ++ allow $1 innd_t:process signal_perms; ++ ps_process_pattern($1, innd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 innd_t:process ptrace; + ') + + init_labeled_script_domtrans($1, innd_initrc_exec_t) +diff --git a/inn.te b/inn.te +index 5aab5d0..5967395 100644 +--- a/inn.te ++++ b/inn.te +@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) + + type news_spool_t; + files_mountpoint(news_spool_t) ++files_spool_file(news_spool_t) + + ######################################## + # +@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) + manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) + manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) + manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) +-files_pid_filetrans(innd_t, innd_var_run_t, file) ++files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) + + manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) + manage_files_pattern(innd_t, news_spool_t, news_spool_t) +@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t) + kernel_read_kernel_sysctls(innd_t) + kernel_read_system_state(innd_t) + +-corenet_all_recvfrom_unlabeled(innd_t) + 
corenet_all_recvfrom_netlabel(innd_t) + corenet_tcp_sendrecv_generic_if(innd_t) + corenet_tcp_sendrecv_generic_node(innd_t) +@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t) + + files_list_spool(innd_t) + files_read_etc_runtime_files(innd_t) +-files_read_usr_files(innd_t) + + auth_use_nsswitch(innd_t) + + logging_send_syslog_msg(innd_t) + +-miscfiles_read_localization(innd_t) +- + seutil_dontaudit_search_config(innd_t) + + userdom_dontaudit_use_unpriv_user_fds(innd_t) + userdom_dontaudit_search_user_home_dirs(innd_t) ++userdom_dgram_send(innd_t) + + mta_send_mail(innd_t) + +diff --git a/iodine.fc b/iodine.fc +index ca07a87..6ea129c 100644 +--- a/iodine.fc ++++ b/iodine.fc +@@ -1,3 +1,5 @@ + /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) + ++/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0) ++ + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) +diff --git a/iodine.if b/iodine.if +index a0bfbd0..47f7c75 100644 +--- a/iodine.if ++++ b/iodine.if +@@ -2,6 +2,30 @@ + + ######################################## + ## ++## Execute iodined server in the iodined domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`iodined_systemctl',` ++ gen_require(` ++ type iodined_t; ++ type iodined_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 iodined_unit_file_t:file read_file_perms; ++ allow $1 iodined_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, iodined_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an iodined environment + ## +diff --git a/iodine.te b/iodine.te +index 94ec5f8..8556c27 100644 +--- a/iodine.te ++++ b/iodine.te +@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) + type iodined_initrc_exec_t; + init_script_file(iodined_initrc_exec_t) + ++type iodined_unit_file_t; ++systemd_unit_file(iodined_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) + + corecmd_exec_shell(iodined_t) + +-files_read_etc_files(iodined_t) + + logging_send_syslog_msg(iodined_t) + +diff --git a/irc.fc b/irc.fc +index 48e7739..c3285c2 100644 +--- a/irc.fc ++++ b/irc.fc +@@ -1,6 +1,6 @@ + HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) + HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) +-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) ++HOME_DIR/irclog(/.*)? 
gen_context(system_u:object_r:issi_home_t,s0) + + /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) + +diff --git a/irc.if b/irc.if +index ac00fb0..36ef2e5 100644 +--- a/irc.if ++++ b/irc.if +@@ -20,6 +20,7 @@ interface(`irc_role',` + attribute_role irc_roles; + type irc_t, irc_exec_t, irc_home_t; + type irc_tmp_t, irc_log_home_t; ++ type irssi_t, irssi_exec_t, irssi_home_t; + ') + + ######################################## +@@ -37,12 +38,42 @@ interface(`irc_role',` + domtrans_pattern($2, irc_exec_t, irc_t) + + ps_process_pattern($2, irc_t) +- allow $2 irc_t:process { ptrace signal_perms }; +- +- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi") +- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd") +- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs") ++ allow $2 irc_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 irc_t:process ptrace; ++ ') ++ ++ domtrans_pattern($2, irssi_exec_t, irssi_t) ++ ++ allow $2 irssi_t:process signal_perms; ++ ps_process_pattern($2, irssi_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 irssi_t:process ptrace; ++ ') ++ ++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms }; ++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms }; ++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; ++ ++ irc_filetrans_home_content($2) ++') ++ ++####################################### ++## ++## Transition to alsa named content ++## ++## ++## ++## Domain allowed access. 
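Review bot: the new entry `HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)` looks wrong on two counts, assuming this rendering is faithful: the type `issi_home_t` is declared nowhere (irc.te in this patch declares `irssi_home_t alias irc_log_home_t`), so setfiles/restorecon will reject the unknown type, and the path drops the trailing `s` while `irc_filetrans_home_content` still transitions the directory name `"irclogs"` to irssi_home_t, so created directories and the file-context entry would disagree. The line should presumably read `HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)`.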
++## ++## ++# ++interface(`irc_filetrans_home_content',` ++ gen_require(` ++ type irc_home_t; ++ type irssi_home_t; ++ ') ++ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd") ++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi") ++ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") + ') +diff --git a/irc.te b/irc.te +index ecad9c7..e413e5a 100644 +--- a/irc.te ++++ b/irc.te +@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t + typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; + userdom_user_home_content(irc_home_t) + +-type irc_log_home_t; +-userdom_user_home_content(irc_log_home_t) +- + type irc_tmp_t; + typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; + typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; +-userdom_user_tmp_file(irc_tmp_t) ++userdom_user_home_content(irc_tmp_t) ++ ++######################################## ++# ++# Irssi personal declarations. ++# ++ ++## ++##
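Review bot: the summary of the new `irc_filetrans_home_content` interface reads `Transition to alsa named content`, a leftover from the interface it was copied from; it should say `Transition to irc named home content`. As a style nit, the interface body has no blank line between the `gen_require` block and the first `userdom_user_home_dir_filetrans` call, unlike every other interface in this file.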

    ++## Allow the Irssi IRC Client to connect to any port, ++## and to bind to any unreserved port. ++##

    ++##
    ++gen_tunable(irssi_use_full_network, false) ++ ++type irssi_t; ++type irssi_exec_t; ++application_domain(irssi_t, irssi_exec_t) ++ubac_constrained(irssi_t) ++role irc_roles types irssi_t; ++ ++type irssi_etc_t; ++files_config_file(irssi_etc_t) ++ ++type irssi_home_t alias irc_log_home_t; ++userdom_user_home_content(irssi_home_t) + + ######################################## + # +@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms; + manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) + manage_files_pattern(irc_t, irc_home_t, irc_home_t) + manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) +-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi") +-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd") +- +-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t) +-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) +-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) +-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs") ++irc_filetrans_home_content(irc_t) + + manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) + manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + + kernel_read_system_state(irc_t) + +-corenet_all_recvfrom_unlabeled(irc_t) + corenet_all_recvfrom_netlabel(irc_t) + corenet_tcp_sendrecv_generic_if(irc_t) + corenet_tcp_sendrecv_generic_node(irc_t) +@@ -93,7 +108,6 @@ dev_read_rand(irc_t) + + domain_use_interactive_fds(irc_t) + +-files_read_usr_files(irc_t) + + fs_getattr_all_fs(irc_t) + fs_search_auto_mountpoints(irc_t) +@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t) + init_read_utmp(irc_t) + init_dontaudit_lock_utmp(irc_t) + +-miscfiles_read_localization(irc_t) + + userdom_use_user_terminals(irc_t) + + userdom_manage_user_home_content_dirs(irc_t) + userdom_manage_user_home_content_files(irc_t) +-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) 
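Review bot: `userdom_user_home_content(irc_tmp_t)` replaces `userdom_user_tmp_file(irc_tmp_t)`, yet a later hunk of this file keeps `files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })`, so irc_tmp_t objects are still created under /tmp while the type presumably no longer carries the tmp-file attribute that userdom_user_tmp_file provided (and so falls outside the generic tmp cleanup/reading interfaces). This reads like an accidental change of classification; if it is intended, add a comment such as `# irc_tmp_t is treated as home content so that <reason> -- confirm tmp cleanup still covers it`.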
++userdom_filetrans_home_content(irc_t) ++ ++# Write to the user domain tty. ++userdom_use_inherited_user_terminals(irc_t) + + tunable_policy(`irc_use_any_tcp_ports',` ++ allow irc_t self:tcp_socket create_stream_socket_perms; + corenet_sendrecv_all_server_packets(irc_t) + corenet_tcp_bind_all_unreserved_ports(irc_t) + corenet_sendrecv_all_client_packets(irc_t) +@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',` + corenet_tcp_sendrecv_all_ports(irc_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(irc_t) +- fs_manage_nfs_files(irc_t) +- fs_manage_nfs_symlinks(irc_t) ++userdom_home_manager(irc_t) ++ ++optional_policy(` ++ nis_use_ypbind(irc_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(irc_t) +- fs_manage_cifs_files(irc_t) +- fs_manage_cifs_symlinks(irc_t) ++######################################## ++# ++# Irssi personal declarations. ++# ++ ++allow irssi_t self:process { signal sigkill }; ++allow irssi_t self:fifo_file rw_fifo_file_perms; ++allow irssi_t self:tcp_socket create_stream_socket_perms; ++ ++read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) ++ ++manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t) ++manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t) ++manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t) ++irc_filetrans_home_content(irssi_t) ++userdom_search_user_home_dirs(irssi_t) ++ ++kernel_read_system_state(irssi_t) ++ ++corecmd_search_bin(irssi_t) ++corecmd_read_bin_symlinks(irssi_t) ++ ++corenet_tcp_connect_ircd_port(irssi_t) ++corenet_tcp_sendrecv_ircd_port(irssi_t) ++corenet_sendrecv_ircd_client_packets(irssi_t) ++ ++# tcp:7000 is often used for SSL irc ++corenet_tcp_connect_gatekeeper_port(irssi_t) ++corenet_tcp_sendrecv_gatekeeper_port(irssi_t) ++corenet_sendrecv_gatekeeper_client_packets(irssi_t) ++ ++# Privoxy ++corenet_tcp_connect_http_cache_port(irssi_t) ++corenet_tcp_sendrecv_http_cache_port(irssi_t) ++corenet_sendrecv_http_cache_client_packets(irssi_t) ++ 
++corenet_tcp_bind_generic_node(irssi_t) ++ ++dev_read_urand(irssi_t) ++# irssi-otr genkey. ++dev_read_rand(irssi_t) ++ ++ ++fs_search_auto_mountpoints(irssi_t) ++ ++auth_use_nsswitch(irssi_t) ++ ++ ++userdom_use_inherited_user_terminals(irssi_t) ++ ++tunable_policy(`irssi_use_full_network', ` ++ corenet_tcp_bind_all_unreserved_ports(irssi_t) ++ corenet_tcp_connect_all_ports(irssi_t) ++ corenet_sendrecv_generic_server_packets(irssi_t) ++ corenet_sendrecv_all_client_packets(irssi_t) + ') + ++userdom_home_manager(irssi_t) ++ + optional_policy(` + seutil_use_newrole_fds(irc_t) + ') +diff --git a/ircd.if b/ircd.if +index ade9803..3620c9a 100644 +--- a/ircd.if ++++ b/ircd.if +@@ -33,8 +33,8 @@ interface(`ircd_admin',` + + files_search_etc($1) + admin_pattern($1, ircd_etc_t) +- +- logging_search_log($1) ++ ++ logging_search_logs($1) + admin_pattern($1, ircd_log_t) + + files_search_var_lib($1) +diff --git a/ircd.te b/ircd.te +index e9f746e..40e440c 100644 +--- a/ircd.te ++++ b/ircd.te +@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t) + + corecmd_exec_bin(ircd_t) + +-corenet_all_recvfrom_unlabeled(ircd_t) + corenet_all_recvfrom_netlabel(ircd_t) + corenet_tcp_sendrecv_generic_if(ircd_t) + corenet_tcp_sendrecv_generic_node(ircd_t) +@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t) + + logging_send_syslog_msg(ircd_t) + +-miscfiles_read_localization(ircd_t) +- + userdom_dontaudit_use_unpriv_user_fds(ircd_t) + userdom_dontaudit_search_user_home_dirs(ircd_t) + +diff --git a/irqbalance.te b/irqbalance.te +index c5a8112..947efe0 100644 +--- a/irqbalance.te ++++ b/irqbalance.te +@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t) + + allow irqbalance_t self:capability { setpcap net_admin }; + dontaudit irqbalance_t self:capability sys_tty_config; ++ ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit irqbalance_t self:capability sys_module; ++') ++ + allow irqbalance_t self:process { getcap setcap signal_perms }; + allow irqbalance_t 
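Review bot: the section header above the new irssi rules repeats `# Irssi personal declarations.`, the heading already used for the declarations block earlier in the file; this block holds the domain's access rules and should be headed `# Irssi local policy`. The retained `optional_policy(` seutil_use_newrole_fds(irc_t) ')` now sits below the irssi block, so irc_t rules are interleaved with irssi_t rules; moving it (and the new `nis_use_ypbind(irc_t)`) above the irssi section keeps the per-domain layout consistent. Inside `tunable_policy(`irssi_use_full_network', ...)`, `corenet_tcp_bind_all_unreserved_ports(irssi_t)` is paired with `corenet_sendrecv_generic_server_packets(irssi_t)`, whereas the irc_use_any_tcp_ports block above pairs the same bind with `corenet_sendrecv_all_server_packets`; under labeled networking, server packets on non-generic ports would be denied for irssi, so either align the two or comment why irssi is narrower.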
self:udp_socket create_socket_perms;
+
+@@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
+
+ dev_read_sysfs(irqbalance_t)
+
+-files_read_etc_files(irqbalance_t)
+ files_read_etc_runtime_files(irqbalance_t)
+
+ fs_getattr_all_fs(irqbalance_t)
+@@ -45,8 +50,6 @@ domain_use_interactive_fds(irqbalance_t)
+
+ logging_send_syslog_msg(irqbalance_t)
+
+-miscfiles_read_localization(irqbalance_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
+ userdom_dontaudit_search_user_home_dirs(irqbalance_t)
+
+diff --git a/iscsi.fc b/iscsi.fc
+index 08b7560..417e630 100644
+--- a/iscsi.fc
++++ b/iscsi.fc
+@@ -1,19 +1,18 @@
+-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
+-
+ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+ /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+ /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+ /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+
+ /var/lock/iscsi(/.*)?
gen_context(system_u:object_r:iscsi_lock_t,s0) + +-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) + /var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) ++ ++/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) ++/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +diff --git a/iscsi.if b/iscsi.if +index 1a35420..4b9b978 100644 +--- a/iscsi.if ++++ b/iscsi.if +@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an iscsi environment. ++## Transition to iscsi named content + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`iscsi_filetrans_named_content',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") ++') ++ ++ ++######################################## ++## ++## All of the rules required to ++## administrate an iscsi environment. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. 
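Review bot: `/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)` has no `/sbin/iscsiadm` counterpart, while every other binary in this file is listed under both `/sbin` and `/usr/sbin`; on a layout without a merged `/usr` the admin tool stays `bin_t` and never enters `iscsid_t`. Labelling the CLI with the daemon's entry type also means any domain granted `iscsi_domtrans` runs iscsiadm with the full `iscsid_t` capability set (including the `sys_module` added in iscsi.te below), so if that is intended a one-line comment such as `# iscsiadm deliberately shares the iscsid_t domain` above the entry would make it reviewable.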
+ ##
+ ##
+ ##
+@@ -99,16 +113,15 @@ interface(`iscsi_admin',`
+ gen_require(`
+ type iscsid_t, iscsi_lock_t, iscsi_log_t;
+ type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
+- type iscsi_initrc_exec_t;
++ type iscsi_unit_file_t;
+ ')
+
+ allow $1 iscsid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, iscsid_t)
+
+- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 iscsi_initrc_exec_t system_r;
+- allow $2 system_r;
++ systemd_exec_systemctl($1)
++ allow $1 iscsi_unit_file_t:file manage_file_perms;
++ allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+ logging_search_logs($1)
+ admin_pattern($1, iscsi_log_t)
+diff --git a/iscsi.te b/iscsi.te
+index 57304e4..46e5e3d 100644
+--- a/iscsi.te
++++ b/iscsi.te
+@@ -9,8 +9,8 @@ type iscsid_t;
+ type iscsid_exec_t;
+ init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+-type iscsi_initrc_exec_t;
+-init_script_file(iscsi_initrc_exec_t)
++type iscsi_unit_file_t;
++systemd_unit_file(iscsi_unit_file_t)
+
+ type iscsi_lock_t;
+ files_lock_file(iscsi_lock_t)
+@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t)
+ # Local policy
+ #
+
+-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+-dontaudit iscsid_t self:capability sys_ptrace;
++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { accept connectto listen };
+@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+
+ can_exec(iscsid_t, iscsid_exec_t)
+
++kernel_request_load_module(iscsid_t)
+ kernel_read_network_state(iscsid_t)
+ kernel_read_system_state(iscsid_t)
+ kernel_setsched(iscsid_t)
++kernel_request_load_module(iscsid_t)
+
+-corenet_all_recvfrom_unlabeled(iscsid_t)
+
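Review bot: The second parameter summary of `iscsi_admin` at the tail of this hunk is changed from `Role allowed access.` to `Domain allowed access.`, but the interface still takes a role as `$2`, so the documentation now describes the wrong thing. Keep `## Role allowed access.` for that parameter; if the role is no longer used after the systemd conversion in the next hunk, say so there instead, e.g. `## Role allowed access (unused since the systemd conversion).`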
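Review bot: After this hunk `$2` is never referenced inside `iscsi_admin` — `role_transition $2 ...` and `allow $2 system_r;` are removed and nothing pairs the role with `systemd_exec_systemctl($1)` — yet the interface keeps its two-argument signature, so callers pass a role that does nothing. Either mark the parameter as unused in the doc block or, if administrators in `$2` still need `system_r` to drive systemctl, keep `allow $2 system_r;`; dropping `domain_system_change_exemption($1)` at the same time looks like a deliberate narrowing the commit message should state.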
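Review bot: Adding `sys_module` to the `iscsid_t` capability set lets the daemon load arbitrary kernel modules itself, a far larger grant than the `kernel_request_load_module(iscsid_t)` the next hunk adds, which covers the usual `request_module()`-via-modprobe path. Unless an AVC denial shows iscsid calling `init_module`/`finit_module` directly, drop `sys_module` from this line and rely on `kernel_request_load_module`; if it is genuinely required, a comment naming the operation that needs it should sit above the grant.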
corenet_all_recvfrom_netlabel(iscsid_t)
+ corenet_tcp_sendrecv_generic_if(iscsid_t)
+ corenet_tcp_sendrecv_generic_node(iscsid_t)
+@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+ corenet_tcp_connect_isns_port(iscsid_t)
+ corenet_tcp_sendrecv_isns_port(iscsid_t)
+
+-dev_read_raw_memory(iscsid_t)
++corenet_sendrecv_winshadow_client_packets(iscsid_t)
++corenet_tcp_connect_winshadow_port(iscsid_t)
++corenet_tcp_sendrecv_winshadow_port(iscsid_t)
++
++dev_read_urand(iscsid_t)
+ dev_rw_sysfs(iscsid_t)
+ dev_rw_userio_dev(iscsid_t)
+-dev_write_raw_memory(iscsid_t)
+
+ domain_use_interactive_fds(iscsid_t)
+ domain_dontaudit_read_all_domains_state(iscsid_t)
+
++files_read_kernel_modules(iscsid_t)
++
+ auth_use_nsswitch(iscsid_t)
+
+ init_stream_connect_script(iscsid_t)
+
+ logging_send_syslog_msg(iscsid_t)
+
+-miscfiles_read_localization(iscsid_t)
++modutils_read_module_config(iscsid_t)
+
+ optional_policy(`
+ tgtd_manage_semaphores(iscsid_t)
+diff --git a/isns.te b/isns.te
+index bc11034..107ed2f 100644
+--- a/isns.te
++++ b/isns.te
+@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
+ allow isnsd_t self:capability kill;
+ allow isnsd_t self:process signal;
+ allow isnsd_t self:fifo_file rw_fifo_file_perms;
++allow isnsd_t self:tcp_socket { listen };
+ allow isnsd_t self:udp_socket { accept listen };
+ allow isnsd_t self:unix_stream_socket { accept listen };
+
+@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+ corenet_sendrecv_isns_server_packets(isnsd_t)
+ corenet_tcp_bind_isns_port(isnsd_t)
+
+-files_read_etc_files(isnsd_t)
+-
+ logging_send_syslog_msg(isnsd_t)
+
+ miscfiles_read_localization(isnsd_t)
+diff --git a/jabber.fc b/jabber.fc
+index 59ad3b3..bd02cc8 100644
+--- a/jabber.fc
++++ b/jabber.fc
+@@ -1,25 +1,18 @@
+-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
+-/usr/bin/router --
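Review bot: `kernel_request_load_module(iscsid_t)` is added twice in this hunk, once before `kernel_read_network_state` and again after `kernel_setsched`; the duplicate is harmless to the compiled policy but reads as a merge artefact. Keep only the first occurrence.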
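Review bot: The three new `winshadow` rules (`corenet_tcp_connect_winshadow_port` and companions) carry no comment saying which iSCSI peer listens on that port, and unlike the neighbouring isns rules the port name gives no hint. A one-line comment above them naming the service or the AVC that motivated the grant would keep it reviewable, e.g. `# <peer service> listens on winshadow_port_t`. Replacing `dev_read_raw_memory`/`dev_write_raw_memory` with `dev_read_urand` is a welcome narrowing.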
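Review bot: `allow isnsd_t self:tcp_socket { listen };` grants listen without `accept`, unlike the udp line directly below it which has `{ accept listen }`; a listening TCP socket the daemon cannot accept on is useless for an iSNS server unless `create_stream_socket_perms` is already granted earlier in the file, outside this hunk. If it is not, change the line to `allow isnsd_t self:tcp_socket { accept listen };`.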
gen_context(system_u:object_r:jabberd_router_exec_t,s0) +-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) ++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) ++/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) + +-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) + +-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0) ++# pyicq-t + +-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) ++/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) + +-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) +-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) ++/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0) + +-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) +-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) ++/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) ++ ++/var/spool/pyicq-t(/.*)? 
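Review bot: This hunk removes the labels for `/usr/sbin/jabberd`, `/usr/sbin/ejabberd`, `/usr/sbin/ejabberdctl` and all ejabberd log/lib/lock/pid paths without replacing them; unless another file-context entry covers those binaries (none is visible in this diff) they fall back to `bin_t` and the daemons run in whatever domain starts them, i.e. effectively unconfined. If dropping ejabberd confinement is intended the commit message should say so; otherwise the ejabberd entries should stay. The matching removal of `jabberd_log_t`, `jabberd_var_run_t` and `jabberd_lock_t` in jabber.te below makes restoring them later a larger change.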
gen_context(system_u:object_r:pyicqt_var_spool_t,s0) +diff --git a/jabber.if b/jabber.if +index 16b1666..01673a4 100644 +--- a/jabber.if ++++ b/jabber.if +@@ -1,29 +1,76 @@ +-## Jabber instant messaging servers. ++## Jabber instant messaging server ++ ++##################################### ++## ++## Creates types and rules for a basic ++## jabber init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`jabber_domain_template',` ++ gen_require(` ++ attribute jabberd_domain; ++ ') ++ ++ ############################## ++ # ++ # $1_t declarations ++ # ++ ++ type $1_t, jabberd_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ kernel_read_system_state($1_t) ++ ++ corenet_all_recvfrom_netlabel($1_t) ++ ++ logging_send_syslog_msg($1_t) ++') + + ####################################### + ## +-## The template to define a jabber domain. ++## Execute a domain transition to run jabberd services + ## +-## ++## + ## +-## Domain prefix to be used. ++## Domain allowed to transition. + ## + ## + # +-template(`jabber_domain_template',` ++interface(`jabber_domtrans_jabberd',` + gen_require(` +- attribute jabberd_domain; ++ type jabberd_t, jabberd_exec_t; + ') + +- type $1_t, jabberd_domain; +- type $1_exec_t; +- init_daemon_domain($1_t, $1_exec_t) ++ domtrans_pattern($1, jabberd_exec_t, jabberd_t) + ') + +-######################################## ++###################################### + ## +-## Create, read, write, and delete +-## jabber lib files. ++## Execute a domain transition to run jabberd router service ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`jabber_domtrans_jabberd_router',` ++ gen_require(` ++ type jabberd_router_t, jabberd_router_exec_t; ++ ') ++ ++ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) ++') ++ ++####################################### ++## ++## Read jabberd lib files. 
+ ## + ## + ## +@@ -31,18 +78,37 @@ template(`jabber_domain_template',` + ## + ## + # +-interface(`jabber_manage_lib_files',` ++interface(`jabberd_read_lib_files',` + gen_require(` + type jabberd_var_lib_t; + ') + + files_search_var_lib($1) +- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ++ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) + ') + +-######################################## ++####################################### ++## ++## Dontaudit inherited read jabberd lib files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`jabberd_dontaudit_read_lib_files',` ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') ++ ++ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; ++') ++ ++####################################### + ## +-## Connect to jabber over a TCP socket (Deprecated) ++## Create, read, write, and delete ++## jabberd lib files. + ## + ## + ## +@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',` + ## + ## + # +-interface(`jabber_tcp_connect',` +- refpolicywarn(`$0($*) has been deprecated.') ++interface(`jabberd_manage_lib_files',` ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an jabber environment. ++## All of the rules required to administrate ++## an jabber environment + ## + ## + ## +@@ -66,38 +137,32 @@ interface(`jabber_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the jabber domain. 
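Review bot: `jabber_manage_lib_files` is renamed to `jabberd_read_lib_files` here — and its body narrowed from `manage_files_pattern` to `read_files_pattern` — while the following hunk reuses the `jabber_tcp_connect` slot for a new `jabberd_manage_lib_files`; no compatibility interface is left, so any module still calling the old name fails to build, and one that is updated mechanically gets read access where it had manage. The file's own convention, visible in the removed `jabber_tcp_connect` stub, is a deprecation shim: `interface(`jabber_manage_lib_files',` / `refpolicywarn(`$0($*) has been deprecated, use jabberd_manage_lib_files() instead.')` / `jabberd_manage_lib_files($1)` followed by `')`. Note also that the new names use a `jabberd_` prefix while the module and the remaining interfaces in this file use `jabber_`.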
+ ## + ## + ## + # + interface(`jabber_admin',` + gen_require(` +- attribute jabberd_domain; +- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t; +- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t; ++ type jabberd_t, jabberd_var_lib_t; ++ type jabberd_initrc_exec_t, jabberd_router_t; + ') + +- allow $1 jabberd_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, jabberd_domain) ++ allow $1 jabberd_t:process signal_perms; ++ ps_process_pattern($1, jabberd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 jabberd_t:process ptrace; ++ allow $1 jabberd_router_t:process ptrace; ++ ') ++ ++ allow $1 jabberd_router_t:process signal_perms; ++ ps_process_pattern($1, jabberd_router_t) + + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 jabberd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_locks($1)) +- admin_pattern($1, jabberd_lock_t) +- +- logging_search_logs($1) +- admin_pattern($1, jabberd_log_t) +- +- files_search_spool($1) +- admin_pattern($1, jabberd_spool_t) +- +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, jabberd_var_lib_t) +- +- files_search_pids($1) +- admin_pattern($1, jabberd_var_run_t) + ') +diff --git a/jabber.te b/jabber.te +index bb12c90..62d511b 100644 +--- a/jabber.te ++++ b/jabber.te +@@ -1,4 +1,4 @@ +-policy_module(jabber, 1.9.1) ++policy_module(jabber, 1.8.0) + + ######################################## + # +@@ -9,129 +9,133 @@ attribute jabberd_domain; + + jabber_domain_template(jabberd) + jabber_domain_template(jabberd_router) ++jabber_domain_template(pyicqt) + + type jabberd_initrc_exec_t; + init_script_file(jabberd_initrc_exec_t) + +-type jabberd_lock_t; +-files_lock_file(jabberd_lock_t) +- +-type jabberd_log_t; +-logging_log_file(jabberd_log_t) +- +-type jabberd_spool_t; +-files_type(jabberd_spool_t) +- ++# type which includes log/pid files pro jabberd components + type jabberd_var_lib_t; + 
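Review bot: `jabber_admin` drops the attribute-wide rules (`allow $1 jabberd_domain:process ...`) in favour of explicit `jabberd_t` and `jabberd_router_t` rules, so the new `pyicqt_t` domain created by `jabber_domain_template(pyicqt)` in jabber.te — together with `pyicqt_log_t`, `pyicqt_var_spool_t` and `pyicqt_var_run_t` — gets no admin access at all. Either restore the `jabberd_domain` attribute form (with the `deny_ptrace` gating applied to the attribute) or add `pyicqt_t` and its types to the `gen_require` block and the rule list.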
files_type(jabberd_var_lib_t) + +-type jabberd_var_run_t; +-files_pid_file(jabberd_var_run_t) ++# pyicq-t types ++type pyicqt_log_t; ++logging_log_file(pyicqt_log_t); + +-######################################## +-# +-# Common local policy +-# ++type pyicqt_var_spool_t; ++files_spool_file(pyicqt_var_spool_t) + +-allow jabberd_domain self:process signal_perms; +-allow jabberd_domain self:fifo_file rw_fifo_file_perms; +-allow jabberd_domain self:tcp_socket { accept listen }; ++type pyicqt_var_run_t; ++files_pid_file(pyicqt_var_run_t) + +-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) ++###################################### ++# ++# Local policy for jabberd-router and c2s components ++# + +-kernel_read_system_state(jabberd_domain) ++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; + +-corenet_all_recvfrom_unlabeled(jabberd_domain) +-corenet_all_recvfrom_netlabel(jabberd_domain) +-corenet_tcp_sendrecv_generic_if(jabberd_domain) +-corenet_tcp_sendrecv_generic_node(jabberd_domain) +-corenet_tcp_bind_generic_node(jabberd_domain) ++manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) ++manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) + +-dev_read_urand(jabberd_domain) +-dev_read_sysfs(jabberd_domain) ++kernel_read_network_state(jabberd_router_t) + +-fs_getattr_all_fs(jabberd_domain) ++corenet_tcp_bind_jabber_client_port(jabberd_router_t) ++corenet_tcp_bind_jabber_router_port(jabberd_router_t) ++corenet_tcp_connect_jabber_router_port(jabberd_router_t) ++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) ++corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) + +-logging_send_syslog_msg(jabberd_domain) ++fs_getattr_all_fs(jabberd_router_t) + +-miscfiles_read_localization(jabberd_domain) ++miscfiles_read_generic_certs(jabberd_router_t) + + optional_policy(` +- nis_use_ypbind(jabberd_domain) ++ kerberos_use(jabberd_router_t) + ') + + optional_policy(` 
+- seutil_sigchld_newrole(jabberd_domain) ++ nis_use_ypbind(jabberd_router_t) + ') + +-######################################## ++##################################### + # +-# Local policy ++# Local policy for other jabberd components + # + +-allow jabberd_t self:capability dac_override; +-dontaudit jabberd_t self:capability sys_tty_config; +-allow jabberd_t self:tcp_socket create_socket_perms; +-allow jabberd_t self:udp_socket create_socket_perms; ++manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) ++manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) + +-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) ++corenet_tcp_bind_jabber_interserver_port(jabberd_t) ++corenet_tcp_connect_jabber_interserver_port(jabberd_t) ++corenet_tcp_connect_jabber_router_port(jabberd_t) + +-allow jabberd_t jabberd_log_t:dir setattr_dir_perms; +-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) ++userdom_dontaudit_use_unpriv_user_fds(jabberd_t) ++userdom_dontaudit_search_user_home_dirs(jabberd_t) + +-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) ++miscfiles_read_certs(jabberd_t) + +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) ++optional_policy(` ++ seutil_sigchld_newrole(jabberd_t) ++') + +-kernel_read_kernel_sysctls(jabberd_t) ++optional_policy(` ++ udev_read_db(jabberd_t) ++') + +-corenet_sendrecv_jabber_client_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_client_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_client_port(jabberd_t) ++###################################### ++# ++# Local policy for pyicq-t ++# + +-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) 
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) ++# need for /var/log/pyicq-t.log ++manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t) ++logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) + +-dev_read_rand(jabberd_t) ++manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t); + +-domain_use_interactive_fds(jabberd_t) ++files_search_spool(pyicqt_t) ++manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); + +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) ++corenet_tcp_bind_jabber_router_port(pyicqt_t) ++corenet_tcp_connect_jabber_router_port(pyicqt_t) + +-fs_search_auto_mountpoints(jabberd_t) ++corecmd_exec_bin(pyicqt_t) + +-sysnet_read_config(jabberd_t) ++dev_read_urand(pyicqt_t) + +-userdom_dontaudit_use_unpriv_user_fds(jabberd_t) +-userdom_dontaudit_search_user_home_dirs(jabberd_t) ++auth_use_nsswitch(pyicqt_t) + ++# needed for pyicq-t-mysql + optional_policy(` +- udev_read_db(jabberd_t) ++ corenet_tcp_connect_mysqld_port(pyicqt_t) + ') + +-######################################## ++optional_policy(` ++ sysnet_use_ldap(pyicqt_t) ++') ++ ++####################################### + # +-# Router local policy ++# Local policy for jabberd domains + # + +-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) ++allow jabberd_domain self:process signal_perms; ++allow jabberd_domain self:fifo_file rw_fifo_file_perms; ++allow jabberd_domain self:tcp_socket create_stream_socket_perms; ++allow jabberd_domain self:udp_socket create_socket_perms; + +-kernel_read_network_state(jabberd_router_t) ++corenet_tcp_sendrecv_generic_if(jabberd_domain) ++corenet_udp_sendrecv_generic_if(jabberd_domain) ++corenet_tcp_sendrecv_generic_node(jabberd_domain) ++corenet_udp_sendrecv_generic_node(jabberd_domain) ++corenet_tcp_sendrecv_all_ports(jabberd_domain) ++corenet_udp_sendrecv_all_ports(jabberd_domain) 
++corenet_tcp_bind_generic_node(jabberd_domain) + +-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) +-corenet_tcp_bind_jabber_client_port(jabberd_router_t) +-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t) ++dev_read_sysfs(jabberd_domain) ++dev_read_urand(jabberd_domain) + +-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +-# corenet_tcp_bind_jabber_router_port(jabberd_router_t) +-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t) +-# corenet_tcp_connect_jabber_router_port(jabberd_router_t) +-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t) ++files_read_etc_runtime_files(jabberd_domain) + +-auth_use_nsswitch(jabberd_router_t) ++sysnet_read_config(jabberd_domain) +diff --git a/java.te b/java.te +index b3fcfbb..5459aa3 100644 +--- a/java.te ++++ b/java.te +@@ -11,7 +11,7 @@ policy_module(java, 2.6.3) + ## its stack executable. + ##
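Review bot: The pyicq-t block grants `manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);` but, unlike the spool rule just below it which is preceded by `files_search_spool(pyicqt_t)`, there is no `files_search_pids(pyicqt_t)`, so the path lookup into `/var/run/pyicq-t` is denied; add `files_search_pids(pyicqt_t)` (and `files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, dir)` if the daemon creates the directory itself). The trailing `;` on those two `manage_files_pattern` lines and on `logging_log_file(pyicqt_log_t);` is not the file's style — no other interface call in the hunk has one. Separately, the earlier hunk lowers `policy_module(jabber, ...)` from 1.9.1 to 1.8.0 even though this change reworks the module's interfaces; the version should go up, not down.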

    + ## +-gen_tunable(allow_java_execstack, false) ++gen_tunable(java_execstack, false) + + attribute java_domain; + +@@ -90,7 +90,6 @@ dev_read_urand(java_domain) + dev_read_rand(java_domain) + dev_dontaudit_append_rand(java_domain) + +-files_read_usr_files(java_domain) + files_read_etc_runtime_files(java_domain) + + fs_getattr_all_fs(java_domain) +@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain) + userdom_manage_user_home_content_symlinks(java_domain) + userdom_manage_user_home_content_pipes(java_domain) + userdom_manage_user_home_content_sockets(java_domain) +-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) ++userdom_filetrans_home_content(java_domain_t) + + userdom_write_user_tmp_sockets(java_domain) + +-tunable_policy(`allow_java_execstack',` ++tunable_policy(`java_execstack',` + allow java_domain self:process { execmem execstack }; + + libs_legacy_use_shared_libs(java_domain) +diff --git a/jetty.fc b/jetty.fc +new file mode 100644 +index 0000000..1725b7e +--- /dev/null ++++ b/jetty.fc +@@ -0,0 +1,9 @@ ++ ++/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0) ++ ++/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0) ++ ++/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0) ++ ++/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0) ++ +diff --git a/jetty.if b/jetty.if +new file mode 100644 +index 0000000..2abc285 +--- /dev/null ++++ b/jetty.if +@@ -0,0 +1,268 @@ ++ ++## policy for jetty ++ ++######################################## ++## ++## Search jetty cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_search_cache',` ++ gen_require(` ++ type jetty_cache_t; ++ ') ++ ++ allow $1 jetty_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read jetty cache files. ++## ++## ++## ++## Domain allowed access. 
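Review bot: Renaming the boolean from `allow_java_execstack` to `java_execstack` changes the name administrators set with `setsebool`, so existing local settings silently stop applying; nothing in this hunk provides an alias or substitution for the old name. Either add the mapping wherever this policy keeps boolean-name substitutions (not visible in this diff) or at least record the rename in the tunable description, e.g. `## (formerly allow_java_execstack)`.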
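Review bot: `userdom_filetrans_home_content(java_domain_t)` references `java_domain_t`, but the name this file declares with that stem is the attribute `java_domain` (see the `attribute java_domain;` context line above) and every other rule in the hunk uses `java_domain`; unless `java_domain_t` is declared elsewhere, the module fails to compile. Change the line to `userdom_filetrans_home_content(java_domain)`. The removed `userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })` was explicit about object classes, so the replacement interface's coverage should be confirmed to match.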
++## ++## ++# ++interface(`jetty_read_cache_files',` ++ gen_require(` ++ type jetty_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, jetty_cache_t, jetty_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## jetty cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_manage_cache_files',` ++ gen_require(` ++ type jetty_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, jetty_cache_t, jetty_cache_t) ++') ++ ++######################################## ++## ++## Manage jetty cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_manage_cache_dirs',` ++ gen_require(` ++ type jetty_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t) ++') ++ ++######################################## ++## ++## Read jetty's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`jetty_read_log',` ++ gen_require(` ++ type jetty_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, jetty_log_t, jetty_log_t) ++') ++ ++######################################## ++## ++## Append to jetty log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_append_log',` ++ gen_require(` ++ type jetty_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, jetty_log_t, jetty_log_t) ++') ++ ++######################################## ++## ++## Manage jetty log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_manage_log',` ++ gen_require(` ++ type jetty_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, jetty_log_t, jetty_log_t) ++ manage_files_pattern($1, jetty_log_t, jetty_log_t) ++ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t) ++') ++ ++######################################## ++## ++## Search jetty lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`jetty_search_lib',` ++ gen_require(` ++ type jetty_var_lib_t; ++ ') ++ ++ allow $1 jetty_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read jetty lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_read_lib_files',` ++ gen_require(` ++ type jetty_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t) ++') ++ ++######################################## ++## ++## Manage jetty lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_manage_lib_files',` ++ gen_require(` ++ type jetty_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t) ++') ++ ++######################################## ++## ++## Manage jetty lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_manage_lib_dirs',` ++ gen_require(` ++ type jetty_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t) ++') ++ ++######################################## ++## ++## Read jetty PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jetty_read_pid_files',` ++ gen_require(` ++ type jetty_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 jetty_var_run_t:file read_file_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an jetty environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`jetty_admin',` ++ gen_require(` ++ type jetty_cache_t; ++ type jetty_log_t; ++ type jetty_var_lib_t; ++ type jetty_var_run_t; ++ ') ++ ++ files_search_var($1) ++ admin_pattern($1, jetty_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, jetty_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, jetty_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, jetty_var_run_t) ++') +diff --git a/jetty.te b/jetty.te +new file mode 100644 +index 0000000..af510ea +--- /dev/null ++++ b/jetty.te +@@ -0,0 +1,25 @@ ++policy_module(jetty, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type jetty_cache_t; ++files_type(jetty_cache_t) ++ ++type jetty_log_t; ++logging_log_file(jetty_log_t) ++ ++type jetty_var_lib_t; ++files_type(jetty_var_lib_t) ++ ++type jetty_var_run_t; ++files_pid_file(jetty_var_run_t) ++ ++######################################## ++# ++# jetty local policy ++# ++ ++# No local policy. This module just contains type definitions +diff --git a/jockey.if b/jockey.if +index 2fb7a20..c6ba007 100644 +--- a/jockey.if ++++ b/jockey.if +@@ -1 +1,131 @@ +-## Jockey driver manager. ++ ++## policy for jockey ++ ++######################################## ++## ++## Transition to jockey. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`jockey_domtrans',` ++ gen_require(` ++ type jockey_t, jockey_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, jockey_exec_t, jockey_t) ++') ++ ++######################################## ++## ++## Search jockey cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jockey_search_cache',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ allow $1 jockey_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read jockey cache files. ++## ++## ++## ++## Domain allowed access. 
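Review bot: `jetty_read_pid_files` only grants `allow $1 jetty_var_run_t:file read_file_perms;` plus `files_search_pids($1)`, but jetty.fc labels the whole `/var/run/jetty(/.*)?` tree as `jetty_var_run_t`, so the directory itself carries that type and the caller also needs `search` on it; as written the read fails at the directory lookup. Use `read_files_pattern($1, jetty_var_run_t, jetty_var_run_t)` instead, which includes the dir search, matching how `jetty_read_cache_files` and `jetty_read_lib_files` in the same file are written.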
++## ++## ++# ++interface(`jockey_read_cache_files',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, jockey_cache_t, jockey_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## jockey cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jockey_manage_cache_files',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, jockey_cache_t, jockey_cache_t) ++') ++ ++######################################## ++## ++## Manage jockey cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jockey_manage_cache_dirs',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an jockey environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`jockey_admin',` ++ gen_require(` ++ type jockey_t; ++ type jockey_cache_t; ++ type jockey_var_log_t; ++ ') ++ ++ allow $1 jockey_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, jockey_t) ++ ++ files_search_var($1) ++ admin_pattern($1, jockey_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, jockey_var_log_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/jockey.te b/jockey.te +index d59ec10..dec1b3b 100644 +--- a/jockey.te ++++ b/jockey.te +@@ -44,16 +44,19 @@ dev_read_urand(jockey_t) + + domain_use_interactive_fds(jockey_t) + +-files_read_etc_files(jockey_t) +-files_read_usr_files(jockey_t) + +-miscfiles_read_localization(jockey_t) ++auth_read_passwd(jockey_t) + + optional_policy(` + dbus_system_domain(jockey_t, jockey_exec_t) + ') + + optional_policy(` ++ gnome_dontaudit_search_config(jockey_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(jockey_t) + modutils_read_module_config(jockey_t) ++ modutils_list_module_config(jockey_t) + ') +diff --git a/journalctl.fc b/journalctl.fc +new file mode 100644 +index 0000000..f270652 +--- /dev/null ++++ b/journalctl.fc +@@ -0,0 +1 @@ ++/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0) +diff --git a/journalctl.if b/journalctl.if +new file mode 100644 +index 0000000..9d32f23 +--- /dev/null ++++ b/journalctl.if +@@ -0,0 +1,76 @@ ++ ++## policy for journalctl ++ ++######################################## ++## ++## Execute TEMPLATE in the journalctl domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`journalctl_domtrans',` ++ gen_require(` ++ type journalctl_t, journalctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, journalctl_exec_t, journalctl_t) ++') ++ ++######################################## ++## ++## Execute journalctl in the journalctl domain, and ++## allow the specified role the journalctl domain. 
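Review bot: `jockey_admin` grants `allow $1 jockey_t:process { ptrace signal_perms };` unconditionally, whereas `jabber_admin` in this same patch wraps `ptrace` in `tunable_policy(`deny_ptrace`,`',` ... `)` so the system-wide ptrace lock-out also applies to admins. For consistency split it into `allow $1 jockey_t:process signal_perms;` and put the `ptrace` grant in the same `deny_ptrace` tunable block. The interface also requires `jockey_var_log_t`, which is not declared in the jockey.te hunk shown here — confirm it exists.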
++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the journalctl domain. ++## ++## ++# ++interface(`journalctl_run',` ++ gen_require(` ++ type journalctl_t; ++ attribute_role journalctl_roles; ++ ') ++ ++ journalctl_domtrans($1) ++ roleattribute $2 journalctl_roles; ++') ++ ++######################################## ++## ++## Role access for journalctl ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`journalctl_role',` ++ gen_require(` ++ type journalctl_t; ++ attribute_role journalctl_roles; ++ ') ++ ++ roleattribute $1 journalctl_roles; ++ ++ journalctl_domtrans($2) ++ ++ ps_process_pattern($2, journalctl_t) ++ allow $2 journalctl_t:process { signull signal sigkill }; ++') +diff --git a/journalctl.te b/journalctl.te +new file mode 100644 +index 0000000..5de3229 +--- /dev/null ++++ b/journalctl.te +@@ -0,0 +1,44 @@ ++policy_module(journalctl, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role journalctl_roles; ++roleattribute system_r journalctl_roles; ++ ++type journalctl_t; ++type journalctl_exec_t; ++application_domain(journalctl_t, journalctl_exec_t) ++ ++role journalctl_roles types journalctl_t; ++ ++######################################## ++# ++# journalctl local policy ++# ++allow journalctl_t self:process { fork signal_perms }; ++ ++allow journalctl_t self:fifo_file manage_fifo_file_perms; ++allow journalctl_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_system_state(journalctl_t) ++ ++corecmd_exec_bin(journalctl_t) ++ ++domain_use_interactive_fds(journalctl_t) ++ ++files_read_etc_files(journalctl_t) ++ ++fs_getattr_all_fs(journalctl_t) ++ ++userdom_list_user_home_dirs(journalctl_t) ++userdom_read_user_home_content_files(journalctl_t) ++userdom_use_inherited_user_ptys(journalctl_t) ++userdom_write_inherited_user_tmp_files(journalctl_t) 
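Review bot: The summary of `journalctl_domtrans` still reads `Execute TEMPLATE in the journalctl domin.`, a leftover from the interface template with a typo; replace it with `## Execute journalctl in the journalctl domain.`. `journalctl_role` lets the user domain send `{ signull signal sigkill }` to `journalctl_t` while `journalctl_run` grants no process access at all, so callers of `_run` cannot kill a stuck pager; if that asymmetry is intended, a comment on `journalctl_run` should say so.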
++userdom_rw_inherited_user_tmpfs_files(journalctl_t) ++userdom_rw_inherited_user_home_content_files(journalctl_t) ++ ++miscfiles_read_localization(journalctl_t) ++logging_read_generic_logs(journalctl_t) +diff --git a/kde.fc b/kde.fc +new file mode 100644 +index 0000000..25e4b68 +--- /dev/null ++++ b/kde.fc +@@ -0,0 +1 @@ ++#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0) +diff --git a/kde.if b/kde.if +new file mode 100644 +index 0000000..cf65577 +--- /dev/null ++++ b/kde.if +@@ -0,0 +1,22 @@ ++## Policy for KDE components ++ ++####################################### ++## ++## Send and receive messages from ++## firewallgui over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kde_dbus_chat_backlighthelper',` ++ gen_require(` ++ type kdebacklighthelper_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 kdebacklighthelper_t:dbus send_msg; ++ allow kdebacklighthelper_t $1:dbus send_msg; ++') +diff --git a/kde.te b/kde.te +new file mode 100644 +index 0000000..dbe3f03 +--- /dev/null ++++ b/kde.te +@@ -0,0 +1,41 @@ ++policy_module(kde,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type kdebacklighthelper_t; ++type kdebacklighthelper_exec_t; ++init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) ++ ++######################################## ++# ++# backlighthelper local policy ++# ++ ++allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms; ++ ++kernel_read_system_state(kdebacklighthelper_t) ++ ++# r/w brightness values ++dev_rw_sysfs(kdebacklighthelper_t) ++ ++files_read_etc_runtime_files(kdebacklighthelper_t) ++ ++fs_getattr_all_fs(kdebacklighthelper_t) ++ ++logging_send_syslog_msg(kdebacklighthelper_t) ++ ++optional_policy(` ++ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) ++') ++ ++optional_policy(` ++ consolekit_dbus_chat(kdebacklighthelper_t) ++') ++ ++optional_policy(` ++ 
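Review bot: journalctl_t is granted `userdom_read_user_home_content_files` and `userdom_list_user_home_dirs`, which lets a confined log viewer read every file under every user's home rather than only the already-open descriptors it also receives via `userdom_rw_inherited_user_home_content_files` and `userdom_write_inherited_user_tmp_files`. If the wider grant exists for a concrete case (a pager reading its own configuration, for instance), a why-comment on those two lines would justify it; otherwise the inherited variants already cover redirected output and the broad read should go. Whether `logging_read_generic_logs` reaches the journal files themselves depends on the label they carry on the target, which the patch does not show, so a comment stating the expected label would help.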
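Review bot: The only file-context entry in the new kde.fc is commented out (`#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(...)`), so nothing is ever labeled kdebacklighthelper_exec_t and the `init_daemon_domain`/`dbus_system_domain` transitions declared in the new kde.te (which ends on the next line) can never fire; the module ships as dead policy. Either uncomment the entry or replace the bare comment with one that states the reason, e.g. `# intentionally unlabeled: <reason> — see kde.te`, so the next reader does not assume the helper is confined. As written, the helper keeps whatever label its launcher runs under, a silent loss of confinement rather than a visible one.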
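Review bot: The summary of `kde_dbus_chat_backlighthelper` says `## Send and receive messages from firewallgui over dbus.`, copied from another module; it should name this helper: `## Send and receive messages from kdebacklighthelper over dbus.`. The body is the standard bidirectional `dbus send_msg` pair and needs no change.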
policykit_dbus_chat(kdebacklighthelper_t) ++') ++ +diff --git a/kdump.fc b/kdump.fc +index a49ae4e..0c0e987 100644 +--- a/kdump.fc ++++ b/kdump.fc +@@ -1,13 +1,16 @@ + /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) ++/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) + +-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) ++/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + +-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) + +-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) ++/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0) + +-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) ++/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + +-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) ++ ++/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) +diff --git a/kdump.if b/kdump.if +index 3a00b3a..21efcc4 100644 +--- a/kdump.if ++++ b/kdump.if +@@ -1,4 +1,4 @@ +-## Kernel crash dumping mechanism. ++## Kernel crash dumping mechanism + + ###################################### + ## +@@ -19,6 +19,26 @@ interface(`kdump_domtrans',` + domtrans_pattern($1, kdump_exec_t, kdump_t) + ') + ++###################################### ++## ++## Execute kdumpctl in the kdumpctl domain. ++## ++## ++## ++## Domain allowed to transition. 
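Review bot: The kdump.fc hunk removes the `/bin/kdumpctl` entry but keeps `/sbin/kdump` and `/sbin/kexec` next to their `/usr/sbin` twins, so the file is now inconsistent about whether the unmerged top-level directories are still labeled. If /bin and /sbin are symlinks into /usr on the target, all three legacy entries are redundant; if they are not, a kdumpctl at /bin/kdumpctl is left unlabeled and never transitions to kdumpctl_t. Either drop the `/sbin` pair as well or restore `/bin/kdumpctl`, and state the assumed layout in a comment.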
++## ++## ++# ++interface(`kdumpctl_domtrans',` ++ gen_require(` ++ type kdumpctl_t, kdumpctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t) ++') ++ ++ + ####################################### + ## + ## Execute kdump in the kdump domain. +@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',` + init_labeled_script_domtrans($1, kdump_initrc_exec_t) + ') + ++######################################## ++## ++## Execute kdump server in the kdump domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kdump_systemctl',` ++ gen_require(` ++ type kdump_unit_file_t; ++ type kdump_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_search_unit_dirs($1) ++ allow $1 kdump_unit_file_t:file read_file_perms; ++ allow $1 kdump_unit_file_t:service all_service_perms; ++ ++ ps_process_pattern($1, kdump_t) ++') ++ + ##################################### + ## +-## Read kdump configuration files. ++## Read kdump configuration file. + ## + ## + ## +@@ -56,10 +100,67 @@ interface(`kdump_read_config',` + allow $1 kdump_etc_t:file read_file_perms; + ') + ++##################################### ++## ++## Read kdump crash files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_read_crash',` ++ gen_require(` ++ type kdump_crash_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, kdump_crash_t, kdump_crash_t) ++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) ++') ++ ++##################################### ++## ++## Read kdump crash files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_manage_crash',` ++ gen_require(` ++ type kdump_crash_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, kdump_crash_t, kdump_crash_t) ++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) ++') ++ ++##################################### ++## ++## Dontaudit read kdump configuration file. ++## ++## ++## ++## Domain to not audit. 
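Review bot: The summary of the new `kdump_systemctl` interface, `## Execute kdump server in the kdump domain.`, describes a domain transition, but the body grants systemctl execution plus `read_file_perms` and `all_service_perms` on kdump_unit_file_t, i.e. control of the kdump unit; it should read `## Allow the caller to start, stop, enable and query the kdump service via systemctl.`. `all_service_perms` includes enable and disable, so callers get persistent control over whether crash-dump capture is armed at boot, which is worth stating in the description since `kdumpgui_t` is given this interface later in the patch.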
++## ++## ++# ++interface(`kdump_dontaudit_read_config',` ++ gen_require(` ++ type kdump_etc_t; ++ ') ++ ++ dontaudit $1 kdump_etc_t:file read_inherited_file_perms; ++') ++ + #################################### + ## +-## Create, read, write, and delete +-## kdmup configuration files. ++## Manage kdump configuration file. + ## + ## + ## +@@ -76,10 +177,69 @@ interface(`kdump_manage_config',` + allow $1 kdump_etc_t:file manage_file_perms; + ') + ++##################################### ++## ++## Read and write kdump lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_rw_lock',` ++ gen_require(` ++ type kdump_lock_t; ++ ') ++ ++ files_search_locks($1) ++ rw_files_pattern($1, kdump_lock_t, kdump_lock_t) ++') ++ ++################################### ++## ++## Manage kdump /var/tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_manage_kdumpctl_tmp_files',` ++ gen_require(` ++ type kdumpctl_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++') ++ ++####################################### ++## ++## Transition content labels to kdump named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_filetrans_named_content',` ++ gen_require(` ++ type kdump_lock_t; ++ ') ++ ++ files_lock_filetrans($1, kdump_lock_t, file, "kdump") ++') ++ + ###################################### + ## +-## All of the rules required to +-## administrate an kdump environment. ++## All of the rules required to administrate ++## an kdump environment + ## + ## + ## +@@ -88,19 +248,24 @@ interface(`kdump_manage_config',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the kdump domain. 
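Review bot: `kdump_manage_crash` carries the summary `## Read kdump crash files.`, copied from `kdump_read_crash` directly above it; it grants `manage_files_pattern` and should say `## Create, read, write, and delete kdump crash files.`. The files under /var/crash hold kernel crash dumps, so anyone auditing which domains can alter or remove dump evidence needs the read and manage interfaces to be distinguishable by their docstrings. `kdump_dontaudit_read_config` uses `read_inherited_file_perms`, which is the right narrow set for a dontaudit.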
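Review bot: `kdump_filetrans_named_content` only transitions the `file` class for the name "kdump" under lock directories, while kdump.te later in this patch gives kdump_t `files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })` and kdump.fc labels `/var/lock/kdump(/.*)?` as a tree; if a caller creates the /var/lock/kdump directory rather than a file, this transition will not apply and the lock lands as generic lock content. Either extend it to `files_lock_filetrans($1, kdump_lock_t, { dir file }, "kdump")` or add a comment stating that callers only ever create a lock file. The summary `## Transition content labels to kdump named content` should also mention that only the lock name is covered, since kdump_crash_t and kdumpctl_tmp_t named content are not.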
+ ## + ## + ## + # + interface(`kdump_admin',` + gen_require(` +- type kdump_t, kdump_etc_t, kdumpctl_tmp_t; +- type kdump_initrc_exec_t, kdumpctl_t; ++ type kdump_t, kdump_etc_t; ++ type kdump_initrc_exec_t; ++ type kdump_unit_file_t; ++ type kdump_crash_t; + ') + +- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { kdump_t kdumpctl_t }) ++ allow $1 kdump_t:process signal_perms; ++ ps_process_pattern($1, kdump_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kdump_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) + domain_system_change_exemption($1) +@@ -110,6 +275,10 @@ interface(`kdump_admin',` + files_search_etc($1) + admin_pattern($1, kdump_etc_t) + +- files_search_tmp($1) +- admin_pattern($1, kdumpctl_tmp_t) ++ files_search_var($1) ++ admin_pattern($1, kdump_crash_t) ++ ++ kdump_systemctl($1) ++ admin_pattern($1, kdump_unit_file_t) ++ allow $1 kdump_unit_file_t:service all_service_perms; + ') +diff --git a/kdump.te b/kdump.te +index 70f3007..f8b68bf 100644 +--- a/kdump.te ++++ b/kdump.te +@@ -1,4 +1,4 @@ +-policy_module(kdump, 1.2.3) ++policy_module(kdump, 1.2.0) + + ####################################### + # +@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t) + type kdump_etc_t; + files_config_file(kdump_etc_t) + ++type kdump_crash_t; ++files_type(kdump_crash_t) ++ + type kdump_initrc_exec_t; + init_script_file(kdump_initrc_exec_t) + ++type kdump_unit_file_t alias kdumpctl_unit_file_t; ++systemd_unit_file(kdump_unit_file_t) ++ ++type kdump_lock_t; ++files_lock_file(kdump_lock_t) ++ + type kdumpctl_t; + type kdumpctl_exec_t; + init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) +-application_executable_file(kdumpctl_exec_t) ++init_initrc_domain(kdumpctl_t) + + type kdumpctl_tmp_t; + files_tmp_file(kdumpctl_tmp_t) + + ##################################### + # +-# Local policy ++# kdump local policy + # + + allow kdump_t self:capability { sys_boot dac_override }; ++allow 
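Review bot: `kdump_admin` no longer requires or handles kdumpctl_t — the old `allow $1 { kdump_t kdumpctl_t }:process ...` and `ps_process_pattern` on both are replaced by kdump_t-only rules and `admin_pattern($1, kdumpctl_tmp_t)` is dropped — yet kdumpctl_t and kdumpctl_tmp_t remain declared in kdump.te, so an administrator given this interface can no longer signal or inspect kdumpctl processes or clean up their tmp files. If that is deliberate because kdumpctl_t is made unconfined later in this patch, say so in a comment; otherwise restore kdumpctl_t to the process rules and the tmp admin pattern. In the next hunk (`@@ -110,6 +275,10 @@`) the added `allow $1 kdump_unit_file_t:service all_service_perms;` duplicates what `kdump_systemctl($1)` two lines above already grants and can be dropped. `kdump_lock_t` is also absent from the admin patterns.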
kdump_t self:capability2 compromise_kernel; ++ ++manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) ++manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) ++manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) ++files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") ++ ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) + +-allow kdump_t kdump_etc_t:file read_file_perms; ++manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) ++manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) ++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file }) + +-files_read_etc_files(kdump_t) + files_read_etc_runtime_files(kdump_t) + files_read_kernel_img(kdump_t) + ++kernel_read_system_state(kdump_t) + kernel_read_core_if(kdump_t) + kernel_read_debugfs(kdump_t) +-kernel_read_system_state(kdump_t) + kernel_request_load_module(kdump_t) + ++mls_file_read_all_levels(kdump_t) ++ + dev_read_framebuffer(kdump_t) + dev_read_sysfs(kdump_t) + +@@ -48,22 +68,32 @@ term_use_console(kdump_t) + + ####################################### + # +-# Ctl local policy ++# kdumpctl local policy + # + ++#cjp:almost all rules are needed by dracut ++ ++kdump_domtrans(kdumpctl_t) ++ + allow kdumpctl_t self:capability { dac_override sys_chroot }; + allow kdumpctl_t self:process setfscreate; +-allow kdumpctl_t self:fifo_file rw_fifo_file_perms; +-allow kdumpctl_t self:unix_stream_socket { accept listen }; + +-allow kdumpctl_t kdump_etc_t:file read_file_perms; ++allow kdumpctl_t self:fifo_file rw_fifo_file_perms; ++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) ++manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) + manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) + manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) + files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) ++can_exec(kdumpctl_t, kdumpctl_tmp_t) ++ 
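Review bot: `allow kdump_t self:capability2 compromise_kernel;` is added with no comment; compromise_kernel is a coarse kernel-integrity override and the reason kdump_t needs it (presumably loading the crash kernel via kexec on kernels that enforce the check — confirm) should be stated on the line, e.g. `# kexec_load of the crash kernel needs compromise_kernel on kernels that enforce it`. The same hunk replaces `application_executable_file(kdumpctl_exec_t)` with `init_initrc_domain(kdumpctl_t)`, promoting kdumpctl from a user-executable tool to an initrc-class domain that init may transition into; that widening deserves a why-comment too. `kdump_crash_t` is declared as a plain `files_type`, so the dumps it labels are readable by any domain holding a `files_read_all_files`-style grant; a note on the declaration about what those dumps may contain would help future reviewers judge that exposure.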
++manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) ++manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) ++manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) ++files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash") + +-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) ++read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) + + kernel_read_system_state(kdumpctl_t) + +@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t) + corecmd_exec_shell(kdumpctl_t) + + dev_read_sysfs(kdumpctl_t) ++# dracut + dev_manage_all_dev_nodes(kdumpctl_t) + + domain_use_interactive_fds(kdumpctl_t) + + files_create_kernel_img(kdumpctl_t) +-files_read_etc_files(kdumpctl_t) + files_read_etc_runtime_files(kdumpctl_t) +-files_read_usr_files(kdumpctl_t) + files_read_kernel_modules(kdumpctl_t) + files_getattr_all_dirs(kdumpctl_t) ++files_delete_kernel(kdumpctl_t) + + fs_getattr_all_fs(kdumpctl_t) + fs_search_all(kdumpctl_t) + +-init_domtrans_script(kdumpctl_t) ++application_executable_ioctl(kdumpctl_t) ++ ++auth_read_passwd(kdumpctl_t) ++ + init_exec(kdumpctl_t) ++systemd_exec_systemctl(kdumpctl_t) ++systemd_read_unit_files(kdumpctl_t) + + libs_exec_ld_so(kdumpctl_t) + + logging_send_syslog_msg(kdumpctl_t) ++# Need log file from /var/log/dracut.log ++logging_write_generic_logs(kdumpctl_t) + +-miscfiles_read_localization(kdumpctl_t) ++optional_policy(` ++ gpg_exec(kdumpctl_t) ++') + + optional_policy(` +- gpg_exec(kdumpctl_t) ++ lvm_read_config(kdumpctl_t) + ') + + optional_policy(` +- lvm_read_config(kdumpctl_t) ++ modutils_domtrans_insmod(kdumpctl_t) ++ modutils_list_module_config(kdumpctl_t) ++ modutils_read_module_config(kdumpctl_t) + ') + + optional_policy(` +- modutils_domtrans_insmod(kdumpctl_t) +- modutils_read_module_config(kdumpctl_t) ++ plymouthd_domtrans_plymouth(kdumpctl_t) + ') + + optional_policy(` +- plymouthd_domtrans_plymouth(kdumpctl_t) ++ ssh_exec(kdumpctl_t) + ') + + optional_policy(` +- ssh_exec(kdumpctl_t) ++ 
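Review bot: `can_exec(kdumpctl_t, kdumpctl_tmp_t)` lets kdumpctl_t execute files it writes itself under its tmp type, and together with the added `manage_chr_files_pattern` on the same type this is effectively a writable-and-executable scratch area; the blanket `#cjp:almost all rules are needed by dracut` at the top of the section does not say which step needs execution. A why-comment on that line (e.g. `# dracut executes helper scripts from its temporary build tree`, if that is the case) would let a later reviewer decide whether the grant can be narrowed. Replacing the explicit `domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)` with `kdump_domtrans(kdumpctl_t)` is fine, though it now sits above the self rules rather than with the other domain interactions.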
unconfined_domain(kdumpctl_t) + ') +diff --git a/kdumpgui.if b/kdumpgui.if +index 182ab8b..8b1d9c2 100644 +--- a/kdumpgui.if ++++ b/kdumpgui.if +@@ -1 +1,23 @@ +-## System-config-kdump GUI. ++## system-config-kdump GUI ++ ++######################################## ++## ++## Send and receive messages from ++## kdumpgui over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdumpgui_dbus_chat',` ++ gen_require(` ++ type kdumpgui_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 kdumpgui_t:dbus send_msg; ++ allow kdumpgui_t $1:dbus send_msg; ++') ++ +diff --git a/kdumpgui.te b/kdumpgui.te +index e7f5c81..8c75bc8 100644 +--- a/kdumpgui.te ++++ b/kdumpgui.te +@@ -1,83 +1,92 @@ +-policy_module(kdumpgui, 1.1.4) ++policy_module(kdumpgui, 1.1.0) + + ######################################## + # + # Declarations + # + ++## ++##
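Review bot: The closing `optional_policy(` unconfined_domain(kdumpctl_t) ')` makes kdumpctl_t unconfined whenever the unconfined module is loaded, which is the usual configuration of the targeted policy this patch targets; every fine-grained rule added above it in this hunk (`files_delete_kernel`, `logging_write_generic_logs`, `systemd_exec_systemctl`, the modutils and lvm grants) is then redundant, and kdumpctl_t becomes an init-launched, systemctl-reachable domain with no effective confinement. If the dracut build genuinely cannot be confined yet, the line needs a comment saying so plus a tracking reference, and callers of `kdumpctl_domtrans` (kdumpgui_t gets it in this patch) should be told that transitioning into kdumpctl_t is equivalent to running unconfined. Otherwise keep the targeted rules and drop the `unconfined_domain` call.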

    ++## Allow s-c-kdump to run bootloader in bootloader_t. ++##

    ++##
    ++gen_tunable(kdumpgui_run_bootloader, false) ++ + type kdumpgui_t; + type kdumpgui_exec_t; +-init_system_domain(kdumpgui_t, kdumpgui_exec_t) ++init_daemon_domain(kdumpgui_t, kdumpgui_exec_t) + + type kdumpgui_tmp_t; + files_tmp_file(kdumpgui_tmp_t) + + ###################################### + # +-# Local policy ++# system-config-kdump local policy + # + + allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio }; +-allow kdumpgui_t self:process { setsched sigkill }; + allow kdumpgui_t self:fifo_file rw_fifo_file_perms; + allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow kdumpgui_t self:process { setsched sigkill }; + + manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) + manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) + files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) + +-kernel_getattr_core_if(kdumpgui_t) + kernel_read_system_state(kdumpgui_t) + kernel_read_network_state(kdumpgui_t) ++kernel_getattr_core_if(kdumpgui_t) + + corecmd_exec_bin(kdumpgui_t) + corecmd_exec_shell(kdumpgui_t) + +-dev_getattr_all_blk_files(kdumpgui_t) + dev_dontaudit_getattr_all_chr_files(kdumpgui_t) + dev_read_sysfs(kdumpgui_t) ++dev_read_urand(kdumpgui_t) ++dev_getattr_all_blk_files(kdumpgui_t) + + files_manage_boot_files(kdumpgui_t) + files_manage_boot_symlinks(kdumpgui_t) ++# Needed for running chkconfig + files_manage_etc_symlinks(kdumpgui_t) ++# for blkid.tab + files_manage_etc_runtime_files(kdumpgui_t) + files_etc_filetrans_etc_runtime(kdumpgui_t, file) +-files_read_usr_files(kdumpgui_t) + ++fs_manage_dos_files(kdumpgui_t) + fs_getattr_all_fs(kdumpgui_t) + fs_list_hugetlbfs(kdumpgui_t) +-fs_read_dos_files(kdumpgui_t) + + storage_raw_read_fixed_disk(kdumpgui_t) + storage_raw_write_fixed_disk(kdumpgui_t) ++storage_getattr_removable_dev(kdumpgui_t) + + auth_use_nsswitch(kdumpgui_t) + ++logging_send_syslog_msg(kdumpgui_t) + logging_list_logs(kdumpgui_t) + logging_read_generic_logs(kdumpgui_t) 
+-logging_send_syslog_msg(kdumpgui_t) +- +-miscfiles_read_localization(kdumpgui_t) + + mount_exec(kdumpgui_t) + + init_dontaudit_read_all_script_files(kdumpgui_t) ++init_access_check(kdumpgui_t) + +-optional_policy(` +- bootloader_exec(kdumpgui_t) +- bootloader_rw_config(kdumpgui_t) +-') ++userdom_dontaudit_search_admin_dir(kdumpgui_t) + + optional_policy(` +- consoletype_exec(kdumpgui_t) ++ tunable_policy(`kdumpgui_run_bootloader',` ++ bootloader_domtrans(kdumpgui_t) ++ #if s-c-kdump is involved ++ bootloader_manage_config(kdumpgui_t) ++ ',` ++ bootloader_exec(kdumpgui_t) ++ bootloader_manage_config(kdumpgui_t) ++ ') + ') + + optional_policy(` + dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) +- +- optional_policy(` +- policykit_dbus_chat(kdumpgui_t) +- ') + ') + + optional_policy(` +@@ -87,4 +96,10 @@ optional_policy(` + optional_policy(` + kdump_manage_config(kdumpgui_t) + kdump_initrc_domtrans(kdumpgui_t) ++ kdump_systemctl(kdumpgui_t) ++ kdumpctl_domtrans(kdumpgui_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(kdumpgui_t) + ') +diff --git a/kerberos.fc b/kerberos.fc +index 4fe75fd..8c702c9 100644 +--- a/kerberos.fc ++++ b/kerberos.fc +@@ -1,52 +1,44 @@ +-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) ++HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) ++/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + +-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) +-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) ++/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) + +-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/etc/krb5kdc(/.*)? 
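Review bot: The new `kdumpgui_run_bootloader` tunable is described as `Allow s-c-kdump to run bootloader in bootloader_t.`, but its false branch still runs the bootloader — in kdumpgui_t via `bootloader_exec` — and both branches call `bootloader_manage_config`, so the default `false` does not reduce what the GUI domain can do to the boot configuration; it only decides whether a separate domain and audit boundary exists. The tunable description and the `#if s-c-kdump is involved` comment should state that trade-off plainly, and if only one path is meant to be available the `bootloader_manage_config` call should live in the branch that needs it. Separately, the module version goes backwards (1.1.4 → 1.1.0, and likewise 1.2.3 → 1.2.0 in kdump.te); tooling that compares module versions may treat the result as a downgrade, so confirm that is intended.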
gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + + /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + +-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) ++/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) + /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) ++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) + +-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +- +-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +- +-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +- +-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + +-/var/cache/krb5rcache(/.*)? 
gen_context(system_u:object_r:krb5_host_rcache_t,s0) +- +-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) +- +-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) +-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) +-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) +- +-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++ ++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) ++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) ++ ++/var/cache/krb5rcache(/.*)? 
gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++ ++/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +diff --git a/kerberos.if b/kerberos.if +index f9de9fc..11e6268 100644 +--- a/kerberos.if ++++ b/kerberos.if +@@ -1,27 +1,29 @@ +-## MIT Kerberos admin and KDC. ++## MIT Kerberos admin and KDC ++## ++##
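Review bot: Several entries lose their `--` file-type qualifier (`/etc/krb5\.keytab`, `/var/kerberos/krb5kdc/principal.*\.ok`, `/var/log/krb5kdc\.log.*`, `/var/log/kadmin(d)?\.log.*`), so a directory or symlink at those paths would now be labeled krb5_keytab_t / krb5kdc_lock_t / krb5kdc_log_t as well — probably harmless, but inconsistent with the `--` kept on the two kadm5\.keytab entries in the same file. Keep `--` on the keytab and lock entries unless a non-regular object is genuinely expected there, and if the log patterns need to match directories, say so in a comment. The `/usr/(kerberos/)?sbin/` consolidation and the added `/var/tmp/DNS_25` rcache entry look fine.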

    ++## This policy supports: ++##

    ++##

    ++## Servers: ++##

      ++##
    • kadmind
    • ++##
    • krb5kdc
    • ++##
    ++##

    ++##

    ++## Clients: ++##

      ++##
    • kinit
    • ++##
    • kdestroy
    • ++##
    • klist
    • ++##
    • ksu (incomplete)
    • ++##
    ++##

    ++##
    + + ######################################## + ## +-## Role access for kerberos. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-template(`kerberos_role',` +- refpolicywarn(`$0($*) has been deprecated') +-') +- +-######################################## +-## +-## Execute kadmind in the caller domain. ++## Execute kadmind in the current domain + ## + ## + ## +@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',` + type kadmind_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, kadmind_exec_t) + ') + +@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',` + type kpropd_t, kpropd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, kpropd_exec_t, kpropd_t) + ') + + ######################################## + ## +-## Support kerberos services. ++## Use kerberos services + ## + ## + ## +@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',` + # + interface(`kerberos_use',` + gen_require(` +- type krb5kdc_conf_t, krb5_host_rcache_t; ++ type krb5_conf_t, krb5kdc_conf_t; ++ type krb5_host_rcache_t; + ') + +- kerberos_read_config($1) +- +- dontaudit $1 krb5_conf_t:file write_file_perms; ++ files_search_etc($1) ++ read_files_pattern($1, krb5_conf_t, krb5_conf_t) ++ dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + ++ #kerberos libraries are attempting to set the correct file context + dontaudit $1 self:process setfscreate; +- + selinux_dontaudit_validate_context($1) +- seutil_dontaudit_read_file_contexts($1) ++ seutil_read_file_contexts($1) + +- tunable_policy(`allow_kerberos',` ++ tunable_policy(`kerberos_enabled',` + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + 
corenet_udp_sendrecv_generic_node($1) +- +- corenet_sendrecv_kerberos_client_packets($1) +- corenet_tcp_connect_kerberos_port($1) + corenet_tcp_sendrecv_kerberos_port($1) + corenet_udp_sendrecv_kerberos_port($1) +- +- corenet_sendrecv_ocsp_client_packets($1) ++ corenet_tcp_bind_generic_node($1) ++ corenet_udp_bind_generic_node($1) ++ corenet_tcp_connect_kerberos_port($1) + corenet_tcp_connect_ocsp_port($1) +- corenet_tcp_sendrecv_ocsp_port($1) ++ corenet_sendrecv_kerberos_client_packets($1) ++ corenet_sendrecv_ocsp_client_packets($1) + ++ allow $1 krb5_host_rcache_t:dir search_dir_perms; + allow $1 krb5_host_rcache_t:file getattr_file_perms; + ') + + optional_policy(` +- tunable_policy(`allow_kerberos',` ++ tunable_policy(`kerberos_enabled',` + pcscd_stream_connect($1) + ') + ') +@@ -119,7 +118,7 @@ interface(`kerberos_use',` + + ######################################## + ## +-## Read kerberos configuration files. ++## Read the kerberos configuration file (/etc/krb5.conf). + ## + ## + ## +@@ -135,15 +134,13 @@ interface(`kerberos_read_config',` + + files_search_etc($1) + allow $1 krb5_conf_t:file read_file_perms; +- +- userdom_search_user_home_dirs($1) + allow $1 krb5_home_t:file read_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write +-## kerberos configuration files. ++## Do not audit attempts to write the kerberos ++## configuration file (/etc/krb5.conf). + ## + ## + ## +@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',` + type krb5_conf_t; + ') + +- dontaudit $1 krb5_conf_t:file write_file_perms; ++ dontaudit $1 krb5_conf_t:file write; + ') + + ######################################## + ## +-## Read and write kerberos +-## configuration files. ++## Read and write the kerberos configuration file (/etc/krb5.conf). + ## + ## + ## +@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## kerberos home files. 
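Review bot: In `kerberos_use`, `seutil_dontaudit_read_file_contexts($1)` becomes `seutil_read_file_contexts($1)` outside the `kerberos_enabled` tunable, so every kerberos-using domain now reads file_contexts unconditionally even when kerberos is disabled; the comment `#kerberos libraries are attempting to set the correct file context` explains setfscreate but not why a real grant replaces the dontaudit, and moving the grant inside the tunable would keep the disabled case tight. The rename `allow_kerberos` → `kerberos_enabled` must be matched by the `gen_tunable` in kerberos.te (not in this hunk) and by any local policy or booleans file that sets the old name. The hunk also adds `corenet_tcp_bind_generic_node`/`corenet_udp_bind_generic_node`, letting every kerberos client bind sockets, which deserves its own why-comment.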
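Review bot: `kerberos_read_config` keeps `allow $1 krb5_home_t:file read_file_perms;` but loses `userdom_search_user_home_dirs($1)`, so a caller that does not already hold search on home directories can no longer reach ~/.k5login through this interface even though the file grant remains. Either restore the search call or drop the krb5_home_t rule here and point callers at the new `kerberos_read_home_content` interface added at the end of this file, which still pairs the search with the read; keeping half of the pair is the confusing option.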
+-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`kerberos_manage_krb5_home_files',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Relabel kerberos home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`kerberos_relabel_krb5_home_files',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file relabel_file_perms; +-') +- +-######################################## +-## +-## Create objects in user home +-## directories with the krb5 home type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`kerberos_home_filetrans_krb5_home',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) +-') +- +-######################################## +-## +-## Read kerberos key table files. ++## Read the kerberos key table. + ## + ## + ## +@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',` + + ######################################## + ## +-## Read and write kerberos key table files. ++## Read/Write the kerberos key table. + ## + ## + ## +@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',` + + ######################################## + ## +-## Create, read, write, and delete +-## kerberos key table files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`kerberos_manage_keytab_files',` +- gen_require(` +- type krb5_keytab_t; +- ') +- +- files_search_etc($1) +- allow $1 krb5_keytab_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in generic +-## etc directories with the kerberos +-## keytab file type. 
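Review bot: This hunk deletes three public interfaces — `kerberos_manage_krb5_home_files`, `kerberos_relabel_krb5_home_files` and `kerberos_home_filetrans_krb5_home` — with no deprecation stub, so any module that still calls them (not visible here) fails to link rather than warn. Keeping a `refpolicywarn` shim for each, as the old `kerberos_role` template did, or listing the updated callers in the commit message, would make the removal safe to review.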
++## Create keytab file in /etc + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## + ## + ## + ## The name of the object being created. +@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',` + type krb5_keytab_t; + ') + +- files_etc_filetrans($1, krb5_keytab_t, $2, $3) ++ allow $1 krb5_keytab_t:file manage_file_perms; ++ files_etc_filetrans($1, krb5_keytab_t, file, $2) + ') + + ######################################## + ## +-## Create a derived type for kerberos +-## keytab files. ++## Create a derived type for kerberos keytab + ## + ## + ## +@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',` + ## + # + template(`kerberos_keytab_template',` +- +- ######################################## +- # +- # Declarations +- # +- + type $1_keytab_t; + files_type($1_keytab_t) + +- ######################################## +- # +- # Policy +- # ++ allow $2 self:process setfscreate; ++ allow $2 $1_keytab_t:file read_file_perms; + +- allow $2 $1_keytab_t:file read_file_perms; ++ seutil_read_file_contexts($2) ++ seutil_read_config($2) ++ selinux_get_enforce_mode($2) + + kerberos_read_keytab($2) + kerberos_use($2) +@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',` + + ######################################## + ## +-## Read kerberos kdc configuration files. ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). + ## + ## + ## +@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## kerberos host rcache files. ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). 
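Review bot: `kerberos_etc_filetrans_keytab` changes its parameter list from `($1, class, name)` to `($1, name)` — `files_etc_filetrans($1, krb5_keytab_t, $2, $3)` becomes `files_etc_filetrans($1, krb5_keytab_t, file, $2)` — and an existing caller passing three arguments now has its class argument silently used as the file name; the same signature change is made to `kerberos_tmp_filetrans_host_rcache` in `@@ -452,12 +411,13 @@` below. Both interfaces also gain `manage_file_perms`/`manage_files_pattern` on the target type, so a filetrans helper now doubles as a manage grant; the summary `## Create keytab file in /etc` undersells that and should say callers receive create, write and delete on every keytab. The `kerberos_keytab_template` hunk adds `setfscreate`, `seutil_read_config` and `selinux_get_enforce_mode` to every derived service domain with no comment on why a keytab reader needs them.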
+ ## + ## + ## +@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',` + type krb5_host_rcache_t; + ') + ++ # creates files as system_u no matter what the selinux user ++ # cjp: should be in the below tunable but typeattribute ++ # does not work in conditionals + domain_obj_id_change_exemption($1) + +- tunable_policy(`allow_kerberos',` ++ tunable_policy(`kerberos_enabled',` + allow $1 self:process setfscreate; + + selinux_validate_context($1) + + seutil_read_file_contexts($1) + ++ files_rw_generic_tmp_dir($1) ++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) + files_search_tmp($1) +- allow $1 krb5_host_rcache_t:file manage_file_perms; + ') + ') + + ######################################## + ## +-## Create objects in generic temporary +-## directories with the kerberos host +-## rcache type. ++## All of the rules required to administrate ++## an kerberos environment + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## +-## ++## + ## +-## Class of the object being created. ++## The role to be allowed to manage the kerberos domain. 
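Review bot: The summary of `kerberos_manage_host_rcache` is replaced by `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, which is the text of `kerberos_read_kdc_config` immediately above and does not describe this interface at all; it should read `## Create, read, write, and delete kerberos host rcache files.` (the wording the hunk removes). The body, which begins in the next hunk, grants manage on krb5_host_rcache_t and `files_rw_generic_tmp_dir`, so a reader trusting the summary would badly underestimate what callers receive.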
++## ++## ++## ++# ++interface(`kerberos_admin',` ++ gen_require(` ++ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; ++ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; ++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; ++ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; ++ type krb5kdc_var_run_t, krb5_host_rcache_t; ++ ') ++ ++ allow $1 kadmind_t:process signal_perms; ++ ps_process_pattern($1, kadmind_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kadmind_t:process ptrace; ++ allow $1 krb5kdc_t:process ptrace; ++ allow $1 kpropd_t:process ptrace; ++ ') ++ ++ allow $1 krb5kdc_t:process signal_perms; ++ ps_process_pattern($1, krb5kdc_t) ++ ++ allow $1 kpropd_t:process signal_perms; ++ ps_process_pattern($1, kpropd_t) ++ ++ init_labeled_script_domtrans($1, kerberos_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 kerberos_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_list_logs($1) ++ admin_pattern($1, kadmind_log_t) ++ ++ files_list_tmp($1) ++ admin_pattern($1, kadmind_tmp_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, kadmind_var_run_t) ++ ++ admin_pattern($1, krb5_conf_t) ++ ++ admin_pattern($1, krb5_host_rcache_t) ++ ++ admin_pattern($1, krb5_keytab_t) ++ ++ admin_pattern($1, krb5kdc_principal_t) ++ ++ admin_pattern($1, krb5kdc_tmp_t) ++ ++ admin_pattern($1, krb5kdc_var_run_t) ++') ++ ++######################################## ++## ++## Type transition files created in /tmp ++## to the krb5_host_rcache type. ++## ++## ++## ++## Domain allowed access. + ## + ## + ## +@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` + type krb5_host_rcache_t; + ') + +- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) ++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) ++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) + ') + + ######################################## + ## +-## Connect to krb524 service. 
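Review bot: In the rewritten kerberos_admin, `krb5kdc_conf_t` is listed in gen_require but no rule in the new body references it, and the `files_list_etc($1)` that preceded `admin_pattern($1, krb5_conf_t)` in the removed version has no counterpart. If the filetrans rules that used krb5kdc_conf_t moved to kerberos_filetrans_named_content (added later in this file), drop the unused type from gen_require; otherwise add `admin_pattern($1, krb5kdc_conf_t)`. Re-adding `files_list_etc($1)` next to the krb5_conf_t rule keeps the admin able to reach /etc without relying on grants from elsewhere. The per-domain ptrace rules inside the `deny_ptrace` block are correct; they could be one rule over `{ kadmind_t krb5kdc_t kpropd_t }`, which also fixes the removed version's `kpropd` typo in a single place.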
++## read kerberos homedir content (.k5login) + ## + ## + ## +@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` + ## + ## + # +-interface(`kerberos_connect_524',` +- tunable_policy(`allow_kerberos',` +- allow $1 self:udp_socket create_socket_perms; +- +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) +- corenet_udp_sendrecv_generic_if($1) +- corenet_udp_sendrecv_generic_node($1) +- +- corenet_sendrecv_kerberos_master_client_packets($1) +- corenet_udp_sendrecv_kerberos_master_port($1) ++interface(`kerberos_read_home_content',` ++ gen_require(` ++ type krb5_home_t; + ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, krb5_home_t, krb5_home_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an kerberos environment. ++## create kerberos content in the in the /root directory ++## with an correct label. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`kerberos_filetrans_admin_home_content',` ++ gen_require(` ++ type krb5_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++') ++ ++######################################## ++## ++## Transition to kerberos named content ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. 
+ ## + ## +-## + # +-interface(`kerberos_admin',` ++interface(`kerberos_filetrans_home_content',` + gen_require(` +- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; +- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; +- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; +- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; +- type krb5kdc_var_run_t, krb5_host_rcache_t; ++ type krb5_home_t; + ') + +- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; +- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd }) +- +- init_labeled_script_domtrans($1, kerberos_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 kerberos_initrc_exec_t system_r; +- allow $2 system_r; +- +- logging_list_logs($1) +- admin_pattern($1, kadmind_log_t) +- +- files_list_tmp($1) +- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t }) +- +- kerberos_tmp_filetrans_host_rcache($1, file, "host_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") +- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") +- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") +- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +- +- files_list_pids($1) +- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) ++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") ++') + +- files_list_etc($1) +- admin_pattern($1, krb5_conf_t) ++######################################## ++## ++## Transition to kerberos named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`kerberos_filetrans_named_content',` ++ gen_require(` ++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; ++ type krb5kdc_principal_t; ++ ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") +- +- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) +- ++ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") +- +- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab") ++ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") ++ ++ kerberos_etc_filetrans_keytab($1, "krb5.keytab") ++ kerberos_filetrans_admin_home_content($1) ++ ++ kerberos_tmp_filetrans_host_rcache($1, "DNS_25") ++ kerberos_tmp_filetrans_host_rcache($1, "host_0") ++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") ++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48") ++ kerberos_tmp_filetrans_host_rcache($1, "imap_0") ++ kerberos_tmp_filetrans_host_rcache($1, "nfs_0") ++ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache($1, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") + ') +diff --git a/kerberos.te b/kerberos.te +index 3465a9a..353c4ce 100644 +--- a/kerberos.te ++++ b/kerberos.te +@@ -1,4 +1,4 @@ +-policy_module(kerberos, 1.11.7) ++policy_module(kerberos, 1.11.0) + + ######################################## + # +@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7) + # + + ## +-##
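Review bot: kerberos_filetrans_named_content keeps a commented-out duplicate `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` directly under the live rule for the same name; delete it rather than leave dead policy text. The new kerberos_filetrans_home_content and kerberos_filetrans_named_content interfaces share the summary `## Transition to kerberos named content`, so one of them should say what it actually does, e.g. `## Label .k5login created in user home directories as krb5_home_t.` for the home-content one. Note also that this interface calls kerberos_etc_filetrans_keytab and kerberos_tmp_filetrans_host_rcache, which in this patch now carry manage permissions, so a caller asking only for name-based transitions also receives write access to keytabs and rcache files; that should be either intended and documented here, or fixed in those interfaces.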

    +-## Determine whether kerberos is supported. +-##

    ++##

    ++## Allow confined applications to run with kerberos. ++##

    + ##
    +-gen_tunable(allow_kerberos, false) ++gen_tunable(kerberos_enabled, false) + + type kadmind_t; + type kadmind_exec_t; +@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) + domain_obj_id_change_exemption(kpropd_t) + + type krb5_conf_t; +-files_type(krb5_conf_t) ++files_config_file(krb5_conf_t) + + type krb5_home_t; + userdom_user_home_content(krb5_home_t) + +-type krb5_host_rcache_t; ++type krb5_host_rcache_t alias saslauthd_tmp_t; + files_tmp_file(krb5_host_rcache_t) + ++# types for general configuration files in /etc + type krb5_keytab_t; + files_security_file(krb5_keytab_t) + ++# types for KDC configs and principal file(s) + type krb5kdc_conf_t; +-files_type(krb5kdc_conf_t) ++files_config_file(krb5kdc_conf_t) + + type krb5kdc_lock_t; +-files_type(krb5kdc_lock_t) ++files_lock_file(krb5kdc_lock_t) + ++ ++# types for KDC principal file(s) + type krb5kdc_principal_t; + files_type(krb5kdc_principal_t) + +@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) + # kadmind local policy + # + ++# Use capabilities. Surplus capabilities may be allowed. 
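Review bot: Renaming the boolean from `allow_kerberos` to `kerberos_enabled` silently discards any administrator setting stored under the old name, and any tunable_policy block outside this module that still references `allow_kerberos` will fail to build. The kerberos.if hunks in this patch are updated consistently, but other modules are outside this view, so the description should call the rename out and the package should consider a migration note for the old boolean.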
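Review bot: The comment `# types for general configuration files in /etc` is placed above `type krb5_keytab_t;`, which the next line declares with files_security_file — a keytab holds long-term keys and is not a general configuration file, so the comment points readers at the wrong type; `# keytabs hold long-term keys; labeled as a security file` would be accurate, and the generic-config remark belongs above krb5_conf_t. The two comments `# types for KDC configs and principal file(s)` and `# types for KDC principal file(s)` say nearly the same thing over adjacent declarations; keep one. The new `alias saslauthd_tmp_t` on krb5_host_rcache_t is presumably a compatibility alias for an older label; a one-line comment naming why it exists would keep it from being removed in a later cleanup.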
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; +-dontaudit kadmind_t self:capability sys_tty_config; + allow kadmind_t self:capability2 block_suspend; ++dontaudit kadmind_t self:capability sys_tty_config; + allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; + allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; +-allow kadmind_t self:tcp_socket { accept listen }; ++allow kadmind_t self:unix_dgram_socket { connect create write }; ++allow kadmind_t self:tcp_socket connected_stream_socket_perms; + allow kadmind_t self:udp_socket create_socket_perms; + +-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow kadmind_t kadmind_log_t:file manage_file_perms; + logging_log_filetrans(kadmind_t, kadmind_log_t, file) + + allow kadmind_t krb5_conf_t:file read_file_perms; +-dontaudit kadmind_t krb5_conf_t:file write_file_perms; ++dontaudit kadmind_t krb5_conf_t:file write; + +-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) +-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; ++manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) + + allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + + allow kadmind_t krb5kdc_principal_t:file manage_file_perms; + filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) + ++can_exec(kadmind_t, kadmind_exec_t) ++ + manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) + manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) + files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) +@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) + manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) + files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) + +-can_exec(kadmind_t, kadmind_exec_t) +- + kernel_read_kernel_sysctls(kadmind_t) ++kernel_list_proc(kadmind_t) + 
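Review bot: `manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)` replaces a read rule plus a dontaudit of writes, so kadmind — a network-facing daemon — can now create, modify and delete the KDC configuration files this patch's declaration comment describes krb5kdc_conf_t as covering. If the intent is only to let kadmind create files inside the krb5kdc_conf_t directory (the `filetrans_pattern` rules below target that directory), `rw_dirs_pattern` on the directory plus the existing `read_files_pattern` is the narrower grant; if kadmind genuinely rewrites those files, a comment naming which ones would justify the rule. The hunk also widens `tcp_socket` from `{ accept listen }` to connected_stream_socket_perms and adds `unix_dgram_socket { connect create write }` without comment; the latter looks like syslog access, which `logging_send_syslog_msg(kadmind_t)` below presumably already covers, so it may be redundant.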
kernel_read_network_state(kadmind_t) ++kernel_read_proc_symlinks(kadmind_t) + kernel_read_system_state(kadmind_t) + +-corenet_all_recvfrom_unlabeled(kadmind_t) ++corecmd_exec_bin(kadmind_t) ++corecmd_exec_shell(kadmind_t) ++ + corenet_all_recvfrom_netlabel(kadmind_t) + corenet_tcp_sendrecv_generic_if(kadmind_t) + corenet_udp_sendrecv_generic_if(kadmind_t) +@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) + corenet_udp_sendrecv_all_ports(kadmind_t) + corenet_tcp_bind_generic_node(kadmind_t) + corenet_udp_bind_generic_node(kadmind_t) +- +-corenet_sendrecv_all_server_packets(kadmind_t) + corenet_tcp_bind_kerberos_admin_port(kadmind_t) ++corenet_tcp_bind_kerberos_password_port(kadmind_t) + corenet_udp_bind_kerberos_admin_port(kadmind_t) ++corenet_udp_bind_kerberos_password_port(kadmind_t) + corenet_tcp_bind_reserved_port(kadmind_t) ++corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) ++corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) ++corenet_sendrecv_kerberos_password_server_packets(kadmind_t) ++corenet_tcp_connect_kprop_port(kadmind_t) + + dev_read_sysfs(kadmind_t) ++dev_read_rand(kadmind_t) ++dev_read_urand(kadmind_t) + + fs_getattr_all_fs(kadmind_t) + fs_search_auto_mountpoints(kadmind_t) ++fs_rw_anon_inodefs_files(kadmind_t) + + domain_use_interactive_fds(kadmind_t) + +-files_read_etc_files(kadmind_t) +-files_read_usr_files(kadmind_t) ++files_read_usr_symlinks(kadmind_t) + files_read_var_files(kadmind_t) + + selinux_validate_context(kadmind_t) + ++auth_read_passwd(kadmind_t) ++ + logging_send_syslog_msg(kadmind_t) + +-miscfiles_read_localization(kadmind_t) ++miscfiles_read_generic_certs(kadmind_t) + ++seutil_read_config(kadmind_t) + seutil_read_file_contexts(kadmind_t) + ++sysnet_read_config(kadmind_t) + sysnet_use_ldap(kadmind_t) + + userdom_dontaudit_use_unpriv_user_fds(kadmind_t) +@@ -154,6 +173,10 @@ optional_policy(` + ') + + optional_policy(` ++ dirsrv_stream_connect(kadmind_t) ++') ++ ++optional_policy(` + 
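Review bot: `corecmd_exec_bin(kadmind_t)` and `corecmd_exec_shell(kadmind_t)` are added to a daemon that handles administrator credentials over the network, with no comment naming the helper it runs. Together with the following hunk's `corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)` and the new password-port binds, the profile moves toward a general one, which weakens what the policy can say about kadmind after a compromise. If a specific program is executed, record it above the rule, e.g. `# kadmind execs <program> — confirm`, and consider whether a domain transition for that program would be tighter than executing it in kadmind_t.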
nis_use_ypbind(kadmind_t) + ') + +@@ -174,24 +197,27 @@ optional_policy(` + # Krb5kdc local policy + # + ++# Use capabilities. Surplus capabilities may be allowed. + allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; +-dontaudit krb5kdc_t self:capability sys_tty_config; + allow krb5kdc_t self:capability2 block_suspend; ++dontaudit krb5kdc_t self:capability sys_tty_config; + allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; + allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; +-allow krb5kdc_t self:tcp_socket { accept listen }; ++allow krb5kdc_t self:tcp_socket create_stream_socket_perms; + allow krb5kdc_t self:udp_socket create_socket_perms; + allow krb5kdc_t self:fifo_file rw_fifo_file_perms; + + allow krb5kdc_t krb5_conf_t:file read_file_perms; + dontaudit krb5kdc_t krb5_conf_t:file write; + ++can_exec(krb5kdc_t, krb5kdc_exec_t) ++ + read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) +-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms; ++dontaudit krb5kdc_t krb5kdc_conf_t:file write; + + allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + +-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; + logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) + + allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; +@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) + manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) + files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) + +-can_exec(krb5kdc_t, krb5kdc_exec_t) +- + kernel_read_system_state(krb5kdc_t) + kernel_read_kernel_sysctls(krb5kdc_t) ++kernel_list_proc(krb5kdc_t) ++kernel_read_proc_symlinks(krb5kdc_t) + kernel_read_network_state(krb5kdc_t) + kernel_search_network_sysctl(krb5kdc_t) + + corecmd_exec_bin(krb5kdc_t) + 
+-corenet_all_recvfrom_unlabeled(krb5kdc_t) + corenet_all_recvfrom_netlabel(krb5kdc_t) + corenet_tcp_sendrecv_generic_if(krb5kdc_t) + corenet_udp_sendrecv_generic_if(krb5kdc_t) + corenet_tcp_sendrecv_generic_node(krb5kdc_t) + corenet_udp_sendrecv_generic_node(krb5kdc_t) ++corenet_tcp_sendrecv_all_ports(krb5kdc_t) ++corenet_udp_sendrecv_all_ports(krb5kdc_t) + corenet_tcp_bind_generic_node(krb5kdc_t) + corenet_udp_bind_generic_node(krb5kdc_t) +- +-corenet_sendrecv_kerberos_server_packets(krb5kdc_t) + corenet_tcp_bind_kerberos_port(krb5kdc_t) + corenet_udp_bind_kerberos_port(krb5kdc_t) +-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t) +-corenet_udp_sendrecv_kerberos_port(krb5kdc_t) +- +-corenet_sendrecv_ocsp_client_packets(krb5kdc_t) + corenet_tcp_connect_ocsp_port(krb5kdc_t) +-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t) ++corenet_sendrecv_kerberos_server_packets(krb5kdc_t) ++corenet_sendrecv_ocsp_client_packets(krb5kdc_t) + + dev_read_sysfs(krb5kdc_t) ++dev_read_urand(krb5kdc_t) + + fs_getattr_all_fs(krb5kdc_t) + fs_search_auto_mountpoints(krb5kdc_t) ++fs_rw_anon_inodefs_files(krb5kdc_t) + + domain_use_interactive_fds(krb5kdc_t) + +-files_read_etc_files(krb5kdc_t) + files_read_usr_symlinks(krb5kdc_t) + files_read_var_files(krb5kdc_t) + + selinux_validate_context(krb5kdc_t) + ++auth_read_passwd(krb5kdc_t) ++ + logging_send_syslog_msg(krb5kdc_t) + + miscfiles_read_generic_certs(krb5kdc_t) +-miscfiles_read_localization(krb5kdc_t) + + seutil_read_file_contexts(krb5kdc_t) + ++sysnet_read_config(krb5kdc_t) + sysnet_use_ldap(krb5kdc_t) + + userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) +@@ -261,11 +286,11 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(krb5kdc_t) ++ dirsrv_stream_connect(krb5kdc_t) + ') + + optional_policy(` +- sssd_read_public_files(krb5kdc_t) ++ nis_use_ypbind(krb5kdc_t) + ') + + optional_policy(` +@@ -273,6 +298,10 @@ optional_policy(` + ') + + optional_policy(` ++ sssd_read_public_files(krb5kdc_t) ++') ++ ++optional_policy(` + 
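Review bot: For krb5kdc_t the specific `corenet_tcp_sendrecv_kerberos_port`, `corenet_udp_sendrecv_kerberos_port` and `corenet_tcp_sendrecv_ocsp_port` rules are removed and replaced by `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports`, while the bind rules stay port-specific. The packet-level rules (`corenet_sendrecv_kerberos_server_packets`, `corenet_sendrecv_ocsp_client_packets`) are kept, so the loosening only matters where SECMARK is not configured, but that is the common deployment; a comment recording why the KDC needs traffic on arbitrary ports, or restoring the three port rules, would make the intent reviewable. The `fs_rw_anon_inodefs_files` and `auth_read_passwd` additions are plausible but unexplained; a short why-comment on each (hedged if the exact trigger is not known) would help.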
udev_read_db(krb5kdc_t) + ') + +@@ -281,10 +310,12 @@ optional_policy(` + # kpropd local policy + # + ++allow kpropd_t self:capability net_bind_service; + allow kpropd_t self:process setfscreate; +-allow kpropd_t self:fifo_file rw_fifo_file_perms; +-allow kpropd_t self:unix_stream_socket { accept listen }; +-allow kpropd_t self:tcp_socket { accept listen }; ++ ++allow kpropd_t self:fifo_file rw_file_perms; ++allow kpropd_t self:unix_stream_socket create_stream_socket_perms; ++allow kpropd_t self:tcp_socket create_stream_socket_perms; + + allow kpropd_t krb5_host_rcache_t:file manage_file_perms; + +@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) + + corecmd_exec_bin(kpropd_t) + +-corenet_all_recvfrom_unlabeled(kpropd_t) + corenet_tcp_sendrecv_generic_if(kpropd_t) + corenet_tcp_sendrecv_generic_node(kpropd_t) ++corenet_tcp_sendrecv_all_ports(kpropd_t) + corenet_tcp_bind_generic_node(kpropd_t) +- +-corenet_sendrecv_kprop_server_packets(kpropd_t) + corenet_tcp_bind_kprop_port(kpropd_t) +-corenet_tcp_sendrecv_kprop_port(kpropd_t) + + dev_read_urand(kpropd_t) + +-files_read_etc_files(kpropd_t) + files_search_tmp(kpropd_t) + + selinux_validate_context(kpropd_t) + + logging_send_syslog_msg(kpropd_t) + +-miscfiles_read_localization(kpropd_t) +- + seutil_read_file_contexts(kpropd_t) + + sysnet_dns_name_resolve(kpropd_t) +diff --git a/kerneloops.if b/kerneloops.if +index 714448f..fa0c994 100644 +--- a/kerneloops.if ++++ b/kerneloops.if +@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',` + # + interface(`kerneloops_admin',` + gen_require(` +- type kerneloops_t, kerneloops_initrc_exec_t; +- type kerneloops_tmp_t; ++ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; + ') + +- allow $1 kerneloops_t:process { ptrace signal_perms }; ++ allow $1 kerneloops_t:process signal_perms; + ps_process_pattern($1, kerneloops_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kerneloops_t:process ptrace; ++ ') ++ + 
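Review bot: `allow kpropd_t self:fifo_file rw_file_perms;` applies the regular-file permission set to the fifo_file class where the removed line used `rw_fifo_file_perms`; the two sets overlap almost entirely today, but the fifo set is what the rest of the module uses (`allow krb5kdc_t self:fifo_file rw_fifo_file_perms;` earlier in this file), so keep `rw_fifo_file_perms` for consistency and against any future divergence. The new `net_bind_service` capability pairs with `corenet_tcp_bind_kprop_port` and is fine, but `corenet_tcp_sendrecv_all_ports(kpropd_t)` in the following hunk replaces the kprop-specific sendrecv rule for a service that only speaks kprop; the narrower rule is preferable unless there is a known reason.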
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kerneloops_initrc_exec_t system_r; +diff --git a/kerneloops.te b/kerneloops.te +index 1101985..7f1061d 100644 +--- a/kerneloops.te ++++ b/kerneloops.te +@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t) + + domain_use_interactive_fds(kerneloops_t) + +-corenet_all_recvfrom_unlabeled(kerneloops_t) + corenet_all_recvfrom_netlabel(kerneloops_t) + corenet_tcp_sendrecv_generic_if(kerneloops_t) + corenet_tcp_sendrecv_generic_node(kerneloops_t) +@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t) + logging_send_syslog_msg(kerneloops_t) + logging_read_generic_logs(kerneloops_t) + +-miscfiles_read_localization(kerneloops_t) +- + optional_policy(` + dbus_system_domain(kerneloops_t, kerneloops_exec_t) + ') +diff --git a/keyboardd.if b/keyboardd.if +index 8982b91..6134ef2 100644 +--- a/keyboardd.if ++++ b/keyboardd.if +@@ -1,19 +1,39 @@ +-## Xorg.conf keyboard layout callout. + +-###################################### ++## policy for system-setup-keyboard daemon ++ ++######################################## + ## +-## Read keyboardd unnamed pipes. ++## Execute a domain transition to run keyboard setup daemon. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # +-interface(`keyboardd_read_pipes',` ++interface(`keyboardd_domtrans',` + gen_require(` +- type keyboardd_t; ++ type keyboardd_t, keyboardd_exec_t; ++ ') ++ ++ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t) ++') ++ ++###################################### ++## ++## Allow attempts to read to ++## keyboardd unnamed pipes. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`keyboardd_read_pipes',` ++ gen_require(` ++ type keyboardd_t; + ') + +- allow $1 keyboardd_t:fifo_file read_fifo_file_perms; ++ allow $1 keyboardd_t:fifo_file read_fifo_file_perms; + ') +diff --git a/keyboardd.te b/keyboardd.te +index adfe3dc..a60b664 100644 +--- a/keyboardd.te ++++ b/keyboardd.te +@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; + + files_manage_etc_runtime_files(keyboardd_t) + files_etc_filetrans_etc_runtime(keyboardd_t, file) +-files_read_etc_files(keyboardd_t) +- +-miscfiles_read_localization(keyboardd_t) +diff --git a/keystone.fc b/keystone.fc +index b273d80..186cd86 100644 +--- a/keystone.fc ++++ b/keystone.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0) ++ + /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) + + /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) +diff --git a/keystone.if b/keystone.if +index d3e7fc9..f20248c 100644 +--- a/keystone.if ++++ b/keystone.if +@@ -1,42 +1,218 @@ +-## Python implementation of the OpenStack identity service API. ++ ++## policy for keystone + + ######################################## + ## +-## All of the rules required to +-## administrate an keystone environment. ++## Transition to keystone. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keystone_domtrans',` ++ gen_require(` ++ type keystone_t, keystone_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, keystone_exec_t, keystone_t) ++') ++######################################## ++## ++## Read keystone's log files. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++## ++# ++interface(`keystone_read_log',` ++ gen_require(` ++ type keystone_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, keystone_log_t, keystone_log_t) ++') ++ ++######################################## ++## ++## Append to keystone log files. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. ++## ++## ++# ++interface(`keystone_append_log',` ++ gen_require(` ++ type keystone_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, keystone_log_t, keystone_log_t) ++') ++ ++######################################## ++## ++## Manage keystone log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`keystone_manage_log',` ++ gen_require(` ++ type keystone_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, keystone_log_t, keystone_log_t) ++ manage_files_pattern($1, keystone_log_t, keystone_log_t) ++ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t) ++') ++ ++######################################## ++## ++## Search keystone lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`keystone_search_lib',` ++ gen_require(` ++ type keystone_var_lib_t; ++ ') ++ ++ allow $1 keystone_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read keystone lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`keystone_read_lib_files',` ++ gen_require(` ++ type keystone_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t) ++') ++ ++######################################## ++## ++## Manage keystone lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`keystone_manage_lib_files',` ++ gen_require(` ++ type keystone_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t) ++') ++ ++######################################## ++## ++## Manage keystone lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`keystone_manage_lib_dirs',` ++ gen_require(` ++ type keystone_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t) ++') ++ ++######################################## ++## ++## Execute keystone server in the keystone domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keystone_systemctl',` ++ gen_require(` ++ type keystone_t; ++ type keystone_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 keystone_unit_file_t:file read_file_perms; ++ allow $1 keystone_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, keystone_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an keystone environment ++## ++## ++## ++## Domain allowed access. 
+ ## + ## +-## + # + interface(`keystone_admin',` + gen_require(` +- type keystone_t, keystone_initrc_exec_t, keystone_log_t; +- type keystone_var_lib_t, keystone_tmp_t; ++ type keystone_t; ++ type keystone_log_t; ++ type keystone_var_lib_t; ++ type keystone_unit_file_t; + ') + + allow $1 keystone_t:process { ptrace signal_perms }; + ps_process_pattern($1, keystone_t) + +- init_labeled_script_domtrans($1, keystone_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 keystone_initrc_exec_t system_r; +- allow $2 system_r; +- + logging_search_logs($1) + admin_pattern($1, keystone_log_t) + +- files_search_var_lib($1 ++ files_search_var_lib($1) + admin_pattern($1, keystone_var_lib_t) + +- files_search_tmp($1) +- admin_pattern($1, keystone_tmp_t) ++ keystone_systemctl($1) ++ admin_pattern($1, keystone_unit_file_t) ++ allow $1 keystone_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/keystone.te b/keystone.te +index 3494d9b..a82637c 100644 +--- a/keystone.te ++++ b/keystone.te +@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) + type keystone_tmp_t; + files_tmp_file(keystone_tmp_t) + ++type keystone_unit_file_t; ++systemd_unit_file(keystone_unit_file_t) ++ + ######################################## + # + # Local policy + # ++allow keystone_t self:process { getsched setsched }; + + allow keystone_t self:fifo_file rw_fifo_file_perms; + allow keystone_t self:unix_stream_socket { accept listen }; +@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t) + corenet_tcp_sendrecv_generic_if(keystone_t) + corenet_tcp_sendrecv_generic_node(keystone_t) + corenet_tcp_bind_generic_node(keystone_t) ++corenet_tcp_connect_mysqld_port(keystone_t) ++ ++corenet_tcp_connect_mysqld_port(keystone_t) + + corenet_sendrecv_commplex_main_server_packets(keystone_t) + corenet_tcp_bind_commplex_main_port(keystone_t) + 
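Review bot: keystone_admin keeps the unconditional `allow $1 keystone_t:process { ptrace signal_perms };`, whereas the kerberos, kerneloops, kismet and ksmtuned admin interfaces in this same patch split ptrace out under `tunable_policy(`deny_ptrace',`',` … ')`; apply the same split here so the deny_ptrace boolean actually covers keystone. keystone_systemctl calls `systemd_read_fifo_file_passwd_run($1)` unconditionally while keystone_admin wraps the same call in optional_policy, so one of the two is wrong depending on whether systemd policy is guaranteed present; ksmtuned_systemctl later in this patch does not call it at all, so the three helpers should agree. Also, `## Execute keystone server in the keystone domain.` describes keystone_domtrans, not keystone_systemctl, which only grants systemctl access to the unit file and process listing; `## Allow $1 to manage the keystone service via systemctl.` is what it does.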
corenet_tcp_sendrecv_commplex_main_port(keystone_t) + +-files_read_usr_files(keystone_t) ++corenet_tcp_bind_keystone_port(keystone_t) + + auth_use_pam(keystone_t) + + libs_exec_ldconfig(keystone_t) + +-miscfiles_read_localization(keystone_t) +- + optional_policy(` + mysql_stream_connect(keystone_t) + mysql_tcp_connect(keystone_t) + ') ++ ++optional_policy(` ++ postgresql_stream_connect(keystone_t) ++') ++ ++optional_policy(` ++ rpm_exec(keystone_t) ++') +diff --git a/kismet.if b/kismet.if +index aa2a337..7ff229f 100644 +--- a/kismet.if ++++ b/kismet.if +@@ -283,7 +283,7 @@ interface(`kismet_manage_log',` + interface(`kismet_admin',` + gen_require(` + type kismet_t, kismet_var_lib_t, kismet_var_run_t; +- type kismet_log_t, kismet_tmp_t; ++ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, kismet_initrc_exec_t) +@@ -292,7 +292,11 @@ interface(`kismet_admin',` + allow $2 system_r; + + ps_process_pattern($1, kismet_t) +- allow $1 kismet_t:process { ptrace signal_perms }; ++ allow $1 kismet_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kismet_t:process ptrace; ++ ') + + files_search_var_lib($1) + admin_pattern($1, kismet_var_lib_t) +diff --git a/kismet.te b/kismet.te +index ea64ed5..e60f701 100644 +--- a/kismet.te ++++ b/kismet.te +@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t) + + corecmd_exec_bin(kismet_t) + +-corenet_all_recvfrom_unlabeled(kismet_t) + corenet_all_recvfrom_netlabel(kismet_t) + corenet_tcp_sendrecv_generic_if(kismet_t) + corenet_tcp_sendrecv_generic_node(kismet_t) + corenet_tcp_bind_generic_node(kismet_t) + +-corenet_sendrecv_kismet_server_packets(kismet_t) +-corenet_tcp_bind_kismet_port(kismet_t) +-corenet_sendrecv_kismet_client_packets(kismet_t) +-corenet_tcp_connect_kismet_port(kismet_t) +-corenet_tcp_sendrecv_kismet_port(kismet_t) ++corenet_tcp_connect_pulseaudio_port(kismet_t) + +-auth_use_nsswitch(kismet_t) +- +-files_read_usr_files(kismet_t) 
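Review bot: `corenet_tcp_connect_mysqld_port(keystone_t)` is added twice in this hunk, once directly after `corenet_tcp_bind_generic_node` and again after a blank line; drop one. The rule also overlaps `mysql_tcp_connect(keystone_t)` already inside `optional_policy` further down, so if the intent is to let keystone reach a remote MySQL even when the mysql module is absent, a comment should say so, otherwise remove both copies. `files_read_usr_files(keystone_t)` is removed in the same hunk that adds `corenet_tcp_bind_keystone_port`; if the read was dropped because it moved to a base attribute that is fine, but it is unrelated to the port change and deserves its own mention in the description.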
++corenet_sendrecv_rtsclient_server_packets(kismet_t) ++corenet_tcp_bind_rtsclient_port(kismet_t) ++corenet_sendrecv_rtsclient_client_packets(kismet_t) ++corenet_tcp_connect_rtsclient_port(kismet_t) + +-miscfiles_read_localization(kismet_t) ++auth_use_nsswitch(kismet_t) + +-userdom_use_user_terminals(kismet_t) ++userdom_use_inherited_user_terminals(kismet_t) ++userdom_read_user_tmpfs_files(kismet_t) + + optional_policy(` + dbus_system_bus_client(kismet_t) +diff --git a/ksmtuned.fc b/ksmtuned.fc +index e736c45..4b1e1e4 100644 +--- a/ksmtuned.fc ++++ b/ksmtuned.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + ++/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0) ++ + /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + + /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) +diff --git a/ksmtuned.if b/ksmtuned.if +index c530214..3ac0b8b 100644 +--- a/ksmtuned.if ++++ b/ksmtuned.if +@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` + init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) + ') + ++####################################### ++## ++## Execute ksmtuned server in the ksmtunedd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ksmtuned_systemctl',` ++ gen_require(` ++ type ksmtuned_unit_file_t; ++ type ksmtuned_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ksmtuned_unit_file_t:file read_file_perms; ++ allow $1 ksmtuned_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ksmtuned_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',` + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. 
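Review bot: The summary of ksmtuned_systemctl reads `## Execute ksmtuned server in the ksmtunedd domain.` — "ksmtunedd" is a typo and the interface does not execute the server at all; it grants systemctl access to the unit file and process listing of ksmtuned_t, so `## Allow $1 to manage the ksmtuned service via systemctl.` would describe it. The same copy-pasted summary, with the same gap, appears on keystone_systemctl earlier and ktalk_systemctl later in this patch.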
+-## +-## + ## + # + interface(`ksmtuned_admin',` + gen_require(` +- type ksmtuned_t, ksmtuned_var_run_t; +- type ksmtuned_initrc_exec_t, ksmtuned_log_t; ++ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t; ++ type ksmtuned_log_t; + ') + +- ksmtuned_initrc_domtrans($1) +- domain_system_change_exemption($1) +- role_transition $2 ksmtuned_initrc_exec_t system_r; +- allow $2 system_r; ++ allow $1 ksmtuned_t:process signal_perms; ++ ps_process_pattern($1, ksmtuned_t) + +- allow $1 ksmtuned_t:process { ptrace signal_perms }; +- ps_process_pattern(ksmtumed_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ksmtuned_t:process ptrace; ++ ') + + files_list_pids($1) + admin_pattern($1, ksmtuned_var_run_t) + + logging_search_logs($1) + admin_pattern($1, ksmtuned_log_t) ++ ++ ksmtuned_systemctl($1) ++ admin_pattern($1, ksmtuned_unit_file_t) ++ allow $1 ksmtuned_unit_file_t:service all_service_perms; + ') +diff --git a/ksmtuned.te b/ksmtuned.te +index c1539b5..fd0a17f 100644 +--- a/ksmtuned.te ++++ b/ksmtuned.te +@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1) + # Declarations + # + ++## ++##
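Review bot: The rewritten ksmtuned_admin still requires `ksmtuned_initrc_exec_t` in gen_require but no longer has any rule using it, because the `ksmtuned_initrc_domtrans` / `role_transition` block was removed together with the `$2` role parameter; either drop the type from gen_require or keep the init-script transition, which kismet_admin and kerberos_admin in this same patch still provide. Removing `$2` changes the interface signature, so any caller outside this hunk that still passes a role would have that argument silently ignored and lose the role transition; those callers need checking. The change also fixes the old `ps_process_pattern(ksmtumed_t)` typo and missing first argument, which is worth a line in the description.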

    ++## Allow ksmtuned to use nfs file systems ++##

    ++##
    ++gen_tunable(ksmtuned_use_nfs, false) ++ ++## ++##

    ++## Allow ksmtuned to use cifs/Samba file systems ++##

    ++##
    ++gen_tunable(ksmtuned_use_cifs, false) ++ + type ksmtuned_t; + type ksmtuned_exec_t; + init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) + ++type ksmtuned_unit_file_t; ++systemd_unit_file(ksmtuned_unit_file_t) ++ + type ksmtuned_initrc_exec_t; + init_script_file(ksmtuned_initrc_exec_t) + +@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t) + dev_rw_sysfs(ksmtuned_t) + + domain_read_all_domains_state(ksmtuned_t) ++domain_dontaudit_read_all_domains_state(ksmtuned_t) + + mls_file_read_to_clearance(ksmtuned_t) + +@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t) + + logging_send_syslog_msg(ksmtuned_t) + +-miscfiles_read_localization(ksmtuned_t) ++tunable_policy(`ksmtuned_use_nfs',` ++ fs_read_nfs_files(ksmtuned_t) ++') ++ ++tunable_policy(`ksmtuned_use_cifs',` ++ fs_read_cifs_files(ksmtuned_t) ++ samba_read_share_files(ksmtuned_t) ++') +diff --git a/ktalk.fc b/ktalk.fc +index 38ecb07..451067e 100644 +--- a/ktalk.fc ++++ b/ktalk.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0) ++ + /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + + /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) +diff --git a/ktalk.if b/ktalk.if +index 19777b8..55d1556 100644 +--- a/ktalk.if ++++ b/ktalk.if +@@ -1 +1,76 @@ +-## KDE Talk daemon. ++ ++## talk-server - daemon programs for the Internet talk ++ ++######################################## ++## ++## Execute TEMPLATE in the ktalkd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ktalk_domtrans',` ++ gen_require(` ++ type ktalkd_t, ktalkd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t) ++') ++######################################## ++## ++## Execute ktalkd server in the ktalkd domain. ++## ++## ++## ++## Domain allowed to transition. 
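Review bot: `domain_dontaudit_read_all_domains_state(ksmtuned_t)` is added directly under `domain_read_all_domains_state(ksmtuned_t)`, which already allows the same accesses; a dontaudit on permissions that are allowed never fires, so the line is dead. If the intent is to silence denials for some additional permission the allow does not cover, name it in a comment; otherwise remove the line.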
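Review bot: `samba_read_share_files(ksmtuned_t)` is called inside `tunable_policy(`ksmtuned_use_cifs', …)` with no enclosing `optional_policy`, so the ksmtuned module will fail to link wherever the samba module is not installed. Because optional blocks cannot sit inside a conditional, the fix is to keep `fs_read_cifs_files(ksmtuned_t)` in the existing tunable block and add a second `optional_policy(` tunable_policy(`ksmtuned_use_cifs',` samba_read_share_files(ksmtuned_t) ') ')` for the samba call, as the other cross-module calls in this patch are wrapped. The two new booleans also lack a why-comment; ksmtuned otherwise reads sysfs and process state per the surrounding rules, so a line explaining what it needs to read on NFS or CIFS would help a reviewer judge the grant.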
++## ++## ++# ++interface(`ktalk_systemctl',` ++ gen_require(` ++ type ktalkd_t; ++ type ktalkd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ktalkd_unit_file_t:file read_file_perms; ++ allow $1 ktalkd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ktalkd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ktalkd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`ktalk_admin',` ++ gen_require(` ++ type ktalkd_t; ++ type ktalkd_unit_file_t; ++ ') ++ ++ allow $1 ktalkd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ktalkd_t) ++ ++ ktalk_systemctl($1) ++ admin_pattern($1, ktalkd_unit_file_t) ++ allow $1 ktalkd_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/ktalk.te b/ktalk.te +index 2cf3815..a43a4f6 100644 +--- a/ktalk.te ++++ b/ktalk.te +@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) + + type ktalkd_t; + type ktalkd_exec_t; ++init_domain(ktalkd_t, ktalkd_exec_t) + inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) + + type ktalkd_log_t; + logging_log_file(ktalkd_log_t) + ++type ktalkd_unit_file_t; ++systemd_unit_file(ktalkd_unit_file_t) ++ + type ktalkd_tmp_t; + files_tmp_file(ktalkd_tmp_t) + +@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t) + kernel_read_system_state(ktalkd_t) + kernel_read_network_state(ktalkd_t) + ++corenet_all_recvfrom_netlabel(ktalkd_t) ++corenet_tcp_sendrecv_generic_if(ktalkd_t) ++corenet_udp_sendrecv_generic_if(ktalkd_t) ++corenet_tcp_sendrecv_generic_node(ktalkd_t) ++corenet_udp_sendrecv_generic_node(ktalkd_t) ++corenet_tcp_sendrecv_all_ports(ktalkd_t) ++corenet_udp_sendrecv_all_ports(ktalkd_t) ++corenet_udp_bind_ktalkd_port(ktalkd_t) ++ + dev_read_urand(ktalkd_t) + + fs_getattr_xattr_fs(ktalkd_t) + +-term_use_all_terms(ktalkd_t) 
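Review bot: `ktalk_admin` grants `allow $1 ktalkd_t:process { ptrace signal_perms };` unconditionally, while every other admin interface touched by this patch (kudzu_admin, l2tpd_admin, ldap_admin, lircd_admin) moves ptrace behind the deny_ptrace tunable; the same split, `allow $1 ktalkd_t:process signal_perms;` plus a tunable_policy block granting ptrace, keeps the deny_ptrace boolean meaningful for this domain. `ktalk_admin` also ends up calling `systemd_read_fifo_file_passwd_run($1)` twice, once through `ktalk_systemctl($1)` and again in the trailing optional_policy block. The summary of `ktalk_domtrans` reads "Execute TEMPLATE in the ktalkd domin"; it should name the ktalkd binary and fix the typo.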
++term_search_ptys(ktalkd_t) ++term_use_all_inherited_terms(ktalkd_t) + + auth_use_nsswitch(ktalkd_t) + + init_read_utmp(ktalkd_t) + + logging_send_syslog_msg(ktalkd_t) +- +-miscfiles_read_localization(ktalkd_t) +diff --git a/kudzu.if b/kudzu.if +index 5297064..6ba8108 100644 +--- a/kudzu.if ++++ b/kudzu.if +@@ -86,9 +86,13 @@ interface(`kudzu_admin',` + type kudzu_tmp_t; + ') + +- allow $1 kudzu_t:process { ptrace signal_perms }; ++ allow $1 kudzu_t:process { signal_perms }; + ps_process_pattern($1, kudzu_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kudzu_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, kudzu_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kudzu_initrc_exec_t system_r; +diff --git a/kudzu.te b/kudzu.te +index 9725f1a..34aa63b 100644 +--- a/kudzu.te ++++ b/kudzu.te +@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) + domain_use_interactive_fds(kudzu_t) + + files_read_kernel_modules(kudzu_t) +-files_read_usr_files(kudzu_t) + files_search_locks(kudzu_t) + files_manage_etc_files(kudzu_t) + files_manage_etc_runtime_files(kudzu_t) +@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t) + logging_send_syslog_msg(kudzu_t) + + miscfiles_read_hwdata(kudzu_t) +-miscfiles_read_localization(kudzu_t) + + sysnet_read_config(kudzu_t) + +-userdom_use_user_terminals(kudzu_t) ++userdom_use_inherited_user_terminals(kudzu_t) + userdom_dontaudit_use_unpriv_user_fds(kudzu_t) + userdom_search_user_home_dirs(kudzu_t) + +@@ -122,10 +120,6 @@ optional_policy(` + ') + + optional_policy(` +- nscd_use(kudzu_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(kudzu_t) + ') + +diff --git a/l2tp.fc b/l2tp.fc +index d5d1572..82267a7 100644 +--- a/l2tp.fc ++++ b/l2tp.fc +@@ -5,6 +5,7 @@ + /etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0) + + /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0) + + /var/run/.*l2tpd(/.*)? 
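Review bot: `corenet_tcp_sendrecv_all_ports(ktalkd_t)` and `corenet_udp_sendrecv_all_ports(ktalkd_t)` in the second ktalk.te hunk open every port to the talk daemon, yet the same hunk adds the port-specific `corenet_udp_bind_ktalkd_port(ktalkd_t)`. If ktalkd only needs its own port, replacing the two *_all_ports lines with the matching sendrecv interface for the ktalkd port (the corenetwork module generates one per declared port) keeps the domain at least privilege. The TCP lines in particular look unneeded for a service declared with `inetd_udp_service_domain`; if they are required, a comment saying why would help.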
gen_context(system_u:object_r:l2tpd_var_run_t,s0) + /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) +diff --git a/l2tp.if b/l2tp.if +index 73e2803..2fc7570 100644 +--- a/l2tp.if ++++ b/l2tp.if +@@ -1,9 +1,45 @@ +-## Layer 2 Tunneling Protocol. ++## Layer 2 Tunneling Protocol daemons. + + ######################################## + ## +-## Send to l2tpd with a unix +-## domain dgram socket. ++## Transition to l2tpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`l2tpd_domtrans',` ++ gen_require(` ++ type l2tpd_t, l2tpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t) ++') ++ ++######################################## ++## ++## Execute l2tpd server in the l2tpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_initrc_domtrans',` ++ gen_require(` ++ type l2tpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Send to l2tpd via a unix dgram socket. + ## + ## + ## +@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',` + type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; + ') + +- files_search_pids($1) + files_search_tmp($1) + dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) + ') +@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',` + allow $1 l2tpd_t:socket rw_socket_perms; + ') + ++######################################## ++## ++## Read l2tpd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_read_pid_files',` ++ gen_require(` ++ type l2tpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 l2tpd_var_run_t:file read_file_perms; ++') ++ + ##################################### + ## +-## Connect to l2tpd with a unix +-## domain stream socket. ++## Connect to l2tpd over a unix domain ++## stream socket. 
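Review bot: `l2tpd_dgram_send` drops `files_search_pids($1)` but still sends to sockets labelled `l2tpd_var_run_t`, which the l2tp.fc hunk above places under /var/run; without search on the pid directory a caller cannot reach that socket, so the line should stay (`files_search_pids($1)` before `files_search_tmp($1)`). The `l2tpd_stream_connect` hunk further down has the mirror problem: it removes `files_search_tmp($1)` while keeping `stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)`. Unless callers are known to already hold these searches, both interfaces are now incomplete on their own.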
+ ## + ## + ## +@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',` + ') + + files_search_pids($1) +- files_search_tmp($1) +- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) ++ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t) ++ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an l2tp environment. ++## Read and write l2tpd unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_rw_pipes',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Allow send a signal to l2tpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_signal',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:process signal; ++') ++ ++######################################## ++## ++## Allow send signull to l2tpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_signull',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:process signull; ++') ++ ++######################################## ++## ++## Allow send sigkill to l2tpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_sigkill',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:process sigkill; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## l2tpd over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`l2tpd_dbus_chat',` ++ gen_require(` ++ type l2tpd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 l2tpd_t:dbus send_msg; ++ allow l2tpd_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an l2tpd environment + ## + ## + ## +@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',` + ## + ## + # +-interface(`l2tp_admin',` ++interface(`l2tpd_admin',` + gen_require(` + type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; +- type l2tp_conf_t, l2tpd_tmp_t; ++ type l2tp_etc_t, l2tpd_tmp_t; + ') + +- allow $1 l2tpd_t:process { ptrace signal_perms }; ++ allow $1 l2tpd_t:process signal_perms; + ps_process_pattern($1, l2tpd_t) + +- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 l2tpd_t:process ptrace; ++ ') ++ ++ l2tpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 l2tpd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) +- admin_pattern($1, l2tp_conf_t) ++ admin_pattern($1, l2tp_etc_t) + + files_search_pids($1) + admin_pattern($1, l2tpd_var_run_t) +diff --git a/l2tp.te b/l2tp.te +index 19f2b97..bbbda10 100644 +--- a/l2tp.te ++++ b/l2tp.te +@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) + # + + allow l2tpd_t self:capability net_admin; +-allow l2tpd_t self:process signal; ++allow l2tpd_t self:process signal_perms; + allow l2tpd_t self:fifo_file rw_fifo_file_perms; + allow l2tpd_t self:netlink_socket create_socket_perms; + allow l2tpd_t self:rawip_socket create_socket_perms; +@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) + manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) + manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) + manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) +-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) ++files_pid_filetrans(l2tpd_t, 
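Review bot: the rename of `l2tp_admin` to `l2tpd_admin` and the new `type l2tp_etc_t` in its gen_require are both silent breakers: any module still calling `l2tp_admin` fails to build, and the l2tp.fc hunk above still labels /etc/sysconfig/.*l2tpd as `l2tp_conf_t`, so unless l2tp.te (not in this hunk) now declares `l2tp_etc_t` the require fails and the admin loses `admin_pattern` over the sysconfig file. Keeping a one-line deprecated `l2tp_admin` wrapper that calls `l2tpd_admin($1, $2)` preserves existing callers, and the conf/etc type should match whatever l2tp.te and l2tp.fc actually declare.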
l2tpd_var_run_t, { dir file sock_file fifo_file }) + + manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) + files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) + ++can_exec(l2tpd_t, l2tpd_exec_t) ++ + corenet_all_recvfrom_unlabeled(l2tpd_t) + corenet_all_recvfrom_netlabel(l2tpd_t) + corenet_raw_sendrecv_generic_if(l2tpd_t) +@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t) + + dev_read_urand(l2tpd_t) + +-files_read_etc_files(l2tpd_t) +- + term_setattr_generic_ptys(l2tpd_t) + term_use_generic_ptys(l2tpd_t) + term_use_ptmx(l2tpd_t) + +-logging_send_syslog_msg(l2tpd_t) ++auth_read_passwd(l2tpd_t) + +-miscfiles_read_localization(l2tpd_t) ++logging_send_syslog_msg(l2tpd_t) + + sysnet_dns_name_resolve(l2tpd_t) + + optional_policy(` ++ dbus_system_bus_client(l2tpd_t) ++ dbus_connect_system_bus(l2tpd_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(l2tpd_t) ++ ') ++') ++ ++optional_policy(` ++ ipsec_domtrans_mgmt(l2tpd_t) ++ ipsec_mgmt_read_pid(l2tpd_t) ++ ipsec_filetrans_key_file(l2tpd_t) ++ ipsec_manage_key_file(l2tpd_t) ++') ++ ++optional_policy(` ++ networkmanager_read_pid_files(l2tpd_t) ++') ++ ++optional_policy(` + ppp_domtrans(l2tpd_t) + ppp_signal(l2tpd_t) + ppp_kill(l2tpd_t) +diff --git a/ldap.fc b/ldap.fc +index bc25c95..6692d91 100644 +--- a/ldap.fc ++++ b/ldap.fc +@@ -1,8 +1,11 @@ + /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) ++ ++/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) + /etc/openldap/slapd\.d(/.*)? 
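Review bot: `ipsec_manage_key_file(l2tpd_t)` together with `ipsec_filetrans_key_file(l2tpd_t)` gives the whole l2tpd domain create, write and delete rights over IPsec key files, not only the nm-l2tp plugin that the l2tp.fc hunk adds to `l2tpd_exec_t`; if only the plugin writes its generated secrets, a narrower interface or a separate domain for nm-l2tp-service would keep the plain xl2tpd/prol2tpd daemons away from key material. The same hunk series adds `can_exec(l2tpd_t, l2tpd_exec_t)`, presumably so the plugin can spawn the daemon without a transition; a comment stating that reason, `# nm-l2tp-service execs the l2tp daemon in its own domain`, would help the next reader.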
gen_context(system_u:object_r:slapd_db_t,s0) + +-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0) + + /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + +@@ -17,8 +20,7 @@ + /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) + /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) + +-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +diff --git a/ldap.if b/ldap.if +index ee0c7cc..c54e3d2 100644 +--- a/ldap.if ++++ b/ldap.if +@@ -1,8 +1,68 @@ +-## OpenLDAP directory server. ++## OpenLDAP directory server ++ ++####################################### ++## ++## Execute OpenLDAP in the ldap domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ldap_domtrans',` ++ gen_require(` ++ type slapd_t, slapd_exec_t; ++ ') ++ ++ domtrans_pattern($1, slapd_exec_t, slapd_t) ++') ++ ++####################################### ++## ++## Execute OpenLDAP server in the ldap domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`ldap_initrc_domtrans',` ++ gen_require(` ++ type slapd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, slapd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Execute slapd server in the slapd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ldap_systemctl',` ++ gen_require(` ++ type slapd_unit_file_t; ++ type slapd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 slapd_unit_file_t:file read_file_perms; ++ allow $1 slapd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, slapd_t) ++') + + ######################################## + ## +-## List ldap database directories. ++## Read the contents of the OpenLDAP ++## database directories. + ## + ## + ## +@@ -15,13 +75,31 @@ interface(`ldap_list_db',` + type slapd_db_t; + ') + +- files_search_etc($1) + allow $1 slapd_db_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Read ldap configuration files. ++## Read the contents of the OpenLDAP ++## database files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ldap_read_db_files',` ++ gen_require(` ++ type slapd_db_t; ++ ') ++ ++ read_files_pattern($1, slapd_db_t, slapd_db_t) ++') ++ ++######################################## ++## ++## Read the OpenLDAP configuration files. + ## + ## + ## +@@ -41,22 +119,27 @@ interface(`ldap_read_config',` + + ######################################## + ## +-## Use LDAP over TCP connection. (Deprecated) ++## Read the OpenLDAP cert files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`ldap_use',` +- refpolicywarn(`$0($*) has been deprecated.') ++interface(`ldap_read_certs',` ++ gen_require(` ++ type slapd_cert_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, slapd_cert_t, slapd_cert_t) + ') + + ######################################## + ## +-## Connect to slapd over an unix +-## stream socket. 
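Review bot: `ldap_list_db` drops `files_search_etc($1)` even though the ldap.fc hunk keeps `slapd_db_t` under /etc/openldap/slapd.d, and the new `ldap_read_db_files` has no search rule either; callers that do not already hold search on etc_t cannot reach the directory, so both interfaces should carry `files_search_etc($1)` the way `ldap_read_certs` in the next hunk does. In the first hunk `ldap_domtrans` omits `corecmd_search_bin($1)`, unlike `ktalk_domtrans` and `l2tpd_domtrans` added by the same patch; adding it keeps the domtrans interfaces consistent.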
++## Use LDAP over TCP connection. (Deprecated) + ## + ## + ## +@@ -64,18 +147,13 @@ interface(`ldap_use',` + ## + ## + # +-interface(`ldap_stream_connect',` +- gen_require(` +- type slapd_t, slapd_var_run_t; +- ') +- +- files_search_pids($1) +- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) ++interface(`ldap_use',` ++ refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## + ## +-## Connect to ldap over the network. ++## Connect to slapd over an unix stream socket. + ## + ## + ## +@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',` + ## + ## + # +-interface(`ldap_tcp_connect',` ++interface(`ldap_stream_connect',` + gen_require(` +- type slapd_t; ++ type slapd_t, slapd_var_run_t; + ') + +- corenet_sendrecv_ldap_client_packets($1) +- corenet_tcp_connect_ldap_port($1) +- corenet_tcp_recvfrom_labeled($1, slapd_t) +- corenet_tcp_sendrecv_ldap_port($1) ++ files_search_pids($1) ++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an ldap environment. ++## All of the rules required to administrate ++## an ldap environment + ## + ## + ## +@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the ldap domain. 
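Review bot: the hunk at -83,21 deletes `ldap_tcp_connect` outright rather than deprecating it, so any module still calling it will fail at build time; the approach already used for `ldap_use` in the hunk above, keeping the interface name with the same refpolicywarn body, would give callers a warning instead of a break. If the intent is that clients now use the corenet ldap port interfaces directly, the summary comment should say so.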
+ ## + ## + ## +@@ -115,28 +191,28 @@ interface(`ldap_admin',` + gen_require(` + type slapd_t, slapd_tmp_t, slapd_replog_t; + type slapd_lock_t, slapd_etc_t, slapd_var_run_t; +- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; +- type slapd_db_t; ++ type slapd_initrc_exec_t; ++ type slapd_unit_file_t; + ') + +- allow $1 slapd_t:process { ptrace signal_perms }; ++ allow $1 slapd_t:process signal_perms; + ps_process_pattern($1, slapd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 slapd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, slapd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 slapd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) +- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t }) ++ admin_pattern($1, slapd_etc_t) + +- files_list_locks($1) + admin_pattern($1, slapd_lock_t) + +- logging_list_logs($1) +- admin_pattern($1, slapd_log_t) +- +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, slapd_replog_t) + + files_list_tmp($1) +@@ -144,4 +220,8 @@ interface(`ldap_admin',` + + files_list_pids($1) + admin_pattern($1, slapd_var_run_t) ++ ++ ldap_systemctl($1) ++ admin_pattern($1, slapd_unit_file_t) ++ allow $1 slapd_unit_file_t:service all_service_perms; + ') +diff --git a/ldap.te b/ldap.te +index d7d9b09..562c288 100644 +--- a/ldap.te ++++ b/ldap.te +@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) + type slapd_initrc_exec_t; + init_script_file(slapd_initrc_exec_t) + ++type slapd_unit_file_t; ++systemd_unit_file(slapd_unit_file_t) ++ + type slapd_lock_t; + files_lock_file(slapd_lock_t) + +@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) + kernel_read_system_state(slapd_t) + kernel_read_kernel_sysctls(slapd_t) + +-corenet_all_recvfrom_unlabeled(slapd_t) + corenet_all_recvfrom_netlabel(slapd_t) + corenet_tcp_sendrecv_generic_if(slapd_t) + corenet_tcp_sendrecv_generic_node(slapd_t) +@@ -110,25 +112,23 @@ 
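Review bot: `ldap_admin` no longer requires or manages `slapd_db_t`, `slapd_cert_t` or `slapd_log_t` and drops `files_list_locks($1)`, so an admin role can still manage `slapd_lock_t` files but not list the lock directory, and loses all access to the slapd.d database, certificates and logs that the removed `admin_pattern` lines granted. If those removals are intended, the summary should state that the admin scope shrank; otherwise keep the three admin_pattern lines and `files_list_locks($1)`.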
fs_getattr_all_fs(slapd_t) + fs_search_auto_mountpoints(slapd_t) + + files_read_etc_runtime_files(slapd_t) +-files_read_usr_files(slapd_t) + files_list_var_lib(slapd_t) + + auth_use_nsswitch(slapd_t) ++auth_rw_cache(slapd_t) + + logging_send_syslog_msg(slapd_t) + + miscfiles_read_generic_certs(slapd_t) +-miscfiles_read_localization(slapd_t) + + userdom_dontaudit_use_unpriv_user_fds(slapd_t) + userdom_dontaudit_search_user_home_dirs(slapd_t) + + optional_policy(` + kerberos_keytab_template(slapd, slapd_t) +- kerberos_manage_host_rcache(slapd_t) +- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0") +- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487") +- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55") ++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55") + ') + + optional_policy(` +diff --git a/lightsquid.if b/lightsquid.if +index 33a28b9..33ffe24 100644 +--- a/lightsquid.if ++++ b/lightsquid.if +@@ -76,5 +76,7 @@ interface(`lightsquid_admin',` + files_search_var_lib($1) + admin_pattern($1, lightsquid_rw_content_t) + +- apache_list_sys_content($1) ++ optional_policy(` ++ apache_list_sys_content($1) ++ ') + ') +diff --git a/lightsquid.te b/lightsquid.te +index 40a2607..308accb 100644 +--- a/lightsquid.te ++++ b/lightsquid.te +@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t) + + dev_read_urand(lightsquid_t) + +-files_read_etc_files(lightsquid_t) +-files_read_usr_files(lightsquid_t) +- +-miscfiles_read_localization(lightsquid_t) +- + squid_read_config(lightsquid_t) + squid_read_log(lightsquid_t) + +diff --git a/likewise.if b/likewise.if +index bd20e8c..3393a01 100644 +--- a/likewise.if ++++ b/likewise.if +@@ -1,9 +1,22 @@ + ## Likewise Active Directory support for UNIX. ++## ++##
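Review bot: the three `kerberos_tmp_filetrans_host_rcache(slapd_t, "...")` calls drop the `file` class argument, which only builds if kerberos.if in this patch changes the interface to the two-argument form (not visible here); if that change is absent the module fails to compile. `kerberos_manage_host_rcache(slapd_t)` is removed in the same hunk while the filetrans rules stay, so slapd can still create the rcache files but no longer manage them; confirm that split is intended, and if so a short comment on the filetrans lines would spare the next reader the question.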

    ++## Likewise Open is a free, open source application that joins Linux, Unix, ++## and Mac machines to Microsoft Active Directory to securely authenticate ++## users with their domain credentials. ++##

    ++##
    + + ####################################### + ## + ## The template to define a likewise domain. + ## ++## ++##

    ++## This template creates a domain to be used for ++## a new likewise daemon. ++##

    ++##
    + ## + ## + ## The type of daemon to be used. +@@ -11,6 +24,7 @@ + ## + # + template(`likewise_domain_template',` ++ + gen_require(` + attribute likewise_domains; + type likewise_var_lib_t; +@@ -24,6 +38,7 @@ template(`likewise_domain_template',` + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) ++ domain_use_interactive_fds($1_t) + + typeattribute $1_t likewise_domains; + +@@ -38,15 +53,18 @@ template(`likewise_domain_template',` + + #################################### + # +- # Policy ++ # Local Policy + # + + allow $1_t self:process { signal_perms getsched setsched }; + allow $1_t self:fifo_file rw_fifo_file_perms; +- allow $1_t self:unix_stream_socket { accept listen }; ++ allow $1_t self:unix_dgram_socket create_socket_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + ++ allow $1_t likewise_var_lib_t:dir setattr_dir_perms; ++ + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, file) + +@@ -55,12 +73,15 @@ template(`likewise_domain_template',` + + manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) ++ ++ kernel_read_system_state($1_t) ++ ++ logging_send_syslog_msg($1_t) + ') + + ######################################## + ## +-## Connect to lsassd with a unix domain +-## stream socket. ++## Connect to lsassd. + ## + ## + ## +@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',` + files_search_pids($1) + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) + ') +- +-######################################## +-## +-## All of the rules required to +-## administrate an likewise environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. 
+-## +-## +-## +-# +-interface(`likewise_admin',` +- gen_require(` +- attribute likewise_domains; +- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t; +- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t; +- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t; +- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t; +- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t; +- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t; +- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t; +- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t; +- ') +- +- allow $1 likewise_domains:process { ptrace signal_perms }; +- ps_process_pattern($1, likewise_domains) +- +- init_labeled_script_domtrans($1, likewise_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 likewise_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_list_etc($1) +- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) +- +- files_search_var_lib($1) +- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t }) +- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t }) +- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t }) +- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t }) +- admin_pattern($1, dcerpcd_var_lib_t) +- +- files_list_tmp($1) +- admin_pattern($1, lsassd_tmp_t) +- +- files_list_pids($1) +- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t }) +- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) +-') +diff --git a/likewise.te b/likewise.te +index 408fbe3..e86ead6 100644 +--- a/likewise.te ++++ b/likewise.te +@@ -26,7 +26,7 @@ type likewise_var_lib_t; + files_type(likewise_var_lib_t) + + type likewise_pstore_lock_t; +-files_type(likewise_pstore_lock_t) ++files_lock_file(likewise_pstore_lock_t) + + 
type likewise_krb5_ad_t; + files_type(likewise_krb5_ad_t) +@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t) + + allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms; + +-kernel_read_system_state(likewise_domains) +- + dev_read_rand(likewise_domains) + dev_read_urand(likewise_domains) + + domain_use_interactive_fds(likewise_domains) + +-files_read_etc_files(likewise_domains) + files_search_var_lib(likewise_domains) + +-logging_send_syslog_msg(likewise_domains) +- +-miscfiles_read_localization(likewise_domains) +- + ################################# + # + # dcerpcd local policy +@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t) + corecmd_exec_shell(lsassd_t) + + corenet_all_recvfrom_netlabel(lsassd_t) +-corenet_all_recvfrom_unlabeled(lsassd_t) + corenet_tcp_sendrecv_generic_if(lsassd_t) + corenet_tcp_sendrecv_generic_node(lsassd_t) + +@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ + stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + + corenet_all_recvfrom_netlabel(srvsvcd_t) +-corenet_all_recvfrom_unlabeled(srvsvcd_t) + corenet_sendrecv_generic_server_packets(srvsvcd_t) + corenet_tcp_sendrecv_generic_if(srvsvcd_t) + corenet_tcp_sendrecv_generic_node(srvsvcd_t) +diff --git a/lircd.if b/lircd.if +index dff21a7..b6981c8 100644 +--- a/lircd.if ++++ b/lircd.if +@@ -81,8 +81,11 @@ interface(`lircd_admin',` + type lircd_initrc_exec_t, lircd_etc_t; + ') + +- allow $1 lircd_t:process { ptrace signal_perms }; ++ allow $1 lircd_t:process signal_perms; + ps_process_pattern($1, lircd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 lircd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, lircd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/lircd.te b/lircd.te +index 98b5405..7d982bb 100644 +--- a/lircd.te ++++ b/lircd.te +@@ -13,7 +13,7 @@ type lircd_initrc_exec_t; + init_script_file(lircd_initrc_exec_t) + + type lircd_etc_t; +-files_type(lircd_etc_t) 
++files_config_file(lircd_etc_t) + + type lircd_var_run_t alias lircd_sock_t; + files_pid_file(lircd_var_run_t) +@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin }; + allow lircd_t self:process signal; + allow lircd_t self:fifo_file rw_fifo_file_perms; + allow lircd_t self:tcp_socket { accept listen }; ++allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms; + + read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t) + files_read_all_locks(lircd_t) + + term_use_ptmx(lircd_t) ++term_use_usb_ttys(lircd_t) + + logging_send_syslog_msg(lircd_t) + +-miscfiles_read_localization(lircd_t) +- + sysnet_dns_name_resolve(lircd_t) +diff --git a/livecd.if b/livecd.if +index e354181..c6b2383 100644 +--- a/livecd.if ++++ b/livecd.if +@@ -38,11 +38,32 @@ interface(`livecd_domtrans',` + # + interface(`livecd_run',` + gen_require(` ++ type livecd_t; ++ type livecd_exec_t; + attribute_role livecd_roles; + ') + + livecd_domtrans($1) + roleattribute $2 livecd_roles; ++ role_transition $2 livecd_exec_t system_r; ++') ++ ++######################################## ++## ++## Dontaudit read/write to a livecd leaks ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`livecd_dontaudit_leaks',` ++ gen_require(` ++ type livecd_t; ++ ') ++ ++ dontaudit $1 livecd_t:unix_dgram_socket { read write }; + ') + + ######################################## +diff --git a/livecd.te b/livecd.te +index 33f64b5..a920c08 100644 +--- a/livecd.te ++++ b/livecd.te +@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) + # Local policy + # + +-dontaudit livecd_t self:capability2 mac_admin; ++allow livecd_t self:capability2 mac_admin; + +-domain_ptrace_all_domains(livecd_t) ++tunable_policy(`deny_ptrace',`',` ++ domain_ptrace_all_domains(livecd_t) ++') + + manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) + manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t) + optional_policy(` + hal_dbus_chat(livecd_t) + ') ++ ++optional_policy(` ++ mount_run(livecd_t, livecd_roles) ++') ++ + optional_policy(` +- mount_run(livecd_t, livecd_roles) ++ rpm_transition_script(livecd_t) + ') + + optional_policy(` +- rpm_domtrans(livecd_t) ++ seutil_run_setfiles_mac(livecd_t, livecd_roles) + ') + + optional_policy(` +diff --git a/lldpad.if b/lldpad.if +index d18c960..fb5b674 100644 +--- a/lldpad.if ++++ b/lldpad.if +@@ -2,6 +2,25 @@ + + ####################################### + ## ++## Transition to lldpad. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lldpad_domtrans',` ++ gen_require(` ++ type lldpad_t, lldpad_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, lldpad_exec_t, lldpad_t) ++') ++ ++####################################### ++## + ## Send to lldpad with a unix dgram socket. 
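Review bot: `allow livecd_t self:capability2 mac_admin;` turns a dontaudit into a grant with no comment saying why the livecd domain needs it; mac_admin is the capability that lets a domain set contexts the loaded policy does not define, which is why reference policy normally only dontaudits it. A one-line justification above the rule, e.g. `# mac_admin: livecd writes file contexts not defined in the running policy (confirm which build step needs it)`, would record the reason for the next reviewer. Gating `domain_ptrace_all_domains(livecd_t)` behind `deny_ptrace` matches the pattern used elsewhere in this patch and needs no change.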
+ ## + ## +@@ -42,9 +61,13 @@ interface(`lldpad_admin',` + type lldpad_var_run_t; + ') + +- allow $1 lldpad_t:process { ptrace signal_perms }; ++ allow $1 lldpad_t:process { signal_perms }; + ps_process_pattern($1, lldpad_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 lldpad_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, lldpad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 lldpad_initrc_exec_t system_r; +diff --git a/lldpad.te b/lldpad.te +index 648def0..b17392a 100644 +--- a/lldpad.te ++++ b/lldpad.te +@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) + # Local policy + # + +-allow lldpad_t self:capability { net_admin net_raw }; ++allow lldpad_t self:capability { net_admin net_raw sys_resource }; + allow lldpad_t self:shm create_shm_perms; + allow lldpad_t self:fifo_file rw_fifo_file_perms; + allow lldpad_t self:unix_stream_socket { accept listen }; +@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) + + dev_read_sysfs(lldpad_t) + +-files_read_etc_files(lldpad_t) +- + logging_send_syslog_msg(lldpad_t) + +-miscfiles_read_localization(lldpad_t) ++userdom_dgram_send(lldpad_t) + + optional_policy(` + fcoe_dgram_send_fcoemon(lldpad_t) +diff --git a/loadkeys.te b/loadkeys.te +index 6cbb977..bd5406a 100644 +--- a/loadkeys.te ++++ b/loadkeys.te +@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) + corecmd_exec_bin(loadkeys_t) + corecmd_exec_shell(loadkeys_t) + +-files_read_etc_files(loadkeys_t) + files_read_etc_runtime_files(loadkeys_t) + + term_dontaudit_use_console(loadkeys_t) + term_use_unallocated_ttys(loadkeys_t) + ++auth_read_passwd(loadkeys_t) ++ + init_dontaudit_use_fds(loadkeys_t) + init_dontaudit_use_script_ptys(loadkeys_t) + + locallogin_use_fds(loadkeys_t) + +-miscfiles_read_localization(loadkeys_t) +- +-userdom_use_user_ttys(loadkeys_t) ++userdom_use_inherited_user_ttys(loadkeys_t) + userdom_list_user_home_content(loadkeys_t) + + ifdef(`hide_broken_symptoms',` +diff --git a/lockdev.if b/lockdev.if 
+index 4313b8b..cd1435c 100644 +--- a/lockdev.if ++++ b/lockdev.if +@@ -1,5 +1,25 @@ + ## Library for locking devices. + ++####################################### ++## ++## Create, read, write, and delete ++## lockdev lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lockdev_manage_files',` ++ gen_require(` ++ type lockdev_lock_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t) ++') ++ + ######################################## + ## + ## Role access for lockdev. +diff --git a/lockdev.te b/lockdev.te +index db87831..30bfb76 100644 +--- a/lockdev.te ++++ b/lockdev.te +@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t) + + logging_send_syslog_msg(lockdev_t) + +-userdom_use_user_terminals(lockdev_t) ++userdom_use_inherited_user_terminals(lockdev_t) ++ +diff --git a/logrotate.fc b/logrotate.fc +index a11d5be..36c8de7 100644 +--- a/logrotate.fc ++++ b/logrotate.fc +@@ -1,6 +1,9 @@ +-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) ++/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) + + /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) + ++ifdef(`distro_debian', ` + /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) +-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) ++', ` ++/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) ++') +diff --git a/logrotate.if b/logrotate.if +index dd8e01a..9cd6b0b 100644 +--- a/logrotate.if ++++ b/logrotate.if +@@ -1,4 +1,4 @@ +-## Rotates, compresses, removes and mails system log files. 
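Review bot: `lockdev_manage_files` pairs `files_search_var_lib($1)` with `manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)`, but that search permission only helps if lockdev_lock_t is located under /var/lib; lockdev's .fc is not in this chunk, so if the type labels /var/lock paths the caller would need `files_search_locks($1)` instead to reach the files. Worth checking the parent directory in lockdev.fc and matching the search call to it.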
++## Rotate and archive system logs + + ######################################## + ## +@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',` + + ######################################## + ## +-## Execute logrotate in the logrotate +-## domain, and allow the specified +-## role the logrotate domain. ++## Execute logrotate in the logrotate domain, and ++## allow the specified role the logrotate domain. + ## + ## + ## +@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',` + # + interface(`logrotate_run',` + gen_require(` +- attribute_role logrotate_roles; ++ type logrotate_t; + ') + + logrotate_domtrans($1) +- roleattribute $2 logrotate_roles; ++ role $2 types logrotate_t; + ') + + ######################################## +@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',` + + ######################################## + ## +-## Do not audit attempts to inherit +-## logrotate file descriptors. ++## Do not audit attempts to inherit logrotate file descriptors. + ## + ## + ## +@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',` + + ######################################## + ## +-## Read logrotate temporary files. ++## Read a logrotate temporary files. 
+ ## + ## + ## +diff --git a/logrotate.te b/logrotate.te +index 7bab8e5..b88bbf3 100644 +--- a/logrotate.te ++++ b/logrotate.te +@@ -1,20 +1,18 @@ +-policy_module(logrotate, 1.14.5) ++policy_module(logrotate, 1.14.0) + + ######################################## + # + # Declarations + # + +-attribute_role logrotate_roles; +-roleattribute system_r logrotate_roles; +- + type logrotate_t; +-type logrotate_exec_t; + domain_type(logrotate_t) + domain_obj_id_change_exemption(logrotate_t) + domain_system_change_exemption(logrotate_t) ++role system_r types logrotate_t; ++ ++type logrotate_exec_t; + domain_entry_file(logrotate_t, logrotate_exec_t) +-role logrotate_roles types logrotate_t; + + type logrotate_lock_t; + files_lock_file(logrotate_lock_t) +@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t) + type logrotate_var_lib_t; + files_type(logrotate_var_lib_t) + +-mta_base_mail_template(logrotate) +-role system_r types logrotate_mail_t; +- + ######################################## + # + # Local policy + # + +-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; +-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; ++# Change ownership on log files. ++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; ++dontaudit logrotate_t self:capability sys_resource; ++ ++allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++ ++# Set a context other than the default one for newly created files. 
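Review bot: The new summary `## Read a logrotate temporary files.` is ungrammatical where the removed line was correct; keep `## Read logrotate temporary files.`. The interface this summary documents starts outside the hunk.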
++allow logrotate_t self:process setfscreate; ++ + allow logrotate_t self:fd use; + allow logrotate_t self:key manage_key_perms; + allow logrotate_t self:fifo_file rw_fifo_file_perms; ++allow logrotate_t self:unix_dgram_socket create_socket_perms; ++allow logrotate_t self:unix_stream_socket create_stream_socket_perms; + allow logrotate_t self:unix_dgram_socket sendto; +-allow logrotate_t self:unix_stream_socket { accept connectto listen }; ++allow logrotate_t self:unix_stream_socket connectto; + allow logrotate_t self:shm create_shm_perms; + allow logrotate_t self:sem create_sem_perms; + allow logrotate_t self:msgq create_msgq_perms; +@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive }; + allow logrotate_t logrotate_lock_t:file manage_file_perms; + files_lock_filetrans(logrotate_t, logrotate_lock_t, file) + ++can_exec(logrotate_t, logrotate_tmp_t) ++ + manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) + manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) + files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) + ++# for /var/lib/logrotate.status and /var/lib/logcheck + create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) + +-can_exec(logrotate_t, logrotate_tmp_t) +- + kernel_read_system_state(logrotate_t) + kernel_read_kernel_sysctls(logrotate_t) + ++dev_read_urand(logrotate_t) ++dev_read_sysfs(logrotate_t) ++ ++fs_search_auto_mountpoints(logrotate_t) ++fs_getattr_all_fs(logrotate_t) ++fs_list_inotifyfs(logrotate_t) ++ ++mls_file_read_all_levels(logrotate_t) ++mls_file_write_all_levels(logrotate_t) ++mls_file_upgrade(logrotate_t) ++mls_process_write_to_clearance(logrotate_t) ++ ++selinux_get_fs_mount(logrotate_t) ++selinux_get_enforce_mode(logrotate_t) ++ 
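Review bot: `dontaudit logrotate_t self:capability sys_resource;` is dead because the `allow` line directly above it already grants sys_resource in the same capability set; a dontaudit only applies to a denied permission, so either remove sys_resource from the allow (if the aim is to silence a harmless attempt) or drop the dontaudit. The same hunk adds `sys_ptrace` to the capability set under the existing `# Change ownership on log files.` comment, which does not cover it; since sys_ptrace is a broad capability, a comment naming what needs it (presumably reading other processes' /proc state, given `domain_read_all_domains_state` later in the file) would help. The explicit `allow logrotate_t self:process setfscreate;` is fine, but it makes the exclusion of setfscreate from the `~{ ... }` set two lines above pointless.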
++auth_manage_login_records(logrotate_t) ++auth_use_nsswitch(logrotate_t) ++ ++# Run helper programs. + corecmd_exec_bin(logrotate_t) + corecmd_exec_shell(logrotate_t) + corecmd_getattr_all_executables(logrotate_t) + +-dev_read_urand(logrotate_t) +- + domain_signal_all_domains(logrotate_t) + domain_use_interactive_fds(logrotate_t) + domain_getattr_all_entry_files(logrotate_t) ++# Read /proc/PID directories for all domains. + domain_read_all_domains_state(logrotate_t) + +-files_read_usr_files(logrotate_t) + files_read_etc_runtime_files(logrotate_t) + files_read_all_pids(logrotate_t) + files_search_all(logrotate_t) + files_read_var_lib_files(logrotate_t) ++# Write to /var/spool/slrnpull - should be moved into its own type. + files_manage_generic_spool(logrotate_t) + files_manage_generic_spool_dirs(logrotate_t) + files_getattr_generic_locks(logrotate_t) + files_dontaudit_list_mnt(logrotate_t) + +-fs_search_auto_mountpoints(logrotate_t) +-fs_getattr_xattr_fs(logrotate_t) +-fs_list_inotifyfs(logrotate_t) +- +-mls_file_read_all_levels(logrotate_t) +-mls_file_write_all_levels(logrotate_t) +-mls_file_upgrade(logrotate_t) +-mls_process_write_to_clearance(logrotate_t) +- +-selinux_get_fs_mount(logrotate_t) +-selinux_get_enforce_mode(logrotate_t) +- +-auth_manage_login_records(logrotate_t) +-auth_use_nsswitch(logrotate_t) +- ++# cjp: why is this needed? + init_domtrans_script(logrotate_t) + + logging_manage_all_logs(logrotate_t) + logging_send_syslog_msg(logrotate_t) + logging_send_audit_msgs(logrotate_t) ++# cjp: why is this needed? 
+ logging_exec_all_logs(logrotate_t) + +-miscfiles_read_localization(logrotate_t) ++systemd_exec_systemctl(logrotate_t) ++systemd_getattr_unit_files(logrotate_t) ++systemd_start_all_unit_files(logrotate_t) ++systemd_reload_all_services(logrotate_t) ++systemd_status_all_unit_files(logrotate_t) ++init_stream_connect(logrotate_t) + +-seutil_dontaudit_read_config(logrotate_t) ++miscfiles_read_hwdata(logrotate_t) + +-userdom_use_user_terminals(logrotate_t) ++userdom_use_inherited_user_terminals(logrotate_t) + userdom_list_user_home_dirs(logrotate_t) + userdom_use_unpriv_users_fds(logrotate_t) ++userdom_list_admin_dir(logrotate_t) ++userdom_dontaudit_getattr_user_home_content(logrotate_t) + +-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) +- +-ifdef(`distro_debian',` ++ifdef(`distro_debian', ` + allow logrotate_t logrotate_tmp_t:file relabel_file_perms; ++ # for savelog + can_exec(logrotate_t, logrotate_exec_t) + +- logging_check_exec_syslog(logrotate_t) ++ # for syslogd-listfiles + logging_read_syslog_config(logrotate_t) ++ ++ # for "test -x /sbin/syslogd" ++ logging_check_exec_syslog(logrotate_t) + ') + + optional_policy(` +@@ -135,16 +154,17 @@ optional_policy(` + + optional_policy(` + apache_read_config(logrotate_t) ++ apache_read_sys_content_rw_dirs(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) + ') + + optional_policy(` +- asterisk_domtrans(logrotate_t) ++ awstats_domtrans(logrotate_t) + ') + + optional_policy(` +- awstats_domtrans(logrotate_t) ++ asterisk_domtrans(logrotate_t) + ') + + optional_policy(` +@@ -178,7 +198,7 @@ optional_policy(` + ') + + optional_policy(` +- chronyd_read_key_files(logrotate_t) ++ chronyd_read_keys(logrotate_t) + ') + + optional_policy(` +@@ -198,21 +218,26 @@ optional_policy(` + ') + + optional_policy(` ++ mysql_read_home_content(logrotate_t) + mysql_read_config(logrotate_t) ++ mysql_search_db(logrotate_t) + mysql_stream_connect(logrotate_t) + ') + + optional_policy(` +- 
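Review bot: `systemd_start_all_unit_files(logrotate_t)` and `systemd_reload_all_services(logrotate_t)` let the rotation domain start or reload every unit on the system, which is wider than the per-service reloads that postrotate scripts need; combined with `init_domtrans_script` this makes logrotate_t a broad pivot should a rotation config or postrotate script ever be writable by a less trusted party. If the wide grants are intentional because logrotate configs are admin-controlled, a comment next to the systemd_ lines stating that trust assumption would document the boundary; otherwise per-service reload interfaces keep least privilege. The two `# cjp: why is this needed?` comments carried over for `init_domtrans_script` and `logging_exec_all_logs` are still unanswered in this revision.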
openvswitch_read_pid_files(logrotate_t) +- openvswitch_domtrans(logrotate_t) ++ polipo_named_filetrans_log_files(logrotate_t) ++') ++ ++optional_policy(` ++ psad_domtrans(logrotate_t) + ') + + optional_policy(` +- polipo_log_filetrans_log(logrotate_t, file, "polipo") ++ rabbitmq_domtrans_beam(logrotate_t) + ') + + optional_policy(` +- psad_domtrans(logrotate_t) ++ raid_domtrans_mdadm(logrotate_t) + ') + + optional_policy(` +@@ -228,10 +253,20 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_manage_lib_files(logrotate_t) ++') ++ ++optional_policy(` ++ openvswitch_read_pid_files(logrotate_t) ++ openvswitch_domtrans(logrotate_t) ++') ++ ++optional_policy(` + squid_domtrans(logrotate_t) + ') + + optional_policy(` ++ #Red Hat bug 564565 + su_exec(logrotate_t) + ') + +@@ -241,13 +276,11 @@ optional_policy(` + + ####################################### + # +-# Mail local policy ++# logrotate_mail local policy + # + +-allow logrotate_mail_t logrotate_t:fd use; +-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms; +-allow logrotate_mail_t logrotate_t:process sigchld; +- +-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) +- ++mta_base_mail_template(logrotate) ++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) ++role system_r types logrotate_mail_t; + logging_read_all_logs(logrotate_mail_t) ++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) +diff --git a/logwatch.te b/logwatch.te +index 4256a4c..30e3cd2 100644 +--- a/logwatch.te ++++ b/logwatch.te +@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) + # Declarations + # + ++## ++##
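Review bot: The explicit `allow logrotate_mail_t logrotate_t:fd use;`, the fifo_file rw rule and the `process sigchld` rule are dropped from the mail section while `mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)` is kept; unless `mta_base_mail_template` (defined outside this patch) now supplies those rules, the sendmail child will be denied the inherited descriptors and the parent the SIGCHLD. Worth verifying against the mta module before merging, or keeping the three rules explicitly.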

    ++## Allow epylog to send mail ++##

    ++##
    ++gen_tunable(logwatch_can_sendmail, false) ++ + type logwatch_t; + type logwatch_exec_t; +-init_system_domain(logwatch_t, logwatch_exec_t) ++init_daemon_domain(logwatch_t, logwatch_exec_t) ++application_domain(logwatch_t, logwatch_exec_t) + + type logwatch_cache_t; + files_type(logwatch_cache_t) +@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; + manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) + manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) + +-allow logwatch_t logwatch_lock_t:file manage_file_perms; ++manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) ++manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) + files_lock_filetrans(logwatch_t, logwatch_lock_t, file) + + manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +@@ -67,10 +76,11 @@ files_list_var(logwatch_t) + files_search_all(logwatch_t) + files_read_var_symlinks(logwatch_t) + files_read_etc_runtime_files(logwatch_t) +-files_read_usr_files(logwatch_t) ++files_read_system_conf_files(logwatch_t) + + fs_getattr_all_dirs(logwatch_t) + fs_getattr_all_fs(logwatch_t) ++fs_getattr_all_dirs(logwatch_t) + fs_dontaudit_list_auto_mountpoints(logwatch_t) + fs_list_inotifyfs(logwatch_t) + +@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t) + logging_read_all_logs(logwatch_t) + logging_send_syslog_msg(logwatch_t) + +-miscfiles_read_localization(logwatch_t) +- + selinux_dontaudit_getattr_dir(logwatch_t) + + sysnet_exec_ifconfig(logwatch_t) + + userdom_dontaudit_search_user_home_dirs(logwatch_t) ++userdom_dontaudit_list_admin_dir(logwatch_t) + + mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) + mta_getattr_spool(logwatch_t) +@@ -137,6 +146,11 @@ optional_policy(` + ') + + optional_policy(` ++ raid_domtrans_mdadm(logwatch_t) ++ raid_access_check_mdadm(logwatch_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(logwatch_t) + ') + +@@ -145,6 +159,13 @@ optional_policy(` + 
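Review bot: The new tunable's description reads `## Allow epylog to send mail` but the boolean is `logwatch_can_sendmail` and gates logwatch_t, so the copied name will mislead anyone toggling it. Change it to `## Allow logwatch to send mail`. The `tunable_policy` block later in this file also opens POP client ports, which the "send mail" wording does not cover; naming both in the description, or dropping the pop rules if unneeded, keeps the boolean honest.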
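Review bot: `fs_getattr_all_dirs(logwatch_t)` is added although the identical call is already present two lines above in the same hunk; the duplicate is harmless to the compiler but reads as a merge artefact and should be removed.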
samba_read_share_files(logwatch_t) + ') + ++tunable_policy(`logwatch_can_sendmail',` ++ corenet_tcp_connect_smtp_port(logwatch_t) ++ corenet_sendrecv_smtp_client_packets(logwatch_t) ++ corenet_tcp_connect_pop_port(logwatch_t) ++ corenet_sendrecv_pop_client_packets(logwatch_t) ++') ++ + ######################################## + # + # Mail local policy +@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t) + + logging_read_all_logs(logwatch_mail_t) + ++mta_read_home(logwatch_mail_t) ++ + optional_policy(` + cron_use_system_job_fds(logwatch_mail_t) + ') ++ ++optional_policy(` ++ courier_stream_connect_authdaemon(logwatch_mail_t) ++') +diff --git a/lpd.fc b/lpd.fc +index 2fb9b2e..08974e3 100644 +--- a/lpd.fc ++++ b/lpd.fc +@@ -19,6 +19,7 @@ + /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) + /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) + ++/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + /usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + + /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) +diff --git a/lpd.if b/lpd.if +index 6256371..7826e38 100644 +--- a/lpd.if ++++ b/lpd.if +@@ -1,44 +1,49 @@ +-## Line printer daemon. ++## Line printer daemon + + ######################################## + ## +-## Role access for lpd. ++## Role access for lpd + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. 
++## User domain for the role + ## + ## ++## + # + interface(`lpd_role',` + gen_require(` + attribute_role lpr_roles; +- type lpr_t, lpr_exec_t; ++ type lpr_t, lpr_exec_t, print_spool_t; + ') + +- ######################################## +- # +- # Declarations +- # ++ ######################################## ++ # ++ # Declarations ++ # + + roleattribute $1 lpr_roles; + +- ######################################## +- # +- # Policy +- # ++ ######################################## ++ # ++ # Policy ++ # + ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, lpr_exec_t, lpr_t) ++ dontaudit lpr_t $2:unix_stream_socket { read write }; + +- allow $2 lpr_t:process { ptrace signal_perms }; + ps_process_pattern($2, lpr_t) ++ allow $2 lpr_t:process signal_perms; + +- dontaudit lpr_t $2:unix_stream_socket { read write }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 lpr_t:process ptrace; ++ ') + + optional_policy(` + cups_read_config($2) +@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',` + type checkpc_t, checkpc_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, checkpc_exec_t, checkpc_t) + ') + + ######################################## + ## +-## Execute amrecover in the lpd +-## domain, and allow the specified +-## role the lpd domain. ++## Execute amrecover in the lpd domain, and ++## allow the specified role the lpd domain. + ## + ## + ## +@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',` + # + interface(`lpd_run_checkpc',` + gen_require(` +- attribute_role checkpc_roles; ++ type checkpc_t; + ') + + lpd_domtrans_checkpc($1) +- roleattribute $2 checkpc_roles; ++ role $2 types checkpc_t; + ') + + ######################################## + ## +-## List printer spool directories. ++## List the contents of the printer spool directories. + ## + ## + ## +@@ -112,7 +115,7 @@ interface(`lpd_list_spool',` + + ######################################## + ## +-## Read printer spool files. ++## Read the printer spool files. 
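Review bot: `print_spool_t` is added to the gen_require of `lpd_role` but nothing in the interface body references it, so the require is dead weight and suggests spool rules that are not there. Either drop it from the require or add the spool access the role was meant to receive. The `# Declarations` / `# Policy` banner lines appear to be whitespace-only changes (indentation is lost in this rendering) and only inflate the hunk.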
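Review bot: `corecmd_search_bin($1)` is removed from `lpd_domtrans_checkpc`, and the same removal is made in `lpd_domtrans_lpr` and `lpd_exec_lpr` further down in lpd.if; callers that do not already hold search on bin directories will then be unable to reach the executables, and the new lsm.if in this same patch still calls `corecmd_search_bin($1)` before `domtrans_pattern`. If the removal relies on a distribution-wide grant of bin search to all domains, that dependency should be stated in a comment; otherwise keep the call for consistency.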
+ ## + ## + ## +@@ -131,8 +134,7 @@ interface(`lpd_read_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## printer spool content. ++## Create, read, write, and delete printer spool files. + ## + ## + ## +@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',` + + ######################################## + ## +-## Relabel spool files. ++## Relabel from and to the spool files. + ## + ## + ## +@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',` + + ######################################## + ## +-## Read printer configuration files. ++## List the contents of the printer spool directories. + ## + ## + ## +@@ -200,12 +202,11 @@ interface(`lpd_read_config',` + ## + ## + # +-template(`lpd_domtrans_lpr',` ++interface(`lpd_domtrans_lpr',` + gen_require(` + type lpr_t, lpr_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, lpr_exec_t, lpr_t) + ') + +@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',` + + ######################################## + ## +-## Execute lpr in the caller domain. ++## Allow the specified domain to execute lpr ++## in the caller domain. 
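Review bot: The summary of `lpd_read_config` is changed to `## List the contents of the printer spool directories.`, which duplicates the `lpd_list_spool` text and no longer describes this interface; the removed `## Read printer configuration files.` was accurate and should be restored. The interface body lies outside the hunk.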
+ ## + ## + ## +@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',` + type lpr_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, lpr_exec_t) + ') +diff --git a/lpd.te b/lpd.te +index b9270f7..15f3748 100644 +--- a/lpd.te ++++ b/lpd.te +@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) + type print_spool_t; + typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; + typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +-files_type(print_spool_t) ++files_spool_file(print_spool_t) + ubac_constrained(print_spool_t) + + type printer_t; +@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms; + + kernel_read_system_state(checkpc_t) + +-corenet_all_recvfrom_unlabeled(checkpc_t) + corenet_all_recvfrom_netlabel(checkpc_t) + corenet_tcp_sendrecv_generic_if(checkpc_t) + corenet_tcp_sendrecv_generic_node(checkpc_t) +@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t) + + domain_use_interactive_fds(checkpc_t) + +-files_read_etc_files(checkpc_t) + files_read_etc_runtime_files(checkpc_t) + files_search_pids(checkpc_t) + files_search_spool(checkpc_t) +@@ -107,7 +105,7 @@ init_use_fds(checkpc_t) + + sysnet_read_config(checkpc_t) + +-userdom_use_user_terminals(checkpc_t) ++userdom_use_inherited_user_terminals(checkpc_t) + + optional_policy(` + cron_system_entry(checkpc_t, checkpc_exec_t) +@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t) + kernel_read_kernel_sysctls(lpd_t) + kernel_read_system_state(lpd_t) + +-corenet_all_recvfrom_unlabeled(lpd_t) + corenet_all_recvfrom_netlabel(lpd_t) + corenet_tcp_sendrecv_generic_if(lpd_t) + corenet_tcp_sendrecv_generic_node(lpd_t) +@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t) + domain_use_interactive_fds(lpd_t) + + files_read_etc_runtime_files(lpd_t) +-files_read_usr_files(lpd_t) + files_list_world_readable(lpd_t) + files_read_world_readable_files(lpd_t) + files_read_world_readable_symlinks(lpd_t) + files_list_var_lib(lpd_t) + files_read_var_lib_files(lpd_t) + 
files_read_var_lib_symlinks(lpd_t) +-files_read_etc_files(lpd_t) + files_search_spool(lpd_t) + + fs_getattr_all_fs(lpd_t) +@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t) + logging_send_syslog_msg(lpd_t) + + miscfiles_read_fonts(lpd_t) +-miscfiles_read_localization(lpd_t) + + sysnet_read_config(lpd_t) + +@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t) + kernel_read_crypto_sysctls(lpr_t) + kernel_read_kernel_sysctls(lpr_t) + +-corenet_all_recvfrom_unlabeled(lpr_t) + corenet_all_recvfrom_netlabel(lpr_t) + corenet_tcp_sendrecv_generic_if(lpr_t) + corenet_tcp_sendrecv_generic_node(lpr_t) +@@ -239,7 +232,6 @@ dev_read_urand(lpr_t) + domain_use_interactive_fds(lpr_t) + + files_search_spool(lpr_t) +-files_read_usr_files(lpr_t) + files_list_home(lpr_t) + + fs_getattr_all_fs(lpr_t) +@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t) + + auth_use_nsswitch(lpr_t) + +-logging_send_syslog_msg(lpr_t) +- + miscfiles_read_fonts(lpr_t) +-miscfiles_read_localization(lpr_t) + + userdom_read_user_tmp_symlinks(lpr_t) +-userdom_use_user_terminals(lpr_t) ++# Write to the user domain tty. ++userdom_use_inherited_user_terminals(lpr_t) + userdom_read_user_home_content_files(lpr_t) + userdom_read_user_tmp_files(lpr_t) ++userdom_write_user_tmp_sockets(lpr_t) ++userdom_stream_connect(lpr_t) + + tunable_policy(`use_lpd_server',` +- allow lpr_t lpd_t:process signal; +- +- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t) ++ # lpr can run in lightweight mode, without a local print spooler. ++ allow lpr_t lpd_var_run_t:dir search_dir_perms; ++ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; + files_read_var_files(lpr_t) + ++ # Connect to lpd via a Unix domain socket. ++ allow lpr_t printer_t:sock_file read_sock_file_perms; + stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) ++ # Send SIGHUP to lpd. 
++ allow lpr_t lpd_t:process signal;
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
+ allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(lpr_t)
+- fs_read_nfs_files(lpr_t)
+- fs_read_nfs_symlinks(lpr_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_auto_mountpoints(lpr_t)
+- fs_read_cifs_files(lpr_t)
+- fs_read_cifs_symlinks(lpr_t)
+-')
++userdom_home_reader(lpr_t)
+
+ optional_policy(`
+ cups_read_config(lpr_t)
+@@ -298,5 +284,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- gnome_stream_connect_all_gkeyringd(lpr_t)
++ gnome_stream_connect_gkeyringd(lpr_t)
++')
++
++optional_policy(`
++ logging_send_syslog_msg(lpr_t)
++')
++
++optional_policy(`
++ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
+ ')
+diff --git a/lsm.fc b/lsm.fc
+new file mode 100644
+index 0000000..81cd4e0
+--- /dev/null
++++ b/lsm.fc
+@@ -0,0 +1,5 @@
++/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
++
++/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
++
++/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
+diff --git a/lsm.if b/lsm.if
+new file mode 100644
+index 0000000..da30c5d
+--- /dev/null
++++ b/lsm.if
+@@ -0,0 +1,99 @@
++
++## libStorageMgmt plug-in daemon
++
++########################################
++##
++## Execute TEMPLATE in the lsmd domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lsmd_domtrans',`
++ gen_require(`
++ type lsmd_t, lsmd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
++')
++########################################
++##
++## Read lsmd PID files.
++##
++##
++##
++## Domain allowed access.
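Review bot: `userdom_home_reader(lpr_t)` replaces two tunable-gated blocks, so the NFS and CIFS home-directory reads that used to require `use_nfs_home_dirs` / `use_samba_home_dirs` now depend entirely on what that interface grants, and its definition is not in this chunk. If it grants the reads unconditionally, the change silently widens lpr_t's reach into remote home directories; a comment recording that the interface carries its own tunables, or keeping the explicit blocks, would make the intent reviewable.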
++##
++##
++#
++interface(`lsmd_read_pid_files',`
++ gen_require(`
++ type lsmd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
++')
++
++########################################
++##
++## Execute lsmd server in the lsmd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lsmd_systemctl',`
++ gen_require(`
++ type lsmd_t;
++ type lsmd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 lsmd_unit_file_t:file read_file_perms;
++ allow $1 lsmd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, lsmd_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an lsmd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`lsmd_admin',`
++ gen_require(`
++ type lsmd_t;
++ type lsmd_var_run_t;
++ type lsmd_unit_file_t;
++ ')
++
++ allow $1 lsmd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, lsmd_t)
++
++ files_search_pids($1)
++ admin_pattern($1, lsmd_var_run_t)
++
++ lsmd_systemctl($1)
++ admin_pattern($1, lsmd_unit_file_t)
++ allow $1 lsmd_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/lsm.te b/lsm.te
+new file mode 100644
+index 0000000..6611d9f
+--- /dev/null
++++ b/lsm.te
+@@ -0,0 +1,34 @@
++policy_module(lsm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type lsmd_t;
++type lsmd_exec_t;
++init_daemon_domain(lsmd_t, lsmd_exec_t)
++
++type lsmd_var_run_t;
++files_pid_file(lsmd_var_run_t)
++
++type lsmd_unit_file_t;
++systemd_unit_file(lsmd_unit_file_t)
++
++########################################
++#
++# lsmd local policy
++#
++allow lsmd_t self:capability { setgid };
++allow lsmd_t self:process { fork };
++allow lsmd_t self:unix_stream_socket
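Review bot: `lsmd_admin` grants `allow $1 lsmd_t:process { ptrace signal_perms };` unconditionally, whereas every other admin interface touched by this patch (lircd_admin, lldpad_admin, lpd_role) now gates ptrace behind `tunable_policy(`deny_ptrace',`',` ... ')`; the new file should follow the same pattern so the boolean actually covers lsmd. The summary of `lsmd_domtrans` still reads `## Execute TEMPLATE in the lsmd domin.` and should be `## Execute lsmd in the lsmd domain.`. The blank line between the end of `lsmd_domtrans` and the `lsmd_read_pid_files` banner is also missing.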
create_stream_socket_perms; ++ ++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) ++ ++corecmd_exec_bin(lsmd_t) ++ ++logging_send_syslog_msg(lsmd_t) +diff --git a/mailman.fc b/mailman.fc +index 7fa381b..bbe6b01 100644 +--- a/mailman.fc ++++ b/mailman.fc +@@ -3,10 +3,12 @@ + + /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) + ++/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) ++/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + /var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) + + /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) +diff --git a/mailman.if b/mailman.if +index 108c0f1..a248501 100644 +--- a/mailman.if ++++ b/mailman.if +@@ -1,44 +1,70 @@ +-## Manage electronic mail discussion and e-newsletter lists. ++## Mailman is for managing electronic mail discussion and e-newsletter lists + + ####################################### + ## +-## The template to define a mailman domain. ++## The template to define a mailmain domain. + ## +-## ++## ++##
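Review bot: `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })` omits `lnk_file` even though `manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)` is granted two lines above, so a symlink lsmd creates directly under /var/run would not receive lsmd_var_run_t. Either extend the transition, `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file lnk_file sock_file })`, or drop the lnk_file pattern if the daemon never creates symlinks there. A one-line header such as `# libStorageMgmt plug-in daemon (lsmd)` would also help, since the .te carries no description of the domain.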

    ++## This template creates a domain to be used for ++## a new mailman daemon. ++##

    ++##
    ++## + ## +-## Domain prefix to be used. ++## The type of daemon to be used eg, cgi would give mailman_cgi_ + ## + ## + # +-template(`mailman_domain_template',` +- gen_require(` +- attribute mailman_domain; +- ') ++template(`mailman_domain_template', ` + +- ######################################## +- # +- # Declarations +- # ++ ######################################## ++ # ++ # Declarations ++ # + +- type mailman_$1_t; +- type mailman_$1_exec_t; ++ gen_require(` ++ attribute mailman_domain; ++ ') ++ ++ type mailman_$1_t, mailman_domain; + domain_type(mailman_$1_t) ++ type mailman_$1_exec_t; + domain_entry_file(mailman_$1_t, mailman_$1_exec_t) + role system_r types mailman_$1_t; + + type mailman_$1_tmp_t; + files_tmp_file(mailman_$1_tmp_t) + +- #################################### +- # +- # Policy +- # ++ #################################### ++ # ++ # Policy ++ # + + manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) + ++ kernel_read_system_state(mailman_$1_t) ++ ++ corenet_all_recvfrom_unlabeled(mailman_$1_t) ++ corenet_all_recvfrom_netlabel(mailman_$1_t) ++ corenet_tcp_sendrecv_generic_if(mailman_$1_t) ++ corenet_udp_sendrecv_generic_if(mailman_$1_t) ++ corenet_raw_sendrecv_generic_if(mailman_$1_t) ++ corenet_tcp_sendrecv_generic_node(mailman_$1_t) ++ corenet_udp_sendrecv_generic_node(mailman_$1_t) ++ corenet_raw_sendrecv_generic_node(mailman_$1_t) ++ corenet_tcp_sendrecv_all_ports(mailman_$1_t) ++ corenet_udp_sendrecv_all_ports(mailman_$1_t) ++ corenet_tcp_bind_generic_node(mailman_$1_t) ++ corenet_udp_bind_generic_node(mailman_$1_t) ++ corenet_tcp_connect_smtp_port(mailman_$1_t) ++ corenet_sendrecv_smtp_client_packets(mailman_$1_t) ++ + auth_use_nsswitch(mailman_$1_t) ++ ++ logging_send_syslog_msg(mailman_$1_t) + ') + + ####################################### +@@ -56,15 +82,12 @@ 
interface(`mailman_domtrans',` + type mailman_mail_exec_t, mailman_mail_t; + ') + +- libs_search_lib($1) + domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) + ') + + ######################################## + ## +-## Execute the mailman program in the +-## mailman domain and allow the +-## specified role the mailman domain. ++## Execute the mailman program in the mailman domain. + ## + ## + ## +@@ -73,18 +96,18 @@ interface(`mailman_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the mailman domain. + ## + ## + ## + # + interface(`mailman_run',` + gen_require(` +- attribute_role mailman_roles; ++ type mailman_mail_t; + ') + + mailman_domtrans($1) +- roleattribute $2 mailman_roles; ++ role $2 types mailman_mail_t; + ') + + ####################################### +@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',` + type mailman_cgi_exec_t, mailman_cgi_t; + ') + +- libs_search_lib($1) + domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) + ') + +@@ -122,13 +144,12 @@ interface(`mailman_exec',` + type mailman_mail_exec_t; + ') + +- libs_search_lib($1) + can_exec($1, mailman_mail_exec_t) + ') + + ####################################### + ## +-## Send generic signals to mailman cgi. ++## Send generic signals to the mailman cgi domain. + ## + ## + ## +@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',` + + ####################################### + ## +-## Search mailman data directories. ++## Allow domain to search data directories. + ## + ## + ## +@@ -159,13 +180,12 @@ interface(`mailman_search_data',` + type mailman_data_t; + ') + +- files_search_spool($1) + allow $1 mailman_data_t:dir search_dir_perms; + ') + + ####################################### + ## +-## Read mailman data content. ++## Allow domain to to read mailman data files. 
+ ## + ## + ## +@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',` + type mailman_data_t; + ') + +- files_search_spool($1) + list_dirs_pattern($1, mailman_data_t, mailman_data_t) + read_files_pattern($1, mailman_data_t, mailman_data_t) + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) +@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',` + + ####################################### + ## +-## Create, read, write, and delete +-## mailman data files. ++## Allow domain to to create mailman data files ++## and write the directory. + ## + ## + ## +@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',` + type mailman_data_t; + ') + +- files_search_spool($1) + manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) + ') + + ####################################### + ## +-## List mailman data directories. ++## List the contents of mailman data directories. + ## + ## + ## +@@ -220,13 +238,12 @@ interface(`mailman_list_data',` + type mailman_data_t; + ') + +- files_search_spool($1) + allow $1 mailman_data_t:dir list_dir_perms; + ') + + ####################################### + ## +-## Read mailman data symbolic links. ++## Allow read acces to mailman data symbolic links. + ## + ## + ## +@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',` + + ####################################### + ## +-## Read mailman log files. ++## Read mailman logs. + ## + ## + ## +@@ -257,13 +274,12 @@ interface(`mailman_read_log',` + type mailman_log_t; + ') + +- logging_search_logs($1) + read_files_pattern($1, mailman_log_t, mailman_log_t) + ') + + ####################################### + ## +-## Append mailman log files. ++## Append to mailman logs. 
+ ## + ## + ## +@@ -276,14 +292,13 @@ interface(`mailman_append_log',` + type mailman_log_t; + ') + +- logging_search_logs($1) + append_files_pattern($1, mailman_log_t, mailman_log_t) + ') + + ####################################### + ## + ## Create, read, write, and delete +-## mailman log content. ++## mailman logs. + ## + ## + ## +@@ -296,14 +311,13 @@ interface(`mailman_manage_log',` + type mailman_log_t; + ') + +- logging_search_logs($1) + manage_files_pattern($1, mailman_log_t, mailman_log_t) + manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) + ') + + ####################################### + ## +-## Read mailman archive content. ++## Allow domain to read mailman archive files. + ## + ## + ## +@@ -316,7 +330,6 @@ interface(`mailman_read_archive',` + type mailman_archive_t; + ') + +- files_search_var_lib($1) + allow $1 mailman_archive_t:dir list_dir_perms; + read_files_pattern($1, mailman_archive_t, mailman_archive_t) + read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) +@@ -324,8 +337,7 @@ interface(`mailman_read_archive',` + + ####################################### + ## +-## Execute mailman_queue in the +-## mailman_queue domain. ++## Execute mailman_queue in the mailman_queue domain. + ## + ## + ## +@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',` + type mailman_queue_exec_t, mailman_queue_t; + ') + +- libs_search_lib($1) + domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) + ') +diff --git a/mailman.te b/mailman.te +index 8eaf51b..a057913 100644 +--- a/mailman.te ++++ b/mailman.te +@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) + # + # Declarations + # ++## ++##

    ++## Allow mailman to access FUSE file systems ++##

    ++##
    ++gen_tunable(mailman_use_fusefs, false) + + attribute mailman_domain; + +@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t) + manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t) + files_lock_filetrans(mailman_domain, mailman_lock_t, file) + +-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) ++manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) + logging_log_filetrans(mailman_domain, mailman_log_t, file) + + kernel_read_kernel_sysctls(mailman_domain) +-kernel_read_system_state(mailman_domain) + +-corenet_all_recvfrom_unlabeled(mailman_domain) +-corenet_all_recvfrom_netlabel(mailman_domain) + corenet_tcp_sendrecv_generic_if(mailman_domain) + corenet_tcp_sendrecv_generic_node(mailman_domain) + +@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain) + libs_exec_ld_so(mailman_domain) + libs_exec_lib_files(mailman_domain) + +-logging_send_syslog_msg(mailman_domain) +- +-miscfiles_read_localization(mailman_domain) +- + ######################################## + # + # CGI local policy +@@ -115,20 +112,23 @@ optional_policy(` + # Mail local policy + # + +-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; +-allow mailman_mail_t self:process { signal signull }; ++allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config }; ++allow mailman_mail_t self:process { setsched signal signull }; ++allow mailman_mail_t self:unix_dgram_socket create_socket_perms; + + manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) + manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) + files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) + ++can_exec(mailman_mail_t, mailman_mail_exec_t) ++ + 
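Review bot: Replacing the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` rules on `mailman_log_t` with `manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)` (hunk `@@ -50,16 +56,11 @@`) adds write, unlink and rename, so the log files are no longer append-only from the daemons' side and every mailman domain can truncate or delete them. If mailman rotates its own logs and really needs that, a comment stating so would justify the widening; otherwise keeping the original three rules preserves the audit-trail property. The `mailman_use_fusefs` tunable added in the previous hunk is declared with a working `<desc>` block, so no issue there.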
corenet_sendrecv_innd_client_packets(mailman_mail_t) + corenet_tcp_connect_innd_port(mailman_mail_t) + corenet_tcp_sendrecv_innd_port(mailman_mail_t) + + corenet_sendrecv_spamd_client_packets(mailman_mail_t) +-corenet_tcp_connect_spamd_port(mailman_mail_t) + corenet_tcp_sendrecv_spamd_port(mailman_mail_t) ++corenet_tcp_connect_spamd_port(mailman_mail_t) + + dev_read_urand(mailman_mail_t) + +@@ -142,6 +142,10 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_search_config(mailman_mail_t) ++') ++ ++optional_policy(` + cron_read_pipes(mailman_mail_t) + ') + +@@ -182,3 +186,9 @@ optional_policy(` + optional_policy(` + su_exec(mailman_queue_t) + ') ++ ++tunable_policy(`mailman_use_fusefs',` ++ fs_manage_fusefs_dirs(mailman_domain) ++ fs_manage_fusefs_files(mailman_domain) ++ fs_manage_fusefs_symlinks(mailman_domain) ++') +diff --git a/mailscanner.if b/mailscanner.if +index 0293f34..bd1d48e 100644 +--- a/mailscanner.if ++++ b/mailscanner.if +@@ -2,29 +2,27 @@ + + ######################################## + ## +-## Create, read, write, and delete +-## mscan spool content. ++## Execute a domain transition to run ++## MailScanner. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`mscan_manage_spool_content',` ++interface(`mailscanner_initrc_domtrans',` + gen_require(` +- type mscan_spool_t; ++ type mscan_initrc_exec_t; + ') + +- files_search_spool($1) +- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) +- manage_files_pattern($1, mscan_spool_t, mscan_spool_t) ++ init_labeled_script_domtrans($1, mscan_initrc_exec_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mscan environment ++## All of the rules required to administrate ++## an mailscanner environment. 
+ ## + ## + ## +@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',` + ## + ## + # +-interface(`mscan_admin',` ++interface(`mailscanner_admin',` + gen_require(` +- type mscan_t, mscan_etc_t, mscan_initrc_exec_t; +- type mscan_var_run_t, mscan_spool_t; ++ type mscan_t, mscan_var_run_t, mscan_etc_t; ++ type mscan_initrc_exec_t; + ') + +- allow $1 mscan_t:process { ptrace signal_perms }; +- ps_process_pattern($1, mscan_t) +- +- init_labeled_script_domtrans($1, mscan_initrc_exec_t) ++ mailscanner_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mscan_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ allow $1 mscan_t:process signal_perms; ++ ps_process_pattern($1, mscan_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mscan_t:process ptrace; ++ ') ++ + admin_pattern($1, mscan_etc_t) ++ files_list_etc($1) + +- files_search_pids($1 + admin_pattern($1, mscan_var_run_t) +- +- files_search_spool($1) +- admin_pattern($1, mscan_spool_t) ++ files_list_pids($1) + ') +diff --git a/mailscanner.te b/mailscanner.te +index 725ba32..cec64d0 100644 +--- a/mailscanner.te ++++ b/mailscanner.te +@@ -34,6 +34,7 @@ allow mscan_t self:process signal; + allow mscan_t self:fifo_file rw_fifo_file_perms; + + read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) ++list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t) + + manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) + files_pid_filetrans(mscan_t, mscan_var_run_t, file) +@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t) + + dev_read_urand(mscan_t) + +-files_read_usr_files(mscan_t) + + fs_getattr_xattr_fs(mscan_t) + +@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t) + + logging_send_syslog_msg(mscan_t) + +-miscfiles_read_localization(mscan_t) +- + optional_policy(` +- clamav_domtrans_clamscan(mscan_t) ++ antivirus_domtrans(mscan_t) ++ antivirus_manage_pid(mscan_t) + ') + + optional_policy(` +@@ -97,5 +96,6 @@ optional_policy(` + ') + + optional_policy(` ++ 
spamassassin_read_home_client(mscan_t) + spamassassin_read_lib_files(mscan_t) + ') +diff --git a/man2html.if b/man2html.if +index 54ec04d..fe43dea 100644 +--- a/man2html.if ++++ b/man2html.if +@@ -1 +1,127 @@ + ## A Unix manpage-to-HTML converter. ++ ++######################################## ++## ++## Transition to httpd_man2html_script. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`httpd_man2html_script_domtrans',` ++ gen_require(` ++ type httpd_man2html_script_t, httpd_man2html_script_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t) ++') ++ ++######################################## ++## ++## Search httpd_man2html_script cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`httpd_man2html_script_search_cache',` ++ gen_require(` ++ type httpd_man2html_script_cache_t; ++ ') ++ ++ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read httpd_man2html_script cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`httpd_man2html_script_read_cache_files',` ++ gen_require(` ++ type httpd_man2html_script_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## httpd_man2html_script cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`httpd_man2html_script_manage_cache_files',` ++ gen_require(` ++ type httpd_man2html_script_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++') ++ ++######################################## ++## ++## Manage httpd_man2html_script cache dirs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`httpd_man2html_script_manage_cache_dirs',` ++ gen_require(` ++ type httpd_man2html_script_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an httpd_man2html_script environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`httpd_man2html_script_admin',` ++ gen_require(` ++ type httpd_man2html_script_t; ++ type httpd_man2html_script_cache_t; ++ ') ++ ++ allow $1 httpd_man2html_script_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, httpd_man2html_script_t) ++ ++ files_search_var($1) ++ admin_pattern($1, httpd_man2html_script_cache_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/man2html.te b/man2html.te +index e08c55d..9e634bd 100644 +--- a/man2html.te ++++ b/man2html.te +@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0) + # Declarations + # + +-apache_content_template(man2html) + + type httpd_man2html_script_cache_t; + files_type(httpd_man2html_script_cache_t) + + ######################################## + # +-# Local policy ++# httpd_man2html_script local policy + # + +-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) +-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) +-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) +-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir) ++optional_policy(` + +-files_read_etc_files(httpd_man2html_script_t) ++ apache_content_template(man2html) + +-miscfiles_read_localization(httpd_man2html_script_t) +-miscfiles_read_man_pages(httpd_man2html_script_t) ++ allow httpd_man2html_script_t self:process { 
fork }; ++ ++ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) ++ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file }) ++ ++') +diff --git a/mandb.fc b/mandb.fc +index 2de0f64..3c24286 100644 +--- a/mandb.fc ++++ b/mandb.fc +@@ -1 +1,10 @@ + /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) ++ ++/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) ++ ++/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) ++/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) ++ ++/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) ++ ++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) +diff --git a/mandb.if b/mandb.if +index 327f3f7..4f61561 100644 +--- a/mandb.if ++++ b/mandb.if +@@ -1,14 +1,14 @@ +-## On-line manual database. ++ ++## policy for mandb + + ######################################## + ## +-## Execute the mandb program in +-## the mandb domain. ++## Transition to mandb. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`mandb_domtrans',` +@@ -22,33 +22,45 @@ interface(`mandb_domtrans',` + + ######################################## + ## +-## Execute mandb in the mandb +-## domain, and allow the specified +-## role the mandb domain. ++## Search mandb cache directories. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`mandb_search_cache',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ allow $1 mandb_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read mandb cache files. 
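Review bot: `miscfiles_read_man_pages(httpd_man2html_script_t)` and `files_read_etc_files(httpd_man2html_script_t)` are removed without a replacement inside the new `optional_policy` block, so unless that access now arrives through `apache_content_template` or a base attribute (not visible here), the script domain loses read access to the very man pages it converts. If the drop is deliberate, record that with a comment such as `# man page and /etc read access come from the apache content template`. The blank line directly after `optional_policy(\`` and the one before `')` are stray whitespace.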
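Review bot: `/opt/local/share/man(/.*)?` is labelled `mandb_cache_t`, the same type as `/var/cache/man`, and mandb.te gives `mandb_t` create/write/delete on that type; that turns an installed man-page tree into something the mandb domain can modify rather than read-only page content. If the goal is just to let mandb write cat pages or index files there, narrow the regex to those subdirectories; if the whole tree is meant to be writable, a comment above the line explaining why would be useful. `HOME_DIR/\.manpath` labelled as `mandb_home_t` with read-only access in mandb.te looks right.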
++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## + # +-interface(`mandb_run',` ++interface(`mandb_read_cache_files',` + gen_require(` +- attribute_role mandb_roles; ++ type mandb_cache_t; + ') + +- lightsquid_domtrans($1) +- roleattribute $2 mandb_roles; ++ files_search_var($1) ++ read_files_pattern($1, mandb_cache_t, mandb_cache_t) + ') + + ######################################## + ## +-## Search mandb cache directories. ++## Relabel mandb cache files/directories + ## + ## + ## +@@ -56,13 +68,18 @@ interface(`mandb_run',` + ## + ## + # +-interface(`mandb_search_cache',` +- refpolicywarn(`$0($*) has been deprecated') ++interface(`mandb_relabel_cache',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ allow $1 mandb_cache_t:dir relabel_dir_perms; ++ allow $1 mandb_cache_t:file relabel_file_perms; + ') + + ######################################## + ## +-## Delete mandb cache content. ++## Set attributes on mandb cache files. + ## + ## + ## +@@ -70,13 +87,18 @@ interface(`mandb_search_cache',` + ## + ## + # +-interface(`mandb_delete_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') ++interface(`mandb_setattr_cache_dirs',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 mandb_cache_t:dir setattr; + ') + + ######################################## + ## +-## Read mandb cache content. ++## Delete mandb cache files. 
+ ## + ## + ## +@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',` + ## + ## + # +-interface(`mandb_read_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') ++interface(`mandb_delete_cache',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 mandb_cache_t:dir list_dir_perms; ++ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ++ delete_files_pattern($1, mandb_cache_t, mandb_cache_t) ++ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t) + ') + + ######################################## +@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',` + ## + ## + # +-interface(`mandb_manage_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') ++interface(`mandb_manage_cache_files',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, mandb_cache_t, mandb_cache_t) ++') ++ ++######################################## ++## ++## Manage mandb cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mandb_manage_cache_dirs',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mandb environment. ++## Create configuration files in user ++## home directories with a named file ++## type transition. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`mandb_filetrans_named_home_content',` ++ gen_require(` ++ type mandb_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mandb environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. 
+ ## + ## +-## + # + interface(`mandb_admin',` + gen_require(` +- type mandb_t, mandb_cache_t; ++ type mandb_t; ++ type mandb_cache_t, mandb_lock_t; + ') + + allow $1 mandb_t:process { ptrace signal_perms }; + ps_process_pattern($1, mandb_t) + +- mandb_run($1, $2) ++ files_search_var($1) ++ admin_pattern($1, mandb_cache_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, mandb_lock_t) + +- # pending +- # miscfiles_manage_man_cache_content(mandb_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/mandb.te b/mandb.te +index 5a414e0..7fee444 100644 +--- a/mandb.te ++++ b/mandb.te +@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles; + + type mandb_t; + type mandb_exec_t; +-application_domain(mandb_t, mandb_exec_t) ++init_daemon_domain(mandb_t, mandb_exec_t) + role mandb_roles types mandb_t; + ++type mandb_cache_t; ++files_type(mandb_cache_t) ++ ++type mandb_home_t; ++userdom_user_home_content(mandb_home_t) ++ ++type mandb_lock_t; ++files_lock_file(mandb_lock_t) ++ + ######################################## + # + # Local policy + # + +-allow mandb_t self:process signal; ++allow mandb_t self:process { setsched signal }; + allow mandb_t self:fifo_file rw_fifo_file_perms; + allow mandb_t self:unix_stream_socket create_stream_socket_perms; + ++manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t) ++manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) ++manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) ++files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) ++can_exec(mandb_t, mandb_exec_t) ++ ++userdom_search_user_home_dirs(mandb_t) ++allow mandb_t mandb_home_t:file read_file_perms; ++ ++allow mandb_t mandb_lock_t:file manage_file_perms; ++files_lock_filetrans(mandb_t, mandb_lock_t, file) ++ + kernel_read_system_state(mandb_t) + + corecmd_exec_bin(mandb_t) + + domain_use_interactive_fds(mandb_t) + +-files_read_etc_files(mandb_t) ++files_search_locks(mandb_t) + 
+ miscfiles_manage_man_cache(mandb_t) ++miscfiles_setattr_man_pages(mandb_t) + + optional_policy(` + cron_system_entry(mandb_t, mandb_exec_t) + ') ++ +diff --git a/mcelog.if b/mcelog.if +index 9dbe694..ea89ab1 100644 +--- a/mcelog.if ++++ b/mcelog.if +@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',` + domtrans_pattern($1, mcelog_exec_t, mcelog_t) + ') + ++###################################### ++## ++## Read mcelog logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mcelog_read_log',` ++ gen_require(` ++ type mcelog_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -56,6 +75,6 @@ interface(`mcelog_admin',` + logging_search_logs($1) + admin_pattern($1, mcelog_log_t) + +- files_search_pids($1 ++ files_search_pids($1) + admin_pattern($1, mcelog_var_run_t) + ') +diff --git a/mcelog.te b/mcelog.te +index 13ea191..c146d9c 100644 +--- a/mcelog.te ++++ b/mcelog.te +@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) + ## + gen_tunable(mcelog_server, false) + +-## +-##

    +-## Determine whether mcelog can use syslog. +-##

    +-##
    +-gen_tunable(mcelog_syslog, false) +- + type mcelog_t; + type mcelog_exec_t; + init_daemon_domain(mcelog_t, mcelog_exec_t) +@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) + + kernel_read_system_state(mcelog_t) + ++corecmd_exec_shell(mcelog_t) ++corecmd_exec_bin(mcelog_t) ++ + dev_read_raw_memory(mcelog_t) + dev_read_kmsg(mcelog_t) + dev_rw_sysfs(mcelog_t) + +-files_read_etc_files(mcelog_t) +- + mls_file_read_all_levels(mcelog_t) + ++auth_use_nsswitch(mcelog_t) ++ + locallogin_use_fds(mcelog_t) + +-miscfiles_read_localization(mcelog_t) ++logging_send_syslog_msg(mcelog_t) + + tunable_policy(`mcelog_client',` + allow mcelog_t self:unix_stream_socket connectto; +@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',` + allow mcelog_t self:unix_stream_socket { listen accept }; + ') + +-tunable_policy(`mcelog_syslog',` +- logging_send_syslog_msg(mcelog_t) +-') + + optional_policy(` + cron_system_entry(mcelog_t, mcelog_exec_t) +diff --git a/mcollective.fc b/mcollective.fc +new file mode 100644 +index 0000000..821bf88 +--- /dev/null ++++ b/mcollective.fc +@@ -0,0 +1,3 @@ ++/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0) ++ ++/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0) +diff --git a/mcollective.if b/mcollective.if +new file mode 100644 +index 0000000..3f433f1 +--- /dev/null ++++ b/mcollective.if +@@ -0,0 +1,109 @@ ++ ++## policy for mcollective ++ ++######################################## ++## ++## Execute TEMPLATE in the mcollective domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mcollective_domtrans',` ++ gen_require(` ++ type mcollective_t, mcollective_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mcollective_exec_t, mcollective_t) ++') ++ ++######################################## ++## ++## Search mcollective conf directories. ++## ++## ++## ++## Domain allowed access. 
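Review bot: `corecmd_exec_shell(mcelog_t)` and `corecmd_exec_bin(mcelog_t)` let the daemon run shells and binaries with no domain transition, so whatever mcelog executes (presumably its trigger scripts) inherits `dev_read_raw_memory` and `dev_read_kmsg`. If trigger scripts are the reason, say so in a comment, e.g. `# mcelog runs /etc/mcelog triggers; a separate trigger domain would keep raw-memory access out of them`, and consider that split as a follow-up. Removing the `mcelog_syslog` tunable while granting `logging_send_syslog_msg(mcelog_t)` unconditionally also silently changes behaviour for anyone who had set that boolean; a note in the module header would document the removal.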
++## ++## ++# ++interface(`mcollective_search_conf',` ++ gen_require(` ++ type mcollective_etc_rw_t; ++ ') ++ ++ allow $1 mcollective_etc_rw_t:dir search_dir_perms; ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Read mcollective conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mcollective_read_conf_files',` ++ gen_require(` ++ type mcollective_etc_rw_t; ++ ') ++ ++ allow $1 mcollective_etc_rw_t:dir list_dir_perms; ++ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Manage mcollective conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mcollective_manage_conf_files',` ++ gen_require(` ++ type mcollective_etc_rw_t; ++ ') ++ ++ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t) ++ files_search_etc($1) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mcollective environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mcollective_admin',` ++ gen_require(` ++ type mcollective_t; ++ type mcollective_etc_rw_t; ++ ') ++ ++ allow $1 mcollective_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mcollective_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, mcollective_etc_rw_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mcollective.te b/mcollective.te +new file mode 100644 +index 0000000..a04dd6b +--- /dev/null ++++ b/mcollective.te +@@ -0,0 +1,29 @@ ++policy_module(mcollective, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mcollective_t; ++type mcollective_exec_t; ++init_daemon_domain(mcollective_t, mcollective_exec_t) ++cron_system_entry(mcollective_t, mcollective_exec_t) ++ ++permissive mcollective_t; ++ ++type mcollective_etc_rw_t; ++files_type(mcollective_etc_rw_t) ++ ++######################################## ++# ++# mcollective local policy ++# ++allow mcollective_t self:fifo_file rw_fifo_file_perms; ++allow mcollective_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t) ++files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml") ++ ++domain_use_interactive_fds(mcollective_t) ++ +diff --git a/mediawiki.if b/mediawiki.if +index 9771b4b..1c1d012 100644 +--- a/mediawiki.if ++++ b/mediawiki.if +@@ -1 +1,40 @@ +-## Open source wiki package written in PHP. ++## Mediawiki policy ++ ++####################################### ++## ++## Allow the specified domain to read ++## mediawiki tmp files. ++## ++## ++## ++## Domain allowed access. 
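Review bot: `permissive mcollective_t;` makes the new domain log-only, so none of the rules beneath it are enforced and a domain entered via `cron_system_entry` with write access to a file in /etc runs effectively unconfined. If this is a development scaffold, mark it as such so it is not shipped by accident, `# TODO: remove permissive once the mcollective domain is complete`, and track its removal; otherwise drop the line. The summary `Execute TEMPLATE in the mcollective domin.` in mcollective.if is leftover scaffold text as well; `## Execute mcollective in the mcollective domain.` is what the interface does.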
++## ++## ++# ++interface(`mediawiki_read_tmp_files',` ++ gen_require(` ++ type httpd_mediawiki_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++') ++ ++####################################### ++## ++## Delete mediawiki tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mediawiki_delete_tmp_files',` ++ gen_require(` ++ type httpd_mediawiki_tmp_t; ++ ') ++ ++ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) ++') +diff --git a/mediawiki.te b/mediawiki.te +index c528b9f..212712c 100644 +--- a/mediawiki.te ++++ b/mediawiki.te +@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0) + # Declarations + # + +-apache_content_template(mediawiki) ++optional_policy(` ++ ++ apache_content_template(mediawiki) + + ######################################## + # + # Local policy + # + +-files_search_var_lib(httpd_mediawiki_script_t) ++ files_search_var_lib(httpd_mediawiki_script_t) + +-miscfiles_read_tetex_data(httpd_mediawiki_script_t) ++ miscfiles_read_tetex_data(httpd_mediawiki_script_t) ++') +diff --git a/memcached.if b/memcached.if +index 1d4eb19..650014e 100644 +--- a/memcached.if ++++ b/memcached.if +@@ -1,4 +1,4 @@ +-## High-performance memory object caching system. ++## high-performance memory object caching system + + ######################################## + ## +@@ -12,17 +12,16 @@ + # + interface(`memcached_domtrans',` + gen_require(` +- type memcached_t,memcached_exec_t; ++ type memcached_t; ++ type memcached_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, memcached_exec_t, memcached_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## memcached pid files. ++## Read memcached PID files. 
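Review bot: `mediawiki_delete_tmp_files` grants unlink on `httpd_mediawiki_tmp_t` but, unlike `mediawiki_read_tmp_files` directly above it, does not call `files_search_tmp($1)`, so a caller that has no search access to the tmp directory from elsewhere cannot reach the files it is now allowed to delete. Adding `files_search_tmp($1)` before the `delete_files_pattern` line makes the two sibling interfaces consistent.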
+ ## + ## + ## +@@ -30,18 +29,18 @@ interface(`memcached_domtrans',` + ## + ## + # +-interface(`memcached_manage_pid_files',` ++interface(`memcached_read_pid_files',` + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) +- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) ++ allow $1 memcached_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Read memcached pid files. ++## Manage memcached PID files + ## + ## + ## +@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',` + ## + ## + # +-interface(`memcached_read_pid_files',` ++interface(`memcached_manage_pid_files',` + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) +- allow $1 memcached_var_run_t:file read_file_perms; ++ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) + ') + + ######################################## + ## +-## Connect to memcached using a unix +-## domain stream socket. ++## Connect to memcached over a unix stream socket. + ## + ## + ## +@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',` + + ######################################## + ## +-## Connect to memcache over the network. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`memcached_tcp_connect',` +- gen_require(` +- type memcached_t; +- ') +- +- corenet_sendrecv_memcache_client_packets($1) +- corenet_tcp_connect_memcache_port($1) +- corenet_tcp_recvfrom_labeled($1, memcached_t) +- corenet_tcp_sendrecv_memcache_port($1) +-') +- +-######################################## +-## +-## All of the rules required to +-## administrate an memcached environment. ++## All of the rules required to administrate ++## an memcached environment + ## + ## + ## +@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the memcached domain. 
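Review bot: The `memcached_tcp_connect` interface is removed outright in the `@@ -80,29 +78,8 @@` hunk, which breaks the build of any module that still calls it, and nothing in the hunk says whether callers were updated or where the TCP client rules now come from. If the interface is obsolete, keeping a stub that calls `refpolicywarn` and forwards to the replacement lets third-party modules keep building; otherwise every caller needs a matching change in the same patch. The accompanying summary reflow of `memcached_admin` is fine on its own.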
+ ## + ## + ## +@@ -121,14 +98,17 @@ interface(`memcached_admin',` + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; + ') + +- allow $1 memcached_t:process { ptrace signal_perms }; ++ allow $1 memcached_t:process signal_perms; + ps_process_pattern($1, memcached_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 memcached_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, memcached_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 memcached_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, memcached_var_run_t) + ') +diff --git a/memcached.te b/memcached.te +index 4926208..4396320 100644 +--- a/memcached.te ++++ b/memcached.te +@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) + # Local policy + # + +-allow memcached_t self:capability { setuid setgid }; ++allow memcached_t self:capability { setuid setgid sys_resource }; + dontaudit memcached_t self:capability sys_tty_config; + allow memcached_t self:process { setrlimit signal_perms }; + allow memcached_t self:tcp_socket { accept listen }; +@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t) + corenet_udp_bind_memcache_port(memcached_t) + corenet_udp_sendrecv_all_ports(memcached_t) + ++dev_read_sysfs(memcached_t) ++ + term_dontaudit_use_all_ptys(memcached_t) + term_dontaudit_use_all_ttys(memcached_t) + term_dontaudit_use_console(memcached_t) + + auth_use_nsswitch(memcached_t) + +-miscfiles_read_localization(memcached_t) +diff --git a/milter.fc b/milter.fc +index 89409eb..67e42f6 100644 +--- a/milter.fc ++++ b/milter.fc +@@ -1,18 +1,29 @@ ++/etc/mail/dkim-milter/keys(/.*)? 
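Review bot: `sys_resource` is added to memcached_t's capability set in the `@@ -20,7 +20,7 @@` hunk of memcached.te without a comment saying what needs it. It sits two lines above the existing `setrlimit` process permission, so presumably memcached raises its file-descriptor limit past the hard limit at start-up; if so, `# sys_resource: raise RLIMIT_NOFILE above the hard limit (pairs with setrlimit below)` records the reason. The removal of `miscfiles_read_localization(memcached_t)` in the following hunk looks like it relies on locale access now coming from a base attribute — worth confirming, since otherwise the daemon silently loses it.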
gen_context(system_u:object_r:dkim_milter_private_key_t,s0) ++ ++/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) ++/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) ++/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) + /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) ++/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) ++/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) + /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) + +-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) ++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) + +-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/run/spamass(/.*)? 
gen_context(system_u:object_r:spamass_milter_data_t,s0) +-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) + /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + +-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) ++/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) + /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) ++/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +diff --git a/milter.if b/milter.if +index cba62db..562833a 100644 +--- a/milter.if ++++ b/milter.if +@@ -1,47 +1,43 @@ +-## Milter mail filters. ++## Milter mail filters + +-####################################### ++######################################## + ## +-## The template to define a milter domain. ++## Create a set of derived types for various ++## mail filter applications using the milter interface. + ## +-## ++## + ## +-## Domain prefix to be used. ++## The name to be used for deriving type names. 
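Review bot: The new `dkim_milter_private_key_t` label is applied only to `/etc/mail/dkim-milter/keys(/.*)?`, yet `opendkim` and `opendmarc` are given the same `dkim_milter_exec_t` and no key directory is listed for them; if those daemons keep their signing keys elsewhere, the keys stay under the generic `/etc` label and never get the narrower type that `milter.te` reads with `read_files_pattern`. Worth confirming where each packaged daemon stores its keys and adding matching entries so the private-key type actually covers them. Separately, `/var/run/opendkim(/.*)?` is placed after the spamass-milter pid line rather than beside the other dkim runtime entries; ordering is cosmetic but keeps the file scannable.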
+ ## + ## + # + template(`milter_template',` ++ # attributes common to all milters + gen_require(` + attribute milter_data_type, milter_domains; + ') + +- ######################################## +- # +- # Declarations +- # +- + type $1_milter_t, milter_domains; + type $1_milter_exec_t; + init_daemon_domain($1_milter_t, $1_milter_exec_t) ++ role system_r types $1_milter_t; + ++ # Type for the milter data (e.g. the socket used to communicate with the MTA) + type $1_milter_data_t, milter_data_type; + files_pid_file($1_milter_data_t) + +- ######################################## +- # +- # Policy +- # ++ # Allow communication with MTA over a unix-domain socket ++ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + ++ # Create other data files and directories in the data directory + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) +- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + +- auth_use_nsswitch($1_milter_t) ++ logging_send_syslog_msg($1_milter_t) + ') + + ######################################## + ## +-## connect to all milter domains using +-## a unix domain stream socket. ++## MTA communication with milter sockets + ## + ## + ## +@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',` + ') + + files_search_pids($1) ++ getattr_dirs_pattern($1, milter_data_type, milter_data_type) + stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) + ') + + ######################################## + ## +-## Get attributes of all milter sock files. ++## Allow getattr of milter sockets + ## + ## + ## +@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',` + attribute milter_data_type; + ') + ++ getattr_dirs_pattern($1, milter_data_type, milter_data_type) + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## spamassissin milter data content. 
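Review bot: `role system_r types $1_milter_t;` added to `milter_template` is, as far as I can tell, already provided by `init_daemon_domain` in reference policy, so the explicit line is redundant; confirm against the init interface before keeping it. The template also drops `auth_use_nsswitch($1_milter_t)` while milter.te re-adds `auth_use_nsswitch` separately for the dkim, greylist, regex and spamass domains, which is a net no-op that could simply stay in the template. The new `# Type for the milter data ...` comment is a useful addition.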
++## Allow setattr of milter dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`milter_setattr_all_dirs',` ++ gen_require(` ++ attribute milter_data_type; ++ ') ++ ++ setattr_dirs_pattern($1, milter_data_type, milter_data_type) ++') ++ ++######################################## ++## ++## Manage spamassassin milter state + ## + ## + ## +@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',` + manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + ') ++ ++####################################### ++## ++## Delete dkim-milter PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`milter_delete_dkim_pid_files',` ++ gen_require(` ++ type dkim_milter_data_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) ++') +diff --git a/milter.te b/milter.te +index 92508b2..db83591 100644 +--- a/milter.te ++++ b/milter.te +@@ -1,77 +1,110 @@ +-policy_module(milter, 1.4.2) ++policy_module(milter, 1.4.0) + + ######################################## + # + # Declarations + # + ++# attributes common to all milters + attribute milter_domains; + attribute milter_data_type; + ++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter ++milter_template(dkim) ++ ++# type for the private key of dkim-milter ++type dkim_milter_private_key_t; ++files_type(dkim_milter_private_key_t) ++ ++# currently-supported milters are milter-greylist, milter-regex and spamass-milter + milter_template(greylist) + milter_template(regex) + milter_template(spamass) + ++# Type for the spamass-milter home directory, under which spamassassin will ++# store system-wide preferences, bayes databases etc. 
if not configured to ++# use per-user configuration + type spamass_milter_state_t; + files_type(spamass_milter_state_t) + ++ + ####################################### + # +-# Common local policy ++# milter domains local policy + # + ++# Allow communication with MTA over a unix-domain socket ++# Note: usage with TCP sockets requires additional policy ++ + allow milter_domains self:fifo_file rw_fifo_file_perms; +-allow milter_domains self:tcp_socket { accept listen }; ++ ++# Allow communication with MTA over a TCP socket ++allow milter_domains self:tcp_socket create_stream_socket_perms; + + kernel_dontaudit_read_system_state(milter_domains) + +-corenet_all_recvfrom_unlabeled(milter_domains) +-corenet_all_recvfrom_netlabel(milter_domains) +-corenet_tcp_sendrecv_generic_if(milter_domains) +-corenet_tcp_sendrecv_generic_node(milter_domains) + corenet_tcp_bind_generic_node(milter_domains) +- + corenet_tcp_bind_milter_port(milter_domains) +-corenet_tcp_sendrecv_all_ports(milter_domains) + +-miscfiles_read_localization(milter_domains) ++dev_read_rand(milter_domains) ++dev_read_urand(milter_domains) ++ ++mta_read_config(milter_domains) ++ ++sysnet_read_config(greylist_milter_t) ++ ++####################################### ++# ++# dkim-milter local policy ++# ++ ++allow dkim_milter_t self:capability { kill setgid setuid }; ++allow dkim_milter_t self:process signal; ++allow dkim_milter_t self:tcp_socket create_stream_socket_perms; ++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; + +-logging_send_syslog_msg(milter_domains) ++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) ++ ++kernel_read_kernel_sysctls(dkim_milter_t) ++ ++auth_use_nsswitch(dkim_milter_t) ++ ++sysnet_dns_name_resolve(dkim_milter_t) + + ######################################## + # +-# greylist local policy ++# milter-greylist local policy ++# ensure smtp clients retry mail like real MTAs and not spamware ++# http://hcpnet.free.fr/milter-greylist/ 
+ # + ++# It removes any existing socket (not owned by root) whilst running as root, ++# fixes permissions, renices itself and then calls setgid() and setuid() to ++# drop privileges + allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; + allow greylist_milter_t self:process { setsched getsched }; + ++allow greylist_milter_t self:tcp_socket create_stream_socket_perms; ++ ++# It creates a pid file /var/run/milter-greylist.pid + files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) + + kernel_read_kernel_sysctls(greylist_milter_t) + +-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t) +-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) +-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t) +-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) +-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t) +- +-corenet_sendrecv_kismet_server_packets(greylist_milter_t) +-corenet_tcp_bind_kismet_port(greylist_milter_t) +-corenet_tcp_sendrecv_kismet_port(greylist_milter_t) +- + corecmd_exec_bin(greylist_milter_t) + corecmd_exec_shell(greylist_milter_t) + +-dev_read_rand(greylist_milter_t) +-dev_read_urand(greylist_milter_t) ++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) ++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) ++corenet_tcp_bind_rtsclient_port(greylist_milter_t) + +-files_read_usr_files(greylist_milter_t) ++# perl getgroups() reads a bunch of files in /etc ++# Allow the milter to read a GeoIP database in /usr/share ++# The milter runs from /var/lib/milter-greylist and maintains files there + files_search_var_lib(greylist_milter_t) + +-mta_read_config(greylist_milter_t) +- +-miscfiles_read_localization(greylist_milter_t) ++# Look up username for dropping privs ++auth_use_nsswitch(greylist_milter_t) + + optional_policy(` + mysql_stream_connect(greylist_milter_t) +@@ -79,30 +112,45 @@ optional_policy(` + + ######################################## + # +-# regex local policy ++# milter-regex 
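Review bot: `policy_module(milter, 1.4.2)` becomes `policy_module(milter, 1.4.0)` — a version decrease on a module that is otherwise gaining a whole new domain, which misleads anyone comparing installed module versions; it should go up. The comment pair `# Allow communication with MTA over a unix-domain socket` / `# Note: usage with TCP sockets requires additional policy` sits above the fifo rule, but three lines later `create_stream_socket_perms` on `tcp_socket` is granted to all milter domains, so the note is stale and should be dropped or reworded. `sysnet_read_config(greylist_milter_t)` is placed under the `milter domains local policy` header although it is greylist-specific; it belongs in the `milter-greylist local policy` section that starts in the same hunk.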
local policy ++# filter emails using regular expressions ++# http://www.benzedrine.cx/milter-regex.html + # + ++# It removes any existing socket (not owned by root) whilst running as root ++# and then calls setgid() and setuid() to drop privileges + allow regex_milter_t self:capability { setuid setgid dac_override }; + ++# The milter's socket directory lives under /var/spool + files_search_spool(regex_milter_t) + +-mta_read_config(regex_milter_t) ++# Look up username for dropping privs ++auth_use_nsswitch(regex_milter_t) + + ######################################## + # +-# spamass local policy ++# spamass-milter local policy ++# pipe emails through SpamAssassin ++# http://savannah.nongnu.org/projects/spamass-milt/ + # + ++# The milter runs from /var/lib/spamass-milter + allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; ++files_search_var_lib(spamass_milter_t) + + kernel_read_system_state(spamass_milter_t) + ++# When used with -b or -B options, the milter invokes sendmail to send mail ++# to a spamtrap address, using popen() + corecmd_exec_shell(spamass_milter_t) ++corecmd_read_bin_symlinks(spamass_milter_t) ++corecmd_search_bin(spamass_milter_t) + +-files_search_var_lib(spamass_milter_t) ++auth_use_nsswitch(spamass_milter_t) + + mta_send_mail(spamass_milter_t) + ++# The main job of the milter is to pipe spam through spamc and act on the result + optional_policy(` + spamassassin_domtrans_client(spamass_milter_t) + ') +diff --git a/mock.fc b/mock.fc +new file mode 100644 +index 0000000..8d0e473 +--- /dev/null ++++ b/mock.fc +@@ -0,0 +1,5 @@ ++ ++/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) ++ ++/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) ++/var/cache/mock(/.*)? 
gen_context(system_u:object_r:mock_cache_t,s0) +diff --git a/mock.if b/mock.if +new file mode 100644 +index 0000000..6568bfe +--- /dev/null ++++ b/mock.if +@@ -0,0 +1,310 @@ ++## policy for mock ++ ++######################################## ++## ++## Execute a domain transition to run mock. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mock_domtrans',` ++ gen_require(` ++ type mock_t, mock_exec_t; ++ ') ++ ++ domtrans_pattern($1, mock_exec_t, mock_t) ++') ++ ++######################################## ++## ++## Search mock lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_search_lib',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ allow $1 mock_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read mock lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_read_lib_files',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++') ++ ++######################################## ++## ++## Getattr on mock lib file,dir,sock_file ... ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_getattr_lib',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ allow $1 mock_var_lib_t:dir_file_class_set getattr; ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## mock lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_manage_lib_files',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mock lib dirs files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mock_manage_lib_dirs',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) ++') ++ ++######################################### ++## ++## Manage mock lib symlinks. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_manage_lib_symlinks',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mock lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_manage_lib_chr_files',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mock lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_dontaudit_write_lib_chr_files',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ dontaudit $1 mock_var_lib_t:chr_file write; ++') ++ ++####################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mock_dontaudit_leaks',` ++ gen_require(` ++ type mock_tmp_t; ++ ') ++ ++ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Execute mock in the mock domain, and ++## allow the specified role the mock domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the mock domain. 
++## ++## ++## ++# ++interface(`mock_run',` ++ gen_require(` ++ type mock_t; ++ type mock_build_t; ++ ') ++ ++ mock_domtrans($1) ++ role $2 types mock_t; ++ role $2 types mock_build_t; ++ ++ mount_run(mock_t, $2) ++') ++ ++######################################## ++## ++## Role access for mock ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++## ++# ++interface(`mock_role',` ++ gen_require(` ++ type mock_t; ++ ') ++ ++ role $1 types mock_t; ++ ++ mock_run($2, $1) ++ ++ ps_process_pattern($2, mock_t) ++ allow $2 mock_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 mock_t:process ptrace; ++ ') ++ ++ optional_policy(` ++ mock_read_lib_files($2) ++ ') ++') ++ ++####################################### ++## ++## Send a generic signal to mock. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_signal',` ++ gen_require(` ++ type mock_t; ++ ') ++ ++ allow $1 mock_t:process signal; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mock environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_admin',` ++ gen_require(` ++ type mock_t, mock_var_lib_t; ++ type mock_build_t, mock_etc_t, mock_tmp_t; ++ ') ++ ++ allow $1 mock_t:process signal_perms; ++ ps_process_pattern($1, mock_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mock_t:process ptrace; ++ allow $1 mock_build_t:process ptrace; ++ ') ++ ++ allow $1 mock_build_t:process signal_perms; ++ ps_process_pattern($1, mock_build_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, mock_var_lib_t) ++ ++ files_list_tmp($1) ++ admin_pattern($1, mock_tmp_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, mock_etc_t) ++') +diff --git a/mock.te b/mock.te +new file mode 100644 +index 0000000..7245033 +--- /dev/null ++++ b/mock.te +@@ -0,0 +1,273 @@ ++policy_module(mock,1.0.0) ++ ++## ++##
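Review bot: Three interfaces carry copy-pasted summaries: `mock_manage_lib_chr_files` and `mock_dontaudit_write_lib_chr_files` both read `Manage mock lib files.`, and `mock_manage_lib_dirs` reads `Manage mock lib dirs files.`; they should say `Manage mock lib character device files.`, `Do not audit attempts to write mock lib character device files.` and `Manage mock lib directories.` respectively. `mock_role` and `mock_run` also deserve a sentence noting that the role receives `mock_build_t` and `mount_run` as well, because with the capability set mock.te gives `mock_t` (sys_admin, sys_ptrace, sys_chroot, mknod, setuid) granting a role `mock_role` is effectively granting it near-root privilege; that is presumably intended for a build tool, but the interface documentation should say so.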

    ++## Allow mock to read files in home directories. ++##

    ++##
    ++gen_tunable(mock_enable_homedirs, false) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mock_t; ++type mock_exec_t; ++application_domain(mock_t, mock_exec_t) ++domain_role_change_exemption(mock_t) ++domain_system_change_exemption(mock_t) ++role system_r types mock_t; ++ ++type mock_build_t; ++type mock_build_exec_t; ++application_domain(mock_build_t, mock_build_exec_t) ++role system_r types mock_build_t; ++ ++type mock_cache_t; ++files_type(mock_cache_t) ++ ++type mock_tmp_t; ++files_tmp_file(mock_tmp_t) ++ ++type mock_var_lib_t; ++files_type(mock_var_lib_t) ++ ++type mock_var_run_t; ++files_pid_file(mock_var_run_t) ++ ++type mock_etc_t; ++files_config_file(mock_etc_t) ++ ++######################################## ++# ++# mock local policy ++# ++ ++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; ++# Needed because mock can run java and mono withing build environment ++allow mock_t self:process { execmem execstack }; ++dontaudit mock_t self:process { siginh noatsecure rlimitinh }; ++allow mock_t self:fifo_file manage_fifo_file_perms; ++allow mock_t self:unix_stream_socket create_stream_socket_perms; ++allow mock_t self:unix_dgram_socket create_socket_perms; ++ ++allow mock_t mock_build_t:process { siginh noatsecure rlimitinh }; ++ ++manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t) ++manage_files_pattern(mock_t, mock_cache_t, mock_cache_t) ++manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t) ++files_var_filetrans(mock_t, mock_cache_t, { dir file } ) ++ ++read_files_pattern(mock_t, mock_etc_t, mock_etc_t) ++read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t) ++ ++manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) ++manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) ++manage_lnk_files_pattern(mock_t, 
mock_tmp_t, mock_tmp_t) ++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) ++manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) ++manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) ++manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) ++manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) ++files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) ++allow mock_t mock_var_lib_t:dir mounton; ++allow mock_t mock_var_lib_t:dir relabel_dir_perms; ++allow mock_t mock_var_lib_t:file relabel_file_perms; ++ ++manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) ++files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file }) ++ ++kernel_read_irq_sysctls(mock_t) ++kernel_read_system_state(mock_t) ++kernel_read_network_state(mock_t) ++kernel_read_kernel_sysctls(mock_t) ++kernel_request_load_module(mock_t) ++kernel_dontaudit_setattr_proc_dirs(mock_t) ++kernel_read_fs_sysctls(mock_t) ++# we run mount in mock_t ++kernel_mount_proc(mock_t) ++kernel_unmount_proc(mock_t) ++ ++fs_mount_tmpfs(mock_t) ++fs_unmount_tmpfs(mock_t) ++fs_unmount_xattr_fs(mock_t) ++ ++corecmd_exec_bin(mock_t) ++corecmd_exec_shell(mock_t) ++corecmd_dontaudit_exec_all_executables(mock_t) ++ ++corenet_tcp_connect_git_port(mock_t) ++corenet_tcp_connect_http_port(mock_t) ++corenet_tcp_connect_ftp_port(mock_t) ++corenet_tcp_connect_all_ephemeral_ports(mock_t) ++ ++dev_read_urand(mock_t) ++dev_rw_sysfs(mock_t) ++dev_setattr_sysfs_dirs(mock_t) ++dev_mount_sysfs_fs(mock_t) ++dev_unmount_sysfs_fs(mock_t) ++ ++domain_read_all_domains_state(mock_t) ++domain_use_interactive_fds(mock_t) ++ ++files_read_etc_runtime_files(mock_t) ++files_dontaudit_list_boot(mock_t) 
++files_list_isid_type_dirs(mock_t) ++ ++fs_getattr_all_fs(mock_t) ++fs_manage_cgroup_dirs(mock_t) ++fs_search_all(mock_t) ++fs_setattr_tmpfs_dirs(mock_t) ++ ++selinux_get_enforce_mode(mock_t) ++ ++term_search_ptys(mock_t) ++term_mount_pty_fs(mock_t) ++term_unmount_pty_fs(mock_t) ++ ++auth_use_nsswitch(mock_t) ++ ++init_exec(mock_t) ++init_dontaudit_stream_connect(mock_t) ++ ++libs_exec_ldconfig(mock_t) ++ ++logging_send_audit_msgs(mock_t) ++logging_send_syslog_msg(mock_t) ++ ++userdom_use_user_ptys(mock_t) ++ ++files_search_home(mock_t) ++ ++tunable_policy(`mock_enable_homedirs',` ++ userdom_manage_user_home_content_dirs(mock_t) ++ userdom_manage_user_home_content_files(mock_t) ++') ++ ++tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',` ++ rpc_search_nfs_state_data(mock_t) ++ fs_list_auto_mountpoints(mock_t) ++ fs_manage_nfs_files(mock_t) ++') ++ ++tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',` ++ fs_list_auto_mountpoints(mock_t) ++ fs_read_cifs_files(mock_t) ++ fs_manage_cifs_files(mock_t) ++') ++ ++optional_policy(` ++ abrt_read_spool_retrace(mock_t) ++ abrt_read_cache_retrace(mock_t) ++ abrt_stream_connect(mock_t) ++') ++ ++optional_policy(` ++ apache_read_sys_content_rw_files(mock_t) ++') ++ ++optional_policy(` ++ rpm_exec(mock_t) ++ rpm_manage_cache(mock_t) ++ rpm_manage_db(mock_t) ++ rpm_manage_tmp_files(mock_t) ++ rpm_read_log(mock_t) ++') ++ ++optional_policy(` ++ mount_exec(mock_t) ++ mount_rw_pid_files(mock_t) ++') ++ ++ ++######################################## ++# ++# mock_build local policy ++# ++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; ++dontaudit mock_build_t self:capability audit_write; ++allow mock_build_t self:process { fork setsched setpgid signal_perms }; ++allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; ++# Needed because mock can run java and mono withing build environment ++allow mock_build_t 
self:process { execmem execstack }; ++dontaudit mock_build_t self:process { siginh noatsecure rlimitinh }; ++allow mock_build_t self:fifo_file manage_fifo_file_perms; ++allow mock_build_t self:unix_stream_socket create_stream_socket_perms; ++allow mock_build_t self:unix_dgram_socket create_socket_perms; ++allow mock_build_t self:dir list_dir_perms; ++allow mock_build_t self:dir read_file_perms; ++ ++ps_process_pattern(mock_t, mock_build_t) ++allow mock_t mock_build_t:process signal_perms; ++domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t) ++domtrans_pattern(mock_t, mock_tmp_t, mock_build_t) ++domain_entry_file(mock_build_t, mock_tmp_t) ++domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t) ++domain_entry_file(mock_build_t, mock_var_lib_t) ++ ++manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t) ++manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t) ++manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t) ++files_var_filetrans(mock_build_t, mock_cache_t, { dir file } ) ++ ++manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t) ++manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t) ++files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file }) ++can_exec(mock_build_t, mock_tmp_t) ++ ++manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) ++manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) ++manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) ++manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) ++manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) ++files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file }) ++can_exec(mock_build_t, mock_var_lib_t) ++allow mock_build_t mock_var_lib_t:dir mounton; ++allow mock_build_t mock_var_lib_t:dir relabel_dir_perms; ++allow mock_build_t mock_var_lib_t:file relabel_file_perms; ++ ++kernel_list_proc(mock_build_t) ++kernel_read_irq_sysctls(mock_build_t) 
++kernel_read_system_state(mock_build_t) ++kernel_read_network_state(mock_build_t) ++kernel_read_kernel_sysctls(mock_build_t) ++kernel_request_load_module(mock_build_t) ++kernel_dontaudit_setattr_proc_dirs(mock_build_t) ++ ++corecmd_exec_bin(mock_build_t) ++corecmd_exec_shell(mock_build_t) ++corecmd_dontaudit_exec_all_executables(mock_build_t) ++ ++dev_getattr_all_chr_files(mock_build_t) ++dev_dontaudit_list_all_dev_nodes(mock_build_t) ++dev_dontaudit_getattr_all(mock_build_t) ++fs_getattr_all_dirs(mock_build_t) ++dev_read_sysfs(mock_build_t) ++ ++domain_dontaudit_read_all_domains_state(mock_build_t) ++domain_use_interactive_fds(mock_build_t) ++ ++files_dontaudit_list_boot(mock_build_t) ++ ++fs_getattr_all_fs(mock_build_t) ++fs_manage_cgroup_dirs(mock_build_t) ++ ++selinux_get_enforce_mode(mock_build_t) ++ ++auth_use_nsswitch(mock_build_t) ++ ++init_exec(mock_build_t) ++init_dontaudit_stream_connect(mock_build_t) ++ ++libs_exec_ldconfig(mock_build_t) ++ ++tunable_policy(`mock_enable_homedirs',` ++ userdom_read_user_home_content_files(mock_build_t) ++') +diff --git a/modemmanager.fc b/modemmanager.fc +index a83894c..481dca3 100644 +--- a/modemmanager.fc ++++ b/modemmanager.fc +@@ -1 +1,4 @@ + /usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) ++/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) ++ ++/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) +diff --git a/modemmanager.if b/modemmanager.if +index b1ac8b5..9b22bea 100644 +--- a/modemmanager.if ++++ b/modemmanager.if +@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` + + ######################################## + ## ++## Execute modemmanager server in the modemmanager domain. ++## ++## ++## ++## Domain allowed access. 
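Review bot: `dontaudit mock_t self:process { siginh noatsecure rlimitinh };` is dead: the `allow mock_t self:process { ... }` line two above already grants all three permissions, so there is nothing left to suppress and the line can go (the matching dontaudit for `mock_build_t` is meaningful, since its allow line lacks those permissions). `allow mock_build_t self:dir read_file_perms;` directly after `list_dir_perms` on the same class looks like a mix-up and is presumably covered by the list rule. The `gen_tunable(mock_enable_homedirs, false)` description at the top shows none of the `<desc>`/`<p>` tags a tunable description normally carries — that may be an artefact of this copy, but worth checking the committed file. The long `allow mock_t self:capability { sys_admin sys_ptrace ... }` line would benefit from a one-line comment stating that mock_t is intentionally near-root because it builds and enters chroots.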
++## ++## ++# ++interface(`modemmanager_systemctl',` ++ gen_require(` ++ type modemmanager_t; ++ type modemmanager_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 modemmanager_unit_file_t:file read_file_perms; ++ allow $1 modemmanager_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, modemmanager_t) ++') ++ ++######################################## ++## + ## Send and receive messages from + ## modemmanager over dbus. + ## +@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',` + allow $1 modemmanager_t:dbus send_msg; + allow modemmanager_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an modemmanager environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`modemmanager_admin',` ++ gen_require(` ++ type modemmanager_t; ++ type modemmanager_unit_file_t; ++ ') ++ ++ allow $1 modemmanager_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, modemmanager_t) ++ ++ modemmanager_systemctl($1) ++ admin_pattern($1, modemmanager_unit_file_t) ++ allow $1 modemmanager_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/modemmanager.te b/modemmanager.te +index cb4c13d..ab6fb25 100644 +--- a/modemmanager.te ++++ b/modemmanager.te +@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) + typealias modemmanager_t alias ModemManager_t; + typealias modemmanager_exec_t alias ModemManager_exec_t; + ++type modemmanager_unit_file_t; ++systemd_unit_file(modemmanager_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t) + dev_read_sysfs(modemmanager_t) + dev_rw_modem(modemmanager_t) + +-files_read_etc_files(modemmanager_t) + + term_use_generic_ptys(modemmanager_t) + 
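Review bot: The summary on the new `modemmanager_systemctl` interface says `Execute modemmanager server in the modemmanager domain.`, but the body grants `systemd_exec_systemctl($1)` plus read and `manage_service_perms` on `modemmanager_unit_file_t`, i.e. it lets the caller drive the service through systemctl rather than run the daemon binary in modemmanager_t. I would change the summary to `## Execute systemctl against the modemmanager unit (start/stop/status of the service).`, since the description is what policy readers grep for when deciding which interface to grant. The trailing `ps_process_pattern($1, modemmanager_t)` is not needed by systemctl itself and deserves a one-line why-comment such as `# let the caller see the daemon in ps/systemctl status`.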
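Review bot: `modemmanager_admin` grants `allow $1 modemmanager_t:process { ptrace signal_perms };` unconditionally, whereas `mozilla_run_plugin` later in this same patch only allows ptrace inside a `deny_ptrace` tunable_policy block. For consistency with that convention I would keep `allow $1 modemmanager_t:process signal_perms;` unconditional and move the `ptrace` permission into a `tunable_policy` on `deny_ptrace`, so the system-wide switch still covers this admin interface. The `optional_policy` block that calls `systemd_passwd_agent_exec($1)` also lacks any comment on why a modem admin needs the passwd agent; one line stating the use case would help.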
term_use_unallocated_ttys(modemmanager_t) ++term_use_usb_ttys(modemmanager_t) + +-miscfiles_read_localization(modemmanager_t) ++xserver_read_state_xdm(modemmanager_t) + + logging_send_syslog_msg(modemmanager_t) + +diff --git a/mojomojo.if b/mojomojo.if +index 73952f4..b19a6ee 100644 +--- a/mojomojo.if ++++ b/mojomojo.if +@@ -15,7 +15,6 @@ + ## Role allowed access. + ##
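Review bot: `xserver_read_state_xdm(modemmanager_t)` arrives in place of `miscfiles_read_localization` with no explanation, and a modem daemon reading the display manager's state is an unusual grant that should carry a why-comment, e.g. `# ModemManager reads xdm state for <reason> -- TODO confirm still required`, or be dropped if it only came from an AVC trace. The removal of `files_read_etc_files` and the localization access is presumably because the base policy now grants them to every domain; if so, one sentence in the commit message saying that would spare the next reviewer from checking.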
    + ## +-## + # + interface(`mojomojo_admin',` + refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') +diff --git a/mojomojo.te b/mojomojo.te +index 7e534cf..3652584 100644 +--- a/mojomojo.te ++++ b/mojomojo.te +@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1) + # Declarations + # + +-apache_content_template(mojomojo) ++type httpd_mojomojo_tmp_t; ++files_tmp_file(httpd_mojomojo_tmp_t) + + ######################################## + # + # Local policy + # + +-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; ++optional_policy(` ++ apache_content_template(mojomojo) + +-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) +-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) +-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) ++ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; + +-files_search_var_lib(httpd_mojomojo_script_t) ++ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) ++ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) ++ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) + +-sysnet_dns_name_resolve(httpd_mojomojo_script_t) ++ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) ++ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) ++ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) ++ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) ++ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) + +-mta_send_mail(httpd_mojomojo_script_t) ++ files_search_var_lib(httpd_mojomojo_script_t) ++ ++ sysnet_dns_name_resolve(httpd_mojomojo_script_t) ++ ++ mta_send_mail(httpd_mojomojo_script_t) ++ ++ optional_policy(` ++ mysql_stream_connect(httpd_mojomojo_script_t) ++ ') ++ ++ optional_policy(` ++ postgresql_stream_connect(httpd_mojomojo_script_t) 
++ ')
++')
+diff --git a/mongodb.te b/mongodb.te
+index 4de8949..7bd7e35 100644
+--- a/mongodb.te
++++ b/mongodb.te
+@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
+ corenet_all_recvfrom_netlabel(mongod_t)
+ corenet_tcp_sendrecv_generic_if(mongod_t)
+ corenet_tcp_sendrecv_generic_node(mongod_t)
++corenet_tcp_connect_mongod_port(mongod_t)
+ corenet_tcp_bind_generic_node(mongod_t)
+ 
+ dev_read_sysfs(mongod_t)
+ dev_read_urand(mongod_t)
+ 
+-files_read_etc_files(mongod_t)
+-
+ fs_getattr_all_fs(mongod_t)
+ 
+-miscfiles_read_localization(mongod_t)
+diff --git a/mono.te b/mono.te
+index d287fe9..3dc493c 100644
+--- a/mono.te
++++ b/mono.te
+@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
+ # local policy
+ #
+ 
+-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
++userdom_filetrans_home_content(mono_t)
+ 
+ init_dbus_chat_script(mono_t)
+ 
+diff --git a/monop.if b/monop.if
+index 8fdaece..5440757 100644
+--- a/monop.if
++++ b/monop.if
+@@ -31,7 +31,7 @@ interface(`monop_admin',`
+ role_transition $2 monopd_initrc_exec_t system_r;
+ allow $2 system_r;
+ 
+- logging_search_etc($1)
++ logging_search_logs($1)
+ admin_pattern($1, monopd_etc_t)
+ 
+ files_search_pids($1)
+diff --git a/monop.te b/monop.te
+index 4462c0e..84944d1 100644
+--- a/monop.te
++++ b/monop.te
+@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
+ kernel_list_proc(monopd_t)
+ kernel_read_proc_symlinks(monopd_t)
+ 
+-corenet_all_recvfrom_unlabeled(monopd_t)
+ corenet_all_recvfrom_netlabel(monopd_t)
+ corenet_tcp_sendrecv_generic_if(monopd_t)
+ corenet_tcp_sendrecv_generic_node(monopd_t)
+@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
+ 
+ domain_use_interactive_fds(monopd_t)
+ 
+-files_read_etc_files(monopd_t)
+-
+ fs_getattr_all_fs(monopd_t)
+ fs_search_auto_mountpoints(monopd_t)
+ 
+ logging_send_syslog_msg(monopd_t)
+ 
+-miscfiles_read_localization(monopd_t)
+-
+ sysnet_dns_name_resolve(monopd_t)
+ 
+ 
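Review bot: `corenet_tcp_connect_postgresql_port`, `corenet_tcp_connect_mysqld_port` and the two matching `corenet_sendrecv_*_client_packets` lines give `httpd_mojomojo_script_t` unconditional TCP access to database ports, whereas refpolicy's apache module, as far as I recall, gates the equivalent access for its own domains behind the `httpd_can_network_connect_db` boolean. I would wrap those four lines in a `tunable_policy` block on `httpd_can_network_connect_db` so the administrator keeps the switch; the `mysql_stream_connect` and `postgresql_stream_connect` calls already present in the nested optional_policy blocks cover the local-socket case. Separately, `httpd_mojomojo_tmp_t` is declared outside the `optional_policy` block while every rule that uses it is inside; that is harmless, but a comment such as `# declared unconditionally so the file context stays valid without apache` would explain the split.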
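Review bot: The new `logging_search_logs($1)` sits directly above `admin_pattern($1, monopd_etc_t)`, and nothing in the hunk lets `$1` search `/etc` to reach that type, so the admin role may still be unable to traverse to `monopd_etc_t` (the removed `logging_search_etc` was not a real interface either, which is presumably why it was touched). Unless `files_search_etc($1)` already appears earlier in `monop_admin` (the interface starts outside the hunk), I would use `files_search_etc($1)` on this line and keep `logging_search_logs($1)` only next to a log type the interface actually administers.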
userdom_dontaudit_use_unpriv_user_fds(monopd_t) +diff --git a/motion.fc b/motion.fc +new file mode 100644 +index 0000000..7415106 +--- /dev/null ++++ b/motion.fc +@@ -0,0 +1,9 @@ ++/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0) ++ ++/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0) ++ ++/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0) ++ ++/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0) ++ ++/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0) +diff --git a/motion.if b/motion.if +new file mode 100644 +index 0000000..1b1b04c +--- /dev/null ++++ b/motion.if +@@ -0,0 +1,193 @@ ++ ++## Detect motion using a video4linux device ++ ++######################################## ++## ++## Execute TEMPLATE in the motion domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`motion_domtrans',` ++ gen_require(` ++ type motion_t, motion_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, motion_exec_t, motion_t) ++') ++######################################## ++## ++## Read motion's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`motion_read_log',` ++ gen_require(` ++ type motion_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, motion_log_t, motion_log_t) ++') ++ ++######################################## ++## ++## Append to motion log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`motion_append_log',` ++ gen_require(` ++ type motion_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, motion_log_t, motion_log_t) ++') ++ ++######################################## ++## ++## Manage motion log files ++## ++## ++## ++## Domain allowed access. 
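Review bot: The unit-file pattern `/usr/lib/systemd/system/motion.*` has an unescaped dot, so it also labels any unit whose name merely starts with `motion` as `motion_unit_file_t`. `/usr/lib/systemd/system/motion\.service --` (or `motion\..*` if more than one unit ships) is the precise form and matches the escaping already used for `motion\.log` and `motion\.pid` two lines below.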
++## ++## ++# ++interface(`motion_manage_log',` ++ gen_require(` ++ type motion_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, motion_log_t, motion_log_t) ++ manage_files_pattern($1, motion_log_t, motion_log_t) ++ manage_lnk_files_pattern($1, motion_log_t, motion_log_t) ++') ++ ++######################################## ++## ++## Manage motion pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`motion_manage_pid',` ++ gen_require(` ++ type motion_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t) ++ manage_files_pattern($1, motion_var_run_t, motion_var_run_t) ++') ++ ++######################################## ++## ++## Manage motion data files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`motion_manage_data',` ++ gen_require(` ++ type motion_data_t; ++ ') ++ ++ manage_dirs_pattern($1, motion_data_t, motion_data_t) ++ manage_files_pattern($1, motion_data_t, motion_data_t) ++') ++ ++######################################## ++## ++## Execute motion server in the motion domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`motion_systemctl',` ++ gen_require(` ++ type motion_t; ++ type motion_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 motion_unit_file_t:file read_file_perms; ++ allow $1 motion_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, motion_t) ++') ++ ++######################################## ++## ++## Manage all motion files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`motion_manage_all_files',` ++ ++ motion_manage_log($1) ++ motion_manage_pid($1) ++ motion_manage_data($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an motion environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`motion_admin',` ++ gen_require(` ++ type motion_t; ++ type motion_log_t; ++ type motion_unit_file_t; ++ ') ++ ++ allow $1 motion_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, motion_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, motion_log_t) ++ ++ motion_systemctl($1) ++ admin_pattern($1, motion_unit_file_t) ++ allow $1 motion_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/motion.te b/motion.te +new file mode 100644 +index 0000000..b694afc +--- /dev/null ++++ b/motion.te +@@ -0,0 +1,64 @@ ++policy_module(motion, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type motion_t; ++type motion_exec_t; ++init_daemon_domain(motion_t, motion_exec_t) ++ ++type motion_log_t; ++logging_log_file(motion_log_t) ++ ++type motion_unit_file_t; ++systemd_unit_file(motion_unit_file_t) ++ ++type motion_var_run_t; ++files_pid_file(motion_var_run_t) ++ ++type motion_data_t; ++files_type(motion_data_t) ++ ++######################################## ++# ++# motion local policy ++# ++allow motion_t self:udp_socket { create connect getattr }; ++allow motion_t self:tcp_socket { bind create setopt listen }; ++allow motion_t self:netlink_route_socket r_netlink_socket_perms; ++ ++manage_dirs_pattern(motion_t, motion_log_t, motion_log_t) ++manage_files_pattern(motion_t, motion_log_t, motion_log_t) ++logging_log_filetrans(motion_t, motion_log_t, { dir file }) ++ ++manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t) ++manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t) ++files_pid_filetrans(motion_t, motion_var_run_t, { dir file }) ++ ++manage_dirs_pattern(motion_t, motion_data_t, motion_data_t) ++manage_files_pattern(motion_t, motion_data_t, motion_data_t) ++files_var_filetrans(motion_t, motion_data_t, { dir file }) ++ ++corenet_tcp_bind_http_cache_port(motion_t) 
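Review bot: `motion_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `motion_admin` in the same file (and `modemmanager_systemctl` elsewhere in this patch) call `systemd_read_fifo_file_passwd_run($1)`; the two spellings cannot both be defined interfaces, so one of these lines will fail at module build. Assuming `passwd_run` is the real one, the `motion_systemctl` line should become `systemd_read_fifo_file_passwd_run($1)`. Two documentation points as well: the summary of `motion_domtrans` still reads `Execute TEMPLATE in the motion domain.` and should say `Execute motion in the motion domain.`, and `motion_admin` grants `ptrace` unconditionally where `mozilla_run_plugin` in this patch gates it behind the `deny_ptrace` tunable, which is worth either matching or justifying in a comment.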
++corenet_tcp_bind_transproxy_port(motion_t) ++corenet_tcp_connect_http_port(motion_t) ++corenet_tcp_bind_generic_node(motion_t) ++ ++dev_read_video_dev(motion_t) ++dev_write_video_dev(motion_t) ++ ++domain_use_interactive_fds(motion_t) ++ ++logging_send_syslog_msg(motion_t) ++ ++sysnet_read_config(motion_t) ++ ++userdom_home_manager(motion_t) ++ ++optional_policy(` ++ zoneminder_domtrans(motion_t) ++ zoneminder_manage_lib_files(motion_t) ++') ++ +diff --git a/mozilla.fc b/mozilla.fc +index 6ffaba2..a4d75bf 100644 +--- a/mozilla.fc ++++ b/mozilla.fc +@@ -1,38 +1,69 @@ +-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +- +-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +- +-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.galeon(/.*)? 
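Review bot: `userdom_home_manager(motion_t)` hands a system daemon full management of every user's home directory, far more than a motion-detection service should need by default; if it only has to write captured frames to a user-configured target directory, a boolean in the style of `mock_enable_homedirs` earlier in this patch (or a dedicated `motion_home_t` type) would keep the unconfigured case confined, and at minimum the line needs a why-comment naming the configuration that requires it. `allow motion_t self:tcp_socket { bind create setopt listen };` lacks `accept` and read/write, so the listener bound on the http_cache/transproxy ports cannot serve a connection unless those permissions come from elsewhere; `create_stream_socket_perms` is the usual idiom. `files_var_filetrans(motion_t, motion_data_t, { dir file })` is unnamed, so any directory motion_t creates directly under `/var` becomes `motion_data_t`; `files_var_filetrans(motion_t, motion_data_t, dir, "motion")` matches the `/var/motion(/.*)?` context declared in motion.fc.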
gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.IBMERS(/.*)? 
gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++# ++# /bin ++# ++/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + +-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) +-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ifdef(`distro_redhat',` ++/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++') ++ ++ifdef(`distro_debian',` ++/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++') ++ ++# ++# /lib ++# ++ ++/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ ++/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ ++/usr/lib/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) ++ ++ifdef(`distro_redhat',` ++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) ++') +diff --git a/mozilla.if b/mozilla.if +index 6194b80..ada96f0 100644 +--- a/mozilla.if ++++ b/mozilla.if +@@ -1,146 +1,75 @@ +-## Policy for Mozilla and related web browsers. ++## Policy for Mozilla and related web browsers + + ######################################## + ## +-## Role access for mozilla. ++## Role access for mozilla + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # + interface(`mozilla_role',` + gen_require(` + type mozilla_t, mozilla_exec_t, mozilla_home_t; +- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; +- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; + attribute_role mozilla_roles; + ') + +- ######################################## +- # +- # Declarations +- # +- + roleattribute $1 mozilla_roles; + +- ######################################## +- # +- # Policy +- # +- +- domtrans_pattern($2, mozilla_exec_t, mozilla_t) ++ domain_auto_trans($2, mozilla_exec_t, mozilla_t) ++ # Unrestricted inheritance from the caller. ++ allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; ++ allow mozilla_t $2:fd use; ++ allow mozilla_t $2:process { sigchld signull }; ++ allow mozilla_t $2:unix_stream_socket connectto; + +- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; ++ # Allow the user domain to signal/ps. 
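Review bot: `HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)` and `HOME_DIR/POkemon.*(/.*)? gen_context(...)` read like leftover test entries: the first relabels any regular file a user happens to name `abc` as browser data, and the second matches every top-level home entry starting with `POkemon`. Unless these correspond to a real application, both lines should be dropped before this lands; if they are deliberate, each needs a comment naming the software that creates the path, as the nearby `.juniper_networks` and `.ICAClient` entries at least do implicitly.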
+ ps_process_pattern($2, mozilla_t) +- +- allow mozilla_t $2:process signull; +- allow mozilla_t $2:unix_stream_socket connectto; ++ allow $2 mozilla_t:process signal_perms; + + allow $2 mozilla_t:fd use; +- allow $2 mozilla_t:shm rw_shm_perms; +- +- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) ++ allow $2 mozilla_t:shm { associate getattr }; ++ allow $2 mozilla_t:shm { unix_read unix_write }; ++ allow $2 mozilla_t:unix_stream_socket connectto; + +- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") ++ # X access, Home files ++ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) ++ manage_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + +- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") ++ #should be remove then with adding of roleattribute ++ mozilla_run_plugin(mozilla_t, $1) ++ mozilla_dbus_chat($2) + +- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { 
manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ++ userdom_manage_tmp_role($1, mozilla_t) + + optional_policy(` +- mozilla_dbus_chat($2) ++ nsplugin_role($1, mozilla_t) + ') +-') + +-######################################## +-## +-## Role access for mozilla plugin. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-interface(`mozilla_role_plugin',` +- gen_require(` +- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; +- type mozilla_home_t; ++ optional_policy(` ++ pulseaudio_role($1, mozilla_t) ++ pulseaudio_filetrans_admin_home_content(mozilla_t) ++ pulseaudio_filetrans_home_content(mozilla_t) + ') + +- mozilla_run_plugin($2, $1) +- mozilla_run_plugin_config($2, $1) +- +- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; +- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) +- +- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; +- allow $2 mozilla_plugin_t:fd use; +- +- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) +- +- allow mozilla_plugin_t $2:process signull; +- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; +- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; +- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; +- allow mozilla_plugin_t $2:sem create_sem_perms; +- +- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- 
userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") ++ mozilla_filetrans_home_content($2) + +- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- +- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; +- +- allow $2 mozilla_plugin_rw_t:dir list_dir_perms; +- allow $2 mozilla_plugin_rw_t:file read_file_perms; +- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +- can_exec($2, mozilla_plugin_rw_t) +- +- optional_policy(` +- mozilla_dbus_chat_plugin($2) +- ') + ') + + ######################################## + ## +-## Read mozilla home directory content. ++## Read mozilla home directory content + ## + ## + ## +@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',` + type mozilla_home_t; + ') + +- userdom_search_user_home_dirs($1) + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Write mozilla home directory files. 
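Review bot: The rewritten `mozilla_role` keeps `allow $2 mozilla_t:process { noatsecure siginh rlimitinh };` under the comment `Unrestricted inheritance from the caller.` without saying why; `noatsecure` in particular means the browser starts without the AT_SECURE protections (LD_PRELOAD and friends honoured) that a domain transition normally brings, which is exactly the kind of grant that needs a reason on record. I would expand the comment to `# Inherit signal state, rlimits and environment from the user shell; noatsecure needed because <reason> -- TODO confirm` or drop `noatsecure` if nobody can name the reason. The line `#should be remove then with adding of roleattribute` above `mozilla_run_plugin(mozilla_t, $1)` should also become an actionable note, e.g. `# TODO: remove once the plugin roleattribute covers this role`.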
++## Write mozilla home directory content + ## + ## + ## +@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',` + type mozilla_home_t; + ') + +- userdom_search_user_home_dirs($1) + write_files_pattern($1, mozilla_home_t, mozilla_home_t) ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write mozilla home directory files. ++## Dontaudit attempts to read/write mozilla home directory content + ## + ## + ## +@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',` + type mozilla_home_t; + ') + +- dontaudit $1 mozilla_home_t:file rw_file_perms; ++ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Do not audit attempt to Create, +-## read, write, and delete mozilla +-## home directory content. ++## Dontaudit attempts to write mozilla home directory content + ## + ## + ## +@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',` + + dontaudit $1 mozilla_home_t:dir manage_dir_perms; + dontaudit $1 mozilla_home_t:file manage_file_perms; +- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; + ') + + ######################################## + ## +-## Execute mozilla home directory files. (Deprecated) ++## Execute mozilla home directory content. + ## + ## + ## +@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',` + ## + # + interface(`mozilla_exec_user_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.') +- mozilla_exec_user_plugin_home_files($1) +-') +- +-######################################## +-## +-## Execute mozilla plugin home directory files. +-## +-## +-## +-## Domain allowed access. 
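Review bot: The body of `mozilla_dontaudit_manage_user_home_files` still dontaudits `manage_dir_perms` and `manage_file_perms` (create, rename, unlink as well as write), yet its summary, changed at the end of the preceding hunk, now reads `Dontaudit attempts to write mozilla home directory content`. The old wording, `Do not audit attempts to create, read, write, and delete mozilla home directory content.`, described the rules accurately and should be restored; if the intent really is only writes, the rules should narrow to `write_file_perms` instead.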
+-## +-## +-# +-interface(`mozilla_exec_user_plugin_home_files',` + gen_require(` +- type mozilla_home_t, mozilla_plugin_home_t; ++ type mozilla_home_t; + ') + +- userdom_search_user_home_dirs($1) +- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) ++ can_exec($1, mozilla_home_t) + ') + + ######################################## + ## +-## Mozilla home directory file +-## text relocation. (Deprecated) ++## Execmod mozilla home directory content. + ## + ## + ## +@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',` + ## + # + interface(`mozilla_execmod_user_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.') +- mozilla_execmod_user_plugin_home_files($1) ++ gen_require(` ++ type mozilla_home_t; ++ ') ++ ++ allow $1 mozilla_home_t:file execmod; + ') + + ######################################## + ## +-## Mozilla plugin home directory file +-## text relocation. ++## Run mozilla in the mozilla domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`mozilla_execmod_user_plugin_home_files',` ++interface(`mozilla_domtrans',` + gen_require(` +- type mozilla_plugin_home_t; ++ type mozilla_t, mozilla_exec_t; + ') + +- allow $1 mozilla_plugin_home_t:file execmod; ++ domtrans_pattern($1, mozilla_exec_t, mozilla_t) + ') + + ######################################## + ## +-## Run mozilla in the mozilla domain. ++## Execute a mozilla_exec_t in the specified domain. + ## + ## + ## + ## Domain allowed to transition. + ## + ## ++## ++## ++## The type of the new process. 
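Review bot: `mozilla_exec_user_plugin_home_files` is deleted outright rather than left as a deprecated stub, so any module that still calls it (the previous revision pointed callers at it from `mozilla_exec_user_home_files`) stops building; the same happens to `mozilla_execmod_user_plugin_home_files` in the next hunk. The pattern used elsewhere in this patch, `mojomojo_admin` keeping a `refpolicywarn` shim that forwards to the replacement, should be applied to both, forwarding to `mozilla_exec_user_home_files($1)` and `mozilla_execmod_user_home_files($1)` respectively. Note also that the new body `can_exec($1, mozilla_home_t)` dropped `userdom_search_user_home_dirs($1)`, so callers that do not already search home directories can no longer reach the files they are allowed to execute.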
++## ++## + # +-interface(`mozilla_domtrans',` ++interface(`mozilla_domtrans_spec',` + gen_require(` +- type mozilla_t, mozilla_exec_t; ++ type mozilla_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, mozilla_exec_t, mozilla_t) ++ domain_entry_file($2, mozilla_exec_t) ++ domtrans_pattern($1, mozilla_exec_t, $2) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run mozilla plugin. ++## Execute a domain transition to run mozilla_plugin. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # + interface(`mozilla_domtrans_plugin',` + gen_require(` + type mozilla_plugin_t, mozilla_plugin_exec_t; ++ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; ++ type mozilla_plugin_rw_t; ++ class dbus send_msg; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) ++ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) ++ allow mozilla_plugin_t $1:process signull; ++ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms; ++ dontaudit mozilla_plugin_t $1:process signal; ++ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; ++ allow $1 mozilla_plugin_t:fd use; ++ ++ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; ++ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; ++ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; ++ allow mozilla_plugin_t $1:sem create_sem_perms; ++ ++ ps_process_pattern($1, mozilla_plugin_t) ++ allow $1 mozilla_plugin_t:process signal_perms; ++ ++ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ can_exec($1, mozilla_plugin_rw_t) ++ ++ allow $1 mozilla_plugin_t:dbus send_msg; ++ allow mozilla_plugin_t $1:dbus send_msg; ++ ++ allow mozilla_plugin_t 
$1:process signull; + ') + + ######################################## + ## +-## Execute mozilla plugin in the +-## mozilla plugin domain, and allow +-## the specified role the mozilla +-## plugin domain. ++## Execute mozilla_plugin in the mozilla_plugin domain, and ++## allow the specified role the mozilla_plugin domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access + ## + ## + ## + ## +-## Role allowed access. ++## The role to be allowed the mozilla_plugin domain. + ## + ## + # + interface(`mozilla_run_plugin',` + gen_require(` +- attribute_role mozilla_plugin_roles; ++ type mozilla_plugin_t; ++ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; + ') + + mozilla_domtrans_plugin($1) + roleattribute $2 mozilla_plugin_roles; +-') ++ roleattribute $2 mozilla_plugin_config_roles; + +-######################################## +-## +-## Execute a domain transition to +-## run mozilla plugin config. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`mozilla_domtrans_plugin_config',` +- gen_require(` +- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mozilla_plugin_t:process ptrace; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) ++ optional_policy(` ++ lpd_run_lpr(mozilla_plugin_t, $2) ++ ') + ') + +-######################################## ++####################################### + ## +-## Execute mozilla plugin config in +-## the mozilla plugin config domain, +-## and allow the specified role the +-## mozilla plugin config domain. ++## Execute qemu unconfined programs in the role. + ## +-## +-## +-## Domain allowed to transition. +-## +-## + ## +-## +-## Role allowed access. +-## ++## ++## The role to allow the mozilla_plugin domain. 
++## + ## ++## + # +-interface(`mozilla_run_plugin_config',` +- gen_require(` +- attribute_role mozilla_plugin_config_roles; +- ') ++interface(`mozilla_role_plugin',` ++ gen_require(` ++ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; ++ ') + +- mozilla_domtrans_plugin_config($1) +- roleattribute $2 mozilla_plugin_config_roles; ++ roleattribute $1 mozilla_plugin_roles; ++ roleattribute $1 mozilla_plugin_config_roles; + ') + + ######################################## +@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',` + + ######################################## + ## +-## Send and receive messages from +-## mozilla plugin over dbus. ++## read/write mozilla per user tcp_socket + ## + ## + ## +@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',` + ## + ## + # +-interface(`mozilla_dbus_chat_plugin',` ++interface(`mozilla_rw_tcp_sockets',` + gen_require(` +- type mozilla_plugin_t; +- class dbus send_msg; ++ type mozilla_t; + ') + +- allow $1 mozilla_plugin_t:dbus send_msg; +- allow mozilla_plugin_t $1:dbus send_msg; ++ allow $1 mozilla_t:tcp_socket rw_socket_perms; + ') + +-######################################## ++####################################### + ## +-## Read and write mozilla TCP sockets. ++## Read mozilla_plugin tmpfs files + ## + ## +-## +-## Domain allowed access. 
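Review bot: `allow mozilla_plugin_t $1:process signull;` appears twice in the new mozilla_domtrans_plugin body, once directly after the two domtrans_pattern calls and again as the last rule before the closing `')`; the second copy is redundant and can be dropped. The interface summary still reads `Execute a domain transition to run mozilla_plugin.` although the body now also grants the caller and the plugin mutual unix_stream_socket, shm, sem, fd and dbus access plus `can_exec($1, mozilla_plugin_rw_t)`, so a summary sentence such as `## Also grants bidirectional IPC (sockets, shm, sem, dbus) between the caller and mozilla_plugin_t.` would tell callers what they are really pulling in. The summary of the new mozilla_role_plugin reads `Execute qemu unconfined programs in the role.`, which looks copied from another module; `Allow the specified role the mozilla_plugin and mozilla_plugin_config domains.` describes what the body does. In mozilla_run_plugin, `allow $1 mozilla_plugin_t:process ptrace;` is granted unless the deny_ptrace boolean is set (the empty true branch), which is easy to misread as the opposite; a comment like `# ptrace of the plugin is allowed unless deny_ptrace is on` would prevent that.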
+-## ++## ++## Domain allowed access ++## + ## + # +-interface(`mozilla_rw_tcp_sockets',` +- gen_require(` +- type mozilla_t; +- ') ++interface(`mozilla_plugin_read_tmpfs_files',` ++ gen_require(` ++ type mozilla_plugin_tmpfs_t; ++ ') + +- allow $1 mozilla_t:tcp_socket rw_socket_perms; ++ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Read/Write mozilla_plugin tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`mozilla_plugin_rw_tmpfs_files',` ++ gen_require(` ++ type mozilla_plugin_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## mozilla plugin rw files. ++## Delete mozilla_plugin tmpfs files + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access + ## + ## + # +-interface(`mozilla_manage_plugin_rw_files',` ++interface(`mozilla_plugin_delete_tmpfs_files',` + gen_require(` +- type mozilla_plugin_rw_t; ++ type mozilla_plugin_tmpfs_t; + ') + +- libs_search_lib($1) +- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; ++') ++ ++####################################### ++## ++## Dontaudit generict ipc read/write to a mozilla_plugin ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_dontaudit_rw_sem',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ allow $1 mozilla_plugin_t:sem { unix_read unix_write }; + ') + + ######################################## + ## +-## Read mozilla_plugin tmpfs files. ++## Dontaudit read/write to a mozilla_plugin leaks + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`mozilla_plugin_read_tmpfs_files',` ++interface(`mozilla_plugin_dontaudit_leaks',` + gen_require(` +- type mozilla_plugin_tmpfs_t; ++ type mozilla_plugin_t; + ') + +- fs_search_tmpfs($1) +- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; ++ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ++') ++ ++####################################### ++## ++## Dontaudit read/write to a mozilla_plugin tmp files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_dontaudit_rw_tmp_files',` ++ gen_require(` ++ type mozilla_plugin_tmp_t; ++ ') ++ ++ dontaudit $1 mozilla_plugin_tmp_t:file { read write }; + ') + + ######################################## + ## +-## Delete mozilla_plugin tmpfs files. ++## Create, read, write, and delete ++## mozilla_plugin rw files. + ## + ## + ## +@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` + ## + ## + # +-interface(`mozilla_plugin_delete_tmpfs_files',` ++interface(`mozilla_plugin_manage_rw_files',` + gen_require(` +- type mozilla_plugin_tmpfs_t; ++ type mozilla_plugin_rw_t; + ') + +- fs_search_tmpfs($1) +- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; ++ allow $1 mozilla_plugin_rw_t:file manage_file_perms; ++ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic mozilla plugin home content. ++## read mozilla_plugin rw files. 
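Review bot: mozilla_plugin_dontaudit_rw_sem is named and documented as a dontaudit interface (`Dontaudit generict ipc read/write to a mozilla_plugin`, parameter `Domain to not audit.`), but its body is `allow $1 mozilla_plugin_t:sem { unix_read unix_write };`, which grants the access instead of silencing the denial. A caller adding it to quiet AVC noise would unknowingly gain semaphore access to the plugin domain; the rule should be `dontaudit $1 mozilla_plugin_t:sem { unix_read unix_write };`, or the interface renamed to mozilla_plugin_rw_sem with its summary corrected. The summary typo `generict` should be `generic`. Separately, the rewritten mozilla_plugin_read_tmpfs_files and mozilla_plugin_delete_tmpfs_files no longer call `fs_search_tmpfs($1)` as the replaced versions did, so callers presumably need tmpfs directory search from elsewhere — worth confirming.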
+ ## + ## + ## +@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',` + ## + ## + # +-interface(`mozilla_manage_generic_plugin_home_content',` ++interface(`mozilla_plugin_read_rw_files',` + gen_require(` +- type mozilla_plugin_home_t; ++ type mozilla_plugin_rw_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 mozilla_plugin_home_t:dir manage_dir_perms; +- allow $1 mozilla_plugin_home_t:file manage_file_perms; +- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; +- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; +- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; ++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic mozilla +-## plugin home type. ++## Create mozilla content in the user home directory ++## with an correct label. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
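Review bot: mozilla_plugin_manage_rw_files spells out `allow $1 mozilla_plugin_rw_t:file manage_file_perms;` and `allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;` while the neighbouring mozilla_plugin_read_rw_files uses `read_files_pattern(...)`; `manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)` expresses the same two rules in the file's pattern style. The replaced version also called `libs_search_lib($1)`, which the new body drops; if mozilla_plugin_rw_t content lives under a lib directory, callers will need that search access from elsewhere, so a comment recording why it was dropped would help.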
+-## +-## + # +-interface(`mozilla_home_filetrans_plugin_home',` ++interface(`mozilla_filetrans_home_content',` ++ + gen_require(` +- type mozilla_plugin_home_t; ++ type mozilla_home_t; + ') + +- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS") ++ userdom_user_home_dir_filetrans($1, 
mozilla_home_t, file, ".gnashpluginrc")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
++ optional_policy(`
++ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
++ ')
+ ')
++
+diff --git a/mozilla.te b/mozilla.te
+index 6a306ee..b236449 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -1,4 +1,4 @@
+-policy_module(mozilla, 2.7.4)
++policy_module(mozilla, 2.6.0)
+ 
+ ########################################
+ #
+@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
+ #
+ 
+ ##
+-##
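Review bot: `userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")` in mozilla_filetrans_home_content labels any new file named `abc` in a user's home directory as mozilla_home_t, which looks like a leftover test entry among the otherwise dotted browser/plugin directory names; it should be removed or given a comment naming the real file it targets. Because mozilla_home_t is the type the browser and plugin domains can manage and, per the mozilla.te hunks later on this page, execute, every name in this list widens what those domains control, so the non-browser entries (`.texlive2012`, `.texlive2013`, `.lyx`, `.IBMERS`, `.juniper_networks`, `.webex`, `zimbrauserdata`) each deserve a one-line why-comment. There is also a stray blank line right after `interface(`mozilla_filetrans_home_content',`` and a trailing added empty line after the final `')`.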

    +-## Determine whether mozilla can +-## make its stack executable. +-##

    ++##

    ++## Allow mozilla plugin domain to connect to the network using TCP. ++##

    + ##
    +-gen_tunable(mozilla_execstack, false) ++gen_tunable(mozilla_plugin_can_network_connect, false) ++ ++## ++##

    ++## Allow mozilla plugin to support spice protocols. ++##

    ++##
    ++gen_tunable(mozilla_plugin_use_spice, false) ++ ++## ++##

    ++## Allow mozilla plugin to support GPS. ++##

    ++##
    ++gen_tunable(mozilla_plugin_use_gps, false) ++ ++## ++##

    ++## Allow confined web browsers to read home directory content ++##

    ++##
++##
++##
++gen_tunable(mozilla_read_content, false)
+ 
+ attribute_role mozilla_roles;
+ attribute_role mozilla_plugin_roles;
+ attribute_role mozilla_plugin_config_roles;
+ 
++roleattribute system_r mozilla_roles;
++roleattribute system_r mozilla_plugin_roles;
++roleattribute system_r mozilla_plugin_config_roles;
++
+ type mozilla_t;
+ type mozilla_exec_t;
+ typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+ userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+ role mozilla_roles types mozilla_t;
+ 
++type mozilla_conf_t;
++files_config_file(mozilla_conf_t)
++
+ type mozilla_home_t;
+ typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+ typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
+ 
+ type mozilla_plugin_t;
+ type mozilla_plugin_exec_t;
+-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
++application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+ role mozilla_plugin_roles types mozilla_plugin_t;
+ 
+-type mozilla_plugin_home_t;
+-userdom_user_home_content(mozilla_plugin_home_t)
+-
+ type mozilla_plugin_tmp_t;
++userdom_user_tmp_content(mozilla_plugin_tmp_t)
+ userdom_user_tmp_file(mozilla_plugin_tmp_t)
+ 
+ type mozilla_plugin_tmpfs_t;
++userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
+ userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+ 
+-optional_policy(`
+- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
+-')
+-
+ type mozilla_plugin_rw_t;
+ files_type(mozilla_plugin_rw_t)
+ 
+ type mozilla_plugin_config_t;
+ type mozilla_plugin_config_exec_t;
+-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
++application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
++role mozilla_roles types mozilla_plugin_config_t;
+ role 
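Review bot: The three new `roleattribute system_r mozilla_roles;`, `roleattribute system_r mozilla_plugin_roles;` and `roleattribute system_r mozilla_plugin_config_roles;` lines carry no comment, yet together with `role mozilla_roles types mozilla_t;` in the following context they authorise the system_r role for the browser and plugin domains, widening which callers may run them; the hunk gives no rationale. A why-comment such as `# system_r is authorised for the mozilla domains because <REASON — fill in>` would tell the next maintainer whether this is deliberate. The removed mozilla_execstack tunable is replaced later on this page by the global selinuxuser_execstack boolean; a note here would help administrators who had set the old boolean.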
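Review bot: `type mozilla_conf_t;` and `files_config_file(mozilla_conf_t)` are added without saying what the type labels; the `# Mozpluggerrc` comment in a later hunk suggests mozplugger configuration, but that is an inference. A one-line comment on the declaration, e.g. `# mozilla_conf_t: browser/plugin configuration read by mozilla_t (e.g. mozpluggerrc)`, would make the type's purpose visible where it is declared.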
mozilla_plugin_config_roles types mozilla_plugin_config_t; + + type mozilla_tmp_t; +@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys + typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; + userdom_user_tmpfs_file(mozilla_tmpfs_t) + +-optional_policy(` +- pulseaudio_tmpfs_content(mozilla_tmpfs_t) +-') +- + ######################################## + # + # Local policy +@@ -75,27 +94,30 @@ optional_policy(` + allow mozilla_t self:capability { sys_nice setgid setuid }; + allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; + allow mozilla_t self:fifo_file rw_fifo_file_perms; +-allow mozilla_t self:shm create_shm_perms; ++allow mozilla_t self:shm { unix_read unix_write read write destroy create }; + allow mozilla_t self:sem create_sem_perms; + allow mozilla_t self:socket create_socket_perms; +-allow mozilla_t self:unix_stream_socket { accept listen }; ++allow mozilla_t self:unix_stream_socket { listen accept }; ++# Browse the web, connect to printer ++allow mozilla_t self:tcp_socket create_socket_perms; ++allow mozilla_t self:netlink_route_socket r_netlink_socket_perms; + +-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; +-allow mozilla_t mozilla_plugin_t:fd use; ++# for bash - old mozilla binary ++can_exec(mozilla_t, mozilla_exec_t) + +-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; +-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms; +-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix") ++# X access, Home files ++manage_dirs_pattern(mozilla_t, mozilla_home_t, 
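Review bot: mozilla_plugin_t and mozilla_plugin_config_t switch from `userdom_user_application_domain(...)` to `application_domain(...)`, which drops whatever user-domain attributes the userdom template applied; the consequences depend on the template bodies, which are not in this patch, so a comment stating the intent (`# plugin domains are deliberately not user application domains: <REASON — fill in>`) would help. The added `role mozilla_roles types mozilla_plugin_config_t;` sits next to the retained `role mozilla_plugin_config_roles types mozilla_plugin_config_t;`, so the config domain is now authorised through two role attributes; if the intent is that every browser role may run the config helper, say so in a comment, otherwise one of the two lines is redundant.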
mozilla_home_t) ++manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) ++userdom_search_user_home_dirs(mozilla_t) + +-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") ++# Mozpluggerrc ++allow mozilla_t mozilla_conf_t:file read_file_perms; + + manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) + manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) +-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) ++# mozilla will manage user_tmp_t, so it will transition to it. ++#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) + + manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) + +-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms; +-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) +- +-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) +- + kernel_read_kernel_sysctls(mozilla_t) + kernel_read_network_state(mozilla_t) ++# Access /proc, sysctl + kernel_read_system_state(mozilla_t) + kernel_read_net_sysctls(mozilla_t) + ++# Look for plugins + corecmd_list_bin(mozilla_t) ++# for bash - old mozilla binary + corecmd_exec_shell(mozilla_t) + corecmd_exec_bin(mozilla_t) + +-corenet_all_recvfrom_unlabeled(mozilla_t) ++# Browse the web, connect to printer + corenet_all_recvfrom_netlabel(mozilla_t) + corenet_tcp_sendrecv_generic_if(mozilla_t) ++corenet_raw_sendrecv_generic_if(mozilla_t) 
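Review bot: The commented-out `#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })` should be deleted rather than left as dead policy; the comment above it (`# mozilla will manage user_tmp_t, so it will transition to it.`) already records the decision. With the transition gone, the retained `manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)` and `manage_dirs_pattern(...)` lines only matter if something else still labels content mozilla_tmp_t, which is not visible here — either drop them too or note what creates mozilla_tmp_t content. The expanded `allow mozilla_t self:shm { unix_read unix_write read write destroy create };` replaces the `create_shm_perms` macro with an explicit list; a word on why the macro was not sufficient would stop a future maintainer folding it back.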
+ corenet_tcp_sendrecv_generic_node(mozilla_t) +- +-corenet_sendrecv_http_client_packets(mozilla_t) +-corenet_tcp_connect_http_port(mozilla_t) ++corenet_raw_sendrecv_generic_node(mozilla_t) + corenet_tcp_sendrecv_http_port(mozilla_t) +- +-corenet_sendrecv_http_cache_client_packets(mozilla_t) +-corenet_tcp_connect_http_cache_port(mozilla_t) + corenet_tcp_sendrecv_http_cache_port(mozilla_t) +- +-corenet_sendrecv_squid_client_packets(mozilla_t) +-corenet_tcp_connect_squid_port(mozilla_t) + corenet_tcp_sendrecv_squid_port(mozilla_t) +- +-corenet_sendrecv_ftp_client_packets(mozilla_t) +-corenet_tcp_connect_ftp_port(mozilla_t) + corenet_tcp_sendrecv_ftp_port(mozilla_t) +- +-corenet_sendrecv_ipp_client_packets(mozilla_t) +-corenet_tcp_connect_ipp_port(mozilla_t) ++corenet_tcp_connect_all_ephemeral_ports(mozilla_t) + corenet_tcp_sendrecv_ipp_port(mozilla_t) +- +-corenet_sendrecv_soundd_client_packets(mozilla_t) ++corenet_tcp_connect_http_port(mozilla_t) ++corenet_tcp_connect_http_cache_port(mozilla_t) ++corenet_tcp_connect_squid_port(mozilla_t) ++corenet_tcp_connect_ftp_port(mozilla_t) ++corenet_tcp_connect_ipp_port(mozilla_t) ++corenet_tcp_connect_generic_port(mozilla_t) + corenet_tcp_connect_soundd_port(mozilla_t) +-corenet_tcp_sendrecv_soundd_port(mozilla_t) +- +-corenet_sendrecv_speech_client_packets(mozilla_t) ++corenet_sendrecv_http_client_packets(mozilla_t) ++corenet_sendrecv_http_cache_client_packets(mozilla_t) ++corenet_sendrecv_squid_client_packets(mozilla_t) ++corenet_sendrecv_ftp_client_packets(mozilla_t) ++corenet_sendrecv_ipp_client_packets(mozilla_t) ++corenet_sendrecv_generic_client_packets(mozilla_t) ++# Should not need other ports ++corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) ++corenet_dontaudit_tcp_bind_generic_port(mozilla_t) + corenet_tcp_connect_speech_port(mozilla_t) +-corenet_tcp_sendrecv_speech_port(mozilla_t) + +-dev_getattr_sysfs_dirs(mozilla_t) +-dev_read_sound(mozilla_t) +-dev_read_rand(mozilla_t) + dev_read_urand(mozilla_t) 
+-dev_rw_dri(mozilla_t) ++dev_read_rand(mozilla_t) + dev_write_sound(mozilla_t) ++dev_read_sound(mozilla_t) ++dev_dontaudit_rw_dri(mozilla_t) ++dev_getattr_sysfs_dirs(mozilla_t) + + domain_dontaudit_read_all_domains_state(mozilla_t) + + files_read_etc_runtime_files(mozilla_t) +-files_read_usr_files(mozilla_t) +-files_read_var_files(mozilla_t) ++# /var/lib + files_read_var_lib_files(mozilla_t) ++# interacting with gstreamer ++files_read_var_files(mozilla_t) + files_read_var_symlinks(mozilla_t) + files_dontaudit_getattr_boot_dirs(mozilla_t) + +-fs_getattr_all_fs(mozilla_t) ++fs_dontaudit_getattr_all_fs(mozilla_t) + fs_search_auto_mountpoints(mozilla_t) + fs_list_inotifyfs(mozilla_t) +-fs_rw_tmpfs_files(mozilla_t) ++fs_rw_inherited_tmpfs_files(mozilla_t) + + term_dontaudit_getattr_pty_dirs(mozilla_t) + +@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t) + logging_send_syslog_msg(mozilla_t) + + miscfiles_read_fonts(mozilla_t) +-miscfiles_read_localization(mozilla_t) + miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) + +-userdom_use_user_ptys(mozilla_t) +- +-userdom_manage_user_tmp_dirs(mozilla_t) +-userdom_manage_user_tmp_files(mozilla_t) +- +-userdom_manage_user_home_content_dirs(mozilla_t) +-userdom_manage_user_home_content_files(mozilla_t) +-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) ++userdom_use_inherited_user_ptys(mozilla_t) + +-userdom_write_user_tmp_sockets(mozilla_t) +- +-mozilla_run_plugin(mozilla_t, mozilla_roles) +-mozilla_run_plugin_config(mozilla_t, mozilla_roles) ++#mozilla_run_plugin(mozilla_t, mozilla_roles) + + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) + xserver_dontaudit_read_xdm_tmp_files(mozilla_t) + xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) + +-ifndef(`enable_mls',` +- fs_list_dos(mozilla_t) +- fs_read_dos_files(mozilla_t) +- +- fs_search_removable(mozilla_t) +- fs_read_removable_files(mozilla_t) +- fs_read_removable_symlinks(mozilla_t) +- +- fs_read_iso9660_files(mozilla_t) 
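Review bot: `# Should not need other ports` is contradicted by `corenet_tcp_connect_generic_port(mozilla_t)` and `corenet_sendrecv_generic_client_packets(mozilla_t)` added a few rules above it, which allow the browser to connect to ports of the generic port type; the comment only describes the two dontaudit rules beneath it. Either the generic-port connect grant is intended, in which case the comment should read something like `# Generic ports may be connected to; only bind/sendrecv on them is silenced`, or the connect line should go. The removal of `corenet_all_recvfrom_unlabeled(mozilla_t)` while `corenet_all_recvfrom_netlabel(mozilla_t)` stays is also unexplained and deserves a one-line comment.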
++tunable_policy(`selinuxuser_execstack',` ++ allow mozilla_t self:process execstack; + ') + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow mozilla_t self:process execmem; + ') + +-tunable_policy(`mozilla_execstack',` +- allow mozilla_t self:process { execmem execstack }; +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_t) +- fs_manage_nfs_files(mozilla_t) +- fs_manage_nfs_symlinks(mozilla_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_t) +- fs_manage_cifs_files(mozilla_t) +- fs_manage_cifs_symlinks(mozilla_t) ++userdom_home_manager(mozilla_t) ++ ++# Uploads, local html ++tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(mozilla_t) ++ files_list_home(mozilla_t) ++ fs_read_nfs_files(mozilla_t) ++ fs_read_nfs_symlinks(mozilla_t) ++ ++',` ++ files_dontaudit_list_home(mozilla_t) ++ fs_dontaudit_list_auto_mountpoints(mozilla_t) ++ fs_dontaudit_read_nfs_files(mozilla_t) ++ fs_dontaudit_list_nfs(mozilla_t) ++') ++ ++tunable_policy(`mozilla_read_content && use_samba_home_dirs',` ++ fs_list_auto_mountpoints(mozilla_t) ++ files_list_home(mozilla_t) ++ fs_read_cifs_files(mozilla_t) ++ fs_read_cifs_symlinks(mozilla_t) ++',` ++ files_dontaudit_list_home(mozilla_t) ++ fs_dontaudit_list_auto_mountpoints(mozilla_t) ++ fs_dontaudit_read_cifs_files(mozilla_t) ++ fs_dontaudit_list_cifs(mozilla_t) ++') ++ ++tunable_policy(`mozilla_read_content',` ++ userdom_list_user_tmp(mozilla_t) ++ userdom_read_user_tmp_files(mozilla_t) ++ userdom_read_user_tmp_symlinks(mozilla_t) ++ userdom_read_user_home_content_files(mozilla_t) ++ userdom_read_user_home_content_symlinks(mozilla_t) ++ ++ ifndef(`enable_mls',` ++ fs_search_removable(mozilla_t) ++ fs_read_removable_files(mozilla_t) ++ fs_read_removable_symlinks(mozilla_t) ++ ') ++',` ++ files_dontaudit_list_tmp(mozilla_t) ++ files_dontaudit_list_home(mozilla_t) ++ fs_dontaudit_list_removable(mozilla_t) ++ 
fs_dontaudit_read_removable_files(mozilla_t) ++ userdom_dontaudit_list_user_tmp(mozilla_t) ++ userdom_dontaudit_read_user_tmp_files(mozilla_t) ++ userdom_dontaudit_list_user_home_dirs(mozilla_t) ++ userdom_dontaudit_read_user_home_content_files(mozilla_t) + ') + + optional_policy(` +@@ -244,19 +276,12 @@ optional_policy(` + + optional_policy(` + cups_read_rw_config(mozilla_t) ++ cups_dbus_chat(mozilla_t) + ') + + optional_policy(` +- dbus_all_session_bus_client(mozilla_t) + dbus_system_bus_client(mozilla_t) +- +- optional_policy(` +- cups_dbus_chat(mozilla_t) +- ') +- +- optional_policy(` +- mozilla_dbus_chat_plugin(mozilla_t) +- ') ++ dbus_session_bus_client(mozilla_t) + + optional_policy(` + networkmanager_dbus_chat(mozilla_t) +@@ -265,33 +290,32 @@ optional_policy(` + + optional_policy(` + gnome_stream_connect_gconf(mozilla_t) +- gnome_manage_generic_gconf_home_content(mozilla_t) +- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf") +- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd") +- gnome_manage_generic_home_content(mozilla_t) +- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome") +- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2") +- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") ++ gnome_manage_config(mozilla_t) ++ gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ java_domtrans(mozilla_t) + ') + + optional_policy(` +- java_exec(mozilla_t) +- java_manage_generic_home_content(mozilla_t) +- java_home_filetrans_java_home(mozilla_t, dir, ".java") ++ lpd_domtrans_lpr(mozilla_t) + ') + + optional_policy(` +- lpd_run_lpr(mozilla_t, mozilla_roles) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) + ') + + optional_policy(` +- mplayer_exec(mozilla_t) +- mplayer_manage_generic_home_content(mozilla_t) +- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") ++ nscd_socket_use(mozilla_t) + ') + + optional_policy(` +- pulseaudio_run(mozilla_t, mozilla_roles) ++ 
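Review bot: `userdom_home_manager(mozilla_t)` is added unconditionally just above the new `mozilla_read_content` tunable blocks; if that interface grants home-content management (its body is not in the patch), the read/dontaudit split beneath it would no longer restrict what the browser can read in home directories — worth confirming and recording in a comment on the line. `#mozilla_run_plugin(mozilla_t, mozilla_roles)` is a commented-out rule and should be removed or explained, since the mozilla_t to mozilla_plugin_t transition it used to set up is not visibly replaced in this hunk. The execmem grant now lives in `tunable_policy(`deny_execmem`,`',`...')`, i.e. it is on unless the global deny_execmem boolean is set; a short comment would make the inverted sense clear to readers used to the old allow_execmem and mozilla_execstack booleans.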
#pulseaudio_role(mozilla_roles, mozilla_t) ++ pulseaudio_exec(mozilla_t) ++ pulseaudio_stream_connect(mozilla_t) ++ pulseaudio_manage_home_files(mozilla_t) + ') + + optional_policy(` +@@ -300,259 +324,236 @@ optional_policy(` + + ######################################## + # +-# Plugin local policy ++# mozilla_plugin local policy + # + +-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; +-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; +-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; ++dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; ++dontaudit mozilla_plugin_t self:capability2 block_suspend; ++ ++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; ++allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow mozilla_plugin_t self:netlink_socket create_socket_perms; ++allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; ++allow mozilla_plugin_t self:udp_socket create_socket_perms; + allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; ++ + allow mozilla_plugin_t self:sem create_sem_perms; + allow mozilla_plugin_t self:shm create_shm_perms; +-allow mozilla_plugin_t self:tcp_socket { accept listen }; +-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; +- +-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; +-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; +-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; +-allow mozilla_plugin_t mozilla_t:sem create_sem_perms; +- +-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) +-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) 
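Review bot: `lpd_domtrans_lpr(mozilla_t)`, `java_domtrans(mozilla_t)` and `mplayer_domtrans(mozilla_t)` replace `_run_`/`_exec_` forms that took `mozilla_roles`; the domtrans variants set up the type transition but not the role authorization, so unless mozilla_roles is granted the target types elsewhere (role attributes in userdom, for example) the transition is denied at exec time — confirm that before dropping the role argument. The line `#pulseaudio_role(mozilla_roles, mozilla_t)` is commented-out policy with no explanation; either remove it or replace it with a comment stating why the role interface is not used here. The enclosing optional_policy blocks start and end inside the hunk.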
+-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +- +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix") +- +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata") +- +-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") ++allow mozilla_plugin_t self:msgq create_msgq_perms; ++allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; ++allow mozilla_plugin_t self:unix_dgram_socket sendto; ++allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++can_exec(mozilla_plugin_t, mozilla_home_t) ++manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + + manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, 
mozilla_plugin_tmp_t) + manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) + manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) +-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) ++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) ++can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) + + manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) ++userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) + + allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) ++read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, 
mozilla_plugin_rw_t) ++read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + +-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) ++can_exec(mozilla_plugin_t, mozilla_exec_t) + + kernel_read_all_sysctls(mozilla_plugin_t) + kernel_read_system_state(mozilla_plugin_t) + kernel_read_network_state(mozilla_plugin_t) + kernel_request_load_module(mozilla_plugin_t) + kernel_dontaudit_getattr_core_if(mozilla_plugin_t) ++files_dontaudit_read_root_files(mozilla_plugin_t) + + corecmd_exec_bin(mozilla_plugin_t) + corecmd_exec_shell(mozilla_plugin_t) ++corecmd_dontaudit_access_all_executables(mozilla_plugin_t) ++corecmd_getattr_all_executables(mozilla_plugin_t) + +-corenet_all_recvfrom_netlabel(mozilla_plugin_t) +-corenet_all_recvfrom_unlabeled(mozilla_plugin_t) +-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) +-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) +- +-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) ++corenet_tcp_bind_generic_node(mozilla_plugin_t) ++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) ++corenet_tcp_connect_aol_port(mozilla_plugin_t) + corenet_tcp_connect_asterisk_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) +- +-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t) ++corenet_tcp_connect_couchdb_port(mozilla_plugin_t) ++corenet_tcp_connect_flash_port(mozilla_plugin_t) + corenet_tcp_connect_ftp_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t) +- +-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t) + corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t) +- +-corenet_sendrecv_http_client_packets(mozilla_plugin_t) +-corenet_tcp_connect_http_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_http_port(mozilla_plugin_t) +- +-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t) 
++corenet_tcp_connect_generic_port(mozilla_plugin_t) + corenet_tcp_connect_http_cache_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t) +- +-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_http_port(mozilla_plugin_t) + corenet_tcp_connect_ipp_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t) +- +-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t) + corenet_tcp_connect_ircd_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t) +- +-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t) + corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t) +- +-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_jboss_management_port(mozilla_plugin_t) + corenet_tcp_connect_mmcc_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t) +- +-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) + corenet_tcp_connect_monopd_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) +- +-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_msnp_port(mozilla_plugin_t) ++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t) ++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) ++corenet_tcp_connect_rtsp_port(mozilla_plugin_t) + corenet_tcp_connect_soundd_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) +- +-corenet_sendrecv_speech_client_packets(mozilla_plugin_t) + corenet_tcp_connect_speech_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t) +- +-corenet_sendrecv_squid_client_packets(mozilla_plugin_t) + corenet_tcp_connect_squid_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t) +- +-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_tor_port(mozilla_plugin_t) 
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t) + corenet_tcp_connect_vnc_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) ++corenet_tcp_connect_whois_port(mozilla_plugin_t) ++corenet_tcp_bind_generic_node(mozilla_plugin_t) ++corenet_udp_bind_generic_node(mozilla_plugin_t) ++corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t) ++corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) + +-dev_read_generic_usb_dev(mozilla_plugin_t) ++dev_dontaudit_append_rand(mozilla_plugin_t) + dev_read_rand(mozilla_plugin_t) +-dev_read_realtime_clock(mozilla_plugin_t) +-dev_read_sound(mozilla_plugin_t) +-dev_read_sysfs(mozilla_plugin_t) + dev_read_urand(mozilla_plugin_t) ++dev_read_generic_usb_dev(mozilla_plugin_t) + dev_read_video_dev(mozilla_plugin_t) +-dev_write_sound(mozilla_plugin_t) + dev_write_video_dev(mozilla_plugin_t) +-dev_rw_dri(mozilla_plugin_t) ++dev_read_realtime_clock(mozilla_plugin_t) ++dev_read_sysfs(mozilla_plugin_t) ++dev_read_sound(mozilla_plugin_t) ++dev_write_sound(mozilla_plugin_t) ++# for nvidia driver + dev_rw_xserver_misc(mozilla_plugin_t) ++dev_rwx_zero(mozilla_plugin_t) ++dev_dontaudit_read_mtrr(mozilla_plugin_t) ++xserver_dri_domain(mozilla_plugin_t) + +-dev_dontaudit_getattr_generic_files(mozilla_plugin_t) +-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) +-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) +-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) ++dev_dontaudit_getattr_all(mozilla_plugin_t) + + domain_use_interactive_fds(mozilla_plugin_t) + domain_dontaudit_read_all_domains_state(mozilla_plugin_t) + +-files_exec_usr_files(mozilla_plugin_t) +-files_list_mnt(mozilla_plugin_t) + files_read_config_files(mozilla_plugin_t) +-files_read_usr_files(mozilla_plugin_t) ++files_list_mnt(mozilla_plugin_t) ++files_exec_usr_files(mozilla_plugin_t) ++fs_rw_inherited_tmpfs_files(mozilla_plugin_t) ++files_dontaudit_all_access_check(mozilla_plugin_t) + + fs_getattr_all_fs(mozilla_plugin_t) +-# 
fs_read_hugetlbfs_files(mozilla_plugin_t) +-fs_search_auto_mountpoints(mozilla_plugin_t) +- +-term_getattr_all_ttys(mozilla_plugin_t) +-term_getattr_all_ptys(mozilla_plugin_t) ++fs_list_dos(mozilla_plugin_t) ++fs_read_noxattr_fs_files(mozilla_plugin_t) ++fs_read_hugetlbfs_files(mozilla_plugin_t) ++fs_exec_hugetlbfs_files(mozilla_plugin_t) + + application_exec(mozilla_plugin_t) ++application_dontaudit_signull(mozilla_plugin_t) + + auth_use_nsswitch(mozilla_plugin_t) + ++init_dontaudit_getattr_initctl(mozilla_plugin_t) ++init_read_all_script_files(mozilla_plugin_t) ++ + libs_exec_ld_so(mozilla_plugin_t) + libs_exec_lib_files(mozilla_plugin_t) ++libs_legacy_use_shared_libs(mozilla_plugin_t) + + logging_send_syslog_msg(mozilla_plugin_t) + +-miscfiles_read_localization(mozilla_plugin_t) + miscfiles_read_fonts(mozilla_plugin_t) + miscfiles_read_generic_certs(mozilla_plugin_t) ++miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t) + miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) + miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) + +-userdom_manage_user_tmp_dirs(mozilla_plugin_t) +-userdom_manage_user_tmp_files(mozilla_plugin_t) +- +-userdom_manage_user_home_content_dirs(mozilla_plugin_t) +-userdom_manage_user_home_content_files(mozilla_plugin_t) +-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) ++systemd_read_logind_sessions_files(mozilla_plugin_t) + +-userdom_write_user_tmp_sockets(mozilla_plugin_t) ++term_getattr_all_ttys(mozilla_plugin_t) ++term_getattr_all_ptys(mozilla_plugin_t) ++term_getattr_ptmx(mozilla_plugin_t) ++term_dontaudit_use_ptmx(mozilla_plugin_t) + ++userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) ++userdom_rw_user_tmpfs_files(mozilla_plugin_t) ++userdom_delete_user_tmpfs_files(mozilla_plugin_t) + userdom_dontaudit_use_user_terminals(mozilla_plugin_t) ++userdom_manage_user_tmp_sockets(mozilla_plugin_t) ++userdom_manage_user_tmp_dirs(mozilla_plugin_t) 
++userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) ++userdom_delete_user_tmp_files(mozilla_plugin_t) ++userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t) ++userdom_manage_home_certs(mozilla_plugin_t) ++userdom_read_user_tmp_symlinks(mozilla_plugin_t) ++userdom_stream_connect(mozilla_plugin_t) ++userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) + +-ifndef(`enable_mls',` +- fs_list_dos(mozilla_plugin_t) +- fs_read_dos_files(mozilla_plugin_t) +- +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) ++userdom_read_user_home_content_files(mozilla_plugin_t) ++userdom_read_user_home_content_symlinks(mozilla_plugin_t) ++userdom_read_home_certs(mozilla_plugin_t) ++userdom_read_home_audio_files(mozilla_plugin_t) ++userdom_exec_user_tmp_files(mozilla_plugin_t) + +- fs_read_iso9660_files(mozilla_plugin_t) +-') +- +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_t self:process execmem; +-') ++userdom_home_manager(mozilla_plugin_t) + +-tunable_policy(`mozilla_execstack',` +- allow mozilla_plugin_t self:process { execmem execstack }; ++tunable_policy(`mozilla_plugin_can_network_connect',` ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_t) +- fs_manage_nfs_files(mozilla_plugin_t) +- fs_manage_nfs_symlinks(mozilla_plugin_t) ++optional_policy(` ++ alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_home_files(mozilla_plugin_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_t) +- fs_manage_cifs_files(mozilla_plugin_t) +- fs_manage_cifs_symlinks(mozilla_plugin_t) ++optional_policy(` ++ apache_list_modules(mozilla_plugin_t) + ') + + optional_policy(` +- alsa_read_rw_config(mozilla_plugin_t) +- alsa_read_home_files(mozilla_plugin_t) ++ cups_stream_connect(mozilla_plugin_t) + ') + + optional_policy(` +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) ++ 
dbus_system_bus_client(mozilla_plugin_t) ++ dbus_session_bus_client(mozilla_plugin_t) ++ dbus_connect_session_bus(mozilla_plugin_t) ++ dbus_read_lib_files(mozilla_plugin_t) + ') + + optional_policy(` +- dbus_all_session_bus_client(mozilla_plugin_t) +- dbus_connect_all_session_bus(mozilla_plugin_t) +- dbus_system_bus_client(mozilla_plugin_t) ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) + ') + + optional_policy(` +- gnome_manage_generic_home_content(mozilla_plugin_t) +- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") +- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") +- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) + ') + + optional_policy(` + java_exec(mozilla_plugin_t) +- java_manage_generic_home_content(mozilla_plugin_t) +- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") + ') + + optional_policy(` +- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_manage_generic_home_content(mozilla_plugin_t) ++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") + ') + + optional_policy(` +- mplayer_exec(mozilla_plugin_t) +- mplayer_manage_generic_home_content(mozilla_plugin_t) +- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ++ pulseaudio_exec(mozilla_plugin_t) ++ pulseaudio_stream_connect(mozilla_plugin_t) ++ pulseaudio_setattr_home_dir(mozilla_plugin_t) ++ pulseaudio_manage_home_dirs(mozilla_plugin_t) ++ pulseaudio_manage_home_files(mozilla_plugin_t) ++ pulseaudio_manage_home_symlinks(mozilla_plugin_t) + ') + + optional_policy(` +@@ -560,7 +561,7 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) ++ rtkit_scheduled(mozilla_plugin_t) + ') + + optional_policy(` +@@ 
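Review bot: execmem and execstack become unconditional for mozilla_plugin_t in `allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };`, while this hunk deletes the `allow_execmem`/`mozilla_execstack` tunable_policy blocks that used to gate them, and the first hunk of this file keeps mozilla_t's execmem behind `deny_execmem` — so the plugin domain, the one meant to confine untrusted code, ends up with the weaker setting. The same pattern appears for mozilla_plugin_config_t in the next hunk (`@@ -568,108 +569,130 @@`). Suggested shape for both: `tunable_policy(`deny_execmem',`',` / `allow mozilla_plugin_t self:process execmem;` / `')`, with execstack under a dedicated boolean as before. Related widening that deserves at least a why-comment or a tunable: `can_exec(mozilla_plugin_t, mozilla_home_t)`, `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)` and `userdom_exec_user_tmp_files(mozilla_plugin_t)` let the plugin run content it can itself write, and `corenet_tcp_connect_all_ephemeral_ports`/`corenet_tcp_connect_generic_port` are granted unconditionally even though `mozilla_plugin_can_network_connect` exists for the broader case. Minor: `corenet_tcp_bind_generic_node(mozilla_plugin_t)` is listed twice on the new side.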
-568,108 +569,130 @@ optional_policy(` + ') + + optional_policy(` +- xserver_read_user_xauth(mozilla_plugin_t) ++ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) +- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) ++ xserver_read_user_iceauth(mozilla_plugin_t) ++ xserver_read_user_xauth(mozilla_plugin_t) ++ xserver_append_xdm_home_files(mozilla_plugin_t) ++ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) ++ xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t) ++ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t) + ') + + ######################################## + # +-# Plugin config local policy ++# mozilla_plugin_config local policy + # + + allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; +-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; +-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; +- +-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; +-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; +-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + +-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) +-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +- 
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; + +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") ++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) + +-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") ++dev_read_sysfs(mozilla_plugin_config_t) ++dev_read_urand(mozilla_plugin_config_t) ++dev_dontaudit_read_rand(mozilla_plugin_config_t) ++dev_dontaudit_rw_dri(mozilla_plugin_config_t) + +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) ++fs_search_auto_mountpoints(mozilla_plugin_config_t) ++fs_list_inotifyfs(mozilla_plugin_config_t) + +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +- +-kernel_read_system_state(mozilla_plugin_config_t) 
+-kernel_request_load_module(mozilla_plugin_config_t) ++can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++mozilla_filetrans_home_content(mozilla_plugin_t) ++ ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) ++mozilla_filetrans_home_content(mozilla_plugin_config_t) ++dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom; + + corecmd_exec_bin(mozilla_plugin_config_t) + corecmd_exec_shell(mozilla_plugin_config_t) + +-dev_read_urand(mozilla_plugin_config_t) +-dev_rw_dri(mozilla_plugin_config_t) +-dev_search_sysfs(mozilla_plugin_config_t) +-dev_dontaudit_read_rand(mozilla_plugin_config_t) ++kernel_read_system_state(mozilla_plugin_config_t) ++kernel_request_load_module(mozilla_plugin_config_t) + + domain_use_interactive_fds(mozilla_plugin_config_t) + +-files_list_tmp(mozilla_plugin_config_t) +-files_read_usr_files(mozilla_plugin_config_t) + files_dontaudit_search_home(mozilla_plugin_config_t) ++files_list_tmp(mozilla_plugin_config_t) + + 
fs_getattr_all_fs(mozilla_plugin_config_t) +-fs_search_auto_mountpoints(mozilla_plugin_config_t) +-fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++term_dontaudit_use_ptmx(mozilla_plugin_config_t) + + auth_use_nsswitch(mozilla_plugin_config_t) + +-miscfiles_read_localization(mozilla_plugin_config_t) + miscfiles_read_fonts(mozilla_plugin_config_t) + ++userdom_search_user_home_content(mozilla_plugin_config_t) + userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) + userdom_read_user_home_content_files(mozilla_plugin_config_t) ++userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) ++userdom_use_inherited_user_ptys(mozilla_plugin_config_t) ++userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t) ++userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t) ++userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t) ++userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t) + +-userdom_use_user_ptys(mozilla_plugin_config_t) ++domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) + +-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(mozilla_plugin_config_t) ++') + +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_config_t self:process execmem; ++optional_policy(` ++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) + ') + +-tunable_policy(`mozilla_execstack',` +- allow mozilla_plugin_config_t self:process { execmem execstack }; ++optional_policy(` ++ xserver_use_user_fonts(mozilla_plugin_config_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_config_t) +- fs_manage_nfs_files(mozilla_plugin_config_t) +- fs_manage_nfs_symlinks(mozilla_plugin_config_t) ++ifdef(`distro_redhat',` ++ typealias mozilla_plugin_t alias nsplugin_t; ++ typealias mozilla_plugin_exec_t alias nsplugin_exec_t; ++ typealias mozilla_plugin_rw_t alias nsplugin_rw_t; 
++ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t; ++ typealias mozilla_home_t alias nsplugin_home_t; ++ typealias mozilla_plugin_config_t alias nsplugin_config_t; ++ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) ++#tunable_policy(`mozilla_plugin_enable_homedirs',` ++# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) ++#', ` ++ ++ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file) ++ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir) ++#') ++ ++tunable_policy(`selinuxuser_execmod',` ++ userdom_execmod_user_home_files(mozilla_plugin_t) + ') + +-optional_policy(` +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) ++tunable_policy(`mozilla_plugin_use_spice',` ++ dev_rw_generic_usb_dev(mozilla_plugin_t) ++ corenet_tcp_bind_vnc_port(mozilla_plugin_t) + ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) ++tunable_policy(`mozilla_plugin_use_gps',` ++ fs_manage_dos_dirs(mozilla_plugin_t) ++ fs_manage_dos_files(mozilla_plugin_t) + ') +diff --git a/mpd.fc b/mpd.fc +index 313ce52..ae93e07 100644 +--- a/mpd.fc ++++ b/mpd.fc +@@ -1,3 +1,5 @@ ++HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0) ++ + /etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) + + /etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) +@@ -9,3 +11,5 @@ + /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) + + /var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) ++ ++/var/run/mpd(/.*)? 
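Review bot: Two rules in the mozilla_plugin_config section target the wrong domain: `mozilla_filetrans_home_content(mozilla_plugin_t)` sits between mozilla_plugin_config_t rules and is followed a few lines later by `mozilla_filetrans_home_content(mozilla_plugin_config_t)`, and `dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;` likewise; if they are meant for the plugin domain they belong in the mozilla_plugin section of the previous hunk, otherwise the first looks like a copy-paste slip and should be dropped. The commented-out `#tunable_policy(`mozilla_plugin_enable_homedirs',` block near the end is dead policy text; remove it or replace it with a one-line comment on why home-dir filetrans is not granted. `tunable_policy(`mozilla_plugin_use_spice'` and `mozilla_plugin_use_gps'` also grant to mozilla_plugin_t from inside the config section, and their gen_tunable declarations are not in any visible hunk — confirm they exist in the .te header. Style: `ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)` lacks the space after the comma used everywhere else, and `self:fifo_file rw_file_perms` replaces `rw_fifo_file_perms` for no visible reason.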
gen_context(system_u:object_r:mpd_var_run_t,s0) +diff --git a/mpd.if b/mpd.if +index 5fa77c7..2e01c7d 100644 +--- a/mpd.if ++++ b/mpd.if +@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',` + + ######################################## + ## ++## Connect to mpd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_stream_connect',` ++ gen_require(` ++ type mpd_t, mpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an mpd environment. + ## +@@ -344,9 +363,13 @@ interface(`mpd_admin',` + type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; + ') + +- allow $1 mpd_t:process { ptrace signal_perms }; ++ allow $1 mpd_t:process signal_perms; + ps_process_pattern($1, mpd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mpd_t:process ptrace; ++ ') ++ + mpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mpd_initrc_exec_t system_r; +diff --git a/mpd.te b/mpd.te +index 7c8afcc..33b18c8 100644 +--- a/mpd.te ++++ b/mpd.te +@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) + type mpd_user_data_t; + userdom_user_home_content(mpd_user_data_t) # customizable + ++type mpd_home_t; ++userdom_user_home_content(mpd_home_t) ++ ++type mpd_var_run_t; ++files_pid_file(mpd_var_run_t) ++ + ######################################## + # + # Local policy + # + + allow mpd_t self:capability { dac_override kill setgid setuid }; +-allow mpd_t self:process { getsched setsched setrlimit signal signull }; ++allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; + allow mpd_t self:fifo_file rw_fifo_file_perms; + allow mpd_t self:unix_stream_socket { accept connectto listen }; + allow mpd_t self:unix_dgram_socket sendto; + allow mpd_t self:tcp_socket { accept listen }; + allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; 
++allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; + + allow mpd_t mpd_data_t:dir manage_dir_perms; + allow mpd_t mpd_data_t:file manage_file_perms; +@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) + manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) + files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) + ++manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file }) ++ ++manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t) ++manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t) ++manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t) ++ + kernel_getattr_proc(mpd_t) + kernel_read_system_state(mpd_t) + kernel_read_kernel_sysctls(mpd_t) + + corecmd_exec_bin(mpd_t) + +-corenet_all_recvfrom_unlabeled(mpd_t) + corenet_all_recvfrom_netlabel(mpd_t) + corenet_tcp_sendrecv_generic_if(mpd_t) + corenet_tcp_sendrecv_generic_node(mpd_t) +@@ -139,9 +155,9 @@ dev_read_sound(mpd_t) + dev_write_sound(mpd_t) + dev_read_sysfs(mpd_t) + +-files_read_usr_files(mpd_t) + + fs_getattr_all_fs(mpd_t) ++fs_getattr_all_dirs(mpd_t) + fs_list_inotifyfs(mpd_t) + fs_rw_anon_inodefs_files(mpd_t) + fs_search_auto_mountpoints(mpd_t) +@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t) + + logging_send_syslog_msg(mpd_t) + +-miscfiles_read_localization(mpd_t) ++userdom_home_reader(mpd_t) + + tunable_policy(`mpd_enable_homedirs',` +- userdom_search_user_home_dirs(mpd_t) ++ userdom_stream_connect(mpd_t) ++ userdom_read_home_audio_files(mpd_t) ++ userdom_list_user_tmp(mpd_t) ++ userdom_read_user_tmpfs_files(mpd_t) ++ userdom_dontaudit_setattr_user_tmp(mpd_t) ++') ++ ++optional_policy(` ++ tunable_policy(`mpd_enable_homedirs',` ++ pulseaudio_read_home_files(mpd_t) ++ ') + ') + + 
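Review bot: The new `allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };` duplicates the unchanged `allow mpd_t self:unix_dgram_socket sendto;` two lines above; harmless at link time, but the old line should be dropped so the rule lives in one place. `setcap` is added to mpd_t's process permissions without a comment; a short why (which mpd feature needs it) would help the next reader. The `@@ -104,13 +111,22 @@` hunk manages mpd_home_t unconditionally while generic home access stays behind `mpd_enable_homedirs`; if ~/.mpd access is meant to be always-on, a comment next to the type declaration saying so would stop it being read as an oversight.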
tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(mpd_t) + fs_read_nfs_symlinks(mpd_t) ++ + ') + + tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` +@@ -191,7 +218,7 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_domtrans(mpd_t) ++ pulseaudio_exec(mpd_t) + ') + + optional_policy(` +@@ -199,6 +226,16 @@ optional_policy(` + ') + + optional_policy(` ++ #needed by pulseaudio ++ systemd_read_logind_sessions_files(mpd_t) ++ systemd_login_read_pid_files(mpd_t) ++') ++ ++optional_policy(` ++ rtkit_daemon_dontaudit_dbus_chat(mpd_t) ++') ++ ++optional_policy(` + udev_read_db(mpd_t) + ') + +diff --git a/mplayer.if b/mplayer.if +index 861d5e9..1c3d5a5 100644 +--- a/mplayer.if ++++ b/mplayer.if +@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',` + + userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) + ') ++ ++######################################## ++## ++## Create specified objects in user home ++## directories with the generic mplayer ++## home type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mplayer_filetrans_home_content',` ++ gen_require(` ++ type mplayer_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer") ++') +diff --git a/mplayer.te b/mplayer.te +index 9aca704..f92829c 100644 +--- a/mplayer.te ++++ b/mplayer.te +@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4) + ## its stack executable. + ##
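Review bot: `userdom_home_reader(mpd_t)` is added unconditionally, directly above the `mpd_enable_homedirs` tunable that gates every other home-directory access for mpd_t; if that interface grants read access to user home content (its name suggests so — confirm in userdomain.if), the boolean no longer controls whether mpd can read home files, and the call should move inside the tunable_policy block or carry a comment explaining why it is always on. The nfs tunable block also gains a stray blank line before its closing `')`, which is the only change to that block. The enclosing tunable_policy blocks begin and end inside the hunk.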

    + ## +-gen_tunable(allow_mplayer_execstack, false) ++gen_tunable(mplayer_execstack, false) + + attribute_role mencoder_roles; + attribute_role mplayer_roles; +@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t) + dev_rwx_zero(mencoder_t) + dev_read_video_dev(mencoder_t) + +-files_read_usr_files(mencoder_t) + + fs_search_auto_mountpoints(mencoder_t) + +@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t) + + userdom_manage_user_home_content_dirs(mencoder_t) + userdom_manage_user_home_content_files(mencoder_t) +-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file }) ++userdom_filetrans_home_content(mencoder_t) + + ifndef(`enable_mls',` + fs_list_dos(mencoder_t) +@@ -95,15 +94,15 @@ ifndef(`enable_mls',` + fs_read_iso9660_files(mencoder_t) + ') + +-tunable_policy(`allow_execmem',` +- allow mencoder_t self:process execmem; ++tunable_policy(`deny_execmem',`',` ++ allow mencoder_t self:process execmem; + ') + +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + dev_execmod_zero(mencoder_t) + ') + +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; + ') + +@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t) + files_read_non_security_files(mplayer_t) + files_list_home(mplayer_t) + files_read_etc_runtime_files(mplayer_t) +-files_read_usr_files(mplayer_t) + + fs_getattr_all_fs(mplayer_t) + fs_search_auto_mountpoints(mplayer_t) +@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) + + userdom_manage_user_home_content_dirs(mplayer_t) + userdom_manage_user_home_content_files(mplayer_t) +-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file }) ++userdom_filetrans_home_content(mplayer_t) + + userdom_write_user_tmp_sockets(mplayer_t) + +@@ -211,15 +209,15 @@ ifndef(`enable_mls',` + fs_read_iso9660_files(mplayer_t) + ') + +-tunable_policy(`allow_execmem',` +- allow 
mplayer_t self:process execmem; ++tunable_policy(`deny_execmem',`',` ++ allow mplayer_t self:process execmem; + ') + +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + dev_execmod_zero(mplayer_t) + ') + +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` + allow mplayer_t self:process { execmem execstack }; + ') + +@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_symlinks(mplayer_t) + ') + +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` + allow mplayer_t mplayer_tmpfs_t:file execute; + ') + +diff --git a/mrtg.te b/mrtg.te +index c97c177..9411154 100644 +--- a/mrtg.te ++++ b/mrtg.te +@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) + corecmd_exec_bin(mrtg_t) + corecmd_exec_shell(mrtg_t) + +-corenet_all_recvfrom_unlabeled(mrtg_t) + corenet_all_recvfrom_netlabel(mrtg_t) + corenet_tcp_sendrecv_generic_if(mrtg_t) + corenet_tcp_sendrecv_generic_node(mrtg_t) +@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t) + + files_getattr_tmp_dirs(mrtg_t) + files_read_etc_runtime_files(mrtg_t) +-files_read_usr_files(mrtg_t) + files_search_var(mrtg_t) + files_search_locks(mrtg_t) + files_search_var_lib(mrtg_t) +@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t) + + logging_send_syslog_msg(mrtg_t) + +-miscfiles_read_localization(mrtg_t) +- + selinux_dontaudit_getattr_dir(mrtg_t) + +-userdom_use_user_terminals(mrtg_t) ++userdom_use_inherited_user_terminals(mrtg_t) + userdom_dontaudit_read_user_home_content_files(mrtg_t) + userdom_dontaudit_use_unpriv_user_fds(mrtg_t) ++userdom_dontaudit_list_admin_dir(mrtg_t) + + netutils_domtrans_ping(mrtg_t) + +diff --git a/mta.fc b/mta.fc +index f42896c..cb2791a 100644 +--- a/mta.fc ++++ b/mta.fc +@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) + HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) + HOME_DIR/dead\.letter -- 
gen_context(system_u:object_r:mail_home_t,s0) + HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) ++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++ ++/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) + /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) ++/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) + /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) +-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) +- +-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) ++ifdef(`distro_redhat',` ++/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ++') ++ ++/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++ ++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/bin/mail(x)? 
-- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + + /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) +-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +diff --git a/mta.if b/mta.if +index ed81cac..566684a 100644 +--- a/mta.if ++++ b/mta.if +@@ -1,4 +1,4 @@ +-## Common e-mail transfer agent policy. ++## Policy common to all email tranfer agents. + + ######################################## + ## +@@ -18,23 +18,37 @@ interface(`mta_stub',` + + ####################################### + ## +-## The template to define a mail domain. ++## Basic mail transfer agent domain template. + ## ++## ++##
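Review bot: The rewritten `HOME_DIR/.maildir(/.*)?` entry drops the backslash the removed line had, so the `.` is now a regex wildcard and any `HOME_DIR/?maildir` path (e.g. `HOME_DIR/_maildir`) would be labeled mail_home_rw_t; restore `HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)`. Two smaller points in the same hunk: `/etc/postfix/aliases.*` loses its `--` file-only class restriction inside the new `distro_redhat` block, and `/root/\.forward` has no `[^/]*` suffix although the `HOME_DIR/\.forward[^/]*` entry covers `.forward+ext` variants — both may be deliberate, but look like copy slips. A one-line comment saying why the `/root/...` duplicates are needed (HOME_DIR presumably not expanding to /root in this build) would help the next reader.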

    ++## This template creates a derived domain which is ++## a email transfer agent, which sends mail on ++## behalf of the user. ++##

    ++##

    ++## This is the basic types and rules, common ++## to the system agent and user agents. ++##

    ++##
    + ## + ## +-## Domain prefix to be used. ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). + ## + ## ++## + # + template(`mta_base_mail_template',` ++ + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; + ') + +- ######################################## ++ ############################## + # +- # Declarations ++ # $1_mail_t declarations + # + + type $1_mail_t, user_mail_domain; +@@ -43,17 +57,16 @@ template(`mta_base_mail_template',` + type $1_mail_tmp_t; + files_tmp_file($1_mail_tmp_t) + +- ######################################## +- # +- # Declarations +- # +- + manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) + ++ kernel_read_system_state($1_mail_t) ++ + auth_use_nsswitch($1_mail_t) + ++ logging_send_syslog_msg($1_mail_t) ++ + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) + ') +@@ -61,61 +74,41 @@ template(`mta_base_mail_template',` + + ######################################## + ## +-## Role access for mta. ++## Role access for mta + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # + interface(`mta_role',` + gen_require(` + attribute mta_user_agent; +- attribute_role user_mail_roles; +- type user_mail_t, sendmail_exec_t, mail_home_t; +- type user_mail_tmp_t, mail_home_rw_t; ++ type user_mail_t, sendmail_exec_t; + ') + +- roleattribute $1 user_mail_roles; +- +- # this is something i need to fix +- # i dont know if and why it is needed +- # will role attribute work? +- role $1 types mta_user_agent; ++ role $1 types { user_mail_t mta_user_agent }; + ++ # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t) + allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; + +- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms }; +- ps_process_pattern($2, { user_mail_t mta_user_agent }) +- +- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms }; +- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue") +- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward") +- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc") +- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter") +- +- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") +- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") +- +- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms }; ++ allow mta_user_agent $2:fd use; ++ allow mta_user_agent $2:process sigchld; ++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms; + + optional_policy(` + exim_run($2, $1) + ') + + optional_policy(` +- mailman_run($2, $1) ++ mailman_run(mta_user_agent, $1) + ') + ') + +@@ -163,125 +156,23 @@ interface(`mta_agent_executable',` + application_executable_file($1) + ') + +-####################################### +-## +-## Read mta mail home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`mta_read_mail_home_files',` +- gen_require(` +- type mail_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 mail_home_t:file read_file_perms; +-') +- +-####################################### +-## +-## Create, read, write, and delete +-## mta mail home files. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`mta_manage_mail_home_files',` +- gen_require(` +- type mail_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 mail_home_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in user home +-## directories with the generic mail +-## home type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`mta_home_filetrans_mail_home',` +- gen_require(` +- type mail_home_t; +- ') +- +- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3) +-') +- +-####################################### +-## +-## Create, read, write, and delete +-## mta mail home rw content. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`mta_manage_mail_home_rw_content',` +- gen_require(` +- type mail_home_rw_t; +- ') +- +- userdom_search_user_home_dirs($1) +- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) +- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) +- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) +-') +- +-######################################## ++###################################### + ## +-## Create specified objects in user home +-## directories with the generic mail +-## home rw type. ++## Dontaudit read and write an leaked file descriptors + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain to not audit. 
+ ## + ## + # +-interface(`mta_home_filetrans_mail_home_rw',` ++interface(`mta_dontaudit_leaks_system_mail',` + gen_require(` +- type mail_home_rw_t; ++ type system_mail_t; + ') + +- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3) ++ dontaudit $1 system_mail_t:fifo_file write; ++ dontaudit $1 system_mail_t:tcp_socket { read write }; + ') + + ######################################## +@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',` + ') + + init_system_domain($1, sendmail_exec_t) +- + typeattribute $1 mailserver_domain; + ') + +@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',` + ') + + typeattribute $1 mailserver_delivery; ++ ++ userdom_home_manager($1) ++ ++ optional_policy(` ++ mta_rw_delivery_tcp_sockets($1) ++ ') ++ ++ userdom_filetrans_home_content($1) ++ + ') + + ####################################### +@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',` + ') + + typeattribute $1 mta_user_agent; ++ ++ optional_policy(` ++ # apache should set close-on-exec ++ apache_dontaudit_rw_stream_sockets($1) ++ apache_dontaudit_rw_sys_script_stream_sockets($1) ++ ') + ') + + ######################################## +@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',` + # + interface(`mta_send_mail',` + gen_require(` ++ attribute mta_user_agent; + type system_mail_t; + attribute mta_exec_type; + ') + +- corecmd_search_bin($1) ++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ corecmd_read_bin_symlinks($1) + domtrans_pattern($1, mta_exec_type, system_mail_t) + +- allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ allow mta_user_agent $1:fd use; ++ allow mta_user_agent $1:process sigchld; ++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -445,18 +355,24 @@ interface(`mta_send_mail',` + # + interface(`mta_sendmail_domtrans',` + gen_require(` +- type sendmail_exec_t; ++ attribute 
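Review bot: `userdom_home_manager($1)` in `mta_mailserver_delivery` gives every mail delivery domain create/write/delete access to all user home content, far beyond the Maildir and dot-file types this module already owns, so a compromised delivery agent gains write access to every home directory. Prefer the module's own home interfaces (`mta_manage_home_rw($1)` with `mta_read_home($1)`, defined later in this patch) or gate the broad rule behind a tunable. The `optional_policy(` around `mta_rw_delivery_tcp_sockets($1)` wraps an interface declared in this same mta.if, so it can never be "absent" and should be a plain call; the stray blank line before the closing `')` can go as well.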
mta_exec_type; ++ attribute mta_user_agent; + ') + +- corecmd_search_bin($1) +- domain_auto_trans($1, sendmail_exec_t, $2) ++ files_search_usr($1) ++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ corecmd_read_bin_symlinks($1) + +- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; ++ allow $2 mta_exec_type:file entrypoint; ++ domtrans_pattern($1, mta_exec_type, $2) ++ allow mta_user_agent $1:fd use; ++ allow mta_user_agent $1:process sigchld; ++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## +-## Send signals to system mail. ++## Send system mail client a signal + ## + ## + ## +@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',` + ## + ## + # +-# + interface(`mta_signal_system_mail',` + gen_require(` + type system_mail_t; +@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',` + + ######################################## + ## +-## Send kill signals to system mail. ++## Send all user mail client a signal ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_signal_user_agent',` ++ gen_require(` ++ attribute mta_user_agent; ++ ') ++ ++ allow $1 mta_user_agent:process signal; ++') ++ ++######################################## ++## ++## Send all user mail client a kill signal ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_kill_user_agent',` ++ gen_require(` ++ attribute mta_user_agent; ++ ') ++ ++ allow $1 mta_user_agent:process sigkill; ++') ++ ++######################################## ++## ++## Send system mail client a kill signal + ## + ## + ## +@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',` + type sendmail_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, sendmail_exec_t) + ') + + ######################################## + ## +-## Read mail server configuration content. ++## Check whether sendmail executable ++## files are executable. ++## ++## ++## ++## Domain allowed access. 
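Review bot: `mta_sendmail_domtrans` now transitions on the whole `mta_exec_type` attribute and adds `allow $2 mta_exec_type:file entrypoint;`, so any domain passed as `$2` becomes enterable through every MTA binary rather than sendmail_exec_t alone as before; callers that picked this interface for a sendmail-only transition widen silently. If the attribute is intended, say so in the summary — `## Execute any MTA binary (mta_exec_type) in the specified domain.` — and consider keeping a sendmail_exec_t-only variant for existing callers. The `allow mta_user_agent $1:fd use` / `process sigchld` / `fifo_file rw_inherited_fifo_file_perms` triple is now repeated verbatim here, in `mta_role` and in `mta_send_mail`; a small private interface would keep the three in sync.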
++## ++## ++# ++interface(`mta_sendmail_access_check',` ++ gen_require(` ++ type sendmail_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 sendmail_exec_t:file { getattr_file_perms execute }; ++') ++ ++######################################## ++## ++## Read mail server configuration. + ## + ## + ## +@@ -528,13 +498,13 @@ interface(`mta_read_config',` + + files_search_etc($1) + allow $1 etc_mail_t:dir list_dir_perms; +- allow $1 etc_mail_t:file read_file_perms; +- allow $1 etc_mail_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, etc_mail_t, etc_mail_t) ++ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) + ') + + ######################################## + ## +-## Write mail server configuration files. ++## write mail server configuration. + ## + ## + ## +@@ -548,33 +518,31 @@ interface(`mta_write_config',` + type etc_mail_t; + ') + +- files_search_etc($1) + write_files_pattern($1, etc_mail_t, etc_mail_t) + ') + + ######################################## + ## +-## Read mail address alias files. ++## Manage mail server configuration. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`mta_read_aliases',` ++interface(`mta_manage_config',` + gen_require(` +- type etc_aliases_t; ++ type etc_mail_t; + ') + +- files_search_etc($1) +- allow $1 etc_aliases_t:file read_file_perms; ++ manage_files_pattern($1, etc_mail_t, etc_mail_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## mail address alias content. ++## Read mail address aliases. 
+ ## + ## + ## +@@ -582,84 +550,66 @@ interface(`mta_read_aliases',` + ## + ## + # +-interface(`mta_manage_aliases',` ++interface(`mta_read_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) +- manage_files_pattern($1, etc_aliases_t, etc_aliases_t) +- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) ++ allow $1 etc_aliases_t:file read_file_perms; ++ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Create specified object in generic +-## etc directories with the mail address +-## alias type. ++## Create, read, write, and delete mail address aliases. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`mta_etc_filetrans_aliases',` ++interface(`mta_manage_aliases',` + gen_require(` + type etc_aliases_t; + ') + +- files_etc_filetrans($1, etc_aliases_t, $2, $3) ++ files_search_etc($1) ++ manage_files_pattern($1, etc_aliases_t, etc_aliases_t) ++ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) ++ mta_etc_filetrans_aliases($1, "aliases") ++ mta_etc_filetrans_aliases($1, "aliases.db") ++ mta_etc_filetrans_aliases($1, "aliasesdb-stamp") + ') + + ######################################## + ## +-## Create specified objects in specified +-## directories with a type transition to +-## the mail address alias type. ++## Type transition files created in /etc ++## to the mail address aliases type. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Directory to transition on. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## + ## + ## + ## The name of the object being created. 
+ ## + ## + # +-interface(`mta_spec_filetrans_aliases',` ++interface(`mta_etc_filetrans_aliases',` + gen_require(` + type etc_aliases_t; + ') + +- filetrans_pattern($1, $2, etc_aliases_t, $3, $4) ++ files_etc_filetrans($1, etc_aliases_t, file, $2) + ') + + ######################################## + ## +-## Read and write mail alias files. ++## Read and write mail aliases. + ## + ## + ## +@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',` + ') + + files_search_etc($1) +- allow $1 etc_aliases_t:file rw_file_perms; ++ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; + ') + + ####################################### + ## +-## Do not audit attempts to read +-## and write TCP sockets of mail +-## delivery domains. ++## Do not audit attempts to read and write TCP ++## sockets of mail delivery domains. + ## + ## + ## +@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` + dontaudit $1 mailserver_delivery:tcp_socket { read write }; + ') + ++###################################### ++## ++## Allow attempts to read and write TCP ++## sockets of mail delivery domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mta_rw_delivery_tcp_sockets',` ++ gen_require(` ++ attribute mailserver_delivery; ++ ') ++ ++ allow $1 mailserver_delivery:tcp_socket { read write }; ++') ++ + ####################################### + ## + ## Connect to all mail servers over TCP. (Deprecated) +@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',` + + ####################################### + ## +-## Do not audit attempts to read +-## mail spool symlinks. ++## Do not audit attempts to read a symlink ++## in the mail spool. + ## + ## + ## +@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` + + ######################################## + ## +-## Get attributes of mail spool content. ++## Get the attributes of mail spool files. 
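Review bot: `mta_etc_filetrans_aliases` changes from three arguments (domain, class, name) to two (domain, name) with the class fixed to `file`, and `mta_spec_filetrans_aliases` is deleted outright, so any out-of-tree module built against the old signatures breaks once this base is installed; if that is accepted it should be noted in the module changelog. `mta_manage_aliases` now hard-codes three named transitions (`aliases`, `aliases.db`, `aliasesdb-stamp`) without saying so; add `## Also creates aliases, aliases.db and aliasesdb-stamp in /etc with the aliases type.` to its summary. Dropping the class argument also means symlinks created in /etc no longer get the aliases type — presumably intended, but worth a word.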
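Review bot: The parameter text of the new `mta_rw_delivery_tcp_sockets` still reads `## Domain to not audit.` although the body is an `allow`, evidently copied from the dontaudit interface above it; change it to `## Domain allowed access.` Since the rule grants read/write on sockets of every `mailserver_delivery` domain, the summary should also say whether it is meant for inherited sockets only (`## Read and write inherited TCP sockets of mail delivery domains.`), matching the `rw_inherited_*` wording used elsewhere in this patch.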
+ ## + ## + ## +@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',` + + ######################################## + ## +-## Do not audit attempts to get +-## attributes of mail spool files. ++## Do not audit attempts to get the attributes ++## of mail spool files. + ## + ## + ## +@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',` + + ####################################### + ## +-## Create specified objects in the +-## mail spool directory with a +-## private type. ++## Create private objects in the ++## mail spool directory. + ## + ## + ## +@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',` + + ####################################### + ## +-## Read mail spool files. ++## Read the mail spool. + ## + ## + ## +@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',` + ## + ## + # +-interface(`mta_read_spool_files',` +- gen_require(` +- type mail_spool_t; +- ') ++interface(`mta_read_spool',` ++ gen_require(` ++ type mail_spool_t; ++ ') + + files_search_spool($1) + read_files_pattern($1, mail_spool_t, mail_spool_t) +@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',` + + ######################################## + ## +-## Read and write mail spool files. ++## Read and write the mail spool. + ## + ## + ## +@@ -845,13 +812,14 @@ interface(`mta_rw_spool',` + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; +- allow $1 mail_spool_t:file rw_file_perms; +- allow $1 mail_spool_t:lnk_file read_lnk_file_perms; ++ allow $1 mail_spool_t:file setattr_file_perms; ++ manage_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + + ####################################### + ## +-## Create, read, and write mail spool files. ++## Create, read, and write the mail spool. 
+ ## + ## + ## +@@ -866,13 +834,14 @@ interface(`mta_append_spool',` + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; +- manage_files_pattern($1, mail_spool_t, mail_spool_t) +- allow $1 mail_spool_t:lnk_file read_lnk_file_perms; ++ create_files_pattern($1, mail_spool_t, mail_spool_t) ++ write_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + + ####################################### + ## +-## Delete mail spool files. ++## Delete from the mail spool. + ## + ## + ## +@@ -891,8 +860,7 @@ interface(`mta_delete_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## mail spool content. ++## Create, read, write, and delete mail spool files. + ## + ## + ## +@@ -911,45 +879,9 @@ interface(`mta_manage_spool',` + manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + +-####################################### +-## +-## Create specified objects in the +-## mail queue spool directory with a +-## private type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`mta_queue_filetrans',` +- gen_require(` +- type mqueue_spool_t; +- ') +- +- files_search_spool($1) +- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) +-') +- + ######################################## + ## +-## Search mail queue directories. ++## Search mail queue dirs. + ## + ## + ## +@@ -968,7 +900,7 @@ interface(`mta_search_queue',` + + ####################################### + ## +-## List mail queue directories. ++## List the mail queue. 
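Review bot: `mta_rw_spool` keeps the summary "Read and write the mail spool" but its body now uses `manage_files_pattern`, which also grants create, unlink and rename, plus `setattr_file_perms`, so every existing caller of the read/write interface silently gains delete on mail_spool_t. Either use `rw_files_pattern($1, mail_spool_t, mail_spool_t)` and keep the setattr line, or rename the summary to "Create, read, write, and delete mail spool files" and steer rw-only callers elsewhere. The hunk starts on the previous line of this listing.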
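Review bot: `mta_append_spool` goes the opposite way: `create_files_pattern` plus `write_files_pattern` no longer includes read, while the summary still says "Create, read, and write the mail spool". Either add `read_files_pattern($1, mail_spool_t, mail_spool_t)` back, or change the summary to `## Create and write mail spool files.` so callers that read their own spool entries know to ask for it separately.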
+ ## + ## + ## +@@ -981,13 +913,13 @@ interface(`mta_list_queue',` + type mqueue_spool_t; + ') + +- files_search_spool($1) + allow $1 mqueue_spool_t:dir list_dir_perms; ++ files_search_spool($1) + ') + + ####################################### + ## +-## Read mail queue files. ++## Read the mail queue. + ## + ## + ## +@@ -1000,14 +932,14 @@ interface(`mta_read_queue',` + type mqueue_spool_t; + ') + +- files_search_spool($1) + read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ++ files_search_spool($1) + ') + + ####################################### + ## + ## Do not audit attempts to read and +-## write mail queue content. ++## write the mail queue. + ## + ## + ## +@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',` + ######################################## + ## + ## Create, read, write, and delete +-## mail queue content. ++## mail queue files. + ## + ## + ## +@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',` + + ####################################### + ## ++## Create private objects in the ++## mqueue spool directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`mta_spool_filetrans_queue',` ++ gen_require(` ++ type mqueue_spool_t; ++ ') ++ ++ files_search_spool($1) ++ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) ++') ++ ++####################################### ++## + ## Read sendmail binary. + ## + ## +@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',` + ## + ## + # ++# cjp: added for postfix + interface(`mta_read_sendmail_bin',` + gen_require(` + type sendmail_exec_t; +@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',` + + ####################################### + ## +-## Read and write unix domain stream +-## sockets of all base mail domains. ++## Read and write unix domain stream sockets ++## of user mail domains. 
+ ## + ## + ## +@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',` + + allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; + ') ++ ++######################################## ++## ++## Type transition files created in calling dir ++## to the mail address aliases type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Directory to transition on. ++## ++## ++# ++interface(`mta_filetrans_aliases',` ++ gen_require(` ++ type etc_aliases_t; ++ ') ++ ++ filetrans_pattern($1, $2, etc_aliases_t, file) ++') ++ ++###################################### ++## ++## ALlow domain to read mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_home',` ++ gen_require(` ++ type mail_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, mail_home_t, mail_home_t) ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ ') ++') ++ ++#################################### ++## ++## ALlow domain to read mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_home_rw',` ++ gen_require(` ++ type mail_home_rw_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ ') ++') ++ ++#################################### ++## ++## Allow domain to manage mail content in the homedir ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mta_manage_home_rw',` ++ gen_require(` ++ type mail_home_rw_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ userdom_search_admin_dir($1) ++ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ ') ++') ++ ++######################################## ++## ++## create mail content in the in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_filetrans_admin_home_content',` ++ gen_require(` ++ type mail_home_t; ++ type mail_home_rw_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter") ++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc") ++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") ++') ++ ++######################################## ++## ++## Transition to mta named home content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mta_filetrans_home_content',` ++ gen_require(` ++ type mail_home_t; ++ type mail_home_rw_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc") ++ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter") ++ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") ++') ++ ++######################################## ++## ++## Transition to mta named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_filetrans_named_content',` ++ gen_require(` ++ type etc_aliases_t; ++ type etc_mail_t; ++ ') ++ ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) ++ mta_etc_filetrans_aliases($1, "aliases") ++ mta_etc_filetrans_aliases($1, "aliases.db") ++ mta_etc_filetrans_aliases($1, "aliasesdb-stamp") ++ mta_filetrans_home_content($1) ++ mta_filetrans_admin_home_content($1) ++') +diff --git a/mta.te b/mta.te +index afd2fad..09ebbbe 100644 +--- a/mta.te ++++ b/mta.te +@@ -1,4 +1,4 @@ +-policy_module(mta, 2.6.5) ++policy_module(mta, 2.5.0) + + ######################################## + # +@@ -14,8 +14,6 @@ attribute mailserver_sender; + + attribute user_mail_domain; + +-attribute_role user_mail_roles; +- + type etc_aliases_t; + files_type(etc_aliases_t) + +@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t) + + type mqueue_spool_t; + files_mountpoint(mqueue_spool_t) ++files_spool_file(mqueue_spool_t) + + type mail_spool_t; + files_mountpoint(mail_spool_t) ++files_spool_file(mail_spool_t) + + type sendmail_exec_t; + mta_agent_executable(sendmail_exec_t) +@@ -43,178 +43,79 @@ role system_r types system_mail_t; + mta_base_mail_template(user) + typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; + typealias user_mail_t alias { 
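Review bot: `mta_filetrans_named_content` opens with an unnamed `filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })`, so every file or directory the caller creates inside an etc_mail_t directory gets the aliases type, contradicting the `/etc/mail(/.*)? etc_mail_t` default in mta.fc and mislabeling any other configuration written there; the three `mta_etc_filetrans_aliases` calls right after it are the named form this line should use, e.g. `filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliases")` and `"aliases.db"`. In the same hunk, `mta_filetrans_home_content` and `mta_filetrans_admin_home_content` transition `.esmtp_queue` to mail_home_rw_t while mta.fc labels `HOME_DIR/\.esmtp_queue` and `/root/\.esmtp_queue` mail_home_t, so a file created through the transition will not match what restorecon applies. Minor: `mta_manage_home_rw` calls `userdom_search_admin_dir($1)` unconditionally and again inside `ifdef(`distro_redhat',``, so the first call is redundant, and `mta_read_home`/`mta_read_home_rw` carry the typo `ALlow`.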
auditadm_mail_t secadm_mail_t }; +-userdom_user_application_type(user_mail_t) +-role user_mail_roles types user_mail_t; +- + typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; + typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; ++userdom_user_application_type(user_mail_t) + userdom_user_tmp_file(user_mail_tmp_t) + + ######################################## + # +-# Common base mail policy +-# +- +-allow user_mail_domain self:capability { setuid setgid chown }; +-allow user_mail_domain self:process { signal_perms setrlimit }; +-allow user_mail_domain self:fifo_file rw_fifo_file_perms; +- +-allow user_mail_domain mta_exec_type:file entrypoint; +- +-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; +- +-manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir") +-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir") +- +-read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t }) +- +-manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t }) +-read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t }) +- +-allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; +- +-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) +- +-kernel_read_system_state(user_mail_domain) +-kernel_read_kernel_sysctls(user_mail_domain) +-kernel_read_network_state(user_mail_domain) +-kernel_request_load_module(user_mail_domain) +- +-corenet_all_recvfrom_netlabel(user_mail_domain) +-corenet_tcp_sendrecv_generic_if(user_mail_domain) +-corenet_tcp_sendrecv_generic_node(user_mail_domain) +- 
+-corenet_sendrecv_all_client_packets(user_mail_domain) +-corenet_tcp_connect_all_ports(user_mail_domain) +-corenet_tcp_sendrecv_all_ports(user_mail_domain) +- +-corecmd_exec_bin(user_mail_domain) +- +-dev_read_urand(user_mail_domain) +- +-domain_use_interactive_fds(user_mail_domain) +- +-files_read_etc_runtime_files(user_mail_domain) +-files_read_usr_files(user_mail_domain) +-files_search_spool(user_mail_domain) +-files_dontaudit_search_pids(user_mail_domain) +- +-fs_getattr_all_fs(user_mail_domain) +- +-init_dontaudit_rw_utmp(user_mail_domain) +- +-logging_send_syslog_msg(user_mail_domain) +- +-miscfiles_read_localization(user_mail_domain) +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(user_mail_domain) +- fs_manage_cifs_files(user_mail_domain) +- fs_read_cifs_symlinks(user_mail_domain) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(user_mail_domain) +- fs_manage_nfs_files(user_mail_domain) +- fs_read_nfs_symlinks(user_mail_domain) +-') +- +-optional_policy(` +- courier_manage_spool_dirs(user_mail_domain) +- courier_manage_spool_files(user_mail_domain) +- courier_rw_spool_pipes(user_mail_domain) +-') +- +-optional_policy(` +- exim_domtrans(user_mail_domain) +- exim_manage_log(user_mail_domain) +- exim_manage_spool_files(user_mail_domain) +-') +- +-optional_policy(` +- files_getattr_tmp_dirs(user_mail_domain) +- +- postfix_exec_master(user_mail_domain) +- postfix_read_config(user_mail_domain) +- postfix_search_spool(user_mail_domain) +- postfix_rw_inherited_master_pipes(user_mail_domain) +- +- ifdef(`distro_redhat',` +- postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) +- ') +-') +- +-optional_policy(` +- procmail_exec(user_mail_domain) +-') +- +-optional_policy(` +- qmail_domtrans_inject(user_mail_domain) +-') +- +-optional_policy(` +- sendmail_manage_log(user_mail_domain) +- sendmail_log_filetrans_sendmail_log(user_mail_domain, file) +-') +- +-optional_policy(` +- 
uucp_manage_spool(user_mail_domain) +-') +- +-######################################## +-# +-# System local policy ++# System mail local policy + # + ++# newalias required this, not sure if it is needed in 'if' file + allow system_mail_t self:capability { dac_override fowner }; +- +-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) +- +-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) ++dontaudit system_mail_t self:capability net_admin; + + allow system_mail_t mail_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc") +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter") + +-allow system_mail_t user_mail_domain:dir list_dir_perms; +-allow system_mail_t user_mail_domain:file read_file_perms; +-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms; ++read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + + corecmd_exec_shell(system_mail_t) + +-dev_read_rand(system_mail_t) + dev_read_sysfs(system_mail_t) ++dev_read_rand(system_mail_t) ++dev_read_urand(system_mail_t) + +-fs_rw_anon_inodefs_files(system_mail_t) + +-selinux_getattr_fs(system_mail_t) ++fs_rw_anon_inodefs_files(system_mail_t) + + term_dontaudit_use_unallocated_ttys(system_mail_t) + + init_use_script_ptys(system_mail_t) ++init_dontaudit_rw_stream_socket(system_mail_t) ++ ++userdom_use_inherited_user_terminals(system_mail_t) ++userdom_dontaudit_list_user_home_dirs(system_mail_t) ++userdom_dontaudit_list_admin_dir(system_mail_t) ++ ++manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) ++manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) ++ ++allow system_mail_t mail_home_t:file manage_file_perms; ++userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) ++ ++ 
++logging_append_all_logs(system_mail_t) + +-userdom_use_user_terminals(system_mail_t) ++logging_send_syslog_msg(system_mail_t) + + optional_policy(` + apache_read_squirrelmail_data(system_mail_t) + apache_append_squirrelmail_data(system_mail_t) ++ ++ # apache should set close-on-exec + apache_dontaudit_append_log(system_mail_t) + apache_dontaudit_rw_stream_sockets(system_mail_t) + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) ++ apache_dontaudit_rw_tmp_files(system_mail_t) ++ ++ apache_dontaudit_rw_fifo_file(user_mail_domain) ++ apache_dontaudit_rw_fifo_file(mta_user_agent) ++ # apache should set close-on-exec ++ apache_dontaudit_rw_stream_sockets(mta_user_agent) ++ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) ++ apache_append_log(mta_user_agent) + ') + + optional_policy(` + arpwatch_manage_tmp_files(system_mail_t) + +- ifdef(`hide_broken_symptoms',` +- arpwatch_dontaudit_rw_packet_sockets(system_mail_t) +- ') ++ ifdef(`hide_broken_symptoms', ` ++ arpwatch_dontaudit_rw_packet_sockets(system_mail_t) ++ ') ++ + ') + + optional_policy(` +@@ -223,18 +124,18 @@ optional_policy(` + ') + + optional_policy(` +- clamav_stream_connect(system_mail_t) +- clamav_append_log(system_mail_t) ++ courier_stream_connect_authdaemon(system_mail_t) + ') + + optional_policy(` + cron_read_system_job_tmp_files(system_mail_t) + cron_dontaudit_write_pipes(system_mail_t) + cron_rw_system_job_stream_sockets(system_mail_t) ++ cron_rw_inherited_spool_files(system_mail_t) ++ cron_rw_inherited_user_spool_files(system_mail_t) + ') + + optional_policy(` +- courier_stream_connect_authdaemon(system_mail_t) + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) +@@ -245,13 +146,8 @@ optional_policy(` + ') + + optional_policy(` +- exim_domtrans(system_mail_t) +- exim_manage_log(system_mail_t) +-') +- +-optional_policy(` +- 
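Review bot: `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)` in the new system mail section is an unnamed transition, so every regular file system_mail_t creates directly in the admin home directory is labelled mail_home_t rather than only the mail-related names; the `mta_filetrans_admin_home_content` interface added to mta.if in this patch uses named transitions for dead.letter, .mailrc and .forward, and calling it here would keep the two places consistent and narrower. The added `allow system_mail_t mail_home_t:file manage_file_perms;` repeats the unchanged line earlier in this hunk and can be dropped. `logging_append_all_logs(system_mail_t)` grants append on every log type on the system; a why-comment naming which log the MTA actually needs to append would make that widening reviewable. The apache dontaudit rules for `mta_user_agent` and `user_mail_domain` now sit inside the system_mail_t section while the "MTA user agent local policy" section is removed further down the file; from this hunk alone it is hard to tell whether that placement is intentional.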
fail2ban_dontaudit_rw_stream_sockets(system_mail_t) + fail2ban_append_log(system_mail_t) ++ fail2ban_dontaudit_leaks(system_mail_t) + fail2ban_rw_inherited_tmp_files(system_mail_t) + ') + +@@ -264,10 +160,15 @@ optional_policy(` + ') + + optional_policy(` ++ # newaliases runs as system_mail_t when the sendmail initscript does a restart + milter_getattr_all_sockets(system_mail_t) + ') + + optional_policy(` ++ munin_dontaudit_leaks(system_mail_t) ++') ++ ++optional_policy(` + nagios_read_tmp_files(system_mail_t) + ') + +@@ -278,6 +179,15 @@ optional_policy(` + manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) ++ ++ domain_use_interactive_fds(system_mail_t) ++') ++ ++optional_policy(` ++ qmail_domtrans_inject(system_mail_t) ++ qmail_manage_spool_dirs(system_mail_t) ++ qmail_manage_spool_files(system_mail_t) ++ qmail_rw_spool_pipes(system_mail_t) + ') + + optional_policy(` +@@ -293,42 +203,36 @@ optional_policy(` + ') + + optional_policy(` +- spamassassin_stream_connect_spamd(system_mail_t) ++ spamd_stream_connect(system_mail_t) + ') + + optional_policy(` + smartmon_read_tmp_files(system_mail_t) + ') + +-######################################## +-# +-# MTA user agent local policy +-# +- +-userdom_use_user_terminals(mta_user_agent) +- +-optional_policy(` +- apache_append_log(mta_user_agent) +-') ++# should break this up among sections: + + optional_policy(` ++ # why is mail delivered to a directory of type arpwatch_data_t? 
++ arpwatch_search_data(mailserver_delivery) + arpwatch_manage_tmp_files(mta_user_agent) + +- ifdef(`hide_broken_symptoms',` +- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) +- ') +- + optional_policy(` + cron_read_system_job_tmp_files(mta_user_agent) + ') + ') + ++ifdef(`hide_broken_symptoms',` ++ domain_dontaudit_leaks(user_mail_domain) ++ domain_dontaudit_leaks(mta_user_agent) ++') ++ + ######################################## + # + # Mailserver delivery local policy + # + +-allow mailserver_delivery self:fifo_file rw_fifo_file_perms; ++allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms; + + allow mailserver_delivery mail_spool_t:dir list_dir_perms; + create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) + create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) + read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) + ++userdom_search_admin_dir(mailserver_delivery) ++read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) ++ + manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) +-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t }) ++manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) + manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir") + + 
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mailserver_delivery)
+- fs_manage_cifs_files(mailserver_delivery)
+- fs_read_cifs_symlinks(mailserver_delivery)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mailserver_delivery)
+- fs_manage_nfs_files(mailserver_delivery)
+- fs_read_nfs_symlinks(mailserver_delivery)
+-')
+-
+ optional_policy(`
+- arpwatch_search_data(mailserver_delivery)
++ dovecot_manage_spool(mailserver_delivery)
++ dovecot_domtrans_deliver(mailserver_delivery)
+ ')
+
+ optional_policy(`
+- dovecot_manage_spool(mailserver_delivery)
+- dovecot_domtrans_deliver(mailserver_delivery)
++ logwatch_search_cache_dir(mailserver_delivery)
+ ')
+
+ optional_policy(`
++ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+ mailman_domtrans(mailserver_delivery)
+@@ -387,24 +277,173 @@ optional_policy(`
+
+ ########################################
+ #
+-# User local policy
++# User send mail local policy
+ #
+
+-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
++domain_use_interactive_fds(user_mail_t)
++
++userdom_use_inherited_user_terminals(user_mail_t)
++# Write to the user domain tty. cjp: why?
++userdom_use_inherited_user_terminals(mta_user_agent)
++# Create dead.letter in user home directories.
++userdom_manage_user_home_content_files(user_mail_t)
++userdom_filetrans_home_content(user_mail_t)
++# for reading .forward - maybe we need a new type for it?
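Review bot: The removed `userdom_user_home_dir_filetrans(mailserver_delivery, ...)` lines for dead.letter, .forward, .mailrc, Maildir and .maildir have no replacement in this hunk, so files the delivery domain creates in a user home directory would fall back to the generic home content label unless `mta_filetrans_home_content` (added to mta.if in this patch) is invoked for mailserver_delivery somewhere not visible here. The dropped `use_nfs_home_dirs` and `use_samba_home_dirs` blocks likewise leave mailserver_delivery without access to home directories on NFS or CIFS unless that is now granted elsewhere. A one-line pointer next to the remaining mail_home_rw_t rules, e.g. `# home dir name transitions: see mta_filetrans_home_content() in mta.if`, would tell the next reader where the rules went.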
++# also for delivering mail to maildir
++userdom_manage_user_home_content_dirs(mailserver_delivery)
++userdom_manage_user_home_content_files(mailserver_delivery)
++userdom_manage_user_home_content_symlinks(mailserver_delivery)
++userdom_manage_user_home_content_pipes(mailserver_delivery)
++userdom_manage_user_home_content_sockets(mailserver_delivery)
++allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
++
++# Read user temporary files.
++userdom_read_user_tmp_files(user_mail_t)
++userdom_dontaudit_append_user_tmp_files(user_mail_t)
++# cjp: this should probably be read all user tmp
++# files in an appropriate place for mta_user_agent
++userdom_read_user_tmp_files(mta_user_agent)
+
+ dev_read_sysfs(user_mail_t)
+
+-userdom_use_user_terminals(user_mail_t)
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(user_mail_t)
++ fs_manage_cifs_symlinks(user_mail_t)
++')
+
+ optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
++ # Read user temporary files.
++ # postfix seems to need write access if the file handle is opened read/write
+ userdom_rw_user_tmp_files(user_mail_t)
+
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Comman user_mail_domain policy
++#
++
++allow user_mail_domain self:capability { setuid setgid chown };
++allow user_mail_domain self:process { signal_perms setrlimit };
++allow user_mail_domain self:tcp_socket create_socket_perms;
++allow user_mail_domain self:fifo_file rw_fifo_file_perms;
++allow user_mail_domain mta_exec_type:file entrypoint;
++
++append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++
++manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
++
++read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
++
++can_exec(user_mail_domain, mta_exec_type)
++
++allow system_mail_t user_mail_domain:file read_file_perms;
++
++read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
++
++kernel_read_network_state(user_mail_domain)
++kernel_request_load_module(user_mail_domain)
++
++dev_read_urand(user_mail_domain)
++
++
++# Write to /var/spool/mail and /var/spool/mqueue.
++manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
++manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
++read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
++read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
++
++# re-exec itself
++can_exec(user_mail_domain, sendmail_exec_t)
++allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
++
++kernel_read_kernel_sysctls(user_mail_domain)
++
++corenet_tcp_sendrecv_generic_if(user_mail_domain)
++corenet_tcp_sendrecv_generic_node(user_mail_domain)
++corenet_tcp_sendrecv_all_ports(user_mail_domain)
++corenet_tcp_connect_all_ports(user_mail_domain)
++corenet_tcp_connect_smtp_port(user_mail_domain)
++corenet_sendrecv_smtp_client_packets(user_mail_domain)
++
++corecmd_exec_bin(user_mail_domain)
++
++files_search_spool(user_mail_domain)
++# It wants to check for nscd
++files_dontaudit_search_pids(user_mail_domain)
++allow user_mail_domain etc_mail_t:dir search_dir_perms;
++
++files_read_etc_runtime_files(user_mail_domain)
++
++# Check available space.
++fs_getattr_xattr_fs(user_mail_domain) ++ ++init_dontaudit_rw_utmp(user_mail_domain) ++ ++optional_policy(` ++ courier_manage_spool_dirs(user_mail_domain) ++ courier_manage_spool_files(user_mail_domain) ++ courier_rw_spool_pipes(user_mail_domain) ++') ++ ++optional_policy(` ++ exim_domtrans(user_mail_domain) ++ exim_manage_log(user_mail_domain) ++ exim_manage_spool_files(user_mail_domain) ++') ++ ++optional_policy(` ++ # postfix needs this for newaliases ++ files_getattr_tmp_dirs(user_mail_domain) ++ ++ postfix_exec_master(user_mail_domain) ++ postfix_read_config(user_mail_domain) ++ postfix_search_spool(user_mail_domain) ++ postfix_rw_inherited_master_pipes(user_mail_domain) ++ ++ ifdef(`distro_redhat',` ++ # compatability for old default main.cf ++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) ++ ') ++') ++ ++optional_policy(` ++ openshift_rw_inherited_content(mta_user_agent) ++') ++ ++optional_policy(` ++ procmail_exec(user_mail_domain) ++') ++ ++optional_policy(` ++ qmail_domtrans_inject(user_mail_domain) ++') ++ ++optional_policy(` ++ # Write to /var/log/sendmail.st ++ sendmail_manage_log(user_mail_domain) ++ sendmail_create_log(user_mail_domain) ++') ++ ++optional_policy(` ++ uucp_manage_spool(user_mail_domain) ++') ++ ++optional_policy(` ++ antivirus_stream_connect(user_mail_domain) ++ antivirus_stream_connect(mta_user_agent) ++') ++ ++optional_policy(` ++ mailman_manage_data_files(mailserver_domain) ++ mailman_domtrans(mailserver_domain) ++ mailman_append_log(mailserver_domain) ++ mailman_read_log(mailserver_domain) ++') ++ +diff --git a/munin.fc b/munin.fc +index eb4b72a..4968324 100644 +--- a/munin.fc ++++ b/munin.fc +@@ -1,77 +1,79 @@ +-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +- ++/etc/munin(/.*)? 
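Review bot: `userdom_manage_user_home_content_dirs/files/symlinks/pipes/sockets(mailserver_delivery)` give the delivery domain create, write and delete over every user home content type, while the comment above them only asks for reading .forward and writing maildirs, both of which the mail_home_t read rule and the mail_home_rw_t manage rules this module keeps for mailserver_delivery already cover. A compromised delivery agent would thereby be able to rewrite arbitrary files in users' home directories, so either narrow this back to the two mail types (plus `userdom_search_user_home_dirs(mailserver_delivery)`) or document why generic home content must be writable. `allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;` is attribute-to-attribute, which is broader than the `self:fifo_file` rule in the delivery section; if same-domain access was meant, use `self`. Minor: the section header reads `# Comman user_mail_domain policy` and should be `# Common user_mail_domain policy`.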
gen_context(system_u:object_r:munin_etc_t,s0) + /etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) + +-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +- +-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +- ++/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) ++/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + ++# label all plugins as unconfined_munin_plugin_exec_t + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) + +-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) ++# disk plugins ++/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) + +-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) 
+-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++# mail plugins ++/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) + +-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++# services plugins ++/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + 
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/varnish_.* -- 
gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + ++# selinux plugins + /usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) + ++# system plugins + /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
+-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + +-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) ++/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) + /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) +- +-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) +- +-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0) +- +-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) ++/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) + /var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +diff --git a/munin.if b/munin.if +index b744fe3..4c1b6a8 100644 +--- a/munin.if ++++ b/munin.if +@@ -1,12 +1,13 @@ +-## Munin network-wide load graphing. ++## Munin network-wide load graphing (formerly LRRD) + +-####################################### ++######################################## + ## +-## The template to define a munin plugin domain. ++## Create a set of derived types for various ++## munin plugins, + ## +-## ++## + ## +-## Domain prefix to be used. ++## The name to be used for deriving type names. + ## + ## + # +@@ -14,12 +15,8 @@ template(`munin_plugin_template',` + gen_require(` + attribute munin_plugin_domain, munin_plugin_tmp_content; + type munin_t; +- ') + +- ######################################## +- # +- # Declarations +- # ++ ') + + type $1_munin_plugin_t, munin_plugin_domain; + type $1_munin_plugin_exec_t; +@@ -33,15 +30,22 @@ template(`munin_plugin_template',` + files_tmp_file($1_munin_plugin_tmp_t) + + ######################################## +- # +- # Policy +- # ++ # ++ # Policy ++ # + ++ # automatic transition rules from munin domain ++ # to specific munin plugin domain + domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) + + manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) ++ ++ kernel_read_system_state($1_munin_plugin_t) ++ ++ corenet_all_recvfrom_unlabeled($1_munin_plugin_t) ++ corenet_all_recvfrom_netlabel($1_munin_plugin_t) + ') + + ######################################## +@@ -66,7 +70,7 @@ interface(`munin_stream_connect',` + + ####################################### + ## +-## 
Read munin configuration content. ++## Read munin configuration files. + ## + ## + ## +@@ -80,15 +84,53 @@ interface(`munin_read_config',` + type munin_etc_t; + ') + +- files_search_etc($1) + allow $1 munin_etc_t:dir list_dir_perms; + allow $1 munin_etc_t:file read_file_perms; + allow $1 munin_etc_t:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ####################################### + ## +-## Append munin log files. ++## Read munin library files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`munin_read_var_lib_files',` ++ gen_require(` ++ type munin_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t) ++ ++') ++ ++###################################### ++## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`munin_dontaudit_leaks',` ++ gen_require(` ++ type munin_t; ++ ') ++ ++ dontaudit $1 munin_t:tcp_socket { read write }; ++') ++ ++####################################### ++## ++## Append to the munin log. + ## + ## + ## +@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',` + + ######################################## + ## +-## All of the rules required to +-## administrate an munin environment. ++## All of the rules required to administrate ++## an munin environment + ## + ## + ## +@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the munin domain. 
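Review bot: The summary of the new `munin_dontaudit_leaks` interface, "dontaudit read and write an leaked file descriptors", is ungrammatical and does not say which object is being silenced; suggest `## Do not audit attempts to read and write leaked munin tcp sockets.` so a reader knows it covers `munin_t:tcp_socket { read write }` only. `munin_read_var_lib_files` carries a stray blank line before its closing `')`, which the other interfaces in this file do not have.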
+ ## + ## + ## +@@ -170,8 +212,12 @@ interface(`munin_admin',` + type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; + ') + +- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { munin_plugin_domain munin_t }) ++ allow $1 munin_t:process signal_perms; ++ ps_process_pattern($1, munin_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 munin_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, munin_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/munin.te b/munin.te +index 97370e4..3549b8f 100644 +--- a/munin.te ++++ b/munin.te +@@ -37,15 +37,22 @@ munin_plugin_template(disk) + munin_plugin_template(mail) + munin_plugin_template(selinux) + munin_plugin_template(services) ++ ++type services_munin_plugin_tmpfs_t; ++files_tmpfs_file(services_munin_plugin_tmpfs_t) ++ + munin_plugin_template(system) + munin_plugin_template(unconfined) + ++type httpd_munin_script_tmp_t; ++files_tmp_file(httpd_munin_script_tmp_t) ++ + ################################ + # + # Common munin plugin local policy + # + +-allow munin_plugin_domain self:process signal; ++allow munin_plugin_domain self:process signal_perms; + allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; + + allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; +@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; + + manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) + +-kernel_read_system_state(munin_plugin_domain) +- +-corenet_all_recvfrom_unlabeled(munin_plugin_domain) +-corenet_all_recvfrom_netlabel(munin_plugin_domain) + corenet_tcp_sendrecv_generic_if(munin_plugin_domain) + corenet_tcp_sendrecv_generic_node(munin_plugin_domain) + + corecmd_exec_bin(munin_plugin_domain) + corecmd_exec_shell(munin_plugin_domain) + +-files_read_etc_files(munin_plugin_domain) +-files_read_usr_files(munin_plugin_domain) + files_search_var_lib(munin_plugin_domain) 
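Review bot: `munin_admin` now grants signal_perms and ps_process_pattern on `munin_t` only, dropping `munin_plugin_domain` from both, so an admin role loses the ability to list or signal the per-plugin domains that the old `{ munin_plugin_domain munin_t }` set covered; if that is not intended, the new lines should read `allow $1 { munin_plugin_domain munin_t }:process signal_perms;` and `ps_process_pattern($1, { munin_plugin_domain munin_t })`, with the plugin attribute added to the `deny_ptrace` branch as well. Gating ptrace on `deny_ptrace` is a sound narrowing; a short comment such as `# ptrace only while the deny_ptrace boolean is off` would make the empty true-branch obvious. The declaration block of `munin_admin` with its gen_require starts before this hunk.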
+ + fs_getattr_all_fs(munin_plugin_domain) + +-miscfiles_read_localization(munin_plugin_domain) ++auth_read_passwd(munin_plugin_domain) + + optional_policy(` + nscd_use(munin_plugin_domain) +@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) + manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) + manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) + +-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) ++rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) + + manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) + manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) +@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t) + corecmd_exec_bin(munin_t) + corecmd_exec_shell(munin_t) + +-corenet_all_recvfrom_unlabeled(munin_t) + corenet_all_recvfrom_netlabel(munin_t) + corenet_tcp_sendrecv_generic_if(munin_t) + corenet_tcp_sendrecv_generic_node(munin_t) +@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t) + domain_read_all_domains_state(munin_t) + + files_read_etc_runtime_files(munin_t) +-files_read_usr_files(munin_t) + files_list_spool(munin_t) + + fs_getattr_all_fs(munin_t) +@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t) + logging_read_all_logs(munin_t) + + miscfiles_read_fonts(munin_t) +-miscfiles_read_localization(munin_t) + miscfiles_setattr_fonts_cache_dirs(munin_t) + + sysnet_exec_ifconfig(munin_t) +@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t) + userdom_dontaudit_use_unpriv_user_fds(munin_t) + userdom_dontaudit_search_user_home_dirs(munin_t) + +-optional_policy(` +- apache_content_template(munin) +- +- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +- apache_search_sys_content(munin_t) +-') + + optional_policy(` + cron_system_entry(munin_t, munin_exec_t) +@@ -213,7 +204,6 @@ optional_policy(` + + optional_policy(` + 
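Review bot: `auth_read_passwd(munin_plugin_domain)` is added in place of `miscfiles_read_localization`, while `kernel_read_system_state`, `files_read_etc_files`, `files_read_usr_files` and both `corenet_all_recvfrom_*` calls are removed with nothing replacing them in this hunk. Presumably those permissions now arrive through a base attribute every domain carries, but that cannot be confirmed from the patch; if they do not, every plugin that reads /proc or /etc will start hitting denials. A comment on the new line, `# plugins map uids to names; base /etc and /proc reads come from the domain attribute`, would record both the reason for the rule and the assumption behind the removals.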
postfix_list_spool(munin_t) +- postfix_getattr_all_spool_files(munin_t) + ') + + optional_policy(` +@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; + + rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) + ++kernel_read_fs_sysctls(disk_munin_plugin_t) ++ + corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) + corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) + corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) + +-dev_getattr_all_blk_files(disk_munin_plugin_t) ++files_read_etc_runtime_files(disk_munin_plugin_t) ++ + dev_getattr_lvm_control(disk_munin_plugin_t) + dev_read_sysfs(disk_munin_plugin_t) + dev_read_urand(disk_munin_plugin_t) +- +-files_read_etc_runtime_files(disk_munin_plugin_t) ++dev_read_all_blk_files(disk_munin_plugin_t) + + fs_getattr_all_fs(disk_munin_plugin_t) + fs_getattr_all_dirs(disk_munin_plugin_t) + +-storage_getattr_fixed_disk_dev(disk_munin_plugin_t) ++storage_raw_read_fixed_disk(disk_munin_plugin_t) + + sysnet_read_config(disk_munin_plugin_t) + +@@ -268,6 +260,10 @@ optional_policy(` + fstools_exec(disk_munin_plugin_t) + ') + ++optional_policy(` ++ rpc_search_nfs_state_data(disk_munin_plugin_t) ++') ++ + #################################### + # + # Mail local policy +@@ -275,27 +271,36 @@ optional_policy(` + + allow mail_munin_plugin_t self:capability dac_override; + ++allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; ++allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++ + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) + + dev_read_urand(mail_munin_plugin_t) + + logging_read_generic_logs(mail_munin_plugin_t) + ++sysnet_read_config(mail_munin_plugin_t) ++ ++optional_policy(` ++ exim_read_log(mail_munin_plugin_t) ++') ++ + optional_policy(` +- mta_list_queue(mail_munin_plugin_t) + mta_read_config(mail_munin_plugin_t) +- mta_read_queue(mail_munin_plugin_t) + mta_send_mail(mail_munin_plugin_t) 
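Review bot: `storage_raw_read_fixed_disk(disk_munin_plugin_t)` replaces `storage_getattr_fixed_disk_dev`, and `dev_read_all_blk_files` replaces `dev_getattr_all_blk_files`, which turns a stat-only plugin domain into one that can read the raw contents of every fixed disk and block device, i.e. any file on the system regardless of its label. If a single plugin (hddtemp or a SMART probe, judging by the nearby `corenet_tcp_connect_hddtemp_port`) needs this, it should be the only domain to get it, or the two rules should be gated behind a `gen_tunable` boolean the way `deny_ptrace` gates ptrace in `munin_admin`. At minimum each rule needs a comment naming the plugin that requires raw reads, e.g. `# raw reads needed by the <plugin> disk-health probe; everything else only needs getattr`.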
++ mta_list_queue(mail_munin_plugin_t) ++ mta_read_queue(mail_munin_plugin_t) + ') + + optional_policy(` +- nscd_use(mail_munin_plugin_t) ++ nscd_socket_use(mail_munin_plugin_t) + ') + + optional_policy(` +- postfix_getattr_all_spool_files(mail_munin_plugin_t) + postfix_read_config(mail_munin_plugin_t) + postfix_list_spool(mail_munin_plugin_t) ++ postfix_getattr_spool_files(mail_munin_plugin_t) + ') + + optional_policy(` +@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; + allow services_munin_plugin_t self:udp_socket create_socket_perms; + allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++ + corenet_sendrecv_all_client_packets(services_munin_plugin_t) + corenet_tcp_connect_all_ports(services_munin_plugin_t) + corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t) + sysnet_read_config(services_munin_plugin_t) + + optional_policy(` +- bind_read_config(munin_services_plugin_t) ++ bind_read_config(services_munin_plugin_t) + ') + + optional_policy(` +@@ -353,7 +361,11 @@ optional_policy(` + ') + + optional_policy(` +- nscd_use(services_munin_plugin_t) ++ nscd_socket_use(services_munin_plugin_t) ++') ++ ++optional_policy(` ++ ntp_exec(services_munin_plugin_t) + ') + + optional_policy(` +@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) + + kernel_read_network_state(system_munin_plugin_t) + kernel_read_all_sysctls(system_munin_plugin_t) ++kernel_read_fs_sysctls(system_munin_plugin_t) + + dev_read_sysfs(system_munin_plugin_t) + dev_read_urand(system_munin_plugin_t) +@@ -413,3 +426,31 @@ optional_policy(` + optional_policy(` + unconfined_domain(unconfined_munin_plugin_t) + ') ++ ++ 
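Review bot: The two `manage_*_pattern` rules for `services_munin_plugin_tmpfs_t` let `services_munin_plugin_t` manage objects of that type, but nothing in this hunk (or in the type declaration earlier in the file) creates objects with that label: there is no `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })`. Unless the transition lives outside the patch, files the plugin creates on tmpfs keep the generic tmpfs label and the new rules never match. Adding the `fs_tmpfs_filetrans` line next to the two `manage_*` rules makes the type actually usable.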
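Review bot: `kernel_read_fs_sysctls(system_munin_plugin_t)` is added directly under `kernel_read_all_sysctls(system_munin_plugin_t)`; judging by the interface names the second already covers the first, so the new line looks redundant. The same `kernel_read_fs_sysctls` call is added for `disk_munin_plugin_t` earlier in the file, where no `all` variant is visible, so that one is fine. If the narrower call is kept on purpose, a comment such as `# fs sysctls listed explicitly so the rule survives if read_all_sysctls is ever dropped` would explain it; otherwise drop the line.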
++####################################### ++# ++# Munin CGI script local policy ++# ++ ++apache_content_template(munin) ++ ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++ ++manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) ++manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) ++ ++read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) ++read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) ++ ++read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) ++append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) ++ ++files_search_var_lib(httpd_munin_script_t) ++ ++auth_read_passwd(httpd_munin_script_t) ++ ++optional_policy(` ++ apache_search_sys_content(munin_t) ++') +diff --git a/mysql.fc b/mysql.fc +index c48dc17..43d56e3 100644 +--- a/mysql.fc ++++ b/mysql.fc +@@ -1,11 +1,24 @@ +-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +- +-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) +-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) +- +-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) +- ++# mysql database server ++ ++# ++# /HOME ++# ++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) ++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) ++ ++/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) ++ ++# ++# /etc ++# ++/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) ++/etc/mysql(/.*)? 
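Review bot: `apache_content_template(munin)` and the `httpd_munin_script_t` rules are now called unconditionally, whereas the block they replace (removed earlier in this file) was wrapped in `optional_policy`; only `apache_search_sys_content(munin_t)` keeps the wrapper. Because `httpd_munin_script_t` and `httpd_munin_content_t` come from the apache module, munin now hard-depends on apache being loaded, which the surviving `optional_policy` block suggests is not intended; the whole CGI section should move back inside one `optional_policy` block. Separately, `httpd_munin_script_tmp_t` is declared and managed but no `files_tmp_filetrans(httpd_munin_script_t, httpd_munin_script_tmp_t, { dir file })` appears, so objects the CGI creates in /tmp would get a generic tmp label unless that transition exists elsewhere, and the `manage_files_pattern` call is missing a space after its second comma.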
gen_context(system_u:object_r:mysqld_etc_t,s0) ++/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) ++ ++# ++# /usr ++# + /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) + +@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) + + /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) + /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) +-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) ++/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) + +-/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) ++# ++# /var ++# ++/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) ++/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) + +-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) ++/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) ++/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) + +-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) +-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) +-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) ++/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) ++/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) ++/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) +diff --git a/mysql.if b/mysql.if +index 687af38..404ed6d 100644 +--- a/mysql.if ++++ b/mysql.if +@@ -1,23 +1,4 @@ +-## Open source database. 
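Review bot: The init-script entry changes from `/etc/rc\.d/init\.d/mysqld? --` to `/etc/rc\.d/init\.d/mysqld --`, so a script installed as `/etc/rc.d/init.d/mysql`, which the optional `d?` existed to cover, no longer gets `mysqld_initrc_exec_t` and presumably falls back to the generic init-script label; that in turn defeats the `role_transition` in `mysql_admin` for that script. Unless no supported package ships the shorter name, keep the optional character: `/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)`.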
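Review bot: `/var/run/mysqld.*` is replaced by `/var/run/mysqld(/.*)?`, which no longer matches a pid file written directly as `/var/run/mysqld.pid`; the old expression matched both that file and the `/var/run/mysqld/` tree. The daemon's `files_pid_filetrans` labels a freshly created pid file correctly, but a relabel would now leave an existing flat `/var/run/mysqld.pid` with the generic /var/run label. If the flat pid file is still a supported layout, keep an explicit entry for it: `/var/run/mysqld\.pid -- gen_context(system_u:object_r:mysqld_var_run_t,s0)`.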
+- +-######################################## +-## +-## Role access for mysql. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-interface(`mysql_role',` +- refpolicywarn(`$0($*) has been deprecated') +-') ++## Policy for MySQL + + ###################################### + ## +@@ -34,38 +15,30 @@ interface(`mysql_domtrans',` + type mysqld_t, mysqld_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, mysqld_exec_t, mysqld_t) + ') + +-######################################## ++###################################### + ## +-## Execute mysqld in the mysqld domain, and +-## allow the specified role the mysqld domain. ++## Execute MySQL in the caller domain. + ## + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. ++## Domain allowed access. + ## + ## + # +-interface(`mysql_run_mysqld',` ++interface(`mysql_exec',` + gen_require(` +- attribute_role mysqld_roles; ++ type mysqld_exec_t; + ') + +- mysql_domtrans($1) +- roleattribute $2 mysqld_roles; ++ can_exec($1, mysqld_exec_t) + ') + + ######################################## + ## +-## Send generic signals to mysqld. ++## Send a generic signal to MySQL. + ## + ## + ## +@@ -81,9 +54,27 @@ interface(`mysql_signal',` + allow $1 mysqld_t:process signal; + ') + ++####################################### ++## ++## Send a null signal to mysql. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_signull',` ++ gen_require(` ++ type mysqld_t; ++ ') ++ ++ allow $1 mysqld_t:process signull; ++') ++ + ######################################## + ## +-## Connect to mysqld with a tcp socket. ++## Allow the specified domain to connect to postgresql with a tcp socket. + ## + ## + ## +@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',` + + ######################################## + ## +-## Connect to mysqld with a unix +-# domain stream socket. ++## Connect to MySQL using a unix domain stream socket. 
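Review bot: `mysql_run_mysqld` is deleted outright and the slot is reused for the unrelated `mysql_exec`, so any module still calling `mysql_run_mysqld($1, $2)` fails to build; the `mysql_role` interface removed just above this hunk had instead been kept as a `refpolicywarn` deprecation stub, which is the convention this file was following. Keep a stub under the old name that only emits `refpolicywarn` until callers have been migrated. The hunk also drops `corecmd_search_bin($1)` from `mysql_domtrans`, so callers must already be able to search bin directories to reach `mysqld_exec_t`; that is usually true, but a comment on the interface, `# callers are expected to already have corecmd_search_bin`, would make the assumption explicit.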
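Review bot: The new summary for `mysql_tcp_connect` reads `Allow the specified domain to connect to postgresql with a tcp socket.`, which is a copy-paste from the postgresql module; the interface body still grants the mysqld port. It should read `## Connect to MySQL using a TCP socket.` so the generated interface documentation is not misleading. The added `mysql_signull` interface is fine; its summary could use the same `MySQL` spelling as its siblings for consistency.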
+ ## + ## + ## +@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',` + ') + + files_search_pids($1) +- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) ++ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) ++ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) + ') + + ######################################## + ## +-## Read mysqld configuration content. ++## Read MySQL configuration files. + ## + ## + ## +@@ -139,7 +130,6 @@ interface(`mysql_read_config',` + type mysqld_etc_t; + ') + +- files_search_etc($1) + allow $1 mysqld_etc_t:dir list_dir_perms; + allow $1 mysqld_etc_t:file read_file_perms; + allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; +@@ -147,7 +137,8 @@ interface(`mysql_read_config',` + + ######################################## + ## +-## Search mysqld db directories. ++## Search the directories that contain MySQL ++## database storage. + ## + ## + ## +@@ -155,6 +146,8 @@ interface(`mysql_read_config',` + ## + ## + # ++# cjp: "_dir" in the name is added to clarify that this ++# is not searching the database itself. + interface(`mysql_search_db',` + gen_require(` + type mysqld_db_t; +@@ -166,7 +159,27 @@ interface(`mysql_search_db',` + + ######################################## + ## +-## Read and write mysqld database directories. ++## List the directories that contain MySQL ++## database storage. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_list_db',` ++ gen_require(` ++ type mysqld_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 mysqld_db_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Read and write to the MySQL database directory. + ## + ## + ## +@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',` + + ######################################## + ## +-## Create, read, write, and delete +-## mysqld database directories. ++## Create, read, write, and delete MySQL database directories. 
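Review bot: `files_search_etc($1)` is removed from `mysql_read_config`, so a caller that does not already have search on the /etc directory type cannot reach `/etc/mysql/*` even though it is granted `list_dir_perms` and `read_file_perms` on `mysqld_etc_t`. Most daemons obtain that search elsewhere, but interfaces are meant to be self-sufficient, and the new `mysql_list_db` in the same hunk does keep its `files_search_var_lib($1)`; restoring `files_search_etc($1)` keeps `mysql_read_config` consistent with it.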
+ ## + ## + ## +@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',` + + ####################################### + ## +-## Append mysqld database files. ++## Append to the MySQL database directory. + ## + ## + ## +@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',` + + ####################################### + ## +-## Read and write mysqld database files. ++## Read and write to the MySQL database directory. + ## + ## + ## +@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',` + + ####################################### + ## +-## Create, read, write, and delete +-## mysqld database files. ++## Create, read, write, and delete MySQL database files. + ## + ## + ## +@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',` + + ######################################## + ## +-## Read and write mysqld database sockets. ++## Read and write to the MySQL database + ## named socket. + ## + ## +@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',` + ## + # + interface(`mysql_rw_db_sockets',` +- refpolicywarn(`$0($*) has been deprecated.') ++ gen_require(` ++ type mysqld_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 mysqld_db_t:dir search_dir_perms; ++ allow $1 mysqld_db_t:sock_file rw_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## mysqld home files. ++## Write to the MySQL log. + ## + ## + ## +@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',` + ## + ## + # +-interface(`mysql_manage_mysqld_home_files',` ++interface(`mysql_write_log',` + gen_require(` +- type mysqld_home_t; ++ type mysqld_log_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 mysqld_home_t:file manage_file_perms; ++ logging_search_logs($1) ++ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; + ') + +-######################################## ++###################################### + ## +-## Relabel mysqld home files. ++## Execute MySQL safe script in the mysql safe domain. 
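Review bot: The revived `mysql_rw_db_sockets` grants `rw_sock_file_perms` on `mysqld_db_t:sock_file`, while `mysql_stream_connect` in this same file expects the socket inside the db directory to carry `mysqld_var_run_t` (that is what `stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)` encodes). Both labels can occur, because the `.te` changes later in this patch add `manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)` but only transition the socket to `mysqld_var_run_t` under `distro_redhat`, so a caller relying on this interface on a Red Hat build would still be denied. The summary should state which layout it is for, e.g. `## Read and write the MySQL socket when it is labeled mysqld_db_t (non-Red Hat layout); use mysql_stream_connect to connect to it.`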
+ ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`mysql_relabel_mysqld_home_files',` ++interface(`mysql_domtrans_mysql_safe',` + gen_require(` +- type mysqld_home_t; ++ type mysqld_safe_t, mysqld_safe_exec_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 mysqld_home_t:file relabel_file_perms; ++ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) + ') + +-######################################## ++###################################### + ## +-## Create objects in user home +-## directories with the mysqld home type. ++## Execute MySQL_safe in the caller domain. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## ++# ++interface(`mysql_safe_exec',` ++ gen_require(` ++ type mysqld_safe_exec_t; ++ ') ++ ++ can_exec($1, mysqld_safe_exec_t) ++') ++ ++##################################### ++## ++## Read MySQL PID files. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`mysql_home_filetrans_mysqld_home',` ++interface(`mysql_read_pid_files',` + gen_require(` +- type mysqld_home_t; ++ type mysqld_var_run_t; + ') + +- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3) ++ mysql_search_pid_files($1) ++ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + ') + +-######################################## ++##################################### + ## +-## Write mysqld log files. ++## Search MySQL PID files. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## ++## + # +-interface(`mysql_write_log',` ++interface(`mysql_search_pid_files',` + gen_require(` +- type mysqld_log_t; ++ type mysqld_var_run_t; + ') + +- logging_search_logs($1) +- allow $1 mysqld_log_t:file write_file_perms; ++ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + ') + +-###################################### ++######################################## + ## +-## Execute mysqld safe in the +-## mysqld safe domain. ++## Execute mysqld server in the mysqld domain. + ## + ## + ## +@@ -374,18 +396,22 @@ interface(`mysql_write_log',` + ## + ## + # +-interface(`mysql_domtrans_mysql_safe',` ++interface(`mysql_systemctl',` + gen_require(` +- type mysqld_safe_t, mysqld_safe_exec_t; ++ type mysqld_unit_file_t; ++ type mysqld_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) ++ systemd_exec_systemctl($1) ++ allow $1 mysqld_unit_file_t:file read_file_perms; ++ allow $1 mysqld_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mysqld_t) + ') + +-##################################### ++######################################## + ## +-## Read mysqld pid files. ++## read mysqld homedir content (.k5login) + ## + ## + ## +@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',` + ## + ## + # +-interface(`mysql_read_pid_files',` ++interface(`mysql_read_home_content',` + gen_require(` +- type mysqld_var_run_t; ++ type mysqld_home_t; + ') + +- files_search_pids($1) +- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, mysqld_home_t, mysqld_home_t) + ') + +-##################################### ++######################################## + ## +-## Search mysqld pid files. ++## Transition to mysqld named content + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. 
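Review bot: `mysql_search_pid_files` loses its `files_search_pids($1)` call, and `mysql_read_pid_files` now delegates to `mysql_search_pid_files` instead of calling `files_search_pids($1)` itself, so neither interface grants search on the /var/run directory any more and a caller with no other route to it is denied before it reaches `mysqld_var_run_t`. Restoring `files_search_pids($1)` inside `mysql_search_pid_files` fixes both interfaces at once. The hunk also extends `mysql_write_log` with `setattr_file_perms`, which its summary should mention: `## Write to and set attributes on the MySQL log.`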
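Review bot: The summary sitting directly above this hunk still reads `## Execute mysqld server in the mysqld domain.` and the parameter is described as `Domain allowed to transition.`, both left over from the `mysql_domtrans_mysql_safe` block this hunk turns into `mysql_systemctl`; the new body grants systemctl execution plus `manage_service_perms` on `mysqld_unit_file_t` and does no transition. Replace the summary with `## Execute systemctl in the caller domain to manage the mysqld service.` and the parameter text with `## Domain allowed access.`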
+ ## + ## +-## + # +-interface(`mysql_search_pid_files',` ++interface(`mysql_filetrans_named_content',` + gen_require(` +- type mysqld_var_run_t; ++ type mysqld_home_t; + ') + +- files_search_pids($1) +- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ++ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") ++ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mysqld environment. ++## All of the rules required to administrate an mysql environment + ## + ## + ## +@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the mysql domain. + ## + ## + ## + # + interface(`mysql_admin',` + gen_require(` +- type mysqld_t, mysqld_var_run_t, mysqld_etc_t; ++ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; +- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; +- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; ++ type mysqld_etc_t; ++ type mysqld_home_t; ++ type mysqld_unit_file_t; + ') + +- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) ++ allow $1 mysqld_t:process signal_perms; ++ ps_process_pattern($1, mysqld_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mysqld_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) ++ init_labeled_script_domtrans($1, mysqld_initrc_exec_t) + domain_system_change_exemption($1) +- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; ++ role_transition $2 mysqld_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_pids($1) +- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) ++ files_list_pids($1) ++ 
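Review bot: The summary for `mysql_read_home_content` says `read mysqld homedir content (.k5login)`, but the only object this module labels `mysqld_home_t` is `.my.cnf` (see the `mysql.fc` hunk in this patch); `.k5login` looks copied from another module's home-content interface. It should read `## Read MySQL client configuration in home directories (.my.cnf).` Since the `mysql.te` changes later in this patch stop `mysqld_t` itself from reading `mysqld_home_t`, the interface is presumably meant for client domains, and saying so in the summary would help callers pick it over the daemon rules.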
admin_pattern($1, mysqld_var_run_t) + +- files_search_var_lib($1) + admin_pattern($1, mysqld_db_t) + +- files_search_etc($1) +- admin_pattern($1, { mysqld_etc_t mysqld_home_t }) ++ files_list_etc($1) ++ admin_pattern($1, mysqld_etc_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, mysqld_log_t) + +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, mysqld_tmp_t) + +- mysql_run_mysqld($1, $2) ++ userdom_search_user_home_dirs($1) ++ files_list_root($1) ++ admin_pattern($1, mysqld_home_t) ++ ++ mysql_systemctl($1) ++ admin_pattern($1, mysqld_unit_file_t) ++ allow $1 mysqld_unit_file_t:service all_service_perms; ++ ++ mysql_stream_connect($1) + ') +diff --git a/mysql.te b/mysql.te +index 9f6179e..4383f87 100644 +--- a/mysql.te ++++ b/mysql.te +@@ -1,4 +1,4 @@ +-policy_module(mysql, 1.13.5) ++policy_module(mysql, 1.13.0) + + ######################################## + # +@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5) + # + + ## +-##
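Review bot: `mysql_admin` now covers only `mysqld_t` and `mysqld_initrc_exec_t`: `mysqld_safe_t`, `mysqlmanagerd_t`, `mysqlmanagerd_initrc_exec_t` and `mysqlmanagerd_var_run_t` are dropped from the `gen_require`, the signal and `ps_process_pattern` rules, the `init_labeled_script_domtrans`/`role_transition` pair and `admin_pattern`, yet `mysql.fc` in this same patch still labels `/etc/rc.d/init.d/mysqlmanager` and `/var/run/mysqld/mysqlmanager.*` with those types. An admin role therefore loses the ability to start, signal or inspect the manager and the `mysqld_safe` wrapper. Unless the manager is being retired, keep the old sets, e.g. `allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process signal_perms;`. Note also that `mysql_systemctl($1)` already grants `manage_service_perms`, so the extra `allow $1 mysqld_unit_file_t:service all_service_perms;` together with `admin_pattern($1, mysqld_unit_file_t)` is what lets the admin rewrite the unit file; a comment stating that this is intentional would be worthwhile.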

    +-## Determine whether mysqld can +-## connect to all TCP ports. +-##

    ++##

    ++## Allow mysqld to connect to all ports ++##

    + ##
    + gen_tunable(mysql_connect_any, false) + +-attribute_role mysqld_roles; +- + type mysqld_t; + type mysqld_exec_t; + init_daemon_domain(mysqld_t, mysqld_exec_t) +-application_domain(mysqld_t, mysqld_exec_t) +-role mysqld_roles types mysqld_t; + + type mysqld_safe_t; + type mysqld_safe_exec_t; +@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) + + type mysqld_var_run_t; + files_pid_file(mysqld_var_run_t) +-init_daemon_run_dir(mysqld_var_run_t, "mysqld") + + type mysqld_db_t; + files_type(mysqld_db_t) +@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t) + type mysqld_home_t; + userdom_user_home_content(mysqld_home_t) + ++type mysqld_unit_file_t; ++systemd_unit_file(mysqld_unit_file_t) ++ + type mysqld_initrc_exec_t; + init_script_file(mysqld_initrc_exec_t) + +@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t) + # Local policy + # + +-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; ++allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; + allow mysqld_t self:fifo_file rw_fifo_file_perms; + allow mysqld_t self:shm create_shm_perms; +-allow mysqld_t self:unix_stream_socket { accept listen }; +-allow mysqld_t self:tcp_socket { accept listen }; ++allow mysqld_t self:unix_stream_socket create_stream_socket_perms; ++allow mysqld_t self:tcp_socket create_stream_socket_perms; ++allow mysqld_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) ++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) + +-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) +- +-allow 
mysqld_t mysqld_etc_t:dir list_dir_perms; +-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; ++allow mysqld_t mysqld_etc_t:file read_file_perms; + allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; ++allow mysqld_t mysqld_etc_t:dir list_dir_perms; + +-allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(mysqld_t, mysqld_log_t, file) ++manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) + + manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) + manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) + +-kernel_read_kernel_sysctls(mysqld_t) ++userdom_dontaudit_use_unpriv_user_fds(mysqld_t) ++ + kernel_read_network_state(mysqld_t) + kernel_read_system_state(mysqld_t) ++kernel_read_kernel_sysctls(mysqld_t) ++ ++corecmd_exec_bin(mysqld_t) ++corecmd_exec_shell(mysqld_t) + +-corenet_all_recvfrom_unlabeled(mysqld_t) + corenet_all_recvfrom_netlabel(mysqld_t) + corenet_tcp_sendrecv_generic_if(mysqld_t) ++corenet_udp_sendrecv_generic_if(mysqld_t) + corenet_tcp_sendrecv_generic_node(mysqld_t) ++corenet_udp_sendrecv_generic_node(mysqld_t) ++corenet_tcp_sendrecv_all_ports(mysqld_t) ++corenet_udp_sendrecv_all_ports(mysqld_t) + corenet_tcp_bind_generic_node(mysqld_t) +- +-corenet_sendrecv_mysqld_server_packets(mysqld_t) + corenet_tcp_bind_mysqld_port(mysqld_t) +-corenet_sendrecv_mysqld_client_packets(mysqld_t) + corenet_tcp_connect_mysqld_port(mysqld_t) +-corenet_tcp_sendrecv_mysqld_port(mysqld_t) +- +-corecmd_exec_bin(mysqld_t) +-corecmd_exec_shell(mysqld_t) 
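Review bot: `allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;` is narrowed to `mysqld_etc_t` only, and the next hunk also removes `userdom_search_user_home_dirs(mysqld_t)`, so the daemon can no longer read `~/.my.cnf` or `/root/.my.cnf` even though `mysql.fc` in this patch still labels them `mysqld_home_t`. If mysqld never reads those files that is a welcome tightening and deserves a comment; if it does, add `mysql_read_home_content(mysqld_t)` or restore the set. The new `net_bind_service` capability is also unexplained: `corenet_tcp_bind_mysqld_port` is the only bind in the file and that port is presumably unprivileged, so either name the privileged port in a comment or drop the capability.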
++corenet_sendrecv_mysqld_client_packets(mysqld_t) ++corenet_sendrecv_mysqld_server_packets(mysqld_t) + + dev_read_sysfs(mysqld_t) + dev_read_urand(mysqld_t) + +-domain_use_interactive_fds(mysqld_t) +- + fs_getattr_all_fs(mysqld_t) + fs_search_auto_mountpoints(mysqld_t) + fs_rw_hugetlbfs_files(mysqld_t) + ++domain_use_interactive_fds(mysqld_t) ++ ++files_getattr_var_lib_dirs(mysqld_t) + files_read_etc_runtime_files(mysqld_t) +-files_read_usr_files(mysqld_t) ++files_search_var_lib(mysqld_t) + + auth_use_nsswitch(mysqld_t) + + logging_send_syslog_msg(mysqld_t) + +-miscfiles_read_localization(mysqld_t) ++sysnet_read_config(mysqld_t) + +-userdom_search_user_home_dirs(mysqld_t) +-userdom_dontaudit_use_unpriv_user_fds(mysqld_t) ++ifdef(`distro_redhat',` ++ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) ++') + + tunable_policy(`mysql_connect_any',` +- corenet_sendrecv_all_client_packets(mysqld_t) + corenet_tcp_connect_all_ports(mysqld_t) +- corenet_tcp_sendrecv_all_ports(mysqld_t) ++ corenet_sendrecv_all_client_packets(mysqld_t) + ') + + optional_policy(` +@@ -144,6 +147,10 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_search_lib(mysqld_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(mysqld_t) + ') + +@@ -153,29 +160,24 @@ optional_policy(` + + ####################################### + # +-# Safe local policy ++# Local mysqld_safe policy + # + +-allow mysqld_safe_t self:capability { chown dac_override fowner kill }; ++allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource }; + allow mysqld_safe_t self:process { setsched getsched setrlimit }; + allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + +-allow mysqld_safe_t mysqld_t:process signull; +- + read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) +-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) ++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) + +-allow mysqld_safe_t mysqld_etc_t:dir 
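Review bot: `corenet_tcp_sendrecv_all_ports(mysqld_t)` moves out of the `mysql_connect_any` tunable into the unconditional rules, `corenet_udp_sendrecv_all_ports` plus generic UDP if/node rules are added beside it, and `corenet_tcp_sendrecv_mysqld_port` is deleted. The boolean now gates only `tcp_connect`, while send/receive on every port is always permitted, which weakens what `mysql_connect_any` advertises; and no UDP bind or connect appears anywhere in the file to justify the UDP rules (name lookups already come through `auth_use_nsswitch`). Keep `corenet_tcp_sendrecv_mysqld_port(mysqld_t)` unconditionally and leave the `all_ports` variants inside the tunable, or add a comment naming the replication or cluster traffic that needs them.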
list_dir_perms; +-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; ++domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) + +-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) ++manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) + + manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) +- +-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) ++delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) + + kernel_read_system_state(mysqld_safe_t) + kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t) + corecmd_exec_bin(mysqld_safe_t) + corecmd_exec_shell(mysqld_safe_t) + ++dev_read_urand(mysqld_safe_t) + dev_list_sysfs(mysqld_safe_t) + + domain_read_all_domains_state(mysqld_safe_t) + +-files_read_etc_files(mysqld_safe_t) +-files_read_usr_files(mysqld_safe_t) +-files_search_pids(mysqld_safe_t) +-files_dontaudit_getattr_all_dirs(mysqld_safe_t) + files_dontaudit_search_all_mountpoints(mysqld_safe_t) ++files_dontaudit_getattr_all_dirs(mysqld_safe_t) ++files_dontaudit_write_root_dirs(mysqld_safe_t) + ++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + logging_send_syslog_msg(mysqld_safe_t) + +-miscfiles_read_localization(mysqld_safe_t) ++auth_read_passwd(mysqld_safe_t) ++ ++domain_dontaudit_signull_all_domains(mysqld_safe_t) + +-userdom_search_user_home_dirs(mysqld_safe_t) ++mysql_manage_db_files(mysqld_safe_t) ++mysql_read_config(mysqld_safe_t) ++mysql_search_pid_files(mysqld_safe_t) ++mysql_signull(mysqld_safe_t) 
++mysql_write_log(mysqld_safe_t) + + optional_policy(` + hostname_exec(mysqld_safe_t) +@@ -205,7 +213,7 @@ optional_policy(` + + ######################################## + # +-# Manager local policy ++# MySQL Manager Policy + # + + allow mysqlmanagerd_t self:capability { dac_override kill }; +@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; + allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; + allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; + +-allow mysqlmanagerd_t mysqld_t:process signal; +- +-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms; +-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms; ++mysql_read_config(initrc_t) ++mysql_read_config(mysqlmanagerd_t) ++mysql_read_pid_files(mysqlmanagerd_t) ++mysql_search_db(mysqlmanagerd_t) ++mysql_signal(mysqlmanagerd_t) ++mysql_stream_connect(mysqlmanagerd_t) + + domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) + +@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) + manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) + filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) + +-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) +- + kernel_read_system_state(mysqlmanagerd_t) + + corecmd_exec_shell(mysqlmanagerd_t) + +-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) + corenet_all_recvfrom_netlabel(mysqlmanagerd_t) + corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) + corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) ++corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) + corenet_tcp_bind_generic_node(mysqlmanagerd_t) +- +-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) + corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) 
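Review bot: `domain_dontaudit_signull_all_domains(mysqld_safe_t)` silences every denied null signal from the wrapper, which is exactly the probing an analyst would want to see in the audit log; if the noise is a known `kill -0` liveness loop, say so in a comment, `# mysqld_safe polls arbitrary pids with kill -0; suppress the signull noise`, otherwise scope the dontaudit to the domain actually being probed. The section also now obtains its own module's access through `mysql_manage_db_files`, `mysql_read_config`, `mysql_search_pid_files`, `mysql_signull` and `mysql_write_log`, whereas refpolicy convention has a module write direct rules for its own types and reserve interfaces for other modules; this also leaves `logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)` sitting apart from the log rules it belongs with.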
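Review bot: `mysql_read_config(initrc_t)` is inserted in the middle of the mysqlmanagerd rules, but it grants access to `initrc_t`, a type owned by the init module that this `.te` neither declares nor pulls in with `gen_require`; whether the build tolerates an undeclared type here depends on the toolchain, and in any case the rule has nothing to do with the manager. It belongs in the init module, or at least in its own `optional_policy` block with a `gen_require` for `initrc_t` and a comment explaining why init reads MySQL configuration. The remaining `mysql_*` calls for `mysqlmanagerd_t` replace direct rules from the same file, which is functionally fine but, by refpolicy convention, a module normally writes its own rules directly rather than through its interfaces.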
+-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) + corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) +-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t) ++corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) ++corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) + + dev_read_urand(mysqlmanagerd_t) + +-files_read_etc_files(mysqlmanagerd_t) +-files_read_usr_files(mysqlmanagerd_t) +-files_search_pids(mysqlmanagerd_t) +-files_search_var_lib(mysqlmanagerd_t) +- +-miscfiles_read_localization(mysqlmanagerd_t) +- +-userdom_search_user_home_dirs(mysqlmanagerd_t) ++userdom_getattr_user_home_dirs(mysqlmanagerd_t) +diff --git a/mythtv.fc b/mythtv.fc +new file mode 100644 +index 0000000..3a1c423 +--- /dev/null ++++ b/mythtv.fc +@@ -0,0 +1,9 @@ ++/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) ++ ++/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0) ++ ++/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0) ++ ++/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) ++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) ++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) +diff --git a/mythtv.if b/mythtv.if +new file mode 100644 +index 0000000..171f666 +--- /dev/null ++++ b/mythtv.if +@@ -0,0 +1,152 @@ ++ ++## policy for httpd_mythtv_script ++ ++######################################## ++## ++## Execute TEMPLATE in the httpd_mythtv_script domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`httpd_mythtv_script_domtrans',` ++ gen_require(` ++ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t) ++') ++ ++####################################### ++## ++## read mythtv libs. 
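Review bot: `corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)` replaces the removed port-specific `corenet_tcp_sendrecv_mysqlmanagerd_port`, so the manager may now exchange TCP traffic on every labeled port instead of its own; unless a concrete denial required another port, restoring `corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)` keeps the network surface where it was. The removed `files_read_etc_files`/`files_read_usr_files`/`miscfiles_read_localization` calls are presumably now supplied by a base attribute, but that is not visible here, so a start in enforcing mode should be checked.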
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mythtv_read_lib',` ++ gen_require(` ++ type mythtv_var_lib_t; ++ ') ++ ++ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) ++ files_list_var_lib($1) ++') ++ ++####################################### ++## ++## Create, read, write, and delete ++## mythtv lib content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mythtv_manage_lib',` ++ gen_require(` ++ type mythtv_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) ++ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) ++ files_list_var_lib($1) ++') ++ ++####################################### ++## ++## read mythtv logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mythtv_read_log',` ++ gen_require(` ++ type mythtv_var_log_t; ++ ') ++ ++ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) ++ logging_search_logs($1) ++') ++ ++####################################### ++## ++## Append mythtv log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mythtv_append_log',` ++ gen_require(` ++ type mythtv_var_log_t; ++ ') ++ ++ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) ++ logging_search_logs($1) ++') ++ ++####################################### ++## ++## Create, read, write, and delete ++## mythtv log content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mythtv_manage_log',` ++ gen_require(` ++ type mythtv_var_log_t; ++ ') ++ ++ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) ++ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) ++ logging_search_logs($1) ++') ++ ++######################################## ++## ++## All of the rules required to ++## administrate an mythtv environment. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`mythtv_admin',` ++ gen_require(` ++ type httpd_mythtv_script_t, mythtv_var_lib_t; ++ type mythtv_var_log_t; ++ ') ++ ++ allow $1 httpd_mythtv_script_t:process signal_perms; ++ ps_process_pattern($1, httpd_mythtv_script_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 httpd_mythtv_script_t:process ptrace; ++ ') ++ ++ logging_list_logs($1) ++ admin_pattern($1, mythtv_var_log_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, mythtv_var_lib_t) ++') +diff --git a/mythtv.te b/mythtv.te +new file mode 100644 +index 0000000..90129ac +--- /dev/null ++++ b/mythtv.te +@@ -0,0 +1,41 @@ ++policy_module(mythtv, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++apache_content_template(mythtv) ++ ++type mythtv_var_lib_t; ++files_type(mythtv_var_lib_t) ++ ++type mythtv_var_log_t; ++logging_log_file(mythtv_var_log_t) ++ ++######################################## ++# ++# httpd_mythtv_script local policy ++# ++ ++manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) ++manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) ++files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file }) ++ ++manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) ++manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) ++logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file ) ++ ++domain_use_interactive_fds(httpd_mythtv_script_t) ++ ++files_read_etc_files(httpd_mythtv_script_t) ++ ++fs_read_nfs_files(httpd_mythtv_script_t) ++ ++miscfiles_read_localization(httpd_mythtv_script_t) ++ ++optional_policy(` ++ mysql_read_config(httpd_mythtv_script_t) ++ mysql_stream_connect(httpd_mythtv_script_t) ++ mysql_tcp_connect(httpd_mythtv_script_t) ++') +diff --git a/nagios.fc b/nagios.fc +index d78dfc3..a00cc2d 100644 +--- a/nagios.fc ++++ b/nagios.fc +@@ -1,88 +1,97 @@ +-/etc/nagios(/.*)? 
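Review bot: The summary of `httpd_mythtv_script_domtrans` has a typo, `domin` for `domain`, and still says "Execute TEMPLATE", a leftover from the template it was generated from; suggest `## Execute a domain transition to run httpd_mythtv_script.` The rest of the file mirrors the nagios interfaces in this patch, including the `deny_ptrace` guard in `mythtv_admin`, which is the right shape.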
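Review bot: `logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )` transitions only files while the `manage_dirs_pattern` line above grants directory management on the log type, so a directory the CGI creates under /var/log keeps the parent's type and the log rules do not apply inside it. Use `logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, { dir file })`, matching the `{ dir file }` already used for the var_lib transition above. `fs_read_nfs_files(httpd_mythtv_script_t)` is unconditional; the usual form gates NFS access behind the `use_nfs_home_dirs` tunable so a web-facing script does not read NFS content unless the administrator has opted in.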
gen_context(system_u:object_r:nagios_etc_t,s0) +-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) ++/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) + +-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) ++/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) + +-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) ++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) ++/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + +-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) + +-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/var/spool/nagios(/.*)? 
gen_context(system_u:object_r:nagios_spool_t,s0) + +-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++ifdef(`distro_debian',` ++/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++') ++/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + ++# admin plugins + /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) + +-/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++# check disk plugins ++/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + +-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++# mail plugins ++/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++ ++/usr/lib/pnp4nagios(/.*)? 
gen_context(system_u:object_r:nagios_var_lib_t,s0) + ++# system plugins + /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_swap -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + ++# services plugins + /usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_hpjd -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_rpc -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +- +-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + +-/usr/lib/pnp4nagios(/.*)? 
gen_context(system_u:object_r:nagios_var_lib_t,s0) ++# openshift plugins ++/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) ++/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) + +-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++# label all nagios plugin as unconfined by default ++/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + +-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) +-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) +- +-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++# eventhandlers ++/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) +diff --git a/nagios.if b/nagios.if +index 0641e97..d7d9a79 100644 +--- a/nagios.if ++++ b/nagios.if +@@ -1,12 +1,13 @@ +-## Network monitoring server. ++## Net Saint / NAGIOS - network monitoring server + +-####################################### ++######################################## + ## +-## The template to define a nagios plugin domain. ++## Create a set of derived types for various ++## nagios plugins, + ## +-## ++## + ## +-## Domain prefix to be used. ++## The name to be used for deriving type names. 
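Review bot: The new catch-all `/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` labels every plugin not listed above as unconfined, and nagios.te wraps that domain in `unconfined_domain` while the plugin template lets `nrpe_t` transition to it, so any newly installed or locally written check runs unconfined by default. A confined default type with an explicit unconfined list, as the removed `check_by_ssh` entry did, keeps that privilege opt-in; if the catch-all is intended, a comment next to it should say that new plugins must be labeled explicitly to be confined. The removed `/var/run/nrpe.*` entry for `nrpe_var_run_t` has no replacement although the type is still declared and used by `files_pid_filetrans(nrpe_t, ...)` in nagios.te, so the pid file is labeled at creation but `restorecon` relabels it to the generic pid type; the `--` qualifier dropped from `/var/run/nagios.*` also now lets directories match that entry.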
+ ## + ## + # +@@ -16,38 +17,31 @@ template(`nagios_plugin_template',` + type nagios_t, nrpe_t; + ') + +- ######################################## +- # +- # Declarations +- # +- + type nagios_$1_plugin_t, nagios_plugin_domain; + type nagios_$1_plugin_exec_t; + application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) + role system_r types nagios_$1_plugin_t; + +- ######################################## +- # +- # Policy +- # +- + domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nagios_t nagios_$1_plugin_exec_t:file ioctl; + ++ # needed by command.cfg + domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) ++ ++ kernel_read_system_state(nagios_$1_plugin_t) ++ + ') + + ######################################## + ## +-## Do not audit attempts to read or +-## write nagios unnamed pipes. ++## Do not audit attempts to read or write nagios ++## unnamed pipes. + ## + ## + ## + ## Domain to not audit. + ## + ## +-## + # + interface(`nagios_dontaudit_rw_pipes',` + gen_require(` +@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',` + + ######################################## + ## +-## Read nagios configuration content. ++## Allow the specified domain to read ++## nagios configuration files. + ## + ## + ## +@@ -73,15 +68,14 @@ interface(`nagios_read_config',` + type nagios_etc_t; + ') + +- files_search_etc($1) + allow $1 nagios_etc_t:dir list_dir_perms; + allow $1 nagios_etc_t:file read_file_perms; +- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ###################################### + ## +-## Read nagios log files. ++## Read nagios logs. + ## + ## + ## +@@ -100,8 +94,7 @@ interface(`nagios_read_log',` + + ######################################## + ## +-## Do not audit attempts to read or +-## write nagios log files. ++## Do not audit attempts to read or write nagios logs. 
+ ## + ## + ## +@@ -132,13 +125,14 @@ interface(`nagios_search_spool',` + type nagios_spool_t; + ') + +- files_search_spool($1) + allow $1 nagios_spool_t:dir search_dir_perms; ++ files_search_spool($1) + ') + + ######################################## + ## +-## Read nagios temporary files. ++## Allow the specified domain to read ++## nagios temporary files. + ## + ## + ## +@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',` + type nagios_tmp_t; + ') + +- files_search_tmp($1) + allow $1 nagios_tmp_t:file read_file_perms; ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## nagios temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_rw_inerited_tmp_files',` ++ gen_require(` ++ type nagios_tmp_t; ++ ') ++ ++ allow $1 nagios_tmp_t:file rw_inherited_file_perms; ++ files_search_tmp($1) + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. ++## Execute the nagios NRPE with ++## a domain transition. + ## + ## + ## +@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',` + type nrpe_t, nrpe_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, nrpe_exec_t, nrpe_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an nagios environment. ++## All of the rules required to administrate ++## an nagios environment + ## + ## + ## +@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the nagios domain. 
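Review bot: The new interface is named `nagios_rw_inerited_tmp_files` — `inerited` is a typo that becomes part of the public interface name once other modules call it, and its summary is copied from `nagios_read_tmp_files` ("Allow the specified domain to read nagios temporary files") although the body grants `rw_inherited_file_perms`. Rename it to `nagios_rw_inherited_tmp_files` before anything references it and change the summary to `## Read and write inherited nagios temporary files.`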
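Review bot: `corecmd_search_bin($1)` was dropped from `nagios_domtrans_nrpe`, leaving only the `domtrans_pattern`; a caller without search on bin directories cannot reach `nrpe_exec_t` to transition. The `httpd_mythtv_script_domtrans` interface added in this same patch keeps `corecmd_search_bin($1)` ahead of its `domtrans_pattern`, so the two should agree; restoring the line here is the smaller change. The `files_search_*` moves in the `nagios_read_config`, `nagios_search_spool` and `nagios_read_tmp_files` hunks only reorder the call and are harmless.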
+ ## + ## + ## + # + interface(`nagios_admin',` + gen_require(` +- attribute nagios_plugin_domain; + type nagios_t, nrpe_t, nagios_initrc_exec_t; +- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t; +- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t; +- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t; +- type nagios_eventhandler_plugin_tmp_t; ++ type nagios_tmp_t, nagios_log_t, nagios_var_run_t; ++ type nagios_etc_t, nrpe_etc_t, nagios_spool_t; + ') + +- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; +- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) ++ allow $1 nagios_t:process signal_perms; ++ ps_process_pattern($1, nagios_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 nagios_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_tmp($1) +- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) ++ files_list_tmp($1) ++ admin_pattern($1, nagios_tmp_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, nagios_log_t) + +- files_search_etc($1) +- admin_pattern($1, { nrpe_etc_t nagios_etc_t }) ++ files_list_etc($1) ++ admin_pattern($1, nagios_etc_t) + +- files_search_spool($1) ++ files_list_spool($1) + admin_pattern($1, nagios_spool_t) + +- files_search_pids($1) +- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t }) ++ files_list_pids($1) ++ admin_pattern($1, nagios_var_run_t) + +- files_search_var_lib($1) +- admin_pattern($1, nagios_var_lib_t) ++ admin_pattern($1, nrpe_etc_t) + ') +diff --git a/nagios.te b/nagios.te +index 44ad3b7..a0488ea 100644 +--- a/nagios.te ++++ b/nagios.te +@@ -27,7 +27,7 @@ type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + + type nagios_spool_t; +-files_type(nagios_spool_t) ++files_spool_file(nagios_spool_t) + + type nagios_var_lib_t; + 
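Review bot: `nrpe_t` stays in the `gen_require` of `nagios_admin` but is no longer used in the body: `signal_perms`, `ps_process_pattern` and the `deny_ptrace`-guarded `ptrace` now cover only `nagios_t`, and the old `nagios_plugin_domain` coverage is gone too. Either drop `nrpe_t` from the require or write `allow $1 { nagios_t nrpe_t }:process signal_perms;` so an admin role can still signal a stuck nrpe. `nagios_var_lib_t` and `nrpe_var_run_t` also leave the admin pattern although `nagios_var_lib_t` is still declared in nagios.te, so the role loses management of /var/lib/nagios content; if that is deliberate the summary should say what the interface no longer covers.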
files_type(nagios_var_lib_t) +@@ -39,6 +39,7 @@ nagios_plugin_template(services) + nagios_plugin_template(system) + nagios_plugin_template(unconfined) + nagios_plugin_template(eventhandler) ++nagios_plugin_template(openshift) + + type nagios_eventhandler_plugin_tmp_t; + files_tmp_file(nagios_eventhandler_plugin_tmp_t) +@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) + type nagios_system_plugin_tmp_t; + files_tmp_file(nagios_system_plugin_tmp_t) + ++type nagios_openshift_plugin_tmp_t; ++files_tmp_file(nagios_openshift_plugin_tmp_t) ++ + type nrpe_t; + type nrpe_exec_t; + init_daemon_domain(nrpe_t, nrpe_exec_t) +@@ -63,19 +67,21 @@ files_pid_file(nrpe_var_run_t) + + allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; + ++allow nrpe_t nagios_plugin_domain:process { signal sigkill }; ++ ++allow nagios_t nagios_plugin_domain:process signal_perms; ++allow nagios_plugin_domain nagios_t:process signal_perms; ++ ++# cjp: leaked file descriptor + dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; + dontaudit nagios_plugin_domain nagios_log_t:file { read write }; + +-kernel_read_system_state(nagios_plugin_domain) +- + dev_read_urand(nagios_plugin_domain) + dev_read_rand(nagios_plugin_domain) ++dev_read_sysfs(nagios_plugin_domain) + +-files_read_usr_files(nagios_plugin_domain) +- +-miscfiles_read_localization(nagios_plugin_domain) +- +-userdom_use_user_terminals(nagios_plugin_domain) ++userdom_use_inherited_user_ptys(nagios_plugin_domain) ++userdom_use_inherited_user_ttys(nagios_plugin_domain) + + ######################################## + # +@@ -96,11 +102,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; + allow nagios_t nagios_etc_t:file read_file_perms; + allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; + +-allow nagios_t nagios_log_t:dir setattr_dir_perms; +-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +-setattr_files_pattern(nagios_t, 
nagios_log_t, nagios_log_t) +-logging_log_filetrans(nagios_t, nagios_log_t, file) ++#allow nagios_t nagios_log_t:dir setattr_dir_perms; ++#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) ++manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t) ++logging_log_filetrans(nagios_t, nagios_log_t, { dir file }) + + manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) + manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) +@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) + files_pid_filetrans(nagios_t, nagios_var_run_t, file) + + manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) ++manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file}) + + manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) + manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) +@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t) + corecmd_exec_bin(nagios_t) + corecmd_exec_shell(nagios_t) + +-corenet_all_recvfrom_unlabeled(nagios_t) + corenet_all_recvfrom_netlabel(nagios_t) + corenet_tcp_sendrecv_generic_if(nagios_t) + corenet_tcp_sendrecv_generic_node(nagios_t) +@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t) + + files_read_etc_runtime_files(nagios_t) + files_read_kernel_symbol_table(nagios_t) +-files_read_usr_files(nagios_t) + files_search_spool(nagios_t) + + fs_getattr_all_fs(nagios_t) +@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t) + + logging_send_syslog_msg(nagios_t) + +-miscfiles_read_localization(nagios_t) +- + userdom_dontaudit_use_unpriv_user_fds(nagios_t) + userdom_dontaudit_search_user_home_dirs(nagios_t) + +@@ -178,6 +183,7 @@ 
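Review bot: The four `#allow`/`#append_files_pattern`/`#create_files_pattern`/`#setattr_files_pattern` lines are commented-out rules left next to their replacements; delete them rather than keep dead policy a reader may think is still in effect. The replacement widens `nagios_t` from append/create/setattr on `nagios_log_t` to `manage_files_pattern` plus `manage_dirs_pattern`, which includes write and unlink, so the daemon can now truncate or remove its own logs; if rotation was the need, a comment naming the denial (`# nagios rotates its own log files`) would justify the wider grant, and otherwise the old append-only shape is the better audit-trail property.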
optional_policy(` + # + # CGI local policy + # ++ + optional_policy(` + apache_content_template(nagios) + typealias httpd_nagios_script_t alias nagios_cgi_t; +@@ -229,9 +235,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) + + domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) + ++kernel_read_system_state(nrpe_t) + kernel_read_kernel_sysctls(nrpe_t) + kernel_read_software_raid_state(nrpe_t) +-kernel_read_system_state(nrpe_t) + + corecmd_exec_bin(nrpe_t) + corecmd_exec_shell(nrpe_t) +@@ -252,8 +258,8 @@ dev_read_urand(nrpe_t) + domain_use_interactive_fds(nrpe_t) + domain_read_all_domains_state(nrpe_t) + ++files_list_var(nrpe_t) + files_read_etc_runtime_files(nrpe_t) +-files_read_usr_files(nrpe_t) + + fs_getattr_all_fs(nrpe_t) + fs_search_auto_mountpoints(nrpe_t) +@@ -262,8 +268,6 @@ auth_use_nsswitch(nrpe_t) + + logging_send_syslog_msg(nrpe_t) + +-miscfiles_read_localization(nrpe_t) +- + userdom_dontaudit_use_unpriv_user_fds(nrpe_t) + + optional_policy(` +@@ -310,15 +314,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) + # + + allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +-allow nagios_mail_plugin_t self:tcp_socket { accept listen }; ++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_mail_plugin_t self:udp_socket create_socket_perms; + + kernel_read_kernel_sysctls(nagios_mail_plugin_t) + + corecmd_read_bin_files(nagios_mail_plugin_t) + corecmd_read_bin_symlinks(nagios_mail_plugin_t) + +-files_read_etc_files(nagios_mail_plugin_t) +- + logging_send_syslog_msg(nagios_mail_plugin_t) + + sysnet_dns_name_resolve(nagios_mail_plugin_t) +@@ -345,6 +349,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; + + kernel_read_software_raid_state(nagios_checkdisk_plugin_t) + ++corecmd_exec_bin(nagios_checkdisk_plugin_t) ++ 
++files_getattr_all_dirs(nagios_checkdisk_plugin_t) + files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) + files_read_etc_runtime_files(nagios_checkdisk_plugin_t) + +@@ -357,9 +364,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + # Services local policy + # + +-allow nagios_services_plugin_t self:capability net_raw; ++allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw }; + allow nagios_services_plugin_t self:process { signal sigkill }; +-allow nagios_services_plugin_t self:tcp_socket { accept listen }; ++allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_services_plugin_t self:udp_socket create_socket_perms; ++allow nagios_services_plugin_t self:rawip_socket create_socket_perms; + + corecmd_exec_bin(nagios_services_plugin_t) + +@@ -391,6 +400,11 @@ optional_policy(` + + optional_policy(` + mysql_stream_connect(nagios_services_plugin_t) ++ mysql_read_config(nagios_services_plugin_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(nagios_services_plugin_t) + ') + + optional_policy(` +@@ -411,6 +425,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ + manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) + files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) + ++kernel_read_system_state(nagios_system_plugin_t) + kernel_read_kernel_sysctls(nagios_system_plugin_t) + + corecmd_exec_bin(nagios_system_plugin_t) +@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t) + + domain_read_all_domains_state(nagios_system_plugin_t) + +-files_read_etc_files(nagios_system_plugin_t) +- + fs_getattr_all_fs(nagios_system_plugin_t) + ++auth_read_passwd(nagios_system_plugin_t) ++ + optional_policy(` + init_read_utmp(nagios_system_plugin_t) + ') +@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) + + init_domtrans_script(nagios_eventhandler_plugin_t) + 
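Review bot: `nagios_services_plugin_t` gains `setuid`, `net_bind_service`, `net_raw` and a `rawip_socket`, and every plugin labeled `nagios_services_plugin_exec_t` in nagios.fc (check_dhcp through check_ssh) carries them, not only the ICMP checks that presumably need raw sockets. If check_icmp/check_ping/check_fping are the drivers, a dedicated type via `nagios_plugin_template` keeps raw-socket and setuid capability off the TCP-only checks; at minimum a comment on the capability line should state which plugin needs each.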
++systemd_exec_systemctl(nagios_eventhandler_plugin_t) ++ ++allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; ++ ++optional_policy(` ++ unconfined_domain(nagios_eventhandler_plugin_t) ++') ++ + ######################################## + # +-# Unconfined plugin policy ++# nagios openshift plugin policy ++# ++ ++allow nagios_openshift_plugin_t self:capability sys_ptrace; ++ ++manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) ++manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) ++files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir }) ++ ++corecmd_exec_bin(nagios_openshift_plugin_t) ++corecmd_exec_shell(nagios_openshift_plugin_t) ++ ++domain_read_all_domains_state(nagios_openshift_plugin_t) ++ ++fs_getattr_all_fs(nagios_openshift_plugin_t) ++ ++optional_policy(` ++ apache_read_config(nagios_openshift_plugin_t) ++') ++ ++###################################### ++# ++# nagios plugin domain policy + # + + optional_policy(` + unconfined_domain(nagios_unconfined_plugin_t) + ') ++ ++ ++ +diff --git a/namespace.fc b/namespace.fc +new file mode 100644 +index 0000000..ce51c8d +--- /dev/null ++++ b/namespace.fc +@@ -0,0 +1,3 @@ ++ ++/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0) ++ +diff --git a/namespace.if b/namespace.if +new file mode 100644 +index 0000000..8d7c751 +--- /dev/null ++++ b/namespace.if +@@ -0,0 +1,48 @@ ++ ++## policy for namespace ++ ++######################################## ++## ++## Execute a domain transition to run namespace_init. ++## ++## ++## ++## Domain allowed access. 
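Review bot: `optional_policy(` unconfined_domain(nagios_eventhandler_plugin_t) ')` makes the event handler domain unconfined, so the dedicated type and the `nagios_eventhandler_plugin_tmp_t`, `init_domtrans_script` and `systemd_exec_systemctl` rules above it constrain nothing while the unconfined module is loaded; if this is a workaround for a specific denial, the missing grant is the better fix, and if it is intended, a comment should say the remaining rules only matter when unconfined is removed. The heading renamed to `# nagios plugin domain policy` now sits above the block that still handles only `nagios_unconfined_plugin_t`, while the openshift block has its own heading; keep `# Unconfined plugin policy` there. `allow nagios_openshift_plugin_t self:capability sys_ptrace;` alongside `domain_read_all_domains_state` deserves a one-line comment on why ptrace capability, rather than /proc reads alone, is required. The hunk also appends three blank lines at end of file.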
++##
++##
++#
++interface(`namespace_init_domtrans',`
++ gen_require(`
++ type namespace_init_t, namespace_init_exec_t;
++ ')
++
++ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
++')
++
++
++########################################
++##
++## Execute namespace_init in the namespace_init domain, and
++## allow the specified role the namespace_init domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the namespace_init domain.
++##
++##
++#
++interface(`namespace_init_run',`
++ gen_require(`
++ type namespace_init_t;
++ ')
++
++ namespace_init_domtrans($1)
++ role $2 types namespace_init_t;
++
++ seutil_run_setfiles(namespace_init_t, $2)
++')
+diff --git a/namespace.te b/namespace.te
+new file mode 100644
+index 0000000..c674894
+--- /dev/null
++++ b/namespace.te
+@@ -0,0 +1,39 @@
++policy_module(namespace,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type namespace_init_t;
++type namespace_init_exec_t;
++init_system_domain(namespace_init_t, namespace_init_exec_t)
++role system_r types namespace_init_t;
++
++########################################
++#
++# namespace_init local policy
++#
++
++allow namespace_init_t self:capability dac_override;
++
++allow namespace_init_t self:fifo_file manage_fifo_file_perms;
++allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(namespace_init_t)
++
++corecmd_exec_shell(namespace_init_t)
++
++domain_use_interactive_fds(namespace_init_t)
++domain_obj_id_change_exemption(namespace_init_t)
++
++files_polyinstantiate_all(namespace_init_t)
++
++auth_use_nsswitch(namespace_init_t)
++
++term_use_console(namespace_init_t)
++
++userdom_manage_user_home_content(namespace_init_t)
++userdom_relabelto_user_home_dirs(namespace_init_t)
++userdom_relabelto_user_home_files(namespace_init_t)
++userdom_filetrans_home_content(namespace_init_t)
+diff --git a/ncftool.if b/ncftool.if
+index db9578f..4309e3d
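Review bot: `namespace_init_run` also calls `seutil_run_setfiles(namespace_init_t, $2)`, so every role handed the namespace_init domain is additionally allowed the setfiles relabelling domain, which is broader than the interface summary ("allow the specified role the namespace_init domain") states. If that is needed because namespace.init restores labels on the directories it creates, note it inline, e.g. `# namespace.init runs restorecon on new polyinstantiated dirs; the role needs setfiles too`, and mention setfiles in the summary. If only the namespace_init_t process needs to run setfiles, `seutil_domtrans_setfiles(namespace_init_t)` would avoid widening the role.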
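Review bot: `allow namespace_init_t self:capability dac_override;` is the broadest line in the new namespace.te and carries no comment; together with userdom_manage_user_home_content and the two userdom_relabelto interfaces it lets the domain write and relabel any user's home content regardless of DAC ownership. A why-comment above it would help later audits, e.g. `# dac_override: namespace.init creates and relabels polyinstantiated dirs owned by the logging-in user while running as root — TODO confirm`. If the denials that motivated it only occur during directory creation, check whether files_polyinstantiate_all alone suffices and the capability can be dropped.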
100644
+--- a/ncftool.if
++++ b/ncftool.if
+@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
+ #
+ interface(`ncftool_run',`
+ gen_require(`
++ type ncftool_t;
+ attribute_role ncftool_roles;
+ ')
+
+ ncftool_domtrans($1)
+ roleattribute $2 ncftool_roles;
+ ')
++
+diff --git a/ncftool.te b/ncftool.te
+index b13c0b1..c8baed2 100644
+--- a/ncftool.te
++++ b/ncftool.te
+@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
+
+ allow ncftool_t self:capability net_admin;
+ allow ncftool_t self:process signal;
++
+ allow ncftool_t self:fifo_file manage_fifo_file_perms;
+ allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+ allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
+
+ dev_read_sysfs(ncftool_t)
+
+-files_read_etc_files(ncftool_t)
++files_manage_system_conf_files(ncftool_t)
++files_relabelto_system_conf_files(ncftool_t)
+ files_read_etc_runtime_files(ncftool_t)
+-files_read_usr_files(ncftool_t)
+
+-miscfiles_read_localization(ncftool_t)
++term_use_all_inherited_terms(ncftool_t)
+
+ sysnet_delete_dhcpc_pid(ncftool_t)
+ sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+ sysnet_etc_filetrans_config(ncftool_t)
+ sysnet_manage_config(ncftool_t)
+ sysnet_read_dhcpc_state(ncftool_t)
++sysnet_relabelfrom_net_conf(ncftool_t)
++sysnet_relabelto_net_conf(ncftool_t)
+ sysnet_read_dhcpc_pid(ncftool_t)
+ sysnet_signal_dhcpc(ncftool_t)
+
+@@ -73,11 +76,14 @@ optional_policy(`
+
+ optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
++ iptables_systemctl(ncftool_t)
+ ')
+
+ optional_policy(`
++ modutils_list_module_config(ncftool_t)
+ modutils_read_module_config(ncftool_t)
+ modutils_run_insmod(ncftool_t, ncftool_roles)
++
+ ')
+
+ optional_policy(`
+diff --git a/nessus.te b/nessus.te
+index 56c0fbd..173a2c0 100644
+--- a/nessus.te
++++ b/nessus.te
+@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
+
+
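Review bot: In the ncftool.te @@ -41 hunk, `files_read_etc_files(ncftool_t)` is replaced by `files_manage_system_conf_files(ncftool_t)` and `files_relabelto_system_conf_files(ncftool_t)`, which widens ncftool from reading /etc to creating, writing, deleting and relabelling every file of the generic system-configuration type. The domain already has sysnet_manage_config and, in the @@ -53 hunk, sysnet_relabelfrom_net_conf/sysnet_relabelto_net_conf for the network configuration netcf actually edits, so the generic manage grant looks broader than needed; if a specific file outside the net_conf type is the reason, name it in a comment above the line. Dropping files_read_usr_files and miscfiles_read_localization at the same time matches the rest of this patch and is presumably covered by base policy now.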
corecmd_exec_bin(nessusd_t)
+
+-corenet_all_recvfrom_unlabeled(nessusd_t)
+ corenet_all_recvfrom_netlabel(nessusd_t)
+ corenet_tcp_sendrecv_generic_if(nessusd_t)
+ corenet_udp_sendrecv_generic_if(nessusd_t)
+@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
+ domain_use_interactive_fds(nessusd_t)
+
+ files_list_var_lib(nessusd_t)
+-files_read_etc_files(nessusd_t)
+ files_read_etc_runtime_files(nessusd_t)
+
+ fs_getattr_all_fs(nessusd_t)
+@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
+
+ logging_send_syslog_msg(nessusd_t)
+
+-miscfiles_read_localization(nessusd_t)
+-
+ sysnet_read_config(nessusd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
+diff --git a/networkmanager.fc b/networkmanager.fc
+index a1fb3c3..2b818b9 100644
+--- a/networkmanager.fc
++++ b/networkmanager.fc
+@@ -1,43 +1,45 @@
+-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+ /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
+ /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+ /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+ /etc/NetworkManager/dispatcher\.d(/.*)?
gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + +-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) ++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + +-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) ++/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + +-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) + +-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) +-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + +-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/sbin/wpa_cli -- 
gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +-/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) + /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) +-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) ++/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) ++/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) ++ ++/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + +-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) + /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/NetworkManager(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +diff --git a/networkmanager.if b/networkmanager.if +index 0e8508c..ee2e3de 100644 +--- a/networkmanager.if ++++ b/networkmanager.if +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Read and write networkmanager udp sockets. ++## Read and write NetworkManager UDP sockets. + ## + ## + ## +@@ -10,6 +10,7 @@ + ## + ## + # ++# cjp: added for named. + interface(`networkmanager_rw_udp_sockets',` + gen_require(` + type NetworkManager_t; +@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',` + + ######################################## + ## +-## Read and write networkmanager packet sockets. ++## Read and write NetworkManager packet sockets. + ## + ## + ## +@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',` + ## + ## + # ++# cjp: added for named. + interface(`networkmanager_rw_packet_sockets',` + gen_require(` + type NetworkManager_t; +@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',` + + ####################################### + ## +-## Relabel networkmanager tun socket. ++## Allow caller to relabel tun_socket + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
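Review bot: Several rewritten file-context regexes in networkmanager.fc drop the `\.` escaping the surrounding lines keep: `/etc/dhcp/manager-settings.conf`, the three `/etc/wicd/*-settings.conf` entries, `/usr/libexec/nm-dispatcher.action`, `/var/run/nm-xl2tpd.conf.*` and `/var/log/wicd.*`. An unescaped dot matches any character, so these are slightly wider than intended and inconsistent with e.g. `/var/run/nm-dns-dnsmasq\.conf` in the same hunk; they should read `/etc/dhcp/manager-settings\.conf` and so on. Moving the /etc/dhcp and /etc/wicd settings files from NetworkManager_etc_rw_t to NetworkManager_var_lib_t also changes which interfaces can reach them (the new networkmanager_read_conf covers NetworkManager_etc_t only), so a comment stating why files under /etc get the writable lib label would help.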
++## + ## + # + interface(`networkmanager_attach_tun_iface',` +@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',` + + ######################################## + ## +-## Read and write networkmanager netlink ++## Read and write NetworkManager netlink + ## routing sockets. + ## + ## +@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',` + ## + ## + # ++# cjp: added for named. + interface(`networkmanager_rw_routing_sockets',` + gen_require(` + type NetworkManager_t; +@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',` + + ######################################## + ## +-## Execute networkmanager with a domain transition. ++## Execute NetworkManager with a domain transition. + ## + ## + ## +@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',` + + ######################################## + ## +-## Execute networkmanager scripts with +-## an automatic domain transition to initrc. ++## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc. + ## + ## + ## +@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',` + ## + ## + # ++interface(`networkmanager_NetworkManagerrc_domtrans',` ++ gen_require(` ++ type NetworkManager_NetworkManagerrc_exec_t; ++ ') ++ ++ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t) ++') ++ ++####################################### ++## ++## Execute NetworkManager scripts with an automatic domain transition to initrc. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# + interface(`networkmanager_initrc_domtrans',` ++ gen_require(` ++ type NetworkManager_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ++') ++ ++######################################## ++## ++## Execute NetworkManager server in the NetworkManager domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`networkmanager_systemctl',` + gen_require(` +- type NetworkManager_initrc_exec_t; ++ type NetworkManager_unit_file_t; ++ type NetworkManager_t; + ') + +- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ++ systemd_exec_systemctl($1) ++ allow $1 NetworkManager_unit_file_t:file read_file_perms; ++ allow $1 NetworkManager_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, NetworkManager_t) + ') + + ######################################## + ## + ## Send and receive messages from +-## networkmanager over dbus. ++## NetworkManager over dbus. + ## + ## + ## +@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',` + + ######################################## + ## +-## Send generic signals to networkmanager. ++## Do not audit attempts to send and ++## receive messages from NetworkManager ++## over dbus. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`networkmanager_dontaudit_dbus_chat',` ++ gen_require(` ++ type NetworkManager_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 NetworkManager_t:dbus send_msg; ++ dontaudit NetworkManager_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Send a generic signal to NetworkManager + ## + ## + ## +@@ -153,7 +218,7 @@ interface(`networkmanager_signal',` + + ######################################## + ## +-## Read networkmanager lib files. ++## Read NetworkManager lib files. + ## + ## + ## +@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',` + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + ') + ++####################################### ++## ++## Read NetworkManager conf files. ++## ++## ++## ++## Domain allowed access. 
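Review bot: The new `networkmanager_NetworkManagerrc_domtrans` interface requires `type NetworkManager_NetworkManagerrc_exec_t` and calls `NetworkManager_labeled_script_domtrans`, neither of which is declared anywhere in this patch — networkmanager.te only declares NetworkManager_initrc_exec_t and NetworkManager_unit_file_t, and the labelled-script helper used elsewhere in this file is init_labeled_script_domtrans. This reads like a search-and-replace of "init" with "NetworkManager" (the summary's "initrc" became "NetworkManagerrc" the same way); since interfaces are only expanded when called, the error will surface as a build failure in whichever module first calls it. The block should be removed, as the corrected `networkmanager_initrc_domtrans` directly below it already does what the summary describes.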
++## ++## ++# ++interface(`networkmanager_read_conf',` ++ gen_require(` ++ type NetworkManager_etc_t; ++ ') ++ ++ allow $1 NetworkManager_etc_t:dir list_dir_perms; ++ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) ++') ++ + ######################################## + ## +-## Append networkmanager log files. ++## Read NetworkManager PID files. + ## + ## + ## +@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',` + ## + ## + # +-interface(`networkmanager_append_log_files',` ++interface(`networkmanager_read_pid_files',` + gen_require(` +- type NetworkManager_log_t; ++ type NetworkManager_var_run_t; + ') + +- logging_search_logs($1) +- allow $1 NetworkManager_log_t:dir list_dir_perms; +- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) ++ files_search_pids($1) ++ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + ') + + ######################################## + ## +-## Read networkmanager pid files. ++## Read NetworkManager PID files. + ## + ## + ## +@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',` + ## + ## + # +-interface(`networkmanager_read_pid_files',` ++interface(`networkmanager_manage_pid_files',` + gen_require(` + type NetworkManager_var_run_t; + ') + + files_search_pids($1) +- allow $1 NetworkManager_var_run_t:file read_file_perms; ++ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an networkmanager environment. ++## Execute NetworkManager in the NetworkManager domain, and ++## allow the specified role the NetworkManager domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + ## +@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',` + ## + ## + # +-interface(`networkmanager_admin',` ++interface(`networkmanager_run',` + gen_require(` +- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; +- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; +- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t; ++ type NetworkManager_t, NetworkManager_exec_t; + ') + +- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) +- +- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 NetworkManager_initrc_exec_t system_r; +- allow $2 system_r; ++ networkmanager_domtrans($1) ++ role $2 types NetworkManager_t; ++') + +- logging_search_etc($1) +- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) ++######################################## ++## ++## Allow the specified domain to append ++## to Network Manager log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_append_log',` ++ gen_require(` ++ type NetworkManager_log_t; ++ ') + + logging_search_logs($1) +- admin_pattern($1, NetworkManager_log_t) ++ allow $1 NetworkManager_log_t:dir list_dir_perms; ++ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) ++') + +- files_search_var_lib($1) +- admin_pattern($1, NetworkManager_var_lib_t) ++####################################### ++## ++## Allow the specified domain to manage ++## to Network Manager lib files. ++## ++## ++## ++## Domain allowed access. 
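Review bot: The summary above `networkmanager_manage_pid_files` still says "Read NetworkManager PID files.", copied from the read interface, while the body now grants `manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)`; the line should read `## Manage NetworkManager PID files.` so that interface documentation generated from it does not understate the access. The same hunk also turns the former read_pid_files body from `read_file_perms` on the file class into a full manage pattern, which is the change the summary should reflect.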
++## ++## ++# ++interface(`networkmanager_manage_lib',` ++ gen_require(` ++ type NetworkManager_var_lib_t; ++ ') + +- files_search_pids($1) +- admin_pattern($1, NetworkManager_var_run_t) ++ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++') ++ ++#################################### ++## ++## Connect to NM over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_stream_connect',` ++ gen_require(` ++ type NetworkManager_t, NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ++') ++ ++####################################### ++## ++## Read the process state (/proc/pid) of NetworkManager. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`NetworkManager_read_state',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:dir search_dir_perms; ++ allow $1 NetworkManager_t:file read_file_perms; ++ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## ++## Transition to networkmanager named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`networkmanager_filetrans_named_content',` ++ gen_require(` ++ type NetworkManager_var_run_t; ++ type NetworkManager_var_lib_t; ++ ') + +- files_search_tmp($1) +- admin_pattern($1, NetworkManager_tmp_t) ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid") ++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") ++ 
files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") ++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf") ++ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") + ') +diff --git a/networkmanager.te b/networkmanager.te +index 0b48a30..b5c140b 100644 +--- a/networkmanager.te ++++ b/networkmanager.te +@@ -1,4 +1,4 @@ +-policy_module(networkmanager, 1.14.7) ++policy_module(networkmanager, 1.14.0) + + ######################################## + # +@@ -9,15 +9,18 @@ type NetworkManager_t; + type NetworkManager_exec_t; + init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) + ++type NetworkManager_initrc_exec_t; ++init_script_file(NetworkManager_initrc_exec_t) ++ ++type NetworkManager_unit_file_t; ++systemd_unit_file(NetworkManager_unit_file_t) ++ + type NetworkManager_etc_t; + files_config_file(NetworkManager_etc_t) + + type NetworkManager_etc_rw_t; + files_config_file(NetworkManager_etc_rw_t) + +-type NetworkManager_initrc_exec_t; +-init_script_file(NetworkManager_initrc_exec_t) +- + type NetworkManager_log_t; + logging_log_file(NetworkManager_log_t) + +@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) + # Local policy + # + +-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; +-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; +-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; ++# networkmanager will ptrace itself if gdb is installed ++# and it receives a unexpected signal (rh bug #204161) ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++dontaudit NetworkManager_t self:capability sys_tty_config; ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit NetworkManager_t 
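Review bot: In `networkmanager_filetrans_named_content` the dhclient file names are spelled two ways — `nm-dhclient.-eth0.conf` (with a stray dot) through eth9, but `nm-dhclient-em0.conf` for the em interfaces — and named file transitions match the exact final path component, so one of the two spellings can never fire; the em list also stops at em8 while eth runs to 9. Any interface name outside this list gets no transition and the file keeps the generic /var/run label until a relabel, which the .fc entry `/var/run/nm-dhclient.*` only repairs after the fact, so a comment such as `# best-effort list of common interface names; others rely on restorecon` would set expectations. Separately, removing the whole `networkmanager_admin` interface breaks any module that still calls it (none visible here — worth grepping), and `NetworkManager_read_state` is the only interface in the file not prefixed `networkmanager_`, so callers following the module's naming convention will not find it.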
self:capability sys_module; ++') ++allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; ++tunable_policy(`deny_ptrace',`',` ++ allow NetworkManager_t self:capability sys_ptrace; ++ allow NetworkManager_t self:process ptrace; ++') ++ + allow NetworkManager_t self:fifo_file rw_fifo_file_perms; +-allow NetworkManager_t self:unix_dgram_socket sendto; +-allow NetworkManager_t self:unix_stream_socket { accept listen }; ++allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; ++allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; + allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; ++allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms; + allow NetworkManager_t self:netlink_socket create_socket_perms; + allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; +-allow NetworkManager_t self:tcp_socket { accept listen }; ++allow NetworkManager_t self:tcp_socket create_stream_socket_perms; + allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; ++allow NetworkManager_t self:udp_socket create_socket_perms; + allow NetworkManager_t self:packet_socket create_socket_perms; ++allow NetworkManager_t self:rawip_socket create_socket_perms; + + allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; + +-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms; +-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms; +-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms; ++can_exec(NetworkManager_t, NetworkManager_exec_t) ++#wicd ++can_exec(NetworkManager_t, wpa_cli_exec_t) + ++list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++ 
++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) + manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) + manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) + filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) +@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ + setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) + logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) + ++can_exec(NetworkManager_t, NetworkManager_tmp_t) + manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) + manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) + files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) +@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ + manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) + files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) + +-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) +- +-kernel_read_crypto_sysctls(NetworkManager_t) + kernel_read_system_state(NetworkManager_t) + kernel_read_network_state(NetworkManager_t) + kernel_read_kernel_sysctls(NetworkManager_t) + kernel_request_load_module(NetworkManager_t) + kernel_read_debugfs(NetworkManager_t) + kernel_rw_net_sysctls(NetworkManager_t) ++kernel_setsched(NetworkManager_t) + +-corenet_all_recvfrom_unlabeled(NetworkManager_t) + corenet_all_recvfrom_netlabel(NetworkManager_t) + corenet_tcp_sendrecv_generic_if(NetworkManager_t) + corenet_udp_sendrecv_generic_if(NetworkManager_t) +@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) + 
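Review bot: The rewritten capability line adds `sys_admin`, `fowner` and `net_bind_service` to NetworkManager_t, and sys_admin in particular is close to unconfined for a network daemon, yet the only comment in the hunk ("networkmanager will ptrace itself if gdb is installed ... rh bug #204161") sits above this line although it explains the deny_ptrace tunable block further down. Move that comment directly above `tunable_policy(deny_ptrace, ...)` and add a separate justification for sys_admin (for example which operation produced the denial — TODO confirm), so the two grants are not conflated. The `ifdef(hide_broken_symptoms)` dontaudit of sys_module matches the existing style and needs nothing further.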
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+ corenet_udp_sendrecv_all_ports(NetworkManager_t)
+ corenet_udp_bind_generic_node(NetworkManager_t)
+-
+-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+ corenet_udp_bind_isakmp_port(NetworkManager_t)
+-
+-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+ corenet_udp_bind_dhcpc_port(NetworkManager_t)
+-
+-corenet_sendrecv_all_client_packets(NetworkManager_t)
+ corenet_tcp_connect_all_ports(NetworkManager_t)
+-
++corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
++corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
++corenet_sendrecv_all_client_packets(NetworkManager_t)
+ corenet_rw_tun_tap_dev(NetworkManager_t)
+ corenet_getattr_ppp_dev(NetworkManager_t)
+
+-corecmd_exec_shell(NetworkManager_t)
+-corecmd_exec_bin(NetworkManager_t)
+-
+ dev_rw_sysfs(NetworkManager_t)
+ dev_read_rand(NetworkManager_t)
+ dev_read_urand(NetworkManager_t)
+@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+ dev_getattr_all_chr_files(NetworkManager_t)
+ dev_rw_wireless(NetworkManager_t)
+
+-domain_use_interactive_fds(NetworkManager_t)
+-domain_read_all_domains_state(NetworkManager_t)
+-
+-files_read_etc_runtime_files(NetworkManager_t)
+-files_read_usr_files(NetworkManager_t)
+-files_read_usr_src_files(NetworkManager_t)
+-
+ fs_getattr_all_fs(NetworkManager_t)
+ fs_search_auto_mountpoints(NetworkManager_t)
+ fs_list_inotifyfs(NetworkManager_t)
+@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t)
+
+ selinux_dontaudit_search_fs(NetworkManager_t)
+
++corecmd_exec_shell(NetworkManager_t)
++corecmd_exec_bin(NetworkManager_t)
++
++domain_use_interactive_fds(NetworkManager_t)
++domain_read_all_domains_state(NetworkManager_t)
++
++files_read_etc_runtime_files(NetworkManager_t)
++files_read_system_conf_files(NetworkManager_t)
++files_read_usr_src_files(NetworkManager_t)
++files_read_isid_type_files(NetworkManager_t)
++
+ storage_getattr_fixed_disk_dev(NetworkManager_t)
+
+
init_read_utmp(NetworkManager_t)
+@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t)
+
+ auth_use_nsswitch(NetworkManager_t)
+
++libs_exec_ldconfig(NetworkManager_t)
++
+ logging_send_syslog_msg(NetworkManager_t)
+
+ miscfiles_read_generic_certs(NetworkManager_t)
+-miscfiles_read_localization(NetworkManager_t)
+
+ seutil_read_config(NetworkManager_t)
+
+@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+ sysnet_read_dhcpc_state(NetworkManager_t)
+ sysnet_delete_dhcpc_state(NetworkManager_t)
+ sysnet_search_dhcp_state(NetworkManager_t)
++# in /etc created by NetworkManager will be labelled net_conf_t.
+ sysnet_manage_config(NetworkManager_t)
+ sysnet_etc_filetrans_config(NetworkManager_t)
+
+-# certificates in user home directories (cert_home_t in ~/\.pki)
+-userdom_read_user_home_content_files(NetworkManager_t)
+-
+-userdom_write_user_tmp_sockets(NetworkManager_t)
++userdom_stream_connect(NetworkManager_t)
+ userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+ userdom_dontaudit_use_user_ttys(NetworkManager_t)
++# Read gnome-keyring
++userdom_read_home_certs(NetworkManager_t)
++userdom_read_user_home_content_files(NetworkManager_t)
++userdom_dgram_send(NetworkManager_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(NetworkManager_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(NetworkManager_t)
++')
+
+ optional_policy(`
+ avahi_domtrans(NetworkManager_t)
+ avahi_kill(NetworkManager_t)
+ avahi_signal(NetworkManager_t)
+ avahi_signull(NetworkManager_t)
++ avahi_dbus_chat(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -196,10 +225,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- consolekit_read_pid_files(NetworkManager_t)
+-')
+-
+-optional_policy(`
+ consoletype_exec(NetworkManager_t)
+ ')
+
+@@ -210,16 +235,11 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+- optional_policy(`
+- avahi_dbus_chat(NetworkManager_t)
+- ')
++
init_dbus_chat(NetworkManager_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(NetworkManager_t)
+- ')
+-
+- optional_policy(`
+- policykit_dbus_chat(NetworkManager_t)
++ consolekit_read_pid_files(NetworkManager_t)
+ ')
+ ')
+
+@@ -231,18 +251,19 @@ optional_policy(`
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
++ dnsmasq_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
++ hal_write_log(NetworkManager_t)
+ ')
+
+ optional_policy(`
+- hal_write_log(NetworkManager_t)
++ howl_signal(NetworkManager_t)
+ ')
+
+ optional_policy(`
+- howl_signal(NetworkManager_t)
++ gnome_dontaudit_search_config(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -250,6 +271,10 @@ optional_policy(`
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
+ ipsec_signull_mgmt(NetworkManager_t)
++ ipsec_domtrans(NetworkManager_t)
++ ipsec_kill(NetworkManager_t)
++ ipsec_signal(NetworkManager_t)
++ ipsec_signull(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -257,11 +282,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- libs_exec_ldconfig(NetworkManager_t)
+-')
+-
+-optional_policy(`
+- modutils_domtrans_insmod(NetworkManager_t)
++ l2tpd_domtrans(NetworkManager_t)
++ l2tpd_sigkill(NetworkManager_t)
++ l2tpd_signal(NetworkManager_t)
++ l2tpd_signull(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -274,10 +298,17 @@ optional_policy(`
+ nscd_signull(NetworkManager_t)
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
++ nscd_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
++ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
++ ntp_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -289,6 +320,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(NetworkManager_t)
+
policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) +@@ -296,7 +328,7 @@ optional_policy(` + ') + + optional_policy(` +- polipo_initrc_domtrans(NetworkManager_t) ++ polipo_systemctl(NetworkManager_t) + ') + + optional_policy(` +@@ -307,6 +339,7 @@ optional_policy(` + ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) + ppp_read_config(NetworkManager_t) ++ ppp_systemctl(NetworkManager_t) + ') + + optional_policy(` +@@ -320,13 +353,19 @@ optional_policy(` + ') + + optional_policy(` +- udev_exec(NetworkManager_t) +- udev_read_db(NetworkManager_t) ++ systemd_write_inhibit_pipes(NetworkManager_t) ++ systemd_read_logind_sessions_files(NetworkManager_t) ++ systemd_dbus_chat_logind(NetworkManager_t) ++ systemd_hostnamed_read_config(NetworkManager_t) + ') + + optional_policy(` +- # unconfined_dgram_send(NetworkManager_t) +- unconfined_stream_connect(NetworkManager_t) ++ ssh_exec(NetworkManager_t) ++') ++ ++optional_policy(` ++ udev_exec(NetworkManager_t) ++ udev_read_db(NetworkManager_t) + ') + + optional_policy(` +@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru + init_dontaudit_use_fds(wpa_cli_t) + init_use_script_ptys(wpa_cli_t) + +-miscfiles_read_localization(wpa_cli_t) +- + term_dontaudit_use_console(wpa_cli_t) +diff --git a/nis.fc b/nis.fc +index 8aa1bfa..cd0e015 100644 +--- a/nis.fc ++++ b/nis.fc +@@ -2,21 +2,26 @@ + /etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +- + /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) + +-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) ++/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) 
+ +-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) ++/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) ++/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + /usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) + +-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) ++/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) + + /var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) + /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) + /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) + /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) ++ ++/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0) ++/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) ++/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) ++/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +diff --git a/nis.if b/nis.if +index 46e55c3..6e4e061 100644 +--- a/nis.if ++++ b/nis.if +@@ -1,4 +1,4 @@ +-## Policy for NIS (YP) servers and clients. 
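Review bot: `/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)` gives a file whose name suggests an environment/config file the daemon's executable type; if it is not a binary it should carry a configuration type so the entry point for the transition into the daemon domain stays limited to the real executable. If it is in fact an executed wrapper, a one-line comment next to the entry saying so would remove the ambiguity. The rest of the hunk is alignment and the new unit-file entries.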
++## Policy for NIS (YP) servers and clients + + ######################################## + ## +@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',` + gen_require(` + type var_yp_t; + ') +- +- allow $1 self:capability net_bind_service; ++ dontaudit $1 self:capability net_bind_service; + + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + allow $1 var_yp_t:dir list_dir_perms; +- allow $1 var_yp_t:file read_file_perms; + allow $1 var_yp_t:lnk_file read_lnk_file_perms; ++ allow $1 var_yp_t:file read_file_perms; + +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) +@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',` + corenet_udp_bind_generic_node($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) +- corenet_dontaudit_tcp_bind_all_reserved_ports($1) +- corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) + corenet_tcp_connect_portmap_port($1) +- corenet_tcp_connect_reserved_port($1) ++ corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_generic_port($1) +- corenet_dontaudit_tcp_connect_all_ports($1) + corenet_sendrecv_portmap_client_packets($1) + corenet_sendrecv_generic_client_packets($1) + corenet_sendrecv_generic_server_packets($1) +@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',` + ## + # + interface(`nis_use_ypbind',` +- tunable_policy(`allow_ypbind',` ++ tunable_policy(`nis_enabled',` + nis_use_ypbind_uncond($1) + ') + ') + + ######################################## + ## +-## Use nis to authenticate passwords. 
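Review bot: Replacing `corenet_tcp_connect_reserved_port($1)` with `corenet_tcp_connect_all_reserved_ports($1)` inside `nis_use_ypbind_uncond` widens every caller — and via `nis_use_ypbind`/`nis_authenticate` that is every domain that authenticates through NIS once `nis_enabled` is on — from connecting to otherwise-unlabelled low ports to connecting to every named reserved port type. The hunk also drops `corenet_dontaudit_tcp_connect_all_ports($1)`, so attempts outside the granted set will now be logged where they were silenced before, which may be intended. If only the portmapper and ypserv ports are needed, keep the narrower call; otherwise add a comment stating which NIS operation needs the broad grant. `nis_use_ypbind_uncond` begins outside this hunk.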
++## Use the nis to authenticate passwords + ## + ## + ## +@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',` + ## + # + interface(`nis_authenticate',` +- tunable_policy(`allow_ypbind',` ++ tunable_policy(`nis_enabled',` + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) +@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',` + + ####################################### + ## +-## Execute ypbind in the caller domain. ++## Execute ypbind in the caller domain. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`nis_exec_ypbind',` +- gen_require(` +- type ypbind_exec_t; +- ') ++ gen_require(` ++ type ypbind_t, ypbind_exec_t; ++ ') + +- corecmd_search_bin($1) + can_exec($1, ypbind_exec_t) + ') + +@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',` + # + interface(`nis_run_ypbind',` + gen_require(` +- attribute_role ypbind_roles; ++ type ypbind_t; + ') + + nis_domtrans_ypbind($1) +- roleattribute $2 ypbind_roles; ++ role $2 types ypbind_t; + ') + + ######################################## +@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',` + + ######################################## + ## +-## List nis data directories. ++## List the contents of the NIS data directory. + ## + ## + ## +@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',` + # + interface(`nis_delete_ypbind_pid',` + gen_require(` +- type ypbind_var_run_t; ++ type ypbind_t; + ') + +- allow $1 ypbind_var_run_t:file delete_file_perms; ++ # TODO: add delete pid from dir call to files ++ allow $1 ypbind_t:file unlink; + ') + + ######################################## +@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',` + + ######################################## + ## +-## All of the rules required to +-## administrate an nis environment. ++## Execute ypbind server in the ypbind domain. ++## ++## ++## ++## Domain allowed to transition. 
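Review bot: `nis_exec_ypbind` now requires `type ypbind_t, ypbind_exec_t;` but only uses `ypbind_exec_t`, and its parameter is re-documented as `Domain allowed to transition.` although `can_exec($1, ypbind_exec_t)` keeps the caller in its own domain. Suggest keeping `type ypbind_exec_t;` as the sole requirement and `Domain allowed access.` as the parameter description. Dropping `corecmd_search_bin($1)` also means callers must obtain search access to the bin directories elsewhere; a comment is warranted if that is deliberate.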
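Review bot: The rewritten `nis_delete_ypbind_pid` grants `allow $1 ypbind_t:file unlink;`, where `ypbind_t` is the daemon's process domain rather than the label of its pid file, so callers lose the ability to remove the pid file that the removed `allow $1 ypbind_var_run_t:file delete_file_perms;` provided. Restore `type ypbind_var_run_t;` in the gen_require and the `ypbind_var_run_t` rule, and resolve the `# TODO: add delete pid from dir call to files` before merging rather than shipping an interface that does not do what its name says.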
++## ++## ++# ++interface(`nis_systemctl_ypbind',` ++ gen_require(` ++ type ypbind_unit_file_t; ++ type ypbind_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ypbind_unit_file_t:file read_file_perms; ++ allow $1 ypbind_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ypbind_t) ++') ++ ++######################################## ++## ++## Execute ypbind server in the ypbind domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`nis_systemctl',` ++ gen_require(` ++ type nis_unit_file_t, ypbind_unit_file_t; ++ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 nis_unit_file_t:file read_file_perms; ++ allow $1 nis_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ypbind_t) ++ ps_process_pattern($1, yppasswdd_t) ++ ps_process_pattern($1, ypserv_t) ++ ps_process_pattern($1, ypxfr_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an nis environment + ## + ## + ## +@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',` + # + interface(`nis_admin',` + gen_require(` +- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; +- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; ++ type ypbind_t, yppasswdd_t, ypserv_t; ++ type ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; +- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t; ++ type ypserv_tmp_t; ++ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; ++ type nis_unit_file_t; ++ type ypbind_unit_file_t; ++ ') ++ ++ allow $1 ypbind_t:process signal_perms; ++ ps_process_pattern($1, ypbind_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ypbind_t:process ptrace; ++ allow $1 yppasswdd_t:process ptrace; ++ allow $1 ypserv_t:process ptrace; ++ allow $1 ypxfr_t:process ptrace; + ') + +- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { ypbind_t 
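Review bot: Both new interfaces, `nis_systemctl_ypbind` and `nis_systemctl`, carry the summary `Execute ypbind server in the ypbind domain.` and the parameter text `Domain allowed to transition.`, which describe a domain transition, whereas the bodies grant `systemd_exec_systemctl($1)`, `read_file_perms` and `manage_service_perms` on the unit-file types and `ps_process_pattern` on the daemons. Suggest `Manage the ypbind service via systemctl.` for the first summary and `Manage the NIS services (ypserv, yppasswdd, ypxfrd) via systemctl.` for the second, with `Domain allowed access.` as the parameter description in both. Copied doc blocks like these are what later reviewers rely on to judge how much a caller is being granted.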
yppasswdd_t ypserv_t ypxfr_t }) ++ allow $1 yppasswdd_t:process signal_perms; ++ ps_process_pattern($1, yppasswdd_t) ++ ++ allow $1 ypserv_t:process signal_perms; ++ ps_process_pattern($1, ypserv_t) ++ ++ allow $1 ypxfr_t:process signal_perms; ++ ps_process_pattern($1, ypxfr_t) + + nis_initrc_domtrans($1) + nis_initrc_domtrans_ypbind($1) + domain_system_change_exemption($1) +- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r; ++ role_transition $2 nis_initrc_exec_t system_r; ++ role_transition $2 ypbind_initrc_exec_t system_r; + allow $2 system_r; + +- files_list_tmp($1) +- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t }) +- + files_list_pids($1) +- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t }) ++ admin_pattern($1, ypbind_var_run_t) ++ nis_systemctl_ypbind($1) ++ admin_pattern($1, ypbind_unit_file_t) ++ allow $1 ypbind_unit_file_t:service all_service_perms; ++ ++ admin_pattern($1, yppasswdd_var_run_t) + + files_list_etc($1) + admin_pattern($1, ypserv_conf_t) + +- files_search_var($1) +- admin_pattern($1, var_yp_t) ++ admin_pattern($1, ypserv_var_run_t) ++ ++ admin_pattern($1, ypserv_tmp_t) + +- nis_run_ypbind($1, $2) ++ nis_systemctl($1) ++ admin_pattern($1, nis_unit_file_t) ++ allow $1 nis_unit_file_t:service all_service_perms; + ') +diff --git a/nis.te b/nis.te +index 3e4a31c..eea788e 100644 +--- a/nis.te ++++ b/nis.te +@@ -1,12 +1,10 @@ +-policy_module(nis, 1.11.1) ++policy_module(nis, 1.11.0) + + ######################################## + # + # Declarations + # + +-attribute_role ypbind_roles; +- + type nis_initrc_exec_t; + init_script_file(nis_initrc_exec_t) + +@@ -16,16 +14,18 @@ files_type(var_yp_t) + type ypbind_t; + type ypbind_exec_t; + init_daemon_domain(ypbind_t, ypbind_exec_t) +-role ypbind_roles types ypbind_t; + + type ypbind_initrc_exec_t; + init_script_file(ypbind_initrc_exec_t) + ++type ypbind_var_run_t; ++files_pid_file(ypbind_var_run_t) ++ + type ypbind_tmp_t; + files_tmp_file(ypbind_tmp_t) + 
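Review bot: `nis_admin` no longer grants `files_search_var($1)` and `admin_pattern($1, var_yp_t)`, and `var_yp_t` leaves the gen_require, so an administrator role can manage the daemons' pid, tmp and unit files but not the NIS map directory itself; `nis_run_ypbind($1, $2)` is dropped too, leaving systemctl as the only way for the admin to start ypbind. If both are intentional, add a comment such as `# map directory (var_yp_t) is managed by other roles` near the top of the interface; otherwise restore `type var_yp_t;`, `files_search_var($1)` and `admin_pattern($1, var_yp_t)`.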
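Review bot: `policy_module(nis, 1.11.1)` becomes `policy_module(nis, 1.11.0)`, a decrement; the module version is what `semodule -l` reports and what is used to tell which build of a module is newer, so a downgrade makes the relationship between this policy and the one it replaces ambiguous. Keep the version monotonic (at or above 1.11.1) and bump it, since this patch changes the module's interfaces.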
+-type ypbind_var_run_t; +-files_pid_file(ypbind_var_run_t) ++type ypbind_unit_file_t; ++systemd_unit_file(ypbind_unit_file_t) + + type yppasswdd_t; + type yppasswdd_exec_t; +@@ -40,7 +40,7 @@ type ypserv_exec_t; + init_daemon_domain(ypserv_t, ypserv_exec_t) + + type ypserv_conf_t; +-files_type(ypserv_conf_t) ++files_config_file(ypserv_conf_t) + + type ypserv_tmp_t; + files_tmp_file(ypserv_tmp_t) +@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) + type ypxfr_var_run_t; + files_pid_file(ypxfr_var_run_t) + ++type nis_unit_file_t; ++systemd_unit_file(nis_unit_file_t) ++ + ######################################## + # + # ypbind local policy +@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t) + dontaudit ypbind_t self:capability { net_admin sys_tty_config }; + allow ypbind_t self:fifo_file rw_fifo_file_perms; + allow ypbind_t self:process signal_perms; ++allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; + allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; + allow ypbind_t self:tcp_socket create_stream_socket_perms; + allow ypbind_t self:udp_socket create_socket_perms; +@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) + kernel_read_system_state(ypbind_t) + kernel_read_kernel_sysctls(ypbind_t) + +-corenet_all_recvfrom_unlabeled(ypbind_t) + corenet_all_recvfrom_netlabel(ypbind_t) + corenet_tcp_sendrecv_generic_if(ypbind_t) + corenet_udp_sendrecv_generic_if(ypbind_t) +@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t) + corenet_udp_sendrecv_all_ports(ypbind_t) + corenet_tcp_bind_generic_node(ypbind_t) + corenet_udp_bind_generic_node(ypbind_t) +- + corenet_tcp_bind_generic_port(ypbind_t) + corenet_udp_bind_generic_port(ypbind_t) + corenet_tcp_bind_reserved_port(ypbind_t) +@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t) + corenet_tcp_bind_all_rpc_ports(ypbind_t) + corenet_udp_bind_all_rpc_ports(ypbind_t) + corenet_tcp_connect_all_ports(ypbind_t) 
+-corenet_sendrecv_all_client_packets(ypbind_t) +-corenet_sendrecv_generic_server_packets(ypbind_t) +- + corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) ++corenet_sendrecv_all_client_packets(ypbind_t) ++corenet_sendrecv_generic_server_packets(ypbind_t) + + dev_read_sysfs(ypbind_t) + +@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t) + + domain_use_interactive_fds(ypbind_t) + +-files_read_etc_files(ypbind_t) + files_list_var(ypbind_t) + +-logging_send_syslog_msg(ypbind_t) ++init_search_pid_dirs(ypbind_t) + +-miscfiles_read_localization(ypbind_t) ++logging_send_syslog_msg(ypbind_t) + + sysnet_read_config(ypbind_t) + +@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) + optional_policy(` + dbus_system_bus_client(ypbind_t) + dbus_connect_system_bus(ypbind_t) +- + init_dbus_chat_script(ypbind_t) + + optional_policy(` +@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override; + dontaudit yppasswdd_t self:capability sys_tty_config; + allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { getsched setfscreate signal_perms }; +-allow yppasswdd_t self:unix_stream_socket { accept listen }; ++allow yppasswdd_t self:unix_dgram_socket create_socket_perms; ++allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; + allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; + allow yppasswdd_t self:tcp_socket create_stream_socket_perms; + allow yppasswdd_t self:udp_socket create_socket_perms; +@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) + manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) + manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) + +-can_exec(yppasswdd_t, yppasswdd_exec_t) ++can_exec(yppasswdd_t,yppasswdd_exec_t) + + kernel_list_proc(yppasswdd_t) + kernel_read_proc_symlinks(yppasswdd_t) + kernel_getattr_proc_files(yppasswdd_t) + 
kernel_read_kernel_sysctls(yppasswdd_t) + +-corenet_all_recvfrom_unlabeled(yppasswdd_t) + corenet_all_recvfrom_netlabel(yppasswdd_t) + corenet_tcp_sendrecv_generic_if(yppasswdd_t) + corenet_udp_sendrecv_generic_if(yppasswdd_t) +@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) + corenet_udp_sendrecv_all_ports(yppasswdd_t) + corenet_tcp_bind_generic_node(yppasswdd_t) + corenet_udp_bind_generic_node(yppasswdd_t) +- + corenet_tcp_bind_all_rpc_ports(yppasswdd_t) + corenet_udp_bind_all_rpc_ports(yppasswdd_t) +-corenet_sendrecv_generic_server_packets(yppasswdd_t) +- + corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) + corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) ++corenet_sendrecv_generic_server_packets(yppasswdd_t) + +-corecmd_exec_bin(yppasswdd_t) +-corecmd_exec_shell(yppasswdd_t) +- +-domain_use_interactive_fds(yppasswdd_t) +- +-files_read_etc_files(yppasswdd_t) +-files_read_etc_runtime_files(yppasswdd_t) +-files_relabel_etc_files(yppasswdd_t) +- ++dev_read_urand(yppasswdd_t) + dev_read_sysfs(yppasswdd_t) + + fs_getattr_all_fs(yppasswdd_t) +@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t) + + auth_manage_shadow(yppasswdd_t) + auth_relabel_shadow(yppasswdd_t) ++auth_read_passwd(yppasswdd_t) + auth_etc_filetrans_shadow(yppasswdd_t) + ++corecmd_exec_bin(yppasswdd_t) ++corecmd_exec_shell(yppasswdd_t) ++ ++domain_use_interactive_fds(yppasswdd_t) ++ ++files_read_etc_runtime_files(yppasswdd_t) ++files_relabel_etc_files(yppasswdd_t) ++ + logging_send_syslog_msg(yppasswdd_t) + +-miscfiles_read_localization(yppasswdd_t) + + sysnet_read_config(yppasswdd_t) + +@@ -219,6 +216,14 @@ optional_policy(` + ') + + optional_policy(` ++ mta_send_mail(yppasswdd_t) ++') ++ ++optional_policy(` ++ nis_use_ypbind(yppasswdd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(yppasswdd_t) + ') + +@@ -234,7 +239,8 @@ optional_policy(` + dontaudit ypserv_t self:capability sys_tty_config; + allow ypserv_t self:fifo_file rw_fifo_file_perms; + allow 
ypserv_t self:process signal_perms; +-allow ypserv_t self:unix_stream_socket { accept listen }; ++allow ypserv_t self:unix_dgram_socket create_socket_perms; ++allow ypserv_t self:unix_stream_socket create_stream_socket_perms; + allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; + allow ypserv_t self:tcp_socket connected_stream_socket_perms; + allow ypserv_t self:udp_socket create_socket_perms; +@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t) + kernel_list_proc(ypserv_t) + kernel_read_proc_symlinks(ypserv_t) + +-corenet_all_recvfrom_unlabeled(ypserv_t) + corenet_all_recvfrom_netlabel(ypserv_t) + corenet_tcp_sendrecv_generic_if(ypserv_t) + corenet_udp_sendrecv_generic_if(ypserv_t) +@@ -264,31 +269,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) + corenet_udp_sendrecv_all_ports(ypserv_t) + corenet_tcp_bind_generic_node(ypserv_t) + corenet_udp_bind_generic_node(ypserv_t) +- + corenet_tcp_bind_reserved_port(ypserv_t) + corenet_udp_bind_reserved_port(ypserv_t) + corenet_tcp_bind_all_rpc_ports(ypserv_t) + corenet_udp_bind_all_rpc_ports(ypserv_t) +-corenet_sendrecv_generic_server_packets(ypserv_t) +- + corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) ++corenet_sendrecv_generic_server_packets(ypserv_t) + +-corecmd_exec_bin(ypserv_t) ++dev_read_sysfs(ypserv_t) + +-files_read_etc_files(ypserv_t) +-files_read_var_files(ypserv_t) ++fs_getattr_all_fs(ypserv_t) ++fs_search_auto_mountpoints(ypserv_t) + +-dev_read_sysfs(ypserv_t) ++corecmd_exec_bin(ypserv_t) + + domain_use_interactive_fds(ypserv_t) + +-fs_getattr_all_fs(ypserv_t) +-fs_search_auto_mountpoints(ypserv_t) ++files_read_var_files(ypserv_t) + + logging_send_syslog_msg(ypserv_t) + +-miscfiles_read_localization(ypserv_t) + + nis_domtrans_ypxfr(ypserv_t) + +@@ -310,8 +311,8 @@ optional_policy(` + # ypxfr local policy + # + +-allow ypxfr_t self:unix_stream_socket { accept listen }; +-allow ypxfr_t self:unix_dgram_socket { accept listen }; 
++allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; ++allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms; + allow ypxfr_t self:tcp_socket create_stream_socket_perms; + allow ypxfr_t self:udp_socket create_socket_perms; + allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; +@@ -326,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; + manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) + files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) + +-corenet_all_recvfrom_unlabeled(ypxfr_t) + corenet_all_recvfrom_netlabel(ypxfr_t) + corenet_tcp_sendrecv_generic_if(ypxfr_t) + corenet_udp_sendrecv_generic_if(ypxfr_t) +@@ -336,23 +336,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) + corenet_udp_sendrecv_all_ports(ypxfr_t) + corenet_tcp_bind_generic_node(ypxfr_t) + corenet_udp_bind_generic_node(ypxfr_t) +- + corenet_tcp_bind_reserved_port(ypxfr_t) + corenet_udp_bind_reserved_port(ypxfr_t) + corenet_tcp_bind_all_rpc_ports(ypxfr_t) + corenet_udp_bind_all_rpc_ports(ypxfr_t) ++corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) ++corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) + corenet_tcp_connect_all_ports(ypxfr_t) + corenet_sendrecv_generic_server_packets(ypxfr_t) + corenet_sendrecv_all_client_packets(ypxfr_t) + +-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) +-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) +- +-files_read_etc_files(ypxfr_t) + files_search_usr(ypxfr_t) + + logging_send_syslog_msg(ypxfr_t) + +-miscfiles_read_localization(ypxfr_t) + + sysnet_read_config(ypxfr_t) +diff --git a/nova.fc b/nova.fc +new file mode 100644 +index 0000000..02dc6dc +--- /dev/null ++++ b/nova.fc +@@ -0,0 +1,32 @@ ++ ++/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0) ++/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0) ++/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0) ++/usr/bin/nova-api -- 
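Review bot: `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` grants `listen`/`accept` on a datagram socket, which a dgram socket cannot use, and is inconsistent with the `yppasswdd_t` and `ypserv_t` changes in hunks `@@ -149,7 +148,8 @@` and `@@ -234,7 +239,8 @@`, which use `create_socket_perms` for the dgram socket. Suggest `allow ypxfr_t self:unix_dgram_socket create_socket_perms;`.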
gen_context(system_u:object_r:nova_api_exec_t,s0) ++/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0) ++/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0) ++/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0) ++/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0) ++/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0) ++/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) ++/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0) ++/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) ++ ++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) 
++/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0) ++ ++/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0) ++ ++/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0) ++ ++/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) +diff --git a/nova.if b/nova.if +new file mode 100644 +index 0000000..28936b4 +--- /dev/null ++++ b/nova.if +@@ -0,0 +1,57 @@ ++## openstack-nova ++ ++###################################### ++## ++## Manage nova lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nova_manage_lib_files',` ++ gen_require(` ++ type nova_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t) ++') ++ ++####################################### ++## ++## Creates types and rules for a basic ++## openstack-nova systemd daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`nova_domain_template',` ++ gen_require(` ++ attribute nova_domain; ++ ') ++ ++ type nova_$1_t, nova_domain; ++ type nova_$1_exec_t; ++ init_daemon_domain(nova_$1_t, nova_$1_exec_t) ++ ++ type nova_$1_unit_file_t; ++ systemd_unit_file(nova_$1_unit_file_t) ++ ++ type nova_$1_tmp_t; ++ files_tmp_file(nova_$1_tmp_t) ++ ++ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) ++ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) ++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir }) ++ can_exec(nova_$1_t, nova_$1_tmp_t) ++ ++ kernel_read_system_state(nova_$1_t) ++ ++ logging_send_syslog_msg(nova_$1_t) ++ ++') +diff --git a/nova.te b/nova.te +new file mode 100644 +index 0000000..d5b54e5 +--- /dev/null ++++ b/nova.te +@@ -0,0 +1,320 @@ ++policy_module(nova, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++# ++# nova-stack daemons contain security issue with using sudo in the code ++# we make this policy as unconfined until this issue is 
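Review bot: The entry `/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)` contains a doubled slash; file-context patterns are matched against the canonical path, so `/usr/bin/nova-api-metadata` never receives `nova_api_exec_t`, keeps the generic bin label and is started without the transition into `nova_api_t`. Change it to `/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)`. Separately, nova.te declares `nova_domain_template(compute)` but this file labels no compute binary, which looks consistent with the `# needs to be re-write since now runs as virtd_t` comment there and deserves a one-line comment here so the omission is not read as an oversight.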
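Review bot: `nova_domain_template` grants `can_exec(nova_$1_t, nova_$1_tmp_t)` to every nova domain, letting each daemon execute files it can itself write under /tmp (`manage_files_pattern` and `files_tmp_filetrans` two lines above), which removes the write-versus-execute separation that confining these daemons is meant to provide. If one daemon genuinely runs generated scripts from tmp, move the `can_exec` into that daemon's local policy in nova.te with a comment naming the component; otherwise drop it from the template. The template also ends with a stray blank line before `')`.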
fixed ++# ++ ++attribute nova_domain; ++attribute nova_sudo_domain; ++ ++nova_domain_template(ajax) ++nova_domain_template(api) ++nova_domain_template(cert) ++nova_domain_template(compute) ++nova_domain_template(console) ++nova_domain_template(direct) ++nova_domain_template(network) ++nova_domain_template(objectstore) ++nova_domain_template(scheduler) ++nova_domain_template(vncproxy) ++nova_domain_template(volume) ++ ++typeattribute nova_api_t nova_sudo_domain; ++typeattribute nova_cert_t nova_sudo_domain; ++typeattribute nova_console_t nova_sudo_domain; ++typeattribute nova_network_t nova_sudo_domain; ++typeattribute nova_volume_t nova_sudo_domain; ++ ++type nova_log_t; ++logging_log_file(nova_log_t) ++ ++type nova_var_lib_t; ++files_type(nova_var_lib_t) ++ ++type nova_var_run_t; ++files_pid_file(nova_var_run_t) ++ ++ ++###################################### ++# ++# nova general domain local policy ++# ++ ++allow nova_domain self:fifo_file rw_fifo_file_perms; ++allow nova_domain self:tcp_socket create_stream_socket_perms; ++allow nova_domain self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t) ++manage_files_pattern(nova_domain, nova_log_t, nova_log_t) ++ ++manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t) ++manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t) ++ ++manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t) ++manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t) ++ ++corenet_tcp_connect_amqp_port(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) ++ ++kernel_read_network_state(nova_domain) ++ ++corecmd_exec_bin(nova_domain) ++corecmd_exec_shell(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) ++ ++dev_read_sysfs(nova_domain) ++dev_read_urand(nova_domain) ++ ++fs_getattr_xattr_fs(nova_domain) ++ ++libs_exec_ldconfig(nova_domain) ++ ++optional_policy(` ++ sysnet_read_config(nova_domain) ++ sysnet_exec_ifconfig(nova_domain) 
++') ++ ++###################################### ++# ++# nova ajax local policy ++# ++ ++#optional_policy(` ++# unconfined_domain(nova_ajax_t) ++#') ++ ++####################################### ++# ++# nova api local policy ++# ++ ++allow nova_api_t self:process setfscreate; ++ ++allow nova_api_t self:key write; ++ ++allow nova_api_t self:netlink_route_socket r_netlink_socket_perms; ++ ++allow nova_api_t self:udp_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(nova_api_t) ++ ++corenet_tcp_bind_generic_node(nova_api_t) ++corenet_udp_bind_generic_node(nova_api_t) ++# should be add to booleans ++corenet_tcp_connect_all_ports(nova_api_t) ++corenet_tcp_bind_all_unreserved_ports(nova_api_t) ++ ++auth_read_passwd(nova_api_t) ++ ++logging_send_syslog_msg(nova_api_t) ++ ++miscfiles_read_certs(nova_api_t) ++ ++optional_policy(` ++ iptables_domtrans(nova_api_t) ++') ++ ++optional_policy(` ++ ssh_exec_keygen(nova_api_t) ++') ++ ++#optional_policy(` ++# unconfined_domain(nova_api_t) ++#') ++ ++###################################### ++# ++# nova cert local policy ++# ++ ++allow nova_cert_t self:process setfscreate; ++ ++allow nova_cert_t self:udp_socket create_socket_perms; ++ ++auth_use_nsswitch(nova_cert_t) ++ ++miscfiles_read_certs(nova_cert_t) ++ ++optional_policy(` ++ mysql_stream_connect(nova_cert_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(nova_cert_t) ++') ++ ++####################################### ++# ++# nova compute local policy ++# ++ ++# needs to be re-write since now runs as virtd_t ++ ++allow nova_compute_t self:udp_socket create_socket_perms; ++ ++kernel_read_network_state(nova_compute_t) ++ ++dev_read_rand(nova_compute_t) ++ ++optional_policy(` ++ virt_getattr_exec(nova_compute_t) ++ virt_stream_connect(nova_compute_t) ++') ++ ++###################################### ++# ++# nova console local policy ++# ++ ++allow nova_console_t self:udp_socket create_socket_perms; ++ ++auth_use_nsswitch(nova_console_t) ++ ++optional_policy(` ++ 
mysql_stream_connect(nova_console_t) ++') ++ ++####################################### ++# ++# nova direct local policy ++# ++ ++#optional_policy(` ++# unconfined_domain(nova_direct_t) ++#') ++ ++####################################### ++# ++# nova network local policy ++# ++ ++allow nova_network_t self:capability { dac_override net_admin net_bind_service }; ++allow nova_network_t self:process { getcap setcap }; ++ ++allow nova_network_t self:netlink_route_socket r_netlink_socket_perms; ++allow nova_network_t self:udp_socket create_socket_perms; ++ ++kernel_read_network_state(nova_network_t) ++kernel_read_kernel_sysctls(nova_network_t) ++ ++# should be added to boolean or fixed in the code ++# dnsmasq domtrans does not work since then dnsmasq_t wants ++# to do some stuff with nova_lib, nova_tmp ++# nova-dhcpbridge runs in dnsmasq domain ++corenet_all_recvfrom_netlabel(nova_network_t) ++corenet_tcp_sendrecv_generic_if(nova_network_t) ++corenet_udp_sendrecv_generic_if(nova_network_t) ++corenet_raw_sendrecv_generic_if(nova_network_t) ++corenet_tcp_sendrecv_generic_node(nova_network_t) ++corenet_udp_sendrecv_generic_node(nova_network_t) ++corenet_raw_sendrecv_generic_node(nova_network_t) ++corenet_tcp_sendrecv_all_ports(nova_network_t) ++corenet_udp_sendrecv_all_ports(nova_network_t) ++corenet_tcp_bind_generic_node(nova_network_t) ++corenet_udp_bind_generic_node(nova_network_t) ++corenet_tcp_bind_dns_port(nova_network_t) ++corenet_udp_bind_all_ports(nova_network_t) ++corenet_sendrecv_dns_server_packets(nova_network_t) ++corenet_sendrecv_dhcpd_server_packets(nova_network_t) ++ ++libs_exec_ldconfig(nova_network_t) ++ ++logging_send_syslog_msg(nova_network_t) ++ ++optional_policy(` ++ brctl_domtrans(nova_network_t) ++') ++ ++optional_policy(` ++ dnsmasq_exec(nova_network_t) ++# dnsmasq_domtrans(nova_network_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(nova_network_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(nova_network_t) ++') ++ 
++#optional_policy(` ++# unconfined_domain(nova_network_t) ++#') ++ ++####################################### ++# ++# nova object store local policy ++# ++ ++allow nova_objectstore_t self:udp_socket create_socket_perms; ++ ++corenet_tcp_bind_generic_node(nova_objectstore_t) ++corenet_udp_bind_generic_node(nova_objectstore_t) ++ ++optional_policy(` ++ unconfined_domain(nova_objectstore_t) ++') ++ ++####################################### ++# ++# nova scheduler local policy ++# ++ ++allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; ++allow nova_scheduler_t self:udp_socket create_socket_perms; ++ ++#optional_policy(` ++# unconfined_domain(nova_scheduler_t) ++#') ++ ++####################################### ++# ++# nova vncproxy local policy ++# ++ ++#optional_policy(` ++# unconfined_domain(nova_vncproxy_t) ++#') ++ ++####################################### ++# ++# nova volume local policy ++# ++ ++allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms; ++ ++allow nova_volume_t self:udp_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(nova_volume_t) ++ ++logging_send_syslog_msg(nova_volume_t) ++ ++optional_policy(` ++ lvm_domtrans(nova_volume_t) ++') ++ ++#optional_policy(` ++# unconfined_domain(nova_volume_t) ++#') ++ ++####################################### ++# ++# nova sudo domain local policy ++# ++ ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_sudo_domain) ++ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write }; ++ allow nova_sudo_domain self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_sudo_domain) ++ ') ++') ++ +diff --git a/nscd.fc b/nscd.fc +index ba64485..429bd79 100644 +--- a/nscd.fc ++++ b/nscd.fc +@@ -1,13 +1,15 @@ + /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) + +-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) ++/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) + 
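Review bot: `optional_policy(` unconfined_domain(nova_objectstore_t) `')` is the only uncommented `unconfined_domain` call in this file, so the object-store daemon — which also gets `corenet_tcp_bind_generic_node` here — runs effectively unconfined while the header comment says the policy is unconfined only until the sudo issue is fixed; either comment it out like the other domains or add a comment explaining why this one service is excepted. In the same spirit, `corenet_tcp_connect_all_ports(nova_api_t)` is marked `# should be add to booleans` but granted unconditionally, and the `nova_sudo_domain` block hands `setuid`/`setgid`/`sys_resource`/`audit_write` to five daemons under `hide_broken_symptoms` without a comment naming the tracking item for the sudo problem. `corenet_tcp_connect_mysqld_port(nova_domain)` also appears twice in the general domain section.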
+-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +- +-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + + /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) + +-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) + /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) ++ ++/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++ ++/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) +diff --git a/nscd.if b/nscd.if +index 8f2ab09..6ab4ea1 100644 +--- a/nscd.if ++++ b/nscd.if +@@ -1,8 +1,8 @@ +-## Name service cache daemon. ++## Name service cache daemon + + ######################################## + ## +-## Send generic signals to nscd. ++## Send generic signals to NSCD. + ## + ## + ## +@@ -20,7 +20,7 @@ interface(`nscd_signal',` + + ######################################## + ## +-## Send kill signals to nscd. ++## Send NSCD the kill signal. + ## + ## + ## +@@ -38,7 +38,7 @@ interface(`nscd_kill',` + + ######################################## + ## +-## Send null signals to nscd. ++## Send signulls to NSCD. + ## + ## + ## +@@ -56,7 +56,7 @@ interface(`nscd_signull',` + + ######################################## + ## +-## Execute nscd in the nscd domain. ++## Execute NSCD in the nscd domain. + ## + ## + ## +@@ -75,7 +75,8 @@ interface(`nscd_domtrans',` + + ######################################## + ## +-## Execute nscd in the caller domain. ++## Allow the specified domain to execute nscd ++## in the caller domain. 
+ ## + ## + ## +@@ -88,14 +89,13 @@ interface(`nscd_exec',` + type nscd_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, nscd_exec_t) + ') + + ######################################## + ## +-## Use nscd services by connecting using +-## a unix domain stream socket. ++## Use NSCD services by connecting using ++## a unix stream socket. + ## + ## + ## +@@ -112,22 +112,17 @@ interface(`nscd_socket_use',` + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; +- + dontaudit $1 nscd_t:fd use; + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; +- + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + dontaudit $1 nscd_var_run_t:file read_file_perms; +- + ps_process_pattern(nscd_t, $1) + ') + + ######################################## + ## +-## Use nscd services by mapping the +-## database from an inherited nscd +-## file descriptor. ++## Use nscd services + ## + ## + ## +@@ -135,28 +130,38 @@ interface(`nscd_socket_use',` + ## + ## + # +-interface(`nscd_shm_use',` ++interface(`nscd_use',` ++ tunable_policy(`nscd_use_shm',` ++ nscd_shm_use($1) ++ ',` ++ nscd_socket_use($1) ++ ') ++') ++ ++######################################## ++## ++## Do not audit attempts to write nscd sock files ++## ++## ++## ++## Domain to not audit. 
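Review bot: Removing `corecmd_search_bin($1)` from `nscd_exec` means a caller that does not already have search access on bin directories can be denied on the path to `/usr/sbin/nscd` before the `can_exec($1, nscd_exec_t)` rule applies, and whether every existing caller brings that access itself is not visible in this hunk. If the removal is deliberate, state the contract in the interface description, e.g. `## Callers must already have search access to bin directories (corecmd_search_bin).`; otherwise keep the `corecmd_search_bin($1)` line, which is what the other exec interfaces in this tree do.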
++## ++## ++# ++interface(`nscd_dontaudit_write_sock_file',` + gen_require(` + type nscd_t, nscd_var_run_t; +- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + ') + +- allow $1 self:unix_stream_socket create_stream_socket_perms; +- +- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; +- allow $1 nscd_t:fd use; +- +- files_search_pids($1) +- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) +- dontaudit $1 nscd_var_run_t:file read_file_perms; ++ dontaudit $1 nscd_t:sock_file write; ++ dontaudit $1 nscd_var_run_t:sock_file write; + +- allow $1 nscd_var_run_t:dir list_dir_perms; +- allow $1 nscd_var_run_t:sock_file read_sock_file_perms; + ') + + ######################################## + ## +-## Use nscd services. ++## Use NSCD services by mapping the database from ++## an inherited NSCD file descriptor. + ## + ## + ## +@@ -164,18 +169,34 @@ interface(`nscd_shm_use',` + ## + ## + # +-interface(`nscd_use',` +- tunable_policy(`nscd_use_shm',` +- nscd_shm_use($1) +- ',` +- nscd_socket_use($1) ++interface(`nscd_shm_use',` ++ gen_require(` ++ type nscd_t, nscd_var_run_t; ++ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + ') ++ ++ allow $1 nscd_var_run_t:dir list_dir_perms; ++ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv }; ++ # Receive fd from nscd and map the backing file with read access. ++ allow $1 nscd_t:fd use; ++ ++ # cjp: these were originally inherited from the ++ # nscd_socket_domain macro. need to investigate ++ # if they are all actually required ++ allow $1 self:unix_stream_socket create_stream_socket_perms; ++ ++ # dg: This may not be required. 
++ allow $1 nscd_var_run_t:sock_file read_sock_file_perms; ++ ++ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) ++ files_search_pids($1) ++ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv }; ++ dontaudit $1 nscd_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search +-## nscd pid directories. ++## Do not audit attempts to search the NSCD pid directory. + ## + ## + ## +@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',` + + ######################################## + ## +-## Read nscd pid files. ++## Read NSCD pid file. + ## + ## + ## +@@ -212,7 +233,7 @@ interface(`nscd_read_pid',` + + ######################################## + ## +-## Unconfined access to nscd services. ++## Unconfined access to NSCD services. + ## + ## + ## +@@ -244,20 +265,20 @@ interface(`nscd_unconfined',` + ## Role allowed access. + ## + ## ++## + # + interface(`nscd_run',` + gen_require(` +- attribute_role nscd_roles; ++ type nscd_t; + ') + + nscd_domtrans($1) +- roleattribute $2 nscd_roles; ++ role $2 types nscd_t; + ') + + ######################################## + ## +-## Execute the nscd server init +-## script in the initrc domain. ++## Execute the nscd server init script. + ## + ## + ## +@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',` + + ######################################## + ## +-## All of the rules required to +-## administrate an nscd environment. ++## Execute nscd server in the nscd domain. ++## ++## ++## ++## Domain allowed to transition. 
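Review bot: The rewritten `nscd_shm_use` now grants the complete socket path as well (`stream_connect_pattern`, `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv }`) on top of the shared-memory permissions and `allow $1 nscd_t:fd use;`, so with `nscd_use_shm` on a caller gets a strict superset of `nscd_socket_use` and the tunable in `nscd_use` only ever widens access. The hunk also ships two unresolved doubts as comments, `cjp: ... need to investigate` and `dg: This may not be required.`, instead of settling them; at minimum make them findable, e.g. `# TODO: confirm whether the unix_stream_socket and read_sock_file rules below are needed for the shm fd handshake, otherwise drop them.` If the socket rules are in fact required for obtaining the fd, that reason belongs in the comment rather than the doubt.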
++## ++## ++# ++interface(`nscd_systemctl',` ++ gen_require(` ++ type nscd_unit_file_t; ++ type nscd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 nscd_unit_file_t:file read_file_perms; ++ allow $1 nscd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, nscd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an nscd environment + ## + ## + ## +@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the nscd domain. + ## + ## + ## +@@ -294,10 +338,14 @@ interface(`nscd_admin',` + gen_require(` + type nscd_t, nscd_log_t, nscd_var_run_t; + type nscd_initrc_exec_t; ++ type nscd_unit_file_t; + ') + +- allow $1 nscd_t:process { ptrace signal_perms }; ++ allow $1 nscd_t:process signal_perms; + ps_process_pattern($1, nscd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 nscd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, nscd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -310,5 +358,7 @@ interface(`nscd_admin',` + files_list_pids($1) + admin_pattern($1, nscd_var_run_t) + +- nscd_run($1, $2) ++ nscd_systemctl($1) ++ admin_pattern($1, nscd_unit_file_t) ++ allow $1 nscd_unit_file_t:service all_service_perms; + ') +diff --git a/nscd.te b/nscd.te +index df4c10f..8c09c68 100644 +--- a/nscd.te ++++ b/nscd.te +@@ -1,36 +1,37 @@ +-policy_module(nscd, 1.10.3) ++policy_module(nscd, 1.10.0) + + gen_require(` + class nscd all_nscd_perms; + ') + +-######################################## +-# +-# Declarations +-# +- + ## + ##
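Review bot: The summary of the new `nscd_systemctl` interface, `Execute nscd server in the nscd domain.`, describes a domain transition, but the body grants `systemd_exec_systemctl($1)`, read on `nscd_unit_file_t` and `manage_service_perms` on its `service` class, i.e. controlling the unit through systemctl, not running nscd. Suggest `## Execute systemctl to manage the nscd service unit (start, stop, status).` and `## Domain allowed access.` for the parameter, which is how the unit-file interfaces elsewhere in this patch are worded. The `ps_process_pattern($1, nscd_t)` at the end is presumably so `systemctl status` can read the daemon's process state; a one-line comment saying so would help.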

    +-## Determine whether confined applications +-## can use nscd shared memory. ++## Allow confined applications to use nscd shared memory. + ##

    + ##
    + gen_tunable(nscd_use_shm, false) + +-attribute_role nscd_roles; ++######################################## ++# ++# Declarations ++# + ++# cjp: this is out of order because of an ++# ordering problem with loadable modules + type nscd_var_run_t; + files_pid_file(nscd_var_run_t) +-init_daemon_run_dir(nscd_var_run_t, "nscd") + ++# nscd is both the client program and the daemon. + type nscd_t; + type nscd_exec_t; + init_daemon_domain(nscd_t, nscd_exec_t) +-role nscd_roles types nscd_t; + + type nscd_initrc_exec_t; + init_script_file(nscd_initrc_exec_t) + ++type nscd_unit_file_t; ++systemd_unit_file(nscd_unit_file_t) ++ + type nscd_log_t; + logging_log_file(nscd_log_t) + +@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid }; + dontaudit nscd_t self:capability sys_tty_config; + allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; + allow nscd_t self:fifo_file read_fifo_file_perms; +-allow nscd_t self:unix_stream_socket { accept listen }; ++allow nscd_t self:unix_stream_socket create_stream_socket_perms; ++allow nscd_t self:unix_dgram_socket create_socket_perms; + allow nscd_t self:netlink_selinux_socket create_socket_perms; ++allow nscd_t self:tcp_socket create_socket_perms; ++allow nscd_t self:udp_socket create_socket_perms; + ++# For client program operation, invoked from sysadm_t. ++# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+ allow nscd_t self:nscd { admin getstat }; + +-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow nscd_t nscd_log_t:file manage_file_perms; + logging_log_filetrans(nscd_t, nscd_log_t, file) + ++manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) +-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) ++files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) + ++corecmd_search_bin(nscd_t) + can_exec(nscd_t, nscd_exec_t) + +-kernel_list_proc(nscd_t) +-kernel_read_kernel_sysctls(nscd_t) + kernel_read_network_state(nscd_t) ++kernel_read_kernel_sysctls(nscd_t) ++kernel_list_proc(nscd_t) + kernel_read_proc_symlinks(nscd_t) + +-corecmd_search_bin(nscd_t) +- + dev_read_sysfs(nscd_t) + dev_read_rand(nscd_t) + dev_read_urand(nscd_t) + +-domain_search_all_domains_state(nscd_t) +-domain_use_interactive_fds(nscd_t) +- +-files_read_generic_tmp_symlinks(nscd_t) +-files_read_etc_runtime_files(nscd_t) +- + fs_getattr_all_fs(nscd_t) + fs_search_auto_mountpoints(nscd_t) + fs_list_inotifyfs(nscd_t) + ++# for when /etc/passwd has just been updated and has the wrong type + auth_getattr_shadow(nscd_t) + auth_use_nsswitch(nscd_t) + +-corenet_all_recvfrom_unlabeled(nscd_t) + corenet_all_recvfrom_netlabel(nscd_t) + corenet_tcp_sendrecv_generic_if(nscd_t) ++corenet_udp_sendrecv_generic_if(nscd_t) + corenet_tcp_sendrecv_generic_node(nscd_t) +- +-corenet_sendrecv_all_client_packets(nscd_t) +-corenet_tcp_connect_all_ports(nscd_t) ++corenet_udp_sendrecv_generic_node(nscd_t) + corenet_tcp_sendrecv_all_ports(nscd_t) +- ++corenet_udp_sendrecv_all_ports(nscd_t) ++corenet_udp_bind_generic_node(nscd_t) ++corenet_tcp_connect_all_ports(nscd_t) ++corenet_sendrecv_all_client_packets(nscd_t) + corenet_rw_tun_tap_dev(nscd_t) + + selinux_get_fs_mount(nscd_t) +@@ -98,16 +100,23 @@ 
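Review bot: The comment added above `allow nscd_t self:nscd { admin getstat };`, `Transition occurs to nscd_t due to direct_sysadm_daemon.`, explains the rule via a `direct_sysadm_daemon` mechanism that nothing else in this patch references, so it is likely stale and will mislead the next reader; if that tunable no longer exists in this tree, say what actually applies, e.g. `# nscd is also its own admin client (invalidate/statistics); it reaches nscd_t via nscd_domtrans or nscd_run.` The hunk also opens `tcp_socket` and `udp_socket` creation plus `corenet_udp_bind_generic_node(nscd_t)` while keeping `corenet_tcp_connect_all_ports(nscd_t)`, a wide network footprint for a cache daemon; a why-comment naming the resolver or NSS backends that need it would let a reviewer judge whether connect-to-all-ports is still justified.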
selinux_compute_access_vector(nscd_t) + selinux_compute_create_context(nscd_t) + selinux_compute_relabel_context(nscd_t) + selinux_compute_user_contexts(nscd_t) ++domain_use_interactive_fds(nscd_t) ++domain_search_all_domains_state(nscd_t) ++ ++files_read_generic_tmp_symlinks(nscd_t) ++# Needed to read files created by firstboot "/etc/hesiod.conf" ++files_read_etc_runtime_files(nscd_t) + + logging_send_audit_msgs(nscd_t) + logging_send_syslog_msg(nscd_t) + +-miscfiles_read_localization(nscd_t) + + seutil_read_config(nscd_t) + seutil_read_default_contexts(nscd_t) + seutil_sigchld_newrole(nscd_t) + ++sysnet_read_config(nscd_t) ++ + userdom_dontaudit_use_user_terminals(nscd_t) + userdom_dontaudit_use_unpriv_user_fds(nscd_t) + userdom_dontaudit_search_user_home_dirs(nscd_t) +@@ -121,20 +130,31 @@ optional_policy(` + ') + + optional_policy(` ++ kerberos_use(nscd_t) ++') ++ ++optional_policy(` ++ udev_read_db(nscd_t) ++') ++ ++optional_policy(` ++ xen_dontaudit_rw_unix_stream_sockets(nscd_t) ++ xen_append_log(nscd_t) ++') ++ ++optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') +- +- samba_read_config(nscd_t) +- samba_read_var_files(nscd_t) + ') + + optional_policy(` +- udev_read_db(nscd_t) ++ samba_read_config(nscd_t) ++ samba_read_var_files(nscd_t) ++ samba_stream_connect_nmbd(nscd_t) + ') + + optional_policy(` +- xen_dontaudit_rw_unix_stream_sockets(nscd_t) +- xen_append_log(nscd_t) ++ unconfined_dontaudit_rw_packet_sockets(nscd_t) + ') +diff --git a/nsd.fc b/nsd.fc +index 4f2b1b6..5348e92 100644 +--- a/nsd.fc ++++ b/nsd.fc +@@ -1,16 +1,13 @@ +-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) + +-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) +-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) +-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) ++/etc/nsd(/.*)? 
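Review bot: `unconfined_dontaudit_rw_packet_sockets(nscd_t)` is added in its own `optional_policy` block without a comment, and a packet socket leaking from an unconfined parent into nscd is the kind of thing a reviewer expects explained rather than silenced; add `# dontaudit packet sockets leaked across exec from an unconfined parent` (or the AVC that prompted it). `kerberos_use(nscd_t)` and `samba_stream_connect_nmbd(nscd_t)` are likewise new reachability for the cache daemon and each deserves a one-line reason, e.g. `# nss backends (sssd/winbind) may need kerberos and nmbd for host lookups`.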
gen_context(system_u:object_r:nsd_conf_t,s0) ++/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0) ++/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) + /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) + +-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) +-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) + /usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) +-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) +- +-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) +-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) ++/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) + ++/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) + /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) +diff --git a/nsd.if b/nsd.if +index a9c60ff..ad4f14a 100644 +--- a/nsd.if ++++ b/nsd.if +@@ -1,8 +1,8 @@ +-## Authoritative only name server. ++## Authoritative only name server + + ######################################## + ## +-## Send and receive datagrams from NSD. (Deprecated) ++## Read NSD pid file. + ## + ## + ## +@@ -10,13 +10,18 @@ + ## + ## + # +-interface(`nsd_udp_chat',` +- refpolicywarn(`$0($*) has been deprecated.') ++interface(`nsd_read_pid',` ++ gen_require(` ++ type nsd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t) + ') + + ######################################## + ## +-## Connect to NSD over a TCP socket (Deprecated) ++## Send and receive datagrams from NSD. 
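Review bot: This hunk relabels `/etc/nsd/nsd\.db` from `nsd_db_t` to `nsd_zone_t` and drops the dedicated `/var/lib/nsd/nsd\.db` entry, so the compiled database and the zone sources now share one type; if the earlier split existed to keep the daemon's write access to the database away from the zone files, that property is lost here (the matching alias is in nsd.te) and deserves a sentence in the commit description. The `/etc/rc\.d/init\.d/nsd` entry for `nsd_initrc_exec_t` is also removed with nothing replacing it, unlike the nscd change in this same patch that adds a unit-file entry, so an init script still present on a system would fall back to the generic initrc label; either keep that line or, if a unit type is introduced for nsd, add the corresponding `/usr/lib/systemd/system/nsd\.service` entry.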
(Deprecated) + ## + ## + ## +@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',` + ## + ## + # +-interface(`nsd_tcp_connect',` ++interface(`nsd_udp_chat',` + refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an nsd environment. ++## Connect to NSD over a TCP socket (Deprecated) + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`nsd_admin',` +- gen_require(` +- type nsd_t, nsd_conf_t, nsd_var_run_t; +- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t; +- ') +- +- allow $1 nsd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, nsd_t) +- +- init_labeled_script_domtrans($1, nsd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 nsd_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, { nsd_conf_t nsd_db_t }) +- +- files_search_var_lib($1) +- admin_pattern($1, nsd_zone_t) +- +- files_list_pids($1) +- admin_pattern($1, nsd_var_run_t) ++interface(`nsd_tcp_connect',` ++ refpolicywarn(`$0($*) has been deprecated.') + ') +diff --git a/nsd.te b/nsd.te +index dde7f42..b3662dd 100644 +--- a/nsd.te ++++ b/nsd.te +@@ -1,4 +1,4 @@ +-policy_module(nsd, 1.7.1) ++policy_module(nsd, 1.7.0) + + ######################################## + # +@@ -9,9 +9,7 @@ type nsd_t; + type nsd_exec_t; + init_daemon_domain(nsd_t, nsd_exec_t) + +-type nsd_initrc_exec_t; +-init_script_file(nsd_initrc_exec_t) +- ++# A type for configuration files of nsd + type nsd_conf_t; + files_type(nsd_conf_t) + +@@ -20,32 +18,28 @@ domain_type(nsd_crond_t) + domain_entry_file(nsd_crond_t, nsd_exec_t) + role system_r types nsd_crond_t; + +-type nsd_db_t; +-files_type(nsd_db_t) +- + type nsd_var_run_t; + files_pid_file(nsd_var_run_t) + +-type nsd_zone_t; ++# A type for zone files ++type nsd_zone_t alias nsd_db_t; + files_type(nsd_zone_t) + + ######################################## + # 
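Review bot: This hunk deletes the `nsd_admin` interface outright instead of deprecating it, so any module that calls `nsd_admin(...)` (typically a role or sysadm policy) fails to build rather than getting a warning. Unless the whole tree has been checked for callers, keep a stub in the style of the two deprecated interfaces kept in this file: `interface(`nsd_admin',` refpolicywarn(`$0($*) has been deprecated.') ')`. The hunk also swaps the order of `nsd_udp_chat` and `nsd_tcp_connect`, which inflates the diff without changing anything and is better left out of a functional patch.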
+-# Local policy ++# NSD Local policy + # + + allow nsd_t self:capability { chown dac_override kill setgid setuid }; + dontaudit nsd_t self:capability sys_tty_config; + allow nsd_t self:process signal_perms; ++allow nsd_t self:tcp_socket create_stream_socket_perms; ++allow nsd_t self:udp_socket create_socket_perms; + allow nsd_t self:fifo_file rw_fifo_file_perms; +-allow nsd_t self:tcp_socket { accept listen }; + + allow nsd_t nsd_conf_t:dir list_dir_perms; +-allow nsd_t nsd_conf_t:file read_file_perms; +-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; +- +-allow nsd_t nsd_db_t:file manage_file_perms; +-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) ++read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) ++read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) + + manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) + files_pid_filetrans(nsd_t, nsd_var_run_t, file) +@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t) + + corecmd_exec_bin(nsd_t) + +-corenet_all_recvfrom_unlabeled(nsd_t) + corenet_all_recvfrom_netlabel(nsd_t) + corenet_tcp_sendrecv_generic_if(nsd_t) + corenet_udp_sendrecv_generic_if(nsd_t) +@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t) + corenet_udp_sendrecv_all_ports(nsd_t) + corenet_tcp_bind_generic_node(nsd_t) + corenet_udp_bind_generic_node(nsd_t) +- +-corenet_sendrecv_dns_server_packets(nsd_t) + corenet_tcp_bind_dns_port(nsd_t) + corenet_udp_bind_dns_port(nsd_t) ++corenet_sendrecv_dns_server_packets(nsd_t) + + dev_read_sysfs(nsd_t) ++dev_read_urand(nsd_t) + + domain_use_interactive_fds(nsd_t) + + files_read_etc_runtime_files(nsd_t) ++files_search_var_lib(nsd_t) + + fs_getattr_all_fs(nsd_t) + fs_search_auto_mountpoints(nsd_t) +@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t) + + logging_send_syslog_msg(nsd_t) + +-miscfiles_read_localization(nsd_t) +- + userdom_dontaudit_use_unpriv_user_fds(nsd_t) + userdom_dontaudit_search_user_home_dirs(nsd_t) + +@@ -105,23 +97,24 @@ optional_policy(` + + ######################################## 
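Review bot: `type nsd_zone_t alias nsd_db_t;` folds the database type into the zone type, and the hunk removes the nsd_t-only `allow nsd_t nsd_db_t:file manage_file_perms;` together with `filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)`, so whatever write access nsd_t and nsd_crond_t hold on `nsd_zone_t` (the cron job's `manage_files_pattern` on it is visible in a later hunk) now covers the compiled database too. That is a least-privilege reduction rather than a refactor and the hunk does not say so; add a comment at the alias, e.g. `# nsd_db_t merged into nsd_zone_t: daemon and zone-update cron job both write nsd.db alongside the zone sources`, and confirm the daemon was not deliberately limited to the database only. The same hunk's `allow nsd_t self:tcp_socket create_stream_socket_perms;` replaces the narrower `{ accept listen }` and is fine for a listening server, but worth a word in the description since it widens what the daemon may do with its own sockets.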
+ # +-# Cron local policy ++# Zone update cron job local policy + # + ++# kill capability for root cron job and non-root daemon + allow nsd_crond_t self:capability { dac_override kill }; + dontaudit nsd_crond_t self:capability sys_nice; + allow nsd_crond_t self:process { setsched signal_perms }; + allow nsd_crond_t self:fifo_file rw_fifo_file_perms; ++allow nsd_crond_t self:tcp_socket create_socket_perms; ++allow nsd_crond_t self:udp_socket create_socket_perms; + +-allow nsd_crond_t nsd_t:process signal; +-ps_process_pattern(nsd_crond_t, nsd_t) +- +-allow nsd_crond_t nsd_conf_t:dir list_dir_perms; + allow nsd_crond_t nsd_conf_t:file read_file_perms; +-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms; + +-allow nsd_crond_t nsd_db_t:file manage_file_perms; +-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) ++files_search_var_lib(nsd_crond_t) ++ ++allow nsd_crond_t nsd_t:process signal; ++ ++ps_process_pattern(nsd_crond_t, nsd_t) + + manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) + filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) +@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t) + corecmd_exec_bin(nsd_crond_t) + corecmd_exec_shell(nsd_crond_t) + +-corenet_all_recvfrom_unlabeled(nsd_crond_t) + corenet_all_recvfrom_netlabel(nsd_crond_t) + corenet_tcp_sendrecv_generic_if(nsd_crond_t) ++corenet_udp_sendrecv_generic_if(nsd_crond_t) + corenet_tcp_sendrecv_generic_node(nsd_crond_t) +- +-corenet_sendrecv_all_client_packets(nsd_crond_t) +-corenet_tcp_connect_all_ports(nsd_crond_t) ++corenet_udp_sendrecv_generic_node(nsd_crond_t) + corenet_tcp_sendrecv_all_ports(nsd_crond_t) ++corenet_udp_sendrecv_all_ports(nsd_crond_t) ++corenet_tcp_connect_all_ports(nsd_crond_t) ++corenet_sendrecv_all_client_packets(nsd_crond_t) + + dev_read_urand(nsd_crond_t) + + domain_dontaudit_read_all_domains_state(nsd_crond_t) + + files_read_etc_runtime_files(nsd_crond_t) ++files_search_var_lib(nsd_t) + + auth_use_nsswitch(nsd_crond_t) + + 
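Review bot: The cron job loses `allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;` in this hunk while keeping `read_file_perms` on the files, so a symlinked file under /etc/nsd would now be denied for the zone-update job although the daemon in the previous hunk keeps `read_lnk_files_pattern` on the same type; if that asymmetry is not intended, restore `read_lnk_files_pattern(nsd_crond_t, nsd_conf_t, nsd_conf_t)`. Dropping `list_dir_perms` on the directory is covered by the `rw_dir_perms` that `filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)` still grants, so that part is safe. The added `# kill capability for root cron job and non-root daemon` is a useful why-comment; the new `tcp_socket`/`udp_socket` rules two lines below would benefit from one as well.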
logging_send_syslog_msg(nsd_crond_t) + +-miscfiles_read_localization(nsd_crond_t) +- + userdom_dontaudit_search_user_home_dirs(nsd_crond_t) + + optional_policy(` +diff --git a/nslcd.fc b/nslcd.fc +index 402100e..ce913b2 100644 +--- a/nslcd.fc ++++ b/nslcd.fc +@@ -1,7 +1,4 @@ +-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) +- +-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) +- +-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) +- +-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) ++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) ++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) ++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) ++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) +diff --git a/nslcd.if b/nslcd.if +index 97df768..852d1c6 100644 +--- a/nslcd.if ++++ b/nslcd.if +@@ -1,4 +1,4 @@ +-## Local LDAP name service daemon. ++## nslcd - local LDAP name service daemon. + + ######################################## + ## +@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',` + type nslcd_t, nslcd_exec_t; + ') + +- corecmd_searh_bin($1) + domtrans_pattern($1, nslcd_exec_t, nslcd_t) + ') + +@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',` + + ######################################## + ## +-## Read nslcd pid files. ++## Read nslcd PID files. + ## + ## + ## +@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',` + + ######################################## + ## +-## Connect to nslcd over an unix +-## domain stream socket. ++## Dontaudit write to nslcd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nslcd_dontaudit_write_ock_file',` ++ gen_require(` ++ type nslcd_var_run_t; ++ ') ++ ++ dontaudit $1 nslcd_var_run_t:sock_file write; ++') ++ ++######################################## ++## ++## Connect to nslcd over an unix stream socket. 
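Review bot: `files_search_var_lib(nsd_t)` in this hunk sits in the nsd_crond_t section and is almost certainly a slip for `nsd_crond_t`; as written it merely duplicates the `files_search_var_lib(nsd_t)` already added in the daemon section and gives the cron job nothing. Since the previous hunk already grants `files_search_var_lib(nsd_crond_t)`, delete this line; if that earlier line is removed instead, change this one to `files_search_var_lib(nsd_crond_t)`.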
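Review bot: The rewritten `/etc/nss-ldapd.conf` entry in nslcd.fc loses the `\.` escape that the removed line had, so the pattern now matches any character before `conf`; harmless today, but it is a regression in a file where every other entry escapes the dot and it is exactly the kind of slip that later becomes a mislabel. Restore `/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)`. The rest of the hunk only strips blank lines and adds diff noise for no change.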
+ ## + ## + ## +@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',` + type nslcd_t, nslcd_var_run_t; + ') + +- files_search_pids($1) + stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) ++ files_search_pids($1) ++') ++ ++####################################### ++## ++## Do not audit attempts to write nslcd sock files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`nslcd_dontaudit_write_sock_file',` ++ gen_require(` ++ type nslcd_t, nslcd_var_run_t; ++ ') ++ ++ dontaudit $1 nslcd_t:sock_file write; ++ dontaudit $1 nslcd_var_run_t:sock_file write; + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an nslcd environment. ++## All of the rules required to administrate ++## an nslcd environment + ## + ## + ## +@@ -99,17 +134,21 @@ interface(`nslcd_admin',` + type nslcd_conf_t; + ') + +- allow $1 nslcd_t:process { ptrace signal_perms }; + ps_process_pattern($1, nslcd_t) ++ allow $1 nslcd_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 nslcd_t:process ptrace; ++ ') + ++ # Allow nslcd_t to restart the apache service + nslcd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nslcd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, nslcd_conf_t) + +- files_search_pids($1) +- admin_pattern($1, nslcd_var_run_t) ++ files_list_pids($1) ++ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) + ') +diff --git a/nslcd.te b/nslcd.te +index a3e56f0..2c5b389 100644 +--- a/nslcd.te ++++ b/nslcd.te +@@ -1,4 +1,4 @@ +-policy_module(nslcd, 1.3.1) ++policy_module(nslcd, 1.3.0) + + ######################################## + # +@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) + + ######################################## + # +-# Local policy ++# nslcd local policy + # + +-allow nslcd_t self:capability { setgid setuid dac_override }; +-allow nslcd_t self:process signal; +-allow 
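Review bot: The interface added in this hunk is named `nslcd_dontaudit_write_ock_file` (missing the `s`), and the very next hunk adds `nslcd_dontaudit_write_sock_file` whose body is a superset (`nslcd_var_run_t:sock_file write` plus `nslcd_t:sock_file write`), so this one is a misspelled duplicate that becomes a public interface name the moment something calls it. Drop it and keep only `nslcd_dontaudit_write_sock_file`. Its summary `Dontaudit write to nslcd over an unix stream socket.` also describes a connect rather than a sock_file write; the surviving interface's `Do not audit attempts to write nslcd sock files` is the accurate wording.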
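Review bot: The comment `# Allow nslcd_t to restart the apache service` added above `nslcd_initrc_domtrans($1)` in `nslcd_admin` is copied from another module and is wrong on both counts: the subject being granted access is the admin domain `$1`, not nslcd_t, and the service is nslcd. Replace it with `# allow the admin domain to run the nslcd init script`. Also `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` is called with three arguments while the `nslcd_conf_t` call just above uses two; check what `admin_pattern` accepts in this tree and make the two calls consistent either way.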
nslcd_t self:unix_stream_socket { accept listen }; ++allow nslcd_t self:capability { dac_override setgid setuid sys_nice }; ++allow nslcd_t self:process { setsched signal signull }; ++allow nslcd_t self:unix_stream_socket create_stream_socket_perms; + + allow nslcd_t nslcd_conf_t:file read_file_perms; + +@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) + + kernel_read_system_state(nslcd_t) + ++dev_read_sysfs(nslcd_t) ++ + corenet_all_recvfrom_unlabeled(nslcd_t) + corenet_all_recvfrom_netlabel(nslcd_t) +-corenet_tcp_sendrecv_generic_if(nslcd_t) +-corenet_tcp_sendrecv_generic_node(nslcd_t) +- +-corenet_sendrecv_ldap_client_packets(nslcd_t) + corenet_tcp_connect_ldap_port(nslcd_t) +-corenet_tcp_sendrecv_ldap_port(nslcd_t) ++corenet_sendrecv_ldap_client_packets(nslcd_t) + + files_read_usr_symlinks(nslcd_t) + files_list_tmp(nslcd_t) +@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t) + + logging_send_syslog_msg(nslcd_t) + +-miscfiles_read_localization(nslcd_t) + + userdom_read_user_tmp_files(nslcd_t) + + optional_policy(` ++ dirsrv_stream_connect(nslcd_t) ++') ++ ++optional_policy(` + ldap_stream_connect(nslcd_t) + ') ++ +diff --git a/nsplugin.fc b/nsplugin.fc +new file mode 100644 +index 0000000..22e6c96 +--- /dev/null ++++ b/nsplugin.fc +@@ -0,0 +1,11 @@ ++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.icedteaplugin(/.*)? 
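Review bot: This hunk removes `corenet_tcp_sendrecv_generic_if/node(nslcd_t)` and `corenet_tcp_sendrecv_ldap_port(nslcd_t)` while keeping `corenet_tcp_connect_ldap_port(nslcd_t)`, which is only correct if this tree grants sendrecv on ports and interfaces to all domains through some rule not visible here; if it does not, the connect succeeds and the first read or write on the LDAP socket is denied. If the grant does come from a tree-wide attribute, a comment next to the connect rule, `# tcp sendrecv on ldap port/interfaces is granted tree-wide`, would spare the next reviewer the same question. The earlier hunk's new `sys_nice` capability and `setsched` for nslcd_t likewise have no why-comment; something like `# nslcd adjusts the scheduling of its worker threads` (verify against the AVC) would do.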
gen_context(system_u:object_r:nsplugin_home_t,s0) ++ ++/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) ++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) +diff --git a/nsplugin.if b/nsplugin.if +new file mode 100644 +index 0000000..16f4789 +--- /dev/null ++++ b/nsplugin.if +@@ -0,0 +1,474 @@ ++ ++## policy for nsplugin ++ ++######################################## ++## ++## Create, read, write, and delete ++## nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_manage_rw_files',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ allow $1 nsplugin_rw_t:file manage_file_perms; ++ allow $1 nsplugin_rw_t:dir rw_dir_perms; ++') ++ ++######################################## ++## ++## Manage nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_manage_rw',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++') ++ ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. 
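Review bot: `/usr/lib/nspluginwrapper/npviewer.bin` is written with an unescaped `.`, unlike every other entry in this new file, and should be `npviewer\.bin`. More importantly, `/usr/lib/mozilla/plugins-wrapped(/.*)?` is labelled `nsplugin_rw_t`, a type that the accompanying nsplugin.if lets the user domain execute (`can_exec($2, nsplugin_rw_t)`) and that, going by its name and the `nsplugin_manage_rw` interfaces, some plugin-side domain may write; a writable-and-executable tree under /usr/lib is a classic code-injection foothold, so state who writes it and why that is acceptable, e.g. `# plugins-wrapped: wrapper stubs regenerated by nspluginwrapper's plugin-config; writable by the config domain only - verify`. Only `/usr/lib/...` paths are listed; if this tree labels 64-bit library trees elsewhere, the `nspluginwrapper` and `mozilla` entries may need a `(64)?`.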
++## ++## ++# ++interface(`nsplugin_role_notrans',` ++ gen_require(` ++ type nsplugin_rw_t; ++ type nsplugin_home_t; ++ type nsplugin_exec_t; ++ type nsplugin_config_exec_t; ++ type nsplugin_t; ++ type nsplugin_config_t; ++ class x_drawable all_x_drawable_perms; ++ class x_resource all_x_resource_perms; ++ class dbus send_msg; ++ ') ++ ++ role $1 types nsplugin_t; ++ role $1 types nsplugin_config_t; ++ ++ allow nsplugin_t $2:process signull; ++ allow nsplugin_t $2:dbus send_msg; ++ allow $2 nsplugin_t:dbus send_msg; ++ ++ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ can_exec($2, nsplugin_rw_t) ++ ++ #Leaked File Descriptors ++ifdef(`hide_broken_symptoms', ` ++ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; ++') ++ allow nsplugin_t $2:unix_stream_socket connectto; ++ dontaudit nsplugin_t $2:process ptrace; ++ allow nsplugin_t $2:sem rw_sem_perms; ++ allow nsplugin_t $2:shm rw_shm_perms; ++ dontaudit nsplugin_t $2:shm destroy; ++ allow $2 nsplugin_t:sem rw_sem_perms; ++ ++ allow $2 nsplugin_t:process { getattr signal_perms }; ++ allow $2 nsplugin_t:unix_stream_socket connectto; ++ ++ # Connect to pulseaudit server ++ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) ++ optional_policy(` ++ gnome_stream_connect(nsplugin_t, $2) ++ ') ++ ++ userdom_use_inherited_user_terminals(nsplugin_t) ++ userdom_use_inherited_user_terminals(nsplugin_config_t) ++ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) ++ userdom_manage_tmpfs_role($1, nsplugin_t) ++ ++ optional_policy(` ++ pulseaudio_role($1, nsplugin_t) ++ ') ++') ++ ++####################################### ++## ++## Role access for nsplugin ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. 
++## ++## ++# ++interface(`nsplugin_role',` ++ gen_require(` ++ type nsplugin_exec_t; ++ type nsplugin_config_exec_t; ++ type nsplugin_t; ++ type nsplugin_config_t; ++ ') ++ ++ nsplugin_role_notrans($1, $2) ++ ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) ++ ++') ++ ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`nsplugin_domtrans',` ++ gen_require(` ++ type nsplugin_exec_t; ++ type nsplugin_t; ++ ') ++ ++ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t) ++ allow $1 nsplugin_t:unix_stream_socket connectto; ++ allow nsplugin_t $1:process signal; ++') ++ ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`nsplugin_domtrans_config',` ++ gen_require(` ++ type nsplugin_config_exec_t; ++ type nsplugin_config_t; ++ ') ++ ++ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t) ++') ++ ++######################################## ++## ++## Search nsplugin rw directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_search_rw_dir',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ allow $1 nsplugin_rw_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Read nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_read_rw_files',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++') ++ ++######################################## ++## ++## Read nsplugin home files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`nsplugin_read_home',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) ++ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t) ++ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t) ++') ++ ++######################################## ++## ++## Exec nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_rw_exec',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ can_exec($1, nsplugin_rw_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## nsplugin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_manage_home_files',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) ++') ++ ++######################################## ++## ++## manage nnsplugin home dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_manage_home_dirs',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) ++') ++ ++######################################## ++## ++## Allow attempts to read and write to ++## nsplugin named pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`nsplugin_rw_pipes',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Read and write to nsplugin shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_rw_shm',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:shm rw_shm_perms; ++') ++ ++##################################### ++## ++## Allow read and write access to nsplugin semaphores. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`nsplugin_rw_semaphores',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:sem rw_sem_perms;
++')
++
++########################################
++##
++## Execute nsplugin_exec_t
++## in the specified domain.
++##
++##
++##

    ++## Execute a nsplugin_exec_t ++## in the specified domain. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`nsplugin_exec_domtrans',` ++ gen_require(` ++ type nsplugin_exec_t; ++ ') ++ ++ allow $2 nsplugin_exec_t:file entrypoint; ++ domtrans_pattern($1, nsplugin_exec_t, $2) ++') ++ ++######################################## ++## ++## Send generic signals to user nsplugin processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_signal',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:process signal; ++') ++ ++######################################## ++## ++## Create objects in a user home directory ++## with an automatic type transition to ++## the nsplugin home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`nsplugin_user_home_dir_filetrans',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2) ++') ++ ++####################################### ++## ++## Create objects in a user home directory ++## with an automatic type transition to ++## the nsplugin home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`nsplugin_user_home_filetrans',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) ++') ++ ++######################################## ++## ++## Send signull signal to nsplugin ++## processes. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`nsplugin_signull',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:process signull;
++')
+diff --git a/nsplugin.te b/nsplugin.te
+new file mode 100644
+index 0000000..7d839fe
+--- /dev/null
++++ b/nsplugin.te
+@@ -0,0 +1,318 @@
++policy_module(nsplugin, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##

    ++## Allow nsplugin code to execmem/execstack ++##

    ++##
++gen_tunable(nsplugin_execmem, false)
++
++##
++##

    ++## Allow nsplugin code to connect to unreserved ports ++##

    ++##
++gen_tunable(nsplugin_can_network, true)
++
++type nsplugin_exec_t;
++application_executable_file(nsplugin_exec_t)
++
++type nsplugin_config_exec_t;
++application_executable_file(nsplugin_config_exec_t)
++
++type nsplugin_rw_t;
++files_poly_member(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
++
++type nsplugin_tmp_t;
++files_tmp_file(nsplugin_tmp_t)
++
++type nsplugin_home_t;
++files_poly_member(nsplugin_home_t)
++userdom_user_home_content(nsplugin_home_t)
++typealias nsplugin_home_t alias user_nsplugin_home_t;
++
++type nsplugin_t;
++application_domain(nsplugin_t, nsplugin_exec_t)
++
++type nsplugin_config_t;
++domain_type(nsplugin_config_t)
++domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
++
++########################################
++#
++# nsplugin local policy
++#
++dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
++allow nsplugin_t self:fifo_file rw_file_perms;
++allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
++
++allow nsplugin_t self:sem create_sem_perms;
++allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
++allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
++allow nsplugin_t self:tcp_socket create_stream_socket_perms;
++allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
++read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
++
++tunable_policy(`nsplugin_execmem',`
++ allow nsplugin_t self:process { execstack execmem };
++ allow nsplugin_config_t self:process { execstack execmem };
++')
++
++tunable_policy(`nsplugin_can_network',`
++ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
++ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
++')
++
++manage_dirs_pattern(nsplugin_t, nsplugin_home_t, 
nsplugin_home_t) ++exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) ++userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) ++userdom_dontaudit_getattr_user_home_content(nsplugin_t) ++userdom_dontaudit_search_user_bin_dirs(nsplugin_t) ++userdom_dontaudit_write_user_home_content_files(nsplugin_t) ++userdom_dontaudit_search_admin_dir(nsplugin_t) ++ ++corecmd_exec_bin(nsplugin_t) ++corecmd_exec_shell(nsplugin_t) ++ ++corenet_all_recvfrom_netlabel(nsplugin_t) ++corenet_tcp_connect_flash_port(nsplugin_t) ++corenet_tcp_connect_ms_streaming_port(nsplugin_t) ++corenet_tcp_connect_rtsp_port(nsplugin_t) ++corenet_tcp_connect_pulseaudio_port(nsplugin_t) ++corenet_tcp_connect_http_port(nsplugin_t) ++corenet_tcp_connect_http_cache_port(nsplugin_t) ++corenet_tcp_connect_squid_port(nsplugin_t) ++corenet_tcp_sendrecv_generic_if(nsplugin_t) ++corenet_tcp_sendrecv_generic_node(nsplugin_t) ++corenet_tcp_connect_ipp_port(nsplugin_t) ++corenet_tcp_connect_speech_port(nsplugin_t) ++ ++domain_dontaudit_read_all_domains_state(nsplugin_t) ++ ++dev_read_urand(nsplugin_t) ++dev_read_rand(nsplugin_t) ++dev_read_sound(nsplugin_t) ++dev_write_sound(nsplugin_t) ++dev_read_video_dev(nsplugin_t) ++dev_write_video_dev(nsplugin_t) ++dev_getattr_dri_dev(nsplugin_t) ++dev_getattr_mouse_dev(nsplugin_t) ++dev_rwx_zero(nsplugin_t) ++dev_read_sysfs(nsplugin_t) ++dev_dontaudit_getattr_all(nsplugin_t) ++ ++kernel_read_kernel_sysctls(nsplugin_t) ++kernel_read_system_state(nsplugin_t) ++kernel_read_network_state(nsplugin_t) ++ ++files_dontaudit_getattr_lost_found_dirs(nsplugin_t) 
++files_dontaudit_list_home(nsplugin_t) ++files_read_config_files(nsplugin_t) ++ ++fs_getattr_tmpfs(nsplugin_t) ++fs_getattr_xattr_fs(nsplugin_t) ++fs_search_auto_mountpoints(nsplugin_t) ++fs_rw_anon_inodefs_files(nsplugin_t) ++fs_list_inotifyfs(nsplugin_t) ++fs_dontaudit_list_fusefs(nsplugin_t) ++ ++storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) ++storage_dontaudit_getattr_removable_dev(nsplugin_t) ++ ++term_dontaudit_getattr_all_ptys(nsplugin_t) ++term_dontaudit_getattr_all_ttys(nsplugin_t) ++ ++auth_use_nsswitch(nsplugin_t) ++ ++libs_exec_ld_so(nsplugin_t) ++ ++miscfiles_read_fonts(nsplugin_t) ++miscfiles_dontaudit_write_fonts(nsplugin_t) ++miscfiles_setattr_fonts_cache_dirs(nsplugin_t) ++ ++userdom_manage_user_tmp_dirs(nsplugin_t) ++userdom_manage_user_tmp_files(nsplugin_t) ++userdom_manage_user_tmp_sockets(nsplugin_t) ++userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file }) ++userdom_rw_semaphores(nsplugin_t) ++userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t) ++ ++userdom_read_user_home_content_symlinks(nsplugin_t) ++userdom_read_user_home_content_files(nsplugin_t) ++userdom_read_user_tmp_files(nsplugin_t) ++userdom_write_user_tmp_sockets(nsplugin_t) ++userdom_dontaudit_append_user_home_content_files(nsplugin_t) ++userdom_read_home_audio_files(nsplugin_t) ++ ++optional_policy(` ++ alsa_read_rw_config(nsplugin_t) ++ alsa_read_home_files(nsplugin_t) ++') ++ ++optional_policy(` ++ chrome_dontaudit_sandbox_leaks(nsplugin_t) ++') ++ ++optional_policy(` ++ cups_stream_connect(nsplugin_t) ++') ++ ++optional_policy(` ++ dbus_session_bus_client(nsplugin_t) ++ dbus_connect_session_bus(nsplugin_t) ++ dbus_system_bus_client(nsplugin_t) ++') ++ ++optional_policy(` ++ gnome_exec_gconf(nsplugin_t) ++ gnome_manage_config(nsplugin_t) ++ gnome_read_gconf_home_files(nsplugin_t) ++ gnome_read_usr_config(nsplugin_t) ++') ++ ++optional_policy(` ++ gpm_getattr_gpmctl(nsplugin_t) ++') ++ ++optional_policy(` ++ mozilla_exec_user_home_files(nsplugin_t) ++ 
mozilla_read_user_home_files(nsplugin_t) ++ mozilla_write_user_home_files(nsplugin_t) ++ mozilla_plugin_delete_tmpfs_files(nsplugin_t) ++') ++ ++optional_policy(` ++ mplayer_exec(nsplugin_t) ++ mplayer_read_user_home_files(nsplugin_t) ++') ++ ++optional_policy(` ++ sandbox_read_tmpfs_files(nsplugin_t) ++') ++ ++optional_policy(` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) ++ xserver_rw_shm(nsplugin_t) ++ xserver_read_xdm_pid(nsplugin_t) ++ xserver_read_xdm_tmp_files(nsplugin_t) ++ xserver_read_user_xauth(nsplugin_t) ++ xserver_read_user_iceauth(nsplugin_t) ++ xserver_use_user_fonts(nsplugin_t) ++ xserver_rw_inherited_user_fonts(nsplugin_t) ++') ++ ++######################################## ++# ++# nsplugin_config local policy ++# ++ ++allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; ++allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; ++#execing pulseaudio ++dontaudit nsplugin_t self:process { getcap setcap }; ++ ++allow nsplugin_config_t self:fifo_file rw_file_perms; ++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; ++ ++dev_search_sysfs(nsplugin_config_t) ++dev_read_urand(nsplugin_config_t) ++dev_dontaudit_read_rand(nsplugin_config_t) ++dev_dontaudit_rw_dri(nsplugin_config_t) ++ ++fs_search_auto_mountpoints(nsplugin_config_t) ++fs_list_inotifyfs(nsplugin_config_t) ++ ++can_exec(nsplugin_config_t, nsplugin_rw_t) ++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++ ++manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++ 
++corecmd_exec_bin(nsplugin_config_t) ++corecmd_exec_shell(nsplugin_config_t) ++ ++kernel_read_system_state(nsplugin_config_t) ++kernel_request_load_module(nsplugin_config_t) ++ ++domain_use_interactive_fds(nsplugin_config_t) ++ ++files_dontaudit_search_home(nsplugin_config_t) ++files_list_tmp(nsplugin_config_t) ++ ++auth_use_nsswitch(nsplugin_config_t) ++ ++miscfiles_read_fonts(nsplugin_config_t) ++ ++userdom_search_user_home_content(nsplugin_config_t) ++userdom_read_user_home_content_symlinks(nsplugin_config_t) ++userdom_read_user_home_content_files(nsplugin_config_t) ++userdom_dontaudit_search_admin_dir(nsplugin_config_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_getattr_nfs(nsplugin_t) ++ fs_manage_nfs_dirs(nsplugin_t) ++ fs_manage_nfs_files(nsplugin_t) ++ fs_manage_nfs_symlinks(nsplugin_t) ++ fs_manage_nfs_named_pipes(nsplugin_t) ++ fs_manage_nfs_dirs(nsplugin_config_t) ++ fs_manage_nfs_files(nsplugin_config_t) ++ fs_manage_nfs_named_pipes(nsplugin_config_t) ++ fs_manage_nfs_symlinks(nsplugin_config_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_getattr_cifs(nsplugin_t) ++ fs_manage_cifs_dirs(nsplugin_t) ++ fs_manage_cifs_files(nsplugin_t) ++ fs_manage_cifs_symlinks(nsplugin_t) ++ fs_manage_cifs_named_pipes(nsplugin_t) ++ fs_manage_cifs_dirs(nsplugin_config_t) ++ fs_manage_cifs_files(nsplugin_config_t) ++ fs_manage_cifs_named_pipes(nsplugin_config_t) ++ fs_manage_cifs_symlinks(nsplugin_config_t) ++') ++ ++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) ++ ++optional_policy(` ++ xserver_use_user_fonts(nsplugin_config_t) ++') ++ ++optional_policy(` ++ mozilla_read_user_home_files(nsplugin_config_t) ++ mozilla_write_user_home_files(nsplugin_config_t) ++') ++ ++application_signull(nsplugin_t) ++ ++optional_policy(` ++ devicekit_dbus_chat_power(nsplugin_t) ++') ++ ++optional_policy(` ++ pulseaudio_exec(nsplugin_t) ++ pulseaudio_stream_connect(nsplugin_t) ++ pulseaudio_manage_home_files(nsplugin_t) ++ 
pulseaudio_setattr_home_dir(nsplugin_t) ++') +diff --git a/ntop.te b/ntop.te +index 52757d8..0f7f5e4 100644 +--- a/ntop.te ++++ b/ntop.te +@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; + dontaudit ntop_t self:capability sys_tty_config; + allow ntop_t self:process signal_perms; + allow ntop_t self:fifo_file rw_fifo_file_perms; ++allow ntop_t self:netlink_socket create_socket_perms; + allow ntop_t self:tcp_socket { accept listen }; + allow ntop_t self:unix_stream_socket { accept listen }; + allow ntop_t self:packet_socket create_socket_perms; +@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t) + kernel_read_network_state(ntop_t) + kernel_read_kernel_sysctls(ntop_t) + +-corenet_all_recvfrom_unlabeled(ntop_t) + corenet_all_recvfrom_netlabel(ntop_t) + corenet_tcp_sendrecv_generic_if(ntop_t) + corenet_raw_sendrecv_generic_if(ntop_t) +@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t) + + dev_read_sysfs(ntop_t) + dev_rw_generic_usb_dev(ntop_t) ++dev_read_usbmon_dev(ntop_t) ++dev_write_usbmon_dev(ntop_t) + + domain_use_interactive_fds(ntop_t) + +-files_read_usr_files(ntop_t) + + fs_getattr_all_fs(ntop_t) + fs_search_auto_mountpoints(ntop_t) +diff --git a/ntp.fc b/ntp.fc +index af3c91e..6882a3f 100644 +--- a/ntp.fc ++++ b/ntp.fc +@@ -13,6 +13,8 @@ + /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + ++/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) ++ + /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + +diff --git a/ntp.if b/ntp.if +index b59196f..017b36f 100644 +--- a/ntp.if ++++ b/ntp.if +@@ -1,4 +1,4 @@ +-## Network time protocol daemon. 
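Review bot: `dev_rwx_zero(nsplugin_t)` is granted unconditionally in the nsplugin_t section, while executable memory is supposed to be gated by the `nsplugin_execmem` tunable (default false) declared at the top of this same hunk; a shared writable+executable mapping of /dev/zero is the classic way to obtain anonymous RWX memory without the `execmem` permission, so as written the default-off knob does not actually constrain plugin code. Move the call inside the `nsplugin_execmem` tunable_policy block, or replace it with the non-execute zero-device interface, so the tunable means what its summary says. In the same section `manage_files_pattern` together with `exec_files_pattern` on `nsplugin_home_t` lets the plugin write and then execute files in its own home tree, which is a second path around the knob; if that is intended, say so in a comment beside those rules. Also `dontaudit nsplugin_t self:process { getcap setcap };` sits under the `# nsplugin_config local policy` header with the comment `#execing pulseaudio` but names nsplugin_t rather than nsplugin_config_t, which looks like a domain mix-up worth confirming.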
++## Network time protocol daemon + + ######################################## + ## +@@ -37,6 +37,25 @@ interface(`ntp_domtrans',` + + ######################################## + ## ++## Execute ntp server in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntp_exec',` ++ gen_require(` ++ type ntpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ntpd_exec_t) ++') ++ ++######################################## ++## + ## Execute ntp in the ntp domain, and + ## allow the specified role the ntp domain. + ## +@@ -54,11 +73,11 @@ interface(`ntp_domtrans',` + # + interface(`ntp_run',` + gen_require(` +- attribute_role ntpd_roles; ++ type ntpd_t; + ') + + ntp_domtrans($1) +- roleattribute $2 ntpd_roles; ++ role $2 types ntpd_t; + ') + + ######################################## +@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',` + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + ') + ++##################################### ++## ++## Allow domain to read ntpd systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_read_unit_file',` ++ gen_require(` ++ type ntpd_unit_file_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 ntpd_unit_file_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute ntpd server in the ntpd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntp_systemctl',` ++ gen_require(` ++ type ntpd_unit_file_t; ++ type ntpd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ntpd_unit_file_t:file read_file_perms; ++ allow $1 ntpd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ntpd_t) ++') ++ + ######################################## + ## + ## Read and write ntpd shared memory. +@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',` + + ######################################## + ## +-## All of the rules required to +-## administrate an ntp environment. 
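Review bot: `ntp_read_unit_file` calls `files_search_var_lib($1)` before `allow $1 ntpd_unit_file_t:file read_file_perms;`, but this patch's ntp.fc hunk labels the unit file under `/usr/lib/systemd/system`, so the /var/lib search rule looks like copy-paste residue from a `*_read_lib_files` template and gives the caller no path to the file. Replace it with the search rule for the directory the unit actually lives in (or the systemd unit-directory search interface this tree provides), or drop it. The summary of `ntp_systemctl` reads "Execute ntpd server in the ntpd domain", yet the body performs no domain transition — it lets the caller run systemctl and manage the ntpd service — so the summary should say something like `Allow the caller to start, stop and otherwise manage the ntpd service through systemctl.`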
++## Allow the domain to read ntpd state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_read_state',` ++ gen_require(` ++ type ntpd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, ntpd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ntp environment + ## + ## + ## +@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the ntp domain. + ## + ## + ## +@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',` + interface(`ntp_admin',` + gen_require(` + type ntpd_t, ntpd_tmp_t, ntpd_log_t; +- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t; +- type ntpd_initrc_exec_t, ntp_drift_t; ++ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; ++ type ntpd_unit_file_t; + ') + +- allow $1 ntpd_t:process { ptrace signal_perms }; ++ allow $1 ntpd_t:process signal_perms; + ps_process_pattern($1, ntpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ntpd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ntpd_initrc_exec_t system_r; + allow $2 system_r; + +- files_list_etc($1) +- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }) ++ admin_pattern($1, ntpd_key_t) + + logging_list_logs($1) + admin_pattern($1, ntpd_log_t) +@@ -164,5 +246,28 @@ interface(`ntp_admin',` + files_list_pids($1) + admin_pattern($1, ntpd_var_run_t) + +- ntp_run($1, $2) ++ ntp_systemctl($1) ++ admin_pattern($1, ntpd_unit_file_t) ++ allow $1 ntpd_unit_file_t:service all_service_perms; ++ ++ ntp_filetrans_named_content($1) ++') ++ ++######################################## ++## ++## Transition content labels to ntp named content ++## ++## ++## ++## Domain allowed access. 
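Review bot: `ntp_admin` drops `ntp_conf_t` and `ntp_drift_t` from its gen_require and from `admin_pattern`, and removes `files_list_etc($1)`, so an administrator using this interface can no longer list /etc or manage the ntp configuration and drift files; the same interface later gains `ntp_filetrans_named_content`, which creates `ntp_conf_t` content the admin then cannot edit. Unless configuration management is intentionally moving elsewhere, restore `admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })` and `files_list_etc($1)`. Gating ptrace on `deny_ptrace` is the right direction. ntp_admin continues in the next hunk.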
++## ++## ++# ++interface(`ntp_filetrans_named_content',` ++ gen_require(` ++ type ntp_conf_t; ++ ') ++ ++ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") ++ files_etc_filetrans($1, ntp_conf_t, dir, "ntp") + ') +diff --git a/ntp.te b/ntp.te +index b90e343..8369b61 100644 +--- a/ntp.te ++++ b/ntp.te +@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; + type ntpd_initrc_exec_t; + init_script_file(ntpd_initrc_exec_t) + ++type ntpd_unit_file_t; ++systemd_unit_file(ntpd_unit_file_t) ++ + type ntp_conf_t; + files_config_file(ntp_conf_t) + +@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + + allow ntpd_t ntpd_log_t:dir setattr_dir_perms; +-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) ++manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) + logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) + + manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) +@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t) + kernel_read_network_state(ntpd_t) + kernel_request_load_module(ntpd_t) + +-corenet_all_recvfrom_unlabeled(ntpd_t) + corenet_all_recvfrom_netlabel(ntpd_t) + corenet_tcp_sendrecv_generic_if(ntpd_t) + corenet_udp_sendrecv_generic_if(ntpd_t) + corenet_tcp_sendrecv_generic_node(ntpd_t) + corenet_udp_sendrecv_generic_node(ntpd_t) + corenet_udp_bind_generic_node(ntpd_t) +- +-corenet_sendrecv_ntp_server_packets(ntpd_t) + corenet_udp_bind_ntp_port(ntpd_t) +-corenet_udp_sendrecv_ntp_port(ntpd_t) +- +-corenet_sendrecv_ntp_client_packets(ntpd_t) + corenet_tcp_connect_ntp_port(ntpd_t) +-corenet_tcp_sendrecv_ntp_port(ntpd_t) ++corenet_sendrecv_ntp_server_packets(ntpd_t) ++corenet_sendrecv_ntp_client_packets(ntpd_t) + + corecmd_exec_bin(ntpd_t) + corecmd_exec_shell(ntpd_t) +@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t) + domain_dontaudit_list_all_domains_state(ntpd_t) + + 
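Review bot: `ntp_filetrans_named_content` transitions a file named `ntpd.conf` created in /etc to `ntp_conf_t`, but ISC ntpd reads `/etc/ntp.conf`; if the file context for that path (not visible in this chunk) is `/etc/ntp\.conf`, the named transition never fires and a freshly written config is left as `etc_t`. Suggest `files_etc_filetrans($1, ntp_conf_t, file, "ntp.conf")` unless an `ntpd.conf` path really is labelled in ntp.fc. The hunk also replaces `ntp_run($1, $2)` with `ntp_systemctl($1)`, so admins lose the ability to run ntpd directly in its domain; if that is deliberate, a one-line comment in the interface would stop someone re-adding it. ntp_admin starts in an earlier hunk.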
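Review bot: replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `ntpd_log_t` with `manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)` gives ntpd write, unlink and rename on its own logs, so a compromised daemon could truncate or delete its audit trail; the narrower append-only set was the deliberate log-integrity pattern. Unless ntpd really rotates or rewrites its own log files, keep the three original patterns, or add a comment naming the operation that was being denied.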
files_read_etc_runtime_files(ntpd_t) +-files_read_usr_files(ntpd_t) + files_list_var_lib(ntpd_t) + + fs_getattr_all_fs(ntpd_t) + fs_search_auto_mountpoints(ntpd_t) ++# Necessary to communicate with gpsd devices ++fs_rw_tmpfs_files(ntpd_t) + + term_use_ptmx(ntpd_t) ++term_use_unallocated_ttys(ntpd_t) + + auth_use_nsswitch(ntpd_t) + +@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t) + + logging_send_syslog_msg(ntpd_t) + +-miscfiles_read_localization(ntpd_t) +- + userdom_dontaudit_use_unpriv_user_fds(ntpd_t) + userdom_list_user_home_dirs(ntpd_t) + +diff --git a/numad.fc b/numad.fc +index 3488bb0..1f97624 100644 +--- a/numad.fc ++++ b/numad.fc +@@ -1,7 +1,7 @@ +-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0) ++/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) + +-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) ++/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0) + +-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0) ++/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0) + +-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) ++/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) +diff --git a/numad.if b/numad.if +index 0d3c270..709dda1 100644 +--- a/numad.if ++++ b/numad.if +@@ -1,39 +1,72 @@ +-## Non-Uniform Memory Alignment Daemon. + ++## policy for numad ++ ++######################################## ++## ++## Transition to numad. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`numad_domtrans',` ++ gen_require(` ++ type numad_t, numad_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, numad_exec_t, numad_t) ++') + ######################################## + ## +-## All of the rules required to +-## administrate an numad environment. ++## Execute numad server in the numad domain. + ## + ## + ## +-## Domain allowed access. 
++## Domain allowed to transition. + ## + ## +-## ++# ++interface(`numad_systemctl',` ++ gen_require(` ++ type numad_t; ++ type numad_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 numad_unit_file_t:file read_file_perms; ++ allow $1 numad_unit_file_t:service all_service_perms; ++ ++ ps_process_pattern($1, numad_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an numad environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # + interface(`numad_admin',` + gen_require(` +- type numad_t, numad_initrc_exec_t, numad_log_t; +- type numad_var_run_t; ++ type numad_t; ++ type numad_unit_file_t; + ') + + allow $1 numad_t:process { ptrace signal_perms }; + ps_process_pattern($1, numad_t) + +- init_labeled_script_domtrans($1, numad_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 numad_initrc_exec_t system_r; +- allow $2 system_r; +- +- logging_search_logs($1) +- admin_pattern($1, numad_log_t) +- +- files_search_pids($1) +- admin_pattern($1, numad_var_run_t) ++ numad_systemctl($1) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/numad.te b/numad.te +index f5d145d..97e1148 100644 +--- a/numad.te ++++ b/numad.te +@@ -1,4 +1,4 @@ +-policy_module(numad, 1.0.3) ++policy_module(numad, 1.0.0) + + ######################################## + # +@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3) + type numad_t; + type numad_exec_t; + init_daemon_domain(numad_t, numad_exec_t) +-application_executable_file(numad_exec_t) + +-type numad_initrc_exec_t; +-init_script_file(numad_initrc_exec_t) ++type numad_unit_file_t; ++systemd_unit_file(numad_unit_file_t) + +-type numad_log_t; +-logging_log_file(numad_log_t) ++type numad_var_log_t; ++logging_log_file(numad_var_log_t) + + type numad_var_run_t; + files_pid_file(numad_var_run_t) + + 
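Review bot: `numad_systemctl` grants `numad_unit_file_t:service all_service_perms` to any caller, whereas the parallel `ntp_systemctl` in this series grants `manage_service_perms` and reserves `all_service_perms` for the admin interface; use `allow $1 numad_unit_file_t:service manage_service_perms;` here and put the wider set in `numad_admin`. `numad_admin` still has `allow $1 numad_t:process { ptrace signal_perms };` unconditionally, while `ntp_admin` in the same patch gates ptrace on the `deny_ptrace` tunable — apply the same tunable_policy split here. The reworked `numad_admin` documents only a domain parameter, but callers of the old version passed a role as `$2`; that argument is now silently ignored and the role wiring (`role_transition`, `allow $2 system_r`) is gone, which deserves a sentence in the summary.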
######################################## + # +-# Local policy ++# numad local policy + # + ++allow numad_t self:capability sys_ptrace; + allow numad_t self:fifo_file rw_fifo_file_perms; +-allow numad_t self:msg { send receive }; + allow numad_t self:msgq create_msgq_perms; ++allow numad_t self:msg { send receive }; + allow numad_t self:unix_stream_socket create_stream_socket_perms; + +-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(numad_t, numad_log_t, file) ++manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) ++logging_log_filetrans(numad_t, numad_var_log_t, file) + + manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) + files_pid_filetrans(numad_t, numad_var_run_t, file) +@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t) + + dev_read_sysfs(numad_t) + +-files_read_etc_files(numad_t) ++domain_use_interactive_fds(numad_t) ++domain_read_all_domains_state(numad_t) ++domain_setpriority_all_domains(numad_t) ++ ++fs_manage_cgroup_dirs(numad_t) ++fs_rw_cgroup_files(numad_t) + +-miscfiles_read_localization(numad_t) ++tunable_policy(`deny_ptrace',`',` ++ virt_ptrace(numad_t) ++') +diff --git a/nut.fc b/nut.fc +index 379af96..41ff159 100644 +--- a/nut.fc ++++ b/nut.fc +@@ -1,23 +1,16 @@ +-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) +-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) ++/etc/ups(/.*)? 
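Review bot: `virt_ptrace(numad_t)` inside the `deny_ptrace` tunable_policy block is not wrapped in `optional_policy`, so this module only links when the virt module is loaded; wrap the tunable_policy in `optional_policy(` ... `)` as the rest of the tree does for cross-module interfaces. The `sys_ptrace` capability added in the previous hunk is plausibly needed for reading other users' /proc/<pid> entries rather than for ptrace itself, but now that the only ptrace permission is tunable-gated a comment such as `# CAP_SYS_PTRACE: read /proc/<pid> state of processes owned by other users` would stop it being mistaken for a leftover. `fs_manage_cgroup_dirs`/`fs_rw_cgroup_files` and `domain_setpriority_all_domains` are broad but expected for NUMA placement; a one-line why-comment above them would help the next reader.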
gen_context(system_u:object_r:nut_conf_t,s0) + +-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) +- +-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) + /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) +-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) + +-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0) + + /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) + /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) +-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) ++/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) ++/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) + + /var/run/nut(/.*)? 
gen_context(system_u:object_r:nut_var_run_t,s0) + +-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +diff --git a/nut.if b/nut.if +index 57c0161..54bd4d7 100644 +--- a/nut.if ++++ b/nut.if +@@ -1,39 +1,24 @@ +-## Network UPS Tools ++## nut - Network UPS Tools + +-######################################## ++####################################### + ## +-## All of the rules required to +-## administrate an nut environment. ++## Execute swift server in the swift domain. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed to transition. ++## + ## +-## +-## +-## Role allowed access. 
+-## +-## +-## + # +-interface(`nut_admin',` +- gen_require(` +- attribute nut_domain; +- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; +- ') +- +- allow $1 nut_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, nut_domain_t) +- +- init_labeled_script_domtrans($1, nut_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 nut_initrc_exec_t system_r; +- allow $2 system_r; ++interface(`nut_systemctl',` ++ gen_require(` ++ type nut_t; ++ type nut_unit_file_t; ++ ') + +- files_search_etc($1) +- admin_pattern($1, nut_conf_t) ++ systemd_exec_systemctl($1) ++ allow $1 nut_unit_file_t:file read_file_perms; ++ allow $1 nut_unit_file_t:service manage_service_perms; + +- files_search_pids($1) +- admin_pattern($1, nut_var_run_t) ++ ps_process_pattern($1, swift_t) + ') +diff --git a/nut.te b/nut.te +index 0c9deb7..76988d6 100644 +--- a/nut.te ++++ b/nut.te +@@ -1,4 +1,4 @@ +-policy_module(nut, 1.2.4) ++policy_module(nut, 1.2.0) + + ######################################## + # +@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain; + type nut_upsdrvctl_exec_t; + init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) + +-type nut_initrc_exec_t; +-init_script_file(nut_initrc_exec_t) +- + type nut_var_run_t; + files_pid_file(nut_var_run_t) +-init_daemon_run_dir(nut_var_run_t, "nut") + +-######################################## ++type nut_unit_file_t; ++systemd_unit_file(nut_unit_file_t) ++ ++####################################### + # +-# Common nut domain local policy ++# Local policy for upsd + # + +-allow nut_domain self:capability { setgid setuid dac_override kill }; +-allow nut_domain self:process signal_perms; +-allow nut_domain self:fifo_file rw_fifo_file_perms; +-allow nut_domain self:unix_dgram_socket sendto; +- +-allow nut_domain nut_conf_t:dir list_dir_perms; +-allow nut_domain nut_conf_t:file read_file_perms; +-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; +- +-manage_files_pattern(nut_domain, nut_var_run_t, 
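Review bot: the new `nut_systemctl` is an unedited copy of another service's interface: its summary says "Execute swift server in the swift domain", its gen_require asks for `type nut_t;`, which nothing visible in nut.te declares (the visible domains are `nut_upsd_t`, `nut_upsmon_t` and `nut_upsdrvctl_t` under the `nut_domain` attribute), and `ps_process_pattern($1, swift_t)` names a type that is neither required nor part of this module, so any module that calls the interface will fail to expand. Change the require to `attribute nut_domain;`, the last line to `ps_process_pattern($1, nut_domain)`, and the summary to describe nut. The hunk also deletes `nut_admin` outright rather than porting it to the unit-file model, so existing callers will fail to link; keep an admin interface built on `nut_systemctl` or document the removal.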
nut_var_run_t) +-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) +- +-kernel_read_kernel_sysctls(nut_domain) +- +-logging_send_syslog_msg(nut_domain) +- +-miscfiles_read_localization(nut_domain) ++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; + + ######################################## + # +-# Upsd local policy ++# Local policy for upsd + # + +-allow nut_upsd_t self:tcp_socket { accept listen }; ++allow nut_upsd_t self:capability { setgid setuid dac_override }; ++allow nut_upsd_t self:process signal_perms; + +-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) ++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; + +-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) ++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; + +-corenet_all_recvfrom_unlabeled(nut_upsd_t) +-corenet_all_recvfrom_netlabel(nut_upsd_t) +-corenet_tcp_sendrecv_generic_if(nut_upsd_t) +-corenet_tcp_sendrecv_generic_node(nut_upsd_t) +-corenet_tcp_sendrecv_all_ports(nut_upsd_t) +-corenet_tcp_bind_generic_node(nut_upsd_t) ++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) + +-corenet_sendrecv_ups_server_packets(nut_upsd_t) +-corenet_tcp_bind_ups_port(nut_upsd_t) ++# pid file ++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) + +-corenet_sendrecv_generic_server_packets(nut_upsd_t) +-corenet_tcp_bind_generic_port(nut_upsd_t) ++kernel_read_kernel_sysctls(nut_upsd_t) + +-files_read_usr_files(nut_upsd_t) ++corenet_tcp_bind_ups_port(nut_upsd_t) 
++corenet_tcp_bind_generic_port(nut_upsd_t) ++corenet_tcp_bind_all_nodes(nut_upsd_t) + + auth_use_nsswitch(nut_upsd_t) + ++logging_send_syslog_msg(nut_upsd_t) ++ + ######################################## + # +-# Upsmon local policy ++# Local policy for upsmon + # + +-allow nut_upsmon_t self:capability dac_read_search; +-allow nut_upsmon_t self:unix_stream_socket connectto; ++allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; ++allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; ++allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; ++allow nut_upsmon_t self:tcp_socket create_socket_perms; ++ ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + ++# pid file ++manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) ++ ++kernel_read_kernel_sysctls(nut_upsmon_t) + kernel_read_system_state(nut_upsmon_t) + + corecmd_exec_bin(nut_upsmon_t) + corecmd_exec_shell(nut_upsmon_t) + +-corenet_all_recvfrom_unlabeled(nut_upsmon_t) +-corenet_all_recvfrom_netlabel(nut_upsmon_t) +-corenet_tcp_sendrecv_generic_if(nut_upsmon_t) +-corenet_tcp_sendrecv_generic_node(nut_upsmon_t) +-corenet_tcp_sendrecv_all_ports(nut_upsmon_t) +-corenet_tcp_bind_generic_node(nut_upsmon_t) +- +-corenet_sendrecv_ups_client_packets(nut_upsmon_t) + corenet_tcp_connect_ups_port(nut_upsmon_t) +- +-corenet_sendrecv_generic_client_packets(nut_upsmon_t) + corenet_tcp_connect_generic_port(nut_upsmon_t) + ++# Creates /etc/killpower + files_manage_etc_runtime_files(nut_upsmon_t) + files_etc_filetrans_etc_runtime(nut_upsmon_t, file) + files_search_usr(nut_upsmon_t) + ++# /usr/bin/wall + term_write_all_terms(nut_upsmon_t) + ++# upsmon runs shutdown, probably need a shutdown domain ++init_rw_utmp(nut_upsmon_t) ++init_telinit(nut_upsmon_t) ++ 
++logging_send_syslog_msg(nut_upsmon_t) ++ + auth_use_nsswitch(nut_upsmon_t) + + mta_send_mail(nut_upsmon_t) + ++systemd_start_power_services(nut_upsmon_t) ++ + optional_policy(` + shutdown_domtrans(nut_upsmon_t) + ') + + ######################################## + # +-# Upsdrvctl local policy ++# Local policy for upsdrvctl + # + ++allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; ++allow nut_upsdrvctl_t self:process { sigchld signal signull }; + allow nut_upsdrvctl_t self:fd use; ++allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; ++allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsdrvctl_t self:udp_socket create_socket_perms; ++ ++can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) + ++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) ++ ++# pid file ++manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) + manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) ++files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) ++ ++kernel_read_kernel_sysctls(nut_upsdrvctl_t) + ++# /sbin/upsdrvctl executes other drivers + corecmd_exec_bin(nut_upsdrvctl_t) + + dev_read_sysfs(nut_upsdrvctl_t) +@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t) + dev_rw_generic_usb_dev(nut_upsdrvctl_t) + + term_use_unallocated_ttys(nut_upsdrvctl_t) ++term_use_usb_ttys(nut_upsdrvctl_t) + + auth_use_nsswitch(nut_upsdrvctl_t) + + init_sigchld(nut_upsdrvctl_t) + ++logging_send_syslog_msg(nut_upsdrvctl_t) ++ ++ + ####################################### + # +-# Cgi local policy ++# Local policy for upscgi scripts ++# requires httpd_enable_cgi and httpd_can_network_connect + # + + optional_policy(` + apache_content_template(nutups_cgi) + +- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms; +- allow httpd_nutups_cgi_script_t 
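Review bot: The upsmon section adds `init_telinit(nut_upsmon_t)` under the comment `# upsmon runs shutdown, probably need a shutdown domain`, while the hunk's context already carries `optional_policy(` shutdown_domtrans(nut_upsmon_t) ')`; the comment leaves the decision open, and the direct telinit grant stays in force even on systems where the shutdown domain is available. Either make `init_telinit` the fallback for builds without the shutdown module or document why both are needed, and replace the "probably" comment with the decision taken. The new `allow nut_upsdrvctl_t self:udp_socket create_socket_perms;` and the `{ dac_override kill setgid setuid }` capabilities for upsdrvctl have no why-comment, unlike the `# /sbin/upsdrvctl executes other drivers` line that follows them; a one-line comment naming the driver that needs UDP would let a later reviewer judge whether the grant is still required.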
nut_conf_t:file read_file_perms; +- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms; ++ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) ++ ++ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) ++ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) ++ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) ++ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) ++ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) ++ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) + + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) + ') +diff --git a/nx.if b/nx.if +index 251d681..50ae2a9 100644 +--- a/nx.if ++++ b/nx.if +@@ -35,7 +35,9 @@ interface(`nx_read_home_files',` + ') + + files_search_var_lib($1) +- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t) ++ allow $1 nx_server_var_lib_t:dir search_dir_perms; ++ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) ++ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + ') + + ######################################## +@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',` + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) + ') ++ ++######################################## ++## ++## Transition to nx named content ++## ++## ++## ++## Domain allowed access. 
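Review bot: The CGI block's new header says the policy `requires httpd_enable_cgi and httpd_can_network_connect`, but the eight `corenet_*` rules added for `httpd_nutups_cgi_script_t`, including `corenet_tcp_connect_ups_port`, are unconditional, so the CGI scripts can reach the UPS port and send/receive on all ports whether or not `httpd_can_network_connect` is enabled. If the boolean is meant to gate this, wrap the network rules in `tunable_policy(`httpd_can_network_connect',`` … `')`; otherwise correct the comment so it does not promise a gate that is not there. `corenet_tcp_sendrecv_all_ports` and the three `corenet_udp_*` rules are also wider than the UPS port the scripts talk to, and deserve a comment saying why all ports are needed.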
++## ++## ++# ++interface(`nx_filetrans_named_content',` ++ gen_require(` ++ type nx_server_home_ssh_t, nx_server_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") ++') +diff --git a/nx.te b/nx.te +index b1832ca..d181d03 100644 +--- a/nx.te ++++ b/nx.te +@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) + type nx_server_var_run_t; + files_pid_file(nx_server_var_run_t) + ++type nx_server_home_ssh_t; ++files_type(nx_server_home_ssh_t) ++ + ######################################## + # + # Local policy +@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) + manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) + files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + ++manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) ++manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) ++ + kernel_read_system_state(nx_server_t) + kernel_read_kernel_sysctls(nx_server_t) + + corecmd_exec_shell(nx_server_t) + corecmd_exec_bin(nx_server_t) + +-corenet_all_recvfrom_unlabeled(nx_server_t) + corenet_all_recvfrom_netlabel(nx_server_t) + corenet_tcp_sendrecv_generic_if(nx_server_t) + corenet_tcp_sendrecv_generic_node(nx_server_t) +@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t) + + dev_read_urand(nx_server_t) + +-files_read_etc_files(nx_server_t) + files_read_etc_runtime_files(nx_server_t) +-files_read_usr_files(nx_server_t) +- +-miscfiles_read_localization(nx_server_t) +- +-seutil_dontaudit_search_config(nx_server_t) + + sysnet_read_config(nx_server_t) + +diff --git a/oav.te b/oav.te +index 75fdf58..1a9e754 100644 +--- a/oav.te ++++ b/oav.te +@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t) + domain_use_interactive_fds(scannerdaemon_t) + + files_exec_etc_files(scannerdaemon_t) +-files_read_etc_files(scannerdaemon_t) + files_read_etc_runtime_files(scannerdaemon_t) + files_search_var_lib(scannerdaemon_t) 
+ +diff --git a/obex.fc b/obex.fc +index 03fa560..000c5fe 100644 +--- a/obex.fc ++++ b/obex.fc +@@ -1 +1 @@ +-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) ++/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) +diff --git a/obex.if b/obex.if +index 8635ea2..eec20b4 100644 +--- a/obex.if ++++ b/obex.if +@@ -1,15 +1,50 @@ + ## D-Bus service providing high-level OBEX client and server side functionality. + +-####################################### ++######################################## + ## +-## The role template for obex. ++## Transition to obex. + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`obex_domtrans',` ++ gen_require(` ++ type obex_t, obex_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, obex_exec_t, obex_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## obex over dbus. ++## ++## ++## ++## Domain allowed access. ++## + ## ++# ++interface(`obex_dbus_chat',` ++ gen_require(` ++ type obex_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 obex_t:dbus send_msg; ++ allow obex_t $1:dbus send_msg; ++') ++ ++####################################### ++## ++## Role access for obex domains ++## that executes via dbus-session ++## + ## + ## + ## The role associated with the user domain. +@@ -20,69 +55,34 @@ + ## The type of the user domain. + ## + ## ++## ++## ++## User domain prefix to be used. 
++## ++## + # +-template(`obex_role_template',` ++template(`obex_role',` + gen_require(` + attribute_role obex_roles; +- type obex_t, obex_exec_exec_t; ++ type obex_t, obex_exec_t; + ') + + ######################################## +- # ++ # + # Declarations + # + +- roleattribute $2 obex_roles; ++ roleattribute $1 obex_roles; + + ######################################## +- # ++ # + # Policy +- # +- +- allow $3 obex_t:process { ptrace signal_perms }; +- ps_process_pattern($3, obex_t) ++ # + +- dbus_spec_session_domain($1, obex_exec_t, obex_t) +- +- obex_dbus_chat($3) +-') ++ allow $2 obex_t:process signal_perms; ++ ps_process_pattern($2, obex_t) + +-######################################## +-## +-## Execute obex in the obex domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`obex_domtrans',` +- gen_require(` +- type obex_t, obex_exec_t; +- ') +- +- corecmd_search_bin($1) +- domtrans_pattern($1, obex_exec_t, obex_t) +-') +- +-######################################## +-## +-## Send and receive messages from +-## obex over dbus. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`obex_dbus_chat',` +- gen_require(` +- type obex_t; +- class dbus send_msg; +- ') ++ dbus_session_domain($3, obex_exec_t, obex_t) + +- allow $1 obex_t:dbus send_msg; +- allow obex_t $1:dbus send_msg; ++ obex_dbus_chat($2) + ') +diff --git a/obex.te b/obex.te +index cd29ea8..d01d2c8 100644 +--- a/obex.te ++++ b/obex.te +@@ -1,4 +1,4 @@ +-policy_module(obex, 1.0.0) ++policy_module(obex,1.0.0) + + ######################################## + # +@@ -14,30 +14,26 @@ role obex_roles types obex_t; + + ######################################## + # +-# Local policy ++# obex local policy + # + + allow obex_t self:fifo_file rw_fifo_file_perms; + allow obex_t self:socket create_stream_socket_perms; ++allow obex_t self:netlink_kobject_uevent_socket create_socket_perms; + +-dev_read_urand(obex_t) ++kernel_request_load_module(obex_t) + +-files_read_etc_files(obex_t) ++dev_read_urand(obex_t) + + logging_send_syslog_msg(obex_t) + +-miscfiles_read_localization(obex_t) +- + userdom_search_user_home_content(obex_t) + + optional_policy(` +- bluetooth_stream_connect(obex_t) +-') +- +-optional_policy(` + dbus_system_bus_client(obex_t) + + optional_policy(` ++ bluetooth_stream_connect(obex_t) + bluetooth_dbus_chat(obex_t) + ') + ') +diff --git a/oddjob.fc b/oddjob.fc +index dd1d9ef..fbbe3ff 100644 +--- a/oddjob.fc ++++ b/oddjob.fc +@@ -1,10 +1,10 @@ +-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + +-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0) + ++/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + /usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + +-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) +-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) 
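Review bot: `kernel_request_load_module(obex_t)` is added without a comment, and obex_t is a user-session D-Bus domain (the obex.if hunk above sets it up with `dbus_session_domain`), so this lets an unprivileged session daemon trigger kernel module auto-loading by name; the `netlink_kobject_uevent_socket` grant in the same hunk is equally unexplained. Add a one-line comment above it stating what operation triggers the load request, or move it into the inner `bluetooth_*` optional_policy block if it is only needed for Bluetooth. Moving `bluetooth_stream_connect(obex_t)` under the `dbus_system_bus_client` optional block also makes it conditional on the dbus module being present; say so in a comment if that is intended.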
++/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) ++/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +diff --git a/oddjob.if b/oddjob.if +index c87bd2a..7de054a 100644 +--- a/oddjob.if ++++ b/oddjob.if +@@ -1,4 +1,8 @@ +-## D-BUS service which runs odd jobs on behalf of client applications. ++## ++## Oddjob provides a mechanism by which unprivileged applications can ++## request that specified privileged operations be performed on their ++## behalf. ++## + + ######################################## + ## +@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',` + type oddjob_t, oddjob_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, oddjob_exec_t, oddjob_t) + ') + ++##################################### ++## ++## Do not audit attempts to read and write ++## oddjob fifo file. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`oddjob_dontaudit_rw_fifo_file',` ++ gen_require(` ++ type oddjob_t; ++ ') ++ ++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ + ######################################## + ## +-## Make the specified program domain +-## accessable from the oddjob. ++## Make the specified program domain accessable ++## from the oddjob. + ## + ## + ## +@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',` + ') + + domtrans_pattern(oddjob_t, $2, $1) ++ domain_user_exemption_target($1) + ') + + ######################################## +@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',` + allow oddjob_t $1:dbus send_msg; + ') + +-######################################## ++###################################### + ## +-## Execute a domain transition to +-## run oddjob mkhomedir. ++## Send a SIGCHLD signal to oddjob. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. 
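Review bot: The new `oddjob_dontaudit_rw_fifo_file` interface replaces `oddjob_dontaudit_rw_fifo_files`, which the `@@ -105,46 +141,70 @@` hunk further down deletes outright, so any module that still calls the plural name will fail to build; the permission set also changes from `rw_fifo_file_perms` to `rw_inherited_fifo_file_perms`. Keep the old name as a deprecated wrapper that emits a `refpolicywarn` and calls `oddjob_dontaudit_rw_fifo_file($1)` until callers are updated. Removing `corecmd_search_bin($1)` from `oddjob_domtrans` (and from `oddjob_domtrans_mkhomedir` in the later hunk) means callers that do not already search bin directories lose the path lookup; that behaviour change is worth a comment.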
+ ## + ## + # ++interface(`oddjob_sigchld',` ++ gen_require(` ++ type oddjob_t; ++ ') ++ ++ allow $1 oddjob_t:process sigchld; ++') ++ ++######################################## ++## ++## Execute a domain transition to run oddjob_mkhomedir. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# + interface(`oddjob_domtrans_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + ') + + ######################################## + ## +-## Execute oddjob mkhomedir in the +-## oddjob mkhomedir domain and allow +-## the specified role the oddjob +-## mkhomedir domain. ++## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. + ## + ## + ## +@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',` + # + interface(`oddjob_run_mkhomedir',` + gen_require(` +- attribute_role oddjob_mkhomedir_roles; ++ type oddjob_mkhomedir_t; + ') + + oddjob_domtrans_mkhomedir($1) +- roleattribute $2 oddjob_mkhomedir_roles; ++ role $2 types oddjob_mkhomedir_t; + ') + +-##################################### ++####################################### + ## +-## Do not audit attempts to read and write +-## oddjob fifo files. ++## Execute oddjob in the oddjob domain. + ## + ## +-## +-## Domain to not audit. +-## ++## ++## Domain allowed to transition. ++## + ## + # +-interface(`oddjob_dontaudit_rw_fifo_files',` +- gen_require(` +- type oddjob_t; +- ') ++interface(`oddjob_systemctl',` ++ gen_require(` ++ type oddjob_unit_file_t; ++ type oddjob_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 oddjob_unit_file_t:file read_file_perms; ++ allow $1 oddjob_unit_file_t:service manage_service_perms; + +- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; ++ ps_process_pattern($1, oddjob_t) + ') + +-###################################### ++######################################## + ## +-## Send child terminated signals to oddjob. 
++## Create a domain which can be started by init, ++## with a range transition. + ## + ## + ## +-## Domain allowed access. ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ++## ++## ++## ++## ++## Range for the domain. + ## + ## + # +-interface(`oddjob_sigchld',` ++interface(`oddjob_ranged_domain',` + gen_require(` + type oddjob_t; + ') + +- allow $1 oddjob_t:process sigchld; ++ oddjob_system_entry($1, $2) ++ ++ ifdef(`enable_mcs',` ++ range_transition oddjob_t $2:process $3; ++ ') ++ ++ ifdef(`enable_mls',` ++ range_transition oddjob_t $2:process $3; ++ mls_rangetrans_target($1) ++ ') + ') +diff --git a/oddjob.te b/oddjob.te +index 296a1d3..edc3e32 100644 +--- a/oddjob.te ++++ b/oddjob.te +@@ -1,12 +1,10 @@ +-policy_module(oddjob, 1.9.2) ++policy_module(oddjob, 1.9.0) + + ######################################## + # + # Declarations + # + +-attribute_role oddjob_mkhomedir_roles; +- + type oddjob_t; + type oddjob_exec_t; + domain_type(oddjob_t) +@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t; + domain_type(oddjob_mkhomedir_t) + domain_obj_id_change_exemption(oddjob_mkhomedir_t) + init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t; ++oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + ++# pid files + type oddjob_var_run_t; + files_pid_file(oddjob_var_run_t) + ++type oddjob_unit_file_t; ++systemd_unit_file(oddjob_unit_file_t) ++ + ifdef(`enable_mcs',` + init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) + ') + + ######################################## + # +-# Local policy ++# oddjob local policy + # + + allow oddjob_t self:capability setgid; +@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) + manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) + files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) + 
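Review bot: The summary on the new `oddjob_systemctl` interface, `Execute oddjob in the oddjob domain.`, is copied from a domtrans interface and does not describe what the body does (`systemd_exec_systemctl`, read and `manage_service_perms` on `oddjob_unit_file_t`, `ps_process_pattern`); change it to `Execute systemctl to manage the oddjob unit file and service.`. In `oddjob_ranged_domain` the `enable_mcs` and `enable_mls` branches both emit the same `range_transition oddjob_t $2:process $3;` and only the MLS branch adds `mls_rangetrans_target($1)`; a one-line comment on why the MCS branch needs no target marking would stop a later reader from "fixing" the asymmetry.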
+-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) +- + kernel_read_system_state(oddjob_t) + + corecmd_exec_bin(oddjob_t) +@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t) + + selinux_compute_create_context(oddjob_t) + ++ + auth_use_nsswitch(oddjob_t) + +-miscfiles_read_localization(oddjob_t) + + locallogin_dontaudit_use_fds(oddjob_t) + +@@ -71,13 +71,13 @@ optional_policy(` + + ######################################## + # +-# Mkhomedir local policy ++# oddjob_mkhomedir local policy + # + + allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; + allow oddjob_mkhomedir_t self:process setfscreate; + allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; +-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; ++allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + + kernel_read_system_state(oddjob_mkhomedir_t) + +@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) + + logging_send_syslog_msg(oddjob_mkhomedir_t) + +-miscfiles_read_localization(oddjob_mkhomedir_t) + + selinux_get_fs_mount(oddjob_mkhomedir_t) + selinux_validate_context(oddjob_mkhomedir_t) +@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t) + seutil_read_file_contexts(oddjob_mkhomedir_t) + seutil_read_default_contexts(oddjob_mkhomedir_t) + ++# Add/remove user home directories + userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) +-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +-userdom_manage_user_home_content_files(oddjob_mkhomedir_t) + userdom_manage_user_home_dirs(oddjob_mkhomedir_t) +-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) ++userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) ++userdom_manage_user_home_content(oddjob_mkhomedir_t) ++userdom_home_manager(oddjob_mkhomedir_t) ++userdom_stream_connect(oddjob_mkhomedir_t) ++ +diff --git a/openct.te b/openct.te +index 8467596..428ae48 100644 +--- a/openct.te ++++ b/openct.te 
+@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t)
+ 
+ dontaudit openct_t self:capability sys_tty_config;
+ allow openct_t self:process signal_perms;
++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+ 
+-can_exec(openct_t, openct_exec_t)
+-
+ kernel_read_kernel_sysctls(openct_t)
+ kernel_list_proc(openct_t)
+ kernel_read_proc_symlinks(openct_t)
+ 
++can_exec(openct_t, openct_exec_t)
++
+ dev_read_sysfs(openct_t)
+ dev_rw_usbfs(openct_t)
+ dev_rw_smartcard(openct_t)
+@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
+ 
+ domain_use_interactive_fds(openct_t)
+ 
+-files_read_etc_files(openct_t)
+ 
+ fs_getattr_all_fs(openct_t)
+ fs_search_auto_mountpoints(openct_t)
+ 
+ logging_send_syslog_msg(openct_t)
+ 
+-miscfiles_read_localization(openct_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(openct_t)
+ userdom_dontaudit_search_user_home_dirs(openct_t)
+ 
+diff --git a/openhpi.te b/openhpi.te
+index 7f398c0..e66751b 100644
+--- a/openhpi.te
++++ b/openhpi.te
+@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
+ 
+ dev_read_urand(openhpid_t)
+ 
+-files_read_etc_files(openhpid_t)
+ 
+ logging_send_syslog_msg(openhpid_t)
+ 
+diff --git a/openhpid.fc b/openhpid.fc
+new file mode 100644
+index 0000000..9441fd7
+--- /dev/null
++++ b/openhpid.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
++
++/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
++
++/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
++
++/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
+diff --git a/openhpid.if b/openhpid.if
+new file mode 100644
+index 0000000..598789a
+--- /dev/null
++++ b/openhpid.if
+@@ -0,0 +1,159 @@
++
++## policy for openhpid
++
++
++########################################
++##
++## Transition to openhpid.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openhpid_domtrans',`
++ gen_require(`
++ type openhpid_t, openhpid_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
++')
++
++
++########################################
++##
++## Execute openhpid server in the openhpid domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_initrc_domtrans',`
++ gen_require(`
++ type openhpid_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
++')
++
++
++########################################
++##
++## Search openhpid lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_search_lib',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ allow $1 openhpid_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read openhpid lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_read_lib_files',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++##
++## Manage openhpid lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_manage_lib_files',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++##
++## Manage openhpid lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openhpid_manage_lib_dirs',`
++ gen_require(`
++ type openhpid_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an openhpid environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`openhpid_admin',`
++ gen_require(`
++ type openhpid_t;
++ type openhpid_initrc_exec_t;
++ type openhpid_var_lib_t;
++ ')
++
++ allow $1 openhpid_t:process { ptrace signal_perms };
++ ps_process_pattern($1, openhpid_t)
++
++ openhpid_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 openhpid_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, openhpid_var_lib_t)
++
++
++
++')
++
+diff --git a/openhpid.te b/openhpid.te
+new file mode 100644
+index 0000000..51acfae
+--- /dev/null
++++ b/openhpid.te
+@@ -0,0 +1,47 @@
++policy_module(openhpid, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openhpid_t;
++type openhpid_exec_t;
++init_daemon_domain(openhpid_t, openhpid_exec_t)
++
++type openhpid_initrc_exec_t;
++init_script_file(openhpid_initrc_exec_t)
++
++type openhpid_var_lib_t;
++files_type(openhpid_var_lib_t)
++
++type openhpid_var_run_t;
++files_pid_file(openhpid_var_run_t)
++
++########################################
++#
++# openhpid local policy
++#
++
++allow openhpid_t self:capability { kill };
++allow openhpid_t self:process signal_perms;
++
++allow
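Review bot: `openhpid_admin` requires and administers `openhpid_t`, `openhpid_initrc_exec_t` and `openhpid_var_lib_t` but not `openhpid_var_run_t`, which openhpid.te declares and openhpid.fc labels at `/var/run/openhpid\.pid`, so the admin role cannot clean up a stale pid file the way the other `*_admin` interfaces in this patch do (compare the deleted `nut_admin`, which pairs `files_search_pids($1)` with `admin_pattern` on the pid type). Add `type openhpid_var_run_t;` to the `gen_require`, then `files_search_pids($1)` and `admin_pattern($1, openhpid_var_run_t)` before the closing `')`. The three blank lines before that `')` should also go.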
openhpid_t self:fifo_file rw_fifo_file_perms;
++allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
++allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
++allow openhpid_t self:tcp_socket create_stream_socket_perms;
++allow openhpid_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
++
++manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
++files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
++
++corenet_tcp_bind_generic_node(openhpid_t)
++corenet_tcp_bind_openhpid_port(openhpid_t)
++
++dev_read_urand(openhpid_t)
++
++logging_send_syslog_msg(openhpid_t)
+diff --git a/openshift-origin.fc b/openshift-origin.fc
+new file mode 100644
+index 0000000..30ca148
+--- /dev/null
++++ b/openshift-origin.fc
+@@ -0,0 +1 @@
++# Left Blank
+diff --git a/openshift-origin.if b/openshift-origin.if
+new file mode 100644
+index 0000000..3eb6a30
+--- /dev/null
++++ b/openshift-origin.if
+@@ -0,0 +1 @@
++##
+diff --git a/openshift-origin.te b/openshift-origin.te
+new file mode 100644
+index 0000000..a437f80
+--- /dev/null
++++ b/openshift-origin.te
+@@ -0,0 +1,13 @@
++policy_module(openshift-origin,1.0.0)
++gen_require(`
++ attribute openshift_domain;
++')
++
++########################################
++#
++# openshift origin standard local policy
++#
++allow openshift_domain self:socket_class_set create_socket_perms;
++corenet_tcp_connect_all_ports(openshift_domain)
++corenet_tcp_bind_all_ports(openshift_domain)
++files_read_config_files(openshift_domain)
+diff --git a/openshift.fc b/openshift.fc
+new file mode 100644
+index 0000000..f2d6119
+--- /dev/null
++++ b/openshift.fc
+@@ -0,0 +1,26 @@
++/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mcollective
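Review bot: openhpid.te declares `type openhpid_t;` and `type openhpid_exec_t;`, yet the existing openhpi.te module patched earlier in this same file (the `@@ -50,7 +50,6 @@` hunk with `dev_read_urand(openhpid_t)` and `corenet_tcp_sendrecv_openhpid_port(openhpid_t)`) already applies rules to an `openhpid_t` domain, which it presumably declares itself; two modules declaring the same type will not link together unless openhpi is removed from the module list, and that is not visible here. Either drop the openhpi module in the same change or give the new module distinct type names. Minor: `allow openhpid_t self:capability { kill };` and `files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })` do not need braces around a single item.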
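Review bot: `corenet_tcp_connect_all_ports(openshift_domain)` and `corenet_tcp_bind_all_ports(openshift_domain)` in openshift-origin.te let every domain carrying the `openshift_domain` attribute bind to and connect to any TCP port, including reserved and otherwise labelled service ports, with no boolean to turn it off, and `allow openshift_domain self:socket_class_set create_socket_perms;` covers every socket class at once. If gears genuinely need arbitrary ports, put the two `corenet_*_all_ports` rules under a `tunable_policy` with a new boolean (name to be chosen) that defaults off, so a deployment can keep the narrower per-port policy; at minimum add a comment above them stating why all ports are required. The top-level `gen_require` of `attribute openshift_domain` also makes this module unloadable without the openshift module; a one-line comment saying that dependency is deliberate would help.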
gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++ ++/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0) ++ ++/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) ++/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) ++/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) ++/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) ++ ++/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) ++/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) ++/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) ++/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) ++ ++/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0) ++ ++/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) ++ ++/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0) ++/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++ ++/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) ++/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) +diff --git a/openshift.if b/openshift.if +new file mode 100644 +index 0000000..e03de01 +--- /dev/null ++++ b/openshift.if +@@ -0,0 +1,700 @@ ++ ++## policy for openshift ++ ++######################################## ++## ++## Execute openshift server in the openshift domain. ++## ++## ++## ++## The type of the process performing this action. 
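Review bot: `/etc/cron.minutely/openshift-facts` and `/usr/s?bin/(oo|rhc)-restorer-wrapper.sh` leave the `.` unescaped while every other entry in this file escapes it (`rc\.d/init\.d`, `mcollective\.log`, `\.tmp`, `\.sandbox`), so the unescaped dot is a regex wildcard and the match is looser than intended. Use `/etc/cron\.minutely/openshift-facts` and `/usr/s?bin/(oo|rhc)-restorer-wrapper\.sh`. The wrapper is labelled `httpd_openshift_script_exec_t` while `(oo|rhc)-restorer` beside it gets `openshift_initrc_exec_t`; a short comment explaining why the wrapper runs as an httpd script would prevent a later relabel that breaks it.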
++## ++## ++# ++interface(`openshift_initrc_domtrans',` ++ gen_require(` ++ type openshift_initrc_t; ++ type openshift_initrc_exec_t; ++ ') ++ ++ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t) ++') ++ ++####################################### ++## ++## Execute openshift server in the openshift domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## Role access to this domain. ++## ++## ++# ++interface(`openshift_initrc_run',` ++ gen_require(` ++ type openshift_initrc_t; ++ type openshift_initrc_exec_t; ++ ') ++ ++ openshift_initrc_domtrans($1) ++ role $2 types openshift_initrc_t; ++') ++ ++######################################## ++## ++## Send a null signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signull',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signull; ++') ++ ++####################################### ++## ++## Send a signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signal',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signal; ++') ++ ++######################################## ++## ++## Search openshift cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_search_cache',` ++ gen_require(` ++ type openshift_cache_t; ++ ') ++ ++ allow $1 openshift_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read openshift cache files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openshift_read_cache_files',` ++ gen_require(` ++ type openshift_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, openshift_cache_t, openshift_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## openshift cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_cache_files',` ++ gen_require(` ++ type openshift_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, openshift_cache_t, openshift_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## openshift cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_cache_dirs',` ++ gen_require(` ++ type openshift_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t) ++') ++ ++ ++######################################## ++## ++## Allow the specified domain to read openshift's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`openshift_read_log',` ++ gen_require(` ++ type openshift_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, openshift_log_t, openshift_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## openshift log files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openshift_append_log',` ++ gen_require(` ++ type openshift_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, openshift_log_t, openshift_log_t) ++') ++ ++######################################## ++## ++## Allow domain to manage openshift log files ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`openshift_manage_log',` ++ gen_require(` ++ type openshift_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, openshift_log_t, openshift_log_t) ++ manage_files_pattern($1, openshift_log_t, openshift_log_t) ++ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t) ++') ++ ++######################################## ++## ++## Search openshift lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_search_lib',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Getattr openshift lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_getattr_lib',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read openshift lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_read_lib_files',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++') ++ ++######################################## ++## ++## Read openshift lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_append_lib_files',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## openshift lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openshift_manage_lib_files',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## openshift lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_lib_dirs',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++') ++ ++######################################## ++## ++## Manage openshift lib content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_content',` ++ gen_require(` ++ attribute openshift_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, openshift_file_type, openshift_file_type) ++ manage_files_pattern($1, openshift_file_type, openshift_file_type) ++ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type) ++ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type) ++') ++ ++####################################### ++## ++## Create private objects in the ++## mail lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`openshift_lib_filetrans',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Read openshift PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openshift_read_pid_files',` ++ gen_require(` ++ type openshift_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 openshift_var_run_t:file read_file_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an openshift environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`openshift_admin',` ++ gen_require(` ++ attribute openshift_domain; ++ type openshift_initrc_exec_t; ++ type openshift_cache_t; ++ type openshift_log_t; ++ type openshift_var_lib_t; ++ type openshift_var_run_t; ++ ') ++ ++ allow $1 openshift_domain:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 openshift_domain:process ptrace; ++ ') ++ ps_process_pattern($1, openshift_domain) ++ ++ openshift_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 openshift_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var($1) ++ admin_pattern($1, openshift_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, openshift_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, openshift_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, openshift_var_run_t) ++ ++') ++ ++######################################## ++## ++## Make the specified type usable as a openshift domain. ++## ++## ++## ++## The prefix of the domain (e.g., openshift ++## is the prefix for openshift_t). 
++## ++## ++# ++template(`openshift_service_domain_template',` ++ gen_require(` ++ attribute openshift_domain; ++ attribute openshift_user_domain; ++ ') ++ ++ type $1_t; ++ typeattribute $1_t openshift_domain, openshift_user_domain; ++ domain_type($1_t) ++ role system_r types $1_t; ++ mcs_constrained($1_t) ++ domain_user_exemption_target($1_t) ++ auth_use_nsswitch($1_t) ++ domain_subj_id_change_exemption($1_t) ++ domain_obj_id_change_exemption($1_t) ++ domain_dyntrans_type($1_t) ++ ++ kernel_read_system_state($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ ++ type $1_app_t; ++ typeattribute $1_app_t openshift_domain; ++ domain_type($1_app_t) ++ role system_r types $1_app_t; ++ mcs_constrained($1_app_t) ++ domain_user_exemption_target($1_app_t) ++ domain_obj_id_change_exemption($1_app_t) ++ domain_dyntrans_type($1_app_t) ++ auth_use_nsswitch($1_app_t) ++ ++ kernel_read_system_state($1_app_t) ++ ++ logging_send_syslog_msg($1_app_t) ++') ++ ++######################################## ++## ++## Make the specified type usable as a openshift domain. ++## ++## ++## ++## Type to be used as a openshift domain type. ++## ++## ++# ++interface(`openshift_net_type',` ++ gen_require(` ++ attribute openshift_net_domain; ++ ') ++ ++ typeattribute $1 openshift_net_domain; ++') ++ ++######################################## ++## ++## Read and write inherited openshift files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_rw_inherited_content',` ++ gen_require(` ++ attribute openshift_file_type; ++ ') ++ ++ allow $1 openshift_file_type:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Manage openshift tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_tmp_files',` ++ gen_require(` ++ type openshift_tmp_t; ++ ') ++ ++ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t) ++') ++ ++######################################## ++## ++## Manage openshift tmp sockets. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_tmp_sockets',` ++ gen_require(` ++ type openshift_tmp_t; ++ ') ++ ++ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t) ++') ++ ++######################################## ++## ++## Mounton openshift tmp directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_mounton_tmp',` ++ gen_require(` ++ type openshift_tmp_t; ++ ') ++ ++ allow $1 openshift_tmp_t:dir mounton; ++') ++ ++######################################## ++## ++## Dontaudit Read and write inherited script fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_dontaudit_rw_inherited_fifo_files',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Allow calling app to transition to an openshift domain ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++# ++interface(`openshift_transition',` ++ gen_require(` ++ attribute openshift_user_domain; ++ ') ++ ++ allow $1 openshift_user_domain:process transition; ++ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh }; ++ allow openshift_user_domain $1:fd use; ++ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms; ++ allow openshift_user_domain $1:process sigchld; ++ dontaudit $1 openshift_user_domain:socket_class_set { read write }; ++') ++ ++######################################## ++## ++## Allow calling app to transition to an openshift domain ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++# ++interface(`openshift_dyntransition',` ++ gen_require(` ++ attribute openshift_domain; ++ attribute openshift_user_domain; ++ ') ++ ++ allow $1 openshift_user_domain:process dyntransition; ++ dontaudit openshift_user_domain $1:key view; ++ allow openshift_user_domain $1:unix_stream_socket { connectto 
rw_socket_perms };
++ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
++ allow $1 openshift_user_domain:process { rlimitinh signal };
++ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
++')
++
++########################################
++##
++## Execute openshift in the openshift domain, and
++## allow the specified role the openshift domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`openshift_run',`
++ gen_require(`
++ type openshift_initrc_exec_t;
++ ')
++
++ openshift_initrc_domtrans($1)
++ role_transition $2 openshift_initrc_exec_t system_r;
++ openshift_transition($1)
++')
+diff --git a/openshift.te b/openshift.te
+new file mode 100644
+index 0000000..cd25e8e
+--- /dev/null
++++ b/openshift.te
+@@ -0,0 +1,555 @@
++policy_module(openshift,1.0.0)
++
++gen_require(`
++ role system_r;
++')
++
++########################################
++#
++# Declarations
++#
++
++
++# openshift applications that can use the network.
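Review bot: Several interface summaries and parameter descriptions in this new file are copy-paste leftovers that misdescribe the access the interface grants — `openshift_append_lib_files` is summarised as "Read openshift lib files.", `openshift_manage_lib_dirs` as deleting "openshift lib files", `openshift_lib_filetrans` as creating objects in "the mail lib directory", `openshift_net_type` as making a type "usable as a openshift domain" when its only rule is `typeattribute $1 openshift_net_domain;`, and the parameter of `openshift_manage_log` reads "Domain to not audit." while `openshift_append_log`'s reads "Domain allowed to transition.". These comments are what the generated interface documentation shows policy authors, so each should state the real access, e.g. `## Append openshift lib files.`, `## Create, read, write, and delete openshift lib dirs.`, `## Create private objects in the openshift lib directory.`, `## Make the specified type usable as an openshift network domain.`, and `## Domain allowed access.` for the two parameters. `openshift_dyntransition` also reuses `openshift_transition`'s one-line summary; its description should spell out that it grants `$1` `process dyntransition` into every type carrying `openshift_user_domain`, so the caller chooses the target context itself via setcon and must be trusted to pick the right gear context, and that it additionally lets all of those domains `connectto` and read/write the caller's unix stream and dgram sockets.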
++attribute openshift_net_domain; ++# Attribute representing all openshift user processes (excludes apache processes) ++attribute openshift_user_domain; ++# Attribute representing all openshift processes ++attribute openshift_domain; ++ ++# Attribute for all openshift content ++attribute openshift_file_type; ++ ++# Type of openshift init script ++type openshift_initrc_t; ++type openshift_initrc_exec_t; ++init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t) ++init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) ++domain_obj_id_change_exemption(openshift_initrc_t) ++optional_policy(` ++ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) ++') ++ ++type openshift_initrc_tmp_t; ++files_tmp_file(openshift_initrc_tmp_t) ++ ++type openshift_tmpfs_t; ++files_tmpfs_file(openshift_tmpfs_t) ++ ++type openshift_tmp_t, openshift_file_type; ++files_tmp_file(openshift_tmp_t) ++files_mountpoint(openshift_tmp_t) ++files_poly(openshift_tmp_t) ++files_poly_parent(openshift_tmp_t) ++ ++type openshift_var_run_t; ++files_pid_file(openshift_var_run_t) ++ ++type openshift_var_lib_t, openshift_file_type; ++userdom_user_home_content(openshift_var_lib_t) ++files_poly(openshift_var_lib_t) ++files_poly_parent(openshift_var_lib_t) ++files_mountpoint(openshift_var_lib_t) ++ ++type openshift_rw_file_t, openshift_file_type; ++files_poly(openshift_rw_file_t) ++files_poly_parent(openshift_rw_file_t) ++ ++type openshift_log_t; ++logging_log_file(openshift_log_t) ++ ++type openshift_port_t; ++corenet_port(openshift_port_t) ++corenet_reserved_port(openshift_port_t) ++ ++type openshift_cgroup_read_t; ++type openshift_cgroup_read_exec_t; ++application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t) ++ ++type openshift_cgroup_read_tmp_t, openshift_file_type; ++files_tmp_file(openshift_cgroup_read_tmp_t) ++ ++type openshift_cron_t; ++type openshift_cron_exec_t; ++domain_type(openshift_cron_t) 
++domain_entry_file(openshift_cron_t, openshift_cron_exec_t) ++role system_r types openshift_cron_t; ++ ++optional_policy(` ++ cron_system_entry(openshift_cron_t, openshift_cron_exec_t) ++') ++ ++type openshift_cron_tmp_t, openshift_file_type; ++files_tmp_file(openshift_cron_tmp_t) ++ ++######################################## ++# ++# Template to create openshift_t and openshift_app_t ++# ++ ++openshift_service_domain_template(openshift) ++ ++######################################## ++# ++# openshift initrc local policy ++# ++ ++unconfined_domain_noaudit(openshift_initrc_t) ++mcs_process_set_categories(openshift_initrc_t) ++ ++virt_sandbox_domain(openshift_initrc_t) ++ ++systemd_dbus_chat_logind(openshift_initrc_t) ++ ++manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) ++manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) ++manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) ++files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir }) ++ ++manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t) ++manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t) ++manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t) ++files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir }) ++ ++manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t) ++manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t) ++logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir }) ++ ++allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill }; ++allow openshift_domain openshift_initrc_t:fd use; ++allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; ++allow openshift_domain openshift_initrc_t:process sigchld; ++dontaudit openshift_domain 
openshift_initrc_t:key view; ++dontaudit openshift_domain openshift_initrc_t:process signull; ++dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write }; ++ ++init_domtrans_script(openshift_initrc_t) ++init_initrc_domain(openshift_initrc_t) ++ ++####################################################### ++# ++# Policy for all openshift domains ++# ++allow openshift_domain self:process ~ptrace; ++tunable_policy(`deny_ptrace',`',` ++ allow openshift_domain self:process ptrace; ++') ++ ++allow openshift_domain self:msg all_msg_perms; ++allow openshift_domain self:msgq create_msgq_perms; ++allow openshift_domain self:shm create_shm_perms; ++allow openshift_domain self:sem create_sem_perms; ++dontaudit openshift_domain self:dir write; ++dontaudit openshift_t self:unix_stream_socket recvfrom; ++dontaudit openshift_domain self:netlink_tcpdiag_socket create; ++dontaudit openshift_domain self:netlink_route_socket nlmsg_write; ++allow openshift_domain self:tcp_socket create_stream_socket_perms; ++allow openshift_domain self:fifo_file manage_fifo_file_perms; ++allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto }; ++dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay }; ++ ++manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) ++manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) ++manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) ++manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) ++manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) ++allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto }; ++ ++list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type) ++read_files_pattern(openshift_domain, 
openshift_file_type, openshift_file_type) ++rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type) ++rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type) ++read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type) ++allow openshift_domain openshift_file_type:file execmod; ++can_exec(openshift_domain, openshift_file_type) ++allow openshift_domain openshift_file_type:file entrypoint; ++# Allow users to execute files in their home dir ++allow openshift_domain openshift_file_type:file { execute execute_no_trans }; ++ ++# Dontaudit openshift domains trying to search other openshift domains directories, ++# this happens just when users are probing the system ++dontaudit openshift_domain openshift_file_type:dir search_dir_perms ++; ++ ++manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file }) ++can_exec(openshift_domain, openshift_tmpfs_t) ++ ++manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) ++manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) ++manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) ++manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) ++manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) ++files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file }) ++allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto }; ++ ++allow openshift_domain 
openshift_log_t:file { getattr append lock ioctl }; ++ ++#lsof ++allow openshift_domain openshift_initrc_t:tcp_socket getattr; ++ ++dontaudit openshift_domain openshift_initrc_tmp_t:file append; ++dontaudit openshift_domain openshift_var_run_t:file append; ++dontaudit openshift_domain openshift_file_type:sock_file execute; ++ ++kernel_read_network_state(openshift_domain) ++kernel_dontaudit_list_all_proc(openshift_domain) ++kernel_dontaudit_list_all_sysctls(openshift_domain) ++kernel_dontaudit_request_load_module(openshift_domain) ++kernel_get_sysvipc_info(openshift_domain) ++ ++corecmd_shell_entry_type(openshift_domain) ++corecmd_bin_entry_type(openshift_domain) ++corecmd_exec_all_executables(openshift_domain) ++ ++dev_read_sysfs(openshift_domain) ++dev_read_rand(openshift_domain) ++dev_read_urand(openshift_domain) ++dev_dontaudit_append_rand(openshift_domain) ++dev_dontaudit_write_urand(openshift_domain) ++dev_dontaudit_getattr_all_blk_files(openshift_domain) ++dev_dontaudit_getattr_all_chr_files(openshift_domain) ++dev_dontaudit_all_access_check(openshift_domain) ++ ++domain_use_interactive_fds(openshift_domain) ++domain_dontaudit_read_all_domains_state(openshift_domain) ++ ++files_read_var_lib_symlinks(openshift_domain) ++ ++fs_rw_hugetlbfs_files(openshift_domain) ++fs_rw_anon_inodefs_files(openshift_domain) ++fs_search_tmpfs(openshift_domain) ++fs_getattr_all_fs(openshift_domain) ++fs_dontaudit_getattr_all_fs(openshift_domain) ++fs_list_inotifyfs(openshift_domain) ++fs_dontaudit_list_auto_mountpoints(openshift_domain) ++fs_dontaudit_list_tmpfs(openshift_domain) ++storage_dontaudit_getattr_fixed_disk_dev(openshift_domain) ++storage_getattr_fixed_disk_dev(openshift_domain) ++fs_get_xattr_fs_quotas(openshift_domain) ++fs_rw_inherited_tmpfs_files(openshift_domain) ++fs_dontaudit_rw_anon_inodefs_files(openshift_domain) ++ ++dontaudit openshift_domain file_type:dir read; ++files_dontaudit_list_home(openshift_domain) ++files_dontaudit_search_all_pids(openshift_domain) 
++files_dontaudit_getattr_all_dirs(openshift_domain) ++files_dontaudit_getattr_all_files(openshift_domain) ++files_dontaudit_list_mnt(openshift_domain) ++files_dontaudit_list_var(openshift_domain) ++files_dontaudit_getattr_lost_found_dirs(openshift_domain) ++files_dontaudit_search_all_mountpoints(openshift_domain) ++files_dontaudit_search_spool(openshift_domain) ++files_dontaudit_search_all_dirs(openshift_domain) ++files_exec_etc_files(openshift_domain) ++files_exec_usr_files(openshift_domain) ++files_dontaudit_getattr_non_security_sockets(openshift_domain) ++files_dontaudit_setattr_non_security_dirs(openshift_domain) ++files_dontaudit_setattr_non_security_files(openshift_domain) ++files_dontaudit_rw_inherited_locks(openshift_domain) ++ ++libs_exec_lib_files(openshift_domain) ++libs_exec_ld_so(openshift_domain) ++ ++selinux_validate_context(openshift_domain) ++ ++logging_inherit_append_all_logs(openshift_domain) ++ ++init_dontaudit_read_utmp(openshift_domain) ++ ++miscfiles_read_fonts(openshift_domain) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain) ++ ++mta_dontaudit_read_spool_symlinks(openshift_domain) ++ ++term_dontaudit_search_ptys(openshift_domain) ++term_use_generic_ptys(openshift_domain) ++term_dontaudit_getattr_generic_ptys(openshift_domain) ++term_use_ptmx(openshift_domain) ++ ++userdom_use_inherited_user_ptys(openshift_domain) ++userdom_dontaudit_search_admin_dir(openshift_domain) ++ ++application_exec(openshift_domain) ++ ++optional_policy(` ++ apache_exec_modules(openshift_domain) ++ apache_list_modules(openshift_domain) ++ apache_read_config(openshift_domain) ++ apache_search_config(openshift_domain) ++ apache_read_sys_content(openshift_domain) ++ apache_exec_sys_script(openshift_domain) ++ apache_entrypoint(openshift_domain) ++ apache_dontaudit_read_log(openshift_domain) ++') ++ ++optional_policy(` ++ ############################################# ++ # ++ # openshift cgi script policy ++ # ++ apache_content_template(openshift) ++ 
domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t) ++ ++ optional_policy(` ++ dbus_system_bus_client(httpd_openshift_script_t) ++ ++ optional_policy(` ++ oddjob_dbus_chat(httpd_openshift_script_t) ++ oddjob_dontaudit_rw_fifo_file(openshift_domain) ++ ') ++ ') ++') ++ ++optional_policy(` ++ cron_role(system_r, openshift_domain) ++') ++ ++optional_policy(` ++ gpg_entry_type(openshift_domain) ++') ++ ++optional_policy(` ++ mysql_search_db(openshift_domain) ++') ++ ++optional_policy(` ++ screen_exec(openshift_domain) ++') ++ ++optional_policy(` ++ ssh_use_ptys(openshift_domain) ++ ssh_getattr_user_home_dir(openshift_domain) ++ ssh_dontaudit_search_user_home_dir(openshift_domain) ++') ++ ++optional_policy(` ++ udev_read_pid_files(openshift_domain) ++') ++ ++####################################################### ++# ++# Policy for openshift user domain process ++# ++manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) ++manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) ++manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) ++manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) ++manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) ++allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto }; ++ ++allow openshift_user_domain openshift_domain:process transition; ++allow openshift_domain openshift_user_domain:fd use; ++allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms; ++allow openshift_domain openshift_user_domain:process sigchld; ++dontaudit openshift_domain openshift_user_domain:key view; ++dontaudit openshift_domain openshift_user_domain:process signull; ++dontaudit openshift_domain openshift_user_domain:socket_class_set { read write }; ++ ++tunable_policy(`deny_ptrace',`',` ++ allow 
openshift_user_domain openshift_domain:process ptrace; ++') ++ ++mta_signal_user_agent(openshift_user_domain) ++ ++optional_policy(` ++ ssh_rw_tcp_sockets(openshift_user_domain) ++') ++ ++############################################################################ ++# ++# Rules specific to openshift_net_domains ++# ++allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind }; ++allow openshift_net_domain openshift_port_t:udp_socket name_bind; ++ ++corenet_tcp_connect_mssql_port(openshift_net_domain) ++corenet_tcp_connect_mysqld_port(openshift_net_domain) ++corenet_tcp_connect_postgresql_port(openshift_net_domain) ++corenet_tcp_connect_git_port(openshift_net_domain) ++corenet_tcp_connect_oracle_port(openshift_net_domain) ++corenet_tcp_connect_flash_port(openshift_net_domain) ++corenet_tcp_connect_http_port(openshift_net_domain) ++corenet_tcp_connect_ftp_port(openshift_net_domain) ++#/* These ports are the ephemeral ports needed for ftp */ ++corenet_tcp_connect_virt_migration_port(openshift_net_domain) ++corenet_tcp_connect_ssh_port(openshift_net_domain) ++corenet_tcp_connect_jacorb_port(openshift_net_domain) ++corenet_tcp_connect_jboss_management_port(openshift_net_domain) ++corenet_tcp_connect_jboss_debug_port(openshift_net_domain) ++corenet_tcp_connect_jboss_messaging_port(openshift_net_domain) ++corenet_tcp_connect_memcache_port(openshift_net_domain) ++corenet_tcp_connect_http_cache_port(openshift_net_domain) ++corenet_tcp_connect_amqp_port(openshift_net_domain) ++corenet_tcp_connect_generic_port(openshift_net_domain) ++corenet_tcp_connect_mongod_port(openshift_net_domain) ++corenet_tcp_connect_munin_port(openshift_net_domain) ++corenet_tcp_connect_pop_port(openshift_net_domain) ++corenet_tcp_connect_pulseaudio_port(openshift_net_domain) ++corenet_tcp_connect_smtp_port(openshift_net_domain) ++corenet_tcp_connect_whois_port(openshift_net_domain) ++corenet_udp_bind_generic_port(openshift_net_domain) 
++corenet_tcp_bind_http_cache_port(openshift_domain) ++corenet_tcp_bind_jacorb_port(openshift_net_domain) ++corenet_tcp_bind_jboss_management_port(openshift_net_domain) ++corenet_tcp_bind_jboss_messaging_port(openshift_net_domain) ++corenet_tcp_bind_jboss_debug_port(openshift_net_domain) ++corenet_tcp_bind_mongod_port(openshift_net_domain) ++corenet_tcp_bind_mysqld_port(openshift_domain) ++corenet_tcp_bind_pulseaudio_port(openshift_net_domain) ++corenet_tcp_bind_postgresql_port(openshift_net_domain) ++ ++############################################################################ ++# ++# Rules specific to openshift and openshift_app_t ++# ++kernel_read_vm_sysctls(openshift_t) ++kernel_read_vm_sysctls(openshift_app_t) ++kernel_search_vm_sysctl(openshift_t) ++kernel_search_vm_sysctl(openshift_app_t) ++netutils_domtrans_ping(openshift_t) ++netutils_kill_ping(openshift_t) ++netutils_signal_ping(openshift_t) ++ ++openshift_net_type(openshift_app_t) ++openshift_net_type(openshift_t) ++ ++optional_policy(` ++ postfix_rw_public_pipes(openshift_t) ++ postfix_manage_spool_maildrop_files(openshift_t) ++') ++ ++######################################## ++# ++# openshift_cgroup_read local policy ++# ++ ++allow openshift_cgroup_read_t self:process { getattr signal_perms }; ++allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms; ++allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms; ++allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; ++ ++allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms; ++ ++manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t) ++manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t) ++files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir }) ++ ++kernel_read_system_state(openshift_cgroup_read_t) ++ 
++term_dontaudit_use_generic_ptys(openshift_cgroup_read_t) ++ ++auth_read_passwd(openshift_cgroup_read_t) ++ ++miscfiles_read_localization(openshift_cgroup_read_t) ++ ++optional_policy(` ++ ssh_use_ptys(openshift_cgroup_read_t) ++') ++ ++corecmd_exec_bin(openshift_cgroup_read_t) ++corecmd_exec_shell(openshift_cgroup_read_t) ++ ++dev_read_urand(openshift_cgroup_read_t) ++ ++domain_use_interactive_fds(openshift_cgroup_read_t) ++ ++fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t) ++ ++userdom_use_inherited_user_ptys(openshift_cgroup_read_t) ++ ++miscfiles_read_generic_certs(openshift_cgroup_read_t) ++ ++domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t) ++role system_r types openshift_cgroup_read_t; ++ ++allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill }; ++ ++fs_list_cgroup_dirs(openshift_cgroup_read_t) ++fs_read_cgroup_files(openshift_cgroup_read_t) ++ ++allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; ++manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t) ++allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms; ++ ++######################################## ++# ++# openshift_cron local policy ++# ++allow openshift_cron_t self:capability { dac_override net_admin sys_admin }; ++allow openshift_cron_t self:process signal_perms; ++allow openshift_cron_t self:tcp_socket create_stream_socket_perms; ++allow openshift_cron_t self:udp_socket create_socket_perms; ++allow openshift_cron_t self:unix_dgram_socket create_socket_perms; ++allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_lnk_files_pattern(openshift_cron_t, 
openshift_cron_tmp_t, openshift_cron_tmp_t) ++manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) ++files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file }) ++ ++openshift_manage_lib_dirs(openshift_cron_t) ++openshift_manage_lib_files(openshift_cron_t) ++ ++kernel_search_network_sysctl(openshift_cron_t) ++kernel_read_network_state(openshift_cron_t) ++kernel_read_system_state(openshift_cron_t) ++ ++corecmd_exec_bin(openshift_cron_t) ++corecmd_exec_shell(openshift_cron_t) ++ ++dev_read_raw_memory(openshift_cron_t) ++dev_read_urand(openshift_cron_t) ++ ++corenet_udp_bind_generic_node(openshift_cron_t) ++corenet_udp_bind_generic_port(openshift_cron_t) ++ ++dev_getattr_fs(openshift_cron_t) ++dev_list_sysfs(openshift_cron_t) ++dev_read_sysfs(openshift_cron_t) ++ ++files_getattr_home_dir(openshift_cron_t) ++files_manage_etc_files(openshift_cron_t) ++ ++fs_getattr_tmpfs_dirs(openshift_cron_t) ++fs_getattr_all_fs(openshift_cron_t) ++fs_list_hugetlbfs(openshift_cron_t) ++fs_search_cgroup_dirs(openshift_cron_t) ++ ++seutil_domtrans_setfiles(openshift_cron_t) ++ ++term_getattr_pty_fs(openshift_cron_t) ++term_search_ptys(openshift_cron_t) ++ ++auth_use_nsswitch(openshift_cron_t) ++ ++miscfiles_read_generic_certs(openshift_cron_t) ++miscfiles_read_hwdata(openshift_cron_t) ++ ++sysnet_exec_ifconfig(openshift_cron_t) ++sysnet_read_config(openshift_cron_t) ++ ++optional_policy(` ++ dmidecode_exec(openshift_cron_t) ++') ++ ++optional_policy(` ++ hostname_exec(openshift_cron_t) ++') ++ ++optional_policy(` ++ quota_read_db(openshift_cron_t) ++') ++ ++optional_policy(` ++ ssh_domtrans_keygen(openshift_cron_t) ++ ssh_dontaudit_read_server_keys(openshift_cron_t) ++') ++ +diff --git a/openvpn.fc b/openvpn.fc +index 300213f..4cdfe09 100644 +--- a/openvpn.fc ++++ b/openvpn.fc +@@ -1,10 +1,13 @@ + /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) ++/etc/openvpn/scripts(/.*)? 
gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0) + /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) + + /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) + + /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) + ++/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0) ++ + /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) + /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + +diff --git a/openvpn.if b/openvpn.if +index 6837e9a..21e6dae 100644 +--- a/openvpn.if ++++ b/openvpn.if +@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',` + ######################################## + ## + ## Execute openvpn clients in the ++## caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openvpn_exec',` ++ gen_require(` ++ type openvpn_exec_t; ++ ') ++ ++ can_exec($1, openvpn_exec_t) ++') ++ ++######################################## ++## ++## Execute openvpn clients in the + ## openvpn domain, and allow the + ## specified role the openvpn domain. + ## +@@ -147,9 +166,13 @@ interface(`openvpn_admin',` + type openvpn_status_t; + ') + +- allow $1 openvpn_t:process { ptrace signal_perms }; ++ allow $1 openvpn_t:process signal_perms; + ps_process_pattern($1, openvpn_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 openvpn_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, openvpn_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 openvpn_initrc_exec_t system_r; +diff --git a/openvpn.te b/openvpn.te +index 3270ff9..265896b 100644 +--- a/openvpn.te ++++ b/openvpn.te +@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) + # + + ## ++##
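Review bot: The new `openvpn_exec` interface documents its parameter as `## Domain allowed to transition.`, but its body is `can_exec($1, openvpn_exec_t)` and no domain transition takes place; the wording used elsewhere for caller-domain exec interfaces is `## Domain allowed access.`. The passenger.if hunk `@@ -15,17 +15,16 @@` later in this patch makes the opposite edit on `passenger_exec`, so the two should be reconciled to the same (non-transition) wording.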

    ++## Allow openvpn to run unconfined scripts ++##

    ++##
    ++gen_tunable(openvpn_run_unconfined, false) ++ ++## + ##

    + ## Determine whether openvpn can + ## read generic user home content files. +@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3) + ## + gen_tunable(openvpn_enable_homedirs, false) + ++## ++##

    ++## Determine whether openvpn can ++## connect to the TCP network. ++##

    ++##
    ++gen_tunable(openvpn_can_network_connect, false) ++ + attribute_role openvpn_roles; + + type openvpn_t; +@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t) + type openvpn_etc_rw_t; + files_config_file(openvpn_etc_rw_t) + ++type openvpn_tmp_t; ++files_tmp_file(openvpn_tmp_t) ++ + type openvpn_initrc_exec_t; + init_script_file(openvpn_initrc_exec_t) + + type openvpn_status_t; + logging_log_file(openvpn_status_t) + ++type openvpn_var_lib_t; ++files_type(openvpn_var_lib_t) ++ + type openvpn_var_log_t; + logging_log_file(openvpn_var_log_t) + +@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t) + # Local policy + # + +-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; ++allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; + allow openvpn_t self:process { signal getsched setsched }; + allow openvpn_t self:fifo_file rw_fifo_file_perms; + allow openvpn_t self:unix_dgram_socket sendto; +@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) + allow openvpn_t openvpn_status_t:file manage_file_perms; + logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") + ++manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) ++files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) ++ ++manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t) ++files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file }) ++ + manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) ++manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) + logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) + + 
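Review bot: The summary of `openvpn_can_network_connect`, "Determine whether openvpn can connect to the TCP network", understates the grant: hunk `@@ -143,6 +175,14 @@` wires it to `corenet_tcp_connect_all_ports(openvpn_t)`. Because this summary is what administrators see as the boolean's description, it should name the scope, e.g. `## Determine whether openvpn can connect to all TCP ports.`; the false default is the right choice for a daemon that also holds `net_admin`.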
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) +@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t) + corecmd_exec_bin(openvpn_t) + corecmd_exec_shell(openvpn_t) + +-corenet_all_recvfrom_unlabeled(openvpn_t) + corenet_all_recvfrom_netlabel(openvpn_t) + corenet_tcp_sendrecv_generic_if(openvpn_t) + corenet_udp_sendrecv_generic_if(openvpn_t) +@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) + corenet_sendrecv_http_server_packets(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) + corenet_sendrecv_http_client_packets(openvpn_t) ++corenet_tcp_connect_squid_port(openvpn_t) + corenet_tcp_connect_http_port(openvpn_t) + corenet_tcp_sendrecv_http_port(openvpn_t) +- + corenet_sendrecv_http_cache_client_packets(openvpn_t) + corenet_tcp_connect_http_cache_port(openvpn_t) + corenet_tcp_sendrecv_http_cache_port(openvpn_t) + ++corenet_tcp_connect_tor_port(openvpn_t) ++ + corenet_rw_tun_tap_dev(openvpn_t) + + dev_read_rand(openvpn_t) +@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t) + + auth_use_pam(openvpn_t) + +-miscfiles_read_localization(openvpn_t) ++logging_send_syslog_msg(openvpn_t) ++ + miscfiles_read_all_certs(openvpn_t) + ++sysnet_dns_name_resolve(openvpn_t) + sysnet_exec_ifconfig(openvpn_t) + sysnet_manage_config(openvpn_t) + sysnet_etc_filetrans_config(openvpn_t) + sysnet_use_ldap(openvpn_t) + +-userdom_use_user_terminals(openvpn_t) ++userdom_use_inherited_user_terminals(openvpn_t) ++userdom_read_home_certs(openvpn_t) ++userdom_attach_admin_tun_iface(openvpn_t) ++userdom_read_inherited_user_tmp_files(openvpn_t) ++userdom_read_inherited_user_home_content_files(openvpn_t) + + tunable_policy(`openvpn_enable_homedirs',` +- userdom_read_user_home_content_files(openvpn_t) ++ userdom_search_user_home_dirs(openvpn_t) + ') + + tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` +@@ -143,6 +175,14 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) + ') + 
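Review bot: `files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })` names `dir`, but the only access on `openvpn_var_lib_t` is `manage_files_pattern`, which yields `rw_dir_perms` on the directory type and no `create`, so a directory transition into openvpn_var_lib_t cannot complete. Add `manage_dirs_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)` next to the files pattern, as the openvswitch.te hunk in this patch does for `openvswitch_var_lib_t`, or drop `dir` from the filetrans if only files are expected.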
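Review bot: `userdom_read_inherited_user_home_content_files(openvpn_t)` and `userdom_read_home_certs(openvpn_t)` become unconditional while the `openvpn_enable_homedirs` branch shrinks to `userdom_search_user_home_dirs(openvpn_t)`, so the boolean no longer controls what its summary earlier in the file ("Determine whether openvpn can read generic user home content files") says it controls. Either keep `userdom_read_user_home_content_files(openvpn_t)` under the tunable or update the summary to the search-only grant, e.g. `## Determine whether openvpn can search user home directories.`; the inherited-fd read is a narrower grant than the old one, but it should be documented in the same place.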
++tunable_policy(`openvpn_can_network_connect',` ++ corenet_tcp_connect_all_ports(openvpn_t) ++') ++ ++optional_policy(` ++ brctl_domtrans(openvpn_t) ++') ++ + optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) + ') +@@ -155,3 +195,27 @@ optional_policy(` + networkmanager_dbus_chat(openvpn_t) + ') + ') ++ ++optional_policy(` ++ unconfined_attach_tun_iface(openvpn_t) ++') ++ ++type openvpn_unconfined_script_t; ++type openvpn_unconfined_script_exec_t; ++domain_type(openvpn_unconfined_script_t) ++domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t) ++corecmd_shell_entry_type(openvpn_unconfined_script_t) ++role system_r types openvpn_unconfined_script_t; ++ ++allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms; ++allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl; ++ ++optional_policy(` ++ unconfined_domain(openvpn_unconfined_script_t) ++') ++ ++tunable_policy(`openvpn_run_unconfined',` ++ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t) ++',` ++ can_exec(openvpn_t, openvpn_unconfined_script_exec_t) ++') +diff --git a/openvswitch.fc b/openvswitch.fc +index 45d7cc5..c5b9607 100644 +--- a/openvswitch.fc ++++ b/openvswitch.fc +@@ -1,12 +1,16 @@ +-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0) ++/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0) + +-/etc/openvswitch(/.*)? 
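Review bot: The `openvpn_run_unconfined` tunable does not decide whether scripts labelled `openvpn_unconfined_script_exec_t` run, only where: the else branch `can_exec(openvpn_t, openvpn_unconfined_script_exec_t)` executes them inside openvpn_t, while the true branch transitions them into a domain that `unconfined_domain()` makes fully unconfined. Since the openvpn.fc hunk labels all of /etc/openvpn/scripts with this type, that directory becomes a privilege boundary, and the policy should say so; a comment such as `# scripts always execute; the tunable only selects openvpn_t (default) or the unconfined domain` above the `tunable_policy` would make it explicit. The new type declarations and `role system_r types openvpn_unconfined_script_t;` are appended at the end of the file instead of the Declarations section where the rest of openvpn.te keeps them.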
gen_context(system_u:object_r:openvswitch_conf_t,s0) ++/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) + +-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) + +-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) ++/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) + +-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) ++/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) + +-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) ++/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0) +diff --git a/openvswitch.if b/openvswitch.if +index 9b15730..eedd136 100644 +--- a/openvswitch.if ++++ b/openvswitch.if +@@ -1,13 +1,14 @@ +-## Multilayer virtual switch. ++ ++## policy for openvswitch + + ######################################## + ## +-## Execute openvswitch in the openvswitch domain. ++## Execute TEMPLATE in the openvswitch domin. + ## + ## +-## ++## + ## Domain allowed to transition. 
+-## ++## + ## + # + interface(`openvswitch_domtrans',` +@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) + ') ++######################################## ++## ++## Read openvswitch's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`openvswitch_read_log',` ++ gen_require(` ++ type openvswitch_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++') ++ ++######################################## ++## ++## Append to openvswitch log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_append_log',` ++ gen_require(` ++ type openvswitch_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++') + + ######################################## + ## +-## Read openvswitch pid files. ++## Manage openvswitch log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_manage_log',` ++ gen_require(` ++ type openvswitch_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t) ++ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++') ++ ++######################################## ++## ++## Search openvswitch lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_search_lib',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ allow $1 openvswitch_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read openvswitch lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openvswitch_read_lib_files',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) ++') ++ ++######################################## ++## ++## Manage openvswitch lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_manage_lib_files',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) ++') ++ ++######################################## ++## ++## Manage openvswitch lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_manage_lib_dirs',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) ++') ++ ++######################################## ++## ++## Read openvswitch PID files. + ## + ## + ## +@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an openvswitch environment. ++## Allow stream connect to openvswitch. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++ ++interface(`openvswitch_stream_connect',` ++ gen_require(` ++ type openvswitch_t, openvswitch_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t) ++') ++ ++######################################## ++## ++## Execute openvswitch server in the openvswitch domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`openvswitch_systemctl',` ++ gen_require(` ++ type openvswitch_t; ++ type openvswitch_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 openvswitch_unit_file_t:file read_file_perms; ++ allow $1 openvswitch_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, openvswitch_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an openvswitch environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## + ## + # + interface(`openvswitch_admin',` + gen_require(` +- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t; +- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t; ++ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t; ++ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t; + ') + + allow $1 openvswitch_t:process { ptrace signal_perms }; + ps_process_pattern($1, openvswitch_t) + +- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 openvswitch_initrc_exec_t system_r; +- allow $2 system_r; ++ logging_search_logs($1) ++ admin_pattern($1, openvswitch_rw_t) + +- files_search_etc($1) +- admin_pattern($1, openvswitch_conf_t) ++ logging_search_logs($1) ++ admin_pattern($1, openvswitch_log_t) + + files_search_var_lib($1) + admin_pattern($1, openvswitch_var_lib_t) + +- logging_search_logs($1) +- admin_pattern($1, openvswitch_log_t) +- + files_search_pids($1) + admin_pattern($1, openvswitch_var_run_t) ++ ++ openvswitch_systemctl($1) ++ admin_pattern($1, openvswitch_unit_file_t) ++ allow $1 openvswitch_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/openvswitch.te b/openvswitch.te +index 508fedf..a499612 100644 +--- a/openvswitch.te ++++ b/openvswitch.te +@@ -1,4 +1,4 @@ 
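Review bot: In `openvswitch_admin` the first `logging_search_logs($1)` is paired with `admin_pattern($1, openvswitch_rw_t)`, but openvswitch_rw_t labels /etc/openvswitch (openvswitch.fc in this patch), so that line should be `files_search_etc($1)`; the second `logging_search_logs` is the one the log pattern needs. The interface keeps `allow $1 openvswitch_t:process { ptrace signal_perms };` unconditionally, whereas `openvpn_admin` and `pads_admin` in this same patch move `ptrace` under `tunable_policy(`deny_ptrace',`',`…')`; the same treatment here, and in `oracleasm_admin` and `pacemaker_admin`, would keep `deny_ptrace` meaningful. The doc block for `openvswitch_systemctl` is copied from a domtrans interface ("Execute openvswitch server in the openvswitch domain", "Domain allowed to transition") although it grants systemctl and unit-file access, and the blank line between `#` and `interface(`openvswitch_stream_connect'` may detach that doc block from its interface for the documentation generator.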
+-policy_module(openvswitch, 1.0.1) ++policy_module(openvswitch, 1.0.0) + + ######################################## + # +@@ -9,11 +9,8 @@ type openvswitch_t; + type openvswitch_exec_t; + init_daemon_domain(openvswitch_t, openvswitch_exec_t) + +-type openvswitch_initrc_exec_t; +-init_script_file(openvswitch_initrc_exec_t) +- +-type openvswitch_conf_t; +-files_config_file(openvswitch_conf_t) ++type openvswitch_rw_t; ++files_config_file(openvswitch_rw_t) + + type openvswitch_var_lib_t; + files_type(openvswitch_var_lib_t) +@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t) + type openvswitch_log_t; + logging_log_file(openvswitch_log_t) + ++type openvswitch_tmp_t; ++files_tmp_file(openvswitch_tmp_t) ++ + type openvswitch_var_run_t; + files_pid_file(openvswitch_var_run_t) + ++type openvswitch_unit_file_t; ++systemd_unit_file(openvswitch_unit_file_t) ++ + ######################################## + # +-# Local policy ++# openvswitch local policy + # + +-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; +-allow openvswitch_t self:process { setrlimit setsched signal }; ++allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; ++allow openvswitch_t self:capability2 block_suspend; ++allow openvswitch_t self:process { fork setsched setrlimit signal }; + allow openvswitch_t self:fifo_file rw_fifo_file_perms; +-allow openvswitch_t self:rawip_socket create_socket_perms; +-allow openvswitch_t self:unix_stream_socket { accept connectto listen }; ++allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow openvswitch_t self:netlink_socket create_socket_perms; ++allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; + +-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) +-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) +-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) 
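Review bot: `policy_module(openvswitch, 1.0.1)` is lowered to `1.0.0` while the module adds and removes types, so the version recorded for the installed module goes backwards and the rewrite looks older than what it replaces. Bump it instead, e.g. `policy_module(openvswitch, 1.1.0)`.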
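Review bot: `openvswitch_conf_t` and `openvswitch_initrc_exec_t` are removed outright; any module whose `gen_require` names them (the old `openvswitch_admin` did) will fail to link, and files still labelled openvswitch_conf_t on disk carry an unknown type until relabelled. If openvswitch_rw_t is the replacement, keep the old name resolvable with `typealias openvswitch_rw_t alias openvswitch_conf_t;`, and mention the /etc/openvswitch relabel in the change description.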
++can_exec(openvswitch_t, openvswitch_exec_t) ++ ++manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) ++manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) + + manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) + manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) +@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l + files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) + + manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) ++manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) + manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) + logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) + ++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir }) ++ + manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) + +-can_exec(openvswitch_t, openvswitch_exec_t) +- + 
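Review bot: `sys_module` is added to openvswitch_t's capability set, and hunk `@@ -45,45 +52,53 @@` below pairs it with `modutils_exec_insmod(openvswitch_t)` and `files_read_kernel_modules(openvswitch_t)`, so kernel-module loading now happens inside the switch daemon's own domain. The oracleasm.te file in this same patch uses `modutils_domtrans_insmod` instead, which keeps loading in insmod_t and the capability out of the daemon; unless ovs-vswitchd issues init_module itself, `modutils_domtrans_insmod(openvswitch_t)` without `sys_module` is the narrower grant, and `kernel_request_load_module` already covers autoloading on demand.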
kernel_read_network_state(openvswitch_t)
+ kernel_read_system_state(openvswitch_t)
+-
+-corenet_all_recvfrom_unlabeled(openvswitch_t)
+-corenet_all_recvfrom_netlabel(openvswitch_t)
+-corenet_raw_sendrecv_generic_if(openvswitch_t)
+-corenet_raw_sendrecv_generic_node(openvswitch_t)
++kernel_request_load_module(openvswitch_t)
+ 
+ corecmd_exec_bin(openvswitch_t)
++corecmd_exec_shell(openvswitch_t)
+ 
++dev_read_rand(openvswitch_t)
+ dev_read_urand(openvswitch_t)
++dev_read_sysfs(openvswitch_t)
+ 
+ domain_use_interactive_fds(openvswitch_t)
+ 
+-files_read_etc_files(openvswitch_t)
++files_read_kernel_modules(openvswitch_t)
+ 
+ fs_getattr_all_fs(openvswitch_t)
+ fs_search_cgroup_dirs(openvswitch_t)
+ 
++auth_read_passwd(openvswitch_t)
++
+ logging_send_syslog_msg(openvswitch_t)
+ 
+-miscfiles_read_localization(openvswitch_t)
++modutils_exec_insmod(openvswitch_t)
++modutils_list_module_config(openvswitch_t)
++modutils_read_module_config(openvswitch_t)
+ 
+ sysnet_dns_name_resolve(openvswitch_t)
+ 
+ optional_policy(`
+ iptables_domtrans(openvswitch_t)
+ ')
++
++optional_policy(`
++ plymouthd_exec_plymouth(openvswitch_t)
++')
+diff --git a/oracleasm.fc b/oracleasm.fc
+new file mode 100644
+index 0000000..80fb8c3
+--- /dev/null
++++ b/oracleasm.fc
+@@ -0,0 +1,4 @@
++
++/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
++
++/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
+diff --git a/oracleasm.if b/oracleasm.if
+new file mode 100644
+index 0000000..6ae382c
+--- /dev/null
++++ b/oracleasm.if
+@@ -0,0 +1,75 @@
++
++## policy for oracleasm
++
++########################################
++##
++## Transition to oracleasm.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`oracleasm_domtrans',`
++ gen_require(`
++ type oracleasm_t, oracleasm_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
++')
++
++
++########################################
++##
++## Execute oracleasm server in the oracleasm domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`oracleasm_initrc_domtrans',`
++ gen_require(`
++ type oracleasm_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an oracleasm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`oracleasm_admin',`
++ gen_require(`
++ type oracleasm_t;
++ type oracleasm_initrc_exec_t;
++ ')
++
++ allow $1 oracleasm_t:process { ptrace signal_perms };
++ ps_process_pattern($1, oracleasm_t)
++
++ oracleasm_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 oracleasm_initrc_exec_t system_r;
++ allow $2 system_r;
++
++')
++
+diff --git a/oracleasm.te b/oracleasm.te
+new file mode 100644
+index 0000000..0493b99
+--- /dev/null
++++ b/oracleasm.te
+@@ -0,0 +1,34 @@
++policy_module(oracleasm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type oracleasm_t;
++type oracleasm_exec_t;
++init_daemon_domain(oracleasm_t, oracleasm_exec_t)
++
++type oracleasm_initrc_exec_t;
++init_script_file(oracleasm_initrc_exec_t)
++
++########################################
++#
++# oracleasm local policy
++#
++
++allow oracleasm_t self:fifo_file rw_fifo_file_perms;
++allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(oracleasm_t)
++
++corecmd_exec_shell(oracleasm_t)
++corecmd_exec_bin(oracleasm_t)
++
++optional_policy(`
++ mount_domtrans(oracleasm_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(oracleasm_t)
++')
+diff --git a/pacemaker.fc b/pacemaker.fc
+index 2f0ad56..d4da0b8 100644
+--- a/pacemaker.fc
++++ b/pacemaker.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
++
+ /usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+ 
+ /var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+diff --git a/pacemaker.if b/pacemaker.if
+index 9682d9a..d47f913 100644
+--- a/pacemaker.if
++++ b/pacemaker.if
+@@ -1,9 +1,166 @@
+-## A scalable high-availability cluster resource manager.
++## >A scalable high-availability cluster resource manager.
+ 
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an pacemaker environment.
++## Transition to pacemaker.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pacemaker_domtrans',`
++ gen_require(`
++ type pacemaker_t, pacemaker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
++')
++
++########################################
++##
++## Execute pacemaker server in the pacemaker domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_initrc_domtrans',`
++ gen_require(`
++ type pacemaker_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
++')
++
++########################################
++##
++## Search pacemaker lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pacemaker_search_lib',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read pacemaker lib files.
++##
++##
++##
++## Domain allowed access.
++## ++## ++# ++interface(`pacemaker_read_lib_files',` ++ gen_require(` ++ type pacemaker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage pacemaker lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pacemaker_manage_lib_files',` ++ gen_require(` ++ type pacemaker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage pacemaker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pacemaker_manage_lib_dirs',` ++ gen_require(` ++ type pacemaker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t) ++') ++ ++######################################## ++## ++## Read pacemaker PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pacemaker_read_pid_files',` ++ gen_require(` ++ type pacemaker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 pacemaker_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute pacemaker server in the pacemaker domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`pacemaker_systemctl',` ++ gen_require(` ++ type pacemaker_t; ++ type pacemaker_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 pacemaker_unit_file_t:file read_file_perms; ++ allow $1 pacemaker_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, pacemaker_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pacemaker environment + ## + ## + ## +@@ -19,14 +176,17 @@ + # + interface(`pacemaker_admin',` + gen_require(` +- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t; ++ type pacemaker_t; ++ type pacemaker_initrc_exec_t; ++ type pacemaker_var_lib_t; + type pacemaker_var_run_t; ++ type pacemaker_unit_file_t; + ') + + allow $1 pacemaker_t:process { ptrace signal_perms }; + ps_process_pattern($1, pacemaker_t) + +- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t) ++ pacemaker_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pacemaker_initrc_exec_t system_r; + allow $2 system_r; +@@ -36,4 +196,13 @@ interface(`pacemaker_admin',` + + files_search_pids($1) + admin_pattern($1, pacemaker_var_run_t) ++ ++ pacemaker_systemctl($1) ++ admin_pattern($1, pacemaker_unit_file_t) ++ allow $1 pacemaker_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/pacemaker.te b/pacemaker.te +index 3dd8ada..993c92c 100644 +--- a/pacemaker.te ++++ b/pacemaker.te +@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2) + # Declarations + # + ++## ++##
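Review bot: The module summary gains a stray character, `## >A scalable high-availability cluster resource manager.`; the `>` should be dropped. `pacemaker_systemctl` calls `systemd_read_fifo_file_passwd_run($1)` unconditionally, while `openvswitch_systemctl` in this patch does not and `pacemaker_admin` (hunk `@@ -36,4 +196,13 @@`) wraps the same call in `optional_policy`, so the call is either redundant in the admin interface or inconsistently guarded here. The `pacemaker_systemctl` doc block is copied from a domtrans interface ("Execute pacemaker server in the pacemaker domain", "Domain allowed to transition") although it grants systemctl and unit-file access, and `administrate an pacemaker environment` should read `a pacemaker environment`.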

    ++## Allow pacemaker memcheck-amd64- to use executable memory ++##

    ++##
    ++gen_tunable(pacemaker_use_execmem, false) ++ + type pacemaker_t; + type pacemaker_exec_t; + init_daemon_domain(pacemaker_t, pacemaker_exec_t) +@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) + type pacemaker_initrc_exec_t; + init_script_file(pacemaker_initrc_exec_t) + ++type pacemaker_var_lib_t; ++files_type(pacemaker_var_lib_t) ++ ++type pacemaker_var_run_t; ++files_pid_file(pacemaker_var_run_t) ++ + type pacemaker_tmp_t; + files_tmp_file(pacemaker_tmp_t) + + type pacemaker_tmpfs_t; + files_tmpfs_file(pacemaker_tmpfs_t) + +-type pacemaker_var_lib_t; +-files_type(pacemaker_var_lib_t) +- +-type pacemaker_var_run_t; +-files_pid_file(pacemaker_var_run_t) ++type pacemaker_unit_file_t; ++systemd_unit_file(pacemaker_unit_file_t) + + ######################################## + # +@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t) + # + + allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; ++allow pacemaker_t self:capability2 block_suspend; + allow pacemaker_t self:process { setrlimit signal setpgid }; + allow pacemaker_t self:fifo_file rw_fifo_file_perms; + allow pacemaker_t self:unix_stream_socket { connectto accept listen }; + + manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) + manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) +-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir }) ++manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) ++files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir }) + + manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) + manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) +@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t) + corecmd_exec_bin(pacemaker_t) + corecmd_exec_shell(pacemaker_t) + ++domain_use_interactive_fds(pacemaker_t) ++domain_read_all_domains_state(pacemaker_t) ++ + dev_getattr_mtrr_dev(pacemaker_t) + dev_read_rand(pacemaker_t) + 
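Review bot: The `pacemaker_use_execmem` summary, `## Allow pacemaker memcheck-amd64- to use executable memory`, looks like a truncated tool name pasted from a denial message and will be shown to administrators as the boolean's description. Since the branch in hunk `@@ -75,9 +87,20 @@` grants `execmem` to pacemaker_t itself, describe the grant and when it is needed, e.g. `## Allow pacemaker to use executable memory (needed e.g. when run under valgrind memcheck).`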
dev_read_urand(pacemaker_t) + +-domain_read_all_domains_state(pacemaker_t) +-domain_use_interactive_fds(pacemaker_t) +- + files_read_kernel_symbol_table(pacemaker_t) + + fs_getattr_all_fs(pacemaker_t) +@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t) + + logging_send_syslog_msg(pacemaker_t) + +-miscfiles_read_localization(pacemaker_t) ++sysnet_domtrans_ifconfig(pacemaker_t) ++ ++tunable_policy(`pacemaker_use_execmem',` ++ allow pacemaker_t self:process { execmem }; ++') + + optional_policy(` + corosync_read_log(pacemaker_t) ++ corosync_setattr_log(pacemaker_t) + corosync_stream_connect(pacemaker_t) ++ corosync_rw_tmpfs(pacemaker_t) ++') ++ ++optional_policy(` ++ #executes heartbeat lib files ++ rgmanager_execute_lib(pacemaker_t) + ') +diff --git a/pads.if b/pads.if +index 6e097c9..503c97a 100644 +--- a/pads.if ++++ b/pads.if +@@ -17,15 +17,19 @@ + ## + ## + # +-interface(`pads_admin', ` ++interface(`pads_admin',` + gen_require(` + type pads_t, pads_config_t, pads_var_run_t; + type pads_initrc_exec_t; + ') + +- allow $1 pads_t:process { ptrace signal_perms }; ++ allow $1 pads_t:process signal_perms; + ps_process_pattern($1, pads_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pads_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, pads_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pads_initrc_exec_t system_r; +diff --git a/pads.te b/pads.te +index 29a7364..446e5ca 100644 +--- a/pads.te ++++ b/pads.te +@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t) + # + + allow pads_t self:capability { dac_override net_raw }; ++allow pads_t self:netlink_route_socket create_netlink_socket_perms; + allow pads_t self:packet_socket create_socket_perms; + allow pads_t self:socket create_socket_perms; ++allow pads_t self:udp_socket create_socket_perms; ++allow pads_t self:unix_dgram_socket create_socket_perms; + + allow pads_t pads_config_t:file manage_file_perms; + files_etc_filetrans(pads_t, pads_config_t, file) +@@ -39,7 +42,6 @@ 
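Review bot: `allow pacemaker_t self:process { execmem };` gives a root daemon writable-and-executable memory, removing a W^X guarantee; keeping it behind `pacemaker_use_execmem` with a false default is the right shape, and a single permission needs no braces: `allow pacemaker_t self:process execmem;`. The added `#executes heartbeat lib files` comment omits the space after `#` that the file's other comments use; `# executes heartbeat lib files` matches the surrounding style.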
kernel_read_network_state(pads_t) + + corecmd_search_bin(pads_t) + +-corenet_all_recvfrom_unlabeled(pads_t) + corenet_all_recvfrom_netlabel(pads_t) + corenet_tcp_sendrecv_generic_if(pads_t) + corenet_tcp_sendrecv_generic_node(pads_t) +@@ -52,11 +54,8 @@ dev_read_rand(pads_t) + dev_read_urand(pads_t) + dev_read_sysfs(pads_t) + +-files_read_etc_files(pads_t) + files_search_spool(pads_t) + +-miscfiles_read_localization(pads_t) +- + logging_send_syslog_msg(pads_t) + + sysnet_dns_name_resolve(pads_t) +diff --git a/passenger.fc b/passenger.fc +index 2c389ea..9155bd0 100644 +--- a/passenger.fc ++++ b/passenger.fc +@@ -1,10 +1,12 @@ +-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) +-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) +-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) +-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) + +-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) ++/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0) + +-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) ++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + +-/var/run/passenger(/.*)? 
gen_context(system_u:object_r:passenger_var_run_t,s0) ++/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) ++ ++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) +diff --git a/passenger.if b/passenger.if +index bf59ef7..0ec51d4 100644 +--- a/passenger.if ++++ b/passenger.if +@@ -15,17 +15,16 @@ interface(`passenger_domtrans',` + type passenger_t, passenger_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, passenger_exec_t, passenger_t) + ') + + ###################################### + ## +-## Execute passenger in the caller domain. ++## Execute passenger in the current domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +@@ -34,13 +33,30 @@ interface(`passenger_exec',` + type passenger_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, passenger_exec_t) + ') + ++####################################### ++## ++## Getattr passenger log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_getattr_log_files',` ++ gen_require(` ++ type passenger_log_t; ++ ') ++ ++ getattr_files_pattern($1, passenger_log_t, passenger_log_t) ++') ++ + ######################################## + ## +-## Read passenger lib files. ++## Read passenger lib files + ## + ## + ## +@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',` + type passenger_var_lib_t; + ') + +- files_search_var_lib($1) + read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Manage passenger lib files ++## ++## ++## ++## Domain allowed access. 
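Review bot: The new `/usr/share/gems/.*/Passenger.* --` and `/usr/lib/gems/.*/Passenger.* --` entries label every regular file whose path under the gems tree contains `Passenger` as passenger_exec_t, whereas the removed entries were anchored to the specific agent binaries (`agents/PassengerWatchdog`, `agents/PassengerLoggingAgent`, `agents/apache2/PassengerHelperAgent`). passenger_exec_t is the entrypoint type of the passenger_t domain, so any other file shipped in the gem that happens to match (documentation, sources or build products, if the gem carries such names) would be labeled as a domain entrypoint rather than as ordinary content. Consider keeping the `agents/` component as the removed lines did, e.g. `/usr/share/gems/.*/agents/Passenger[^/]* -- gen_context(system_u:object_r:passenger_exec_t,s0)`, or add a comment stating why the broader match is required.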
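Review bot: The parameter description of `passenger_exec` is changed to `## Domain allowed to transition.`, but this interface performs no transition: its body (in the next hunk) calls `can_exec($1, passenger_exec_t)`, and the summary rewritten in this same hunk says `Execute passenger in the current domain.`. Keep `## Domain allowed access.` here; `Domain allowed to transition.` is the wording that belongs to `passenger_domtrans`. The interface body itself lies outside this hunk.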
++## ++## ++# ++interface(`passenger_manage_lib_files',` ++ gen_require(` ++ type passenger_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++##################################### ++## ++## Manage passenger var_run content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_manage_pid_content',` ++ gen_require(` ++ type passenger_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++') ++ ++######################################## ++## ++## Connect to passenger unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_stream_connect',` ++ gen_require(` ++ type passenger_t; ++ type passenger_tmp_t; ++ type passenger_var_run_t; ++ ') ++ ++ ++ ++ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t) ++ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t) ++') ++ ++####################################### ++## ++## Allow to manage passenger tmp files/dirs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`passenger_manage_tmp_files',` ++ gen_require(` ++ type passenger_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) ++ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) + ') +diff --git a/passenger.te b/passenger.te +index 4e114ff..1b1cb71 100644 +--- a/passenger.te ++++ b/passenger.te +@@ -1,4 +1,4 @@ +-policy_module(passanger, 1.0.3) ++policy_module(passanger, 1.0.0) + + ######################################## + # +@@ -14,6 +14,9 @@ role system_r types passenger_t; + type passenger_log_t; + logging_log_file(passenger_log_t) + ++type passenger_tmp_t; ++files_tmp_file(passenger_tmp_t) ++ + type passenger_var_lib_t; + files_type(passenger_var_lib_t) + +@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t) + + ######################################## + # +-# Local policy ++# passanger local policy + # + + allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; +-allow passenger_t self:process { setpgid setsched sigkill signal }; ++allow passenger_t self:process { setpgid setsched sigkill signal signull }; + allow passenger_t self:fifo_file rw_fifo_file_perms; +-allow passenger_t self:unix_stream_socket { accept connectto listen }; ++allow passenger_t self:tcp_socket listen; ++allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++can_exec(passenger_t, passenger_exec_t) + + manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) +-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-logging_log_filetrans(passenger_t, passenger_log_t, file) ++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) ++logging_log_filetrans(passenger_t, passenger_log_t, { dir file }) + + manage_dirs_pattern(passenger_t, 
passenger_var_lib_t, passenger_var_lib_t) + manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) ++files_search_var_lib(passenger_t) + + manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) + manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) + manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) + files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) + +-can_exec(passenger_t, passenger_exec_t) ++#needed by puppet ++manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) ++manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) ++manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) ++files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file }) + + kernel_read_system_state(passenger_t) + kernel_read_kernel_sysctls(passenger_t) ++kernel_read_network_state(passenger_t) ++kernel_read_net_sysctls(passenger_t) + + corenet_all_recvfrom_netlabel(passenger_t) +-corenet_all_recvfrom_unlabeled(passenger_t) + corenet_tcp_sendrecv_generic_if(passenger_t) + corenet_tcp_sendrecv_generic_node(passenger_t) +- +-corenet_sendrecv_http_client_packets(passenger_t) + corenet_tcp_connect_http_port(passenger_t) +-corenet_tcp_sendrecv_http_port(passenger_t) ++corenet_tcp_connect_postgresql_port(passenger_t) + + corecmd_exec_bin(passenger_t) + corecmd_exec_shell(passenger_t) +@@ -66,14 +74,14 @@ dev_read_urand(passenger_t) + + domain_read_all_domains_state(passenger_t) + +-files_read_etc_files(passenger_t) +- + auth_use_nsswitch(passenger_t) + + logging_send_syslog_msg(passenger_t) + + miscfiles_read_localization(passenger_t) + ++sysnet_exec_ifconfig(passenger_t) ++ + userdom_dontaudit_use_user_terminals(passenger_t) + + optional_policy(` +@@ -90,14 +98,21 @@ optional_policy(` + ') + + optional_policy(` +- 
puppet_manage_lib_files(passenger_t) ++ mysql_stream_connect(passenger_t) ++ mysql_list_db(passenger_t) ++') ++ ++optional_policy(` ++ puppet_domtrans_master(passenger_t) ++ puppet_manage_lib(passenger_t) + puppet_read_config(passenger_t) +- puppet_append_log_files(passenger_t) +- puppet_create_log_files(passenger_t) +- puppet_read_log_files(passenger_t) ++ puppet_append_log(passenger_t) ++ puppet_create_log(passenger_t) ++ puppet_read_log(passenger_t) ++ puppet_search_pid(passenger_t) + ') + + optional_policy(` +- rpm_exec(passenger_t) +- rpm_read_db(passenger_t) ++ rpm_exec(passenger_t) ++ rpm_read_db(passenger_t) + ') +diff --git a/pcmcia.te b/pcmcia.te +index 3ad10b5..49baca5 100644 +--- a/pcmcia.te ++++ b/pcmcia.te +@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) + + logging_send_syslog_msg(cardmgr_t) + +-miscfiles_read_localization(cardmgr_t) +- + modutils_domtrans_insmod(cardmgr_t) + + sysnet_domtrans_ifconfig(cardmgr_t) + sysnet_etc_filetrans_config(cardmgr_t) + sysnet_manage_config(cardmgr_t) + +-userdom_use_user_terminals(cardmgr_t) ++userdom_use_inherited_user_terminals(cardmgr_t) + userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) + userdom_dontaudit_search_user_home_dirs(cardmgr_t) + + optional_policy(` +- seutil_dontaudit_read_config(cardmgr_t) + seutil_sigchld_newrole(cardmgr_t) + ') + +diff --git a/pcscd.if b/pcscd.if +index 43d50f9..7f77d32 100644 +--- a/pcscd.if ++++ b/pcscd.if +@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',` + ') + + files_search_pids($1) +- allow $1 pcscd_var_run_t:file read_file_perms; ++ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) + ') + + ######################################## +diff --git a/pcscd.te b/pcscd.te +index 96db654..ff3aadd 100644 +--- a/pcscd.te ++++ b/pcscd.te +@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") + allow pcscd_t self:capability { dac_override dac_read_search fsetid }; + allow pcscd_t self:process signal; + allow pcscd_t self:fifo_file rw_fifo_file_perms; +-allow 
pcscd_t self:unix_stream_socket { accept listen }; +-allow pcscd_t self:tcp_socket { accept listen }; ++allow pcscd_t self:unix_stream_socket create_stream_socket_perms; ++allow pcscd_t self:unix_dgram_socket create_socket_perms; ++allow pcscd_t self:tcp_socket create_stream_socket_perms; + allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) + + kernel_read_system_state(pcscd_t) + +-corenet_all_recvfrom_unlabeled(pcscd_t) + corenet_all_recvfrom_netlabel(pcscd_t) + corenet_tcp_sendrecv_generic_if(pcscd_t) + corenet_tcp_sendrecv_generic_node(pcscd_t) +@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t) + dev_rw_usbfs(pcscd_t) + dev_read_sysfs(pcscd_t) + +-files_read_etc_files(pcscd_t) + files_read_etc_runtime_files(pcscd_t) + + term_use_unallocated_ttys(pcscd_t) +@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t) + + logging_send_syslog_msg(pcscd_t) + +-miscfiles_read_localization(pcscd_t) +- + sysnet_dns_name_resolve(pcscd_t) + + optional_policy(` +@@ -85,3 +82,7 @@ optional_policy(` + optional_policy(` + udev_read_db(pcscd_t) + ') ++ ++optional_policy(` ++ virt_rw_svirt_dev(pcscd_t) ++') +diff --git a/pegasus.fc b/pegasus.fc +index dfd46e4..31122bd 100644 +--- a/pegasus.fc ++++ b/pegasus.fc +@@ -1,15 +1,26 @@ +-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) ++ ++/etc/Pegasus(/.*)? 
gen_context(system_u:object_r:pegasus_conf_t,s0) + /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) + +-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) ++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) + +-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) + +-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) + +-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) + +-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++/var/lib/openlmi-storage(/.*)? 
gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) + +-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++#openlmi agents ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) ++ ++ ++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) +diff --git a/pegasus.if b/pegasus.if +index d2fc677..ded726f 100644 +--- a/pegasus.if ++++ b/pegasus.if +@@ -1,52 +1,59 @@ + ## The Open Group Pegasus CIM/WBEM Server. + ++###################################### ++## ++## Creates types and rules for a basic ++## openlmi init daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`pegasus_openlmi_domain_template',` ++ gen_require(` ++ attribute pegasus_openlmi_domain; ++ type pegasus_t; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type pegasus_openlmi_$1_t, pegasus_openlmi_domain; ++ type pegasus_openlmi_$1_exec_t; ++ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t) ++ ++ ############################## ++ # ++ # Local policy ++ # ++ ++ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) ++ ++ kernel_read_system_state(pegasus_openlmi_$1_t) ++ logging_send_syslog_msg(pegasus_openlmi_$1_t) ++') ++ + ######################################## + ## +-## All of the rules required to +-## administrate an pegasus environment. ++## Connect to pegasus over a unix stream socket. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`pegasus_admin',` ++interface(`pegasus_stream_connect',` + gen_require(` +- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; +- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; +- type pegasus_mof_t, pegasus_var_run_t; ++ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t; + ') + +- allow $1 pegasus_t:process { ptrace signal_perms }; +- ps_process_pattern($1, pegasus_t) +- +- init_labeled_script_domtrans($1, pegasus_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 pegasus_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, pegasus_conf_t) +- +- files_search_usr($1) +- admin_pattern($1, pegasus_mof_t) +- +- files_search_tmp($1) +- admin_pattern($1, pegasus_tmp_t) +- +- files_search_var($1) +- admin_pattern($1, pegasus_cache_t) +- +- files_search_var_lib($1) +- admin_pattern($1, pegasus_data_t) +- + files_search_pids($1) +- admin_pattern($1, pegasus_var_run_t) ++ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t) ++ stream_connect_pattern($1, pegasus_tmp_t, 
pegasus_tmp_t, pegasus_t) + ') ++ +diff --git a/pegasus.te b/pegasus.te +index 7bcf327..22a5b66 100644 +--- a/pegasus.te ++++ b/pegasus.te +@@ -1,17 +1,16 @@ +-policy_module(pegasus, 1.8.3) ++policy_module(pegasus, 1.8.0) + + ######################################## + # + # Declarations + # + ++attribute pegasus_openlmi_domain; ++ + type pegasus_t; + type pegasus_exec_t; + init_daemon_domain(pegasus_t, pegasus_exec_t) + +-type pegasus_initrc_exec_t; +-init_script_file(pegasus_initrc_exec_t) +- + type pegasus_cache_t; + files_type(pegasus_cache_t) + +@@ -30,20 +29,269 @@ files_type(pegasus_mof_t) + type pegasus_var_run_t; + files_pid_file(pegasus_var_run_t) + ++# pegasus openlmi providers ++pegasus_openlmi_domain_template(admin) ++typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; ++ ++pegasus_openlmi_domain_template(account) ++domain_obj_id_change_exemption(pegasus_openlmi_account_t) ++domain_system_change_exemption(pegasus_openlmi_account_t) ++ ++pegasus_openlmi_domain_template(logicalfile) ++pegasus_openlmi_domain_template(services) ++ ++pegasus_openlmi_domain_template(storage) ++type pegasus_openlmi_storage_tmp_t; ++files_tmp_file(pegasus_openlmi_storage_tmp_t) ++ ++type pegasus_openlmi_storage_lib_t; ++files_type(pegasus_openlmi_storage_lib_t) ++ ++pegasus_openlmi_domain_template(system) ++typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; ++pegasus_openlmi_domain_template(unconfined) ++ ++####################################### ++# ++# pegasus openlmi providers local policy ++# ++ ++allow pegasus_openlmi_domain self:capability { setuid setgid }; ++ ++allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; ++allow pegasus_openlmi_domain self:udp_socket create_socket_perms; ++ ++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++ ++corecmd_exec_bin(pegasus_openlmi_domain) 
++corecmd_exec_shell(pegasus_openlmi_domain) ++ ++dev_read_sysfs(pegasus_openlmi_domain) ++ ++auth_read_passwd(pegasus_openlmi_domain) ++ ++sysnet_read_config(pegasus_openlmi_domain) ++ ++optional_policy(` ++ pegasus_stream_connect(pegasus_openlmi_domain) ++') ++ ++###################################### ++# ++# pegasus openlmi account local policy ++# ++ ++allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid }; ++allow pegasus_openlmi_account_t self:process setfscreate; ++ ++auth_manage_passwd(pegasus_openlmi_account_t) ++auth_manage_shadow(pegasus_openlmi_account_t) ++auth_relabel_shadow(pegasus_openlmi_account_t) ++auth_read_login_records(pegasus_openlmi_account_t) ++auth_etc_filetrans_shadow(pegasus_openlmi_account_t) ++ ++logging_send_audit_msgs(pegasus_openlmi_account_t) ++logging_send_syslog_msg(pegasus_openlmi_account_t) ++ ++init_rw_utmp(pegasus_openlmi_account_t) ++ ++seutil_semanage_policy(pegasus_openlmi_account_t) ++ ++logging_send_syslog_msg(pegasus_openlmi_account_t) ++ ++seutil_read_config(pegasus_openlmi_account_t) ++seutil_read_file_contexts(pegasus_openlmi_account_t) ++seutil_read_default_contexts(pegasus_openlmi_account_t) ++ ++# Add/remove user home directories ++userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t) ++userdom_manage_home_role(system_r, pegasus_openlmi_account_t) ++userdom_delete_all_user_home_content(pegasus_openlmi_account_t) ++ ++optional_policy(` ++ # run userdel ++ usermanage_domtrans_useradd(pegasus_openlmi_account_t) ++') ++ ++###################################### ++# ++# pegasus openlmi logicalfile local policy ++# ++ ++allow pegasus_openlmi_logicalfile_t self:capability { dac_override }; ++files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t) ++files_manage_non_security_files(pegasus_openlmi_logicalfile_t) ++ ++dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t) ++dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t) ++ 
++files_list_all(pegasus_openlmi_logicalfile_t) ++files_read_all_files(pegasus_openlmi_logicalfile_t) ++files_read_all_symlinks(pegasus_openlmi_logicalfile_t) ++files_read_all_blk_files(pegasus_openlmi_logicalfile_t) ++files_read_all_chr_files(pegasus_openlmi_logicalfile_t) ++files_getattr_all_pipes(pegasus_openlmi_logicalfile_t) ++files_getattr_all_sockets(pegasus_openlmi_logicalfile_t) ++ ++# Add/remove user home directories ++userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t) ++userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t) ++userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t) ++ ++optional_policy(` ++ # it can delete/create empty dirs ++ # so we want to have unconfined_domain attribute for filename rules ++ unconfined_domain(pegasus_openlmi_logicalfile_t) ++') ++ ++###################################### ++# ++# pegasus openlmi services local policy ++# ++ ++allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms; ++ ++kernel_read_network_state(pegasus_openlmi_services_t) ++ ++optional_policy(` ++ dbus_system_bus_client(pegasus_openlmi_services_t) ++') ++ ++optional_policy(` ++ realmd_dbus_chat(pegasus_openlmi_services_t) ++') ++ ++optional_policy(` ++ sssd_stream_connect(pegasus_openlmi_services_t) ++') ++ ++###################################### ++# ++# pegasus openlmi system (networking) local policy ++# ++ ++allow pegasus_openlmi_system_t self:capability { net_admin }; ++ ++allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms; ++ ++kernel_read_network_state(pegasus_openlmi_system_t) ++ ++dev_rw_sysfs(pegasus_openlmi_system_t) ++dev_read_urand(pegasus_openlmi_system_t) ++ ++optional_policy(` ++ dbus_system_bus_client(pegasus_openlmi_system_t) ++') ++ ++optional_policy(` ++ networkmanager_dbus_chat(pegasus_openlmi_system_t) ++') ++ ++###################################### ++# ++# pegasus openlmi service local policy ++# ++ 
++init_disable_services(pegasus_openlmi_admin_t) ++init_enable_services(pegasus_openlmi_admin_t) ++init_reload_services(pegasus_openlmi_admin_t) ++init_exec(pegasus_openlmi_admin_t) ++ ++systemd_config_all_services(pegasus_openlmi_admin_t) ++systemd_manage_all_unit_files(pegasus_openlmi_admin_t) ++systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t) ++ ++allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; ++ ++optional_policy(` ++ dbus_system_bus_client(pegasus_openlmi_admin_t) ++') ++ ++###################################### ++# ++# pegasus openlmi storage local policy ++# ++ ++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio }; ++ ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) ++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) ++files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file) ++ ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) ++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) ++files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) ++ ++kernel_read_all_sysctls(pegasus_openlmi_storage_t) ++kernel_get_sysvipc_info(pegasus_openlmi_storage_t) ++ ++dev_read_rand(pegasus_openlmi_storage_t) ++dev_read_urand(pegasus_openlmi_storage_t) ++ ++dev_rw_lvm_control(pegasus_openlmi_storage_t) ++dev_rw_sysfs(pegasus_openlmi_storage_t) ++ ++selinux_validate_context(pegasus_openlmi_storage_t) ++ ++seutil_read_file_contexts(pegasus_openlmi_storage_t) ++ ++storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) ++storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) ++ ++fs_getattr_all_fs(pegasus_openlmi_storage_t) ++ ++modutils_domtrans_insmod(pegasus_openlmi_storage_t) ++ ++udev_domtrans(pegasus_openlmi_storage_t) 
++udev_read_pid_files(pegasus_openlmi_storage_t) ++ ++optional_policy(` ++ dmidecode_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ mount_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ raid_domtrans_mdadm(pegasus_openlmi_storage_t) ++ raid_filetrans_named_content(pegasus_openlmi_storage_t) ++ raid_manage_conf_files(pegasus_openlmi_storage_t) ++') ++ ++###################################### ++# ++# pegasus openlmi unconfined local policy ++# ++ ++optional_policy(` ++ unconfined_domain(pegasus_openlmi_unconfined_t) ++') ++ + ######################################## + # +-# Local policy ++# pegasus local policy + # + + allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; + dontaudit pegasus_t self:capability sys_tty_config; +-allow pegasus_t self:process signal; ++allow pegasus_t self:process { setsched signal }; + allow pegasus_t self:fifo_file rw_fifo_file_perms; +-allow pegasus_t self:unix_stream_socket { connectto accept listen }; +-allow pegasus_t self:tcp_socket { accept listen }; ++allow pegasus_t self:unix_dgram_socket create_socket_perms; ++allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow pegasus_t self:tcp_socket create_stream_socket_perms; + + allow pegasus_t pegasus_conf_t:dir rw_dir_perms; +-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms }; ++allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms }; + allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) +@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) + manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) + 
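Review bot: `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})` in the storage section passes the tmp file type as the source domain; every other filetrans call in this hunk (e.g. `files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)`) passes the domain first, so this should read `files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })`, otherwise files the storage provider creates in /tmp never receive the pegasus_openlmi_storage_tmp_t label that the two manage_*_pattern rules above it are written for. Separately, the logicalfile section grants `unconfined_domain(pegasus_openlmi_logicalfile_t)` with a comment saying only filename rules are wanted; unconfined_domain removes essentially all confinement from that provider, so if the need really is limited to creating and deleting directories, it is worth checking whether the `files_manage_non_security_dirs`/`files_manage_non_security_files` rules already in this section suffice, and documenting the gap if they do not. Also `logging_send_syslog_msg(pegasus_openlmi_account_t)` appears twice in the account section; one copy can go.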
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) + manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) +-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file }) ++filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) ++ ++can_exec(pegasus_t, pegasus_exec_t) + + allow pegasus_t pegasus_mof_t:dir list_dir_perms; +-allow pegasus_t pegasus_mof_t:file read_file_perms; +-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms; ++read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) ++read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) + + manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) + manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) +-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file }) ++files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) + ++manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) + manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) + manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) +-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) +-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file }) +- +-can_exec(pegasus_t, pegasus_exec_t) ++files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) + + kernel_read_network_state(pegasus_t) + kernel_read_kernel_sysctls(pegasus_t) +@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t) + kernel_read_xen_state(pegasus_t) + kernel_write_xen_state(pegasus_t) + +-corenet_all_recvfrom_unlabeled(pegasus_t) + corenet_all_recvfrom_netlabel(pegasus_t) + corenet_tcp_sendrecv_generic_if(pegasus_t) + corenet_tcp_sendrecv_generic_node(pegasus_t) + corenet_tcp_sendrecv_all_ports(pegasus_t) + corenet_tcp_bind_generic_node(pegasus_t) +- +-corenet_sendrecv_pegasus_http_server_packets(pegasus_t) + corenet_tcp_bind_pegasus_http_port(pegasus_t) +- 
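Review bot: `files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })` drops `sock_file` from the class list the removed line had, while `manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)` is kept directly above it. Unless the socket is created inside the `/var/run/tog-pegasus` directory (where it inherits pegasus_var_run_t from the directory), a socket pegasus_t creates directly under /var/run will keep the parent's label, and the `pegasus_stream_connect` interface added in pegasus.if expects pegasus_var_run_t for exactly that socket. If the socket does not live under that directory, restore `files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir sock_file })`; otherwise a short comment noting that the dir transition covers the socket would save the next reader the same question.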
+-corenet_sendrecv_pegasus_https_server_packets(pegasus_t) + corenet_tcp_bind_pegasus_https_port(pegasus_t) +- +-corenet_sendrecv_pegasus_http_client_packets(pegasus_t) + corenet_tcp_connect_pegasus_http_port(pegasus_t) +- +-corenet_sendrecv_pegasus_https_client_packets(pegasus_t) + corenet_tcp_connect_pegasus_https_port(pegasus_t) +- +-corenet_sendrecv_generic_client_packets(pegasus_t) + corenet_tcp_connect_generic_port(pegasus_t) ++corenet_sendrecv_generic_client_packets(pegasus_t) ++corenet_sendrecv_pegasus_http_client_packets(pegasus_t) ++corenet_sendrecv_pegasus_http_server_packets(pegasus_t) ++corenet_sendrecv_pegasus_https_client_packets(pegasus_t) ++corenet_sendrecv_pegasus_https_server_packets(pegasus_t) + + corecmd_exec_bin(pegasus_t) + corecmd_exec_shell(pegasus_t) +@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t) + + auth_use_nsswitch(pegasus_t) + auth_domtrans_chk_passwd(pegasus_t) ++auth_read_shadow(pegasus_t) + + domain_use_interactive_fds(pegasus_t) + domain_read_all_domains_state(pegasus_t) +@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t) + logging_send_audit_msgs(pegasus_t) + logging_send_syslog_msg(pegasus_t) + +-miscfiles_read_localization(pegasus_t) ++mount_domtrans(pegasus_t) ++ ++sysnet_read_config(pegasus_t) ++sysnet_domtrans_ifconfig(pegasus_t) + + userdom_dontaudit_use_unpriv_user_fds(pegasus_t) + userdom_dontaudit_search_user_home_dirs(pegasus_t) + + optional_policy(` +- dbus_system_bus_client(pegasus_t) +- dbus_connect_system_bus(pegasus_t) ++ dbus_system_bus_client(pegasus_t) ++ dbus_connect_system_bus(pegasus_t) + +- optional_policy(` +- networkmanager_dbus_chat(pegasus_t) +- ') ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_t) ++ ') ++') ++ ++optional_policy(` ++ rhcs_stream_connect_cluster(pegasus_t) + ') + + optional_policy(` +@@ -151,16 +401,24 @@ optional_policy(` + ') + + optional_policy(` +- rpm_exec(pegasus_t) ++ ricci_stream_connect_modclusterd(pegasus_t) + ') + + optional_policy(` +- 
samba_manage_config(pegasus_t) ++ realmd_dbus_chat(pegasus_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(pegasus_t) +- seutil_dontaudit_read_config(pegasus_t) ++ rpc_read_exports(pegasus_t) ++ rpc_read_nfs_state_data(pegasus_t) ++') ++ ++optional_policy(` ++ rpm_domtrans(pegasus_t) ++') ++ ++optional_policy(` ++ samba_manage_config(pegasus_t) + ') + + optional_policy(` +@@ -168,7 +426,7 @@ optional_policy(` + ') + + optional_policy(` +- sysnet_domtrans_ifconfig(pegasus_t) ++ seutil_sigchld_newrole(pegasus_t) + ') + + optional_policy(` +diff --git a/pesign.fc b/pesign.fc +new file mode 100644 +index 0000000..7b54c39 +--- /dev/null ++++ b/pesign.fc +@@ -0,0 +1,6 @@ ++/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0) ++ ++/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0) ++ ++/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0) ++/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) +diff --git a/pesign.if b/pesign.if +new file mode 100644 +index 0000000..abd5dd8 +--- /dev/null ++++ b/pesign.if +@@ -0,0 +1,98 @@ ++ ++## pesign utility for signing UEFI binaries as well as other associated tools ++ ++######################################## ++## ++## Execute TEMPLATE in the pesign domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pesign_domtrans',` ++ gen_require(` ++ type pesign_t, pesign_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pesign_exec_t, pesign_t) ++') ++######################################## ++## ++## Read pesign PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pesign_read_pid_files',` ++ gen_require(` ++ type pesign_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t) ++') ++ ++######################################## ++## ++## Execute pesign server in the pesign domain. 
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pesign_systemctl',`
++ gen_require(`
++ type pesign_t;
++ type pesign_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 pesign_unit_file_t:file read_file_perms;
++ allow $1 pesign_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pesign_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an pesign environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`pesign_admin',`
++ gen_require(`
++ type pesign_t;
++ type pesign_var_run_t;
++ type pesign_unit_file_t;
++ ')
++
++ allow $1 pesign_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pesign_t)
++
++ files_search_pids($1)
++ admin_pattern($1, pesign_var_run_t)
++
++ pesign_systemctl($1)
++ admin_pattern($1, pesign_unit_file_t)
++ allow $1 pesign_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/pesign.te b/pesign.te
+new file mode 100644
+index 0000000..513887d
+--- /dev/null
++++ b/pesign.te
+@@ -0,0 +1,43 @@
++policy_module(pesign, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pesign_t;
++type pesign_exec_t;
++init_daemon_domain(pesign_t, pesign_exec_t)
++
++type pesign_var_run_t;
++files_pid_file(pesign_var_run_t)
++
++type pesign_unit_file_t;
++systemd_unit_file(pesign_unit_file_t)
++
++########################################
++#
++# pesign local policy
++#
++
++allow pesign_t self:capability { setgid setuid };
++allow pesign_t self:process setsched;
++allow pesign_t self:fifo_file rw_fifo_file_perms;
++allow pesign_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
++manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
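Review bot: `pesign_admin` grants `allow $1 pesign_t:process { ptrace signal_perms };` unconditionally, whereas the `pingd_admin` change in this same patch keeps only `signal_perms` and puts ptrace under ``tunable_policy(`deny_ptrace',`',` ... ')``; ptrace on a daemon that signs UEFI binaries lets the admin domain read its process memory, so it deserves the same gate — `allow $1 pesign_t:process signal_perms;` followed by the tunable block containing `allow $1 pesign_t:process ptrace;`. The summary of `pesign_domtrans` also still carries template text, `Execute TEMPLATE in the pesign domin.`, which should read `Execute pesign in the pesign domain.`. And `pesign_systemctl` includes `systemd_read_fifo_file_passwd_run($1)` while `pkcsslotd_systemctl` later in this patch does not, so one of the two is inconsistent and the difference should be either fixed or commented.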
++manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
++manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
++files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
++
++dev_read_urand(pesign_t)
++
++files_dontaudit_list_tmp(pesign_t)
++
++auth_use_nsswitch(pesign_t)
++
++logging_send_syslog_msg(pesign_t)
++
++miscfiles_read_certs(pesign_t)
++miscfiles_read_localization(pesign_t)
+diff --git a/pingd.if b/pingd.if
+index 21a6ecb..b99e4cb 100644
+--- a/pingd.if
++++ b/pingd.if
+@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
+ ')
+ 
+ files_search_etc($1)
+- allow $1 pingd_etc_t:file manage_file_perms;
++ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
++ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+ ')
+ 
+ #######################################
+@@ -81,9 +82,13 @@ interface(`pingd_admin',`
+ type pingd_initrc_exec_t;
+ ')
+ 
+- allow $1 pingd_t:process { ptrace signal_perms };
++ allow $1 pingd_t:process signal_perms;
+ ps_process_pattern($1, pingd_t)
+ 
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 pingd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pingd_initrc_exec_t system_r;
+diff --git a/pingd.te b/pingd.te
+index 0f77942..0e3f230 100644
+--- a/pingd.te
++++ b/pingd.te
+@@ -10,7 +10,7 @@ type pingd_exec_t;
+ init_daemon_domain(pingd_t, pingd_exec_t)
+ 
+ type pingd_etc_t;
+-files_type(pingd_etc_t)
++files_config_file(pingd_etc_t)
+ 
+ type pingd_initrc_exec_t;
+ init_script_file(pingd_initrc_exec_t)
+@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t)
+ files_search_usr(pingd_t)
+ 
+ logging_send_syslog_msg(pingd_t)
+-
+-miscfiles_read_localization(pingd_t)
+diff --git a/piranha.fc b/piranha.fc
+new file mode 100644
+index 0000000..20ea9f5
+--- /dev/null
++++ b/piranha.fc
+@@ -0,0 +1,24 @@
++
++/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
++
++# RHEL6
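Review bot: `files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })` omits `sock_file` although the line above grants `manage_sock_files_pattern` on pesign_var_run_t; a socket created directly under /var/run would be labelled var_run_t and fall outside every pesign_var_run_t rule, while the pkcsslotd.te added later in this patch uses `{ sock_file file dir }` for the same situation. Whether pesign creates its socket inside /var/run/pesign/ (where it would inherit the directory type) is not visible here, so either add `sock_file` to the transition or note why it is unnecessary. `allow pesign_t self:capability { setgid setuid };` would also benefit from a comment saying what the daemon changes identity for, since for a signing service those are the first capabilities a reviewer will question.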
++#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
++
++/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
++
++/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
++/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
++/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
++/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
++
++/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
++/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++
++/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
++
++/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
++/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
++/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
++/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
++
+diff --git a/piranha.if b/piranha.if
+new file mode 100644
+index 0000000..cf54103
+--- /dev/null
++++ b/piranha.if
+@@ -0,0 +1,187 @@
++## policy for piranha
++
++#######################################
++##
++## Creates types and rules for a basic
++## cluster init daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`piranha_domain_template',`
++ gen_require(`
++ attribute piranha_domain;
++ ')
++
++ ##############################
++ #
++ # piranha_$1_t declarations
++ #
++
++ type piranha_$1_t, piranha_domain;
++ type piranha_$1_exec_t;
++ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
++
++ # tmpfs files
++ type piranha_$1_tmpfs_t, piranha_tmpfs;
++ files_tmpfs_file(piranha_$1_tmpfs_t)
++
++ # pid files
++ type piranha_$1_var_run_t;
++ files_pid_file(piranha_$1_var_run_t)
++
++ ##############################
++ #
++ # piranha_$1_t local policy
++ #
++
++ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
++
++ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
++ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
++ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
++
++ kernel_read_system_state(piranha_$1_t)
++
++ auth_use_nsswitch(piranha_$1_t)
++
++ logging_send_syslog_msg(piranha_$1_t)
++')
++
++########################################
++##
++## Execute a domain transition to run fos.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_domtrans_fos',`
++ gen_require(`
++ type piranha_fos_t, piranha_fos_exec_t;
++ ')
++
++ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
++')
++
++#######################################
++##
++## Execute a domain transition to run lvsd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_domtrans_lvs',`
++ gen_require(`
++ type piranha_lvs_t, piranha_lvs_exec_t;
++ ')
++
++ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
++')
++
++#######################################
++##
++## Execute a domain transition to run pulse.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_domtrans_pulse',`
++ gen_require(`
++ type piranha_pulse_t, piranha_pulse_exec_t;
++ ')
++
++ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
++')
++
++#######################################
++##
++## Execute pulse server in the pulse domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`piranha_pulse_initrc_domtrans',`
++ gen_require(`
++ type piranha_pulse_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
++')
++
++########################################
++##
++## Allow the specified domain to read piranha's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`piranha_read_log',`
++ gen_require(`
++ type piranha_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, piranha_log_t, piranha_log_t)
++')
++
++########################################
++##
++## Allow the specified domain to append
++## piranha log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`piranha_append_log',`
++ gen_require(`
++ type piranha_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, piranha_log_t, piranha_log_t)
++')
++
++########################################
++##
++## Allow domain to manage piranha log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`piranha_manage_log',`
++ gen_require(`
++ type piranha_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
++ manage_files_pattern($1, piranha_log_t, piranha_log_t)
++ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
++')
+diff --git a/piranha.te b/piranha.te
+new file mode 100644
+index 0000000..a989aea
+--- /dev/null
++++ b/piranha.te
+@@ -0,0 +1,292 @@
++policy_module(piranha, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
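Review bot: `piranha_domain_template` only requires `attribute piranha_domain;` but also assigns `piranha_tmpfs` in `type piranha_$1_tmpfs_t, piranha_tmpfs;`, so the `gen_require` should read `attribute piranha_domain, piranha_tmpfs;` — today it appears to work only because the template is expanded inside piranha.te, where both attributes are declared. The three `piranha_domtrans_*` interfaces also omit the `corecmd_search_bin($1)` that `pesign_domtrans` and `pkcsslotd_domtrans` in this same patch place before `domtrans_pattern`; the piranha executables live under /usr/sbin, so a caller that cannot already search bin directories may be denied the lookup, and adding the line keeps the interfaces consistent.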

    ++## Allow piranha-lvs domain to connect to the network using TCP. ++##

    ++##
++gen_tunable(piranha_lvs_can_network_connect, false)
++
++attribute piranha_domain;
++attribute piranha_tmpfs;
++
++piranha_domain_template(fos)
++
++piranha_domain_template(lvs)
++
++piranha_domain_template(pulse)
++
++type piranha_pulse_initrc_exec_t;
++init_script_file(piranha_pulse_initrc_exec_t)
++
++piranha_domain_template(web)
++
++type piranha_web_conf_t;
++files_config_file(piranha_web_conf_t)
++
++type piranha_web_data_t;
++files_type(piranha_web_data_t)
++
++type piranha_web_tmp_t;
++files_tmp_file(piranha_web_tmp_t)
++
++type piranha_etc_rw_t;
++files_config_file(piranha_etc_rw_t)
++
++type piranha_log_t;
++logging_log_file(piranha_log_t)
++
++#######################################
++#
++# piranha-fos local policy
++#
++
++kernel_read_kernel_sysctls(piranha_fos_t)
++
++domain_read_all_domains_state(piranha_fos_t)
++
++optional_policy(`
++ consoletype_exec(piranha_fos_t)
++')
++
++# start and stop services
++init_domtrans_script(piranha_fos_t)
++
++########################################
++#
++# piranha-gui local policy
++#
++
++allow piranha_web_t self:capability { setuid sys_nice kill setgid };
++allow piranha_web_t self:process { getsched setsched signal signull };
++
++allow piranha_web_t self:rawip_socket create_socket_perms;
++allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
++allow piranha_web_t self:sem create_sem_perms;
++allow piranha_web_t self:shm create_shm_perms;
++
++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
++
++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
++rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
++
++manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
++manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
++logging_log_filetrans(piranha_web_t,
piranha_log_t, { dir file })
++
++can_exec(piranha_web_t, piranha_web_tmp_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
++
++piranha_pulse_initrc_domtrans(piranha_web_t)
++
++kernel_read_kernel_sysctls(piranha_web_t)
++
++corenet_tcp_bind_http_cache_port(piranha_web_t)
++corenet_tcp_bind_luci_port(piranha_web_t)
++corenet_tcp_bind_servistaitsm_port(piranha_web_t)
++corenet_tcp_connect_ricci_port(piranha_web_t)
++
++dev_read_rand(piranha_web_t)
++dev_read_urand(piranha_web_t)
++
++domain_read_all_domains_state(piranha_web_t)
++
++
++optional_policy(`
++ consoletype_exec(piranha_web_t)
++')
++
++optional_policy(`
++ apache_read_config(piranha_web_t)
++ apache_exec_modules(piranha_web_t)
++ apache_exec(piranha_web_t)
++')
++
++optional_policy(`
++ gnome_dontaudit_search_config(piranha_web_t)
++')
++
++optional_policy(`
++ sasl_connect(piranha_web_t)
++')
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
++ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
++')
++
++######################################
++#
++# piranha-lvs local policy
++#
++
++# neede by nanny
++allow piranha_lvs_t self:capability { net_raw sys_nice };
++allow piranha_lvs_t self:process signal;
++allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
++allow piranha_lvs_t self:rawip_socket create_socket_perms;
++
++manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++
++kernel_read_kernel_sysctls(piranha_lvs_t)
++
++# needed by nanny
++corenet_tcp_connect_ftp_port(piranha_lvs_t)
++corenet_tcp_connect_http_port(piranha_lvs_t)
++corenet_tcp_connect_smtp_port(piranha_lvs_t)
++
++sysnet_dns_name_resolve(piranha_lvs_t)
++
++# needed by nanny
++tunable_policy(`piranha_lvs_can_network_connect',`
++ corenet_tcp_connect_all_ports(piranha_lvs_t)
++')
++
++# needed by ipvsadm
++optional_policy(`
++ iptables_domtrans(piranha_lvs_t)
++')
++
++#######################################
++#
++# piranha-pulse local policy
++#
++
++allow piranha_pulse_t self:capability net_admin;
++
++allow piranha_pulse_t self:packet_socket create_socket_perms;
++
++# pulse starts fos and lvs daemon
++domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
++allow piranha_pulse_t piranha_fos_t:process signal;
++
++domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
++allow piranha_pulse_t piranha_lvs_t:process signal;
++
++kernel_read_kernel_sysctls(piranha_pulse_t)
++kernel_read_rpc_sysctls(piranha_pulse_t)
++kernel_rw_rpc_sysctls(piranha_pulse_t)
++kernel_search_debugfs(piranha_pulse_t)
++kernel_search_network_state(piranha_pulse_t)
++
++corecmd_exec_bin(piranha_pulse_t)
++corecmd_exec_shell(piranha_pulse_t)
++optional_policy(`
++ consoletype_exec(piranha_pulse_t)
++')
++
++corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
++corenet_udp_bind_cma_port(piranha_pulse_t)
++
++domain_read_all_domains_state(piranha_pulse_t)
++domain_getattr_all_domains(piranha_pulse_t)
++
++fs_getattr_all_fs(piranha_pulse_t)
++
++init_initrc_domain(piranha_pulse_t)
++
++logging_send_syslog_msg(piranha_pulse_t)
++
++# various services to failover
++
++optional_policy(`
++ apache_domtrans(piranha_pulse_t)
++ apache_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++ ftp_domtrans(piranha_pulse_t)
++ ftp_initrc_domtrans(piranha_pulse_t)
++ ftp_systemctl(piranha_pulse_t)
++')
++
++optional_policy(`
++ hostname_exec(piranha_pulse_t)
++')
++
++optional_policy(`
++ iptables_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
++ ldap_systemctl(piranha_pulse_t)
++ ldap_initrc_domtrans(piranha_pulse_t)
++ ldap_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
++ mysql_domtrans_mysql_safe(piranha_pulse_t)
++
mysql_stream_connect(piranha_pulse_t)
++')
++
++optional_policy(`
++ netutils_domtrans(piranha_pulse_t)
++ netutils_domtrans_ping(piranha_pulse_t)
++')
++
++optional_policy(`
++ postgresql_domtrans(piranha_pulse_t)
++ postgresql_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++ samba_initrc_domtrans(piranha_pulse_t)
++ samba_systemctl(piranha_pulse_t)
++ samba_domtrans_smbd(piranha_pulse_t)
++ samba_domtrans_nmbd(piranha_pulse_t)
++ samba_manage_var_files(piranha_pulse_t)
++ samba_rw_config(piranha_pulse_t)
++ samba_signal_smbd(piranha_pulse_t)
++ samba_signal_nmbd(piranha_pulse_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(piranha_pulse_t)
++')
++
++optional_policy(`
++ udev_read_db(piranha_pulse_t)
++')
++
++####################################
++#
++# piranha domains common policy
++#
++
++allow piranha_domain self:process signal_perms;
++allow piranha_domain self:fifo_file rw_fifo_file_perms;
++allow piranha_domain self:tcp_socket create_stream_socket_perms;
++allow piranha_domain self:udp_socket create_socket_perms;
++allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
++
++manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
++manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
++
++kernel_read_network_state(piranha_domain)
++
++corenet_tcp_sendrecv_generic_if(piranha_domain)
++corenet_udp_sendrecv_generic_if(piranha_domain)
++corenet_tcp_sendrecv_generic_node(piranha_domain)
++corenet_udp_sendrecv_generic_node(piranha_domain)
++corenet_tcp_sendrecv_all_ports(piranha_domain)
++corenet_udp_sendrecv_all_ports(piranha_domain)
++corenet_tcp_bind_generic_node(piranha_domain)
++corenet_udp_bind_generic_node(piranha_domain)
++
++corecmd_exec_bin(piranha_domain)
++corecmd_exec_shell(piranha_domain)
++
++sysnet_read_config(piranha_domain)
+diff --git a/pkcs.fc b/pkcs.fc
+deleted file mode 100644
+index f9dc0be..0000000
+---
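Review bot: `can_exec(piranha_web_t, piranha_web_tmp_t)` together with the `manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)` directly below it lets the network-facing GUI domain (it binds the http_cache, luci and servistaitsm ports) write a file to /tmp and then execute it, which gives away most of the benefit of confining a web front end; if the GUI genuinely runs generated scripts, the rule should at least sit under a tunable with a comment naming the script it needs. The same domain is also handed `piranha_pulse_initrc_domtrans(piranha_web_t)` and `setuid setgid kill` capabilities, so a compromised GUI can restart pulse through the init-script domain — each deserves a one-line justification. Separately, the `manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)` pair sits under the `piranha domains common policy` header but applies to pulse only and belongs in the pulse section, and `# neede by nanny` should read `# needed by nanny`. This hunk is the entire piranha.te, so nothing continues outside it.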
a/pkcs.fc
++++ /dev/null
+@@ -1,7 +0,0 @@
+-/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
+-
+-/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+-
+-/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+-
+-/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+diff --git a/pkcs.if b/pkcs.if
+deleted file mode 100644
+index 69be2aa..0000000
+--- a/pkcs.if
++++ /dev/null
+@@ -1,45 +0,0 @@
+-## Implementations of the Cryptoki specification.
+-
+-########################################
+-##
+-## All of the rules required to
+-## administrate an pkcs slotd environment.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+-#
+-interface(`pkcs_admin_slotd',`
+- gen_require(`
+- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
+- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
+- ')
+-
+- allow $1 pkcs_slotd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, pkcs_slotd_t)
+-
+- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_var_lib($1)
+- admin_pattern($1, pkcs_slotd_var_lib_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, pkcs_slotd_var_run_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, pkcs_slotd_tmp_t)
+-
+- fs_search_tmpfs($1)
+- admin_pattern($1, pkcs_slotd_tmpfs_t)
+-')
+diff --git a/pkcs.te b/pkcs.te
+deleted file mode 100644
+index 977b972..0000000
+--- a/pkcs.te
++++ /dev/null
+@@ -1,58 +0,0 @@
+-policy_module(pkcs, 1.0.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type pkcs_slotd_t;
+-type pkcs_slotd_exec_t;
+-init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
+-
+-type pkcs_slotd_initrc_exec_t;
+-init_script_file(pkcs_slotd_initrc_exec_t)
+-
+-type
pkcs_slotd_var_lib_t;
+-files_type(pkcs_slotd_var_lib_t)
+-
+-type pkcs_slotd_var_run_t;
+-files_pid_file(pkcs_slotd_var_run_t)
+-
+-type pkcs_slotd_tmp_t;
+-files_tmp_file(pkcs_slotd_tmp_t)
+-
+-type pkcs_slotd_tmpfs_t;
+-files_tmpfs_file(pkcs_slotd_tmpfs_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow pkcs_slotd_t self:capability kill;
+-allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
+-allow pkcs_slotd_t self:sem create_sem_perms;
+-allow pkcs_slotd_t self:shm create_shm_perms;
+-allow pkcs_slotd_t self:unix_stream_socket { accept listen };
+-
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+-manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+-files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+-
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
+-
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
+-files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+-
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+-
+-files_read_etc_files(pkcs_slotd_t)
+-
+-logging_send_syslog_msg(pkcs_slotd_t)
+-
+-miscfiles_read_localization(pkcs_slotd_t)
+diff --git a/pkcsslotd.fc b/pkcsslotd.fc
+new file mode 100644
+index 0000000..29d7c1c
+--- /dev/null
++++ b/pkcsslotd.fc
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
++
++/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
++
++/var/lib/opencryptoki(/.*)?
gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
++
++/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
++
++/var/run/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_var_run_t,s0)
+diff --git a/pkcsslotd.if b/pkcsslotd.if
+new file mode 100644
+index 0000000..848ddc9
+--- /dev/null
++++ b/pkcsslotd.if
+@@ -0,0 +1,155 @@
++
++## policy for pkcsslotd
++
++########################################
++##
++## Transition to pkcsslotd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pkcsslotd_domtrans',`
++ gen_require(`
++ type pkcsslotd_t, pkcsslotd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t)
++')
++
++########################################
++##
++## Search pkcsslotd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_search_lib',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read pkcsslotd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_read_lib_files',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++')
++
++########################################
++##
++## Manage pkcsslotd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_manage_lib_files',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++')
++
++########################################
++##
++## Manage pkcsslotd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_manage_lib_dirs',`
++ gen_require(`
++ type pkcsslotd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++')
++
++########################################
++##
++## Execute pkcsslotd server in the pkcsslotd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pkcsslotd_systemctl',`
++ gen_require(`
++ type pkcsslotd_t;
++ type pkcsslotd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 pkcsslotd_unit_file_t:file read_file_perms;
++ allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pkcsslotd_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an pkcsslotd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcsslotd_admin',`
++ gen_require(`
++ type pkcsslotd_t;
++ type pkcsslotd_var_lib_t;
++ type pkcsslotd_unit_file_t;
++ ')
++
++ allow $1 pkcsslotd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pkcsslotd_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, pkcsslotd_var_lib_t)
++
++ pkcsslotd_systemctl($1)
++ admin_pattern($1, pkcsslotd_unit_file_t)
++ allow $1 pkcsslotd_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/pkcsslotd.te b/pkcsslotd.te
+new file mode 100644
+index 0000000..2ce92e0
+--- /dev/null
++++ b/pkcsslotd.te
+@@ -0,0 +1,67 @@
++policy_module(pkcsslotd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pkcsslotd_t;
++type pkcsslotd_exec_t;
++init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t)
++
++type pkcsslotd_var_lib_t;
++files_type(pkcsslotd_var_lib_t)
++
++type pkcsslotd_lock_t;
++files_lock_file(pkcsslotd_lock_t)
++
++type pkcsslotd_unit_file_t;
++systemd_unit_file(pkcsslotd_unit_file_t)
++
++type
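Review bot: `pkcsslotd_admin` grants `allow $1 pkcsslotd_t:process { ptrace signal_perms };` unconditionally, while the `pingd_admin` hunk in this same patch keeps only `signal_perms` and moves ptrace under ``tunable_policy(`deny_ptrace',`',` ... ')``; pkcsslotd fronts the opencryptoki store that pkcsslotd.fc labels under /var/lib/opencryptoki, so reading its memory is worth the same gate. `pkcsslotd_manage_lib_files` and `pkcsslotd_manage_lib_dirs` hand out write access to that store and nothing visible here calls them; a summary such as `## Manage pkcsslotd lib files (the opencryptoki token store). Grant only to token-management domains.` would tell future callers what they are taking. `pkcsslotd_systemctl` also lacks the `systemd_read_fifo_file_passwd_run($1)` that `pesign_systemctl` includes, so one of the two is inconsistent and should be aligned or commented.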
pkcsslotd_tmp_t;
++files_tmp_file(pkcsslotd_tmp_t)
++
++type pkcsslotd_tmpfs_t;
++files_tmpfs_file(pkcsslotd_tmpfs_t)
++
++type pkcsslotd_var_run_t;
++files_pid_file(pkcsslotd_var_run_t)
++
++########################################
++#
++# pkcsslotd local policy
++#
++
++allow pkcsslotd_t self:capability { fsetid chown kill };
++
++allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
++allow pkcsslotd_t self:sem create_sem_perms;
++allow pkcsslotd_t self:shm create_shm_perms;
++allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)
++files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)
++
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
++manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
++files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
++
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
++manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
++fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file })
++
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
++files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })
++
++manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
++manage_sock_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
++files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file dir })
++
++domain_use_interactive_fds(pkcsslotd_t)
++
++auth_read_passwd(pkcsslotd_t)
++
++logging_send_syslog_msg(pkcsslotd_t)
+diff --git a/pki.fc b/pki.fc
+new file mode 100644
+index 0000000..726d992
+--- /dev/null
++++ b/pki.fc
+@@ -0,0 +1,56
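Review bot: `allow pkcsslotd_t self:capability { fsetid chown kill };` widens the old pkcs.te rule `allow pkcs_slotd_t self:capability kill;` (deleted earlier in this patch) with chown and fsetid but carries no justification; for a daemon that owns the token store under /var/lib/opencryptoki, changing file ownership is a right that should be explained inline, e.g. `# chown/fsetid: pkcsslotd adjusts ownership of the token files it creates — confirm against the daemon source`. Likewise `auth_read_passwd(pkcsslotd_t)` replaces the old `files_read_etc_files` and should say which lookup needs it. This hunk is the whole new pkcsslotd.te, so nothing continues outside it.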
@@
++/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
++/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
++/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++
++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
++/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
++/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
++
++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
++/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
++/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
++
++# default labeling for nCipher
++/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
++/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
++/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
++/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
++
++# old paths (for migration)
++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++
++/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
++
++#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
++/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
+diff --git a/pki.if b/pki.if
+new file mode 100644
+index 0000000..b975b85
+--- /dev/null
++++ b/pki.if
+@@ -0,0 +1,294 @@
++
++## policy for pki
++
++########################################
++##
++## Allow read and write pki cert files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_rw_tomcat_cert',`
++ gen_require(`
++ type pki_tomcat_cert_t;
++ type pki_tomcat_etc_rw_t;
++ ')
++
++ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
++ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++ create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++')
++
++########################################
++##
++## Allow domain to read pki cert files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_read_tomcat_cert',`
++ gen_require(`
++ type pki_tomcat_cert_t;
++ ')
++
++ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++')
++
++########################################
++##
++## Create a set of derived types for apache
++## web content.
++##
++##
++##
++## The prefix to be used for deriving type names.
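Review bot: The commented-out `#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)?` entry at the end of the file is dead configuration; a future reader cannot tell whether the path was dropped deliberately or is still pending, so either enable it or remove it and say why in the commit. The nCipher block writes `gen_context(system_u:object_r:pki_common_t, s0)` with a space before `s0` while every other entry in the file uses `,s0)`; worth normalising while the file is new. Note also that `/opt/nfast(/.*)?` puts the entire vendor tree, scripts and data alike, under the single type pki_common_t, which matters for how pki.te treats that type.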
++##
++##
++#
++template(`pki_apache_template',`
++ gen_require(`
++ attribute pki_apache_domain;
++ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
++ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_apache_domain;
++ type $1_exec_t, pki_apache_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_apache_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_apache_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_run_t, pki_apache_var_run;
++ files_pid_file($1_var_run_t)
++
++ type $1_var_lib_t, pki_apache_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_apache_var_log;
++ logging_log_file($1_log_t)
++
++ type $1_lock_t;
++ files_lock_file($1_lock_t)
++
++ type $1_tmp_t;
++ files_tmpfs_file($1_tmp_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ files_read_etc_files($1_t)
++ allow $1_t $1_etc_rw_t:lnk_file read;
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
++ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
++ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
++ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
++
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++
++ #talk to lunasa hsm
++ logging_send_syslog_msg($1_t)
++
++ kernel_read_kernel_sysctls($1_t)
++ kernel_read_system_state($1_t)
++
++ corenet_all_recvfrom_unlabeled($1_t)
++
++ # need to resolve addresses?
++ auth_use_nsswitch($1_t)
++
++ #pki_apache_domain_signal(httpd_t)
++ #pki_apache_domain_signal(httpd_t)
++ #pki_manage_apache_run(httpd_t)
++ #pki_manage_apache_config_files(httpd_t)
++ #pki_manage_apache_log_files(httpd_t)
++ #pki_manage_apache_lib(httpd_t)
++')
++
++#######################################
++##
++## Send a null signal to pki apache domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_apache_domain_signal',`
++ gen_require(`
++ attribute pki_apache_domain;
++ ')
++
++ allow $1 pki_apache_domain:process signal;
++')
++
++#######################################
++##
++## Send a null signal to pki apache domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_apache_domain_signull',`
++ gen_require(`
++ attribute pki_apache_domain;
++ ')
++
++ allow $1 pki_apache_domain:process signull;
++')
++
++###################################
++##
++## Allow domain to read pki apache subsystem pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_run',`
++ gen_require(`
++ attribute pki_apache_var_run;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
++')
++
++####################################
++##
++## Allow domain to manage pki apache subsystem lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_lib',`
++ gen_require(`
++ attribute pki_apache_var_lib;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
++ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
++')
++
++##################################
++##
++## Dontaudit domain to write pki log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_dontaudit_write_log',`
++ gen_require(`
++ type pki_log_t;
++ ')
++
++ dontaudit $1 pki_log_t:file write;
++')
++
++###################################
++##
++## Allow domain to manage pki apache subsystem log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_log_files',`
++ gen_require(`
++ attribute pki_apache_var_log;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
++')
++
++##################################
++##
++## Allow domain to manage pki apache subsystem config files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_manage_apache_config_files',`
++ gen_require(`
++ attribute pki_apache_config;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_config, pki_apache_config)
++')
++
++#################################
++##
++## Allow domain to read pki tomcat lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pki_read_tomcat_lib_files',`
++ gen_require(`
++ type pki_tomcat_var_lib_t;
++ ')
++
++ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++')
+diff --git a/pki.te b/pki.te
+new file mode 100644
+index 0000000..17f5d18
+--- /dev/null
++++ b/pki.te
+@@ -0,0 +1,284 @@
++policy_module(pki,10.0.11)
++
++########################################
++#
++# Declarations
++#
++
++attribute pki_apache_domain;
++attribute pki_apache_config;
++attribute pki_apache_executable;
++attribute pki_apache_var_lib;
++attribute pki_apache_var_log;
++attribute pki_apache_var_run;
++attribute pki_apache_pidfiles;
++attribute pki_apache_script;
++
++type pki_log_t;
++files_type(pki_log_t)
++
++type pki_common_t;
++files_type(pki_common_t)
++
++type pki_common_dev_t;
++files_type(pki_common_dev_t)
++
++type pki_tomcat_etc_rw_t;
++files_type(pki_tomcat_etc_rw_t)
++
++type pki_tomcat_cert_t;
++files_type(pki_tomcat_cert_t)
++
++tomcat_domain_template(pki_tomcat)
++
++type pki_tomcat_unit_file_t;
++systemd_unit_file(pki_tomcat_unit_file_t)
++
++type pki_tomcat_lock_t;
++files_lock_file(pki_tomcat_lock_t)
++
++# old type aliases for migration
++typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
++typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
++typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
++typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
++typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
++# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
++
++
++# pki policy types
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_apache_template(pki_tps)
++
++# ra
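Review bot: `pki_manage_apache_run`, `pki_manage_apache_log_files` and `pki_manage_apache_config_files` all use `files_search_var_lib($1)` as their parent-directory helper, but the attributes they grant access to are placed under /var/run, /var/log and /etc respectively by `pki_apache_template` (`files_pid_filetrans`, `logging_log_filetrans`, `files_etc_filetrans`), so callers never receive search permission on the directories actually involved; the helpers should be `files_search_pids($1)`, `logging_search_logs($1)` and `files_search_etc($1)`. `pki_manage_apache_run` is also named "manage" while its body grants only `read_files_pattern` and its summary says "read", so either the name or the body is wrong. In `pki_apache_template`, `$1_tmp_t` is declared with `files_tmpfs_file($1_tmp_t)` but then used with `files_tmp_filetrans($1_t, $1_tmp_t, { file dir })`; those are different filesystems, so it should be `files_tmp_file($1_tmp_t)` unless tmpfs placement was intended. The summary of `pki_apache_domain_signal` is a copy of the signull one; suggest `## Send a generic signal to pki apache domains.`, and the block of `#pki_...(httpd_t)` commented-out calls at the end of the template is dead code that should be removed or explained.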
policy types
++type pki_ra_tomcat_exec_t;
++files_type(pki_ra_tomcat_exec_t)
++
++pki_apache_template(pki_ra)
++
++# needed for dogtag 9 style instances
++type pki_tomcat_script_t;
++domain_type(pki_tomcat_script_t)
++role system_r types pki_tomcat_script_t;
++
++optional_policy(`
++ unconfined_domain(pki_tomcat_script_t)
++')
++
++########################################
++#
++# pki-tomcat local policy
++#
++
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++allow pki_tomcat_t self:process { signal setsched signull execmem };
++
++allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
++allow pki_tomcat_t self:tcp_socket { accept listen };
++
++# allow writing to the kernel keyring
++allow pki_tomcat_t self:key { write read };
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
++
++read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
++read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
++allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
++allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
++systemd_search_unit_dirs(pki_tomcat_t)
++
++# allow java subsystems to talk to the ncipher hsm
++allow pki_tomcat_t pki_common_dev_t:sock_file write;
++allow pki_tomcat_t pki_common_dev_t:dir search;
++allow pki_tomcat_t pki_common_t:dir create_dir_perms;
++manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
++can_exec(pki_tomcat_t, pki_common_t)
++init_stream_connect_script(pki_tomcat_t)
++
++search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
++
++kernel_read_kernel_sysctls(pki_tomcat_t)
++
++corenet_tcp_connect_http_cache_port(pki_tomcat_t)
++corenet_tcp_connect_ldap_port(pki_tomcat_t)
++corenet_tcp_connect_smtp_port(pki_tomcat_t)
++corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
++
++selinux_get_enforce_mode(pki_tomcat_t)
++
++logging_send_audit_msgs(pki_tomcat_t)
++
++miscfiles_read_hwdata(pki_tomcat_t)
++
++# is this really needed?
++userdom_manage_user_tmp_dirs(pki_tomcat_t)
++userdom_manage_user_tmp_files(pki_tomcat_t)
++
++# forward proxy
++# need to define ports to fix this
++#corenet_tcp_connect_pki_tomcat_port(httpd_t)
++
++# for crl publishing
++allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
++
++# for ECC
++auth_getattr_shadow(pki_tomcat_t)
++
++optional_policy(`
++ consoletype_exec(pki_tomcat_t)
++')
++
++optional_policy(`
++ dirsrv_manage_var_lib(pki_tomcat_t)
++')
++
++optional_policy(`
++ hostname_exec(pki_tomcat_t)
++')
++
++#######################################
++#
++# tps local policy
++#
++
++# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
++allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
++
++corenet_tcp_bind_pki_tps_port(pki_tps_t)
++# customer may run an ldap server on 389
++corenet_tcp_connect_ldap_port(pki_tps_t)
++# connect to other subsystems
++corenet_tcp_connect_pki_ca_port(pki_tps_t)
++corenet_tcp_connect_pki_kra_port(pki_tps_t)
++corenet_tcp_connect_pki_tks_port(pki_tps_t)
++
++files_exec_usr_files(pki_tps_t)
++
++# why do I need to add this?
++#allow httpd_t httpd_config_t:file execute;
++
++######################################
++#
++# ra local policy
++#
++
++# RA specific? talking to mysql?
++allow pki_ra_t self:udp_socket { write read create connect };
++allow pki_ra_t self:unix_dgram_socket { write create connect };
++
++corenet_tcp_bind_pki_ra_port(pki_ra_t)
++# talk to other subsystems
++corenet_tcp_connect_pki_ca_port(pki_ra_t)
++corenet_tcp_connect_smtp_port(pki_ra_t)
++
++fs_getattr_xattr_fs(pki_ra_t)
++
++files_search_spool(pki_ra_t)
++files_exec_usr_files(pki_ra_t)
++
++optional_policy(`
++ mta_send_mail(pki_ra_t)
++ mta_manage_spool(pki_ra_t)
++ mta_manage_queue(pki_ra_t)
++ mta_read_config(pki_ra_t)
++')
++
++#####################################
++#
++# pki_apache_domain local policy
++#
++
++
++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
++allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
++
++allow pki_apache_domain self:sem all_sem_perms;
++allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
++allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
++
++# allow writing to the kernel keyring
++allow pki_apache_domain self:key { write read };
++
++## internal communication is often done using fifo and unix sockets.
++allow pki_apache_domain self:fifo_file rw_file_perms;
++allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
++
++# talk to the hsm
++allow pki_apache_domain pki_common_dev_t:sock_file write;
++allow pki_apache_domain pki_common_dev_t:dir search;
++allow pki_apache_domain pki_common_t:dir create_dir_perms;
++manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
++can_exec(pki_apache_domain, pki_common_t)
++init_stream_connect_script(pki_apache_domain)
++
++corenet_sendrecv_unlabeled_packets(pki_apache_domain)
++corenet_tcp_bind_all_nodes(pki_apache_domain)
++corenet_tcp_sendrecv_all_if(pki_apache_domain)
++corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
++corenet_tcp_sendrecv_all_ports(pki_apache_domain)
++#corenet_all_recvfrom_unlabeled(pki_apache_domain)
++corenet_tcp_connect_generic_port(pki_apache_domain)
++
++# Init script handling
++domain_use_interactive_fds(pki_apache_domain)
++
++seutil_exec_setfiles(pki_apache_domain)
++
++init_dontaudit_write_utmp(pki_apache_domain)
++
++libs_use_ld_so(pki_apache_domain)
++libs_use_shared_libs(pki_apache_domain)
++libs_exec_ld_so(pki_apache_domain)
++libs_exec_lib_files(pki_apache_domain)
++
++fs_search_cgroup_dirs(pki_apache_domain)
++
++corecmd_exec_bin(pki_apache_domain)
++corecmd_exec_shell(pki_apache_domain)
++
++dev_read_urand(pki_apache_domain)
++dev_read_rand(pki_apache_domain)
++
++# shutdown script uses ps
++domain_dontaudit_read_all_domains_state(pki_apache_domain)
++ps_process_pattern(pki_apache_domain, pki_apache_domain)
++
++sysnet_read_config(pki_apache_domain)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
++ term_dontaudit_use_generic_ptys(pki_apache_domain)
++')
++
++optional_policy(`
++ # apache permissions
++ apache_exec_modules(pki_apache_domain)
++ apache_list_modules(pki_apache_domain)
++ apache_read_config(pki_apache_domain)
++ apache_exec(pki_apache_domain)
++ apache_exec_suexec(pki_apache_domain)
++ apache_entrypoint(pki_apache_domain)
++
++ # should be started using a script which will execute httpd
++ # start up httpd in pki_apache_domain mode
++ #can_exec(pki_apache_domain, httpd_config_t)
++ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
++')
++
++# allow rpm -q in init scripts
++optional_policy(`
++ rpm_exec(pki_apache_domain)
++')
++
+diff --git a/plymouthd.fc b/plymouthd.fc
+index 735500f..ef1dd7a 100644
+--- a/plymouthd.fc
++++ b/plymouthd.fc
+@@ -1,15 +1,15 @@
+-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
++/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+
+-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
++/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
++/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+
+-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
++/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+
+-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
++/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
++/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+
+-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
++/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
++/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+
+-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+diff --git a/plymouthd.if b/plymouthd.if
+index 30e751f..3985ff9 100644
+--- a/plymouthd.if
++++ b/plymouthd.if
+@@ -1,4 +1,4 @@
+-## Plymouth graphical boot.
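Review bot: `manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)` next to `can_exec(pki_tomcat_t, pki_common_t)` (and the identical pair for pki_apache_domain in the "talk to the hsm" block) gives each PKI domain write and execute on the same type, so a compromised service could drop and run code under /opt/nfast without any label change; splitting the executable parts of that tree into their own non-writable type, or restricting the write side to the data subdirectories, would keep the write/execute separation the rest of the module maintains. `unconfined_domain(pki_tomcat_script_t)` inside the optional_policy makes that domain fully unconfined, and nothing visible here transitions into it or labels an executable with it, so the comment "needed for dogtag 9 style instances" should name the entry point that relies on it or the block should be dropped. `attribute pki_apache_pidfiles;` is declared but never referenced in this file, and `libs_use_ld_so`/`libs_use_shared_libs` are, as far as I know, deprecated no-op interfaces in current refpolicy and can go. `allow pki_apache_domain self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, the form pkcsslotd.te in this same patch uses.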
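Review bot: Replacing `/var/log/boot\.log.* --` with `/var/log/boot\.log` drops both the `.*` suffix and the regular-file qualifier, so rotated copies such as boot.log.1 presumably fall back to whatever the generic /var/log entry assigns, while the new pattern can also match a non-regular object of that name. If rotated copies are meant to keep plymouthd_var_log_t, keep `/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)`; if relabelling them generically is intentional (the plymouthd.te hunk adding `logging_delete_generic_logs` suggests it may be), a one-line comment above the entry would save the next reader the question. The rest of this hunk is a pure reorder that makes the one substantive change hard to spot.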
++## Plymouth graphical boot
+
+ ########################################
+ ##
+@@ -10,18 +10,17 @@
+ ##
+ ##
+ #
+-interface(`plymouthd_domtrans',`
++interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+ ')
+
+ ########################################
+ ##
+-## Execute plymouthd in the caller domain.
++## Execute the plymoth daemon in the current domain
+ ##
+ ##
+ ##
+@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
+ ##
+ ##
+ #
+-interface(`plymouthd_exec',`
++interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, plymouthd_exec_t)
+ ')
+
+ ########################################
+ ##
+-## Connect to plymouthd using a unix
+-## domain stream socket.
++## Allow domain to Stream socket connect
++## to Plymouth daemon.
+ ##
+ ##
+ ##
+@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
+ ##
+ ##
+ #
+-interface(`plymouthd_stream_connect',`
++interface(`plymouthd_stream_connect', `
+ gen_require(`
+- type plymouthd_t, plymouthd_spool_t;
++ type plymouthd_t;
+ ')
+
+- files_search_spool($1)
+- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
++ allow $1 plymouthd_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
+ ##
+-## Execute plymouth in the caller domain.
++## Execute the plymoth command in the current domain
+ ##
+ ##
+ ##
+@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
+ ##
+ ##
+ #
+-interface(`plymouthd_exec_plymouth',`
++interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, plymouth_exec_t)
+ ')
+
+ ########################################
+ ##
+-## Execute a domain transition to run plymouth.
++## Execute a domain transition to run plymouthd.
+ ##
+ ##
+ ##
+@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
+ ##
+ ##
+ #
+-interface(`plymouthd_domtrans_plymouth',`
++interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+ ')
+
+@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
+ ##
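Review bot: `plymouthd_stream_connect` now grants only `allow $1 plymouthd_t:unix_stream_socket connectto;` and drops the plymouthd_spool_t requirement, which is sufficient only if plymouthd listens on an abstract socket; if it still binds a socket file under /var/spool/plymouth the caller also needs `write` on that sock_file, so the reason should be recorded, e.g. `# plymouthd listens on an abstract unix socket; no sock_file access needed` — please confirm which it is. The `corecmd_search_bin($1)` calls removed from `plymouthd_domtrans`, `plymouthd_exec` and `plymouthd_exec_plymouth` here (and from `plymouthd_domtrans_plymouth` in the next hunk) leave those interfaces relying on the caller already being able to search bin directories; fine if the base policy guarantees it, but that assumption is not stated anywhere. The new summaries misspell the program twice; they should read `## Execute the plymouth daemon in the current domain` and `## Execute the plymouth command in the current domain`.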
    + ## + # +-interface(`plymouthd_search_spool',` ++interface(`plymouthd_search_spool', ` + gen_require(` + type plymouthd_spool_t; + ') + +- files_search_spool($1) + allow $1 plymouthd_spool_t:dir search_dir_perms; ++ files_search_spool($1) + ') + + ######################################## +@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',` + ##
    + ## + # +-interface(`plymouthd_manage_spool_files',` ++interface(`plymouthd_manage_spool_files', ` + gen_require(` + type plymouthd_spool_t; + ') +@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',` + ##
    + ## + # +-interface(`plymouthd_search_lib',` ++interface(`plymouthd_search_lib', ` + gen_require(` + type plymouthd_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 plymouthd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## +@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',` + ##
    + ## + # +-interface(`plymouthd_read_lib_files',` ++interface(`plymouthd_read_lib_files', ` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',` + ##
    + ## + # +-interface(`plymouthd_manage_lib_files',` ++interface(`plymouthd_manage_lib_files', ` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',` + + ######################################## + ## +-## Read plymouthd pid files. ++## Read plymouthd PID files. + ## + ## + ## +@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',` + ## + ## + # +-interface(`plymouthd_read_pid_files',` ++interface(`plymouthd_read_pid_files', ` + gen_require(` + type plymouthd_var_run_t; + ') +@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an plymouthd environment. ++## Allow the specified domain to read ++## to plymouthd log files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`plymouthd_read_log',` ++ gen_require(` ++ type plymouthd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## to plymouthd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`plymouthd_manage_log',` ++ gen_require(` ++ type plymouthd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++') ++ ++####################################### ++## ++## Allow domain to create boot.log ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`plymouthd_create_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_rw_generic_log_dirs($1)
++ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an plymouthd environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`plymouthd_admin',`
++interface(`plymouthd_admin', `
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
+ type plymouthd_var_run_t;
+ ')
+
+- allow $1 plymouthd_t:process { ptrace signal_perms };
+- read_files_pattern($1, plymouthd_t, plymouthd_t)
++ allow $1 plymouthd_t:process signal_perms;
++ ps_process_pattern($1, plymouthd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 plymouthd_t:process ptrace;
++ ')
+
+- files_search_spool($1)
++ files_list_var_lib($1)
+ admin_pattern($1, plymouthd_spool_t)
+
+- files_search_var_lib($1)
+ admin_pattern($1, plymouthd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, plymouthd_var_run_t)
+ ')
+diff --git a/plymouthd.te b/plymouthd.te
+index b1f412b..3a3249a 100644
+--- a/plymouthd.te
++++ b/plymouthd.te
+@@ -1,4 +1,4 @@
+-policy_module(plymouthd, 1.1.4)
++policy_module(plymouthd, 1.0.1)
+
+ ########################################
+ #
+@@ -15,7 +15,7 @@ type plymouthd_exec_t;
+ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+ type plymouthd_spool_t;
+-files_type(plymouthd_spool_t)
++files_spool_file(plymouthd_spool_t)
+
+ type plymouthd_var_lib_t;
+ files_type(plymouthd_var_lib_t)
+@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
+
+ ########################################
+ #
+-# Daemon local policy
++# Plymouthd private policy
+ #
+
+ allow plymouthd_t self:capability { sys_admin sys_tty_config };
+-dontaudit plymouthd_t self:capability dac_override;
+ allow plymouthd_t self:capability2 block_suspend;
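Review bot: In `plymouthd_admin` the `files_search_spool($1)` that preceded `admin_pattern($1, plymouthd_spool_t)` is replaced by `files_list_var_lib($1)`, so the admin domain loses search on /var/spool while the var_lib helper now sits above the spool rule; this reads as a copy-paste slip and should be `files_list_spool($1)` before the spool admin_pattern, with `files_list_var_lib($1)` above the var_lib one. The `deny_ptrace` tunable gate around `allow $1 plymouthd_t:process ptrace;` is the right pattern and is what `pkcsslotd_admin` earlier in this patch should follow instead of its unconditional `{ ptrace signal_perms }`. `plymouthd_create_log` pairs a named transition for "boot.log" with `logging_rw_generic_log_dirs($1)`, i.e. write on the whole /var/log directory, which is broader than creating one file needs; if no narrower interface exists a comment saying so would stop the next reader from tightening it blindly.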
++dontaudit plymouthd_t self:capability dac_override;
+ allow plymouthd_t self:process { signal getsched };
+ allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+ allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+ manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
++manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+ logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
+
+ manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
+
+ fs_getattr_all_fs(plymouthd_t)
+
+-files_read_etc_files(plymouthd_t)
+-files_read_usr_files(plymouthd_t)
+
+ term_getattr_pty_fs(plymouthd_t)
+ term_use_all_terms(plymouthd_t)
+ term_use_ptmx(plymouthd_t)
+
+-miscfiles_read_localization(plymouthd_t)
++init_signal(plymouthd_t)
++
++logging_link_generic_logs(plymouthd_t)
++logging_delete_generic_logs(plymouthd_t)
++
++auth_read_passwd(plymouthd_t)
++
+ miscfiles_read_fonts(plymouthd_t)
+ miscfiles_manage_fonts_cache(plymouthd_t)
+
++userdom_read_admin_home_files(plymouthd_t)
++
++term_use_unallocated_ttys(plymouthd_t)
++
+ optional_policy(`
+- gnome_read_generic_home_content(plymouthd_t)
++ gnome_read_config(plymouthd_t)
+ ')
+
+ optional_policy(`
+@@ -90,35 +96,33 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_manage_xdm_spool_files(plymouthd_t)
+- xserver_read_xdm_state(plymouthd_t)
++ xserver_xdm_manage_spool(plymouthd_t)
++ xserver_read_state_xdm(plymouthd_t)
+ ')
+
+ ########################################
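Review bot: `logging_link_generic_logs(plymouthd_t)` and `logging_delete_generic_logs(plymouthd_t)` let the boot-splash daemon unlink or hard-link any file carrying the generic log type under /var/log, not just its own boot.log, and together with the preceding hunk widening plymouthd_var_log_t from append/create/setattr to `manage_files_pattern` the daemon can now truncate or remove logs it never wrote, which weakens log integrity for later investigation. If the only need is rotating boot.log (the .fc change stops labelling rotated copies), keeping those names under plymouthd_var_log_t and dropping the generic-log interfaces would be tighter; otherwise record the reason, e.g. `# rotated boot.log copies carry the generic log label, so plymouthd must be able to link/unlink them` — assuming that is indeed the case. `userdom_read_admin_home_files(plymouthd_t)` likewise deserves a one-line justification, since reading the admin home from a boot-time daemon is not self-evidently required.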
+ #
+-# Client local policy
++# Plymouth private policy
+ #
+
+ allow plymouth_t self:process signal;
+-allow plymouth_t self:fifo_file rw_fifo_file_perms;
++allow plymouth_t self:fifo_file rw_file_perms;
+ allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+-
+ kernel_read_system_state(plymouth_t)
+ kernel_stream_connect(plymouth_t)
+
+ domain_use_interactive_fds(plymouth_t)
+
+-files_read_etc_files(plymouth_t)
+
+ term_use_ptmx(plymouth_t)
+
+-miscfiles_read_localization(plymouth_t)
+
+ sysnet_read_config(plymouth_t)
+
+-ifdef(`hide_broken_symptoms',`
++plymouthd_stream_connect(plymouth_t)
++
++ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+diff --git a/podsleuth.te b/podsleuth.te
+index a14b3bc..b196183 100644
+--- a/podsleuth.te
++++ b/podsleuth.te
+@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+ #
+
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
++allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
++
+ allow podsleuth_t self:fifo_file rw_fifo_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
+@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
+
+ dev_read_urand(podsleuth_t)
+
+-files_read_etc_files(podsleuth_t)
+
+ fs_mount_dos_fs(podsleuth_t)
+ fs_unmount_dos_fs(podsleuth_t)
+@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
+ fs_list_tmpfs(podsleuth_t)
+ fs_rw_removable_blk_files(podsleuth_t)
+
+-miscfiles_read_localization(podsleuth_t)
+-
+ sysnet_dns_name_resolve(podsleuth_t)
+
+ userdom_signal_unpriv_users(podsleuth_t)
+diff --git a/policykit.fc b/policykit.fc
+index 1d76c72..93d09d9 100644
+---
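Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` swaps the fifo-specific permission set for the generic file one; the two may expand identically today, but `rw_fifo_file_perms` is the convention (pkcsslotd.te in this same patch uses it) and the change looks accidental, so keep `allow plymouth_t self:fifo_file rw_fifo_file_perms;`. Replacing `stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)` with `plymouthd_stream_connect(plymouth_t)` silently drops the sock_file write on plymouthd_spool_t, so the client only keeps working if the daemon socket is abstract; that is the same open question as in the plymouthd.if hunk and should be answered once, in the interface. The removed `files_read_etc_files` / `miscfiles_read_localization` lines here and in the podsleuth.te hunks leave doubled blank lines behind that should be collapsed.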
a/policykit.fc ++++ b/policykit.fc +@@ -1,23 +1,22 @@ +-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +- +-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) ++/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) ++/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) + + /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) + /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) 
++/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) ++/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) + +-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) +-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) + +-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) +diff --git a/policykit.if b/policykit.if +index 032a84d..be00a65 100644 +--- a/policykit.if ++++ b/policykit.if +@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',` + class dbus send_msg; + ') + ++ ps_process_pattern(policykit_t, $1) ++ + allow $1 policykit_t:dbus send_msg; + allow policykit_t $1:dbus send_msg; + ') +@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',` + ######################################## + ## + ## Send and receive messages from +-## policykit auth over dbus. ++## policykit over dbus. 
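Review bot: Labelling `/usr/libexec/kde4/polkit-kde-authentication-agent-1` as policykit_auth_exec_t puts a desktop-session agent on the same exec type as the setuid `polkit-agent-helper-1`, so every domain that gets `policykit_domtrans_auth` or `policykit_run_auth` will now run the KDE agent in policykit_auth_t, with that domain's `ipc_lock setgid setuid` capabilities and `auth_domtrans_chk_passwd`. If the agent only needs to talk to polkitd over D-Bus it should stay in the user domain or get its own exec type; if the transition is intended, a comment next to the entry should say why. The new `/usr/bin/pkla-check-authorization` entry raises the same question, since it looks like a read-only authority checker.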
+ ## + ## + ## +@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',` + class dbus send_msg; + ') + ++ ps_process_pattern(policykit_auth_t, $1) ++ + allow $1 policykit_auth_t:dbus send_msg; + allow policykit_auth_t $1:dbus send_msg; + ') +@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',` + ## Execute a domain transition to run polkit_auth. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`policykit_domtrans_auth',` +@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',` + type policykit_auth_t, policykit_auth_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) + ') + + ######################################## + ## +-## Execute a policy_auth in the policy +-## auth domain, and allow the specified +-## role the policy auth domain. ++## Execute a policy_auth in the policy_auth domain, and ++## allow the specified role the policy_auth domain, + ## + ## + ## +@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',` + ## Role allowed access. + ## + ## ++## + # + interface(`policykit_run_auth',` + gen_require(` +- attribute_role policykit_auth_roles; ++ type policykit_auth_t; + ') + + policykit_domtrans_auth($1) +- roleattribute $2 policykit_auth_roles; ++ role $2 types policykit_auth_t; ++ ++ allow $1 policykit_auth_t:process signal; ++ ps_process_pattern(policykit_auth_t, $1) + ') + + ######################################## + ## +-## Execute a domain transition to run polkit grant. ++## Execute a domain transition to run polkit_grant. + ## + ## +-## ++## + ## Domain allowed to transition. 
+-## ++## + ## + # + interface(`policykit_domtrans_grant',` +@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',` + type policykit_grant_t, policykit_grant_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) + ') + + ######################################## + ## +-## Execute a policy_grant in the policy +-## grant domain, and allow the specified +-## role the policy grant domain. ++## Execute a policy_grant in the policy_grant domain, and ++## allow the specified role the policy_grant domain, + ## + ## + ## +@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',` + # + interface(`policykit_run_grant',` + gen_require(` +- attribute_role policykit_grant_roles; ++ type policykit_grant_t; + ') + + policykit_domtrans_grant($1) +- roleattribute $2 policykit_grant_roles; ++ role $2 types policykit_grant_t; ++ ++ allow $1 policykit_grant_t:process signal; ++ ++ ps_process_pattern(policykit_grant_t, $1) + ') + + ######################################## + ## +-## Read policykit reload files. ++## read policykit reload files + ## + ## + ## +@@ -154,7 +162,7 @@ interface(`policykit_read_reload',` + + ######################################## + ## +-## Read and write policykit reload files. ++## rw policykit reload files + ## + ## + ## +@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',` + + ######################################## + ## +-## Execute a domain transition to run polkit resolve. ++## Execute a domain transition to run polkit_resolve. + ## + ## +-## ++## + ## Domain allowed to transition. 
+-## ++## + ## + # + interface(`policykit_domtrans_resolve',` +@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',` + type policykit_resolve_t, policykit_resolve_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) ++ ++ ps_process_pattern(policykit_resolve_t, $1) + ') + + ######################################## +@@ -205,13 +214,13 @@ interface(`policykit_search_lib',` + type policykit_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 policykit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## + ## +-## Read policykit lib files. ++## read policykit lib files + ## + ## + ## +@@ -226,4 +235,50 @@ interface(`policykit_read_lib',` + + files_search_var_lib($1) + read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) ++ ++ optional_policy(` ++ # Broken placement ++ cron_read_system_job_lib_files($1) ++ ') ++') ++ ++####################################### ++## ++## The per role template for the policykit module. ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++template(`policykit_role',` ++ policykit_run_auth($2, $1) ++ policykit_run_grant($2, $1) ++ policykit_read_lib($2) ++ policykit_read_reload($2) ++ policykit_dbus_chat($2) ++') ++ ++######################################## ++## ++## Send generic signal to policy_auth ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`policykit_signal_auth',` ++ gen_require(` ++ type policykit_auth_t; ++ ') ++ ++ allow $1 policykit_auth_t:process signal; + ') +diff --git a/policykit.te b/policykit.te +index 49694e8..a1497cd 100644 +--- a/policykit.te ++++ b/policykit.te +@@ -1,4 +1,4 @@ +-policy_module(policykit, 1.2.8) ++policy_module(policykit, 1.1.0) + + ######################################## + # +@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8) + + attribute policykit_domain; + +-attribute_role policykit_auth_roles; +-attribute_role policykit_grant_roles; +- + type policykit_t, policykit_domain; + type policykit_exec_t; + init_daemon_domain(policykit_t, policykit_exec_t) +@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t) + type policykit_auth_t, policykit_domain; + type policykit_auth_exec_t; + init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) +-role policykit_auth_roles types policykit_auth_t; + + type policykit_grant_t, policykit_domain; + type policykit_grant_exec_t; + init_system_domain(policykit_grant_t, policykit_grant_exec_t) +-role policykit_grant_roles types policykit_grant_t; + + type policykit_resolve_t, policykit_domain; + type policykit_resolve_exec_t; +@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t) + + ####################################### + # +-# Common policykit domain local policy ++# policykit_domain local policy + # + + allow policykit_domain self:process { execmem getattr }; + allow policykit_domain self:fifo_file rw_fifo_file_perms; + +-kernel_search_proc(policykit_domain) +- +-corecmd_exec_bin(policykit_domain) +- + dev_read_sysfs(policykit_domain) + +-files_read_usr_files(policykit_domain) +- +-logging_send_syslog_msg(policykit_domain) +- +-miscfiles_read_localization(policykit_domain) +- + ######################################## + # +-# Local policy ++# policykit local policy + # + + allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; + allow 
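Review bot: `cron_read_system_job_lib_files($1)` inside `policykit_read_lib` grants every caller of that interface read access to cron's system job lib files, and the `# Broken placement` comment beside it says the author already knows it does not belong here; the domain that actually hit the denial should call the cron interface itself rather than have every future `policykit_read_lib` user inherit it. The parameter description of the new `policykit_signal_auth` reads `Domain allowed to transition.` although the interface only grants `process signal`, so it should read `Domain allowed access.`.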
policykit_t self:process { getsched setsched signal }; +-allow policykit_t self:unix_stream_socket { accept connectto listen }; ++allow policykit_t self:unix_dgram_socket create_socket_perms; ++allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++policykit_domtrans_auth(policykit_t) ++allow policykit_t policykit_auth_t:process signal; ++ ++can_exec(policykit_t, policykit_exec_t) ++corecmd_exec_bin(policykit_t) ++ ++dev_read_sysfs(policykit_t) + + rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) + ++policykit_domtrans_resolve(policykit_t) ++ + manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) + + manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) + manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) + files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) + +-can_exec(policykit_t, policykit_exec_t) +- +-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t) +-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t) +- +-kernel_read_kernel_sysctls(policykit_t) + kernel_read_system_state(policykit_t) ++kernel_read_kernel_sysctls(policykit_t) + + domain_read_all_domains_state(policykit_t) + + files_dontaudit_search_all_mountpoints(policykit_t) + ++fs_getattr_all_fs(policykit_t) + fs_list_inotifyfs(policykit_t) ++fs_list_cgroup_dirs(policykit_t) + + auth_use_nsswitch(policykit_t) + ++init_list_pid_dirs(policykit_t) ++ ++logging_send_syslog_msg(policykit_t) ++ + userdom_getattr_all_users(policykit_t) + userdom_read_all_users_state(policykit_t) ++userdom_dontaudit_search_admin_dir(policykit_t) + + optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + ++ init_dbus_chat(policykit_t) ++ + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') +@@ -109,29 +109,43 @@ optional_policy(` + ') + + optional_policy(` ++ consolekit_list_pid_files(policykit_t) + 
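Review bot: `dev_read_sysfs(policykit_t)` duplicates the `dev_read_sysfs(policykit_domain)` that this hunk keeps in the policykit_domain block a few lines up, and policykit_t carries that attribute, so the per-domain call can go. `allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };` replaces the minimal `{ accept connectto listen }`; if polkitd only accepts and connects on sockets it inherits from D-Bus, the original set was the tighter one and the widening should be backed by an actual denial, ideally noted in a comment on the line.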
consolekit_read_pid_files(policykit_t) + ') + + optional_policy(` +- gnome_read_generic_home_content(policykit_t) ++ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0") ++ kerberos_manage_host_rcache(policykit_t) + ') + + optional_policy(` +- kerberos_manage_host_rcache(policykit_t) +- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0") ++ gnome_read_config(policykit_t) ++') ++ ++optional_policy(` ++ systemd_read_logind_sessions_files(policykit_t) ++ systemd_login_list_pid_dirs(policykit_t) ++ systemd_login_read_pid_files(policykit_t) + ') + + ######################################## + # +-# Auth local policy ++# polkit_auth local policy + # + +-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice }; ++allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid }; + dontaudit policykit_auth_t self:capability sys_tty_config; +-allow policykit_auth_t self:process { getsched setsched signal }; +-allow policykit_auth_t self:unix_stream_socket { accept listen }; ++allow policykit_auth_t self:process { setsched getsched signal }; ++ ++allow policykit_auth_t self:unix_dgram_socket create_socket_perms; ++allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; + +-ps_process_pattern(policykit_auth_t, policykit_domain) ++policykit_dbus_chat(policykit_auth_t) ++ ++kernel_read_system_state(policykit_auth_t) ++ ++can_exec(policykit_auth_t, policykit_auth_exec_t) ++corecmd_exec_bin(policykit_auth_t) + + rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) + +@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) + manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) + files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) + +-can_exec(policykit_auth_t, policykit_auth_exec_t) +- +-kernel_read_system_state(policykit_auth_t) + kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) + + 
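Review bot: Several lines in this hunk only reorder permission sets or calls — `{ sys_nice ipc_lock setgid setuid }` for `{ ipc_lock setgid setuid sys_nice }`, `{ setsched getsched signal }` for `{ getsched setsched signal }`, and the swapped `kernel_read_system_state`/`kernel_read_kernel_sysctls` pair — which unsorts sets the original kept alphabetical and hides the real changes; I would leave the original order. `kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")` drops the `file` class argument the removed call passed, so this only builds against a kerberos.if whose interface takes two arguments; the same edit is made for policykit_auth_t in the next hunk, so please confirm the interface in this tree matches. `allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;` also widens the removed `{ accept listen }` without a stated reason.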
dev_read_video_dev(policykit_auth_t) +@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t) + + fs_getattr_all_fs(policykit_auth_t) + fs_search_tmpfs(policykit_auth_t) ++fs_dontaudit_append_ecryptfs_files(policykit_auth_t) + + auth_rw_var_auth(policykit_auth_t) + auth_use_nsswitch(policykit_auth_t) + auth_domtrans_chk_passwd(policykit_auth_t) + ++logging_send_syslog_msg(policykit_auth_t) ++ + miscfiles_read_fonts(policykit_auth_t) + miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) + + userdom_dontaudit_read_user_home_content_files(policykit_auth_t) ++userdom_dontaudit_write_user_tmp_files(policykit_auth_t) ++userdom_read_admin_home_files(policykit_auth_t) + + optional_policy(` +- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t) +- dbus_all_session_bus_client(policykit_auth_t) ++ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) ++ dbus_session_bus_client(policykit_auth_t) + + optional_policy(` + consolekit_dbus_chat(policykit_auth_t) + ') +- +- optional_policy(` +- policykit_dbus_chat(policykit_auth_t) +- ') + ') + + optional_policy(` ++ kernel_search_proc(policykit_auth_t) + hal_read_state(policykit_auth_t) + ') + + optional_policy(` +- kerberos_manage_host_rcache(policykit_auth_t) +- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0") ++ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0") ++ kerberos_manage_host_rcache(policykit_auth_t) + ') + + optional_policy(` + xserver_stream_connect(policykit_auth_t) ++ xserver_xdm_append_log(policykit_auth_t) + xserver_read_xdm_pid(policykit_auth_t) ++ xserver_search_xdm_lib(policykit_auth_t) ++ xserver_create_xdm_tmp_sockets(policykit_auth_t) + ') + + ######################################## + # +-# Grant local policy ++# polkit_grant local policy + # + + allow policykit_grant_t self:capability setuid; ++ + allow policykit_grant_t self:unix_dgram_socket create_socket_perms; + allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; + 
+-ps_process_pattern(policykit_grant_t, policykit_domain)
++policykit_domtrans_auth(policykit_grant_t)
++
++policykit_domtrans_resolve(policykit_grant_t)
++
++can_exec(policykit_grant_t, policykit_grant_exec_t)
++corecmd_search_bin(policykit_grant_t)
+ 
+ rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+ 
+@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+ 
+ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+ 
+-can_exec(policykit_grant_t, policykit_grant_exec_t)
+-
+-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
+-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
+ 
+ auth_domtrans_chk_passwd(policykit_grant_t)
+ auth_use_nsswitch(policykit_grant_t)
+ 
++logging_send_syslog_msg(policykit_grant_t)
++
+ userdom_read_all_users_state(policykit_grant_t)
+ 
+ optional_policy(`
+ cron_manage_system_job_lib_files(policykit_grant_t)
+ ')
+ 
+-optional_policy(`
++ optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+-
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+@@ -235,26 +254,28 @@ optional_policy(`
+ 
+ ########################################
+ #
+-# Resolve local policy
++# polkit_resolve local policy
+ #
+ 
+ allow policykit_resolve_t self:capability { setuid sys_nice };
+-allow policykit_resolve_t self:unix_stream_socket { accept listen };
+ 
+-ps_process_pattern(policykit_resolve_t, policykit_domain)
++allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
++allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
++
++policykit_domtrans_auth(policykit_resolve_t)
+ 
+ read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+ 
+ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+ 
+ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
++corecmd_search_bin(policykit_resolve_t)
+ 
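Review bot: `kernel_search_proc(policykit_auth_t)` is placed inside the `optional_policy` block for hal, so a kernel-layer permission with no hal dependency is granted only when the hal module is loaded; move it above the block (the same placement is repeated for policykit_resolve_t in `@@ -266,6 +287,6 @@`). `userdom_read_admin_home_files(policykit_auth_t)` lets the authentication helper read files under the admin home directory with no comment saying which file it needs; if it is only the display-manager case the neighbouring xserver grants suggest, a narrower interface or a one-line comment keeps that reviewable. There is also a stray space in `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)`.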
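Review bot: The changed line that opens the dbus optional_policy block in the policykit_grant_t section appears to have gained a leading indent while its closing `')` and the sibling blocks stay at column 0, which is all the removed/added pair shows; a top-level block should not be indented, so restore the original line. Deleting the blank line after `dbus_system_bus_client(policykit_grant_t)` is likewise cosmetic and only adds diff noise.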
+-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
+-
+-mcs_ptrace_all(policykit_resolve_t)
+ 
+ auth_use_nsswitch(policykit_resolve_t)
+ 
++logging_send_syslog_msg(policykit_resolve_t)
++
+ userdom_read_all_users_state(policykit_resolve_t)
+ 
+ optional_policy(`
+@@ -266,6 +287,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+ ')
+-
+diff --git a/polipo.fc b/polipo.fc
+index d35614b..11f77ee 100644
+--- a/polipo.fc
++++ b/polipo.fc
+@@ -1,15 +1,16 @@
+-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+ HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+ HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
+ 
+-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
++/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
+ 
+ /etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
++
+ /usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
+ 
+ /var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
+ 
+ /var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
+ 
+-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
++/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
+diff --git a/polipo.if b/polipo.if
+index ae27bb7..d00f6ba 100644
+--- a/polipo.if
++++ b/polipo.if
+@@ -1,8 +1,8 @@
+-## Lightweight forwarding and caching proxy server.
++## Caching web proxy.
+ 
+ ########################################
+ ##
+-## Role access for Polipo session.
++## Role access for polipo session.
+ ##
+ ##
+ ##
+@@ -11,14 +11,13 @@
+ ##
+ ##
+ ##
+-## User domain for the role.
++## Domain allowed access.
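Review bot: The contexts for `/etc/polipo(/.*)?` and `/var/run/polipo(/.*)?` change from polipo_conf_t / polipo_var_run_t to polipo_etc_t / polipo_pid_t, and the matching polipo.te hunks (`@@ -31,24 +39,23 @@`, `@@ -56,112 +63,97 @@`) declare the new types without a `typealias` for the old names, as the polipo_system_t → polipo_t rename also lacks one; on an upgraded system anything still labelled with the old types is invalid until a relabel, and any other module that requires the old names stops building. `typealias polipo_etc_t alias polipo_conf_t;`, `typealias polipo_pid_t alias polipo_var_run_t;` and `typealias polipo_t alias polipo_system_t;` keep both working. The removed `HOME_DIR/\.forbidden` entry means that file falls back to the generic home label, so the session domain's read rule on polipo_config_home_t no longer covers it — presumably intended, but worth a line in the commit message.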
+ ## + ## + # + template(`polipo_role',` + gen_require(` +- type polipo_session_t, polipo_exec_t, polipo_config_home_t; +- type polipo_cache_home_t; ++ type polipo_session_t, polipo_exec_t; + ') + + ######################################## +@@ -33,15 +32,11 @@ template(`polipo_role',` + # Policy + # + +- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; +- +- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden") +- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo") +- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache") +- +- allow $2 polipo_session_t:process { ptrace signal_perms }; ++ allow $2 polipo_session_t:process signal_perms; + ps_process_pattern($2, polipo_session_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 polipo_session_t:process ptrace; ++ ') + + tunable_policy(`polipo_session_users',` + domtrans_pattern($2, polipo_exec_t, polipo_session_t) +@@ -52,57 +47,129 @@ template(`polipo_role',` + + ######################################## + ## +-## Execute Polipo in the Polipo +-## system domain. ++## Create configuration files in user ++## home directories with a named file ++## type transition. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +-interface(`polipo_initrc_domtrans',` ++interface(`polipo_named_filetrans_config_home_files',` + gen_require(` +- type polipo_initrc_exec_t; ++ type polipo_config_home_t; + ') + +- init_labeled_script_domtrans($1, polipo_initrc_exec_t) ++ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo") ++') ++ ++######################################## ++## ++## Create cache directories in user ++## home directories with a named file ++## type transition. ++## ++## ++## ++## Domain allowed access. 
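Review bot: `polipo_role` no longer calls `userdom_user_home_dir_filetrans` for `.polipo` and `.polipo-cache`, and nothing in this patch calls the replacement `polipo_named_filetrans_config_home_files` / `polipo_named_filetrans_cache_home_dirs` interfaces added below, so unless a userdom-level template now does it, files a user creates in the home directory get the generic home label and the session domain's `read_files_pattern` on polipo_config_home_t will not match them. If the named transitions moved to userdom, a comment in the template pointing there would make that visible. Gating the `ptrace` permission on `deny_ptrace` in the same hunk is a good change.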
++## ++## ++# ++interface(`polipo_named_filetrans_cache_home_dirs',` ++ gen_require(` ++ type polipo_cache_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache") + ') + + ######################################## + ## +-## Create specified objects in generic +-## log directories with the polipo +-## log file type. ++## Create configuration files in admin ++## home directories with a named file ++## type transition. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`polipo_named_filetrans_admin_config_home_files',` ++ gen_require(` ++ type polipo_config_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo") ++') ++ ++######################################## ++## ++## Create cache directories in admin ++## home directories with a named file ++## type transition. ++## ++## + ## +-## Class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`polipo_named_filetrans_admin_cache_home_dirs',` ++ gen_require(` ++ type polipo_cache_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache") ++') ++ ++######################################## ++## ++## Create log files with a named file ++## type transition. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`polipo_log_filetrans_log',` ++interface(`polipo_named_filetrans_log_files',` + gen_require(` + type polipo_log_t; + ') + +- logging_log_filetrans($1, polipo_log_t, $2, $3) ++ logging_log_named_filetrans($1, polipo_log_t, file, "polipo") ++') ++ ++######################################## ++## ++## Execute polipo server in the polipo domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`polipo_systemctl',` ++ gen_require(` ++ type polipo_t; ++ type polipo_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 polipo_unit_file_t:file read_file_perms; ++ allow $1 polipo_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, polipo_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an polipo environment. ++## Administrate an polipo environment. + ## + ## + ## +@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',` + # + interface(`polipo_admin',` + gen_require(` +- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; +- type polipo_conf_t, polipo_log_t, polipo_var_run_t; ++ type polipo_t, polipo_pid_t, polipo_cache_t; ++ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; ++ type polipo_unit_file_t; + ') + +- allow $1 polipo_system_t:process { ptrace signal_perms }; +- ps_process_pattern($1, polipo_system_t) ++ allow $1 polipo_t:process signal_perms; ++ ps_process_pattern($1, polipo_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 polipo_t:process ptrace; ++ ') + +- polipo_initrc_domtrans($1) ++ init_labeled_script_domtrans($1, polipo_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 polipo_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var($1) +- admin_pattern($1, polipo_cache_t) +- +- files_search_etc($1) +- admin_pattern($1, polipo_conf_t) ++ files_list_etc($1) ++ admin_pattern($1, polipo_etc_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, polipo_log_t) + +- files_search_pids($1) +- admin_pattern($1, polipo_var_run_t) ++ files_list_var($1) ++ admin_pattern($1, polipo_cache_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, polipo_pid_t) ++ ++ polipo_systemctl($1) ++ admin_pattern($1, polipo_unit_file_t) ++ allow $1 polipo_unit_file_t:service all_service_perms; + ') +diff --git a/polipo.te b/polipo.te +index 316d53a..35d9018 100644 +--- a/polipo.te ++++ 
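Review bot: This hunk deletes the public interfaces `polipo_initrc_domtrans` and `polipo_log_filetrans_log` outright instead of keeping them as deprecated wrappers, so any module outside this tree that calls them fails to build; the usual form keeps the old name, emits a `refpolicywarn` deprecation notice and forwards to the replacement. The replacement `polipo_named_filetrans_log_files` also hard-codes the object name `"polipo"` where the removed interface took class and name as parameters, so a caller that created e.g. `polipo.log` loses its transition. The new `polipo_systemctl` is summarised as `Execute polipo server in the polipo domain.` although it grants systemctl execution plus `manage_service_perms` on the unit file and never transitions; the summary should describe that.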
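Review bot: `allow $1 polipo_unit_file_t:service all_service_perms;` at the end of `polipo_admin` is a superset of the `manage_service_perms` that the preceding `polipo_systemctl($1)` call already grants, so one of the two is redundant; if administrators really need every service permission, a comment on the line should say so, otherwise drop the extra allow.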
b/polipo.te +@@ -1,4 +1,4 @@ +-policy_module(polipo, 1.0.4) ++policy_module(polipo, 1.0.0) + + ######################################## + # +@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4) + + ## + ##

    +-## Determine whether Polipo system +-## daemon can access CIFS file systems. ++## Determine whether polipo can ++## access cifs file systems. + ##

    + ##
    +-gen_tunable(polipo_system_use_cifs, false) ++gen_tunable(polipo_use_cifs, false) + + ## + ##

    +-## Determine whether Polipo system +-## daemon can access NFS file systems. ++## Determine whether Polipo can ++## access nfs file systems. + ##

    + ##
    +-gen_tunable(polipo_system_use_nfs, false) ++gen_tunable(polipo_use_nfs, false) ++ ++## ++##

    ++## Determine whether Polipo session daemon ++## can bind tcp sockets to all unreserved ports. ++##

    ++##
    ++gen_tunable(polipo_session_bind_all_unreserved_ports, false) + + ## + ##
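Review bot: Renaming the tunables `polipo_system_use_cifs` → `polipo_use_cifs` and `polipo_system_use_nfs` → `polipo_use_nfs` (and, in `@@ -31,24 +39,23 @@`, replacing `polipo_session_send_syslog_msg` with `polipo_connect_all_unreserved`) silently discards any value an administrator persisted under the old names, and the new description `Allow polipo to connect to all ports > 1023` does not say which domain it applies to. Either keep the old names or record the rename where users will see it, and word the new description like the neighbouring ones, e.g. `Determine whether polipo can connect to all unreserved ports.`.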

    +@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false) + gen_tunable(polipo_session_users, false) + + ## +-##

    +-## Determine whether Polipo session daemon +-## can send syslog messages. +-##

    ++##

    ++## Allow polipo to connect to all ports > 1023 ++##

    + ##
    +-gen_tunable(polipo_session_send_syslog_msg, false) ++gen_tunable(polipo_connect_all_unreserved, false) + + attribute polipo_daemon; + +-type polipo_system_t, polipo_daemon; ++type polipo_t, polipo_daemon; + type polipo_exec_t; +-init_daemon_domain(polipo_system_t, polipo_exec_t) ++init_daemon_domain(polipo_t, polipo_exec_t) + + type polipo_initrc_exec_t; + init_script_file(polipo_initrc_exec_t) + +-type polipo_conf_t; +-files_config_file(polipo_conf_t) ++type polipo_etc_t; ++files_config_file(polipo_etc_t) + + type polipo_cache_t; + files_type(polipo_cache_t) +@@ -56,112 +63,97 @@ files_type(polipo_cache_t) + type polipo_log_t; + logging_log_file(polipo_log_t) + +-type polipo_var_run_t; +-files_pid_file(polipo_var_run_t) ++type polipo_pid_t; ++files_pid_file(polipo_pid_t) + + type polipo_session_t, polipo_daemon; +-userdom_user_application_domain(polipo_session_t, polipo_exec_t) ++application_domain(polipo_session_t, polipo_exec_t) ++ubac_constrained(polipo_session_t) ++ ++type polipo_config_home_t; ++userdom_user_home_content(polipo_config_home_t) + + type polipo_cache_home_t; + userdom_user_home_content(polipo_cache_home_t) + +-type polipo_config_home_t; +-userdom_user_home_content(polipo_config_home_t) ++type polipo_unit_file_t; ++systemd_unit_file(polipo_unit_file_t) + + ######################################## + # +-# Session local policy ++# Global local policy + # + +-allow polipo_session_t polipo_config_home_t:file read_file_perms; +- +-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) +-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) +-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache") +- +-auth_use_nsswitch(polipo_session_t) +- +-userdom_use_user_terminals(polipo_session_t) ++allow polipo_daemon self:fifo_file rw_fifo_file_perms; ++allow polipo_daemon self:tcp_socket { listen accept }; + +-tunable_policy(`polipo_session_send_syslog_msg',` +- 
logging_send_syslog_msg(polipo_session_t) +-') ++corenet_tcp_bind_generic_node(polipo_daemon) ++corenet_tcp_sendrecv_generic_if(polipo_daemon) ++corenet_tcp_sendrecv_generic_node(polipo_daemon) ++corenet_tcp_sendrecv_http_cache_port(polipo_daemon) ++corenet_tcp_bind_http_cache_port(polipo_daemon) ++corenet_sendrecv_http_cache_server_packets(polipo_daemon) ++corenet_tcp_connect_http_port(polipo_daemon) ++corenet_tcp_connect_tor_port(polipo_daemon) ++corenet_tcp_connect_flash_port(polipo_daemon) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(polipo_session_t) +-',` +- fs_dontaudit_read_nfs_files(polipo_session_t) +-') ++fs_search_auto_mountpoints(polipo_daemon) + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(polipo_session_t) +-',` +- fs_dontaudit_read_cifs_files(polipo_session_t) +-') + + ######################################## + # +-# System local policy ++# Polipo local policy + # + +-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t) ++read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) + +-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) +-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) +-files_var_filetrans(polipo_system_t, polipo_cache_t, dir) ++manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t) ++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t) ++files_var_filetrans(polipo_t, polipo_cache_t, dir) + +-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) +-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) +-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) +-logging_log_filetrans(polipo_system_t, polipo_log_t, file) ++manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t) ++logging_log_filetrans(polipo_t, polipo_log_t, file) + +-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t) +-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file) 
++manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t) ++files_pid_filetrans(polipo_t, polipo_pid_t, file) + +-auth_use_nsswitch(polipo_system_t) ++auth_use_nsswitch(polipo_t) + +-logging_send_syslog_msg(polipo_system_t) ++logging_send_syslog_msg(polipo_t) + + optional_policy(` +- cron_system_entry(polipo_system_t, polipo_exec_t) ++ cron_system_entry(polipo_t, polipo_exec_t) ++') ++ ++tunable_policy(`polipo_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(polipo_t) + ') + +-tunable_policy(`polipo_system_use_cifs',` +- fs_manage_cifs_files(polipo_system_t) +-',` +- fs_dontaudit_read_cifs_files(polipo_system_t) ++tunable_policy(`polipo_use_cifs',` ++ fs_manage_cifs_files(polipo_t) + ') + +-tunable_policy(`polipo_system_use_nfs',` +- fs_manage_nfs_files(polipo_system_t) +-',` +- fs_dontaudit_read_nfs_files(polipo_system_t) ++tunable_policy(`polipo_use_nfs',` ++ fs_manage_nfs_files(polipo_t) + ') + + ######################################## + # +-# Polipo global local policy ++# Polipo session local policy + # + +-allow polipo_daemon self:fifo_file rw_fifo_file_perms; +-allow polipo_daemon self:tcp_socket { listen accept }; +- +-corenet_all_recvfrom_unlabeled(polipo_daemon) +-corenet_all_recvfrom_netlabel(polipo_daemon) +-corenet_tcp_sendrecv_generic_if(polipo_daemon) +-corenet_tcp_sendrecv_generic_node(polipo_daemon) +-corenet_tcp_bind_generic_node(polipo_daemon) ++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) ++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) + +-corenet_sendrecv_http_client_packets(polipo_daemon) +-corenet_tcp_sendrecv_http_port(polipo_daemon) +-corenet_tcp_connect_http_port(polipo_daemon) ++auth_use_nsswitch(polipo_session_t) + +-corenet_sendrecv_http_cache_server_packets(polipo_daemon) +-corenet_tcp_sendrecv_http_cache_port(polipo_daemon) +-corenet_tcp_bind_http_cache_port(polipo_daemon) ++userdom_use_user_terminals(polipo_session_t) + 
+-files_read_usr_files(polipo_daemon) ++tunable_policy(`polipo_session_bind_all_unreserved_ports',` ++ corenet_tcp_sendrecv_all_ports(polipo_session_t) ++ corenet_tcp_bind_all_unreserved_ports(polipo_session_t) ++') + +-fs_search_auto_mountpoints(polipo_daemon) ++logging_send_syslog_msg(polipo_session_t) + +-miscfiles_read_localization(polipo_daemon) ++userdom_home_manager(polipo_session_t) +diff --git a/portage.if b/portage.if +index 67e8c12..18b89d7 100644 +--- a/portage.if ++++ b/portage.if +@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; + type portage_tmpfs_t; ++ type portage_sandbox_t; + ') + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; +diff --git a/portage.te b/portage.te +index a95fc4a..b9b5418 100644 +--- a/portage.te ++++ b/portage.te +@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) + + files_manage_etc_files(gcc_config_t) + files_rw_etc_runtime_files(gcc_config_t) +-files_read_usr_files(gcc_config_t) + files_search_var_lib(gcc_config_t) + files_search_pids(gcc_config_t) + # complains loudly about not being able to list +@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t) + domain_use_interactive_fds(portage_fetch_t) + + files_read_etc_runtime_files(portage_fetch_t) +-files_read_usr_files(portage_fetch_t) + files_dontaudit_search_pids(portage_fetch_t) + + fs_search_auto_mountpoints(portage_fetch_t) +diff --git a/portmap.fc b/portmap.fc +index cd45831..69406ee 100644 +--- a/portmap.fc ++++ b/portmap.fc +@@ -4,9 +4,14 @@ + /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) + ++ifdef(`distro_debian',` ++/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) ++/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) ++', ` + /usr/sbin/pmap_dump -- 
gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) ++') + + /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) + /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) +diff --git a/portmap.te b/portmap.te +index 738c13b..04a202e 100644 +--- a/portmap.te ++++ b/portmap.te +@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) + kernel_read_system_state(portmap_t) + kernel_read_kernel_sysctls(portmap_t) + +-corenet_all_recvfrom_unlabeled(portmap_t) + corenet_all_recvfrom_netlabel(portmap_t) + corenet_tcp_sendrecv_generic_if(portmap_t) + corenet_udp_sendrecv_generic_if(portmap_t) +@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t) + + domain_use_interactive_fds(portmap_t) + ++auth_use_nsswitch(portmap_t) ++ + logging_send_syslog_msg(portmap_t) + +-miscfiles_read_localization(portmap_t) ++sysnet_read_config(portmap_t) + + userdom_dontaudit_use_unpriv_user_fds(portmap_t) + userdom_dontaudit_search_user_home_dirs(portmap_t) +@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen }; + allow portmap_helper_t portmap_var_run_t:file manage_file_perms; + files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) + +-corenet_all_recvfrom_unlabeled(portmap_helper_t) + corenet_all_recvfrom_netlabel(portmap_helper_t) + corenet_tcp_sendrecv_generic_if(portmap_helper_t) + corenet_udp_sendrecv_generic_if(portmap_helper_t) +@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t) + + logging_send_syslog_msg(portmap_helper_t) + +-userdom_use_user_terminals(portmap_helper_t) ++sysnet_read_config(portmap_helper_t) ++ ++userdom_use_inherited_user_terminals(portmap_helper_t) + userdom_dontaudit_use_all_users_fds(portmap_helper_t) +diff --git a/portreserve.fc b/portreserve.fc +index 1b2b4f9..575b7d6 100644 +--- a/portreserve.fc 
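Review bot: The new `distro_debian` branch in portmap.fc re-declares `/sbin/pmap_set` (and `/sbin/pmap_dump`) although `/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)` already appears unconditionally in the context lines at the top of the hunk, so on Debian the same path carries two identical specifications and setfiles reports it as a duplicate. The branch adds nothing the unconditional lines do not already give. Either drop the two `/sbin/pmap_*` lines from the `ifdef` and keep only the `/usr/sbin/` entries in the else branch, or move the `/sbin/` entries into the Debian branch exclusively so each path is specified once.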
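Review bot: In the `@@ -80,9 +79,11 @@` hunk of portmap.te, `sysnet_read_config(portmap_t)` is added two lines below the new `auth_use_nsswitch(portmap_t)`; in refpolicy the nsswitch_domain attribute already carries sysnet_dns_name_resolve, which includes the config read, so the explicit call is presumably redundant. The line it replaces, `miscfiles_read_localization(portmap_t)`, has no visible substitute; unless this base grants localization reads to every domain through an attribute, portmap loses read access to locale data. The same substitution is made for portmap_helper_t in the `@@ -138,5 +138,7 @@` hunk. Suggest keeping `miscfiles_read_localization(portmap_t)` until that blanket grant is confirmed, and dropping the redundant `sysnet_read_config` line.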
++++ b/portreserve.fc +@@ -1,6 +1,6 @@ + /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + +-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) + + /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) + +diff --git a/portreserve.if b/portreserve.if +index 5ad5291..7f1ae2a 100644 +--- a/portreserve.if ++++ b/portreserve.if +@@ -105,8 +105,11 @@ interface(`portreserve_admin',` + type portreserve_initrc_exec_t; + ') + +- allow $1 portreserve_t:process { ptrace signal_perms }; ++ allow $1 portreserve_t:process signal_perms; + ps_process_pattern($1, portreserve_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 portreserve_t:process ptrace; ++ ') + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) +diff --git a/portreserve.te b/portreserve.te +index a38b57a..aa9d604 100644 +--- a/portreserve.te ++++ b/portreserve.te +@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } + + corecmd_getattr_bin_files(portreserve_t) + +-corenet_all_recvfrom_unlabeled(portreserve_t) + corenet_all_recvfrom_netlabel(portreserve_t) + corenet_tcp_sendrecv_generic_if(portreserve_t) + corenet_udp_sendrecv_generic_if(portreserve_t) +@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t) + corenet_tcp_bind_all_ports(portreserve_t) + corenet_udp_bind_all_ports(portreserve_t) + +-files_read_etc_files(portreserve_t) + + userdom_dontaudit_search_user_home_content(portreserve_t) +diff --git a/portslave.te b/portslave.te +index e85e33d..a7d7c55 100644 +--- a/portslave.te ++++ b/portslave.te +@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t) + corecmd_exec_bin(portslave_t) + corecmd_exec_shell(portslave_t) + +-corenet_all_recvfrom_unlabeled(portslave_t) + corenet_all_recvfrom_netlabel(portslave_t) + 
corenet_tcp_sendrecv_generic_if(portslave_t) + corenet_udp_sendrecv_generic_if(portslave_t) +@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t) + + term_use_unallocated_ttys(portslave_t) + term_setattr_unallocated_ttys(portslave_t) +-term_use_all_ttys(portslave_t) ++term_use_all_inherited_ttys(portslave_t) + term_search_ptys(portslave_t) + + auth_domtrans_chk_passwd(portslave_t) +diff --git a/postfix.fc b/postfix.fc +index c0e8785..c0e0959 100644 +--- a/postfix.fc ++++ b/postfix.fc +@@ -1,38 +1,38 @@ +-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) +-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) +- +-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) +- ++# postfix ++/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) ++/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) ++ifdef(`distro_redhat', ` ++/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) ++/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) ++/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) ++/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) ++/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) ++/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) ++/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) 
++/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) ++/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) ++/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ++', ` + /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) ++/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) + /usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) + /usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + /usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) +-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) ++/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) ++/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) + /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) + /usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) + /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) + /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) + /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) + /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +- +-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +-/usr/libexec/postfix/master -- 
gen_context(system_u:object_r:postfix_master_exec_t,s0) +-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) +-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) +-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) +-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) +-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +- ++') ++/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) + /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) +@@ -44,14 +44,14 @@ + /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) + /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + +-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) ++/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) + +-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) +-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +-/var/spool/postfix/pid(/.*)? 
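Review bot: The non-Red Hat branch of the new `ifdef(`distro_redhat', ...)` in postfix.fc loses the `virtual` entry: `/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)` is removed and the only replacement is added under `/usr/libexec/postfix/` inside the Red Hat branch. On the other distributions `virtual` now matches the `/usr/lib/postfix/.*` catch-all and is labeled postfix_exec_t, so the master to postfix_virtual_t transition never fires and virtual delivery runs in the wrong domain. Re-add `/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)` after the `pipe` line in the else branch.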
gen_context(system_u:object_r:postfix_var_run_t,s0) +-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) +-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) +-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) ++/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) ++/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) ++/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) ++/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) ++/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) ++/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) ++/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) ++/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) + /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) +diff --git a/postfix.if b/postfix.if +index 2e23946..0b76d72 100644 +--- a/postfix.if ++++ b/postfix.if +@@ -1,4 +1,4 @@ +-## Postfix email server. ++## Postfix email server + + ######################################## + ## +@@ -16,13 +16,14 @@ interface(`postfix_stub',` + ') + ') + +-####################################### ++######################################## + ## +-## The template to define a postfix domain. ++## Creates types and rules for a basic ++## postfix process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. 
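Review bot: `/var/spool/postfix/pid(/.*)?` becomes `/var/spool/postfix/pid/.*`, so the `pid` directory itself no longer matches this line and falls through to the `/var/spool/postfix.*` catch-all as postfix_spool_t while its contents stay postfix_var_run_t. That is only correct if postfix.te gives the domains that write there a file transition for postfix_var_run_t files inside a postfix_spool_t directory, which is not visible in this chunk. The `-d` qualifier also disappears from the `deferred(/.*)?` line, widening it from the directory to everything below it. If both are intentional, a one-line comment above the block (`# pid dir is spool_t; pid files transition to var_run_t`) would spare the next relabel audit the same question.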
+ ## + ## + # +@@ -31,73 +32,69 @@ template(`postfix_domain_template',` + attribute postfix_domain; + ') + +- ######################################## +- # +- # Declarations +- # +- + type postfix_$1_t, postfix_domain; + type postfix_$1_exec_t; + domain_type(postfix_$1_t) + domain_entry_file(postfix_$1_t, postfix_$1_exec_t) + role system_r types postfix_$1_t; + +- ######################################## +- # +- # Policy +- # +- +- can_exec(postfix_$1_t, postfix_$1_exec_t) ++ kernel_read_system_state(postfix_$1_t) + + auth_use_nsswitch(postfix_$1_t) ++ ++ logging_send_syslog_msg(postfix_$1_t) ++ ++ can_exec(postfix_$1_t, postfix_$1_exec_t) + ') + +-####################################### ++######################################## + ## +-## The template to define a postfix server domain. ++## Creates a postfix server process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix of the domain. + ## + ## + # + template(`postfix_server_domain_template',` +- gen_require(` +- attribute postfix_server_domain, postfix_server_tmp_content; +- ') +- +- ######################################## +- # +- # Declarations +- # +- + postfix_domain_template($1) + +- typeattribute postfix_$1_t postfix_server_domain; +- +- type postfix_$1_tmp_t, postfix_server_tmp_content; ++ type postfix_$1_tmp_t; + files_tmp_file(postfix_$1_tmp_t) + +- ######################################## +- # +- # Declarations +- # ++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; ++ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; ++ allow postfix_$1_t self:tcp_socket create_socket_perms; ++ allow postfix_$1_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) + + domtrans_pattern(postfix_master_t, postfix_$1_exec_t, 
postfix_$1_t) ++ ++ corenet_all_recvfrom_netlabel(postfix_$1_t) ++ corenet_tcp_sendrecv_generic_if(postfix_$1_t) ++ corenet_udp_sendrecv_generic_if(postfix_$1_t) ++ corenet_tcp_sendrecv_generic_node(postfix_$1_t) ++ corenet_udp_sendrecv_generic_node(postfix_$1_t) ++ corenet_tcp_sendrecv_all_ports(postfix_$1_t) ++ corenet_udp_sendrecv_all_ports(postfix_$1_t) ++ corenet_tcp_bind_generic_node(postfix_$1_t) ++ corenet_udp_bind_generic_node(postfix_$1_t) ++ corenet_tcp_connect_all_ports(postfix_$1_t) ++ corenet_sendrecv_all_client_packets(postfix_$1_t) + ') + +-####################################### ++######################################## + ## +-## The template to define a postfix user domain. ++## Creates a process domain for programs ++## that are ran by users. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix of the domain. + ## + ## + # +@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',` + attribute postfix_user_domains, postfix_user_domtrans; + ') + +- ######################################## +- # +- # Declarations +- # +- + postfix_domain_template($1) + + typeattribute postfix_$1_t postfix_user_domains; + +- ######################################## +- # +- # Policy +- # +- + allow postfix_$1_t self:capability dac_override; + + domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) + + domain_use_interactive_fds(postfix_$1_t) ++ ++ application_domain(postfix_$1_t, postfix_$1_exec_t) + ') + + ######################################## + ## +-## Read postfix configuration content. ++## Read postfix configuration files. 
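Review bot: `postfix_server_domain_template` now grants every server sub-domain `corenet_tcp_connect_all_ports`, `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_sendrecv_all_client_packets` and `allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };`, so cleanup, showq, pickup and any future instantiation carry the network reach and capability set that only the smtp/smtpd clients need. The previous template limited itself to auth_use_nsswitch plus the domtrans from master, with network rules in each domain's own policy. Because the template is expanded per instantiation, the blanket grant multiplies across all server domains; the all-ports rules belong in the per-domain sections of the domains that actually connect out, or behind a tunable. At minimum a comment on the block should state why a template-wide grant is acceptable, e.g. `# NOTE: every server domain gets all-ports connect; tighten per domain`.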
+ ## + ## + ## +@@ -143,16 +132,15 @@ interface(`postfix_read_config',` + type postfix_etc_t; + ') + ++ read_files_pattern($1, postfix_etc_t, postfix_etc_t) ++ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) + files_search_etc($1) +- allow $1 postfix_etc_t:dir list_dir_perms; +- allow $1 postfix_etc_t:file read_file_perms; +- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Create specified object in postfix +-## etc directories with a type transition. ++## Create files with the specified type in ++## the postfix configuration directories. + ## + ## + ## +@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',` + type postfix_etc_t; + ') + ++ files_search_etc($1) + filetrans_pattern($1, postfix_etc_t, $2, $3, $4) + ') + +@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` + + ######################################## + ## +-## Read and write postfix local pipes. ++## Allow read/write postfix local pipes ++## TCP sockets. + ## + ## + ## +@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',` + allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; + ') + +-######################################## ++####################################### + ## +-## Read postfix local process state files. ++## Allow read/write postfix public pipes ++## TCP sockets. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`postfix_read_local_state',` +- gen_require(` +- type postfix_local_t; +- ') ++interface(`postfix_rw_public_pipes',` ++ gen_require(` ++ type postfix_public_t; ++ ') + +- kernel_search_proc($1) +- allow $1 postfix_local_t:dir list_dir_perms; +- allow $1 postfix_local_t:file read_file_perms; +- allow $1 postfix_local_t:lnk_file read_lnk_file_perms; ++ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## + ## +-## Read and write inherited postfix master pipes. 
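Review bot: The new summary for `postfix_rw_local_pipes`, `Allow read/write postfix local pipes TCP sockets`, contradicts the body, which still grants only `allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;`; the same wording is used for the new `postfix_rw_public_pipes` in the `@@ -221,30 +211,28 @@` hunk, whose body is likewise fifo_file only. Suggest `## Read and write postfix local pipes.` and `## Read and write postfix public pipes.` so the generated interface documentation does not advertise socket access the interface never grants.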
++## Allow domain to read postfix local process state + ## + ## + ## +@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',` + ## + ## + # +-interface(`postfix_rw_inherited_master_pipes',` ++interface(`postfix_read_local_state',` + gen_require(` +- type postfix_master_t; ++ type postfix_local_t; + ') + +- allow $1 postfix_master_t:fd use; +- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; ++ kernel_search_proc($1) ++ ps_process_pattern($1, postfix_local_t) + ') + + ######################################## + ## +-## Read postfix master process state files. ++## Allow domain to read postfix master process state + ## + ## + ## +@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',` + ') + + kernel_search_proc($1) +- allow $1 postfix_master_t:dir list_dir_perms; +- allow $1 postfix_master_t:file read_file_perms; +- allow $1 postfix_master_t:lnk_file read_lnk_file_perms; ++ ps_process_pattern($1, postfix_master_t) + ') + + ######################################## + ## +-## Use postfix master file descriptors. ++## Use postfix master process file ++## file descriptors. + ## + ## + ## +@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',` + type postfix_map_t, postfix_map_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) + ') + + ######################################## + ## +-## Execute postfix map in the postfix +-## map domain, and allow the specified +-## role the postfix_map domain. ++## Execute postfix_map in the postfix_map domain, and ++## allow the specified role the postfix_map domain. 
+ ## + ## + ## +@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',` + # + interface(`postfix_run_map',` + gen_require(` +- attribute_role postfix_map_roles; ++ type postfix_map_t; + ') + + postfix_domtrans_map($1) +- roleattribute $2 postfix_map_roles; ++ role $2 types postfix_map_t; + ') + + ######################################## + ## +-## Execute the master postfix program +-## in the postfix_master domain. ++## Execute the master postfix program in the ++## postfix_master domain. + ## + ## + ## +@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',` + type postfix_master_t, postfix_master_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) + ') + ++ + ######################################## + ## +-## Execute the master postfix program +-## in the caller domain. ++## Execute the master postfix in the postfix master domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_initrc_domtrans',` ++ gen_require(` ++ type postfix_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, postfix_initrc_exec_t) ++') ++ ++######################################## ++## ++## Execute the master postfix program in the ++## caller domain. + ## + ## + ## +@@ -402,21 +405,18 @@ interface(`postfix_exec_master',` + type postfix_master_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, postfix_master_exec_t) + ') + + ####################################### + ## +-## Connect to postfix master process +-## using a unix domain stream socket. ++## Connect to postfix master process using a unix domain stream socket. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # + interface(`postfix_stream_connect_master',` + gen_require(` +@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',` + + ######################################## + ## +-## Read and write postfix master +-## unnamed pipes. 
(Deprecated) ++## Allow read/write postfix master pipes + ## + ## + ## +@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',` + ## + ## + # +-interface(`postfix_rw_master_pipes',` +- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.') +- postfix_rw_inherited_master_pipes($1) ++interface(`postfix_rw_inherited_master_pipes',` ++ gen_require(` ++ type postfix_master_t; ++ ') ++ ++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## + ## Execute the master postdrop in the +-## postfix postdrop domain. ++## postfix_postdrop domain. + ## + ## + ## +@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',` + type postfix_postdrop_t, postfix_postdrop_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) + ') + + ######################################## + ## + ## Execute the master postqueue in the +-## postfix postqueue domain. ++## postfix_postqueue domain. + ## + ## + ## +@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',` + type postfix_postqueue_t, postfix_postqueue_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) + ') + +-####################################### ++######################################## + ## +-## Execute the master postqueue in +-## the caller domain. (Deprecated) ++## Execute the master postqueue in the ++## postfix_postdrop domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## ++## ++## ++## The role to be allowed the iptables domain. 
++## ++## ++## + # +-interface(`posftix_exec_postqueue',` +- refpolicywarn(`$0($*) has been deprecated.') +- postfix_exec_postqueue($1) ++ ++interface(`postfix_run_postqueue',` ++ gen_require(` ++ type postfix_postqueue_t; ++ ') ++ ++ postfix_domtrans_postqueue($1) ++ role $2 types postfix_postqueue_t; ++ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; + ') + ++######################################## ++## ++## Execute postfix_postgqueue in the postfix_postgqueue domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`postfix_domtrans_postgqueue',` ++ gen_require(` ++ type postfix_postgqueue_t; ++ type postfix_postgqueue_exec_t; ++ ') ++ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t) ++') ++ ++######################################## ++## ++## Execute postfix_postgqueue in the postfix_postgqueue domain, and ++## allow the specified role the postfix_postgqueue domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`postfix_run_postgqueue',` ++ gen_require(` ++ type postfix_postgqueue_t; ++ ') ++ ++ postfix_domtrans_postgqueue($1) ++ role $2 types postfix_postgqueue_t; ++') ++ ++ + ####################################### + ## +-## Execute postfix postqueue in +-## the caller domain. ++## Execute the master postqueue in the caller domain. + ## + ## + ## +@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',` + type postfix_postqueue_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, postfix_postqueue_exec_t) + ') + + ######################################## + ## +-## Create postfix private sock files. ++## Create a named socket in a postfix private directory. 
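Review bot: The role parameter of the new `postfix_run_postqueue` is documented as `The role to be allowed the iptables domain.`, a paste from another module; it should read `The role to be allowed the postfix_postqueue domain.` The same text reappears in `postfix_run_postdrop` in the `@@ -710,37 +802,137 @@` hunk, where it should name postfix_postdrop. Separately, `postfix_domtrans_postgqueue` and `postfix_run_postgqueue` require `postfix_postgqueue_t` and `postfix_postgqueue_exec_t`, which look like a misspelling of postqueue; unless postfix.te declares those types, the `gen_require` fails for any caller, so either correct the name or confirm the declaration exists. The `domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)` line is also missing the space after the comma used everywhere else in the file.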
+ ## + ## + ## +@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',` + type postfix_private_t; + ') + ++ allow $1 postfix_private_t:dir list_dir_perms; + create_sock_files_pattern($1, postfix_private_t, postfix_private_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## postfix private sock files. ++## manage named socket in a postfix private directory. + ## + ## + ## +@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',` + type postfix_private_t; + ') + ++ allow $1 postfix_private_t:dir list_dir_perms; + manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) + ') + + ######################################## + ## +-## Execute the smtp postfix program +-## in the postfix smtp domain. ++## Execute the master postfix program in the ++## postfix_master domain. + ## + ## + ## +@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',` + type postfix_smtp_t, postfix_smtp_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) + ') + + ######################################## + ## +-## Get attributes of all postfix mail +-## spool files. ++## Getattr postfix mail spool files. 
+ ## + ## + ## +@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',` + ## + ## + # +-interface(`postfix_getattr_all_spool_files',` ++interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') +@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',` + # + interface(`postfix_search_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') + ++ allow $1 postfix_spool_type:dir search_dir_perms; + files_search_spool($1) +- allow $1 postfix_spool_t:dir search_dir_perms; + ') + + ######################################## +@@ -626,11 +680,11 @@ interface(`postfix_search_spool',` + # + interface(`postfix_list_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') + ++ allow $1 postfix_spool_type:dir list_dir_perms; + files_search_spool($1) +- allow $1 postfix_spool_t:dir list_dir_perms; + ') + + ######################################## +@@ -645,17 +699,16 @@ interface(`postfix_list_spool',` + # + interface(`postfix_read_spool_files',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') + + files_search_spool($1) +- read_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ read_files_pattern($1, postfix_spool_type, postfix_spool_type) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## postfix mail spool files. ++## Create, read, write, and delete postfix mail spool files. + ## + ## + ## +@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',` + # + interface(`postfix_manage_spool_files',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') + + files_search_spool($1) +- manage_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) ++') ++ ++####################################### ++## ++## Read, write, and delete postfix maildrop spool files. ++## ++## ++## ++## Domain allowed access. 
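Review bot: `postfix_getattr_all_spool_files` is renamed to `postfix_getattr_spool_files` with no compatibility shim, so any module still calling the old name fails to build against this base; the tree previously kept deprecated names alive with a `refpolicywarn` wrapper (compare the removed `postfix_rw_master_pipes`). The `@@ -607,11 +661,11 @@`, `@@ -626,11 +680,11 @@` and `@@ -645,17 +699,16 @@` hunks also widen `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` from postfix_spool_t to the whole postfix_spool_type attribute, so callers that only needed the queue root now read maildrop, bounce and flush content as well. Suggest keeping `interface(`postfix_getattr_all_spool_files',` refpolicywarn(`$0($*) has been deprecated, use postfix_getattr_spool_files() instead.') postfix_getattr_spool_files($1) ')` for one release, and leaving the read interfaces on postfix_spool_t with separate attribute-wide variants for the domains that need them.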
++## ++## ++# ++interface(`postfix_rw_spool_maildrop_files',` ++ gen_require(` ++ type postfix_spool_maildrop_t; ++ ') ++ ++ files_search_spool($1) ++ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++') ++ ++####################################### ++## ++## Create, read, write, and delete postfix maildrop spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_manage_spool_maildrop_files',` ++ gen_require(` ++ type postfix_spool_maildrop_t; ++ ') ++ ++ files_search_spool($1) ++ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + ') + + ######################################## +@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',` + + ######################################## + ## +-## All of the rules required to +-## administrate an postfix environment. ++## All of the rules required to administrate ++## an postfix environment. 
+ ## + ## + ## +@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',` + # + interface(`postfix_admin',` + gen_require(` +- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; +- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; +- type postfix_data_t, postfix_var_run_t, postfix_public_t; +- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; ++ attribute postfix_spool_type; ++ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; ++ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; ++ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; ++ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; ++ type postfix_smtpd_t, postfix_var_run_t; + ') + +- allow $1 postfix_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, postfix_domain) ++ allow $1 postfix_bounce_t:process signal_perms; ++ ps_process_pattern($1, postfix_bounce_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postfix_bounce_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, postfix_initrc_exec_t) ++ allow $1 postfix_cleanup_t:process signal_perms; ++ ps_process_pattern($1, postfix_cleanup_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postfix_cleanup_t:process ptrace; ++ allow $1 postfix_local_t:process ptrace; ++ allow $1 postfix_master_t:process ptrace; ++ allow $1 postfix_pickup_t:process ptrace; ++ allow $1 postfix_qmgr_t:process ptrace; ++ allow $1 postfix_smtpd_t:process ptrace; ++ ') ++ ++ allow $1 postfix_local_t:process signal_perms; ++ ps_process_pattern($1, postfix_local_t) ++ ++ allow $1 postfix_master_t:process signal_perms; ++ ps_process_pattern($1, postfix_master_t) ++ ++ allow $1 postfix_pickup_t:process signal_perms; ++ ps_process_pattern($1, postfix_pickup_t) ++ ++ allow $1 postfix_qmgr_t:process signal_perms; ++ ps_process_pattern($1, postfix_qmgr_t) ++ ++ allow $1 postfix_smtpd_t:process signal_perms; ++ ps_process_pattern($1, postfix_smtpd_t) ++ ++ postfix_run_map($1, $2) ++ 
postfix_run_postdrop($1, $2) ++ postfix_run_postqueue($1, $2) ++ ++ postfix_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postfix_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) +- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t }) ++ admin_pattern($1, postfix_data_t) + +- files_search_spool($1) +- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) ++ files_list_etc($1) ++ admin_pattern($1, postfix_etc_t) + +- files_search_var_lib($1) +- admin_pattern($1, postfix_data_t) ++ files_list_spool($1) ++ admin_pattern($1, postfix_spool_type) + +- files_search_pids($1) + admin_pattern($1, postfix_var_run_t) + +- files_search_tmp($1) +- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) ++ files_list_tmp($1) ++ admin_pattern($1, postfix_map_tmp_t) ++ ++ admin_pattern($1, postfix_prng_t) + +- postfix_exec_master($1) +- postfix_exec_postqueue($1) +- postfix_stream_connect_master($1) +- postfix_run_map($1, $2) ++ admin_pattern($1, postfix_public_t) ++ ++ postfix_filetrans_named_content($1) ++') ++ ++######################################## ++## ++## Execute the master postdrop in the ++## postfix_postdrop domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to be allowed the iptables domain. ++## ++## ++## ++# ++interface(`postfix_run_postdrop',` ++ gen_require(` ++ type postfix_postdrop_t; ++ ') ++ ++ postfix_domtrans_postdrop($1) ++ role $2 types postfix_postdrop_t; ++ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr }; ++') ++ ++ ++######################################## ++## ++## Execute postfix exec in the users domain ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`postfix_exec',` ++ gen_require(` ++ type postfix_exec_t; ++ ') ++ ++ can_exec($1, postfix_exec_t) ++') ++ ++######################################## ++## ++## Transition to postfix named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_filetrans_named_content',` ++ gen_require(` ++ type postfix_exec_t; ++ type postfix_prng_t; ++ ') ++ ++ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script") ++ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") + ') +diff --git a/postfix.te b/postfix.te +index 191a66f..f19bca4 100644 +--- a/postfix.te ++++ b/postfix.te +@@ -1,4 +1,4 @@ +-policy_module(postfix, 1.14.10) ++policy_module(postfix, 1.14.0) + + ######################################## + # +@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10) + # + + ## +-##
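Review bot: The documentation of the new `postfix_run_postdrop` interface is copy-pasted from another module: the role parameter reads `## The role to be allowed the iptables domain.` and the summary says `## Execute the master postdrop in the postfix_postdrop domain.`; change them to `## The role to be allowed the postfix_postdrop domain.` and `## Execute postdrop in the postfix_postdrop domain.` so the generated interface reference is not misleading. In `postfix_admin` the ptrace handling is split into two `tunable_policy` blocks keyed on `deny_ptrace`, the first covering only `postfix_bounce_t` and the second the other six types; one block listing all seven reads more clearly and cannot drift when one is edited without the other. Since `attribute postfix_domain;` is kept on the new side of postfix.te, the seven per-type `signal_perms`/`ps_process_pattern` pairs could also stay attribute-based as the old code was, unless the per-type split is meant to exclude some member domain, in which case a comment saying which one would help.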

    +-## Determine whether postfix local +-## can manage mail spool content. +-##

    ++##

    ++## Allow postfix_local domain full write access to mail_spool directories ++##

    + ##
    + gen_tunable(postfix_local_write_mail_spool, true) + + attribute postfix_domain; +-attribute postfix_server_domain; +-attribute postfix_server_tmp_content; + attribute postfix_spool_type; + attribute postfix_user_domains; ++# domains that transition to the ++# postfix user domains + attribute postfix_user_domtrans; + +-attribute_role postfix_map_roles; +-roleattribute system_r postfix_map_roles; +- + postfix_server_domain_template(bounce) + + type postfix_spool_bounce_t, postfix_spool_type; +-files_type(postfix_spool_bounce_t) ++files_spool_file(postfix_spool_bounce_t) + + postfix_server_domain_template(cleanup) + +@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t) + postfix_server_domain_template(local) + mta_mailserver_delivery(postfix_local_t) + ++# Program for creating database files + type postfix_map_t; + type postfix_map_exec_t; + application_domain(postfix_map_t, postfix_map_exec_t) +-role postfix_map_roles types postfix_map_t; ++role system_r types postfix_map_t; + + type postfix_map_tmp_t; + files_tmp_file(postfix_map_tmp_t) + + postfix_domain_template(master) + typealias postfix_master_t alias postfix_t; ++# alias is a hack to make the disable trans bool ++# generation macro work + mta_mailserver(postfix_t, postfix_master_exec_t) + + type postfix_initrc_exec_t; +@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe) + + postfix_user_domain_template(postdrop) + mta_mailserver_user_agent(postfix_postdrop_t) ++mta_agent_executable(postfix_postdrop_t) + + postfix_user_domain_template(postqueue) + mta_mailserver_user_agent(postfix_postqueue_t) +@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t) + postfix_server_domain_template(smtpd) + + type postfix_spool_t, postfix_spool_type; +-files_type(postfix_spool_t) ++files_spool_file(postfix_spool_t) + + type postfix_spool_maildrop_t, postfix_spool_type; +-files_type(postfix_spool_maildrop_t) ++files_spool_file(postfix_spool_maildrop_t) + + type postfix_spool_flush_t, postfix_spool_type; 
+-files_type(postfix_spool_flush_t) ++files_spool_file(postfix_spool_flush_t) + + type postfix_public_t; + files_type(postfix_public_t) +@@ -94,6 +94,7 @@ files_type(postfix_public_t) + type postfix_var_run_t; + files_pid_file(postfix_var_run_t) + ++# the data_directory config parameter + type postfix_data_t; + files_type(postfix_data_t) + +@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t) + + ######################################## + # +-# Common postfix domain local policy +-# +- +-allow postfix_domain self:capability { sys_nice sys_chroot }; +-dontaudit postfix_domain self:capability sys_tty_config; +-allow postfix_domain self:process { signal_perms setpgid setsched }; +-allow postfix_domain self:fifo_file rw_fifo_file_perms; +-allow postfix_domain self:unix_stream_socket { accept connectto listen }; +- +-allow postfix_domain postfix_etc_t:dir list_dir_perms; +-allow postfix_domain postfix_etc_t:file read_file_perms; +-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; +- +-allow postfix_domain postfix_master_t:file read_file_perms; +- +-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; +- +-allow postfix_domain postfix_master_t:process sigchld; +- +-allow postfix_domain postfix_spool_t:dir list_dir_perms; +- +-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) +-files_pid_filetrans(postfix_domain, postfix_var_run_t, file) +- +-kernel_read_system_state(postfix_domain) +-kernel_read_network_state(postfix_domain) +-kernel_read_all_sysctls(postfix_domain) +- +-dev_read_sysfs(postfix_domain) +-dev_read_rand(postfix_domain) +-dev_read_urand(postfix_domain) +- +-fs_search_auto_mountpoints(postfix_domain) +-fs_getattr_all_fs(postfix_domain) +-fs_rw_anon_inodefs_files(postfix_domain) +- +-term_dontaudit_use_console(postfix_domain) +- +-corecmd_exec_shell(postfix_domain) +- +-files_read_etc_runtime_files(postfix_domain) +-files_read_usr_files(postfix_domain) +-files_search_spool(postfix_domain) 
+-files_getattr_tmp_dirs(postfix_domain) +-files_search_all_mountpoints(postfix_domain) +- +-init_dontaudit_use_fds(postfix_domain) +-init_sigchld(postfix_domain) +- +-logging_send_syslog_msg(postfix_domain) +- +-miscfiles_read_localization(postfix_domain) +-miscfiles_read_generic_certs(postfix_domain) +- +-userdom_dontaudit_use_unpriv_user_fds(postfix_domain) +- +-optional_policy(` +- udev_read_db(postfix_domain) +-') +- +-######################################## +-# +-# Common postfix server domain local policy +-# +- +-allow postfix_server_domain self:capability { setuid setgid dac_override }; +- +-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; +- +-corenet_all_recvfrom_unlabeled(postfix_server_domain) +-corenet_all_recvfrom_netlabel(postfix_server_domain) +-corenet_tcp_sendrecv_generic_if(postfix_server_domain) +-corenet_tcp_sendrecv_generic_node(postfix_server_domain) +- +-corenet_sendrecv_all_client_packets(postfix_server_domain) +-corenet_tcp_connect_all_ports(postfix_server_domain) +-corenet_tcp_sendrecv_all_ports(postfix_server_domain) +- +-######################################## +-# +-# Common postfix user domain local policy ++# Postfix master process local policy + # + +-allow postfix_user_domains self:capability dac_override; +- +-domain_use_interactive_fds(postfix_user_domains) +- +-######################################## +-# +-# Master local policy +-# +- +-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; ++# chown is to set the correct ownership of queue dirs ++allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; + allow postfix_master_t self:capability2 block_suspend; ++ + allow postfix_master_t self:process setrlimit; + allow postfix_master_t self:tcp_socket create_stream_socket_perms; + allow postfix_master_t self:udp_socket create_socket_perms; + +-allow postfix_master_t 
postfix_domain:fifo_file rw_fifo_file_perms; +-allow postfix_master_t postfix_domain:process signal; +- + allow postfix_master_t postfix_etc_t:dir rw_dir_perms; + allow postfix_master_t postfix_etc_t:file rw_file_perms; ++mta_filetrans_aliases(postfix_master_t, postfix_etc_t) ++ ++can_exec(postfix_master_t, postfix_exec_t) + + allow postfix_master_t postfix_data_t:dir manage_dir_perms; + allow postfix_master_t postfix_data_t:file manage_file_perms; + +-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; ++allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; ++ ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; + +-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; ++allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; ++ ++manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) ++manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) ++manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) ++ ++domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) + + allow postfix_master_t postfix_prng_t:file rw_file_perms; + ++manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) ++manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) ++ ++domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) ++ ++# allow access to deferred queue and allow removing bogus incoming entries + manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) + + allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; + allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; +-filetrans_pattern(postfix_master_t, 
postfix_spool_t, postfix_spool_bounce_t, dir, "bounce") + + manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) + manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) + manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush") +- +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t) +-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private") +- +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t) +-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") + +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) +-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) +-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) +-filetrans_pattern(postfix_master_t, 
postfix_spool_t, postfix_var_run_t, dir, "pid") ++kernel_read_all_sysctls(postfix_master_t) + +-can_exec(postfix_master_t, postfix_exec_t) +- +-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) +-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +- +-corenet_all_recvfrom_unlabeled(postfix_master_t) + corenet_all_recvfrom_netlabel(postfix_master_t) + corenet_tcp_sendrecv_generic_if(postfix_master_t) + corenet_udp_sendrecv_generic_if(postfix_master_t) +@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) + corenet_udp_sendrecv_generic_node(postfix_master_t) + corenet_tcp_sendrecv_all_ports(postfix_master_t) + corenet_udp_sendrecv_all_ports(postfix_master_t) ++corenet_udp_bind_generic_node(postfix_master_t) ++corenet_udp_bind_all_unreserved_ports(postfix_master_t) ++corenet_dontaudit_udp_bind_all_ports(postfix_master_t) + corenet_tcp_bind_generic_node(postfix_master_t) +- +-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) + corenet_tcp_bind_amavisd_send_port(postfix_master_t) +- +-corenet_sendrecv_smtp_server_packets(postfix_master_t) + corenet_tcp_bind_smtp_port(postfix_master_t) +- +-corenet_sendrecv_spamd_server_packets(postfix_master_t) +-corenet_tcp_bind_spamd_port(postfix_master_t) +- +-corenet_sendrecv_all_client_packets(postfix_master_t) + corenet_tcp_connect_all_ports(postfix_master_t) ++corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) ++corenet_sendrecv_smtp_server_packets(postfix_master_t) ++corenet_sendrecv_all_client_packets(postfix_master_t) ++# for spampd ++corenet_tcp_bind_spamd_port(postfix_master_t) + +-# Can this be conditional? 
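Review bot: The new capability line in the master section adds `net_bind_service`, but the comment above it explains only `chown`; extend it, e.g. `# chown: ownership of queue dirs; net_bind_service: bind the smtp port (corenet_tcp_bind_smtp_port)`. The same hunk removes the `filetrans_pattern(postfix_master_t, postfix_spool_t, ...)` rules for the `private`, `public`, `maildrop` and `pid` subdirectories together with their `create_dirs_pattern` lines, while keeping `manage_*_pattern` on `postfix_private_t` and `postfix_public_t`; unless an interface outside this hunk supplies those name transitions, a directory recreated by master under the spool would be labelled `postfix_spool_t`, and the `stream_connect_pattern` rules in the other domains, which name `postfix_private_t`/`postfix_public_t`, would then stop matching. If the transitions were deliberately moved, a comment such as `# spool subdirectory filetrans live in postfix_filetrans_named_content` at this point would save the next reader the search.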
+-corenet_sendrecv_all_server_packets(postfix_master_t) +-corenet_udp_bind_all_unreserved_ports(postfix_master_t) +-corenet_dontaudit_udp_bind_all_ports(postfix_master_t) +- ++# for a find command + selinux_dontaudit_search_fs(postfix_master_t) + ++corecmd_exec_shell(postfix_master_t) + corecmd_exec_bin(postfix_master_t) + + domain_use_interactive_fds(postfix_master_t) + ++files_search_var_lib(postfix_master_t) + files_search_tmp(postfix_master_t) + +-mcs_file_read_all(postfix_master_t) +- + term_dontaudit_search_ptys(postfix_master_t) + +-miscfiles_read_man_pages(postfix_master_t) +- + seutil_sigchld_newrole(postfix_master_t) +-seutil_dontaudit_search_config(postfix_master_t) + +-mta_manage_aliases(postfix_master_t) +-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases") +-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db") +-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp") +-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file) ++mta_rw_aliases(postfix_master_t) + mta_read_sendmail_bin(postfix_master_t) + mta_getattr_spool(postfix_master_t) + +-optional_policy(` +- cyrus_stream_connect(postfix_master_t) +-') +- +-optional_policy(` +- kerberos_keytab_template(postfix, postfix_t) ++ifdef(`distro_redhat',` ++ # for newer main.cf that uses /etc/aliases ++ mta_manage_aliases(postfix_master_t) ++ mta_etc_filetrans_aliases(postfix_master_t) + ') + + optional_policy(` +- mailman_manage_data_files(postfix_master_t) ++ cyrus_stream_connect(postfix_master_t) + ') + + optional_policy(` +- mysql_stream_connect(postfix_master_t) ++ kerberos_keytab_template(postfix, postfix_t) + ') + + optional_policy(` +@@ -333,12 +221,14 @@ optional_policy(` + + ######################################## + # +-# Bounce local policy ++# Postfix bounce local policy + # + + allow postfix_bounce_t self:capability dac_read_search; ++allow postfix_bounce_t self:tcp_socket create_socket_perms; + +-write_sock_files_pattern(postfix_bounce_t, 
postfix_public_t, postfix_public_t) ++allow postfix_bounce_t postfix_public_t:sock_file write; ++allow postfix_bounce_t postfix_public_t:dir search_dir_perms; + + manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) +@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool + + ######################################## + # +-# Cleanup local policy ++# Postfix cleanup local policy + # + + allow postfix_cleanup_t self:process setrlimit; +- + allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; +-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; +- +-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; +-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; +-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + ++# connect to master process + stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) + + rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) + write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) ++allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; + + manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) + ++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; + + corecmd_exec_bin(postfix_cleanup_t) + 
+-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t) +-corenet_tcp_connect_kismet_port(postfix_cleanup_t) +-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) +- +-mta_read_aliases(postfix_cleanup_t) ++# allow postfix to connect to sqlgrey ++corenet_tcp_connect_rtsclient_port(postfix_cleanup_t) + + optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +@@ -393,36 +280,50 @@ optional_policy(` + + ######################################## + # +-# Local local policy ++# Postfix local local policy + # + +-allow postfix_local_t self:capability chown; +-allow postfix_local_t self:process setrlimit; ++allow postfix_local_t self:process { setsched setrlimit }; + ++# connect to master process + stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) + ++# for .forward - maybe we need a new type for it? + rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) +- +-allow postfix_local_t postfix_spool_t:file rw_file_perms; ++rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + + domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) + ++allow postfix_local_t postfix_spool_t:file rw_file_perms; ++ ++corecmd_exec_shell(postfix_local_t) + corecmd_exec_bin(postfix_local_t) + + logging_dontaudit_search_logs(postfix_local_t) + + mta_delete_spool(postfix_local_t) +-mta_read_aliases(postfix_local_t) +-mta_read_config(postfix_local_t) ++# Handle vacation script + mta_send_mail(postfix_local_t) + ++userdom_read_user_home_content_files(postfix_local_t) ++userdom_exec_user_bin_files(postfix_local_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_exec_nfs_files(postfix_local_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_exec_cifs_files(postfix_local_t) ++') ++ + tunable_policy(`postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) + ') + + optional_policy(` +- clamav_search_lib(postfix_local_t) +- 
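Review bot: `# allow postfix to connect to sqlgrey` is attached to `corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)`, and nothing in the hunk explains why the rtsclient port label is the right one for sqlgrey, so it reads like a copy-paste error. State the mapping in the comment, e.g. `# sqlgrey listens on tcp 2501, which corenetwork labels rtsclient_port_t`, if that is indeed the label for that port. The old side paired the connect rule with a `corenet_sendrecv_*_client_packets` line; the new side has no packet rule, which only matters if SECMARK labelling is in use, but is worth a word in the same comment.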
clamav_exec_clamscan(postfix_local_t) ++ antivirus_search_db(postfix_local_t) ++ antivirus_exec(postfix_local_t) ++ antivirus_stream_connect(postfix_domain) + ') + + optional_policy(` +@@ -434,6 +335,7 @@ optional_policy(` + ') + + optional_policy(` ++# for postalias + mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) +@@ -444,6 +346,10 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_search_lib(postfix_local_t) ++') ++ ++optional_policy(` + procmail_domtrans(postfix_local_t) + ') + +@@ -458,15 +364,17 @@ optional_policy(` + + ######################################## + # +-# Map local policy ++# Postfix map local policy + # +- + allow postfix_map_t self:capability { dac_override setgid setuid }; +-allow postfix_map_t self:tcp_socket { accept listen }; ++allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; ++allow postfix_map_t self:unix_dgram_socket create_socket_perms; ++allow postfix_map_t self:tcp_socket create_stream_socket_perms; ++allow postfix_map_t self:udp_socket create_socket_perms; + +-allow postfix_map_t postfix_etc_t:dir manage_dir_perms; +-allow postfix_map_t postfix_etc_t:file manage_file_perms; +-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; ++manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) ++manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) ++manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) + + manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) + manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) +@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t) + kernel_dontaudit_list_proc(postfix_map_t) + kernel_dontaudit_read_system_state(postfix_map_t) + +-corenet_all_recvfrom_unlabeled(postfix_map_t) + corenet_all_recvfrom_netlabel(postfix_map_t) + corenet_tcp_sendrecv_generic_if(postfix_map_t) 
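Review bot: `antivirus_stream_connect(postfix_domain)` sits inside the optional_policy block of the `Postfix local local policy` section but grants the whole `postfix_domain` attribute, while the two lines above it target `postfix_local_t`; either change it to `postfix_local_t` or move it to the `postfix_domain common policy` block at the end of the file, otherwise the grant is easy to miss when auditing what the shared attribute allows. The new `userdom_read_user_home_content_files`, `userdom_exec_user_bin_files` and the `use_nfs_home_dirs`/`use_samba_home_dirs` exec rules let the delivery agent execute user-owned programs, but the only `.forward` comment in the hunk is attached to `rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)`; move it above the userdom lines, e.g. `# .forward may name a user program, run it as postfix_local_t`. `corecmd_exec_shell(postfix_local_t)` is already implied by `corecmd_exec_shell(postfix_domain)` in the common block if `postfix_local_t` carries that attribute, which the `postfix_server_domain_template(local)` call suggests but this diff does not show.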
++corenet_udp_sendrecv_generic_if(postfix_map_t) + corenet_tcp_sendrecv_generic_node(postfix_map_t) +- +-corenet_sendrecv_all_client_packets(postfix_map_t) +-corenet_tcp_connect_all_ports(postfix_map_t) ++corenet_udp_sendrecv_generic_node(postfix_map_t) + corenet_tcp_sendrecv_all_ports(postfix_map_t) ++corenet_udp_sendrecv_all_ports(postfix_map_t) ++corenet_tcp_connect_all_ports(postfix_map_t) ++corenet_sendrecv_all_client_packets(postfix_map_t) + + corecmd_list_bin(postfix_map_t) + corecmd_read_bin_symlinks(postfix_map_t) +@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t) + corecmd_read_bin_sockets(postfix_map_t) + + files_list_home(postfix_map_t) +-files_read_usr_files(postfix_map_t) + files_read_etc_runtime_files(postfix_map_t) + files_dontaudit_search_var(postfix_map_t) + +@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t) + + logging_send_syslog_msg(postfix_map_t) + +-miscfiles_read_localization(postfix_map_t) +- + optional_policy(` + locallogin_dontaudit_use_fds(postfix_map_t) + ') + + optional_policy(` ++# for postalias + mailman_manage_data_files(postfix_map_t) + ') + + ######################################## + # +-# Pickup local policy ++# Postfix pickup local policy + # + ++allow postfix_pickup_t self:tcp_socket create_socket_perms; ++ + stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) + + rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) +@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; + read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) + delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) + ++postfix_list_spool(postfix_pickup_t) ++ + allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; + read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + 
+-mcs_file_read_all(postfix_pickup_t) +-mcs_file_write_all(postfix_pickup_t) +- + ######################################## + # +-# Pipe local policy ++# Postfix pipe local policy + # + + allow postfix_pipe_t self:process setrlimit; +@@ -576,19 +484,26 @@ optional_policy(` + + ######################################## + # +-# Postdrop local policy ++# Postfix postdrop local policy + # + ++# usually it does not need a UDP socket + allow postfix_postdrop_t self:capability sys_resource; ++allow postfix_postdrop_t self:tcp_socket create; ++allow postfix_postdrop_t self:udp_socket create_socket_perms; ++ ++# Might be a leak, but I need a postfix expert to explain ++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; ++allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto; + + rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) ++rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) + ++postfix_list_spool(postfix_postdrop_t) + manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + +-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; +- +-mcs_file_read_all(postfix_postdrop_t) +-mcs_file_write_all(postfix_postdrop_t) ++corenet_udp_sendrecv_generic_if(postfix_postdrop_t) ++corenet_udp_sendrecv_generic_node(postfix_postdrop_t) + + term_dontaudit_use_all_ptys(postfix_postdrop_t) + term_dontaudit_use_all_ttys(postfix_postdrop_t) +@@ -603,10 +518,7 @@ optional_policy(` + cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) + ') + +-optional_policy(` +- fail2ban_dontaudit_use_fds(postfix_postdrop_t) +-') +- ++# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 + optional_policy(` + fstools_read_pipes(postfix_postdrop_t) + ') +@@ -621,17 +533,24 @@ optional_policy(` + + ####################################### + # +-# Postqueue local policy ++# Postfix postqueue local policy + # + ++allow postfix_postqueue_t 
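Review bot: `# Might be a leak, but I need a postfix expert to explain` above `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` ships an acknowledged open question in the policy. The local section of this diff has `domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)`, so postdrop presumably inherits the delivery agent's stream-socket descriptors across the transition, which is exactly what the rule permits; if that is confirmed, replace the comment with `# socket fds inherited from postfix_local_t across the domtrans`, otherwise a `dontaudit` is the safer way to quiet the denial. `allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;` together with `rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)` is what every other domain in the file spells as `stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)`; use the same form here. `# usually it does not need a UDP socket` is placed above the `sys_resource` capability rather than above `allow postfix_postdrop_t self:udp_socket create_socket_perms;`, and that rule grants the full permission set despite the comment, so either the comment or the permission set should be reconciled.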
self:capability2 block_suspend; ++allow postfix_postqueue_t self:tcp_socket create; ++allow postfix_postqueue_t self:udp_socket { create ioctl }; ++ ++# wants to write to /var/spool/postfix/public/showq + stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) + ++# write to /var/spool/postfix/public/qmgr + write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) + + domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) + +-term_use_all_ptys(postfix_postqueue_t) +-term_use_all_ttys(postfix_postqueue_t) ++# to write the mailq output, it really should not need read access! ++term_use_all_inherited_ptys(postfix_postqueue_t) ++term_use_all_inherited_ttys(postfix_postqueue_t) + + init_sigchld_script(postfix_postqueue_t) + init_use_script_fds(postfix_postqueue_t) +@@ -647,67 +566,77 @@ optional_policy(` + + ######################################## + # +-# Qmgr local policy ++# Postfix qmgr local policy + # + +-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; +- + stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + + rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) + +-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; +- ++# for /var/spool/postfix/active + manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_qmgr_t, 
postfix_spool_t, dir) + ++allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; ++allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; ++allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; ++ ++manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ + corecmd_exec_bin(postfix_qmgr_t) + + ######################################## + # +-# Showq local policy ++# Postfix showq local policy + # + + allow postfix_showq_t self:capability { setuid setgid }; ++allow postfix_showq_t self:tcp_socket create_socket_perms; + + allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; + ++allow postfix_showq_t postfix_spool_t:file read_file_perms; ++ ++postfix_list_spool(postfix_showq_t) ++ + allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; + allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; + allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + +-allow postfix_showq_t postfix_spool_t:file read_file_perms; +- +-mcs_file_read_all(postfix_showq_t) +- ++# to write the mailq output, it really should not need read access! 
+ term_use_all_ptys(postfix_showq_t) + term_use_all_ttys(postfix_showq_t) + + ######################################## + # +-# Smtp delivery local policy ++# Postfix smtp delivery local policy + # + ++# connect to master process + allow postfix_smtp_t self:capability sys_chroot; +- + stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + +-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms; ++allow postfix_smtp_t postfix_prng_t:file rw_file_perms; ++ ++allow postfix_smtp_t postfix_spool_t:file rw_file_perms; + + rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + ++# for spampd ++corenet_tcp_connect_spamd_port(postfix_master_t) ++ ++files_search_all_mountpoints(postfix_smtp_t) ++ + optional_policy(` + cyrus_stream_connect(postfix_smtp_t) + ') + + optional_policy(` +- dovecot_stream_connect(postfix_smtp_t) ++ dovecot_stream_connect(postfix_smtp_t) + ') + + optional_policy(` +@@ -720,29 +649,30 @@ optional_policy(` + + ######################################## + # +-# Smtpd local policy ++# Postfix smtpd local policy + # +- + allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; + ++# connect to master process + stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + ++# Connect to policy server ++corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) ++ ++# for prng_exch + manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) + allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; + +-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t) +-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) 
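Review bot: `corenet_tcp_connect_spamd_port(postfix_master_t)` under the `# for spampd` comment is placed in the `Postfix smtp delivery local policy` section but names `postfix_master_t`; every other rule in that section targets `postfix_smtp_t`, so this looks like a copy of the master-section spampd line and should read `corenet_tcp_connect_spamd_port(postfix_smtp_t)` if the smtp client is the process that forwards to spampd, or move to the master section. `files_search_all_mountpoints(postfix_smtp_t)` duplicates `files_search_all_mountpoints(postfix_domain)` from the common block. In the showq section the comment `# to write the mailq output, it really should not need read access!` is followed by `term_use_all_ptys(postfix_showq_t)`/`term_use_all_ttys(postfix_showq_t)`, whereas the postqueue section in the previous hunk switched to the `term_use_all_inherited_*` variants under the same comment; showq should presumably get the same narrowing, or the comment should say why it cannot.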
+-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t) +- + corecmd_exec_bin(postfix_smtpd_t) + ++# for OpenSSL certificates ++ ++# postfix checks the size of all mounted file systems + fs_getattr_all_dirs(postfix_smtpd_t) + fs_getattr_all_fs(postfix_smtpd_t) + +-mta_read_aliases(postfix_smtpd_t) +- + optional_policy(` + dovecot_stream_connect_auth(postfix_smtpd_t) + dovecot_stream_connect(postfix_smtpd_t) +@@ -754,6 +684,7 @@ optional_policy(` + + optional_policy(` + milter_stream_connect_all(postfix_smtpd_t) ++ spamassassin_read_pid_files(postfix_smtpd_t) + ') + + optional_policy(` +@@ -764,31 +695,99 @@ optional_policy(` + sasl_connect(postfix_smtpd_t) + ') + +-optional_policy(` +- spamassassin_read_spamd_pid_files(postfix_smtpd_t) +- spamassassin_stream_connect_spamd(postfix_smtpd_t) +-') +- + ######################################## + # +-# Virtual local policy ++# Postfix virtual local policy + # + +-allow postfix_virtual_t self:process setrlimit; ++allow postfix_virtual_t self:process { setsched setrlimit }; + +-allow postfix_virtual_t postfix_spool_t:file rw_file_perms; ++manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t) + ++# connect to master process + stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + ++corecmd_exec_shell(postfix_virtual_t) + corecmd_exec_bin(postfix_virtual_t) + +-mta_read_aliases(postfix_virtual_t) + mta_delete_spool(postfix_virtual_t) +-mta_read_config(postfix_virtual_t) + mta_manage_spool(postfix_virtual_t) + + userdom_manage_user_home_dirs(postfix_virtual_t) +-userdom_manage_user_home_content_dirs(postfix_virtual_t) +-userdom_manage_user_home_content_files(postfix_virtual_t) +-userdom_home_filetrans_user_home_dir(postfix_virtual_t) +-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }) ++userdom_manage_user_home_content(postfix_virtual_t) 
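Review bot: `# for OpenSSL certificates` in the smtpd section is now a dangling comment: the rule it described is gone and the next lines are `# postfix checks the size of all mounted file systems` and `fs_getattr_all_dirs(postfix_smtpd_t)`; delete it, or attach it to the rule that actually grants certificate access, `miscfiles_read_generic_certs(postfix_domain)` in the common block. `# for prng_exch` is placed above `manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)`, but the prng_exch rule is `allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;` three lines later; put the comment on that line. The hunk keeps `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` but drops the `corenet_sendrecv_postfix_policyd_client_packets` line the old side paired with it, so the policy-server connection will be denied wherever SECMARK packet labelling is active; if that is intended, say so next to the `# Connect to policy server` comment.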
++userdom_filetrans_home_content(postfix_virtual_t) ++ ++######################################## ++# ++# postfix_domain common policy ++# ++allow postfix_domain self:capability { sys_nice sys_chroot }; ++dontaudit postfix_domain self:capability sys_tty_config; ++allow postfix_domain self:process { signal_perms setpgid setsched }; ++allow postfix_domain self:unix_dgram_socket create_socket_perms; ++allow postfix_domain self:unix_stream_socket create_stream_socket_perms; ++allow postfix_domain self:unix_stream_socket connectto; ++allow postfix_domain self:fifo_file rw_fifo_file_perms; ++ ++allow postfix_master_t postfix_domain:fifo_file { read write }; ++allow postfix_master_t postfix_domain:process signal; ++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 ++allow postfix_domain postfix_master_t:file read; ++allow postfix_domain postfix_etc_t:dir list_dir_perms; ++read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t) ++read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t) ++ ++allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; ++ ++allow postfix_domain postfix_master_t:process sigchld; ++ ++allow postfix_domain postfix_spool_t:dir list_dir_perms; ++ ++manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) ++files_pid_filetrans(postfix_domain, postfix_var_run_t, file) ++ ++kernel_read_network_state(postfix_domain) ++kernel_read_all_sysctls(postfix_domain) ++ ++dev_read_sysfs(postfix_domain) ++dev_read_rand(postfix_domain) ++dev_read_urand(postfix_domain) ++ ++fs_search_auto_mountpoints(postfix_domain) ++fs_getattr_xattr_fs(postfix_domain) ++fs_rw_anon_inodefs_files(postfix_domain) ++ ++term_dontaudit_use_console(postfix_domain) ++ ++corecmd_exec_shell(postfix_domain) ++ ++files_read_etc_runtime_files(postfix_domain) ++files_read_usr_symlinks(postfix_domain) ++files_search_spool(postfix_domain) ++files_list_tmp(postfix_domain) ++files_search_all_mountpoints(postfix_domain) ++ 
++init_dontaudit_use_fds(postfix_domain)
++init_sigchld(postfix_domain)
++init_dontaudit_rw_stream_socket(postfix_domain)
++
++# For reading spamassasin
++mta_read_config(postfix_domain)
++mta_read_aliases(postfix_domain)
++
++miscfiles_read_generic_certs(postfix_domain)
++
++userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
++
++optional_policy(`
++ mysql_stream_connect(postfix_domain)
++')
++
++optional_policy(`
++ spamd_stream_connect(postfix_domain)
++ spamassassin_domtrans_client(postfix_domain)
++')
++
++optional_policy(`
++ udev_read_db(postfix_domain)
++')
+diff --git a/postfixpolicyd.if b/postfixpolicyd.if
+index 5de8173..985b877 100644
+--- a/postfixpolicyd.if
++++ b/postfixpolicyd.if
+@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+ ')
+ 
+- allow $1 postfix_policyd_t:process { ptrace signal_perms };
++ allow $1 postfix_policyd_t:process signal_perms;
+ ps_process_pattern($1, postfix_policyd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 postfix_policyd_t:process ptrace;
++ ')
+ 
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/postfixpolicyd.te b/postfixpolicyd.te
+index 70f0533..77d4cd9 100644
+--- a/postfixpolicyd.te
++++ b/postfixpolicyd.te
+@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+ files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+ 
+-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+ corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+ corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
+ corenet_tcp_bind_generic_node(postfix_policyd_t)
+@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
+ corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+ corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+ 
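Review bot: The new `postfix_domain` common block grants `corecmd_exec_shell`, `self:capability { sys_nice sys_chroot }`, `kernel_read_all_sysctls` and `spamassassin_domtrans_client` to every domain carrying the attribute, which is wider than the per-domain rules it replaces; the separate `corecmd_exec_shell(postfix_virtual_t)` added in the same hunk suggests not every member needed shell execution. A one-line comment per group naming the member that requires it would let a later reviewer narrow these without re-deriving them. The `# For reading spamassasin` comment sits above `mta_read_config`/`mta_read_aliases`, which read MTA configuration and aliases, not spamassassin; suggest `# MTA config and aliases are shared by all postfix domains` there and moving the spamassassin remark to the `spamd_stream_connect` block. The bare bugzilla URL above `allow postfix_domain postfix_master_t:file read;` should also say what the rule is for, since the link alone does not survive offline review.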
+-files_read_etc_files(postfix_policyd_t) +-files_read_usr_files(postfix_policyd_t) + + logging_send_syslog_msg(postfix_policyd_t) + +-miscfiles_read_localization(postfix_policyd_t) +- + sysnet_dns_name_resolve(postfix_policyd_t) +diff --git a/postgrey.if b/postgrey.if +index b9e71b5..a7502cd 100644 +--- a/postgrey.if ++++ b/postgrey.if +@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',` + type postgrey_var_run_t, postgrey_t, postgrey_spool_t; + ') + ++ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) + files_search_pids($1) + files_search_spool($1) +- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) + ') + + ######################################## +@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',` + # + interface(`postgrey_admin',` + gen_require(` +- type postgrey_t, postgrey_etc_t, postgrey_spool_t; +- type postgrey_var_lib_t, postgrey_var_run_t; +- type postgrey_initrc_exec_t; ++ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; ++ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t; + ') + +- allow $1 postgrey_t:process { ptrace signal_perms }; ++ allow $1 postgrey_t:process signal_perms; + ps_process_pattern($1, postgrey_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 postgrey_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, postgrey_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgrey_initrc_exec_t system_r; +diff --git a/postgrey.te b/postgrey.te +index 3b11496..04e3809 100644 +--- a/postgrey.te ++++ b/postgrey.te +@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; + init_script_file(postgrey_initrc_exec_t) + + type postgrey_spool_t; +-files_type(postgrey_spool_t) ++files_spool_file(postgrey_spool_t) + + type postgrey_var_lib_t; + files_type(postgrey_var_lib_t) +@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t) + + 
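Review bot: The removal of `files_read_etc_files`, `files_read_usr_files` and `miscfiles_read_localization` from postfix_policyd_t (here, and for postgrey_t in the postgrey.te hunk `@@ -72,17 +71,15 @@`, plus `miscfiles_read_localization` for pppd_t and pptp_t in ppp.te) preserves behaviour only if those reads are now supplied by a base attribute the daemon domains carry, and nothing in this patch shows where that happens. A comment at the first such removal naming the interface or attribute that now provides them, e.g. `# etc/usr/locale reads now come from the domain-wide base policy`, would make the intent checkable. The same applies to the `corenet_all_recvfrom_unlabeled` removals in postfixpolicyd.te `@@ -34,7 +34,6 @@`, postgrey.te `@@ -57,7 +57,6 @@` and ppp.te, which change how unlabeled traffic is handled for these daemons unless compensated elsewhere.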
corecmd_search_bin(postgrey_t) + +-corenet_all_recvfrom_unlabeled(postgrey_t) + corenet_all_recvfrom_netlabel(postgrey_t) + corenet_tcp_sendrecv_generic_if(postgrey_t) + corenet_tcp_sendrecv_generic_node(postgrey_t) +@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t) + + domain_use_interactive_fds(postgrey_t) + +-files_read_etc_files(postgrey_t) + files_read_etc_runtime_files(postgrey_t) +-files_read_usr_files(postgrey_t) + files_getattr_tmp_dirs(postgrey_t) + + fs_getattr_all_fs(postgrey_t) + fs_search_auto_mountpoints(postgrey_t) + +-logging_send_syslog_msg(postgrey_t) ++auth_read_passwd(postgrey_t) + +-miscfiles_read_localization(postgrey_t) ++logging_send_syslog_msg(postgrey_t) + + sysnet_read_config(postgrey_t) + +diff --git a/ppp.fc b/ppp.fc +index efcb653..ff2c96a 100644 +--- a/ppp.fc ++++ b/ppp.fc +@@ -1,30 +1,45 @@ +-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0) ++# ++# /etc ++# ++/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + +-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) ++/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) ++/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) ++/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) ++/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) ++/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) ++# Fix /etc/ppp {up,down} family scripts (see man pppd) ++/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + +-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) +-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-/etc/ppp/peers(/.*)? 
gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) +-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) ++/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + +-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) + +-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) ++# ++# /sbin ++# ++/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) + +-/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) +- +-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) +-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0) ++# ++# /usr ++# ++/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) + ++# ++# /var ++# + /var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) + /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) +-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) +-/var/run/pptp(/.*)? 
gen_context(system_u:object_r:pptp_var_run_t,s0) ++/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) ++# Fix pptp sockets ++/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) ++ ++/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) ++ ++/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) ++/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) +diff --git a/ppp.if b/ppp.if +index cd8b8b9..6c73980 100644 +--- a/ppp.if ++++ b/ppp.if +@@ -1,110 +1,91 @@ +-## Point to Point Protocol daemon creates links in ppp networks. ++## Point to Point Protocol daemon creates links in ppp networks + +-######################################## ++####################################### + ## +-## Role access for ppp. ++## Create, read, write, and delete ++## ppp home files. + ## +-## +-## +-## Role allowed access. +-## +-## + ## +-## +-## User domain for the role. +-## +-## +-# +-interface(`ppp_role',` +- refpolicywarn(`$0($*) has been deprecated') +-') +- +-######################################## +-## +-## Create, read, write, and delete +-## ppp home files. +-## +-## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`ppp_manage_home_files',` +- gen_require(` +- type ppp_home_t; +- ') ++ gen_require(` ++ type ppp_home_t; ++ ') + +- userdom_search_user_home_dirs($1) +- allow $1 ppp_home_t:file manage_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 ppp_home_t:file manage_file_perms; + ') + +-######################################## ++####################################### + ## +-## Read ppp user home content files. ++## Read ppp user home content files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
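Review bot: `/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)` labels the ppp unit file with the iptables unit type, while ppp.te in this same patch declares `pppd_unit_file_t` and `ppp_systemctl`/`ppp_admin` grant `pppd_unit_file_t:service` permissions; as written those grants never match the file and whoever holds the iptables unit interfaces controls the ppp service instead. Change it to `gen_context(system_u:object_r:pppd_unit_file_t,s0)`. The new `/root/.ppprc` entry also drops the escaped dot the removed `HOME_DIR/\.ppprc` line had (`/root/\.ppprc`), and relabels the file from `ppp_home_t` to `pppd_etc_t` while ppp.if still exposes `ppp_*_home_files` interfaces on `ppp_home_t`.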
++## + ## + # + interface(`ppp_read_home_files',` +- gen_require(` +- type ppp_home_t; ++ gen_require(` ++ type ppp_home_t; + +- ') ++ ') + +- userdom_search_user_home_dirs($1) +- allow $1 ppp_home_t:file read_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 ppp_home_t:file read_file_perms; + ') + +-######################################## ++####################################### + ## +-## Relabel ppp home files. ++## Relabel ppp home files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`ppp_relabel_home_files',` +- gen_require(` +- type ppp_home_t; +- ') ++ gen_require(` ++ type ppp_home_t; ++ ') + +- userdom_search_user_home_dirs($1) +- allow $1 ppp_home_t:file relabel_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 ppp_home_t:file relabel_file_perms; + ') + +-######################################## ++####################################### + ## +-## Create objects in user home +-## directories with the ppp home type. ++## Create objects in user home ++## directories with the ppp home type. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + ## +-## +-## Class of the object being created. +-## ++## ++## Class of the object being created. ++## + ## + ## +-## +-## The name of the object being created. +-## ++## ++## The name of the object being created. ++## + ## + # + interface(`ppp_home_filetrans_ppp_home',` +- gen_require(` +- type ppp_home_t; +- ') ++ gen_require(` ++ type ppp_home_t; ++ ') + +- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) ++ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) + ') + + ######################################## +@@ -128,7 +109,7 @@ interface(`ppp_use_fds',` + ######################################## + ## + ## Do not audit attempts to inherit +-## and use ppp file discriptors. ++## and use PPP file discriptors. 
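Review bot: `ppp_manage_home_files`, `ppp_read_home_files`, `ppp_relabel_home_files` and `ppp_home_filetrans_ppp_home` still `gen_require` `type ppp_home_t;`, but the ppp.te hunk `@@ -67,54 +74,57 @@` removes `type ppp_home_t;` and `userdom_user_home_content(ppp_home_t)`, and ppp.fc no longer labels anything with it, so any module calling these interfaces will fail to link. Either keep the type declaration or turn these four into deprecation stubs the way `ppp_role` was, with the body `refpolicywarn(`$0($*) has been deprecated')`. Removing the `ppp_role` stub itself also turns a warning into a hard m4 error for any policy still calling it, which is only safe if no caller remains.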
+ ## + ## + ## +@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',` + + ######################################## + ## +-## Send child terminated signals to ppp. ++## Send a SIGCHLD signal to PPP. + ## + ## + ## +@@ -165,7 +146,7 @@ interface(`ppp_sigchld',` + + ######################################## + ## +-## Send kill signals to ppp. ++## Send ppp a kill signal + ## + ## + ## +@@ -173,7 +154,6 @@ interface(`ppp_sigchld',` + ## + ## + # +-# + interface(`ppp_kill',` + gen_require(` + type pppd_t; +@@ -184,7 +164,7 @@ interface(`ppp_kill',` + + ######################################## + ## +-## Send generic signals to ppp. ++## Send a generic signal to PPP. + ## + ## + ## +@@ -202,7 +182,7 @@ interface(`ppp_signal',` + + ######################################## + ## +-## Send null signals to ppp. ++## Send a generic signull to PPP. + ## + ## + ## +@@ -220,7 +200,7 @@ interface(`ppp_signull',` + + ######################################## + ## +-## Execute pppd in the pppd domain. ++## Execute domain in the ppp domain. + ## + ## + ## +@@ -239,8 +219,7 @@ interface(`ppp_domtrans',` + + ######################################## + ## +-## Conditionally execute pppd on +-## behalf of a user or staff type. ++## Conditionally execute ppp daemon on behalf of a user or staff type. + ## + ## + ## +@@ -249,7 +228,7 @@ interface(`ppp_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the ppp domain. + ## + ## + ## +@@ -268,8 +247,7 @@ interface(`ppp_run_cond',` + + ######################################## + ## +-## Unconditionally execute ppp daemon +-## on behalf of a user or staff type. ++## Unconditionally execute ppp daemon on behalf of a user or staff type. + ## + ## + ## +@@ -278,7 +256,7 @@ interface(`ppp_run_cond',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the ppp domain. + ## + ## + ## +@@ -294,7 +272,7 @@ interface(`ppp_run',` + + ######################################## + ## +-## Execute domain in the caller domain. 
++## Execute domain in the ppp caller. + ## + ## + ## +@@ -326,13 +304,13 @@ interface(`ppp_read_config',` + type pppd_etc_t; + ') + +- files_search_etc($1) + read_files_pattern($1, pppd_etc_t, pppd_etc_t) ++ files_search_etc($1) + ') + + ######################################## + ## +-## Read ppp writable configuration content. ++## Read PPP-writable configuration files. + ## + ## + ## +@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',` + type pppd_etc_t, pppd_etc_rw_t; + ') + +- files_search_etc($1) +- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms; ++ allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_etc_rw_t:file read_file_perms; +- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ######################################## + ## +-## Read ppp secret files. ++## Read PPP secrets. + ## + ## + ## +@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',` + type pppd_etc_t, pppd_secret_t; + ') + +- files_search_etc($1) + allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_secret_t:file read_file_perms; +- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ######################################## + ## +-## Read ppp pid files. ++## Read PPP pid files. + ## + ## + ## +@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',` + ') + + files_search_pids($1) +- allow $1 pppd_var_run_t:file read_file_perms; ++ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## ppp pid files. ++## Create, read, write, and delete PPP pid files. + ## + ## + ## +@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',` + ') + + files_search_pids($1) +- allow $1 pppd_var_run_t:file manage_file_perms; ++ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) + ') + + ######################################## + ## +-## Create specified pppd pid objects +-## with a type transition. 
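Review bot: `ppp_read_rw_config` loses `pppd_etc_rw_t:dir list_dir_perms` and the `lnk_file read_lnk_file_perms` on both types, but ppp.fc labels `/etc/ppp/peers(/.*)?` as a `pppd_etc_rw_t` directory, so callers can no longer search into `peers/` to read the very files this interface exists to expose. Restore `allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;` and `allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;`. The matching `lnk_file` removal in `ppp_read_secrets` at `@@ -366,15 +343,14 @@` breaks callers when `/etc/ppp` or a secrets file is reached through a symlink.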
++## Create, read, write, and delete PPP pid files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # + interface(`ppp_pid_filetrans',` + gen_require(` + type pppd_var_run_t; + ') + +- files_pid_filetrans($1, pppd_var_run_t, $2, $3) ++ files_pid_filetrans($1, pppd_var_run_t, file) + ') + + ######################################## + ## +-## Execute pppd init script in +-## the initrc domain. ++## Execute ppp server in the ntpd domain. + ## + ## + ## +@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',` + + ######################################## + ## +-## All of the rules required to +-## administrate an ppp environment. ++## Execute pppd server in the pppd domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## +-## ++# ++interface(`ppp_systemctl',` ++ gen_require(` ++ type pppd_unit_file_t; ++ type pppd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 pppd_unit_file_t:file read_file_perms; ++ allow $1 pppd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, pppd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ppp environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## ++## ++## ++## Role allowed access. 
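Review bot: `ppp_pid_filetrans` changes its signature from `($1, $2, $3)` to `($1)` with the class hard-coded to `file`; m4 accepts extra arguments without complaint, so existing callers that pass a class or object name have them silently ignored, and a caller that needed a `dir` transition loses it. Keep the parameters, i.e. `files_pid_filetrans($1, pppd_var_run_t, $2, $3)`, and keep the two parameter blocks that were removed from the header. The summary was also copied from `ppp_manage_pid_files` and should read `Create objects in the pid directory with the pppd pid type.`; likewise the `ppp_initrc_domtrans` summary in this hunk now says `Execute ppp server in the ntpd domain.` and should say `Execute the ppp init script in the initrc domain.`.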
++## ++## + ## + # + interface(`ppp_admin',` + gen_require(` + type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; +- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t; +- type pppd_var_run_t, pppd_initrc_exec_t; ++ type pppd_etc_t, pppd_secret_t, pppd_var_run_t; + type pptp_t, pptp_log_t, pptp_var_run_t; ++ type pppd_initrc_exec_t, pppd_etc_rw_t; ++ type pppd_unit_file_t; ++ ') ++ ++ allow $1 pppd_t:process signal_perms; ++ ps_process_pattern($1, pppd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pppd_t:process ptrace; ++ allow $1 pptp_t:process ptrace; + ') + +- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { pptp_t pppd_t }) ++ allow $1 pptp_t:process signal_perms; ++ ps_process_pattern($1, pptp_t) + + ppp_initrc_domtrans($1) + domain_system_change_exemption($1) +@@ -496,14 +490,26 @@ interface(`ppp_admin',` + admin_pattern($1, pppd_tmp_t) + + logging_list_logs($1) +- admin_pattern($1, { pptp_log_t pppd_log_t }) ++ admin_pattern($1, pppd_log_t) + + files_list_locks($1) + admin_pattern($1, pppd_lock_t) + + files_list_etc($1) +- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t }) ++ admin_pattern($1, pppd_etc_t) ++ ++ admin_pattern($1, pppd_etc_rw_t) ++ ++ admin_pattern($1, pppd_secret_t) + + files_list_pids($1) +- admin_pattern($1, { pptp_var_run_t pppd_var_run_t }) ++ admin_pattern($1, pppd_var_run_t) ++ ++ admin_pattern($1, pptp_log_t) ++ ++ admin_pattern($1, pptp_var_run_t) ++ ++ ppp_systemctl($1) ++ admin_pattern($1, pppd_unit_file_t) ++ allow $1 pppd_unit_file_t:service all_service_perms; + ') +diff --git a/ppp.te b/ppp.te +index b2b5dba..9bc465c 100644 +--- a/ppp.te ++++ b/ppp.te +@@ -1,4 +1,4 @@ +-policy_module(ppp, 1.13.5) ++policy_module(ppp, 1.13.0) + + ######################################## + # +@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5) + # + + ## +-##
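Review bot: `ppp_systemctl` is documented as `Execute pppd server in the pppd domain.`, which describes `ppp_domtrans`, not an interface that runs systemctl and grants `pppd_unit_file_t:service manage_service_perms`; suggest `Execute systemctl to manage the pppd unit and read pppd process state.` with the parameter described as `Domain allowed access.`. In `ppp_admin` (next hunk, `@@ -496,14 +490,26 @@`) `ppp_systemctl($1)` already grants `manage_service_perms` on the unit, so the added `allow $1 pppd_unit_file_t:service all_service_perms;` largely duplicates it; keep one and comment why the broader set is needed if it is.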

    +-## Determine whether pppd can +-## load kernel modules. +-##

    ++##

    ++## Allow pppd to load kernel modules for certain modems ++##

    + ##
    + gen_tunable(pppd_can_insmod, false) + + ## +-##

    +-## Determine whether common users can +-## run pppd with a domain transition. +-##

    ++##

    ++## Allow pppd to be run for a regular user ++##

    + ##
    + gen_tunable(pppd_for_user, false) + + attribute_role pppd_roles; +-attribute_role pptp_roles; + ++# pppd_t is the domain for the pppd program. ++# pppd_exec_t is the type of the pppd executable. + type pppd_t; + type pppd_exec_t; + init_daemon_domain(pppd_t, pppd_exec_t) + role pppd_roles types pppd_t; ++role system_r types pppd_t; + + type pppd_devpts_t; + term_pty(pppd_devpts_t) + ++# Define a separate type for /etc/ppp + type pppd_etc_t; + files_config_file(pppd_etc_t) + ++# Define a separate type for writable files under /etc/ppp + type pppd_etc_rw_t; + files_type(pppd_etc_rw_t) + + type pppd_initrc_exec_t alias pppd_script_exec_t; + init_script_file(pppd_initrc_exec_t) + ++type pppd_unit_file_t; ++systemd_unit_file(pppd_unit_file_t) ++ ++# pppd_secret_t is the type of the pap and chap password files + type pppd_secret_t; + files_type(pppd_secret_t) + +@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t) + type pptp_t; + type pptp_exec_t; + init_daemon_domain(pptp_t, pptp_exec_t) +-role pptp_roles types pptp_t; ++#role pppd_roles types pptp_t; ++role system_r types pptp_t; + + type pptp_log_t; + logging_log_file(pptp_log_t) +@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t) + type pptp_var_run_t; + files_pid_file(pptp_var_run_t) + +-type ppp_home_t; +-userdom_user_home_content(ppp_home_t) +- + ######################################## + # +-# PPPD local policy ++# PPPD Local policy + # + + allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; + dontaudit pppd_t self:capability sys_tty_config; +-allow pppd_t self:process { getsched setsched signal }; ++allow pppd_t self:process { getsched setsched signal_perms }; + allow pppd_t self:fifo_file rw_fifo_file_perms; + allow pppd_t self:socket create_socket_perms; +-allow pppd_t self:netlink_route_socket nlmsg_write; +-allow pppd_t self:tcp_socket { accept listen }; ++allow pppd_t self:unix_dgram_socket create_socket_perms; ++allow pppd_t 
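Review bot: `#role pppd_roles types pptp_t;` in hunk `@@ -59,7 +65,8 @@` is a commented-out rule left beside the new `role system_r types pptp_t;`, and with `attribute_role pptp_roles` dropped in `@@ -6,41 +6,47 @@` pptp_t is valid only in system_r. pppd_t keeps `domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)` in the following hunk and, with `pppd_for_user`, can run in user roles, so a user-role pppd spawning pptp appears to be a role-invalid transition unless pptp_t is also added to pppd_roles. Either restore `role pppd_roles types pptp_t;` or delete the commented line and record the intent, e.g. `# pptp_t is only reachable from system_r; user-role pppd cannot spawn pptp`.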
self:unix_stream_socket create_socket_perms; ++allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; ++allow pppd_t self:tcp_socket create_stream_socket_perms; ++allow pppd_t self:udp_socket { connect connected_socket_perms }; + allow pppd_t self:packet_socket create_socket_perms; + ++domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) ++ + allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + + allow pppd_t pppd_etc_t:dir rw_dir_perms; +-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms; ++allow pppd_t pppd_etc_t:file read_file_perms; + allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; + + manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) ++# Automatically label newly created files under /etc/ppp with this type + filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) + +-allow pppd_t pppd_lock_t:file manage_file_perms; +-files_lock_filetrans(pppd_t, pppd_lock_t, file) ++manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t) ++files_search_locks(pppd_t) + +-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t) + logging_log_filetrans(pppd_t, pppd_log_t, file) + + manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) + manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) +-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file}) ++files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) + + manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) + manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) + files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) + +-can_exec(pppd_t, pppd_exec_t) +- +-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) +- + allow pppd_t pptp_t:process signal; + ++# for SSP ++# Access secret files + allow pppd_t pppd_secret_t:file read_file_perms; + ++ppp_initrc_domtrans(pppd_t) ++ + kernel_read_kernel_sysctls(pppd_t) + kernel_read_system_state(pppd_t) + kernel_rw_net_sysctls(pppd_t) +@@ 
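Review bot: `# for SSP` was inserted above `# Access secret files` and `allow pppd_t pppd_secret_t:file read_file_perms;` but describes nothing in the hunk; drop it or spell out what SSP refers to. `allow pppd_t self:tcp_socket create_stream_socket_perms;` also widens the previous `{ accept listen }` to full socket creation and `self:udp_socket { connect connected_socket_perms }` is new; a one-line comment naming the pppd feature each serves (pppoe, pptp, l2tp) would keep these grants reviewable later.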
-122,10 +132,10 @@ kernel_read_network_state(pppd_t) + kernel_request_load_module(pppd_t) + + dev_read_urand(pppd_t) ++dev_search_sysfs(pppd_t) + dev_read_sysfs(pppd_t) + dev_rw_modem(pppd_t) + +-corenet_all_recvfrom_unlabeled(pppd_t) + corenet_all_recvfrom_netlabel(pppd_t) + corenet_tcp_sendrecv_generic_if(pppd_t) + corenet_raw_sendrecv_generic_if(pppd_t) +@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t) + corenet_udp_sendrecv_generic_node(pppd_t) + corenet_tcp_sendrecv_all_ports(pppd_t) + corenet_udp_sendrecv_all_ports(pppd_t) +- ++# Access /dev/ppp. + corenet_rw_ppp_dev(pppd_t) + ++fs_getattr_all_fs(pppd_t) ++fs_search_auto_mountpoints(pppd_t) ++ ++term_use_unallocated_ttys(pppd_t) ++term_use_usb_ttys(pppd_t) ++term_setattr_unallocated_ttys(pppd_t) ++term_ioctl_generic_ptys(pppd_t) ++# for pppoe ++term_create_pty(pppd_t, pppd_devpts_t) ++term_use_generic_ptys(pppd_t) ++ ++# allow running ip-up and ip-down scripts and running chat. + corecmd_exec_bin(pppd_t) + corecmd_exec_shell(pppd_t) + +@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t) + files_manage_etc_runtime_files(pppd_t) + files_dontaudit_write_etc_files(pppd_t) + +-fs_getattr_all_fs(pppd_t) +-fs_search_auto_mountpoints(pppd_t) ++# for scripts + +-term_use_unallocated_ttys(pppd_t) +-term_setattr_unallocated_ttys(pppd_t) +-term_ioctl_generic_ptys(pppd_t) +-term_create_pty(pppd_t, pppd_devpts_t) +-term_use_generic_ptys(pppd_t) +- +-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) + init_read_utmp(pppd_t) +-init_signal_script(pppd_t) + init_dontaudit_write_utmp(pppd_t) ++init_signal_script(pppd_t) + +-auth_run_chk_passwd(pppd_t, pppd_roles) + auth_use_nsswitch(pppd_t) ++auth_domtrans_chk_passwd(pppd_t) ++#auth_run_chk_passwd(pppd_t,pppd_roles) + auth_write_login_records(pppd_t) + + logging_send_syslog_msg(pppd_t) + logging_send_audit_msgs(pppd_t) + +-miscfiles_read_localization(pppd_t) +- + sysnet_exec_ifconfig(pppd_t) + sysnet_manage_config(pppd_t) + 
sysnet_etc_filetrans_config(pppd_t) ++sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf") + +-userdom_use_user_terminals(pppd_t) ++userdom_use_inherited_user_terminals(pppd_t) + userdom_dontaudit_use_unpriv_user_fds(pppd_t) + userdom_search_user_home_dirs(pppd_t) ++userdom_search_admin_dir(pppd_t) ++ ++ppp_exec(pppd_t) + + optional_policy(` + ddclient_run(pppd_t, pppd_roles) +@@ -186,11 +203,13 @@ optional_policy(` + l2tpd_dgram_send(pppd_t) + l2tpd_rw_socket(pppd_t) + l2tpd_stream_connect(pppd_t) ++ l2tpd_read_pid_files(pppd_t) ++ l2tpd_dbus_chat(pppd_t) + ') + + optional_policy(` + tunable_policy(`pppd_can_insmod',` +- modutils_domtrans_insmod(pppd_t) ++ modutils_domtrans_insmod_uncond(pppd_t) + ') + ') + +@@ -218,16 +237,19 @@ optional_policy(` + + ######################################## + # +-# PPTP local policy ++# PPTP Local policy + # + + allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; + dontaudit pptp_t self:capability sys_tty_config; + allow pptp_t self:process signal; + allow pptp_t self:fifo_file rw_fifo_file_perms; +-allow pptp_t self:unix_stream_socket { accept connectto listen }; ++allow pptp_t self:unix_dgram_socket create_socket_perms; ++allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow pptp_t self:rawip_socket create_socket_perms; +-allow pptp_t self:netlink_route_socket nlmsg_write; ++allow pptp_t self:tcp_socket create_socket_perms; ++allow pptp_t self:udp_socket create_socket_perms; ++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; + + allow pptp_t pppd_etc_t:dir list_dir_perms; + allow pptp_t pppd_etc_t:file read_file_perms; +@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; + allow pptp_t pppd_etc_rw_t:dir list_dir_perms; + allow pptp_t pppd_etc_rw_t:file read_file_perms; + allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; ++can_exec(pptp_t, pppd_etc_rw_t) + ++# Allow pptp to append to pppd log files 
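Review bot: `#auth_run_chk_passwd(pppd_t,pppd_roles)` is a commented-out rule left next to its replacement `auth_domtrans_chk_passwd(pppd_t)`; delete it rather than keep dead policy. The switch from the `_run` to the `_domtrans` variant means the roles in `pppd_roles` are no longer granted the password-checking domain; if that is deliberate for `pppd_for_user` callers, a comment such as `# password checking is only needed from system_r; user roles are not given the chkpwd domain` would record it. The lone `# for scripts` comment is now followed only by a blank line and `init_read_utmp(pppd_t)`, so it no longer labels anything.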
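Review bot: `modutils_domtrans_insmod_uncond(pppd_t)` replaces the conditional variant inside the `pppd_can_insmod` tunable; if the `_uncond` interface bypasses the module-loading restrictions that plain `modutils_domtrans_insmod` honours, the only remaining gate on pppd loading kernel modules is `pppd_can_insmod`, and pppd_t is reachable from user roles when `pppd_for_user` is on. A comment stating why the unconditional form is required here, e.g. `# TODO(review): document why the unconditional insmod transition is needed for modem modules`, would let the next reviewer judge that trade-off.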
+ allow pptp_t pppd_log_t:file append_file_perms; + +-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow pptp_t pptp_log_t:file manage_file_perms; + logging_log_filetrans(pptp_t, pptp_log_t, file) + ++manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) + manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) + manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) +-files_pid_filetrans(pptp_t, pptp_var_run_t, file) +- +-can_exec(pptp_t, pppd_etc_rw_t) ++files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) + ++kernel_list_proc(pptp_t) + kernel_read_kernel_sysctls(pptp_t) + kernel_read_network_state(pptp_t) ++kernel_read_proc_symlinks(pptp_t) + kernel_read_system_state(pptp_t) + kernel_signal(pptp_t) + ++dev_read_sysfs(pptp_t) ++ + corecmd_exec_shell(pptp_t) + corecmd_read_bin_symlinks(pptp_t) + +-corenet_all_recvfrom_unlabeled(pptp_t) + corenet_all_recvfrom_netlabel(pptp_t) + corenet_tcp_sendrecv_generic_if(pptp_t) + corenet_raw_sendrecv_generic_if(pptp_t) + corenet_tcp_sendrecv_generic_node(pptp_t) + corenet_raw_sendrecv_generic_node(pptp_t) + corenet_tcp_sendrecv_all_ports(pptp_t) +- +-corenet_tcp_connect_all_reserved_ports(pptp_t) ++corenet_tcp_bind_generic_node(pptp_t) + corenet_tcp_connect_generic_port(pptp_t) ++corenet_tcp_connect_all_reserved_ports(pptp_t) + corenet_sendrecv_generic_client_packets(pptp_t) +- +-corenet_sendrecv_pptp_client_packets(pptp_t) + corenet_tcp_connect_pptp_port(pptp_t) + +-dev_read_sysfs(pptp_t) +- +-domain_use_interactive_fds(pptp_t) +- + fs_getattr_all_fs(pptp_t) + fs_search_auto_mountpoints(pptp_t) + +@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t) + term_search_ptys(pptp_t) + term_use_ptmx(pptp_t) + ++domain_use_interactive_fds(pptp_t) ++ + auth_use_nsswitch(pptp_t) + + logging_send_syslog_msg(pptp_t) + +-miscfiles_read_localization(pptp_t) +- + sysnet_exec_ifconfig(pptp_t) + + userdom_dontaudit_use_unpriv_user_fds(pptp_t) +@@ -299,6 +319,10 @@ 
optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_search_config(pppd_t) ++') ++ ++optional_policy(` + dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` +diff --git a/prelink.fc b/prelink.fc +index a90d623..62af9a4 100644 +--- a/prelink.fc ++++ b/prelink.fc +@@ -1,11 +1,11 @@ + /etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) + +-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) ++/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) + + /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) + +-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) +-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) ++/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) ++/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) +diff --git a/prelink.if b/prelink.if +index 20d4697..e6605c1 100644 +--- a/prelink.if ++++ b/prelink.if +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Execute prelink in the prelink domain. ++## Execute the prelink program in the prelink domain. + ## + ## + ## +@@ -18,15 +18,15 @@ interface(`prelink_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, prelink_exec_t, prelink_t) + +- ifdef(`hide_broken_symptoms',` ++ ifdef(`hide_broken_symptoms', ` + dontaudit prelink_t $1:socket_class_set { read write }; +- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; ++ dontaudit prelink_t $1:fifo_file setattr; + ') + ') + + ######################################## + ## +-## Execute prelink in the caller domain. 
++## Execute the prelink program in the current domain. + ## + ## + ## +@@ -45,9 +45,7 @@ interface(`prelink_exec',` + + ######################################## + ## +-## Execute prelink in the prelink +-## domain, and allow the specified role +-## the prelink domain. ++## Execute the prelink program in the prelink domain. + ## + ## + ## +@@ -56,18 +54,18 @@ interface(`prelink_exec',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the prelink domain. + ## + ## + ## + # + interface(`prelink_run',` + gen_require(` +- attribute_role prelink_roles; ++ type prelink_t; + ') + + prelink_domtrans($1) +- roleattribute $2 prelink_roles; ++ role $2 types prelink_t; + ') + + ######################################## +@@ -80,6 +78,7 @@ interface(`prelink_run',` + ## + ## + # ++# cjp: added for misc non-entrypoint objects + interface(`prelink_object_file',` + gen_require(` + attribute prelink_object; +@@ -90,7 +89,7 @@ interface(`prelink_object_file',` + + ######################################## + ## +-## Read prelink cache files. ++## Read the prelink cache. + ## + ## + ## +@@ -109,7 +108,7 @@ interface(`prelink_read_cache',` + + ######################################## + ## +-## Delete prelink cache files. ++## Delete the prelink cache. + ## + ## + ## +@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',` + type prelink_cache_t; + ') + ++ allow $1 prelink_cache_t:file unlink; + files_rw_etc_dirs($1) +- allow $1 prelink_cache_t:file delete_file_perms; + ') + + ######################################## +@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',` + + ######################################## + ## +-## Relabel from prelink lib files. ++## Relabel from files in the /boot directory. + ## + ## + ## +@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',` + + ######################################## + ## +-## Relabel prelink lib files. ++## Relabel from files in the /boot directory. 
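Review bot: The new summary for prelink_relabelfrom_lib in the @@ -168 hunk, `## Relabel from files in the /boot directory.`, does not match what the interface name and its sibling do: the context lines of the @@ -203 hunk show prelink_relabel_lib operating on prelink_var_lib_t via `relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)` under /var/lib, not on /boot. The @@ -187 hunk introduces the same wrong text for prelink_relabel_lib. Keeping the removed wording, `## Relabel from prelink lib files.` and `## Relabel prelink lib files.` respectively, is the fix; both interface bodies lie outside their hunks.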
+ ## + ## + ## +@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',` + files_search_var_lib($1) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + ') ++ ++######################################## ++## ++## Transition to prelink named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prelink_filetrans_named_content',` ++ gen_require(` ++ type prelink_cache_t; ++ ') ++ ++ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") ++') +diff --git a/prelink.te b/prelink.te +index c0f047a..e04bdd6 100644 +--- a/prelink.te ++++ b/prelink.te +@@ -1,4 +1,4 @@ +-policy_module(prelink, 1.10.2) ++policy_module(prelink, 1.10.0) + + ######################################## + # +@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2) + + attribute prelink_object; + +-attribute_role prelink_roles; +- + type prelink_t; + type prelink_exec_t; + init_system_domain(prelink_t, prelink_exec_t) + domain_obj_id_change_exemption(prelink_t) +-role prelink_roles types prelink_t; + + type prelink_cache_t; + files_type(prelink_cache_t) +@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms; + allow prelink_t prelink_cache_t:file manage_file_perms; + files_etc_filetrans(prelink_t, prelink_cache_t, file) + +-allow prelink_t prelink_log_t:dir setattr_dir_perms; ++allow prelink_t prelink_log_t:dir setattr; + create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) + append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) + read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) + logging_log_filetrans(prelink_t, prelink_log_t, file) + +-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; ++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; + files_tmp_filetrans(prelink_t, prelink_tmp_t, file) + +-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; ++allow prelink_t 
prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; + fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) + + manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) + manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) + files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) ++files_search_var_lib(prelink_t) + +-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms }; ++# prelink misc objects that are not system ++# libraries or entrypoints ++allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; + + kernel_read_system_state(prelink_t) + kernel_read_kernel_sysctls(prelink_t) +@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t) + corecmd_read_bin_symlinks(prelink_t) + + dev_read_urand(prelink_t) ++dev_getattr_all_chr_files(prelink_t) + +-files_getattr_all_files(prelink_t) + files_list_all(prelink_t) ++files_getattr_all_files(prelink_t) ++files_write_non_security_dirs(prelink_t) ++files_read_etc_runtime_files(prelink_t) ++files_dontaudit_read_all_symlinks(prelink_t) + files_manage_usr_files(prelink_t) + files_manage_var_files(prelink_t) +-files_read_etc_files(prelink_t) +-files_read_etc_runtime_files(prelink_t) + files_relabelfrom_usr_files(prelink_t) +-files_search_var_lib(prelink_t) +-files_write_non_security_dirs(prelink_t) +-files_dontaudit_read_all_symlinks(prelink_t) + +-fs_getattr_all_fs(prelink_t) +-fs_search_auto_mountpoints(prelink_t) +- +-selinux_get_enforce_mode(prelink_t) ++fs_getattr_xattr_fs(prelink_t) + + storage_getattr_fixed_disk_dev(prelink_t) + ++selinux_get_enforce_mode(prelink_t) ++ + libs_exec_ld_so(prelink_t) + libs_legacy_use_shared_libs(prelink_t) + libs_manage_ld_so(prelink_t) +@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t) + libs_relabel_shared_libs(prelink_t) + libs_delete_lib_symlinks(prelink_t) + 
+-miscfiles_read_localization(prelink_t) + +-userdom_use_user_terminals(prelink_t) +-userdom_manage_user_home_content_files(prelink_t) +-# pending +-# userdom_relabel_user_home_content_files(prelink_t) +-# userdom_execmod_user_home_content_files(prelink_t) ++userdom_use_inherited_user_terminals(prelink_t) ++userdom_manage_user_home_content(prelink_t) ++userdom_relabel_user_home_files(prelink_t) ++userdom_execmod_user_home_files(prelink_t) + userdom_exec_user_home_content_files(prelink_t) + +-ifdef(`hide_broken_symptoms',` +- miscfiles_read_man_pages(prelink_t) ++systemd_read_unit_files(prelink_t) + +- optional_policy(` +- dbus_read_config(prelink_t) +- ') +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files(prelink_t) +- fs_manage_nfs_files(prelink_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files(prelink_t) +- fs_manage_cifs_files(prelink_t) +-') ++term_use_all_inherited_terms(prelink_t) + + optional_policy(` + amanda_manage_lib(prelink_t) +@@ -138,11 +120,12 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_read_config(prelink_t) + gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) + ') + + optional_policy(` +- mozilla_manage_plugin_rw_files(prelink_t) ++ mozilla_plugin_manage_rw_files(prelink_t) + ') + + optional_policy(` +@@ -155,17 +138,18 @@ optional_policy(` + + ######################################## + # +-# Cron system local policy ++# Prelink Cron system Policy + # + + optional_policy(` + allow prelink_cron_system_t self:capability setuid; + allow prelink_cron_system_t self:process { setsched setfscreate signal }; + allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; +- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; ++ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; + + read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) +- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms; ++ 
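Review bot: `userdom_relabel_user_home_files(prelink_t)` and `userdom_execmod_user_home_files(prelink_t)` are now granted unconditionally, where the removed lines had them commented out as pending, yet no comment says which prelink operation on user home content needs relabel and execmod. The `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks are removed with no replacement visible in this hunk, so prelinking files in NFS- or CIFS-mounted home directories would presumably be denied unless something like `userdom_home_manager(prelink_t)` (the interface this patch uses for procmail_t) is added elsewhere. A comment above the userdom block, e.g. `# prelink rewrites and relabels binaries in user home dirs — TODO confirm which step needs execmod`, plus either the tunables or the home-manager call, would make the intent checkable. The hunk's enclosing section continues beyond its edges.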
allow prelink_cron_system_t prelink_cache_t:file unlink; ++ files_delete_etc_dir_entry(prelink_cron_system_t) + + domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) + allow prelink_cron_system_t prelink_t:process noatsecure; +@@ -174,7 +158,7 @@ optional_policy(` + + manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) + files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) +- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms; ++ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; + + kernel_read_system_state(prelink_cron_system_t) + +@@ -184,23 +168,36 @@ optional_policy(` + dev_list_sysfs(prelink_cron_system_t) + dev_read_sysfs(prelink_cron_system_t) + +- files_rw_etc_dirs(prelink_cron_system_t) + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) ++ files_search_var_lib(prelink_cron_system_t) ++ files_dontaudit_list_non_security(prelink_cron_system_t) ++ ++ fs_search_cgroup_dirs(prelink_cron_system_t) + + auth_use_nsswitch(prelink_cron_system_t) + + init_telinit(prelink_cron_system_t) + init_exec(prelink_cron_system_t) ++ init_reload_services(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) + + logging_search_logs(prelink_cron_system_t) + +- miscfiles_read_localization(prelink_cron_system_t) ++ init_stream_connect(prelink_cron_system_t) ++ + + cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) + ++ userdom_dontaudit_list_admin_dir(prelink_cron_system_t) ++ + optional_policy(` + rpm_read_db(prelink_cron_system_t) + ') + ') ++ ++ifdef(`hide_broken_symptoms', ` ++ optional_policy(` ++ dbus_read_config(prelink_t) ++ ') ++') +diff --git a/prelude.if b/prelude.if +index c83a838..f41a4f7 100644 +--- a/prelude.if ++++ b/prelude.if +@@ -1,13 +1,13 @@ +-## Prelude hybrid intrusion detection system. 
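Review bot: `init_reload_services(prelink_cron_system_t)` and `init_stream_connect(prelink_cron_system_t)` extend the existing `init_telinit` grant without a comment naming the cron-script step that needs them; as written the cron job may reload services through init's socket, which is broader than a telinit re-exec. A comment such as `# cron script re-execs init after relinking it — TODO confirm exact step` above those two lines would let a reviewer verify the scope. The `hide_broken_symptoms` block appended at the end of the file holds a prelink_t rule (`dbus_read_config(prelink_t)`) but sits under the "Prelink Cron system Policy" heading; placing it before the cron `optional_policy` keeps each section's rules together, and the double blank line after `init_stream_connect` should be a single one.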
++## Prelude hybrid intrusion detection system + + ######################################## + ## + ## Execute a domain transition to run prelude. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`prelude_domtrans',` +@@ -15,19 +15,17 @@ interface(`prelude_domtrans',` + type prelude_t, prelude_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, prelude_exec_t, prelude_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run prelude audisp. ++## Execute a domain transition to run prelude_audisp. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`prelude_domtrans_audisp',` +@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',` + type prelude_audisp_t, prelude_audisp_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) + ') + + ######################################## + ## +-## Send generic signals to prelude audisp. ++## Signal the prelude_audisp domain. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed acccess. ++## + ## + # + interface(`prelude_signal_audisp',` +@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',` + + ######################################## + ## +-## Read prelude spool files. ++## Read the prelude spool files + ## + ## + ## +@@ -78,13 +75,12 @@ interface(`prelude_read_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## prelude manager spool files. ++## Manage to prelude-manager spool files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`prelude_manage_spool',` +@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',` + + ######################################## + ## +-## All of the rules required to +-## administrate an prelude environment. 
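Review bot: The @@ -35 hunk replaces `## Domain allowed access.` with `## Domain allowed acccess.` in prelude_signal_audisp, introducing a typo, and the @@ -78 hunk's new summary `## Manage to prelude-manager spool files.` is ungrammatical; `## Domain allowed access.` and `## Manage prelude-manager spool files.` are the intended texts. The @@ -15 and @@ -35 hunks also drop `corecmd_search_bin($1)` from prelude_domtrans and prelude_domtrans_audisp, so a caller that does not already search bin directories has to add that itself; a sentence in each interface description saying so would make the new contract visible.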
++## All of the rules required to administrate ++## an prelude environment + ## + ## + ## +@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',` + # + interface(`prelude_admin',` + gen_require(` +- type prelude_t, prelude_spool_t, prelude_lml_var_run_t; +- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t; +- type prelude_audisp_t, prelude_audisp_var_run_t; +- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t; ++ type prelude_t, prelude_spool_t, prelude_initrc_exec_t; ++ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; ++ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; ++ type prelude_lml_t; + ') + +- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }) ++ allow $1 prelude_t:process signal_perms; ++ ps_process_pattern($1, prelude_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 prelude_t:process ptrace; ++ allow $1 prelude_audisp_t:process ptrace; ++ allow $1 prelude_lml_t:process ptrace; ++ ') ++ ++ allow $1 prelude_audisp_t:process signal_perms; ++ ps_process_pattern($1, prelude_audisp_t) ++ ++ allow $1 prelude_lml_t:process signal_perms; ++ ps_process_pattern($1, prelude_lml_t) + + init_labeled_script_domtrans($1, prelude_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 prelude_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_spool($1) ++ files_list_spool($1) + admin_pattern($1, prelude_spool_t) + +- logging_search_logs($1) +- admin_pattern($1, prelude_log_t) +- +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, prelude_var_lib_t) + +- files_search_pids($1) +- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t }) ++ files_list_pids($1) ++ admin_pattern($1, prelude_var_run_t) ++ admin_pattern($1, prelude_audisp_var_run_t) ++ admin_pattern($1, prelude_lml_var_run_t) 
+ +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, prelude_lml_tmp_t) + ') +diff --git a/prelude.te b/prelude.te +index db864df..f7eb5e0 100644 +--- a/prelude.te ++++ b/prelude.te +@@ -13,7 +13,7 @@ type prelude_initrc_exec_t; + init_script_file(prelude_initrc_exec_t) + + type prelude_spool_t; +-files_type(prelude_spool_t) ++files_spool_file(prelude_spool_t) + + type prelude_log_t; + logging_log_file(prelude_log_t) +@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t) + + corecmd_search_bin(prelude_t) + +-corenet_all_recvfrom_unlabeled(prelude_t) + corenet_all_recvfrom_netlabel(prelude_t) + corenet_tcp_sendrecv_generic_if(prelude_t) + corenet_tcp_sendrecv_generic_node(prelude_t) +@@ -97,7 +96,6 @@ dev_read_rand(prelude_t) + dev_read_urand(prelude_t) + + files_read_etc_runtime_files(prelude_t) +-files_read_usr_files(prelude_t) + files_search_spool(prelude_t) + files_search_tmp(prelude_t) + +@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t) + logging_send_audit_msgs(prelude_t) + logging_send_syslog_msg(prelude_t) + +-miscfiles_read_localization(prelude_t) +- + optional_policy(` + mysql_stream_connect(prelude_t) + mysql_tcp_connect(prelude_t) +@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t) + + corecmd_search_bin(prelude_audisp_t) + +-corenet_all_recvfrom_unlabeled(prelude_audisp_t) + corenet_all_recvfrom_netlabel(prelude_audisp_t) + corenet_tcp_sendrecv_generic_if(prelude_audisp_t) + corenet_tcp_sendrecv_generic_node(prelude_audisp_t) +@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t) + + domain_use_interactive_fds(prelude_audisp_t) + +-files_read_etc_files(prelude_audisp_t) + files_read_etc_runtime_files(prelude_audisp_t) + files_search_spool(prelude_audisp_t) + files_search_tmp(prelude_audisp_t) + + logging_send_syslog_msg(prelude_audisp_t) + +-miscfiles_read_localization(prelude_audisp_t) +- + sysnet_dns_name_resolve(prelude_audisp_t) + + ######################################## +@@ -184,7 +176,6 @@ 
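Review bot: prelude_admin no longer requires or administers prelude_correlator_t and prelude_log_t: the old `allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process ...` and `admin_pattern($1, prelude_log_t)` lines are removed while the new rules cover only prelude_t, prelude_audisp_t and prelude_lml_t, yet prelude.te in this same patch still carries rules for prelude_correlator_t (e.g. `kernel_read_sysctl(prelude_correlator_t)`) and presumably still declares prelude_log_t. An admin role would therefore be unable to signal or inspect the correlator or manage prelude logs. The lines below restore both, with the ptrace grant gated by `deny_ptrace` in the same way the hunk already does for the other domains.
```m4
interface(`prelude_admin',`
	gen_require(`
		# … unchanged: existing type requires …
		type prelude_lml_t, prelude_correlator_t, prelude_log_t;
	')
	# … unchanged: prelude_t, prelude_audisp_t and prelude_lml_t signal/ps rules …
	allow $1 prelude_correlator_t:process signal_perms;
	ps_process_pattern($1, prelude_correlator_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 prelude_correlator_t:process ptrace;
	')
	# … unchanged: init script, spool and var_lib rules …
	logging_search_logs($1)
	admin_pattern($1, prelude_log_t)
	# … unchanged: pid and tmp rules …
```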
kernel_read_sysctl(prelude_correlator_t) + + corecmd_search_bin(prelude_correlator_t) + +-corenet_all_recvfrom_unlabeled(prelude_correlator_t) + corenet_all_recvfrom_netlabel(prelude_correlator_t) + corenet_tcp_sendrecv_generic_if(prelude_correlator_t) + corenet_tcp_sendrecv_generic_node(prelude_correlator_t) +@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) + dev_read_rand(prelude_correlator_t) + dev_read_urand(prelude_correlator_t) + +-files_read_etc_files(prelude_correlator_t) +-files_read_usr_files(prelude_correlator_t) + files_search_spool(prelude_correlator_t) + + logging_send_syslog_msg(prelude_correlator_t) + +-miscfiles_read_localization(prelude_correlator_t) +- + sysnet_dns_name_resolve(prelude_correlator_t) + + ######################################## +@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t) + # + + allow prelude_lml_t self:capability dac_override; ++allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; ++allow prelude_lml_t self:unix_dgram_socket create_socket_perms; + allow prelude_lml_t self:fifo_file rw_fifo_file_perms; + allow prelude_lml_t self:unix_stream_socket connectto; + +@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t) + logging_send_syslog_msg(prelude_lml_t) + logging_read_generic_logs(prelude_lml_t) + +-miscfiles_read_localization(prelude_lml_t) +- + userdom_read_all_users_state(prelude_lml_t) + + optional_policy(` +diff --git a/privoxy.if b/privoxy.if +index bdcee30..34f3143 100644 +--- a/privoxy.if ++++ b/privoxy.if +@@ -23,8 +23,11 @@ interface(`privoxy_admin',` + type privoxy_etc_rw_t, privoxy_var_run_t; + ') + +- allow $1 privoxy_t:process { ptrace signal_perms }; ++ allow $1 privoxy_t:process signal_perms; + ps_process_pattern($1, privoxy_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 privoxy_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/privoxy.te b/privoxy.te +index 
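Review bot: `allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };` in the @@ -212 hunk names setopt separately although refpolicy's create_socket_perms set already expands to a set containing setopt, so the extra entry is redundant; `allow prelude_lml_t self:tcp_socket create_socket_perms;` is equivalent. If a listening-socket permission (listen, accept) was the actual need, create_stream_socket_perms is the set to use instead.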
85b1c9a..072d425 100644 +--- a/privoxy.te ++++ b/privoxy.te +@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t) + corenet_tcp_connect_tor_port(privoxy_t) + corenet_tcp_sendrecv_tor_port(privoxy_t) + ++ + dev_read_sysfs(privoxy_t) + + domain_use_interactive_fds(privoxy_t) +@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t) + + logging_send_syslog_msg(privoxy_t) + +-miscfiles_read_localization(privoxy_t) +- + userdom_dontaudit_use_unpriv_user_fds(privoxy_t) + userdom_dontaudit_search_user_home_dirs(privoxy_t) + +diff --git a/procmail.fc b/procmail.fc +index bdff6c9..4b36a13 100644 +--- a/procmail.fc ++++ b/procmail.fc +@@ -1,6 +1,7 @@ +-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) ++HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) ++/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) + + /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) ++/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) ++/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) +diff --git a/procmail.if b/procmail.if +index 00edeab..166e9c3 100644 +--- a/procmail.if ++++ b/procmail.if +@@ -1,4 +1,4 @@ +-## Procmail mail delivery agent. ++## Procmail mail delivery agent + + ######################################## + ## +@@ -15,6 +15,7 @@ interface(`procmail_domtrans',` + type procmail_exec_t, procmail_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, procmail_exec_t, procmail_t) + ') +@@ -34,101 +35,33 @@ interface(`procmail_exec',` + type procmail_exec_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, procmail_exec_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## procmail home files. 
+-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`procmail_manage_home_files',` +- gen_require(` +- type procmail_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 procmail_home_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Read procmail user home content files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`procmail_read_home_files',` +- gen_require(` +- type procmail_home_t; +- +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 procmail_home_t:file read_file_perms; +-') +- +-######################################## +-## +-## Relabel procmail home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`procmail_relabel_home_files',` +- gen_require(` +- type ppp_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 procmail_home_t:file relabel_file_perms; +-') +- +-######################################## +-## +-## Create objects in user home +-## directories with the procmail home type. ++## Read procmail tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`procmail_home_filetrans_procmail_home',` ++interface(`procmail_read_tmp_files',` + gen_require(` +- type procmail_home_t; ++ type procmail_tmp_t; + ') + +- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3) ++ files_search_tmp($1) ++ allow $1 procmail_tmp_t:file read_file_perms; + ') + + ######################################## + ## +-## Read procmail tmp files. ++## Read/write procmail tmp files. 
+ ## + ## + ## +@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',` + ## + ## + # +-interface(`procmail_read_tmp_files',` ++interface(`procmail_rw_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) +- allow $1 procmail_tmp_t:file read_file_perms; ++ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) + ') + + ######################################## + ## +-## Read and write procmail tmp files. ++## Read procmail home directory content + ## + ## + ## +@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',` + ## + ## + # +-interface(`procmail_rw_tmp_files',` ++interface(`procmail_read_home_files',` + gen_require(` +- type procmail_tmp_t; ++ type procmail_home_t; + ') + +- files_search_tmp($1) +- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, procmail_home_t, procmail_home_t) + ') +diff --git a/procmail.te b/procmail.te +index d447152..73c437c 100644 +--- a/procmail.te ++++ b/procmail.te +@@ -1,4 +1,4 @@ +-policy_module(procmail, 1.12.2) ++policy_module(procmail, 1.12.0) + + ######################################## + # +@@ -14,7 +14,7 @@ type procmail_home_t; + userdom_user_home_content(procmail_home_t) + + type procmail_log_t; +-logging_log_file(procmail_log_t) ++logging_log_file(procmail_log_t) + + type procmail_tmp_t; + files_tmp_file(procmail_tmp_t) +@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t) + allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; + allow procmail_t self:process { setsched signal signull }; + allow procmail_t self:fifo_file rw_fifo_file_perms; +-allow procmail_t self:tcp_socket { accept listen }; ++allow procmail_t self:unix_stream_socket create_socket_perms; ++allow procmail_t self:unix_dgram_socket create_socket_perms; ++allow procmail_t self:tcp_socket create_stream_socket_perms; ++allow procmail_t self:udp_socket create_socket_perms; + +-allow procmail_t procmail_home_t:file 
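Review bot: The @@ -34 hunk deletes the public interfaces procmail_manage_home_files, procmail_relabel_home_files and procmail_home_filetrans_procmail_home from procmail.if; any module in the tree that still calls them will fail to build, and nothing in the hunk records that they were unused. If the removal is intentional, a one-line note in the file header naming the replacement would help (the re-added `procmail_read_home_files` covers reads only); otherwise they should be kept. The removed procmail_relabel_home_files also required `type ppp_home_t;` instead of procmail_home_t, so if it is restored that require needs correcting to `type procmail_home_t;`.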
read_file_perms; ++can_exec(procmail_t, procmail_exec_t) + ++# Write log to /var/log/procmail.log or /var/log/procmail/.* + allow procmail_t procmail_log_t:dir setattr_dir_perms; + create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) + append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) + allow procmail_t procmail_tmp_t:file manage_file_perms; + files_tmp_filetrans(procmail_t, procmail_tmp_t, file) + +-can_exec(procmail_t, procmail_exec_t) +- ++kernel_read_network_state(procmail_t) + kernel_read_system_state(procmail_t) + kernel_read_kernel_sysctls(procmail_t) + +-corenet_all_recvfrom_unlabeled(procmail_t) + corenet_all_recvfrom_netlabel(procmail_t) + corenet_tcp_sendrecv_generic_if(procmail_t) ++corenet_udp_sendrecv_generic_if(procmail_t) + corenet_tcp_sendrecv_generic_node(procmail_t) +- +-corenet_sendrecv_spamd_client_packets(procmail_t) ++corenet_udp_sendrecv_generic_node(procmail_t) ++corenet_tcp_sendrecv_all_ports(procmail_t) ++corenet_udp_sendrecv_all_ports(procmail_t) ++corenet_udp_bind_generic_node(procmail_t) + corenet_tcp_connect_spamd_port(procmail_t) +-corenet_tcp_sendrecv_spamd_port(procmail_t) +- ++corenet_sendrecv_spamd_client_packets(procmail_t) + corenet_sendrecv_comsat_client_packets(procmail_t) +-corenet_tcp_connect_comsat_port(procmail_t) +-corenet_tcp_sendrecv_comsat_port(procmail_t) +- +-corecmd_exec_bin(procmail_t) +-corecmd_exec_shell(procmail_t) + + dev_read_urand(procmail_t) + +-fs_getattr_all_fs(procmail_t) ++fs_getattr_xattr_fs(procmail_t) + fs_search_auto_mountpoints(procmail_t) + fs_rw_anon_inodefs_files(procmail_t) + + auth_use_nsswitch(procmail_t) + ++corecmd_exec_bin(procmail_t) ++corecmd_exec_shell(procmail_t) ++ + files_read_etc_runtime_files(procmail_t) +-files_read_usr_files(procmail_t) ++files_search_pids(procmail_t) ++# for spamassasin + +-logging_send_syslog_msg(procmail_t) ++application_exec_all(procmail_t) + 
+-miscfiles_read_localization(procmail_t) ++init_read_utmp(procmail_t) ++ ++logging_send_syslog_msg(procmail_t) ++logging_append_all_logs(procmail_t) + ++list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) ++read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) + userdom_search_user_home_dirs(procmail_t) ++userdom_search_admin_dir(procmail_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(procmail_t) +- fs_manage_nfs_files(procmail_t) +- fs_manage_nfs_symlinks(procmail_t) +-') ++# only works until we define a different type for maildir ++userdom_manage_user_home_content_dirs(procmail_t) ++userdom_manage_user_home_content_files(procmail_t) ++userdom_manage_user_home_content_symlinks(procmail_t) ++userdom_manage_user_home_content_pipes(procmail_t) ++userdom_manage_user_home_content_sockets(procmail_t) ++userdom_filetrans_home_content(procmail_t) ++ ++userdom_manage_user_tmp_dirs(procmail_t) ++userdom_manage_user_tmp_files(procmail_t) ++userdom_manage_user_tmp_symlinks(procmail_t) ++ ++# Execute user executables ++userdom_exec_user_bin_files(procmail_t) ++ ++mta_manage_spool(procmail_t) ++mta_read_queue(procmail_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(procmail_t) +- fs_manage_cifs_files(procmail_t) +- fs_manage_cifs_symlinks(procmail_t) ++ifdef(`hide_broken_symptoms',` ++ mta_dontaudit_rw_queue(procmail_t) + ') + ++userdom_home_manager(procmail_t) ++ + optional_policy(` +- clamav_domtrans_clamscan(procmail_t) +- clamav_search_lib(procmail_t) ++ antivirus_domtrans(procmail_t) ++ antivirus_search_db(procmail_t) + ') + + optional_policy(` +- cyrus_stream_connect(procmail_t) ++ dovecot_stream_connect(procmail_t) + ') + + optional_policy(` +- mta_manage_spool(procmail_t) +- mta_read_config(procmail_t) +- mta_read_queue(procmail_t) +- mta_manage_mail_home_rw_content(procmail_t) +- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir") +- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") ++ 
cyrus_stream_connect(procmail_t) + ') + + optional_policy(` +- munin_dontaudit_search_lib(procmail_t) ++ gnome_manage_data(procmail_t) + ') + + optional_policy(` +- nagios_search_spool(procmail_t) ++ munin_dontaudit_search_lib(procmail_t) + ') + + optional_policy(` ++ # for a bug in the postfix local program + postfix_dontaudit_rw_local_tcp_sockets(procmail_t) + postfix_dontaudit_use_fds(procmail_t) + postfix_read_spool_files(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) +- postfix_rw_master_pipes(procmail_t) ++ postfix_rw_inherited_master_pipes(procmail_t) ++') ++ ++optional_policy(` ++ nagios_search_spool(procmail_t) + ') + + optional_policy(` +@@ -131,6 +152,8 @@ optional_policy(` + ') + + optional_policy(` ++ mta_read_config(procmail_t) ++ mta_manage_home_rw(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) + sendmail_dontaudit_rw_tcp_sockets(procmail_t) +diff --git a/prosody.fc b/prosody.fc +new file mode 100644 +index 0000000..96a0d9f +--- /dev/null ++++ b/prosody.fc +@@ -0,0 +1,8 @@ ++/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0) ++/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0) ++ ++/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0) ++ ++/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0) ++ ++/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) +diff --git a/prosody.if b/prosody.if +new file mode 100644 +index 0000000..19c35c1 +--- /dev/null ++++ b/prosody.if +@@ -0,0 +1,234 @@ ++ ++## policy for prosody ++ ++######################################## ++## ++## Execute TEMPLATE in the prosody domin. ++## ++## ++## ++## Domain allowed to transition. 
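Review bot: The @@ -40 hunk gives procmail_t `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `application_exec_all`, `logging_append_all_logs`, unconditional `userdom_manage_user_home_content_*` plus `userdom_home_manager`, and `userdom_exec_user_bin_files`, none with a comment saying which delivery feature needs them; since procmail acts on recipient-supplied recipes, the result is close to an unconfined user domain and deserves an explicit rationale, or a boolean for the exec grants. The `# for spamassasin` comment follows `files_search_pids(procmail_t)` and is separated from `application_exec_all(procmail_t)` by a blank line, so it is unclear which rule it explains; `# for spamassassin` placed directly above the rule it covers fixes both placement and spelling. `mta_manage_spool` and `mta_read_queue` are made unconditional here, but the @@ -131 hunk puts `mta_read_config` and `mta_manage_home_rw` inside the sendmail `optional_policy`, so they would be lost when the sendmail module is absent; moving them next to the other mta calls keeps the treatment consistent.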
++## ++## ++# ++interface(`prosody_domtrans',` ++ gen_require(` ++ type prosody_t, prosody_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, prosody_exec_t, prosody_t) ++') ++ ++######################################## ++## ++## Search prosody lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_search_lib',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ allow $1 prosody_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read prosody lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_read_lib_files',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t) ++') ++ ++######################################## ++## ++## Manage prosody lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_manage_lib_files',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t) ++') ++ ++######################################## ++## ++## Manage prosody lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_manage_lib_dirs',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t) ++') ++ ++######################################## ++## ++## Read prosody PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_read_pid_files',` ++ gen_require(` ++ type prosody_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t) ++') ++ ++######################################## ++## ++## Execute prosody server in the prosody domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`prosody_systemctl',` ++ gen_require(` ++ type prosody_t; ++ type prosody_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 prosody_unit_file_t:file read_file_perms; ++ allow $1 prosody_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, prosody_t) ++') ++ ++ ++######################################## ++## ++## Execute prosody in the prosody domain, and ++## allow the specified role the prosody domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the prosody domain. ++## ++## ++# ++interface(`prosody_run',` ++ gen_require(` ++ type prosody_t; ++ attribute_role prosody_roles; ++ ') ++ ++ prosody_domtrans($1) ++ roleattribute $2 prosody_roles; ++') ++ ++######################################## ++## ++## Role access for prosody ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`prosody_role',` ++ gen_require(` ++ type prosody_t; ++ attribute_role prosody_roles; ++ ') ++ ++ roleattribute $1 prosody_roles; ++ ++ prosody_domtrans($2) ++ ++ ps_process_pattern($2, prosody_t) ++ allow $2 prosody_t:process { signull signal sigkill }; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an prosody environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`prosody_admin',` ++ gen_require(` ++ type prosody_t; ++ type prosody_var_lib_t; ++ type prosody_var_run_t; ++ type prosody_unit_file_t; ++ ') ++ ++ allow $1 prosody_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prosody_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, prosody_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, prosody_var_run_t) ++ ++ prosody_systemctl($1) ++ admin_pattern($1, prosody_unit_file_t) ++ allow $1 prosody_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/prosody.te b/prosody.te +new file mode 100644 +index 0000000..4f6badd +--- /dev/null ++++ b/prosody.te +@@ -0,0 +1,75 @@ ++policy_module(prosody, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Permit to prosody to bind apache port. ++## Need to be activated to use BOSH. ++##

    ++##
    ++gen_tunable(prosody_bind_http_port, false) ++ ++type prosody_t; ++type prosody_exec_t; ++init_daemon_domain(prosody_t, prosody_exec_t) ++ ++type prosody_var_lib_t; ++files_type(prosody_var_lib_t) ++ ++type prosody_var_run_t; ++files_pid_file(prosody_var_run_t) ++ ++type prosody_unit_file_t; ++systemd_unit_file(prosody_unit_file_t) ++ ++######################################## ++# ++# prosody local policy ++# ++allow prosody_t self:capability { setuid setgid }; ++allow prosody_t self:process signal_perms; ++allow prosody_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) ++manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) ++manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) ++files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) ++manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) ++manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) ++files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file }) ++ ++can_exec(prosody_t, prosody_exec_t) ++ ++kernel_read_system_state(prosody_t) ++ ++corecmd_exec_bin(prosody_t) ++corecmd_exec_shell(prosody_t) ++ ++corenet_udp_bind_generic_node(prosody_t) ++corenet_tcp_connect_jabber_interserver_port(prosody_t) ++corenet_tcp_connect_jabber_client_port(prosody_t) ++corenet_tcp_bind_jabber_client_port(prosody_t) ++corenet_tcp_bind_jabber_interserver_port(prosody_t) ++corenet_tcp_bind_jabber_router_port(prosody_t) ++tunable_policy(`prosody_bind_http_port',` ++ corenet_tcp_bind_http_port(prosody_t) ++') ++ ++dev_read_urand(prosody_t) ++ ++domain_use_interactive_fds(prosody_t) ++ ++files_read_etc_files(prosody_t) ++ ++auth_use_nsswitch(prosody_t) ++sysnet_read_config(prosody_t) ++ ++logging_send_syslog_msg(prosody_t) ++ ++miscfiles_read_localization(prosody_t) +diff --git 
a/psad.if b/psad.if +index d4dcf78..3cce82e 100644 +--- a/psad.if ++++ b/psad.if +@@ -93,9 +93,8 @@ interface(`psad_manage_config',` + ') + + files_search_etc($1) +- allow $1 psad_etc_t:dir manage_dir_perms; +- allow $1 psad_etc_t:file manage_file_perms; +- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms; ++ manage_dirs_pattern($1, psad_etc_t, psad_etc_t) ++ manage_files_pattern($1, psad_etc_t, psad_etc_t) + ') + + ######################################## +@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',` + + ######################################## + ## +-## Read and write psad pid files. ++## Read and write psad PID files. + ## + ## + ## +@@ -179,6 +178,45 @@ interface(`psad_append_log',` + + ######################################## + ## ++## Allow the specified domain to write to psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_write_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ write_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++####################################### ++## ++## Allow the specified domain to setattr to psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_setattr_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++######################################## ++## + ## Read and write psad fifo files. + ## + ## +@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',` + + ####################################### + ## ++## Allow setattr to psad fifo files. ++## ++## ++## ++## Domain allowed access. 
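Review bot: `psad_manage_config` loses symlink management: the removed `allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;` has no counterpart among the two new pattern calls, so callers that previously could create or replace symlinks under psad_etc_t now get denials. Add `manage_lnk_files_pattern($1, psad_etc_t, psad_etc_t)` after the two new lines, or state in the interface summary that symlinks are intentionally excluded.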
++## ++## ++# ++interface(`psad_setattr_fifo_file',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 psad_var_lib_t:fifo_file setattr; ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ++## Allow search to psad lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_search_lib_files',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## + ## Read and write psad temporary files. + ## + ## +@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',` + interface(`psad_admin',` + gen_require(` + type psad_t, psad_var_run_t, psad_var_log_t; +- type psad_initrc_exec_t, psad_var_lib_t; ++ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; + type psad_tmp_t; + ') + +- allow $1 psad_t:process { ptrace signal_perms }; ++ allow $1 psad_t:process signal_perms; + ps_process_pattern($1, psad_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 psad_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, psad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 psad_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, psad_etc_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, psad_var_run_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, psad_var_log_t) + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, psad_var_lib_t) + +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, psad_tmp_t) + ') +diff --git a/psad.te b/psad.te +index 5427bb6..718c847 100644 +--- a/psad.te ++++ b/psad.te +@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t) + corecmd_exec_bin(psad_t) + corecmd_exec_shell(psad_t) + 
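Review bot: Both new gen_require blocks pull in `type psad_t, psad_var_lib_t;`, but neither `psad_setattr_fifo_file` nor `psad_search_lib_files` references psad_t, so the unused type forces callers that only touch the lib directory to depend on the psad domain; change both to `type psad_var_lib_t;`. The summary `Allow search to psad lib files` describes a directory search, so `Search psad lib directories.` matches what `search_dirs_pattern` actually grants.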
+-corenet_all_recvfrom_unlabeled(psad_t) + corenet_all_recvfrom_netlabel(psad_t) + corenet_tcp_sendrecv_generic_if(psad_t) + corenet_tcp_sendrecv_generic_node(psad_t) +@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t) + dev_read_urand(psad_t) + + files_read_etc_runtime_files(psad_t) +-files_read_usr_files(psad_t) + + fs_getattr_all_fs(psad_t) + +@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t) + logging_read_syslog_config(psad_t) + logging_send_syslog_msg(psad_t) + +-miscfiles_read_localization(psad_t) +- + sysnet_exec_ifconfig(psad_t) + + optional_policy(` +diff --git a/ptchown.te b/ptchown.te +index d67905e..2da9eca 100644 +--- a/ptchown.te ++++ b/ptchown.te +@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t; + allow ptchown_t self:capability { chown fowner fsetid setuid }; + allow ptchown_t self:process { getcap setcap }; + +-files_read_etc_files(ptchown_t) + + fs_rw_anon_inodefs_files(ptchown_t) + +@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t) + term_use_generic_ptys(ptchown_t) + term_use_ptmx(ptchown_t) + +-miscfiles_read_localization(ptchown_t) ++auth_read_passwd(ptchown_t) +diff --git a/pulseaudio.fc b/pulseaudio.fc +index 6864479..0e7d875 100644 +--- a/pulseaudio.fc ++++ b/pulseaudio.fc +@@ -1,9 +1,14 @@ + HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) ++HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) ++HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + +-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) ++/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) ++/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) ++/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) ++/root/\.config/pulse(/.*)? 
gen_context(system_u:object_r:pulseaudio_home_t,s0) + +-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) ++/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + +-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) ++/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) ++/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) +diff --git a/pulseaudio.if b/pulseaudio.if +index fa3dc8e..99cfa95 100644 +--- a/pulseaudio.if ++++ b/pulseaudio.if +@@ -2,47 +2,44 @@ + + ######################################## + ## +-## Role access for pulseaudio. ++## Role access for pulseaudio + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # + interface(`pulseaudio_role',` + gen_require(` +- attribute pulseaudio_tmpfsfile; +- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; +- type pulseaudio_tmp_t; ++ type pulseaudio_t, pulseaudio_exec_t; ++ class dbus { acquire_svc send_msg }; + ') + +- pulseaudio_run($2, $1) ++ role $1 types pulseaudio_t; + +- allow $2 pulseaudio_t:process { ptrace signal_perms }; +- ps_process_pattern($2, pulseaudio_t) ++ # Transition from the user domain to the derived domain. 
++ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) + +- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; +- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; ++ ps_process_pattern($2, pulseaudio_t) + +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse") +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth") +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie") ++ allow pulseaudio_t $2:process { signal signull }; ++ allow $2 pulseaudio_t:process { signal signull sigkill }; ++ ps_process_pattern(pulseaudio_t, $2) + +- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; ++ allow pulseaudio_t $2:unix_stream_socket connectto; ++ allow $2 pulseaudio_t:unix_stream_socket connectto; + +- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; +- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ++ userdom_manage_tmp_role($1, pulseaudio_t) ++ userdom_manage_tmpfs_role($1, pulseaudio_t) + +- allow pulseaudio_t $2:unix_stream_socket connectto; ++ allow $2 pulseaudio_t:dbus send_msg; ++ allow pulseaudio_t $2:dbus { acquire_svc send_msg }; + ') + + ######################################## +@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',` + + ######################################## + ## +-## Execute pulseaudio in the pulseaudio +-## domain, and allow the specified role +-## the pulseaudio domain. ++## Execute pulseaudio in the pulseaudio domain, and ++## allow the specified role the pulseaudio domain. 
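Review bot: The new comment `# Transition from the user domain to the derived domain.` is inaccurate: pulseaudio_t is a single shared domain (declared once in pulseaudio.te as `type pulseaudio_t;`), not a per-user derived one. The inlined `domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)` also duplicates what the file's own `pulseaudio_domtrans` interface exists for; `pulseaudio_domtrans($2)` keeps the transition defined in one place and the comment can then be dropped.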
+ ## + ## + ## +@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',` + # + interface(`pulseaudio_run',` + gen_require(` +- attribute_role pulseaudio_roles; ++ type pulseaudio_t; + ') + + pulseaudio_domtrans($1) +- roleattribute $2 pulseaudio_roles; ++ role $2 types pulseaudio_t; + ') + + ######################################## + ## +-## Execute pulseaudio in the caller domain. ++## Execute a pulseaudio in the current domain. + ## + ## + ## +@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',` + type pulseaudio_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, pulseaudio_exec_t) + ') + + ######################################## + ## +-## Do not audit attempts to execute pulseaudio. ++## Do not audit to execute a pulseaudio. + ## + ## + ## +@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',` + + ######################################## + ## +-## Send null signals to pulseaudio. ++## Send signull signal to pulseaudio + ## processes. + ## + ## +@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',` + + ##################################### + ## +-## Connect to pulseaudio with a unix +-## domain stream socket. ++## Connect to pulseaudio over a unix domain ++## stream socket. 
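Review bot: The rewritten summaries in this hunk and in the hunks at @@ -108 and @@ -132 are less precise than the lines they replace: `Execute a pulseaudio in the current domain.` and `Do not audit to execute a pulseaudio.` add a stray article and drop the word "attempts". Keep the previous `Execute pulseaudio in the caller domain.` and `Do not audit attempts to execute pulseaudio.`, which follow the refpolicy doc convention used elsewhere in the file.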
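Review bot: `pulseaudio_exec` no longer calls `corecmd_search_bin($1)`, so a caller that does not already have search on bin directories cannot reach /usr/bin/pulseaudio (labelled pulseaudio_exec_t in pulseaudio.fc of this patch) even though `can_exec` is granted. Restore `corecmd_search_bin($1)` before `can_exec($1, pulseaudio_exec_t)`, or document in the summary that callers are expected to provide the search themselves.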
+ ## + ## + ## +@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',` + # + interface(`pulseaudio_stream_connect',` + gen_require(` +- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; ++ type pulseaudio_t, pulseaudio_var_run_t; ++ type pulseaudio_home_t; + ') + + files_search_pids($1) +- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) ++ allow $1 pulseaudio_t:process signull; ++ allow pulseaudio_t $1:process signull; ++ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ++ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t) + ') + + ######################################## +@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',` + + ######################################## + ## +-## Set attributes of pulseaudio home directories. ++## Set the attributes of the pulseaudio homedir. + ## +-## ++## + ## + ## Domain allowed access. + ## +@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',` + type pulseaudio_home_t; + ') + +- allow $1 pulseaudio_home_t:dir setattr_dir_perms; ++ allow $1 pulseaudio_home_t:dir setattr; + ') + + ######################################## + ## +-## Read pulseaudio home content. ++## Read pulseaudio homedir files. + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # + interface(`pulseaudio_read_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.') +- pulseaudio_read_home($1) ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + ') + + ######################################## + ## +-## Read pulseaudio home content. ++## Read and write Pulse Audio files. + ## +-## ++## + ## + ## Domain allowed access. 
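Review bot: `stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)` grants search on the pulseaudio_home_t directory but nothing here grants `$1` search on the user home directories above it, so the new home-socket path is unreachable for callers that lack `userdom_search_user_home_dirs`; add `userdom_search_user_home_dirs($1)` next to `files_search_pids($1)`. The two new `signull` allow rules also appear to duplicate what `pulseaudio_signull` provides, so either call that interface or drop them here to keep a single definition.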
+ ## + ## + # +-interface(`pulseaudio_read_home',` ++interface(`pulseaudio_rw_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + ++ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + userdom_search_user_home_dirs($1) +- allow $1 pulseaudio_home_t:dir list_dir_perms; +- allow $1 pulseaudio_home_t:file read_file_perms; +- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Read and write Pulse Audio files. ++## Create, read, write, and delete pulseaudio ++## home directories. + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # +-interface(`pulseaudio_rw_home_files',` ++interface(`pulseaudio_manage_home_dirs',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) +- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## pulseaudio home content. ++## Create, read, write, and delete pulseaudio ++## home directory files. + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # + interface(`pulseaudio_manage_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.') +- pulseaudio_manage_home($1) ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ pulseaudio_filetrans_home_content($1) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## pulseaudio home content. ++## Create, read, write, and delete pulseaudio ++## home directory symlinks. + ## +-## ++## + ## + ## Domain allowed access. 
+ ## + ## + # +-interface(`pulseaudio_manage_home',` ++interface(`pulseaudio_manage_home_symlinks',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) +- allow $1 pulseaudio_home_t:dir manage_dir_perms; +- allow $1 pulseaudio_home_t:file manage_file_perms; +- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; ++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the pulseaudio +-## home type. ++## Create pulseaudio content in the user home directory ++## with an correct label. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## ++# ++interface(`pulseaudio_filetrans_home_content',` ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") ++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") ++ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ++ optional_policy(` ++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") ++ ') ++') ++ ++######################################## ++## ++## Create pulseaudio content in the admin home directory ++## with an correct label. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. 
+ ## + ## + # +-interface(`pulseaudio_home_filetrans_pulseaudio_home',` ++interface(`pulseaudio_filetrans_admin_home_content',` + gen_require(` + type pulseaudio_home_t; + ') + +- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) ++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") ++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") ++ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") + ') + +-######################################## ++####################################### + ## +-## Make the specified tmpfs file type +-## pulseaudio tmpfs content. ++## Make the specified tmpfs file type ++## pulseaudio tmpfs content. + ## + ## ++## ++## File type to make pulseaudio tmpfs content. ++## ++## ++# ++interface(`pulseaudio_tmpfs_content',` ++ gen_require(` ++ attribute pulseaudio_tmpfsfile; ++ ') ++ ++ typeattribute $1 pulseaudio_tmpfsfile; ++') ++ ++######################################## ++## ++## Allow the domain to read pulseaudio state files in /proc. ++## ++## + ## +-## File type to make pulseaudio tmpfs content. ++## Domain allowed access. 
+ ## + ## + # +-interface(`pulseaudio_tmpfs_content',` ++interface(`pulseaudio_read_state',` + gen_require(` +- attribute pulseaudio_tmpfsfile; ++ type pulseaudio_t; + ') + +- typeattribute $1 pulseaudio_tmpfsfile; ++ kernel_search_proc($1) ++ ps_process_pattern($1, pulseaudio_t) + ') +diff --git a/pulseaudio.te b/pulseaudio.te +index e31bbe1..822ab6c 100644 +--- a/pulseaudio.te ++++ b/pulseaudio.te +@@ -1,4 +1,4 @@ +-policy_module(pulseaudio, 1.5.4) ++policy_module(pulseaudio, 1.5.0) + + ######################################## + # +@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4) + attribute pulseaudio_client; + attribute pulseaudio_tmpfsfile; + +-attribute_role pulseaudio_roles; +- + type pulseaudio_t; + type pulseaudio_exec_t; + init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) + userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) +-role pulseaudio_roles types pulseaudio_t; ++role system_r types pulseaudio_t; + + type pulseaudio_home_t; + userdom_user_home_content(pulseaudio_home_t) + +-type pulseaudio_tmp_t; +-userdom_user_tmp_file(pulseaudio_tmp_t) +- + type pulseaudio_tmpfs_t; + userdom_user_tmpfs_file(pulseaudio_tmpfs_t) + + type pulseaudio_var_lib_t; + files_type(pulseaudio_var_lib_t) ++ubac_constrained(pulseaudio_var_lib_t) + + type pulseaudio_var_run_t; + files_pid_file(pulseaudio_var_run_t) ++ubac_constrained(pulseaudio_var_run_t) + + ######################################## + # +-# Local policy ++# pulseaudio local policy + # + + allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; + allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; +-allow pulseaudio_t self:fifo_file rw_fifo_file_perms; +-allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; +-allow pulseaudio_t self:unix_dgram_socket sendto; +-allow pulseaudio_t self:tcp_socket { accept listen }; ++allow pulseaudio_t self:fifo_file rw_file_perms; ++allow 
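Review bot: The deprecation shims are removed rather than kept: `pulseaudio_read_home`, `pulseaudio_manage_home` and `pulseaudio_home_filetrans_pulseaudio_home` disappear and `pulseaudio_read_home_files`/`pulseaudio_manage_home_files` become real implementations again, so any out-of-tree module still calling the old names stops building; the file's earlier style was a `refpolicywarn(`$0($*) has been deprecated, use ... instead.')` forwarder, and keeping one per removed name costs three lines each. `pulseaudio_read_home_files` also no longer grants the `list_dir_perms` that `pulseaudio_read_home` granted, a tightening worth a sentence in its summary. The two summaries reading `with an correct label` should read `with the correct label`.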
pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; ++allow pulseaudio_t self:tcp_socket create_stream_socket_perms; ++allow pulseaudio_t self:udp_socket create_socket_perms; + allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + +-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; +-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms; +-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; +- +-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") +-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth") +-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie") +- +-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) +-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") +-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") +-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") ++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++userdom_search_user_home_dirs(pulseaudio_t) ++pulseaudio_filetrans_home_content(pulseaudio_t) + +-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) ++# ~/.esd_auth - maybe we should label this pulseaudio_home_t? 
++userdom_read_user_home_content_files(pulseaudio_t) ++userdom_search_admin_dir(pulseaudio_t) + + manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) + manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) + manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) + manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) + manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +- +-allow pulseaudio_t pulseaudio_client:process signull; +-ps_process_pattern(pulseaudio_t, pulseaudio_client) ++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) + + can_exec(pulseaudio_t, pulseaudio_exec_t) + +@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t) + + corecmd_exec_bin(pulseaudio_t) + +-corenet_all_recvfrom_unlabeled(pulseaudio_t) + corenet_all_recvfrom_netlabel(pulseaudio_t) +-corenet_tcp_sendrecv_generic_if(pulseaudio_t) +-corenet_udp_sendrecv_generic_if(pulseaudio_t) +-corenet_tcp_sendrecv_generic_node(pulseaudio_t) +-corenet_udp_sendrecv_generic_node(pulseaudio_t) +- +-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) + corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t) +- +-corenet_sendrecv_soundd_server_packets(pulseaudio_t) + corenet_tcp_bind_soundd_port(pulseaudio_t) +-corenet_tcp_sendrecv_soundd_port(pulseaudio_t) +- +-corenet_sendrecv_sap_server_packets(pulseaudio_t) ++corenet_tcp_sendrecv_generic_if(pulseaudio_t) ++corenet_tcp_sendrecv_generic_node(pulseaudio_t) + corenet_udp_bind_sap_port(pulseaudio_t) +-corenet_udp_sendrecv_sap_port(pulseaudio_t) ++corenet_udp_sendrecv_generic_if(pulseaudio_t) ++corenet_udp_sendrecv_generic_node(pulseaudio_t) 
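Review bot: `userdom_read_user_home_content_files(pulseaudio_t)` grants the daemon read access to every user home content file, while the comment above it (`# ~/.esd_auth - maybe we should label this pulseaudio_home_t?`) names a file that pulseaudio.fc in this same patch already labels pulseaudio_home_t (`HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)`); with that label in place the manage_*_pattern rules on pulseaudio_home_t already cover it, so the broad grant and its stale comment can likely go, or the comment should name which unlabelled file still needs it. `allow pulseaudio_t self:fifo_file rw_file_perms;` also swaps the class-specific `rw_fifo_file_perms` macro for the file one; the sets appear identical, but the fifo macro is the file's convention.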
++corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t) + + dev_read_sound(pulseaudio_t) + dev_write_sound(pulseaudio_t) + dev_read_sysfs(pulseaudio_t) + dev_read_urand(pulseaudio_t) + +-files_read_usr_files(pulseaudio_t) + ++fs_rw_anon_inodefs_files(pulseaudio_t) + fs_getattr_tmpfs(pulseaudio_t) +-fs_getattr_all_fs(pulseaudio_t) + fs_list_inotifyfs(pulseaudio_t) +-fs_rw_anon_inodefs_files(pulseaudio_t) +-fs_search_auto_mountpoints(pulseaudio_t) + +-term_use_all_ttys(pulseaudio_t) +-term_use_all_ptys(pulseaudio_t) ++term_use_all_inherited_ttys(pulseaudio_t) ++term_use_all_inherited_ptys(pulseaudio_t) + + auth_use_nsswitch(pulseaudio_t) + + logging_send_syslog_msg(pulseaudio_t) + +-miscfiles_read_localization(pulseaudio_t) +- +-userdom_search_user_home_dirs(pulseaudio_t) +-userdom_write_user_tmp_sockets(pulseaudio_t) +- + tunable_policy(`use_nfs_home_dirs',` ++ fs_mount_nfs(pulseaudio_t) ++ fs_mounton_nfs(pulseaudio_t) + fs_manage_nfs_dirs(pulseaudio_t) + fs_manage_nfs_files(pulseaudio_t) + fs_manage_nfs_symlinks(pulseaudio_t) ++ fs_manage_nfs_named_sockets(pulseaudio_t) ++ fs_manage_nfs_named_pipes(pulseaudio_t) + ') + + tunable_policy(`use_samba_home_dirs',` ++ fs_mount_cifs(pulseaudio_t) ++ fs_mounton_cifs(pulseaudio_t) + fs_manage_cifs_dirs(pulseaudio_t) + fs_manage_cifs_files(pulseaudio_t) + fs_manage_cifs_symlinks(pulseaudio_t) ++ fs_manage_cifs_named_sockets(pulseaudio_t) ++ fs_manage_cifs_named_pipes(pulseaudio_t) + ') + + optional_policy(` +@@ -151,8 +127,9 @@ optional_policy(` + + optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) +- dbus_all_session_bus_client(pulseaudio_t) +- dbus_connect_all_session_bus(pulseaudio_t) ++ dbus_system_bus_client(pulseaudio_t) ++ dbus_session_bus_client(pulseaudio_t) ++ dbus_connect_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) +@@ -172,16 +149,33 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_read_gkeyringd_state(pulseaudio_t) ++ 
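Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks now add `fs_mount_nfs`/`fs_mounton_nfs` and `fs_mount_cifs`/`fs_mounton_cifs` to pulseaudio_t, which lets the audio daemon mount or mount over network filesystems — well beyond the manage_* rules beside them and not something a home-directory tunable should unlock. The capability set granted earlier in this file (`{ fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }`) has no sys_admin, so these mount rules are dead weight at best; if a real denial motivated them, a comment naming the operation (and probably a dontaudit instead) is the least-privilege answer, otherwise drop the four lines. `term_use_all_inherited_ttys/ptys` replacing `term_use_all_ttys/ptys` and the removal of `fs_getattr_all_fs` are good tightenings.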
gnome_signull_gkeyringd(pulseaudio_t) ++ gnome_manage_gstreamer_home_files(pulseaudio_t) ++ gnome_exec_gstreamer_home_files(pulseaudio_t) ++') ++ ++optional_policy(` + rtkit_scheduled(pulseaudio_t) + ') + + optional_policy(` ++ mozilla_plugin_delete_tmpfs_files(pulseaudio_t) ++ mozilla_plugin_read_tmpfs_files(pulseaudio_t) ++') ++ ++optional_policy(` + policykit_domtrans_auth(pulseaudio_t) + policykit_read_lib(pulseaudio_t) + policykit_read_reload(pulseaudio_t) + ') + + optional_policy(` ++ systemd_read_logind_sessions_files(pulseaudio_t) ++ systemd_login_read_pid_files(pulseaudio_t) ++') ++ ++optional_policy(` + udev_read_state(pulseaudio_t) + udev_read_db(pulseaudio_t) + ') +@@ -194,7 +188,11 @@ optional_policy(` + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) + ') + +-######################################## ++optional_policy(` ++ virt_manage_tmpfs_files(pulseaudio_t) ++') ++ ++####################################### + # + # Client local policy + # +@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi + + fs_getattr_tmpfs(pulseaudio_client) + +-corenet_all_recvfrom_unlabeled(pulseaudio_client) +-corenet_all_recvfrom_netlabel(pulseaudio_client) + corenet_tcp_sendrecv_generic_if(pulseaudio_client) + corenet_tcp_sendrecv_generic_node(pulseaudio_client) + +@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) + corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) + + pulseaudio_stream_connect(pulseaudio_client) +-pulseaudio_manage_home(pulseaudio_client) +-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") +-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") +-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") ++pulseaudio_manage_home_files(pulseaudio_client) + pulseaudio_signull(pulseaudio_client) + +-# TODO: ~/.cache + userdom_manage_user_home_content_files(pulseaudio_client) 
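Review bot: The separator above `# Client local policy` is shortened from 40 `#` to 39, which is pure churn against the rest of the file; keep `########################################`. `virt_manage_tmpfs_files(pulseaudio_t)` would also benefit from a one-line comment naming the use case (shared-memory audio for a guest, presumably), since it lets the daemon modify every virt tmpfs file.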
+ + userdom_read_user_tmpfs_files(pulseaudio_client) +-# userdom_delete_user_tmpfs_files(pulseaudio_client) + + tunable_policy(`use_nfs_home_dirs',` +- fs_getattr_nfs(pulseaudio_client) +- fs_manage_nfs_dirs(pulseaudio_client) +- fs_manage_nfs_files(pulseaudio_client) +- fs_read_nfs_symlinks(pulseaudio_client) ++ fs_getattr_nfs(pulseaudio_client) ++ fs_manage_nfs_dirs(pulseaudio_client) ++ fs_manage_nfs_files(pulseaudio_client) ++ fs_read_nfs_symlinks(pulseaudio_client) + ') + + tunable_policy(`use_samba_home_dirs',` +- fs_getattr_cifs(pulseaudio_client) +- fs_manage_cifs_dirs(pulseaudio_client) +- fs_manage_cifs_files(pulseaudio_client) +- fs_read_cifs_symlinks(pulseaudio_client) ++ fs_getattr_cifs(pulseaudio_client) ++ fs_manage_cifs_dirs(pulseaudio_client) ++ fs_manage_cifs_files(pulseaudio_client) ++ fs_read_cifs_symlinks(pulseaudio_client) + ') + + optional_policy(` +- pulseaudio_dbus_chat(pulseaudio_client) ++ pulseaudio_dbus_chat(pulseaudio_client) + ') + + optional_policy(` +- rtkit_scheduled(pulseaudio_client) ++ rtkit_scheduled(pulseaudio_client) + ') +diff --git a/puppet.fc b/puppet.fc +index 4ecda09..8c0b242 100644 +--- a/puppet.fc ++++ b/puppet.fc +@@ -1,14 +1,12 @@ +-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) ++/etc/puppet(/.*)? 
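Review bot: Replacing `pulseaudio_manage_home(pulseaudio_client)` with `pulseaudio_manage_home_files(pulseaudio_client)` drops dir and lnk_file management on pulseaudio_home_t for client domains, yet the filetrans that `pulseaudio_manage_home_files` now bundles still transitions `dir ".pulse"` — creating that directory needs `create` on pulseaudio_home_t:dir, which `manage_files_pattern` does not grant. Unless client domains get it elsewhere, add `pulseaudio_manage_home_dirs(pulseaudio_client)` (and `pulseaudio_manage_home_symlinks` if symlinks are expected) next to the new line.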
gen_context(system_u:object_r:puppet_etc_t,s0) + + /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) + +-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) +-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) ++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) ++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + +-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +- +-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +- +-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) ++/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) ++/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) ++/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) +diff --git a/puppet.if b/puppet.if +index 7cb8b1f..9422c90 100644 +--- a/puppet.if ++++ b/puppet.if +@@ -1,4 +1,32 @@ +-## Configuration management system. ++## Puppet client daemon ++## ++##

    ++## Puppet is a configuration management system written in Ruby. ++## The client daemon is responsible for periodically requesting the ++## desired system state from the server and ensuring the state of ++## the client system matches. ++##

    ++##
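Review bot: The new `puppet_rw_tmp` grants `rw_inherited_file_perms`, which does not include `open`, so a caller can only use puppet_tmp_t descriptors it inherits from puppet_t; the interface summary should state that restriction, since a helper domain that opens a file under /tmp by name will still be denied. Suggested summary: `## Read and write Puppet temp files inherited from puppet_t (no open permission); covers system binaries such as groupadd whose output puppet_t redirects into its temp files.` With no open granted, the `files_search_tmp($1)` line presumably does nothing for the inherited-descriptor case, though it is harmless.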
    ++ ++######################################## ++## ++## Execute puppet_master in the puppet_master ++## domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`puppet_domtrans_master',` ++ gen_require(` ++ type puppetmaster_t, puppetmaster_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t) ++') + + ######################################## + ## +@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',` + # + interface(`puppet_run_puppetca',` + gen_require(` +- attribute_role puppetca_roles; ++ type puppetca_t, puppetca_exec_t; + ') + + puppet_domtrans_puppetca($1) +- roleattribute $2 puppetca_roles; ++ role $2 types puppetca_t; + ') + +-#################################### ++################################################ + ## +-## Read puppet configuration content. ++## Read / Write to Puppet temp files. Puppet uses ++## some system binaries (groupadd, etc) that run in ++## a non-puppet domain and redirects output into temp ++## files. + ## + ## + ## +@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',` + ## + ## + # +-interface(`puppet_read_config',` ++interface(`puppet_rw_tmp', ` + gen_require(` +- type puppet_etc_t; ++ type puppet_tmp_t; + ') + +- files_search_etc($1) +- allow $1 puppet_etc_t:dir list_dir_perms; +- allow $1 puppet_etc_t:file read_file_perms; +- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; ++ allow $1 puppet_tmp_t:file rw_inherited_file_perms; ++ files_search_tmp($1) + ') + + ################################################ +@@ -78,158 +107,164 @@ interface(`puppet_read_config',` + ## + ## + # +-interface(`puppet_read_lib_files',` ++interface(`puppet_read_lib',` + gen_require(` + type puppet_var_lib_t; + ') + +- files_search_var_lib($1) + read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) ++ files_search_var_lib($1) + ') + + ############################################### + ## +-## Create, read, write, and delete +-## puppet lib files. 
++## Manage Puppet lib files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`puppet_manage_lib_files',` +- gen_require(` +- type puppet_var_lib_t; +- ') ++interface(`puppet_manage_lib',` ++ gen_require(` ++ type puppet_var_lib_t; ++ ') + +- files_search_var_lib($1) +- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) ++ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) ++ files_search_var_lib($1) + ') + +-##################################### ++###################################### + ## +-## Append puppet log files. ++## Allow the specified domain to search puppet's log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`puppet_append_log_files',` +- gen_require(` +- type puppet_log_t; +- ') ++interface(`puppet_search_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') + +- logging_search_logs($1) +- append_files_pattern($1, puppet_log_t, puppet_log_t) ++ logging_search_logs($1) ++ allow $1 puppet_log_t:dir search_dir_perms; + ') + + ##################################### + ## +-## Create puppet log files. ++## Allow the specified domain to read puppet's log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`puppet_create_log_files',` +- gen_require(` +- type puppet_log_t; +- ') ++interface(`puppet_read_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') + +- logging_search_logs($1) +- create_files_pattern($1, puppet_log_t, puppet_log_t) ++ logging_search_logs($1) ++ read_files_pattern($1, puppet_log_t, puppet_log_t) + ') + + ##################################### + ## +-## Read puppet log files. ++## Allow the specified domain to create puppet's log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
++## + ## + # +-interface(`puppet_read_log_files',` +- gen_require(` +- type puppet_log_t; +- ') ++interface(`puppet_create_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') + +- logging_search_logs($1) +- read_files_pattern($1, puppet_log_t, puppet_log_t) ++ logging_search_logs($1) ++ create_files_pattern($1, puppet_log_t, puppet_log_t) + ') + +-################################################ ++#################################### + ## +-## Read and write to puppet tempoprary files. ++## Allow the specified domain to append puppet's log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`puppet_rw_tmp', ` +- gen_require(` +- type puppet_tmp_t; +- ') ++interface(`puppet_append_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') + +- files_search_tmp($1) +- allow $1 puppet_tmp_t:file rw_file_perms; ++ logging_search_logs($1) ++ append_files_pattern($1, puppet_log_t, puppet_log_t) + ') + +-######################################## ++#################################### + ## +-## All of the rules required to +-## administrate an puppet environment. ++## Allow the specified domain to manage puppet's log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## +-## +-## +-## Role allowed access. 
+-## +-## +-## + # +-interface(`puppet_admin',` +- gen_require(` +- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t; +- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t; +- type puppet_var_run_t, puppetmaster_tmp_t; +- type puppet_t, puppetca_t, puppetmaster_t; +- ') +- +- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) ++interface(`puppet_manage_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') + +- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, puppet_etc_t) ++ logging_search_logs($1) ++ manage_files_pattern($1, puppet_log_t, puppet_log_t) ++') + +- logging_search_logs($1) +- admin_pattern($1, puppet_log_t) ++#################################### ++## ++## Allow the specified domain to read puppet's config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`puppet_read_config',` ++ gen_require(` ++ type puppet_etc_t; ++ ') + +- files_search_var_lib($1) +- admin_pattern($1, puppet_var_lib_t) ++ files_search_etc($1) ++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) ++ read_files_pattern($1, puppet_etc_t, puppet_etc_t) ++') + ++##################################### ++## ++## Allow the specified domain to search puppet's pid files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`puppet_search_pid',` ++ gen_require(` ++ type puppet_var_run_t; ++ ') ++ + files_search_pids($1) +- admin_pattern($1, puppet_var_run_t) +- +- files_search_tmp($1) +- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t }) +- +- puppet_run_puppetca($1, $2) ++ allow $1 puppet_var_run_t:dir search_dir_perms; + ') +diff --git a/puppet.te b/puppet.te +index f2309f4..a375475 100644 +--- a/puppet.te ++++ b/puppet.te +@@ -1,4 +1,4 @@ +-policy_module(puppet, 1.3.7) ++policy_module(puppet, 1.3.0) + + ######################################## + # +@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7) + # + + ## +-##
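Review bot: The rewritten `puppet_read_config` drops the `lnk_file read_lnk_file_perms` rule that the removed version granted on puppet_etc_t, so callers can no longer follow symlinks under /etc/puppet (a common layout for puppet.conf or the ssl directory); add `read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)` after the `read_files_pattern` line. The hunk also deletes `puppet_admin` without a replacement, so any module that still calls it will fail to build; either keep a thin `puppet_admin` or confirm no caller remains.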

    +-## Determine whether puppet can +-## manage all non-security files. +-##

    ++##

    ++## Allow Puppet client to manage all file ++## types. ++##

    + ##
    + gen_tunable(puppet_manage_all_files, false) + +-attribute_role puppetca_roles; +-roleattribute system_r puppetca_roles; ++## ++##

    ++## Allow Puppet master to use connect to MySQL and PostgreSQL database ++##

    ++##
    ++gen_tunable(puppetmaster_use_db, false) + + type puppet_t; + type puppet_exec_t; +@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t) + + type puppet_var_run_t; + files_pid_file(puppet_var_run_t) +-init_daemon_run_dir(puppet_var_run_t, "puppet") + + type puppetca_t; + type puppetca_exec_t; + application_domain(puppetca_t, puppetca_exec_t) +-role puppetca_roles types puppetca_t; ++role system_r types puppetca_t; + + type puppetmaster_t; + type puppetmaster_exec_t; +@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t) + + ######################################## + # +-# Local policy ++# Puppet personal policy + # + +-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; ++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; + allow puppet_t self:process { signal signull getsched setsched }; + allow puppet_t self:fifo_file rw_fifo_file_perms; + allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +-allow puppet_t self:tcp_socket { accept listen }; ++allow puppet_t self:tcp_socket create_stream_socket_perms; + allow puppet_t self:udp_socket create_socket_perms; + +-allow puppet_t puppet_etc_t:dir list_dir_perms; +-allow puppet_t puppet_etc_t:file read_file_perms; +-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; ++read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) + + manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) + manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +-can_exec(puppet_t, puppet_var_lib_t) ++files_search_var_lib(puppet_t) + +-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) ++manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) + manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) + files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) + +-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; 
+-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) ++create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) + create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) ++append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) + logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) + + manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) + + kernel_dontaudit_search_sysctl(puppet_t) + kernel_dontaudit_search_kernel_sysctl(puppet_t) ++kernel_read_system_state(puppet_t) + kernel_read_crypto_sysctls(puppet_t) + kernel_read_kernel_sysctls(puppet_t) +-kernel_read_net_sysctls(puppet_t) +-kernel_read_network_state(puppet_t) + ++corecmd_read_all_executables(puppet_t) ++corecmd_dontaudit_access_all_executables(puppet_t) + corecmd_exec_bin(puppet_t) + corecmd_exec_shell(puppet_t) +-corecmd_read_all_executables(puppet_t) + + corenet_all_recvfrom_netlabel(puppet_t) +-corenet_all_recvfrom_unlabeled(puppet_t) + corenet_tcp_sendrecv_generic_if(puppet_t) + corenet_tcp_sendrecv_generic_node(puppet_t) +- +-corenet_sendrecv_puppet_client_packets(puppet_t) ++corenet_tcp_bind_generic_node(puppet_t) + corenet_tcp_connect_puppet_port(puppet_t) +-corenet_tcp_sendrecv_puppet_port(puppet_t) ++corenet_sendrecv_puppet_client_packets(puppet_t) + + dev_read_rand(puppet_t) + dev_read_sysfs(puppet_t) + dev_read_urand(puppet_t) + +-domain_interactive_fd(puppet_t) + domain_read_all_domains_state(puppet_t) ++domain_interactive_fd(puppet_t) + + files_manage_config_files(puppet_t) + files_manage_config_dirs(puppet_t) + files_manage_etc_dirs(puppet_t) + files_manage_etc_files(puppet_t) +-files_read_usr_files(puppet_t) + files_read_usr_symlinks(puppet_t) + files_relabel_config_dirs(puppet_t) + files_relabel_config_files(puppet_t) +-files_search_var_lib(puppet_t) + 
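Review bot: Replacing the three explicit puppet_etc_t rules with `read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)` loses `dir list_dir_perms` and `lnk_file read_lnk_file_perms`, so puppet_t can no longer enumerate /etc/puppet or follow symlinked configuration there; add `list_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)` and `read_lnk_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)` next to it. `create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)` names `var_log_t` directly instead of going through a logging_* interface; if this file is built as a loadable module that type presumably needs to be required, and an interface would keep the cross-module dependency explicit. This hunk starts on the previous line.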
+-selinux_get_fs_mount(puppet_t) +-selinux_search_fs(puppet_t) + selinux_set_all_booleans(puppet_t) + selinux_set_generic_booleans(puppet_t) + selinux_validate_context(puppet_t) +@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t) + term_dontaudit_getattr_unallocated_ttys(puppet_t) + term_dontaudit_getattr_all_ttys(puppet_t) + ++auth_use_nsswitch(puppet_t) ++ + init_all_labeled_script_domtrans(puppet_t) + init_domtrans_script(puppet_t) + init_read_utmp(puppet_t) +@@ -143,18 +138,19 @@ init_signull_script(puppet_t) + logging_send_syslog_msg(puppet_t) + + miscfiles_read_hwdata(puppet_t) +-miscfiles_read_localization(puppet_t) +- +-mount_domtrans(puppet_t) + + seutil_domtrans_setfiles(puppet_t) + seutil_domtrans_semanage(puppet_t) ++seutil_read_file_contexts(puppet_t) + + sysnet_run_ifconfig(puppet_t, system_r) +-sysnet_use_ldap(puppet_t) ++ ++usermanage_access_check_groupadd(puppet_t) ++usermanage_access_check_passwd(puppet_t) ++usermanage_access_check_useradd(puppet_t) + + tunable_policy(`puppet_manage_all_files',` +- files_manage_non_auth_files(puppet_t) ++ files_manage_non_security_files(puppet_t) + ') + + optional_policy(` +@@ -196,21 +192,86 @@ optional_policy(` + ') + + optional_policy(` +- usermanage_domtrans_groupadd(puppet_t) +- usermanage_domtrans_useradd(puppet_t) ++ auth_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ alsa_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ bootloader_filetrans_config(puppet_t) ++') ++ ++optional_policy(` ++ devicekit_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ dnsmasq_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ kerberos_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ libs_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ miscfiles_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ mta_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ modules_filetrans_named_content(puppet_t) ++') ++ 
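Review bot: `mount_domtrans(puppet_t)` is removed here, and `sys_admin` is dropped from puppet_t's capability set earlier in this file, so a Puppet `mount` resource would now run mount inside puppet_t without the capability mount needs; unless mount access is granted somewhere outside this hunk, keep `optional_policy(` / `mount_domtrans(puppet_t)` / `')`. The switch from `files_manage_non_auth_files` to `files_manage_non_security_files` inside the tunable changes which file types the boolean covers while its name stays the same, which deserves a one-line comment above the `tunable_policy` block.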
++optional_policy(` ++ networkmanager_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ nx_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ postfix_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ openshift_initrc_domtrans(puppet_t) ++') ++ ++optional_policy(` ++ quota_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ sysnet_filetrans_named_content(puppet_t) ++') ++ ++optional_policy(` ++ virt_filetrans_home_content(puppet_t) ++') ++ ++optional_policy(` ++ ssh_filetrans_admin_home_content(puppet_t) + ') + + ######################################## + # +-# Ca local policy ++# PuppetCA personal policy + # + + allow puppetca_t self:capability { dac_override setgid setuid }; + allow puppetca_t self:fifo_file rw_fifo_file_perms; + +-allow puppetca_t puppet_etc_t:dir list_dir_perms; +-allow puppetca_t puppet_etc_t:file read_file_perms; +-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms; ++read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t) + + allow puppetca_t puppet_var_lib_t:dir list_dir_perms; + manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) +@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; + allow puppetca_t puppet_var_run_t:dir search_dir_perms; + + kernel_read_system_state(puppetca_t) ++# Maybe dontaudit this like we did with other puppet domains? 
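Review bot: The `usermanage_domtrans_groupadd`/`usermanage_domtrans_useradd` calls are replaced by the long list of `*_filetrans_named_content` rules, and the only usermanage rules left for puppet_t are the `usermanage_access_check_*` lines, which grant just the access(2) check; unless a transition survives outside this hunk, Puppet `user` and `group` resources would now execute useradd/groupadd inside puppet_t, which has no rules for the shadow and passwd files those tools write. If that is intended, a comment next to the access-check lines saying how account changes are expected to work would help; otherwise restore the two domtrans calls in an `optional_policy` block. This hunk starts on the previous line.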
+ kernel_read_kernel_sysctls(puppetca_t) + + corecmd_exec_bin(puppetca_t) +@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t) + dev_read_urand(puppetca_t) + dev_search_sysfs(puppetca_t) + +-files_read_etc_files(puppetca_t) +-files_search_pids(puppetca_t) + files_search_var_lib(puppetca_t) + + selinux_validate_context(puppetca_t) + + logging_search_logs(puppetca_t) + +-miscfiles_read_localization(puppetca_t) + miscfiles_read_generic_certs(puppetca_t) + + seutil_read_file_contexts(puppetca_t) +@@ -246,38 +305,47 @@ optional_policy(` + hostname_exec(puppetca_t) + ') + ++optional_policy(` ++ mta_sendmail_access_check(puppetca_t) ++') ++ ++ + ######################################## + # +-# Master local policy ++# Pupper master personal policy + # + + allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; + allow puppetmaster_t self:process { signal_perms getsched setsched }; + allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +-allow puppetmaster_t self:netlink_route_socket nlmsg_write; ++allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; + allow puppetmaster_t self:socket create; +-allow puppetmaster_t self:tcp_socket { accept listen }; ++allow puppetmaster_t self:tcp_socket create_stream_socket_perms; ++allow puppetmaster_t self:udp_socket create_socket_perms; + +-allow puppetmaster_t puppet_etc_t:dir list_dir_perms; +-allow puppetmaster_t puppet_etc_t:file read_file_perms; +-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; ++list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) ++read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + +-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; +-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) ++allow puppetmaster_t puppet_log_t:dir { 
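Review bot: The only change in this hunk is the comment `# Maybe dontaudit this like we did with other puppet domains?` above `kernel_read_kernel_sysctls(puppetca_t)`, which leaves an open question in the policy instead of a decision. Either make the change, or replace it with a statement of why the read is kept, e.g. `# puppetca needs the sysctl read (puppet_t keeps kernel_read_kernel_sysctls as well)`; puppet_t in this file carries both the dontaudit and the read rule, so "like the other puppet domains" is not a removal either way. This hunk starts on the previous line.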
rw_dir_perms setattr_dir_perms }; ++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; + logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) ++allow puppetmaster_t puppet_log_t:file relabel_file_perms; + +-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; +-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; ++manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) ++manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) ++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; ++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; + +-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; +-allow puppetmaster_t puppet_var_run_t:file manage_file_perms; ++setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) + files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) ++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; + +-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms; ++manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) ++manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) + files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) ++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; + + kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) + kernel_read_network_state(puppetmaster_t) +@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t) + corecmd_exec_shell(puppetmaster_t) + + corenet_all_recvfrom_netlabel(puppetmaster_t) +-corenet_all_recvfrom_unlabeled(puppetmaster_t) + 
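Review bot: The last added rule, `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;`, targets the client's temp type while every other line in this block refers to `puppetmaster_tmp_t`, so it looks like a typo that hands the master relabel rights over puppet_t's /tmp directories; it should presumably read `allow puppetmaster_t puppetmaster_tmp_t:dir relabel_dir_perms;`. The section header also reads `Pupper master personal policy`. This hunk starts on the previous line.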
corenet_tcp_sendrecv_generic_if(puppetmaster_t) + corenet_tcp_sendrecv_generic_node(puppetmaster_t) + corenet_tcp_bind_generic_node(puppetmaster_t) +- +-corenet_sendrecv_puppet_server_packets(puppetmaster_t) + corenet_tcp_bind_puppet_port(puppetmaster_t) +-corenet_tcp_sendrecv_puppet_port(puppetmaster_t) ++corenet_sendrecv_puppet_server_packets(puppetmaster_t) ++corenet_tcp_connect_ntop_port(puppetmaster_t) ++ ++# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports. ++corenet_udp_bind_generic_node(puppetmaster_t) ++corenet_udp_bind_generic_port(puppetmaster_t) + + dev_read_rand(puppetmaster_t) + dev_read_urand(puppetmaster_t) + dev_search_sysfs(puppetmaster_t) + +-domain_obj_id_change_exemption(puppetmaster_t) + domain_read_all_domains_state(puppetmaster_t) ++domain_obj_id_change_exemption(puppetmaster_t) + +-files_read_usr_files(puppetmaster_t) + + selinux_validate_context(puppetmaster_t) + +@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t) + logging_send_syslog_msg(puppetmaster_t) + + miscfiles_read_generic_certs(puppetmaster_t) +-miscfiles_read_localization(puppetmaster_t) + + seutil_read_file_contexts(puppetmaster_t) + + sysnet_run_ifconfig(puppetmaster_t, system_r) + ++mta_send_mail(puppetmaster_t) ++ + optional_policy(` +- hostname_exec(puppetmaster_t) ++ tunable_policy(`puppetmaster_use_db',` ++ mysql_stream_connect(puppetmaster_t) ++ ') + ') + + optional_policy(` +- mta_send_mail(puppetmaster_t) ++ tunable_policy(`puppetmaster_use_db',` ++ postgresql_stream_connect(puppetmaster_t) ++ ') + ') + + optional_policy(` +- mysql_stream_connect(puppetmaster_t) ++ systemd_dbus_chat_timedated(puppetmaster_t) + ') + + optional_policy(` +- postgresql_stream_connect(puppetmaster_t) ++ hostname_exec(puppetmaster_t) + ') + + optional_policy(` +@@ -342,3 +416,9 @@ optional_policy(` + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) + ') ++ ++optional_policy(` ++ usermanage_access_check_groupadd(puppetmaster_t) ++ 
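Review bot: `corenet_udp_bind_generic_port(puppetmaster_t)` allows binding to the generic port_t type, which covers every unlabelled non-reserved port rather than only the "random high ports" the comment describes, and it is added under a "needs investigation" note instead of a conclusion; if the observed binds fall in the kernel's ephemeral range, an ephemeral-port interface from corenetwork (if this policy defines one) would be the tighter rule, otherwise the comment should say why the broad bind is accepted. `corenet_tcp_connect_ntop_port(puppetmaster_t)` is also new and has no explanation. The comment spells the daemon `Puppermasterd`. This hunk starts on the previous line.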
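Review bot: `mta_send_mail(puppetmaster_t)` is now called unconditionally, whereas the removed version sat inside `optional_policy(`...`)`; if the mta module is not part of the base policy this makes the puppet module fail to link whenever mta is absent, so keep the wrapper: `optional_policy(` / `mta_send_mail(puppetmaster_t)` / `')`. Gating the MySQL and PostgreSQL connects behind `puppetmaster_use_db` is a good tightening; the new `systemd_dbus_chat_timedated(puppetmaster_t)` has no comment saying which master feature needs to talk to timedated.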
usermanage_access_check_passwd(puppetmaster_t) ++ usermanage_access_check_useradd(puppetmaster_t) ++') +diff --git a/pwauth.fc b/pwauth.fc +index 7e7b444..e2f8687 100644 +--- a/pwauth.fc ++++ b/pwauth.fc +@@ -1,3 +1,3 @@ +-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) ++/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) + +-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) ++/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) +diff --git a/pwauth.if b/pwauth.if +index 1148dce..86d25ea 100644 +--- a/pwauth.if ++++ b/pwauth.if +@@ -1,72 +1,74 @@ +-## External plugin for mod_authnz_external authenticator. ++ ++## policy for pwauth + + ######################################## + ## +-## Role access for pwauth. ++## Transition to pwauth. + ## +-## +-## +-## Role allowed access. +-## +-## + ## +-## +-## User domain for the role. +-## ++## ++## Domain allowed to transition. ++## + ## + # +-interface(`pwauth_role',` ++interface(`pwauth_domtrans',` + gen_require(` +- type pwauth_t; ++ type pwauth_t, pwauth_exec_t; + ') + +- pwauth_run($2, $1) +- +- ps_process_pattern($2, pwauth_t) +- allow $2 pwauth_t:process { ptrace signal_perms }; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pwauth_exec_t, pwauth_t) + ') + + ######################################## + ## +-## Execute pwauth in the pwauth domain. ++## Execute pwauth in the pwauth domain, and ++## allow the specified role the pwauth domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the pwauth domain. 
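Review bot: The lock-file context changes from `/var/run/pwauth\.lock` to `/var/run/pwauth.lock`; file-context paths are regular expressions, so the unescaped `.` now matches any character and the entry also labels names such as `/var/run/pwauthXlock` as pwauth_var_run_t. Keep the escape: `/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)`.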
+ ## + ## + # +-interface(`pwauth_domtrans',` ++interface(`pwauth_run',` + gen_require(` +- type pwauth_t, pwauth_exec_t; ++ type pwauth_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, pwauth_exec_t, pwauth_t) ++ pwauth_domtrans($1) ++ role $2 types pwauth_t; + ') + + ######################################## + ## +-## Execute pwauth in the pwauth +-## domain, and allow the specified +-## role the pwauth domain. ++## Role access for pwauth + ## +-## ++## + ## +-## Domain allowed to transition. ++## Role allowed access + ## + ## +-## ++## + ## +-## Role allowed access. ++## User domain for the role + ## + ## + # +-interface(`pwauth_run',` ++interface(`pwauth_role',` + gen_require(` +- attribute_role pwauth_roles; ++ type pwauth_t; + ') + +- pwauth_domtrans($1) +- roleattribute $2 pwauth_roles; ++ role $1 types pwauth_t; ++ ++ pwauth_domtrans($2) ++ ++ ps_process_pattern($2, pwauth_t) ++ allow $2 pwauth_t:process signal; + ') +diff --git a/pwauth.te b/pwauth.te +index 3078e34..215df88 100644 +--- a/pwauth.te ++++ b/pwauth.te +@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0) + # Declarations + # + +-attribute_role pwauth_roles; +-roleattribute system_r pwauth_roles; +- + type pwauth_t; + type pwauth_exec_t; + application_domain(pwauth_t, pwauth_exec_t) +-role pwauth_roles types pwauth_t; ++role system_r types pwauth_t; + + type pwauth_var_run_t; + files_pid_file(pwauth_var_run_t) + + ######################################## + # +-# Local policy ++# pwauth local policy + # +- + allow pwauth_t self:capability setuid; + allow pwauth_t self:process setrlimit; ++ + allow pwauth_t self:fifo_file manage_fifo_file_perms; +-allow pwauth_t self:unix_stream_socket { accept listen }; ++allow pwauth_t self:unix_stream_socket create_stream_socket_perms; + + manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) + files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) +@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t) + + auth_domtrans_chkpwd(pwauth_t) + 
auth_use_nsswitch(pwauth_t) ++auth_read_shadow(pwauth_t) ++auth_rw_lastlog(pwauth_t) + + init_read_utmp(pwauth_t) + + logging_send_syslog_msg(pwauth_t) + logging_send_audit_msgs(pwauth_t) +- +-miscfiles_read_localization(pwauth_t) +diff --git a/pxe.te b/pxe.te +index 72db707..6dae5e5 100644 +--- a/pxe.te ++++ b/pxe.te +@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t) + + domain_use_interactive_fds(pxe_t) + +-files_read_etc_files(pxe_t) + + fs_getattr_all_fs(pxe_t) + fs_search_auto_mountpoints(pxe_t) + + logging_send_syslog_msg(pxe_t) + +-miscfiles_read_localization(pxe_t) +- + userdom_dontaudit_use_unpriv_user_fds(pxe_t) + userdom_dontaudit_search_user_home_dirs(pxe_t) + +diff --git a/pyicqt.fc b/pyicqt.fc +deleted file mode 100644 +index 0c143e3..0000000 +--- a/pyicqt.fc ++++ /dev/null +@@ -1,11 +0,0 @@ +-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) +- +-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0) +- +-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) +- +-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0) +- +-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) +- +-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) +diff --git a/pyicqt.if b/pyicqt.if +deleted file mode 100644 +index 0ccea82..0000000 +--- a/pyicqt.if ++++ /dev/null +@@ -1,45 +0,0 @@ +-## ICQ transport for XMPP server. +- +-######################################## +-## +-## All of the rules required to +-## administrate an pyicqt environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. 
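Review bot: `auth_read_shadow(pwauth_t)` is added directly below the existing `auth_domtrans_chkpwd(pwauth_t)`, so the domain now both transitions to the checkpassword helper and can read /etc/shadow itself, giving an authenticator helper (used from mod_authnz_external, per the old module summary) direct access to password hashes; if pwauth verifies through PAM the direct read is unnecessary, and if it reads shadow itself the chkpwd transition is dead. Pick one model and record it, e.g. `# pwauth reads shadow directly when built without PAM support` above the line, or drop `auth_read_shadow`. `auth_rw_lastlog(pwauth_t)` likewise deserves a note on whether pwauth updates lastlog. This hunk starts on the previous line.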
+-## +-## +-## +-# +-interface(`pyicqt_admin',` +- gen_require(` +- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t; +- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t; +- ') +- +- allow $1 pyicqt_t:process { ptrace signal_perms }; +- ps_process_pattern($1, pyicqt_t) +- +- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 pyicqt_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, pyicqt_conf_t) +- +- logging_search_logs($1) +- admin_pattern($1, pyicqt_log_t) +- +- files_search_spool($1) +- admin_pattern($1, pyicqt_spool_t) +- +- files_search_pids($1) +- admin_pattern($1, pyicqt_var_run_t) +-') +diff --git a/pyicqt.te b/pyicqt.te +deleted file mode 100644 +index 99bebbd..0000000 +--- a/pyicqt.te ++++ /dev/null +@@ -1,92 +0,0 @@ +-policy_module(pyicqt, 1.0.1) +- +-######################################## +-# +-# Declarations +-# +- +-type pyicqt_t; +-type pyicqt_exec_t; +-init_daemon_domain(pyicqt_t, pyicqt_exec_t) +- +-type pyicqt_initrc_exec_t; +-init_script_file(pyicqt_initrc_exec_t) +- +-type pyicqt_conf_t; +-files_config_file(pyicqt_conf_t) +- +-type pyicqt_log_t; +-logging_log_file(pyicqt_log_t) +- +-type pyicqt_spool_t; +-files_type(pyicqt_spool_t) +- +-type pyicqt_var_run_t; +-files_pid_file(pyicqt_var_run_t) +- +-######################################## +-# +-# Local policy +-# +- +-allow pyicqt_t self:process signal_perms; +-allow pyicqt_t self:fifo_file rw_fifo_file_perms; +-allow pyicqt_t self:tcp_socket { accept listen }; +- +-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) +- +-allow pyicqt_t pyicqt_log_t:file append_file_perms; +-allow pyicqt_t pyicqt_log_t:file create_file_perms; +-allow pyicqt_t pyicqt_log_t:file setattr_file_perms; +-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) +- +-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) +-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) 
+-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir) +- +-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) +-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) +- +-kernel_read_system_state(pyicqt_t) +- +-corecmd_exec_bin(pyicqt_t) +- +-corenet_all_recvfrom_unlabeled(pyicqt_t) +-corenet_all_recvfrom_netlabel(pyicqt_t) +-corenet_tcp_sendrecv_generic_if(pyicqt_t) +-corenet_tcp_sendrecv_generic_node(pyicqt_t) +-corenet_tcp_bind_generic_node(pyicqt_t) +- +-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t) +-# corenet_tcp_bind_jabber_router_port(pyicqt_t) +-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t) +-# corenet_tcp_connect_jabber_router_port(pyicqt_t) +-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t) +- +-dev_read_sysfs(pyicqt_t) +-dev_read_urand(pyicqt_t) +- +-files_read_usr_files(pyicqt_t) +- +-fs_getattr_all_fs(pyicqt_t) +- +-auth_use_nsswitch(pyicqt_t) +- +-libs_read_lib_files(pyicqt_t) +- +-logging_send_syslog_msg(pyicqt_t) +- +-miscfiles_read_localization(pyicqt_t) +- +-optional_policy(` +- jabber_manage_lib_files(pyicqt_t) +-') +- +-optional_policy(` +- mysql_stream_connect(pyicqt_t) +- mysql_tcp_connect(pyicqt_t) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(pyicqt_t) +-') +diff --git a/pyzor.fc b/pyzor.fc +index af13139..a927c5a 100644 +--- a/pyzor.fc ++++ b/pyzor.fc +@@ -1,12 +1,13 @@ +-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +- +-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +- ++/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) + /etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) + +-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) +-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) ++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) ++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) ++/root/\.pyzor(/.*)? 
gen_context(system_u:object_r:pyzor_home_t,s0) ++/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) + +-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) ++/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) ++/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) + ++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) + /var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) +diff --git a/pyzor.if b/pyzor.if +index 593c03d..2c411af 100644 +--- a/pyzor.if ++++ b/pyzor.if +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Role access for pyzor. ++## Role access for pyzor + ## + ## + ## +@@ -14,31 +14,30 @@ + ## User domain for the role + ## + ## ++## + # + interface(`pyzor_role',` + gen_require(` +- attribute_role pyzor_roles; +- type pyzor_t, pyzor_exec_t, pyzor_home_t; +- type pyzor_tmp_t; ++ type pyzor_t, pyzor_exec_t; ++ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; + ') + +- roleattribute $1 pyzor_roles; ++ role $1 types pyzor_t; + ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, pyzor_exec_t, pyzor_t) + +- allow $2 pyzor_t:process { ptrace signal_perms }; ++ # allow ps to show pyzor and allow the user to kill it + ps_process_pattern($2, pyzor_t) +- +- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor") ++ allow $2 pyzor_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 pyzor_t:process ptrace; ++ ') + ') + + ######################################## + ## +-## Send generic signals to pyzor. 
++## Send generic signals to pyzor + ## + ## + ## +@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',` + type pyzor_exec_t, pyzor_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, pyzor_exec_t, pyzor_t) + ') +@@ -88,14 +88,15 @@ interface(`pyzor_exec',` + type pyzor_exec_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, pyzor_exec_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an pyzor environment. ++## All of the rules required to administrate ++## an pyzor environment + ## + ## + ## +@@ -104,33 +105,37 @@ interface(`pyzor_exec',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the pyzor domain. + ## + ## + ## + # + interface(`pyzor_admin',` + gen_require(` +- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t; +- type pyzor_var_lib_t, pyzor_etc_t; ++ type pyzord_t, pyzor_tmp_t, pyzord_log_t; ++ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; + ') + +- allow $1 pyzord_t:process { ptrace signal_perms }; ++ allow $1 pyzord_t:process signal_perms; + ps_process_pattern($1, pyzord_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pyzord_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) +- admin_pattern($1, pyzor_etc_t) ++ files_list_tmp($1) ++ admin_pattern($1, pyzor_tmp_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, pyzord_log_t) + +- files_search_var_lib($1) +- admin_pattern($1, pyzor_var_lib_t) ++ files_list_etc($1) ++ admin_pattern($1, pyzor_etc_t) + +- pyzor_role($2, $1) ++ files_list_var_lib($1) ++ admin_pattern($1, pyzor_var_lib_t) + ') +diff --git a/pyzor.te b/pyzor.te +index 6c456d2..86daaba 100644 +--- a/pyzor.te ++++ b/pyzor.te +@@ -1,61 +1,82 @@ +-policy_module(pyzor, 2.2.1) ++policy_module(pyzor, 2.1.0) + + 
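Review bot: In pyzor_role the gen_require still lists `pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t`, but after the manage/relabel rules and `userdom_user_home_dir_filetrans` were removed the body references only pyzor_t and pyzor_exec_t; trim the require to `type pyzor_t, pyzor_exec_t;` so the interface does not fail to link on a type it never uses. Gating ptrace behind `tunable_policy(`deny_ptrace',`',` ... ')` is the right shape and is repeated in the pyzor_admin hunk. That same pyzor_admin hunk also drops `pyzor_role($2, $1)`, so the admin role no longer gets the client transition — if intentional, a one-line comment in the interface saying the client role must be granted separately would save the next reader a search; the doc text `an pyzor environment` should read `a pyzor environment`.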
######################################## + # + # Declarations + # + +-attribute_role pyzor_roles; +-roleattribute system_r pyzor_roles; +- +-type pyzor_t; +-type pyzor_exec_t; +-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; +-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; +-userdom_user_application_domain(pyzor_t, pyzor_exec_t) +-role pyzor_roles types pyzor_t; +- +-type pyzor_etc_t; +-files_type(pyzor_etc_t) +- +-type pyzor_home_t; +-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; +-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; +-userdom_user_home_content(pyzor_home_t) +- +-type pyzor_tmp_t; +-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; +-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; +-userdom_user_tmp_file(pyzor_tmp_t) +- +-type pyzor_var_lib_t; +-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; +-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; +-files_type(pyzor_var_lib_t) +-ubac_constrained(pyzor_var_lib_t) +- +-type pyzord_t; +-type pyzord_exec_t; +-init_daemon_domain(pyzord_t, pyzord_exec_t) +- +-type pyzord_initrc_exec_t; +-init_script_file(pyzord_initrc_exec_t) +- +-type pyzord_log_t; +-logging_log_file(pyzord_log_t) ++ifdef(`distro_redhat',` ++ gen_require(` ++ type spamc_t, spamc_exec_t, spamd_t; ++ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t; ++ type spamd_log_t, spamd_var_lib_t, spamd_etc_t; ++ type spamc_tmp_t, spamc_home_t; ++ ') ++ ++ typealias spamc_t alias pyzor_t; ++ typealias spamc_exec_t alias pyzor_exec_t; ++ typealias spamd_t alias pyzord_t; ++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; ++ typealias spamd_exec_t alias pyzord_exec_t; ++ typealias spamc_tmp_t alias pyzor_tmp_t; ++ typealias spamd_log_t alias pyzor_log_t; ++ typealias spamd_log_t alias 
pyzord_log_t; ++ typealias spamd_var_lib_t alias pyzor_var_lib_t; ++ typealias spamd_etc_t alias pyzor_etc_t; ++ typealias spamc_home_t alias pyzor_home_t; ++ typealias spamc_home_t alias user_pyzor_home_t; ++',` ++ type pyzor_t; ++ type pyzor_exec_t; ++ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; ++ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; ++ application_domain(pyzor_t, pyzor_exec_t) ++ ubac_constrained(pyzor_t) ++ role system_r types pyzor_t; ++ ++ type pyzor_etc_t; ++ files_config_file(pyzor_etc_t) ++ ++ type pyzor_home_t; ++ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; ++ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; ++ userdom_user_home_content(pyzor_home_t) ++ ++ type pyzor_tmp_t; ++ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; ++ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; ++ files_tmp_file(pyzor_tmp_t) ++ ubac_constrained(pyzor_tmp_t) ++ ++ type pyzor_var_lib_t; ++ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; ++ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; ++ files_type(pyzor_var_lib_t) ++ ubac_constrained(pyzor_var_lib_t) ++ ++ type pyzord_t; ++ type pyzord_exec_t; ++ init_daemon_domain(pyzord_t, pyzord_exec_t) ++ ++ type pyzord_log_t; ++ logging_log_file(pyzord_log_t) ++') + + ######################################## + # +-# Local policy ++# Pyzor client local policy + # + ++allow pyzor_t self:udp_socket create_socket_perms; ++ + manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) + manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) + manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor") ++userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) + + allow 
pyzor_t pyzor_var_lib_t:dir list_dir_perms; + read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) ++files_search_var_lib(pyzor_t) + + manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) + manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) +@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t) + corecmd_list_bin(pyzor_t) + corecmd_getattr_bin_files(pyzor_t) + +-corenet_all_recvfrom_unlabeled(pyzor_t) +-corenet_all_recvfrom_netlabel(pyzor_t) + corenet_tcp_sendrecv_generic_if(pyzor_t) ++corenet_udp_sendrecv_generic_if(pyzor_t) + corenet_tcp_sendrecv_generic_node(pyzor_t) +- +-corenet_sendrecv_http_client_packets(pyzor_t) ++corenet_udp_sendrecv_generic_node(pyzor_t) ++corenet_tcp_sendrecv_all_ports(pyzor_t) ++corenet_udp_sendrecv_all_ports(pyzor_t) + corenet_tcp_connect_http_port(pyzor_t) +-corenet_tcp_sendrecv_http_port(pyzor_t) + + dev_read_urand(pyzor_t) + +-fs_getattr_all_fs(pyzor_t) +-fs_search_auto_mountpoints(pyzor_t) ++fs_getattr_xattr_fs(pyzor_t) ++ + + auth_use_nsswitch(pyzor_t) + +-miscfiles_read_localization(pyzor_t) + + mta_read_queue(pyzor_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(pyzor_t) +- fs_manage_nfs_files(pyzor_t) +- fs_manage_nfs_symlinks(pyzor_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(pyzor_t) +- fs_manage_cifs_files(pyzor_t) +- fs_manage_cifs_symlinks(pyzor_t) +-') ++userdom_dontaudit_search_user_home_dirs(pyzor_t) + + optional_policy(` +- amavis_manage_lib_files(pyzor_t) +- amavis_manage_spool_files(pyzor_t) ++ antivirus_manage_db(pyzor_t) + ') + + optional_policy(` +@@ -111,25 +119,24 @@ optional_policy(` + + ######################################## + # +-# Daemon local policy ++# Pyzor server local policy + # + +-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms; ++allow pyzord_t self:udp_socket create_socket_perms; ++ + manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) ++allow pyzord_t pyzor_var_lib_t:dir setattr; + files_var_lib_filetrans(pyzord_t, 
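Review bot: Dropping the `".pyzor"` name argument from `userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })` turns a named transition that only relabeled a directory called `.pyzor` into an unnamed one, so any dir, file or symlink pyzor_t creates directly in a user home directory is now labeled pyzor_home_t; the old `userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")` is the narrower and safer form. In the distro_redhat branch `spamc_tmp_t` is required twice (once in the second `type` line, again in the fourth); remove one. Because that branch aliases pyzor_t/pyzord_t to spamc_t/spamd_t, every rule in the rest of the file (udp socket creation, the all_ports rules, `mta_read_queue`) is really granted to the spamc/spamd domains on Red Hat — a comment at the top of the alias block stating this would make the effect explicit. The module version also steps down from 2.2.1 to 2.1.0 (qemu and qmail likewise); if that is the distribution's own numbering, say so in a comment or the commit message.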
pyzor_var_lib_t, { file dir }) + ++read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) + allow pyzord_t pyzor_etc_t:dir list_dir_perms; +-allow pyzord_t pyzor_etc_t:file read_file_perms; +-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms; + ++can_exec(pyzord_t, pyzor_exec_t) ++ ++manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) + allow pyzord_t pyzord_log_t:dir setattr_dir_perms; +-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) + logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) + +-can_exec(pyzord_t, pyzor_exec_t) +- + kernel_read_kernel_sysctls(pyzord_t) + kernel_read_system_state(pyzord_t) + +@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t) + + corecmd_exec_bin(pyzord_t) + +-corenet_all_recvfrom_unlabeled(pyzord_t) + corenet_all_recvfrom_netlabel(pyzord_t) + corenet_udp_sendrecv_generic_if(pyzord_t) + corenet_udp_sendrecv_generic_node(pyzord_t) ++corenet_udp_sendrecv_all_ports(pyzord_t) + corenet_udp_bind_generic_node(pyzord_t) +- +-corenet_sendrecv_pyzor_server_packets(pyzord_t) + corenet_udp_bind_pyzor_port(pyzord_t) +-corenet_udp_sendrecv_pyzor_port(pyzord_t) ++corenet_sendrecv_pyzor_server_packets(pyzord_t) + +-auth_use_nsswitch(pyzord_t) + +-logging_send_syslog_msg(pyzord_t) ++auth_use_nsswitch(pyzord_t) + + locallogin_dontaudit_use_fds(pyzord_t) + +-miscfiles_read_localization(pyzord_t) + ++# Do not audit attempts to access /root. 
+ userdom_dontaudit_search_user_home_dirs(pyzord_t) + + mta_manage_spool(pyzord_t) ++ ++optional_policy(` ++ logging_send_syslog_msg(pyzord_t) ++') +diff --git a/qemu.fc b/qemu.fc +index 6b53fa4..64d877e 100644 +--- a/qemu.fc ++++ b/qemu.fc +@@ -1,5 +1,4 @@ +-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +- + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +diff --git a/qemu.if b/qemu.if +index eaf56b8..580f9ee 100644 +--- a/qemu.if ++++ b/qemu.if +@@ -1,19 +1,21 @@ +-## QEMU machine emulator and virtualizer. ++## QEMU machine emulator and virtualizer + +-####################################### ++######################################## + ## +-## The template to define a qemu domain. ++## Creates types and rules for a basic ++## qemu process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. 
+ ## + ## + # + template(`qemu_domain_template',` ++ + ############################## + # +- # Declarations ++ # Local Policy + # + + type $1_t; +@@ -24,7 +26,7 @@ template(`qemu_domain_template',` + + ############################## + # +- # Policy ++ # Local Policy + # + + allow $1_t self:capability { dac_read_search dac_override }; +@@ -41,7 +43,6 @@ template(`qemu_domain_template',` + + kernel_read_system_state($1_t) + +- corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) +@@ -70,11 +71,10 @@ template(`qemu_domain_template',` + term_getattr_pty_fs($1_t) + term_use_generic_ptys($1_t) + +- miscfiles_read_localization($1_t) + + sysnet_read_config($1_t) + +- userdom_use_user_terminals($1_t) ++ userdom_use_inherited_user_terminals($1_t) + userdom_attach_admin_tun_iface($1_t) + + optional_policy(` +@@ -98,38 +98,12 @@ template(`qemu_domain_template',` + + ######################################## + ## +-## Role access for qemu. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-template(`qemu_role',` +- gen_require(` +- type qemu_t; +- ') +- +- qemu_run($2, $1) +- +- allow $2 qemu_t:process { ptrace signal_perms }; +- ps_process_pattern($2, qemu_t) +-') +- +-######################################## +-## + ## Execute a domain transition to run qemu. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`qemu_domtrans',` +@@ -137,18 +111,17 @@ interface(`qemu_domtrans',` + type qemu_t, qemu_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, qemu_exec_t, qemu_t) + ') + + ######################################## + ## +-## Execute a qemu in the caller domain. ++## Execute a qemu in the callers domain + ## + ## +-## ++## + ## Domain allowed access. 
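Review bot: Renaming the first section header of qemu_domain_template from `# Declarations` to `# Local Policy` leaves two consecutive sections both titled "Local Policy" (the second is the `@@ -24,7` hunk), while the first one still only declares `type $1_t;` and its exec type. Keep `# Declarations` for the first block so the template reads the way the other templates in this patch do.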
+-## ++## + ## + # + interface(`qemu_exec',` +@@ -156,15 +129,12 @@ interface(`qemu_exec',` + type qemu_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, qemu_exec_t) + ') + + ######################################## + ## +-## Execute qemu in the qemu domain, +-## and allow the specified role the +-## qemu domain. ++## Execute qemu in the qemu domain. + ## + ## + ## +@@ -173,23 +143,25 @@ interface(`qemu_exec',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the qemu domain. + ## + ## + ## + # + interface(`qemu_run',` + gen_require(` +- attribute_role qemu_roles; ++ type qemu_t; + ') + + qemu_domtrans($1) +- roleattribute $2 qemu_roles; ++ role $2 types qemu_t; ++ allow qemu_t $1:process signull; ++ allow $1 qemu_t:process signull; + ') + + ######################################## + ## +-## Read qemu process state files. ++## Allow the domain to read state files in /proc. + ## + ## + ## +@@ -202,15 +174,12 @@ interface(`qemu_read_state',` + type qemu_t; + ') + +- kernel_search_proc($1) +- allow $1 qemu_t:dir list_dir_perms; +- allow $1 qemu_t:file read_file_perms; +- allow $1 qemu_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, qemu_t, qemu_t) + ') + + ######################################## + ## +-## Set qemu scheduler. ++## Set the schedule on qemu. + ## + ## + ## +@@ -228,7 +197,7 @@ interface(`qemu_setsched',` + + ######################################## + ## +-## Send generic signals to qemu. ++## Send a signal to qemu. + ## + ## + ## +@@ -246,7 +215,7 @@ interface(`qemu_signal',` + + ######################################## + ## +-## Send kill signals to qemu. ++## Send a sigill to qemu + ## + ## + ## +@@ -264,48 +233,68 @@ interface(`qemu_kill',` + + ######################################## + ## +-## Execute a domain transition to +-## run qemu unconfined. ++## Execute qemu_exec_t ++## in the specified domain but do not ++## do it automatically. This is an explicit ++## transition, requiring the caller to use setexeccon(). 
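Review bot: In qemu_read_state the single `read_files_pattern($1, qemu_t, qemu_t)` grants search on the dir and read on files, but the removed lines also gave `kernel_search_proc($1)`, `list_dir_perms` on the dir and `read_lnk_file_perms` on symlinks, all of which a caller reading `/proc/<pid>` state (which the new doc line now promises) will need. Keep `kernel_search_proc($1)` and add `list_dirs_pattern($1, qemu_t, qemu_t)` and `read_lnk_files_pattern($1, qemu_t, qemu_t)` next to the read rule. The qemu_run hunk just above is fine as written; `role $2 types qemu_t;` with the two `signull` rules replaces the role attribute removed elsewhere in this patch.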
+ ## ++## ++##

    ++## Execute qemu_exec_t ++## in the specified domain. This allows ++## the specified domain to qemu programs ++## on these filesystems in the specified ++## domain. ++##

    ++##
    + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. + ## + ## + # +-interface(`qemu_domtrans_unconfined',` ++interface(`qemu_spec_domtrans',` + gen_require(` +- type unconfined_qemu_t, qemu_exec_t; ++ type qemu_exec_t; + ') +- +- corecmd_search_bin($1) +- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) ++ ++ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) ++ domain_transition_pattern($1, qemu_exec_t, $2) ++ domain_entry_file($2,qemu_exec_t) ++ can_exec($1,qemu_exec_t) ++ ++ allow $2 $1:fd use; ++ allow $2 $1:fifo_file rw_fifo_file_perms; ++ allow $2 $1:process sigchld; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## qemu temporary directories. ++## Execute qemu unconfined programs in the role. + ## +-## ++## + ## +-## Domain allowed access. ++## The role to allow the qemu unconfined domain. + ## + ## + # +-interface(`qemu_manage_tmp_dirs',` ++interface(`qemu_unconfined_role',` + gen_require(` +- type qemu_tmp_t; ++ type unconfined_qemu_t; ++ type qemu_t; + ') +- +- files_search_tmp($1) +- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) ++ role $1 types unconfined_qemu_t; ++ role $1 types qemu_t; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## qemu temporary files. ++## Manage qemu temporary dirs. + ## + ## + ## +@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',` + ## + ## + # +-interface(`qemu_manage_tmp_files',` ++interface(`qemu_manage_tmp_dirs',` + gen_require(` + type qemu_tmp_t; + ') + +- files_search_tmp($1) +- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ++ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + ') + + ######################################## + ## +-## Execute qemu in a specified domain. ++## Manage qemu temporary files. + ## +-## +-##
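Review bot: `qemu_unconfined_role` requires `type unconfined_qemu_t`, but the only declaration of that type visible in this patch is the one the qemu.te `@@ -37,21` hunk removes (`type unconfined_qemu_t; ... unconfined_domain(unconfined_qemu_t)`), so unless it is declared elsewhere the interface cannot be satisfied and linking a module that calls it will fail. Either keep the declaration in qemu.te or drop the interface. In `qemu_spec_domtrans` the hand-written `domain_transition_pattern`, `domain_entry_file($2,qemu_exec_t)`, `can_exec($1,qemu_exec_t)` and fd/fifo/sigchld lines are domtrans_pattern without the automatic type_transition; a comment such as `# explicit (setexeccon) transition: no type_transition on purpose` would stop the next maintainer "fixing" it, and the two calls should use the file's `($2, qemu_exec_t)` spacing.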

    +-## Execute qemu in a specified domain. +-##

    +-##

    +-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

    +-##
    +-## +-## +-## Domain allowed to transition. +-## +-## +-## ++## + ## +-## Domain to transition to. ++## Domain allowed access. + ## + ## + # +-interface(`qemu_spec_domtrans',` ++interface(`qemu_manage_tmp_files',` + gen_require(` +- type qemu_exec_t; ++ type qemu_tmp_t; + ') + +- corecmd_search_bin($1) +- domain_auto_trans($1, qemu_exec_t, $2) ++ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) + ') + +-###################################### ++######################################## + ## +-## Make qemu executable files an +-## entrypoint for the specified domain. ++## Make qemu_exec_t an entrypoint for ++## the specified domain. + ## + ## +-## +-## The domain for which qemu_exec_t is an entrypoint. +-## ++## ++## The domain for which qemu_exec_t is an entrypoint. ++## + ## + # + interface(`qemu_entry_type',` +diff --git a/qemu.te b/qemu.te +index 2e824eb..695c857 100644 +--- a/qemu.te ++++ b/qemu.te +@@ -1,4 +1,4 @@ +-policy_module(qemu, 1.7.4) ++policy_module(qemu, 1.7.0) + + ######################################## + # +@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4) + # + + ## +-##

    +-## Determine whether qemu has full +-## access to the network. +-##

    ++##

    ++## Allow qemu to connect fully to the network ++##

    + ##
    + gen_tunable(qemu_full_network, false) + +-attribute_role qemu_roles; +-roleattribute system_r qemu_roles; ++## ++##

    ++## Allow qemu to use cifs/Samba file systems ++##

    ++##
    ++gen_tunable(qemu_use_cifs, true) ++ ++## ++##

    ++## Allow qemu to use serial/parallel communication ports ++##

    ++##
    ++gen_tunable(qemu_use_comm, false) + +-type qemu_exec_t; +-application_executable_file(qemu_exec_t) ++## ++##

    ++## Allow qemu to use nfs file systems ++##

    ++##
    ++gen_tunable(qemu_use_nfs, true) ++ ++## ++##

    ++## Allow qemu to use usb devices ++##

    ++##
    ++gen_tunable(qemu_use_usb, true) + + virt_domain_template(qemu) +-role qemu_roles types qemu_t; ++role system_r types qemu_t; + + ######################################## + # +-# Local policy ++# qemu local policy + # + ++storage_raw_write_removable_device(qemu_t) ++storage_raw_read_removable_device(qemu_t) ++ ++userdom_search_user_home_content(qemu_t) ++userdom_read_user_tmpfs_files(qemu_t) ++userdom_stream_connect(qemu_t) ++ + tunable_policy(`qemu_full_network',` ++ allow qemu_t self:udp_socket create_socket_perms; ++ + corenet_udp_sendrecv_generic_if(qemu_t) + corenet_udp_sendrecv_generic_node(qemu_t) + corenet_udp_sendrecv_all_ports(qemu_t) +@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',` + corenet_tcp_connect_all_ports(qemu_t) + ') + ++tunable_policy(`qemu_use_cifs',` ++ fs_manage_cifs_dirs(qemu_t) ++ fs_manage_cifs_files(qemu_t) ++') ++ ++tunable_policy(`qemu_use_comm',` ++ term_use_unallocated_ttys(qemu_t) ++ dev_rw_printer(qemu_t) ++') ++ ++tunable_policy(`qemu_use_nfs',` ++ fs_manage_nfs_dirs(qemu_t) ++ fs_manage_nfs_files(qemu_t) ++') ++ ++tunable_policy(`qemu_use_usb',` ++ dev_rw_usbfs(qemu_t) ++ fs_manage_dos_dirs(qemu_t) ++ fs_manage_dos_files(qemu_t) ++') ++ + optional_policy(` +- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) ++ dbus_read_lib_files(qemu_t) + ') + +-######################################## +-# +-# Unconfined local policy +-# ++optional_policy(` ++ pulseaudio_manage_home_files(qemu_t) ++ pulseaudio_stream_connect(qemu_t) ++') ++ ++optional_policy(` ++ tunable_policy(`qemu_use_cifs',` ++ samba_domtrans_smbd(qemu_t) ++ ') ++') + + optional_policy(` +- type unconfined_qemu_t; +- typealias unconfined_qemu_t alias qemu_unconfined_t; +- application_type(unconfined_qemu_t) +- unconfined_domain(unconfined_qemu_t) ++ virt_domtrans_bridgehelper(qemu_t) ++') ++ ++optional_policy(` ++ virt_manage_home_files(qemu_t) ++ virt_manage_images(qemu_t) ++ virt_append_log(qemu_t) ++') + +- allow unconfined_qemu_t self:process { 
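Review bot: `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` are declared with default `true`, so the extra file-system and device access in their tunable_policy blocks (next hunk) is on for every install; least privilege argues for `false` with the description telling administrators when to enable it, or at minimum the description should state the default. The `qemu_use_usb` description says "Allow qemu to use usb devices", but its body in the following hunk also grants `fs_manage_dos_dirs` and `fs_manage_dos_files`; the description should mention FAT file-system access or that access should move to its own tunable. The unconditional `storage_raw_write_removable_device(qemu_t)` is a broad grant — presumably for passing removable media through to guests — and deserves a one-line comment stating the need.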
execstack execmem }; +- allow unconfined_qemu_t qemu_exec_t:file execmod; ++optional_policy(` ++ xen_rw_image_files(qemu_t) ++') ++ ++optional_policy(` ++ xserver_read_xdm_pid(qemu_t) ++ xserver_stream_connect(qemu_t) + ') +diff --git a/qmail.fc b/qmail.fc +index e53fe5a..edee505 100644 +--- a/qmail.fc ++++ b/qmail.fc +@@ -1,22 +1,6 @@ +-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) +- +-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) +- +-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) +-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) +-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) +-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) +-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) +-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) +-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) +-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) +-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) +-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) +- +-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) +-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) ++ ++/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) ++/var/qmail/alias(/.*)? 
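Review bot: `samba_domtrans_smbd(qemu_t)` under `qemu_use_cifs` lets qemu_t launch smbd in the smbd domain, and because that tunable defaults to true in the preceding hunk this transition is enabled out of the box. A comment naming the use case (presumably qemu's user-mode networking SMB export) and a default of false would keep the daemon transition opt-in; as written an administrator reading only the tunable description ("use cifs/Samba file systems") would not expect qemu to be able to start smbd.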
gen_context(system_u:object_r:qmail_alias_home_t,s0) + + /var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) + /var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +@@ -29,9 +13,36 @@ + /var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) + /var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) + /var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) +-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) ++/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) ++/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) ++ ++/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) ++/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) ++ ++/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) ++ ++ifdef(`distro_debian', ` ++/etc/qmail(/.*)? 
gen_context(system_u:object_r:qmail_etc_t,s0) ++ ++/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) ++ ++#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) ++ ++/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) ++/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) ++/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) ++/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) ++/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) ++/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) ++/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) ++/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) ++/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) ++/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) ++/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) ++/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) ++ ++/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + +-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) ++/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) ++') + +-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) +diff --git a/qmail.if b/qmail.if +index e4f0000..05e219e 100644 +--- a/qmail.if ++++ b/qmail.if +@@ -1,12 +1,12 @@ +-## Qmail Mail Server. ++## Qmail Mail Server + + ######################################## + ## +-## Template for qmail parent/sub-domain pairs. ++## Template for qmail parent/sub-domain pairs + ## + ## + ## +-## The prefix of the child domain. 
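Review bot: The commented-out `#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)` inside the distro_debian block refers to a type that no visible part of qmail.te declares; either declare the type and enable the entry or drop the dead line rather than leave a label nothing can resolve. With the catch-all `/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)` now only inside the Debian block, non-Debian builds have no default for paths under /var/qmail not covered by the listed entries — confirm that is intended and add a comment if so.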
++## The prefix of the child domain + ## + ## + ## +@@ -16,35 +16,39 @@ + ## + # + template(`qmail_child_domain_template',` +- gen_require(` +- attribute qmail_child_domain; +- ') +- +- ######################################## +- # +- # Declarations +- # +- +- type $1_t, qmail_child_domain; +- type $1_exec_t; ++ type $1_t; + domain_type($1_t) ++ type $1_exec_t; + domain_entry_file($1_t, $1_exec_t) +- ++ domain_auto_trans($2, $1_exec_t, $1_t) + role system_r types $1_t; + +- ######################################## +- # +- # Policy +- # ++ allow $1_t self:process signal_perms; ++ ++ allow $1_t $2:fd use; ++ allow $1_t $2:fifo_file rw_file_perms; ++ allow $1_t $2:process sigchld; ++ ++ allow $1_t qmail_etc_t:dir list_dir_perms; ++ allow $1_t qmail_etc_t:file read_file_perms; ++ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; ++ ++ allow $1_t qmail_start_t:fd use; ++ ++ kernel_list_proc($2) ++ kernel_read_proc_symlinks($2) + +- domtrans_pattern($2, $1_exec_t, $1_t) ++ corecmd_search_bin($1_t) ++ ++ files_search_var($1_t) ++ ++ fs_getattr_xattr_fs($1_t) + +- kernel_read_system_state($2) + ') + + ######################################## + ## +-## Transition to qmail_inject_t. ++## Transition to qmail_inject_t + ## + ## + ## +@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',` + type qmail_inject_t, qmail_inject_exec_t; + ') + ++ corecmd_search_bin($1) + domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) + + ifdef(`distro_debian',` + files_search_usr($1) +- corecmd_search_bin($1) + ',` + files_search_var($1) + ') +@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',` + + ######################################## + ## +-## Transition to qmail_queue_t. 
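Review bot: In qmail_child_domain_template `allow $1_t $2:fifo_file rw_file_perms;` applies the plain-file permission set to a fifo; the fifo set `rw_fifo_file_perms` is what this same patch uses in `qmail_rw_spool_pipes`, so write `allow $1_t $2:fifo_file rw_fifo_file_perms;`. The template now references `qmail_etc_t` and `qmail_start_t` without a gen_require, which only works while the template is called from qmail.te itself; `gen_require(` type qmail_etc_t, qmail_start_t; ')` keeps it usable from anywhere. `domain_auto_trans($2, $1_exec_t, $1_t)` plus the three hand-written fd/fifo/sigchld rules re-implement the `domtrans_pattern($2, $1_exec_t, $1_t)` the old template used; if the split is deliberate a comment should say why.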
++## Transition to qmail_queue_t + ## + ## + ## +@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',` + type qmail_queue_t, qmail_queue_exec_t; + ') + ++ corecmd_search_bin($1) + domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) + + ifdef(`distro_debian',` + files_search_usr($1) +- corecmd_search_bin($1) + ',` + files_search_var($1) + ') +@@ -108,20 +112,21 @@ interface(`qmail_read_config',` + type qmail_etc_t; + ') + +- files_search_var($1) + allow $1 qmail_etc_t:dir list_dir_perms; + allow $1 qmail_etc_t:file read_file_perms; + allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; ++ files_search_var($1) + + ifdef(`distro_debian',` ++ # handle /etc/qmail + files_search_etc($1) + ') + ') + + ######################################## + ## +-## Define the specified domain as a +-## qmail-smtp service. ++## Define the specified domain as a qmail-smtp service. ++## Needed by antivirus/antispam filters. + ## + ## + ## +@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',` + + domtrans_pattern(qmail_smtpd_t, $2, $1) + ') ++ ++######################################## ++## ++## Create, read, write, and delete qmail ++## spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qmail_manage_spool_dirs',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete qmail ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qmail_manage_spool_files',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ manage_files_pattern($1, qmail_spool_t, qmail_spool_t) ++') ++ ++######################################## ++## ++## Read and write to qmail spool pipes. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`qmail_rw_spool_pipes',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; ++') +diff --git a/qmail.te b/qmail.te +index 1bef513..af2850e 100644 +--- a/qmail.te ++++ b/qmail.te +@@ -1,11 +1,11 @@ +-policy_module(qmail, 1.5.1) ++policy_module(qmail, 1.5.0) + + ######################################## + # + # Declarations + # + +-attribute qmail_child_domain; ++attribute qmail_user_domains; + + type qmail_alias_home_t; + files_type(qmail_alias_home_t) +@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t) + type qmail_exec_t; + files_type(qmail_exec_t) + +-type qmail_inject_t; ++type qmail_inject_t, qmail_user_domains; + type qmail_inject_exec_t; + domain_type(qmail_inject_t) + domain_entry_file(qmail_inject_t, qmail_inject_exec_t) +@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t) + mta_mailserver_delivery(qmail_lspawn_t) + + qmail_child_domain_template(qmail_queue, qmail_inject_t) ++typeattribute qmail_queue_t qmail_user_domains; + mta_mailserver_user_agent(qmail_queue_t) + + qmail_child_domain_template(qmail_remote, qmail_rspawn_t) + mta_mailserver_sender(qmail_remote_t) + + qmail_child_domain_template(qmail_rspawn, qmail_start_t) ++ + qmail_child_domain_template(qmail_send, qmail_start_t) ++ + qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) ++ + qmail_child_domain_template(qmail_splogger, qmail_start_t) + + type qmail_spool_t; +-files_type(qmail_spool_t) ++files_spool_file(qmail_spool_t) + + type qmail_start_t; + type qmail_start_exec_t; +@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) + + ######################################## + # +-# Common qmail child domain local policy +-# +- +-allow qmail_child_domain self:process signal_perms; +- +-allow qmail_child_domain qmail_etc_t:dir list_dir_perms; +-allow qmail_child_domain qmail_etc_t:file read_file_perms; +-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms; 
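Review bot: `qmail_rw_spool_pipes` documents its parameter as "Domain to not audit" although it is an allow rule; the text should read "Domain allowed access." like the two interfaces above it. None of the three new spool interfaces grants search on the spool's parent directory, and with qmail_spool_t now marked `files_spool_file` in qmail.te a caller will be denied before it reaches `/var/spool/qmail` (Debian) or `/var/qmail/queue`; the `ifdef(`distro_debian',` files_search_spool($1) ',` files_search_var($1) ')` shape already used in `qmail_domtrans_queue` fits here.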
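Review bot: The new attribute `qmail_user_domains` in qmail.te is declared and given two members (`type qmail_inject_t, qmail_user_domains;` and `typeattribute qmail_queue_t qmail_user_domains;`), but no rule over the attribute appears in any visible hunk; if nothing later in the file uses it, the attribute is dead after `qmail_child_domain` was dropped. Add a comment above the declaration stating what the attribute is for, or remove it until a rule needs it.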
+- +-allow qmail_child_domain qmail_start_t:fd use; +- +-corecmd_search_bin(qmail_child_domain) +- +-files_search_var(qmail_child_domain) +- +-fs_getattr_xattr_fs(qmail_child_domain) +- +-miscfiles_read_localization(qmail_child_domain) +- +-######################################## +-# +-# Clean local policy ++# qmail-clean local policy ++# this component cleans up the queue directory + # + + read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) +@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) + + ######################################## + # +-# Inject local policy ++# qmail-inject local policy ++# this component preprocesses mail from stdin and invokes qmail-queue + # + +-allow qmail_inject_t self:fifo_file write_fifo_file_perms; + allow qmail_inject_t self:process signal_perms; ++allow qmail_inject_t self:fifo_file write_fifo_file_perms; + + allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; + +@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t) + + files_search_var(qmail_inject_t) + +-miscfiles_read_localization(qmail_inject_t) + + qmail_read_config(qmail_inject_t) + + ######################################## + # +-# Local local policy ++# qmail-local local policy ++# this component delivers a mail message + # + +-allow qmail_local_t self:fifo_file write_fifo_file_perms; + allow qmail_local_t self:process signal_perms; +-allow qmail_local_t self:unix_stream_socket { accept listen }; ++allow qmail_local_t self:fifo_file write_file_perms; ++allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) + manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) +@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t) + qmail_domtrans_queue(qmail_local_t) + + optional_policy(` ++ uucp_domtrans(qmail_local_t) ++') ++ ++optional_policy(` + spamassassin_domtrans_client(qmail_local_t) + ') + + 
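Review bot: In the qmail-local hunk `allow qmail_local_t self:fifo_file write_file_perms;` replaces `write_fifo_file_perms` with the plain-file set, the same class/permission-set mismatch as in the child-domain template; keep `write_fifo_file_perms`. On the next line `create_stream_socket_perms` replaces `{ accept listen }`, widening the domain from accepting on an inherited unix stream socket to creating, binding and connecting its own; if delivery needs that, a comment naming the reason belongs next to the rule. The `@@ -55,28` hunk moves the common child rules into the template but silently drops `miscfiles_read_localization` for the child domains (this patch removes it everywhere) — presumably localization reads now come from base policy; confirm.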
######################################## + # +-# Lspawn local policy ++# qmail-lspawn local policy ++# this component schedules local deliveries + # + + allow qmail_lspawn_t self:capability { setuid setgid }; +@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; + + read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) + +-files_read_etc_files(qmail_lspawn_t) ++corecmd_search_bin(qmail_lspawn_t) ++ + files_search_pids(qmail_lspawn_t) + files_search_tmp(qmail_lspawn_t) + + ######################################## + # +-# Queue local policy ++# qmail-queue local policy ++# this component places a mail in a delivery queue, later to be processed by qmail-send + # + + allow qmail_queue_t qmail_lspawn_t:fd use; + allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; + ++allow qmail_queue_t qmail_smtpd_t:process sigchld; + allow qmail_queue_t qmail_smtpd_t:fd use; + allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; +-allow qmail_queue_t qmail_smtpd_t:process sigchld; + + manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) + manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) +@@ -183,28 +175,34 @@ optional_policy(` + + ######################################## + # +-# Remote local policy ++# qmail-remote local policy ++# this component sends mail via SMTP + # + ++allow qmail_remote_t self:tcp_socket create_socket_perms; ++allow qmail_remote_t self:udp_socket create_socket_perms; ++ + rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) + +-corenet_all_recvfrom_unlabeled(qmail_remote_t) + corenet_all_recvfrom_netlabel(qmail_remote_t) + corenet_tcp_sendrecv_generic_if(qmail_remote_t) ++corenet_udp_sendrecv_generic_if(qmail_remote_t) + corenet_tcp_sendrecv_generic_node(qmail_remote_t) +- +-corenet_sendrecv_smtp_client_packets(qmail_remote_t) +-corenet_tcp_connect_smtp_port(qmail_remote_t) ++corenet_udp_sendrecv_generic_node(qmail_remote_t) + 
corenet_tcp_sendrecv_smtp_port(qmail_remote_t) ++corenet_udp_sendrecv_dns_port(qmail_remote_t) ++corenet_tcp_connect_smtp_port(qmail_remote_t) ++corenet_sendrecv_smtp_client_packets(qmail_remote_t) + + dev_read_rand(qmail_remote_t) + dev_read_urand(qmail_remote_t) + +-sysnet_dns_name_resolve(qmail_remote_t) ++sysnet_read_config(qmail_remote_t) + + ######################################## + # +-# Rspawn local policy ++# qmail-rspawn local policy ++# this component scedules remote deliveries + # + + allow qmail_rspawn_t self:process signal_perms; +@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; + + rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) + ++corecmd_search_bin(qmail_rspawn_t) ++ + ######################################## + # +-# Send local policy ++# qmail-send local policy ++# this component delivers mail messages from the queue + # + + allow qmail_send_t self:process signal_perms; +@@ -234,7 +235,8 @@ optional_policy(` + + ######################################## + # +-# Smtpd local policy ++# qmail-smtpd local policy ++# this component receives mails via SMTP + # + + allow qmail_smtpd_t self:process signal_perms; +@@ -262,26 +264,26 @@ optional_policy(` + + ######################################## + # +-# Splogger local policy ++# splogger local policy ++# this component creates entries in syslog + # + + allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; + +-files_read_etc_files(qmail_splogger_t) + + init_dontaudit_use_script_fds(qmail_splogger_t) + +-miscfiles_read_localization(qmail_splogger_t) + + ######################################## + # +-# Start local policy ++# qmail-start local policy ++# this component starts up the mail delivery component + # + + allow qmail_start_t self:capability { setgid setuid }; + dontaudit qmail_start_t self:capability sys_tty_config; +-allow qmail_start_t self:fifo_file rw_fifo_file_perms; + allow qmail_start_t self:process signal_perms; ++allow 
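Review bot: DNS access for `qmail_remote_t` is now hand-assembled from udp socket perms, `corenet_udp_sendrecv_dns_port` and `sysnet_read_config` in place of `sysnet_dns_name_resolve`; only the UDP side is granted, so a resolver falling back to TCP on a truncated answer (large MX/A record sets are realistic for a relay) will be denied on the dns port with nothing in this hunk covering it. Unless forbidding TCP DNS is the intent, the single line `sysnet_dns_name_resolve(qmail_remote_t)` is both shorter and, as far as I recall the refpolicy interface, covers both transports. The hunk also drops `corenet_all_recvfrom_unlabeled(qmail_remote_t)`; `qpidd_t` loses the same call in this patch while `neutron_t` keeps it, so whether the base policy now grants it globally is worth stating in the commit message.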
qmail_start_t self:fifo_file rw_fifo_file_perms; + + can_exec(qmail_start_t, qmail_start_exec_t) + +@@ -298,7 +300,8 @@ optional_policy(` + + ######################################## + # +-# Tcp-env local policy ++# tcp-env local policy ++# this component sets up TCP-related environment variables + # + + allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; +diff --git a/qpid.if b/qpid.if +index cd51b96..f7e9c70 100644 +--- a/qpid.if ++++ b/qpid.if +@@ -1,4 +1,4 @@ +-## Apache QPID AMQP messaging server. ++## policy for qpidd + + ######################################## + ## +@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',` + type qpidd_t, qpidd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, qpidd_exec_t, qpidd_t) + ') + +-##################################### ++######################################## + ## +-## Read and write access qpidd semaphores. ++## Execute qpidd server in the qpidd domain. + ## + ## + ## +@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',` + ## + ## + # +-interface(`qpidd_rw_semaphores',` ++interface(`qpidd_initrc_domtrans',` + gen_require(` +- type qpidd_t; ++ type qpidd_initrc_exec_t; + ') + +- allow $1 qpidd_t:sem rw_sem_perms; ++ init_labeled_script_domtrans($1, qpidd_initrc_exec_t) + ') + + ######################################## + ## +-## Read and write qpidd shared memory. ++## Read qpidd PID files. + ## + ## + ## +@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',` + ## + ## + # +-interface(`qpidd_rw_shm',` ++interface(`qpidd_read_pid_files',` + gen_require(` +- type qpidd_t; ++ type qpidd_var_run_t; + ') + +- allow $1 qpidd_t:shm rw_shm_perms; ++ files_search_pids($1) ++ allow $1 qpidd_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Execute qpidd init script in +-## the initrc domain. ++## Manage qpidd var_run files. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. 
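Review bot: `qpidd_domtrans` drops `corecmd_search_bin($1)` and nothing replaces it, so a caller that does not already hold search on bin directories can no longer reach `qpidd_exec_t` to transition; the other domtrans interfaces in this patch (`neutron_domtrans`, `quota_domtrans_nld`) keep that call. Restore `corecmd_search_bin($1)` immediately before `domtrans_pattern($1, qpidd_exec_t, qpidd_t)`, or document why callers must supply it themselves.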
+ ## + ## + # +-interface(`qpidd_initrc_domtrans',` ++interface(`qpidd_manage_var_run',` + gen_require(` +- type qpidd_initrc_exec_t; ++ type qpidd_var_run_t; + ') + +- init_labeled_script_domtrans($1, qpidd_initrc_exec_t) ++ files_search_pids($1) ++ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ++ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ++ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + ') + + ######################################## + ## +-## Read qpidd pid files. ++## Search qpidd lib directories. + ## + ## + ## +@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',` + ## + ## + # +-interface(`qpidd_read_pid_files',` ++interface(`qpidd_search_lib',` + gen_require(` +- type qpidd_var_run_t; ++ type qpidd_var_lib_t; + ') + +- files_search_pids($1) +- allow $1 qpidd_var_run_t:file read_file_perms; ++ allow $1 qpidd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## + ## +-## Search qpidd lib directories. ++## Read qpidd lib files. + ## + ## + ## +@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',` + ## + ## + # +-interface(`qpidd_search_lib',` ++interface(`qpidd_read_lib_files',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) +- allow $1 qpidd_var_lib_t:dir search_dir_perms; ++ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + ') + + ######################################## + ## +-## Read qpidd lib files. ++## Create, read, write, and delete ++## qpidd lib files. 
+ ## + ## + ## +@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',` + ## + ## + # +-interface(`qpidd_read_lib_files',` ++interface(`qpidd_manage_lib_files',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) +- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## qpidd lib files. ++## Manage qpidd var_lib files. + ## + ## + ## +@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',` + ## + ## + # +-interface(`qpidd_manage_lib_files',` ++interface(`qpidd_manage_var_lib',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) ++ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + ') + +-######################################## ++##################################### + ## +-## All of the rules required to +-## administrate an qpidd environment. ++## Allow read and write access to qpidd semaphores. + ## + ## + ## + ## Domain allowed access. + ## + ## ++# ++interface(`qpidd_rw_semaphores',` ++ gen_require(` ++ type qpidd_t; ++ ') ++ ++ allow $1 qpidd_t:sem rw_sem_perms; ++') ++ ++####################################### ++## ++## Read and write to qpidd shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qpidd_rw_shm',` ++ gen_require(` ++ type qpidd_t; ++ type qpidd_tmpfs_t; ++ ') ++ ++ allow $1 qpidd_t:shm rw_shm_perms; ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t) ++') ++ ++####################################### ++## ++## All of the rules required to ++## administrate an qpidd environment. ++## ++## ++## ++## Domain allowed access. ++## ++## + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. 
++## + ## + ## + # + interface(`qpidd_admin',` +- gen_require(` +- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; +- type qpidd_var_run_t; +- ') ++ gen_require(` ++ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; ++ type qpidd_var_run_t; ++ ') + +- allow $1 qpidd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, qpidd_t) ++ allow $1 qpidd_t:process { signal_perms }; ++ ps_process_pattern($1, qpidd_t) + +- qpidd_initrc_domtrans($1) +- domain_system_change_exemption($1) +- role_transition $2 qpidd_initrc_exec_t system_r; +- allow $2 system_r; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 qpidd_t:process ptrace; ++ ') + +- files_search_var_lib($1( +- admin_pattern($1, qpidd_var_lib_t) ++ qpidd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 qpidd_initrc_exec_t system_r; ++ allow $2 system_r; + +- files_search_pids($1) +- admin_pattern($1, qpidd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, qpidd_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, qpidd_var_run_t) + ') +diff --git a/qpid.te b/qpid.te +index 76f5b39..8bb80a2 100644 +--- a/qpid.te ++++ b/qpid.te +@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) + type qpidd_initrc_exec_t; + init_script_file(qpidd_initrc_exec_t) + ++type qpidd_tmp_t; ++files_tmp_file(qpidd_tmp_t) ++ + type qpidd_tmpfs_t; + files_tmpfs_file(qpidd_tmpfs_t) + +@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms; + allow qpidd_t self:tcp_socket { accept listen }; + allow qpidd_t self:unix_stream_socket { accept listen }; + ++manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t) ++manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t) ++files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file }) ++ + manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) + manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) + fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) + +-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) 
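Review bot: `qpidd_rw_shm` is summarised as "Read and write to qpidd shared memory" but the new body also grants `manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)`, i.e. create/unlink/rename on the broker's tmpfs-backed files, which lets any caller of a "rw" interface delete the segments the broker relies on. If clients only map existing segments, `rw_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)` matches the name; if create/delete is genuinely required, the summary should say so. On the positive side `qpidd_admin` now puts `ptrace` behind the `deny_ptrace` tunable — `neutron_admin`, added in the same patch, should get the same treatment.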
+-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) ++manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) ++manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) + files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) + +-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) ++manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) ++manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) + files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) + + kernel_read_system_state(qpidd_t) + +-corenet_all_recvfrom_unlabeled(qpidd_t) + corenet_all_recvfrom_netlabel(qpidd_t) ++corenet_tcp_bind_generic_node(qpidd_t) + corenet_tcp_sendrecv_generic_if(qpidd_t) + corenet_tcp_sendrecv_generic_node(qpidd_t) +-corenet_tcp_bind_generic_node(qpidd_t) + + corenet_sendrecv_amqp_server_packets(qpidd_t) + corenet_tcp_bind_amqp_port(qpidd_t) + corenet_tcp_sendrecv_amqp_port(qpidd_t) + ++corenet_tcp_bind_matahari_port(qpidd_t) ++corenet_tcp_connect_matahari_port(qpidd_t) ++ + dev_read_sysfs(qpidd_t) + dev_read_urand(qpidd_t) ++dev_read_rand(qpidd_t) + +-files_read_etc_files(qpidd_t) ++# needed by ssl ++files_list_tmp(qpidd_t) + + logging_send_syslog_msg(qpidd_t) + +-miscfiles_read_localization(qpidd_t) +- + sysnet_dns_name_resolve(qpidd_t) + + optional_policy(` +- corosync_stream_connect(qpidd_t) ++ kerberos_use(qpidd_t) + ') ++ ++optional_policy(` ++ rhcs_stream_connect_cluster(qpidd_t) ++') ++ +diff --git a/quantum.fc b/quantum.fc +index 70ab68b..32dec67 100644 +--- a/quantum.fc ++++ b/quantum.fc +@@ -1,10 +1,28 @@ +-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) + +-/usr/bin/quantum-server -- 
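Review bot: The comment `# needed by ssl` over `files_list_tmp(qpidd_t)` names neither the component nor the path that lists /tmp, so nobody can later tell whether the rule is still required; something like `# the SSL backend lists /tmp on startup (TODO: confirm which library/path, drop if it was only an audit artefact)` would make it maintainable. The same hunk grants both bind and connect on the matahari port and swaps `corosync_stream_connect` for `rhcs_stream_connect_cluster`; the bind+connect pair implies qpidd acts as both server and client on that port, which is plausible but deserves one comment line, and the added `dev_read_rand(qpidd_t)` alongside the existing `dev_read_urand` is worth a word on which code path blocks on /dev/random.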
gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
++/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
+ 
+-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
++/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
++/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
+ 
+-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
++/var/lib/neutron(/.*)?
gen_context(system_u:object_r:neutron_var_lib_t,s0) ++/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0) ++ ++/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) ++/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) +diff --git a/quantum.if b/quantum.if +index afc0068..3105104 100644 +--- a/quantum.if ++++ b/quantum.if +@@ -2,41 +2,293 @@ + + ######################################## + ## +-## All of the rules required to +-## administrate an quantum environment. ++## Transition to neutron. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`neutron_domtrans',` ++ gen_require(` ++ type neutron_t, neutron_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, neutron_exec_t, neutron_t) ++') ++ ++######################################## ++## ++## Allow read/write neutron pipes + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`neutron_rw_inherited_pipes',` ++ gen_require(` ++ type neutron_t; ++ ') ++ ++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send sigchld to neutron. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. ++## ++## ++# ++# ++interface(`neutron_sigchld',` ++ gen_require(` ++ type neutron_t; ++ ') ++ ++ allow $1 neutron_t:process sigchld; ++') ++ ++######################################## ++## ++## Read neutron's log files. ++## ++## ++## ++## Domain allowed access. + ## + ## + ## + # +-interface(`quantum_admin',` ++interface(`neutron_read_log',` ++ gen_require(` ++ type neutron_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, neutron_log_t, neutron_log_t) ++') ++ ++######################################## ++## ++## Append to neutron log files. ++## ++## ++## ++## Domain allowed access. 
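Review bot: `/usr/bin/neutron-rootwrap` receives the same `neutron_exec_t` label as the agents, but it is the helper the agents invoke through sudo to run privileged commands (the quantum.te side of this patch adds `sudo_exec(neutron_t)`), so it is the one entry here whose execution crosses a privilege boundary and it should carry a comment, e.g. `# invoked via sudo by the agents; see sudo_exec() in quantum.te`. Which domain a rootwrap started via sudo from `neutron_t` ends up in cannot be determined from the .fc file alone — presumably `neutron_t` itself — and that is the fact a reader of this file needs confirmed and written down. Keeping the legacy `quantum.*` init-script and unit-file patterns next to the `neutron.*` ones is the right call for upgrades.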
++## ++## ++# ++interface(`neutron_append_log',` ++ gen_require(` ++ type neutron_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, neutron_log_t, neutron_log_t) ++') ++ ++######################################## ++## ++## Manage neutron log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_manage_log',` ++ gen_require(` ++ type neutron_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, neutron_log_t, neutron_log_t) ++ manage_files_pattern($1, neutron_log_t, neutron_log_t) ++ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t) ++') ++ ++######################################## ++## ++## Search neutron lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_search_lib',` ++ gen_require(` ++ type neutron_var_lib_t; ++ ') ++ ++ allow $1 neutron_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read neutron lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_read_lib_files',` + gen_require(` +- type quantum_t, quantum_initrc_exec_t, quantum_log_t; +- type quantum_var_lib_t, quantum_tmp_t; ++ type neutron_var_lib_t; + ') + +- allow $1 quantum_t:process { ptrace signal_perms }; +- ps_process_pattern($1, quantum_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) ++') ++ ++######################################## ++## ++## Manage neutron lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`neutron_manage_lib_files',` ++ gen_require(` ++ type neutron_var_lib_t; ++ ') + +- init_labeled_script_domtrans($1, quantum_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quantum_initrc_exec_t system_r; +- allow $2 system_r; ++ files_search_var_lib($1) ++ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) ++') ++ ++######################################## ++## ++## Manage neutron lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_manage_lib_dirs',` ++ gen_require(` ++ type neutron_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t) ++') ++ ++######################################## ++## ++## Read and write neutron fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_rw_fifo_file',` ++ gen_require(` ++ type neutron_t; ++ ') ++ ++ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++##################################### ++## ++## Connect to neutron over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_stream_connect',` ++ gen_require(` ++ type neutron_t; ++ type neutron_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t ) ++') ++ ++######################################## ++## ++## Execute neutron server in the neutron domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`neutron_systemctl',` ++ gen_require(` ++ type neutron_t; ++ type neutron_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 neutron_unit_file_t:file read_file_perms; ++ allow $1 neutron_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, neutron_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an neutron environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`neutron_admin',` ++ gen_require(` ++ type neutron_t; ++ type neutron_log_t; ++ type neutron_var_lib_t; ++ type neutron_unit_file_t; ++ ') ++ ++ allow $1 neutron_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, neutron_t) + + logging_search_logs($1) +- admin_pattern($1, quantum_log_t) ++ admin_pattern($1, neutron_log_t) + + files_search_var_lib($1) +- admin_pattern($1, quantum_var_lib_t) ++ admin_pattern($1, neutron_var_lib_t) + +- files_search_tmp($1) +- admin_pattern($1, quantum_tmp_t) ++ neutron_systemctl($1) ++ admin_pattern($1, neutron_unit_file_t) ++ allow $1 neutron_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/quantum.te b/quantum.te +index 769d1fd..0ef5efc 100644 +--- a/quantum.te ++++ b/quantum.te +@@ -1,96 +1,109 @@ +-policy_module(quantum, 1.0.2) ++policy_module(quantum, 1.0.3) + + ######################################## + # + # Declarations + # + +-type quantum_t; +-type quantum_exec_t; +-init_daemon_domain(quantum_t, quantum_exec_t) ++type neutron_t alias quantum_t; ++type neutron_exec_t alias quantum_exec_t; ++init_daemon_domain(neutron_t, neutron_exec_t) + +-type quantum_initrc_exec_t; +-init_script_file(quantum_initrc_exec_t) ++type neutron_initrc_exec_t alias quantum_initrc_exec_t; ++init_script_file(neutron_initrc_exec_t) + +-type quantum_log_t; +-logging_log_file(quantum_log_t) 
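Review bot: `neutron_admin` grants `allow $1 neutron_t:process { ptrace signal_perms };` unconditionally, whereas `qpidd_admin` in this same patch keeps `signal_perms` and moves `ptrace` under a `deny_ptrace` tunable_policy block; the two admin interfaces should agree, so split the line the same way here. Three smaller points in the hunk: `neutron_rw_inherited_pipes` and `neutron_rw_fifo_file` have identical bodies and one should go; `neutron_stream_connect` calls `files_search_pids($1)` but connects through `neutron_var_lib_t`, so it presumably wants `files_search_var_lib($1)`; and the summary of `neutron_systemctl` ("Execute neutron server in the neutron domain") describes a domtrans rather than what the body does — `Manage the neutron service via systemctl.` is closer. Finally `neutron_admin` both calls `neutron_systemctl($1)` (which already grants `manage_service_perms`) and then adds `all_service_perms`; one of the two is redundant.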
++type neutron_log_t alias quantum_log_t;
++logging_log_file(neutron_log_t)
+ 
+-type quantum_tmp_t;
+-files_tmp_file(quantum_tmp_t)
++type neutron_tmp_t alias quantum_tmp_t;
++files_tmp_file(neutron_tmp_t)
+ 
+-type quantum_var_lib_t;
+-files_type(quantum_var_lib_t)
++type neutron_var_lib_t alias quantum_var_lib_t;
++files_type(neutron_var_lib_t)
++
++type neutron_unit_file_t alias quantum_unit_file_t;
++systemd_unit_file(neutron_unit_file_t)
+ 
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-allow quantum_t self:capability { setgid setuid sys_resource };
+-allow quantum_t self:process { setsched setrlimit };
+-allow quantum_t self:fifo_file rw_fifo_file_perms;
+-allow quantum_t self:key manage_key_perms;
+-allow quantum_t self:tcp_socket { accept listen };
+-allow quantum_t self:unix_stream_socket { accept listen };
++allow neutron_t self:capability { setgid setuid sys_resource };
++allow neutron_t self:process { setsched setrlimit };
++allow neutron_t self:fifo_file rw_fifo_file_perms;
++allow neutron_t self:key manage_key_perms;
++allow neutron_t self:tcp_socket { accept listen };
++allow neutron_t self:unix_stream_socket { accept listen };
+ 
+-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
+-logging_log_filetrans(quantum_t, quantum_log_t, dir)
++manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
++append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
++logging_log_filetrans(neutron_t, neutron_log_t, dir)
+ 
+-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
+-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+ 
+-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
+-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+ 
+-can_exec(quantum_t, quantum_tmp_t)
++can_exec(neutron_t, neutron_tmp_t)
+ 
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
++kernel_read_kernel_sysctls(neutron_t)
++kernel_read_system_state(neutron_t)
+ 
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
++corecmd_exec_shell(neutron_t)
++corecmd_exec_bin(neutron_t)
+ 
+-corenet_all_recvfrom_unlabeled(quantum_t)
+-corenet_all_recvfrom_netlabel(quantum_t)
+-corenet_tcp_sendrecv_generic_if(quantum_t)
+-corenet_tcp_sendrecv_generic_node(quantum_t)
+-corenet_tcp_sendrecv_all_ports(quantum_t)
+-corenet_tcp_bind_generic_node(quantum_t)
++corenet_all_recvfrom_unlabeled(neutron_t)
++corenet_all_recvfrom_netlabel(neutron_t)
++corenet_tcp_sendrecv_generic_if(neutron_t)
++corenet_tcp_sendrecv_generic_node(neutron_t)
++corenet_tcp_sendrecv_all_ports(neutron_t)
++corenet_tcp_bind_generic_node(neutron_t)
+ 
+-dev_list_sysfs(quantum_t)
+-dev_read_urand(quantum_t)
++corenet_tcp_bind_neutron_port(neutron_t)
++corenet_tcp_connect_keystone_port(neutron_t)
++corenet_tcp_connect_amqp_port(neutron_t)
++corenet_tcp_connect_mysqld_port(neutron_t)
+ 
+-files_read_usr_files(quantum_t)
++dev_list_sysfs(neutron_t)
++dev_read_urand(neutron_t)
+ 
+-auth_use_nsswitch(quantum_t)
++auth_use_nsswitch(neutron_t)
+ 
+-libs_exec_ldconfig(quantum_t)
++libs_exec_ldconfig(neutron_t)
+ 
+-logging_send_audit_msgs(quantum_t)
+-logging_send_syslog_msg(quantum_t)
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
+ 
+-miscfiles_read_localization(quantum_t)
++sysnet_exec_ifconfig(neutron_t)
+ 
+-sysnet_domtrans_ifconfig(quantum_t)
++optional_policy(`
++ brctl_domtrans(neutron_t)
++')
+ 
+ optional_policy(`
+- brctl_domtrans(quantum_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
++
++ mysql_tcp_connect(neutron_t)
+ ')
+ 
+ optional_policy(`
+- mysql_stream_connect(quantum_t)
+- mysql_read_config(quantum_t)
++ postgresql_stream_connect(neutron_t)
++ postgresql_unpriv_client(neutron_t)
+ 
+- mysql_tcp_connect(quantum_t)
++ postgresql_tcp_connect(neutron_t)
+ ')
+ 
+ optional_policy(`
+- postgresql_stream_connect(quantum_t)
+- postgresql_unpriv_client(quantum_t)
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
++')
+ 
+- postgresql_tcp_connect(quantum_t)
++optional_policy(`
++ sudo_exec(neutron_t)
+ ')
+diff --git a/quota.fc b/quota.fc
+index cadabe3..0ee2489 100644
+--- a/quota.fc
++++ b/quota.fc
+@@ -1,6 +1,5 @@
+ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-
+-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ 
+ /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ 
+@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ 
+ /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ 
+-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
+-
+-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
++/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+ 
+-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+ /usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+-/usr/sbin/quota_nld --
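Review bot: `sudo_exec(neutron_t)` runs sudo without a domain transition, so — as I read the interface — sudo and whatever rootwrap launches afterwards keep executing as `neutron_t`; together with `corecmd_exec_bin`/`corecmd_exec_shell` and the switch from `sysnet_domtrans_ifconfig` to `sysnet_exec_ifconfig` in this hunk, all privileged network plumbing now happens inside the agent's own domain. The only capabilities visible for that domain are `{ setgid setuid sys_resource }`, so either the ip/bridge/dnsmasq commands will be denied on net_admin-class operations, or those capabilities are granted outside this hunk, in which case `neutron_t` is close to root-equivalent and the retained `can_exec(neutron_t, neutron_tmp_t)` (execute files the agent itself wrote to /tmp) deserves a second look. At minimum the sudo block needs a why-comment, e.g. `# neutron-rootwrap is invoked through sudo; no transition, the commands stay in neutron_t`.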
gen_context(system_u:object_r:quota_nld_exec_t,s0)
+ 
+ /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
++/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ 
+-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
++ifdef(`distro_redhat',`
++/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
++',`
++/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
++')
+ 
+-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
++/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
+ 
+-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ 
+-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+diff --git a/quota.if b/quota.if
+index da64218..3fb8575 100644
+--- a/quota.if
++++ b/quota.if
+@@ -1,4 +1,4 @@
+-## File system quota management.
++## File system quota management
+ 
+ ########################################
+ ##
+@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
+ 
+ ########################################
+ ##
+-## Execute quota management tools in
+-## the quota domain, and allow the
+-## specified role the quota domain.
++## Execute quota management tools in the quota domain, and
++## allow the specified role the quota domain.
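Review bot: `/var/spool/(.*/)?a?quota\.(user|group)` replaces four explicit spool directories with a pattern that labels a file of that name at any depth under /var/spool, including per-user mailbox and MTA queue directories that less-trusted domains can write to; a relabel would then hand such a file `quota_db_t`, the type the quota tools are trusted to manage. Since `quota_filetrans_named_content` in quota.if (same patch) already adds `files_spool_filetrans` and `mta_spool_filetrans` for exactly these locations, keeping the explicit list is cheap and tighter. The distro_redhat ifdef is applied only to `convertquota` while `/sbin/quota(check|on)` and `/usr/sbin/quota(check|on)` are both kept unconditionally; that asymmetry deserves a comment or the same treatment.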
+ ## + ## + ## +@@ -39,90 +38,54 @@ interface(`quota_domtrans',` + # + interface(`quota_run',` + gen_require(` +- attribute_role quota_roles; ++ type quota_t; + ') + + quota_domtrans($1) +- roleattribute $2 quota_roles; ++ role $2 types quota_t; + ') + + ####################################### + ## +-## Execute quota nld in the quota nld domain. ++## Alow to read of filesystem quota data files. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain to not audit. ++## + ## + # +-interface(`quota_domtrans_nld',` +- gen_require(` +- type quota_nld_t, quota_nld_exec_t; +- ') ++interface(`quota_read_db',` ++ gen_require(` ++ type quota_db_t; ++ ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ++ allow $1 quota_db_t:file read_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## quota db files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`quota_manage_db_files',` +- gen_require(` +- type quota_db_t; +- ') +- +- allow $1 quota_db_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in specified +-## directories with a type transition to +-## the quota db file type. ++## Do not audit attempts to get the attributes ++## of filesystem quota data files. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Directory to transition on. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain to not audit. + ## + ## + # +-interface(`quota_spec_filetrans_db',` ++interface(`quota_dontaudit_getattr_db',` + gen_require(` + type quota_db_t; + ') + +- filetrans_pattern($1, $2, quota_db_t, $3, $4) ++ dontaudit $1 quota_db_t:file getattr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get attributes +-## of filesystem quota data files. 
++## Create, read, write, and delete quota ++## db files. + ## + ## + ## +@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',` + ## + ## + # +-interface(`quota_dontaudit_getattr_db',` ++interface(`quota_manage_db',` + gen_require(` + type quota_db_t; + ') + +- dontaudit $1 quota_db_t:file getattr_file_perms; ++ allow $1 quota_db_t:file manage_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## quota flag files. ++## Create, read, write, and delete quota ++## flag files. + ## + ## + ## +@@ -160,37 +123,56 @@ interface(`quota_manage_flags',` + + ######################################## + ## +-## All of the rules required to +-## administrate an quota environment. ++## Transition to quota named content + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`quota_admin',` ++interface(`quota_filetrans_named_content',` + gen_require(` +- type quota_nld_t, quota_t, quota_db_t; +- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t; ++ type quota_db_t; + ') + +- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { quota_nld_t quota_t }) +- +- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quota_nld_initrc_exec_t system_r; +- allow $2 system_r; ++ files_root_filetrans($1, quota_db_t, file, "aquota.user") ++ files_root_filetrans($1, quota_db_t, file, "aquota.group") ++ files_boot_filetrans($1, quota_db_t, file, "aquota.user") ++ files_boot_filetrans($1, quota_db_t, file, "aquota.group") ++ files_etc_filetrans($1, quota_db_t, file, "aquota.user") ++ files_etc_filetrans($1, quota_db_t, file, "aquota.group") ++ files_tmp_filetrans($1, quota_db_t, file, "aquota.user") ++ files_tmp_filetrans($1, quota_db_t, file, "aquota.group") ++ files_home_filetrans($1, quota_db_t, file, "aquota.user") ++ 
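Review bot: The documentation of the new `quota_read_db` interface does not match its rule: the summary reads `Alow to read of filesystem quota data files.` and the parameter is described as `Domain to not audit.`, yet the body is an `allow $1 quota_db_t:file read_file_perms;` rule, not a dontaudit. Suggest `## Read filesystem quota data files.` for the summary and `## Domain allowed access.` for the parameter, matching the wording the other interfaces in this file use. The same hunk also removes `quota_manage_db_files` (replaced by `quota_manage_db` in the next hunk) and `quota_spec_filetrans_db` without leaving deprecation stubs, so any external caller of those names stops building; the `refpolicywarn(`$0($*) has been deprecated.')` idiom visible in radius.if's `radius_use` would keep them compiling.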
files_home_filetrans($1, quota_db_t, file, "aquota.group") ++ files_usr_filetrans($1, quota_db_t, file, "aquota.user") ++ files_usr_filetrans($1, quota_db_t, file, "aquota.group") ++ files_var_filetrans($1, quota_db_t, file, "aquota.user") ++ files_var_filetrans($1, quota_db_t, file, "aquota.group") ++ files_spool_filetrans($1, quota_db_t, file, "aquota.user") ++ files_spool_filetrans($1, quota_db_t, file, "aquota.group") ++ mta_spool_filetrans($1, quota_db_t, file, "aquota.user") ++ mta_spool_filetrans($1, quota_db_t, file, "aquota.group") ++ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user") ++ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group") ++') + +- files_list_all($1) +- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t }) ++####################################### ++## ++## Transition to quota_nld. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`quota_domtrans_nld',` ++ gen_require(` ++ type quota_nld_t, quota_nld_exec_t; ++ ') + +- quota_run($1, $2) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) + ') +diff --git a/quota.te b/quota.te +index 4b2c272..1aee969 100644 +--- a/quota.te ++++ b/quota.te +@@ -1,16 +1,14 @@ +-policy_module(quota, 1.5.2) ++policy_module(quota, 1.5.0) + + ######################################## + # + # Declarations + # + +-attribute_role quota_roles; +- + type quota_t; + type quota_exec_t; +-init_system_domain(quota_t, quota_exec_t) +-role quota_roles types quota_t; ++application_domain(quota_t, quota_exec_t) ++#init_system_domain(quota_t, quota_exec_t) + + type quota_db_t; + files_type(quota_db_t) +@@ -22,9 +20,6 @@ type quota_nld_t; + type quota_nld_exec_t; + init_daemon_domain(quota_nld_t, quota_nld_exec_t) + +-type quota_nld_initrc_exec_t; +-init_script_file(quota_nld_initrc_exec_t) +- + type quota_nld_var_run_t; + files_pid_file(quota_nld_var_run_t) + +@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override }; + 
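Review bot: `quota_admin` is removed outright in this hunk, so any module that still calls it fails to build; if the removal is intentional, a stub emitting `refpolicywarn(`$0($*) has been deprecated.')`, as radius.if's `radius_use` does, keeps callers compiling. The replacement `quota_filetrans_named_content` calls `mta_spool_filetrans` and `mta_spool_filetrans_queue` unconditionally, whereas the removed quota.te rules wrapped the mta calls in `optional_policy(`...')`; unless mta is guaranteed to be part of the base policy here, wrap them the same way. The same unconditional mta calls are added to quota.te in the hunk at `@@ -80,17 +67,28 @@`.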
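Review bot: `policy_module(quota, 1.5.2)` is lowered to `policy_module(quota, 1.5.0)`, so the module version goes backwards relative to the file being patched; module versions should only move forward, or at least stay at 1.5.2. The replaced declaration is kept as `#init_system_domain(quota_t, quota_exec_t)` directly under the new `application_domain(quota_t, quota_exec_t)`; a commented-out rule is dead code and should be dropped, or replaced by a one-line comment stating why quota_t is now an application domain rather than an init system domain.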
dontaudit quota_t self:capability sys_tty_config; + allow quota_t self:process signal_perms; + ++# for /quota.* + allow quota_t quota_db_t:file { manage_file_perms quotaon }; + files_root_filetrans(quota_t, quota_db_t, file) + files_boot_filetrans(quota_t, quota_db_t, file) +@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file) + files_spool_filetrans(quota_t, quota_db_t, file) + userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) + +-kernel_request_load_module(quota_t) + kernel_list_proc(quota_t) + kernel_read_proc_symlinks(quota_t) + kernel_read_kernel_sysctls(quota_t) +@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t) + dev_getattr_all_blk_files(quota_t) + dev_getattr_all_chr_files(quota_t) + +-files_list_all(quota_t) +-files_read_all_files(quota_t) +-files_read_all_symlinks(quota_t) +-files_getattr_all_pipes(quota_t) +-files_getattr_all_sockets(quota_t) +-files_getattr_all_file_type_fs(quota_t) +-files_read_etc_runtime_files(quota_t) +- + fs_get_xattr_fs_quotas(quota_t) + fs_set_xattr_fs_quotas(quota_t) + fs_getattr_xattr_fs(quota_t) +@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t) + + domain_use_interactive_fds(quota_t) + ++files_list_all(quota_t) ++files_read_all_files(quota_t) ++files_read_all_symlinks(quota_t) ++files_getattr_all_pipes(quota_t) ++files_getattr_all_sockets(quota_t) ++files_getattr_all_file_type_fs(quota_t) ++# Read /etc/mtab. 
++files_read_etc_runtime_files(quota_t) ++ + init_use_fds(quota_t) + init_use_script_ptys(quota_t) + + logging_send_syslog_msg(quota_t) + +-userdom_use_user_terminals(quota_t) ++mta_spool_filetrans(quota_t, quota_db_t, file) ++mta_spool_filetrans_queue(quota_t, quota_db_t, file) ++ ++userdom_use_inherited_user_terminals(quota_t) + userdom_dontaudit_use_unpriv_user_fds(quota_t) + + optional_policy(` +- mta_queue_filetrans(quota_t, quota_db_t, file) +- mta_spool_filetrans(quota_t, quota_db_t, file) ++ openshift_lib_filetrans(quota_t, quota_db_t, file) + ') + + optional_policy(` +@@ -103,12 +101,12 @@ optional_policy(` + + ####################################### + # +-# Nld local policy ++# Local policy + # + + allow quota_nld_t self:fifo_file rw_fifo_file_perms; + allow quota_nld_t self:netlink_socket create_socket_perms; +-allow quota_nld_t self:unix_stream_socket { accept listen }; ++allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; + + manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) + files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) +@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t) + + logging_send_syslog_msg(quota_nld_t) + +-miscfiles_read_localization(quota_nld_t) +- + userdom_use_user_terminals(quota_nld_t) + + optional_policy(` +- dbus_system_bus_client(quota_nld_t) +- dbus_connect_system_bus(quota_nld_t) ++ dbus_system_bus_client(quota_nld_t) ++ dbus_connect_system_bus(quota_nld_t) + ') +diff --git a/rabbitmq.fc b/rabbitmq.fc +index c5ad6de..a48c318 100644 +--- a/rabbitmq.fc ++++ b/rabbitmq.fc +@@ -4,7 +4,11 @@ + /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) + + /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) ++/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) ++ ++/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0) + + /var/log/rabbitmq(/.*)? 
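Review bot: Renaming the section header `# Nld local policy` to `# Local policy` removes the only marker that separates the quota_nld_t rules from the quota_t rules above it; keep `# Nld local policy` (or `# quota_nld local policy`). In the same hunk `allow quota_nld_t self:unix_stream_socket { accept listen };` becomes `create_stream_socket_perms`, which additionally grants create, connect, read and write on the socket; if the daemon really needs the wider set, a short comment naming the reason would help the next reader.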
gen_context(system_u:object_r:rabbitmq_var_log_t,s0) ++/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) + + /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) +diff --git a/rabbitmq.if b/rabbitmq.if +index 2c3d338..cf3e5ad 100644 +--- a/rabbitmq.if ++++ b/rabbitmq.if +@@ -10,13 +10,13 @@ + ## + ## + # +-interface(`rabbitmq_domtrans',` ++interface(`rabbitmq_domtrans_beam',` + gen_require(` +- type rabbitmq_t, rabbitmq_exec_t; ++ type rabbitmq_beam_t, rabbitmq_beam_exec_t; + ') + + corecmd_search_bin($1) +- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) ++ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t) + ') + + ######################################## +diff --git a/rabbitmq.te b/rabbitmq.te +index 3698b51..136b017 100644 +--- a/rabbitmq.te ++++ b/rabbitmq.te +@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) + type rabbitmq_var_lib_t; + files_type(rabbitmq_var_lib_t) + ++type rabbitmq_var_lock_t; ++files_lock_file(rabbitmq_var_lock_t) ++ + type rabbitmq_var_log_t; + logging_log_file(rabbitmq_var_log_t) + +@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t) + # Beam local policy + # + ++allow rabbitmq_beam_t self:capability setuid; ++ + allow rabbitmq_beam_t self:process { setsched signal signull }; + allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; + allow rabbitmq_beam_t self:tcp_socket { accept listen }; +@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) + manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) + + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++ 
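Review bot: The new entries label `/var/lib/ejabberd`, `/var/lock/ejabberdctl` and `/var/log/ejabberd` with the rabbitmq_var_* types, which makes ejabberd's state, locks and logs fully manageable by rabbitmq_beam_t (see the `manage_*_pattern` rules on those types in rabbitmq.te) and removes the type separation between the two services. If ejabberd is meant to share the rabbitmq domain because both run on the same beam executable, a comment saying so belongs above these lines; otherwise ejabberd should get its own types, which is how the rest of this patch treats other services.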
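Review bot: Renaming `rabbitmq_domtrans` to `rabbitmq_domtrans_beam` without keeping the old name breaks every existing caller of `rabbitmq_domtrans`, and this hunk shows no caller being updated. Keep a compatibility interface `rabbitmq_domtrans` that calls `rabbitmq_domtrans_beam($1)` and emits `refpolicywarn(`$0($*) has been deprecated.')`, the idiom radius.if's `radius_use` uses. The interface's summary block lies above the hunk and should be checked so that it now names the beam domain.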
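Review bot: `allow rabbitmq_beam_t self:capability setuid;` is added with no comment on what the beam runtime does with it, and a capability grant is exactly the rule a later reviewer will want a reason for. Suggest a comment above it naming the operation that needs it, e.g. `# beam drops/changes uid when <reason — confirm from the denial that motivated this>`, or pairing the line with the rule that actually requires the uid change.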
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) ++files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file) + + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) + manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) + ++ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) ++ + can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) + + domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) + + kernel_read_system_state(rabbitmq_beam_t) ++kernel_read_fs_sysctls(rabbitmq_beam_t) + + corecmd_exec_bin(rabbitmq_beam_t) + corecmd_exec_shell(rabbitmq_beam_t) + ++corenet_tcp_bind_generic_node(rabbitmq_beam_t) ++corenet_udp_bind_generic_node(rabbitmq_beam_t) + corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) + corenet_all_recvfrom_netlabel(rabbitmq_beam_t) + corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) + corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) + corenet_tcp_bind_generic_node(rabbitmq_beam_t) ++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) + + corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) + corenet_tcp_bind_amqp_port(rabbitmq_beam_t) +@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) + corenet_tcp_connect_epmd_port(rabbitmq_beam_t) + corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) + +-dev_read_sysfs(rabbitmq_beam_t) ++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) ++ ++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) ++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) ++ ++domain_read_all_domains_state(rabbitmq_beam_t) ++ ++auth_read_passwd(rabbitmq_beam_t) ++auth_use_pam(rabbitmq_beam_t) + +-files_read_etc_files(rabbitmq_beam_t) ++files_getattr_all_mountpoints(rabbitmq_beam_t) + +-miscfiles_read_localization(rabbitmq_beam_t) ++fs_getattr_all_fs(rabbitmq_beam_t) ++fs_getattr_all_dirs(rabbitmq_beam_t) 
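Review bot: `corenet_tcp_bind_generic_node(rabbitmq_beam_t)` is added here while the identical call is already present as a context line a few lines further down in this hunk, so it is now declared twice; drop the added copy. The log rules change from `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` to `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)`, which adds write, rename and unlink on existing log files; append-only was the tamper-resistant choice, so if the broadening is required by an observed denial it deserves a comment naming it.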
++fs_getattr_cgroup(rabbitmq_beam_t) ++fs_search_cgroup_dirs(rabbitmq_beam_t) ++ ++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) ++ ++dev_read_sysfs(rabbitmq_beam_t) ++dev_read_urand(rabbitmq_beam_t) ++ ++storage_getattr_fixed_disk_dev(rabbitmq_beam_t) + + sysnet_dns_name_resolve(rabbitmq_beam_t) + ++logging_send_syslog_msg(rabbitmq_beam_t) ++ ++optional_policy(` ++ couchdb_manage_lib_files(rabbitmq_beam_t) ++ couchdb_read_conf_files(rabbitmq_beam_t) ++ couchdb_read_log_files(rabbitmq_beam_t) ++ couchdb_search_pid_dirs(rabbitmq_beam_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(rabbitmq_beam_t) ++') ++ + ######################################## + # + # Epmd local policy + # + +- + allow rabbitmq_epmd_t self:process signal; + allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; + allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; +@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) + corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) + corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) + +-files_read_etc_files(rabbitmq_epmd_t) +- + logging_send_syslog_msg(rabbitmq_epmd_t) + +-miscfiles_read_localization(rabbitmq_epmd_t) +diff --git a/radius.fc b/radius.fc +index c84b7ae..29c453e 100644 +--- a/radius.fc ++++ b/radius.fc +@@ -9,6 +9,8 @@ + /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) + /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) + ++/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) ++ + /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) + + /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) +diff --git a/radius.if b/radius.if +index 4460582..60cf556 100644 +--- a/radius.if ++++ b/radius.if +@@ -14,6 +14,29 @@ interface(`radius_use',` + refpolicywarn(`$0($*) has been deprecated.') + ') + ++####################################### ++## ++## Execute radiusd server in the radiusd domain. 
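Review bot: The ejabberd/couchdb rules folded into rabbitmq_beam_t here — `corenet_tcp_bind_jabber_client_port`, `corenet_tcp_bind_jabber_interserver_port`, `corenet_tcp_bind_couchdb_port` and the couchdb optional block with `couchdb_manage_lib_files` — come with no comment explaining why a second and third service share this domain. At minimum a comment such as `# ejabberd and couchdb also run on the beam runtime and share this domain` should precede them. `domain_read_all_domains_state(rabbitmq_beam_t)` and `auth_read_passwd(rabbitmq_beam_t)` are broad; if the specific domains whose state is read are known, narrow to those. `files_read_etc_files` and `miscfiles_read_localization` are dropped in this hunk, presumably because this policy base grants them to all domains, but that is not visible in the patch.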
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`radiusd_systemctl',` ++ gen_require(` ++ type radiusd_unit_file_t; ++ type radiusd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 radiusd_unit_file_t:file read_file_perms; ++ allow $1 radiusd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, radiusd_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -35,11 +58,14 @@ interface(`radius_admin',` + gen_require(` + type radiusd_t, radiusd_etc_t, radiusd_log_t; + type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; +- type radiusd_initrc_exec_t; ++ type radiusd_initrc_exec_t, radiusd_unit_file_t; + ') + +- allow $1 radiusd_t:process { ptrace signal_perms }; ++ allow $1 radiusd_t:process signal_perms; + ps_process_pattern($1, radiusd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 radiusd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -57,4 +83,9 @@ interface(`radius_admin',` + + files_list_pids($1) + admin_pattern($1, radiusd_var_run_t) ++ ++ admin_pattern($1, radiusd_unit_file_t) ++ bind_systemctl($1) ++ allow $1 radiusd_unit_file_t:service all_service_perms; ++ + ') +diff --git a/radius.te b/radius.te +index 1e7927f..eb72458 100644 +--- a/radius.te ++++ b/radius.te +@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) + type radiusd_var_run_t; + files_pid_file(radiusd_var_run_t) + ++type radiusd_unit_file_t; ++systemd_unit_file(radiusd_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) + manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) + manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) + files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) ++files_dontaudit_list_tmp(radiusd_t) + + 
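Review bot: The summary of the new `radiusd_systemctl` interface, `Execute radiusd server in the radiusd domain.`, and its parameter text `Domain allowed to transition.` describe a domain transition, but the body only grants `systemd_exec_systemctl($1)`, read on `radiusd_unit_file_t` and `manage_service_perms` on the unit — nothing transitions into radiusd_t. Suggest `## Manage the radiusd systemd units with systemctl.` and `## Domain allowed access.`. The name also breaks this module's `radius_` prefix convention (`radius_use`, `radius_admin`), so `radius_systemctl` would be more consistent; the same applies to `mdadm_systemctl` in raid.if.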
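Review bot: `bind_systemctl($1)` inside `radius_admin` looks like a copy-paste from another module: it presumably hands the admin control over bind's unit file rather than radiusd's, while the `radiusd_systemctl` interface added earlier in this file is never called. Replace it with `radiusd_systemctl($1)`. The added blank line before the closing `')` is also unlike the other interfaces in this file.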
kernel_read_kernel_sysctls(radiusd_t) + kernel_read_system_state(radiusd_t) + +-corenet_all_recvfrom_unlabeled(radiusd_t) + corenet_all_recvfrom_netlabel(radiusd_t) + corenet_tcp_sendrecv_generic_if(radiusd_t) + corenet_udp_sendrecv_generic_if(radiusd_t) +@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) + corenet_udp_sendrecv_all_ports(radiusd_t) + corenet_udp_bind_generic_node(radiusd_t) + ++corenet_tcp_connect_postgresql_port(radiusd_t) ++ + corenet_sendrecv_radacct_server_packets(radiusd_t) + corenet_udp_bind_radacct_port(radiusd_t) + +@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t) + fs_getattr_all_fs(radiusd_t) + fs_search_auto_mountpoints(radiusd_t) + +-files_read_usr_files(radiusd_t) + files_read_etc_runtime_files(radiusd_t) + files_dontaudit_list_tmp(radiusd_t) + +@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t) + + logging_send_syslog_msg(radiusd_t) + +-miscfiles_read_localization(radiusd_t) + miscfiles_read_generic_certs(radiusd_t) + + sysnet_use_ldap(radiusd_t) +@@ -122,6 +125,11 @@ optional_policy(` + ') + + optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0") ++ kerberos_manage_host_rcache(radiusd_t) ++') ++ ++optional_policy(` + logrotate_exec(radiusd_t) + ') + +diff --git a/radvd.if b/radvd.if +index ac7058d..48739ac 100644 +--- a/radvd.if ++++ b/radvd.if +@@ -1,5 +1,24 @@ + ## IPv6 router advertisement daemon. + ++###################################### ++## ++## Read radvd PID files. ++## ++## ++## ++## Domain allowed access. 
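Review bot: `files_dontaudit_list_tmp(radiusd_t)` is added after the `files_pid_filetrans` line, but the hunk at `@@ -97,7 +102,6 @@` further down shows the same call already present as context, so it is now duplicated; drop the new copy. `corenet_all_recvfrom_unlabeled(radiusd_t)` is removed here with no comment; if that follows a policy-wide change it is fine, otherwise note the reason so the removal is not mistaken for an accident.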
++## ++## ++# ++interface(`radvd_read_pid_files',` ++ gen_require(` ++ type radvd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -23,8 +42,11 @@ interface(`radvd_admin',` + type radvd_var_run_t; + ') + +- allow $1 radvd_t:process { ptrace signal_perms }; ++ allow $1 radvd_t:process signal_perms; + ps_process_pattern($1, radvd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 radvd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, radvd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/radvd.te b/radvd.te +index b31f2d7..046f5b8 100644 +--- a/radvd.te ++++ b/radvd.te +@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t) + + logging_send_syslog_msg(radvd_t) + +-miscfiles_read_localization(radvd_t) +- + userdom_dontaudit_use_unpriv_user_fds(radvd_t) + userdom_dontaudit_search_user_home_dirs(radvd_t) + +diff --git a/raid.fc b/raid.fc +index 5806046..5578653 100644 +--- a/raid.fc ++++ b/raid.fc +@@ -3,6 +3,9 @@ + + /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) + ++/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) ++/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) ++ + /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) +@@ -16,6 +19,7 @@ + /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) + + /var/run/mdadm(/.*)? 
gen_context(system_u:object_r:mdadm_var_run_t,s0) +diff --git a/raid.if b/raid.if +index 951db7f..98a0758 100644 +--- a/raid.if ++++ b/raid.if +@@ -1,9 +1,8 @@ +-## RAID array management tools. ++## RAID array management tools + + ######################################## + ## +-## Execute software raid tools in +-## the mdadm domain. ++## Execute software raid tools in the mdadm domain. + ## + ## + ## +@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',` + + ###################################### + ## +-## Execute mdadm in the mdadm +-## domain, and allow the specified +-## role the mdadm domain. ++## Execute a domain transition to mdadm_t for the ++## specified role, allowing it to use the mdadm_t ++## domain + ## + ## + ## +-## Role allowed access. ++## Role allowed to access mdadm_t domain + ## + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed to transition to mdadm_t + ## + ## + # + interface(`raid_run_mdadm',` + gen_require(` +- attribute_role mdadm_roles; ++ type mdadm_t; + ') + ++ role $1 types mdadm_t; + raid_domtrans_mdadm($2) +- roleattribute $1 mdadm_roles; ++') ++ ++###################################### ++## ++## Execute mdadm server in the mdadm domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mdadm_systemctl',` ++ gen_require(` ++ type mdadm_t; ++ type mdadm_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 mdadm_unit_file_t:file read_file_perms; ++ allow $1 mdadm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mdadm_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## mdadm pid files. ++## read the mdadm pid files. 
+ ## + ## + ## +@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',` + ## + ## + # +-interface(`raid_manage_mdadm_pid',` ++interface(`raid_read_mdadm_pid',` + gen_require(` + type mdadm_var_run_t; + ') + +- files_search_pids($1) +- allow $1 mdadm_var_run_t:file manage_file_perms; ++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mdadm environment. ++## Create, read, write, and delete the mdadm pid files. + ## ++## ++##
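Review bot: The new `mdadm_systemctl` interface is summarised as `Execute mdadm server in the mdadm domain.` with the parameter `Domain allowed to transition.`, but its body only grants `systemd_exec_systemctl($1)`, read on `mdadm_unit_file_t` and `manage_service_perms` on the unit; nothing transitions into mdadm_t. Suggest `## Manage the mdadm systemd units with systemctl.` and `## Domain allowed access.`. Every other interface in this file carries the `raid_` prefix, so `raid_systemctl_mdadm` would be more consistent.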

    ++## Create, read, write, and delete the mdadm pid files. ++##

    ++##

    ++## Added for use in the init module. ++##

    ++##
    + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`raid_manage_mdadm_pid',` ++ gen_require(` ++ type mdadm_var_run_t; ++ ') ++ ++ # FIXME: maybe should have a type_transition. not ++ # clear what this is doing, from the original ++ # mdadm policy ++ allow $1 mdadm_var_run_t:file manage_file_perms; ++') ++ ++####################################### ++## ++## Check access to the mdadm executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_access_check_mdadm',` ++ gen_require(` ++ type mdadm_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ++') ++ ++######################################## ++## ++## Manage mdadm config files. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`raid_admin_mdadm',` ++interface(`raid_manage_conf_files',` + gen_require(` +- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; ++ type mdadm_conf_t; + ') + +- allow $1 mdadm_t:process { ptrace signal_perms }; +- ps_process_pattern($1, mdadm_t) +- +- init_labeled_script_domtrans($1, mdadm_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 mdadm_initrc_exec_t system_r; +- allow $2 system_r; ++ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++') + +- files_search_pids($1) +- admin_pattern($1, mdadm_var_run_t) ++######################################## ++## ++## Transition to mdadm named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`raid_filetrans_named_content',` ++ gen_require(` ++ type mdadm_conf_t; ++ ') + +- raid_run_mdadm($2, $1) ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") + ') +diff --git a/raid.te b/raid.te +index 2c1730b..4699a1e 100644 +--- a/raid.te ++++ b/raid.te +@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t; + type mdadm_initrc_exec_t; + init_script_file(mdadm_initrc_exec_t) + ++type mdadm_conf_t; ++files_config_file(mdadm_conf_t) ++ ++type mdadm_unit_file_t; ++systemd_unit_file(mdadm_unit_file_t) ++ ++type mdadm_tmp_t; ++files_tmpfs_file(mdadm_tmp_t) ++ + type mdadm_var_run_t alias mdadm_map_t; + files_pid_file(mdadm_var_run_t) + dev_associate(mdadm_var_run_t) +@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t) + # + + allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; +-dontaudit mdadm_t self:capability sys_tty_config; +-allow mdadm_t self:process { getsched setsched signal_perms }; ++dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace }; ++allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; + allow mdadm_t self:fifo_file rw_fifo_file_perms; + allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t) ++files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf") ++ ++manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) ++manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) ++files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) + + manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) + manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) + manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) + manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +-dev_filetrans(mdadm_t, mdadm_var_run_t, file) +-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file }) 
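Review bot: The renamed `raid_read_mdadm_pid` keeps only `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` and drops the `files_search_pids($1)` the old interface had, so a caller that cannot already search /var/run is still denied; `radvd_read_pid_files`, added by the same patch, keeps `files_search_pids($1)` and this one should match. `raid_admin_mdadm` is removed with no deprecated stub, which breaks existing callers; `refpolicywarn(`$0($*) has been deprecated.')` as in radius.if's `radius_use` would keep them compiling. The re-added `raid_manage_mdadm_pid` carries a `# FIXME: maybe should have a type_transition` comment and also lost the `files_search_pids($1)` its previous definition had; either resolve the FIXME or at least restore the search permission.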
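Review bot: `mdadm_tmp_t` is declared with `files_tmpfs_file(mdadm_tmp_t)`, i.e. as a tmpfs-associated type, but the hunk at `@@ -25,23 +34,34 @@` transitions into it with `files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)`, which is the /tmp transition. One of the two is wrong: if mdadm writes under /tmp the declaration should be `files_tmp_file(mdadm_tmp_t)`, and if it writes to a tmpfs mount the transition should be `fs_tmpfs_filetrans`.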
++files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) ++dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) ++ ++can_exec(mdadm_t, mdadm_exec_t) + + kernel_getattr_core_if(mdadm_t) + kernel_read_system_state(mdadm_t) + kernel_read_kernel_sysctls(mdadm_t) + kernel_request_load_module(mdadm_t) + kernel_rw_software_raid_state(mdadm_t) ++kernel_setsched(mdadm_t) + + corecmd_exec_bin(mdadm_t) + corecmd_exec_shell(mdadm_t) +@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t) + dev_rw_sysfs(mdadm_t) + dev_dontaudit_getattr_all_blk_files(mdadm_t) + dev_dontaudit_getattr_all_chr_files(mdadm_t) ++dev_read_crash(mdadm_t) ++dev_read_framebuffer(mdadm_t) + dev_read_realtime_clock(mdadm_t) + dev_read_raw_memory(mdadm_t) +- ++dev_read_kvm(mdadm_t) ++dev_read_mei(mdadm_t) ++dev_read_nvram(mdadm_t) ++dev_read_generic_files(mdadm_t) ++dev_read_generic_usb_dev(mdadm_t) ++dev_read_urand(mdadm_t) ++ ++domain_read_all_domains_state(mdadm_t) + domain_use_interactive_fds(mdadm_t) + +-files_read_etc_files(mdadm_t) + files_read_etc_runtime_files(mdadm_t) +-files_dontaudit_getattr_all_files(mdadm_t) ++files_dontaudit_getattr_tmpfs_files(mdadm_t) + ++fs_getattr_all_fs(mdadm_t) + fs_list_auto_mountpoints(mdadm_t) + fs_list_hugetlbfs(mdadm_t) + fs_rw_cgroup_files(mdadm_t) + fs_dontaudit_list_tmpfs(mdadm_t) ++fs_manage_cgroup_files(mdadm_t) + + mls_file_read_all_levels(mdadm_t) + mls_file_write_all_levels(mdadm_t) +@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) + storage_manage_fixed_disk(mdadm_t) + storage_read_scsi_generic(mdadm_t) + storage_write_scsi_generic(mdadm_t) ++storage_raw_read_removable_device(mdadm_t) + + term_dontaudit_list_ptys(mdadm_t) + term_dontaudit_use_unallocated_ttys(mdadm_t) + ++auth_use_nsswitch(mdadm_t) ++ + init_dontaudit_getattr_initctl(mdadm_t) + ++logging_dontaudit_getattr_all_logs(mdadm_t) + logging_send_syslog_msg(mdadm_t) + +-miscfiles_read_localization(mdadm_t) ++systemd_exec_systemctl(mdadm_t) 
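Review bot: `allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };` spells out the members of the `signal_perms` set that the removed line used, so it is the same grant written less readably; keep `allow mdadm_t self:process { getsched setsched signal_perms };`. The new `dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };` and `allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };` have no comment on what triggers them; `connectto` in particular lets mdadm_t connect to its own listening sockets and is worth a one-line reason.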
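Review bot: The block of device reads added for mdadm_t — `dev_read_crash`, `dev_read_framebuffer`, `dev_read_kvm`, `dev_read_mei`, `dev_read_nvram`, `dev_read_generic_usb_dev` next to the existing `dev_read_raw_memory` — has no comment, and framebuffer, kvm, mei and nvram are not devices a RAID tool obviously needs; they look like the outcome of mdadm opening every node it finds while scanning rather than individual requirements. If that is the cause, say so in one comment above the block (e.g. `# mdadm opens every device node while scanning for array members`), or turn the reads into the matching `dev_dontaudit_*` rules where only the denial noise matters, as the existing `dev_dontaudit_getattr_all_blk_files` lines already do. `domain_read_all_domains_state(mdadm_t)` and `fs_manage_cgroup_files(mdadm_t)` are likewise broad and deserve a reason.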
++systemd_start_systemd_services(mdadm_t) + + userdom_dontaudit_use_unpriv_user_fds(mdadm_t) + userdom_dontaudit_search_user_home_content(mdadm_t) +@@ -93,13 +128,30 @@ optional_policy(` + ') + + optional_policy(` ++ kdump_manage_kdumpctl_tmp_files(mdadm_t) ++ kdump_rw_lock(mdadm_t) ++') ++ ++optional_policy(` + mta_send_mail(mdadm_t) + ') + + optional_policy(` ++ mdadm_systemctl(mdadm_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(mdadm_t) + ') + + optional_policy(` + udev_read_db(mdadm_t) + ') ++ ++optional_policy(` ++ virt_read_blk_images(mdadm_t) ++') ++ ++optional_policy(` ++ xserver_dontaudit_search_log(mdadm_t) ++') +diff --git a/razor.fc b/razor.fc +index 6723f4d..6e26673 100644 +--- a/razor.fc ++++ b/razor.fc +@@ -1,9 +1,9 @@ +-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) ++#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) ++#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) + +-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) ++#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) + +-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) ++#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) + +-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) +- +-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) ++#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) ++#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) +diff --git a/razor.if b/razor.if +index 1e4b523..fee3b7c 100644 +--- a/razor.if ++++ b/razor.if +@@ -1,72 +1,147 @@ + ## A distributed, collaborative, spam detection and filtering network. ++## ++##
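Review bot: `mdadm_systemctl(mdadm_t)` is wrapped in `optional_policy(`...')` although the interface is defined in this same module's raid.if, so the guard can never be false; call it directly, or drop it, since the preceding hunk already grants `systemd_exec_systemctl(mdadm_t)` unconditionally and the only extra rules are the unit-file permissions. The other new optional blocks (`kdump_*`, `virt_read_blk_images`, `xserver_dontaudit_search_log`) read as individual denial fixes; a short comment on each would make this module's dependencies easier to audit.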
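Review bot: Every file-context line is kept as a comment (`#/etc/razor(/.*)? ...`) rather than removed, leaving a file with no live entries and commented-out code that will drift from razor.te. Since razor.te in this same patch switches on `ifdef(`distro_redhat',`...')` to alias the razor types to spamc/spamd types, the .fc file should use the same `ifdef` so the entries stay live on non-Red Hat builds, or be emptied with a one-line comment stating that razor content is labelled by the spamassassin module on this distribution.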

    ++## A distributed, collaborative, spam detection and filtering network. ++##

    ++##

    ++## This policy will work with either the ATrpms provided config ++## file in /etc/razor, or with the default of dumping everything into ++## $HOME/.razor. ++##

    ++##
    + + ####################################### + ## +-## The template to define a razor domain. ++## Template to create types and rules common to ++## all razor domains. + ## +-## ++## + ## +-## Domain prefix to be used. ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). + ## + ## + # + template(`razor_common_domain_template',` + gen_require(` +- attribute razor_domain; +- type razor_exec_t; ++ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; + ') + +- ######################################## +- # +- # Declarations +- # +- +- type $1_t, razor_domain; ++ type $1_t; + domain_type($1_t) + domain_entry_file($1_t, razor_exec_t) + +- ######################################## +- # +- # Declarations +- # +- +- auth_use_nsswitch($1_t) ++ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++ allow $1_t self:fd use; ++ allow $1_t self:fifo_file rw_fifo_file_perms; ++ allow $1_t self:unix_dgram_socket create_socket_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:unix_dgram_socket sendto; ++ allow $1_t self:unix_stream_socket connectto; ++ allow $1_t self:shm create_shm_perms; ++ allow $1_t self:sem create_sem_perms; ++ allow $1_t self:msgq create_msgq_perms; ++ allow $1_t self:msg { send receive }; ++ allow $1_t self:tcp_socket create_socket_perms; ++ ++ # Read system config file ++ allow $1_t razor_etc_t:dir list_dir_perms; ++ allow $1_t razor_etc_t:file read_file_perms; ++ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; ++ ++ manage_dirs_pattern($1_t, razor_log_t, razor_log_t) ++ manage_files_pattern($1_t, razor_log_t, razor_log_t) ++ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t) ++ logging_log_filetrans($1_t, razor_log_t, file) ++ ++ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t) ++ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) ++ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) ++ 
files_search_var_lib($1_t) ++ ++ # Razor is one executable and several symlinks ++ allow $1_t razor_exec_t:file read_file_perms; ++ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; ++ ++ kernel_read_system_state($1_t) ++ kernel_read_network_state($1_t) ++ kernel_read_software_raid_state($1_t) ++ kernel_getattr_core_if($1_t) ++ kernel_getattr_message_if($1_t) ++ kernel_read_kernel_sysctls($1_t) ++ ++ corecmd_exec_bin($1_t) ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_all_recvfrom_netlabel($1_t) ++ corenet_tcp_sendrecv_generic_if($1_t) ++ corenet_raw_sendrecv_generic_if($1_t) ++ corenet_tcp_sendrecv_generic_node($1_t) ++ corenet_raw_sendrecv_generic_node($1_t) ++ corenet_tcp_sendrecv_razor_port($1_t) ++ ++ # mktemp and other randoms ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) ++ ++ files_search_pids($1_t) ++ # Allow access to various files in the /etc/directory including mtab ++ # and nsswitch ++ files_read_etc_files($1_t) ++ files_read_etc_runtime_files($1_t) ++ ++ fs_search_auto_mountpoints($1_t) ++ ++ libs_read_lib_files($1_t) ++ ++ ++ sysnet_read_config($1_t) ++ sysnet_dns_name_resolve($1_t) ++ ++ optional_policy(` ++ nis_use_ypbind($1_t) ++ ') + ') + + ######################################## + ## +-## Role access for razor. ++## Role access for razor + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## ++## + # + interface(`razor_role',` + gen_require(` +- attribute_role razor_roles; + type razor_t, razor_exec_t, razor_home_t; +- type razor_tmp_t; + ') + +- roleattribute $1 razor_roles; ++ role $1 types razor_t; + ++ # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, razor_exec_t, razor_t) + ++ # allow ps to show razor and allow the user to kill it + ps_process_pattern($2, razor_t) +- allow $2 razor_t:process signal; +- +- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; ++ allow $2 razor_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 razor_t:process ptrace; ++ ') + +- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor") ++ manage_dirs_pattern($2, razor_home_t, razor_home_t) ++ manage_files_pattern($2, razor_home_t, razor_home_t) ++ manage_lnk_files_pattern($2, razor_home_t, razor_home_t) ++ relabel_dirs_pattern($2, razor_home_t, razor_home_t) ++ relabel_files_pattern($2, razor_home_t, razor_home_t) ++ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) + ') + + ######################################## +@@ -81,17 +156,16 @@ interface(`razor_role',` + # + interface(`razor_domtrans',` + gen_require(` +- type system_razor_t, razor_exec_t; ++ type razor_t, razor_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, razor_exec_t, system_razor_t) ++ domtrans_pattern($1, razor_exec_t, razor_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## razor home content. ++## Create, read, write, and delete razor files ++## in a user home subdirectory. 
+ ## + ## + ## +@@ -99,20 +173,19 @@ interface(`razor_domtrans',` + ## + ## + # +-interface(`razor_manage_home_content',` ++interface(`razor_manage_user_home_files',` + gen_require(` + type razor_home_t; + ') + + userdom_search_user_home_dirs($1) +- allow $1 razor_home_t:dir manage_dir_perms; +- allow $1 razor_home_t:file manage_file_perms; +- allow $1 razor_home_t:lnk_file manage_lnk_file_perms; ++ manage_files_pattern($1, razor_home_t, razor_home_t) ++ read_lnk_files_pattern($1, razor_home_t, razor_home_t) + ') + + ######################################## + ## +-## Read razor lib files. ++## read razor lib files. + ## + ## + ## +diff --git a/razor.te b/razor.te +index 5ddedbc..4e15f29 100644 +--- a/razor.te ++++ b/razor.te +@@ -1,139 +1,128 @@ +-policy_module(razor, 2.3.2) ++policy_module(razor, 2.3.0) + + ######################################## + # + # Declarations + # + +-attribute razor_domain; ++ifdef(`distro_redhat',` ++ gen_require(` ++ type spamc_t, spamc_exec_t, spamd_log_t; ++ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; ++ type spamc_home_t, spamc_tmp_t; ++ ') ++ ++ typealias spamc_t alias razor_t; ++ typealias spamc_exec_t alias razor_exec_t; ++ typealias spamd_log_t alias razor_log_t; ++ typealias spamd_var_lib_t alias razor_var_lib_t; ++ typealias spamd_etc_t alias razor_etc_t; ++ typealias spamc_home_t alias razor_home_t; ++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; ++ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; ++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; ++',` ++ type razor_exec_t; ++ corecmd_executable_file(razor_exec_t) ++ ++ type razor_etc_t; ++ files_config_file(razor_etc_t) ++ ++ type razor_home_t; ++ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; ++ typealias razor_home_t alias { 
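Review bot: `corecmd_search_bin($1)` is dropped from `razor_domtrans`, so a caller that does not already hold search on bin directories will be denied the path lookup before the transition to `razor_t` can fire. The same line is removed from `remotelogin_domtrans` in remotelogin.if later in this patch, with the same effect on its callers. Unless every caller is known to search bin directories already, keep `corecmd_search_bin($1)` immediately ahead of the `domtrans_pattern` line in both interfaces.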
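Review bot: Renaming `razor_manage_home_content` to `razor_manage_user_home_files` removes the old interface name, so any module still calling it will fail to build unless it is updated elsewhere in this patch. The new body also drops `manage_dir_perms` on `razor_home_t` directories and downgrades `manage_lnk_file_perms` to `read_lnk_files_pattern`, while the summary still promises "Create, read, write, and delete razor files"; either restore `manage_dirs_pattern`/`manage_lnk_files_pattern` or narrow the description to what is granted. The rewritten summary `## read razor lib files.` should stay capitalised like the other interface summaries in this file.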
auditadm_razor_home_t secadm_razor_home_t }; ++ userdom_user_home_content(razor_home_t) ++ ++ type razor_log_t; ++ logging_log_file(razor_log_t) ++ ++ type razor_tmp_t; ++ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; ++ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; ++ files_tmp_file(razor_tmp_t) ++ ubac_constrained(razor_tmp_t) ++ ++ type razor_var_lib_t; ++ files_type(razor_var_lib_t) ++ ++ # these are here due to ordering issues: ++ razor_common_domain_template(razor) ++ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; ++ typealias razor_t alias { auditadm_razor_t secadm_razor_t }; ++ ubac_constrained(razor_t) ++ ++ razor_common_domain_template(system_razor) ++ role system_r types system_razor_t; ++ ++ ######################################## ++ # ++ # System razor local policy ++ # ++ ++ # this version of razor is invoked typically ++ # via the system spam filter ++ ++ allow system_razor_t self:tcp_socket create_socket_perms; ++ ++ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) ++ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) ++ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) ++ files_search_etc(system_razor_t) ++ ++ allow system_razor_t razor_log_t:file manage_file_perms; ++ logging_log_filetrans(system_razor_t, razor_log_t, file) ++ ++ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) ++ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) ++ ++ corenet_all_recvfrom_netlabel(system_razor_t) ++ corenet_tcp_sendrecv_generic_if(system_razor_t) ++ corenet_raw_sendrecv_generic_if(system_razor_t) ++ corenet_tcp_sendrecv_generic_node(system_razor_t) ++ corenet_raw_sendrecv_generic_node(system_razor_t) ++ corenet_tcp_sendrecv_razor_port(system_razor_t) ++ corenet_tcp_connect_razor_port(system_razor_t) ++ corenet_sendrecv_razor_client_packets(system_razor_t) ++ ++ auth_use_nsswitch(system_razor_t) 
++ ++ # cjp: this shouldn't be needed ++ userdom_use_unpriv_users_fds(system_razor_t) ++ ++ optional_policy(` ++ logging_send_syslog_msg(system_razor_t) ++ ') ++ ++ ######################################## ++ # ++ # User razor local policy ++ # ++ ++ # Allow razor to be run by hand. Needed by any action other than ++ # invocation from a spam filter. ++ ++ allow razor_t self:unix_stream_socket create_stream_socket_perms; ++ ++ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) ++ manage_files_pattern(razor_t, razor_home_t, razor_home_t) ++ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) ++ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) ++ ++ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) ++ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) ++ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) ++ ++ auth_use_nsswitch(razor_t) + +-attribute_role razor_roles; ++ logging_send_syslog_msg(razor_t) + +-type razor_exec_t; +-corecmd_executable_file(razor_exec_t) ++ userdom_search_user_home_dirs(razor_t) ++ userdom_use_inherited_user_terminals(razor_t) + +-type razor_etc_t; +-files_config_file(razor_etc_t) ++ userdom_home_manager(razor_t) + +-type razor_home_t; +-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; +-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; +-userdom_user_home_content(razor_home_t) +- +-type razor_log_t; +-logging_log_file(razor_log_t) +- +-type razor_tmp_t; +-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; +-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +-userdom_user_tmp_file(razor_tmp_t) +- +-type razor_var_lib_t; +-files_type(razor_var_lib_t) +- +-razor_common_domain_template(razor) +-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; +-typealias razor_t alias { auditadm_razor_t secadm_razor_t }; +-userdom_user_application_type(razor_t) +-role 
razor_roles types razor_t; +- +-razor_common_domain_template(system_razor) +-role system_r types system_razor_t; +- +-######################################## +-# +-# Common razor domain local policy +-# +- +-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +-allow razor_domain self:fd use; +-allow razor_domain self:fifo_file rw_fifo_file_perms; +-allow razor_domain self:unix_dgram_socket sendto; +-allow razor_domain self:unix_stream_socket { accept connectto listen }; +- +-allow razor_domain razor_etc_t:dir list_dir_perms; +-allow razor_domain razor_etc_t:file read_file_perms; +-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms; +- +-allow razor_domain razor_exec_t:file read_file_perms; +-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms; +- +-kernel_read_system_state(razor_domain) +-kernel_read_network_state(razor_domain) +-kernel_read_software_raid_state(razor_domain) +-kernel_getattr_core_if(razor_domain) +-kernel_getattr_message_if(razor_domain) +-kernel_read_kernel_sysctls(razor_domain) +- +-corecmd_exec_bin(razor_domain) +- +-corenet_all_recvfrom_unlabeled(razor_domain) +-corenet_all_recvfrom_netlabel(razor_domain) +-corenet_tcp_sendrecv_generic_if(razor_domain) +-corenet_tcp_sendrecv_generic_node(razor_domain) +- +-corenet_tcp_sendrecv_razor_port(razor_domain) +-corenet_tcp_connect_razor_port(razor_domain) +-corenet_sendrecv_razor_client_packets(razor_domain) +- +-dev_read_rand(razor_domain) +-dev_read_urand(razor_domain) +- +-files_read_etc_runtime_files(razor_domain) +- +-libs_read_lib_files(razor_domain) +- +-miscfiles_read_localization(razor_domain) +- +-######################################## +-# +-# System local policy +-# +- +-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +- +-manage_dirs_pattern(system_razor_t, 
razor_log_t, razor_log_t) +-append_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-create_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-logging_log_filetrans(system_razor_t, razor_log_t, file) +- +-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) +- +-######################################## +-# +-# Session local policy +-# +- +-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) +-manage_files_pattern(razor_t, razor_home_t, razor_home_t) +-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) +-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor") +- +-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) +-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) +-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) +- +-fs_getattr_all_fs(razor_t) +-fs_search_auto_mountpoints(razor_t) +- +-userdom_use_unpriv_users_fds(razor_t) +-userdom_use_user_terminals(razor_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(razor_t) +- fs_manage_nfs_files(razor_t) +- fs_manage_nfs_symlinks(razor_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(razor_t) +- fs_manage_cifs_files(razor_t) +- fs_manage_cifs_symlinks(razor_t) ++ optional_policy(` ++ milter_manage_spamass_state(razor_t) ++ ') + ') +diff --git a/rdisc.te b/rdisc.te +index 9196c1d..3dac4d9 100644 +--- a/rdisc.te ++++ b/rdisc.te +@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t) + kernel_read_proc_symlinks(rdisc_t) + kernel_read_kernel_sysctls(rdisc_t) + +-corenet_all_recvfrom_unlabeled(rdisc_t) + corenet_all_recvfrom_netlabel(rdisc_t) + 
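Review bot: The non-redhat branch repeats rules that `razor_common_domain_template` now grants to every `$1_t`: `allow system_razor_t self:tcp_socket create_socket_perms;` and `allow razor_t self:unix_stream_socket create_stream_socket_perms;` duplicate the template's `tcp_socket` and `unix_stream_socket` lines, and the `razor_log_t`/`razor_var_lib_t` manage rules for `system_razor_t` mostly duplicate the template's manage patterns as well. Dropping the duplicates keeps the per-domain sections to what actually differs between the system and user razor domains. The header also moves `policy_module(razor, 2.3.2)` back to `2.3.0`, and realmd.te (1.0.2 to 1.0.0) and remotelogin.te (1.7.2 to 1.7.0) do the same; a module version should go up with a behaviour change, not down, unless this is deliberately tracking a different base, in which case a comment should say so. The `# cjp: this shouldn't be needed` note above `userdom_use_unpriv_users_fds(system_razor_t)` should either be resolved or replaced by a comment saying why the rule is kept.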
corenet_udp_sendrecv_generic_if(rdisc_t) + corenet_raw_sendrecv_generic_if(rdisc_t) +@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t) + + domain_use_interactive_fds(rdisc_t) + +-files_read_etc_files(rdisc_t) + + logging_send_syslog_msg(rdisc_t) + +-miscfiles_read_localization(rdisc_t) +- + sysnet_read_config(rdisc_t) + + userdom_dontaudit_use_unpriv_user_fds(rdisc_t) +diff --git a/readahead.fc b/readahead.fc +index f307db4..0428aee 100644 +--- a/readahead.fc ++++ b/readahead.fc +@@ -1,7 +1,10 @@ +-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) + ++/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + ++/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++ + /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) + +-/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0) ++/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) +diff --git a/readahead.if b/readahead.if +index 661bb88..06f69c4 100644 +--- a/readahead.if ++++ b/readahead.if +@@ -19,3 +19,27 @@ interface(`readahead_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, readahead_exec_t, readahead_t) + ') ++ ++######################################## ++## ++## Manage readahead var_run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`readahead_manage_pid_files',` ++ gen_require(` ++ type readahead_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t) ++ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t) ++ dev_filetrans($1, readahead_var_run_t, { dir file }) ++ init_pid_filetrans($1, readahead_var_run_t, { dir file }) ++ files_search_pids($1) ++ init_search_pid_dirs($1) ++') ++ +diff --git a/readahead.te b/readahead.te +index f1512d6..8ee7e70 100644 +--- a/readahead.te ++++ b/readahead.te +@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; + + type readahead_var_run_t; + files_pid_file(readahead_var_run_t) ++dev_associate(readahead_var_run_t) + init_daemon_run_dir(readahead_var_run_t, "readahead") + + ######################################## +@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) + + manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) + manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) ++dev_filetrans(readahead_t, readahead_var_run_t, { dir file }) + files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) + + kernel_read_all_sysctls(readahead_t) + kernel_read_system_state(readahead_t) + kernel_dontaudit_getattr_core_if(readahead_t) ++kernel_list_all_proc(readahead_t) + +-dev_read_sysfs(readahead_t) ++dev_rw_sysfs(readahead_t) ++dev_read_kmsg(readahead_t) ++dev_read_urand(readahead_t) ++dev_write_kmsg(readahead_t) + dev_getattr_generic_chr_files(readahead_t) + dev_getattr_generic_blk_files(readahead_t) + dev_getattr_all_chr_files(readahead_t) +@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t) + domain_read_all_domains_state(readahead_t) + + files_create_boot_flag(readahead_t) ++files_delete_root_files(readahead_t) + files_getattr_all_pipes(readahead_t) + files_list_non_security(readahead_t) + files_read_non_security_files(readahead_t) + files_search_var_lib(readahead_t) 
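Review bot: `init_pid_filetrans($1, readahead_var_run_t, { dir file })` and `dev_filetrans($1, readahead_var_run_t, { dir file })` are unnamed transitions, so every directory or file the calling domain creates directly in the init pid directory or a generic device directory becomes `readahead_var_run_t`, not just the readahead ones; readahead.te in this same patch uses the named form `init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")` for the daemon itself. Giving the interface the same `"readahead"` name argument, or leaving the filetrans calls out of a manage interface altogether, keeps callers from mislabelling unrelated runtime files. The summary says "Manage readahead var_run files" but the body also reaches into /dev via `dev_filetrans`; it should mention the `/dev/.systemd/readahead` location the .fc hunk adds. There is a stray blank line after the closing `')` at the end of the file.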
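Review bot: `dev_filetrans(readahead_t, readahead_var_run_t, { dir file })` is unnamed, so anything readahead_t creates directly in a generic device directory is labelled `readahead_var_run_t`, whereas the later hunk in this file uses the named form `init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")`. If readahead itself creates the `readahead` directory matched by the new `/dev/\.systemd/readahead(/.*)?` context, `dev_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")` would be the precise equivalent; if that directory is created by something else, the dev transition is unnecessary, but I cannot tell which from the hunk. `dev_rw_sysfs` replacing `dev_read_sysfs` and the new `dev_write_kmsg` widen the daemon's device access with no comment; a one-line why-comment on each would help the next reviewer.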
+ files_dontaudit_getattr_all_sockets(readahead_t) + files_dontaudit_getattr_non_security_blk_files(readahead_t) ++files_dontaudit_all_access_check(readahead_t) ++files_dontaudit_read_security_files(readahead_t) ++files_dontaudit_read_all_sockets(readahead_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ files_dontaudit_write_all_files(readahead_t) ++ dev_dontaudit_write_all_chr_files(readahead_t) ++ dev_dontaudit_write_all_blk_files(readahead_t) ++') + + fs_getattr_all_fs(readahead_t) + fs_search_auto_mountpoints(readahead_t) +@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t) + fs_read_tmpfs_files(readahead_t) + fs_read_tmpfs_symlinks(readahead_t) + fs_list_inotifyfs(readahead_t) ++fs_dontaudit_read_tmpfs_blk_dev(readahead_t) + fs_dontaudit_search_ramfs(readahead_t) + fs_dontaudit_read_ramfs_pipes(readahead_t) + fs_dontaudit_read_ramfs_files(readahead_t) + fs_dontaudit_use_tmpfs_chr_dev(readahead_t) + +-mcs_file_read_all(readahead_t) +- + mls_file_read_all_levels(readahead_t) + + storage_raw_read_fixed_disk(readahead_t) +@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t) + init_use_fds(readahead_t) + init_use_script_ptys(readahead_t) + init_getattr_initctl(readahead_t) ++# needs to write to /run/systemd/notify ++init_write_pid_socket(readahead_t) ++init_create_pid_dirs(readahead_t) ++init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead") + + logging_send_syslog_msg(readahead_t) + logging_set_audit_parameters(readahead_t) + logging_dontaudit_search_audit_config(readahead_t) + +-miscfiles_read_localization(readahead_t) +- + userdom_dontaudit_use_unpriv_user_fds(readahead_t) + userdom_dontaudit_search_user_home_dirs(readahead_t) + +diff --git a/realmd.fc b/realmd.fc +index 04babe3..3b92679 100644 +--- a/realmd.fc ++++ b/realmd.fc +@@ -1 +1,5 @@ +-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) ++/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) ++ ++/var/cache/realmd(/.*)? 
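Review bot: `files_delete_root_files(readahead_t)` and `files_dontaudit_read_security_files(readahead_t)` are added without explanation; the first lets the daemon unlink files directly in `/`, and the second suppresses audit records for reads of security-sensitive files, which hides exactly the events an auditor would want from a boot-time daemon that already has `files_read_non_security_files`. Each deserves a why-comment naming the file it needs, e.g. `# removes the boot flag in /` above `files_delete_root_files` if the earlier `files_create_boot_flag` is the reason, which the hunk suggests but does not confirm. `files_dontaudit_all_access_check` and `files_dontaudit_read_all_sockets` are similarly broad; if they exist only to quiet noise, the `ifdef(`hide_broken_symptoms'` block added just below is the conventional place for them.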
gen_context(system_u:object_r:realmd_var_cache_t,s0) ++ ++/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0) +diff --git a/realmd.if b/realmd.if +index bff31df..3b2a829 100644 +--- a/realmd.if ++++ b/realmd.if +@@ -1,8 +1,9 @@ +-## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA. ++ ++## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA + + ######################################## + ## +-## Execute realmd in the realmd domain. ++## Execute realmd in the realmd_t domain. + ## + ## + ## +@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',` + allow $1 realmd_t:dbus send_msg; + allow realmd_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Search realmd cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`realmd_search_cache',` ++ gen_require(` ++ type realmd_var_cache_t; ++ ') ++ ++ allow $1 realmd_var_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read realmd cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`realmd_read_cache_files',` ++ gen_require(` ++ type realmd_var_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## realmd cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`realmd_manage_cache_files',` ++ gen_require(` ++ type realmd_var_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t) ++') ++ ++######################################## ++## ++## Manage realmd cache dirs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`realmd_manage_cache_dirs',` ++ gen_require(` ++ type realmd_var_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t) ++') ++ ++ ++######################################## ++## ++## Read realmd tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`realmd_read_tmp_files',` ++ gen_require(` ++ type realmd_tmp_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t) ++') ++ +diff --git a/realmd.te b/realmd.te +index 9a8f052..3baa71a 100644 +--- a/realmd.te ++++ b/realmd.te +@@ -1,4 +1,4 @@ +-policy_module(realmd, 1.0.2) ++policy_module(realmd, 1.0.0) + + ######################################## + # +@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2) + + type realmd_t; + type realmd_exec_t; +-init_system_domain(realmd_t, realmd_exec_t) ++init_daemon_domain(realmd_t, realmd_exec_t) ++application_domain(realmd_t, realmd_exec_t) ++role system_r types realmd_t; ++ ++type realmd_tmp_t; ++files_tmp_file(realmd_tmp_t) ++ ++type realmd_var_cache_t; ++files_type(realmd_var_cache_t) ++ ++type realmd_var_lib_t; ++files_type(realmd_var_lib_t) + + ######################################## + # +-# Local policy ++# realmd local policy + # + +-allow realmd_t self:capability sys_nice; ++allow realmd_t self:capability { sys_nice }; ++allow realmd_t self:capability2 block_suspend; + allow realmd_t self:process setsched; ++allow realmd_t self:key manage_key_perms; ++ ++manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) ++manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) ++files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file }) ++ ++manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) ++manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) ++ ++manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) ++manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) 
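Review bot: `realmd_read_tmp_files` calls `files_search_var($1)` but grants read on `realmd_tmp_t`, which realmd.te in this patch places in /tmp via `files_tmp_file` and `files_tmp_filetrans`; the search helper should be `files_search_tmp($1)` or the caller will be denied the directory lookup before it reaches the file. The summaries are also worded inconsistently: `## Manage realmd cache dirs.` sits next to `## Create, read, write, and delete realmd cache files.`, and `## Create, read, write, and delete realmd cache directories.` would match the style of the rest of the file. There is an extra blank line before `realmd_read_tmp_files` and a trailing blank line at the end of the file.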
++files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir) + + kernel_read_system_state(realmd_t) ++kernel_read_network_state(realmd_t) + + corecmd_exec_bin(realmd_t) + corecmd_exec_shell(realmd_t) + +-corenet_all_recvfrom_unlabeled(realmd_t) +-corenet_all_recvfrom_netlabel(realmd_t) +-corenet_tcp_sendrecv_generic_if(realmd_t) +-corenet_tcp_sendrecv_generic_node(realmd_t) +- +-corenet_sendrecv_http_client_packets(realmd_t) + corenet_tcp_connect_http_port(realmd_t) +-corenet_tcp_sendrecv_http_port(realmd_t) ++corenet_tcp_connect_ldap_port(realmd_t) ++corenet_tcp_connect_smbd_port(realmd_t) + + domain_use_interactive_fds(realmd_t) + + dev_read_rand(realmd_t) + dev_read_urand(realmd_t) + +-fs_getattr_all_fs(realmd_t) ++files_manage_etc_files(realmd_t) + +-files_read_usr_files(realmd_t) ++fs_getattr_all_fs(realmd_t) + + auth_use_nsswitch(realmd_t) + ++init_filetrans_named_content(realmd_t) ++ ++logging_manage_generic_logs(realmd_t) + logging_send_syslog_msg(realmd_t) + ++miscfiles_manage_generic_cert_files(realmd_t) ++ ++seutil_domtrans_setfiles(realmd_t) ++seutil_read_file_contexts(realmd_t) ++ ++sysnet_dns_name_resolve(realmd_t) ++systemd_exec_systemctl(realmd_t) ++ ++#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache") ++#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache") ++ ++optional_policy(` ++ authconfig_domtrans(realmd_t) ++') ++ + optional_policy(` + dbus_system_domain(realmd_t, realmd_exec_t) + + optional_policy(` ++ certmonger_dbus_chat(realmd_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(realmd_t) + ') + +@@ -63,21 +105,40 @@ optional_policy(` + optional_policy(` + kerberos_use(realmd_t) + kerberos_rw_keytab(realmd_t) ++ kerberos_rw_config(realmd_t) ++ kerberos_filetrans_named_content(realmd_t) ++') ++ ++optional_policy(` ++ ntp_domtrans_ntpdate(realmd_t) ++') ++ ++optional_policy(` ++ ssh_domtrans(realmd_t) ++ ssh_systemctl(realmd_t) + ') + + optional_policy(` + nis_exec_ypbind(realmd_t) +- 
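Review bot: The two commented-out lines `#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")` and `#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")` are dead policy; either drop them or replace them with a comment stating why the transition is not granted. `files_manage_etc_files(realmd_t)`, `logging_manage_generic_logs(realmd_t)` and `miscfiles_manage_generic_cert_files(realmd_t)` each give the daemon write access to a whole generic type where the previous policy only read, and none carries a why-comment naming the file realmd writes; the kerberos, sssd and samba config writes are already covered by the optional blocks, so what remains for plain etc_t is not obvious from the hunk. `allow realmd_t self:capability { sys_nice };` braces a single permission; `sys_nice` alone matches the file's other single-permission rules and the line it replaces.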
nis_initrc_domtrans(realmd_t) ++ nis_systemctl_ypbind(realmd_t) + ') + + optional_policy(` +- gnome_read_generic_home_content(realmd_t) ++ gnome_read_config(realmd_t) ++ gnome_read_generic_cache_files(realmd_t) ++ gnome_write_generic_cache_files(realmd_t) ++ gnome_manage_cache_home_dir(realmd_t) ++ + ') + + optional_policy(` + samba_domtrans_net(realmd_t) + samba_manage_config(realmd_t) +- samba_getattr_winbind_exec(realmd_t) ++ samba_getattr_winbind(realmd_t) ++') ++ ++optional_policy(` ++ rpm_dbus_chat(realmd_t) + ') + + optional_policy(` +@@ -86,5 +147,27 @@ optional_policy(` + sssd_manage_lib_files(realmd_t) + sssd_manage_public_files(realmd_t) + sssd_read_pid_files(realmd_t) +- sssd_initrc_domtrans(realmd_t) ++ sssd_systemctl(realmd_t) ++') ++ ++optional_policy(` ++ xserver_read_state_xdm(realmd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(realmd_t) ++') ++ ++##################################### ++# ++# realmd consolehelper local policy ++# ++ ++optional_policy(` ++ userhelper_console_role_template(realmd, system_r, realmd_t) ++ authconfig_manage_lib_files(realmd_consolehelper_t) ++ ++ oddjob_systemctl(realmd_consolehelper_t) ++ ++ unconfined_domain_noaudit(realmd_consolehelper_t) + ') +diff --git a/redis.fc b/redis.fc +new file mode 100644 +index 0000000..638d6b4 +--- /dev/null ++++ b/redis.fc +@@ -0,0 +1,11 @@ ++/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) ++ ++/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) ++ ++/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) ++ ++/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) ++ ++/var/run/redis(/.*)? 
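Review bot: `optional_policy(` unconfined_domain(realmd_t) ')` makes `realmd_t` unconfined whenever the unconfined module is loaded, so on such installs every targeted rule added above this block is moot and the fine-grained allow list only applies where that module is absent. If this is a stop-gap it should say so, e.g. `# TODO: drop once realmd's enrollment paths are fully covered by the rules above`, or be gated behind a boolean so an administrator can confine realmd without rebuilding policy. The same applies to `unconfined_domain_noaudit(realmd_consolehelper_t)` in the consolehelper block, which additionally suppresses the audit trail for that domain.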
gen_context(system_u:object_r:redis_var_run_t,s0) +diff --git a/redis.if b/redis.if +new file mode 100644 +index 0000000..72a2d7b +--- /dev/null ++++ b/redis.if +@@ -0,0 +1,271 @@ ++ ++## redis-server SELinux policy ++ ++######################################## ++## ++## Execute TEMPLATE in the redis domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`redis_domtrans',` ++ gen_require(` ++ type redis_t, redis_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, redis_exec_t, redis_t) ++') ++ ++######################################## ++## ++## Execute redis server in the redis domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_initrc_domtrans',` ++ gen_require(` ++ type redis_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, redis_initrc_exec_t) ++') ++######################################## ++## ++## Read redis's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`redis_read_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Append to redis log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_append_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Manage redis log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, redis_log_t, redis_log_t) ++ manage_files_pattern($1, redis_log_t, redis_log_t) ++ manage_lnk_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Search redis lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`redis_search_lib',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ allow $1 redis_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read redis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_read_lib_files',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Manage redis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_lib_files',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Manage redis lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_lib_dirs',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Read redis PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_read_pid_files',` ++ gen_require(` ++ type redis_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, redis_var_run_t, redis_var_run_t) ++') ++ ++######################################## ++## ++## Execute redis server in the redis domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`redis_systemctl',` ++ gen_require(` ++ type redis_t; ++ type redis_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 redis_unit_file_t:file read_file_perms; ++ allow $1 redis_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, redis_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an redis environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`redis_admin',` ++ gen_require(` ++ type redis_t; ++ type redis_initrc_exec_t; ++ type redis_log_t; ++ type redis_var_lib_t; ++ type redis_var_run_t; ++ type redis_unit_file_t; ++ ') ++ ++ allow $1 redis_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, redis_t) ++ ++ redis_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 redis_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, redis_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, redis_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, redis_var_run_t) ++ ++ redis_systemctl($1) ++ admin_pattern($1, redis_unit_file_t) ++ allow $1 redis_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/redis.te b/redis.te +new file mode 100644 +index 0000000..e5e9cf7 +--- /dev/null ++++ b/redis.te +@@ -0,0 +1,62 @@ ++policy_module(redis, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type redis_t; ++type redis_exec_t; ++init_daemon_domain(redis_t, redis_exec_t) ++ ++type redis_initrc_exec_t; ++init_script_file(redis_initrc_exec_t) ++ ++type redis_log_t; ++logging_log_file(redis_log_t) ++ ++type redis_var_lib_t; ++files_type(redis_var_lib_t) ++ ++type redis_var_run_t; ++files_pid_file(redis_var_run_t) ++ 
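Review bot: `redis_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `redis_admin` calls `systemd_read_fifo_file_passwd_run($1)`; unless both spellings exist in the base policy, one of the two calls will fail at module build time, so pick the one that exists and use it in both places. The summary of `redis_domtrans` still reads `## Execute TEMPLATE in the redis domin.`, a leftover from the interface template, and `redis_initrc_domtrans` is described as "Execute redis server in the redis domain" although it transitions through the init script; `## Execute redis init scripts in the initrc domain.` is the usual wording. `redis_admin` grants `allow $1 redis_t:process { ptrace signal_perms };` unconditionally, whereas `razor_role` in this same patch wraps ptrace in `tunable_policy(`deny_ptrace',...)`; the admin interface should respect the same tunable.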
++type redis_unit_file_t; ++systemd_unit_file(redis_unit_file_t) ++ ++######################################## ++# ++# redis local policy ++# ++ ++allow redis_t self:process { setrlimit signal_perms }; ++allow redis_t self:fifo_file rw_fifo_file_perms; ++allow redis_t self:unix_stream_socket create_stream_socket_perms; ++allow redis_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) ++manage_files_pattern(redis_t, redis_log_t, redis_log_t) ++manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) ++ ++manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++ ++manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++ ++kernel_read_system_state(redis_t) ++ ++corenet_tcp_bind_generic_node(redis_t) ++corenet_tcp_bind_redis_port(redis_t) ++ ++dev_read_sysfs(redis_t) ++dev_read_urand(redis_t) ++ ++logging_send_syslog_msg(redis_t) ++ ++miscfiles_read_localization(redis_t) ++ ++sysnet_dns_name_resolve(redis_t) ++ +diff --git a/remotelogin.fc b/remotelogin.fc +index 327baf0..d8691bd 100644 +--- a/remotelogin.fc ++++ b/remotelogin.fc +@@ -1 +1,2 @@ ++ + # Remote login currently has no file contexts. +diff --git a/remotelogin.if b/remotelogin.if +index a9ce68e..31be971 100644 +--- a/remotelogin.if ++++ b/remotelogin.if +@@ -1,4 +1,4 @@ +-## Rshd, rlogind, and telnetd. ++## Policy for rshd, rlogind, and telnetd. + + ######################################## + ## +@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',` + type remote_login_t; + ') + +- corecmd_search_bin($1) + auth_domtrans_login_program($1, remote_login_t) + ') + + ######################################## + ## +-## Send generic signals to remote login. 
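Review bot: `redis_t` manages `redis_var_run_t`, `redis_log_t` and `redis_var_lib_t` content but declares no file transition for any of them, so a pid file, log or data file the daemon creates itself will inherit the parent directory's type and later be denied unless the directories are pre-created and labelled by something else. Add `files_pid_filetrans(redis_t, redis_var_run_t, { dir file })`, `logging_log_filetrans(redis_t, redis_log_t, { dir file })` and `files_var_lib_filetrans(redis_t, redis_var_lib_t, { dir file })` next to the corresponding manage patterns. The file also ends with a trailing blank line that should go.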
++## allow Domain to signal remote login domain.
+ ##
+ ##
+ ##
+@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
+
+ allow $1 remote_login_t:process signal;
+ ')
+-
+-########################################
+-##
+-## Create, read, write, and delete
+-## remote login temporary content.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`remotelogin_manage_tmp_content',`
+- gen_require(`
+- type remote_login_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 remote_login_tmp_t:dir manage_dir_perms;
+- allow $1 remote_login_tmp_t:file manage_file_perms;
+-')
+-
+-########################################
+-##
+-## Relabel remote login temporary content.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`remotelogin_relabel_tmp_content',`
+- gen_require(`
+- type remote_login_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
+- allow $1 remote_login_tmp_t:file relabel_file_perms;
+-')
+diff --git a/remotelogin.te b/remotelogin.te
+index c51a32c..bef8238 100644
+--- a/remotelogin.te
++++ b/remotelogin.te
+@@ -1,4 +1,4 @@
+-policy_module(remotelogin, 1.7.2)
++policy_module(remotelogin, 1.7.0)
+
+ ########################################
+ #
+@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
+ auth_login_pgm_domain(remote_login_t)
+ auth_login_entry_type(remote_login_t)
+
+-type remote_login_tmp_t;
+-files_tmp_file(remote_login_tmp_t)
+-
+ ########################################
+ #
+-# Local policy
++# Remote login remote policy
+ #
+
+ allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
+ allow remote_login_t self:process { setrlimit setexec };
+ allow remote_login_t self:fd use;
+ allow remote_login_t self:fifo_file rw_fifo_file_perms;
++allow remote_login_t self:sock_file
read_sock_file_perms;
++allow remote_login_t self:unix_dgram_socket create_socket_perms;
++allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
+ allow remote_login_t self:unix_dgram_socket sendto;
+-allow remote_login_t self:unix_stream_socket { accept connectto listen };
+-
+-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
++allow remote_login_t self:unix_stream_socket connectto;
++allow remote_login_t self:shm create_shm_perms;
++allow remote_login_t self:sem create_sem_perms;
++allow remote_login_t self:msgq create_msgq_perms;
++allow remote_login_t self:msg { send receive };
++allow remote_login_t self:key write;
+
+ kernel_read_system_state(remote_login_t)
+ kernel_read_kernel_sysctls(remote_login_t)
+
+ dev_getattr_mouse_dev(remote_login_t)
+ dev_setattr_mouse_dev(remote_login_t)
++dev_dontaudit_search_sysfs(remote_login_t)
+
+ fs_getattr_xattr_fs(remote_login_t)
++fs_search_auto_mountpoints(remote_login_t)
+
+ term_relabel_all_ptys(remote_login_t)
+ term_use_all_ptys(remote_login_t)
+ term_setattr_all_ptys(remote_login_t)
+
+-auth_manage_pam_console_data(remote_login_t)
+-auth_domtrans_pam_console(remote_login_t)
+ auth_rw_login_records(remote_login_t)
+ auth_rw_faillog(remote_login_t)
++auth_manage_pam_console_data(remote_login_t)
++auth_domtrans_pam_console(remote_login_t)
+
+ corecmd_list_bin(remote_login_t)
+ corecmd_read_bin_symlinks(remote_login_t)
++# cjp: these are probably not needed:
++corecmd_read_bin_files(remote_login_t)
++corecmd_read_bin_pipes(remote_login_t)
++corecmd_read_bin_sockets(remote_login_t)
+
+ domain_read_all_entry_files(remote_login_t)
+
+ files_read_etc_runtime_files(remote_login_t)
+ files_list_home(remote_login_t)
+-files_read_usr_files(remote_login_t)
+ files_list_world_readable(remote_login_t)
+
files_read_world_readable_files(remote_login_t)
+ files_read_world_readable_symlinks(remote_login_t)
+ files_read_world_readable_pipes(remote_login_t)
+ files_read_world_readable_sockets(remote_login_t)
+ files_list_mnt(remote_login_t)
++# for when /var/mail is a sym-link
+ files_read_var_symlinks(remote_login_t)
+
+-miscfiles_read_localization(remote_login_t)
++auth_use_nsswitch(remote_login_t)
++
+
+ userdom_use_unpriv_users_fds(remote_login_t)
+ userdom_search_user_home_content(remote_login_t)
++# Only permit unprivileged user domains to be entered via rlogin,
++# since very weak authentication is used.
+ userdom_signal_unpriv_users(remote_login_t)
+ userdom_spec_domtrans_unpriv_users(remote_login_t)
++userdom_use_user_ptys(remote_login_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(remote_login_t)
+- fs_read_nfs_symlinks(remote_login_t)
+-')
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(remote_login_t)
+- fs_read_cifs_symlinks(remote_login_t)
+-')
++userdom_home_reader(remote_login_t)
+
+ optional_policy(`
+ alsa_domtrans(remote_login_t)
+ ')
+
+ optional_policy(`
++ # Search for mail spool file.
+ mta_getattr_spool(remote_login_t)
+ ')
+
+diff --git a/resmgr.te b/resmgr.te
+index 6f219b3..6bef328 100644
+--- a/resmgr.te
++++ b/resmgr.te
+@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
+
+ domain_use_interactive_fds(resmgrd_t)
+
+-files_read_etc_files(resmgrd_t)
+
+ fs_search_auto_mountpoints(resmgrd_t)
+
+@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
+
+ logging_send_syslog_msg(resmgrd_t)
+
+-miscfiles_read_localization(resmgrd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+ optional_policy(`
+diff --git a/rgmanager.fc b/rgmanager.fc
+index 5421af0..91e69b8 100644
+--- a/rgmanager.fc
++++ b/rgmanager.fc
+@@ -1,12 +1,22 @@
+-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
+-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
++/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
++/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/var/lib/heartbeat(/.*)?
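Review bot: The three `corecmd_read_bin_*` rules added under `# cjp: these are probably not needed:` ship with a personal note rather than a rationale; either drop them or replace the comment with the denial they address, since "probably not needed" access on a login program is exactly what a policy reviewer will ask to see justified. The same hunk replaces the private `remote_login_tmp_t` (removed in the `@@ -10,12 +10,9 @@` hunk above) with `userdom_manage_user_tmp_dirs`/`userdom_manage_user_tmp_files` and `userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })`, so remote_login_t now creates and manages content in the shared user tmp type instead of a type only it could reach; if that widening is deliberate, a comment such as `# remote login shares the user tmp type; no private tmp type is kept` should say so, otherwise keep the private type. `allow remote_login_t self:key write;` is likewise added without explanation. The local-policy section continues past this hunk.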
gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+
+-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
++/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++
++/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+diff --git a/rgmanager.if b/rgmanager.if
+index 1c2f9aa..a4133dc 100644
+--- a/rgmanager.if
++++ b/rgmanager.if
+@@ -1,13 +1,13 @@
+-## Resource Group Manager.
++## rgmanager - Resource Group Manager
+
+ #######################################
+ ##
+ ## Execute a domain transition to run rgmanager.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rgmanager_domtrans',`
+@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
+
+ ########################################
+ ##
+-## Connect to rgmanager with a unix
+-## domain stream socket.
++## Connect to rgmanager over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+ ')
+
++########################################
++##
++## Manage rgmanager pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_manage_pid_files',`
++ gen_require(`
++ type rgmanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
++')
++
+ ######################################
+ ##
+-## Create, read, write, and delete
+-## rgmanager tmp files.
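Review bot: `/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)` gives program files under /usr/lib the same writable data type as `/var/lib/heartbeat(/.*)?`, and the rgmanager.te hunk at `@@ -51,77 +55,93 @@` lets rgmanager_t both manage and `can_exec` that type; only the single `/usr/lib/heartbeat/heartbeat -- rgmanager_exec_t` line escapes this. Files that are executed should keep a type the daemon cannot write (leaving the rest of /usr/lib/heartbeat as `lib_t`/`bin_t`, or a dedicated exec type), with `rgmanager_var_lib_t` reserved for /var/lib data. A comment on the /usr/lib line naming which heartbeat scripts must run out of that directory would also let the next maintainer judge whether the broad spec is still needed.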
++## Allow manage rgmanager tmp files.
+ ##
+ ##
+ ##
+@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
+
+ ######################################
+ ##
+-## Create, read, write, and delete
+-## rgmanager tmpfs files.
++## Allow manage rgmanager tmpfs files.
+ ##
+ ##
+ ##
+@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ ')
+
++#######################################
++##
++## Allow read and write access to rgmanager semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_rw_semaphores',`
++ gen_require(`
++ type rgmanager_t;
++ ')
++
++ allow $1 rgmanager_t:sem rw_sem_perms;
++')
++
+ ######################################
+ ##
+-## All of the rules required to
+-## administrate an rgmanager environment.
++## All of the rules required to administrate
++## an rgmanager environment
+ ##
+ ##
+ ##
+@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
+ ##
+ ##
+ ##
+-## Role allowed access.
++## The role to be allowed to manage the rgmanager domain.
+ ##
+ ##
+ ##
+@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+ ')
+
+- allow $1 rgmanager_t:process { ptrace signal_perms };
++ allow $1 rgmanager_t:process signal_perms;
+ ps_process_pattern($1, rgmanager_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rgmanager_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+ ')
++
++
++######################################
++##
++## Allow the specified domain to manage rgmanager's lib/run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_manage_files',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ type rgmanager_var_run_t;
++ ')
++
++ files_list_var_lib($1)
++ admin_pattern($1, rgmanager_var_lib_t)
++
++ files_list_pids($1)
++ admin_pattern($1, rgmanager_var_run_t)
++')
++
++######################################
++##
++## Allow the specified domain to execute rgmanager's lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_execute_lib',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++ can_exec($1, rgmanager_var_lib_t)
++')
++
++######################################
++##
++## Allow the specified domain to search rgmanager's lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_search_lib',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++')
+diff --git a/rgmanager.te b/rgmanager.te
+index b418d1c..1ad9c12 100644
+--- a/rgmanager.te
++++ b/rgmanager.te
+@@ -1,4 +1,4 @@
+-policy_module(rgmanager, 1.2.2)
++policy_module(rgmanager, 1.2.0)
+
+ ########################################
+ #
+@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2)
+ #
+
+ ##
+-##
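Review bot: `rgmanager_manage_files` is implemented with `admin_pattern`, which grants relabelfrom/relabelto plus full manage permissions on every object class of `rgmanager_var_lib_t` and `rgmanager_var_run_t`, so the interface hands out more than its summary ("manage rgmanager's lib/run files") promises, and a caller that only needs to write files picks up relabel rights it never asked for. `manage_files_pattern($1, rgmanager_var_lib_t, rgmanager_var_lib_t)` and `manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)` (with the dir patterns if callers create directories) match the documented contract; relabelling belongs in a separate `_relabel_` interface, as rhcs.if does further down with `rhcs_relabel_cluster_lib_files`. The var_run half also overlaps the new `rgmanager_manage_pid_files` in the `@@ -39,10 +38,28 @@` hunk above, so one of the two could simply call the other. `rgmanager_execute_lib` grants `can_exec` on a type the daemon itself can write (see rgmanager.te in this patch); its summary should warn callers that the lib directory is writable by rgmanager_t.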

    +-## Determine whether rgmanager can +-## connect to the network using TCP. +-##

    ++##

    ++## Allow rgmanager domain to connect to the network using TCP. ++##

    + ##
    + gen_tunable(rgmanager_can_network_connect, false)
+
+@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
+ type rgmanager_tmpfs_t;
+ files_tmpfs_file(rgmanager_tmpfs_t)
+
++type rgmanager_var_lib_t;
++files_type(rgmanager_var_lib_t)
++
+ type rgmanager_var_log_t;
+ logging_log_file(rgmanager_var_log_t)
+
+@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
+
+ ########################################
+ #
+-# Local policy
++# rgmanager local policy
+ #
+
+ allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+ allow rgmanager_t self:process { setsched signal };
++
+ allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+-allow rgmanager_t self:unix_stream_socket { accept listen };
+-allow rgmanager_t self:tcp_socket { accept listen };
++allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
++allow rgmanager_t self:unix_dgram_socket create_socket_perms;
++allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
+-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
++# var/lib files
++# # needed by hearbeat
++can_exec(rgmanager_t, rgmanager_var_lib_t)
++manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
++files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
++
++
++manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
++logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
++manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+ manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+ manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
++files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
+
++kernel_kill(rgmanager_t)
+ kernel_read_kernel_sysctls(rgmanager_t)
++kernel_read_rpc_sysctls(rgmanager_t)
+ kernel_read_system_state(rgmanager_t)
+ kernel_rw_rpc_sysctls(rgmanager_t)
+ kernel_search_debugfs(rgmanager_t)
+ kernel_search_network_state(rgmanager_t)
+
+-corenet_all_recvfrom_unlabeled(rgmanager_t)
+-corenet_all_recvfrom_netlabel(rgmanager_t)
+-corenet_tcp_sendrecv_generic_if(rgmanager_t)
+-corenet_tcp_sendrecv_generic_node(rgmanager_t)
+-
+ corecmd_exec_bin(rgmanager_t)
+ corecmd_exec_shell(rgmanager_t)
+
++# need to write to /dev/misc/dlm-control
+ dev_rw_dlm_control(rgmanager_t)
+ dev_setattr_dlm_control(rgmanager_t)
+ dev_search_sysfs(rgmanager_t)
+
+ domain_read_all_domains_state(rgmanager_t)
+ domain_getattr_all_domains(rgmanager_t)
+-domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+-files_list_all(rgmanager_t)
++files_create_var_run_dirs(rgmanager_t)
+ files_getattr_all_symlinks(rgmanager_t)
++files_list_all(rgmanager_t)
+ files_manage_mnt_dirs(rgmanager_t)
++files_manage_mnt_files(rgmanager_t)
++files_manage_mnt_symlinks(rgmanager_t)
++files_manage_isid_type_files(rgmanager_t)
+ files_manage_isid_type_dirs(rgmanager_t)
+-files_read_non_security_files(rgmanager_t)
+
++fs_getattr_xattr_fs(rgmanager_t)
+ fs_getattr_all_fs(rgmanager_t)
+
+ storage_raw_read_fixed_disk(rgmanager_t)
++storage_getattr_fixed_disk_dev(rgmanager_t)
+
+ term_getattr_pty_fs(rgmanager_t)
+
++# needed by resources scripts
++files_read_non_security_files(rgmanager_t)
+ auth_dontaudit_getattr_shadow(rgmanager_t)
+ auth_use_nsswitch(rgmanager_t)
+
+ init_domtrans_script(rgmanager_t)
++init_initrc_domain(rgmanager_t)
+
+ logging_send_syslog_msg(rgmanager_t)
+
+-miscfiles_read_localization(rgmanager_t)
++userdom_kill_all_users(rgmanager_t)
+
+ tunable_policy(`rgmanager_can_network_connect',`
+- corenet_sendrecv_all_client_packets(rgmanager_t)
+ corenet_tcp_connect_all_ports(rgmanager_t)
+- corenet_tcp_sendrecv_all_ports(rgmanager_t)
+ ')
+
++# rgmanager can run resource scripts
+ optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
++ corosync_stream_connect(rgmanager_t)
+ ')
+
+ optional_policy(`
+- consoletype_exec(rgmanager_t)
++ apache_domtrans(rgmanager_t)
++ apache_signal(rgmanager_t)
+ ')
+
+ optional_policy(`
+- corosync_stream_connect(rgmanager_t)
++ consoletype_exec(rgmanager_t)
+ ')
+
+ optional_policy(`
+- apache_domtrans(rgmanager_t)
+- apache_signal(rgmanager_t)
++ dbus_system_bus_client(rgmanager_t)
+ ')
+
+ optional_policy(`
+@@ -130,7 +150,6 @@ optional_policy(`
+
+ optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+- rhcs_stream_connect_gfs_controld(rgmanager_t)
+ ')
+
+ optional_policy(`
+@@ -140,6 +159,7 @@ optional_policy(`
+ optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
++ rhcs_stream_connect_gfs_controld(rgmanager_t)
+ ')
+
+ optional_policy(`
+@@ -147,6 +167,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ldap_initrc_domtrans(rgmanager_t)
++ ldap_systemctl(rgmanager_t)
++ ldap_domtrans(rgmanager_t)
++')
++
++optional_policy(`
+ mount_domtrans(rgmanager_t)
+ ')
+
+@@ -174,12 +200,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpc_initrc_domtrans_nfsd(rgmanager_t)
++ rpc_initrc_domtrans_rpcd(rgmanager_t)
++ rpc_systemctl_nfsd(rgmanager_t)
++ rpc_systemctl_rpcd(rgmanager_t)
++
+
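Review bot: `can_exec(rgmanager_t, rgmanager_var_lib_t)` sits next to `manage_files_pattern`, `manage_dirs_pattern` and `files_var_lib_filetrans` on the same type, so rgmanager_t can write a file under /var/lib/heartbeat or /usr/lib/heartbeat (both labelled `rgmanager_var_lib_t` by rgmanager.fc in this patch) and then execute it — the write-plus-execute pairing that an `_exec_t`/`bin_t` label on executables is there to prevent. If heartbeat must run helpers out of its lib directory, give those helpers a type the daemon cannot modify and keep `rgmanager_var_lib_t` for data; at minimum the comment should name the scripts, and `# # needed by hearbeat` should read `# needed by heartbeat`. Further down, `userdom_kill_all_users(rgmanager_t)`, `init_initrc_domain(rgmanager_t)` and `files_manage_isid_type_files(rgmanager_t)` are added with no comment on which resource agent needs them, which is what a reviewer needs to weigh grants of that breadth. The optional_policy list continues past this hunk.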
rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+ ')
+
+ optional_policy(`
++ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+@@ -201,5 +233,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ unconfined_domain(rgmanager_t)
++')
++
++optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+ ')
+diff --git a/rhcs.fc b/rhcs.fc
+index 47de2d6..98a4280 100644
+--- a/rhcs.fc
++++ b/rhcs.fc
+@@ -1,31 +1,85 @@
+-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
++/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+-/usr/sbin/gfs_controld --
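Review bot: `optional_policy(` `unconfined_domain(rgmanager_t)` `')` makes rgmanager_t unconfined whenever the unconfined module is loaded, so on such systems every allow rule in this file, the `rgmanager_can_network_connect` tunable and the `deny_ptrace` gating added to `rgmanager_admin` in rgmanager.if no longer restrict anything. If the goal is to stop resource-agent denials while the policy matures, `permissive rgmanager_t` or a dedicated boolean keeps the confinement inspectable and reversible; if the unconfined fallback is really intended, a comment above it naming the denials it works around is the minimum a later reviewer needs to remove it again.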
gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
++/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0)
+
+-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
++/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)
++/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+-/var/log/cluster/.*\.*log <>
++/var/log/cluster/.*\.*log <>
+ /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
++/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+ /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+-/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
++/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+
+ /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+-/var/run/dlm_controld(/.*)?
gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
++/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
++/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++
++# cluster administrative domains file spec
++/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
++
++/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/corosync --
gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++
++/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
++
++/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
++/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
++
++/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
++/var/run/rsctmp(/.*)?
gen_context(system_u:object_r:cluster_var_run_t,s0)
++
++/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
++/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
+diff --git a/rhcs.if b/rhcs.if
+index 56bc01f..2e4d698 100644
+--- a/rhcs.if
++++ b/rhcs.if
+@@ -1,19 +1,19 @@
+-## Red Hat Cluster Suite.
++## RHCS - Red Hat Cluster Suite
+
+ #######################################
+ ##
+-## The template to define a rhcs domain.
++## Creates types and rules for a basic
++## rhcs init daemon domain.
+ ##
+-##
++##
+ ##
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ##
+ ##
+ #
+ template(`rhcs_domain_template',`
+ gen_require(`
+- attribute cluster_domain, cluster_pid, cluster_tmpfs;
+- attribute cluster_log;
++ attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
+ ')
+
+ ##############################
+@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
++
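Review bot: The new "cluster administrative domains file spec" block assigns `cluster_*` types to paths that rgmanager.fc, earlier in this same patch, still labels with `rgmanager_*` types: `/etc/rc\.d/init\.d/{cpglockd,rgmanager,heartbeat}`, `/usr/sbin/{cpglockd,rgmanager,ccs_tool,cman_tool}`, `/usr/lib/heartbeat(/.*)?`, `/usr/lib/heartbeat/heartbeat`, `/var/lib/heartbeat(/.*)?`, `/var/run/heartbeat(/.*)?`, `/var/run/cluster/rgmanager\.sk`, `/var/run/{cpglockd,rgmanager}\.pid` and the `/var/log/cluster/{cpglockd,rgmanager}\.log.*` specs. With both modules loaded these are conflicting file-context specifications, and which label wins — or whether the policy builds at all — depends on module load order and tooling, so the labelling of the rgmanager binary and its init script becomes unpredictable. If rgmanager is being folded into the cluster domain, remove its duplicated entries (or the rgmanager module) in the same change, and say so in the comment that heads this block, e.g. `# supersedes the rgmanager module's specs for these paths`.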
files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
+
+- optional_policy(`
+- dbus_system_bus_client($1_t)
+- ')
++ auth_use_nsswitch($1_t)
++
++ logging_send_syslog_msg($1_t)
+ ')
+
+ ######################################
+ ##
+-## Execute a domain transition to
+-## run dlm_controld.
++## Execute a domain transition to run dlm_controld.
+ ##
+ ##
+-##
++##
+ ## Domain allowed to transition.
+-##
++##
+ ##
+ #
+ interface(`rhcs_domtrans_dlm_controld',`
+@@ -83,27 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',`
+
+ #####################################
+ ##
+-## Get attributes of fenced
+-## executable files.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`rhcs_getattr_fenced_exec_files',`
+- gen_require(`
+- type fenced_exec_t;
+- ')
+-
+- allow $1 fenced_exec_t:file getattr_file_perms;
+-')
+-
+-#####################################
+-##
+-## Connect to dlm_controld with a
+-## unix domain stream socket.
++## Connect to dlm_controld over a unix domain
++## stream socket.
+ ##
+ ##
+ ##
+@@ -122,7 +97,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
+
+ #####################################
+ ##
+-## Read and write dlm_controld semaphores.
++## Allow read and write access to dlm_controld semaphores.
+ ##
+ ##
+ ##
+@@ -160,9 +135,27 @@ interface(`rhcs_domtrans_fenced',`
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+ ')
+
++#####################################
++##
++## Allow a domain to getattr on fenced executable.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rhcs_getattr_fenced',`
++ gen_require(`
++ type fenced_t, fenced_exec_t;
++ ')
++
++ allow $1 fenced_exec_t:file getattr;
++')
++
+ ######################################
+ ##
+-## Read and write fenced semaphores.
++## Allow read and write access to fenced semaphores.
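Review bot: In `rhcs_domain_template` the `manage_dirs_pattern`/`append_files_pattern`/`create_files_pattern`/`setattr_files_pattern`/`manage_sock_files_pattern` rules on `$1_var_log_t` are removed while `logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })` is kept, so the template now requests a type transition for objects the domain is no longer granted to create — unless the `cluster_log` attribute it requires carries those rules somewhere not visible here. The same hunk drops `dir` from `files_pid_filetrans` although `manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)` stays, so directories a domain creates under /var/run will no longer get `$1_var_run_t`. Either restore the log rules and the `dir` class or add a comment such as `# create/append rules on $1_var_log_t come from the cluster_log attribute` pointing at where they now live. The template's start is outside this hunk.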
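Review bot: `rhcs_getattr_fenced` requires `fenced_t` but never uses it, grants bare `getattr` where every other interface in this file uses the `_file_perms` macros, and documents its parameter as "Domain allowed to transition" although nothing transitions. It is also the interface removed two hunks earlier as `rhcs_getattr_fenced_exec_files`, so any module still calling the old name stops building; keeping the old name (or a one-line alias) avoids that. Suggested body: `type fenced_exec_t;` in the require block, `allow $1 fenced_exec_t:file getattr_file_perms;`, and "Domain allowed access." for the parameter.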
+ ##
+ ##
+ ##
+@@ -181,10 +174,9 @@ interface(`rhcs_rw_fenced_semaphores',`
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+ ')
+
+-####################################
++######################################
+ ##
+-## Connect to all cluster domains
+-## with a unix domain stream socket.
++## Read fenced PID files.
+ ##
+ ##
+ ##
+@@ -192,19 +184,18 @@ interface(`rhcs_rw_fenced_semaphores',`
+ ##
+ ##
+ #
+-interface(`rhcs_stream_connect_cluster',`
++interface(`rhcs_read_fenced_pid_files',`
+ gen_require(`
+- attribute cluster_domain, cluster_pid;
++ type fenced_var_run_t;
+ ')
+
+ files_search_pids($1)
+- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
++ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
+ ')
+
+ ######################################
+ ##
+-## Connect to fenced with an unix
+-## domain stream socket.
++## Connect to fenced over a unix domain stream socket.
+ ##
+ ##
+ ##
+@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',`
+
+ #####################################
+ ##
+-## Execute a domain transition
+-## to run gfs_controld.
++## Execute a domain transition to run gfs_controld.
+ ##
+ ##
+ ##
+@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+
+ ####################################
+ ##
+-## Read and write gfs_controld semaphores.
++## Allow read and write access to gfs_controld semaphores.
+ ##
+ ##
+ ##
+@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+
+ ########################################
+ ##
+-## Read and write gfs_controld_t shared memory.
++## Read and write to gfs_controld_t shared memory.
+ ##
+ ##
+ ##
+@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+
+ #####################################
+ ##
+-## Connect to gfs_controld_t with
+-## a unix domain stream socket.
++## Connect to gfs_controld_t over a unix domain stream socket.
+ ##
+ ##
+ ##
+@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',`
+
+ #####################################
+ ##
+-## Connect to groupd with a unix
+-## domain stream socket.
++## Connect to groupd over a unix domain
++## stream socket.
+ ##
+ ##
+ ##
+@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ ')
+
++#####################################
++##
++## Allow read and write access to groupd semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_rw_groupd_semaphores',`
++ gen_require(`
++ type groupd_t, groupd_tmpfs_t;
++ ')
++
++ allow $1 groupd_t:sem { rw_sem_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
++')
++
++########################################
++##
++## Read and write to group shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_rw_groupd_shm',`
++ gen_require(`
++ type groupd_t, groupd_tmpfs_t;
++ ')
++
++ allow $1 groupd_t:shm { rw_shm_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
++')
++
+ ########################################
+ ##
+-## Read and write all cluster domains
+-## shared memory.
++## Read and write to group shared memory.
+ ##
+ ##
+ ##
+@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
+
+ ####################################
+ ##
+-## Read and write all cluster
+-## domains semaphores.
++## Read and write access to cluster domains semaphores.
+ ##
+ ##
+ ##
+@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+ ')
+
+-#####################################
++####################################
+ ##
+-## Read and write groupd semaphores.
++## Connect to cluster domains over a unix domain
++## stream socket.
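Review bot: The summary of `rhcs_rw_cluster_shm` is changed to "Read and write to group shared memory.", the same text as the newly added `rhcs_rw_groupd_shm` just above it, but the interface (body outside this hunk) acts on the `cluster_domain` attribute, so the doc now understates its scope; restore `## Read and write all cluster domains shared memory.` The two new groupd interfaces also grant `manage_files_pattern` on `groupd_tmpfs_t` and `destroy` on the sem/shm under a "read and write" summary — the file's existing fenced/gfs_controld interfaces do the same, so at least the summaries should mention that tmpfs files are managed and IPC objects may be destroyed.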
+ ##
+ ##
+ ##
+@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
+ ##
+ ##
+ #
+-interface(`rhcs_rw_groupd_semaphores',`
++interface(`rhcs_stream_connect_cluster',`
+ gen_require(`
+- type groupd_t, groupd_tmpfs_t;
++ attribute cluster_domain, cluster_pid;
+ ')
+ 
+- allow $1 groupd_t:sem { rw_sem_perms destroy };
+-
+- fs_search_tmpfs($1)
+- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+ ')
+ 
+-########################################
++#####################################
+ ##
+-## Read and write groupd shared memory.
++## Connect to cluster domains over a unix domain
++## stream socket.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## Domain allowed access.
++##
++##
+ #
+-interface(`rhcs_rw_groupd_shm',`
++interface(`rhcs_stream_connect_cluster_to',`
+ gen_require(`
+- type groupd_t, groupd_tmpfs_t;
++ attribute cluster_domain;
++ attribute cluster_pid;
+ ')
+ 
+- allow $1 groupd_t:shm { rw_shm_perms destroy };
+-
+- fs_search_tmpfs($1)
+- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
+ ')
+ 
+ ######################################
+@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
+ 
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an rhcs environment.
++## Allow domain to read qdiskd tmpfs files
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`rhcs_read_qdiskd_tmpfs_files',`
++ gen_require(`
++ type qdiskd_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ allow $1 qdiskd_tmpfs_t:file read_file_perms;
++')
++
++######################################
++##
++## Allow domain to read cluster lib files
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
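Review bot: `rhcs_stream_connect_cluster_to` carries the same summary as `rhcs_stream_connect_cluster` and documents both of its parameters as `Domain allowed access.`, yet its body passes `$2` as the target of `stream_connect_pattern`, so the second parameter is the cluster domain being connected to rather than a client. Suggest `## Connect to the specified cluster domain over a unix domain stream socket.` for the summary and `## Cluster domain to connect to.` for the second parameter block. The two `attribute` lines in its gen_require can also be joined as `attribute cluster_domain, cluster_pid;` to match the interface directly above it.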
+ ## + ## +-## + # +-interface(`rhcs_admin',` ++interface(`rhcs_read_cluster_lib_files',` + gen_require(` +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; +- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; +- type fenced_tmp_t, qdiskd_var_lib_t; ++ type cluster_var_lib_t; + ') + +- allow $1 cluster_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, cluster_domain) ++ files_search_var_lib($1) ++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') ++ ++##################################### ++## ++## Allow domain to manage cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; ++ files_search_var_lib($1) ++ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) ++#################################### ++## ++## Allow domain to relabel cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_relabel_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') + +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) ++###################################### ++## ++## Execute a domain transition to run cluster administrative domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`rhcs_domtrans_cluster',` ++ gen_require(` ++ type cluster_t, cluster_exec_t; ++ ') + +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, cluster_exec_t, cluster_t) ++') + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) ++####################################### ++## ++## Execute cluster init scripts in ++## the init script domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_initrc_domtrans_cluster',` ++ gen_require(` ++ type cluster_initrc_exec_t; ++ ') + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) ++ init_labeled_script_domtrans($1, cluster_initrc_exec_t) ++') ++ ++##################################### ++## ++## Execute cluster in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_exec_cluster',` ++ gen_require(` ++ type cluster_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, cluster_exec_t) ++') ++ ++###################################### ++## ++## Read cluster log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_read_log_cluster',` ++ gen_require(` ++ type cluster_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t) ++ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t) ++') ++ ++###################################### ++## ++## Setattr cluster log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_setattr_log_cluster',` ++ gen_require(` ++ type cluster_var_log_t; ++ ') ++ ++ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t) ++') ++ ++##################################### ++## ++## Allow the specified domain to read/write inherited cluster's tmpf files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rhcs_rw_inherited_cluster_tmp_files',` ++ gen_require(` ++ type cluster_tmp_t; ++ ') ++ ++ allow $1 cluster_tmp_t:file rw_inherited_file_perms; ++') ++ ++##################################### ++## ++## Allow manage cluster tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_tmp_files',` ++ gen_require(` ++ type cluster_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t) ++') ++ ++##################################### ++## ++## Allow the specified domain to read/write cluster's tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_rw_cluster_tmpfs',` ++ gen_require(` ++ type cluster_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++') ++ ++##################################### ++## ++## Allow manage cluster tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_tmpfs_files',` ++ gen_require(` ++ type cluster_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++') ++ ++##################################### ++## ++## Allow read cluster pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_read_cluster_pid_files',` ++ gen_require(` ++ type cluster_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t) ++') ++ ++ ++##################################### ++## ++## Allow manage cluster pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_pid_files',` ++ gen_require(` ++ type cluster_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t) ++') ++ ++####################################### ++## ++## Execute cluster server in the cluster domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`rhcs_systemctl_cluster',` ++ gen_require(` ++ type cluster_t; ++ type cluster_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 cluster_unit_file_t:file read_file_perms; ++ allow $1 cluster_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cluster_t) ++') ++ ++##################################### ++## ++## All of the rules required to administrate ++## an cluster environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rgmanager domain. ++## ++## ++## ++# ++interface(`rhcs_admin_cluster',` ++ gen_require(` ++ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t; ++ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t; ++ type cluster_unit_file_t; ++ ') ++ ++ allow $1 cluster_t:process signal_perms; ++ ps_process_pattern($1, cluster_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cluster_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, cluster_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 cluster_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, cluster_tmp_t) ++ ++ admin_pattern($1, cluster_tmpfs_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, cluster_var_log_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, cluster_var_run_t) + +- logging_search_logs($1) +- admin_pattern($1, cluster_log) ++ rhcs_systemctl_cluster($1) ++ admin_pattern($1, cluster_unit_file_t) ++ allow $1 cluster_unit_file_t:service all_service_perms; + ') +diff --git a/rhcs.te b/rhcs.te +index 2c2de9a..26fba30 100644 +--- a/rhcs.te ++++ b/rhcs.te +@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) + ## + gen_tunable(fenced_can_ssh, false) + ++## ++##
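Review bot: `rhcs_admin` is deleted outright and replaced by `rhcs_admin_cluster`, which covers only the cluster_t types, so any caller of rhcs_admin elsewhere in the policy will presumably fail to build, and no interface remains for administering dlm_controld, foghorn, fenced_lock_t, fenced_tmp_t or qdiskd_var_lib_t; either keep `rhcs_admin` as a wrapper that calls `rhcs_admin_cluster($1, $2)` plus the old rules, or confirm that no caller exists. Two of the new interfaces are inconsistent with their siblings: `rhcs_rw_cluster_tmpfs` omits `fs_search_tmpfs($1)` although `rhcs_manage_cluster_tmpfs_files` has it, and `rhcs_setattr_log_cluster` omits `logging_search_logs($1)` although `rhcs_read_log_cluster` has it. The second parameter of rhcs_admin_cluster is documented as `The role to be allowed to manage the rgmanager domain.` but the interface manages cluster_t; `The role to be allowed to manage the cluster domain.` matches the code. The summary of `rhcs_rw_inherited_cluster_tmp_files` has a typo (`tmpf files`).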

    ++## Allow cluster administrative domains to connect to the network using TCP. ++##

    ++##
    ++gen_tunable(cluster_can_network_connect, false) ++ ++## ++##

    ++## Allow cluster administrative domains to manage all files on a system. ++##

    ++##
    ++gen_tunable(cluster_manage_all_files, false) ++ ++## ++##

    ++## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory ++##

    ++##
    ++gen_tunable(cluster_use_execmem, false) ++ + attribute cluster_domain; + attribute cluster_log; + attribute cluster_pid; +@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t; + init_script_file(foghorn_initrc_exec_t) + + rhcs_domain_template(gfs_controld) ++rhcs_domain_template(haproxy) ++ ++type haproxy_var_lib_t; ++files_type(haproxy_var_lib_t) ++ ++type haproxy_unit_file_t; ++systemd_unit_file(haproxy_unit_file_t) ++ + rhcs_domain_template(groupd) + rhcs_domain_template(qdiskd) + + type qdiskd_var_lib_t; + files_type(qdiskd_var_lib_t) + ++# cluster_t is a new domain for administrative generic cluster services ++# (rgmanager, corosync, hearbeat, cman, pacemaker) ++rhcs_domain_template(cluster) ++ ++typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t }; ++typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t }; ++typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t }; ++typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t }; ++typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t }; ++ ++type cluster_initrc_exec_t; ++typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t }; ++init_script_file(cluster_initrc_exec_t) ++ ++type cluster_tmp_t; ++typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t }; ++files_tmp_file(cluster_tmp_t) ++ ++type cluster_var_lib_t; ++typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t }; ++files_type(cluster_var_lib_t) ++ ++type cluster_unit_file_t; ++typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t }; ++systemd_unit_file(cluster_unit_file_t) ++ + ##################################### + # + # Common cluster domains local 
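Review bot: The description of `cluster_use_execmem` reads `Allow cluster administrative cluster domains memcheck-amd64- to use executable memory`, which looks like a stray paste of a valgrind tool name plus a doubled "cluster"; `Allow cluster administrative domains to use executable memory.` would match the wording of the other two tunables. This text is what an administrator sees when listing booleans, and the tunable gates `self:process execmem` for the whole cluster_domain attribute in the next hunk, so the description should say plainly what is being relaxed.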
policy + # + + allow cluster_domain self:capability sys_nice; +-allow cluster_domain self:process setsched; ++allow cluster_domain self:process { signal setsched }; + allow cluster_domain self:sem create_sem_perms; + allow cluster_domain self:fifo_file rw_fifo_file_perms; + allow cluster_domain self:unix_stream_socket create_stream_socket_perms; + allow cluster_domain self:unix_dgram_socket create_socket_perms; + +-logging_send_syslog_msg(cluster_domain) ++manage_dirs_pattern(cluster_domain, cluster_log, cluster_log) ++manage_files_pattern(cluster_domain, cluster_log, cluster_log) ++manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log) + +-miscfiles_read_localization(cluster_domain) ++tunable_policy(`cluster_use_execmem',` ++ allow cluster_domain self:process execmem; ++') + + optional_policy(` + ccs_stream_connect(cluster_domain) + ') + + optional_policy(` +- corosync_stream_connect(cluster_domain) ++ dbus_system_bus_client(cluster_domain) ++') ++ ++##################################### ++# ++# cluster domain local policy ++# ++ ++allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner }; ++# for hearbeat ++allow cluster_t self:capability { net_raw chown }; ++allow cluster_t self:capability2 block_suspend; ++allow cluster_t self:process { setpgid setrlimit setsched signull }; ++ ++allow cluster_t self:tcp_socket create_stream_socket_perms; ++allow cluster_t self:shm create_shm_perms; ++ ++manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t) ++manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t) ++files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir }) ++ ++can_exec(cluster_t, cluster_var_lib_t) ++manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++manage_fifo_files_pattern(cluster_t, 
cluster_var_lib_t,cluster_var_lib_t) ++files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file }) ++ ++can_exec(cluster_t, cluster_exec_t) ++ ++kernel_kill(cluster_t) ++kernel_read_all_sysctls(cluster_t) ++kernel_read_system_state(cluster_t) ++kernel_rw_rpc_sysctls(cluster_t) ++kernel_search_debugfs(cluster_t) ++kernel_search_network_state(cluster_t) ++ ++corecmd_exec_bin(cluster_t) ++corecmd_exec_shell(cluster_t) ++ ++corenet_all_recvfrom_unlabeled(cluster_t) ++corenet_all_recvfrom_netlabel(cluster_t) ++corenet_udp_sendrecv_generic_if(cluster_t) ++corenet_udp_sendrecv_generic_node(cluster_t) ++corenet_udp_bind_generic_node(cluster_t) ++ ++corenet_sendrecv_netsupport_server_packets(cluster_t) ++corenet_udp_bind_netsupport_port(cluster_t) ++corenet_udp_sendrecv_netsupport_port(cluster_t) ++ ++corenet_sendrecv_cluster_server_packets(cluster_t) ++corenet_udp_bind_cluster_port(cluster_t) ++corenet_udp_sendrecv_cluster_port(cluster_t) ++ ++# need to write to /dev/misc/dlm-contro ++dev_rw_dlm_control(cluster_t) ++dev_setattr_dlm_control(cluster_t) ++dev_read_sysfs(cluster_t) ++dev_read_rand(cluster_t) ++dev_read_urand(cluster_t) ++ ++domain_read_all_domains_state(cluster_t) ++ ++fs_getattr_xattr_fs(cluster_t) ++fs_getattr_all_fs(cluster_t) ++ ++storage_raw_read_fixed_disk(cluster_t) ++ ++term_getattr_pty_fs(cluster_t) ++ ++files_manage_mounttab(cluster_t) ++# needed by resources scripts ++files_read_non_security_files(cluster_t) ++auth_dontaudit_getattr_shadow(cluster_t) ++ ++init_domtrans_script(cluster_t) ++init_initrc_domain(cluster_t) ++init_read_script_state(cluster_t) ++init_rw_script_tmp_files(cluster_t) ++init_manage_script_status_files(cluster_t) ++ ++userdom_read_user_tmp_files(cluster_t) ++userdom_delete_user_tmpfs_files(cluster_t) ++userdom_rw_user_tmpfs_files(cluster_t) ++userdom_kill_all_users(cluster_t) ++ ++tunable_policy(`cluster_can_network_connect',` ++ corenet_tcp_connect_all_ports(cluster_t) ++') ++ ++# we need to have 
dirs created with var_run_t in /run/cluster ++files_create_var_run_dirs(cluster_t) ++ ++tunable_policy(`cluster_manage_all_files',` ++ files_getattr_all_symlinks(cluster_t) ++ files_list_all(cluster_t) ++ files_manage_mnt_dirs(cluster_t) ++ files_manage_mnt_files(cluster_t) ++ files_manage_mnt_symlinks(cluster_t) ++ files_manage_isid_type_files(cluster_t) ++ files_manage_isid_type_dirs(cluster_t) ++ fs_manage_tmpfs_files(cluster_t) ++') ++ ++optional_policy(` ++ ccs_read_config(cluster_t) ++') ++ ++optional_policy(` ++ cmirrord_rw_shm(cluster_t) ++') ++ ++optional_policy(` ++ consoletype_exec(cluster_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(cluster_t) ++ lvm_rw_clvmd_tmpfs_files(cluster_t) ++ lvm_delete_clvmd_tmpfs_files(cluster_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(cluster_t) ++') ++ ++ ++optional_policy(` ++ hostname_exec(cluster_t) ++') ++ ++optional_policy(` ++ ccs_manage_config(cluster_t) ++ ccs_stream_connect(cluster_t) ++') ++ ++optional_policy(` ++ ldap_systemctl(cluster_t) ++') ++ ++optional_policy(` ++ mount_domtrans(cluster_t) ++') ++ ++optional_policy(` ++ mysql_domtrans_mysql_safe(cluster_t) ++ mysql_stream_connect(cluster_t) ++') ++ ++optional_policy(` ++ netutils_domtrans(cluster_t) ++ netutils_domtrans_ping(cluster_t) ++') ++ ++optional_policy(` ++ postgresql_signal(cluster_t) ++') ++ ++optional_policy(` ++ rhcs_getattr_fenced(cluster_t) ++ rhcs_rw_cluster_shm(cluster_t) ++ rhcs_rw_cluster_semaphores(cluster_t) ++ rhcs_stream_connect_cluster(cluster_t) ++ rhcs_relabel_cluster_lib_files(cluster_t) ++') ++ ++optional_policy(` ++ rdisc_exec(cluster_t) ++') ++ ++optional_policy(` ++ ricci_dontaudit_rw_modcluster_pipes(cluster_t) ++') ++ ++optional_policy(` ++ rpc_systemctl_nfsd(cluster_t) ++ rpc_systemctl_rpcd(cluster_t) ++ ++ rpc_domtrans_nfsd(cluster_t) ++ rpc_domtrans_rpcd(cluster_t) ++ rpc_manage_nfs_state_data(cluster_t) ++') ++ ++optional_policy(` ++ samba_manage_var_files(cluster_t) ++ samba_rw_config(cluster_t) ++ 
samba_signal_smbd(cluster_t) ++ samba_signal_nmbd(cluster_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(cluster_t) ++') ++ ++optional_policy(` ++ udev_read_db(cluster_t) ++') ++ ++optional_policy(` ++ virt_stream_connect(cluster_t) ++') ++ ++optional_policy(` ++ unconfined_domain(cluster_t) ++') ++ ++optional_policy(` ++ wdmd_rw_tmpfs(cluster_t) ++') ++ ++optional_policy(` ++ xen_domtrans_xm(cluster_t) + ') + + ##################################### +@@ -79,7 +349,7 @@ optional_policy(` + # dlm_controld local policy + # + +-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; ++allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource }; + allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + + stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t) + + init_rw_script_tmp_files(dlm_controld_t) + ++logging_send_syslog_msg(dlm_controld_t) ++ ++optional_policy(` ++ corosync_rw_tmpfs(dlm_controld_t) ++') ++ ++optional_policy(` ++ rhcs_stream_connect_cluster(dlm_controld_t) ++') ++ + ####################################### + # + # fenced local policy + # + + allow fenced_t self:capability { sys_rawio sys_resource }; +-allow fenced_t self:process { getsched signal_perms }; +-allow fenced_t self:tcp_socket { accept listen }; ++allow fenced_t self:process { getsched setpgid signal_perms }; ++ ++allow fenced_t self:tcp_socket create_stream_socket_perms; ++allow fenced_t self:udp_socket create_socket_perms; + allow fenced_t self:unix_stream_socket connectto; + ++can_exec(fenced_t, fenced_exec_t) ++ + manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) + files_lock_filetrans(fenced_t, fenced_lock_t, file) + +@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) + + stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + 
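Review bot: The `unconfined_domain(cluster_t)` call inside the optional_policy block near the end of the cluster_t section makes every other rule in this hunk, and the three cluster_* tunables above it, irrelevant on any system where the unconfined module is loaded, which is presumably the common case; if a confined cluster_t is the goal this should be dropped, or at least commented with why it is still needed and a `<BUG-ID>` placeholder for the issue that tracks removing it. Separately, `can_exec(cluster_t, cluster_var_lib_t)` together with `manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)` lets the domain execute files it can itself write, so executable content under its var_lib type is no longer integrity-protected by policy; a comment naming the component that requires this would help the next reviewer judge it. The typealias block also folds aisexec_t, corosync_t, pacemaker_t and rgmanager_t into a single domain, which is a deliberate loss of separation that deserves a sentence beyond `# cluster_t is a new domain for administrative generic cluster services`. Minor: the four `manage_*_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)` lines are missing the space after the comma that every other rule in the file uses.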
+-can_exec(fenced_t, fenced_exec_t) +- + kernel_read_system_state(fenced_t) ++kernel_read_network_state(fenced_t) + + corecmd_exec_bin(fenced_t) + corecmd_exec_shell(fenced_t) +@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) + + dev_read_sysfs(fenced_t) + dev_read_urand(fenced_t) +- +-files_read_usr_files(fenced_t) +-files_read_usr_symlinks(fenced_t) ++dev_read_rand(fenced_t) + + storage_raw_read_fixed_disk(fenced_t) + storage_raw_write_fixed_disk(fenced_t) +@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t) + term_use_generic_ptys(fenced_t) + term_use_ptmx(fenced_t) + +-auth_use_nsswitch(fenced_t) ++logging_send_syslog_msg(fenced_t) + + tunable_policy(`fenced_can_network_connect',` + corenet_sendrecv_all_client_packets(fenced_t) +@@ -182,7 +463,8 @@ optional_policy(` + ') + + optional_policy(` +- corosync_exec(fenced_t) ++ rhcs_exec_cluster(fenced_t) ++ rhcs_rw_cluster_tmpfs(fenced_t) + ') + + optional_policy(` +@@ -190,12 +472,12 @@ optional_policy(` + ') + + optional_policy(` +- gnome_read_generic_home_content(fenced_t) ++ lvm_domtrans(fenced_t) ++ lvm_read_config(fenced_t) + ') + + optional_policy(` +- lvm_domtrans(fenced_t) +- lvm_read_config(fenced_t) ++ sanlock_domtrans(fenced_t) + ') + + optional_policy(` +@@ -203,6 +485,13 @@ optional_policy(` + snmp_manage_var_lib_dirs(fenced_t) + ') + ++optional_policy(` ++ virt_domtrans(fenced_t) ++ virt_read_config(fenced_t) ++ virt_read_pid_files(fenced_t) ++ virt_stream_connect(fenced_t) ++') ++ + ####################################### + # + # foghorn local policy +@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) + corenet_tcp_connect_agentx_port(foghorn_t) + corenet_tcp_sendrecv_agentx_port(foghorn_t) + ++corenet_tcp_connect_snmp_port(foghorn_t) ++ + dev_read_urand(foghorn_t) + +-files_read_usr_files(foghorn_t) ++logging_send_syslog_msg(foghorn_t) + + optional_policy(` + dbus_connect_system_bus(foghorn_t) + ') + + optional_policy(` +- snmp_read_snmp_var_lib_files(foghorn_t) ++ 
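Review bot: In the `@@ -160,7 +441,7 @@` hunk `auth_use_nsswitch(fenced_t)` is replaced by `logging_send_syslog_msg(fenced_t)` rather than kept alongside it, so fenced_t loses name-service access here; unless it is granted elsewhere in the file, the fence agents that the `fenced_can_network_connect` and `fenced_can_ssh` tunables exist for will presumably fail host lookups. If the removal is intentional, a comment saying where nsswitch access now comes from would stop it being re-added; otherwise keep both lines.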
snmp_manage_var_lib_files(foghorn_t) + snmp_stream_connect(foghorn_t) + ') + +@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t) + + init_rw_script_tmp_files(gfs_controld_t) + ++logging_send_syslog_msg(gfs_controld_t) ++ + optional_policy(` + lvm_exec(gfs_controld_t) + dev_rw_lvm_control(gfs_controld_t) +@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) + + dev_list_sysfs(groupd_t) + +-files_read_etc_files(groupd_t) +- + init_rw_script_tmp_files(groupd_t) + ++logging_send_syslog_msg(groupd_t) ++ ++######################################## ++# ++# haproxy local policy ++# ++ ++# bug in haproxy and process vs pid owner ++allow haproxy_t self:capability dac_override; ++ ++allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; ++allow haproxy_t self:process { fork setrlimit signal_perms }; ++allow haproxy_t self:fifo_file rw_fifo_file_perms; ++allow haproxy_t self:unix_stream_socket create_stream_socket_perms; ++allow haproxy_t self:tcp_socket { accept listen }; ++ ++manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) ++manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) ++manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) ++manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) ++files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file }) ++ ++corenet_tcp_connect_commplex_link_port(haproxy_t) ++corenet_tcp_connect_commplex_main_port(haproxy_t) ++corenet_tcp_bind_commplex_main_port(haproxy_t) ++ ++corenet_tcp_connect_fmpro_internal_port(haproxy_t) ++corenet_tcp_connect_rtp_media_port(haproxy_t) ++ ++sysnet_dns_name_resolve(haproxy_t) ++ + ###################################### + # + # qdiskd local policy +@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t) + + auth_use_nsswitch(qdiskd_t) + ++logging_send_syslog_msg(qdiskd_t) ++ + optional_policy(` + netutils_domtrans_ping(qdiskd_t) + ') +diff --git 
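Review bot: In the haproxy section, `allow haproxy_t self:capability dac_override;` stands on its own line with the comment `# bug in haproxy and process vs pid owner` and a second `self:capability` set follows immediately; dac_override bypasses every file DAC check and is the widest grant in this block, so the comment should name the tracking bug (`# dac_override: pid file is opened as a different uid than the process, see <BUG-ID>`) so it can be retired when the bug is fixed, and the two statements can be merged. It is also worth a comment that haproxy, which is not a cluster daemon, is declared through `rhcs_domain_template(haproxy)` in the earlier hunk and therefore inherits every cluster_domain rule; a separate module would keep the cluster_domain attribute meaningful.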
a/rhev.fc b/rhev.fc +new file mode 100644 +index 0000000..4b66adf +--- /dev/null ++++ b/rhev.fc +@@ -0,0 +1,13 @@ ++/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++ ++/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++ ++/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) ++ ++/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) ++/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) ++ ++/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) ++/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) +diff --git a/rhev.if b/rhev.if +new file mode 100644 +index 0000000..bf11e25 +--- /dev/null ++++ b/rhev.if +@@ -0,0 +1,76 @@ ++## rhev polic module contains policies for rhev apps ++ ++##################################### ++## ++## Execute rhev-agentd in the rhev_agentd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhev_domtrans_agentd',` ++ gen_require(` ++ type rhev_agentd_t, rhev_agentd_exec_t; ++ ') ++ ++ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t) ++') ++ ++#################################### ++## ++## Read rhev-agentd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhev_read_pid_files_agentd',` ++ gen_require(` ++ type rhev_agentd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t) ++') ++ ++##################################### ++## ++## Connect to rhev_agentd over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`rhev_stream_connect_agentd',`
++ gen_require(`
++ type rhev_agentd_var_run_t, rhev_agentd_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
++')
++
++######################################
++##
++## Send sigchld to rhev-agentd
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`rhev_sigchld_agentd',`
++ gen_require(`
++ type rhev_agentd_t;
++ ')
++
++ allow $1 rhev_agentd_t:process sigchld;
++')
+diff --git a/rhev.te b/rhev.te
+new file mode 100644
+index 0000000..26f7884
+--- /dev/null
++++ b/rhev.te
+@@ -0,0 +1,116 @@
++policy_module(rhev,1.0)
++
++########################################
++#
++# Declarations
++#
++
++type rhev_agentd_t;
++type rhev_agentd_exec_t;
++init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
++
++type rhev_agentd_unit_file_t;
++systemd_unit_file(rhev_agentd_unit_file_t)
++
++type rhev_agentd_var_run_t;
++files_pid_file(rhev_agentd_var_run_t)
++
++type rhev_agentd_tmp_t;
++files_tmp_file(rhev_agentd_tmp_t)
++
++type rhev_agentd_log_t;
++logging_log_file(rhev_agentd_log_t)
++
++########################################
++#
++# rhev_agentd_t local policy
++#
++
++allow rhev_agentd_t self:capability { setuid setgid sys_nice };
++allow rhev_agentd_t self:process setsched;
++
++allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
++allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
++files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
++
++manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file }) ++ ++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t) ++manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t) ++files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir }) ++can_exec(rhev_agentd_t, rhev_agentd_tmp_t) ++ ++kernel_read_system_state(rhev_agentd_t) ++kernel_read_kernel_sysctls(rhev_agentd_t) ++ ++corecmd_exec_bin(rhev_agentd_t) ++corecmd_exec_shell(rhev_agentd_t) ++ ++dev_read_urand(rhev_agentd_t) ++ ++term_use_virtio_console(rhev_agentd_t) ++ ++fs_getattr_all_fs(rhev_agentd_t) ++ ++files_getattr_all_mountpoints(rhev_agentd_t) ++files_search_all_mountpoints(rhev_agentd_t) ++ ++auth_use_nsswitch(rhev_agentd_t) ++ ++init_read_utmp(rhev_agentd_t) ++ ++libs_exec_ldconfig(rhev_agentd_t) ++logging_send_syslog_msg(rhev_agentd_t) ++ ++optional_policy(` ++ rpm_read_db(rhev_agentd_t) ++ rpm_dontaudit_manage_db(rhev_agentd_t) ++') ++ ++optional_policy(` ++ ssh_signull(rhev_agentd_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(rhev_agentd_t) ++ dbus_connect_system_bus(rhev_agentd_t) ++ dbus_session_bus_client(rhev_agentd_t) ++') ++ ++optional_policy(` ++ xserver_dbus_chat_xdm(rhev_agentd_t) ++ xserver_stream_connect(rhev_agentd_t) ++') ++ ++###################################### ++# ++# rhev_agentd_t consolehelper local policy ++# ++ ++optional_policy(` ++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t) ++ ++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms; ++ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms; ++ ++ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t) ++ kernel_read_system_state(rhev_agentd_consolehelper_t) ++ ++ term_use_virtio_console(rhev_agentd_consolehelper_t) ++ ++ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t) ++ ++ optional_policy(` ++ dbus_session_bus_client(rhev_agentd_consolehelper_t) ++ ') ++ ++ 
optional_policy(` ++ unconfined_dbus_chat(rhev_agentd_consolehelper_t) ++ ') ++') +diff --git a/rhgb.if b/rhgb.if +index 1a134a7..793a29f 100644 +--- a/rhgb.if ++++ b/rhgb.if +@@ -1,4 +1,4 @@ +-## Red Hat Graphical Boot. ++## Red Hat Graphical Boot + + ######################################## + ## +@@ -18,7 +18,7 @@ interface(`rhgb_stub',` + + ######################################## + ## +-## Inherit and use rhgb file descriptors. ++## Use a rhgb file descriptor. + ## + ## + ## +@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',` + + ######################################## + ## +-## Send generic signals to rhgb. ++## Send a signal to rhgb. + ## + ## + ## +@@ -72,8 +72,7 @@ interface(`rhgb_signal',` + + ######################################## + ## +-## Read and write inherited rhgb unix +-## domain stream sockets. ++## Read and write to unix stream sockets. + ## + ## + ## +@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',` + + ######################################## + ## +-## Connected to rhgb with a unix +-## domain stream socket. ++## Connected to rhgb unix stream socket. + ## + ## + ## +@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',` + # + interface(`rhgb_stream_connect',` + gen_require(` +- type rhgb_t, rhgb_tmpfs_t; ++ type rhgb_t; + ') + +- fs_search_tmpfs($1) +- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t) ++ allow $1 rhgb_t:unix_stream_socket connectto; + ') + + ######################################## +@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',` + + ######################################## + ## +-## Read and write rhgb pty devices. ++## Read from and write to the rhgb devpts. + ## + ## + ## +@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',` + type rhgb_devpts_t; + ') + +- dev_list_all_dev_nodes($1) + allow $1 rhgb_devpts_t:chr_file rw_term_perms; + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write rhgb pty devices. 
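Review bot: `can_exec(rhev_agentd_t, rhev_agentd_tmp_t)` together with `manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)` lets the agent execute anything it has written to its own tmp files, which gives up the write-xor-execute separation that the distinct rhev_agentd_exec_t type is there to provide, for a daemon that (judging by `term_use_virtio_console`) talks to the host side. If the agent genuinely runs generated scripts from tmp, a comment naming that feature would let a later reviewer decide whether the rule can be dropped. Also `policy_module(rhev,1.0)` lacks the space and patch level used by `policy_module(rhnsd, 1.0.0)` later in this patch.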
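Review bot: In rhgb.if's `@@ -121,11 +119,10 @@` hunk, replacing `stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)` with a bare `allow $1 rhgb_t:unix_stream_socket connectto;` drops the write permission on the socket file and the tmpfs search, so a client of a filesystem-backed socket would presumably still be denied; the two are only equivalent if rhgb's socket is abstract. If that is the case, say so in the summary (`## Connect to rhgb's abstract unix stream socket.`) instead of the new `## Connected to rhgb unix stream socket.`, which is also grammatically off.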
++## dontaudit Read from and write to the rhgb devpts. + ## + ## + ## +@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',` + + ######################################## + ## +-## Read and write to rhgb tmpfs files. ++## Read and write to rhgb temporary file system. + ## + ## + ## +@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',` + type rhgb_tmpfs_t; + ') + +- + fs_search_tmpfs($1) + allow $1 rhgb_tmpfs_t:file rw_file_perms; + ') +diff --git a/rhgb.te b/rhgb.te +index 3f32e4b..f97ea42 100644 +--- a/rhgb.te ++++ b/rhgb.te +@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t) + corecmd_exec_bin(rhgb_t) + corecmd_exec_shell(rhgb_t) + +-corenet_all_recvfrom_unlabeled(rhgb_t) + corenet_all_recvfrom_netlabel(rhgb_t) + corenet_tcp_sendrecv_generic_if(rhgb_t) + corenet_tcp_sendrecv_generic_node(rhgb_t) +@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t) + + domain_use_interactive_fds(rhgb_t) + +-files_read_etc_files(rhgb_t) + files_read_var_files(rhgb_t) + files_read_etc_runtime_files(rhgb_t) + files_search_tmp(rhgb_t) +-files_read_usr_files(rhgb_t) + files_mounton_mnt(rhgb_t) + files_dontaudit_rw_root_dir(rhgb_t) + files_dontaudit_read_default_files(rhgb_t) +@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t) + + logging_send_syslog_msg(rhgb_t) + +-miscfiles_read_localization(rhgb_t) + miscfiles_read_fonts(rhgb_t) + miscfiles_dontaudit_write_fonts(rhgb_t) + +diff --git a/rhnsd.fc b/rhnsd.fc +new file mode 100644 +index 0000000..1936028 +--- /dev/null ++++ b/rhnsd.fc +@@ -0,0 +1,5 @@ ++/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0) ++ ++/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0) ++ ++/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0) +diff --git a/rhnsd.if b/rhnsd.if +new file mode 100644 +index 0000000..88087b7 +--- /dev/null ++++ b/rhnsd.if +@@ -0,0 +1,74 @@ ++## policy for rhnsd ++ ++######################################## ++## ++## Transition to rhnsd. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhnsd_domtrans',` ++ gen_require(` ++ type rhnsd_t, rhnsd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t) ++') ++ ++######################################## ++## ++## Execute rhnsd server in the rhnsd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhnsd_initrc_domtrans',` ++ gen_require(` ++ type rhnsd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rhnsd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`rhnsd_admin',` ++ gen_require(` ++ type rhnsd_t; ++ type rhnsd_initrc_exec_t; ++ ') ++ ++ allow $1 rhnsd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rhnsd_t) ++ ++ rhnsd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rhnsd_initrc_exec_t system_r; ++ allow $2 system_r; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rhnsd.te b/rhnsd.te +new file mode 100644 +index 0000000..0e965c3 +--- /dev/null ++++ b/rhnsd.te +@@ -0,0 +1,40 @@ ++policy_module(rhnsd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rhnsd_t; ++type rhnsd_exec_t; ++init_daemon_domain(rhnsd_t, rhnsd_exec_t) ++ ++type rhnsd_var_run_t; ++files_pid_file(rhnsd_var_run_t) ++ ++type rhnsd_initrc_exec_t; ++init_script_file(rhnsd_initrc_exec_t) ++ ++######################################## ++# ++# rhnsd local policy ++# ++ ++allow rhnsd_t self:capability { kill }; ++allow rhnsd_t self:process { fork signal }; ++allow rhnsd_t self:fifo_file rw_fifo_file_perms; ++allow rhnsd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, 
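Review bot: `rhnsd_admin` in the new rhnsd.if grants `allow $1 rhnsd_t:process { ptrace signal_perms };` unconditionally, while every other admin interface touched in this patch (`rhsmcertd_admin`, `ricci_admin`, `rng_admin`, `roundup_admin`) moves ptrace behind a `tunable_policy` block keyed on `deny_ptrace`. A new module should follow the same pattern so the `deny_ptrace` boolean actually removes ptrace from administrator domains: grant `allow $1 rhnsd_t:process signal_perms;` and put `allow $1 rhnsd_t:process ptrace;` inside the `deny_ptrace` tunable block. The `optional_policy` block that gives the admin domain `systemd_passwd_agent_exec` and `systemd_read_fifo_file_passwd_run` has no comment explaining why rhnsd administration needs the passwd agent; one line naming the use case would help later audits.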
rhnsd_var_run_t) ++manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t) ++files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file }) ++ ++corecmd_exec_bin(rhnsd_t) ++ ++ ++logging_send_syslog_msg(rhnsd_t) ++ ++optional_policy(` ++ # execute rhn_check ++ rpm_domtrans(rhnsd_t) ++') +diff --git a/rhsmcertd.if b/rhsmcertd.if +index 6dbc905..78746ef 100644 +--- a/rhsmcertd.if ++++ b/rhsmcertd.if +@@ -1,8 +1,8 @@ +-## Subscription Management Certificate Daemon. ++## Subscription Management Certificate Daemon policy + + ######################################## + ## +-## Execute rhsmcertd in the rhsmcertd domain. ++## Transition to rhsmcertd. + ## + ## + ## +@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',` + + ######################################## + ## +-## Execute rhsmcertd init scripts +-## in the initrc domain. ++## Execute rhsmcertd server in the rhsmcertd domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',` + + ######################################## + ## +-## Read rhsmcertd log files. ++## Read rhsmcertd's log files. + ## + ## + ## +@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',` + + ######################################## + ## +-## Append rhsmcertd log files. ++## Append to rhsmcertd log files. + ## + ## + ## +@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## rhsmcertd log files. ++## Manage rhsmcertd log files + ## + ## + ## +@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',` + type rhsmcertd_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## +@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',` + + ######################################## + ## +-## Create, read, write, and delete +-## rhsmcertd lib files. 
++## Manage rhsmcertd lib files. + ## + ## + ## +@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',` + + ######################################## + ## +-## Create, read, write, and delete +-## rhsmcertd lib directories. ++## Manage rhsmcertd lib directories. + ## + ## + ## +@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',` + + ######################################## + ## +-## Read rhsmcertd pid files. ++## Read rhsmcertd PID files. + ## + ## + ## +@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',` + allow $1 rhsmcertd_var_run_t:file read_file_perms; + ') + +-#################################### ++######################################## + ## +-## Connect to rhsmcertd with a +-## unix domain stream socket. ++## Read/wirte inherited lock files. + ## + ## + ## +@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',` + ## + ## + # ++interface(`rhsmcertd_rw_inherited_lock_files',` ++ gen_require(` ++ type rhsmcertd_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms; ++') ++ ++#################################### ++## ++## Connect to rhsmcertd over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# + interface(`rhsmcertd_stream_connect',` + gen_require(` + type rhsmcertd_t, rhsmcertd_var_run_t; +@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',` + + ###################################### + ## +-## Do not audit attempts to send +-## and receive messages from +-## rhsmcertd over dbus. ++## Dontaudit Send and receive messages from ++## rhsmcertd over dbus. + ## + ## +-## +-## Domain to not audit. +-## ++## ++## Domain allowed access. 
++## + ## + # + interface(`rhsmcertd_dontaudit_dbus_chat',` +- gen_require(` +- type rhsmcertd_t; +- class dbus send_msg; +- ') ++ gen_require(` ++ type rhsmcertd_t; ++ class dbus send_msg; ++ ') + +- dontaudit $1 rhsmcertd_t:dbus send_msg; +- dontaudit rhsmcertd_t $1:dbus send_msg; ++ dontaudit $1 rhsmcertd_t:dbus send_msg; ++ dontaudit rhsmcertd_t $1:dbus send_msg; + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an rhsmcertd environment. ++## All of the rules required to administrate ++## an rhsmcertd environment + ## + ## + ## +@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` + ## + ## + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. ++## + ## + ## + # ++ + interface(`rhsmcertd_admin',` + gen_require(` + type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; +- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t; ++ type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t; + ') + +- allow $1 rhsmcertd_t:process { ptrace signal_perms }; ++ allow $1 rhsmcertd_t:process signal_perms; + ps_process_pattern($1, rhsmcertd_t) + +- rhsmcertd_initrc_domtrans($1) +- domain_system_change_exemption($1) +- role_transition $2 rhsmcertd_initrc_exec_t system_r; +- allow $2 system_r; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rhsmcertd_t:process ptrace; ++ ') + +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) ++ rhsmcertd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rhsmcertd_initrc_exec_t system_r; ++ allow $2 system_r; + +- files_search_var_lib($1) +- admin_pattern($1, rhsmcertd_var_lib_t) ++ logging_search_logs($1) ++ admin_pattern($1, rhsmcertd_log_t) + +- files_search_pids($1) +- admin_pattern($1, rhsmcertd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, rhsmcertd_var_run_t) ++ ++ files_search_locks($1) ++ 
admin_pattern($1, rhsmcertd_lock_t) + +- files_search_locks($1) +- admin_pattern($1, rhsmcertd_lock_t) + ') +diff --git a/rhsmcertd.te b/rhsmcertd.te +index 1cedd70..0369e30 100644 +--- a/rhsmcertd.te ++++ b/rhsmcertd.te +@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) + # + + allow rhsmcertd_t self:capability sys_nice; +-allow rhsmcertd_t self:process { signal setsched }; ++allow rhsmcertd_t self:process { signal_perms setsched }; ++ + allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; + allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) + + manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) + files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) +@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + kernel_read_network_state(rhsmcertd_t) + kernel_read_system_state(rhsmcertd_t) + ++corenet_tcp_connect_http_port(rhsmcertd_t) ++ + corecmd_exec_bin(rhsmcertd_t) ++corecmd_exec_shell(rhsmcertd_t) + + dev_read_sysfs(rhsmcertd_t) + dev_read_rand(rhsmcertd_t) + dev_read_urand(rhsmcertd_t) ++dev_read_raw_memory(rhsmcertd_t) + + files_list_tmp(rhsmcertd_t) +-files_read_etc_files(rhsmcertd_t) +-files_read_usr_files(rhsmcertd_t) ++files_manage_generic_locks(rhsmcertd_t) ++files_manage_system_conf_files(rhsmcertd_t) ++ ++auth_read_passwd(rhsmcertd_t) + +-miscfiles_read_localization(rhsmcertd_t) +-miscfiles_read_generic_certs(rhsmcertd_t) ++init_read_state(rhsmcertd_t) ++ ++logging_send_syslog_msg(rhsmcertd_t) ++ ++miscfiles_manage_cert_files(rhsmcertd_t) ++miscfiles_manage_cert_dirs(rhsmcertd_t) + + sysnet_dns_name_resolve(rhsmcertd_t) + + 
optional_policy(` ++ dmidecode_domtrans(rhsmcertd_t) ++') ++ ++optional_policy(` ++ gnome_dontaudit_search_config(rhsmcertd_t) ++') ++ ++optional_policy(` + rpm_read_db(rhsmcertd_t) + ') +diff --git a/ricci.if b/ricci.if +index 2ab3ed1..23d579c 100644 +--- a/ricci.if ++++ b/ricci.if +@@ -1,13 +1,13 @@ +-## Ricci cluster management agent. ++## Ricci cluster management agent + + ######################################## + ## + ## Execute a domain transition to run ricci. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ricci_domtrans',` +@@ -15,19 +15,35 @@ interface(`ricci_domtrans',` + type ricci_t, ricci_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_exec_t, ricci_t) + ') + +-######################################## ++####################################### + ## +-## Execute a domain transition to +-## run ricci modcluster. ++## Execute ricci server in the ricci domain. + ## + ## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ricci_initrc_domtrans',` ++ gen_require(` ++ type ricci_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ricci_initrc_exec_t) ++') ++ ++######################################## + ## +-## Domain allowed to transition. ++## Execute a domain transition to run ricci_modcluster. + ## ++## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`ricci_domtrans_modcluster',` +@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',` + type ricci_modcluster_t, ricci_modcluster_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) + ') + + ######################################## + ## + ## Do not audit attempts to use +-## ricci modcluster file descriptors. ++## ricci_modcluster file descriptors. + ## + ## + ## +@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',` + ######################################## + ## + ## Do not audit attempts to read write +-## ricci modcluster unamed pipes. 
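Review bot: `dev_read_raw_memory(rhsmcertd_t)` in the rhsmcertd.te hunk gives the subscription certificate daemon direct read access to raw memory devices, a large expansion for a domain whose job is refreshing certificates. The same hunk adds `dmidecode_domtrans(rhsmcertd_t)` under `optional_policy`, which is the usual way to obtain hardware identifiers without holding the raw-memory permission in the daemon domain itself, so the direct grant looks redundant and should either be dropped or carry a comment naming the code path that needs it. `files_manage_system_conf_files`, `corecmd_exec_shell` and `miscfiles_manage_cert_files`/`miscfiles_manage_cert_dirs` are also new and uncommented; a short why-comment above each would make the widened footprint reviewable.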
++## ricci_modcluster unamed pipes. + ## + ## + ## +@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` + type ricci_modcluster_t; + ') + +- dontaudit $1 ricci_modcluster_t:fifo_file { read write }; ++ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## + ## +-## Connect to ricci_modclusterd with +-## a unix domain stream socket. ++## Connect to ricci_modclusterd over a unix stream socket. + ## + ## + ## +@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',` + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modlog. ++## Read and write to ricci_modcluserd temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ricci_rw_modclusterd_tmpfs_files',` ++ gen_require(` ++ type ricci_modclusterd_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## Execute a domain transition to run ricci_modlog. + ## + ## + ## +@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',` + type ricci_modlog_t, ricci_modlog_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modrpm. ++## Execute a domain transition to run ricci_modrpm. + ## + ## + ## +@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',` + type ricci_modrpm_t, ricci_modrpm_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modservice. ++## Execute a domain transition to run ricci_modservice. 
+ ## + ## + ## +@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',` + type ricci_modservice_t, ricci_modservice_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modstorage. ++## Execute a domain transition to run ricci_modstorage. + ## + ## + ## +@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',` + type ricci_modstorage_t, ricci_modstorage_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) + ') + ++#################################### ++## ++## Allow the specified domain to manage ricci's lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ricci_manage_lib_files',` ++ gen_require(` ++ type ricci_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ++') ++ + ######################################## + ## +-## All of the rules required to +-## administrate an ricci environment. 
++## All of the rules required to administrate ++## an ricci environment + ## + ## + ## +@@ -200,10 +245,13 @@ interface(`ricci_admin',` + type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; + ') + +- allow $1 ricci_t:process { ptrace signal_perms }; ++ allow $1 ricci_t:process signal_perms; + ps_process_pattern($1, ricci_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ricci_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, ricci_initrc_exec_t) ++ ricci_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ricci_initrc_exec_t system_r; + allow $2 system_r; +diff --git a/ricci.te b/ricci.te +index 9702ed2..a265af9 100644 +--- a/ricci.te ++++ b/ricci.te +@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) + + corecmd_exec_bin(ricci_t) + +-corenet_all_recvfrom_unlabeled(ricci_t) + corenet_all_recvfrom_netlabel(ricci_t) + corenet_tcp_sendrecv_generic_if(ricci_t) + corenet_tcp_sendrecv_generic_node(ricci_t) +@@ -136,7 +135,6 @@ dev_read_urand(ricci_t) + + domain_read_all_domains_state(ricci_t) + +-files_read_etc_files(ricci_t) + files_read_etc_runtime_files(ricci_t) + files_create_boot_flag(ricci_t) + +@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t) + + logging_send_syslog_msg(ricci_t) + +-miscfiles_read_localization(ricci_t) ++systemd_start_power_services(ricci_t) + + sysnet_dns_name_resolve(ricci_t) + +@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t) + + logging_send_syslog_msg(ricci_modcluster_t) + +-miscfiles_read_localization(ricci_modcluster_t) +- +-ricci_stream_connect_modclusterd(ricci_modcluster_t) +- + optional_policy(` +- aisexec_stream_connect(ricci_modcluster_t) +- corosync_stream_connect(ricci_modcluster_t) ++ ricci_stream_connect_modclusterd(ricci_modcluster_t) + ') + + optional_policy(` +@@ -271,7 +264,7 @@ optional_policy(` + ') + + optional_policy(` +- rgmanager_stream_connect(ricci_modcluster_t) ++ rhcs_stream_connect_cluster(ricci_modcluster_t) + ') + + 
######################################## +@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) + + logging_send_syslog_msg(ricci_modclusterd_t) + +-miscfiles_read_localization(ricci_modclusterd_t) +- + sysnet_domtrans_ifconfig(ricci_modclusterd_t) + + optional_policy(` +- aisexec_stream_connect(ricci_modclusterd_t) +- corosync_stream_connect(ricci_modclusterd_t) +-') +- +-optional_policy(` + ccs_domtrans(ricci_modclusterd_t) + ccs_stream_connect(ricci_modclusterd_t) + ccs_read_config(ricci_modclusterd_t) + ') + + optional_policy(` +- rgmanager_stream_connect(ricci_modclusterd_t) ++ rhcs_stream_connect_cluster(ricci_modclusterd_t) + ') + + optional_policy(` +@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t) + + domain_read_all_domains_state(ricci_modlog_t) + +-files_read_etc_files(ricci_modlog_t) + files_search_usr(ricci_modlog_t) + + logging_read_generic_logs(ricci_modlog_t) + +-miscfiles_read_localization(ricci_modlog_t) + + optional_policy(` + nscd_dontaudit_search_pid(ricci_modlog_t) +@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) + corecmd_exec_bin(ricci_modrpm_t) + + files_search_usr(ricci_modrpm_t) +-files_read_etc_files(ricci_modrpm_t) + +-miscfiles_read_localization(ricci_modrpm_t) ++logging_send_syslog_msg(ricci_modrpm_t) + + optional_policy(` + oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) +@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t) + corecmd_exec_bin(ricci_modservice_t) + corecmd_exec_shell(ricci_modservice_t) + +-files_read_etc_files(ricci_modservice_t) + files_read_etc_runtime_files(ricci_modservice_t) + files_search_usr(ricci_modservice_t) + files_manage_etc_symlinks(ricci_modservice_t) + + init_domtrans_script(ricci_modservice_t) + +-miscfiles_read_localization(ricci_modservice_t) ++logging_send_syslog_msg(ricci_modservice_t) + + optional_policy(` + ccs_read_config(ricci_modservice_t) +@@ -460,7 +442,6 @@ optional_policy(` + + allow ricci_modstorage_t self:capability { mknod 
sys_nice }; + allow ricci_modstorage_t self:process { setsched signal }; +-dontaudit ricci_modstorage_t self:process ptrace; + allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; + + kernel_read_kernel_sysctls(ricci_modstorage_t) +@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t) + + files_manage_etc_files(ricci_modstorage_t) + files_read_etc_runtime_files(ricci_modstorage_t) +-files_read_usr_files(ricci_modstorage_t) + files_read_kernel_modules(ricci_modstorage_t) + ++files_create_default_dir(ricci_modstorage_t) ++files_root_filetrans_default(ricci_modstorage_t, dir) ++files_mounton_default(ricci_modstorage_t) ++files_manage_default_dirs(ricci_modstorage_t) ++files_manage_default_files(ricci_modstorage_t) ++ + storage_raw_read_fixed_disk(ricci_modstorage_t) + + term_dontaudit_use_console(ricci_modstorage_t) + +-logging_send_syslog_msg(ricci_modstorage_t) +- +-miscfiles_read_localization(ricci_modstorage_t) ++auth_use_nsswitch(ricci_modstorage_t) + +-optional_policy(` +- aisexec_stream_connect(ricci_modstorage_t) +- corosync_stream_connect(ricci_modstorage_t) +-') ++logging_send_syslog_msg(ricci_modstorage_t) + + optional_policy(` + ccs_stream_connect(ricci_modstorage_t) +diff --git a/rlogin.fc b/rlogin.fc +index f111877..e361ee9 100644 +--- a/rlogin.fc ++++ b/rlogin.fc +@@ -1,5 +1,7 @@ +-HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +-HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) ++HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) ++HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) ++/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) ++/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) + + /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) + +diff --git a/rlogin.if b/rlogin.if +index 050479d..0e1b364 100644 +--- a/rlogin.if ++++ b/rlogin.if +@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',` 
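Review bot: The five new `files_*_default*` calls in the ricci.te hunk for `ricci_modstorage_t` allow creating directories directly under `/` (`files_root_filetrans_default`), mounting on them, and fully managing `default_t` content, which is the label carried by anything the policy does not otherwise classify. Nothing in the hunk says what the storage module creates there; a comment naming the mount-point path it manages, and ideally a dedicated type with a file-context entry instead of `default_t`, would keep this from becoming a generic write path to unclassified content. The hunk also adds `auth_use_nsswitch(ricci_modstorage_t)` alongside the localization removal, which is a functional addition rather than a cleanup and could use its own one-line comment.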
+ ## + ## + # +-template(`rlogin_read_home_content',` ++interface(`rlogin_read_home_content',` + gen_require(` + type rlogind_home_t; + ') +diff --git a/rlogin.te b/rlogin.te +index d34cdec..15d7ca6 100644 +--- a/rlogin.te ++++ b/rlogin.te +@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) + allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; + allow rlogind_t self:process signal_perms; + allow rlogind_t self:fifo_file rw_fifo_file_perms; +-allow rlogind_t self:tcp_socket { accept listen }; ++allow rlogind_t self:tcp_socket connected_stream_socket_perms; ++# for identd; cjp: this should probably only be inetd_child rules? ++allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + + allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(rlogind_t, rlogind_devpts_t) +@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; + + manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) + manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) +-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file }) + + manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) + files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) +@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) + kernel_read_system_state(rlogind_t) + kernel_read_network_state(rlogind_t) + +-corenet_all_recvfrom_unlabeled(rlogind_t) + corenet_all_recvfrom_netlabel(rlogind_t) + corenet_tcp_sendrecv_generic_if(rlogind_t) + corenet_udp_sendrecv_generic_if(rlogind_t) +@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t) + corenet_udp_sendrecv_generic_node(rlogind_t) + corenet_tcp_sendrecv_all_ports(rlogind_t) + corenet_udp_sendrecv_all_ports(rlogind_t) ++corenet_tcp_bind_rlogin_port(rlogind_t) ++corenet_tcp_bind_rlogind_port(rlogind_t) + + dev_read_urand(rlogind_t) + +@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t) + fs_search_auto_mountpoints(rlogind_t) 
+ + auth_domtrans_chk_passwd(rlogind_t) ++auth_signal_chk_passwd(rlogind_t) + auth_rw_login_records(rlogind_t) + auth_use_nsswitch(rlogind_t) + +@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t) + + logging_send_syslog_msg(rlogind_t) + +-miscfiles_read_localization(rlogind_t) +- + seutil_read_config(rlogind_t) + + userdom_search_user_home_dirs(rlogind_t) + userdom_setattr_user_ptys(rlogind_t) ++# cjp: this is egregious ++userdom_read_user_home_content_files(rlogind_t) ++userdom_search_admin_dir(rlogind_t) ++userdom_manage_user_tmp_files(rlogind_t) ++userdom_tmp_filetrans_user_tmp(rlogind_t, file) + userdom_use_user_terminals(rlogind_t) ++userdom_home_reader(rlogind_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_list_nfs(rlogind_t) +- fs_read_nfs_files(rlogind_t) +- fs_read_nfs_symlinks(rlogind_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_list_cifs(rlogind_t) +- fs_read_cifs_files(rlogind_t) +- fs_read_cifs_symlinks(rlogind_t) +-') ++rlogin_read_home_content(rlogind_t) + + optional_policy(` + kerberos_keytab_template(rlogind, rlogind_t) +- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0") +- kerberos_manage_host_rcache(rlogind_t) ++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") + ') + + optional_policy(` +diff --git a/rngd.fc b/rngd.fc +index 5dd779e..276eb3a 100644 +--- a/rngd.fc ++++ b/rngd.fc +@@ -1,3 +1,5 @@ + /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0) ++ + /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) +diff --git a/rngd.if b/rngd.if +index 0e759a2..9c83bc9 100644 +--- a/rngd.if ++++ b/rngd.if +@@ -2,6 +2,28 @@ + + ######################################## + ## ++## Execute rngd in the rngd domain. ++## ++## ++## ++## Domain allowed to transition. 
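Review bot: `userdom_read_user_home_content_files(rlogind_t)` and `userdom_home_reader(rlogind_t)` in the rlogin.te hunk let rlogind read every user's home content, while the same hunk adds `rlogin_read_home_content(rlogind_t)`, which already covers the `.rhosts`/`.rlogin` files labeled `rlogind_home_t` in rlogin.fc. The inline `# cjp: this is egregious` comment acknowledges the problem but the rules stay in; unless the broad reads are known to be required, keep only `rlogin_read_home_content(rlogind_t)` and drop the two userdom calls, or document the specific file rlogind reads outside `rlogind_home_t`. The removed `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks are not re-added anywhere visible, so home directories on NFS or CIFS presumably lose access unless `userdom_home_reader` covers them, which is worth confirming before merging.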
++## ++## ++# ++interface(`rng_systemctl_rngd',` ++ gen_require(` ++ type rngd_t, rngd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 rngd_unit_file_t:file read_file_perms; ++ allow $1 rngd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rngd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an rng environment. + ## +@@ -17,16 +39,24 @@ + ## + ## + # +-interface(`rngd_admin',` ++interface(`rng_admin',` + gen_require(` +- type rngd_t, rngd_initrc_exec_t; ++ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t; + ') + +- allow $1 rngd_t:process { ptrace signal_perms }; ++ allow $1 rngd_t:process signal_perms; + ps_process_pattern($1, rngd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rngd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, rngd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rngd_initrc_exec_t system_r; + allow $2 system_r; ++ ++ rng_systemctl_rngd($1) ++ admin_pattern($1, rngd_unit_file_t) ++ allow $1 rngd_unit_file_t:service all_service_perms; + ') +diff --git a/rngd.te b/rngd.te +index 35c1427..2519caa 100644 +--- a/rngd.te ++++ b/rngd.te +@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) + type rngd_initrc_exec_t; + init_script_file(rngd_initrc_exec_t) + ++type rngd_unit_file_t; ++systemd_unit_file(rngd_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -29,8 +32,5 @@ dev_read_urand(rngd_t) + dev_rw_tpm(rngd_t) + dev_write_rand(rngd_t) + +-files_read_etc_files(rngd_t) +- + logging_send_syslog_msg(rngd_t) + +-miscfiles_read_localization(rngd_t) +diff --git a/roundup.if b/roundup.if +index 975bb6a..ce4f5ea 100644 +--- a/roundup.if ++++ b/roundup.if +@@ -23,8 +23,11 @@ interface(`roundup_admin',` + type roundup_initrc_exec_t; + ') + +- allow $1 roundup_t:process { ptrace signal_perms }; ++ allow $1 roundup_t:process signal_perms; + ps_process_pattern($1, roundup_t) ++ 
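Review bot: `rngd_admin` is renamed to `rng_admin` in the rngd.if hunk, which silently breaks any caller of the old name elsewhere in this large patch and leaves the interface prefix no longer matching the module and type name `rngd`. Keep the original name, or add a compatibility interface named `rngd_admin` that simply calls `rng_admin($1, $2)` with a comment marking it deprecated. Within the body, `allow $1 rngd_unit_file_t:service all_service_perms;` directly after `rng_systemctl_rngd($1)` (which already grants `manage_service_perms`) is the stacking used by the other unit-file admin interfaces, so it is consistent, but a comment distinguishing the two grants would help.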
tunable_policy(`deny_ptrace',`',` ++ allow $1 roundup_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, roundup_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/roundup.te b/roundup.te +index 353960c..3b74aae 100644 +--- a/roundup.te ++++ b/roundup.te +@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) + + corecmd_exec_bin(roundup_t) + +-corenet_all_recvfrom_unlabeled(roundup_t) + corenet_all_recvfrom_netlabel(roundup_t) + corenet_tcp_sendrecv_generic_if(roundup_t) + corenet_tcp_sendrecv_generic_node(roundup_t) +@@ -60,16 +59,11 @@ dev_read_urand(roundup_t) + + domain_use_interactive_fds(roundup_t) + +-files_read_etc_files(roundup_t) +-files_read_usr_files(roundup_t) +- + fs_getattr_all_fs(roundup_t) + fs_search_auto_mountpoints(roundup_t) + + logging_send_syslog_msg(roundup_t) + +-miscfiles_read_localization(roundup_t) +- + sysnet_dns_name_resolve(roundup_t) + + userdom_dontaudit_use_unpriv_user_fds(roundup_t) +diff --git a/rpc.fc b/rpc.fc +index a6fb30c..b0c22f7 100644 +--- a/rpc.fc ++++ b/rpc.fc +@@ -1,12 +1,23 @@ +-/etc/exports -- gen_context(system_u:object_r:exports_t,s0) ++# ++# /etc ++# ++/etc/exports -- gen_context(system_u:object_r:exports_t,s0) ++/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + +-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) ++/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) ++/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) + +-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +-/sbin/sm-notify -- 
gen_context(system_u:object_r:rpcd_exec_t,s0) ++# ++# /sbin ++# ++/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + ++# ++# /usr ++# + /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) +@@ -16,7 +27,11 @@ + /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) + /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + +-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) ++# ++# /var ++# ++/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) + + /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) +-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) ++/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) ++ +diff --git a/rpc.if b/rpc.if +index 3bd6446..eec0a35 100644 +--- a/rpc.if ++++ b/rpc.if +@@ -1,4 +1,4 @@ +-## Remote Procedure Call Daemon. ++## Remote Procedure Call Daemon for managment of network based process communication + + ######################################## + ## +@@ -20,15 +20,21 @@ interface(`rpc_stub',` + ## + ## The template to define a rpc domain. + ## +-## ++## ++##

    ++## This template creates a domain to be used for ++## a new rpc daemon. ++##

    ++##
    ++## + ## +-## Domain prefix to be used. ++## The type of daemon to be used. + ## + ## + # + template(`rpc_domain_template',` + gen_require(` +- attribute rpc_domain; ++ type var_lib_nfs_t; + ') + + ######################################## +@@ -36,18 +42,86 @@ template(`rpc_domain_template',` + # Declarations + # + +- type $1_t, rpc_domain; ++ type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) +- + domain_use_interactive_fds($1_t) + +- ######################################## ++ #################################### + # +- # Policy ++ # Local Policy + # + ++ dontaudit $1_t self:capability { net_admin sys_tty_config }; ++ allow $1_t self:capability net_bind_service; ++ allow $1_t self:process signal_perms; ++ allow $1_t self:unix_dgram_socket create_socket_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:udp_socket create_socket_perms; ++ ++ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) ++ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) ++ ++ kernel_list_proc($1_t) ++ kernel_read_proc_symlinks($1_t) ++ kernel_read_kernel_sysctls($1_t) ++ # bind to arbitary unused ports ++ kernel_rw_rpc_sysctls($1_t) ++ ++ dev_read_sysfs($1_t) ++ dev_read_urand($1_t) ++ dev_read_rand($1_t) ++ ++ corenet_all_recvfrom_netlabel($1_t) ++ corenet_tcp_sendrecv_generic_if($1_t) ++ corenet_udp_sendrecv_generic_if($1_t) ++ corenet_tcp_sendrecv_generic_node($1_t) ++ corenet_udp_sendrecv_generic_node($1_t) ++ corenet_tcp_sendrecv_all_ports($1_t) ++ corenet_udp_sendrecv_all_ports($1_t) ++ corenet_tcp_bind_generic_node($1_t) ++ corenet_udp_bind_generic_node($1_t) ++ corenet_tcp_bind_reserved_port($1_t) ++ corenet_tcp_connect_all_ports($1_t) ++ corenet_sendrecv_portmap_client_packets($1_t) ++ # do not log when it tries to bind to a port belonging to another domain ++ corenet_dontaudit_tcp_bind_all_ports($1_t) ++ corenet_dontaudit_udp_bind_all_ports($1_t) ++ # 
bind to arbitary unused ports ++ corenet_tcp_bind_generic_port($1_t) ++ corenet_udp_bind_generic_port($1_t) ++ corenet_tcp_bind_all_rpc_ports($1_t) ++ corenet_udp_bind_all_rpc_ports($1_t) ++ corenet_sendrecv_generic_server_packets($1_t) ++ ++ fs_rw_rpc_named_pipes($1_t) ++ fs_search_auto_mountpoints($1_t) ++ ++ files_read_etc_files($1_t) ++ files_read_etc_runtime_files($1_t) ++ files_search_var($1_t) ++ files_search_var_lib($1_t) ++ files_list_home($1_t) ++ + auth_use_nsswitch($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ ++ ++ userdom_dontaudit_use_unpriv_user_fds($1_t) ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_t) ++ ') ++ ++ optional_policy(` ++ seutil_sigchld_newrole($1_t) ++ ') ++ ++ optional_policy(` ++ udev_read_db($1_t) ++ ') + ') + + ######################################## +@@ -66,8 +140,8 @@ interface(`rpc_udp_send',` + + ######################################## + ## +-## Do not audit attempts to get +-## attributes of export files. ++## Do not audit attempts to get the attributes ++## of the NFS export file. + ## + ## + ## +@@ -80,12 +154,12 @@ interface(`rpc_dontaudit_getattr_exports',` + type exports_t; + ') + +- dontaudit $1 exports_t:file getattr; ++ dontaudit $1 exports_t:file getattr_file_perms; + ') + + ######################################## + ## +-## Read export files. ++## Allow read access to exports. + ## + ## + ## +@@ -103,7 +177,7 @@ interface(`rpc_read_exports',` + + ######################################## + ## +-## Write export files. ++## Allow write access to exports. + ## + ## + ## +@@ -116,12 +190,12 @@ interface(`rpc_write_exports',` + type exports_t; + ') + +- allow $1 exports_t:file write; ++ allow $1 exports_t:file write_file_perms; + ') + + ######################################## + ## +-## Execute nfsd in the nfsd domain. ++## Execute domain in nfsd domain. 
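Review bot: `rpc_domain_template` no longer adds `$1_t` to the `rpc_domain` attribute (`type $1_t, rpc_domain;` became `type $1_t;` and the `gen_require` now pulls in `var_lib_nfs_t` instead), so any rule elsewhere written against the attribute stops covering domains built from this template; if the attribute is being retired its other uses need the same treatment, otherwise the declaration should be restored. The template body also grows to grant every rpc daemon `corenet_tcp_connect_all_ports($1_t)`, `corenet_tcp_bind_reserved_port($1_t)`, the generic-port bind calls and `files_list_home($1_t)`; connect-to-all-ports in particular is far wider than the rpc/portmap ports the surrounding lines name, and it is only a guess that every template user needs it. A comment above each of those lines naming the daemon that requires it, or moving them into the specific .te files, would keep the template at the minimum shared set. The `# bind to arbitary unused ports` comment is also duplicated (above `kernel_rw_rpc_sysctls` and again above `corenet_tcp_bind_generic_port`) and misspells "arbitrary".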
+ ## + ## + ## +@@ -134,14 +208,12 @@ interface(`rpc_domtrans_nfsd',` + type nfsd_t, nfsd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, nfsd_exec_t, nfsd_t) + ') + + ####################################### + ## +-## Execute nfsd init scripts in +-## the initrc domain. ++## Execute domain in nfsd domain. + ## + ## + ## +@@ -159,7 +231,7 @@ interface(`rpc_initrc_domtrans_nfsd',` + + ######################################## + ## +-## Execute rpcd in the rpcd domain. ++## Execute nfsd server in the nfsd domain. + ## + ## + ## +@@ -167,120 +239,126 @@ interface(`rpc_initrc_domtrans_nfsd',` + ## + ## + # +-interface(`rpc_domtrans_rpcd',` ++interface(`rpc_systemctl_nfsd',` + gen_require(` +- type rpcd_t, rpcd_exec_t; ++ type nfsd_unit_file_t; ++ type nfsd_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, rpcd_exec_t, rpcd_t) ++ systemd_exec_systemctl($1) ++ allow $1 nfsd_unit_file_t:file read_file_perms; ++ allow $1 nfsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, nfsd_t) + ') + +-####################################### ++######################################## + ## +-## Execute rpcd init scripts in +-## the initrc domain. ++## Send kill signals to rpcd. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +-interface(`rpc_initrc_domtrans_rpcd',` ++interface(`rpc_kill_rpcd',` + gen_require(` +- type rpcd_initrc_exec_t; ++ type rpcd_t; + ') + +- init_labeled_script_domtrans($1, rpcd_initrc_exec_t) ++ allow $1 rpcd_t:process sigkill; + ') + + ######################################## + ## +-## Read nfs exported content. ++## Execute domain in rpcd domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## +-## + # +-interface(`rpc_read_nfs_content',` ++interface(`rpc_domtrans_rpcd',` + gen_require(` +- type nfsd_ro_t, nfsd_rw_t; ++ type rpcd_t, rpcd_exec_t; + ') + +- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; +- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; +- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; ++ domtrans_pattern($1, rpcd_exec_t, rpcd_t) ++ allow rpcd_t $1:process signal; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## nfs exported read write content. ++## Execute rpcd in the rcpd domain, and ++## allow the specified role the rpcd domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## ++## ++## ++## Role allowed access. ++## ++## + ## + # +-interface(`rpc_manage_nfs_rw_content',` ++interface(`rpc_run_rpcd',` + gen_require(` +- type nfsd_rw_t; ++ type rpcd_t; + ') + +- manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) +- manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) +- manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) ++ rpc_domtrans_rpcd($1) ++ role $2 types rpcd_t; + ') + +-######################################## ++####################################### + ## +-## Create, read, write, and delete +-## nfs exported read only content. ++## Execute domain in rpcd domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## +-## + # +-interface(`rpc_manage_nfs_ro_content',` ++interface(`rpc_initrc_domtrans_rpcd',` + gen_require(` +- type nfsd_ro_t; ++ type rpcd_initrc_exec_t; + ') + +- manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) +- manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) +- manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) ++ init_labeled_script_domtrans($1, rpcd_initrc_exec_t) + ') + + ######################################## + ## +-## Read and write to nfsd tcp sockets. ++## Execute rpcd server in the rpcd domain. + ## + ## + ## +-## Domain allowed access. 
++## Domain allowed to transition. + ## + ## + # +-interface(`rpc_tcp_rw_nfs_sockets',` ++interface(`rpc_systemctl_rpcd',` + gen_require(` +- type nfsd_t; ++ type rpcd_unit_file_t; ++ type rpcd_t; + ') + +- allow $1 nfsd_t:tcp_socket rw_socket_perms; ++ systemd_exec_systemctl($1) ++ allow $1 rpcd_unit_file_t:file read_file_perms; ++ allow $1 rpcd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rpcd_t) + ') + + ######################################## + ## +-## Read and write to nfsd udp sockets. ++## Allow domain to read and write to an NFS UDP socket. + ## + ## + ## +@@ -312,7 +390,7 @@ interface(`rpc_udp_send_nfs',` + + ######################################## + ## +-## Search nfs lib directories. ++## Search NFS state data in /var/lib/nfs. + ## + ## + ## +@@ -326,12 +404,12 @@ interface(`rpc_search_nfs_state_data',` + ') + + files_search_var_lib($1) +- allow $1 var_lib_nfs_t:dir search; ++ allow $1 var_lib_nfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read nfs lib files. ++## List NFS state data in /var/lib/nfs. + ## + ## + ## +@@ -339,19 +417,18 @@ interface(`rpc_search_nfs_state_data',` + ## + ## + # +-interface(`rpc_read_nfs_state_data',` ++interface(`rpc_list_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) +- read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ++ allow $1 var_lib_nfs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## nfs lib files. ++## Read NFS state data in /var/lib/nfs. 
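Review bot: The new `rpc_domtrans_rpcd` adds `allow rpcd_t $1:process signal;`, a reverse grant from the daemon back to every caller that only asked for a domain transition, and nothing in the hunk explains why rpcd must be able to signal its callers. Interfaces named `*_domtrans` conventionally grant only the caller-to-daemon direction; if a specific parent/child pair needs this (I cannot tell from here), give it a comment such as `# rpcd signals the domain that started it: <which daemon and why>` or move it to a separate interface so callers opt in. The hunk also deletes `rpc_read_nfs_content`, `rpc_manage_nfs_rw_content`, `rpc_manage_nfs_ro_content` and `rpc_tcp_rw_nfs_sockets` without deprecation stubs, so any module still calling them will fail at build time rather than degrade gracefully.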
+ ## + ## + ## +@@ -359,62 +436,31 @@ interface(`rpc_read_nfs_state_data',` + ## + ## + # +-interface(`rpc_manage_nfs_state_data',` ++interface(`rpc_read_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) +- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ++ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an rpc environment. ++## Manage NFS state data in /var/lib/nfs. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`rpc_admin',` ++interface(`rpc_manage_nfs_state_data',` + gen_require(` +- attribute rpc_domain; +- type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; +- type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; +- type nfsd_ro_t, nfsd_rw_t; ++ type var_lib_nfs_t; + ') + +- allow $1 rpc_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, rpc_domain) +- +- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r; +- allow $2 system_r; +- +- files_list_etc($1) +- admin_pattern($1, exports_t) +- +- files_list_var_lib($1) +- admin_pattern($1, var_lib_nfs_t) +- +- files_list_pids($1) +- admin_pattern($1, rpcd_var_run_t) +- +- files_list_all($1) +- admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) +- +- files_list_tmp($1) +- admin_pattern($1, gssd_tmp_t) +- +- fs_search_nfsd_fs($1) ++ files_search_var_lib($1) ++ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ++ allow $1 var_lib_nfs_t:file relabel_file_perms; + ') +diff --git a/rpc.te b/rpc.te +index e5212e6..022f7fc 100644 +--- a/rpc.te ++++ b/rpc.te +@@ -1,4 +1,4 @@ +-policy_module(rpc, 1.14.6) ++policy_module(rpc, 1.14.0) + + ######################################## + # +@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6) + # + + ## +-##
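Review bot: `rpc_admin` is removed outright and the renamed `rpc_manage_nfs_state_data` now also grants `allow $1 var_lib_nfs_t:file relabel_file_perms;`, i.e. relabelfrom and relabelto, which is wider than the "Manage NFS state data" summary advertises. A caller that only needs to create and delete state files should not gain the ability to relabel them out of `var_lib_nfs_t`; either split relabel into its own interface or state it in the summary, `## Manage and relabel NFS state data in /var/lib/nfs.`. With `rpc_admin` gone, the ptrace/signal, init-script transition and `admin_pattern` rules it provided have no visible replacement in this file, and any role module that called it no longer compiles.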

    +-## Determine whether gssd can read +-## generic user temporary content. +-##

    ++##

    ++## Allow gssd to list tmp directories and read the kerberos credential cache. ++##

    + ##
    +-gen_tunable(allow_gssd_read_tmp, false) ++gen_tunable(gssd_read_tmp, true) + + ## +-##

    +-## Determine whether nfs can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow nfs servers to modify public files ++## used for public file transfer services. Files/Directories must be ++## labeled public_content_rw_t. ++##

    + ##
    +-gen_tunable(allow_nfsd_anon_write, false) +- +-attribute rpc_domain; ++gen_tunable(nfsd_anon_write, false) + + type exports_t; + files_config_file(exports_t) +@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t) + type rpcd_var_run_t; + files_pid_file(rpcd_var_run_t) + ++# rpcd_t is the domain of rpc daemons. ++# rpc_exec_t is the type of rpc daemon programs. + rpc_domain_template(rpcd) + + type rpcd_initrc_exec_t; + init_script_file(rpcd_initrc_exec_t) + ++type rpcd_unit_file_t; ++systemd_unit_file(rpcd_unit_file_t) ++ + rpc_domain_template(nfsd) + + type nfsd_initrc_exec_t; + init_script_file(nfsd_initrc_exec_t) + +-type nfsd_rw_t; +-files_type(nfsd_rw_t) +- +-type nfsd_ro_t; +-files_type(nfsd_ro_t) ++type nfsd_unit_file_t; ++systemd_unit_file(nfsd_unit_file_t) + + type var_lib_nfs_t; + files_mountpoint(var_lib_nfs_t) + + ######################################## + # +-# Common rpc domain local policy +-# +- +-dontaudit rpc_domain self:capability { net_admin sys_tty_config }; +-allow rpc_domain self:process signal_perms; +-allow rpc_domain self:unix_stream_socket { accept listen }; +-allow rpc_domain self:tcp_socket { accept listen }; +- +-manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) +-manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) +- +-kernel_read_system_state(rpc_domain) +-kernel_read_kernel_sysctls(rpc_domain) +-kernel_rw_rpc_sysctls(rpc_domain) +- +-dev_read_sysfs(rpc_domain) +-dev_read_urand(rpc_domain) +-dev_read_rand(rpc_domain) +- +-corenet_all_recvfrom_unlabeled(rpc_domain) +-corenet_all_recvfrom_netlabel(rpc_domain) +-corenet_tcp_sendrecv_generic_if(rpc_domain) +-corenet_udp_sendrecv_generic_if(rpc_domain) +-corenet_tcp_sendrecv_generic_node(rpc_domain) +-corenet_udp_sendrecv_generic_node(rpc_domain) +-corenet_tcp_sendrecv_all_ports(rpc_domain) +-corenet_udp_sendrecv_all_ports(rpc_domain) +-corenet_tcp_bind_generic_node(rpc_domain) +-corenet_udp_bind_generic_node(rpc_domain) +- 
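Review bot: `gen_tunable(gssd_read_tmp, true)` flips the default of the old `allow_gssd_read_tmp` boolean from false to true at the same moment it is renamed, so every system taking this policy silently gains gssd access to user tmp unless an administrator opts out. A default that widens access should be stated in the boolean's description, e.g. `## Enabled by default because the Kerberos credential cache is normally under /tmp.` (adjust if that is not the motivation). The renames of both booleans also orphan any `allow_gssd_read_tmp` / `allow_nfsd_anon_write` values persisted in local boolean settings unless an alias or migration exists elsewhere, which this file does not show.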
+-corenet_sendrecv_all_server_packets(rpc_domain) +-corenet_tcp_bind_reserved_port(rpc_domain) +-corenet_tcp_connect_all_ports(rpc_domain) +-corenet_sendrecv_portmap_client_packets(rpc_domain) +-corenet_dontaudit_tcp_bind_all_ports(rpc_domain) +-corenet_dontaudit_udp_bind_all_ports(rpc_domain) +-corenet_tcp_bind_generic_port(rpc_domain) +-corenet_udp_bind_generic_port(rpc_domain) +-corenet_tcp_bind_all_rpc_ports(rpc_domain) +-corenet_udp_bind_all_rpc_ports(rpc_domain) +- +-fs_rw_rpc_named_pipes(rpc_domain) +-fs_search_auto_mountpoints(rpc_domain) +- +-files_read_etc_runtime_files(rpc_domain) +-files_read_usr_files(rpc_domain) +-files_list_home(rpc_domain) +- +-logging_send_syslog_msg(rpc_domain) +- +-miscfiles_read_localization(rpc_domain) +- +-userdom_dontaudit_use_unpriv_user_fds(rpc_domain) +- +-optional_policy(` +- rpcbind_stream_connect(rpc_domain) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(rpc_domain) +-') +- +-optional_policy(` +- udev_read_db(rpc_domain) +-') +- +-######################################## +-# +-# Local policy ++# RPC local policy + # + + allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; + allow rpcd_t self:capability2 block_suspend; ++ + allow rpcd_t self:process { getcap setcap }; + allow rpcd_t self:fifo_file rw_fifo_file_perms; + ++allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; + manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) + manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) + files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) + ++# rpc.statd executes sm-notify + can_exec(rpcd_t, rpcd_exec_t) + ++kernel_read_system_state(rpcd_t) + kernel_read_network_state(rpcd_t) ++# for rpc.rquotad + kernel_read_sysctl(rpcd_t) + kernel_rw_fs_sysctls(rpcd_t) + kernel_dontaudit_getattr_core_if(rpcd_t) +@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t) + + storage_getattr_fixed_disk_dev(rpcd_t) + ++init_read_utmp(rpcd_t) ++ + selinux_dontaudit_read_fs(rpcd_t) + + 
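Review bot: The types `nfsd_rw_t` and `nfsd_ro_t` are deleted from rpc.te with no `typealias`, so files still carrying those labels on disk, and any file context or third-party module that references them, are left with an undefined type once this policy loads. If retiring them is intentional, a comment at the point of removal saying so and pointing at how exported trees are labelled now (`# nfsd_rw_t/nfsd_ro_t retired; TODO: note the replacement labelling for exports`) saves the next reader a search; if not, keep them as aliases of whatever type now covers exports. In the move of the shared rules into the template, `corenet_all_recvfrom_unlabeled(rpc_domain)` is dropped without a replacement in this file; presumably it is granted globally in this policy tree, but that is worth confirming since rpc traffic on an unlabelled network would otherwise be denied.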
miscfiles_read_generic_certs(rpcd_t) + +-seutil_dontaudit_search_config(rpcd_t) +- +-userdom_signal_all_users(rpcd_t) ++userdom_signal_unpriv_users(rpcd_t) ++userdom_read_user_home_content_files(rpcd_t) + + optional_policy(` + automount_signal(rpcd_t) +@@ -174,19 +110,23 @@ optional_policy(` + ') + + optional_policy(` +- nis_read_ypserv_config(rpcd_t) ++ domain_unconfined_signal(rpcd_t) + ') + + optional_policy(` +- quota_manage_db_files(rpcd_t) ++ quota_manage_db(rpcd_t) + ') + + optional_policy(` +- rgmanager_manage_tmp_files(rpcd_t) ++ nis_read_ypserv_config(rpcd_t) + ') + + optional_policy(` +- unconfined_signal(rpcd_t) ++ quota_read_db(rpcd_t) ++') ++ ++optional_policy(` ++ rhcs_manage_cluster_tmp_files(rpcd_t) + ') + + ######################################## +@@ -195,41 +135,56 @@ optional_policy(` + # + + allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; ++dontaudit nfsd_t self:capability sys_rawio; + + allow nfsd_t exports_t:file read_file_perms; +-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; + ++# for /proc/fs/nfs/exports - should we have a new type? 
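Review bot: `userdom_read_user_home_content_files(rpcd_t)` gives the rpc daemons unconditional read access to the contents of every user's home files, and the hunk offers no reason. Resolving and stat'ing export paths would justify search/getattr, but reading file contents under home directories is a much wider grant (I cannot tell from here which daemon produced the denial); it should at least carry a why-comment, `# rpcd reads user home content: <daemon> needs it for <reason>`, and ideally sit behind a boolean in the spirit of nfs_export_all_ro rather than being always on. The change from `userdom_signal_all_users` to `userdom_signal_unpriv_users` narrows access and looks fine.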
++kernel_read_system_state(nfsd_t) + kernel_read_network_state(nfsd_t) + kernel_dontaudit_getattr_core_if(nfsd_t) + kernel_setsched(nfsd_t) + kernel_request_load_module(nfsd_t) +-# kernel_mounton_proc(nfsd_t) ++kernel_mounton_proc(nfsd_t) ++ ++corecmd_exec_shell(nfsd_t) + +-corenet_sendrecv_nfs_server_packets(nfsd_t) ++corenet_tcp_bind_all_rpc_ports(nfsd_t) ++corenet_udp_bind_all_rpc_ports(nfsd_t) + corenet_tcp_bind_nfs_port(nfsd_t) + corenet_udp_bind_nfs_port(nfsd_t) +- +-corecmd_exec_shell(nfsd_t) ++corenet_udp_bind_mountd_port(nfsd_t) ++corenet_tcp_bind_mountd_port(nfsd_t) + + dev_dontaudit_getattr_all_blk_files(nfsd_t) + dev_dontaudit_getattr_all_chr_files(nfsd_t) + dev_rw_lvm_control(nfsd_t) + ++# does not really need this, but it is easier to just allow it ++files_search_pids(nfsd_t) ++# for exportfs and rpc.mountd + files_getattr_tmp_dirs(nfsd_t) ++# cjp: this should really have its own type + files_manage_mounttab(nfsd_t) ++files_read_etc_runtime_files(nfsd_t) + ++fs_mounton_nfsd_fs(nfsd_t) + fs_mount_nfsd_fs(nfsd_t) + fs_getattr_all_fs(nfsd_t) + fs_getattr_all_dirs(nfsd_t) +-fs_rw_nfsd_fs(nfsd_t) +-# fs_manage_nfsd_fs(nfsd_t) ++fs_manage_nfsd_fs(nfsd_t) + + storage_dontaudit_read_fixed_disk(nfsd_t) + storage_raw_read_removable_device(nfsd_t) + ++# Read access to public_content_t and public_content_rw_t + miscfiles_read_public_files(nfsd_t) + +-tunable_policy(`allow_nfsd_anon_write',` ++userdom_filetrans_home_content(nfsd_t) ++userdom_list_user_tmp(nfsd_t) ++ ++# Write access to public_content_t and public_content_rw_t ++tunable_policy(`nfsd_anon_write',` + miscfiles_manage_public_files(nfsd_t) + ') + +@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',` + dev_getattr_all_chr_files(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) +- files_manage_non_auth_files(nfsd_t) + ') + + tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',` + + fs_read_noxattr_fs_files(nfsd_t) + +- files_list_non_auth_dirs(nfsd_t) +- 
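Review bot: `kernel_mounton_proc(nfsd_t)` and `fs_manage_nfsd_fs(nfsd_t)` were commented out in the old file, which reads as a deliberate restriction, and are enabled here together with the new `userdom_filetrans_home_content(nfsd_t)` without a word of justification. Each should carry the observed denial or feature that requires it, e.g. `# nfsd mounts and manages the nfsd filesystem under /proc: <reason>`. The home-content file transition means files nfsd creates inside user homes are labelled as user content, which is worth calling out beside the call since it changes what an export write can produce on the server.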
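Review bot: Removing `files_manage_non_auth_files(nfsd_t)` from the `nfs_export_all_rw` branch leaves only getattr and read rules visible in this hunk, so either the write side of "export all read-write" now comes from somewhere outside this hunk or the boolean no longer does what its name promises. Please confirm, and if the grant moved, leave a pointer next to the tunable, `# write access for nfs_export_all_rw is granted via <interface> elsewhere`, so the boolean description and its rules stay in step.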
files_read_non_auth_files(nfsd_t) ++ files_read_non_security_files(nfsd_t) + ') + + optional_policy(` + mount_exec(nfsd_t) ++ mount_manage_pid_files(nfsd_t) + ') + + ######################################## +@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) + manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) + files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) + ++kernel_read_system_state(gssd_t) + kernel_read_network_state(gssd_t) + kernel_read_network_state_symlinks(gssd_t) + kernel_request_load_module(gssd_t) +@@ -279,25 +234,29 @@ kernel_signal(gssd_t) + + corecmd_exec_bin(gssd_t) + +-fs_list_inotifyfs(gssd_t) + fs_list_rpc(gssd_t) + fs_rw_rpc_sockets(gssd_t) + fs_read_rpc_files(gssd_t) +-fs_read_nfs_files(gssd_t) ++fs_read_nfsd_files(gssd_t) + ++fs_list_inotifyfs(gssd_t) + files_list_tmp(gssd_t) ++files_read_usr_symlinks(gssd_t) + files_dontaudit_write_var_dirs(gssd_t) + ++auth_use_nsswitch(gssd_t) + auth_manage_cache(gssd_t) + + miscfiles_read_generic_certs(gssd_t) + + userdom_signal_all_users(gssd_t) + +-tunable_policy(`allow_gssd_read_tmp',` ++tunable_policy(`gssd_read_tmp',` + userdom_list_user_tmp(gssd_t) + userdom_read_user_tmp_files(gssd_t) + userdom_read_user_tmp_symlinks(gssd_t) ++ userdom_manage_user_tmp_files(gssd_t) ++ files_read_generic_tmp_files(gssd_t) + ') + + optional_policy(` +@@ -306,8 +265,11 @@ optional_policy(` + + optional_policy(` + kerberos_keytab_template(gssd, gssd_t) +- kerberos_manage_host_rcache(gssd_t) +- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") ++ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") ++') ++ ++optional_policy(` ++ gssproxy_stream_connect(gssd_t) + ') + + optional_policy(` +diff --git a/rpcbind.if b/rpcbind.if +index 3b5e9ee..ff1163f 100644 +--- a/rpcbind.if ++++ b/rpcbind.if +@@ -1,4 +1,4 @@ +-## Universal Addresses to RPC Program Number Mapper. 
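Review bot: The `gssd_read_tmp` branch now contains `userdom_manage_user_tmp_files(gssd_t)` and `files_read_generic_tmp_files(gssd_t)`, so a boolean whose name and description say "read" actually lets gssd create, write and delete any user's tmp files, and the tunable hunk earlier in this file defaults it to on. Either describe it honestly, `## Allow gssd to read and manage user tmp files, including the kerberos credential cache.`, or keep the manage permission out of the read boolean and put it behind its own tunable defaulting to off. `auth_use_nsswitch(gssd_t)` and the `fs_read_nfs_files` to `fs_read_nfsd_files` change look like housekeeping.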
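Review bot: `kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")` drops the object-class argument the removed line passed as `file`, and `kerberos_manage_host_rcache(gssd_t)` is deleted outright, so gssd keeps the name transition into the host rcache but loses manage rights on it unless the two-argument interface or `kerberos_keytab_template` now grants them, which this file cannot show. A comment beside the call naming the kerberos module revision the two-argument form requires, `# needs kerberos.if with the 2-arg tmp_filetrans_host_rcache`, would make the build dependency explicit.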
++## Universal Addresses to RPC Program Number Mapper + + ######################################## + ## +@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',` + type rpcbind_t, rpcbind_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) + ') + + ######################################## + ## +-## Connect to rpcbindd with a +-## unix domain stream socket. ++## Connect to rpcbindd over an unix stream socket. + ## + ## + ## +@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',` + + ######################################## + ## +-## Read rpcbind pid files. ++## Read rpcbind PID files. + ## + ## + ## +@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',` + type rpcbind_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 rpcbind_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## +@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',` + type rpcbind_var_lib_t; + ') + +- files_search_var_lib($1) + read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) ++ files_search_var_lib($1) + ') + + ######################################## +@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',` + type rpcbind_var_lib_t; + ') + +- files_search_var_lib($1) + manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) ++ files_search_var_lib($1) + ') + + ######################################## + ## +-## Send null signals to rpcbind. ++## Send a null signal to rpcbind. + ## + ## + ## +@@ -136,8 +134,44 @@ interface(`rpcbind_signull',` + + ######################################## + ## +-## All of the rules required to +-## administrate an rpcbind environment. ++## Transition to rpcbind named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rpcbind_filetrans_named_content',` ++ gen_require(` ++ type rpcbind_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock") ++') ++ ++######################################## ++## ++## Relabel from rpcbind sock file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpcbind_relabel_sock_file',` ++ gen_require(` ++ type rpcbind_var_run_t; ++ ') ++ ++ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rpcbind environment + ## + ## + ## +@@ -146,7 +180,7 @@ interface(`rpcbind_signull',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the rpcbind domain. + ## + ## + ## +@@ -157,17 +191,20 @@ interface(`rpcbind_admin',` + type rpcbind_initrc_exec_t; + ') + +- allow $1 rpcbind_t:process { ptrace signal_perms }; ++ allow $1 rpcbind_t:process signal_perms; + ps_process_pattern($1, rpcbind_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rpcbind_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) ++ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rpcbind_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_pids($1) +- admin_pattern($1, rpcbind_var_run_t) +- +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, rpcbind_var_lib_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, rpcbind_var_run_t) + ') +diff --git a/rpcbind.te b/rpcbind.te +index c49828c..56cb0c2 100644 +--- a/rpcbind.te ++++ b/rpcbind.te +@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + kernel_request_load_module(rpcbind_t) + +-corenet_all_recvfrom_unlabeled(rpcbind_t) + corenet_all_recvfrom_netlabel(rpcbind_t) + corenet_tcp_sendrecv_generic_if(rpcbind_t) + corenet_udp_sendrecv_generic_if(rpcbind_t) +@@ 
-62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t) + + domain_use_interactive_fds(rpcbind_t) + +-files_read_etc_files(rpcbind_t) + files_read_etc_runtime_files(rpcbind_t) + +-logging_send_syslog_msg(rpcbind_t) ++auth_use_nsswitch(rpcbind_t) + +-miscfiles_read_localization(rpcbind_t) ++logging_send_syslog_msg(rpcbind_t) + + sysnet_dns_name_resolve(rpcbind_t) + +diff --git a/rpm.fc b/rpm.fc +index ebe91fc..6392cad 100644 +--- a/rpm.fc ++++ b/rpm.fc +@@ -1,61 +1,72 @@ +-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) +- +-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) + ++/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) +-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) ++ ++/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) + + /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) + 
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) +- +-ifdef(`distro_redhat',` +-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-') ++/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +-/var/cache/yum(/.*)? 
gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++ifdef(`distro_redhat', ` ++/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ++') ++ ++/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + +-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) ++/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/dnf(/.*)? 
gen_context(system_u:object_r:rpm_var_lib_t,s0) + +-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) +-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) + +-/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + +-/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +-/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) ++ ++# SuSE ++ifdef(`distro_suse', ` ++/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) ++') + + ifdef(`enable_mls',` +-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) + ') +diff --git a/rpm.if b/rpm.if +index 0628d50..cafc027 100644 +--- a/rpm.if ++++ b/rpm.if +@@ -1,8 +1,8 @@ +-## Redhat package manager. ++## Policy for the RPM package manager. + + ######################################## + ## +-## Execute rpm in the rpm domain. ++## Execute rpm programs in the rpm domain. + ## + ## + ## +@@ -13,16 +13,18 @@ + interface(`rpm_domtrans',` + gen_require(` + type rpm_t, rpm_exec_t; ++ attribute rpm_transition_domain; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rpm_exec_t, rpm_t) ++ typeattribute $1 rpm_transition_domain; ++ rpm_debuginfo_domtrans($1) + ') + + ######################################## + ## +-## Execute debuginfo install +-## in the rpm domain. ++## Execute debuginfo_install programs in the rpm domain. 
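Review bot: `/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt` is labelled `rpm_exec_t`, so a CIM provider agent started by the Pegasus broker will run in the package-manager domain rpm_t, which installs software system-wide; if that broker is remotely reachable (not something this file shows) this is a network path into a highly privileged domain. A one-line comment above the entry stating why the agent must run as rpm_t rather than in a confined provider domain, e.g. `# LMI software provider drives rpm/yum transactions and needs rpm_t`, would help the next reviewer. Separately, `/bin/yum-builddep` is added alongside `/usr/bin/yum-builddep`, which only matters if /bin is a real directory, and `/var/run/yum.*` keeps its pre-existing unescaped `.`.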
+ ## + ## + ## +@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',` + + ######################################## + ## +-## Execute rpm scripts in the rpm script domain. ++## Execute rpm_script programs in the rpm_script domain. + ## + ## + ## +@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',` + type rpm_script_t; + ') + ++ # transition to rpm script: + corecmd_shell_domtrans($1, rpm_script_t) +- + allow rpm_script_t $1:fd use; +- allow rpm_script_t $1:fifo_file rw_fifo_file_perms; ++ allow rpm_script_t $1:fifo_file rw_file_perms; + allow rpm_script_t $1:process sigchld; + ') + + ######################################## + ## +-## Execute rpm in the rpm domain, +-## and allow the specified roles the +-## rpm domain. ++## Execute RPM programs in the RPM domain. + ## + ## + ## +@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the RPM domain. + ## + ## + ## + # + interface(`rpm_run',` + gen_require(` +- attribute_role rpm_roles; ++ type rpm_t, rpm_script_t; ++ attribute_role rpm_script_roles; + ') + + rpm_domtrans($1) +- roleattribute $2 rpm_roles; ++ roleattribute $2 rpm_script_roles; ++ ++ domain_system_change_exemption($1) ++ role_transition $2 rpm_exec_t system_r; ++ allow $2 system_r; + ') + + ######################################## + ## +-## Execute the rpm in the caller domain. ++## Execute the rpm client in the caller domain. + ## + ## + ## +@@ -109,7 +114,7 @@ interface(`rpm_exec',` + + ######################################## + ## +-## Send null signals to rpm. ++## Send a null signal to rpm. + ## + ## + ## +@@ -127,7 +132,7 @@ interface(`rpm_signull',` + + ######################################## + ## +-## Inherit and use file descriptors from rpm. ++## Inherit and use file descriptors from RPM. + ## + ## + ## +@@ -145,7 +150,7 @@ interface(`rpm_use_fds',` + + ######################################## + ## +-## Read rpm unnamed pipes. ++## Read from an unnamed RPM pipe. 
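Review bot: `rpm_domtrans` now executes `typeattribute $1 rpm_transition_domain;` and `rpm_debuginfo_domtrans($1)` for every caller, so a domain that asked only for a transition to rpm_t also gets a transition into the debuginfo domain and is tagged with an attribute whose rules live outside this view. `typeattribute` requires `$1` to be a type, so any existing caller that passes an attribute will stop building; if that is acceptable, record it in the interface doc, `## Note: $1 must be a type; the caller also gains rpm_transition_domain and a debuginfo transition.`, otherwise move the attribute assignment and debuginfo transition into a separate opt-in interface.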
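Review bot: `rpm_run` now adds `role_transition $2 rpm_exec_t system_r;` and `allow $2 system_r;`, so every role granted rpm_run can switch to system_r by executing rpm, yet the summary was shortened to "Execute RPM programs in the RPM domain" and the role parameter says only "The role to allow the RPM domain". The role change should be stated, e.g. `## and allow the role to transition to system_r when executing rpm.` The `gen_require` lists `rpm_t` and `rpm_script_t`, which the body never uses, while `rpm_exec_t`, which it does use, is only required transitively through `rpm_domtrans`; list what the body references.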
+ ## + ## + ## +@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',` + + ######################################## + ## +-## Read and write rpm unnamed pipes. ++## Read and write an unnamed RPM pipe. + ## + ## + ## +@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',` + + ######################################## + ## ++## Read and write an unnamed RPM script pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_rw_script_inherited_pipes',` ++ gen_require(` ++ type rpm_script_tmp_t; ++ ') ++ ++ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rpm_dontaudit_leaks',` ++ gen_require(` ++ type rpm_t, rpm_var_cache_t; ++ type rpm_script_t, rpm_var_run_t, rpm_tmp_t; ++ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; ++ ') ++ ++ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 rpm_t:tcp_socket { read write }; ++ dontaudit $1 rpm_t:unix_dgram_socket { read write }; ++ dontaudit $1 rpm_t:shm rw_shm_perms; ++ ++ dontaudit $1 rpm_script_t:fd use; ++ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++ ++ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms; ++ ++ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; ++ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_var_lib_t:dir getattr; ++ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Send and receive messages from + ## rpm over dbus. 
+ ## +@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',` + ######################################## + ## + ## Send and receive messages from +-## rpm script over dbus. ++## rpm_script over dbus. + ## + ## + ## +@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',` + + ######################################## + ## +-## Search rpm log directories. ++## Search RPM log directory. + ## + ## + ## +@@ -263,7 +322,8 @@ interface(`rpm_search_log',` + + ##################################### + ## +-## Append rpm log files. ++## Allow the specified domain to append ++## to rpm log files. + ## + ## + ## +@@ -276,14 +336,30 @@ interface(`rpm_append_log',` + type rpm_log_t; + ') + +- logging_search_logs($1) +- append_files_pattern($1, rpm_log_t, rpm_log_t) ++ allow $1 rpm_log_t:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. ++## Create, read, write, and delete the RPM log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_read_log',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ ++ read_files_pattern($1, rpm_log_t, rpm_log_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete the RPM log. + ## + ## + ## +@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` + + ######################################## + ## +-## Inherit and use rpm script file descriptors. ++## Inherit and use file descriptors from RPM scripts. + ## + ## + ## +@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` + + ######################################## + ## +-## Create, read, write, and delete +-## rpm script temporary files. ++## Create, read, write, and delete RPM ++## script temporary files. 
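Review bot: The summary of the new rpm_rw_script_inherited_pipes, `Read and write an unnamed RPM script pipe.`, does not match its body, which allows `rpm_script_tmp_t:fifo_file`, i.e. named pipes that rpm scripts create in tmp; an unnamed pipe would be `rpm_script_t:fifo_file`, as rpm_rw_pipes above does with rpm_t. Either reword the summary to `Read and write inherited rpm script temporary pipes.` or change the type so it matches the name. The rpm_dontaudit_leaks summary `dontaudit read and write an leaked file descriptors` should read `Do not audit reads and writes of leaked rpm file descriptors.`.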
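Review bot: The new rpm_read_log is documented as `Create, read, write, and delete the RPM log.`, which is the summary of rpm_manage_log right below it; its body only calls read_files_pattern, so the summary should be `Read the RPM log.`. In rpm_append_log, replacing `logging_search_logs($1)` and the append_files_pattern call with `allow $1 rpm_log_t:file append_inherited_file_perms;` drops the directory search and open permissions, so a caller that opens the log by path rather than inheriting a descriptor will now be denied. If that narrowing is intended, say so in the interface description (or name it an inherited-only interface); otherwise keep the pattern.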
+ ## + ## + ## +@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` + ') + + files_search_tmp($1) ++ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ++ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + ') + + ##################################### + ## +-## Append rpm temporary files. ++## Allow the specified domain to append ++## to rpm tmp files. + ## + ## + ## +@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` + type rpm_tmp_t; + ') + +- files_search_tmp($1) +- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++ allow $1 rpm_tmp_t:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm temporary files. ++## Create, read, write, and delete RPM ++## temporary files. + ## + ## + ## +@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` + ') + + files_search_tmp($1) ++ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) + manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t) + ') + + ######################################## + ## +-## Read rpm script temporary files. ++## Read RPM script temporary files. + ## + ## + ## +@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` + + ######################################## + ## +-## Read rpm cache content. ++## Read the RPM cache. + ## + ## + ## +@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` + + ######################################## + ## +-## Create, read, write, and delete +-## rpm cache content. ++## Create, read, write, and delete the RPM package database. + ## + ## + ## +@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` + + ######################################## + ## +-## Read rpm lib content. ++## Read the RPM package database. 
+ ## + ## + ## +@@ -459,11 +538,12 @@ interface(`rpm_read_db',` + allow $1 rpm_var_lib_t:dir list_dir_perms; + read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) ++ rpm_read_cache($1) + ') + + ######################################## + ## +-## Delete rpm lib files. ++## Delete the RPM package database. + ## + ## + ## +@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` + + ######################################## + ## +-## Create, read, write, and delete +-## rpm lib files. ++## Create, read, write, and delete the RPM package database. + ## + ## + ## +@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` + + ######################################## + ## ++## Do not audit attempts to create, read,the RPM package database. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rpm_dontaudit_read_db',` ++ gen_require(` ++ type rpm_var_lib_t; ++ ') ++ ++ dontaudit $1 rpm_var_lib_t:dir list_dir_perms; ++ dontaudit $1 rpm_var_lib_t:file read_file_perms; ++ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to create, read, +-## write, and delete rpm lib content. ++## write, and delete the RPM package database. + ## + ## + ## +@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` + type rpm_var_lib_t; + ') + +- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; ++ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms; + dontaudit $1 rpm_var_lib_t:file manage_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; + ') +@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` + + ##################################### + ## +-## Create, read, write, and delete +-## rpm pid files. ++## Create, read, write, and delete rpm pid files. + ## + ## + ## +@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` + + ###################################### + ## +-## Create files in pid directories +-## with the rpm pid file type. 
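Review bot: The summary of the new rpm_dontaudit_read_db, `Do not audit attempts to create, read,the RPM package database.`, is a garbled copy of the rpm_dontaudit_manage_db text that follows it. The body only dontaudits list, read and lnk read permissions, so it should read `Do not audit attempts to read the RPM package database.`.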
++## Create files in /var/run with the rpm pid file type. + ## + ## + ## +@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` + ## + # + interface(`rpm_pid_filetrans',` +- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.') +- rpm_pid_filetrans_rpm_pid($1, file) ++ gen_require(` ++ type rpm_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, rpm_var_run_t, file) + ') + + ######################################## + ## +-## Create specified objects in pid directories +-## with the rpm pid file type. ++## Send a null signal to rpm. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`rpm_pid_filetrans_rpm_pid',` ++interface(`rpm_inherited_fifo',` + gen_require(` +- type rpm_var_run_t; ++ attribute rpm_transition_domain; + ') + +- files_pid_filetrans($1, rpm_var_run_t, $3, $4) ++ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; + ') + ++ + ######################################## + ## +-## All of the rules required to +-## administrate an rpm environment. ++## Make rpm_exec_t an entry point for ++## the specified domain. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`rpm_entry_type',` ++ gen_require(` ++ type rpm_exec_t; ++ ') ++ ++ domain_entry_file($1, rpm_exec_t) ++') ++ ++######################################## ++## ++## Allow application to transition to rpm_script domain. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. 
+ ## + ## +-## + # +-interface(`rpm_admin',` ++interface(`rpm_transition_script',` + gen_require(` +- type rpm_t, rpm_script_t, rpm_initrc_exec_t; +- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; +- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; +- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; ++ type rpm_script_t; ++ attribute rpm_transition_domain; + ') + +- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { rpm_t rpm_script_t }) ++ typeattribute $1 rpm_transition_domain; ++ allow $1 rpm_script_t:process transition; + +- init_labeled_script_domtrans($1, rpm_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 rpm_initrc_exec_t system_r; +- allow $2 system_r; +- +- admin_pattern($1, rpm_file_t) +- +- files_list_var($1) +- admin_pattern($1, rpm_cache_t) +- +- files_list_tmp($1) +- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) +- +- files_list_var_lib($1) +- admin_pattern($1, rpm_var_lib_t) +- +- files_search_locks($1) +- admin_pattern($1, rpm_lock_t) +- +- logging_list_logs($1) +- admin_pattern($1, rpm_log_t) +- +- files_list_pids($1) +- admin_pattern($1, rpm_var_run_t) +- +- fs_search_tmpfs($1) +- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t } +- +- rpm_run($1, $2) ++ allow $1 rpm_script_t:fd use; ++ allow rpm_script_t $1:fd use; ++ allow rpm_script_t $1:fifo_file rw_fifo_file_perms; ++ allow rpm_script_t $1:process sigchld; + ') +diff --git a/rpm.te b/rpm.te +index 5cbe81c..5b28e97 100644 +--- a/rpm.te ++++ b/rpm.te +@@ -1,15 +1,13 @@ +-policy_module(rpm, 1.15.3) ++policy_module(rpm, 1.15.0) ++ ++attribute rpm_transition_domain; ++attribute_role rpm_script_roles; ++roleattribute system_r rpm_script_roles; + + ######################################## + # + # Declarations + # +- +-attribute_role rpm_roles; +- +-type debuginfo_exec_t; +-domain_entry_file(rpm_t, debuginfo_exec_t) +- + type rpm_t; + type rpm_exec_t; + init_system_domain(rpm_t, rpm_exec_t) +@@ -17,10 +15,10 @@ 
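Review bot: rpm_inherited_fifo carries the summary `Send a null signal to rpm.`, left over from rpm_signull, while its body allows `rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms`; the summary should be `Read and write inherited pipes of domains that transition to rpm_script_t.`. The hunk also deletes rpm_pid_filetrans_rpm_pid and rpm_admin outright, so any module still calling them fails to build; a `refpolicywarn` stub like the one the old rpm_pid_filetrans had would keep the interface set backward compatible. rpm_transition_script's new `typeattribute $1 rpm_transition_domain;` and the fd/fifo rules duplicate what rpm_domtrans_script grants, which is worth a one-line comment explaining why a second transition interface exists.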
domain_obj_id_change_exemption(rpm_t) + domain_role_change_exemption(rpm_t) + domain_system_change_exemption(rpm_t) + domain_interactive_fd(rpm_t) +-role rpm_roles types rpm_t; ++role rpm_script_roles types rpm_t; + +-type rpm_initrc_exec_t; +-init_script_file(rpm_initrc_exec_t) ++type debuginfo_exec_t; ++domain_entry_file(rpm_t, debuginfo_exec_t) + + type rpm_file_t; + files_type(rpm_file_t) +@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t) + type rpm_tmpfs_t; + files_tmpfs_file(rpm_tmpfs_t) + +-type rpm_lock_t; +-files_lock_file(rpm_lock_t) +- + type rpm_log_t; + logging_log_file(rpm_log_t) + +@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t) + domain_type(rpm_script_t) + domain_entry_file(rpm_t, rpm_script_exec_t) + domain_interactive_fd(rpm_script_t) +-role rpm_roles types rpm_script_t; +-role system_r types rpm_script_t; ++role rpm_script_roles types rpm_script_t; + + type rpm_script_tmp_t; + files_tmp_file(rpm_script_tmp_t) +@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t) + # rpm Local policy + # + ++allow rpm_t self:capability2 block_suspend; + allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; + allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; + allow rpm_t self:process { getattr setexec setfscreate setrlimit }; + allow rpm_t self:fd use; + allow rpm_t self:fifo_file rw_fifo_file_perms; ++allow rpm_t self:unix_dgram_socket create_socket_perms; ++allow rpm_t self:unix_stream_socket rw_stream_socket_perms; + allow rpm_t self:unix_dgram_socket sendto; +-allow rpm_t self:unix_stream_socket { accept connectto listen }; +-allow rpm_t self:udp_socket connect; +-allow rpm_t self:tcp_socket { accept listen }; ++allow rpm_t self:unix_stream_socket connectto; ++allow rpm_t self:udp_socket { connect }; ++allow rpm_t self:udp_socket create_socket_perms; ++allow rpm_t self:tcp_socket create_stream_socket_perms; + allow rpm_t 
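Review bot: The new `attribute rpm_transition_domain;`, `attribute_role rpm_script_roles;` and `roleattribute system_r rpm_script_roles;` lines sit above the `# Declarations` banner, unlike every other declaration in rpm.te; move them below the banner where the removed `attribute_role rpm_roles;` was. The version also goes from `policy_module(rpm, 1.15.3)` to `policy_module(rpm, 1.15.0)`, a downgrade that hides that this module differs from the 1.15.3 it replaces; rshd.te (1.7.1 to 1.7.0) and rsync.te (1.12.2 to 1.12.0) in later hunks have the same problem.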
self:shm create_shm_perms; + allow rpm_t self:sem create_sem_perms; + allow rpm_t self:msgq create_msgq_perms; + allow rpm_t self:msg { send receive }; +-allow rpm_t self:file rw_file_perms; ++allow rpm_t self:dir search; ++allow rpm_t self:file rw_file_perms;; + allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; + +-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow rpm_t rpm_log_t:file manage_file_perms; + logging_log_filetrans(rpm_t, rpm_log_t, file) + + manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) + manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) + files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) ++can_exec(rpm_t, rpm_tmp_t) + + manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++can_exec(rpm_t, rpm_tmpfs_t) + + manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) + manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) + files_var_filetrans(rpm_t, rpm_var_cache_t, dir) + +-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t) +-files_lock_filetrans(rpm_t, rpm_lock_t, file) +- +-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) ++# Access /var/lib/rpm files + manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) +-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file }) ++files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) + + manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) + manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file }) +- +-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t }) ++files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) + + 
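Review bot: `allow rpm_t self:file rw_file_perms;;` has a doubled semicolon; if checkmodule rejects the empty statement this breaks the build, and if it tolerates it the line is still a typo, so write `allow rpm_t self:file rw_file_perms;`. Minor style: `allow rpm_t self:udp_socket { connect };` wraps a single permission in braces and the next line grants create_socket_perms on the same class, so the two can be merged into `allow rpm_t self:udp_socket { create_socket_perms connect };`, matching how the netlink_audit_socket rule later in this file combines a macro and a permission.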
kernel_read_crypto_sysctls(rpm_t) + kernel_read_network_state(rpm_t) +@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t) + + corecmd_exec_all_executables(rpm_t) + +-corenet_all_recvfrom_unlabeled(rpm_t) + corenet_all_recvfrom_netlabel(rpm_t) + corenet_tcp_sendrecv_generic_if(rpm_t) ++corenet_raw_sendrecv_generic_if(rpm_t) ++corenet_udp_sendrecv_generic_if(rpm_t) + corenet_tcp_sendrecv_generic_node(rpm_t) ++corenet_raw_sendrecv_generic_node(rpm_t) ++corenet_udp_sendrecv_generic_node(rpm_t) + corenet_tcp_sendrecv_all_ports(rpm_t) +- +-corenet_sendrecv_all_client_packets(rpm_t) ++corenet_udp_sendrecv_all_ports(rpm_t) + corenet_tcp_connect_all_ports(rpm_t) ++corenet_sendrecv_all_client_packets(rpm_t) + + dev_list_sysfs(rpm_t) + dev_list_usbfs(rpm_t) + dev_read_urand(rpm_t) + dev_read_raw_memory(rpm_t) +- + dev_manage_all_dev_nodes(rpm_t) +-dev_relabel_all_dev_nodes(rpm_t) + ++#devices_manage_all_device_types(rpm_t) + dev_create_generic_blk_files(rpm_t) + dev_create_generic_chr_files(rpm_t) +- +-domain_read_all_domains_state(rpm_t) +-domain_getattr_all_domains(rpm_t) +-domain_use_interactive_fds(rpm_t) +-domain_dontaudit_getattr_all_pipes(rpm_t) +-domain_dontaudit_getattr_all_tcp_sockets(rpm_t) +-domain_dontaudit_getattr_all_udp_sockets(rpm_t) +-domain_dontaudit_getattr_all_packet_sockets(rpm_t) +-domain_dontaudit_getattr_all_raw_sockets(rpm_t) +-domain_dontaudit_getattr_all_stream_sockets(rpm_t) +-domain_dontaudit_getattr_all_dgram_sockets(rpm_t) +-domain_signull_all_domains(rpm_t) +- +-files_exec_etc_files(rpm_t) +-files_relabel_non_auth_files(rpm_t) +-files_manage_non_auth_files(rpm_t) ++dev_delete_all_blk_files(rpm_t) ++dev_delete_all_chr_files(rpm_t) ++dev_relabel_all_dev_nodes(rpm_t) ++dev_rename_generic_blk_files(rpm_t) ++dev_rename_generic_chr_files(rpm_t) ++dev_setattr_all_blk_files(rpm_t) ++dev_setattr_all_chr_files(rpm_t) + + fs_getattr_all_dirs(rpm_t) + fs_list_inotifyfs(rpm_t) +@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t) + 
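Review bot: `files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)` keeps the type transition for directories, but the hunk removes `manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)`, and the remaining manage_files_pattern only grants rw_dir_perms on rpm_var_lib_t directories, not create. Unless directory creation is granted somewhere else in rpm.te, the transition can never fire and creating the rpm database directory will be denied. Either restore the manage_dirs_pattern line or drop the dir filetrans so the rules agree.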
selinux_compute_user_contexts(rpm_t) + + storage_raw_write_fixed_disk(rpm_t) ++# for installing kernel packages + storage_raw_read_fixed_disk(rpm_t) + + term_list_ptys(rpm_t) + ++files_relabel_all_files(rpm_t) ++files_manage_all_files(rpm_t) + auth_dontaudit_read_shadow(rpm_t) + auth_use_nsswitch(rpm_t) + ++# transition to rpm script: + rpm_domtrans_script(rpm_t) + ++domain_read_all_domains_state(rpm_t) ++domain_getattr_all_domains(rpm_t) ++domain_use_interactive_fds(rpm_t) ++domain_dontaudit_getattr_all_pipes(rpm_t) ++domain_dontaudit_getattr_all_tcp_sockets(rpm_t) ++domain_dontaudit_getattr_all_udp_sockets(rpm_t) ++domain_dontaudit_getattr_all_packet_sockets(rpm_t) ++domain_dontaudit_getattr_all_raw_sockets(rpm_t) ++domain_dontaudit_getattr_all_stream_sockets(rpm_t) ++domain_dontaudit_getattr_all_dgram_sockets(rpm_t) ++domain_signull_all_domains(rpm_t) ++ ++files_exec_etc_files(rpm_t) ++ + init_domtrans_script(rpm_t) + init_use_script_ptys(rpm_t) + init_signull_script(rpm_t) + + libs_exec_ld_so(rpm_t) + libs_exec_lib_files(rpm_t) +-libs_run_ldconfig(rpm_t, rpm_roles) + + logging_send_syslog_msg(rpm_t) + ++miscfiles_filetrans_named_content(rpm_t) ++ ++# allow compiling and loading new policy + seutil_manage_src_policy(rpm_t) + seutil_manage_bin_policy(rpm_t) + +-userdom_use_user_terminals(rpm_t) ++userdom_use_inherited_user_terminals(rpm_t) + userdom_use_unpriv_users_fds(rpm_t) + + optional_policy(` +@@ -224,13 +233,17 @@ optional_policy(` + networkmanager_dbus_chat(rpm_t) + ') + +- optional_policy(` +- unconfined_dbus_chat(rpm_t) +- ') + ') + + optional_policy(` +- prelink_run(rpm_t, rpm_roles) ++ prelink_domtrans(rpm_t) ++') ++ ++optional_policy(` ++ unconfined_domain_noaudit(rpm_t) ++ # yum-updatesd requires this ++ unconfined_dbus_chat(rpm_t) ++ unconfined_dbus_chat(rpm_script_t) + ') + + ######################################## +@@ -239,18 +252,20 @@ optional_policy(` + # + + allow rpm_script_t self:capability { chown dac_override dac_read_search fowner 
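Review bot: `#devices_manage_all_device_types(rpm_t)` is a commented-out interface call added as dead code; `dev_manage_all_dev_nodes(rpm_t)` immediately above it is kept, so the comment adds nothing a reader can act on. Remove the line, or if it records an intended future change, make it a comment that says so in words rather than a disabled call.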
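Review bot: `files_manage_all_files(rpm_t)` and `files_relabel_all_files(rpm_t)` replace the non_auth variants, so rpm_t may now write and relabel authentication files; the `auth_dontaudit_read_shadow(rpm_t)` kept right below them is then moot, since the read is allowed. The widening deserves a comment stating which packages need rpm_t itself (rather than rpm_script_t) to touch auth files, because the removed lines were deliberately scoped to non_auth. If only scriptlets need it, keep rpm_t on `files_manage_non_auth_files(rpm_t)` and `files_relabel_non_auth_files(rpm_t)` and let rpm_script_t carry the broader access.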
fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; ++ + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; + allow rpm_script_t self:fd use; + allow rpm_script_t self:fifo_file rw_fifo_file_perms; ++allow rpm_script_t self:unix_dgram_socket create_socket_perms; ++allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; + allow rpm_script_t self:unix_dgram_socket sendto; +-allow rpm_script_t self:unix_stream_socket { accept connectto listen }; ++allow rpm_script_t self:unix_stream_socket connectto; + allow rpm_script_t self:shm create_shm_perms; + allow rpm_script_t self:sem create_sem_perms; + allow rpm_script_t self:msgq create_msgq_perms; + allow rpm_script_t self:msg { send receive }; + allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; +- +-allow rpm_script_t rpm_t:netlink_route_socket { read write }; ++allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; + + allow rpm_script_t rpm_tmp_t:file read_file_perms; + +@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++can_exec(rpm_script_t, rpm_script_tmpfs_t) + +-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t }) ++allow rpm_script_t rpm_t:netlink_route_socket { read write }; + + kernel_read_crypto_sysctls(rpm_script_t) + kernel_read_kernel_sysctls(rpm_script_t) +@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t) + kernel_list_all_proc(rpm_script_t) + kernel_read_software_raid_state(rpm_script_t) + +-corenet_all_recvfrom_unlabeled(rpm_script_t) +-corenet_all_recvfrom_netlabel(rpm_script_t) +-corenet_tcp_sendrecv_generic_if(rpm_script_t) 
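Review bot: `can_exec(rpm_script_t, rpm_script_tmpfs_t)` is added here, and the -331 hunk further down adds the same `can_exec(rpm_script_t, rpm_script_tmpfs_t)` again next to `can_exec(rpm_script_t, rpm_script_tmp_t)`; the removed `can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })` covered both in one line. Keep one location and drop the duplicate. The moved `allow rpm_script_t rpm_t:netlink_route_socket { read write };` would read better next to the other rpm_t rules (`allow rpm_script_t rpm_tmp_t:file read_file_perms;`) than after the tmpfs block.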
+-corenet_tcp_sendrecv_generic_node(rpm_script_t) +- +-corenet_sendrecv_http_client_packets(rpm_script_t) ++# needed by rhn_check + corenet_tcp_connect_http_port(rpm_script_t) +-corenet_tcp_sendrecv_http_port(rpm_script_t) +- +-corecmd_exec_all_executables(rpm_script_t) + + dev_list_sysfs(rpm_script_t) ++ ++# ideally we would not need this + dev_manage_generic_blk_files(rpm_script_t) + dev_manage_generic_chr_files(rpm_script_t) + dev_manage_all_blk_files(rpm_script_t) + dev_manage_all_chr_files(rpm_script_t) + +-domain_read_all_domains_state(rpm_script_t) +-domain_getattr_all_domains(rpm_script_t) +-domain_use_interactive_fds(rpm_script_t) +-domain_signal_all_domains(rpm_script_t) +-domain_signull_all_domains(rpm_script_t) +- +-files_exec_etc_files(rpm_script_t) +-files_exec_usr_files(rpm_script_t) +-files_manage_non_auth_files(rpm_script_t) +-files_relabel_non_auth_files(rpm_script_t) +- + fs_manage_nfs_files(rpm_script_t) + fs_getattr_nfs(rpm_script_t) + fs_search_all(rpm_script_t) + fs_getattr_all_fs(rpm_script_t) ++# why is this not using mount? 
+ fs_getattr_xattr_fs(rpm_script_t) + fs_mount_xattr_fs(rpm_script_t) + fs_unmount_xattr_fs(rpm_script_t) + fs_search_auto_mountpoints(rpm_script_t) + +-mcs_killall(rpm_script_t) +- + mls_file_read_all_levels(rpm_script_t) + mls_file_write_all_levels(rpm_script_t) + +@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t) + + term_getattr_unallocated_ttys(rpm_script_t) + term_list_ptys(rpm_script_t) +-term_use_all_terms(rpm_script_t) ++term_use_all_inherited_terms(rpm_script_t) + + auth_dontaudit_getattr_shadow(rpm_script_t) + auth_use_nsswitch(rpm_script_t) + ++corecmd_exec_all_executables(rpm_script_t) ++can_exec(rpm_script_t, rpm_script_tmp_t) ++can_exec(rpm_script_t, rpm_script_tmpfs_t) ++ ++domain_read_all_domains_state(rpm_script_t) ++domain_getattr_all_domains(rpm_script_t) ++domain_use_interactive_fds(rpm_script_t) ++domain_signal_all_domains(rpm_script_t) ++domain_signull_all_domains(rpm_script_t) ++ ++# ideally we would not need this ++files_manage_all_files(rpm_script_t) ++files_exec_etc_files(rpm_script_t) ++files_read_etc_runtime_files(rpm_script_t) ++files_exec_usr_files(rpm_script_t) ++files_relabel_all_files(rpm_script_t) ++ + init_domtrans_script(rpm_script_t) + init_telinit(rpm_script_t) + ++systemd_config_all_services(rpm_script_t) ++ + libs_exec_ld_so(rpm_script_t) + libs_exec_lib_files(rpm_script_t) +-libs_run_ldconfig(rpm_script_t, rpm_roles) ++libs_ldconfig_exec_entry_type(rpm_script_t) + + logging_send_syslog_msg(rpm_script_t) + +-miscfiles_read_localization(rpm_script_t) +- +-modutils_run_depmod(rpm_script_t, rpm_roles) +-modutils_run_insmod(rpm_script_t, rpm_roles) ++miscfiles_filetrans_named_content(rpm_script_t) + +-seutil_run_loadpolicy(rpm_script_t, rpm_roles) +-seutil_run_setfiles(rpm_script_t, rpm_roles) +-seutil_run_semanage(rpm_script_t, rpm_roles) ++seutil_run_loadpolicy(rpm_script_t, rpm_script_roles) ++seutil_run_setfiles(rpm_script_t, rpm_script_roles) ++seutil_run_semanage(rpm_script_t, rpm_script_roles) 
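Review bot: `corenet_tcp_connect_http_port(rpm_script_t)` is kept with `# needed by rhn_check`, but the hunk removes `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`, `corenet_tcp_sendrecv_http_port` and `corenet_sendrecv_http_client_packets` for the same domain; unless the base policy grants generic interface, node and port send/receive to all domains, name_connect alone will not let rhn_check talk to the port. The new `# why is this not using mount?` comment is a question left in the policy; resolve it or rephrase it as a statement of what the rules below permit. `# ideally we would not need this` appears twice in this file and should say what needs the access.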
++seutil_run_setsebool(rpm_script_t, rpm_script_roles) + + userdom_use_all_users_fds(rpm_script_t) ++userdom_exec_admin_home_files(rpm_script_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -363,41 +379,61 @@ ifdef(`distro_redhat',` + ') + ') + +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow rpm_script_t self:process execmem; + ') + + optional_policy(` +- bootloader_run(rpm_script_t, rpm_roles) ++ bootloader_run(rpm_script_t, rpm_script_roles) ++') ++ ++optional_policy(` ++ certmonger_dbus_chat(rpm_script_t) ++') ++ ++optional_policy(` ++ cups_filetrans_named_content(rpm_script_t) + ') + + optional_policy(` + dbus_system_bus_client(rpm_script_t) + +- optional_policy(` +- unconfined_dbus_chat(rpm_script_t) +- ') ++ optional_policy(` ++ systemd_dbus_chat_logind(rpm_script_t) ++ ') ++') ++ ++optional_policy(` ++ lvm_domtrans(rpm_script_t, rpm_script_roles) ++') ++ ++optional_policy(` ++ ntp_run(rpm_script_t, rpm_script_roles) + ') + + optional_policy(` +- lvm_run(rpm_script_t, rpm_roles) ++ modutils_run_depmod(rpm_script_t, rpm_script_roles) ++ modutils_run_insmod(rpm_script_t, rpm_script_roles) + ') + + optional_policy(` +- ntp_domtrans(rpm_script_t) ++ openshift_initrc_run(rpm_script_t, rpm_script_roles) + ') + + optional_policy(` +- tzdata_run(rpm_t, rpm_roles) +- tzdata_run(rpm_script_t, rpm_roles) ++ tzdata_domtrans(rpm_t) ++ tzdata_run(rpm_script_t, rpm_script_roles) + ') + + optional_policy(` +- udev_domtrans(rpm_script_t) ++ udev_run(rpm_script_t, rpm_script_roles) + ') + + optional_policy(` ++ unconfined_domain_noaudit(rpm_script_t) + unconfined_domtrans(rpm_script_t) ++ domain_named_filetrans(rpm_script_t) ++ + + optional_policy(` + java_domtrans_unconfined(rpm_script_t) +@@ -409,6 +445,6 @@ optional_policy(` + ') + + optional_policy(` +- usermanage_run_groupadd(rpm_script_t, rpm_roles) +- usermanage_run_useradd(rpm_script_t, rpm_roles) ++ usermanage_run_groupadd(rpm_script_t, rpm_script_roles) ++ 
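Review bot: `files_manage_all_files(rpm_script_t)` and `files_relabel_all_files(rpm_script_t)` give scriptlets write and relabel access to every file type, which makes the `auth_dontaudit_getattr_shadow(rpm_script_t)` kept above them dead; the `# ideally we would not need this` comment should name the packages that require it. `libs_ldconfig_exec_entry_type(rpm_script_t)` replaces `libs_run_ldconfig(rpm_script_t, rpm_roles)`, so ldconfig now runs inside rpm_script_t instead of transitioning; a one-line comment stating that would save the next reader a lookup. The duplicated can_exec line is raised on the -267 hunk.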
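Review bot: `lvm_domtrans(rpm_script_t, rpm_script_roles)` passes a role to a domtrans interface; domtrans interfaces take only the domain and m4 silently ignores the extra argument, so rpm_script_roles is never given lvm_t even though the removed `lvm_run(rpm_script_t, rpm_roles)` did that. Use `lvm_run(rpm_script_t, rpm_script_roles)` as the neighbouring `ntp_run` and `udev_run` calls do, or `lvm_domtrans(rpm_script_t)` if the role is not wanted. The stray added blank line after `domain_named_filetrans(rpm_script_t)` inside the unconfined optional_policy block can go.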
usermanage_run_useradd(rpm_script_t, rpm_script_roles) + ') +diff --git a/rshd.fc b/rshd.fc +index 9ad0d58..6a4db03 100644 +--- a/rshd.fc ++++ b/rshd.fc +@@ -1,3 +1,4 @@ ++ + /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) + + /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) +diff --git a/rshd.if b/rshd.if +index 7ad29c0..2e87d76 100644 +--- a/rshd.if ++++ b/rshd.if +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Execute rshd in the rshd domain. ++## Domain transition to rshd. + ## + ## + ## +@@ -15,6 +15,7 @@ interface(`rshd_domtrans',` + type rshd_exec_t, rshd_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, rshd_exec_t, rshd_t) + ') +diff --git a/rshd.te b/rshd.te +index f842825..24cf46d 100644 +--- a/rshd.te ++++ b/rshd.te +@@ -1,62 +1,75 @@ +-policy_module(rshd, 1.7.1) ++policy_module(rshd, 1.7.0) + + ######################################## + # + # Declarations + # +- + type rshd_t; + type rshd_exec_t; +-auth_login_pgm_domain(rshd_t) + inetd_tcp_service_domain(rshd_t, rshd_exec_t) ++domain_subj_id_change_exemption(rshd_t) ++domain_role_change_exemption(rshd_t) ++role system_r types rshd_t; + + ######################################## + # + # Local policy + # +- + allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; +-allow rshd_t self:process { signal_perms setsched setpgid setexec }; ++allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; + allow rshd_t self:fifo_file rw_fifo_file_perms; + allow rshd_t self:tcp_socket create_stream_socket_perms; + + kernel_read_kernel_sysctls(rshd_t) + +-corenet_all_recvfrom_unlabeled(rshd_t) + corenet_all_recvfrom_netlabel(rshd_t) + corenet_tcp_sendrecv_generic_if(rshd_t) ++corenet_udp_sendrecv_generic_if(rshd_t) + corenet_tcp_sendrecv_generic_node(rshd_t) ++corenet_udp_sendrecv_generic_node(rshd_t) + corenet_tcp_sendrecv_all_ports(rshd_t) 
++corenet_udp_sendrecv_all_ports(rshd_t)
+ corenet_tcp_bind_generic_node(rshd_t)
+-
+-corenet_sendrecv_all_server_packets(rshd_t)
+ corenet_tcp_bind_rsh_port(rshd_t)
+ corenet_tcp_bind_all_rpc_ports(rshd_t)
+ corenet_tcp_connect_all_ports(rshd_t)
+ corenet_tcp_connect_all_rpc_ports(rshd_t)
++corenet_sendrecv_rsh_server_packets(rshd_t)
++
++dev_read_urand(rshd_t)
++
++domain_interactive_fd(rshd_t)
++
++selinux_get_fs_mount(rshd_t)
++selinux_validate_context(rshd_t)
++selinux_compute_access_vector(rshd_t)
++selinux_compute_create_context(rshd_t)
++selinux_compute_relabel_context(rshd_t)
++selinux_compute_user_contexts(rshd_t)
+ 
+ corecmd_read_bin_symlinks(rshd_t)
+ 
+ files_list_home(rshd_t)
++files_search_tmp(rshd_t)
++
++auth_login_pgm_domain(rshd_t)
++auth_write_login_records(rshd_t)
+ 
++init_rw_utmp(rshd_t)
++
++logging_send_syslog_msg(rshd_t)
+ logging_search_logs(rshd_t)
+ 
+-miscfiles_read_localization(rshd_t)
++seutil_read_config(rshd_t)
++seutil_read_default_contexts(rshd_t)
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(rshd_t)
+- fs_read_nfs_symlinks(rshd_t)
+-')
++userdom_search_user_home_content(rshd_t)
++userdom_manage_tmp_role(system_r, rshd_t)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(rshd_t)
+- fs_read_cifs_symlinks(rshd_t)
+-')
++userdom_home_reader(rshd_t)
+ 
+ optional_policy(`
+ kerberos_keytab_template(rshd, rshd_t)
+- kerberos_manage_host_rcache(rshd_t)
+- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+ ')
+ 
+ optional_policy(`
+diff --git a/rssh.te b/rssh.te
+index d1fd97f..7ee8502 100644
+--- a/rssh.te
++++ b/rssh.te
+@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+ kernel_read_system_state(rssh_t)
+ kernel_read_kernel_sysctls(rssh_t)
+ 
+-files_read_etc_files(rssh_t)
+ files_read_etc_runtime_files(rssh_t)
+ files_list_home(rssh_t)
+-files_read_usr_files(rssh_t)
+ files_list_var(rssh_t)
+ 
+ fs_search_auto_mountpoints(rssh_t)
+ 
+ logging_send_syslog_msg(rssh_t)
+ 
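Review bot: The kerberos optional_policy block keeps `kerberos_keytab_template(rshd, rshd_t)` but drops `kerberos_manage_host_rcache(rshd_t)` and `kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")`; unless another interface now covers the replay cache, a kerberised rshd writing its host rcache in tmp will hit a denial, since the added `files_search_tmp(rshd_t)` only grants search. The `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks are replaced by `userdom_home_reader(rshd_t)`, which presumably carries those tunables internally — worth confirming before the old blocks go. Moving `auth_login_pgm_domain(rshd_t)` from Declarations to Local policy is fine, but the blank line after each section banner is removed, unlike the rest of the file.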
+-miscfiles_read_localization(rssh_t) +- + rssh_domtrans_chroot_helper(rssh_t) + + ssh_rw_tcp_sockets(rssh_t) +@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t) + auth_use_nsswitch(rssh_chroot_helper_t) + + logging_send_syslog_msg(rssh_chroot_helper_t) +- +-miscfiles_read_localization(rssh_chroot_helper_t) +diff --git a/rsync.fc b/rsync.fc +index d25301b..f3eeec7 100644 +--- a/rsync.fc ++++ b/rsync.fc +@@ -1,7 +1,8 @@ + /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) + +-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) ++/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +-/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) ++/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0) + + /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) ++/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) +diff --git a/rsync.if b/rsync.if +index f1140ef..8afe362 100644 +--- a/rsync.if ++++ b/rsync.if +@@ -1,16 +1,32 @@ +-## Fast incremental file transfer for synchronization. ++## Fast incremental file transfer for synchronization ++ ++####################################### ++## ++## Sendmail stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_stub',` ++gen_require(` ++type sendmail_t; ++') ++') + + ######################################## + ## +-## Make rsync executable file an +-## entry point for the specified domain. ++## Make rsync an entry point for ++## the specified domain. + ## + ## + ## +-## The domain for which rsync_exec_t is an entrypoint. ++## The domain for which init scripts are an entrypoint. + ## + ## +-# ++# cjp: added for portage + interface(`rsync_entry_type',` + gen_require(` + type rsync_exec_t; +@@ -43,14 +59,13 @@ interface(`rsync_entry_type',` + ## Domain to transition to. 
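Review bot: `/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)` drops both the `\.` escape and the `--` file-type qualifier that the removed `/var/log/rsync\.log.* --` line had, so it now labels any path starting with /var/log/rsync, directories included, rather than rsync.log files. If the intent is to also cover rsyncd logs, keep the escape and the qualifier and say so in the pattern, e.g. (constructed) `/var/log/rsyncd?\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)`; otherwise this reads as an accidental widening. The /usr/bin/rsync line changes only whitespace.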
+ ## + ## +-# ++# cjp: added for portage + interface(`rsync_entry_spec_domtrans',` + gen_require(` + type rsync_exec_t; + ') + +- corecmd_search_bin($1) +- auto_trans($1, rsync_exec_t, $2) ++ domain_trans($1, rsync_exec_t, $2) + ') + + ######################################## +@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',` + ## Domain to transition to. + ## + ## +-# ++# cjp: added for portage + interface(`rsync_entry_domtrans',` + gen_require(` + type rsync_exec_t; + ') + +- corecmd_search_bin($1) + domain_auto_trans($1, rsync_exec_t, $2) + ') + + ######################################## + ## +-## Execute the rsync program in the rsync domain. ++## Execute rsync in the caller domain domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## ++## + # +-interface(`rsync_domtrans',` ++interface(`rsync_exec',` + gen_require(` +- type rsync_t, rsync_exec_t; ++ type rsync_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, rsync_exec_t, rsync_t) ++ can_exec($1, rsync_exec_t) + ') + + ######################################## + ## +-## Execute rsync in the rsync domain, and +-## allow the specified role the rsync domain. ++## Read rsync config files. + ## + ## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-# +-interface(`rsync_run',` +- gen_require(` +- attribute_role rsync_roles; +- ') +- +- rsync_domtrans($1) +- roleattribute $2 rsync_roles; +-') +- +-######################################## + ## +-## Execute rsync in the caller domain. +-## +-## +-## + ## Domain allowed access. +-## ++## + ## + # +-interface(`rsync_exec',` ++interface(`rsync_read_config',` + gen_require(` +- type rsync_exec_t; ++ type rsync_etc_t; + ') + +- corecmd_search_bin($1) +- can_exec($1, rsync_exec_t) ++ read_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) + ') + + ######################################## + ## +-## Read rsync config files. 
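Review bot: The new `sendmail_stub` interface does not belong in rsync.if: its name carries another module's prefix, its body is only `gen_require(` type sendmail_t; ')` with no rules, and it is written at column 0 unlike every other interface body here; if a stub is needed it belongs in the sendmail module's interface file, otherwise remove it. The rsync_entry_type parameter description changes from `The domain for which rsync_exec_t is an entrypoint.` to `The domain for which init scripts are an entrypoint.`, which is wrong for this interface — keep the original wording. The `# cjp: added for portage` lines replacing the `#` separators are attribution notes, not documentation; if the portage origin matters, record it once in the file header.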
++## Read rsync data files. + ## + ## + ## +@@ -160,23 +149,23 @@ interface(`rsync_exec',` + ## + ## + # +-interface(`rsync_read_config',` ++interface(`rsync_read_data',` + gen_require(` +- type rsync_etc_t; ++ type rsync_data_t; + ') + +- files_search_etc($1) +- allow $1 rsync_etc_t:file read_file_perms; ++ read_files_pattern($1, rsync_data_t, rsync_data_t) + ') + ++ + ######################################## + ## +-## Write rsync config files. ++## Write to rsync config files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`rsync_write_config',` +@@ -184,14 +173,13 @@ interface(`rsync_write_config',` + type rsync_etc_t; + ') + ++ write_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +- allow $1 rsync_etc_t:file write_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rsync config files. ++## Manage rsync config files. + ## + ## + ## +@@ -199,18 +187,18 @@ interface(`rsync_write_config',` + ## + ## + # +-interface(`rsync_manage_config_files',` ++interface(`rsync_manage_config',` + gen_require(` + type rsync_etc_t; + ') + +- files_search_etc($1) + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) + ') + + ######################################## + ## +-## Create specified objects in etc directories ++## Create objects in etc directories + ## with rsync etc type. + ## + ## +@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',` + + ######################################## + ## +-## All of the rules required to +-## administrate an rsync environment. ++## Transition to rsync named content + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`rsync_admin',` ++interface(`rsync_filetrans_named_content',` + gen_require(` +- type rsync_t, rsync_etc_t, rsync_data_t; +- type rsync_log_t, rsync_tmp_t. 
rsync_var_run_t; ++ type rsync_etc_t; ++ type rsync_var_run_t; + ') + +- allow $1 rsync_t:process { ptrace signal_perms }; +- ps_process_pattern($1, rsync_t) +- +- files_search_etc($1) +- admin_pattern($1, rsync_etc_t) +- +- admin_pattern($1, rsync_data_t) +- +- logging_search_logs($1) +- admin_pattern($1, rsync_log_t) +- +- files_search_tmp($1) +- admin_pattern($1, rsync_tmp_t) +- +- files_search_pids($1) +- admin_pattern($1, rsync_var_run_t) +- +- rsync_run($1, $2) ++ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond") ++ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock") ++ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") + ') +diff --git a/rsync.te b/rsync.te +index e3e7c96..ec50426 100644 +--- a/rsync.te ++++ b/rsync.te +@@ -1,4 +1,4 @@ +-policy_module(rsync, 1.12.2) ++policy_module(rsync, 1.12.0) + + ######################################## + # +@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2) + # + + ## +-##
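Review bot: `files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")` in the new `rsync_filetrans_named_content` names a file nothing in this patch labels, while rsync.fc labels `/etc/rsyncd\.conf` as rsync_etc_t, so this looks like a typo for `"rsyncd.conf"`; as written the name transition never fires for the real config file and a config created through this interface takes the parent-directory default label instead. The same hunk also deletes `rsync_domtrans`, `rsync_run` and `rsync_admin` without replacements, so any module still calling them (none visible here) will fail to build; confirm no callers remain or keep thin compatibility wrappers.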

    +-## Determine whether rsync can use +-## cifs file systems. +-##

    ++##

    ++## Allow rsync to run as a client ++##

    + ##
    +-gen_tunable(rsync_use_cifs, false) ++gen_tunable(rsync_client, false) + + ## +-##

    +-## Determine whether rsync can +-## use fuse file systems. +-##

    ++##

    ++## Allow rsync to export any files/directories read only. ++##

    + ##
    +-gen_tunable(rsync_use_fusefs, false) ++gen_tunable(rsync_export_all_ro, false) + + ## +-##

    +-## Determine whether rsync can use +-## nfs file systems. +-##

    ++##

    ++## Allow rsync to modify public files ++## used for public file transfer services. Files/Directories must be ++## labeled public_content_rw_t. ++##

    + ##
    +-gen_tunable(rsync_use_nfs, false) ++gen_tunable(rsync_anon_write, false) + + ## + ##

    +-## Determine whether rsync can +-## run as a client ++## Allow rsync server to manage all files/directories on the system. + ##

    + ##
    +-gen_tunable(rsync_client, false) ++gen_tunable(rsync_full_access, false) + +-## +-##

    +-## Determine whether rsync can +-## export all content read only. +-##

    +-##
    +-gen_tunable(rsync_export_all_ro, false) +- +-## +-##

    +-## Determine whether rsync can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    +-##
    +-gen_tunable(allow_rsync_anon_write, false) +- +-attribute_role rsync_roles; + + type rsync_t; + type rsync_exec_t; +-init_daemon_domain(rsync_t, rsync_exec_t) +-application_domain(rsync_t, rsync_exec_t) +-role rsync_roles types rsync_t; ++application_executable_file(rsync_exec_t) ++role system_r types rsync_t; + + type rsync_etc_t; + files_config_file(rsync_etc_t) + +-type rsync_data_t; # customizable ++type rsync_data_t; + files_type(rsync_data_t) + + type rsync_log_t; +@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) + allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; + allow rsync_t self:process signal_perms; + allow rsync_t self:fifo_file rw_fifo_file_perms; +-allow rsync_t self:tcp_socket { accept listen }; ++allow rsync_t self:tcp_socket create_stream_socket_perms; ++allow rsync_t self:udp_socket connected_socket_perms; ++ ++# for identd ++# cjp: this should probably only be inetd_child_t rules? ++# search home and kerberos also. 
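Review bot: With `init_daemon_domain(rsync_t, rsync_exec_t)` and `application_domain(rsync_t, rsync_exec_t)` removed, nothing left in this hunk makes `rsync_t` a domain: `application_executable_file(rsync_exec_t)` only types the binary and `role system_r types rsync_t;` only authorizes the role. The only candidates I can see are the `daemontools_service_domain` and `inetd_service_domain` calls inside `optional_policy` blocks later in this file, so on a system without either module `rsync_t` would presumably be a type that can never be entered, unless a declaration outside the visible hunks covers it. Renaming `allow_rsync_anon_write` to `rsync_anon_write` and dropping `rsync_use_cifs`, `rsync_use_nfs` and `rsync_use_fusefs` also silently discards settings administrators already persisted for those booleans; a short comment noting the migration would help.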
++allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; ++#end for identd + +-allow rsync_t rsync_etc_t:file read_file_perms; ++read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) + + allow rsync_t rsync_data_t:dir list_dir_perms; +-allow rsync_t rsync_data_t:file read_file_perms; +-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms; ++read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++allow rsync_t rsync_data_t:dir_file_class_set getattr; ++allow rsync_t rsync_data_t:socket_class_set getattr; ++allow rsync_t rsync_data_t:sock_file setattr; + +-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) + logging_log_filetrans(rsync_t, rsync_log_t, file) + + manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) +@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) + kernel_read_system_state(rsync_t) + kernel_read_network_state(rsync_t) + +-corenet_all_recvfrom_unlabeled(rsync_t) + corenet_all_recvfrom_netlabel(rsync_t) + corenet_tcp_sendrecv_generic_if(rsync_t) ++corenet_udp_sendrecv_generic_if(rsync_t) + corenet_tcp_sendrecv_generic_node(rsync_t) ++corenet_udp_sendrecv_generic_node(rsync_t) ++corenet_tcp_sendrecv_all_ports(rsync_t) ++corenet_udp_sendrecv_all_ports(rsync_t) + corenet_tcp_bind_generic_node(rsync_t) +- +-corenet_sendrecv_rsync_server_packets(rsync_t) + corenet_tcp_bind_rsync_port(rsync_t) +-corenet_tcp_sendrecv_rsync_port(rsync_t) ++corenet_sendrecv_rsync_server_packets(rsync_t) + + dev_read_urand(rsync_t) + +-fs_getattr_all_fs(rsync_t) ++fs_getattr_xattr_fs(rsync_t) + fs_search_auto_mountpoints(rsync_t) + + files_search_home(rsync_t) + +-auth_can_read_shadow_passwords(rsync_t) + auth_use_nsswitch(rsync_t) + + logging_send_syslog_msg(rsync_t) + +-miscfiles_read_localization(rsync_t) + miscfiles_read_public_files(rsync_t) + +-tunable_policy(`allow_rsync_anon_write',` +- 
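Review bot: `manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)` replaces an append-only rule (`allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };`) with full manage rights, so the daemon can now truncate, overwrite and unlink its own logs; for a network-facing service that weakens log integrity, and the removed rule is the least-privilege form unless a specific denial motivated the change. If more is genuinely needed, `append_files_pattern` plus `create_files_pattern` keeps it narrow. The `netlink_tcpdiag_socket` rule arrives with an in-code comment admitting it should probably be limited to inetd-spawned children; that uncertainty should be resolved, for example by moving the rule under the `inetd_service_domain` optional block, rather than left as a permanent note.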
miscfiles_manage_public_files(rsync_t) ++userdom_home_manager(rsync_t) ++ ++optional_policy(` ++ daemontools_service_domain(rsync_t, rsync_exec_t) + ') + +-tunable_policy(`rsync_client',` +- corenet_sendrecv_rsync_client_packets(rsync_t) +- corenet_tcp_connect_rsync_port(rsync_t) ++optional_policy(` ++ kerberos_use(rsync_t) ++') + +- corenet_sendrecv_ssh_client_packets(rsync_t) +- corenet_tcp_connect_ssh_port(rsync_t) +- corenet_tcp_sendrecv_ssh_port(rsync_t) ++optional_policy(` ++ inetd_service_domain(rsync_t, rsync_exec_t) ++') + +- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) +- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++tunable_policy(`rsync_anon_write',` ++ miscfiles_manage_public_files(rsync_t) ++') ++ ++tunable_policy(`rsync_full_access',` ++ allow rsync_t self:capability { dac_override dac_read_search }; ++ files_manage_non_security_dirs(rsync_t) ++ files_manage_non_security_files(rsync_t) ++ #files_relabel_non_security_files(rsync_t) + ') + + tunable_policy(`rsync_export_all_ro',` +- fs_read_noxattr_fs_files(rsync_t) ++ files_getattr_all_pipes(rsync_t) ++ fs_read_noxattr_fs_files(rsync_t) + fs_read_nfs_files(rsync_t) +- fs_read_fusefs_files(rsync_t) + fs_read_cifs_files(rsync_t) +- files_list_non_auth_dirs(rsync_t) +- files_read_non_auth_files(rsync_t) +- files_read_non_auth_symlinks(rsync_t) ++ files_read_non_security_files(rsync_t) + auth_tunable_read_shadow(rsync_t) + ') + +-tunable_policy(`rsync_use_cifs',` +- fs_list_cifs(rsync_t) +- fs_read_cifs_files(rsync_t) +- fs_read_cifs_symlinks(rsync_t) +-') +- +-tunable_policy(`rsync_use_fusefs',` +- fs_search_fusefs(rsync_t) +- fs_read_fusefs_files(rsync_t) +- fs_read_fusefs_symlinks(rsync_t) +-') +- +-tunable_policy(`rsync_use_nfs',` +- fs_list_nfs(rsync_t) +- fs_read_nfs_files(rsync_t) +- fs_read_nfs_symlinks(rsync_t) ++tunable_policy(`rsync_client',` ++ corenet_tcp_connect_rsync_port(rsync_t) ++ 
corenet_tcp_connect_ssh_port(rsync_t) ++ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) ++ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + ') + + optional_policy(` + tunable_policy(`rsync_client',` +- ssh_exec(rsync_t) ++ ssh_exec(rsync_t) + ') + ') + +-optional_policy(` +- daemontools_service_domain(rsync_t, rsync_exec_t) +-') +- +-optional_policy(` +- kerberos_use(rsync_t) +-') ++auth_can_read_shadow_passwords(rsync_t) + + optional_policy(` +- inetd_service_domain(rsync_t, rsync_exec_t) ++ swift_manage_data_files(rsync_t) + ') +diff --git a/rtas.fc b/rtas.fc +new file mode 100644 +index 0000000..25d96cb +--- /dev/null ++++ b/rtas.fc +@@ -0,0 +1,13 @@ ++/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0) ++ ++/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0) ++ ++/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t) ++/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t) ++ ++/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t) ++/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t) ++/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t) ++ ++/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0) ++ +diff --git a/rtas.if b/rtas.if +new file mode 100644 +index 0000000..9381936 +--- /dev/null ++++ b/rtas.if +@@ -0,0 +1,166 @@ ++ ++## rtas_errd - Platform diagnostics report firmware events ++ ++######################################## ++## ++## Execute TEMPLATE in the rtas_errd domin. ++## ++## ++## ++## Domain allowed to transition. 
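Review bot: `userdom_home_manager(rsync_t)` is added unconditionally, outside every `tunable_policy` block, so the rsync domain can manage all user home content even with `rsync_client`, `rsync_export_all_ro` and `rsync_full_access` all off; that is broader than the default posture the tunable descriptions promise. If it is meant for client-side syncs, gate it under `rsync_client` (or `rsync_full_access`). `corenet_tcp_sendrecv_all_ports(rsync_t)` and `corenet_udp_sendrecv_all_ports(rsync_t)` likewise widen the domain from the rsync port to every port with no comment explaining the need. The commented-out `#files_relabel_non_security_files(rsync_t)` inside `rsync_full_access` is dead policy and should be dropped or given a reason.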
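Review bot: Five of the new rtas.fc entries omit the MLS level that the other lines carry, e.g. `/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t)` versus `... rtas_errd_var_run_t,s0)`; `gen_context` is expected to receive a level when MCS/MLS is enabled, so these likely yield an invalid context at relabel time and should all end in `,s0)`. `/var/log/rtas_errd.*` and `/var/lock/.*librtas` also use an unescaped `.` that matches any character, which is presumably not intended for a literal file name.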
++##
++##
++#
++interface(`rtas_errd_domtrans',`
++ gen_require(`
++ type rtas_errd_t, rtas_errd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
++')
++########################################
++##
++## Read rtas_errd's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`rtas_errd_read_log',`
++ gen_require(`
++ type rtas_errd_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
++')
++
++########################################
++##
++## Append to rtas_errd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rtas_errd_append_log',`
++ gen_require(`
++ type rtas_errd_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
++')
++
++########################################
++##
++## Manage rtas_errd log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rtas_errd_manage_log',`
++ gen_require(`
++ type rtas_errd_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
++ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
++ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
++')
++########################################
++##
++## Read rtas_errd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rtas_errd_read_pid_files',`
++ gen_require(`
++ type rtas_errd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
++')
++
++########################################
++##
++## Execute rtas_errd server in the rtas_errd domain.
++##
++##
++##
++## Domain allowed to transition.
++## ++## ++# ++interface(`rtas_errd_systemctl',` ++ gen_require(` ++ type rtas_errd_t; ++ type rtas_errd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rtas_errd_unit_file_t:file read_file_perms; ++ allow $1 rtas_errd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rtas_errd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rtas_errd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`rtas_errd_admin',` ++ gen_require(` ++ type rtas_errd_t; ++ type rtas_errd_log_t; ++ type rtas_errd_var_run_t; ++ type rtas_errd_unit_file_t; ++ ') ++ ++ allow $1 rtas_errd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rtas_errd_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, rtas_errd_log_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, rtas_errd_var_run_t) ++ ++ rtas_errd_systemctl($1) ++ admin_pattern($1, rtas_errd_unit_file_t) ++ allow $1 rtas_errd_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rtas.te b/rtas.te +new file mode 100644 +index 0000000..4e6663f +--- /dev/null ++++ b/rtas.te +@@ -0,0 +1,60 @@ ++policy_module(rtas, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rtas_errd_t; ++type rtas_errd_exec_t; ++init_daemon_domain(rtas_errd_t, rtas_errd_exec_t) ++ ++type rtas_errd_log_t; ++logging_log_file(rtas_errd_log_t) ++ ++type rtas_errd_var_run_t; ++files_pid_file(rtas_errd_var_run_t) ++ ++type rtas_errd_var_lock_t; ++files_lock_file(rtas_errd_var_lock_t) ++ ++type rtas_errd_unit_file_t; ++systemd_unit_file(rtas_errd_unit_file_t) ++ ++######################################## ++# ++# rtas_errd local policy ++# ++ ++allow rtas_errd_t self:capability sys_admin; ++allow 
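Review bot: `rtas_errd_admin` grants `allow $1 rtas_errd_t:process { ptrace signal_perms };` unconditionally, while the `rwho_admin` hunk later in this same patch splits ptrace out under `tunable_policy(`deny_ptrace',`',` ... `)`; a module added by the same change should follow that pattern so `deny_ptrace` actually covers it. The summaries also need fixing: `rtas_errd_domtrans` still reads `Execute TEMPLATE in the rtas_errd domin.` (template placeholder plus typo), and `rtas_errd_systemctl` is described as `Execute rtas_errd server in the rtas_errd domain.` although it only lets the caller drive the unit via systemctl and view the process. `systemd_read_fifo_file_passwd_run($1)` is granted inside `rtas_errd_systemctl` and again in the admin interface's `optional_policy` block, so one of the two is redundant.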
rtas_errd_t self:process fork;
++allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
++allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
++manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
++manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
++logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file })
++
++manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
++manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
++files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )
++
++manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
++manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
++manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
++files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
++
++kernel_read_system_state(rtas_errd_t)
++
++auth_use_nsswitch(rtas_errd_t)
++
++corecmd_exec_bin(rtas_errd_t)
++
++dev_read_raw_memory(rtas_errd_t)
++dev_write_raw_memory(rtas_errd_t)
++
++files_manage_system_db_files(rtas_errd_t)
++
++logging_read_generic_logs(rtas_errd_t)
++
+diff --git a/rtkit.if b/rtkit.if
+index bd35afe..051addd 100644
+--- a/rtkit.if
++++ b/rtkit.if
+@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+ ')
+
+@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
+
+ ########################################
+ ##
+-## Allow rtkit to control scheduling for your process.
++## Do not audit send and receive messages from
++## rtkit_daemon over dbus.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
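Review bot: `dev_read_raw_memory(rtas_errd_t)` and `dev_write_raw_memory(rtas_errd_t)`, together with `allow rtas_errd_t self:capability sys_admin;`, give this new daemon read and write access to raw-memory devices, which is effectively a kernel-level trust boundary, and the hunk carries no comment saying why a firmware error-reporting daemon needs the write half. If only reading platform data is required the write rule should go; otherwise add a justification such as `# rtas_errd needs raw memory write for the RTAS firmware interface -- TODO confirm`. `files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )` names `dir`, but the lock type only gets `manage_files_pattern` and `manage_lnk_files_pattern`, so a directory labelled that way would be unusable by the domain; either add `manage_dirs_pattern` for `rtas_errd_var_lock_t` or drop `dir` (the rtas.fc hunk lists only files under /var/lock).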
+ ## + ## + # +-interface(`rtkit_scheduled',` ++interface(`rtkit_daemon_dontaudit_dbus_chat',` + gen_require(` + type rtkit_daemon_t; ++ class dbus send_msg; + ') + +- allow rtkit_daemon_t $1:process { getsched setsched }; +- +- ps_process_pattern(rtkit_daemon_t, $1) +- +- optional_policy(` +- rtkit_daemon_dbus_chat($1) +- ') ++ dontaudit $1 rtkit_daemon_t:dbus send_msg; ++ dontaudit rtkit_daemon_t $1:dbus send_msg; ++ dontaudit rtkit_daemon_t $1:process { getsched setsched }; + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an rtkit environment. ++## Allow rtkit to control scheduling for your process + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`rtkit_admin',` ++interface(`rtkit_scheduled',` + gen_require(` +- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t; ++ type rtkit_daemon_t; + ') + +- allow $1 rtkit_daemon_t:process { ptrace signal_perms }; +- ps_process_pattern($1, rtkit_daemon_t) +- +- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 rtkit_daemon_initrc_exec_t system_r; +- allow $2 system_r; ++ kernel_search_proc($1) ++ ps_process_pattern(rtkit_daemon_t, $1) ++ allow rtkit_daemon_t $1:process { getsched setsched }; ++ rtkit_daemon_dbus_chat($1) + ') +diff --git a/rtkit.te b/rtkit.te +index 3f5a8ef..29a8e9e 100644 +--- a/rtkit.te ++++ b/rtkit.te +@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t) + + logging_send_syslog_msg(rtkit_daemon_t) + +-miscfiles_read_localization(rtkit_daemon_t) +- + optional_policy(` + dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) + +diff --git a/rwho.if b/rwho.if +index 0360ff0..e6cb34f 100644 +--- a/rwho.if ++++ b/rwho.if +@@ -139,8 +139,11 @@ interface(`rwho_admin',` + type rwho_initrc_exec_t; + ') + +- allow $1 rwho_t:process { ptrace signal_perms }; ++ allow $1 rwho_t:process signal_perms; + ps_process_pattern($1, 
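Review bot: `rtkit_scheduled` now calls `rtkit_daemon_dbus_chat($1)` directly where the old body wrapped it in `optional_policy(`...`)`, so every caller of `rtkit_scheduled` becomes a hard dependency on the rules that interface requires; confirm that is intended, or restore the wrapper. The hunk also deletes `rtkit_admin` (and its `rtkit_daemon_initrc_exec_t` requirement) without a replacement, so any role module still calling it will no longer build. The new `rtkit_daemon_dontaudit_dbus_chat` is fine, but its third rule `dontaudit rtkit_daemon_t $1:process { getsched setsched };` goes beyond dbus and deserves a one-line comment on why scheduling probes are silenced too.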
rwho_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rwho_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, rwho_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/rwho.te b/rwho.te +index 9927d29..6746952 100644 +--- a/rwho.te ++++ b/rwho.te +@@ -16,7 +16,7 @@ type rwho_log_t; + files_type(rwho_log_t) + + type rwho_spool_t; +-files_type(rwho_spool_t) ++files_spool_file(rwho_spool_t) + + ######################################## + # +@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) + + kernel_read_system_state(rwho_t) + +-corenet_all_recvfrom_unlabeled(rwho_t) + corenet_all_recvfrom_netlabel(rwho_t) + corenet_udp_sendrecv_generic_if(rwho_t) + corenet_udp_sendrecv_generic_node(rwho_t) +@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t) + + domain_use_interactive_fds(rwho_t) + +-files_read_etc_files(rwho_t) + + init_read_utmp(rwho_t) + init_dontaudit_write_utmp(rwho_t) + + logging_send_syslog_msg(rwho_t) + +-miscfiles_read_localization(rwho_t) +- + sysnet_dns_name_resolve(rwho_t) + +-# userdom_getattr_user_terminals(rwho_t) ++userdom_getattr_user_terminals(rwho_t) ++ +diff --git a/samba.fc b/samba.fc +index b8b66ff..2ccac49 100644 +--- a/samba.fc ++++ b/samba.fc +@@ -1,42 +1,54 @@ +-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++ ++# ++# /etc ++# ++/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) + /etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/smbpasswd -- 
gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) + +-/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) ++# ++# /usr ++# ++/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) ++/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) + +-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) +-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) +-/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) +-/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) +-/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) ++/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) ++/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) + +-/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) +-/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +-/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) +-/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) ++/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) ++/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) ++/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) ++/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) + +-/var/cache/samba(/.*)? 
gen_context(system_u:object_r:samba_var_t,s0) +-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) ++# ++# /var ++# ++/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +-/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) ++/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +-/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) ++/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +-/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) + +-/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) +-/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) ++/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) ++/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) + +-/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) ++/var/run/samba(/.*)? 
gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +-/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) ++/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +@@ -45,7 +57,11 @@ + /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + +-/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +-/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) ++/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) ++/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) ++ ++/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +-/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++ifndef(`enable_mls',` ++/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) ++') +diff --git a/samba.if b/samba.if +index aee75af..a6bab06 100644 +--- a/samba.if ++++ b/samba.if +@@ -1,8 +1,12 @@ +-## SMB and CIFS client/server programs. ++## ++## SMB and CIFS client/server programs for UNIX and ++## name Service Switch daemon for resolving names ++## from Windows NT servers. ++## + + ######################################## + ## +-## Execute nmbd in the nmbd domain. ++## Execute nmbd net in the nmbd_t domain. 
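Review bot: The `ifndef(`enable_mls',` block labels `/var/lib/samba/scripts(/.*)?` as `samba_unconfined_script_exec_t`, an unconfined entrypoint inside `/var/lib/samba`, a tree that the `samba_manage_var_files` interface in samba.if lets domains manage as `samba_var_t`. Files created there at runtime take the parent-directory default rather than this fc entry until a relabel, but the safety of the entry still rests entirely on who may write that directory, and the type itself is not declared in any hunk visible here. Confirm it is declared in samba.te, that `smbd_t` cannot create content under `/var/lib/samba/scripts`, and record that constraint in a comment above the fc line.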
+ ## + ## + ## +@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',` + + ####################################### + ## +-## Send generic signals to nmbd. ++## Allow domain to signal samba + ## + ## + ## +@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',` + + ######################################## + ## +-## Connect to nmbd with a unix domain +-## stream socket. ++## Search the samba pid directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`samba_search_pid',` ++ gen_require(` ++ type smbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 smbd_var_run_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Connect to nmbd. + ## + ## + ## +@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',` + # + interface(`samba_stream_connect_nmbd',` + gen_require(` +- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t; ++ type nmbd_t, nmbd_var_run_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t) ++ samba_search_pid($1) ++ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + ') + + ######################################## + ## +-## Execute samba init scripts in +-## the init script domain. ++## Execute samba server in the samba domain. + ## + ## + ## +@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',` + + ######################################## + ## +-## Execute samba net in the samba net domain. ++## Execute samba server in the samba domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_systemctl',` ++ gen_require(` ++ type samba_unit_file_t; ++ type smbd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 samba_unit_file_t:file read_file_perms; ++ allow $1 samba_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, smbd_t) ++') ++ ++######################################## ++## ++## Execute samba net in the samba_net domain. 
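Review bot: The new `samba_search_pid` is an allow interface, yet its parameter is documented as `Domain to not audit.`; it should read `Domain allowed access.` like its siblings. Two summaries in this file section are also now wrong: the @@ -49,17 hunk changes `samba_initrc_domtrans` to `Execute samba server in the samba domain.` although it still runs init scripts, and the @@ -77,7 hunk gives the new `samba_systemctl` (which only grants systemctl and process viewing on `smbd_t`) the same sentence. `samba_stream_connect_nmbd` is narrowed from `{ smbd_var_run_t samba_var_t nmbd_var_run_t }` to `nmbd_var_run_t` alone; that is a real behaviour change for callers whose socket lives under the smbd or samba_var directories and deserves a comment stating the socket path it now assumes.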
+ ## + ## + ## +@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',` + + ######################################## + ## +-## Execute samba net in the samba net +-## domain, and allow the specified +-## role the samba net domain. ++## Execute samba net in the samba_unconfined_net domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_domtrans_unconfined_net',` ++ gen_require(` ++ type samba_unconfined_net_t, samba_net_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) ++') ++ ++######################################## ++## ++## Execute samba net in the samba_net domain, and ++## allow the specified role the samba_net domain. + ## + ## + ## +@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',` + # + interface(`samba_run_net',` + gen_require(` +- attribute_role samba_net_roles; ++ type samba_net_t; + ') + + samba_domtrans_net($1) +- roleattribute $2 samba_net_roles; ++ role $2 types samba_net_t; ++') ++ ++####################################### ++## ++## The role for the samba module. ++## ++## ++## ++## The role to be allowed the samba_net domain. ++## ++## ++## ++# ++interface(`samba_role_notrans',` ++ gen_require(` ++ type smbd_t; ++ ') ++ ++ role $1 types smbd_t; ++') ++ ++######################################## ++## ++## Execute samba net in the samba_unconfined_net domain, and ++## allow the specified role the samba_unconfined_net domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to be allowed the samba_unconfined_net domain. 
++## ++## ++## ++# ++interface(`samba_run_unconfined_net',` ++ gen_require(` ++ type samba_unconfined_net_t; ++ ') ++ ++ samba_domtrans_unconfined_net($1) ++ role $2 types samba_unconfined_net_t; + ') + + ######################################## +@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',` + + ######################################## + ## +-## Execute smbmount in the smbmount +-## domain, and allow the specified +-## role the smbmount domain. ++## Execute smbmount interactively and do ++## a domain transition to the smbmount domain. + ## + ## + ## +@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',` + # + interface(`samba_run_smbmount',` + gen_require(` +- attribute_role smbmount_roles; ++ type smbmount_t; + ') + + samba_domtrans_smbmount($1) +- roleattribute $2 smbmount_roles; ++ role $2 types smbmount_t; + ') + + ######################################## + ## +-## Read samba configuration files. ++## Allow the specified domain to read ++## samba configuration files. + ## + ## + ## +@@ -184,12 +291,14 @@ interface(`samba_read_config',` + ') + + files_search_etc($1) ++ list_dirs_pattern($1, samba_etc_t, samba_etc_t) + read_files_pattern($1, samba_etc_t, samba_etc_t) + ') + + ######################################## + ## +-## Read and write samba configuration files. ++## Allow the specified domain to read ++## and write samba configuration files. + ## + ## + ## +@@ -209,8 +318,8 @@ interface(`samba_rw_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## samba configuration files. ++## Allow the specified domain to read ++## and write samba configuration files. + ## + ## + ## +@@ -231,7 +340,7 @@ interface(`samba_manage_config',` + + ######################################## + ## +-## Read samba log files. ++## Allow the specified domain to read samba's log files. 
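Review bot: `samba_role_notrans` is documented as `The role to be allowed the samba_net domain.` but its body is `role $1 types smbd_t;`, so the doc describes the wrong domain; and because the interface grants a role `smbd_t` with no transition, a one-line summary of the intended use case would prevent it being reached for casually. In the @@ -209,8 hunk the summary of `samba_manage_config` is reduced from `Create, read, write, and delete` to `Allow the specified domain to read and write samba configuration files.`, which no longer matches the `manage_files_pattern` it contains; the original wording was accurate. The `roleattribute`-to-`role $2 types ...` reversions in `samba_run_net`, `samba_run_unconfined_net` and `samba_run_smbmount` drop the role-attribute indirection the base policy introduced, which is presumably deliberate but should be stated in the commit rather than inferred.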
+ ## + ## + ## +@@ -252,7 +361,7 @@ interface(`samba_read_log',` + + ######################################## + ## +-## Append to samba log files. ++## Allow the specified domain to append to samba's log files. + ## + ## + ## +@@ -273,7 +382,7 @@ interface(`samba_append_log',` + + ######################################## + ## +-## Execute samba log files in the caller domain. ++## Execute samba log in the caller domain. + ## + ## + ## +@@ -292,7 +401,7 @@ interface(`samba_exec_log',` + + ######################################## + ## +-## Read samba secret files. ++## Allow the specified domain to read samba's secrets. + ## + ## + ## +@@ -311,7 +420,7 @@ interface(`samba_read_secrets',` + + ######################################## + ## +-## Read samba share files. ++## Allow the specified domain to read samba's shares + ## + ## + ## +@@ -330,7 +439,8 @@ interface(`samba_read_share_files',` + + ######################################## + ## +-## Search samba var directories. ++## Allow the specified domain to search ++## samba /var directories. + ## + ## + ## +@@ -343,13 +453,15 @@ interface(`samba_search_var',` + type samba_var_t; + ') + ++ files_search_var($1) + files_search_var_lib($1) + allow $1 samba_var_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read samba var files. ++## Allow the specified domain to ++## read samba /var files. + ## + ## + ## +@@ -362,14 +474,15 @@ interface(`samba_read_var_files',` + type samba_var_t; + ') + ++ files_search_var($1) + files_search_var_lib($1) + read_files_pattern($1, samba_var_t, samba_var_t) + ') + + ######################################## + ## +-## Do not audit attempts to write +-## samba var files. ++## Do not audit attempts to write samba ++## /var files. + ## + ## + ## +@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',` + + ######################################## + ## +-## Read and write samba var files. 
++## Allow the specified domain to ++## read and write samba /var files. + ## + ## + ## +@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',` + type samba_var_t; + ') + ++ files_search_var($1) + files_search_var_lib($1) + rw_files_pattern($1, samba_var_t, samba_var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## samba var files. ++## Allow the specified domain to ++## read and write samba /var files. + ## + ## + ## +@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',` + ') + + files_search_var_lib($1) ++ files_search_var_lib($1) + manage_files_pattern($1, samba_var_t, samba_var_t) ++ manage_lnk_files_pattern($1, samba_var_t, samba_var_t) + ') + + ######################################## + ## +-## Execute smbcontrol in the smbcontrol domain. ++## Execute a domain transition to run smbcontrol. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`samba_domtrans_smbcontrol',` + gen_require(` +- type smbcontrol_t, smbcontrol_exec_t; ++ type smbcontrol_t; ++ type smbcontrol_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) + ') + + ######################################## + ## +-## Execute smbcontrol in the smbcontrol +-## domain, and allow the specified +-## role the smbcontrol domain. ++## Execute smbcontrol in the smbcontrol domain, and ++## allow the specified role the smbcontrol domain. + ## + ## + ## +@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',` + # + interface(`samba_run_smbcontrol',` + gen_require(` +- attribute_role smbcontrol_roles; ++ type smbcontrol_t; + ') + + samba_domtrans_smbcontrol($1) +- roleattribute $2 smbcontrol_roles; ++ role $2 types smbcontrol_t; + ') + + ######################################## + ## +-## Execute smbd in the smbd domain. ++## Execute smbd in the smbd_t domain. 
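Review bot: The added `files_search_var_lib($1)` in samba_manage_var_files duplicates the context line directly above it, so the interface now calls files_search_var_lib twice and still lacks the `files_search_var($1)` that the sibling interfaces samba_search_var, samba_read_var_files and samba_rw_var_files gain in this same patch; the added line was presumably meant to be `files_search_var($1)`. In the same hunk samba_domtrans_smbcontrol drops `corecmd_search_bin($1)`, so a caller that does not already search bin directories on its own loses path lookup to the smbcontrol executable; if that is intended, a short comment saying so would save the next reader a check.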
+ ## + ## + ## +@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',` + + ###################################### + ## +-## Send generic signals to smbd. ++## Allow domain to signal samba + ## + ## + ## +@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',` + + ######################################## + ## +-## Do not audit attempts to inherit +-## and use smbd file descriptors. ++## Do not audit attempts to use file descriptors from samba. + ## + ## + ## +@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',` + + ######################################## + ## +-## Write smbmount tcp sockets. ++## Allow the specified domain to write to smbmount tcp sockets. + ## + ## + ## +@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',` + + ######################################## + ## +-## Read and write smbmount tcp sockets. ++## Allow the specified domain to read and write to smbmount tcp sockets. + ## + ## + ## +@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` + allow $1 smbmount_t:tcp_socket { read write }; + ') + +-######################################## ++####################################### + ## +-## Execute winbind helper in the +-## winbind helper domain. ++## Allow to getattr on winbind binary. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + # +-interface(`samba_domtrans_winbind_helper',` +- gen_require(` +- type winbind_helper_t, winbind_helper_exec_t; +- ') ++interface(`samba_getattr_winbind',` ++ gen_require(` ++ type winbind_exec_t; ++ ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) ++ allow $1 winbind_exec_t:file getattr; + ') + +-####################################### ++######################################## + ## +-## Get attributes of winbind executable files. ++## Execute winbind_helper in the winbind_helper domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`samba_getattr_winbind_exec',` ++interface(`samba_domtrans_winbind_helper',` + gen_require(` +- type winbind_exec_t; ++ type winbind_helper_t, winbind_helper_exec_t; + ') + +- allow $1 winbind_exec_t:file getattr_file_perms; ++ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) ++ allow $1 winbind_helper_t:process signal; + ') + + ######################################## + ## +-## Execute winbind helper in the winbind +-## helper domain, and allow the specified +-## role the winbind helper domain. ++## Execute winbind_helper in the winbind_helper domain, and ++## allow the specified role the winbind_helper domain. + ## + ## + ## +@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',` + # + interface(`samba_run_winbind_helper',` + gen_require(` +- attribute_role winbind_helper_roles; ++ type winbind_helper_t; + ') + + samba_domtrans_winbind_helper($1) +- roleattribute $2 winbind_helper_roles; ++ role $2 types winbind_helper_t; + ') + + ######################################## + ## +-## Read winbind pid files. ++## Allow the specified domain to read the winbind pid files. + ## + ## + ## +@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',` + # + interface(`samba_read_winbind_pid',` + gen_require(` +- type winbind_var_run_t, smbd_var_run_t; ++ type winbind_var_run_t; + ') + +- files_search_pids($1) +- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) ++ samba_search_pid($1) ++ allow $1 winbind_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Connect to winbind with a unix +-## domain stream socket. ++## Connect to winbind. 
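Review bot: The parameter description of the new samba_getattr_winbind interface reads "Domain allowed to transition.", but the interface only grants `getattr` on winbind_exec_t and performs no transition; it should read `## Domain allowed access.` as the removed samba_getattr_winbind_exec had it. In the same hunk samba_domtrans_winbind_helper gains `allow $1 winbind_helper_t:process signal;`, which its summary does not mention; either document it (`## Also allows the caller to signal the winbind_helper domain.`) or move it to a separate interface so callers asking only for a transition do not receive signal rights. Signalling a child domain is a modest grant, but bundling it silently into a domtrans interface makes least-privilege audits harder. Both interfaces are complete within this hunk.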
+ ## + ## + ## +@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',` + # + interface(`samba_stream_connect_winbind',` + gen_require(` +- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t; ++ type samba_var_t, winbind_t, winbind_var_run_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t) ++ samba_search_pid($1) ++ allow $1 samba_var_t:dir search_dir_perms; ++ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) ++ samba_read_config($1) ++ ++ ifndef(`distro_redhat',` ++ gen_require(` ++ type winbind_tmp_t; ++ ') ++ ++ # the default for the socket is (poorly named): ++ # /tmp/.winbindd/pipe ++ files_search_tmp($1) ++ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) ++ ') + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an samba environment. ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`samba_helper_template',` ++ gen_require(` ++ type smbd_t; ++ role system_r; ++ ') ++ ++ #This type is for samba helper scripts ++ type samba_$1_script_t; ++ domain_type(samba_$1_script_t) ++ role system_r types samba_$1_script_t; ++ ++ # This type is used for executable scripts files ++ type samba_$1_script_exec_t; ++ corecmd_shell_entry_type(samba_$1_script_t) ++ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) ++ ++ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) ++ allow smbd_t samba_$1_script_exec_t:file ioctl; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an samba environment + ## + ## + ## +@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the samba domain. 
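Review bot: samba_stream_connect_winbind now calls `samba_read_config($1)` in addition to the socket rules, so every domain that asks only to connect to winbind also receives read access to samba_etc_t, which widens an interface whose name and new summary ("Connect to winbind.") promise a socket connection. If winbind clients genuinely need the configuration, state it in the summary (`## Connect to winbind; also grants read access to samba configuration.`) so callers can audit it; otherwise leave callers to request samba_read_config themselves. In the same hunk the summary of the new samba_helper_template reads "Create a set of derived types for apache web content", a copy-and-paste from another module; something like `## Create a derived script domain that smbd may transition to.` matches what the template declares. The template also hard-wires `role system_r`, which is reasonable for scripts launched by the daemon but deserves a one-line comment.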
+ ## + ## + ## +@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',` + interface(`samba_admin',` + gen_require(` + type nmbd_t, nmbd_var_run_t, smbd_var_run_t; +- type smbd_t, smbd_tmp_t, smbd_spool_t; +- type samba_log_t, samba_var_t, samba_secrets_t; +- type samba_etc_t, samba_share_t, samba_initrc_exec_t; +- type swat_var_run_t, swat_tmp_t, winbind_log_t; +- type winbind_var_run_t, winbind_tmp_t; ++ type smbd_t, smbd_tmp_t, samba_secrets_t; ++ type samba_initrc_exec_t, samba_log_t, samba_var_t; ++ type samba_etc_t, samba_share_t, winbind_log_t; ++ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; ++ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ++ type samba_unit_file_t; + ') + +- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { nmbd_t smbd_t }) ++ allow $1 smbd_t:process signal_perms; ++ ps_process_pattern($1, smbd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 smbd_t:process ptrace; ++ allow $1 nmbd_t:process ptrace; ++ allow $1 samba_unconfined_script_t:process ptrace; ++ ') ++ ++ allow $1 nmbd_t:process signal_perms; ++ ps_process_pattern($1, nmbd_t) ++ ++ allow $1 samba_unconfined_script_t:process signal_perms; ++ ps_process_pattern($1, samba_unconfined_script_t) ++ ++ samba_run_smbcontrol($1, $2) ++ samba_run_winbind_helper($1, $2) ++ samba_run_smbmount($1, $2) ++ samba_run_net($1, $2) + + init_labeled_script_domtrans($1, samba_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 samba_initrc_exec_t system_r; + allow $2 system_r; + +- files_list_etc($1) ++ admin_pattern($1, nmbd_var_run_t) ++ + admin_pattern($1, samba_etc_t) ++ files_list_etc($1) + ++ admin_pattern($1, samba_log_t) + logging_list_logs($1) +- admin_pattern($1, { samba_log_t winbind_log_t }) + +- files_list_var($1) +- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) ++ admin_pattern($1, samba_secrets_t) + +- files_list_spool($1) +- admin_pattern($1, smbd_spool_t) ++ 
admin_pattern($1, samba_share_t) ++ ++ admin_pattern($1, samba_var_t) ++ files_list_var($1) + ++ admin_pattern($1, smbd_var_run_t) + files_list_pids($1) +- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t }) + ++ admin_pattern($1, smbd_tmp_t) + files_list_tmp($1) +- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) + +- samba_run_smbcontrol($1, $2) +- samba_run_winbind_helper($1, $2) +- samba_run_smbmount($1, $2) +- samba_run_net($1, $2) ++ admin_pattern($1, swat_var_run_t) ++ ++ admin_pattern($1, swat_tmp_t) ++ ++ admin_pattern($1, winbind_log_t) ++ ++ admin_pattern($1, winbind_tmp_t) ++ ++ admin_pattern($1, winbind_var_run_t) ++ admin_pattern($1, samba_unconfined_script_exec_t) ++ ++ samba_systemctl($1) ++ admin_pattern($1, samba_unit_file_t) ++ allow $1 samba_unit_file_t:service all_service_perms; + ') +diff --git a/samba.te b/samba.te +index 57c034b..9e91107 100644 +--- a/samba.te ++++ b/samba.te +@@ -1,4 +1,4 @@ +-policy_module(samba, 1.15.7) ++policy_module(samba, 1.15.0) + + ################################# + # +@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7) + # + + ## +-##
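Review bot: `admin_pattern($1, samba_unconfined_script_exec_t)` gives the admin domain create and write access to the entry-point files of samba_unconfined_script_t and nothing in the hunk explains why; since files of that type are, by its name, the scripts executed without confinement when the samba_run_unconfined tunable is on, a why-comment on that line would help later audits, e.g. `# admins install the helper scripts that smbd runs unconfined`. The ptrace grants are correctly gated on the deny_ptrace tunable, but `ps_process_pattern` and `signal_perms` for the three domains are spread over three near-identical stanzas; a single `allow $1 { smbd_t nmbd_t samba_unconfined_script_t }:process signal_perms;` plus one ps_process_pattern call, as the removed lines did for nmbd_t and smbd_t, would read more easily. The interface is complete within this hunk.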
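Review bot: The module version goes backwards here, from 1.15.7 to 1.15.0, while the rest of the patch adds types and interfaces; a version lower than an already installed module invites confusion about which policy is newer when comparing installed module lists across systems. If this is a deliberate re-baseline, a comment next to policy_module saying so would help; otherwise pick a number above 1.15.7.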

    +-## Determine whether samba can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow samba to modify public files used for public file ++## transfer services. Files/Directories must be labeled ++## public_content_rw_t. ++##

    + ##
    +-gen_tunable(allow_smbd_anon_write, false) ++gen_tunable(smbd_anon_write, false) + + ## +-##

    +-## Determine whether samba can +-## create home directories via pam. +-##

    ++##

    ++## Allow samba to create new home directories (e.g. via PAM) ++##

    + ##
    + gen_tunable(samba_create_home_dirs, false) + + ## +-##

    +-## Determine whether samba can act as the +-## domain controller, add users, groups +-## and change passwords. +-##

    ++##

    ++## Allow samba to act as the domain controller, add users, ++## groups and change passwords. ++## ++##

    + ##
    + gen_tunable(samba_domain_controller, false) + + ## +-##

    +-## Determine whether samba can +-## act as a portmapper. +-##

    ++##

    ++## Allow samba to act as a portmapper ++## ++##

    + ##
    + gen_tunable(samba_portmapper, false) + + ## +-##

    +-## Determine whether samba can share +-## users home directories. +-##

    ++##

    ++## Allow samba to share users home directories. ++##

    + ##
    + gen_tunable(samba_enable_home_dirs, false) + + ## +-##

    +-## Determine whether samba can share +-## any content read only. +-##

    ++##

    ++## Allow samba to share any file/directory read only. ++##

    + ##
    + gen_tunable(samba_export_all_ro, false) + + ## +-##

    +-## Determine whether samba can share any +-## content readable and writable. +-##

    ++##

    ++## Allow samba to share any file/directory read/write. ++##

    + ##
    + gen_tunable(samba_export_all_rw, false) + + ## +-##

    +-## Determine whether samba can +-## run unconfined scripts. +-##

    ++##

    ++## Allow samba to run unconfined scripts ++##

    + ##
    + gen_tunable(samba_run_unconfined, false) + + ## +-##

    +-## Determine whether samba can +-## use nfs file systems. +-##

    ++##

    ++## Allow samba to export NFS volumes. ++##

    + ##
    + gen_tunable(samba_share_nfs, false) + + ## +-##

    +-## Determine whether samba can +-## use fuse file systems. +-##

    ++##

    ++## Allow samba to export ntfs/fusefs volumes. ++##

    + ##
    + gen_tunable(samba_share_fusefs, false) + +-attribute_role samba_net_roles; +-roleattribute system_r samba_net_roles; +- +-attribute_role smbcontrol_roles; +-roleattribute system_r smbcontrol_roles; +- +-attribute_role smbmount_roles; +-roleattribute system_r smbmount_roles; +- +-attribute_role winbind_helper_roles; +-roleattribute system_r winbind_helper_roles; +- + type nmbd_t; + type nmbd_exec_t; + init_daemon_domain(nmbd_t, nmbd_exec_t) +@@ -113,13 +93,16 @@ files_config_file(samba_etc_t) + type samba_initrc_exec_t; + init_script_file(samba_initrc_exec_t) + ++type samba_unit_file_t; ++systemd_unit_file(samba_unit_file_t) ++ + type samba_log_t; + logging_log_file(samba_log_t) + + type samba_net_t; + type samba_net_exec_t; + application_domain(samba_net_t, samba_net_exec_t) +-role samba_net_roles types samba_net_t; ++role system_r types samba_net_t; + + type samba_net_tmp_t; + files_tmp_file(samba_net_tmp_t) +@@ -136,7 +119,7 @@ files_type(samba_var_t) + type smbcontrol_t; + type smbcontrol_exec_t; + application_domain(smbcontrol_t, smbcontrol_exec_t) +-role smbcontrol_roles types smbcontrol_t; ++role system_r types smbcontrol_t; + + type smbd_t; + type smbd_exec_t; +@@ -149,9 +132,10 @@ type smbd_var_run_t; + files_pid_file(smbd_var_run_t) + + type smbmount_t; ++domain_type(smbmount_t) ++ + type smbmount_exec_t; +-application_domain(smbmount_t, smbmount_exec_t) +-role smbmount_roles types smbmount_t; ++domain_entry_file(smbmount_t, smbmount_exec_t) + + type swat_t; + type swat_exec_t; +@@ -170,27 +154,29 @@ type winbind_exec_t; + init_daemon_domain(winbind_t, winbind_exec_t) + + type winbind_helper_t; ++domain_type(winbind_helper_t) ++role system_r types winbind_helper_t; ++ + type winbind_helper_exec_t; +-application_domain(winbind_helper_t, winbind_helper_exec_t) +-role winbind_helper_roles types winbind_helper_t; ++domain_entry_file(winbind_helper_t, winbind_helper_exec_t) + + type winbind_log_t; + logging_log_file(winbind_log_t) + +-type winbind_tmp_t; 
+-files_tmp_file(winbind_tmp_t) +- + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) + + ######################################## + # +-# Net local policy ++# Samba net local policy + # +- + allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; ++allow samba_net_t self:capability2 block_suspend; + allow samba_net_t self:process { getsched setsched }; +-allow samba_net_t self:unix_stream_socket { accept listen }; ++allow samba_net_t self:unix_dgram_socket create_socket_perms; ++allow samba_net_t self:unix_stream_socket create_stream_socket_perms; ++allow samba_net_t self:udp_socket create_socket_perms; ++allow samba_net_t self:tcp_socket create_socket_perms; + + allow samba_net_t samba_etc_t:file read_file_perms; + +@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) + files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") + ++kernel_read_proc_symlinks(samba_net_t) + kernel_read_system_state(samba_net_t) + kernel_read_network_state(samba_net_t) + +-corenet_all_recvfrom_unlabeled(samba_net_t) + corenet_all_recvfrom_netlabel(samba_net_t) ++corenet_tcp_sendrecv_generic_if(samba_net_t) + corenet_udp_sendrecv_generic_if(samba_net_t) ++corenet_raw_sendrecv_generic_if(samba_net_t) + corenet_tcp_sendrecv_generic_node(samba_net_t) +- +-corenet_sendrecv_smbd_client_packets(samba_net_t) ++corenet_udp_sendrecv_generic_node(samba_net_t) ++corenet_raw_sendrecv_generic_node(samba_net_t) ++corenet_tcp_sendrecv_all_ports(samba_net_t) ++corenet_udp_sendrecv_all_ports(samba_net_t) ++corenet_tcp_bind_generic_node(samba_net_t) ++corenet_udp_bind_generic_node(samba_net_t) + corenet_tcp_connect_smbd_port(samba_net_t) +-corenet_tcp_sendrecv_smbd_port(samba_net_t) + + dev_read_urand(samba_net_t) + +@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t) + + logging_send_syslog_msg(samba_net_t) + +-miscfiles_read_localization(samba_net_t) +- + 
samba_read_var_files(samba_net_t) + +-userdom_use_user_terminals(samba_net_t) ++sysnet_use_ldap(samba_net_t) ++ ++userdom_use_inherited_user_terminals(samba_net_t) + userdom_list_user_home_dirs(samba_net_t) + + optional_policy(` +- ldap_stream_connect(samba_net_t) ++ ldap_stream_connect(samba_net_t) ++ dirsrv_stream_connect(samba_net_t) + ') + + optional_policy(` +@@ -245,44 +237,56 @@ optional_policy(` + ') + + optional_policy(` ++ realmd_manage_cache_files(samba_net_t) ++ realmd_read_tmp_files(samba_net_t) ++') ++ ++optional_policy(` + kerberos_use(samba_net_t) +- kerberos_etc_filetrans_keytab(samba_net_t, file) ++ kerberos_etc_filetrans_keytab(samba_net_t) + ') + + ######################################## + # +-# Smbd Local policy ++# smbd Local policy + # + + allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; + dontaudit smbd_t self:capability sys_tty_config; +-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; ++allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow smbd_t self:process setrlimit; + allow smbd_t self:fd use; + allow smbd_t self:fifo_file rw_fifo_file_perms; + allow smbd_t self:msg { send receive }; + allow smbd_t self:msgq create_msgq_perms; + allow smbd_t self:sem create_sem_perms; + allow smbd_t self:shm create_shm_perms; +-allow smbd_t self:tcp_socket { accept listen }; +-allow smbd_t self:unix_dgram_socket sendto; +-allow smbd_t self:unix_stream_socket { accept connectto listen }; ++allow smbd_t self:key manage_key_perms; ++allow smbd_t self:sock_file read_sock_file_perms; ++allow smbd_t self:tcp_socket create_stream_socket_perms; ++allow smbd_t self:udp_socket create_socket_perms; ++allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + 
+-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; ++allow smbd_t nmbd_t:process { signal signull }; ++ ++allow smbd_t nmbd_var_run_t:file rw_file_perms; ++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + +-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; ++allow smbd_t samba_etc_t:file { rw_file_perms setattr }; + + manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) +-append_files_pattern(smbd_t, samba_log_t, samba_log_t) +-create_files_pattern(smbd_t, samba_log_t, samba_log_t) +-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t) ++manage_files_pattern(smbd_t, samba_log_t, samba_log_t) + +-allow smbd_t samba_net_tmp_t:file getattr_file_perms; ++allow smbd_t samba_net_tmp_t:file getattr; + + manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) + filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) + + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) + manage_files_pattern(smbd_t, samba_share_t, samba_share_t) ++manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t) ++manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t) + manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) + allow smbd_t samba_share_t:filesystem { getattr quotaget }; + +@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) + files_var_filetrans(smbd_t, samba_var_t, dir, "samba") + ++allow smbd_t smbcontrol_t:process { signal signull }; ++ + manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) + manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) + files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) + +-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms; 
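Review bot: The two process lines for smbd_t contradict each other: `allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` carves setrlimit out of the complement and the very next line `allow smbd_t self:process setrlimit;` grants it back, so the net effect equals the removed rule and the exclusion is dead text; delete one of the two or comment why both exist. More important for log integrity, `manage_files_pattern(smbd_t, samba_log_t, samba_log_t)` replaces the previous append/create/setattr-only rules, so the daemon can now truncate, rewrite and unlink its own log files; append-only access was what kept a compromised smbd from erasing evidence, and if something in samba needs more than append it should be stated on that line. The same widening is applied to nmbd_t in hunk @@ -520,20 +538,15 @@ and to smbmount_t (`samba_log_t:file manage_file_perms`) in hunk @@ -637,22 +642,23 @@.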
+-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t) ++allow smbd_t swat_t:process signal; + +-allow smbd_t nmbd_var_run_t:file read_file_perms; +-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; ++ ++allow smbd_t winbind_t:process { signal signull }; + + kernel_getattr_core_if(smbd_t) + kernel_getattr_message_if(smbd_t) +@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t) + kernel_read_software_raid_state(smbd_t) + kernel_read_system_state(smbd_t) + +-corecmd_exec_bin(smbd_t) + corecmd_exec_shell(smbd_t) ++corecmd_exec_bin(smbd_t) + +-corenet_all_recvfrom_unlabeled(smbd_t) + corenet_all_recvfrom_netlabel(smbd_t) + corenet_tcp_sendrecv_generic_if(smbd_t) ++corenet_udp_sendrecv_generic_if(smbd_t) ++corenet_raw_sendrecv_generic_if(smbd_t) + corenet_tcp_sendrecv_generic_node(smbd_t) ++corenet_udp_sendrecv_generic_node(smbd_t) ++corenet_raw_sendrecv_generic_node(smbd_t) ++corenet_tcp_sendrecv_all_ports(smbd_t) ++corenet_udp_sendrecv_all_ports(smbd_t) + corenet_tcp_bind_generic_node(smbd_t) +- +-corenet_sendrecv_smbd_client_packets(smbd_t) +-corenet_tcp_connect_smbd_port(smbd_t) +-corenet_sendrecv_smbd_server_packets(smbd_t) ++corenet_udp_bind_generic_node(smbd_t) + corenet_tcp_bind_smbd_port(smbd_t) +-corenet_tcp_sendrecv_smbd_port(smbd_t) +- +-corenet_sendrecv_ipp_client_packets(smbd_t) + corenet_tcp_connect_ipp_port(smbd_t) +-corenet_tcp_sendrecv_ipp_port(smbd_t) ++corenet_tcp_connect_smbd_port(smbd_t) + + dev_read_sysfs(smbd_t) + dev_read_urand(smbd_t) ++dev_dontaudit_write_urand(smbd_t) + dev_getattr_mtrr_dev(smbd_t) + dev_dontaudit_getattr_usbfs_dirs(smbd_t) ++# For redhat bug 566984 + dev_getattr_all_blk_files(smbd_t) + dev_getattr_all_chr_files(smbd_t) + +-domain_use_interactive_fds(smbd_t) +-domain_dontaudit_list_all_domains_state(smbd_t) +- +-files_list_var_lib(smbd_t) +-files_read_etc_runtime_files(smbd_t) +-files_read_usr_files(smbd_t) 
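Review bot: Replacing `stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)` with `allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;` keeps the socket-file access but drops the `winbind_t:unix_stream_socket connectto` that the pattern also provided, so unless smbd_t obtains it elsewhere (for example through a samba_stream_connect_winbind or nsswitch rule outside this view) smbd can open the socket file but not connect to winbindd. A short comment on the new line stating where connectto now comes from would settle it. The separate `allow smbd_t swat_t:process signal;` and `winbind_t:process { signal signull }` lines simply re-split the removed set-form rule and look fine.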
+-files_search_spool(smbd_t) +-files_dontaudit_getattr_all_dirs(smbd_t) +-files_dontaudit_list_all_mountpoints(smbd_t) +-files_list_mnt(smbd_t) +- + fs_getattr_all_fs(smbd_t) + fs_getattr_all_dirs(smbd_t) + fs_get_xattr_fs_quotas(smbd_t) +@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t) + fs_list_inotifyfs(smbd_t) + fs_get_all_fs_quotas(smbd_t) + +-term_use_ptmx(smbd_t) +- + auth_use_nsswitch(smbd_t) + auth_domtrans_chk_passwd(smbd_t) + auth_domtrans_upd_passwd(smbd_t) + auth_manage_cache(smbd_t) + auth_write_login_records(smbd_t) + ++domain_use_interactive_fds(smbd_t) ++domain_dontaudit_list_all_domains_state(smbd_t) ++ ++files_list_var_lib(smbd_t) ++files_read_etc_runtime_files(smbd_t) ++files_search_spool(smbd_t) ++# smbd seems to getattr all mountpoints ++files_dontaudit_getattr_all_dirs(smbd_t) ++files_dontaudit_list_all_mountpoints(smbd_t) ++# Allow samba to list mnt_t for potential mounted dirs ++files_list_mnt(smbd_t) ++ + init_rw_utmp(smbd_t) + + logging_search_logs(smbd_t) + logging_send_syslog_msg(smbd_t) + +-miscfiles_read_localization(smbd_t) + miscfiles_read_public_files(smbd_t) + + sysnet_use_ldap(smbd_t) + + userdom_use_unpriv_users_fds(smbd_t) ++userdom_search_user_home_content(smbd_t) + userdom_signal_all_users(smbd_t) +-userdom_home_filetrans_user_home_dir(smbd_t) +-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) + + usermanage_read_crack_db(smbd_t) + +-ifdef(`hide_broken_symptoms',` ++term_use_ptmx(smbd_t) ++ ++ifdef(`hide_broken_symptoms', ` + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) + fs_dontaudit_getattr_tmpfs_dirs(smbd_t) + ') + +-tunable_policy(`allow_smbd_anon_write',` ++tunable_policy(`smbd_anon_write',` + miscfiles_manage_public_files(smbd_t) +-') ++') + +-tunable_policy(`samba_create_home_dirs',` +- allow smbd_t self:capability chown; +- userdom_create_user_home_dirs(smbd_t) ++tunable_policy(`samba_portmapper',` ++ 
corenet_tcp_bind_epmap_port(smbd_t) ++ corenet_tcp_bind_all_unreserved_ports(smbd_t) + ') + + tunable_policy(`samba_domain_controller',` +@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',` + ') + + tunable_policy(`samba_enable_home_dirs',` +- userdom_manage_user_home_content_dirs(smbd_t) +- userdom_manage_user_home_content_files(smbd_t) +- userdom_manage_user_home_content_symlinks(smbd_t) +- userdom_manage_user_home_content_sockets(smbd_t) +- userdom_manage_user_home_content_pipes(smbd_t) +-') +- +-tunable_policy(`samba_portmapper',` +- corenet_sendrecv_all_server_packets(smbd_t) +- corenet_tcp_bind_epmap_port(smbd_t) +- corenet_tcp_bind_all_unreserved_ports(smbd_t) +- corenet_tcp_sendrecv_all_ports(smbd_t) ++ userdom_manage_user_home_content(smbd_t) + ') + ++# Support Samba sharing of NFS mount points + tunable_policy(`samba_share_nfs',` + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) +@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',` + fs_manage_nfs_named_sockets(smbd_t) + ') + ++# Support Samba sharing of ntfs/fusefs mount points + tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',` + fs_search_fusefs(smbd_t) + ') + +-tunable_policy(`samba_export_all_ro',` +- fs_read_noxattr_fs_files(smbd_t) +- files_list_non_auth_dirs(smbd_t) +- files_read_non_auth_files(smbd_t) +-') +- +-tunable_policy(`samba_export_all_rw',` +- fs_read_noxattr_fs_files(smbd_t) +- files_manage_non_auth_files(smbd_t) +-') +- + optional_policy(` + ccs_read_config(smbd_t) + ') +@@ -460,6 +446,7 @@ optional_policy(` + optional_policy(` + ctdbd_stream_connect(smbd_t) + ctdbd_manage_lib_files(smbd_t) ++ ctdbd_manage_var_files(smbd_t) + ') + + optional_policy(` +@@ -473,6 +460,11 @@ optional_policy(` + ') + + optional_policy(` ++ ldap_stream_connect(smbd_t) ++ dirsrv_stream_connect(smbd_t) ++') ++ ++optional_policy(` + lpd_exec_lpr(smbd_t) + ') + +@@ -493,9 
+485,33 @@ optional_policy(` + udev_read_db(smbd_t) + ') + ++tunable_policy(`samba_create_home_dirs',` ++ allow smbd_t self:capability chown; ++ userdom_create_user_home_dirs(smbd_t) ++') ++ ++userdom_home_filetrans_user_home_dir(smbd_t) ++ ++tunable_policy(`samba_export_all_ro',` ++ allow nmbd_t self:capability { dac_read_search dac_override }; ++ fs_read_noxattr_fs_files(smbd_t) ++ files_read_non_security_files(smbd_t) ++ fs_read_noxattr_fs_files(nmbd_t) ++ files_read_non_security_files(nmbd_t) ++') ++ ++tunable_policy(`samba_export_all_rw',` ++ allow nmbd_t self:capability { dac_read_search dac_override }; ++ fs_manage_noxattr_fs_files(smbd_t) ++ files_manage_non_security_files(smbd_t) ++ fs_manage_noxattr_fs_files(nmbd_t) ++ files_manage_non_security_files(nmbd_t) ++') ++userdom_filetrans_home_content(nmbd_t) ++ + ######################################## + # +-# Nmbd Local policy ++# nmbd Local policy + # + + dontaudit nmbd_t self:capability sys_tty_config; +@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive }; + allow nmbd_t self:msgq create_msgq_perms; + allow nmbd_t self:sem create_sem_perms; + allow nmbd_t self:shm create_shm_perms; +-allow nmbd_t self:tcp_socket { accept listen }; +-allow nmbd_t self:unix_dgram_socket sendto; +-allow nmbd_t self:unix_stream_socket { accept connectto listen }; ++allow nmbd_t self:sock_file read_sock_file_perms; ++allow nmbd_t self:tcp_socket create_stream_socket_perms; ++allow nmbd_t self:udp_socket create_socket_perms; ++allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + + manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) + manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) +@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + + manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) 
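Review bot: Under the read-only tunable samba_export_all_ro, nmbd_t is granted `self:capability { dac_read_search dac_override }`; dac_override bypasses DAC write checks as well, so for a read-only export `dac_read_search` alone is the matching capability, and the pair under samba_export_all_rw is where dac_override belongs. It is also not evident from the hunk why nmbd, the name-service daemon, needs to read or manage non-security files at all when smbd is the process serving shares; if this was added for a specific bug, a comment with the reference would justify the grant. Note too that `userdom_filetrans_home_content(nmbd_t)` is glued to the closing `')` of the tunable block without a blank line, which reads as if it were conditional.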
+-append_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-create_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) ++manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) + +-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) ++manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t) + manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) +-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") + files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") + +-allow nmbd_t { swat_t smbcontrol_t }:process signal; +- +-allow nmbd_t smbd_var_run_t:dir rw_dir_perms; ++allow nmbd_t smbcontrol_t:process signal; + + kernel_getattr_core_if(nmbd_t) + kernel_getattr_message_if(nmbd_t) +@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t) + kernel_read_software_raid_state(nmbd_t) + kernel_read_system_state(nmbd_t) + +-corenet_all_recvfrom_unlabeled(nmbd_t) + corenet_all_recvfrom_netlabel(nmbd_t) + corenet_tcp_sendrecv_generic_if(nmbd_t) + corenet_udp_sendrecv_generic_if(nmbd_t) + corenet_tcp_sendrecv_generic_node(nmbd_t) + corenet_udp_sendrecv_generic_node(nmbd_t) ++corenet_tcp_sendrecv_all_ports(nmbd_t) ++corenet_udp_sendrecv_all_ports(nmbd_t) + corenet_udp_bind_generic_node(nmbd_t) +- +-corenet_sendrecv_nmbd_server_packets(nmbd_t) + corenet_udp_bind_nmbd_port(nmbd_t) +-corenet_udp_sendrecv_nmbd_port(nmbd_t) +- +-corenet_sendrecv_smbd_client_packets(nmbd_t) ++corenet_sendrecv_nmbd_server_packets(nmbd_t) ++corenet_sendrecv_nmbd_client_packets(nmbd_t) + corenet_tcp_connect_smbd_port(nmbd_t) +-corenet_tcp_sendrecv_smbd_port(nmbd_t) + +-dev_read_sysfs(nmbd_t) + dev_getattr_mtrr_dev(nmbd_t) ++dev_read_sysfs(nmbd_t) ++dev_read_urand(nmbd_t) ++ ++fs_getattr_all_fs(nmbd_t) ++fs_search_auto_mountpoints(nmbd_t) + + domain_use_interactive_fds(nmbd_t) + +-files_read_usr_files(nmbd_t) + 
files_list_var_lib(nmbd_t) + +-fs_getattr_all_fs(nmbd_t) +-fs_search_auto_mountpoints(nmbd_t) +- + auth_use_nsswitch(nmbd_t) + + logging_search_logs(nmbd_t) + logging_send_syslog_msg(nmbd_t) + +-miscfiles_read_localization(nmbd_t) +- + userdom_use_unpriv_users_fds(nmbd_t) +-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + +-tunable_policy(`samba_export_all_ro',` +- fs_read_noxattr_fs_files(nmbd_t) +- files_list_non_auth_dirs(nmbd_t) +- files_read_non_auth_files(nmbd_t) +-') +- +-tunable_policy(`samba_export_all_rw',` +- fs_read_noxattr_fs_files(nmbd_t) +- files_manage_non_auth_files(nmbd_t) ++optional_policy(` ++ ctdbd_stream_connect(nmbd_t) ++ ctdbd_manage_var_files(nmbd_t) + ') + + optional_policy(` +@@ -600,19 +602,26 @@ optional_policy(` + + ######################################## + # +-# Smbcontrol local policy ++# smbcontrol local policy + # + ++ + allow smbcontrol_t self:process signal; +-allow smbcontrol_t self:fifo_file rw_fifo_file_perms; ++# internal communication is often done using fifo and unix sockets. 
++allow smbcontrol_t self:fifo_file rw_file_perms; + allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + allow smbcontrol_t self:process { signal signull }; + +-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; +-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) ++allow smbcontrol_t nmbd_t:process { signal signull }; ++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) ++ ++allow smbcontrol_t smbd_t:process { signal signull }; ++read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) ++allow smbcontrol_t winbind_t:process { signal signull }; + ++files_search_var_lib(smbcontrol_t) + samba_read_config(smbcontrol_t) +-samba_rw_var_files(smbcontrol_t) ++manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) + samba_search_var(smbcontrol_t) + samba_read_winbind_pid(smbcontrol_t) + +@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t) + + dev_read_urand(smbcontrol_t) + +-files_read_etc_files(smbcontrol_t) +-files_search_var_lib(smbcontrol_t) + + term_use_console(smbcontrol_t) + +-miscfiles_read_localization(smbcontrol_t) +- + sysnet_use_ldap(smbcontrol_t) + +-userdom_use_user_terminals(smbcontrol_t) ++userdom_use_inherited_user_terminals(smbcontrol_t) + + optional_policy(` + ctdbd_stream_connect(smbcontrol_t) +@@ -637,22 +642,23 @@ optional_policy(` + + ######################################## + # +-# Smbmount Local policy ++# smbmount Local policy + # + +-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; +-allow smbmount_t self:process signal_perms; +-allow smbmount_t self:tcp_socket { accept listen }; ++allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? 
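Review bot: `manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)` replaces `samba_rw_var_files(smbcontrol_t)`, so smbcontrol gains create, unlink and rename on samba_var_t on top of read/write, and the hunk does not say which file it needs to create. If read/write is all that is required the interface call should stay; if creation is needed, a comment such as `# smbcontrol creates <file, TODO name it> under samba_var_t` keeps the widening deliberate. On the fifo line, `rw_file_perms` applied to the `fifo_file` class reads oddly next to the removed `rw_fifo_file_perms`, which is the class-specific macro for that object class.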
++allow smbmount_t self:process { fork signal_perms }; ++allow smbmount_t self:tcp_socket create_stream_socket_perms; ++allow smbmount_t self:udp_socket connect; + allow smbmount_t self:unix_dgram_socket create_socket_perms; + allow smbmount_t self:unix_stream_socket create_socket_perms; + + allow smbmount_t samba_etc_t:dir list_dir_perms; + allow smbmount_t samba_etc_t:file read_file_perms; + +-allow smbmount_t samba_log_t:dir list_dir_perms; +-append_files_pattern(smbmount_t, samba_log_t, samba_log_t) +-create_files_pattern(smbmount_t, samba_log_t, samba_log_t) +-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t) ++can_exec(smbmount_t, smbmount_exec_t) ++ ++allow smbmount_t samba_log_t:dir list_dir_perms; ++allow smbmount_t samba_log_t:file manage_file_perms; + + allow smbmount_t samba_secrets_t:file manage_file_perms; + +@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) + files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") + +-can_exec(smbmount_t, smbmount_exec_t) ++files_list_var_lib(smbmount_t) + + kernel_read_system_state(smbmount_t) + +-corenet_all_recvfrom_unlabeled(smbmount_t) + corenet_all_recvfrom_netlabel(smbmount_t) + corenet_tcp_sendrecv_generic_if(smbmount_t) ++corenet_raw_sendrecv_generic_if(smbmount_t) ++corenet_udp_sendrecv_generic_if(smbmount_t) + corenet_tcp_sendrecv_generic_node(smbmount_t) +- +-corenet_sendrecv_all_client_packets(smbmount_t) +-corenet_tcp_connect_all_ports(smbmount_t) ++corenet_raw_sendrecv_generic_node(smbmount_t) ++corenet_udp_sendrecv_generic_node(smbmount_t) + corenet_tcp_sendrecv_all_ports(smbmount_t) +- +-corecmd_list_bin(smbmount_t) +- +-files_list_mnt(smbmount_t) +-files_list_var_lib(smbmount_t) +-files_mounton_mnt(smbmount_t) +-files_manage_etc_runtime_files(smbmount_t) +-files_etc_filetrans_etc_runtime(smbmount_t, file) ++corenet_udp_sendrecv_all_ports(smbmount_t) ++corenet_tcp_bind_generic_node(smbmount_t) 
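Review bot: the `# FIXME: is all of this really necessary?` appended to the otherwise unchanged `allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };` records a doubt rather than a decision, and the rule is kept as it was. The `@@ -692` hunk keeps `storage_raw_read_fixed_disk(smbmount_t)` and `storage_raw_write_fixed_disk(smbmount_t)`, which is presumably why sys_rawio is still needed; a comment that ties each capability to the operation requiring it, e.g. `# sys_admin: cifs mount; sys_rawio: storage_raw_* below; chown/dac_override: TODO confirm`, would replace the open question.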
++corenet_udp_bind_generic_node(smbmount_t) ++corenet_tcp_connect_all_ports(smbmount_t) + + fs_getattr_cifs(smbmount_t) + fs_mount_cifs(smbmount_t) +@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t) + storage_raw_read_fixed_disk(smbmount_t) + storage_raw_write_fixed_disk(smbmount_t) + +-auth_use_nsswitch(smbmount_t) ++corecmd_list_bin(smbmount_t) + +-miscfiles_read_localization(smbmount_t) ++files_list_mnt(smbmount_t) ++files_mounton_mnt(smbmount_t) ++files_manage_etc_runtime_files(smbmount_t) ++files_etc_filetrans_etc_runtime(smbmount_t, file) ++ ++auth_use_nsswitch(smbmount_t) + +-mount_use_fds(smbmount_t) + + locallogin_use_fds(smbmount_t) + + logging_search_logs(smbmount_t) + +-userdom_use_user_terminals(smbmount_t) ++userdom_use_inherited_user_terminals(smbmount_t) + userdom_use_all_users_fds(smbmount_t) + + optional_policy(` + cups_read_rw_config(smbmount_t) + ') + ++optional_policy(` ++ mount_use_fds(smbmount_t) ++') ++ + ######################################## + # +-# Swat Local policy ++# SWAT Local policy + # + + allow swat_t self:capability { dac_override setuid setgid sys_resource }; ++allow swat_t self:capability2 block_suspend; + allow swat_t self:process { setrlimit signal_perms }; + allow swat_t self:fifo_file rw_fifo_file_perms; + allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow swat_t self:tcp_socket { accept listen }; ++allow swat_t self:tcp_socket create_stream_socket_perms; ++allow swat_t self:udp_socket create_socket_perms; + allow swat_t self:unix_stream_socket connectto; + +-allow swat_t { nmbd_t smbd_t }:process { signal signull }; ++samba_domtrans_smbd(swat_t) ++allow swat_t smbd_t:process { signal signull }; + +-allow swat_t smbd_var_run_t:file read_file_perms; +-allow swat_t smbd_var_run_t:file { lock delete_file_perms }; ++samba_domtrans_nmbd(swat_t) ++allow swat_t nmbd_t:process { signal signull }; ++allow nmbd_t swat_t:process signal; ++ ++read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) 
++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++ ++allow swat_t smbd_port_t:tcp_socket name_bind; ++ ++allow swat_t nmbd_port_t:udp_socket name_bind; + + rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) + + manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) +-append_files_pattern(swat_t, samba_log_t, samba_log_t) +-create_files_pattern(swat_t, samba_log_t, samba_log_t) +-setattr_files_pattern(swat_t, samba_log_t, samba_log_t) ++manage_files_pattern(swat_t, samba_log_t, samba_log_t) + + manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) + + manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) + manage_files_pattern(swat_t, samba_var_t, samba_var_t) +-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t) + files_var_filetrans(swat_t, samba_var_t, dir, "samba") + + allow swat_t smbd_exec_t:file mmap_file_perms ; + +-allow swat_t { winbind_t smbd_t }:process { signal signull }; ++allow swat_t smbd_t:process signull; ++ ++allow swat_t smbd_var_run_t:file read_file_perms; ++allow swat_t smbd_var_run_t:file { lock unlink }; + + manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) + manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) +@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) + manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) + files_pid_filetrans(swat_t, swat_var_run_t, file) + +-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) +-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms }; +-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms }; +- +-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) +-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +- +-samba_domtrans_smbd(swat_t) +-samba_domtrans_nmbd(swat_t) +- ++allow swat_t winbind_exec_t:file mmap_file_perms; + domtrans_pattern(swat_t, winbind_exec_t, winbind_t) 
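Review bot: `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;` reference corenetwork's port types directly, while the `@@ -770` hunk deletes the interface calls that express exactly these binds, `corenet_tcp_bind_smbd_port(swat_t)` and `corenet_udp_bind_nmbd_port(swat_t)`; keeping the interface calls avoids a raw cross-module type reference. In the same hunk `allow swat_t smbd_t:process signull;` is redundant with the `allow swat_t smbd_t:process { signal signull };` added a few lines above it.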
++allow swat_t winbind_t:process { signal signull }; ++ ++read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) ++allow swat_t winbind_var_run_t:dir { write add_name remove_name }; ++allow swat_t winbind_var_run_t:sock_file { create unlink }; + + kernel_read_kernel_sysctls(swat_t) + kernel_read_system_state(swat_t) +@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t) + + corecmd_search_bin(swat_t) + +-corenet_all_recvfrom_unlabeled(swat_t) + corenet_all_recvfrom_netlabel(swat_t) + corenet_tcp_sendrecv_generic_if(swat_t) + corenet_udp_sendrecv_generic_if(swat_t) ++corenet_raw_sendrecv_generic_if(swat_t) + corenet_tcp_sendrecv_generic_node(swat_t) + corenet_udp_sendrecv_generic_node(swat_t) +-corenet_tcp_bind_generic_node(swat_t) +-corenet_udp_bind_generic_node(swat_t) +- +-corenet_sendrecv_nmbd_server_packets(swat_t) +-corenet_udp_bind_nmbd_port(swat_t) +-corenet_udp_sendrecv_nmbd_port(swat_t) +- +-corenet_sendrecv_smbd_client_packets(swat_t) ++corenet_raw_sendrecv_generic_node(swat_t) ++corenet_tcp_sendrecv_all_ports(swat_t) ++corenet_udp_sendrecv_all_ports(swat_t) + corenet_tcp_connect_smbd_port(swat_t) +-corenet_sendrecv_smbd_server_packets(swat_t) +-corenet_tcp_bind_smbd_port(swat_t) +-corenet_tcp_sendrecv_smbd_port(swat_t) +- +-corenet_sendrecv_ipp_client_packets(swat_t) + corenet_tcp_connect_ipp_port(swat_t) +-corenet_tcp_sendrecv_ipp_port(swat_t) ++corenet_sendrecv_smbd_client_packets(swat_t) ++corenet_sendrecv_ipp_client_packets(swat_t) + + dev_read_urand(swat_t) + + files_list_var_lib(swat_t) + files_search_home(swat_t) +-files_read_usr_files(swat_t) + fs_getattr_xattr_fs(swat_t) +-files_list_var_lib(swat_t) + + auth_domtrans_chk_passwd(swat_t) + auth_use_nsswitch(swat_t) +@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t) + logging_send_audit_msgs(swat_t) + logging_search_logs(swat_t) + +-miscfiles_read_localization(swat_t) +- + sysnet_use_ldap(swat_t) + ++ ++userdom_dontaudit_search_admin_dir(swat_t) ++ + optional_policy(` + 
cups_read_rw_config(swat_t) + cups_stream_connect(swat_t) +@@ -834,16 +841,19 @@ optional_policy(` + # + + allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability2 block_suspend; + dontaudit winbind_t self:capability sys_tty_config; + allow winbind_t self:process { signal_perms getsched setsched }; + allow winbind_t self:fifo_file rw_fifo_file_perms; +-allow winbind_t self:unix_stream_socket { accept listen }; +-allow winbind_t self:tcp_socket { accept listen }; ++allow winbind_t self:unix_dgram_socket create_socket_perms; ++allow winbind_t self:unix_stream_socket create_stream_socket_perms; ++allow winbind_t self:tcp_socket create_stream_socket_perms; ++allow winbind_t self:udp_socket create_socket_perms; + + allow winbind_t nmbd_t:process { signal signull }; + +-allow winbind_t nmbd_var_run_t:file read_file_perms; +-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) ++samba_stream_connect_nmbd(winbind_t) + + allow winbind_t samba_etc_t:dir list_dir_perms; + read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) +@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) + + manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) +-append_files_pattern(winbind_t, samba_log_t, samba_log_t) +-create_files_pattern(winbind_t, samba_log_t, samba_log_t) +-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t) ++manage_files_pattern(winbind_t, samba_log_t, samba_log_t) + manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) + + manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") + + rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) + +-# This needs a file context specification +-allow winbind_t winbind_log_t:file { append_file_perms 
create_file_perms setattr_file_perms }; ++allow winbind_t winbind_log_t:file manage_file_perms; + logging_log_filetrans(winbind_t, winbind_log_t, file) + +-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) ++userdom_manage_user_tmp_dirs(winbind_t) ++userdom_manage_user_tmp_files(winbind_t) ++userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) + + manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) + manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) + filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) +- +-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) ++# /run/samba/krb5cc_samba + manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) ++manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) + manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) + + kernel_read_network_state(winbind_t) +@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t) + + corecmd_exec_bin(winbind_t) + +-corenet_all_recvfrom_unlabeled(winbind_t) + corenet_all_recvfrom_netlabel(winbind_t) + corenet_tcp_sendrecv_generic_if(winbind_t) ++corenet_udp_sendrecv_generic_if(winbind_t) ++corenet_raw_sendrecv_generic_if(winbind_t) + corenet_tcp_sendrecv_generic_node(winbind_t) ++corenet_udp_sendrecv_generic_node(winbind_t) ++corenet_raw_sendrecv_generic_node(winbind_t) + corenet_tcp_sendrecv_all_ports(winbind_t) +- +-corenet_sendrecv_all_client_packets(winbind_t) ++corenet_udp_sendrecv_all_ports(winbind_t) ++corenet_tcp_bind_generic_node(winbind_t) ++corenet_udp_bind_generic_node(winbind_t) + 
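Review bot: winbind's private temporary type is dropped: `userdom_manage_user_tmp_dirs(winbind_t)`, `userdom_manage_user_tmp_files(winbind_t)` and `userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })` replace the `winbind_tmp_t` rules, so what winbind creates in tmp directories is now labelled with the user tmp type that user domains also manage, instead of a type only winbind could reach. If that content is sensitive the private type was the stronger isolation, and a comment stating why the shared label is acceptable would help a later reader. The `# /run/samba/krb5cc_samba` comment placed above `manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` names a path that no rule in the hunk otherwise mentions; say which of the three smbd_var_run_t rules it explains.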
corenet_tcp_connect_smbd_port(winbind_t) + corenet_tcp_connect_epmap_port(winbind_t) + corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) + dev_read_sysfs(winbind_t) + dev_read_urand(winbind_t) + +-domain_use_interactive_fds(winbind_t) +- +-files_read_usr_symlinks(winbind_t) +-files_list_var_lib(winbind_t) + + fs_getattr_all_fs(winbind_t) + fs_search_auto_mountpoints(winbind_t) +@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t) + auth_use_nsswitch(winbind_t) + auth_manage_cache(winbind_t) + ++domain_use_interactive_fds(winbind_t) ++ ++files_read_usr_symlinks(winbind_t) ++files_list_var_lib(winbind_t) ++ + logging_send_syslog_msg(winbind_t) + +-miscfiles_read_localization(winbind_t) + miscfiles_read_generic_certs(winbind_t) + ++sysnet_use_ldap(winbind_t) ++ + userdom_dontaudit_use_unpriv_user_fds(winbind_t) + userdom_manage_user_home_content_dirs(winbind_t) + userdom_manage_user_home_content_files(winbind_t) + userdom_manage_user_home_content_symlinks(winbind_t) + userdom_manage_user_home_content_pipes(winbind_t) + userdom_manage_user_home_content_sockets(winbind_t) +-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) ++userdom_filetrans_home_content(winbind_t) + + optional_policy(` + ctdbd_stream_connect(winbind_t) + ctdbd_manage_lib_files(winbind_t) ++ ctdbd_manage_var_files(winbind_t) ++') ++ ++ ++optional_policy(` ++ dirsrv_stream_connect(winbind_t) + ') + + optional_policy(` + kerberos_use(winbind_t) ++ kerberos_filetrans_named_content(winbind_t) + ') + + optional_policy(` +@@ -952,31 +971,29 @@ optional_policy(` + # Winbind helper local policy + # + +-allow winbind_helper_t self:unix_stream_socket { accept listen }; ++allow winbind_helper_t self:unix_dgram_socket create_socket_perms; ++allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; + + allow winbind_helper_t samba_etc_t:dir list_dir_perms; + 
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) + + allow winbind_helper_t samba_var_t:dir search_dir_perms; ++files_list_var_lib(winbind_helper_t) + + allow winbind_t smbcontrol_t:process signal; + + stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) + +-domain_use_interactive_fds(winbind_helper_t) +- +-files_list_var_lib(winbind_helper_t) +- + term_list_ptys(winbind_helper_t) + ++domain_use_interactive_fds(winbind_helper_t) ++ + auth_use_nsswitch(winbind_helper_t) + + logging_send_syslog_msg(winbind_helper_t) + +-miscfiles_read_localization(winbind_helper_t) +- +-userdom_use_user_terminals(winbind_helper_t) ++userdom_use_inherited_user_terminals(winbind_helper_t) + + optional_policy(` + apache_append_log(winbind_helper_t) +@@ -990,25 +1007,38 @@ optional_policy(` + + ######################################## + # +-# Unconfined script local policy ++# samba_unconfined_script_t local policy + # + + optional_policy(` +- type samba_unconfined_script_t; +- type samba_unconfined_script_exec_t; +- domain_type(samba_unconfined_script_t) +- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +- corecmd_shell_entry_type(samba_unconfined_script_t) +- role system_r types samba_unconfined_script_t; ++ type samba_unconfined_net_t; ++ domain_type(samba_unconfined_net_t) ++ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) ++ role system_r types samba_unconfined_net_t; ++ ++ unconfined_domain(samba_unconfined_net_t) ++ ++ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) ++ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) ++ userdom_use_inherited_user_terminals(samba_unconfined_net_t) ++') ++ ++type samba_unconfined_script_t; ++type samba_unconfined_script_exec_t; ++domain_type(samba_unconfined_script_t) ++domain_entry_file(samba_unconfined_script_t, 
samba_unconfined_script_exec_t) ++corecmd_shell_entry_type(samba_unconfined_script_t) ++role system_r types samba_unconfined_script_t; + +- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +- allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; ++allow smbd_t samba_unconfined_script_exec_t:file ioctl; + ++optional_policy(` + unconfined_domain(samba_unconfined_script_t) ++') + +- tunable_policy(`samba_run_unconfined',` ++tunable_policy(`samba_run_unconfined',` + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) +- ',` +- can_exec(smbd_t, samba_unconfined_script_exec_t) +- ') ++',` ++ can_exec(smbd_t, samba_unconfined_script_exec_t) + ') +diff --git a/sambagui.te b/sambagui.te +index d9f8784..9c40dbd 100644 +--- a/sambagui.te ++++ b/sambagui.te +@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) + + dev_dontaudit_read_urand(sambagui_t) + +-files_read_usr_files(sambagui_t) ++files_search_var_lib(sambagui_t) + + auth_use_nsswitch(sambagui_t) + auth_dontaudit_read_shadow(sambagui_t) + +-logging_send_syslog_msg(sambagui_t) ++init_access_check(sambagui_t) + +-miscfiles_read_localization(sambagui_t) ++logging_send_syslog_msg(sambagui_t) + + sysnet_use_ldap(sambagui_t) + +@@ -61,6 +61,7 @@ optional_policy(` + samba_manage_var_files(sambagui_t) + samba_read_secrets(sambagui_t) + samba_initrc_domtrans(sambagui_t) ++ samba_systemctl(sambagui_t) + samba_domtrans_smbd(sambagui_t) + samba_domtrans_nmbd(sambagui_t) + ') +diff --git a/samhain.if b/samhain.if +index f0236d6..78a792a 100644 +--- a/samhain.if ++++ b/samhain.if +@@ -23,6 +23,8 @@ template(`samhain_service_template',` + files_read_all_files($1_t) + + mls_file_write_all_levels($1_t) ++ ++ logging_send_sylog_msg($1_t) + ') + + ######################################## +diff --git a/samhain.te b/samhain.te +index 931312b..bd9a4c7 100644 +--- a/samhain.te ++++ b/samhain.te +@@ -88,8 +88,6 @@ 
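Review bot: the new `samba_unconfined_net_t` is an `unconfined_domain` entered through `samba_net_exec_t`, but the hunk shows no transition rule into it and the header comment was only changed to `# samba_unconfined_script_t local policy`; the section should state which domain transitions into the unconfined net domain (or that none does yet) and under which tunable. Separately, `type samba_unconfined_script_t;` and the `tunable_policy(`samba_run_unconfined',` block are moved out of `optional_policy` while `unconfined_domain(samba_unconfined_script_t)` stays inside one, so in a build without that module the tunable would transition smbd into a domain with almost no rules — presumably unintended; either document that or keep the tunable block under the same optional_policy.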
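Review bot: `logging_send_sylog_msg($1_t)` is misspelled; the interface is `logging_send_syslog_msg`, as the samhain.te hunk at `@@ -88` that removes `logging_send_syslog_msg(samhain_domain)` shows. Because that removal relies on the template call replacing it, the typo leaves the samhain domains without syslog permission, or fails the build, depending on how an undefined interface is treated; change the line to `logging_send_syslog_msg($1_t)`.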
auth_read_login_records(samhain_domain) + + init_read_utmp(samhain_domain) + +-logging_send_syslog_msg(samhain_domain) +- + ######################################## + # + # Client local policy +@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t) + + seutil_sigchld_newrole(samhain_t) + +-userdom_use_user_terminals(samhain_t) ++userdom_use_inherited_user_terminals(samhain_t) + + ######################################## + # +diff --git a/sandbox.fc b/sandbox.fc +new file mode 100644 +index 0000000..b7db254 +--- /dev/null ++++ b/sandbox.fc +@@ -0,0 +1 @@ ++# Empty +diff --git a/sandbox.if b/sandbox.if +new file mode 100644 +index 0000000..577dfa7 +--- /dev/null ++++ b/sandbox.if +@@ -0,0 +1,55 @@ ++ ++## policy for sandbox ++ ++######################################## ++## ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`sandbox_transition',` ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ role $2 types sandbox_domain; ++ allow sandbox_domain $1:process { sigchld signull }; ++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit sandbox_domain $1:process signal; ++') ++ ++######################################## ++## ++## Creates types and rules for a basic ++## sandbox process domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`sandbox_domain_template',` ++ ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ type $1_t, sandbox_domain; ++ ++ application_type($1_t) ++ ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++') +diff --git a/sandbox.te b/sandbox.te +new file mode 100644 +index 0000000..b12aada +--- /dev/null ++++ b/sandbox.te +@@ -0,0 +1,62 @@ ++policy_module(sandbox,1.0.0) ++ ++attribute sandbox_domain; ++ ++######################################## ++# ++# Declarations ++# ++sandbox_domain_template(sandbox) ++ ++######################################## ++# ++# sandbox local policy ++# ++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++tunable_policy(`deny_execmem',`',` ++ allow sandbox_domain self:process execmem; ++') ++ ++allow sandbox_domain self:fifo_file manage_file_perms; ++allow sandbox_domain self:sem create_sem_perms; ++allow sandbox_domain self:shm create_shm_perms; ++allow sandbox_domain self:msgq create_msgq_perms; ++allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; ++dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ ++dev_rw_all_inherited_chr_files(sandbox_domain) ++dev_rw_all_inherited_blk_files(sandbox_domain) ++ ++# sandbox_file_t was moved to sandboxX.te ++optional_policy(` ++ sandbox_exec_file(sandbox_domain) ++ sandbox_manage_content(sandbox_domain) ++ sandbox_dontaudit_mounton(sandbox_domain) ++ sandbox_manage_tmpfs_files(sandbox_domain) ++') ++ ++gen_require(` ++ type usr_t, lib_t, locale_t, device_t; ++ type var_t, var_run_t, rpm_log_t, locale_t; ++ attribute exec_type, configfile; ++') ++ ++kernel_dontaudit_read_system_state(sandbox_domain) ++ ++corecmd_exec_all_executables(sandbox_domain) ++ ++dev_dontaudit_getattr_all(sandbox_domain) ++ ++files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t 
-locale_t -var_t -var_run_t -device_t -rpm_log_t ) ++files_entrypoint_all_files(sandbox_domain) ++ ++files_read_config_files(sandbox_domain) ++files_read_var_files(sandbox_domain) ++files_dontaudit_search_all_dirs(sandbox_domain) ++ ++fs_dontaudit_getattr_all_fs(sandbox_domain) ++ ++userdom_use_inherited_user_terminals(sandbox_domain) ++ ++mta_dontaudit_read_spool_symlinks(sandbox_domain) +diff --git a/sandboxX.fc b/sandboxX.fc +new file mode 100644 +index 0000000..6caef63 +--- /dev/null ++++ b/sandboxX.fc +@@ -0,0 +1,2 @@ ++ ++/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) +diff --git a/sandboxX.if b/sandboxX.if +new file mode 100644 +index 0000000..5da5bff +--- /dev/null ++++ b/sandboxX.if +@@ -0,0 +1,392 @@ ++ ++## policy for sandboxX ++ ++######################################## ++## ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. 
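Review bot: the `gen_require` block lists `locale_t` twice (`type usr_t, lib_t, locale_t, device_t;` and `type var_t, var_run_t, rpm_log_t, locale_t;`), and it sits between rules instead of in the `# Declarations` section the file opens with; dropping the duplicate and moving the block up keeps the requirements where a reader looks for them. Those required types are consumed only by the exclusion list on `files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t … -rpm_log_t )`, so a comment above that line stating why each excluded type is on the list would document the intent of the exclusions.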
++## ++## ++# ++interface(`sandbox_x_transition',` ++ gen_require(` ++ type sandbox_xserver_t; ++ type sandbox_file_t; ++ attribute sandbox_x_domain; ++ attribute sandbox_tmpfs_type; ++ ') ++ ++ allow $1 sandbox_x_domain:process { signal_perms transition }; ++ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; ++ allow sandbox_x_domain $1:process { sigchld signull }; ++ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; ++ role $2 types sandbox_x_domain; ++ role $2 types sandbox_xserver_t; ++ allow $1 sandbox_xserver_t:process signal_perms; ++ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; ++ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; ++ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; ++ dontaudit sandbox_xserver_t $1:file read; ++ allow sandbox_x_domain sandbox_x_domain:process signal; ++ # Dontaudit leaked file descriptors ++ dontaudit sandbox_x_domain $1:fifo_file { read write }; ++ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; ++ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; ++ dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; ++ dontaudit sandbox_x_domain $1:process { signal sigkill }; ++ ++ allow $1 sandbox_tmpfs_type:file manage_file_perms; ++ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; ++ ++ can_exec($1, sandbox_file_t) ++ allow $1 sandbox_file_t:filesystem getattr; ++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_lnk_files_pattern($1, sandbox_file_t, 
sandbox_file_t) ++ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Creates types and rules for a basic ++## sandbox process domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`sandbox_x_domain_template',` ++ gen_require(` ++ type xserver_exec_t, sandbox_devpts_t; ++ type sandbox_xserver_t; ++ type sandbox_exec_t; ++ attribute sandbox_x_domain; ++ attribute sandbox_tmpfs_type; ++ attribute sandbox_type; ++ ') ++ ++ type $1_t, sandbox_x_domain, sandbox_type; ++ application_type($1_t) ++ mcs_constrained($1_t) ++ ++ kernel_read_system_state($1_t) ++ selinux_get_fs_mount($1_t) ++ ++ auth_use_nsswitch($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ ++ # window manager ++ miscfiles_setattr_fonts_cache_dirs($1_t) ++ allow $1_t self:capability setuid; ++ ++ type $1_client_t, sandbox_x_domain; ++ application_type($1_client_t) ++ kernel_read_system_state($1_client_t) ++ ++ mcs_constrained($1_t) ++ ++ type $1_client_tmpfs_t, sandbox_tmpfs_type; ++ files_tmpfs_file($1_client_tmpfs_t) ++ ++ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) ++ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t) ++ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) ++ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) ++ # Pulseaudio tmpfs files with different MCS labels ++ dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; ++ dontaudit $1_t $1_client_tmpfs_t:file { read write }; ++ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; ++ ++ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) ++ allow $1_t sandbox_xserver_t:process signal_perms; ++ ++ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) ++ domain_entry_file($1_client_t, sandbox_exec_t) ++ ++ ps_process_pattern(sandbox_xserver_t, $1_client_t) ++ ps_process_pattern(sandbox_xserver_t, $1_t) ++ allow 
sandbox_xserver_t $1_client_t:shm rw_shm_perms; ++ allow sandbox_xserver_t $1_t:shm rw_shm_perms; ++ allow $1_client_t $1_t:unix_stream_socket connectto; ++ allow $1_t $1_client_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## allow domain to read, ++## write sandbox_xserver tmp files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_rw_xserver_tmpfs_files',` ++ gen_require(` ++ type sandbox_xserver_tmpfs_t; ++ ') ++ ++ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## allow domain to read ++## sandbox tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_read_tmpfs_files',` ++ gen_require(` ++ attribute sandbox_tmpfs_type; ++ ') ++ ++ allow $1 sandbox_tmpfs_type:file read_file_perms; ++') ++ ++######################################## ++## ++## allow domain to manage ++## sandbox tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_manage_tmpfs_files',` ++ gen_require(` ++ attribute sandbox_tmpfs_type; ++ ') ++ ++ allow $1 sandbox_tmpfs_type:file manage_file_perms; ++') ++ ++######################################## ++## ++## Delete sandbox files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_files',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Manage sandbox content ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_manage_content',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ allow $1 sandbox_file_t:filesystem getattr; ++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); 
++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); ++') ++ ++######################################## ++## ++## Delete sandbox symbolic links ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_lnk_files',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Delete sandbox fifo files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_pipes',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Delete sandbox sock files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_sock_files',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Allow domain to set the attributes ++## of the sandbox directory. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_setattr_dirs',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ allow $1 sandbox_file_t:dir setattr; ++') ++ ++######################################## ++## ++## Delete sandbox directories ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_dirs',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## allow domain to list sandbox dirs ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_list',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ allow $1 sandbox_file_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Read and write a sandbox domain pty. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sandbox_use_ptys',` ++ gen_require(` ++ type sandbox_devpts_t; ++ ') ++ ++ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++####################################### ++## ++## Allow domain to execute sandbox_file_t in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sandbox_exec_file',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ can_exec($1, sandbox_file_t) ++') ++ ++###################################### ++## ++## Allow domain to execute sandbox_file_t in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sandbox_dontaudit_mounton',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ dontaudit $1 sandbox_file_t:dir mounton; ++') +diff --git a/sandboxX.te b/sandboxX.te +new file mode 100644 +index 0000000..710df6b +--- /dev/null ++++ b/sandboxX.te +@@ -0,0 +1,483 @@ ++policy_module(sandboxX,1.0.0) ++ ++dbus_stub() ++attribute sandbox_x_domain; ++attribute sandbox_web_type; ++attribute sandbox_file_type; ++attribute sandbox_tmpfs_type; ++attribute sandbox_type; ++ ++type sandbox_exec_t; ++files_type(sandbox_exec_t) ++ ++type sandbox_file_t, sandbox_file_type; ++userdom_user_home_content(sandbox_file_t) ++ ++typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }; ++ ++######################################## ++# ++# Declarations ++# ++sandbox_x_domain_template(sandbox_min) ++sandbox_x_domain_template(sandbox_x) ++sandbox_x_domain_template(sandbox_web) ++sandbox_x_domain_template(sandbox_net) ++ ++type sandbox_xserver_t; ++domain_type(sandbox_xserver_t) ++xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) ++ ++type sandbox_xserver_tmpfs_t; ++files_tmpfs_file(sandbox_xserver_tmpfs_t) ++ ++type sandbox_devpts_t; ++term_pty(sandbox_devpts_t) ++files_type(sandbox_devpts_t) ++ ++######################################## ++# ++# sandbox xserver 
policy ++# ++allow sandbox_xserver_t self:process { signal_perms execstack }; ++ ++tunable_policy(`deny_execmem',`',` ++ allow sandbox_xserver_t self:process execmem; ++') ++ ++allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; ++allow sandbox_xserver_t self:shm create_shm_perms; ++allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms; ++ ++manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++ ++kernel_dontaudit_request_load_module(sandbox_xserver_t) ++kernel_read_system_state(sandbox_xserver_t) ++ ++corecmd_exec_bin(sandbox_xserver_t) ++corecmd_exec_shell(sandbox_xserver_t) ++ ++corenet_all_recvfrom_netlabel(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) ++corenet_udp_sendrecv_all_ports(sandbox_xserver_t) ++corenet_tcp_bind_generic_node(sandbox_xserver_t) ++corenet_tcp_bind_xserver_port(sandbox_xserver_t) ++corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) 
++corenet_sendrecv_all_client_packets(sandbox_xserver_t) ++ ++dev_read_sysfs(sandbox_xserver_t) ++dev_rwx_zero(sandbox_xserver_t) ++dev_read_urand(sandbox_xserver_t) ++ ++domain_use_interactive_fds(sandbox_xserver_t) ++ ++files_read_config_files(sandbox_xserver_t) ++files_search_home(sandbox_xserver_t) ++fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) ++fs_list_inotifyfs(sandbox_xserver_t) ++fs_search_auto_mountpoints(sandbox_xserver_t) ++ ++miscfiles_read_fonts(sandbox_xserver_t) ++ ++selinux_validate_context(sandbox_xserver_t) ++selinux_compute_access_vector(sandbox_xserver_t) ++selinux_compute_create_context(sandbox_xserver_t) ++ ++auth_use_nsswitch(sandbox_xserver_t) ++ ++logging_send_syslog_msg(sandbox_xserver_t) ++logging_send_audit_msgs(sandbox_xserver_t) ++ ++userdom_use_inherited_user_terminals(sandbox_xserver_t) ++userdom_dontaudit_search_user_home_content(sandbox_xserver_t) ++userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t) ++ ++xserver_read_xkb_libs(sandbox_xserver_t) ++xserver_dontaudit_xkb_libs_access(sandbox_xserver_t) ++xserver_entry_type(sandbox_xserver_t) ++ ++optional_policy(` ++ dbus_system_bus_client(sandbox_xserver_t) ++ ++ optional_policy(` ++ hal_dbus_chat(sandbox_xserver_t) ++ ') ++') ++ ++######################################## ++# ++# sandbox_x_domain local policy ++# ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++tunable_policy(`deny_execmem',`',` ++ allow sandbox_x_domain self:process execmem; ++') ++ ++allow sandbox_x_domain self:fifo_file manage_file_perms; ++allow sandbox_x_domain self:sem create_sem_perms; ++allow sandbox_x_domain self:shm create_shm_perms; ++allow sandbox_x_domain self:msgq create_msgq_perms; ++allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms; ++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; ++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++dontaudit 
sandbox_x_domain sandbox_x_domain:process signal; ++dontaudit sandbox_x_domain sandbox_xserver_t:process signal; ++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ ++allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; ++ ++allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; ++term_create_pty(sandbox_x_domain,sandbox_devpts_t) ++ ++can_exec(sandbox_x_domain, sandbox_file_t) ++allow sandbox_x_domain sandbox_file_t:filesystem getattr; ++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); ++dontaudit sandbox_x_domain sandbox_file_t:dir mounton; ++ ++kernel_getattr_proc(sandbox_x_domain) ++kernel_read_network_state(sandbox_x_domain) ++kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain) ++ ++domain_dontaudit_read_all_domains_state(sandbox_x_domain) ++ ++corecmd_exec_all_executables(sandbox_x_domain) ++ ++dev_read_urand(sandbox_x_domain) ++dev_dontaudit_read_rand(sandbox_x_domain) ++dev_read_sysfs(sandbox_x_domain) ++dev_dontaudit_rw_dri(sandbox_x_domain) ++ ++files_search_home(sandbox_x_domain) ++files_dontaudit_list_all_mountpoints(sandbox_x_domain) ++files_entrypoint_all_files(sandbox_x_domain) ++files_read_config_files(sandbox_x_domain) ++files_read_usr_symlinks(sandbox_x_domain) ++ ++fs_getattr_tmpfs(sandbox_x_domain) ++fs_getattr_xattr_fs(sandbox_x_domain) ++fs_list_inotifyfs(sandbox_x_domain) ++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain) ++# Random tmpfs_t that gets created when you run X. 
++fs_rw_tmpfs_files(sandbox_x_domain) ++fs_get_xattr_fs_quotas(sandbox_x_domain) ++ ++auth_dontaudit_read_login_records(sandbox_x_domain) ++auth_dontaudit_write_login_records(sandbox_x_domain) ++auth_search_pam_console_data(sandbox_x_domain) ++ ++init_read_utmp(sandbox_x_domain) ++init_dontaudit_write_utmp(sandbox_x_domain) ++ ++libs_dontaudit_setattr_lib_files(sandbox_x_domain) ++ ++miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) ++ ++mta_dontaudit_read_spool_symlinks(sandbox_x_domain) ++ ++selinux_validate_context(sandbox_x_domain) ++selinux_compute_access_vector(sandbox_x_domain) ++selinux_compute_create_context(sandbox_x_domain) ++selinux_compute_relabel_context(sandbox_x_domain) ++selinux_compute_user_contexts(sandbox_x_domain) ++seutil_read_default_contexts(sandbox_x_domain) ++ ++term_getattr_pty_fs(sandbox_x_domain) ++term_use_ptmx(sandbox_x_domain) ++term_search_ptys(sandbox_x_domain) ++ ++application_dontaudit_signal(sandbox_x_domain) ++application_dontaudit_sigkill(sandbox_x_domain) ++ ++logging_dontaudit_search_logs(sandbox_x_domain) ++ ++miscfiles_read_fonts(sandbox_x_domain) ++ ++storage_dontaudit_rw_fuse(sandbox_x_domain) ++ ++optional_policy(` ++ consolekit_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` ++ cups_stream_connect(sandbox_x_domain) ++ cups_read_rw_config(sandbox_x_domain) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(sandbox_x_domain) ++') ++ ++optional_policy(` ++ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain) ++') ++ ++optional_policy(` ++ gnome_read_gconf_config(sandbox_x_domain) ++') ++ ++optional_policy(` ++ nscd_dontaudit_search_pid(sandbox_x_domain) ++') ++ ++optional_policy(` ++ sssd_dontaudit_search_lib(sandbox_x_domain) ++') ++ ++optional_policy(` ++ udev_read_db(sandbox_x_domain) ++') ++ ++userdom_use_inherited_user_terminals(sandbox_x_domain) ++userdom_read_user_home_content_symlinks(sandbox_x_domain) ++userdom_search_user_home_content(sandbox_x_domain) 
++userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain) ++ ++fs_search_auto_mountpoints(sandbox_x_domain) ++fs_read_hugetlbfs_files(sandbox_x_domain) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_auto_mountpoints(sandbox_x_domain) ++ fs_search_nfs(sandbox_xserver_t) ++ fs_read_nfs_files(sandbox_xserver_t) ++ fs_manage_nfs_dirs(sandbox_x_domain) ++ fs_manage_nfs_files(sandbox_x_domain) ++ fs_exec_nfs_files(sandbox_x_domain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(sandbox_xserver_t) ++ fs_read_cifs_files(sandbox_xserver_t) ++ fs_manage_cifs_dirs(sandbox_x_domain) ++ fs_manage_cifs_files(sandbox_x_domain) ++ fs_exec_cifs_files(sandbox_x_domain) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(sandbox_xserver_t) ++ fs_read_fusefs_files(sandbox_xserver_t) ++ fs_manage_fusefs_dirs(sandbox_x_domain) ++ fs_manage_fusefs_files(sandbox_x_domain) ++ fs_exec_fusefs_files(sandbox_x_domain) ++') ++ ++files_search_home(sandbox_x_t) ++userdom_use_user_ptys(sandbox_x_t) ++ ++######################################## ++# ++# sandbox_x_client_t local policy ++# ++allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; ++allow sandbox_x_client_t self:udp_socket create_socket_perms; ++allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; ++ ++dev_read_rand(sandbox_x_client_t) ++ ++corenet_tcp_connect_ipp_port(sandbox_x_client_t) ++corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t) ++ ++auth_use_nsswitch(sandbox_x_client_t) ++ ++logging_send_syslog_msg(sandbox_x_client_t) ++ ++optional_policy(` ++ colord_dbus_chat(sandbox_x_client_t) ++') ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_x_client_t) ++') ++ ++optional_policy(` ++ nsplugin_read_rw_files(sandbox_x_client_t) ++') ++ ++######################################## ++# ++# sandbox_web_client_t local policy ++# ++typeattribute sandbox_web_client_t sandbox_web_type; ++ ++selinux_get_fs_mount(sandbox_web_client_t) ++ 
++auth_use_nsswitch(sandbox_web_client_t) ++ ++logging_send_syslog_msg(sandbox_web_client_t) ++ ++allow sandbox_web_type self:capability { setuid setgid }; ++allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; ++dontaudit sandbox_web_type self:process setrlimit; ++ ++allow sandbox_web_type self:tcp_socket create_stream_socket_perms; ++allow sandbox_web_type self:udp_socket create_socket_perms; ++allow sandbox_web_type self:dbus { acquire_svc send_msg }; ++ ++kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) ++kernel_request_load_module(sandbox_web_type) ++ ++dev_read_rand(sandbox_web_type) ++dev_write_sound(sandbox_web_type) ++dev_read_sound(sandbox_web_type) ++ ++corenet_tcp_sendrecv_generic_if(sandbox_web_type) ++corenet_raw_sendrecv_generic_if(sandbox_web_type) ++corenet_tcp_sendrecv_generic_node(sandbox_web_type) ++corenet_raw_sendrecv_generic_node(sandbox_web_type) ++corenet_tcp_sendrecv_http_port(sandbox_web_type) ++corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) ++corenet_tcp_sendrecv_squid_port(sandbox_web_type) ++corenet_tcp_sendrecv_ftp_port(sandbox_web_type) ++corenet_tcp_sendrecv_ipp_port(sandbox_web_type) ++corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type) ++corenet_tcp_connect_aol_port(sandbox_web_type) ++corenet_tcp_connect_asterisk_port(sandbox_web_type) ++corenet_tcp_connect_commplex_link_port(sandbox_web_type) ++corenet_tcp_connect_couchdb_port(sandbox_web_type) ++corenet_tcp_connect_flash_port(sandbox_web_type) ++corenet_tcp_connect_ftp_port(sandbox_web_type) ++corenet_tcp_connect_gatekeeper_port(sandbox_web_type) ++corenet_tcp_connect_generic_port(sandbox_web_type) ++corenet_tcp_connect_http_cache_port(sandbox_web_type) ++corenet_tcp_connect_http_port(sandbox_web_type) ++corenet_tcp_connect_ipp_port(sandbox_web_type) ++corenet_tcp_connect_ipsecnat_port(sandbox_web_type) ++corenet_tcp_connect_ircd_port(sandbox_web_type) ++corenet_tcp_connect_jabber_client_port(sandbox_web_type) 
++corenet_tcp_connect_jboss_management_port(sandbox_web_type) ++corenet_tcp_connect_mmcc_port(sandbox_web_type) ++corenet_tcp_connect_monopd_port(sandbox_web_type) ++corenet_tcp_connect_msnp_port(sandbox_web_type) ++corenet_tcp_connect_ms_streaming_port(sandbox_web_type) ++corenet_tcp_connect_pulseaudio_port(sandbox_web_type) ++corenet_tcp_connect_rtsp_port(sandbox_web_type) ++corenet_tcp_connect_soundd_port(sandbox_web_type) ++corenet_tcp_connect_speech_port(sandbox_web_type) ++corenet_tcp_connect_squid_port(sandbox_web_type) ++corenet_tcp_connect_tor_port(sandbox_web_type) ++corenet_tcp_connect_transproxy_port(sandbox_web_type) ++corenet_tcp_connect_vnc_port(sandbox_web_type) ++corenet_tcp_connect_whois_port(sandbox_web_type) ++corenet_sendrecv_http_client_packets(sandbox_web_type) ++corenet_sendrecv_http_cache_client_packets(sandbox_web_type) ++corenet_sendrecv_squid_client_packets(sandbox_web_type) ++corenet_sendrecv_ftp_client_packets(sandbox_web_type) ++corenet_sendrecv_ipp_client_packets(sandbox_web_type) ++corenet_sendrecv_generic_client_packets(sandbox_web_type) ++corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type) ++ ++corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) ++corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) ++ ++files_dontaudit_getattr_all_dirs(sandbox_web_type) ++ ++fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) ++fs_dontaudit_getattr_all_fs(sandbox_web_type) ++ ++storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) ++ ++dbus_system_bus_client(sandbox_web_type) ++dbus_read_config(sandbox_web_type) ++selinux_validate_context(sandbox_web_type) ++selinux_compute_access_vector(sandbox_web_type) ++selinux_compute_create_context(sandbox_web_type) ++selinux_compute_relabel_context(sandbox_web_type) ++selinux_compute_user_contexts(sandbox_web_type) ++seutil_read_default_contexts(sandbox_web_type) ++ ++userdom_rw_user_tmpfs_files(sandbox_web_type) ++userdom_delete_user_tmpfs_files(sandbox_web_type) ++ 
++optional_policy(` ++ alsa_read_rw_config(sandbox_web_type) ++') ++ ++optional_policy(` ++ bluetooth_dontaudit_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` ++ chrome_domtrans_sandbox(sandbox_web_type) ++') ++ ++optional_policy(` ++ nsplugin_manage_rw(sandbox_web_type) ++ nsplugin_read_rw_files(sandbox_web_type) ++ nsplugin_rw_exec(sandbox_web_type) ++') ++ ++optional_policy(` ++ pulseaudio_stream_connect(sandbox_web_type) ++ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms; ++') ++ ++optional_policy(` ++ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` ++ # needed by pulseaudio ++ systemd_read_logind_sessions_files(sandbox_web_type) ++ systemd_login_read_pid_files(sandbox_web_type) ++') ++ ++optional_policy(` ++ networkmanager_dontaudit_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` ++ udev_read_state(sandbox_web_type) ++') ++ ++######################################## ++# ++# sandbox_net_client_t local policy ++# ++typeattribute sandbox_net_client_t sandbox_web_type; ++ ++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) ++corenet_udp_sendrecv_all_ports(sandbox_net_client_t) ++corenet_tcp_connect_all_ports(sandbox_net_client_t) ++corenet_sendrecv_all_client_packets(sandbox_net_client_t) ++ ++selinux_get_fs_mount(sandbox_net_client_t) ++ ++auth_use_nsswitch(sandbox_net_client_t) ++ ++logging_send_syslog_msg(sandbox_net_client_t) ++ ++optional_policy(` ++ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain) ++ mozilla_dontaudit_rw_user_home_files(sandbox_x_t) ++ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) ++ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) ++ 
mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) ++ mozilla_plugin_dontaudit_leaks(sandbox_x_domain) ++') ++userdom_dontaudit_open_user_ptys(sandbox_x_domain) +diff --git a/sanlock.fc b/sanlock.fc +index 3df2a0f..9059165 100644 +--- a/sanlock.fc ++++ b/sanlock.fc +@@ -1,7 +1,10 @@ ++ + /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) + +-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) ++/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) ++ ++/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0) + +-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) ++/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) + +-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) ++/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0) +diff --git a/sanlock.if b/sanlock.if +index cd6c213..34b861a 100644 +--- a/sanlock.if ++++ b/sanlock.if +@@ -1,4 +1,5 @@ +-## shared storage lock manager. ++ ++## policy for sanlock + + ######################################## + ## +@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',` + type sanlock_t, sanlock_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, sanlock_exec_t, sanlock_t) + ') + ++ + ######################################## + ## +-## Execute sanlock init scripts in +-## the initrc domain. ++## Execute sanlock server in the sanlock domain. + ## + ## + ## +-## Domain allowed to transition. ++## The type of the process performing this action. + ## + ## + # +@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',` + + ###################################### + ## +-## Create, read, write, and delete +-## sanlock pid files. ++## Create, read, write, and delete sanlock PID files. 
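Review bot: `kernel_request_load_module(sandbox_web_type)` in the sandbox_web_client_t section lets sandboxed web content trigger kernel module autoloading, which is more kernel attack surface than a confined browser helper needs; the sandbox_xserver_t section of the same file uses `kernel_dontaudit_request_load_module(sandbox_xserver_t)`, and the same form, `kernel_dontaudit_request_load_module(sandbox_web_type)`, is the safer default unless a specific module dependency is documented at the rule. In the sandbox_x_domain section, `files_entrypoint_all_files(sandbox_x_domain)` combined with `corecmd_exec_all_executables(sandbox_x_domain)` means any file on the system can serve as an entry point into the sandbox domains; a one-line comment stating why that breadth is required would let reviewers judge it. `fs_search_auto_mountpoints(sandbox_x_domain)` is granted both unconditionally and again inside the `use_nfs_home_dirs` tunable block, so the conditional copy is redundant and can be dropped. The trailing `userdom_dontaudit_open_user_ptys(sandbox_x_domain)` sits after the final `optional_policy` block rather than next to the other userdom rules for this domain, which makes it easy to miss.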
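Review bot: The new `/var/log/sanlock\.log.*` entry drops the `--` object-class qualifier that the removed line carried, so the pattern now labels any object type matching that name rather than only regular files; keep `/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)` unless the broader match is deliberate. The remaining lines of the hunk are a reordering plus the new unit-file entry and raise nothing.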
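Review bot: The summary of `sanlock_initrc_domtrans` is rewritten to `Execute sanlock server in the sanlock domain.`, but the interface named in the hunk header transitions into the init script domain, so the removed wording `Execute sanlock init scripts in the initrc domain.` was the accurate one and should be restored; the parameter text is likewise changed from `Domain allowed to transition.` to `The type of the process performing this action.` with no change to what the interface does. Removing `corecmd_search_bin($1)` from `sanlock_domtrans` means callers must obtain search access to the bin directories from elsewhere to reach `sanlock_exec_t`; if that is now provided by a common interface, a comment saying so would keep the deletion from looking accidental. The opening of `sanlock_domtrans` lies before this hunk.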
+ ## + ## + ## +@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',` + + ######################################## + ## +-## Connect to sanlock with a unix +-## domain stream socket. ++## Connect to sanlock over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sanlock_stream_connect',` ++ gen_require(` ++ type sanlock_t, sanlock_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) ++') ++ ++######################################## ++## ++## Execute virt server in the virt domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`sanlock_stream_connect',` ++interface(`sanlock_systemctl',` + gen_require(` +- type sanlock_t, sanlock_var_run_t; ++ type sanlock_unit_file_t; ++ type sanlock_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) ++ systemd_exec_systemctl($1) ++ allow $1 sanlock_unit_file_t:file read_file_perms; ++ allow $1 sanlock_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sanlock_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an sanlock environment. 
++## All of the rules required to administrate ++## an sanlock environment + ## + ## + ## +@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',` + # + interface(`sanlock_admin',` + gen_require(` +- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t; +- type sanlock_log_t; ++ type sanlock_t; ++ type sanlock_initrc_exec_t; ++ type sanlock_unit_file_t; + ') + +- allow $1 sanlock_t:process { ptrace signal_perms }; ++ allow $1 sanlock_t:process signal_perms; + ps_process_pattern($1, sanlock_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sanlock_t:process ptrace; ++ ') + + sanlock_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sanlock_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_pids($1) +- admin_pattern($1, sanlock_var_run_t) +- +- logging_search_logs($1) +- admin_pattern($1, sanlock_log_t) ++ virt_systemctl($1) ++ admin_pattern($1, sanlock_unit_file_t) ++ allow $1 sanlock_unit_file_t:service all_service_perms; + ') +diff --git a/sanlock.te b/sanlock.te +index a34eac4..b144d40 100644 +--- a/sanlock.te ++++ b/sanlock.te +@@ -1,4 +1,4 @@ +-policy_module(sanlock, 1.0.2) ++policy_module(sanlock,1.0.0) + + ######################################## + # +@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2) + # + + ## +-##
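Review bot: The new `sanlock_systemctl` interface carries the summary `Execute virt server in the virt domain.` and the parameter description `Domain allowed to transition.`, which appear to be copied from another module and describe neither the systemctl execution nor the `sanlock_unit_file_t` service rules the body grants. A summary such as `Execute systemctl on the sanlock service and manage its unit file.` with parameter text `Domain allowed access.` would match the rules. The body itself, `systemd_exec_systemctl($1)` plus read and `manage_service_perms` on `sanlock_unit_file_t` and `ps_process_pattern($1, sanlock_t)`, raises nothing.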
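Review bot: `sanlock_admin` now calls `virt_systemctl($1)` where the `sanlock_systemctl($1)` interface added in the preceding hunk is clearly intended; as written, an administrator of sanlock is granted control over the virt unit files and services instead of sanlock's own, and the new sanlock_systemctl interface is left unused. The hunk also removes `admin_pattern($1, sanlock_var_run_t)` and `admin_pattern($1, sanlock_log_t)` together with their `type` requires, so an admin domain loses management of sanlock's PID and log files while the summary still promises all rules required to administrate the environment. Restoring those two patterns alongside the new unit-file rules would keep the interface's contract intact.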

    +-## Determine whether sanlock can use +-## nfs file systems. +-##

    ++##

    ++## Allow sanlock to manage nfs files ++##

    + ##
    + gen_tunable(sanlock_use_nfs, false) + + ## +-##

    +-## Determine whether sanlock can use +-## cifs file systems. +-##

    ++##

    ++## Allow sanlock to manage cifs files ++##

    + ##
    + gen_tunable(sanlock_use_samba, false) + ++## ++##

    ++## Allow sanlock to read/write fuse files ++##

    ++##
    ++gen_tunable(sanlock_use_fusefs, false) ++ + type sanlock_t; + type sanlock_exec_t; + init_daemon_domain(sanlock_t, sanlock_exec_t) +@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t) + type sanlock_initrc_exec_t; + init_script_file(sanlock_initrc_exec_t) + ++type sanlock_unit_file_t; ++systemd_unit_file(sanlock_unit_file_t) ++ + ifdef(`enable_mcs',` + init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) + ') +@@ -44,17 +52,15 @@ ifdef(`enable_mls',` + + ######################################## + # +-# Local policy ++# sanlock local policy + # +- + allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; + allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; ++ + allow sanlock_t self:fifo_file rw_fifo_file_perms; +-allow sanlock_t self:unix_stream_socket { accept listen }; ++allow sanlock_t self:unix_stream_socket create_stream_socket_perms; + +-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) +-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) +-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) ++manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) + logging_log_filetrans(sanlock_t, sanlock_log_t, file) + + manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) + kernel_read_system_state(sanlock_t) + kernel_read_kernel_sysctls(sanlock_t) + +-dev_read_rand(sanlock_t) +-dev_read_urand(sanlock_t) +- + domain_use_interactive_fds(sanlock_t) + ++files_read_mnt_symlinks(sanlock_t) ++ + storage_raw_rw_fixed_disk(sanlock_t) + ++dev_read_rand(sanlock_t) ++dev_read_urand(sanlock_t) ++ + auth_use_nsswitch(sanlock_t) + + init_read_utmp(sanlock_t) +@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t) + + logging_send_syslog_msg(sanlock_t) + +-miscfiles_read_localization(sanlock_t) ++tunable_policy(`sanlock_use_fusefs',` ++ 
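Review bot: `manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)` replaces the three narrower `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` rules, so the daemon may now also unlink, rename and rewrite its own log files; for a log type that weakens the integrity of the audit trail, and the removed trio is the usual least-privilege shape for a daemon that only appends to its log. If the wider access is genuinely required, a comment at the rule naming the requirement would justify it; otherwise the three original rules should be kept. The change from `{ accept listen }` to `create_stream_socket_perms` on the daemon's own unix_stream_socket looks like a plausible correction for a daemon that creates its listening socket, though whether the remaining permissions were previously supplied by `init_daemon_domain` is not visible here.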
fs_manage_fusefs_dirs(sanlock_t) ++ fs_manage_fusefs_files(sanlock_t) ++ fs_read_fusefs_symlinks(sanlock_t) ++ fs_getattr_fusefs(sanlock_t) ++') + + tunable_policy(`sanlock_use_nfs',` +- fs_manage_nfs_dirs(sanlock_t) +- fs_manage_nfs_files(sanlock_t) +- fs_manage_nfs_named_sockets(sanlock_t) +- fs_read_nfs_symlinks(sanlock_t) ++ fs_manage_nfs_dirs(sanlock_t) ++ fs_manage_nfs_files(sanlock_t) ++ fs_manage_nfs_named_sockets(sanlock_t) ++ fs_read_nfs_symlinks(sanlock_t) + ') + + tunable_policy(`sanlock_use_samba',` +- fs_manage_cifs_dirs(sanlock_t) +- fs_manage_cifs_files(sanlock_t) +- fs_manage_cifs_named_sockets(sanlock_t) +- fs_read_cifs_symlinks(sanlock_t) ++ fs_manage_cifs_dirs(sanlock_t) ++ fs_manage_cifs_files(sanlock_t) ++ fs_manage_cifs_named_sockets(sanlock_t) ++ fs_read_cifs_symlinks(sanlock_t) ++') ++ ++optional_policy(` ++ rhcs_domtrans_fenced(sanlock_t) + ') + + optional_policy(` +@@ -100,7 +117,8 @@ optional_policy(` + ') + + optional_policy(` +- virt_kill_all_virt_domains(sanlock_t) ++ virt_kill_svirt(sanlock_t) ++ virt_kill(sanlock_t) + virt_manage_lib_files(sanlock_t) +- virt_signal_all_virt_domains(sanlock_t) ++ virt_signal_svirt(sanlock_t) + ') +diff --git a/sasl.fc b/sasl.fc +index 54f41c2..7e58679 100644 +--- a/sasl.fc ++++ b/sasl.fc +@@ -1,7 +1,12 @@ + /etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) + ++# ++# /usr ++# + /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) + +-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) +- ++# ++# /var ++# ++/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) + /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) +diff --git a/sasl.if b/sasl.if +index b2f388a..3e6a93f 100644 +--- a/sasl.if ++++ b/sasl.if +@@ -1,4 +1,4 @@ +-## SASL authentication server. 
++## SASL authentication server + + ######################################## + ## +@@ -21,8 +21,8 @@ interface(`sasl_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an sasl environment. ++## All of the rules required to administrate ++## an sasl environment + ## + ## + ## +@@ -38,11 +38,15 @@ interface(`sasl_connect',` + # + interface(`sasl_admin',` + gen_require(` +- type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t; ++ type saslauthd_t, saslauthd_var_run_t; ++ type saslauthd_initrc_exec_t; + ') + +- allow $1 saslauthd_t:process { ptrace signal_perms }; ++ allow $1 saslauthd_t:process signal_perms; + ps_process_pattern($1, saslauthd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 saslauthd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/sasl.te b/sasl.te +index a63b875..1c9e41b 100644 +--- a/sasl.te ++++ b/sasl.te +@@ -1,4 +1,4 @@ +-policy_module(sasl, 1.14.3) ++policy_module(sasl, 1.14.0) + + ######################################## + # +@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3) + # + + ## +-##

    +-## Determine whether sasl can +-## read shadow files. +-##

    ++##

    ++## Allow sasl to read shadow ++##

    + ##
    +-gen_tunable(allow_saslauthd_read_shadow, false) ++gen_tunable(saslauthd_read_shadow, false) + + type saslauthd_t; + type saslauthd_exec_t; +@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice }; + dontaudit saslauthd_t self:capability sys_tty_config; + allow saslauthd_t self:process { setsched signal_perms }; + allow saslauthd_t self:fifo_file rw_fifo_file_perms; +-allow saslauthd_t self:unix_stream_socket { accept listen }; ++allow saslauthd_t self:unix_dgram_socket create_socket_perms; ++allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; ++allow saslauthd_t self:tcp_socket create_socket_perms; + + manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) + manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t) + kernel_read_system_state(saslauthd_t) + kernel_rw_afs_state(saslauthd_t) + +-corenet_all_recvfrom_unlabeled(saslauthd_t) ++#577519 ++corecmd_exec_bin(saslauthd_t) ++ + corenet_all_recvfrom_netlabel(saslauthd_t) + corenet_tcp_sendrecv_generic_if(saslauthd_t) + corenet_tcp_sendrecv_generic_node(saslauthd_t) +- +-corenet_sendrecv_pop_client_packets(saslauthd_t) ++corenet_tcp_sendrecv_all_ports(saslauthd_t) ++corenet_tcp_connect_ldap_port(saslauthd_t) + corenet_tcp_connect_pop_port(saslauthd_t) +-corenet_tcp_sendrecv_pop_port(saslauthd_t) +- +-corenet_sendrecv_zarafa_client_packets(saslauthd_t) + corenet_tcp_connect_zarafa_port(saslauthd_t) +-corenet_tcp_sendrecv_zarafa_port(saslauthd_t) +- +-corecmd_exec_bin(saslauthd_t) ++corenet_sendrecv_pop_client_packets(saslauthd_t) + + dev_read_urand(saslauthd_t) + +-domain_use_interactive_fds(saslauthd_t) +- +-files_dontaudit_read_etc_runtime_files(saslauthd_t) +-files_dontaudit_getattr_home_dir(saslauthd_t) +-files_dontaudit_getattr_tmp_dirs(saslauthd_t) +- + fs_getattr_all_fs(saslauthd_t) + fs_search_auto_mountpoints(saslauthd_t) + +@@ -73,33 +65,37 @@ 
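Review bot: Renaming the boolean from `allow_saslauthd_read_shadow` to `saslauthd_read_shadow` changes an administrator-facing name; systems that persisted the old boolean will keep a setting that no longer controls the `auth_tunable_read_shadow` rule unless an alias or migration is provided elsewhere in the policy, which this patch does not show. The replacement summary `Allow sasl to read shadow` also loses precision: `Allow saslauthd to read the shadow password file` names both the domain and the object the tunable actually governs.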
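Review bot: `corenet_tcp_sendrecv_all_ports(saslauthd_t)` replaces the removed per-port `corenet_tcp_sendrecv_pop_port` and `corenet_tcp_sendrecv_zarafa_port` rules, widening send/receive to every labeled TCP port while the connect rules in the same hunk stay targeted at `ldap`, `pop` and `zarafa`; keeping the two removed rules and adding `corenet_tcp_sendrecv_ldap_port(saslauthd_t)` would limit the grant to what the connect rules need. `corenet_sendrecv_zarafa_client_packets` is removed although `corenet_tcp_connect_zarafa_port` is kept, so the zarafa connect path now has no matching client-packet rule where pop still does. The comment `#577519` above `corecmd_exec_bin(saslauthd_t)` is a bare number; it should name the tracker and the reason, along the lines of `# <TRACKER> #577519: saslauthd needs to execute helper binaries`.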
selinux_compute_access_vector(saslauthd_t) + + auth_use_pam(saslauthd_t) + ++domain_use_interactive_fds(saslauthd_t) ++ ++files_dontaudit_read_etc_runtime_files(saslauthd_t) ++files_search_var_lib(saslauthd_t) ++files_dontaudit_getattr_home_dir(saslauthd_t) ++files_dontaudit_getattr_tmp_dirs(saslauthd_t) ++ + init_dontaudit_stream_connect_script(saslauthd_t) + + logging_send_syslog_msg(saslauthd_t) + +-miscfiles_read_localization(saslauthd_t) + miscfiles_read_generic_certs(saslauthd_t) + +-seutil_dontaudit_read_config(saslauthd_t) +- + userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) + userdom_dontaudit_search_user_home_dirs(saslauthd_t) + ++# cjp: typeattribute doesnt work in conditionals + auth_can_read_shadow_passwords(saslauthd_t) +-tunable_policy(`allow_saslauthd_read_shadow',` ++tunable_policy(`saslauthd_read_shadow',` + allow saslauthd_t self:capability dac_override; + auth_tunable_read_shadow(saslauthd_t) + ') + + optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") + kerberos_keytab_template(saslauthd, saslauthd_t) +- kerberos_manage_host_rcache(saslauthd_t) +- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") + ') + + optional_policy(` ++ mysql_search_db(saslauthd_t) + mysql_stream_connect(saslauthd_t) +- mysql_tcp_connect(saslauthd_t) + ') + + optional_policy(` +diff --git a/sblim.fc b/sblim.fc +index 68a550d..e976fc6 100644 +--- a/sblim.fc ++++ b/sblim.fc +@@ -1,6 +1,10 @@ + /etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) + + /usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) + /usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) ++/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0) ++ ++/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0) + + /var/run/gather(/.*)? 
gen_context(system_u:object_r:sblim_var_run_t,s0) +diff --git a/sblim.if b/sblim.if +index 98c9e0a..df51942 100644 +--- a/sblim.if ++++ b/sblim.if +@@ -1,8 +1,36 @@ +-## Standards Based Linux Instrumentation for Manageability. ++## Standards Based Linux Instrumentation for Manageability. ++ ++###################################### ++## ++## Creates types and rules for a basic ++## sblim daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`sblim_domain_template',` ++ gen_require(` ++ attribute sblim_domain; ++ ') ++ ++ type sblim_$1_t, sblim_domain; ++ type sblim_$1_exec_t; ++ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t) ++ ++ kernel_read_system_state(sblim_$1_t) ++ ++ corenet_all_recvfrom_unlabeled(sblim_$1_t) ++ corenet_all_recvfrom_netlabel(sblim_$1_t) ++ ++ logging_send_syslog_msg(sblim_$1_t) ++') + + ######################################## + ## +-## Execute gatherd in the gatherd domain. ++## Transition to gatherd. + ## + ## + ## +@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',` + + ######################################## + ## +-## Read gatherd pid files. ++## Read gatherd PID files. + ## + ## + ## +@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an sblim environment. ++## All of the rules required to administrate ++## an gatherd environment + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. 
+-## +-## + ## + # + interface(`sblim_admin',` + gen_require(` +- attribute sblim_domain; +- type sblim_initrc_exec_t, sblim_var_run_t; ++ type sblim_gatherd_t; ++ type sblim_reposd_t; ++ type sblim_var_run_t; + ') + +- allow $1 sblim_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, sblim_domain) ++ allow $1 sblim_gatherd_t:process signal_perms; ++ ps_process_pattern($1, sblim_gatherd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sblim_gatherd_t:process ptrace; ++ allow $1 sblim_reposd_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, sblim_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 sblim_initrc_exec_t system_r; +- allow $2 system_r; ++ allow $1 sblim_reposd_t:process signal_perms; ++ ps_process_pattern($1, sblim_reposd_t) + + files_search_pids($1) + admin_pattern($1, sblim_var_run_t) +diff --git a/sblim.te b/sblim.te +index 4a23d84..62df1db 100644 +--- a/sblim.te ++++ b/sblim.te +@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) + + attribute sblim_domain; + +-type sblim_gatherd_t, sblim_domain; +-type sblim_gatherd_exec_t; +-init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) ++sblim_domain_template(gatherd) + +-type sblim_reposd_t, sblim_domain; +-type sblim_reposd_exec_t; +-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) ++sblim_domain_template(reposd) ++ ++sblim_domain_template(sfcbd) + + type sblim_initrc_exec_t; + init_script_file(sblim_initrc_exec_t) +@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t) + type sblim_var_run_t; + files_pid_file(sblim_var_run_t) + ++type sblim_var_lib_t; ++files_type(sblim_var_lib_t) ++ ++type sblim_tmp_t; ++files_tmp_file(sblim_tmp_t) ++ ++type sblim_sfcb_tmpfs_t; ++files_tmpfs_file(sblim_sfcb_tmpfs_t) ++ + ###################################### + # + # Common sblim domain local policy +@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) + manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) 
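Review bot: The rewritten `sblim_admin` only covers `sblim_gatherd_t` and `sblim_reposd_t`, while this same patch adds `sblim_sfcbd_t` (`sblim_domain_template(sfcbd)` in sblim.te) and the new `sblim_var_lib_t`/`sblim_tmp_t` types, so an administrator using this interface can neither signal sfcbd nor manage its /var/lib and tmp content. Since `attribute sblim_domain` already groups all three daemons, rules on the attribute are simpler and stay correct when the next daemon is added; the ptrace rule can keep the `deny_ptrace` gate. The summary line `an gatherd environment` should read `an sblim environment`. The interface's closing `')` lies outside the hunk.
```m4
interface(`sblim_admin',`
	gen_require(`
		attribute sblim_domain;
		type sblim_var_run_t, sblim_var_lib_t, sblim_tmp_t;
	')

	allow $1 sblim_domain:process signal_perms;
	ps_process_pattern($1, sblim_domain)

	tunable_policy(`deny_ptrace',`',`
		allow $1 sblim_domain:process ptrace;
	')

	# … unchanged: files_search_pids / admin_pattern on sblim_var_run_t …
	files_search_var_lib($1)
	admin_pattern($1, sblim_var_lib_t)
	files_search_tmp($1)
	admin_pattern($1, sblim_tmp_t)
```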
+ manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) + ++manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) ++manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) ++manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) ++files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) ++manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) ++manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) ++files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file}) ++ + kernel_read_network_state(sblim_domain) +-kernel_read_system_state(sblim_domain) + +-corenet_all_recvfrom_unlabeled(sblim_domain) +-corenet_all_recvfrom_netlabel(sblim_domain) + corenet_tcp_sendrecv_generic_if(sblim_domain) + corenet_tcp_sendrecv_generic_node(sblim_domain) + +@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) + + dev_read_sysfs(sblim_domain) + +-logging_send_syslog_msg(sblim_domain) +- +-files_read_etc_files(sblim_domain) +- +-miscfiles_read_localization(sblim_domain) ++auth_read_passwd(sblim_domain) + + ######################################## + # + # Gatherd local policy + # + +-allow sblim_gatherd_t self:capability dac_override; +-allow sblim_gatherd_t self:process signal; ++allow sblim_gatherd_t self:capability { dac_override sys_nice }; ++allow sblim_gatherd_t self:process { setsched signal }; + allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; + allow sblim_gatherd_t self:unix_stream_socket { accept listen }; + +@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) + + init_read_utmp(sblim_gatherd_t) + ++logging_send_syslog_msg(sblim_gatherd_t) ++ + sysnet_dns_name_resolve(sblim_gatherd_t) + + term_getattr_pty_fs(sblim_gatherd_t) +@@ -103,8 +115,9 @@ optional_policy(` + ') + + optional_policy(` +- virt_getattr_virtd_exec_files(sblim_gatherd_t) ++ 
virt_read_config(sblim_gatherd_t) + virt_stream_connect(sblim_gatherd_t) ++ virt_getattr_exec(sblim_gatherd_t) + ') + + optional_policy(` +@@ -117,6 +130,29 @@ optional_policy(` + # Reposd local policy + # + ++corenet_tcp_bind_generic_node(sblim_reposd_t) ++ + corenet_sendrecv_repository_server_packets(sblim_reposd_t) + corenet_tcp_bind_repository_port(sblim_reposd_t) +-corenet_tcp_bind_generic_node(sblim_domain) ++ ++logging_send_syslog_msg(sblim_reposd_t) ++ ++####################################### ++# ++# Sfcbd local policy ++# ++ ++allow sblim_sfcbd_t self:capability { sys_ptrace setgid }; ++allow sblim_sfcbd_t self:process signal; ++allow sblim_sfcbd_t self:unix_stream_socket connectto; ++ ++manage_dirs_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t) ++manage_files_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t) ++fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file }) ++ ++auth_use_nsswitch(sblim_sfcbd_t) ++ ++corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++ ++domain_read_all_domains_state(sblim_sfcbd_t) ++domain_use_interactive_fds(sblim_sfcbd_t) +diff --git a/screen.fc b/screen.fc +index ac04d27..b73334e 100644 +--- a/screen.fc ++++ b/screen.fc +@@ -1,8 +1,19 @@ +-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) +-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) ++# ++# /home ++# ++HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) ++HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) + +-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) +-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) ++/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) + +-/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +-/var/run/tmux(/.*)? 
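Review bot: `allow sblim_sfcbd_t self:capability { sys_ptrace setgid };` together with `domain_read_all_domains_state(sblim_sfcbd_t)` gives the new sfcbd domain CAP_SYS_PTRACE plus read access to every domain's /proc state, and nothing in the hunk says which operation needs it. CAP_SYS_PTRACE is a broad grant for a management daemon; if it is only there to satisfy reads of other processes' /proc entries, that should be stated, and if it was added from a single denial it may be a candidate for `dontaudit` instead. Suggest a why-comment above the rule, e.g. `# sfcbd providers read /proc/<pid> state of other processes — TODO confirm sys_ptrace is required`. The other hunks in this file leave the capability undocumented as well.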
gen_context(system_u:object_r:screen_var_run_t,s0) ++# ++# /usr ++# ++/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) ++/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) ++ ++# ++# /var ++# ++/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) ++/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +diff --git a/screen.if b/screen.if +index c21ddcc..4dd623e 100644 +--- a/screen.if ++++ b/screen.if +@@ -1,4 +1,4 @@ +-## GNU terminal multiplexer. ++## GNU terminal multiplexer + + ####################################### + ## +@@ -23,10 +23,9 @@ + # + template(`screen_role_template',` + gen_require(` +- attribute screen_domain; +- attribute_role screen_roles; + type screen_exec_t, screen_tmp_t; + type screen_home_t, screen_var_run_t; ++ attribute screen_domain; + ') + + ######################################## +@@ -35,49 +34,48 @@ template(`screen_role_template',` + # + + type $1_screen_t, screen_domain; +- userdom_user_application_domain($1_screen_t, screen_exec_t) ++ application_domain($1_screen_t, screen_exec_t) + domain_interactive_fd($1_screen_t) +- role screen_roles types $1_screen_t; ++ ubac_constrained($1_screen_t) ++ role $2 types $1_screen_t; + +- roleattribute $2 screen_roles; ++ tunable_policy(`deny_ptrace',`',` ++ allow $3 $1_screen_t:process ptrace; ++ ') + +- ######################################## +- # +- # Local policy +- # ++ userdom_home_reader($1_screen_t) + + domtrans_pattern($3, screen_exec_t, $1_screen_t) +- +- ps_process_pattern($3, $1_screen_t) +- allow $3 $1_screen_t:process { ptrace signal_perms }; +- ++ allow $3 $1_screen_t:process { signal sigchld }; + dontaudit $3 $1_screen_t:unix_stream_socket { read write }; ++ allow $1_screen_t $3:unix_stream_socket { connectto }; + allow $1_screen_t $3:process signal; ++ ps_process_pattern($1_screen_t, $3) + +- allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 screen_tmp_t:file { manage_file_perms 
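Review bot: The `gen_require` of `screen_role_template` keeps `type screen_exec_t, screen_tmp_t;` on the new side, but the screen.te hunk `@@ -17,11 +15,6 @@` (L3495) removes the `screen_tmp_t` declaration, and the template body no longer references the type after the `@@ -35,49 +34,48 @@` hunk. Unless screen_tmp_t is declared somewhere outside this diff, the require will fail when the template is expanded in the role modules, and if that expansion sits inside an `optional_policy` block the whole block is dropped silently, leaving screen running unconfined in the user domain for those roles. Drop the type from the require: `type screen_exec_t;` followed by the unchanged `type screen_home_t, screen_var_run_t;`. The template continues past this hunk.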
relabel_file_perms }; +- allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- +- allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms }; +- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") +- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") ++ manage_fifo_files_pattern($3, screen_home_t, screen_home_t) ++ manage_dirs_pattern($3, screen_home_t, screen_home_t) ++ manage_files_pattern($3, screen_home_t, screen_home_t) ++ manage_lnk_files_pattern($3, screen_home_t, screen_home_t) ++ relabel_dirs_pattern($3, screen_home_t, screen_home_t) ++ relabel_files_pattern($3, screen_home_t, screen_home_t) ++ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) + + manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) +- manage_files_pattern($3, screen_var_run_t, screen_var_run_t) +- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) + +- corecmd_bin_domtrans($1_screen_t, $3) ++ kernel_read_system_state($1_screen_t) ++ ++ # Revert to the user domain when a shell is executed. + corecmd_shell_domtrans($1_screen_t, $3) ++ corecmd_bin_domtrans($1_screen_t, $3) + + auth_domtrans_chk_passwd($1_screen_t) + auth_use_nsswitch($1_screen_t) + ++ logging_send_syslog_msg($1_screen_t) ++ + userdom_user_home_domtrans($1_screen_t, $3) ++ userdom_manage_tmp_role($2, $1_screen_t) + + tunable_policy(`use_samba_home_dirs',` + fs_cifs_domtrans($1_screen_t, $3) +@@ -87,3 +85,41 @@ template(`screen_role_template',` + fs_nfs_domtrans($1_screen_t, $3) + ') + ') ++ ++####################################### ++## ++## Execute the rssh program ++## in the caller domain. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`screen_exec',` ++ gen_require(` ++ type screen_exec_t; ++ ') ++ ++ can_exec($1, screen_exec_t) ++') ++ ++######################################## ++## ++## Send a SIGCHLD signal to the screen domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`screen_sigchld',` ++ gen_require(` ++ attribute screen_domain; ++ ') ++ ++ allow $1 screen_domain:process sigchld; ++') ++ +diff --git a/screen.te b/screen.te +index f095081..ee69aa7 100644 +--- a/screen.te ++++ b/screen.te +@@ -1,13 +1,11 @@ +-policy_module(screen, 2.5.3) ++policy_module(screen, 2.5.0) + + ######################################## + # + # Declarations + # + +-attribute screen_domain; +- +-attribute_role screen_roles; ++attribute screen_domain; + + type screen_exec_t; + application_executable_file(screen_exec_t) +@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc + typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; + userdom_user_home_content(screen_home_t) + +-type screen_tmp_t; +-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; +-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; +-userdom_user_tmp_file(screen_tmp_t) +- + type screen_var_run_t; + typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; + typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; +@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t) + + ######################################## + # +-# Common screen domain local policy ++# Local policy + # + +-allow screen_domain self:capability { setuid setgid fsetid }; ++allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; ++dontaudit screen_domain self:capability dac_override; + allow screen_domain self:process signal_perms; +-allow 
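Review bot: The summary of the new `screen_exec` interface reads `Execute the rssh program in the caller domain.`, which was evidently copied from another module; it should say `Execute the screen program in the caller domain.` so that the generated documentation describes the right binary. The interface also ends with two empty lines before the file boundary, where the rest of the file uses one.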
screen_domain self:fd use; + allow screen_domain self:fifo_file rw_fifo_file_perms; +-allow screen_domain self:tcp_socket { accept listen }; +-allow screen_domain self:unix_stream_socket connectto; +- +-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) +-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) +-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) +-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) ++allow screen_domain self:tcp_socket create_stream_socket_perms; ++allow screen_domain self:udp_socket create_socket_perms; ++# Internal screen networking ++allow screen_domain self:fd use; ++allow screen_domain self:unix_stream_socket { create_socket_perms connectto }; ++allow screen_domain self:unix_dgram_socket create_socket_perms; + ++# Create fifo + manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) + manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) + manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) + files_pid_filetrans(screen_domain, screen_var_run_t, dir) + ++allow screen_domain screen_home_t:dir list_dir_perms; + manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) +-read_files_pattern(screen_domain, screen_home_t, screen_home_t) + manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) ++manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t) ++userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) ++userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) ++read_files_pattern(screen_domain, screen_home_t, screen_home_t) + read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) +-userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen") + +-kernel_read_system_state(screen_domain) + kernel_read_kernel_sysctls(screen_domain) + + corecmd_list_bin(screen_domain) +@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) + 
corecmd_read_bin_pipes(screen_domain) + corecmd_read_bin_sockets(screen_domain) + +-corenet_all_recvfrom_unlabeled(screen_domain) +-corenet_all_recvfrom_netlabel(screen_domain) + corenet_tcp_sendrecv_generic_if(screen_domain) ++corenet_udp_sendrecv_generic_if(screen_domain) + corenet_tcp_sendrecv_generic_node(screen_domain) ++corenet_udp_sendrecv_generic_node(screen_domain) + corenet_tcp_sendrecv_all_ports(screen_domain) +- +-corenet_sendrecv_all_client_packets(screen_domain) ++corenet_udp_sendrecv_all_ports(screen_domain) + corenet_tcp_connect_all_ports(screen_domain) + + dev_dontaudit_getattr_all_chr_files(screen_domain) + dev_dontaudit_getattr_all_blk_files(screen_domain) ++# for SSP + dev_read_urand(screen_domain) + +-domain_use_interactive_fds(screen_domain) + domain_sigchld_interactive_fds(screen_domain) ++domain_use_interactive_fds(screen_domain) + domain_read_all_domains_state(screen_domain) + ++files_search_tmp(screen_domain) ++files_search_home(screen_domain) + files_list_home(screen_domain) +-files_read_usr_files(screen_domain) + + fs_search_auto_mountpoints(screen_domain) +-fs_getattr_all_fs(screen_domain) ++fs_getattr_xattr_fs(screen_domain) + + auth_dontaudit_read_shadow(screen_domain) + auth_dontaudit_exec_utempter(screen_domain) + ++# Write to utmp. 
+ init_rw_utmp(screen_domain) + +-logging_send_syslog_msg(screen_domain) +- +-miscfiles_read_localization(screen_domain) +- + seutil_read_config(screen_domain) + + userdom_use_user_terminals(screen_domain) + userdom_create_user_pty(screen_domain) + userdom_setattr_user_ptys(screen_domain) + userdom_setattr_user_ttys(screen_domain) +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(screen_domain) +- fs_read_cifs_files(screen_domain) +- fs_manage_cifs_named_pipes(screen_domain) +- fs_read_cifs_symlinks(screen_domain) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(screen_domain) +- fs_read_nfs_files(screen_domain) +- fs_manage_nfs_named_pipes(screen_domain) +- fs_read_nfs_symlinks(screen_domain) +-') +diff --git a/sectoolm.fc b/sectoolm.fc +index 64a2394..3f1dac5 100644 +--- a/sectoolm.fc ++++ b/sectoolm.fc +@@ -1,5 +1,4 @@ + /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) + +-/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) +- +-/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) ++/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) ++/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) +diff --git a/sectoolm.if b/sectoolm.if +index c78a569..9007451 100644 +--- a/sectoolm.if ++++ b/sectoolm.if +@@ -1,24 +1,2 @@ +-## Sectool security audit tool. ++## Sectool security audit tool + +-######################################## +-## +-## Role access for sectoolm. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. 
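Review bot: The hunk removes the `use_samba_home_dirs` and `use_nfs_home_dirs` blocks that let `screen_domain` manage its home-directory content on CIFS/NFS, while the template hunk in screen.if (L3493–L3494) still keeps `fs_cifs_domtrans`/`fs_nfs_domtrans` under the same tunables. Unless the `userdom_home_reader($1_screen_t)` call added there also covers writes to network home directories (its name suggests read access only; I cannot confirm from this diff), screen on such homes would be able to execute from `~` but not create its `.screen` content. If the removal is intentional because screen now keeps its state under `screen_var_run_t`, a one-line comment near the `manage_*_pattern(screen_domain, screen_home_t, …)` rules saying so would save the next reader the same question.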
+-## +-## +-# +-interface(`sectoolm_role',` +- gen_require(` +- type sectoolm_t; +- ') +- +- allow sectoolm_t $2:unix_dgram_socket sendto; +-') +diff --git a/sectoolm.te b/sectoolm.te +index 8193bf1..b6a0bbd 100644 +--- a/sectoolm.te ++++ b/sectoolm.te +@@ -1,4 +1,4 @@ +-policy_module(sectoolm, 1.0.1) ++policy_module(sectoolm, 1.0.0) + + ######################################## + # +@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1) + + type sectoolm_t; + type sectoolm_exec_t; +-init_system_domain(sectoolm_t, sectoolm_exec_t) ++init_daemon_domain(sectoolm_t, sectoolm_exec_t) + + type sectool_var_lib_t; + files_type(sectool_var_lib_t) +@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t) + + ######################################## + # +-# Local policy ++# sectool local policy + # + +-allow sectoolm_t self:capability { dac_override net_admin sys_nice }; ++allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; + allow sectoolm_t self:process { getcap getsched signull setsched }; + dontaudit sectoolm_t self:process { execstack execmem }; + allow sectoolm_t self:fifo_file rw_fifo_file_perms; +-allow sectoolm_t self:unix_dgram_socket sendto; ++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; + + manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) + manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) +@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) + manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) + files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) + +-allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t) + logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) + + kernel_read_net_sysctls(sectoolm_t) +@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t) + + selinux_validate_context(sectoolm_t) + ++# tcp_wrappers 
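Review bot: `manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)` replaces the deliberately narrow `{ append_file_perms create_file_perms setattr_file_perms }` rule, so the security-audit mechanism can now truncate, overwrite and unlink its own log rather than only append to it. Unless sectoolm rotates or rewrites `sectool.log` itself, the previous rule is the safer one; if write/unlink really are needed, keep the wider rule but say why, e.g. `# sectool rewrites sectool.log in place — TODO confirm`. The `@@ -20,14 +20,14 @@` hunk in the same file likewise adds `sys_ptrace` to the capability set without a comment naming the test that needs it.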
test + application_exec_all(sectoolm_t) + + auth_use_nsswitch(sectoolm_t) +@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t) + + logging_send_syslog_msg(sectoolm_t) + ++# tests related to network + sysnet_domtrans_ifconfig(sectoolm_t) + +-userdom_write_user_tmp_sockets(sectoolm_t) ++userdom_manage_user_tmp_sockets(sectoolm_t) ++userdom_dgram_send(sectoolm_t) + + optional_policy(` +- mount_exec(sectoolm_t) ++ dbus_system_domain(sectoolm_t, sectoolm_exec_t) + ') + + optional_policy(` +- dbus_system_domain(sectoolm_t, sectoolm_exec_t) ++ # tests related to network ++ hostname_exec(sectoolm_t) ++') + +- optional_policy(` +- policykit_dbus_chat(sectoolm_t) +- ') ++optional_policy(` ++ # tests related to network ++ iptables_domtrans(sectoolm_t) + ') + + optional_policy(` +- hostname_exec(sectoolm_t) ++ mount_exec(sectoolm_t) + ') + + optional_policy(` +- iptables_domtrans(sectoolm_t) ++ policykit_dbus_chat(sectoolm_t) + ') + ++# suid test using ++# rpm -Vf option + optional_policy(` + prelink_domtrans(sectoolm_t) + ') +diff --git a/sendmail.fc b/sendmail.fc +index d14b6bf..da5d41d 100644 +--- a/sendmail.fc ++++ b/sendmail.fc +@@ -1,7 +1,8 @@ +-/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) + +-/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) +-/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) ++/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) + +-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +-/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) ++/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) ++/var/log/mail(/.*)? 
gen_context(system_u:object_r:sendmail_log_t,s0) ++ ++/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) ++/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +diff --git a/sendmail.if b/sendmail.if +index 88e753f..133d993 100644 +--- a/sendmail.if ++++ b/sendmail.if +@@ -1,4 +1,4 @@ +-## Internetwork email routing facility. ++## Policy for sendmail. + + ######################################## + ## +@@ -10,7 +10,7 @@ + ## + ## + # +-interface(`sendmail_stub',` ++interface(`rsync_stub',` + gen_require(` + type sendmail_t; + ') +@@ -18,7 +18,8 @@ interface(`sendmail_stub',` + + ######################################## + ## +-## Read and write sendmail unnamed pipes. ++## Allow attempts to read and write to ++## sendmail unnamed pipes. + ## + ## + ## +@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',` + + ######################################## + ## +-## Execute a domain transition to run sendmail. ++## Domain transition to sendmail. + ## + ## + ## +@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',` + type sendmail_t; + ') + +- corecmd_search_bin($1) + mta_sendmail_domtrans($1, sendmail_t) ++') + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_fifo_file_perms; +- allow sendmail_t $1:process sigchld; ++####################################### ++## ++## Execute sendmail in the sendmail domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_initrc_domtrans',` ++ gen_require(` ++ type sendmail_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + ') + + ######################################## + ## +-## Execute the sendmail program in the +-## sendmail domain, and allow the +-## specified role the sendmail domain. ++## Execute the sendmail program in the sendmail domain. + ## + ## + ## +@@ -70,18 +82,18 @@ interface(`sendmail_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the sendmail domain. 
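Review bot: The hunk renames the interface header to `interface(`rsync_stub',`` while the body still requires `sendmail_t`, which looks like a copy-paste slip from rsync.if. As written the module no longer provides `sendmail_stub` (any caller of it will fail at build time), and if rsync.if defines its own `rsync_stub` the two definitions collide. Restore the original name: `interface(`sendmail_stub',``.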
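Review bot: The summary of the new `sendmail_initrc_domtrans` reads `Execute sendmail in the sendmail domain.`, which describes `sendmail_domtrans`, whereas the body calls `init_labeled_script_domtrans`; suggest `Execute sendmail init scripts in the initrc domain.` with the parameter described as `Domain allowed to transition.`. In the same hunk the `allow sendmail_t $1:fd use;`, `fifo_file rw_fifo_file_perms` and `process sigchld` rules are dropped from `sendmail_domtrans`; that is only safe if `mta_sendmail_domtrans` grants them itself, which is worth confirming since without them the caller cannot observe the child's exit status. The `corecmd_search_bin($1)` removal has the same dependency.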
+ ## + ## + ## + # + interface(`sendmail_run',` + gen_require(` +- attribute_role sendmail_roles; ++ type sendmail_t; + ') + + sendmail_domtrans($1) +- roleattribute $2 sendmail_roles; ++ role $2 types sendmail_t; + ') + + ######################################## +@@ -141,8 +153,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',` + + ######################################## + ## +-## Read and write sendmail unix +-## domain stream sockets. ++## Read and write sendmail unix_stream_sockets. + ## + ## + ## +@@ -179,7 +190,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` + + ######################################## + ## +-## Read sendmail log files. ++## Read sendmail logs. + ## + ## + ## +@@ -199,8 +210,7 @@ interface(`sendmail_read_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## sendmail log files. ++## Create, read, write, and delete sendmail logs. + ## + ## + ## +@@ -220,8 +230,7 @@ interface(`sendmail_manage_log',` + + ######################################## + ## +-## Create specified objects in generic +-## log directories sendmail log file type. ++## Create sendmail logs with the correct type. + ## + ## + ## +@@ -230,43 +239,16 @@ interface(`sendmail_manage_log',` + ## + # + interface(`sendmail_create_log',` +- refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.') +- sendmail_log_filetrans_sendmail_log($1, $2, $3) +-') +- +-######################################## +-## +-## Create specified objects in generic +-## log directories sendmail log file type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## +-# +-interface(`sendmail_log_filetrans_sendmail_log',` + gen_require(` + type sendmail_log_t; + ') + +- logging_log_filetrans($1, sendmail_log_t, $2, $3) ++ logging_log_filetrans($1, sendmail_log_t, file) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## sendmail tmp files. ++## Manage sendmail tmp files. + ## + ## + ## +@@ -285,58 +267,27 @@ interface(`sendmail_manage_tmp_files',` + + ######################################## + ## +-## Execute sendmail in the unconfined sendmail domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`sendmail_domtrans_unconfined',` +- gen_require(` +- type unconfined_sendmail_t; +- ') +- +- mta_sendmail_domtrans($1, unconfined_sendmail_t) +- +- allow unconfined_sendmail_t $1:fd use; +- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms; +- allow unconfined_sendmail_t $1:process sigchld; +-') +- +-######################################## +-## +-## Execute sendmail in the unconfined +-## sendmail domain, and allow the +-## specified role the unconfined +-## sendmail domain. ++## Set the attributes of sendmail pid files. + ## + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`sendmail_run_unconfined',` ++interface(`sendmail_setattr_pid_files',` + gen_require(` +- attribute_role sendmail_unconfined_roles; ++ type sendmail_var_run_t; + ') + +- sendmail_domtrans_unconfined($1) +- roleattribute $2 sendmail_unconfined_roles; ++ allow $1 sendmail_var_run_t:file setattr_file_perms; ++ files_search_pids($1) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an sendmail environment. 
++## All of the rules required to administrate ++## an sendmail environment + ## + ## + ## +@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',` + interface(`sendmail_admin',` + gen_require(` + type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; +- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; ++ type sendmail_tmp_t, sendmail_var_run_t; ++ type mail_spool_t; + ') + +- allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) ++ allow $1 sendmail_t:process signal_perms; ++ ps_process_pattern($1, sendmail_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sendmail_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ++ sendmail_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sendmail_initrc_exec_t system_r; + +@@ -372,6 +327,6 @@ interface(`sendmail_admin',` + files_list_pids($1) + admin_pattern($1, sendmail_var_run_t) + +- sendmail_run($1, $2) +- sendmail_run_unconfined($1, $2) ++ files_list_spool($1) ++ admin_pattern($1, mail_spool_t) + ') +diff --git a/sendmail.te b/sendmail.te +index 5f35d78..50651d2 100644 +--- a/sendmail.te ++++ b/sendmail.te +@@ -1,18 +1,10 @@ +-policy_module(sendmail, 1.11.5) ++policy_module(sendmail, 1.11.0) + + ######################################## + # + # Declarations + # + +-attribute_role sendmail_roles; +- +-attribute_role sendmail_unconfined_roles; +-roleattribute system_r sendmail_unconfined_roles; +- +-type sendmail_initrc_exec_t; +-init_script_file(sendmail_initrc_exec_t) +- + type sendmail_log_t; + logging_log_file(sendmail_log_t) + +@@ -26,27 +18,27 @@ type sendmail_t; + mta_sendmail_mailserver(sendmail_t) + mta_mailserver_delivery(sendmail_t) + mta_mailserver_sender(sendmail_t) +-role sendmail_roles types sendmail_t; + +-type unconfined_sendmail_t; +-application_domain(unconfined_sendmail_t, sendmail_exec_t) +-role sendmail_unconfined_roles types 
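Review bot: `sendmail_admin` now lists `type mail_spool_t;` in its `gen_require` and applies `admin_pattern` to it from inside sendmail.if, although the type belongs to the mta module; the rest of this patch goes through the owning module's interface instead (sendmail.te calls `mta_manage_spool(sendmail_t)`). Reaching across the module boundary hides the dependency from the mta maintainers and breaks if the type is ever renamed, so an mta-provided admin-style interface called from here would be the idiomatic form. The summary `an sendmail environment` should read `a sendmail environment`.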
unconfined_sendmail_t; ++type sendmail_initrc_exec_t; ++init_script_file(sendmail_initrc_exec_t) + + ######################################## + # +-# Local policy ++# Sendmail local policy + # + +-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; ++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++dontaudit sendmail_t self:capability net_admin; ++dontaudit sendmail_t self:capability2 block_suspend; + allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; + allow sendmail_t self:fifo_file rw_fifo_file_perms; +-allow sendmail_t self:unix_stream_socket { accept listen }; +-allow sendmail_t self:tcp_socket { accept listen }; ++allow sendmail_t self:unix_stream_socket create_stream_socket_perms; ++allow sendmail_t self:unix_dgram_socket create_socket_perms; ++allow sendmail_t self:tcp_socket create_stream_socket_perms; ++allow sendmail_t self:udp_socket create_socket_perms; + +-allow sendmail_t sendmail_log_t:dir setattr_dir_perms; +-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) +-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) +-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) ++allow sendmail_t sendmail_log_t:dir setattr; ++manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) + logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) + + manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) +@@ -58,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) + + kernel_read_network_state(sendmail_t) + kernel_read_kernel_sysctls(sendmail_t) ++# for piping mail to a command + kernel_read_system_state(sendmail_t) + +-corenet_all_recvfrom_unlabeled(sendmail_t) + corenet_all_recvfrom_netlabel(sendmail_t) + corenet_tcp_sendrecv_generic_if(sendmail_t) + corenet_tcp_sendrecv_generic_node(sendmail_t) + corenet_tcp_sendrecv_all_ports(sendmail_t) + 
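Review bot: `manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)` replaces the append/create/setattr trio, so the MTA can now truncate and delete its own mail logs instead of only appending to them; the upstream split exists precisely to keep a compromised mail server from rewriting its trail. `logging_log_filetrans` already covers creation, so unless sendmail itself rewrites `sendmail.st` the three `*_files_pattern` lines should stay. `allow sendmail_t sendmail_log_t:dir setattr;` also swaps the `setattr_dir_perms` macro for a raw permission, against the file's convention.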
corenet_tcp_bind_generic_node(sendmail_t) +- +-corenet_sendrecv_smtp_server_packets(sendmail_t) + corenet_tcp_bind_smtp_port(sendmail_t) +- +-corenet_sendrecv_all_client_packets(sendmail_t) + corenet_tcp_connect_all_ports(sendmail_t) ++corenet_sendrecv_smtp_server_packets(sendmail_t) ++corenet_sendrecv_smtp_client_packets(sendmail_t) + +-corecmd_exec_bin(sendmail_t) +-corecmd_exec_shell(sendmail_t) +- +-dev_read_sysfs(sendmail_t) + dev_read_urand(sendmail_t) +- +-domain_use_interactive_fds(sendmail_t) +- +-files_read_all_tmp_files(sendmail_t) +-files_read_etc_runtime_files(sendmail_t) +-files_read_usr_files(sendmail_t) +-files_search_spool(sendmail_t) ++dev_read_sysfs(sendmail_t) + + fs_getattr_all_fs(sendmail_t) + fs_search_auto_mountpoints(sendmail_t) +@@ -93,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t) + term_dontaudit_use_console(sendmail_t) + term_dontaudit_use_generic_ptys(sendmail_t) + ++# for piping mail to a command ++corecmd_exec_shell(sendmail_t) ++corecmd_exec_bin(sendmail_t) ++ ++domain_use_interactive_fds(sendmail_t) ++ ++files_search_spool(sendmail_t) ++# for piping mail to a command ++files_read_etc_runtime_files(sendmail_t) ++files_read_all_tmp_files(sendmail_t) ++ + init_use_fds(sendmail_t) + init_use_script_ptys(sendmail_t) ++# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console + init_read_utmp(sendmail_t) + init_dontaudit_write_utmp(sendmail_t) + init_rw_script_tmp_files(sendmail_t) + + auth_use_nsswitch(sendmail_t) + ++# Read /usr/lib/sasl2/.* + libs_read_lib_files(sendmail_t) + + logging_send_syslog_msg(sendmail_t) + logging_dontaudit_write_generic_logs(sendmail_t) + + miscfiles_read_generic_certs(sendmail_t) +-miscfiles_read_localization(sendmail_t) + + userdom_dontaudit_use_unpriv_user_fds(sendmail_t) ++userdom_read_user_home_content_files(sendmail_t) ++userdom_dontaudit_list_user_home_dirs(sendmail_t) + +-mta_etc_filetrans_aliases(sendmail_t, file, "aliases") +-mta_etc_filetrans_aliases(sendmail_t, file, 
"aliases.db") +-mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp") ++mta_read_config(sendmail_t) ++mta_etc_filetrans_aliases(sendmail_t) ++# Write to /etc/aliases and /etc/mail. + mta_manage_aliases(sendmail_t) ++# Write to /var/spool/mail and /var/spool/mqueue. + mta_manage_queue(sendmail_t) + mta_manage_spool(sendmail_t) +-mta_read_config(sendmail_t) + mta_sendmail_exec(sendmail_t) + + optional_policy(` +- cfengine_dontaudit_write_log_files(sendmail_t) ++ cfengine_dontaudit_write_log(sendmail_t) + ') + + optional_policy(` +@@ -129,8 +123,8 @@ optional_policy(` + ') + + optional_policy(` +- clamav_search_lib(sendmail_t) +- clamav_stream_connect(sendmail_t) ++ antivirus_search_db(sendmail_t) ++ antivirus_stream_connect(sendmail_t) + ') + + optional_policy(` +@@ -158,6 +152,10 @@ optional_policy(` + ') + + optional_policy(` ++ inn_write_inherited_news_lib(sendmail_t) ++') ++ ++optional_policy(` + milter_stream_connect_all(sendmail_t) + ') + +@@ -166,6 +164,11 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t) ++ openshift_rw_inherited_content(sendmail_t) ++') ++ ++optional_policy(` + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) + postfix_domtrans_postqueue(sendmail_t) +@@ -187,21 +190,13 @@ optional_policy(` + ') + + optional_policy(` +- udev_read_db(sendmail_t) ++ spamd_stream_connect(sendmail_t) + ') + + optional_policy(` +- uucp_domtrans_uux(sendmail_t) ++ udev_read_db(sendmail_t) + ') + +-######################################## +-# +-# Unconfined local policy +-# +- + optional_policy(` +- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases") +- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db") +- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp") +- unconfined_domain(unconfined_sendmail_t) ++ uucp_domtrans_uux(sendmail_t) + ') +diff --git a/sensord.fc b/sensord.fc +index 8185d5a..719ac47 100644 +--- 
a/sensord.fc ++++ b/sensord.fc +@@ -1,3 +1,5 @@ ++/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) ++ + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) + + /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) +diff --git a/sensord.if b/sensord.if +index d204752..5eba5fd 100644 +--- a/sensord.if ++++ b/sensord.if +@@ -1,35 +1,75 @@ +-## Sensor information logging daemon. ++ ++## Sensor information logging daemon + + ######################################## + ## +-## All of the rules required to +-## administrate an sensord environment. ++## Execute sensord in the sensord domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sensord_domtrans',` ++ gen_require(` ++ type sensord_t, sensord_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sensord_exec_t, sensord_t) ++') ++######################################## ++## ++## Execute sensord server in the sensord domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## +-## ++# ++interface(`sensord_systemctl',` ++ gen_require(` ++ type sensord_t; ++ type sensord_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 sensord_unit_file_t:file read_file_perms; ++ allow $1 sensord_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sensord_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an sensord environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. 
+ ## + ## + ## + # + interface(`sensord_admin',` + gen_require(` +- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; ++ type sensord_t; ++ type sensord_unit_file_t; + ') + + allow $1 sensord_t:process { ptrace signal_perms }; + ps_process_pattern($1, sensord_t) + +- init_labeled_script_domtrans($1, sensord_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 sensord_initrc_exec_t system_r; +- allow $2 system_r; ++ sensord_systemctl($1) ++ admin_pattern($1, sensord_unit_file_t) ++ allow $1 sensord_unit_file_t:service all_service_perms; + +- files_search_pids($1) +- admin_pattern($1, sensord_var_run_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/sensord.te b/sensord.te +index 5e82fd6..fa352d8 100644 +--- a/sensord.te ++++ b/sensord.te +@@ -9,6 +9,9 @@ type sensord_t; + type sensord_exec_t; + init_daemon_domain(sensord_t, sensord_exec_t) + ++type sensord_unit_file_t; ++systemd_unit_file(sensord_unit_file_t) ++ + type sensord_initrc_exec_t; + init_script_file(sensord_initrc_exec_t) + +@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) + + dev_read_sysfs(sensord_t) + +-files_read_etc_files(sensord_t) +- + logging_send_syslog_msg(sensord_t) + +-miscfiles_read_localization(sensord_t) +diff --git a/setroubleshoot.fc b/setroubleshoot.fc +index 0b3a971..397a522 100644 +--- a/setroubleshoot.fc ++++ b/setroubleshoot.fc +@@ -1,9 +1,9 @@ + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) + +-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) ++/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) + +-/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) ++/var/run/setroubleshoot(/.*)? 
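Review bot: `allow $1 sensord_t:process { ptrace signal_perms };` in sensord_admin keeps ptrace unconditional, while every other admin interface touched by this patch (setroubleshoot, shorewall, smartmon, smokeping) grants `signal_perms` and gates `ptrace` behind a `tunable_policy` on deny_ptrace; sensord_admin should follow the same shape for consistency. The hunk also drops `admin_pattern($1, sensord_var_run_t)` and the initrc transition although sensord.te still declares sensord_var_run_t and sensord_initrc_exec_t, so an admin can no longer clean /var/run/sensord or run the SysV script; if that is a deliberate systemd-only move a one-line comment saying so would help, otherwise keep the var_run admin_pattern. The parameter doc for sensord_systemctl says "Domain allowed to transition", but the interface grants systemctl and unit-file access rather than a domain transition, so "Domain allowed access." is the accurate wording.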
gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) + +-/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) ++/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) + +-/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) ++/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) +diff --git a/setroubleshoot.if b/setroubleshoot.if +index 3a9a70b..039b0c8 100644 +--- a/setroubleshoot.if ++++ b/setroubleshoot.if +@@ -1,9 +1,8 @@ +-## SELinux troubleshooting service. ++## SELinux troubleshooting service + + ######################################## + ## +-## Connect to setroubleshootd with a +-## unix domain stream socket. ++## Connect to setroubleshootd over a unix stream socket. + ## + ## + ## +@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',` + + ######################################## + ## +-## Do not audit attempts to connect to +-## setroubleshootd with a unix +-## domain stream socket. ++## Dontaudit attempts to connect to setroubleshootd ++## over a unix stream socket. + ## + ## + ## +@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` + + ######################################## + ## +-## All of the rules required to +-## administrate an setroubleshoot environment. ++## Dontaudit read/write to a setroubleshoot leaked sockets. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`setroubleshoot_fixit_dontaudit_leaks',` ++ gen_require(` ++ type setroubleshoot_fixit_t; ++ ') ++ ++ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write }; ++ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write }; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an setroubleshoot environment + ## + ## + ## +@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` + # + interface(`setroubleshoot_admin',` + gen_require(` +- type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t; +- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; ++ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; ++ type setroubleshoot_var_lib_t; + ') + +- allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t }) ++ allow $1 setroubleshootd_t:process signal_perms; ++ ps_process_pattern($1, setroubleshootd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 setroubleshootd_t:process ptrace; ++ ') + + logging_list_logs($1) + admin_pattern($1, setroubleshoot_var_log_t) +diff --git a/setroubleshoot.te b/setroubleshoot.te +index 49b12ae..d686e4a 100644 +--- a/setroubleshoot.te ++++ b/setroubleshoot.te +@@ -1,4 +1,4 @@ +-policy_module(setroubleshoot, 1.11.2) ++policy_module(setroubleshoot, 1.11.0) + + ######################################## + # +@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2) + + type setroubleshootd_t alias setroubleshoot_t; + type setroubleshootd_exec_t; +-init_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++domain_type(setroubleshootd_t) ++init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) + + type setroubleshoot_fixit_t; + type setroubleshoot_fixit_exec_t; +-init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) ++init_daemon_domain(setroubleshoot_fixit_t, 
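Review bot: setroubleshoot_admin drops setroubleshoot_fixit_t from the signal and ps rules, so an admin domain can no longer list or signal the fixit helper even though the summary still claims to cover the whole setroubleshoot environment; unless that is intended, keep `ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t })` and `allow $1 { setroubleshootd_t setroubleshoot_fixit_t }:process signal_perms;` and put both types in the deny_ptrace-gated ptrace rule. If dropping fixit is deliberate, the gen_require change should be accompanied by a comment explaining why the helper is out of scope for admins.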
setroubleshoot_fixit_exec_t) + + type setroubleshoot_var_lib_t; + files_type(setroubleshoot_var_lib_t) + ++# log files + type setroubleshoot_var_log_t; + logging_log_file(setroubleshoot_var_log_t) + ++# pid files + type setroubleshoot_var_run_t; + files_pid_file(setroubleshoot_var_run_t) + + ######################################## + # +-# Local policy ++# setroubleshootd local policy + # + + allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; +-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; ++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; ++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run ++allow setroubleshootd_t self:process { execmem execstack }; + allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; +-allow setroubleshootd_t self:tcp_socket { accept listen }; +-allow setroubleshootd_t self:unix_stream_socket { accept connectto listen }; ++allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; ++allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; + +-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; ++# database files ++allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; + manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) + files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) + +-allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms; +-append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +-create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +-setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, 
setroubleshoot_var_log_t) ++# log files ++allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; ++manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) + manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) + logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) + ++# pid file + manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) + manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) + manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t) + corecmd_exec_shell(setroubleshootd_t) + corecmd_read_all_executables(setroubleshootd_t) + +-corenet_all_recvfrom_unlabeled(setroubleshootd_t) + corenet_all_recvfrom_netlabel(setroubleshootd_t) + corenet_tcp_sendrecv_generic_if(setroubleshootd_t) + corenet_tcp_sendrecv_generic_node(setroubleshootd_t) +- +-corenet_sendrecv_smtp_client_packets(setroubleshootd_t) ++corenet_tcp_sendrecv_all_ports(setroubleshootd_t) ++corenet_tcp_bind_generic_node(setroubleshootd_t) + corenet_tcp_connect_smtp_port(setroubleshootd_t) +-corenet_tcp_sendrecv_smtp_port(setroubleshootd_t) ++corenet_sendrecv_smtp_client_packets(setroubleshootd_t) + + dev_read_urand(setroubleshootd_t) + dev_read_sysfs(setroubleshootd_t) +@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) + dev_getattr_all_chr_files(setroubleshootd_t) + dev_getattr_mtrr_dev(setroubleshootd_t) + +-domain_dontaudit_search_all_domains_state(setroubleshootd_t) ++domain_read_all_domains_state(setroubleshootd_t) + domain_signull_all_domains(setroubleshootd_t) + +-files_read_usr_files(setroubleshootd_t) + files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) + files_getattr_all_pipes(setroubleshootd_t) +@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t) + 
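Review bot: `manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)` replaces the append/create/setattr trio, so the daemon can now truncate, rewrite and unlink its own logs; the removed form was the append-only pattern that stops a compromised daemon from erasing its trail. If rotation or cleanup genuinely needs more than append, a comment naming that operation would justify the widening, otherwise the three narrower patterns should be restored. `domain_type(setroubleshootd_t)` directly before `init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)` looks redundant, since init_daemon_domain normally declares the domain type itself — verify against init.if in this tree and drop the extra call if so.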
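Review bot: `corenet_tcp_sendrecv_all_ports(setroubleshootd_t)` widens the daemon from the single SMTP client path the removed `corenet_tcp_sendrecv_smtp_port` line covered to traffic on every labelled TCP port, while the only connect rule left is still `corenet_tcp_connect_smtp_port`; if mail notification is the only network use, restoring the smtp-port sendrecv line is the tight fit. `corenet_tcp_bind_generic_node(setroubleshootd_t)` is added without any port bind rule in this hunk, so either it is needed for some bind not shown here and deserves a comment, or it is speculative and should go.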
term_dontaudit_use_all_ptys(setroubleshootd_t) + term_dontaudit_use_all_ttys(setroubleshootd_t) + ++mls_dbus_recv_all_levels(setroubleshootd_t) ++ + auth_use_nsswitch(setroubleshootd_t) + + init_read_utmp(setroubleshootd_t) + init_dontaudit_write_utmp(setroubleshootd_t) + + libs_exec_ld_so(setroubleshootd_t) ++libs_exec_ldconfig(setroubleshootd_t) + + locallogin_dontaudit_use_fds(setroubleshootd_t) + + logging_send_audit_msgs(setroubleshootd_t) + logging_send_syslog_msg(setroubleshootd_t) + logging_stream_connect_dispatcher(setroubleshootd_t) ++logging_stream_connect_syslog(setroubleshootd_t) + +-miscfiles_read_localization(setroubleshootd_t) +- ++seutil_read_bin_policy(setroubleshootd_t) + seutil_read_config(setroubleshootd_t) ++seutil_read_default_contexts(setroubleshootd_t) + seutil_read_file_contexts(setroubleshootd_t) +-seutil_read_bin_policy(setroubleshootd_t) + + userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) + + optional_policy(` +- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +- +- optional_policy(` +- abrt_dbus_chat(setroubleshootd_t) +- ') ++ abrt_dbus_chat(setroubleshootd_t) + ') + + optional_policy(` +@@ -135,10 +139,18 @@ optional_policy(` + ') + + optional_policy(` ++ mock_getattr_lib(setroubleshootd_t) ++') ++ ++optional_policy(` + modutils_read_module_config(setroubleshootd_t) + ') + + optional_policy(` ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++') ++ ++optional_policy(` + rpm_exec(setroubleshootd_t) + rpm_signull(setroubleshootd_t) + rpm_read_db(setroubleshootd_t) +@@ -148,26 +160,36 @@ optional_policy(` + + ######################################## + # +-# Fixit local policy ++# setroubleshoot_fixit local policy + # + + allow setroubleshoot_fixit_t self:capability sys_nice; + allow setroubleshoot_fixit_t self:process { setsched getsched }; ++dontaudit setroubleshoot_fixit_t self:process execmem; + allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; ++allow 
setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + + allow setroubleshoot_fixit_t setroubleshootd_t:process signull; + ++setroubleshoot_dbus_chat(setroubleshoot_fixit_t) + setroubleshoot_stream_connect(setroubleshoot_fixit_t) + + kernel_read_system_state(setroubleshoot_fixit_t) ++kernel_read_network_state(setroubleshoot_fixit_t) + + corecmd_exec_bin(setroubleshoot_fixit_t) + corecmd_exec_shell(setroubleshoot_fixit_t) + corecmd_getattr_all_executables(setroubleshoot_fixit_t) + ++dev_read_sysfs(setroubleshoot_fixit_t) ++dev_read_urand(setroubleshoot_fixit_t) ++ ++selinux_read_policy(setroubleshoot_fixit_t) ++ + seutil_domtrans_setfiles(setroubleshoot_fixit_t) ++seutil_domtrans_setsebool(setroubleshoot_fixit_t) ++seutil_read_module_store(setroubleshoot_fixit_t) + +-files_read_usr_files(setroubleshoot_fixit_t) + files_list_tmp(setroubleshoot_fixit_t) + + auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) + logging_send_audit_msgs(setroubleshoot_fixit_t) + logging_send_syslog_msg(setroubleshoot_fixit_t) + +-miscfiles_read_localization(setroubleshoot_fixit_t) +- +-userdom_read_all_users_state(setroubleshoot_fixit_t) ++userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) + userdom_signull_unpriv_users(setroubleshoot_fixit_t) + + optional_policy(` + dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +- setroubleshoot_dbus_chat(setroubleshoot_fixit_t) ++') + +- optional_policy(` +- policykit_dbus_chat(setroubleshoot_fixit_t) +- ') ++optional_policy(` ++ gnome_dontaudit_search_config(setroubleshoot_fixit_t) + ') + + optional_policy(` ++ rpm_exec(setroubleshoot_fixit_t) + rpm_signull(setroubleshoot_fixit_t) + rpm_read_db(setroubleshoot_fixit_t) + rpm_dontaudit_manage_db(setroubleshoot_fixit_t) + rpm_use_script_fds(setroubleshoot_fixit_t) + ') ++ ++optional_policy(` ++ policykit_dbus_chat(setroubleshoot_fixit_t) ++ userdom_read_all_users_state(setroubleshoot_fixit_t) ++') +diff 
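Review bot: the final optional_policy block pairs `policykit_dbus_chat(setroubleshoot_fixit_t)` with `userdom_read_all_users_state(setroubleshoot_fixit_t)`, so the userdom rule is silently dropped whenever the policykit module is absent even though userdom is always present; the rule was unconditional before this hunk and should stay outside the block, or get its own block if reading user state is really only wanted alongside polkit. The preceding hunk also gives the fixit helper `seutil_domtrans_setsebool` and `seutil_read_module_store`, which lets a D-Bus-triggered process flip booleans; a comment such as `# apply suggested boolean fixes via setsebool` would make that privilege reviewable. The setroubleshoot_fixit section these hunks edit starts in the previous hunk.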
--git a/sge.fc b/sge.fc +new file mode 100644 +index 0000000..160ddc2 +--- /dev/null ++++ b/sge.fc +@@ -0,0 +1,6 @@ ++ ++/usr/bin/sge_execd -- gen_context(system_u:object_r:sge_execd_exec_t,s0) ++/usr/bin/sge_shepherd -- gen_context(system_u:object_r:sge_shepherd_exec_t,s0) ++ ++/var/spool/gridengine(/.*)? gen_context(system_u:object_r:sge_spool_t,s0) ++ +diff --git a/sge.if b/sge.if +new file mode 100644 +index 0000000..c9d2d9c +--- /dev/null ++++ b/sge.if +@@ -0,0 +1,24 @@ ++## Policy for gridengine MPI jobs ++ ++###################################### ++## ++## Creates types and rules for a basic ++## sge domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`sge_basic_types_template',` ++ gen_require(` ++ attribute sge_domain; ++ ') ++ ++ type $1_t, sge_domain; ++ type $1_exec_t; ++ ++ kernel_read_system_state($1_t) ++') ++ +diff --git a/sge.te b/sge.te +new file mode 100644 +index 0000000..af30acf +--- /dev/null ++++ b/sge.te +@@ -0,0 +1,195 @@ ++policy_module(sge, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##
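Review bot: `sge_basic_types_template` declares `type $1_exec_t;` with no attribute, so the executable type only becomes meaningful through whatever the caller later passes it to; for the sge_job call in sge.te this yields sge_job_exec_t, which sge.fc never labels and which the job domain is not entered through (it uses corecmd_shell_domtrans with a shell entrypoint), leaving a declared-but-unused type as far as this patch shows. Either leave the exec type out of the template and declare it only where it is labelled, or add an sge.fc entry for sge_job_exec_t. The template's summary should also state what it actually grants, which is currently only `kernel_read_system_state($1_t)`.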

    ++## Allow sge to access nfs file systems. ++##

    ++##
    ++gen_tunable(sge_use_nfs, false) ++ ++## ++##

    ++## Allow sge to connect to the network using any TCP port ++##

    ++##
    ++gen_tunable(sge_domain_can_network_connect, false) ++ ++attribute sge_domain; ++ ++sge_basic_types_template(sge_execd) ++init_daemon_domain(sge_execd_t, sge_execd_exec_t) ++ ++type sge_spool_t; ++files_type(sge_spool_t) ++ ++type sge_tmp_t; ++files_tmp_file(sge_tmp_t) ++ ++sge_basic_types_template(sge_shepherd) ++application_domain(sge_shepherd_t, sge_shepherd_exec_t) ++role system_r types sge_shepherd_t; ++ ++sge_basic_types_template(sge_job) ++application_domain(sge_job_t, sge_job_exec_t) ++corecmd_shell_entry_type(sge_job_t) ++role system_r types sge_job_t; ++ ++####################################### ++# ++# sge_execd local policy ++# ++ ++allow sge_execd_t self:capability { dac_override kill setuid chown setgid }; ++allow sge_execd_t self:process { setsched signal setpgid }; ++ ++allow sge_execd_t sge_shepherd_t:process signal; ++ ++kernel_read_kernel_sysctls(sge_execd_t) ++ ++corenet_tcp_bind_sge_port(sge_execd_t) ++corenet_tcp_connect_sge_port(sge_execd_t) ++ ++dev_read_sysfs(sge_execd_t) ++ ++files_exec_usr_files(sge_execd_t) ++files_search_spool(sge_execd_t) ++ ++fs_getattr_xattr_fs(sge_execd_t) ++fs_read_cgroup_files(sge_execd_t) ++ ++auth_use_nsswitch(sge_execd_t) ++ ++logging_send_syslog_msg(sge_execd_t) ++ ++init_read_utmp(sge_execd_t) ++ ++optional_policy(` ++ sendmail_domtrans(sge_execd_t) ++') ++ ++###################################### ++# ++# sge_shepherd local policy ++# ++ ++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override }; ++allow sge_shepherd_t self:process { setsched setrlimit setpgid }; ++allow sge_shepherd_t self:process signal_perms; ++ ++domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t) ++ ++kernel_read_sysctl(sge_shepherd_t) ++kernel_read_kernel_sysctls(sge_shepherd_t) ++ ++dev_read_sysfs(sge_shepherd_t) ++ ++fs_getattr_all_fs(sge_shepherd_t) ++ ++logging_send_syslog_msg(sge_shepherd_t) ++ ++optional_policy(` ++ mta_send_mail(sge_shepherd_t) ++') ++ ++optional_policy(` ++ 
ssh_domtrans(sge_shepherd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(sge_shepherd_t) ++') ++ ++##################################### ++# ++# sge_job local policy ++# ++ ++allow sge_shepherd_t sge_job_t:process signal_perms; ++ ++corecmd_shell_domtrans(sge_shepherd_t, sge_job_t) ++ ++kernel_read_kernel_sysctls(sge_job_t) ++ ++term_use_all_terms(sge_job_t) ++ ++logging_send_syslog_msg(sge_job_t) ++ ++optional_policy(` ++ ssh_basic_client_template(sge_job, sge_job_t, system_r) ++ ssh_domtrans(sge_job_t) ++ ++ allow sge_job_t sge_job_ssh_t:process sigkill; ++ allow sge_shepherd_t sge_job_ssh_t:process sigkill; ++ ++ xserver_exec_xauth(sge_job_ssh_t) ++ ++ tunable_policy(`sge_use_nfs',` ++ fs_list_auto_mountpoints(sge_job_ssh_t) ++ fs_manage_nfs_dirs(sge_job_ssh_t) ++ fs_manage_nfs_files(sge_job_ssh_t) ++ fs_read_nfs_symlinks(sge_job_ssh_t) ++ ') ++ ') ++ ++optional_policy(` ++ xserver_domtrans_xauth(sge_job_t) ++') ++ ++optional_policy(` ++ unconfined_domain(sge_job_t) ++') ++ ++##################################### ++# ++# sge_domain local policy ++# ++ ++allow sge_domain self:fifo_file rw_fifo_file_perms; ++allow sge_domain self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t) ++manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t) ++manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t) ++ ++manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t) ++manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t) ++files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir }) ++ ++kernel_read_network_state(sge_domain) ++ ++corecmd_exec_bin(sge_domain) ++corecmd_exec_shell(sge_domain) ++ ++domain_read_all_domains_state(sge_domain) ++ ++ ++dev_read_urand(sge_domain) ++ ++tunable_policy(`sge_domain_can_network_connect',` ++ corenet_tcp_connect_all_ports(sge_domain) ++') ++ ++tunable_policy(`sge_use_nfs',` ++ fs_list_auto_mountpoints(sge_domain) ++ fs_manage_nfs_dirs(sge_domain) ++ fs_manage_nfs_files(sge_domain) 
++ fs_read_nfs_symlinks(sge_domain) ++ fs_exec_nfs_files(sge_domain) ++') ++ ++optional_policy(` ++ sysnet_dns_name_resolve(sge_domain) ++') ++ ++optional_policy(` ++ hostname_exec(sge_domain) ++') ++ ++optional_policy(` ++ nslcd_stream_connect(sge_domain) ++') +diff --git a/shorewall.if b/shorewall.if +index 1aeef8a..d5ce40a 100644 +--- a/shorewall.if ++++ b/shorewall.if +@@ -1,4 +1,4 @@ +-## Shoreline Firewall high-level tool for configuring netfilter. ++## Shoreline Firewall high-level tool for configuring netfilter + + ######################################## + ## +@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',` + type shorewall_t, shorewall_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, shorewall_exec_t, shorewall_t) + ') + +@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',` + type shorewall_t, shorewall_var_lib_t; + ') + +- files_search_var_lib($1) + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) + ') + + ####################################### + ## +-## Read shorewall configuration files. ++## Read shorewall etc configuration files. + ## + ## + ## +@@ -57,47 +55,9 @@ interface(`shorewall_read_config',` + read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) + ') + +-####################################### +-## +-## Read shorewall pid files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`shorewall_read_pid_files',` +- gen_require(` +- type shorewall_var_run_t; +- ') +- +- files_search_pids($1) +- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +-') +- +-####################################### +-## +-## Read and write shorewall pid files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`shorewall_rw_pid_files',` +- gen_require(` +- type shorewall_var_run_t; +- ') +- +- files_search_pids($1) +- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +-') +- + ###################################### + ## +-## Read shorewall lib files. 
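Review bot: `unconfined_domain(sge_shepherd_t)` and `unconfined_domain(sge_job_t)` sit in bare optional_policy blocks, so both domains become fully unconfined wherever the unconfined module is loaded, which is presumably the default on the target distribution; at that point the sge_use_nfs and sge_domain_can_network_connect tunables, the sge_domain NFS and network rules and the ssh client template for sge_job are dead weight for those two types, and a grid job running arbitrary user code ends up as an unconfined process. If unconfining jobs is the intended trade-off, gate it on an explicit tunable (for example a `sge_unconfined_jobs` boolean, false by default) and say so in a comment above the block so hardened nodes can keep jobs confined. The capability sets `{ dac_override kill setuid chown setgid }` on sge_execd_t and `{ setuid sys_nice chown kill setgid dac_override }` on sge_shepherd_t are what job isolation hinges on and each deserves a why-comment.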
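Review bot: shorewall_domtrans drops `corecmd_search_bin($1)` and shorewall_lib_domtrans drops `files_search_var_lib($1)`, so a caller that does not already hold search on bin_t or var_lib_t can no longer reach the executable and the transition silently never fires. The domtrans interfaces added elsewhere in this same patch (sensord_domtrans, slpd_domtrans) keep the search call, so these two should keep theirs for consistency, or their docs should state that the caller must supply the search permission itself.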
++## Read shorewall /var/lib files. + ## + ## + ## +@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',` + ## + # + interface(`shorewall_read_lib_files',` +- gen_require(` ++ gen_require(` + type shorewall_var_lib_t; +- ') ++ ') + +- files_search_var_lib($1) +- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ files_search_var_lib($1) ++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + ') + + ####################################### + ## +-## Read and write shorewall lib files. ++## Read and write shorewall /var/lib files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`shorewall_rw_lib_files',` +- gen_require(` +- type shorewall_var_lib_t; +- ') ++ gen_require(` ++ type shorewall_var_lib_t; ++ ') + +- files_search_var_lib($1) +- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ files_search_var_lib($1) ++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + ') + + ####################################### + ## +-## Read shorewall temporary files. ++## Read shorewall tmp files. + ## + ## + ## +@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',` + + ####################################### + ## +-## All of the rules required to +-## administrate an shorewall environment. ++## All of the rules required to administrate ++## an shorewall environment + ## + ## + ## +@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the syslog domain. 
+ ## + ## + ## + # + interface(`shorewall_admin',` + gen_require(` +- type shorewall_t, shorewall_lock_t, shorewall_log_t; +- type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t; ++ type shorewall_t, shorewall_lock_t; ++ type shorewall_log_t; ++ type shorewall_initrc_exec_t, shorewall_var_lib_t; + type shorewall_tmp_t, shorewall_etc_t; + ') + +- allow $1 shorewall_t:process { ptrace signal_perms }; ++ allow $1 shorewall_t:process signal_perms; + ps_process_pattern($1, shorewall_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 shorewall_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + +- can_exec($1, shorewall_exec_t) +- + files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + +diff --git a/shorewall.te b/shorewall.te +index ca03de6..c3b5559 100644 +--- a/shorewall.te ++++ b/shorewall.te +@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) + files_lock_filetrans(shorewall_t, shorewall_lock_t, file) + + manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +-append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +-create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +-setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) ++manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) + logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) + + manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) +@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) ++allow shorewall_t shorewall_var_lib_t:file entrypoint; ++ 
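Review bot: the role parameter doc in shorewall_admin now reads `The role to be allowed to manage the syslog domain.`, which is a copy-paste from another module; it should say `Role allowed access.` (the wording the other admin interfaces in this patch use) or at least name the shorewall domain. The hunk also removes `can_exec($1, shorewall_exec_t)` without a replacement, so an admin domain can no longer run the shorewall binary in its own context; if forcing use of the init script is the intent a comment would help, otherwise the line should stay. The deny_ptrace gating itself matches the other admin interfaces in the patch.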
++allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; + + allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; + +@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t) + domain_read_all_domains_state(shorewall_t) + + files_getattr_kernel_modules(shorewall_t) +-files_read_usr_files(shorewall_t) + files_search_kernel_modules(shorewall_t) + + fs_getattr_all_fs(shorewall_t) +@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t) + logging_read_generic_logs(shorewall_t) + logging_send_syslog_msg(shorewall_t) + +-miscfiles_read_localization(shorewall_t) +- + sysnet_domtrans_ifconfig(shorewall_t) + +-userdom_dontaudit_list_user_home_dirs(shorewall_t) +-userdom_use_user_terminals(shorewall_t) ++userdom_dontaudit_list_admin_dir(shorewall_t) ++userdom_use_inherited_user_ttys(shorewall_t) ++userdom_use_inherited_user_ptys(shorewall_t) + + optional_policy(` + brctl_domtrans(shorewall_t) +diff --git a/shutdown.fc b/shutdown.fc +index a91f33b..631dbc1 100644 +--- a/shutdown.fc ++++ b/shutdown.fc +@@ -8,4 +8,4 @@ + + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) ++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +diff --git a/shutdown.if b/shutdown.if +index d1706bf..87ab4a7 100644 +--- a/shutdown.if ++++ b/shutdown.if +@@ -1,30 +1,4 @@ +-## System shutdown command. +- +-######################################## +-## +-## Role access for shutdown. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. 
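Review bot: the added `allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;` duplicates the identical context line that immediately follows it in the same hunk, so one copy should be removed. The new `allow shorewall_t shorewall_var_lib_t:file entrypoint;` makes every file under /var/lib/shorewall a valid entry point into shorewall_t, and because the domain also has manage_files_pattern on that type it can write its own entrypoints; that is presumably for the compiled firewall script, so a comment like `# the compiled firewall script in /var/lib/shorewall is executed as an entrypoint` would make the self-writable entrypoint reviewable.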
+-## +-## +-# +-interface(`shutdown_role',` +- gen_require(` +- type shutdown_t; +- ') +- +- shutdown_run($2, $1) +- +- allow $2 shutdown_t:process { ptrace signal_perms }; +- ps_process_pattern($2, shutdown_t) +-') ++## System shutdown command + + ######################################## + ## +@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',` + + corecmd_search_bin($1) + domtrans_pattern($1, shutdown_exec_t, shutdown_t) ++ ++ init_reboot($1) ++ init_halt($1) ++ ++ optional_policy(` ++ systemd_exec_systemctl($1) ++ init_stream_connect($1) ++ systemd_login_reboot($1) ++ systemd_login_halt($1) ++ ') ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; ++ ') + ') + + ######################################## + ## +-## Execute shutdown in the shutdown +-## domain, and allow the specified role +-## the shutdown domain. ++## Execute shutdown in the shutdown domain, and ++## allow the specified role the shutdown domain. + ## + ## + ## +@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',` + # + interface(`shutdown_run',` + gen_require(` ++ type shutdown_t; + attribute_role shutdown_roles; + ') + +- shutdown_domtrans($1) +- roleattribute $2 shutdown_roles; ++ shutdown_domtrans($1) ++ roleattribute $2 shutdown_roles; + ') + + ######################################## + ## +-## Send generic signals to shutdown. 
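Review bot: shutdown_domtrans now also hands the caller `init_reboot($1)`, `init_halt($1)` and, in the optional block, `systemd_login_reboot($1)`/`systemd_login_halt($1)`, so any domain that may merely run /sbin/shutdown can reboot or halt the machine directly through init and logind without ever entering shutdown_t, and the transition stops being the control point. If the caller truly needs those rights because shutdown execs back into systemctl, they belong to shutdown_t in shutdown.te, or in a separate interface so shutdown_domtrans stays a pure transition. The `dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;` under hide_broken_symptoms is reasonable, but a short comment naming the caller that leaks the fifo would help.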
++## Role access for shutdown ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`shutdown_role',` ++ gen_require(` ++ type shutdown_t; ++ ') ++ ++ shutdown_run($2, $1) ++ ++ allow $2 shutdown_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, shutdown_t) ++') ++ ++######################################## ++## ++## Recieve sigchld from shutdown ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`shutdown_send_sigchld',` ++ gen_require(` ++ type shutdown_t; ++ ') ++ ++ allow shutdown_t $1:process signal; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## shutdown over dbus. + ## + ## + ## +@@ -81,17 +114,19 @@ interface(`shutdown_run',` + ## + ## + # +-interface(`shutdown_signal',` ++interface(`shutdown_dbus_chat',` + gen_require(` + type shutdown_t; ++ class dbus send_msg; + ') + +- allow shutdown_t $1:process signal; ++ allow $1 shutdown_t:dbus send_msg; ++ allow shutdown_t $1:dbus send_msg; + ') + + ######################################## + ## +-## Get attributes of shutdown executable files. ++## Get attributes of shutdown executable. 
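Review bot: shutdown_send_sigchld's body is `allow shutdown_t $1:process signal;`, which grants a generic signal rather than sigchld, so the name and summary promise something narrower than what is granted; either change the rule to `allow shutdown_t $1:process sigchld;` or rename and document it as allowing shutdown to send generic signals to the given domain. The summary also has a typo, `Recieve` should be `Receive`. The body is the same one the old shutdown_signal interface carried, so this is a misleading rename rather than a new grant.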
+ ## + ## + ## +diff --git a/shutdown.te b/shutdown.te +index 7880d1f..8804935 100644 +--- a/shutdown.te ++++ b/shutdown.te +@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t) + + mls_file_write_to_clearance(shutdown_t) + +-term_use_all_terms(shutdown_t) ++term_use_all_inherited_terms(shutdown_t) + + auth_use_nsswitch(shutdown_t) + auth_write_login_records(shutdown_t) +@@ -56,8 +56,6 @@ init_telinit(shutdown_t) + logging_search_logs(shutdown_t) + logging_send_audit_msgs(shutdown_t) + +-miscfiles_read_localization(shutdown_t) +- + optional_policy(` + cron_system_entry(shutdown_t, shutdown_exec_t) + ') +@@ -68,10 +66,15 @@ optional_policy(` + ') + + optional_policy(` +- oddjob_dontaudit_rw_fifo_files(shutdown_t) +- oddjob_sigchld(shutdown_t) ++ oddjob_dontaudit_rw_fifo_file(shutdown_t) ++ oddjob_sigchld(shutdown_t) ++') ++ ++optional_policy(` ++ rhev_sigchld_agentd(shutdown_t) + ') + + optional_policy(` + xserver_dontaudit_write_log(shutdown_t) ++ xserver_xdm_append_log(shutdown_t) + ') +diff --git a/slocate.te b/slocate.te +index ba26427..83d21aa 100644 +--- a/slocate.te ++++ b/slocate.te +@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t) + + auth_use_nsswitch(locate_t) + +-miscfiles_read_localization(locate_t) + + ifdef(`enable_mls',` + files_dontaudit_getattr_all_dirs(locate_t) +diff --git a/slpd.if b/slpd.if +index ca32e89..98278dd 100644 +--- a/slpd.if ++++ b/slpd.if +@@ -2,6 +2,43 @@ + + ######################################## + ## ++## Transition to slpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`slpd_domtrans',` ++ gen_require(` ++ type slpd_t, slpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, slpd_exec_t, slpd_t) ++') ++ ++######################################## ++## ++## Execute slpd server in the slpd domain. ++## ++## ++## ++## Domain allowed access. 
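Review bot: the existing `shutdown_signal` interface is renamed to `shutdown_dbus_chat` with a completely different body, so any module still calling shutdown_signal will fail to link; callers are outside this view, but if the old name is referenced anywhere a one-line compatibility interface named shutdown_signal that simply calls shutdown_send_sigchld($1) keeps them building. The new dbus body correctly requires `class dbus send_msg;` in gen_require.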
++## ++## ++# ++interface(`slpd_initrc_domtrans',` ++ gen_require(` ++ type slpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, slpd_initrc_exec_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an slpd environment. + ## +@@ -26,7 +63,7 @@ interface(`slpd_admin',` + allow $1 slpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, slpd_t) + +- init_labeled_script_domtrans($1, slpd_initrc_exec_t) ++ slpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 slpd_initrc_exec_t system_r; + allow $2 system_r; +@@ -36,4 +73,10 @@ interface(`slpd_admin',` + + files_search_pids($1) + admin_pattern($1, slpd_var_run_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++ + ') +diff --git a/slpd.te b/slpd.te +index 66ac42a..1a4c952 100644 +--- a/slpd.te ++++ b/slpd.te +@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) + corenet_tcp_bind_svrloc_port(slpd_t) + corenet_udp_bind_svrloc_port(slpd_t) + ++corenet_udp_bind_dhcpc_port(slpd_t) ++ ++dev_read_urand(slpd_t) ++ + auth_use_nsswitch(slpd_t) + +-miscfiles_read_localization(slpd_t) ++sysnet_dns_name_resolve(slpd_t) +diff --git a/slrnpull.te b/slrnpull.te +index 5437237..3dfc982 100644 +--- a/slrnpull.te ++++ b/slrnpull.te +@@ -13,7 +13,7 @@ type slrnpull_var_run_t; + files_pid_file(slrnpull_var_run_t) + + type slrnpull_spool_t; +-files_type(slrnpull_spool_t) ++files_spool_file(slrnpull_spool_t) + + type slrnpull_log_t; + logging_log_file(slrnpull_log_t) +@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t) + + domain_use_interactive_fds(slrnpull_t) + +-files_read_etc_files(slrnpull_t) + files_search_spool(slrnpull_t) + + fs_getattr_all_fs(slrnpull_t) +@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t) + + logging_send_syslog_msg(slrnpull_t) + +-miscfiles_read_localization(slrnpull_t) +- + userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) + 
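Review bot: the summary for slpd_initrc_domtrans, `Execute slpd server in the slpd domain.`, describes a transition into slpd_t, but the interface wraps `init_labeled_script_domtrans($1, slpd_initrc_exec_t)` and therefore runs the init script in the init script domain; `Execute the slpd init script in the init script domain.` is the conventional wording and avoids confusion with slpd_domtrans just above it.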
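Review bot: `corenet_udp_bind_dhcpc_port(slpd_t)` lets the service-location daemon bind the DHCP client port, which is unusual enough that it will look like a mislabel to the next reader; if it is for DHCP-based directory-agent discovery (the SLP DHCP options), say so above the line, e.g. `# DA discovery via DHCP options requires binding the dhcpc port`. `sysnet_dns_name_resolve(slpd_t)` may be redundant with the `auth_use_nsswitch(slpd_t)` line just above it if that interface already pulls in DNS resolution in this tree — worth checking before keeping both.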
userdom_dontaudit_search_user_home_dirs(slrnpull_t) + +diff --git a/smartmon.if b/smartmon.if +index e0644b5..ea347cc 100644 +--- a/smartmon.if ++++ b/smartmon.if +@@ -42,9 +42,13 @@ interface(`smartmon_admin',` + type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; + ') + +- allow $1 fsdaemon_t:process { ptrace signal_perms }; ++ allow $1 fsdaemon_t:process signal_perms; + ps_process_pattern($1, fsdaemon_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 fsdaemon_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; +diff --git a/smartmon.te b/smartmon.te +index 9ade9c5..60d6c41 100644 +--- a/smartmon.te ++++ b/smartmon.te +@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) + + corecmd_exec_all_executables(fsdaemon_t) + ++corenet_all_recvfrom_netlabel(fsdaemon_t) ++corenet_udp_sendrecv_generic_if(fsdaemon_t) ++corenet_udp_sendrecv_generic_node(fsdaemon_t) ++corenet_udp_sendrecv_all_ports(fsdaemon_t) ++ + dev_read_sysfs(fsdaemon_t) + dev_read_urand(fsdaemon_t) + + domain_use_interactive_fds(fsdaemon_t) + + files_exec_etc_files(fsdaemon_t) +-files_read_etc_files(fsdaemon_t) + files_read_etc_runtime_files(fsdaemon_t) +-files_read_usr_files(fsdaemon_t) + + fs_getattr_all_fs(fsdaemon_t) + fs_search_auto_mountpoints(fsdaemon_t) ++fs_read_removable_files(fsdaemon_t) + + mls_file_read_all_levels(fsdaemon_t) + ++storage_create_fixed_disk_dev(fsdaemon_t) ++storage_dev_filetrans_named_fixed_disk(fsdaemon_t) + storage_raw_read_fixed_disk(fsdaemon_t) + storage_raw_write_fixed_disk(fsdaemon_t) + storage_raw_read_removable_device(fsdaemon_t) +@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t) + + term_dontaudit_search_ptys(fsdaemon_t) + +-application_signull(fsdaemon_t) ++domain_signull_all_domains(fsdaemon_t) ++ ++auth_read_passwd(fsdaemon_t) + + init_read_utmp(fsdaemon_t) + +@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t) + + 
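Review bot: `storage_create_fixed_disk_dev(fsdaemon_t)` and `storage_dev_filetrans_named_fixed_disk(fsdaemon_t)` let smartd create fixed-disk device nodes unconditionally, yet the only case where smartd does that is presumably the 3ware controller nodes, and that case is already gated by the `smartmon_3ware` tunable visible as context in the next hunk (`tunable_policy(`smartmon_3ware',`). Move both calls inside that tunable so the default policy does not grant device-node creation. `corenet_udp_sendrecv_all_ports(fsdaemon_t)` is also broad for a daemon whose only visible network use is DNS, which `sysnet_dns_name_resolve(fsdaemon_t)` in the following hunk already covers; if it was added for a specific AVC, note the port instead of opening all of them. The rest of fsdaemon_t's rules lie outside this chunk.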
logging_send_syslog_msg(fsdaemon_t) + +-miscfiles_read_localization(fsdaemon_t) ++seutil_sigchld_newrole(fsdaemon_t) + + sysnet_dns_name_resolve(fsdaemon_t) + + userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) + userdom_dontaudit_search_user_home_dirs(fsdaemon_t) ++userdom_use_user_ptys(fsdaemon_t) + + tunable_policy(`smartmon_3ware',` + allow fsdaemon_t self:process setfscreate; +@@ -116,9 +125,9 @@ optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(fsdaemon_t) ++ udev_read_db(fsdaemon_t) + ') + + optional_policy(` +- udev_read_db(fsdaemon_t) ++ virt_read_images(fsdaemon_t) + ') +diff --git a/smokeping.if b/smokeping.if +index 1fa51c1..82e111c 100644 +--- a/smokeping.if ++++ b/smokeping.if +@@ -158,8 +158,11 @@ interface(`smokeping_admin',` + type smokeping_var_run_t; + ') + +- allow $1 smokeping_t:process { ptrace signal_perms }; ++ allow $1 smokeping_t:process signal_perms; + ps_process_pattern($1, smokeping_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 smokeping_t:process ptrace; ++ ') + + smokeping_initrc_domtrans($1) + domain_system_change_exemption($1) +diff --git a/smokeping.te b/smokeping.te +index a8b1aaf..fc0a2be 100644 +--- a/smokeping.te ++++ b/smokeping.te +@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) + # + + dontaudit smokeping_t self:capability { dac_read_search dac_override }; ++allow smokeping_t self:process signal_perms; + allow smokeping_t self:fifo_file rw_fifo_file_perms; + allow smokeping_t self:unix_stream_socket { accept listen }; + +@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t) + + dev_read_urand(smokeping_t) + +-files_read_usr_files(smokeping_t) + files_search_tmp(smokeping_t) + + auth_use_nsswitch(smokeping_t) +@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t) + + logging_send_syslog_msg(smokeping_t) + +-miscfiles_read_localization(smokeping_t) +- + mta_send_mail(smokeping_t) + + netutils_domtrans_ping(smokeping_t) +@@ -70,6 +68,8 @@ optional_policy(` + 
files_search_tmp(httpd_smokeping_cgi_script_t) + files_search_var_lib(httpd_smokeping_cgi_script_t) + ++ auth_read_passwd(httpd_smokeping_cgi_script_t) ++ + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) + + netutils_domtrans_ping(httpd_smokeping_cgi_script_t) +diff --git a/smoltclient.te b/smoltclient.te +index 9c8f9a5..14f15a4 100644 +--- a/smoltclient.te ++++ b/smoltclient.te +@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) + + files_getattr_generic_locks(smoltclient_t) + files_read_etc_runtime_files(smoltclient_t) +-files_read_usr_files(smoltclient_t) + + auth_use_nsswitch(smoltclient_t) + + logging_send_syslog_msg(smoltclient_t) + + miscfiles_read_hwdata(smoltclient_t) +-miscfiles_read_localization(smoltclient_t) + + optional_policy(` + abrt_stream_connect(smoltclient_t) +diff --git a/smsd.fc b/smsd.fc +new file mode 100644 +index 0000000..4c3fcec +--- /dev/null ++++ b/smsd.fc +@@ -0,0 +1,11 @@ ++/etc/rc\.d/init\.d/smsd -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0) ++ ++/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0) ++ ++/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0) ++ ++/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0) ++ ++/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0) ++ ++/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0) +diff --git a/smsd.if b/smsd.if +new file mode 100644 +index 0000000..52450c7 +--- /dev/null ++++ b/smsd.if +@@ -0,0 +1,240 @@ ++## The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions. ++ ++######################################## ++## ++## Execute smsd in the smsd domin. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`smsd_domtrans',` ++ gen_require(` ++ type smsd_t, smsd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, smsd_exec_t, smsd_t) ++') ++ ++######################################## ++## ++## Execute smsd server in the smsd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_initrc_domtrans',` ++ gen_require(` ++ type smsd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, smsd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read smsd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_read_log',` ++ gen_require(` ++ type smsd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, smsd_log_t, smsd_log_t) ++') ++ ++######################################## ++## ++## Append to smsd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_append_log',` ++ gen_require(` ++ type smsd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, smsd_log_t, smsd_log_t) ++') ++ ++######################################## ++## ++## Manage smsd log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_manage_log',` ++ gen_require(` ++ type smsd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, smsd_log_t, smsd_log_t) ++ manage_files_pattern($1, smsd_log_t, smsd_log_t) ++ manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t) ++') ++######################################## ++## ++## Read smsd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_read_pid_files',` ++ gen_require(` ++ type smsd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, smsd_var_run_t, smsd_var_run_t) ++') ++ ++######################################## ++## ++## Search smsd spool directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`smsd_search_spool',` ++ gen_require(` ++ type smsd_spool_t; ++ ') ++ ++ allow $1 smsd_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Read smsd spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_read_spool_files',` ++ gen_require(` ++ type smsd_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, smsd_spool_t, smsd_spool_t) ++') ++ ++######################################## ++## ++## Manage smsd spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_manage_spool_files',` ++ gen_require(` ++ type smsd_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, smsd_spool_t, smsd_spool_t) ++') ++ ++######################################## ++## ++## Manage smsd spool dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_manage_spool_dirs',` ++ gen_require(` ++ type smsd_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an smsd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`smsd_admin',` ++ gen_require(` ++ type smsd_t; ++ type smsd_initrc_exec_t; ++ type smsd_log_t; ++ type smsd_var_run_t; ++ type smsd_spool_t; ++ ') ++ ++ allow $1 smsd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, smsd_t) ++ ++ smsd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 smsd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, smsd_log_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, smsd_var_run_t) ++ ++ files_search_spool($1) ++ admin_pattern($1, smsd_spool_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/smsd.te b/smsd.te +new file mode 100644 +index 0000000..1fad7b8 +--- /dev/null ++++ b/smsd.te +@@ -0,0 +1,73 @@ ++policy_module(smsd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type smsd_t; ++type smsd_exec_t; ++init_daemon_domain(smsd_t, smsd_exec_t) ++ ++type smsd_initrc_exec_t; ++init_script_file(smsd_initrc_exec_t) ++ ++type smsd_log_t; ++logging_log_file(smsd_log_t) ++ ++type smsd_var_lib_t; ++files_type(smsd_var_lib_t) ++ ++type smsd_var_run_t; ++files_pid_file(smsd_var_run_t) ++ ++type smsd_spool_t; ++files_type(smsd_spool_t) ++ ++type smsd_tmp_t; ++files_tmp_file(smsd_tmp_t) ++ ++######################################## ++# ++# smsd local policy ++# ++ ++allow smsd_t self:capability { kill setgid setuid }; ++allow smsd_t self:process { fork signal }; ++allow smsd_t self:fifo_file rw_fifo_file_perms; ++allow smsd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t) ++manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t) ++manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t) ++logging_log_filetrans(smsd_t, smsd_log_t, { dir }) ++ ++manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) ++manage_files_pattern(smsd_t, smsd_var_lib_t, 
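Review bot: `smsd_admin` grants `allow $1 smsd_t:process { ptrace signal_perms };` unconditionally, while every other `_admin` interface touched in this patch (smartmon, smokeping, snmp, snort, soundserver) now splits it into `allow $1 smsd_t:process signal_perms;` plus `tunable_policy(`deny_ptrace',`',` allow $1 smsd_t:process ptrace; ')`. A brand-new interface should follow that pattern, otherwise the `deny_ptrace` boolean is not system-wide. Minor: `smsd_search_spool` puts `files_search_spool($1)` after the allow rule whereas its siblings put the search first; worth aligning for readability.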
smsd_var_lib_t) ++manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) ++ ++manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) ++manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) ++manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) ++files_pid_filetrans(smsd_t, smsd_var_run_t, { dir }) ++ ++manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t) ++manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) ++manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) ++files_spool_filetrans(smsd_t, smsd_spool_t, { dir }) ++can_exec(smsd_t, smsd_spool_t) ++ ++manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t) ++manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t) ++files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir }) ++ ++kernel_read_system_state(smsd_t) ++kernel_read_kernel_sysctls(smsd_t) ++ ++corecmd_exec_shell(smsd_t) ++ ++auth_use_nsswitch(smsd_t) ++ ++logging_send_syslog_msg(smsd_t) ++ ++sysnet_dns_name_resolve(smsd_t) +diff --git a/smstools.if b/smstools.if +index cbfe369..6594af3 100644 +--- a/smstools.if ++++ b/smstools.if +@@ -1,5 +1,81 @@ + ## Tools to send and receive short messages through GSM modems or mobile phones. + ++####################################### ++## ++## Search smsd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_search_lib',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ allow $1 smsd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++####################################### ++## ++## Read smsd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_read_lib_files',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t) ++') ++ ++####################################### ++## ++## Manage smsd lib files. ++## ++## ++## ++## Domain allowed access. 
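Review bot: `can_exec(smsd_t, smsd_spool_t)` makes the whole `/var/spool/sms` tree executable by the daemon, while the same patch hands out `smsd_manage_spool_files`/`smsd_manage_spool_dirs` to other domains and the daemon creates spool content itself via `files_spool_filetrans`; together with `corecmd_exec_shell(smsd_t)` and the `kill setgid setuid` capabilities, any domain that can drop a file into the spool gains code execution as smsd_t. Event-handler scripts should carry their own executable type (or live outside the spool) rather than the spool being executable, and at minimum the line needs a comment stating what is executed from there. Separately, this file declares `type smsd_t;` and `smsd_var_lib_t`, but the smstools.if hunk that follows requires `smsd_t`, `smsd_initrc_exec_t`, `smsd_conf_t` and `smsd_var_lib_t` from the smstools module — if smstools.te declares them (not visible here) this module fails to link on a duplicate type. Also `smsd_spool_t` is declared with `files_type` where the slrnpull hunk above converts exactly this pattern to `files_spool_file`.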
++## ++## ++# ++interface(`smsd_manage_lib_files',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t) ++') ++ ++####################################### ++## ++## Manage smsd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smsd_manage_lib_dirs',` ++ gen_require(` ++ type smsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -32,7 +108,7 @@ interface(`smstools_admin',` + role_transition $2 smsd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_config($1) ++ files_search_etc($1) + admin_pattern($1, smsd_conf_t) + + files_search_var_lib($1) +diff --git a/snapper.fc b/snapper.fc +new file mode 100644 +index 0000000..3f412d5 +--- /dev/null ++++ b/snapper.fc +@@ -0,0 +1 @@ ++/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) +diff --git a/snapper.if b/snapper.if +new file mode 100644 +index 0000000..94105ee +--- /dev/null ++++ b/snapper.if +@@ -0,0 +1,42 @@ ++ ++## policy for snapperd ++ ++######################################## ++## ++## Execute TEMPLATE in the snapperd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`snapper_domtrans',` ++ gen_require(` ++ type snapperd_t, snapperd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, snapperd_exec_t, snapperd_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## snapperd over dbus. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`snapper_dbus_chat',`
++ gen_require(`
++ type snapperd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 snapperd_t:dbus send_msg;
++ allow snapperd_t $1:dbus send_msg;
++')
+diff --git a/snapper.te b/snapper.te
+new file mode 100644
+index 0000000..ad232be
+--- /dev/null
++++ b/snapper.te
+@@ -0,0 +1,33 @@
++policy_module(snapper, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type snapperd_t;
++type snapperd_exec_t;
++init_daemon_domain(snapperd_t, snapperd_exec_t)
++
++########################################
++#
++# snapperd local policy
++#
++
++allow snapperd_t self:fifo_file rw_fifo_file_perms;
++allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
++
++storage_raw_read_fixed_disk(snapperd_t)
++
++auth_use_nsswitch(snapperd_t)
++
++miscfiles_read_localization(snapperd_t)
++
++optional_policy(`
++ dbus_system_bus_client(snapperd_t)
++ dbus_connect_system_bus(snapperd_t)
++')
++
++optional_policy(`
++ mount_domtrans(snapperd_t)
++')
+diff --git a/snmp.fc b/snmp.fc
+index c73fa24..408ff61 100644
+--- a/snmp.fc
++++ b/snmp.fc
+@@ -1,6 +1,6 @@
+ /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+ 
+-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
++/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+ /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+ 
+ /usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+@@ -10,9 +10,12 @@
+ 
+ /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ 
+ /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
+ 
++/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++
+ /var/run/net-snmpd(/.*)? 
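Review bot: The summary for `snapper_domtrans` still reads `Execute TEMPLATE in the snapperd domin.` — the placeholder from the interface template plus a typo. Replace it with `## Execute snapperd in the snapperd domain.` before this is picked up by the interface documentation. `snapper_dbus_chat` reads fine.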
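Review bot: `miscfiles_read_localization(snapperd_t)` is added here while every other .te hunk in this patch (shutdown, slocate, slpd, smartmon, smokeping, smoltclient, snort, sosreport, soundserver) removes that very call, which suggests localization access now comes from a domain-wide rule; the new module should match and drop the line. `storage_raw_read_fixed_disk(snapperd_t)` alongside `mount_domtrans(snapperd_t)` is a lot for a first cut of a snapshot daemon — btrfs snapshot ioctls normally go through the mounted filesystem rather than the raw block device, so either explain the need with a comment such as `# raw device read needed for ... -- TODO confirm` or leave it out until an AVC shows it. The module also has no file contexts beyond the binary and no dbus activation/initrc rules, so the daemon's own state will run on default types; whether that is handled elsewhere is not visible here.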
gen_context(system_u:object_r:snmpd_var_run_t,s0) +-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) + /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) +diff --git a/snmp.if b/snmp.if +index 7a9cc9d..86cbca9 100644 +--- a/snmp.if ++++ b/snmp.if +@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',` + + ######################################## + ## +-## Create, read, write, and delete +-## snmp lib directories. ++## Read snmpd lib content. + ## + ## + ## +@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',` + ## + ## + # +-interface(`snmp_manage_var_lib_dirs',` ++interface(`snmp_read_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + + files_search_var_lib($1) +- allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++') ++ ++####################################### ++## ++## Read snmpd libraries directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_read_snmp_var_lib_dirs',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## snmp lib files. 
++## Manage snmpd libraries directories + ## + ## + ## +@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',` + ## + ## + # +-interface(`snmp_manage_var_lib_files',` ++interface(`snmp_manage_var_lib_dirs',` + gen_require(` + type snmpd_var_lib_t; + ') + +- files_search_var_lib($1) +- allow $1 snmpd_var_lib_t:dir list_dir_perms; +- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) + ') + + ######################################## + ## +-## Read snmpd lib content. ++## Manage snmpd libraries. + ## + ## + ## +@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',` + ## + ## + # +-interface(`snmp_read_snmp_var_lib_files',` ++interface(`snmp_manage_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + ++ files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; +- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + ') + + ######################################## +@@ -179,8 +197,12 @@ interface(`snmp_admin',` + type snmpd_var_lib_t, snmpd_var_run_t; + ') + +- allow $1 snmpd_t:process { ptrace signal_perms }; ++ allow $1 snmpd_t:process signal_perms; ++ + ps_process_pattern($1, snmpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 snmpd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, snmpd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/snmp.te b/snmp.te +index 81864ce..4b6b771 100644 +--- a/snmp.te ++++ b/snmp.te +@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) + # + + allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; ++ + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; + allow snmpd_t self:process { signal_perms getsched setsched }; + allow snmpd_t self:fifo_file 
rw_fifo_file_perms; +-allow snmpd_t self:unix_stream_socket { accept connectto listen }; +-allow snmpd_t self:tcp_socket { accept listen }; ++allow snmpd_t self:unix_dgram_socket create_socket_perms; ++allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow snmpd_t self:tcp_socket create_stream_socket_perms; + allow snmpd_t self:udp_socket connected_stream_socket_perms; + +-allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t) + logging_log_filetrans(snmpd_t, snmpd_log_t, file) + + manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t) + kernel_read_fs_sysctls(snmpd_t) + kernel_read_net_sysctls(snmpd_t) + kernel_read_network_state(snmpd_t) ++kernel_read_proc_symlinks(snmpd_t) ++kernel_read_all_proc(snmpd_t) + kernel_read_system_state(snmpd_t) + + corecmd_exec_bin(snmpd_t) + corecmd_exec_shell(snmpd_t) + +-corenet_all_recvfrom_unlabeled(snmpd_t) + corenet_all_recvfrom_netlabel(snmpd_t) + corenet_tcp_sendrecv_generic_if(snmpd_t) + corenet_udp_sendrecv_generic_if(snmpd_t) +@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t) + corenet_tcp_sendrecv_snmp_port(snmpd_t) + corenet_udp_sendrecv_snmp_port(snmpd_t) + +-corenet_sendrecv_snmp_client_packets(snmpd_t) + corenet_tcp_connect_agentx_port(snmpd_t) +-corenet_sendrecv_snmp_server_packets(snmpd_t) + corenet_tcp_bind_agentx_port(snmpd_t) + corenet_udp_bind_agentx_port(snmpd_t) + corenet_tcp_sendrecv_agentx_port(snmpd_t) +@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t) + domain_read_all_domains_state(snmpd_t) + domain_exec_all_entry_files(snmpd_t) + +-files_read_usr_files(snmpd_t) + files_read_etc_runtime_files(snmpd_t) + files_search_home(snmpd_t) + +@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t) + + init_read_utmp(snmpd_t) + init_dontaudit_write_utmp(snmpd_t) ++# need write to /var/run/systemd/notify 
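Review bot: Replacing `allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };` with `manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)` additionally grants write, unlink and rename on `/var/log/snmpd.log`, so a compromised snmpd could truncate or delete its own audit trail; the append-only form was deliberate log-integrity hardening. Unless snmpd rotates its own log file, keep the original line, or document in a comment why full manage is required. The `create_stream_socket_perms`/`connectto` changes on self sockets look fine.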
++init_write_pid_socket(snmpd_t) + + logging_send_syslog_msg(snmpd_t) + +-miscfiles_read_localization(snmpd_t) ++sysnet_read_config(snmpd_t) + + seutil_dontaudit_search_config(snmpd_t) + +@@ -131,7 +133,11 @@ optional_policy(` + ') + + optional_policy(` +- corosync_stream_connect(snmpd_t) ++ fstools_domtrans(snmpd_t) ++') ++ ++optional_policy(` ++ rhcs_stream_connect_cluster(snmpd_t) + ') + + optional_policy(` +diff --git a/snort.if b/snort.if +index 7d86b34..5f58180 100644 +--- a/snort.if ++++ b/snort.if +@@ -42,8 +42,11 @@ interface(`snort_admin',` + type snort_etc_t, snort_initrc_exec_t; + ') + +- allow $1 snort_t:process { ptrace signal_perms }; ++ allow $1 snort_t:process signal_perms; + ps_process_pattern($1, snort_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 snort_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, snort_initrc_exec_t) + domain_system_change_exemption($1) +@@ -51,11 +54,11 @@ interface(`snort_admin',` + allow $2 system_r; + + admin_pattern($1, snort_etc_t) +- files_search_etc($1) ++ files_list_etc($1) + + admin_pattern($1, snort_log_t) +- logging_search_logs($1) ++ logging_list_logs($1) + + admin_pattern($1, snort_var_run_t) +- files_search_pids($1) ++ files_list_pids($1) + ') +diff --git a/snort.te b/snort.te +index ccd28bb..80106ac 100644 +--- a/snort.te ++++ b/snort.te +@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) + allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; + dontaudit snort_t self:capability sys_tty_config; + allow snort_t self:process signal_perms; ++allow snort_t self:netlink_route_socket create_netlink_socket_perms; + allow snort_t self:netlink_socket create_socket_perms; +-allow snort_t self:tcp_socket { accept listen }; ++allow snort_t self:tcp_socket create_stream_socket_perms; ++allow snort_t self:udp_socket create_socket_perms; + allow snort_t self:packet_socket create_socket_perms; + allow snort_t self:socket create_socket_perms; ++# Snort IPS node. unverified. 
+ allow snort_t self:netlink_firewall_socket create_socket_perms;
+ 
+ allow snort_t snort_etc_t:dir list_dir_perms;
+@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
+ kernel_dontaudit_read_system_state(snort_t)
+ kernel_read_network_state(snort_t)
+ 
+-corenet_all_recvfrom_unlabeled(snort_t)
+ corenet_all_recvfrom_netlabel(snort_t)
+ corenet_tcp_sendrecv_generic_if(snort_t)
+ corenet_udp_sendrecv_generic_if(snort_t)
+@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
+ 
+ domain_use_interactive_fds(snort_t)
+ 
+-files_read_etc_files(snort_t)
+ files_dontaudit_read_etc_runtime_files(snort_t)
+ 
+ fs_getattr_all_fs(snort_t)
+ fs_search_auto_mountpoints(snort_t)
+ 
++auth_read_passwd(snort_t)
++
+ init_read_utmp(snort_t)
+ 
+ logging_send_syslog_msg(snort_t)
+ 
+-miscfiles_read_localization(snort_t)
+-
+ sysnet_dns_name_resolve(snort_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(snort_t)
+diff --git a/sosreport.if b/sosreport.if
+index 634c6b4..e1edfd9 100644
+--- a/sosreport.if
++++ b/sosreport.if
+@@ -42,7 +42,7 @@ interface(`sosreport_run',`
+ ')
+ 
+ sosreport_domtrans($1)
+- roleattribute $2 sospreport_roles;
++ roleattribute $2 sosreport_roles;
+ ')
+ 
+ ########################################
+diff --git a/sosreport.te b/sosreport.te
+index 703efa3..9610be1 100644
+--- a/sosreport.te
++++ b/sosreport.te
+@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
+ type sosreport_tmpfs_t;
+ files_tmpfs_file(sosreport_tmpfs_t)
+ 
++type sosreport_var_run_t;
++files_pid_file(sosreport_var_run_t)
++
+ optional_policy(`
+ pulseaudio_tmpfs_content(sosreport_tmpfs_t)
+ ')
+@@ -29,10 +32,13 @@ optional_policy(`
+ #
+ 
+ allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
++dontaudit sosreport_t self:capability { sys_ptrace };
+ allow sosreport_t self:process { setsched signull };
+ allow sosreport_t self:fifo_file rw_fifo_file_perms;
+ allow sosreport_t self:tcp_socket { accept listen };
+ allow sosreport_t self:unix_stream_socket { 
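Review bot: The new comment `# Snort IPS node. unverified.` is inserted above the pre-existing `netlink_firewall_socket` rule rather than above anything this hunk adds, and "unverified" tells the next maintainer nothing actionable. Either verify it or state what is suspected and how to confirm, e.g. `# netlink_firewall_socket: presumably inline (IPS) mode via ip_queue/NFQUEUE -- TODO confirm with an AVC`. The added `netlink_route_socket`/`udp_socket` rules are reasonable for an IDS that resolves names and enumerates interfaces.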
accept listen }; ++allow sosreport_t self:rawip_socket create_socket_perms; ++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") + files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) + ++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) ++ + manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) + fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) + +@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t) + dev_read_urand(sosreport_t) + dev_read_raw_memory(sosreport_t) + dev_read_sysfs(sosreport_t) ++dev_rw_generic_usb_dev(sosreport_t) ++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) + + domain_getattr_all_domains(sosreport_t) + domain_read_all_domains_state(sosreport_t) +@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t) + domain_getattr_all_pipes(sosreport_t) + + files_getattr_all_sockets(sosreport_t) ++files_getattr_all_files(sosreport_t) ++files_getattr_all_pipes(sosreport_t) + files_exec_etc_files(sosreport_t) + files_list_all(sosreport_t) + files_read_config_files(sosreport_t) + files_read_generic_tmp_files(sosreport_t) + files_read_non_auth_files(sosreport_t) +-files_read_usr_files(sosreport_t) + files_read_var_lib_files(sosreport_t) + files_read_var_symlinks(sosreport_t) + files_read_kernel_modules(sosreport_t) +@@ 
-79,27 +95,42 @@ files_manage_etc_runtime_files(sosreport_t) + files_etc_filetrans_etc_runtime(sosreport_t, file) + + fs_getattr_all_fs(sosreport_t) ++fs_getattr_all_dirs(sosreport_t) + fs_list_inotifyfs(sosreport_t) + + storage_dontaudit_read_fixed_disk(sosreport_t) + storage_dontaudit_read_removable_device(sosreport_t) + ++term_getattr_pty_fs(sosreport_t) ++term_getattr_all_ptys(sosreport_t) ++term_use_generic_ptys(sosreport_t) ++ ++# some config files do not have configfile attribute ++# sosreport needs to read various files on system ++files_read_non_security_files(sosreport_t) ++ + auth_use_nsswitch(sosreport_t) ++auth_dontaudit_read_shadow(sosreport_t) + + init_domtrans_script(sosreport_t) ++init_getattr_initctl(sosreport_t) + + libs_domtrans_ldconfig(sosreport_t) + + logging_read_all_logs(sosreport_t) + logging_send_syslog_msg(sosreport_t) + +-miscfiles_read_localization(sosreport_t) ++sysnet_read_config(sosreport_t) + +-modutils_read_module_deps(sosreport_t) + + optional_policy(` + abrt_manage_pid_files(sosreport_t) + abrt_manage_cache(sosreport_t) ++ abrt_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ brctl_domtrans(sosreport_t) + ') + + optional_policy(` +@@ -111,6 +142,11 @@ optional_policy(` + ') + + optional_policy(` ++ # needed by modinfo ++ modutils_read_module_deps(sosreport_t) ++') ++ ++optional_policy(` + fstools_domtrans(sosreport_t) + ') + +diff --git a/soundserver.if b/soundserver.if +index a5abc5a..b9eff74 100644 +--- a/soundserver.if ++++ b/soundserver.if +@@ -38,9 +38,13 @@ interface(`soundserver_admin',` + type soundd_state_t; + ') + +- allow $1 soundd_t:process { ptrace signal_perms }; ++ allow $1 soundd_t:process signal_perms; + ps_process_pattern($1, soundd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 soundd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, soundd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 soundd_initrc_exec_t system_r; +diff --git a/soundserver.te 
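Review bot: `files_read_non_security_files(sosreport_t)` grants read on every non-security file type on the system, which makes the narrower `files_read_config_files`, `files_read_generic_tmp_files`, `files_read_var_lib_files` and `files_read_non_auth_files` visible as context in the previous hunk dead rules. If the motivation in the comment is only config files lacking the `configfile` attribute, the usual fix is to give those types the attribute rather than widen the reader; if the broad rule is intentional, remove the now-redundant calls and reword the comment to say sosreport deliberately reads all non-security content. `auth_dontaudit_read_shadow(sosreport_t)` is the right call here. The rest of sosreport_t's rules continue outside this chunk.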
b/soundserver.te +index db1bc6f..b6c0d16 100644 +--- a/soundserver.te ++++ b/soundserver.te +@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t) + kernel_list_proc(soundd_t) + kernel_read_proc_symlinks(soundd_t) + +-corenet_all_recvfrom_unlabeled(soundd_t) + corenet_all_recvfrom_netlabel(soundd_t) + corenet_tcp_sendrecv_generic_if(soundd_t) + corenet_tcp_sendrecv_generic_node(soundd_t) +@@ -81,7 +80,6 @@ dev_write_sound(soundd_t) + + domain_use_interactive_fds(soundd_t) + +-files_read_etc_files(soundd_t) + files_read_etc_runtime_files(soundd_t) + + fs_getattr_all_fs(soundd_t) +@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t) + + logging_send_syslog_msg(soundd_t) + +-miscfiles_read_localization(soundd_t) +- + sysnet_read_config(soundd_t) + + userdom_dontaudit_use_unpriv_user_fds(soundd_t) +diff --git a/spamassassin.fc b/spamassassin.fc +index e9bd097..e059e27 100644 +--- a/spamassassin.fc ++++ b/spamassassin.fc +@@ -1,20 +1,26 @@ +-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) ++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.spamd(/.*)? 
gen_context(system_u:object_r:spamc_home_t,s0) + + /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + + /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) + /usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) +-/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) +-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) ++/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) + /usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) + +-/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +-/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) + /usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) +-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) + + /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) + /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) +@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + + /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +-/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +-/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/spamd(/.*)? 
gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+ /var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++
++/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
++/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++
++/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
++
++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++
++/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
++/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
++
++/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
++/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
+diff --git a/spamassassin.if b/spamassassin.if
+index 1499b0b..6950cab 100644
+--- a/spamassassin.if
++++ b/spamassassin.if
+@@ -2,39 +2,45 @@
+ 
+ ########################################
+ ##
+-## Role access for spamassassin.
++## Role access for spamassassin
+ ##
+ ##
+ ##
+-## Role allowed access.
++## Role allowed access
+ ##
+ ##
+ ##
+ ##
+-## User domain for the role.
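Review bot: The new `/etc/pyzor(/.*)?` entry writes `gen_context(system_u:object_r:spamd_etc_t, s0)` with a space before `s0`, unlike every other line in the file; m4 strips leading whitespace from macro arguments so it most likely still expands, but keep the file uniform with `/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)`. Note also that `spamd_etc_t` and `spamc_home_t`, which these entries and the `HOME_DIR`/`/root` entries above rely on, are declared only inside the `ifdef(`distro_redhat'` branch of spamassassin.te in this same patch, so the file contexts cannot resolve on a build without that define.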
++## User domain for the role
+ ##
+ ##
++##
+ #
+ interface(`spamassassin_role',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamc_tmp_t;
+- type spamassassin_t, spamassassin_exec_t, spamd_home_t;
++ type spamassassin_t, spamassassin_exec_t;
+ type spamassassin_home_t, spamassassin_tmp_t;
+ ')
+ 
+ role $1 types { spamc_t spamassassin_t };
+ 
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
++
++ allow $2 spamassassin_t:process signal_perms;
++ ps_process_pattern($2, spamassassin_t)
++
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
+ 
+- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
+- ps_process_pattern($2, { spamc_t spamassassin_t })
++ allow $2 spamc_t:process signal_perms;
++ ps_process_pattern($2, spamc_t)
+ 
+- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
+- userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
++ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ ')
+ 
+ ########################################
+@@ -53,13 +59,12 @@ interface(`spamassassin_exec',`
+ type spamassassin_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ can_exec($1, spamassassin_exec_t)
+ ')
+ 
+ ########################################
+ ##
+-## Send generic
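Review bot: `gen_require` in spamassassin_role still declares `spamc_tmp_t` and `spamassassin_tmp_t`, but the rewritten body no longer references either type now that the manage/relabel rules on the tmp types are gone; trim it to `type spamc_t, spamc_exec_t;` and `type spamassassin_t, spamassassin_exec_t, spamassassin_home_t;` so the require list matches what the interface uses. The role also loses the `.spamassassin`/`.spamd` name transitions, so a user domain that creates those directories itself will no longer get them labeled unless the caller additionally invokes the new `spamassassin_filetrans_home_content`; if that split is intentional, state it in the summary, e.g. `## Role access for spamassassin; home directory name transitions are provided separately by spamassassin_filetrans_home_content.`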
signals to spamd.
++## Singnal the spam assassin daemon
+ ##
+ ##
+ ##
+@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',`
+ 
+ ########################################
+ ##
+-## Execute spamd in the caller domain.
++## Execute the spamassassin daemon
++## program in the caller directory.
+ ##
+ ##
+ ##
+@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',`
+ type spamd_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ can_exec($1, spamd_exec_t)
+ ')
+ 
+ ########################################
+ ##
+-## Execute spamc in the spamc domain.
++## Execute spamassassin client in the spamassassin client domain.
+ ##
+ ##
+ ##
+@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',`
+ type spamc_t, spamc_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ domtrans_pattern($1, spamc_exec_t, spamc_t)
++ allow $1 spamc_exec_t:file ioctl;
+ ')
+ 
+ ########################################
+ ##
+-## Execute spamc in the caller domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`spamassassin_exec_client',`
+- gen_require(`
+- type spamc_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- can_exec($1, spamc_exec_t)
+-')
+-
+-########################################
+-##
+-## Send kill signals to spamc.
++## Send kill signal to spamassassin client
+ ##
+ ##
+ ##
+@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',`
+ 
+ ########################################
+ ##
+-## Execute spamassassin standalone client
+-## in the user spamassassin domain.
++## Manage spamc home files.
+ ##
+ ##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
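Review bot: `allow $1 spamc_exec_t:file ioctl;` is added directly after `domtrans_pattern($1, spamc_exec_t, spamc_t)` with no comment; if the exec permission set the pattern uses already includes ioctl the line is dead, and if it does not, the reason belongs next to it, e.g. `# ioctl on the client binary is needed by <calling program> — TODO confirm`. Dropping `corecmd_search_bin($1)` here and in the `@@ -53`, `@@ -90` and `@@ -152` hunks moves the bin-directory search requirement onto every caller, which only works if all callers already have it; a short note in the interface summaries would make that expectation visible. The summary `Singnal the spam assassin daemon` should read `Signal the spamassassin daemon.`.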
+ ##
+ ##
+ #
+-interface(`spamassassin_domtrans_local_client',`
++interface(`spamassassin_manage_home_client',`
+ gen_require(`
+- type spamassassin_t, spamassassin_exec_t;
++ type spamc_home_t;
+ ')
+ 
+- corecmd_search_bin($1)
+- domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
++ userdom_search_user_home_dirs($1)
++ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
++ manage_files_pattern($1, spamc_home_t, spamc_home_t)
++ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
+ ')
+ 
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## spamd home content.
++## Read spamc home files.
+ ##
+ ##
+ ##
+@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',`
+ ##
+ ##
+ #
+-interface(`spamassassin_manage_spamd_home_content',`
++interface(`spamassassin_read_home_client',`
+ gen_require(`
+- type spamd_home_t;
++ type spamc_home_t;
+ ')
+ 
+ userdom_search_user_home_dirs($1)
+- allow $1 spamd_home_t:dir manage_dir_perms;
+- allow $1 spamd_home_t:file manage_file_perms;
+- allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
++ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
++ read_files_pattern($1, spamc_home_t, spamc_home_t)
++ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
+ ')
+ 
+ ########################################
+ ##
+-## Relabel spamd home content.
++## Execute the spamassassin client
++## program in the caller directory.
+ ##
+ ##
+ ##
+@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',`
+ ##
+ ##
+ #
+-interface(`spamassassin_relabel_spamd_home_content',`
++interface(`spamassassin_exec_client',`
+ gen_require(`
+- type spamd_home_t;
++ type spamc_exec_t;
+ ')
+ 
+- userdom_search_user_home_dirs($1)
+- allow $1 spamd_home_t:dir relabel_dir_perms;
+- allow $1 spamd_home_t:file relabel_file_perms;
+- allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
++ can_exec($1, spamc_exec_t)
+ ')
+ 
+ ########################################
+ ##
+-## Create objects in user home
+-## directories with the spamd home type.
++## Execute spamassassin standalone client in the user spamassassin domain.
+ ##
+ ##
+ ##
+-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
++## Domain allowed to transition.
+ ##
+ ##
+ #
+-interface(`spamassassin_home_filetrans_spamd_home',`
++interface(`spamassassin_domtrans_local_client',`
+ gen_require(`
+- type spamd_home_t;
++ type spamassassin_t, spamassassin_exec_t;
+ ')
+ 
+- userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
++ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+ ')
+ 
+ ########################################
+ ##
+-## Read spamd lib files.
++## read spamd lib files.
+ ##
+ ##
+ ##
+@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
+ ')
+ 
+ files_search_var_lib($1)
++ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
++ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+ ')
+ 
+ ########################################
+@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',`
+ 
+ ########################################
+ ##
+-## Read spamd pid files.
++## Read temporary spamd file.
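Review bot: `spamassassin_manage_spamd_home_content` is removed here, and `spamassassin_relabel_spamd_home_content` and `spamassassin_home_filetrans_spamd_home` in the `@@ -202` hunk, with no deprecated wrapper left behind, so any other module still calling them fails to build. The same applies to the renames `spamassassin_read_spamd_pid_files` → `spamassassin_read_pid_files` and `spamassassin_stream_connect_spamd` → `spamd_stream_connect` (`@@ -291`, `@@ -348`) and `spamassassin_admin` → `spamassassin_spamd_admin` (`@@ -369`). Where a replacement exists, keep the old name as a thin wrapper that warns and forwards, as below for the manage interface; the relabel and filetrans interfaces have no one-to-one replacement (relabel on the home type is now only granted through `spamassassin_role`), so their callers need to be found and updated.
```m4
interface(`spamassassin_manage_spamd_home_content',`
	refpolicywarn(`$0($*) has been deprecated, please use spamassassin_manage_home_client() instead.')
	spamassassin_manage_home_client($1)
')
```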
+ ##
+ ##
+ ##
+@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',`
+ ##
+ ##
+ #
+-interface(`spamassassin_read_spamd_pid_files',`
++interface(`spamassassin_read_spamd_tmp_files',`
+ gen_require(`
+- type spamd_var_run_t;
++ type spamd_tmp_t;
+ ')
+ 
+- files_search_pids($1)
+- read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
++ files_search_tmp($1)
++ allow $1 spamd_tmp_t:file read_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Read temporary spamd files.
++## Do not audit attempts to get attributes of temporary
++## spamd sockets/
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`spamassassin_read_spamd_tmp_files',`
++interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ gen_require(`
+ type spamd_tmp_t;
+ ')
+ 
+- allow $1 spamd_tmp_t:file read_file_perms;
++ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+ 
+ ########################################
+ ##
+-## Do not audit attempts to get
+-## attributes of temporary spamd sockets.
++## Connect to run spamd.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed to connect.
+ ##
+ ##
+ #
+-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
++interface(`spamd_stream_connect',`
+ gen_require(`
+- type spamd_tmp_t;
++ type spamd_t, spamd_var_run_t;
+ ')
+ 
+- dontaudit $1 spamd_tmp_t:sock_file getattr;
++ files_search_pids($1)
++ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+ ')
+ 
+ ########################################
+ ##
+-## Connect to spamd with a unix
+-## domain stream socket.
++## Read spamd pid files.
+ ##
+ ##
+ ##
+@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`spamassassin_stream_connect_spamd',`
++interface(`spamassassin_read_pid_files',`
+ gen_require(`
+- type spamd_t, spamd_var_run_t;
++ type spamd_var_run_t;
+ ')
+ 
+ files_search_pids($1)
+- stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+ ')
+ 
++######################################
++##
++## Transition to spamassassin named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_filetrans_home_content',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
++ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
++')
++
++######################################
++##
++## Transition to spamassassin named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_filetrans_admin_home_content',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
++')
++
++
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an spamassassin environment.
++## All of the rules required to administrate
++## an spamassassin environment
+ ##
+ ##
+ ##
+@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',`
+ ##
+ ##
+ ##
+-## Role allowed access.
++## The role to be allowed to manage the spamassassin domain.
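Review bot: `spamassassin_read_spamd_tmp_files` now pairs `files_search_tmp($1)` with a bare `allow $1 spamd_tmp_t:file read_file_perms;`, which grants no search on spamd_tmp_t directories; spamd_t creates directories of that type (`files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })` in the .te hunk), so files inside them stay unreadable through this interface, and `read_files_pattern($1, spamd_tmp_t, spamd_tmp_t)` — the form the pid-file interface in the next hunk uses — would cover both. `spamd_stream_connect` is the only interface in the file without the `spamassassin_` module prefix; either rename it or keep `spamassassin_stream_connect_spamd` as the public name. Its summary `Connect to run spamd.` and the `spamd sockets/` line above it read as typos; `Connect to spamd with a unix domain stream socket.` and `spamd sockets.` would do.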
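Review bot: Both new filetrans interfaces transition `.spamassassin` with object class `file` while `.pyzor`, `.spamd` and `.razor` use `dir`; spamassassin.fc labels `HOME_DIR/\.spamassassin(/.*)?` as a directory tree and the rule this replaces (`userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")`, removed from spamassassin_role) used `dir`, so a user domain creating that directory would not receive spamc_home_t. Unless a plain file named `.spamassassin` is really intended, change both to `userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")` and `userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")`. The two interfaces also carry the identical summary `Transition to spamassassin named content`; the admin variant should say it applies to the admin home directory.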
+ ##
+ ##
+-##
+ #
+-interface(`spamassassin_admin',`
++interface(`spamassassin_spamd_admin',`
+ gen_require(`
+ type spamd_t, spamd_tmp_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+ type spamd_initrc_exec_t;
+ ')
+ 
+- allow $1 spamd_t:process { ptrace signal_perms };
++ allow $1 spamd_t:process signal_perms;
+ ps_process_pattern($1, spamd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 spamd_t:process ptrace;
++ ')
+ 
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -403,6 +423,4 @@ interface(`spamassassin_admin',`
+ 
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+-
+- spamassassin_role($2, $1)
+ ')
+diff --git a/spamassassin.te b/spamassassin.te
+index 4faa7e0..4babad1 100644
+--- a/spamassassin.te
++++ b/spamassassin.te
+@@ -1,4 +1,4 @@
+-policy_module(spamassassin, 2.5.8)
++policy_module(spamassassin, 2.5.0)
+ 
+ ########################################
+ #
+@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8)
+ 
+ ##
+ ##
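Review bot: `spamassassin_spamd_admin` still documents a second parameter (`The role to be allowed to manage the spamassassin domain.`), but once `spamassassin_role($2, $1)` is removed in the `@@ -403` hunk nothing in the body uses `$2`, so the role is silently ignored and a caller passing it gets no role access. Either restore the call or drop the `$2` parameter block from the doc comment so the documented signature matches the behaviour. Gating `allow $1 spamd_t:process ptrace;` behind `deny_ptrace` is the right shape and needs no change.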
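Review bot: `policy_module(spamassassin, 2.5.0)` lowers the module version from 2.5.8; policy_module versions are expected to move forward with each change, and a module carrying a lower number than the one already installed reads as an older build to anyone comparing installed module versions. If this is a deliberate rebase onto a different version line, say so in the commit description; otherwise bump to a number above 2.5.8.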

    +-## Determine whether spamassassin +-## clients can use the network. ++## Allow user spamassassin clients to use the network. + ##

    + ##
    + gen_tunable(spamassassin_can_network, false) + + ## + ##

    +-## Determine whether spamd can manage +-## generic user home content. ++## Allow spamd to read/write user home directories. + ##

    + ##
    +-gen_tunable(spamd_enable_home_dirs, false) ++gen_tunable(spamd_enable_home_dirs, true) ++ + + type spamd_update_t; + type spamd_update_exec_t; +-init_system_domain(spamd_update_t, spamd_update_exec_t) +- +-type spamassassin_t; +-type spamassassin_exec_t; +-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; +-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; +-userdom_user_application_domain(spamassassin_t, spamassassin_exec_t) +- +-type spamassassin_home_t; +-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +-userdom_user_home_content(spamassassin_home_t) +- +-type spamassassin_tmp_t; +-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; +-userdom_user_tmp_file(spamassassin_tmp_t) +- +-type spamc_t; +-type spamc_exec_t; +-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; +-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; +-userdom_user_application_domain(spamc_t, spamc_exec_t) +- +-type spamc_tmp_t; +-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; +-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +-userdom_user_tmp_file(spamc_tmp_t) ++application_domain(spamd_update_t, spamd_update_exec_t) ++role system_r types spamd_update_t; + + type spamd_t; + type spamd_exec_t; +@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) + type spamd_compiled_t; + files_type(spamd_compiled_t) + +-type spamd_etc_t; +-files_config_file(spamd_etc_t) +- +-type spamd_home_t; +-userdom_user_home_content(spamd_home_t) +- + type spamd_initrc_exec_t; + 
init_script_file(spamd_initrc_exec_t) + +@@ -72,87 +39,196 @@ type spamd_log_t; + logging_log_file(spamd_log_t) + + type spamd_spool_t; +-files_type(spamd_spool_t) ++files_spool_file(spamd_spool_t) + + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) + ++# var/lib files + type spamd_var_lib_t; + files_type(spamd_var_lib_t) + + type spamd_var_run_t; + files_pid_file(spamd_var_run_t) + +-######################################## ++ifdef(`distro_redhat',` ++ # spamassassin client executable ++ type spamc_t; ++ type spamc_exec_t; ++ application_domain(spamc_t, spamc_exec_t) ++ role system_r types spamc_t; ++ ++ type spamd_etc_t; ++ files_config_file(spamd_etc_t) ++ ++ typealias spamc_exec_t alias spamassassin_exec_t; ++ typealias spamc_t alias spamassassin_t; ++ ++ type spamc_home_t; ++ userdom_user_home_content(spamc_home_t) ++ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; ++ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; ++ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; ++ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; ++ ++ type spamc_tmp_t; ++ files_tmp_file(spamc_tmp_t) ++ typealias spamc_tmp_t alias spamassassin_tmp_t; ++ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; ++ ++ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; ++ typealias spamc_t alias pyzor_t; ++ typealias spamc_exec_t alias pyzor_exec_t; ++ typealias spamd_t alias pyzord_t; ++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; ++ typealias spamd_exec_t alias pyzord_exec_t; ++ typealias spamc_tmp_t alias pyzor_tmp_t; ++ typealias 
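Review bot: `gen_tunable(spamd_enable_home_dirs, true)` flips the default from false, so a fresh install now grants spamd_t `userdom_manage_user_home_content_{dirs,files,symlinks}` (the tunable block later in this file) without an administrator opting in; that widens what a compromised spamd can write in every user's home by default. Keep the default at `false`, or if this distribution deliberately ships it on, say so in the description so it is visible in the generated booleans documentation, e.g. `Allow spamd to read and write user home directories (enabled by default on this distribution).`. Both `<desc>` blocks appear here with their paragraph markup split across lines; confirm the markup is intact in the actual patch file.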
spamd_log_t alias pyzor_log_t; ++ typealias spamd_log_t alias pyzord_log_t; ++ typealias spamd_var_lib_t alias pyzor_var_lib_t; ++ typealias spamd_etc_t alias pyzor_etc_t; ++ typealias spamc_home_t alias pyzor_home_t; ++ typealias spamc_home_t alias user_pyzor_home_t; ++ typealias spamc_t alias razor_t; ++ typealias spamc_exec_t alias razor_exec_t; ++ typealias spamd_log_t alias razor_log_t; ++ typealias spamd_var_lib_t alias razor_var_lib_t; ++ typealias spamd_etc_t alias razor_etc_t; ++ typealias spamc_home_t alias razor_home_t; ++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; ++ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; ++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; ++',` ++ type spamassassin_t; ++ type spamassassin_exec_t; ++ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; ++ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; ++ application_domain(spamassassin_t, spamassassin_exec_t) ++ ubac_constrained(spamassassin_t) ++ ++ type spamassassin_home_t; ++ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; ++ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; ++ userdom_user_home_content(spamassassin_home_t) ++ ++ type spamassassin_tmp_t; ++ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; ++ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; ++ files_tmp_file(spamassassin_tmp_t) ++ ubac_constrained(spamassassin_tmp_t) ++ ++ type spamc_t; ++ type spamc_exec_t; ++ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; ++ typealias spamc_t alias { 
auditadm_spamc_t secadm_spamc_t }; ++ application_domain(spamc_t, spamc_exec_t) ++ ubac_constrained(spamc_t) ++ ++ type spamc_tmp_t; ++ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; ++ files_tmp_file(spamc_tmp_t) ++ ubac_constrained(spamc_tmp_t) ++') ++ ++############################## + # +-# Standalone local policy ++# Standalone program local policy + # + + allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow spamassassin_t self:fd use; + allow spamassassin_t self:fifo_file rw_fifo_file_perms; ++allow spamassassin_t self:sock_file read_sock_file_perms; ++allow spamassassin_t self:unix_dgram_socket create_socket_perms; ++allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; + allow spamassassin_t self:unix_dgram_socket sendto; +-allow spamassassin_t self:unix_stream_socket { accept connectto listen }; ++allow spamassassin_t self:unix_stream_socket connectto; ++allow spamassassin_t self:shm create_shm_perms; ++allow spamassassin_t self:sem create_sem_perms; ++allow spamassassin_t self:msgq create_msgq_perms; ++allow spamassassin_t self:msg { send receive }; + + manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin") + + manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) + manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) + files_tmp_filetrans(spamassassin_t, 
spamassassin_tmp_t, { file dir }) + ++manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++userdom_home_manager(spamassassin_t) ++ + kernel_read_kernel_sysctls(spamassassin_t) + + dev_read_urand(spamassassin_t) + +-fs_getattr_all_fs(spamassassin_t) + fs_search_auto_mountpoints(spamassassin_t) ++fs_getattr_all_fs(spamassassin_t) ++ ++# this should probably be removed ++corecmd_list_bin(spamassassin_t) ++corecmd_read_bin_symlinks(spamassassin_t) ++corecmd_read_bin_files(spamassassin_t) ++corecmd_read_bin_pipes(spamassassin_t) ++corecmd_read_bin_sockets(spamassassin_t) + + domain_use_interactive_fds(spamassassin_t) + +-files_read_etc_files(spamassassin_t) + files_read_etc_runtime_files(spamassassin_t) + files_list_home(spamassassin_t) +-files_read_usr_files(spamassassin_t) + files_dontaudit_search_var(spamassassin_t) + + logging_send_syslog_msg(spamassassin_t) + +-miscfiles_read_localization(spamassassin_t) ++# cjp: this could probably be removed ++seutil_read_config(spamassassin_t) + + sysnet_dns_name_resolve(spamassassin_t) + ++# set tunable if you have spamassassin do DNS lookups + tunable_policy(`spamassassin_can_network',` +- allow spamassassin_t self:tcp_socket { accept listen }; ++ allow spamassassin_t self:tcp_socket create_stream_socket_perms; ++ allow spamassassin_t self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled(spamassassin_t) +- corenet_all_recvfrom_netlabel(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) ++ corenet_udp_sendrecv_generic_if(spamassassin_t) + corenet_tcp_sendrecv_generic_node(spamassassin_t) ++ corenet_udp_sendrecv_generic_node(spamassassin_t) + 
corenet_tcp_sendrecv_all_ports(spamassassin_t) +- ++ corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) ++ corenet_udp_bind_generic_node(spamassassin_t) ++ corenet_udp_bind_generic_port(spamassassin_t) ++ corenet_dontaudit_udp_bind_all_ports(spamassassin_t) ++ ++ sysnet_read_config(spamassassin_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamassassin_t) +- fs_manage_nfs_files(spamassassin_t) +- fs_manage_nfs_symlinks(spamassassin_t) ++tunable_policy(`spamd_enable_home_dirs',` ++ userdom_manage_user_home_content_dirs(spamd_t) ++ userdom_manage_user_home_content_files(spamd_t) ++ userdom_manage_user_home_content_symlinks(spamd_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamassassin_t) +- fs_manage_cifs_files(spamassassin_t) +- fs_manage_cifs_symlinks(spamassassin_t) ++optional_policy(` ++ # Write pid file and socket in ~/.evolution/cache/tmp ++ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) + ') + + optional_policy(` +- tunable_policy(`spamassassin_can_network && allow_ypbind',` ++ tunable_policy(`spamassassin_can_network && nis_enabled',` + nis_use_ypbind_uncond(spamassassin_t) + ') + ') +@@ -160,6 +236,8 @@ optional_policy(` + optional_policy(` + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) ++ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) ++ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) + ') + + ######################################## +@@ -167,72 +245,85 @@ optional_policy(` + # Client local policy + # + +-allow spamc_t self:capability dac_override; + allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow spamc_t self:fd use; + allow spamc_t self:fifo_file rw_fifo_file_perms; ++allow spamc_t self:sock_file read_sock_file_perms; ++allow spamc_t self:shm create_shm_perms; ++allow spamc_t self:sem 
create_sem_perms; ++allow spamc_t self:msgq create_msgq_perms; ++allow spamc_t self:msg { send receive }; ++allow spamc_t self:unix_dgram_socket create_socket_perms; ++allow spamc_t self:unix_stream_socket create_stream_socket_perms; + allow spamc_t self:unix_dgram_socket sendto; +-allow spamc_t self:unix_stream_socket { accept connectto listen }; +-allow spamc_t self:tcp_socket { accept listen }; ++allow spamc_t self:unix_stream_socket connectto; ++allow spamc_t self:tcp_socket create_stream_socket_perms; ++allow spamc_t self:udp_socket create_socket_perms; ++ ++can_exec(spamc_t, spamc_exec_t) + + manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) + manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) + files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + +-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin") ++manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++userdom_append_user_home_content_files(spamc_t) ++# for /root/.pyzor ++allow spamc_t self:capability dac_override; + + list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) ++# Allow connecting to a local spamd ++allow spamc_t spamd_t:unix_stream_socket 
connectto; ++allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; ++spamd_stream_connect(spamc_t) ++allow spamc_t spamd_tmp_t:file read_inherited_file_perms; + + kernel_read_kernel_sysctls(spamc_t) + kernel_read_system_state(spamc_t) + +-corenet_all_recvfrom_unlabeled(spamc_t) ++corecmd_exec_bin(spamc_t) ++ + corenet_all_recvfrom_netlabel(spamc_t) + corenet_tcp_sendrecv_generic_if(spamc_t) ++corenet_udp_sendrecv_generic_if(spamc_t) + corenet_tcp_sendrecv_generic_node(spamc_t) ++corenet_udp_sendrecv_generic_node(spamc_t) + corenet_tcp_sendrecv_all_ports(spamc_t) +- +-corenet_sendrecv_all_client_packets(spamc_t) ++corenet_udp_sendrecv_all_ports(spamc_t) + corenet_tcp_connect_all_ports(spamc_t) ++corenet_sendrecv_all_client_packets(spamc_t) ++corenet_tcp_connect_spamd_port(spamc_t) + +-corecmd_exec_bin(spamc_t) ++fs_search_auto_mountpoints(spamc_t) + +-domain_use_interactive_fds(spamc_t) ++# cjp: these should probably be removed: ++corecmd_list_bin(spamc_t) ++corecmd_read_bin_symlinks(spamc_t) ++corecmd_read_bin_files(spamc_t) ++corecmd_read_bin_pipes(spamc_t) ++corecmd_read_bin_sockets(spamc_t) + +-fs_getattr_all_fs(spamc_t) +-fs_search_auto_mountpoints(spamc_t) ++domain_use_interactive_fds(spamc_t) + + files_read_etc_runtime_files(spamc_t) +-files_read_usr_files(spamc_t) + files_dontaudit_search_var(spamc_t) ++# cjp: this may be removable: + files_list_home(spamc_t) + files_list_var_lib(spamc_t) + +-auth_use_nsswitch(spamc_t) ++fs_search_auto_mountpoints(spamc_t) + + logging_send_syslog_msg(spamc_t) + +-miscfiles_read_localization(spamc_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamc_t) +- fs_manage_nfs_files(spamc_t) +- fs_manage_nfs_symlinks(spamc_t) +-') ++auth_use_nsswitch(spamc_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamc_t) +- fs_manage_cifs_files(spamc_t) +- fs_manage_cifs_symlinks(spamc_t) +-') ++userdom_home_manager(spamc_t) + + optional_policy(` + abrt_stream_connect(spamc_t) +@@ -243,6 +334,7 @@ 
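Review bot: `spamc_home_t` and `spamd_etc_t` are declared only inside the `ifdef(`distro_redhat',` branch, yet rules outside it use them unconditionally (`manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)` in this hunk, `rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)` and `read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)` in later hunks, and all of spamassassin.fc), so the module only builds when distro_redhat is defined; declare those types in both branches or move the rules inside the ifdef. The spamd_t manage rules for spamassassin_home_t added under the `Standalone program local policy` heading belong in the server section, where they already subsume the later read rule on spamc_home_t whenever spamassassin_home_t is its alias. `allow spamc_t spamd_t:unix_stream_socket connectto;` duplicates what `spamd_stream_connect(spamc_t)` grants through stream_connect_pattern, while the replaced `stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, …)` also gave search on spamd_tmp_t directories, which the new `allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;` does not; confirm the socket path under the evolution cache still resolves. The `# this should probably be removed` and `# cjp: …` comments carried into the new corecmd lines should state why the access is kept, or the lines should go.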
optional_policy(` + ') + + optional_policy(` ++ # Allow connection to spamd socket above + evolution_stream_connect(spamc_t) + ') + +@@ -251,52 +343,55 @@ optional_policy(` + ') + + optional_policy(` ++ postfix_domtrans_postdrop(spamc_t) ++ postfix_search_spool(spamc_t) ++ postfix_rw_local_pipes(spamc_t) ++ postfix_rw_inherited_master_pipes(spamc_t) ++') ++ ++optional_policy(` + mta_send_mail(spamc_t) + mta_read_config(spamc_t) + mta_read_queue(spamc_t) +- sendmail_rw_pipes(spamc_t) + sendmail_stub(spamc_t) +-') +- +-optional_policy(` +- postfix_domtrans_postdrop(spamc_t) +- postfix_search_spool(spamc_t) +- postfix_rw_local_pipes(spamc_t) +- postfix_rw_master_pipes(spamc_t) ++ sendmail_rw_pipes(spamc_t) ++ sendmail_dontaudit_rw_tcp_sockets(spamc_t) + ') + + ######################################## + # +-# Daemon local policy ++# Server local policy + # + ++# Spamassassin, when run as root and using per-user config files, ++# setuids to the user running spamc. Comment this if you are not ++# using this ability. 
++ + allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; + dontaudit spamd_t self:capability sys_tty_config; + allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow spamd_t self:fd use; + allow spamd_t self:fifo_file rw_fifo_file_perms; ++allow spamd_t self:sock_file read_sock_file_perms; ++allow spamd_t self:shm create_shm_perms; ++allow spamd_t self:sem create_sem_perms; ++allow spamd_t self:msgq create_msgq_perms; ++allow spamd_t self:msg { send receive }; ++allow spamd_t self:unix_dgram_socket create_socket_perms; ++allow spamd_t self:unix_stream_socket create_stream_socket_perms; + allow spamd_t self:unix_dgram_socket sendto; +-allow spamd_t self:unix_stream_socket { accept connectto listen }; +-allow spamd_t self:tcp_socket { accept listen }; +- +-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + +-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") ++# needed by razor ++rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) + ++can_exec(spamd_t, spamd_compiled_t) + 
manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) + manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) + +-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) + logging_log_filetrans(spamd_t, spamd_log_t, file) + + manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) + +-allow spamd_t spamd_var_lib_t:dir list_dir_perms; ++# var/lib files for spamd ++manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + +@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) + +-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) ++read_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++ ++can_exec(spamd_t, spamd_exec_t) + + kernel_read_all_sysctls(spamd_t) + kernel_read_system_state(spamd_t) + +-corenet_all_recvfrom_unlabeled(spamd_t) + corenet_all_recvfrom_netlabel(spamd_t) + corenet_tcp_sendrecv_generic_if(spamd_t) + corenet_udp_sendrecv_generic_if(spamd_t) +@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) + corenet_tcp_sendrecv_all_ports(spamd_t) + corenet_udp_sendrecv_all_ports(spamd_t) + corenet_tcp_bind_generic_node(spamd_t) +-corenet_udp_bind_generic_node(spamd_t) +- +-corenet_sendrecv_spamd_server_packets(spamd_t) + corenet_tcp_bind_spamd_port(spamd_t) +- +-corenet_sendrecv_razor_client_packets(spamd_t) + corenet_tcp_connect_razor_port(spamd_t) +- +-corenet_sendrecv_smtp_client_packets(spamd_t) + 
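Review bot: `rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)` under `# needed by razor` gives the daemon write access to every file labelled spamd_etc_t, i.e. its own configuration, so the daemon can rewrite the rules it is confined by rather than only razor's state. If razor writes a known set of files, labelling those with a dedicated type and granting rw on that type keeps the rest of the configuration read-only to spamd_t; at minimum the comment should name what is written, e.g. `# needed by razor: rewrites <files razor updates> under /etc`. The hunk also swaps the append/create/setattr rules on spamd_log_t for `manage_files_pattern`, which additionally allows unlinking and rewriting existing logs, and that widening deserves a one-line justification. The local policy section this hunk opens continues past the end of the hunk.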
corenet_tcp_connect_smtp_port(spamd_t) +- +-corenet_sendrecv_generic_server_packets(spamd_t) ++corenet_sendrecv_razor_client_packets(spamd_t) ++corenet_sendrecv_spamd_server_packets(spamd_t) ++# spamassassin 3.1 needs this for its ++# DnsResolver.pm module which binds to ++# random ports >= 1024. ++corenet_udp_bind_generic_node(spamd_t) + corenet_udp_bind_generic_port(spamd_t) +- +-corenet_sendrecv_imaze_server_packets(spamd_t) + corenet_udp_bind_imaze_port(spamd_t) +- + corenet_dontaudit_udp_bind_all_ports(spamd_t) +- +-corecmd_exec_bin(spamd_t) ++corenet_sendrecv_imaze_server_packets(spamd_t) ++corenet_sendrecv_generic_server_packets(spamd_t) + + dev_read_sysfs(spamd_t) + dev_read_urand(spamd_t) + +-domain_use_interactive_fds(spamd_t) +- +-files_read_usr_files(spamd_t) +-files_read_etc_runtime_files(spamd_t) +- + fs_getattr_all_fs(spamd_t) + fs_search_auto_mountpoints(spamd_t) + +-auth_use_nsswitch(spamd_t) + auth_dontaudit_read_shadow(spamd_t) + ++corecmd_exec_bin(spamd_t) ++ ++domain_use_interactive_fds(spamd_t) ++ ++files_read_etc_runtime_files(spamd_t) ++# /var/lib/spamassin ++files_read_var_lib_files(spamd_t) ++ + init_dontaudit_rw_utmp(spamd_t) + ++auth_use_nsswitch(spamd_t) ++ + libs_use_ld_so(spamd_t) + libs_use_shared_libs(spamd_t) + + logging_send_syslog_msg(spamd_t) + +-miscfiles_read_localization(spamd_t) +- +-sysnet_use_ldap(spamd_t) +- + userdom_use_unpriv_users_fds(spamd_t) +- +-tunable_policy(`spamd_enable_home_dirs',` +- userdom_manage_user_home_content_dirs(spamd_t) +- userdom_manage_user_home_content_files(spamd_t) +- userdom_manage_user_home_content_symlinks(spamd_t) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamd_t) +- fs_manage_nfs_files(spamd_t) +- fs_manage_nfs_symlinks(spamd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamd_t) +- fs_manage_cifs_files(spamd_t) +- fs_manage_cifs_symlinks(spamd_t) +-') ++userdom_search_user_home_dirs(spamd_t) ++userdom_home_manager(spamd_t) + + 
optional_policy(` +- amavis_manage_lib_files(spamd_t) ++ antivirus_stream_connect(spamd_t) ++ antivirus_manage_db(spamd_t) + ') + + optional_policy(` +- clamav_stream_connect(spamd_t) ++ exim_manage_spool_dirs(spamd_t) ++ exim_manage_spool_files(spamd_t) + ') + + optional_policy(` +@@ -421,21 +498,13 @@ optional_policy(` + ') + + optional_policy(` +- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) +-') +- +-optional_policy(` +- exim_manage_spool_dirs(spamd_t) +- exim_manage_spool_files(spamd_t) +-') +- +-optional_policy(` + milter_manage_spamass_state(spamd_t) + ') + + optional_policy(` +- mysql_stream_connect(spamd_t) + mysql_tcp_connect(spamd_t) ++ mysql_search_db(spamd_t) ++ mysql_stream_connect(spamd_t) + ') + + optional_policy(` +@@ -443,8 +512,8 @@ optional_policy(` + ') + + optional_policy(` +- postgresql_stream_connect(spamd_t) + postgresql_tcp_connect(spamd_t) ++ postgresql_stream_connect(spamd_t) + ') + + optional_policy(` +@@ -455,7 +524,12 @@ optional_policy(` + optional_policy(` + razor_domtrans(spamd_t) + razor_read_lib_files(spamd_t) +- razor_manage_home_content(spamd_t) ++') ++ ++optional_policy(` ++ tunable_policy(`spamd_enable_home_dirs',` ++ razor_manage_user_home_files(spamd_t) ++ ') + ') + + optional_policy(` +@@ -463,9 +537,9 @@ optional_policy(` + ') + + optional_policy(` ++ mta_send_mail(spamd_t) + sendmail_stub(spamd_t) + mta_read_config(spamd_t) +- mta_send_mail(spamd_t) + ') + + optional_policy(` +@@ -474,32 +548,32 @@ optional_policy(` + + ######################################## + # +-# Update local policy ++# spamd_update local policy + # + +-allow spamd_update_t self:capability dac_override; + allow spamd_update_t self:fifo_file manage_fifo_file_perms; + allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; ++allow spamd_update_t self:capability dac_read_search; ++dontaudit spamd_update_t self:capability dac_override; + + manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) + 
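Review bot: `userdom_home_manager(spamd_t)` is granted unconditionally, while the rules it replaces were gated on `spamd_enable_home_dirs` (and the nfs/cifs home tunables), so that boolean no longer controls whether the daemon can manage user home content; in this patch it only still governs `razor_manage_user_home_files` in a later hunk. If home-directory management is meant to stay opt-in, keep the gate by wrapping the call as tunable_policy(`spamd_enable_home_dirs',` … ') around `userdom_home_manager(spamd_t)`; otherwise the boolean's description needs updating to say what it still controls. The hunk also drops `corenet_all_recvfrom_unlabeled(spamd_t)` and `sysnet_use_ldap(spamd_t)` without comment — presumably intentional, but worth a word in the commit description.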
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+ files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+
++allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
+ manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+ manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+
+-kernel_read_system_state(spamd_update_t)
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
++allow spamd_update_t spamd_tmp_t:file read_file_perms;
+
+-corenet_all_recvfrom_unlabeled(spamd_update_t)
+-corenet_all_recvfrom_netlabel(spamd_update_t)
+-corenet_tcp_sendrecv_generic_if(spamd_update_t)
+-corenet_tcp_sendrecv_generic_node(spamd_update_t)
+-corenet_tcp_sendrecv_all_ports(spamd_update_t)
++allow spamd_update_t spamc_home_t:dir search_dir_perms;
+
+-corenet_sendrecv_http_client_packets(spamd_update_t)
++kernel_read_system_state(spamd_update_t)
++
++# for updating rules
+ corenet_tcp_connect_http_port(spamd_update_t)
+-corenet_tcp_sendrecv_http_port(spamd_update_t)
+
+ corecmd_exec_bin(spamd_update_t)
+ corecmd_exec_shell(spamd_update_t)
+@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t)
+
+ domain_use_interactive_fds(spamd_update_t)
+
+-files_read_usr_files(spamd_update_t)
+
+ auth_use_nsswitch(spamd_update_t)
+ auth_dontaudit_read_shadow(spamd_update_t)
+
+-miscfiles_read_localization(spamd_update_t)
++mta_read_config(spamd_update_t)
+
+-userdom_use_user_terminals(spamd_update_t)
++userdom_search_admin_dir(spamd_update_t)
++userdom_use_inherited_user_ptys(spamd_update_t)
+
+ optional_policy(`
+ cron_system_entry(spamd_update_t, spamd_update_exec_t)
+ ')
+
+-# probably want a solution same as httpd_use_gpg since this will
+-# give spamd_update a path to users gpg keys
+-# optional_policy(`
+-# gpg_domtrans(spamd_update_t)
+-# ')
+-
+ optional_policy(`
+- mta_read_config(spamd_update_t)
++ gpg_domtrans(spamd_update_t)
++
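Review bot: `allow spamd_update_t spamc_home_t:dir search_dir_perms;` is added twice in this hunk — once next to the spamd_tmp_t read rule and again where the corenet_tcp_sendrecv_* lines were removed — so the second copy should go. `allow spamd_update_t spamd_tmp_t:file read_file_perms;` is also redundant with the `manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)` two lines above it, which already covers read. The `# for updating rules` comment could say a little more now that the only remaining network rule is the HTTP connect, e.g. `# rule updates are fetched over HTTP; no other network access is needed`.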
gpg_manage_home_content(spamd_update_t)
+ ')
++
+diff --git a/speedtouch.te b/speedtouch.te
+index 9025dbd..388ce0a 100644
+--- a/speedtouch.te
++++ b/speedtouch.te
+@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
+
+ domain_use_interactive_fds(speedmgmt_t)
+
+-files_read_etc_files(speedmgmt_t)
+-files_read_usr_files(speedmgmt_t)
+
+ fs_getattr_all_fs(speedmgmt_t)
+ fs_search_auto_mountpoints(speedmgmt_t)
+
+ logging_send_syslog_msg(speedmgmt_t)
+
+-miscfiles_read_localization(speedmgmt_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
+ userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
+
+diff --git a/squid.fc b/squid.fc
+index 0a8b0f7..ebbec17 100644
+--- a/squid.fc
++++ b/squid.fc
+@@ -1,12 +1,15 @@
+-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
++/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+
+ /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+
++/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
++
+ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+
+ /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+
+ /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+@@ -15,6 +18,7 @@
+
+ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+
+-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
++/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
++/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+-/var/squidGuard(/.*)?
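Review bot: `gpg_domtrans(spamd_update_t)` and the new `gpg_manage_home_content(spamd_update_t)` are enabled unconditionally, while the hunk deletes the comment that explained why the transition had been left disabled — it gives the update domain a path to users' gpg keys. That concern still holds on the new side; either gate the two calls on a boolean as the removed comment suggested (it pointed at the httpd_use_gpg approach), or keep a comment stating why the access is now acceptable, e.g. `# gpg is needed here because <reason>; note this reaches users' gpg home content`. The optional_policy block this hunk rewrites closes at the final `')` of the hunk.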
gen_context(system_u:object_r:squid_cache_t,s0) ++/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +diff --git a/squid.if b/squid.if +index 5e1f053..e7820bc 100644 +--- a/squid.if ++++ b/squid.if +@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',` + type squid_t; + ') + +- allow $1 squid_t:unix_stream_socket { getattr read write }; ++ allow $1 squid_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',` + ## Domain to not audit. + ##
    + ## +-## + # + interface(`squid_dontaudit_search_cache',` + gen_require(` +@@ -213,9 +212,13 @@ interface(`squid_admin',` + type squid_initrc_exec_t, squid_tmp_t; + ') + +- allow $1 squid_t:process { ptrace signal_perms }; ++ allow $1 squid_t:process signal_perms; + ps_process_pattern($1, squid_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 squid_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, squid_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 squid_initrc_exec_t system_r; +diff --git a/squid.te b/squid.te +index 221c560..fcf6da0 100644 +--- a/squid.te ++++ b/squid.te +@@ -29,7 +29,7 @@ type squid_cache_t; + files_type(squid_cache_t) + + type squid_conf_t; +-files_type(squid_conf_t) ++files_config_file(squid_conf_t) + + type squid_initrc_exec_t; + init_script_file(squid_initrc_exec_t) +@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t) + type squid_log_t; + logging_log_file(squid_log_t) + +-type squid_tmp_t; +-files_tmp_file(squid_tmp_t) +- + type squid_tmpfs_t; + files_tmpfs_file(squid_tmpfs_t) + ++type squid_tmp_t; ++files_tmp_file(squid_tmp_t) ++ + type squid_var_run_t; + files_pid_file(squid_var_run_t) + ++type squid_cron_t; ++type squid_cron_exec_t; ++init_daemon_domain(squid_cron_t, squid_cron_exec_t) ++application_domain(squid_cron_t, squid_cron_exec_t) ++role system_r types squid_cron_t; ++ + ######################################## + # + # Local policy +@@ -74,19 +80,17 @@ allow squid_t squid_conf_t:file read_file_perms; + allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) +-append_files_pattern(squid_t, squid_log_t, squid_log_t) +-create_files_pattern(squid_t, squid_log_t, squid_log_t) +-setattr_files_pattern(squid_t, squid_log_t, squid_log_t) ++manage_files_pattern(squid_t, squid_log_t, squid_log_t) + manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) + logging_log_filetrans(squid_t, squid_log_t, { file dir }) + 
++manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) ++fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) ++ + manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) + manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) + files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) + +-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +-fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) +- + manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) + files_pid_filetrans(squid_t, squid_var_run_t, file) + +@@ -96,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t) + kernel_read_system_state(squid_t) + kernel_read_network_state(squid_t) + +-corenet_all_recvfrom_unlabeled(squid_t) + corenet_all_recvfrom_netlabel(squid_t) + corenet_tcp_sendrecv_generic_if(squid_t) + corenet_udp_sendrecv_generic_if(squid_t) +@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) + corenet_udp_sendrecv_gopher_port(squid_t) + + corenet_sendrecv_squid_server_packets(squid_t) ++corenet_sendrecv_squid_client_packets(squid_t) + corenet_tcp_bind_squid_port(squid_t) + corenet_udp_bind_squid_port(squid_t) + corenet_tcp_sendrecv_squid_port(squid_t) +@@ -156,7 +160,6 @@ dev_read_urand(squid_t) + domain_use_interactive_fds(squid_t) + + files_read_etc_runtime_files(squid_t) +-files_read_usr_files(squid_t) + files_search_spool(squid_t) + files_dontaudit_getattr_tmp_dirs(squid_t) + files_getattr_home_dir(squid_t) +@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t) + logging_send_syslog_msg(squid_t) + + miscfiles_read_generic_certs(squid_t) +-miscfiles_read_localization(squid_t) + + userdom_use_unpriv_users_fds(squid_t) + userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',` + optional_policy(` + apache_content_template(squid) + ++ allow httpd_squid_script_t self:tcp_socket create_socket_perms; ++ + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) + 
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) +@@ -209,18 +213,18 @@ optional_policy(` + corenet_tcp_connect_http_cache_port(httpd_squid_script_t) + corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) + +- sysnet_dns_name_resolve(httpd_squid_script_t) ++ corenet_tcp_connect_squid_port(httpd_squid_script_t) + +- squid_read_config(httpd_squid_script_t) +-') ++ sysnet_dns_name_resolve(httpd_squid_script_t) + +-optional_policy(` +- cron_system_entry(squid_t, squid_exec_t) ++ optional_policy(` ++ squid_read_config(httpd_squid_script_t) ++ ') + ') + + optional_policy(` +- kerberos_manage_host_rcache(squid_t) +- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0") ++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") ++ kerberos_manage_host_rcache(squid_t) + ') + + optional_policy(` +@@ -238,3 +242,24 @@ optional_policy(` + optional_policy(` + udev_read_db(squid_t) + ') ++ ++######################################## ++# ++# squid cron Local policy ++# ++manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t) ++manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t) ++manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t) ++files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid") ++ ++read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t) ++ ++read_files_pattern(squid_cron_t, squid_log_t, squid_log_t) ++ ++corecmd_exec_bin(squid_cron_t) ++ ++dev_read_urand(squid_cron_t) ++ ++optional_policy(` ++ cron_system_entry(squid_cron_t, squid_cron_exec_t) ++') +diff --git a/sssd.fc b/sssd.fc +index dbb005a..45291bb 100644 +--- a/sssd.fc ++++ b/sssd.fc +@@ -1,15 +1,17 @@ + /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) + +-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) ++/etc/sssd(/.*)? 
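Review bot: `files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")` labels a directory created as /var/squid squid_cache_t, but none of the squid.fc entries in this patch cover that path (they cover /var/cache/squid, /var/spool/squid, /var/squidGuard and /var/lightsquid), so a relabel would not reproduce the label; if the cron job's output is /var/lightsquid the name should be `"lightsquid"`, and in any case it should match an fc line. `squid_cron_t` also gets `read_files_pattern` on squid_log_t without `logging_search_logs(squid_cron_t)`, so reaching the log directory depends on rules outside this hunk — worth confirming. The new section is also missing the blank line after its `#` header that the file's other sections keep.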
gen_context(system_u:object_r:sssd_conf_t,s0) + +-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + +-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) + +-/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) ++/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++ ++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + + /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + +-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) ++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) + +-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +diff --git a/sssd.if b/sssd.if +index a240455..16a04bf 100644 +--- a/sssd.if ++++ b/sssd.if +@@ -1,21 +1,21 @@ +-## System Security Services Daemon. ++## System Security Services Daemon + + ####################################### + ## +-## Get attributes of sssd executable files. ++## Allow a domain to getattr on sssd binary. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`sssd_getattr_exec',` +- gen_require(` +- type sssd_exec_t; +- ') ++ gen_require(` ++ type sssd_t, sssd_exec_t; ++ ') + +- allow $1 sssd_exec_t:file getattr_file_perms; ++ allow $1 sssd_exec_t:file getattr; + ') + + ######################################## +@@ -33,14 +33,12 @@ interface(`sssd_domtrans',` + type sssd_t, sssd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, sssd_exec_t, sssd_t) + ') + + ######################################## + ## +-## Execute sssd init scripts in +-## the initrc domain. ++## Execute sssd server in the sssd domain. 
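Review bot: `/var/run/sssd.pid` replaces `/var/run/sssd\.pid`, dropping the escape; file-context paths are regular expressions, so the unescaped `.` now matches any single character. Keep the original spelling, `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`. The other rewritten lines in this hunk change only spacing, so the lost backslash looks accidental rather than intended.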
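Review bot: `sssd_getattr_exec` now requires `type sssd_t, sssd_exec_t;` but its body only uses `sssd_exec_t`, so the extra require needlessly ties every caller's optional block to the full sssd module; revert to `type sssd_exec_t;`. The rewritten parameter doc says `Domain allowed to transition.`, which is the wording for a domtrans interface — this one only grants getattr, so it should read `Domain allowed access.`. Narrowing `getattr_file_perms` to `getattr` is fine, but the summary `Allow a domain to getattr on sssd binary.` would read better as `Get attributes of the sssd executable.`.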
+ ## + ## + ## +@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',` + init_labeled_script_domtrans($1, sssd_initrc_exec_t) + ') + ++######################################## ++## ++## Execute sssd server in the sssd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sssd_systemctl',` ++ gen_require(` ++ type sssd_t; ++ type sssd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 sssd_unit_file_t:file read_file_perms; ++ allow $1 sssd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sssd_t) ++') ++ + ####################################### + ## +-## Read sssd configuration content. ++## Read sssd configuration. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`sssd_read_config',` +- gen_require(` +- type sssd_conf_t; +- ') ++ gen_require(` ++ type sssd_conf_t; ++ ') + +- files_search_etc($1) +- list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) +- read_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ files_search_etc($1) ++ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) ++ read_files_pattern($1, sssd_conf_t, sssd_conf_t) + ') + + ###################################### + ## +-## Write sssd configuration files. ++## Write sssd configuration. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`sssd_write_config',` +- gen_require(` +- type sssd_conf_t; +- ') ++ gen_require(` ++ type sssd_conf_t; ++ ') + +- files_search_etc($1) +- write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ files_search_etc($1) ++ write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++') ++ ++##################################### ++## ++## Write sssd configuration. ++## ++## ++## ++## Domain allowed access. 
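Review bot: `sssd_domtrans` loses `corecmd_search_bin($1)` while keeping `domtrans_pattern($1, sssd_exec_t, sssd_t)`, so a caller that cannot already search bin directories will not reach the executable; the new `stapserver_domtrans` added later in this same patch keeps the search call, so the two are now inconsistent. Restore `corecmd_search_bin($1)` unless every caller is known to have it. The rewritten summary on the following interface, `Execute sssd server in the sssd domain.`, is attached to `sssd_initrc_domtrans`, which runs the init script, not the server — the removed text `Execute sssd init scripts in the initrc domain.` was correct.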
++## ++## ++# ++interface(`sssd_create_config',` ++ gen_require(` ++ type sssd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ create_files_pattern($1, sssd_conf_t, sssd_conf_t) + ') + + #################################### + ## +-## Create, read, write, and delete +-## sssd configuration files. ++## Manage sssd configuration. + ## + ## + ## +@@ -107,12 +146,12 @@ interface(`sssd_write_config',` + ## + # + interface(`sssd_manage_config',` +- gen_require(` +- type sssd_conf_t; +- ') ++ gen_require(` ++ type sssd_conf_t; ++ ') + +- files_search_etc($1) +- manage_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ files_search_etc($1) ++ manage_files_pattern($1, sssd_conf_t, sssd_conf_t) + ') + + ######################################## +@@ -131,14 +170,13 @@ interface(`sssd_read_public_files',` + ') + + sssd_search_lib($1) +- allow $1 sssd_public_t:dir list_dir_perms; ++ list_dirs_pattern($1, sssd_public_t, sssd_public_t) + read_files_pattern($1, sssd_public_t, sssd_public_t) + ') + +-####################################### ++######################################## + ## +-## Create, read, write, and delete +-## sssd public files. ++## Dontaudit read sssd public files. + ## + ## + ## +@@ -146,18 +184,36 @@ interface(`sssd_read_public_files',` + ## + ## + # +-interface(`sssd_manage_public_files',` ++interface(`sssd_dontaudit_read_public_files',` + gen_require(` + type sssd_public_t; + ') + +- sssd_search_lib($1) +- manage_files_pattern($1, sssd_public_t, sssd_public_t) ++ dontaudit $1 sssd_public_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Manage sssd public files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_public_files',` ++ gen_require(` ++ type sssd_public_t; ++ ') ++ ++ sssd_search_lib($1) ++ manage_files_pattern($1, sssd_public_t, sssd_public_t) + ') + + ######################################## + ## +-## Read sssd pid files. ++## Read sssd PID files. 
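Review bot: `sssd_create_config` carries the summary `Write sssd configuration.`, copied from `sssd_write_config` directly above it; the interface grants `create_files_pattern`, so the summary should read `Create sssd configuration files.`. Earlier in the same hunk `sssd_systemctl` is summarised as `Execute sssd server in the sssd domain.`, again a copy of the domtrans text — it grants systemctl execution plus read and manage_service_perms on sssd_unit_file_t, so something like `Execute systemctl to manage the sssd service.` fits. `sssd_systemctl` also grants `ps_process_pattern($1, sssd_t)`, which the summary does not mention and which callers that only want service control may not expect.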
+ ## + ## + ## +@@ -176,8 +232,7 @@ interface(`sssd_read_pid_files',` + + ######################################## + ## +-## Create, read, write, and delete +-## sssd pid content. ++## Manage sssd var_run files. + ## + ## + ## +@@ -216,8 +271,7 @@ interface(`sssd_search_lib',` + + ######################################## + ## +-## Do not audit attempts to search +-## sssd lib directories. ++## Do not audit attempts to search sssd lib directories. + ## + ## + ## +@@ -235,6 +289,24 @@ interface(`sssd_dontaudit_search_lib',` + + ######################################## + ## ++## Do not audit attempts to read sssd lib files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sssd_dontaudit_read_lib',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ dontaudit $1 sssd_var_lib_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Read sssd lib files. + ## + ## +@@ -297,8 +369,7 @@ interface(`sssd_dbus_chat',` + + ######################################## + ## +-## Connect to sssd with a unix +-## domain stream socket. ++## Connect to sssd over a unix stream socket. + ## + ## + ## +@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an sssd environment. ++## Dontaudit attempts to connect to sssd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_dontaudit_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_lib_t; ++ ') ++ ++ dontaudit $1 sssd_t:unix_stream_socket connectto; ++ dontaudit $1 sssd_var_lib_t:sock_file { read write }; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an sssd environment + ## + ## + ## +@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the sssd domain. 
+ ## + ## + ## +@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',` + interface(`sssd_admin',` + gen_require(` + type sssd_t, sssd_public_t, sssd_initrc_exec_t; +- type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t; +- type sssd_log_t; ++ type sssd_unit_file_t; + ') + +- allow $1 sssd_t:process { ptrace signal_perms }; ++ allow $1 sssd_t:process signal_perms; + ps_process_pattern($1, sssd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sssd_t:process ptrace; ++ ') + ++ # Allow sssd_t to restart the apache service + sssd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) +- admin_pattern($1, sssd_conf_t) ++ sssd_manage_pids($1) + +- files_search_var_lib($1) +- admin_pattern($1, { sssd_var_lib_t sssd_public_t }) ++ sssd_manage_lib_files($1) + +- files_search_pids($1) +- admin_pattern($1, sssd_var_run_t) ++ admin_pattern($1, sssd_public_t) ++ ++ sssd_systemctl($1) ++ admin_pattern($1, sssd_unit_file_t) ++ allow $1 sssd_unit_file_t:service all_service_perms; + +- logging_search_logs($1) +- admin_pattern($1, sssd_log_t) + ') +diff --git a/sssd.te b/sssd.te +index 8b537aa..3bce4df 100644 +--- a/sssd.te ++++ b/sssd.te +@@ -1,4 +1,4 @@ +-policy_module(sssd, 1.1.4) ++policy_module(sssd, 1.1.0) + + ######################################## + # +@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) + type sssd_var_run_t; + files_pid_file(sssd_var_run_t) + ++type sssd_unit_file_t; ++systemd_unit_file(sssd_unit_file_t) ++ + ######################################## + # +-# Local policy ++# sssd local policy + # + + allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend; + allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; + allow sssd_t self:fifo_file rw_fifo_file_perms; + allow sssd_t self:key 
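Review bot: the comment `# Allow sssd_t to restart the apache service` above `sssd_initrc_domtrans($1)` in `sssd_admin` is wrong on both counts — the subject is `$1` (the admin domain) and the service is sssd; use `# Allow the admin domain to run the sssd init script`. The rewrite also drops the `admin_pattern` calls on sssd_conf_t, sssd_var_run_t, sssd_var_lib_t and sssd_log_t in favour of `sssd_manage_pids($1)` and `sssd_manage_lib_files($1)`, so an sssd admin no longer administers the configuration directory or the log files; if that narrowing is intentional it belongs in the interface summary, otherwise `sssd_manage_config($1)` and an admin_pattern on sssd_log_t should come back. Gating ptrace on `deny_ptrace` matches the squid_admin change in this patch, which is good.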
manage_key_perms; +-allow sssd_t self:unix_stream_socket { accept connectto listen }; ++allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + + read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) + +@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) + +-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +-create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +-setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) ++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) + logging_log_filetrans(sssd_t, sssd_var_log_t, file) + + manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + kernel_read_network_state(sssd_t) + kernel_read_system_state(sssd_t) + +-corenet_all_recvfrom_unlabeled(sssd_t) +-corenet_all_recvfrom_netlabel(sssd_t) +-corenet_udp_sendrecv_generic_if(sssd_t) +-corenet_udp_sendrecv_generic_node(sssd_t) +-corenet_udp_sendrecv_all_ports(sssd_t) +-corenet_udp_bind_generic_node(sssd_t) +- +-corenet_sendrecv_generic_server_packets(sssd_t) + corenet_udp_bind_generic_port(sssd_t) + corenet_dontaudit_udp_bind_all_ports(sssd_t) ++corenet_tcp_connect_kerberos_password_port(sssd_t) + + corecmd_exec_bin(sssd_t) + +@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t) + domain_obj_id_change_exemption(sssd_t) + + files_list_tmp(sssd_t) +-files_read_etc_files(sssd_t) + files_read_etc_runtime_files(sssd_t) +-files_read_usr_files(sssd_t) + files_list_var_lib(sssd_t) + + fs_list_inotifyfs(sssd_t) +@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t) + + seutil_read_file_contexts(sssd_t) + # sssd wants to write /etc/selinux//logins/ for SELinux PAM module +-# seutil_rw_login_config_dirs(sssd_t) +-# seutil_manage_login_config_files(sssd_t) 
++seutil_rw_login_config_dirs(sssd_t)
++seutil_manage_login_config_files(sssd_t)
+
+ mls_file_read_to_clearance(sssd_t)
+ mls_socket_read_to_clearance(sssd_t)
+ mls_socket_write_to_clearance(sssd_t)
+ mls_trusted_object(sssd_t)
+
++# auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
+ auth_manage_cache(sssd_t)
+@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
+ logging_send_audit_msgs(sssd_t)
+
+ miscfiles_read_generic_certs(sssd_t)
+-miscfiles_read_localization(sssd_t)
+
+ sysnet_dns_name_resolve(sssd_t)
+ sysnet_use_ldap(sssd_t)
+
++userdom_manage_tmp_role(system_r, sssd_t)
++userdom_manage_all_users_keys(sssd_t)
++
+ optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
+ ')
+
+ optional_policy(`
+- kerberos_read_config(sssd_t)
+ kerberos_manage_host_rcache(sssd_t)
+- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
++ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
++ kerberos_read_home_content(sssd_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(sssd_t)
+ ')
++
++optional_policy(`
++ ldap_stream_connect(sssd_t)
++ ldap_read_certs(sssd_t)
++')
++
++userdom_home_reader(sssd_t)
++
+diff --git a/stapserver.fc b/stapserver.fc
+new file mode 100644
+index 0000000..0ccce59
+--- /dev/null
++++ b/stapserver.fc
+@@ -0,0 +1,7 @@
++/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
++
++/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
++
++/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
++
++/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
+diff --git a/stapserver.if b/stapserver.if
+new file mode 100644
+index 0000000..80c6480
+--- /dev/null
++++ b/stapserver.if
+@@ -0,0 +1,151 @@
++
++## Instrumentation System Server
++
++########################################
++##
++## Execute stapserver in the stapserver domain.
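Review bot: `userdom_home_reader(sssd_t)` is appended after the last `optional_policy` block, away from the other unconditional `userdom_*` rules added earlier in the same hunk (`userdom_manage_tmp_role`, `userdom_manage_all_users_keys`); move it up beside them so the unconditional rules stay grouped ahead of the optional blocks. `userdom_manage_all_users_keys(sssd_t)` lets the daemon manage every user's kernel keyring and is added with no comment — a one-liner such as `# sssd manages per-user credential keys` would tell the next reader why. The earlier hunk of this file also leaves `# auth_use_nsswitch(sssd_t)` as a commented-out rule with no explanation; either delete it or say why it is disabled.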
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`stapserver_domtrans',`
++ gen_require(`
++ type stapserver_t, stapserver_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, stapserver_exec_t, stapserver_t)
++')
++########################################
++##
++## Read stapserver's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`stapserver_read_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++##
++## Append to stapserver log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_append_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++
++########################################
++##
++## Manage stapserver log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_manage_log',`
++ gen_require(`
++ type stapserver_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
++ manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
++ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
++')
++########################################
++##
++## Read stapserver PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_read_pid_files',`
++ gen_require(`
++ type stapserver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 stapserver_var_run_t:file read_file_perms;
++')
++
++#######################################
++##
++## Manage stapserver lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stapserver_manage_lib',`
++ gen_require(`
++ type stapserver_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an stapserver environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`stapserver_admin',`
++ gen_require(`
++ type stapserver_t;
++ type stapserver_log_t;
++ type stapserver_var_run_t;
++ ')
++
++ allow $1 stapserver_t:process { ptrace signal_perms };
++ ps_process_pattern($1, stapserver_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, stapserver_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, stapserver_var_run_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/stapserver.te b/stapserver.te
+new file mode 100644
+index 0000000..e472397
+--- /dev/null
++++ b/stapserver.te
+@@ -0,0 +1,113 @@
++policy_module(stapserver, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type stapserver_t;
++type stapserver_exec_t;
++init_daemon_domain(stapserver_t, stapserver_exec_t)
++
++type stapserver_var_lib_t;
++files_type(stapserver_var_lib_t)
++
++type stapserver_log_t;
++logging_log_file(stapserver_log_t)
++
++type stapserver_var_run_t;
++files_pid_file(stapserver_var_run_t)
++
++type stapserver_tmp_t;
++files_tmp_file(stapserver_tmp_t)
++
++########################################
++#
++# stapserver local policy
++#
++
++#runuser
++allow stapserver_t self:capability { setuid setgid };
++allow stapserver_t self:process setsched;
++
++allow stapserver_t self:capability { dac_override kill };
++allow stapserver_t self:process { setrlimit signal };
++
++allow stapserver_t self:fifo_file rw_fifo_file_perms;
++allow stapserver_t self:key write;
++allow stapserver_t
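Review bot: `stapserver_admin` grants `allow $1 stapserver_t:process { ptrace signal_perms };` unconditionally, while `squid_admin` and `sssd_admin` in this same patch are changed to grant signal_perms and put ptrace behind the `deny_ptrace` boolean; the new interface should take the same shape: `allow $1 stapserver_t:process signal_perms;` followed by tunable_policy(`deny_ptrace',`',` `allow $1 stapserver_t:process ptrace;` '). `stapserver_manage_lib` calls nothing that lets the caller reach /var/lib, unlike `stapserver_read_pid_files`, which does call `files_search_pids($1)`; add `files_search_var_lib($1)` before the manage patterns. The admin interface's require lists stapserver_t, stapserver_log_t and stapserver_var_run_t but not stapserver_var_lib_t, so the admin cannot manage the lib directory either — probably an omission rather than a choice.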
self:unix_stream_socket create_stream_socket_perms;
++allow stapserver_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
++files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
++
++manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
++logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
++
++manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
++manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
++manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
++files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
++
++manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
++files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
++
++kernel_read_system_state(stapserver_t)
++kernel_read_kernel_sysctls(stapserver_t)
++
++corecmd_exec_bin(stapserver_t)
++corecmd_exec_shell(stapserver_t)
++
++domain_read_all_domains_state(stapserver_t)
++domain_use_interactive_fds(stapserver_t)
++
++dev_read_sysfs(stapserver_t)
++dev_read_rand(stapserver_t)
++dev_read_urand(stapserver_t)
++
++files_list_tmp(stapserver_t)
++files_search_kernel_modules(stapserver_t)
++
++fs_search_cgroup_dirs(stapserver_t)
++
++auth_use_nsswitch(stapserver_t)
++
++init_read_utmp(stapserver_t)
++
++logging_send_audit_msgs(stapserver_t)
++logging_send_syslog_msg(stapserver_t)
++
++#lspci
++miscfiles_read_hwdata(stapserver_t)
++
++systemd_dbus_chat_logind(stapserver_t)
++
++userdom_use_user_terminals(stapserver_t)
++
++optional_policy(`
++ avahi_dbus_chat(stapserver_t)
++')
++
++optional_policy(`
++ consoletype_exec(stapserver_t)
++')
++
++optional_policy(`
++
dbus_system_bus_client(stapserver_t)
++')
++
++optional_policy(`
++ hostname_exec(stapserver_t)
++')
++
++optional_policy(`
++ plymouthd_exec_plymouth(stapserver_t)
++')
++
++optional_policy(`
++ rpm_exec(stapserver_t)
++')
++
+diff --git a/stunnel.te b/stunnel.te
+index 9992e62..47f1802 100644
+--- a/stunnel.te
++++ b/stunnel.te
+@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
+
+ corecmd_exec_bin(stunnel_t)
+
+-corenet_all_recvfrom_unlabeled(stunnel_t)
+ corenet_all_recvfrom_netlabel(stunnel_t)
+ corenet_tcp_sendrecv_generic_if(stunnel_t)
+ corenet_tcp_sendrecv_generic_node(stunnel_t)
+@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t)
+ logging_send_syslog_msg(stunnel_t)
+
+ miscfiles_read_generic_certs(stunnel_t)
+-miscfiles_read_localization(stunnel_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+ userdom_dontaudit_search_user_home_dirs(stunnel_t)
+@@ -105,4 +103,5 @@ optional_policy(`
+ gen_require(`
+ type stunnel_port_t;
+ ')
++
+ allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+diff --git a/svnserve.fc b/svnserve.fc
+index effffd0..12ca090 100644
+--- a/svnserve.fc
++++ b/svnserve.fc
+@@ -1,8 +1,13 @@
+-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
++/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+
+-/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
++/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
+
+-/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
++/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
+
+-/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+-/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
++/var/run/svnserve(/.*)?
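Review bot: `allow stapserver_t self:tcp_socket { accept listen };` grants accept/listen but no create or bind on tcp_socket, and the new module has no corenet_ rules at all, whereas the deleted systemtap.te gave tcp_socket create_stream_socket_perms and unix_stream_socket { accept listen }; it looks as if the two socket classes were swapped between the two allow lines, so please confirm which listening socket is inherited and restore create_stream_socket_perms (plus the matching corenet_ port rules) if stapserver binds its own. The new module also drops stapserver_conf_t and stapserver_initrc_exec_t, which the deleted systemtap.fc used for /etc/stap-server and /etc/rc.d/init.d/stap-server; unless the new stapserver.fc (outside this chunk) labels those paths, the config directory falls back to the generic /etc label. The `#runuser` and `#lspci` markers say which program triggered a rule but not why it is needed; a note such as `# runuser: setuid/setgid are only for the uid switch, revisit if stap-server stops dropping privileges` (confirm against the daemon) would tell the next reviewer what to re-check.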
gen_context(system_u:object_r:svnserve_var_run_t,s0)
++/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
++
++/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
++/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
++/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+diff --git a/svnserve.if b/svnserve.if
+index 2ac91b6..dd2ac36 100644
+--- a/svnserve.if
++++ b/svnserve.if
+@@ -1,35 +1,118 @@
+-## Server for the svn repository access method.
++
++## policy for svnserve
++
++
++########################################
++##
++## Transition to svnserve.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`svnserve_domtrans',`
++ gen_require(`
++ type svnserve_t, svnserve_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, svnserve_exec_t, svnserve_t)
++')
++
++
++########################################
++##
++## Execute svnserve server in the svnserve domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`svnserve_initrc_domtrans',`
++ gen_require(`
++ type svnserve_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
++')
++
++#######################################
++##
++## Execute svnserve server in the svnserve domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`svnserve_systemctl',`
++ gen_require(`
++ type svnserve_t;
++ type svnserve_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 svnserve_unit_file_t:file read_file_perms;
++ allow $1 svnserve_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, svnserve_t)
++')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an svnserve environment.
++## Read svnserve PID files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
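Review bot: The rewritten `/etc/rc.d/init.d/svnserve` and `/var/run/svnserve.pid` entries drop the `\.` escapes that the removed lines had, so in these file-context regexes the `.` now matches any character, while the same hunk still escapes `svnserve\.service`; the file is inconsistent with itself. Restoring `/etc/rc\.d/init\.d/svnserve` and `/var/run/svnserve\.pid` keeps the patterns exact, which matters for a PID file that svnserve_admin later grants full admin_pattern access over.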
+ ##
+ ##
+-##
++#
++interface(`svnserve_read_pid_files',`
++ gen_require(`
++ type svnserve_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 svnserve_var_run_t:file read_file_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an svnserve environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`svnserve_admin',`
+ gen_require(`
+- type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
++ type svnserve_t;
++ type svnserve_var_run_t;
++ type svnserve_unit_file_t;
+ ')
+
+ allow $1 svnserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, svnserve_t)
+
+- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 svnserve_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+ files_search_pids($1)
+- admin_pattern($1, httpd_var_run_t)
++ admin_pattern($1, svnserve_var_run_t)
++
++ svnserve_systemctl($1)
++ admin_pattern($1, svnserve_unit_file_t)
++ allow $1 svnserve_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
++
+diff --git a/svnserve.te b/svnserve.te
+index c6aaac7..a5600a8 100644
+--- a/svnserve.te
++++ b/svnserve.te
+@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
+ type svnserve_initrc_exec_t;
+ init_script_file(svnserve_initrc_exec_t)
+
++type svnserve_unit_file_t;
++systemd_unit_file(svnserve_unit_file_t)
++
+ type svnserve_content_t;
+ files_type(svnserve_content_t)
+
+ type svnserve_var_run_t;
+ files_pid_file(svnserve_var_run_t)
+
++type svnserve_tmp_t;
++files_tmp_file(svnserve_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
+ allow svnserve_t self:tcp_socket create_stream_socket_perms;
+ allow svnserve_t self:unix_stream_socket { listen accept
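Review bot: `allow $1 svnserve_t:process { ptrace signal_perms };` in svnserve_admin keeps ptrace unconditional, while tcsd_admin in this same patch moves it under `tunable_policy(`deny_ptrace`,`...`)`, and the new stapserver_admin and swift_admin use the same unconditional form as svnserve_admin; all three should adopt the four-line signal_perms-plus-tunable form tcsd.if uses so the deny_ptrace boolean actually covers the new admin interfaces. svnserve_systemctl's summary is a copy of svnserve_initrc_domtrans's ("Execute svnserve server in the svnserve domain.") although its body grants systemctl plus service management; `## Allow the caller to manage the svnserve service via systemctl.` matches what it does. The old svnserve_admin took a role as $2 and set up the system_r transition for the init script; the new one drops that and never calls svnserve_initrc_domtrans even though svnserve_initrc_exec_t is still declared in svnserve.te, so callers that still pass a role (none visible here) silently lose the init-script path, which is worth confirming as intended.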
};
+
++manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })
++
+ manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+ manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+
+@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+ manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+ files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+
+-files_read_etc_files(svnserve_t)
+-files_read_usr_files(svnserve_t)
+-
+ corenet_all_recvfrom_unlabeled(svnserve_t)
+ corenet_all_recvfrom_netlabel(svnserve_t)
+ corenet_tcp_sendrecv_generic_if(svnserve_t)
+@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
+
+ logging_send_syslog_msg(svnserve_t)
+
+-miscfiles_read_localization(svnserve_t)
+-
+ sysnet_dns_name_resolve(svnserve_t)
+diff --git a/swift.fc b/swift.fc
+new file mode 100644
+index 0000000..744f0ce
+--- /dev/null
++++ b/swift.fc
+@@ -0,0 +1,29 @@
++/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0)
++
++/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
++
++/usr/bin/swift-object-auditor --
gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
++
++/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
++/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
++
++# This seems to be a de-facto standard when using swift.
++/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
++
++# This is specific to RHOS's packstack utility
++ifdef(`distro_redhat', `
++/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
++')
+diff --git a/swift.if b/swift.if
+new file mode 100644
+index 0000000..df82c36
+--- /dev/null
++++ b/swift.if
+@@ -0,0 +1,118 @@
++
++## policy for swift
++
++########################################
++##
++## Execute TEMPLATE in the swift domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`swift_domtrans',`
++ gen_require(`
++ type swift_t, swift_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, swift_exec_t, swift_t)
++')
++
++########################################
++##
++## Read swift PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`swift_read_pid_files',`
++ gen_require(`
++ type swift_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, swift_var_run_t, swift_var_run_t)
++')
++
++########################################
++##
++## Manage swift data files.
++##
++##
++##
++## Domain allowed access.
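Review bot: `/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)` and `/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)` carry the `--` regular-file qualifier on a pattern that is meant to cover the directory itself, so a relabel labels the files inside but leaves /var/cache/swift and /var/run/swift with the parent's type; the files_var_filetrans/files_pid_filetrans rules in swift.te then only cover the runtime-created case. The `/var/run/svnserve(/.*)?` entry in this same patch shows the usual form without the qualifier, and dropping `--` from these two swift lines makes them consistent with it.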
++##
++##
++#
++interface(`swift_manage_data_files',`
++ gen_require(`
++ type swift_data_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, swift_data_t, swift_data_t)
++ manage_dirs_pattern($1, swift_data_t, swift_data_t)
++')
++
++########################################
++##
++## Execute swift server in the swift domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`swift_systemctl',`
++ gen_require(`
++ type swift_t;
++ type swift_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 swift_unit_file_t:file read_file_perms;
++ allow $1 swift_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, swift_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an swift environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`swift_admin',`
++ gen_require(`
++ type swift_t;
++ type swift_var_run_t;
++ type swift_unit_file_t;
++ ')
++
++ allow $1 swift_t:process { ptrace signal_perms };
++ ps_process_pattern($1, swift_t)
++
++ files_search_pids($1)
++ admin_pattern($1, swift_var_run_t)
++
++ swift_systemctl($1)
++ admin_pattern($1, swift_unit_file_t)
++ allow $1 swift_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/swift.te b/swift.te
+new file mode 100644
+index 0000000..c7b2bf6
+--- /dev/null
++++ b/swift.te
+@@ -0,0 +1,69 @@
++policy_module(swift, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type swift_t;
++type swift_exec_t;
++init_daemon_domain(swift_t, swift_exec_t)
++
++type swift_var_cache_t;
++files_type(swift_var_cache_t)
++
++type swift_var_run_t;
++files_pid_file(swift_var_run_t)
++
++type swift_unit_file_t;
++systemd_unit_file(swift_unit_file_t)
++
++type swift_data_t;
++files_type(swift_data_t)
++
++########################################
++#
++#
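Review bot: swift_manage_data_files calls `files_search_pids($1)` before granting manage on swift_data_t, but swift.fc labels /srv/node with swift_data_t, so the search grant is on the wrong parent directory and reads as copied from swift_read_pid_files directly above it; a caller holding only this interface still cannot traverse to the data tree, so the line should be replaced by a search grant on the parent of /srv/node (or dropped with a comment that the caller supplies it). The swift_domtrans summary `## Execute TEMPLATE in the swift domin.` is an unfilled template string with a typo, and swift_systemctl's summary is copied from the domtrans wording although its body grants systemctl and service management; `## Transition to the swift domain.` and `## Allow the caller to manage the swift service via systemctl.` describe the bodies.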
swift local policy
++#
++
++allow swift_t self:process signal;
++
++allow swift_t self:fifo_file rw_fifo_file_perms;
++allow swift_t self:tcp_socket create_stream_socket_perms;
++allow swift_t self:unix_stream_socket create_stream_socket_perms;
++allow swift_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
++files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
++
++manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++files_pid_filetrans(swift_t, swift_var_run_t, { dir })
++
++# swift makes use of rsync, so we need to give rsync permissions
++# to edit swift_data_t files as well as swift_t those permissions
++manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
++manage_files_pattern(swift_t, swift_data_t, swift_data_t)
++
++kernel_dgram_send(swift_t)
++kernel_read_system_state(swift_t)
++kernel_read_network_state(swift_t)
++
++corecmd_exec_shell(swift_t)
++
++dev_read_urand(swift_t)
++
++domain_use_interactive_fds(swift_t)
++
++files_dontaudit_search_home(swift_t)
++
++auth_use_nsswitch(swift_t)
++
++libs_exec_ldconfig(swift_t)
++
++logging_send_syslog_msg(swift_t)
++
++userdom_dontaudit_search_user_home_dirs(swift_t)
+diff --git a/swift_alias.fc b/swift_alias.fc
+new file mode 100644
+index 0000000..b7db254
+--- /dev/null
++++ b/swift_alias.fc
+@@ -0,0 +1 @@
++# Empty
+diff --git a/swift_alias.if b/swift_alias.if
+new file mode 100644
+index 0000000..3fed1a3
+--- /dev/null
++++ b/swift_alias.if
+@@ -0,0 +1,2 @@
++
++## swift_alias policy module
+diff --git a/swift_alias.te b/swift_alias.te
+new file mode 100644
+index 0000000..6e39c4f
+--- /dev/null
++++ b/swift_alias.te
+@@ -0,0 +1,26 @@
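Review bot: `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })` makes every directory or file swift_t creates directly inside a var_t directory come out labelled swift_var_cache_t, not only /var/cache/swift, so the transition is broader than the swift.fc entry it is meant to match; if this tree's files_var_filetrans accepts a filename argument, restricting it to the swift directory name (or transitioning under the cache directory rather than /var) keeps the rule tight. The comment above the swift_data_t rules says rsync needs permissions on swift_data_t, but this hunk grants only swift_t; if the rsync side lives in another module, `# rsync access to swift_data_t is granted in <module>.te` would point to it, otherwise the promised grant is missing. kernel_read_network_state, corecmd_exec_shell and libs_exec_ldconfig carry no why-comment, and a one-line reason on each makes the domain's reach auditable later.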
++policy_module(swift_alias, 1.0.0)
++
++#
++# swift_alias.pp policy replaces swift.pp policy
++# which is a part of openstack-selinux.rpm package
++#
++
++########################################
++#
++# Declarations
++#
++
++#call stub interfaces for basic types
++init_stub_initrc()
++corecmd_stub_bin()
++files_stub_var_run()
++files_stub_var()
++systemd_stub_unit_file()
++
++typealias initrc_t alias swift_t;
++typealias bin_t alias swift_exec_t;
++typealias var_run_t alias swift_var_run_t;
++typealias systemd_unit_file_t alias swift_unit_file_t;
++typealias var_t alias swift_data_t;
++
++
+diff --git a/sxid.te b/sxid.te
+index c9824cb..1973f71 100644
+--- a/sxid.te
++++ b/sxid.te
+@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
+ corecmd_exec_bin(sxid_t)
+ corecmd_exec_shell(sxid_t)
+
+-corenet_all_recvfrom_unlabeled(sxid_t)
+ corenet_all_recvfrom_netlabel(sxid_t)
+ corenet_tcp_sendrecv_generic_if(sxid_t)
+ corenet_udp_sendrecv_generic_if(sxid_t)
+@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
+
+ term_dontaudit_use_console(sxid_t)
+
+-files_read_non_auth_files(sxid_t)
++files_read_non_security_files(sxid_t)
+ auth_dontaudit_getattr_shadow(sxid_t)
+
+ init_use_fds(sxid_t)
+@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t)
+
+ logging_send_syslog_msg(sxid_t)
+
+-miscfiles_read_localization(sxid_t)
+-
+ sysnet_read_config(sxid_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
+diff --git a/sysstat.te b/sysstat.te
+index c8b80b2..c81d332 100644
+--- a/sysstat.te
++++ b/sysstat.te
+@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
+ allow sysstat_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+-setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
++manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+
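Review bot: `typealias systemd_unit_file_t alias swift_unit_file_t;` together with `typealias initrc_t alias swift_t;` changes what the swift.if interfaces grant whenever this module is loaded in place of swift.pp: swift_systemctl's `allow $1 swift_unit_file_t:service manage_service_perms;` becomes manage_service_perms over every generic systemd unit file, and swift_admin's ptrace/signal, admin_pattern and all_service_perms apply to initrc_t and all of systemd_unit_file_t. That is a far larger grant than the header comment ("replaces swift.pp policy") conveys, and it is invisible from the swift.if side. A comment on the typealias block, for example `# NOTE: while these aliases are in effect, every swift_* interface grants its caller access to initrc_t, bin_t, var_run_t, var_t and all systemd unit files, not to a private swift domain`, makes the trade-off explicit for anyone who calls swift_admin.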
+ manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
+ logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
+
+@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t)
+ kernel_read_fs_sysctls(sysstat_t)
+ kernel_read_rpc_sysctls(sysstat_t)
+
++corecmd_exec_shell(sysstat_t)
+ corecmd_exec_bin(sysstat_t)
+
+ dev_read_sysfs(sysstat_t)
+@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t)
+ files_search_var(sysstat_t)
+ files_read_etc_runtime_files(sysstat_t)
+
+-fs_getattr_xattr_fs(sysstat_t)
++fs_getattr_all_fs(sysstat_t)
+ fs_list_inotifyfs(sysstat_t)
+
++storage_getattr_fixed_disk_dev(sysstat_t)
++
+ term_use_console(sysstat_t)
+-term_use_all_terms(sysstat_t)
++term_use_all_inherited_terms(sysstat_t)
+
+ auth_use_nsswitch(sysstat_t)
+
+@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t)
+
+ logging_send_syslog_msg(sysstat_t)
+
+-miscfiles_read_localization(sysstat_t)
+-
+ userdom_dontaudit_list_user_home_dirs(sysstat_t)
+
+ optional_policy(`
+ cron_system_entry(sysstat_t, sysstat_exec_t)
+ ')
++
+diff --git a/systemtap.fc b/systemtap.fc
+deleted file mode 100644
+index 1710cbb..0000000
+--- a/systemtap.fc
++++ /dev/null
+@@ -1,11 +0,0 @@
+-/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0)
+-
+-/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
+-
+-/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
+-
+-/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
+-
+-/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
+diff --git a/systemtap.if b/systemtap.if
+deleted file mode 100644
+index c755e2d..0000000
+--- a/systemtap.if
++++ /dev/null
+@@ -1,45 +0,0 @@
+-## instrumentation system for Linux.
+-
+-########################################
+-##
+-## All of the rules required to
+-## administrate an stapserver environment.
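Review bot: Replacing append/create/setattr_files_pattern on sysstat_log_t with `manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` adds write, unlink and rename on the accounting logs, so the domain moves from append-only to being able to rewrite or delete its own history. If this came from a specific denial it is worth recording which operation needed it, e.g. `# <operation> on the sa files needs write/unlink, not just append` with the real trigger; otherwise the narrower set the hunk removes was the safer default for log integrity. The later hunks' `fs_getattr_all_fs` and `storage_getattr_fixed_disk_dev` additions are plausible for a disk-statistics collector but are likewise undocumented, and the same one-line reason would help there.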
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+-#
+-interface(`stapserver_admin',`
+- gen_require(`
+- type stapserver_t, stapserver_conf_t, stapserver_log_t;
+- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+- ')
+-
+- allow $1 stapserver_t:process { ptrace signal_perms };
+- ps_process_pattern($1, stapserver_t)
+-
+- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 stapserver_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, stapserver_conf_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, stapserver_var_lib_t)
+-
+- logging_search_logs($1)
+- admin_pattern($1, stapserver_log_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, stapserver_var_run_t)
+-')
+diff --git a/systemtap.te b/systemtap.te
+deleted file mode 100644
+index 6c06a84..0000000
+--- a/systemtap.te
++++ /dev/null
+@@ -1,101 +0,0 @@
+-policy_module(systemtap, 1.0.2)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type stapserver_t;
+-type stapserver_exec_t;
+-init_daemon_domain(stapserver_t, stapserver_exec_t)
+-
+-type stapserver_initrc_exec_t;
+-init_script_file(stapserver_initrc_exec_t)
+-
+-type stapserver_conf_t;
+-files_config_file(stapserver_conf_t)
+-
+-type stapserver_var_lib_t;
+-files_type(stapserver_var_lib_t)
+-
+-type stapserver_log_t;
+-logging_log_file(stapserver_log_t)
+-
+-type stapserver_var_run_t;
+-files_pid_file(stapserver_var_run_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow stapserver_t self:capability { dac_override kill setuid setgid };
+-allow stapserver_t self:process { setrlimit setsched signal };
+-allow stapserver_t self:fifo_file rw_fifo_file_perms;
+-allow stapserver_t self:key write;
+-allow stapserver_t self:unix_stream_socket { accept listen };
+-allow stapserver_t self:tcp_socket
create_stream_socket_perms;
+-
+-allow stapserver_t stapserver_conf_t:file read_file_perms;
+-
+-manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+-manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+-files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
+-
+-manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
+-
+-manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+-manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+-files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
+-
+-kernel_read_kernel_sysctls(stapserver_t)
+-kernel_read_system_state(stapserver_t)
+-
+-corecmd_exec_bin(stapserver_t)
+-corecmd_exec_shell(stapserver_t)
+-
+-domain_read_all_domains_state(stapserver_t)
+-
+-dev_read_rand(stapserver_t)
+-dev_read_sysfs(stapserver_t)
+-dev_read_urand(stapserver_t)
+-
+-files_list_tmp(stapserver_t)
+-files_read_usr_files(stapserver_t)
+-files_search_kernel_modules(stapserver_t)
+-
+-auth_use_nsswitch(stapserver_t)
+-
+-init_read_utmp(stapserver_t)
+-
+-logging_send_audit_msgs(stapserver_t)
+-logging_send_syslog_msg(stapserver_t)
+-
+-miscfiles_read_localization(stapserver_t)
+-miscfiles_read_hwdata(stapserver_t)
+-
+-userdom_use_user_terminals(stapserver_t)
+-
+-optional_policy(`
+- consoletype_exec(stapserver_t)
+-')
+-
+-optional_policy(`
+- dbus_system_bus_client(stapserver_t)
+-')
+-
+-optional_policy(`
+- hostname_exec(stapserver_t)
+-')
+-
+-optional_policy(`
+- plymouthd_exec_plymouth(stapserver_t)
+-')
+-
+-optional_policy(`
+- rpm_exec(stapserver_t)
+-')
+diff --git a/tcpd.te b/tcpd.te
+index f388db3..1e1a075 100644
+--- a/tcpd.te
++++ b/tcpd.te
+@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+ manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+ files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+
+-corenet_all_recvfrom_unlabeled(tcpd_t)
+ corenet_all_recvfrom_netlabel(tcpd_t)
+ corenet_tcp_sendrecv_generic_if(tcpd_t)
+ corenet_tcp_sendrecv_generic_node(tcpd_t)
+@@ -31,15 +30,12 @@ corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+ fs_getattr_xattr_fs(tcpd_t)
+
+-corecmd_search_bin(tcpd_t)
++corecmd_exec_bin(tcpd_t)
+
+-files_read_etc_files(tcpd_t)
+ files_dontaudit_search_var(tcpd_t)
+
+ logging_send_syslog_msg(tcpd_t)
+
+-miscfiles_read_localization(tcpd_t)
+-
+ sysnet_read_config(tcpd_t)
+
+ inetd_domtrans_child(tcpd_t)
+diff --git a/tcsd.if b/tcsd.if
+index b42ec1d..91b8f71 100644
+--- a/tcsd.if
++++ b/tcsd.if
+@@ -138,8 +138,11 @@ interface(`tcsd_admin',`
+ type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
+ ')
+
+- allow $1 tcsd_t:process { ptrace signal_perms };
++ allow $1 tcsd_t:process signal_perms;
+ ps_process_pattern($1, tcsd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 tcsd_t:process ptrace;
++ ')
+
+ tcsd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+diff --git a/tcsd.te b/tcsd.te
+index ac8213a..14da480 100644
+--- a/tcsd.te
++++ b/tcsd.te
+@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
+ dev_read_urand(tcsd_t)
+ dev_rw_tpm(tcsd_t)
+
+-files_read_usr_files(tcsd_t)
+-
+ auth_use_nsswitch(tcsd_t)
+
+-logging_send_syslog_msg(tcsd_t)
++init_read_utmp(tcsd_t)
+
+-miscfiles_read_localization(tcsd_t)
++logging_send_syslog_msg(tcsd_t)
+diff --git a/telepathy.fc b/telepathy.fc
+index c7de0cf..03fc880 100644
+--- a/telepathy.fc
++++ b/telepathy.fc
+@@ -1,34 +1,23 @@
+-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
++HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+ HOME_DIR/\.cache/telepathy(/.*)?
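Review bot: In the second tcpd.te hunk `corecmd_exec_bin(tcpd_t)` replaces corecmd_search_bin, so tcpd may now execute anything labelled bin_t instead of only traversing bin directories; the hunk keeps `inetd_domtrans_child(tcpd_t)` as the path for launching wrapped services, so the reason a generic exec is now needed is not visible. A why-comment such as `# exec on bin_t needed for <program tcpd runs>` naming the real trigger would justify the wider grant, or a domain transition for that specific program would be the narrower fix if one exists.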
gen_context(system_u:object_r:telepathy_cache_home_t, s0)
+ HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
+-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
+-HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
++HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+ HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
+-HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
+-HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
+-HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
++HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
++HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
++HOME_DIR/\.local/share/TpLogger(/.*)?
gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
+-/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+-/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+-/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+-/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+-/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
+-/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+-/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
+-
+-/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+-/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+-/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+-/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+-/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+-/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/libexec/telepathy-rakia --
gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+-/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
++/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
++/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
++/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
++/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
++/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
++/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
++/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
++/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
++/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
++/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
++/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
+diff --git a/telepathy.if b/telepathy.if
+index 42946bc..9f70e4c 100644
+--- a/telepathy.if
++++ b/telepathy.if
+@@ -2,45 +2,39 @@
+
+ #######################################
+ ##
+-## The template to define a telepathy domain.
++## Creates basic types for telepathy
++## domain
+ ##
+-##
++##
+ ##
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ##
+ ##
+ #
+ template(`telepathy_domain_template',`
+ gen_require(`
+- attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
++ attribute telepathy_domain;
++ attribute telepathy_executable;
+ ')
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
++ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
++ ubac_constrained(telepathy_$1_t)
+
+- type telepathy_$1_tmp_t, telepathy_tmp_content;
++ type telepathy_$1_tmp_t;
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+
++ kernel_read_system_state(telepathy_$1_t)
++
+ auth_use_nsswitch(telepathy_$1_t)
+ ')
+
+ #######################################
+ ##
+-## The role template for the telepathy module.
++## Role access for telepathy domains
++## that executes via dbus-session
+ ##
+-##
+-##

    +-## This template creates a derived domains which are used
+-## for window manager applications.
+-##

    +-##
    +-##
+-##
+-##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-##
+-##
+ ##
+ ##
+ ## The role associated with the user domain.
+@@ -51,10 +45,15 @@ template(`telepathy_domain_template',`
+ ## The type of the user domain.
+ ##
+ ##
++##
++##
++## User domain prefix to be used.
++##
++##
+ #
+-template(`telepathy_role_template',`
++template(`telepathy_role',`
+ gen_require(`
+- attribute telepathy_domain, telepathy_tmp_content;
++ attribute telepathy_domain;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+-
+- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
+- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
+- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
+ ')
+
+- role $2 types telepathy_domain;
+-
+- allow $3 telepathy_domain:process { ptrace signal_perms };
+- ps_process_pattern($3, telepathy_domain)
++ role $1 types telepathy_domain;
+
+- telepathy_gabble_stream_connect($3)
+- telepathy_msn_stream_connect($3)
+- telepathy_salut_stream_connect($3)
++ allow $2 telepathy_domain:process signal_perms;
++ ps_process_pattern($2, telepathy_domain)
+
+- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
+- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
+- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
+- dbus_spec_session_domain($1,
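Review bot: `template(`telepathy_role',`` renames telepathy_role_template and, per the new parameter docs and the `role $1 types telepathy_domain;` line that follows, moves the prefix from $1 to $3 while role and domain shift to $1 and $2; any caller still using the old name fails at build time, and one that updates only the name silently feeds the prefix into `role $1 types`. If callers outside this patch exist (none are visible in this chunk), a one-line compatibility wrapper `template(`telepathy_role_template',` telepathy_role($2, $3, $1) `)` keeps them working until they are migrated. The template body continues in the next hunk, which is cut off at the end of this chunk.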
telepathy_mission_control_exec_t, telepathy_mission_control_t) +- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t) +- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) +- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) +- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) ++ telepathy_gabble_stream_connect($2) ++ telepathy_msn_stream_connect($2) ++ telepathy_salut_stream_connect($2) + +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; ++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) ++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) ++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) ++ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t) ++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) ++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) ++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) ++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) ++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) + +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_mission_control_data_home_t 
telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; +- +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") +- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") +- +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") +- +- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") +- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") +- +- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") +- +- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") +- # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy") +- +- allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms }; +- allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ++ telepathy_dbus_chat($2) + ') + + ######################################## + ## +-## Connect to gabble with a unix +-## domain stream socket. ++## Stream connect to Telepathy Gabble + ## + ## +-## ++## + ## Domain allowed access. + ## + ## + # +-interface(`telepathy_gabble_stream_connect',` ++interface(`telepathy_gabble_stream_connect', ` + gen_require(` + type telepathy_gabble_t, telepathy_gabble_tmp_t; + ') + +- files_search_tmp($1) + stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) ++ files_search_tmp($1) + ') + + ######################################## + ## +-## Send dbus messages to and from +-## gabble. ++## Allow Telepathy Gabble to stream connect to a domain. 
+ ## + ## +-## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`telepathy_gabble_stream_connect_to', ` ++ gen_require(` ++ type telepathy_gabble_t; ++ ') ++ ++ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1) ++') ++ ++######################################## ++## ++## Send DBus messages to and from ++## Telepathy Gabble. ++## ++## ++## + ## Domain allowed access. + ## + ## + # +-interface(`telepathy_gabble_dbus_chat',` ++interface(`telepathy_gabble_dbus_chat', ` + gen_require(` + type telepathy_gabble_t; + class dbus send_msg; +@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` + + ######################################## + ## +-## Read mission control process state files. ++## Read telepathy mission control state. + ## + ## +-## ++## + ## Domain allowed access. + ## + ## +@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` + ') + + kernel_search_proc($1) +- allow $1 telepathy_mission_control_t:dir list_dir_perms; +- allow $1 telepathy_mission_control_t:file read_file_perms; +- allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms; ++ ps_process_pattern($1, telepathy_mission_control_t) + ') + + ####################################### + ## +-## Connect to msn with a unix +-## domain stream socket. ++## Stream connect to telepathy MSN managers + ## + ## + ## +@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',` + ## + ## + # +-interface(`telepathy_msn_stream_connect',` ++interface(`telepathy_msn_stream_connect', ` + gen_require(` + type telepathy_msn_t, telepathy_msn_tmp_t; + ') + +- files_search_tmp($1) + stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) ++ files_search_tmp($1) + ') + + ######################################## + ## +-## Connect to salut with a unix +-## domain stream socket. 
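Review bot: The documentation of the new `telepathy_gabble_stream_connect_to` interface describes both parameters as "Domain allowed access.", but the body `stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)` uses `$1` as the target domain and `$2` as the directory and socket-file type the connection goes through. Suggest documenting the first parameter as "Domain that Telepathy Gabble is allowed to stream connect to." and the second as "Type of the socket file (and its directory) used for the connection.". The duplicated summary as written will mislead callers into passing two domains.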
++## Stream connect to Telepathy Salut + ## + ## + ## +@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',` + ## + ## + # +-interface(`telepathy_salut_stream_connect',` ++interface(`telepathy_salut_stream_connect', ` + gen_require(` + type telepathy_salut_t, telepathy_salut_tmp_t; + ') + +- files_search_tmp($1) + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) ++ files_search_tmp($1) ++') ++ ++####################################### ++## ++## Send DBus messages to and from ++## all Telepathy domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`telepathy_dbus_chat',` ++ gen_require(` ++ attribute telepathy_domain; ++ class dbus send_msg; ++ ') ++ ++ allow $1 telepathy_domain:dbus send_msg; ++ allow telepathy_domain $1:dbus send_msg; ++') ++ ++###################################### ++## ++## Execute telepathy executable ++## in the specified domain. ++## ++## ++##

    ++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`telepathy_command_domtrans', ` ++ gen_require(` ++ attribute telepathy_executable; ++ ') ++ ++ allow $2 telepathy_executable:file entrypoint; ++ domain_transition_pattern($1, telepathy_executable, $2) ++ type_transition $1 telepathy_executable:process $2; ++ ++ # needs to dbus chat with unconfined_t and unconfined_dbusd_t ++ optional_policy(` ++ telepathy_dbus_chat($1) ++ telepathy_dbus_chat($2) ++ ') ++') ++ ++######################################## ++## ++## Create telepathy content in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`telepathy_filetrans_home_content',` ++ gen_require(` ++ type telepathy_mission_control_cache_home_t; ++ type telepathy_mission_control_home_t; ++ type telepathy_logger_cache_home_t; ++ type telepathy_gabble_cache_home_t; ++ type telepathy_sunshine_home_t; ++ type telepathy_logger_data_home_t; ++ type telepathy_cache_home_t, telepathy_data_home_t; ++ type telepathy_mission_control_data_home_t; ++ ') ++ ++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") ++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal") ++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") ++ ++ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") ++ ++ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control") ++ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") ++ ++ optional_policy(` ++ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections") ++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") ++ gnome_cache_filetrans($1, 
telepathy_gabble_cache_home_t, dir, "wocky") ++ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy") ++ ++ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger") ++ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") ++ ') ++') ++ ++###################################### ++## ++## Execute telepathy in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`telepathy_exec',` ++ gen_require(` ++ attribute telepathy_executable; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, telepathy_executable) + ') +diff --git a/telepathy.te b/telepathy.te +index e9c0964..5a41683 100644 +--- a/telepathy.te ++++ b/telepathy.te +@@ -1,29 +1,28 @@ +-policy_module(telepathy, 1.3.5) ++policy_module(telepathy, 1.3.0) + + ######################################## + # +-# Declarations ++# Declarations. + # + + ## +-##
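Review bot: The description of the new `telepathy_command_domtrans` interface says it allows "the specified domain to execute any file on these filesystems", wording copied from a filesystem interface that does not fit an executable-attribute transition; the summary should read "Execute a telepathy executable in the specified domain." without the filesystem sentence. In the same interface the comment `# needs to dbus chat with unconfined_t and unconfined_dbusd_t` does not describe the code under it, which calls `telepathy_dbus_chat($1)` and `telepathy_dbus_chat($2)`; a comment such as `# both the caller and the new domain must exchange DBus messages with the telepathy domains` would match. The `optional_policy` wrapper around those two calls guards an interface defined in this same module, so it never actually becomes optional.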

    +-## Determine whether telepathy connection +-## managers can connect to generic tcp ports. +-##

    ++##

    ++## Allow the Telepathy connection managers ++## to connect to any generic TCP port. ++##

    + ##
    + gen_tunable(telepathy_tcp_connect_generic_network_ports, false) + + ## +-##

    +-## Determine whether telepathy connection +-## managers can connect to any port. +-##

    ++##

    ++## Allow the Telepathy connection managers ++## to connect to any network port. ++##

    + ##
    + gen_tunable(telepathy_connect_all_ports, false) + + attribute telepathy_domain; + attribute telepathy_executable; +-attribute telepathy_tmp_content; + + telepathy_domain_template(gabble) + +@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t) + + ####################################### + # +-# Gabble local policy ++# Telepathy Gabble local policy. + # + +-allow telepathy_gabble_t self:tcp_socket { accept listen }; ++allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms; + allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; + +-# ~/.cache/telepathy/gabble/caps-cache.db-journal +-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") +-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky") +- + manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) + manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) + files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) + +-corenet_all_recvfrom_unlabeled(telepathy_gabble_t) ++# ~/.cache/telepathy/gabble/caps-cache.db-journal ++optional_policy(` ++ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir) ++ # ~/.cache/wocky ++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir) ++') ++ + corenet_all_recvfrom_netlabel(telepathy_gabble_t) + corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) + 
corenet_tcp_sendrecv_generic_node(telepathy_gabble_t) +- +-corenet_sendrecv_http_client_packets(telepathy_gabble_t) + corenet_tcp_connect_http_port(telepathy_gabble_t) +-corenet_tcp_sendrecv_http_port(telepathy_gabble_t) +- +-corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) + corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) +-corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t) +- +-corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) + corenet_tcp_connect_vnc_port(telepathy_gabble_t) +-corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t) ++corenet_sendrecv_http_client_packets(telepathy_gabble_t) ++corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) ++corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) + + dev_read_rand(telepathy_gabble_t) + + files_read_config_files(telepathy_gabble_t) +-files_read_usr_files(telepathy_gabble_t) ++ ++fs_getattr_all_fs(telepathy_gabble_t) + + miscfiles_read_all_certs(telepathy_gabble_t) + + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_gabble_t) + corenet_tcp_connect_all_ports(telepathy_gabble_t) + corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) ++ corenet_udp_sendrecv_all_ports(telepathy_gabble_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_gabble_t) + corenet_tcp_connect_generic_port(telepathy_gabble_t) +- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) ++ corenet_sendrecv_generic_client_packets(telepathy_gabble_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_gabble_t) +- fs_manage_nfs_files(telepathy_gabble_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_gabble_t) +- fs_manage_cifs_files(telepathy_gabble_t) +-') ++userdom_home_manager(telepathy_gabble_t) + + optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) + ') + +-# optional_policy(` +- # 
~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_gabble_t) +-# ') ++optional_policy(` ++ gnome_manage_home_config(telepathy_gabble_t) ++') + + ####################################### + # +-# Idle local policy ++# Telepathy Idle local policy. + # + + corenet_all_recvfrom_netlabel(telepathy_idle_t) +-corenet_all_recvfrom_unlabeled(telepathy_idle_t) + corenet_tcp_sendrecv_generic_if(telepathy_idle_t) + corenet_tcp_sendrecv_generic_node(telepathy_idle_t) +- +-corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t) + corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) +-corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t) +- +-corenet_sendrecv_ircd_client_packets(telepathy_idle_t) + corenet_tcp_connect_ircd_port(telepathy_idle_t) +-corenet_tcp_sendrecv_ircd_port(telepathy_idle_t) ++corenet_sendrecv_ircd_client_packets(telepathy_idle_t) + + dev_read_rand(telepathy_idle_t) + +-files_read_usr_files(telepathy_idle_t) +- + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_idle_t) + corenet_tcp_connect_all_ports(telepathy_idle_t) + corenet_tcp_sendrecv_all_ports(telepathy_idle_t) ++ corenet_udp_sendrecv_all_ports(telepathy_idle_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_idle_t) + corenet_tcp_connect_generic_port(telepathy_idle_t) +- corenet_tcp_sendrecv_generic_port(telepathy_idle_t) ++ corenet_sendrecv_generic_client_packets(telepathy_idle_t) + ') + + ####################################### + # +-# Logger local policy ++# Telepathy Logger local policy. 
+ # + + allow telepathy_logger_t self:unix_stream_socket create_socket_perms; + + manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) + manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) +-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") ++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir) + + manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) + manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) +-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger") + +-files_read_usr_files(telepathy_logger_t) ++optional_policy(` ++ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) ++') ++ + files_search_pids(telepathy_logger_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_logger_t) +- fs_manage_nfs_files(telepathy_logger_t) +-') ++fs_getattr_all_fs(telepathy_logger_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_logger_t) +- fs_manage_cifs_files(telepathy_logger_t) +-') ++userdom_home_manager(telepathy_logger_t) + +-# optional_policy(` ++optional_policy(` + # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_logger_t) +-# ') ++ gnome_manage_home_config(telepathy_logger_t) ++') + + ####################################### + # +-# Mission-Control local policy ++# Telepathy Mission-Control local policy. 
+ # +- + allow telepathy_mission_control_t self:process setsched; + + manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) +-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") ++userdom_search_user_home_dirs(telepathy_mission_control_t) + +-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) ++manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) ++ ++manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") ++filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) + +-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) +-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") ++optional_policy(` ++ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) ++ gnome_manage_home_config(telepathy_mission_control_t) ++') + + dev_read_rand(telepathy_mission_control_t) + +-files_list_tmp(telepathy_mission_control_t) +-files_read_usr_files(telepathy_mission_control_t) 
++fs_getattr_all_fs(telepathy_mission_control_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_mission_control_t) +- fs_manage_nfs_files(telepathy_mission_control_t) +-') ++files_list_tmp(telepathy_mission_control_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_mission_control_t) +- fs_manage_cifs_files(telepathy_mission_control_t) +-') ++userdom_home_manager(telepathy_mission_control_t) + + optional_policy(` + dbus_system_bus_client(telepathy_mission_control_t) +@@ -245,59 +215,51 @@ optional_policy(` + devicekit_dbus_chat_power(telepathy_mission_control_t) + ') + optional_policy(` +- gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t) ++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) + ') + optional_policy(` + networkmanager_dbus_chat(telepathy_mission_control_t) + ') + ') + +-# optional_policy(` +- # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_mission_control_t) +-# ') ++# ~/.cache/.mc_connections. ++optional_policy(` ++ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) ++ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) ++') + + ####################################### + # +-# Butterfly and Haze local policy ++# Telepathy Butterfly and Haze local policy. 
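Review bot: In the Gabble section the `manage_dirs_pattern`/`manage_files_pattern` rules on `telepathy_gabble_cache_home_t`, a type owned by this module, are placed inside the `optional_policy` block that exists only for `gnome_cache_filetrans`, so on a system without the gnome module Gabble loses access to its own cache directory; the same pattern appears for `.mc_connections` in the Mission-Control block of the `@@ -245,59 +215,51 @@` hunk. Move the pattern rules and the `filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)` line out of the block and keep only the `gnome_*` call inside it. The added `fs_getattr_all_fs(telepathy_gabble_t)`, `fs_getattr_all_fs(telepathy_logger_t)` and `fs_getattr_all_fs(telepathy_mission_control_t)` lines are redundant with the unchanged `fs_getattr_all_fs(telepathy_domain)` in the common section, since these types carry the `telepathy_domain` attribute. Dropping the `"gabble"` name from the filetrans also widens it from that one directory to every directory the domain creates under the shared telepathy cache type; if that is intended, a comment saying so would help.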
+ # + + allow telepathy_msn_t self:process setsched; ++allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + + manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) + manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) + manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) ++exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) + files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +- + userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +- ++userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) + can_exec(telepathy_msn_t, telepathy_msn_tmp_t) + + corenet_all_recvfrom_netlabel(telepathy_msn_t) +-corenet_all_recvfrom_unlabeled(telepathy_msn_t) + corenet_tcp_sendrecv_generic_if(telepathy_msn_t) + corenet_tcp_sendrecv_generic_node(telepathy_msn_t) +- +-corenet_sendrecv_http_client_packets(telepathy_msn_t) ++corenet_tcp_bind_generic_node(telepathy_msn_t) + corenet_tcp_connect_http_port(telepathy_msn_t) +-corenet_tcp_sendrecv_http_port(telepathy_msn_t) +- +-corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) + corenet_tcp_connect_mmcc_port(telepathy_msn_t) +-corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t) +- +-corenet_sendrecv_msnp_client_packets(telepathy_msn_t) + corenet_tcp_connect_msnp_port(telepathy_msn_t) +-corenet_tcp_sendrecv_msnp_port(telepathy_msn_t) +- +-corenet_sendrecv_sip_client_packets(telepathy_msn_t) + corenet_tcp_connect_sip_port(telepathy_msn_t) +-corenet_tcp_sendrecv_sip_port(telepathy_msn_t) ++corenet_sendrecv_http_client_packets(telepathy_msn_t) ++corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) ++corenet_sendrecv_msnp_client_packets(telepathy_msn_t) + + corecmd_exec_bin(telepathy_msn_t) + corecmd_exec_shell(telepathy_msn_t) +- +-files_read_usr_files(telepathy_msn_t) ++corecmd_read_bin_symlinks(telepathy_msn_t) + + init_read_state(telepathy_msn_t) + +@@ 
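Review bot: The added `exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)` duplicates the retained `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` three lines below; both grant execute on a type the domain itself creates and writes via `manage_files_pattern` and `files_tmp_filetrans`. Keep one of the two and add a comment naming what the Butterfly/Haze managers need to run from /tmp, so a later reviewer can tell whether write-plus-execute on that type is still required. The Sunshine hunk below replaces its `can_exec` with `exec_files_pattern` rather than keeping both, which is the consistent form.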
-307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t) + + miscfiles_read_all_certs(telepathy_msn_t) + +-# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) +- + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_msn_t) + corenet_tcp_connect_all_ports(telepathy_msn_t) + corenet_tcp_sendrecv_all_ports(telepathy_msn_t) ++ corenet_udp_sendrecv_all_ports(telepathy_msn_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_msn_t) + corenet_tcp_connect_generic_port(telepathy_msn_t) +- corenet_tcp_sendrecv_generic_port(telepathy_msn_t) ++ corenet_sendrecv_generic_client_packets(telepathy_msn_t) ++') ++ ++optional_policy(` ++ gnome_read_gconf_home_files(telepathy_msn_t) + ') + + optional_policy(` +@@ -329,43 +292,33 @@ optional_policy(` + ') + ') + +-# optional_policy(` +- # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_msn_t) +-# ') +- + ####################################### + # +-# Salut local policy ++# Telepathy Salut local policy. 
+ # + +-allow telepathy_salut_t self:tcp_socket { accept listen }; ++allow telepathy_salut_t self:tcp_socket create_stream_socket_perms; + + manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) + files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) + + corenet_all_recvfrom_netlabel(telepathy_salut_t) +-corenet_all_recvfrom_unlabeled(telepathy_salut_t) + corenet_tcp_sendrecv_generic_if(telepathy_salut_t) + corenet_tcp_sendrecv_generic_node(telepathy_salut_t) + corenet_tcp_bind_generic_node(telepathy_salut_t) +- +-corenet_sendrecv_presence_server_packets(telepathy_salut_t) + corenet_tcp_bind_presence_port(telepathy_salut_t) +-corenet_sendrecv_presence_client_packets(telepathy_salut_t) + corenet_tcp_connect_presence_port(telepathy_salut_t) +-corenet_tcp_sendrecv_presence_port(telepathy_salut_t) ++corenet_sendrecv_presence_server_packets(telepathy_salut_t) + + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_salut_t) + corenet_tcp_connect_all_ports(telepathy_salut_t) + corenet_tcp_sendrecv_all_ports(telepathy_salut_t) ++ corenet_udp_sendrecv_all_ports(telepathy_salut_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_salut_t) + corenet_tcp_connect_generic_port(telepathy_salut_t) +- corenet_tcp_sendrecv_generic_port(telepathy_salut_t) ++ corenet_sendrecv_generic_client_packets(telepathy_salut_t) + ') + + optional_policy(` +@@ -378,73 +331,53 @@ optional_policy(` + + ####################################### + # +-# Sofiasip local policy ++# Telepathy Sofiasip local policy. 
+ # + +-allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms; +-allow telepathy_sofiasip_t self:tcp_socket { accept listen }; ++allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; ++allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; + + corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) +-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) + corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) + corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) + corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) + corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t) + corenet_tcp_bind_generic_node(telepathy_sofiasip_t) + corenet_raw_bind_generic_node(telepathy_sofiasip_t) +- +-corenet_sendrecv_all_server_packets(telepathy_sofiasip_t) + corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) +-corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) +- + corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) +- +-corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) + corenet_tcp_connect_sip_port(telepathy_sofiasip_t) +-corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t) ++corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) + + kernel_request_load_module(telepathy_sofiasip_t) + + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_sofiasip_t) + corenet_tcp_connect_all_ports(telepathy_sofiasip_t) + corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) ++ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) + corenet_tcp_connect_generic_port(telepathy_sofiasip_t) +- corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t) ++ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) + ') + + ####################################### + # +-# Sunshine local policy ++# Telepathy Sunshine local policy. 
+ # + + manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) + manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) +-userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") ++userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) ++userdom_search_user_home_dirs(telepathy_sunshine_t) + + manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) ++exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) + files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) + +-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t) +- + corecmd_exec_bin(telepathy_sunshine_t) + +-files_read_usr_files(telepathy_sunshine_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_sunshine_t) +- fs_manage_nfs_files(telepathy_sunshine_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_sunshine_t) +- fs_manage_cifs_files(telepathy_sunshine_t) +-') +- + optional_policy(` + xserver_read_xdm_pid(telepathy_sunshine_t) + xserver_stream_connect(telepathy_sunshine_t) +@@ -452,31 +385,49 @@ optional_policy(` + + ####################################### + # +-# Common telepathy domain local policy ++# telepathy domains common policy + # + + allow telepathy_domain self:process { getsched signal sigkill }; + allow telepathy_domain self:fifo_file rw_fifo_file_perms; ++allow telepathy_domain self:tcp_socket create_socket_perms; ++allow telepathy_domain self:udp_socket create_socket_perms; + + manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) +-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +- +-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) +-# 
gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") ++optional_policy(` ++ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") ++') + + dev_read_urand(telepathy_domain) + +-kernel_read_system_state(telepathy_domain) + + fs_getattr_all_fs(telepathy_domain) + fs_search_auto_mountpoints(telepathy_domain) ++fs_rw_inherited_tmpfs_files(telepathy_domain) + +-miscfiles_read_localization(telepathy_domain) ++userdom_search_user_tmp_dirs(telepathy_domain) ++userdom_search_user_home_dirs(telepathy_domain) + + optional_policy(` + automount_dontaudit_getattr_tmp_dirs(telepathy_domain) + ') + + optional_policy(` ++ gnome_read_generic_cache_files(telepathy_domain) ++ gnome_write_generic_cache_files(telepathy_domain) ++ gnome_filetrans_config_home_content(telepathy_domain) ++') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(telepathy_domain) ++ systemd_write_inhibit_pipes(telepathy_domain) ++') ++ ++optional_policy(` ++ telepathy_dbus_chat(telepathy_domain) ++') ++ ++optional_policy(` + xserver_rw_xdm_pipes(telepathy_domain) + ') ++ +diff --git a/telnet.te b/telnet.te +index 9f89916..1bdef51 100644 +--- a/telnet.te ++++ b/telnet.te +@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t) + allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; + allow telnetd_t self:process signal_perms; + allow telnetd_t self:fifo_file rw_fifo_file_perms; ++allow telnetd_t self:tcp_socket connected_stream_socket_perms; ++allow telnetd_t self:udp_socket create_socket_perms; ++# for identd; cjp: this should probably only be inetd_child rules? 
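Review bot: Removing `kernel_read_system_state(telepathy_domain)` leaves two consecutive blank context lines before `fs_getattr_all_fs(telepathy_domain)`, and the hunk ends by adding a trailing blank line at end of file; both are whitespace noise. The new `optional_policy` block around `telepathy_dbus_chat(telepathy_domain)` wraps an interface defined in this module's own telepathy.if, so the guard is unnecessary and the call can sit at the top level with the other domain-wide rules.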
++allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + + allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++ + term_create_pty(telnetd_t, telnetd_devpts_t) + + manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) + manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) +-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) + + manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) + files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) +@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t) + kernel_read_system_state(telnetd_t) + kernel_read_network_state(telnetd_t) + +-corenet_all_recvfrom_unlabeled(telnetd_t) + corenet_all_recvfrom_netlabel(telnetd_t) + corenet_tcp_sendrecv_generic_if(telnetd_t) + corenet_udp_sendrecv_generic_if(telnetd_t) +@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t) + corenet_udp_sendrecv_generic_node(telnetd_t) + corenet_tcp_sendrecv_all_ports(telnetd_t) + corenet_udp_sendrecv_all_ports(telnetd_t) ++corenet_tcp_bind_telnetd_port(telnetd_t) + + corecmd_search_bin(telnetd_t) + +@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t) + + domain_interactive_fd(telnetd_t) + +-files_read_usr_files(telnetd_t) + files_read_etc_runtime_files(telnetd_t) + files_search_home(telnetd_t) + +@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t) + + logging_send_syslog_msg(telnetd_t) + +-miscfiles_read_localization(telnetd_t) +- + seutil_read_config(telnetd_t) + + userdom_search_user_home_dirs(telnetd_t) + userdom_setattr_user_ptys(telnetd_t) ++userdom_manage_user_tmp_files(telnetd_t) ++userdom_tmp_filetrans_user_tmp(telnetd_t, file) + + tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(telnetd_t) +@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',` + + optional_policy(` + kerberos_keytab_template(telnetd, telnetd_t) +- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0") ++ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0") + 
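Review bot: Removing `files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })` leaves the retained `manage_dirs_pattern`/`manage_files_pattern` rules on `telnetd_tmp_t` with no rule that ever labels an object with that type, while the `@@ -69,12 +72,12 @@` hunk adds `userdom_tmp_filetrans_user_tmp(telnetd_t, file)`, so telnetd's /tmp files now get the shared user tmp type instead of the daemon-private one. Either restore the `files_tmp_filetrans` line or drop the dead `telnetd_tmp_t` rules, and add a comment stating why the daemon's temporary files are meant to be shared with user domains. The added comment `# for identd; cjp: this should probably only be inetd_child rules?` commits an open question to the policy; settle it or reword it as a TODO with the intended rule set.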
kerberos_manage_host_rcache(telnetd_t) + ') + +diff --git a/tftp.fc b/tftp.fc +index 93a5bf4..621f343 100644 +--- a/tftp.fc ++++ b/tftp.fc +@@ -1,9 +1,9 @@ +-/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) ++/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) + + /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) + /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) + +-/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) +-/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) ++/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) ++/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) + +-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) ++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +diff --git a/tftp.if b/tftp.if +index 9957e30..cf0b925 100644 +--- a/tftp.if ++++ b/tftp.if +@@ -1,8 +1,8 @@ +-## Trivial file transfer protocol daemon. ++## Trivial file transfer protocol daemon + + ######################################## + ## +-## Read tftp content files. ++## Read tftp content + ## + ## + ## +@@ -13,18 +13,21 @@ + interface(`tftp_read_content',` + gen_require(` + type tftpdir_t; ++ type tftpdir_rw_t; + ') + +- files_search_var_lib($1) +- allow $1 tftpdir_t:dir list_dir_perms; +- allow $1 tftpdir_t:file read_file_perms; +- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; ++ list_dirs_pattern($1, tftpdir_t, tftpdir_t) ++ read_files_pattern($1, tftpdir_t, tftpdir_t) ++ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) ++ ++ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## tftp rw content. ++## Search tftp /var/lib directories. 
+ ## + ## + ## +@@ -32,20 +35,18 @@ interface(`tftp_read_content',` + ## + ## + # +-interface(`tftp_manage_rw_content',` ++interface(`tftp_search_rw_content',` + gen_require(` + type tftpdir_rw_t; + ') + ++ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + files_search_var_lib($1) +- allow $1 tftpdir_rw_t:dir manage_dir_perms; +- allow $1 tftpdir_rw_t:file manage_file_perms; +- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; + ') + + ######################################## + ## +-## Read tftpd configuration files. ++## Manage tftp /var/lib files. + ## + ## + ## +@@ -53,19 +54,19 @@ interface(`tftp_manage_rw_content',` + ## + ## + # +-interface(`tftp_read_config_files',` ++interface(`tftp_manage_rw_content',` + gen_require(` +- type tftpd_conf_t; ++ type tftpdir_rw_t; + ') + +- files_search_etc($1) +- allow $1 tftpd_conf_t:file read_file_perms; ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## tftpd configuration files. ++## Read tftp config files. + ## + ## + ## +@@ -73,55 +74,44 @@ interface(`tftp_read_config_files',` + ## + ## + # +-interface(`tftp_manage_config_files',` ++interface(`tftp_read_config',` + gen_require(` +- type tftpd_conf_t; ++ type tftpd_etc_t; + ') + +- files_search_etc($1) +- allow $1 tftpd_conf_t:file manage_file_perms; ++ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t) + ') + + ######################################## + ## +-## Create objects in etc directories +-## with tftp conf type. ++## Manage tftp config files. + ## + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain allowed access. 
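Review bot: `tftp_read_content` now also grants list/read on `tftpdir_rw_t`, so every existing caller that asked for the read-only tree silently gains read access to the writable upload directory, and the `files_search_var_lib($1)` it used to carry is gone, so a caller cannot reach `/var/lib/tftpboot` through this interface alone. Either keep the interface on `tftpdir_t` and point callers that need the rw tree at `tftp_search_rw_content`/`tftp_manage_rw_content`, or restore `files_search_var_lib($1)` and state the wider scope in the summary, e.g. `## Read tftp content, including the writable tree under /var/lib/tftpboot.`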
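Review bot: The rewritten `tftp_manage_rw_content` drops the `lnk_file` management the old body granted via `manage_lnk_file_perms`, while `tftpd_t` itself keeps `manage_lnk_files_pattern` on `tftpdir_rw_t` in tftp.te, so callers that create symlinks under `/var/lib/tftpboot` will start being denied. If the drop is deliberate it deserves a line in the interface description; otherwise add `manage_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)` next to the two existing pattern calls.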
+ ## + ## + # +-interface(`tftp_etc_filetrans_config',` ++interface(`tftp_manage_config',` + gen_require(` +- type tftp_conf_t; ++ type tftpd_etc_t; + ') + +- files_etc_filetrans($1, tftp_conf_t, $2, $3) ++ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t) ++ files_etc_filetrans($1, tftpd_etc_t, file, "tftp") + ') + + ######################################## + ## + ## Create objects in tftpdir directories +-## with a private type. ++## with specified types. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + ## + ## Private file type. + ## +@@ -131,25 +121,38 @@ interface(`tftp_etc_filetrans_config',` + ## Class of the object being created. + ## + ## +-## +-## +-## The name of the object being created. +-## +-## + # + interface(`tftp_filetrans_tftpdir',` + gen_require(` + type tftpdir_rw_t; + ') + ++ filetrans_pattern($1, tftpdir_rw_t, $2, $3) + files_search_var_lib($1) +- filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an tftp environment. ++## Transition to tftp named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tftp_filetrans_named_content',` ++ gen_require(` ++ type tftpd_etc_t; ++ ') ++ ++ files_etc_filetrans($1, tftpd_etc_t, file, "tftp") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tftp environment + ## + ## + ## +@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',` + interface(`tftp_admin',` + gen_require(` + type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; +- type tftpd_conf_t; + ') + +- allow $1 tftpd_t:process { ptrace signal_perms }; ++ allow $1 tftpd_t:process signal_perms; + ps_process_pattern($1, tftpd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tftpd_t:process ptrace; ++ ') + +- files_search_etc($1) +- admin_pattern($1, tftpd_conf_t) ++ files_list_var_lib($1) + +- files_search_var_lib($1) +- admin_pattern($1, { tftpdir_t tftpdir_rw_t }) ++ admin_pattern($1, tftpdir_rw_t) ++ ++ admin_pattern($1, tftpdir_t) + + files_list_pids($1) + admin_pattern($1, tftpd_var_run_t) ++ ++ tftp_manage_config($1) + ') +diff --git a/tftp.te b/tftp.te +index f455e70..a3b440c 100644 +--- a/tftp.te ++++ b/tftp.te +@@ -1,4 +1,4 @@ +-policy_module(tftp, 1.12.4) ++policy_module(tftp, 1.12.0) + + ######################################## + # +@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4) + # + + ## +-##
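Review bot: `tftp_filetrans_tftpdir` loses its fourth argument (the object name), but m4 ignores surplus arguments, so an existing caller that passes a name compiles unchanged and silently gets an unconditional type transition instead of a name-based one. Keeping the optional parameter, `filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)`, together with its parameter documentation avoids that regression. The new `tftp_filetrans_named_content` also repeats the exact `files_etc_filetrans($1, tftpd_etc_t, file, "tftp")` line that `tftp_manage_config` already contains; having `tftp_manage_config` call `tftp_filetrans_named_content($1)` keeps a single source for the transition.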

    +-## Determine whether tftp can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow tftp to modify public files ++## used for public file transfer services. ++##

    + ##
    + gen_tunable(tftp_anon_write, false) + + ## +-##

    +-## Determine whether tftp can manage +-## generic user home content. +-##

    ++##

    ++## Allow tftp to read and write files in the user home directories ++##

    + ##
    +-gen_tunable(tftp_enable_homedir, false) ++gen_tunable(tftp_home_dir, false) + + type tftpd_t; + type tftpd_exec_t; + init_daemon_domain(tftpd_t, tftpd_exec_t) + +-type tftpd_conf_t; +-files_config_file(tftpd_conf_t) +- + type tftpd_var_run_t; + files_pid_file(tftpd_var_run_t) + +@@ -39,6 +33,9 @@ files_type(tftpdir_t) + type tftpdir_rw_t; + files_type(tftpdir_rw_t) + ++type tftpd_etc_t; ++files_config_file(tftpd_etc_t) ++ + ######################################## + # + # Local policy +@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t) + + allow tftpd_t self:capability { setgid setuid sys_chroot }; + dontaudit tftpd_t self:capability sys_tty_config; +-allow tftpd_t self:tcp_socket { accept listen }; +-allow tftpd_t self:unix_stream_socket { accept listen }; +- +-allow tftpd_t tftpd_conf_t:file read_file_perms; ++allow tftpd_t self:tcp_socket create_stream_socket_perms; ++allow tftpd_t self:udp_socket create_socket_perms; ++allow tftpd_t self:unix_dgram_socket create_socket_perms; ++allow tftpd_t self:unix_stream_socket create_stream_socket_perms; + + allow tftpd_t tftpdir_t:dir list_dir_perms; + allow tftpd_t tftpdir_t:file read_file_perms; + allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; + ++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) ++ + manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) + manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) + manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) +@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) + kernel_read_system_state(tftpd_t) + kernel_read_kernel_sysctls(tftpd_t) + +-corenet_all_recvfrom_unlabeled(tftpd_t) + corenet_all_recvfrom_netlabel(tftpd_t) ++corenet_tcp_sendrecv_generic_if(tftpd_t) + corenet_udp_sendrecv_generic_if(tftpd_t) ++corenet_tcp_sendrecv_generic_node(tftpd_t) + corenet_udp_sendrecv_generic_node(tftpd_t) ++corenet_tcp_sendrecv_all_ports(tftpd_t) ++corenet_udp_sendrecv_all_ports(tftpd_t) ++corenet_tcp_bind_generic_node(tftpd_t) + 
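Review bot: Renaming the boolean `tftp_enable_homedir` to `tftp_home_dir` and removing the `tftpd_conf_t` type are both silent compatibility breaks: a persisted `setsebool -P tftp_enable_homedir on` no longer matches anything, and files still labelled `tftpd_conf_t` on disk become invalid until relabelled. Adding `typealias tftpd_etc_t alias tftpd_conf_t;` beside the new `tftpd_etc_t` declaration in the following hunk covers the on-disk labels; for the boolean, either keep the old name or carry the rename in the distribution's boolean substitution list (if this base uses one — not visible here). The new description, `Allow tftp to read and write files in the user home directories`, should also be checked against what the tunable actually grants further down in this file, which goes beyond home directories.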
corenet_udp_bind_generic_node(tftpd_t) +- +-corenet_sendrecv_tftp_server_packets(tftpd_t) + corenet_udp_bind_tftp_port(tftpd_t) +-corenet_udp_sendrecv_tftp_port(tftpd_t) ++corenet_sendrecv_tftp_server_packets(tftpd_t) + + dev_read_sysfs(tftpd_t) + ++fs_getattr_all_fs(tftpd_t) ++fs_search_auto_mountpoints(tftpd_t) ++ + domain_use_interactive_fds(tftpd_t) + + files_read_etc_runtime_files(tftpd_t) +@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t) + files_read_var_symlinks(tftpd_t) + files_search_var(tftpd_t) + +-fs_getattr_all_fs(tftpd_t) +-fs_search_auto_mountpoints(tftpd_t) +- + auth_use_nsswitch(tftpd_t) + + logging_send_syslog_msg(tftpd_t) + +-miscfiles_read_localization(tftpd_t) + miscfiles_read_public_files(tftpd_t) + + userdom_dontaudit_use_unpriv_user_fds(tftpd_t) + userdom_dontaudit_use_user_terminals(tftpd_t) +-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) ++userdom_dontaudit_search_user_home_dirs(tftpd_t) ++ ++userdom_home_manager(tftpd_t) + + tunable_policy(`tftp_anon_write',` + miscfiles_manage_public_files(tftpd_t) + ') + +-tunable_policy(`tftp_enable_homedir',` +- allow tftpd_t self:capability { dac_override dac_read_search }; ++tunable_policy(`tftp_home_dir',` ++ allow tftpd_t self:capability { dac_override dac_read_search }; + ++ # allow access to /home + files_list_home(tftpd_t) +- userdom_manage_user_home_content_dirs(tftpd_t) +- userdom_manage_user_home_content_files(tftpd_t) +- userdom_manage_user_home_content_symlinks(tftpd_t) ++ userdom_read_user_home_content_files(tftpd_t) ++ userdom_manage_user_home_content(tftpd_t) ++ ++ auth_read_all_dirs_except_shadow(tftpd_t) ++ auth_read_all_files_except_shadow(tftpd_t) ++ auth_read_all_symlinks_except_shadow(tftpd_t) ++',` ++ # Needed for permissive mode, to make sure everything gets labeled correctly ++ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file }) + ') + +-tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',` +- 
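Review bot: The hunk gives `tftpd_t` TCP send/receive on all ports plus `corenet_tcp_bind_generic_node`, although TFTP runs over UDP/69 and nothing in this diff shows the daemon using TCP. The UDP widening from `corenet_udp_sendrecv_tftp_port` to `corenet_udp_sendrecv_all_ports` is plausible, since transfers move to ephemeral ports on both sides, but the four `corenet_tcp_*` lines should either be dropped or carry a comment naming the TCP feature of atftpd/in.tftpd that needs them, e.g. `# TCP: needed for <feature> in atftpd`.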
fs_manage_nfs_dirs(tftpd_t) +- fs_manage_nfs_files(tftpd_t) +- fs_read_nfs_symlinks(tftpd_t) ++tunable_policy(`tftp_home_dir && use_nfs_home_dirs',` ++ fs_manage_nfs_files(tftpd_t) ++ fs_read_nfs_symlinks(tftpd_t) + ') + +-tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',` +- fs_manage_cifs_dirs(tftpd_t) +- fs_manage_cifs_files(tftpd_t) +- fs_read_cifs_symlinks(tftpd_t) ++tunable_policy(`tftp_home_dir && use_samba_home_dirs',` ++ fs_manage_cifs_files(tftpd_t) ++ fs_read_cifs_symlinks(tftpd_t) + ') + + optional_policy(` +diff --git a/tgtd.fc b/tgtd.fc +index 38389e6..4847b43 100644 +--- a/tgtd.fc ++++ b/tgtd.fc +@@ -1,7 +1,4 @@ +-/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) +- +-/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) +- +-/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +- +-/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) ++/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) ++/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) ++/var/lib/tgtd(/.*)? 
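Review bot: Inside the `tftp_home_dir` tunable block the three `auth_read_all_*_except_shadow(tftpd_t)` calls let an unauthenticated network daemon read every non-shadow file on the system, far beyond the home-directory access the boolean's description promises. The same hunk also calls `userdom_home_manager(tftpd_t)` unconditionally, outside the tunable, so whatever the `home_manager` attribute grants in this base (its rules are not visible here) is no longer gated by the boolean. Drop the `auth_read_all_*` lines in favour of the `userdom_read_user_home_content_files`/`userdom_manage_user_home_content` calls already present, and move `userdom_home_manager` inside the tunable — or state in the boolean text that enabling it exposes the whole filesystem.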
gen_context(system_u:object_r:tgtd_var_lib_t,s0) ++/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) +diff --git a/tgtd.if b/tgtd.if +index 5406b6e..dc5b46e 100644 +--- a/tgtd.if ++++ b/tgtd.if +@@ -97,6 +97,6 @@ interface(`tgtd_admin',` + files_search_tmp($1) + admin_pattern($1, tgtd_tmp_t) + +- files_search_tmpfs($1) ++ fs_search_tmpfs($1) + admin_pattern($1, tgtd_tmpfs_t) + ') +diff --git a/tgtd.te b/tgtd.te +index c93c973..60f4ce9 100644 +--- a/tgtd.te ++++ b/tgtd.te +@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) + # Local policy + # + +-allow tgtd_t self:capability sys_resource; ++allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin }; + allow tgtd_t self:capability2 block_suspend; + allow tgtd_t self:process { setrlimit signal }; + allow tgtd_t self:fifo_file rw_fifo_file_perms; +@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t) + kernel_read_fs_sysctls(tgtd_t) + + corenet_all_recvfrom_netlabel(tgtd_t) +-corenet_all_recvfrom_unlabeled(tgtd_t) + corenet_tcp_sendrecv_generic_if(tgtd_t) + corenet_tcp_sendrecv_generic_node(tgtd_t) + corenet_tcp_bind_generic_node(tgtd_t) + + corenet_sendrecv_iscsi_server_packets(tgtd_t) + corenet_tcp_bind_iscsi_port(tgtd_t) ++corenet_tcp_connect_isns_port(tgtd_t) + corenet_tcp_sendrecv_iscsi_port(tgtd_t) + + dev_read_sysfs(tgtd_t) + +-files_read_etc_files(tgtd_t) ++files_list_mnt(tgtd_t) + + fs_read_anon_inodefs_files(tgtd_t) + + storage_manage_fixed_disk(tgtd_t) ++storage_read_scsi_generic(tgtd_t) ++storage_write_scsi_generic(tgtd_t) + + logging_send_syslog_msg(tgtd_t) + +-miscfiles_read_localization(tgtd_t) +- + optional_policy(` + iscsi_manage_semaphores(tgtd_t) + ') +diff --git a/thin.fc b/thin.fc +new file mode 100644 +index 0000000..1f8a908 +--- /dev/null ++++ b/thin.fc +@@ -0,0 +1,12 @@ ++/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) ++ ++/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) ++ 
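Review bot: The capability set for `tgtd_t` grows from `sys_resource` to `{ dac_override ipc_lock sys_resource sys_rawio sys_admin }` with no comment on which operation needs each, and `sys_admin` plus `sys_rawio` is close to unconfined root for a daemon that already has `storage_manage_fixed_disk`. Each capability should be justified in a comment, e.g. `# sys_rawio: SG_IO passthrough to backing devices; ipc_lock: mlock of I/O buffers`, and `dac_override` is usually avoidable by labelling the backing files (`tgtd_var_lib_t`) instead of bypassing DAC.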
++/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0) ++ ++/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0) ++/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0) ++ ++/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0) ++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) ++/var/run/thin(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0) +diff --git a/thin.if b/thin.if +new file mode 100644 +index 0000000..5e3637e +--- /dev/null ++++ b/thin.if +@@ -0,0 +1,64 @@ ++## thin policy ++ ++####################################### ++## ++## Creates types and rules for a basic ++## thin daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`thin_domain_template',` ++ gen_require(` ++ attribute thin_domain; ++ ') ++ ++ type $1_t, thin_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ can_exec($1_t, $1_exec_t) ++ ++ kernel_read_system_state($1_t) ++') ++ ++###################################### ++## ++## Execute mongod in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`thin_exec',` ++ gen_require(` ++ type thin_exec_t; ++ ') ++ ++ can_exec($1, thin_exec_t) ++') ++ ++##################################### ++## ++## Connect to thin over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`thin_stream_connect',` ++ gen_require(` ++ type thin_t, thin_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t) ++') +diff --git a/thin.te b/thin.te +new file mode 100644 +index 0000000..39d17b7 +--- /dev/null ++++ b/thin.te +@@ -0,0 +1,115 @@ ++policy_module(thin, 1.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute thin_domain; ++ ++thin_domain_template(thin) ++ ++type thin_log_t; ++logging_log_file(thin_log_t) ++ ++type thin_var_run_t; ++files_pid_file(thin_var_run_t) ++ ++thin_domain_template(thin_aeolus_configserver) ++ ++type thin_aeolus_configserver_lib_t; ++files_type(thin_aeolus_configserver_lib_t) ++ ++type thin_aeolus_configserver_log_t; ++logging_log_file(thin_aeolus_configserver_log_t) ++ ++type thin_aeolus_configserver_var_run_t; ++files_pid_file(thin_aeolus_configserver_var_run_t) ++ ++######################################## ++# ++# thin_domain local policy ++# ++ ++allow thin_domain self:process signal; ++ ++allow thin_domain self:fifo_file rw_fifo_file_perms; ++allow thin_domain self:tcp_socket create_stream_socket_perms; ++ ++# we want to stay in a new thin domain if we call thin binary from a script ++# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t ++can_exec(thin_domain, thin_exec_t) ++ ++corecmd_exec_bin(thin_domain) ++corecmd_exec_shell(thin_domain) ++ ++corenet_tcp_bind_generic_node(thin_domain) ++ ++dev_read_rand(thin_domain) ++dev_read_urand(thin_domain) ++ ++ ++auth_read_passwd(thin_domain) ++ ++miscfiles_read_certs(thin_domain) ++ ++ ++fs_search_auto_mountpoints(thin_domain) ++ ++init_read_utmp(thin_domain) ++ ++kernel_read_kernel_sysctls(thin_domain) ++ ++optional_policy(` ++ apache_read_sys_content(thin_domain) ++') ++ ++optional_policy(` ++ sysnet_read_config(thin_domain) ++') ++ ++######################################## ++# ++# thin local policy ++# ++ ++allow thin_t self:capability { 
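Review bot: The summary of `thin_exec` reads `Execute mongod in the caller domain`, a copy-paste from another module; it should read `## Execute thin in the caller domain.` `thin_domain_template` also depends on the `thin_domain` attribute being declared by thin.te but its description does not say so; a sentence such as `The thin_domain attribute must be declared by the module using this template.` would help anyone reusing it.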
setuid kill setgid dac_override }; ++allow thin_t self:capability2 block_suspend; ++ ++allow thin_t self:netlink_route_socket r_netlink_socket_perms; ++allow thin_t self:udp_socket create_socket_perms; ++allow thin_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(thin_t, thin_log_t, thin_log_t) ++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) ++logging_log_filetrans(thin_t, thin_log_t, { file dir }) ++ ++manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file }) ++ ++corenet_tcp_bind_ntop_port(thin_t) ++corenet_tcp_connect_postgresql_port(thin_t) ++ ++####################################### ++# ++# thin aeolus configserver local policy ++# ++ ++allow thin_aeolus_configserver_t self:capability { setuid setgid }; ++ ++corenet_tcp_bind_tram_port(thin_aeolus_configserver_t) ++ ++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) ++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) ++files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir }) ++ ++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) ++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) ++logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir }) ++ ++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) ++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) 
++files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) +diff --git a/thumb.fc b/thumb.fc +new file mode 100644 +index 0000000..92b6843 +--- /dev/null ++++ b/thumb.fc +@@ -0,0 +1,18 @@ ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) ++HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) ++HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) ++HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) ++ ++/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/gnome-[^/]*-thumbnailer(.sh)? -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/raw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/shotwell-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0) ++ ++/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) +diff --git a/thumb.if b/thumb.if +new file mode 100644 +index 0000000..c1fd8b4 +--- /dev/null ++++ b/thumb.if +@@ -0,0 +1,133 @@ ++ ++## policy for thumb ++ ++######################################## ++## ++## Transition to thumb. ++## ++## ++## ++## Domain allowed to transition. 
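Review bot: `thin_t` is given `dac_override` (and `kill`) in its self capability set with no explanation, which for a Ruby web server means any file its label rules reach can be opened regardless of DAC permissions. If the need is a root-owned config, log or socket, labelling it (the module already declares `thin_var_run_t` and `thin_log_t`) removes the need for the capability; otherwise a comment naming the operation should sit above the rule. The comment over `can_exec(thin_domain, thin_exec_t)` describes a `thin_test` domain that does not exist in this file; using the real derived domain, e.g. `# initrc_t@thin_aeolus_configserver_exec_t -> thin_aeolus_configserver_t@thin_exec_t -> thin_aeolus_configserver_t`, would make the intent checkable.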
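Review bot: In `/usr/bin/gnome-[^/]*-thumbnailer(.sh)?` the dot is unescaped, so `(.sh)?` matches any character before `sh`; it should be `(\.sh)?`, matching the escaping used by the other entries. Several explicit entries (evince-, raw-, shotwell-video-, totem-video-, whaaw-, ffmpegthumbnailer) are already covered by `/usr/bin/[^/]*thumbnailer`, and `HOME_DIR/\.texlive2012(/.*)?` hard-codes a TeX Live year that will silently stop matching on the next release; `HOME_DIR/\.texlive[0-9]+(/.*)?` is the more durable pattern.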
++## ++## ++# ++interface(`thumb_domtrans',` ++ gen_require(` ++ type thumb_t, thumb_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, thumb_exec_t, thumb_t) ++') ++ ++ ++######################################## ++## ++## Execute thumb in the thumb domain, and ++## allow the specified role the thumb domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the thumb domain. ++## ++## ++# ++interface(`thumb_run',` ++ gen_require(` ++ type thumb_t; ++ ') ++ ++ thumb_domtrans($1) ++ role $2 types thumb_t; ++ ++ allow $1 thumb_t:process signal_perms; ++ ++ dontaudit thumb_t $1:dir list_dir_perms; ++ dontaudit thumb_t $1:file read_file_perms; ++ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms; ++ ++ allow thumb_t $1:shm create_shm_perms; ++ allow thumb_t $1:sem create_sem_perms; ++') ++ ++######################################## ++## ++## Role access for thumb ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`thumb_role',` ++ gen_require(` ++ type thumb_t; ++ class dbus send_msg; ++ ') ++ ++ thumb_run($2, $1) ++ ++ ps_process_pattern($2, thumb_t) ++ allow thumb_t $2:unix_stream_socket connectto; ++ ++ thumb_dbus_chat($2) ++ thumb_filetrans_home_content($2) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## thumb over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`thumb_dbus_chat',` ++ gen_require(` ++ type thumb_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 thumb_t:dbus send_msg; ++ allow thumb_t $1:dbus send_msg; ++ ps_process_pattern(thumb_t, $1) ++') ++ ++######################################## ++## ++## Create thumb content in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`thumb_filetrans_home_content',` ++ ++ gen_require(` ++ type thumb_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails") ++ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log") ++ ++ optional_policy(` ++ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails") ++ ') ++') +diff --git a/thumb.te b/thumb.te +new file mode 100644 +index 0000000..b57cc3c +--- /dev/null ++++ b/thumb.te +@@ -0,0 +1,149 @@ ++policy_module(thumb, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type thumb_t; ++type thumb_exec_t; ++application_domain(thumb_t, thumb_exec_t) ++ubac_constrained(thumb_t) ++userdom_home_manager(thumb_t) ++ ++type thumb_tmp_t; ++files_tmp_file(thumb_tmp_t) ++ubac_constrained(thumb_tmp_t) ++ ++type thumb_home_t; ++userdom_user_home_content(thumb_home_t) ++ ++type thumb_tmpfs_t; ++files_tmpfs_file(thumb_tmpfs_t) ++ ++######################################## ++# ++# thumb local policy ++# ++ ++allow thumb_t self:process { setsched signal signull setrlimit }; ++dontaudit thumb_t self:capability sys_tty_config; ++ ++tunable_policy(`deny_execmem',`',` ++ allow thumb_t self:process execmem; ++') ++ ++allow thumb_t self:fifo_file manage_fifo_file_perms; ++allow thumb_t self:unix_stream_socket create_stream_socket_perms; ++allow thumb_t self:netlink_route_socket r_netlink_socket_perms; ++allow thumb_t self:udp_socket create_socket_perms; ++allow thumb_t self:tcp_socket create_socket_perms; ++allow thumb_t self:shm create_shm_perms; ++allow thumb_t self:sem create_sem_perms; ++ ++manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t) ++manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) ++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails") ++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") ++userdom_dontaudit_access_check_user_content(thumb_t) ++userdom_rw_inherited_user_tmpfs_files(thumb_t) ++ 
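Review bot: The description of `thumb_filetrans_home_content` says `with an correct label`; it should be `with the correct label`. `thumb_run` also lets `thumb_t` create shm and sem objects against the caller's domain (`allow thumb_t $1:shm create_shm_perms`) and dontaudits reads of the caller's state, which is presumably for helpers launched from the desktop session but is not explained; a one-line comment such as `# thumbnailer helpers create SysV shm/sem owned by the launching user domain -- confirm consumer` would keep the cross-domain IPC grant from looking like an oversight.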
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file }) ++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file }) ++xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file) ++ ++manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t) ++manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t) ++fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file }) ++ ++can_exec(thumb_t, thumb_exec_t) ++ ++kernel_read_system_state(thumb_t) ++ ++corecmd_exec_bin(thumb_t) ++corecmd_exec_shell(thumb_t) ++ ++dev_read_sysfs(thumb_t) ++dev_read_urand(thumb_t) ++dev_dontaudit_rw_dri(thumb_t) ++dev_rw_xserver_misc(thumb_t) ++ ++domain_use_interactive_fds(thumb_t) ++domain_dontaudit_read_all_domains_state(thumb_t) ++ ++files_read_non_security_files(thumb_t) ++ ++fs_getattr_all_fs(thumb_t) ++fs_read_dos_files(thumb_t) ++fs_rw_inherited_tmpfs_files(thumb_t) ++ ++auth_read_passwd(thumb_t) ++ ++tunable_policy(`selinuxuser_execmod',` ++ libs_legacy_use_shared_libs(thumb_t) ++') ++ ++miscfiles_read_fonts(thumb_t) ++miscfiles_dontaudit_setattr_fonts_dirs(thumb_t) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t) ++ ++sysnet_read_config(thumb_t) ++ ++userdom_dontaudit_setattr_user_tmp(thumb_t) ++userdom_read_user_tmp_files(thumb_t) ++userdom_read_user_home_content_files(thumb_t) ++userdom_exec_user_home_content_files(thumb_t) ++userdom_dontaudit_write_user_tmp_files(thumb_t) ++userdom_dontaudit_delete_user_tmp_files(thumb_t) ++userdom_read_home_audio_files(thumb_t) ++userdom_home_reader(thumb_t) ++ ++userdom_use_user_terminals(thumb_t) ++ ++xserver_read_xdm_home_files(thumb_t) ++xserver_append_xdm_home_files(thumb_t) ++xserver_dontaudit_read_xdm_pid(thumb_t) ++xserver_dontaudit_xdm_tmp_dirs(thumb_t) 
++xserver_stream_connect(thumb_t) ++xserver_use_user_fonts(thumb_t) ++ ++optional_policy(` ++ dbus_dontaudit_stream_connect_session_bus(thumb_t) ++ dbus_dontaudit_chat_session_bus(thumb_t) ++') ++ ++optional_policy(` ++ # .config ++ gnome_dontaudit_search_config(thumb_t) ++ gnome_dontaudit_write_config_files(thumb_t) ++ gnome_append_generic_cache_files(thumb_t) ++ gnome_read_generic_data_home_files(thumb_t) ++ gnome_dontaudit_rw_generic_cache_files(thumb_t) ++ gnome_manage_gstreamer_home_files(thumb_t) ++ gnome_manage_gstreamer_home_dirs(thumb_t) ++ gnome_exec_gstreamer_home_files(thumb_t) ++ gnome_create_generic_cache_dir(thumb_t) ++ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails") ++ gnome_cache_filetrans(thumb_t, thumb_home_t, file) ++') ++ ++optional_policy(` ++ sssd_dontaudit_stream_connect(thumb_t) ++') ++ ++optional_policy(` ++ nscd_dontaudit_write_sock_file(thumb_t) ++') ++ ++optional_policy(` ++ nslcd_dontaudit_write_sock_file(thumb_t) ++') ++ ++tunable_policy(`nis_enabled',` ++ corenet_dontaudit_udp_bind_all_ports(thumb_t) ++ corenet_dontaudit_udp_bind_generic_node(thumb_t) ++') +diff --git a/thunderbird.te b/thunderbird.te +index 4257ede..fc265b8 100644 +--- a/thunderbird.te ++++ b/thunderbird.te +@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t) + + corecmd_exec_shell(thunderbird_t) + +-corenet_all_recvfrom_unlabeled(thunderbird_t) + corenet_all_recvfrom_netlabel(thunderbird_t) + corenet_tcp_sendrecv_generic_if(thunderbird_t) + corenet_tcp_sendrecv_generic_node(thunderbird_t) +@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t) + dev_dontaudit_search_sysfs(thunderbird_t) + + files_list_tmp(thunderbird_t) +-files_read_usr_files(thunderbird_t) + files_read_etc_runtime_files(thunderbird_t) + files_read_var_files(thunderbird_t) + files_read_var_symlinks(thunderbird_t) +@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t) + auth_use_nsswitch(thunderbird_t) + + miscfiles_read_fonts(thunderbird_t) 
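Review bot: `thumb_t` is the domain that parses attacker-supplied images, videos and documents, yet the local policy gives it `files_read_non_security_files`, `userdom_home_reader` plus `userdom_home_manager`, `userdom_exec_user_home_content_files`, `corecmd_exec_shell`, and TCP/UDP socket creation, so a parser exploit in any thumbnailer reads most of the system and the user's home and can execute content found there. The read grants are probably unavoidable (thumbnails of arbitrary files), but `userdom_exec_user_home_content_files` and `corecmd_exec_shell` should be justified per thumbnailer or dropped, and the `tcp_socket`/`udp_socket` lines have no matching `corenet_*` rule in the hunk, so they look like candidates for removal or a `dontaudit` rather than an `allow`. A comment naming which thumbnailer needs shell or home-exec would make the grant reviewable.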
+-miscfiles_read_localization(thunderbird_t) + + userdom_write_user_tmp_sockets(thunderbird_t) + +@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t) + + userdom_manage_user_home_content_dirs(thunderbird_t) + userdom_manage_user_home_content_files(thunderbird_t) +-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) ++userdom_filetrans_home_content(thunderbird_t) + + xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) + xserver_read_xdm_tmp_files(thunderbird_t) + xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(thunderbird_t) +- fs_manage_nfs_files(thunderbird_t) +- fs_manage_nfs_symlinks(thunderbird_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(thunderbird_t) +- fs_manage_cifs_files(thunderbird_t) +- fs_manage_cifs_symlinks(thunderbird_t) +-') ++# Access ~/.thunderbird ++userdom_home_manager(thunderbird_t) + + ifndef(`enable_mls',` + fs_search_removable(thunderbird_t) +diff --git a/timidity.te b/timidity.te +index 67ca5c5..a1ef2d2 100644 +--- a/timidity.te ++++ b/timidity.te +@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f + kernel_read_kernel_sysctls(timidity_t) + kernel_read_system_state(timidity_t) + +-corenet_all_recvfrom_unlabeled(timidity_t) + corenet_all_recvfrom_netlabel(timidity_t) + corenet_tcp_sendrecv_generic_if(timidity_t) + corenet_udp_sendrecv_generic_if(timidity_t) +@@ -51,8 +50,6 @@ dev_write_sound(timidity_t) + + domain_use_interactive_fds(timidity_t) + +-files_read_etc_files(timidity_t) +-files_read_usr_files(timidity_t) + files_search_tmp(timidity_t) + + fs_search_auto_mountpoints(timidity_t) +diff --git a/tmpreaper.te b/tmpreaper.te +index a4a949c..9ae28c6 100644 +--- a/tmpreaper.te ++++ b/tmpreaper.te +@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) + type tmpreaper_t; + type tmpreaper_exec_t; + init_system_domain(tmpreaper_t, 
tmpreaper_exec_t) ++application_domain(tmpreaper_t, tmpreaper_exec_t) + + ######################################## + # +@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; + + kernel_list_unlabeled(tmpreaper_t) + kernel_read_system_state(tmpreaper_t) ++kernel_delete_unlabeled(tmpreaper_t) + + dev_read_urand(tmpreaper_t) + + fs_getattr_xattr_fs(tmpreaper_t) + fs_list_all(tmpreaper_t) ++fs_setattr_tmpfs_dirs(tmpreaper_t) ++fs_delete_tmpfs_files(tmpreaper_t) + +-files_getattr_all_dirs(tmpreaper_t) +-files_getattr_all_files(tmpreaper_t) + files_read_var_lib_files(tmpreaper_t) + files_purge_tmp(tmpreaper_t) ++files_delete_all_non_security_files(tmpreaper_t) ++# why does it need setattr? + files_setattr_all_tmp_dirs(tmpreaper_t) ++files_setattr_isid_type_dirs(tmpreaper_t) ++files_setattr_usr_dirs(tmpreaper_t) ++files_getattr_all_dirs(tmpreaper_t) ++files_getattr_all_files(tmpreaper_t) + +-mcs_file_read_all(tmpreaper_t) +-mcs_file_write_all(tmpreaper_t) + mls_file_read_all_levels(tmpreaper_t) + mls_file_write_all_levels(tmpreaper_t) + +@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t) + + logging_send_syslog_msg(tmpreaper_t) + +-miscfiles_read_localization(tmpreaper_t) + miscfiles_delete_man_pages(tmpreaper_t) + + ifdef(`distro_redhat',` +- userdom_list_all_user_home_content(tmpreaper_t) ++ userdom_list_user_home_content(tmpreaper_t) ++ userdom_list_admin_dir(tmpreaper_t) + userdom_delete_all_user_home_content_dirs(tmpreaper_t) + userdom_delete_all_user_home_content_files(tmpreaper_t) ++ userdom_delete_all_user_home_content_sock_files(tmpreaper_t) + userdom_delete_all_user_home_content_symlinks(tmpreaper_t) ++ userdom_setattr_all_user_home_content_dirs(tmpreaper_t) + ') + + optional_policy(` +@@ -54,6 +62,7 @@ optional_policy(` + ') + + optional_policy(` ++ apache_delete_sys_content_rw(tmpreaper_t) + apache_list_cache(tmpreaper_t) + apache_delete_cache_dirs(tmpreaper_t) + apache_delete_cache_files(tmpreaper_t) +@@ -69,7 +78,19 
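Review bot: `files_delete_all_non_security_files(tmpreaper_t)` and `kernel_delete_unlabeled(tmpreaper_t)` turn a /tmp cleaner into a domain that can unlink nearly any non-security file on the system, so a misconfigured or hostile cleanup path is no longer contained by policy; before this hunk deletion was limited to `files_purge_tmp` and the per-application types in the optional blocks below. The hunk also leaves `# why does it need setattr?` as an open question above `files_setattr_all_tmp_dirs`. If the broad delete is needed for specific directories, naming them in a comment or adding dedicated `*_delete_*` interfaces (as the apache, mandb and sandbox blocks do) keeps the grant reviewable.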
@@ optional_policy(` + ') + + optional_policy(` +- lpd_manage_spool(tmpreaper_t) ++ lpd_manage_spool(tmpreaper_t) ++') ++ ++optional_policy(` ++ mandb_delete_cache(tmpreaper_t) ++') ++ ++optional_policy(` ++ sandbox_list(tmpreaper_t) ++ sandbox_delete_dirs(tmpreaper_t) ++ sandbox_delete_files(tmpreaper_t) ++ sandbox_delete_sock_files(tmpreaper_t) ++ sandbox_setattr_dirs(tmpreaper_t) + ') + + optional_policy(` +diff --git a/tomcat.fc b/tomcat.fc +new file mode 100644 +index 0000000..a8385bc +--- /dev/null ++++ b/tomcat.fc +@@ -0,0 +1,11 @@ ++/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0) ++ ++/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0) ++ ++/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0) ++ ++/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0) ++ ++/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0) ++ ++/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) +diff --git a/tomcat.if b/tomcat.if +new file mode 100644 +index 0000000..9abef48 +--- /dev/null ++++ b/tomcat.if +@@ -0,0 +1,395 @@ ++ ++## policy for tomcat ++ ++###################################### ++## ++## Creates types and rules for a basic ++## tomcat daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`tomcat_domain_template',` ++ gen_require(` ++ attribute tomcat_domain; ++ ') ++ ++ type $1_t, tomcat_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_cache_t; ++ files_type($1_cache_t) ++ ++ type $1_log_t; ++ logging_log_file($1_log_t) ++ ++ type $1_var_lib_t; ++ files_type($1_var_lib_t) ++ ++ type $1_var_run_t; ++ files_pid_file($1_var_run_t) ++ ++ type $1_tmp_t; ++ files_tmp_file($1_tmp_t) ++ ++ ################################## ++ # ++ # Local policy ++ # ++ ++ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t) ++ manage_files_pattern($1_t, $1_cache_t, $1_cache_t) ++ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t) ++ files_var_filetrans($1_t, $1_cache_t, { dir file }) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { dir file }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file }) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file }) ++ ++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir }) ++ ++ can_exec($1_t, $1_exec_t) ++ ++ kernel_read_system_state($1_t) ++ ++ logging_send_syslog_msg($1_t) ++') ++ ++######################################## ++## ++## Transition to tomcat. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`tomcat_domtrans',` ++ gen_require(` ++ type tomcat_t, tomcat_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, tomcat_exec_t, tomcat_t) ++') ++ ++######################################## ++## ++## Search tomcat cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_search_cache',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ allow $1 tomcat_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read tomcat cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_read_cache_files',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## tomcat cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_cache_files',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t) ++') ++ ++######################################## ++## ++## Manage tomcat cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_cache_dirs',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t) ++') ++ ++######################################## ++## ++## Read tomcat's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`tomcat_read_log',` ++ gen_require(` ++ type tomcat_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, tomcat_log_t, tomcat_log_t) ++') ++ ++######################################## ++## ++## Append to tomcat log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tomcat_append_log',` ++ gen_require(` ++ type tomcat_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, tomcat_log_t, tomcat_log_t) ++') ++ ++######################################## ++## ++## Manage tomcat log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_log',` ++ gen_require(` ++ type tomcat_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t) ++ manage_files_pattern($1, tomcat_log_t, tomcat_log_t) ++ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t) ++') ++ ++######################################## ++## ++## Search tomcat lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_search_lib',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ allow $1 tomcat_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read tomcat lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_read_lib_files',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) ++') ++ ++######################################## ++## ++## Manage tomcat lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_lib_files',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) ++') ++ ++######################################## ++## ++## Manage tomcat lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_lib_dirs',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) ++') ++ ++######################################## ++## ++## Read tomcat PID files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_read_pid_files',` ++ gen_require(` ++ type tomcat_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 tomcat_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute tomcat server in the tomcat domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tomcat_systemctl',` ++ gen_require(` ++ type tomcat_t; ++ type tomcat_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 tomcat_unit_file_t:file read_file_perms; ++ allow $1 tomcat_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, tomcat_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tomcat environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`tomcat_admin',` ++ gen_require(` ++ type tomcat_t; ++ type tomcat_cache_t; ++ type tomcat_log_t; ++ type tomcat_var_lib_t; ++ type tomcat_var_run_t; ++ type tomcat_unit_file_t; ++ ') ++ ++ allow $1 tomcat_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, tomcat_t) ++ ++ files_search_var($1) ++ admin_pattern($1, tomcat_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, tomcat_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, tomcat_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, tomcat_var_run_t) ++ ++ tomcat_systemctl($1) ++ admin_pattern($1, tomcat_unit_file_t) ++ allow $1 tomcat_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/tomcat.te b/tomcat.te +new file mode 100644 +index 0000000..5a263b2 +--- /dev/null ++++ b/tomcat.te +@@ -0,0 +1,69 @@ ++policy_module(tomcat, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute tomcat_domain; ++ ++tomcat_domain_template(tomcat) ++ ++type tomcat_unit_file_t; 
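Review bot: `tomcat_admin` grants `allow $1 tomcat_t:process { ptrace signal_perms };` unconditionally, whereas every other admin interface touched in this patch (tor_admin, tuned_admin, ulogd_admin, usbmuxd_admin) keeps `signal_perms` unconditional and puts ptrace behind the `deny_ptrace` boolean. The same shape here, `allow $1 tomcat_t:process signal_perms;` followed by `` tunable_policy(`deny_ptrace',`',` allow $1 tomcat_t:process ptrace; ') ``, keeps that boolean effective for the tomcat domain instead of silently exempting it. Separately, `tomcat_domain_template` uses `files_var_filetrans($1_t, $1_cache_t, { dir file })` with no filename, so any file or directory the domain creates directly under /var is labeled as cache, not just the cache directory itself; if `files_var_filetrans` accepts the optional name argument in this tree (the tuned.te hunk uses the named form of `logging_log_filetrans`), passing the cache directory name would narrow it.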
++systemd_unit_file(tomcat_unit_file_t) ++ ++####################################### ++# ++# tomcat local policy ++# ++ ++optional_policy(` ++ unconfined_domain(tomcat_t) ++') ++ ++######################################## ++# ++# tomcat domain local policy ++# ++ ++allow tomcat_t self:process execmem; ++allow tomcat_t self:process { signal signull }; ++ ++allow tomcat_t self:tcp_socket { accept listen }; ++allow tomcat_domain self:fifo_file rw_fifo_file_perms; ++allow tomcat_domain self:unix_stream_socket create_stream_socket_perms; ++ ++# we want to stay in a new tomcat domain if we call tomcat binary from a script ++# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t ++can_exec(tomcat_domain, tomcat_exec_t) ++ ++kernel_read_network_state(tomcat_domain) ++ ++corecmd_exec_bin(tomcat_domain) ++corecmd_exec_shell(tomcat_domain) ++ ++corenet_tcp_bind_generic_node(tomcat_domain) ++corenet_udp_bind_generic_node(tomcat_domain) ++corenet_tcp_bind_http_port(tomcat_domain) ++corenet_tcp_bind_http_cache_port(tomcat_domain) ++corenet_tcp_bind_mxi_port(tomcat_domain) ++corenet_tcp_connect_http_port(tomcat_domain) ++corenet_tcp_connect_mxi_port(tomcat_domain) ++ ++dev_read_rand(tomcat_domain) ++dev_read_urand(tomcat_domain) ++dev_read_sysfs(tomcat_domain) ++ ++domain_use_interactive_fds(tomcat_domain) ++ ++fs_getattr_all_fs(tomcat_domain) ++fs_read_hugetlbfs_files(tomcat_domain) ++ ++ ++auth_read_passwd(tomcat_domain) ++ ++sysnet_dns_name_resolve(tomcat_domain) ++ ++optional_policy(` ++ tomcat_search_lib(tomcat_domain) ++') +diff --git a/tor.fc b/tor.fc +index 6b9d449..ac02092 100644 +--- a/tor.fc ++++ b/tor.fc +@@ -6,6 +6,8 @@ + + /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) + ++/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0) ++ + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + /var/lib/tor-data(/.*)? 
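Review bot: The block `` optional_policy(` unconfined_domain(tomcat_t) ') `` makes tomcat_t unconfined whenever the unconfined module is loaded, which is the default on the distributions this patch targets, so the port bindings, the cache/log/lib type separation and the `execmem` rule below it have no enforcement effect in that configuration. An application server that parses untrusted HTTP input is the kind of domain confinement is meant for; if the intent is a staged rollout, `permissive tomcat_t;` keeps a full audit trail while the rules are refined, and if the unconfined call must stay it should carry a comment naming the tracking item that justifies it. `allow tomcat_t self:process execmem;` also deserves a why-line (for example `# JVM JIT needs anonymous executable mappings`) so it is not later widened to execstack or execheap by analogy.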
gen_context(system_u:object_r:tor_var_lib_t,s0) + +diff --git a/tor.if b/tor.if +index 61c2e07..5e1df41 100644 +--- a/tor.if ++++ b/tor.if +@@ -19,6 +19,29 @@ interface(`tor_domtrans',` + domtrans_pattern($1, tor_exec_t, tor_t) + ') + ++####################################### ++## ++## Execute tor server in the tor domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tor_systemctl',` ++ gen_require(` ++ type tor_t; ++ type tor_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 tor_unit_file_t:file read_file_perms; ++ allow $1 tor_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, tor_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -39,12 +62,18 @@ interface(`tor_domtrans',` + interface(`tor_admin',` + gen_require(` + type tor_t, tor_var_log_t, tor_etc_t; +- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t; ++ type tor_var_lib_t, tor_var_run_t; ++ type tor_initrc_exec_t; ++ type tor_unit_file_t; + ') + +- allow $1 tor_t:process { ptrace signal_perms }; ++ allow $1 tor_t:process signal_perms; + ps_process_pattern($1, tor_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tor_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, tor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 tor_initrc_exec_t system_r; +@@ -61,4 +90,13 @@ interface(`tor_admin',` + + files_list_pids($1) + admin_pattern($1, tor_var_run_t) ++ ++ tor_systemctl($1) ++ admin_pattern($1, tor_unit_file_t) ++ allow $1 tor_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/tor.te b/tor.te +index 964a395..78962c4 100644 +--- a/tor.te ++++ b/tor.te +@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4) + ## + gen_tunable(tor_bind_all_unreserved_ports, false) + ++## ++##
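Review bot: The tor.fc pattern `/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)` has an unescaped dot and no right anchor, so any unit whose name merely starts with `tor` (a `torrent...` unit, for instance) is labeled tor_unit_file_t, and every domain granted `tor_systemctl` or `tor_admin` can then start, stop and reload those unrelated units. `/usr/lib/systemd/system/tor\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0)`, or `tor(-.*)?\.service` if more than one tor unit ships, is the tight form. The usbmuxd.fc hunk later in the patch uses the same `usbmuxd.*` shape and should get the same treatment.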

    ++## Allow tor to act as a relay ++##

    ++##
    ++gen_tunable(tor_can_network_relay, false) ++ + type tor_t; + type tor_exec_t; + init_daemon_domain(tor_t, tor_exec_t) +@@ -33,6 +40,9 @@ type tor_var_run_t; + files_pid_file(tor_var_run_t) + init_daemon_run_dir(tor_var_run_t, "tor") + ++type tor_unit_file_t; ++systemd_unit_file(tor_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) + corenet_udp_sendrecv_generic_node(tor_t) + corenet_tcp_bind_generic_node(tor_t) + corenet_udp_bind_generic_node(tor_t) +- + corenet_sendrecv_dns_server_packets(tor_t) + corenet_udp_bind_dns_port(tor_t) + corenet_udp_sendrecv_dns_port(tor_t) +@@ -98,19 +107,22 @@ dev_read_urand(tor_t) + domain_use_interactive_fds(tor_t) + + files_read_etc_runtime_files(tor_t) +-files_read_usr_files(tor_t) + + auth_use_nsswitch(tor_t) + + logging_send_syslog_msg(tor_t) + +-miscfiles_read_localization(tor_t) +- + tunable_policy(`tor_bind_all_unreserved_ports',` + corenet_sendrecv_all_server_packets(tor_t) + corenet_tcp_bind_all_unreserved_ports(tor_t) + ') + ++tunable_policy(`tor_can_network_relay',` ++ # allow httpd to work as a relay ++ corenet_tcp_connect_all_ephemeral_ports(tor_t) ++ corenet_tcp_bind_http_port(tor_t) ++') ++ + optional_policy(` + seutil_sigchld_newrole(tor_t) + ') +diff --git a/transproxy.te b/transproxy.te +index 20d1a28..494a46d 100644 +--- a/transproxy.te ++++ b/transproxy.te +@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) + kernel_list_proc(transproxy_t) + kernel_read_proc_symlinks(transproxy_t) + +-corenet_all_recvfrom_unlabeled(transproxy_t) + corenet_all_recvfrom_netlabel(transproxy_t) + corenet_tcp_sendrecv_generic_if(transproxy_t) + corenet_tcp_sendrecv_generic_node(transproxy_t) +@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t) + + domain_use_interactive_fds(transproxy_t) + +-files_read_etc_files(transproxy_t) + + fs_getattr_all_fs(transproxy_t) + fs_search_auto_mountpoints(transproxy_t) + + 
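Review bot: The comment added inside the new `tor_can_network_relay` block, `# allow httpd to work as a relay`, names the wrong domain; the rules apply to tor_t, so it should read `# allow tor to act as a network relay`. The rules themselves, `corenet_tcp_connect_all_ephemeral_ports(tor_t)` and `corenet_tcp_bind_http_port(tor_t)`, are not self-explanatory for a relay — binding the http port suggests an ORPort/DirPort-on-80 deployment and the ephemeral-port connect is much broader than reaching other relays — so a comment stating which ports the boolean is meant to cover would let a reviewer check it against the port definitions. The tunable's description block in hunk `@@ -13,6 +13,13 @@` has lost its XML tags in this rendering, so its well-formedness should be verified in the source patch since `gen_tunable` documentation is parsed by the policy tooling.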
logging_send_syslog_msg(transproxy_t) + +-miscfiles_read_localization(transproxy_t) +- + sysnet_read_config(transproxy_t) + + userdom_dontaudit_use_unpriv_user_fds(transproxy_t) +diff --git a/tripwire.te b/tripwire.te +index 2e1110d..2c989b4 100644 +--- a/tripwire.te ++++ b/tripwire.te +@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t) + + logging_send_syslog_msg(tripwire_t) + +-userdom_use_user_terminals(tripwire_t) ++userdom_use_inherited_user_terminals(tripwire_t) + + optional_policy(` + cron_system_entry(tripwire_t, tripwire_exec_t) +@@ -107,9 +107,7 @@ files_search_etc(twadmin_t) + + logging_send_syslog_msg(twadmin_t) + +-miscfiles_read_localization(twadmin_t) +- +-userdom_use_user_terminals(twadmin_t) ++userdom_use_inherited_user_terminals(twadmin_t) + + ######################################## + # +@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t) + + logging_send_syslog_msg(twprint_t) + +-miscfiles_read_localization(twprint_t) +- +-userdom_use_user_terminals(twprint_t) ++userdom_use_inherited_user_terminals(twprint_t) + + ######################################## + # +@@ -150,6 +146,4 @@ files_read_all_files(siggen_t) + + logging_send_syslog_msg(siggen_t) + +-miscfiles_read_localization(siggen_t) +- +-userdom_use_user_terminals(siggen_t) ++userdom_use_inherited_user_terminals(siggen_t) +diff --git a/tuned.if b/tuned.if +index e29db63..061fb98 100644 +--- a/tuned.if ++++ b/tuned.if +@@ -119,9 +119,13 @@ interface(`tuned_admin',` + type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; + ') + +- allow $1 tuned_t:process { ptrace signal_perms }; ++ allow $1 tuned_t:process signal_perms; + ps_process_pattern($1, tuned_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tuned_t:process ptrace; ++ ') ++ + tuned_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 tuned_initrc_exec_t system_r; +diff --git a/tuned.te b/tuned.te +index 7116181..6b315d8 100644 +--- a/tuned.te ++++ b/tuned.te +@@ -21,6 +21,9 @@ 
files_config_file(tuned_rw_etc_t) + type tuned_log_t; + logging_log_file(tuned_log_t) + ++type tuned_tmp_t; ++files_tmp_file(tuned_tmp_t) ++ + type tuned_var_run_t; + files_pid_file(tuned_var_run_t) + +@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t) + # Local policy + # + +-allow tuned_t self:capability { sys_admin sys_nice }; ++allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; + dontaudit tuned_t self:capability { dac_override sys_tty_config }; +-allow tuned_t self:process { setsched signal }; ++allow tuned_t self:process { setsched signal }; + allow tuned_t self:fifo_file rw_fifo_file_perms; ++allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow tuned_t self:netlink_socket create_socket_perms; ++allow tuned_t self:udp_socket create_socket_perms; + + read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) + exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) +@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) + files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") + + manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) +-append_files_pattern(tuned_t, tuned_log_t, tuned_log_t) +-create_files_pattern(tuned_t, tuned_log_t, tuned_log_t) +-setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t) +-logging_log_filetrans(tuned_t, tuned_log_t, file) ++manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) ++logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log") ++ ++manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) ++manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) ++files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir }) ++can_exec(tuned_t, tuned_tmp_t) + + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) + manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) + files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) ++can_exec(tuned_t, tuned_var_run_t) + + kernel_read_system_state(tuned_t) + 
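Review bot: `allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };` in hunk `@@ -29,10 +32,13 @@` adds `sys_rawio` and `net_admin` with no comment on the operation that needs them; `sys_rawio` permits raw block-device and port I/O and is close to root-equivalent for a system daemon, so it deserves a why-line such as `# sys_rawio: raw disk ioctls used by the disk tuning plugin — confirm against the AVC` (hedged until traced). The three new netlink/udp socket rules in the same hunk presumably pair with `net_admin` for the network plugin; saying so in a comment lets the next maintainer drop them together if that plugin goes away. The `-`/`+` pair for `allow tuned_t self:process { setsched signal };` looks like a whitespace-only change and could be left out of the patch.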
kernel_read_network_state(tuned_t) +@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t) + kernel_rw_kernel_sysctl(tuned_t) + kernel_rw_hotplug_sysctls(tuned_t) + kernel_rw_vm_sysctls(tuned_t) ++kernel_setsched(tuned_t) ++kernel_rw_all_sysctls(tuned_t) + + corecmd_exec_bin(tuned_t) + corecmd_exec_shell(tuned_t) +@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t) + dev_getattr_all_blk_files(tuned_t) + dev_getattr_all_chr_files(tuned_t) + dev_read_urand(tuned_t) ++dev_rw_cpu_microcode(tuned_t) + dev_rw_sysfs(tuned_t) + dev_rw_netcontrol(tuned_t) + +-files_read_usr_files(tuned_t) ++files_dontaudit_all_access_check(tuned_t) + files_dontaudit_search_home(tuned_t) +-files_dontaudit_list_tmp(tuned_t) ++files_list_tmp(tuned_t) + +-fs_getattr_xattr_fs(tuned_t) ++fs_getattr_all_fs(tuned_t) ++fs_search_all(tuned_t) ++fs_rw_hugetlbfs_files(tuned_t) ++ ++auth_use_nsswitch(tuned_t) + + logging_send_syslog_msg(tuned_t) + +-miscfiles_read_localization(tuned_t) ++mount_read_pid_files(tuned_t) + + udev_read_pid_files(tuned_t) + + userdom_dontaudit_search_user_home_dirs(tuned_t) + + optional_policy(` ++ dbus_system_bus_client(tuned_t) ++ dbus_connect_system_bus(tuned_t) ++') ++ ++optional_policy(` ++ dmidecode_domtrans(tuned_t) ++') ++ ++# to allow disk tuning ++optional_policy(` + fstools_domtrans(tuned_t) + ') + + optional_policy(` ++ gnome_dontaudit_search_config(tuned_t) ++') ++ ++optional_policy(` ++ libs_exec_ldconfig(tuned_t) ++') ++ ++optional_policy(` + mount_domtrans(tuned_t) + ') + ++# to allow network interface tuning + optional_policy(` + sysnet_domtrans_ifconfig(tuned_t) + ') +diff --git a/tvtime.if b/tvtime.if +index 1bb0f7c..372be2f 100644 +--- a/tvtime.if ++++ b/tvtime.if +@@ -1,5 +1,23 @@ + ## High quality television application. + ++####################################### ++## ++## Transition to alsa named content ++## ++## ++## ++## Domain allowed access. 
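Review bot: `can_exec(tuned_t, tuned_tmp_t)` and `can_exec(tuned_t, tuned_var_run_t)` in hunk `@@ -41,14 +47,18 @@` let the daemon execute files from types it can also create and write (`manage_files_pattern` on the same types a few lines above), removing the write-xor-execute separation that file labels normally give a root daemon; any other domain allowed to write those types can then get code run as tuned_t. If tuned really generates and runs scripts, a comment naming the script and a dedicated exec type for it (rather than the whole tmp and pid types) would keep the grant reviewable. In hunk `@@ -57,6 +67,8 @@`, `kernel_rw_all_sysctls(tuned_t)` makes the existing `kernel_rw_kernel_sysctl`, `kernel_rw_hotplug_sysctls` and `kernel_rw_vm_sysctls` lines redundant; either remove them or keep the narrower set and drop the all-sysctls grant. `files_dontaudit_all_access_check(tuned_t)` in `@@ -64,31 +76,55 @@` silences access(2) denials for this domain across the whole filesystem and can hide genuine policy gaps when a later denial is being diagnosed.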
++## ++## ++# ++interface(`tvtime_filetrans_home_content',` ++ gen_require(` ++ type tvtime_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime") ++') ++ + ######################################## + ## + ## Role access for tvtime +diff --git a/tvtime.te b/tvtime.te +index 3292fcc..20099b0 100644 +--- a/tvtime.te ++++ b/tvtime.te +@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; + manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) + manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) + manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +-userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) + + manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) + manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t) + dev_read_sound(tvtime_t) + dev_read_urand(tvtime_t) + +-files_read_usr_files(tvtime_t) + + fs_getattr_all_fs(tvtime_t) + fs_search_auto_mountpoints(tvtime_t) +@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t) + auth_use_nsswitch(tvtime_t) + + miscfiles_read_fonts(tvtime_t) +-miscfiles_read_localization(tvtime_t) + +-userdom_use_user_terminals(tvtime_t) ++userdom_use_inherited_user_terminals(tvtime_t) ++userdom_read_user_home_content_files(tvtime_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(tvtime_t) +- fs_manage_nfs_files(tvtime_t) +- fs_manage_nfs_symlinks(tvtime_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(tvtime_t) +- fs_manage_cifs_files(tvtime_t) +- fs_manage_cifs_symlinks(tvtime_t) +-') ++# X access, Home files ++userdom_home_manager(tvtime_t) + + optional_policy(` + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) +diff --git a/tzdata.te b/tzdata.te +index aa6ae96..9f86987 100644 +--- a/tzdata.te ++++ b/tzdata.te +@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t) + + locallogin_dontaudit_use_fds(tzdata_t) + 
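Review bot: The summary of the new `tvtime_filetrans_home_content` interface reads `## Transition to alsa named content`, which is copied from another module; it should say `## Create .tvtime in user home directories with the tvtime_home_t type`. In tvtime.te the direct `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)` is removed and nothing in these hunks calls the new interface, so the `.tvtime` name transition now presumably comes from a call elsewhere in this patch (the userdom home-manager machinery); that should be confirmed, otherwise tvtime_t creates its config directory with the generic home content type and the `tvtime_home_t` rules stop applying. The comment `# X access, Home files` above `userdom_home_manager(tvtime_t)` overstates that single call — X access comes from the `xserver_user_x_domain_template` block below it — and `# home directory content access` describes what the line grants.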
+-miscfiles_read_localization(tzdata_t) + miscfiles_manage_localization(tzdata_t) + miscfiles_etc_filetrans_localization(tzdata_t) + +-userdom_use_user_terminals(tzdata_t) ++userdom_use_inherited_user_terminals(tzdata_t) + + optional_policy(` + postfix_search_spool(tzdata_t) +diff --git a/ucspitcp.te b/ucspitcp.te +index 5e365c2..0fbc46e 100644 +--- a/ucspitcp.te ++++ b/ucspitcp.te +@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t) + corenet_tcp_bind_generic_node(rblsmtpd_t) + corenet_udp_bind_generic_port(rblsmtpd_t) + +-files_read_etc_files(rblsmtpd_t) + files_search_var(rblsmtpd_t) + + optional_policy(` +@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t) + corenet_sendrecv_generic_server_packets(ucspitcp_t) + corenet_udp_bind_generic_port(ucspitcp_t) + +-files_read_etc_files(ucspitcp_t) + files_search_var(ucspitcp_t) + + sysnet_read_config(ucspitcp_t) +diff --git a/ulogd.if b/ulogd.if +index 9b95c3e..a892845 100644 +--- a/ulogd.if ++++ b/ulogd.if +@@ -123,8 +123,11 @@ interface(`ulogd_admin',` + type ulogd_var_log_t, ulogd_initrc_exec_t; + ') + +- allow $1 ulogd_t:process { ptrace signal_perms }; ++ allow $1 ulogd_t:process signal_perms; + ps_process_pattern($1, ulogd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ulogd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/ulogd.te b/ulogd.te +index c6acbbe..bd23e7f 100644 +--- a/ulogd.te ++++ b/ulogd.te +@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t) + # + + allow ulogd_t self:capability { net_admin sys_nice }; +-allow ulogd_t self:process setsched; ++allow ulogd_t self:process { setsched }; + allow ulogd_t self:netlink_nflog_socket create_socket_perms; ++allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; + allow ulogd_t self:netlink_socket create_socket_perms; +-allow ulogd_t self:tcp_socket create_stream_socket_perms; ++allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; 
++allow ulogd_t self:udp_socket create_socket_perms; + + read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) + +@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +-files_read_etc_files(ulogd_t) +-files_read_usr_files(ulogd_t) + +-miscfiles_read_localization(ulogd_t) + + sysnet_dns_name_resolve(ulogd_t) + +diff --git a/uml.if b/uml.if +index ab5c1d0..d13105e 100644 +--- a/uml.if ++++ b/uml.if +@@ -32,7 +32,7 @@ interface(`uml_role',` + allow uml_t $2:unix_dgram_socket sendto; + + ps_process_pattern($2, uml_t) +- allow $2 uml_t:process { ptrace signal_perms }; ++ allow $2 uml_t:process signal_perms; + + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; +diff --git a/uml.te b/uml.te +index dc03cc5..423afe4 100644 +--- a/uml.te ++++ b/uml.te +@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) + + corecmd_exec_bin(uml_t) + +-corenet_all_recvfrom_unlabeled(uml_t) + corenet_all_recvfrom_netlabel(uml_t) + corenet_tcp_sendrecv_generic_if(uml_t) + corenet_tcp_sendrecv_generic_node(uml_t) +@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t) + + libs_exec_lib_files(uml_t) + +-userdom_use_user_terminals(uml_t) ++# Inherit and use descriptors from newrole. ++seutil_use_newrole_fds(uml_t) ++ ++# Use the network. 
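Review bot: `allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };` and the new `udp_socket create_socket_perms` give a netfilter log collector outbound client-socket capability it did not have before, with no comment on the consumer (presumably a remote syslog or database output plugin). Because ulogd handles packet data under `net_admin`, a why-line such as `# ulogd output plugins (remote syslog/db) need client sockets` and an explicit `corenet_tcp_connect_*_port` grant for the intended destination would document where that traffic is allowed to go instead of leaving it implicit. The `-allow ulogd_t self:process setsched;` / `+allow ulogd_t self:process { setsched };` pair changes nothing and can be dropped from the patch.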
++sysnet_read_config(uml_t) ++ ++userdom_use_inherited_user_terminals(uml_t) + userdom_attach_admin_tun_iface(uml_t) + + tunable_policy(`use_nfs_home_dirs',` +@@ -133,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',` + ') + + optional_policy(` +- seutil_use_newrole_fds(uml_t) +-') +- +-optional_policy(` + virt_attach_tun_iface(uml_t) + ') + +@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t) + + logging_send_syslog_msg(uml_switch_t) + +-miscfiles_read_localization(uml_switch_t) +- + userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) + userdom_dontaudit_search_user_home_dirs(uml_switch_t) + +diff --git a/updfstab.te b/updfstab.te +index 2d871b8..acbf304 100644 +--- a/updfstab.te ++++ b/updfstab.te +@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t) + logging_search_logs(updfstab_t) + logging_send_syslog_msg(updfstab_t) + +-miscfiles_read_localization(updfstab_t) +- + seutil_read_config(updfstab_t) + seutil_read_default_contexts(updfstab_t) + seutil_read_file_contexts(updfstab_t) +@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t) + userdom_dontaudit_search_user_home_content(updfstab_t) + userdom_dontaudit_use_unpriv_user_fds(updfstab_t) + +-optional_policy(` +- auth_domtrans_pam_console(updfstab_t) +-') ++auth_use_nsswitch(updfstab_t) ++auth_domtrans_pam_console(updfstab_t) + + optional_policy(` + dbus_system_bus_client(updfstab_t) +diff --git a/uptime.if b/uptime.if +index 01a3234..19f4724 100644 +--- a/uptime.if ++++ b/uptime.if +@@ -19,7 +19,7 @@ + # + interface(`uptime_admin',` + gen_require(` +- type uptimed_t, uptimed_initrc_exec_t. 
uptimed_etc_t; ++ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t; + type uptimed_spool_t, uptimed_var_run_t; + ') + +diff --git a/uptime.te b/uptime.te +index 09741f6..8e5b35c 100644 +--- a/uptime.te ++++ b/uptime.te +@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t; + init_script_file(uptimed_initrc_exec_t) + + type uptimed_spool_t; +-files_type(uptimed_spool_t) ++files_spool_file(uptimed_spool_t) + + type uptimed_var_run_t; + files_pid_file(uptimed_var_run_t) +@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t) + + logging_send_syslog_msg(uptimed_t) + +-miscfiles_read_localization(uptimed_t) +- + userdom_dontaudit_use_unpriv_user_fds(uptimed_t) + userdom_dontaudit_search_user_home_dirs(uptimed_t) + +diff --git a/usbmodules.te b/usbmodules.te +index cb9b5bb..3aa7952 100644 +--- a/usbmodules.te ++++ b/usbmodules.te +@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t) + dev_list_usbfs(usbmodules_t) + dev_rw_usbfs(usbmodules_t) + +-files_list_etc(usbmodules_t) +- + term_read_console(usbmodules_t) + term_write_console(usbmodules_t) + +@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t) + + miscfiles_read_hwdata(usbmodules_t) + +-modutils_read_module_deps(usbmodules_t) +- +-userdom_use_user_terminals(usbmodules_t) ++userdom_use_inherited_user_terminals(usbmodules_t) + + optional_policy(` + hotplug_read_config(usbmodules_t) + ') ++ ++optional_policy(` ++ modutils_read_module_deps(usbmodules_t) ++') +diff --git a/usbmuxd.fc b/usbmuxd.fc +index 220f6ad..cd80b9b 100644 +--- a/usbmuxd.fc ++++ b/usbmuxd.fc +@@ -1,3 +1,4 @@ + /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +-/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) ++/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) ++/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0) +diff --git a/usbmuxd.if b/usbmuxd.if +index 1ec5e99..88e287d 100644 +--- a/usbmuxd.if ++++ b/usbmuxd.if +@@ -38,3 +38,66 @@ 
interface(`usbmuxd_stream_connect',` + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) + ') ++ ++######################################## ++## ++## Execute usbmuxd server in the usbmuxd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`usbmuxd_systemctl',` ++ gen_require(` ++ type usbmuxd_t; ++ type usbmuxd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 usbmuxd_unit_file_t:file read_file_perms; ++ allow $1 usbmuxd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, usbmuxd_t) ++') ++ ++##################################### ++## ++## All of the rules required to administrate ++## an usbmuxd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the usbmuxd domain. ++## ++## ++## ++# ++interface(`usbmuxd_admin',` ++ gen_require(` ++ type usbmuxd_t,usbmuxd_var_run_t; ++ type usbmuxd_unit_file_t; ++ ') ++ ++ allow $1 usbmuxd_t:process { signal_perms }; ++ ps_process_pattern($1, usbmuxd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 usbmuxd_t:process ptrace; ++ ') ++ ++ allow $2 system_r; ++ ++ files_list_pids($1) ++ admin_pattern($1, usbmuxd_var_run_t) ++ ++ usbmuxd_systemctl($1) ++ admin_pattern($1, usbmuxd_unit_file_t) ++ allow $1 usbmuxd_unit_file_t:service all_service_perms; ++') +diff --git a/usbmuxd.te b/usbmuxd.te +index 8840be6..d2c7596 100644 +--- a/usbmuxd.te ++++ b/usbmuxd.te +@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; + + type usbmuxd_t; + type usbmuxd_exec_t; ++init_system_domain(usbmuxd_t, usbmuxd_exec_t) + application_domain(usbmuxd_t, usbmuxd_exec_t) + role usbmuxd_roles types usbmuxd_t; + + type usbmuxd_var_run_t; + files_pid_file(usbmuxd_var_run_t) + ++type usbmuxd_unit_file_t; ++systemd_unit_file(usbmuxd_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + allow 
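Review bot: `usbmuxd_admin` contains `allow $2 system_r;` with no accompanying `role_transition`, so it grants the caller's role system_r in general rather than only along an init-script path; the tor_admin and tuned_admin interfaces in this patch reach system_r through `role_transition $2 <initrc_exec_t> system_r;`, and since usbmuxd has no initrc type at all this role allow is probably unnecessary and should either be dropped or justified in a comment. Two style points in the same interface: the gen_require line `type usbmuxd_t,usbmuxd_var_run_t;` is missing the space after the comma used everywhere else, and `allow $1 usbmuxd_t:process { signal_perms };` wraps a single macro in braces that the sibling interfaces omit. In the usbmuxd.te hunk `@@ -10,12 +10,16 @@` the domain is now declared with both `init_system_domain` and `application_domain`; if that double declaration is intentional, a comment saying why would keep the next reader from removing one of them.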
usbmuxd_t self:capability { kill setgid setuid }; + allow usbmuxd_t self:process { signal signull }; + allow usbmuxd_t self:fifo_file rw_fifo_file_perms; ++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) + + auth_use_nsswitch(usbmuxd_t) + +-miscfiles_read_localization(usbmuxd_t) +- + logging_send_syslog_msg(usbmuxd_t) ++ ++seutil_dontaudit_read_file_contexts(usbmuxd_t) ++ ++optional_policy(` ++ virt_dontaudit_read_chr_dev(usbmuxd_t) ++') +diff --git a/userhelper.fc b/userhelper.fc +index c416a83..cd83b89 100644 +--- a/userhelper.fc ++++ b/userhelper.fc +@@ -1,5 +1,10 @@ +-/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) ++# ++# /etc ++# ++/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) + +-/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) +- +-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +\ No newline at end of file ++# ++# /usr ++# ++/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) ++/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) +diff --git a/userhelper.if b/userhelper.if +index cf118fd..cd80e83 100644 +--- a/userhelper.if ++++ b/userhelper.if +@@ -1,4 +1,4 @@ +-## A wrapper that helps users run system programs. 
++## SELinux utility to run a shell with a new role + + ####################################### + ## +@@ -23,9 +23,9 @@ + # + template(`userhelper_role_template',` + gen_require(` +- attribute userhelper_type, consolehelper_type; +- attribute_role userhelper_roles, consolehelper_roles; +- type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t; ++ attribute userhelper_type; ++ type userhelper_exec_t, userhelper_conf_t; ++ class dbus send_msg; + ') + + ######################################## +@@ -33,64 +33,123 @@ template(`userhelper_role_template',` + # Declarations + # + +- type $1_consolehelper_t, consolehelper_type; +- userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) +- +- role consolehelper_roles types $1_consolehelper_t; +- roleattribute $2 consolehelper_roles; +- + type $1_userhelper_t, userhelper_type; + userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) +- + domain_role_change_exemption($1_userhelper_t) + domain_obj_id_change_exemption($1_userhelper_t) + domain_interactive_fd($1_userhelper_t) + domain_subj_id_change_exemption($1_userhelper_t) +- +- role userhelper_roles types $1_userhelper_t; +- roleattribute $2 userhelper_roles; ++ role $2 types $1_userhelper_t; + + ######################################## + # +- # Consolehelper local policy ++ # Local policy + # ++ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; ++ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++ allow $1_userhelper_t self:process setexec; ++ allow $1_userhelper_t self:fd use; ++ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; ++ allow $1_userhelper_t self:shm create_shm_perms; ++ allow $1_userhelper_t self:sem create_sem_perms; ++ allow $1_userhelper_t self:msgq create_msgq_perms; ++ allow $1_userhelper_t self:msg { send receive }; ++ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; 
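Review bot: The new module summary `## SELinux utility to run a shell with a new role` describes newrole rather than this module, whose template still labels userhelper/consolehelper and authenticates through `auth_domtrans_chk_passwd`/`auth_use_pam` before running system programs. The removed wording was closer to what the policy actually covers; something like `## Helper for running system programs as another user after PAM authentication (userhelper/consolehelper).` keeps the summary honest.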
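Review bot: `class dbus send_msg;` is now required by `userhelper_role_template`, but none of the rules in the rewritten template body (hunk @@ -33,64 +33,123 @@) use the dbus class; the only dbus rules in this file are in `userhelper_console_role_template`, which carries its own `class dbus send_msg;` require. Drop the line from this gen_require so the template does not declare a dependency it never uses.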
++ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_userhelper_t self:unix_dgram_socket sendto; ++ allow $1_userhelper_t self:unix_stream_socket connectto; ++ allow $1_userhelper_t self:sock_file read_sock_file_perms; + +- allow $1_consolehelper_t $3:unix_stream_socket connectto; ++ #Transition to the derived domain. ++ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) + +- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) ++ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; ++ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) + +- allow $3 $1_consolehelper_t:process { ptrace signal_perms }; +- ps_process_pattern($3, $1_consolehelper_t) ++ can_exec($1_userhelper_t, userhelper_exec_t) + +- auth_use_pam($1_consolehelper_t) ++ dontaudit $3 $1_userhelper_t:process signal; + +- optional_policy(` +- dbus_connect_all_session_bus($1_consolehelper_t) ++ kernel_read_all_sysctls($1_userhelper_t) ++ kernel_getattr_debugfs($1_userhelper_t) ++ kernel_read_system_state($1_userhelper_t) + +- optional_policy(` +- userhelper_dbus_chat_all_consolehelper($3) +- ') +- ') ++ # Execute shells ++ corecmd_exec_shell($1_userhelper_t) ++ # By default, revert to the calling domain when a program is executed ++ corecmd_bin_domtrans($1_userhelper_t, $3) + +- ######################################## +- # +- # Userhelper local policy +- # ++ # Inherit descriptors from the current session. ++ domain_use_interactive_fds($1_userhelper_t) ++ # for when the user types "exec userhelper" at the command line ++ domain_sigchld_interactive_fds($1_userhelper_t) + +- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) ++ dev_read_urand($1_userhelper_t) ++ # Read /dev directories and any symbolic links. 
++ dev_list_all_dev_nodes($1_userhelper_t) + +- dontaudit $3 $1_userhelper_t:process signal; ++ files_list_var_lib($1_userhelper_t) ++ # Read the /etc/security/default_type file ++ files_read_etc_files($1_userhelper_t) ++ # Read /var. ++ files_read_var_files($1_userhelper_t) ++ files_read_var_symlinks($1_userhelper_t) ++ # for some PAM modules and for cwd ++ files_search_home($1_userhelper_t) + +- corecmd_bin_domtrans($1_userhelper_t, $3) ++ fs_search_auto_mountpoints($1_userhelper_t) ++ fs_read_nfs_files($1_userhelper_t) ++ fs_read_nfs_symlinks($1_userhelper_t) ++ ++ # Allow $1_userhelper to obtain contexts to relabel TTYs ++ selinux_get_fs_mount($1_userhelper_t) ++ selinux_validate_context($1_userhelper_t) ++ selinux_compute_access_vector($1_userhelper_t) ++ selinux_compute_create_context($1_userhelper_t) ++ selinux_compute_relabel_context($1_userhelper_t) ++ selinux_compute_user_contexts($1_userhelper_t) ++ ++ # Read the devpts root directory. ++ term_list_ptys($1_userhelper_t) ++ # Relabel terminals. ++ term_relabel_all_ttys($1_userhelper_t) ++ term_relabel_all_ptys($1_userhelper_t) ++ # Access terminals. ++ term_use_all_ttys($1_userhelper_t) ++ term_use_all_ptys($1_userhelper_t) + + auth_domtrans_chk_passwd($1_userhelper_t) ++ auth_manage_pam_pid($1_userhelper_t) ++ auth_manage_var_auth($1_userhelper_t) ++ auth_search_pam_console_data($1_userhelper_t) + auth_use_nsswitch($1_userhelper_t) + ++ logging_send_syslog_msg($1_userhelper_t) ++ ++ # Inherit descriptors from the current session. ++ init_use_fds($1_userhelper_t) ++ # Write to utmp. ++ init_manage_utmp($1_userhelper_t) ++ init_pid_filetrans_utmp($1_userhelper_t) ++ ++ ++ seutil_read_config($1_userhelper_t) ++ seutil_read_default_contexts($1_userhelper_t) ++ ++ # Allow $1_userhelper_t to transition to user domains. 
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) + userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) + ++ ifdef(`distro_redhat',` ++ optional_policy(` ++ # Allow transitioning to rpm_t, for up2date ++ rpm_domtrans($1_userhelper_t) ++ ') ++ ') ++ + optional_policy(` + tunable_policy(`! secure_mode',` ++ #if we are not in secure mode then we can transition to sysadm_t + sysadm_bin_spec_domtrans($1_userhelper_t) + sysadm_entry_spec_domtrans($1_userhelper_t) + ') +@@ -99,7 +158,7 @@ template(`userhelper_role_template',` + + ######################################## + ## +-## Search userhelper configuration directories. ++## Search the userhelper configuration directory. + ## + ## + ## +@@ -118,7 +177,7 @@ interface(`userhelper_search_config',` + ######################################## + ## + ## Do not audit attempts to search +-## userhelper configuration directories. ++## the userhelper configuration directory. + ## + ## + ## +@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',` + + ######################################## + ## +-## Send and receive messages from +-## consolehelper over dbus. ++## Do not audit attempts to write ++## the userhelper configuration files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userhelper_dbus_chat_all_consolehelper',` ++interface(`userhelper_dontaudit_write_config',` + gen_require(` +- attribute consolehelper_type; +- class dbus send_msg; ++ type userhelper_conf_t; + ') + +- allow $1 consolehelper_type:dbus send_msg; +- allow consolehelper_type $1:dbus send_msg; ++ dontaudit $1 userhelper_conf_t:file write; + ') + + ######################################## + ## +-## Use userhelper all userhelper file descriptors. ++## Allow domain to use userhelper file descriptor. + ## + ## + ## +@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',` + + ######################################## + ## +-## Send child terminated signals to all userhelper. 
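Review bot: `rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)` together with `allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;` gives every derived userhelper domain write access to `/etc/security/console.apps`, the configuration that decides which programs userhelper/consolehelper may run; the removed common policy granted only `read_files_pattern`, and this same patch handles consolehelper's writes with `dontaudit consolehelper_domain userhelper_conf_t:file write;` and a new `userhelper_dontaudit_write_config` interface. Unless userhelper genuinely rewrites those files, `read_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)` plus `dontaudit $1_userhelper_t userhelper_conf_t:file write;` keeps the authorization data read-only for the domain it governs. Separately, `self:process ~{ ... setexec ... }` immediately followed by `allow $1_userhelper_t self:process setexec;` cancels itself out — either leave `setexec` out of the negated set, as the removed `userhelper_type` rule did, or keep the explicit line with a comment saying why the helper needs to set its exec context. The template's closing lines are outside this hunk.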
++## Allow domain to send sigchld to userhelper. + ## + ## + ## +@@ -206,6 +263,93 @@ interface(`userhelper_exec',` + type userhelper_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, userhelper_exec_t) + ') ++ ++####################################### ++## ++## The role template for the consolehelper module. ++## ++## ++##

    ++## This template creates a derived domains which are used ++## for consolehelper applications. ++##

    ++##
    ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`userhelper_console_role_template',` ++ gen_require(` ++ type consolehelper_exec_t; ++ attribute consolehelper_domain; ++ class dbus send_msg; ++ ') ++ type $1_consolehelper_t, consolehelper_domain; ++ domain_type($1_consolehelper_t) ++ domain_entry_file($1_consolehelper_t, consolehelper_exec_t) ++ role $2 types $1_consolehelper_t; ++ ++ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) ++ ++ allow $3 $1_consolehelper_t:process signal; ++ allow $3 $1_consolehelper_t:dbus send_msg; ++ allow $1_consolehelper_t $3:dbus send_msg; ++ allow $1_consolehelper_t $3:unix_stream_socket connectto; ++ ++ kernel_read_system_state($1_consolehelper_t) ++ ++ auth_use_pam($1_consolehelper_t) ++ ++ userdom_manage_tmpfs_role($2, $1_consolehelper_t) ++ ++ optional_policy(` ++ dbus_connect_session_bus($1_consolehelper_t) ++ ') ++ ++ optional_policy(` ++ shutdown_run($1_consolehelper_t, $2) ++ shutdown_send_sigchld($3) ++ ') ++ ++ optional_policy(` ++ mock_run($1_consolehelper_t, $2) ++ ') ++ ++ optional_policy(` ++ xserver_run_xauth($1_consolehelper_t, $2) ++ xserver_read_xdm_pid($1_consolehelper_t) ++ ') ++') ++ ++######################################## ++## ++## Execute the consolehelper program in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userhelper_exec_console',` ++ gen_require(` ++ type consolehelper_exec_t; ++ ') ++ ++ can_exec($1, consolehelper_exec_t) ++') +diff --git a/userhelper.te b/userhelper.te +index 274ed9c..cc18d6f 100644 +--- a/userhelper.te ++++ b/userhelper.te +@@ -1,15 +1,12 @@ +-policy_module(userhelper, 1.7.3) ++policy_module(userhelper, 1.7.0) + + ######################################## + # + # Declarations + # + +-attribute consolehelper_type; + attribute userhelper_type; +- +-attribute_role consolehelper_roles; +-attribute_role userhelper_roles; ++attribute consolehelper_domain; + + type userhelper_conf_t; + files_config_file(userhelper_conf_t) +@@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t) + + ######################################## + # +-# Common consolehelper domain local policy ++# consolehelper local policy + # + +-allow consolehelper_type self:capability { setgid setuid dac_override }; +-allow consolehelper_type self:process signal; +-allow consolehelper_type self:fifo_file rw_fifo_file_perms; +-allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; +-allow consolehelper_type self:shm create_shm_perms; +- +-dontaudit consolehelper_type userhelper_conf_t:file audit_access; +-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) ++allow consolehelper_domain self:shm create_shm_perms; ++allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; ++allow consolehelper_domain self:process { signal_perms getsched setsched }; + +-domain_use_interactive_fds(consolehelper_type) ++allow consolehelper_domain userhelper_conf_t:file audit_access; ++dontaudit consolehelper_domain userhelper_conf_t:file write; ++read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) + +-kernel_read_system_state(consolehelper_type) +-kernel_read_kernel_sysctls(consolehelper_type) ++# Init script handling ++domain_use_interactive_fds(consolehelper_domain) + 
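Review bot: `corecmd_search_bin($1)` is dropped from `userhelper_exec` while `can_exec($1, userhelper_exec_t)` stays, so a caller now needs search permission on bin directories from elsewhere to reach the userhelper binary; `consolehelper_domain` gets that through `corecmd_exec_bin` in userhelper.te, but other callers of this interface may not. The new `userhelper_exec_console` is written the same way, so the omission is at least consistent, but a comment saying the caller is expected to provide bin search would make it deliberate. In `userhelper_console_role_template`, `shutdown_send_sigchld($3)` grants a permission to the invoking user domain rather than to the derived consolehelper domain; a comment such as `# the shutdown domain spawned via consolehelper reports back to the invoking user domain` would explain that side effect on the caller.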
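Review bot: `policy_module(userhelper, 1.7.0)` lowers the module version from 1.7.3 while the module's contents change substantially in the following hunk. A version that goes backwards hides that this is a different policy from the 1.7.3 already installed on systems, and semodule's upgrade path has historically refused a lower version; bump it past 1.7.3 instead.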
+-corecmd_exec_bin(consolehelper_type) ++# internal communication is often done using fifo and unix sockets. ++allow consolehelper_domain self:fifo_file rw_fifo_file_perms; ++allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; + +-dev_getattr_all_chr_files(consolehelper_type) +-dev_dontaudit_list_all_dev_nodes(consolehelper_type) ++kernel_read_kernel_sysctls(consolehelper_domain) + +-files_read_config_files(consolehelper_type) +-files_read_usr_files(consolehelper_type) ++corecmd_exec_bin(consolehelper_domain) + +-fs_getattr_all_dirs(consolehelper_type) +-fs_getattr_all_fs(consolehelper_type) +-fs_search_auto_mountpoints(consolehelper_type) +-files_search_mnt(consolehelper_type) ++dev_getattr_all_chr_files(consolehelper_domain) ++dev_dontaudit_list_all_dev_nodes(consolehelper_domain) ++dev_dontaudit_getattr_all(consolehelper_domain) ++fs_getattr_all_fs(consolehelper_domain) ++fs_getattr_all_dirs(consolehelper_domain) + +-term_list_ptys(consolehelper_type) ++files_read_config_files(consolehelper_domain) + +-auth_search_pam_console_data(consolehelper_type) +-auth_read_pam_pid(consolehelper_type) ++term_list_ptys(consolehelper_domain) + +-miscfiles_read_localization(consolehelper_type) +-miscfiles_read_fonts(consolehelper_type) ++auth_search_pam_console_data(consolehelper_domain) ++auth_read_pam_pid(consolehelper_domain) + +-userhelper_exec(consolehelper_type) ++init_read_utmp(consolehelper_domain) ++init_telinit(consolehelper_domain) + +-userdom_use_user_terminals(consolehelper_type) ++miscfiles_read_fonts(consolehelper_domain) + +-# might want to make this consolehelper_tmp_t +-userdom_manage_user_tmp_dirs(consolehelper_type) +-userdom_manage_user_tmp_files(consolehelper_type) +-userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) ++userhelper_exec(consolehelper_domain) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs(consolehelper_type) +-') ++userdom_use_user_ptys(consolehelper_domain) 
++userdom_use_user_ttys(consolehelper_domain) ++userdom_read_user_home_content_files(consolehelper_domain) ++userdom_search_admin_dir(consolehelper_domain) + +-tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs(consolehelper_type) ++optional_policy(` ++ dbus_session_bus_client(consolehelper_domain) ++ optional_policy(` ++ devicekit_dbus_chat_disk(consolehelper_domain) ++ ') + ') + + optional_policy(` +- shutdown_run(consolehelper_type, consolehelper_roles) +- shutdown_signal(consolehelper_type) ++ gnome_read_gconf_home_files(consolehelper_domain) + ') + + optional_policy(` +- xserver_domtrans_xauth(consolehelper_type) +- xserver_read_xdm_pid(consolehelper_type) +- xserver_stream_connect(consolehelper_type) ++ xserver_read_home_fonts(consolehelper_domain) ++ xserver_stream_connect(consolehelper_domain) ++ xserver_admin_home_dir_filetrans_xauth(consolehelper_domain) ++ xserver_manage_user_xauth(consolehelper_domain) + ') + +-######################################## +-# +-# Common userhelper domain local policy +-# +- +-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; +-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; +-allow userhelper_type self:fd use; +-allow userhelper_type self:fifo_file rw_fifo_file_perms; +-allow userhelper_type self:shm create_shm_perms; +-allow userhelper_type self:sem create_sem_perms; +-allow userhelper_type self:msgq create_msgq_perms; +-allow userhelper_type self:msg { send receive }; +-allow userhelper_type self:unix_dgram_socket sendto; +-allow userhelper_type self:unix_stream_socket { accept connectto listen }; +- +-dontaudit userhelper_type userhelper_conf_t:file audit_access; +-read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t) +- +-can_exec(userhelper_type, userhelper_exec_t) +- +-kernel_read_all_sysctls(userhelper_type) +-kernel_getattr_debugfs(userhelper_type) 
+-kernel_read_system_state(userhelper_type) +- +-corecmd_exec_shell(userhelper_type) +- +-domain_use_interactive_fds(userhelper_type) +-domain_sigchld_interactive_fds(userhelper_type) +- +-dev_read_urand(userhelper_type) +-dev_list_all_dev_nodes(userhelper_type) +- +-files_list_var_lib(userhelper_type) +-files_read_var_files(userhelper_type) +-files_read_var_symlinks(userhelper_type) +-files_search_home(userhelper_type) +- +-fs_getattr_all_fs(userhelper_type) +-fs_search_auto_mountpoints(userhelper_type) +- +-selinux_get_fs_mount(userhelper_type) +-selinux_validate_context(userhelper_type) +-selinux_compute_access_vector(userhelper_type) +-selinux_compute_create_context(userhelper_type) +-selinux_compute_relabel_context(userhelper_type) +-selinux_compute_user_contexts(userhelper_type) +- +-term_list_ptys(userhelper_type) +-term_relabel_all_ttys(userhelper_type) +-term_relabel_all_ptys(userhelper_type) +-term_use_all_ttys(userhelper_type) +-term_use_all_ptys(userhelper_type) +- +-auth_manage_pam_pid(userhelper_type) +-auth_manage_var_auth(userhelper_type) +-auth_search_pam_console_data(userhelper_type) +- +-init_use_fds(userhelper_type) +-init_manage_utmp(userhelper_type) +-init_pid_filetrans_utmp(userhelper_type) +- +-logging_send_syslog_msg(userhelper_type) +- +-miscfiles_read_localization(userhelper_type) +- +-seutil_read_config(userhelper_type) +-seutil_read_default_contexts(userhelper_type) ++tunable_policy(`use_nfs_home_dirs',` ++ files_search_mnt(consolehelper_domain) ++ fs_search_nfs(consolehelper_domain) ++') + +-optional_policy(` +- rpm_domtrans(userhelper_type) ++tunable_policy(`use_samba_home_dirs',` ++ files_search_mnt(consolehelper_domain) ++ fs_search_cifs(consolehelper_domain) + ') +diff --git a/usernetctl.if b/usernetctl.if +index 7deec55..c542887 100644 +--- a/usernetctl.if ++++ b/usernetctl.if +@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',` + # + interface(`usernetctl_run',` + gen_require(` ++ type usernetctl_t; + attribute_role 
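Review bot: `init_telinit(consolehelper_domain)` is granted unconditionally to every derived consolehelper domain, whereas the removed policy reached shutdown only through `shutdown_run` inside an `optional_policy` block. Talking to init is a larger privilege than the rest of this block (config, fonts, ptys, xauth), so either move it into an `optional_policy` tied to the application that needs it or add a comment naming that application. The switch from `dontaudit consolehelper_domain userhelper_conf_t:file audit_access;` to `allow` also deserves a one-line comment, since it reverses the rule the previous policy had.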
usernetctl_roles;
+ ')
+ 
+diff --git a/usernetctl.te b/usernetctl.te
+index dd3f01e..465c661 100644
+--- a/usernetctl.te
++++ b/usernetctl.te
+@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1)
+ #
+ 
+ attribute_role usernetctl_roles;
++roleattribute system_r usernetctl_roles;
+ 
+ type usernetctl_t;
+ type usernetctl_exec_t;
+ application_domain(usernetctl_t, usernetctl_exec_t)
+ domain_interactive_fd(usernetctl_t)
+-role usernetctl_roles types usernetctl_t;
+ 
+ ########################################
+ #
+@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
+ files_read_etc_runtime_files(usernetctl_t)
+ files_list_pids(usernetctl_t)
+ files_list_home(usernetctl_t)
+-files_read_usr_files(usernetctl_t)
+ 
+ fs_search_auto_mountpoints(usernetctl_t)
+ 
+@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t)
+ 
+ logging_send_syslog_msg(usernetctl_t)
+ 
+-miscfiles_read_localization(usernetctl_t)
+-
+ seutil_read_config(usernetctl_t)
+ 
++sysnet_read_config(usernetctl_t)
++
+ sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+ sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+ 
+-userdom_use_user_terminals(usernetctl_t)
+-
+-optional_policy(`
+- consoletype_run(usernetctl_t, usernetctl_roles)
+-')
++userdom_use_inherited_user_terminals(usernetctl_t)
+ 
+ optional_policy(`
+ hostname_exec(usernetctl_t)
+@@ -74,5 +69,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ nis_use_ypbind(usernetctl_t)
++')
++
++optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+ ')
+diff --git a/uucp.if b/uucp.if
+index af9acc0..cdaf82e 100644
+--- a/uucp.if
++++ b/uucp.if
+@@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',`
+ ## Domain allowed access.
+ ##
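Review bot: Removing `role usernetctl_roles types usernetctl_t;` leaves no role authorization for `usernetctl_t` anywhere in the visible .te, even though `roleattribute system_r usernetctl_roles;` is added in the same hunk. Presumably `usernetctl_run` now authorizes the caller's role itself (the `type usernetctl_t;` added to its gen_require in usernetctl.if points that way), but that part of the interface is outside this chunk. If so, `system_r` is being added to `usernetctl_roles` only for the `sysnet_run_*`/`ppp_run` calls below; a comment such as `# system_r is needed for the ifconfig/dhcpc/ppp role transitions; usernetctl_t itself is authorized in usernetctl_run()` would stop the two halves from reading as contradictory.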
    + ## +-## +-## +-## Role allowed access. +-## +-## + ## + # + interface(`uucp_admin',` +@@ -104,14 +99,13 @@ interface(`uucp_admin',` + type uucpd_var_run_t, uucpd_initrc_exec_t; + ') + +- init_labeled_script_domtrans($1, uucpd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 uucpd_initrc_exec_t system_r; +- allow $2 system_r; +- +- allow $1 uucpd_t:process { ptrace signal_perms }; ++ allow $1 uucpd_t:process signal_perms; + ps_process_pattern($1, uucpd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 uucpd_t:process ptrace; ++ ') ++ + logging_list_logs($1) + admin_pattern($1, uucpd_log_t) + +diff --git a/uucp.te b/uucp.te +index 380902c..75545d6 100644 +--- a/uucp.te ++++ b/uucp.te +@@ -31,7 +31,7 @@ type uucpd_ro_t; + files_type(uucpd_ro_t) + + type uucpd_spool_t; +-files_type(uucpd_spool_t) ++files_spool_file(uucpd_spool_t) + + type uucpd_log_t; + logging_log_file(uucpd_log_t) +@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t) + kernel_read_system_state(uucpd_t) + kernel_read_network_state(uucpd_t) + +-corenet_all_recvfrom_unlabeled(uucpd_t) + corenet_all_recvfrom_netlabel(uucpd_t) + corenet_tcp_sendrecv_generic_if(uucpd_t) + corenet_tcp_sendrecv_generic_node(uucpd_t) ++corenet_udp_sendrecv_generic_node(uucpd_t) ++corenet_tcp_sendrecv_all_ports(uucpd_t) ++corenet_udp_sendrecv_all_ports(uucpd_t) + + corenet_sendrecv_ssh_client_packets(uucpd_t) + corenet_tcp_connect_ssh_port(uucpd_t) + corenet_tcp_sendrecv_ssh_port(uucpd_t) + ++corenet_tcp_connect_uucpd_port(uucpd_t) ++ + corecmd_exec_bin(uucpd_t) + corecmd_exec_shell(uucpd_t) + +@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t) + + logging_send_syslog_msg(uucpd_t) + +-miscfiles_read_localization(uucpd_t) ++mta_send_mail(uucpd_t) + + optional_policy(` + cron_system_entry(uucpd_t, uucpd_exec_t) +@@ -125,10 +129,6 @@ optional_policy(` + ') + + optional_policy(` +- mta_send_mail(uucpd_t) +-') +- +-optional_policy(` + ssh_exec(uucpd_t) + ') + +@@ -160,10 +160,15 @@ 
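Review bot: `corenet_tcp_sendrecv_all_ports(uucpd_t)` and `corenet_udp_sendrecv_all_ports(uucpd_t)` open every labeled port for a daemon that until now sent and received only on the ssh port, and the next new line, `corenet_tcp_connect_uucpd_port(uucpd_t)`, already shows the specific port it needs. Prefer the per-port interfaces for the ports uucpd actually uses (`corenet_tcp_sendrecv_uucpd_port(uucpd_t)` alongside the existing ssh rules), or add a comment naming the peer traffic that requires the blanket rule.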
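Review bot: `mta_send_mail(uucpd_t)` now sits outside any `optional_policy` block, so the uucp module hard-depends on the mta module being present (hunk @@ -125,10 +129,6 @@ removes the optional wrapper it used to have), while the same call for `uux_t` in hunk @@ -160,10 +160,15 @@ stays optional. Keep the two consistent by wrapping the uucpd_t call in `optional_policy` again, unless mta is guaranteed to be in the base policy of the target build — in which case a short comment saying so would explain why only one of them is unconditional.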
auth_use_nsswitch(uux_t) + logging_search_logs(uux_t) + logging_send_syslog_msg(uux_t) + +-miscfiles_read_localization(uux_t) +- + optional_policy(` + mta_send_mail(uux_t) + mta_read_queue(uux_t) ++') ++ ++optional_policy(` + sendmail_dontaudit_rw_unix_stream_sockets(uux_t) + ') ++ ++optional_policy(` ++ postfix_rw_inherited_master_pipes(uux_t) ++') +diff --git a/uuidd.if b/uuidd.if +index 6e48653..6abf74a 100644 +--- a/uuidd.if ++++ b/uuidd.if +@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',` + # + interface(`uuidd_stream_connect_manager',` + gen_require(` +- type uuidd_t, uuidd_var_run_t; ++ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) ++ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t) + ') + + ######################################## +@@ -180,6 +181,9 @@ interface(`uuidd_admin',` + + allow $1 uuidd_t:process signal_perms; + ps_process_pattern($1, uuidd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 uuidd_t:process ptrace; ++ ') + + uuidd_initrc_domtrans($1) + domain_system_change_exemption($1) +diff --git a/uuidd.te b/uuidd.te +index e670f55..2b332c5 100644 +--- a/uuidd.te ++++ b/uuidd.te +@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t) + + domain_use_interactive_fds(uuidd_t) + +-files_read_etc_files(uuidd_t) + +-miscfiles_read_localization(uuidd_t) +diff --git a/uwimap.te b/uwimap.te +index b81e5c8..d120c52 100644 +--- a/uwimap.te ++++ b/uwimap.te +@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t) + kernel_list_proc(imapd_t) + kernel_read_proc_symlinks(imapd_t) + +-corenet_all_recvfrom_unlabeled(imapd_t) + corenet_all_recvfrom_netlabel(imapd_t) + corenet_tcp_sendrecv_generic_if(imapd_t) + corenet_tcp_sendrecv_generic_node(imapd_t) +@@ -56,8 +55,6 @@ dev_read_urand(imapd_t) + + domain_use_interactive_fds(imapd_t) + +-files_read_etc_files(imapd_t) +- + fs_getattr_all_fs(imapd_t) + fs_search_auto_mountpoints(imapd_t) + +@@ 
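Review bot: The added `stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)` in `uuidd_stream_connect_manager` is paired only with `files_search_pids($1)`; the pattern grants search on `uuidd_var_lib_t` itself, but nothing here lets `$1` traverse `/var/lib` to reach that directory. Add `files_search_var_lib($1)` next to the existing `files_search_pids($1)`.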
-65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t) + + logging_send_syslog_msg(imapd_t) + +-miscfiles_read_localization(imapd_t) +- + sysnet_dns_name_resolve(imapd_t) + + userdom_dontaudit_use_unpriv_user_fds(imapd_t) +diff --git a/varnishd.if b/varnishd.if +index 1c35171..2cba4df 100644 +--- a/varnishd.if ++++ b/varnishd.if +@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',` + # + interface(`varnishd_admin_varnishlog',` + gen_require(` ++ type varnishd_t; + type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; + type varnishlog_var_run_t; + ') + +- allow $1 varnishlog_t:process { ptrace signal_perms }; ++ allow $1 varnishlog_t:process signal_perms; + ps_process_pattern($1, varnishlog_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 varnishd_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) + domain_system_change_exemption($1) +@@ -196,9 +200,13 @@ interface(`varnishd_admin',` + type varnishd_initrc_exec_t; + ') + +- allow $1 varnishd_t:process { ptrace signal_perms }; ++ allow $1 varnishd_t:process signal_perms; + ps_process_pattern($1, varnishd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 varnishd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, varnishd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 varnishd_initrc_exec_t system_r; +diff --git a/varnishd.te b/varnishd.te +index 9d4d8cb..f50c3ff 100644 +--- a/varnishd.te ++++ b/varnishd.te +@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; + init_script_file(varnishd_initrc_exec_t) + + type varnishd_etc_t; +-files_type(varnishd_etc_t) ++files_config_file(varnishd_etc_t) + + type varnishd_tmp_t; + files_tmp_file(varnishd_tmp_t) +@@ -43,7 +43,7 @@ type varnishlog_var_run_t; + files_pid_file(varnishlog_var_run_t) + + type varnishlog_log_t; +-files_type(varnishlog_log_t) ++logging_log_file(varnishlog_log_t) + + ######################################## + # +@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) + + allow 
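Review bot: In `varnishd_admin_varnishlog` the ptrace rule targets the wrong domain: `allow $1 varnishd_t:process ptrace;` grants ptrace on the main varnishd daemon from an interface whose `signal_perms` and `ps_process_pattern` lines are about `varnishlog_t`, and the new `type varnishd_t;` in the gen_require exists only to make that line compile. Change it to `allow $1 varnishlog_t:process ptrace;` and drop `type varnishd_t;` from the require; the `varnishd_admin` hunk below has the correct form.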
varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; + dontaudit varnishd_t self:capability sys_tty_config; +-allow varnishd_t self:process signal; ++allow varnishd_t self:process { execmem signal }; + allow varnishd_t self:fifo_file rw_fifo_file_perms; + allow varnishd_t self:tcp_socket { accept listen }; + +@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) + + dev_read_urand(varnishd_t) + +-files_read_usr_files(varnishd_t) + + fs_getattr_all_fs(varnishd_t) + +@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t) + + logging_send_syslog_msg(varnishd_t) + +-miscfiles_read_localization(varnishd_t) ++sysnet_read_config(varnishd_t) + + tunable_policy(`varnishd_connect_any',` + corenet_sendrecv_all_client_packets(varnishd_t) +diff --git a/vbetool.te b/vbetool.te +index 14e1eec..b33d259 100644 +--- a/vbetool.te ++++ b/vbetool.te +@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t; + # + + allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; ++allow vbetool_t self:capability2 compromise_kernel; + allow vbetool_t self:process execmem; + + dev_wx_raw_memory(vbetool_t) +@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t) + + term_use_unallocated_ttys(vbetool_t) + +-miscfiles_read_localization(vbetool_t) + + tunable_policy(`vbetool_mmap_zero_ignore',` + dontaudit vbetool_t self:memprotect mmap_zero; +diff --git a/vdagent.if b/vdagent.if +index 31c752e..ef52235 100644 +--- a/vdagent.if ++++ b/vdagent.if +@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',` + ## Get attributes of vdagent executable files. + ##
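Review bot: `allow varnishd_t self:process { execmem signal };` adds execmem to a network-facing daemon without a comment; execmem lets the process map memory that is both writable and executable, which gives up the W^X protection the rest of the policy relies on. State the reason on the line, e.g. `# execmem: required for <reason — confirm with varnishd behaviour>`, and if it is only needed for an optional feature consider guarding it with a tunable instead of granting it unconditionally.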
    + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`vdagent_getattr_exec_files',` +- gen_require(` +- type vdagent_exec_t; +- ') ++ gen_require(` ++ type vdagent_exec_t; ++ ') + + allow $1 vdagent_exec_t:file getattr_file_perms; + ') +@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',` + ## Get attributes of vdagent log files. + ##
+ ##
+-##
+-## Domain allowed access.
+-##
++##
++## Domain allowed access.
++##
+ ##
+ #
+ interface(`vdagent_getattr_log',`
+- gen_require(`
+- type vdagent_log_t;
+- ')
++ gen_require(`
++ type vdagent_log_t;
++ ')
+ 
+- logging_search_logs($1)
+- allow $1 vdagent_log_t:file getattr_file_perms;
++ logging_search_logs($1)
++ allow $1 vdagent_log_t:file getattr_file_perms;
+ ')
+ 
+ ########################################
+@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',`
+ ## domain stream socket.
+ ##
    + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`vdagent_stream_connect',` +- gen_require(` +- type vdagent_var_run_t, vdagent_t; +- ') ++ gen_require(` ++ type vdagent_var_run_t, vdagent_t; ++ ') + +- files_search_pids($1) +- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) + ') + + ######################################## +@@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',` + ## Role allowed access. + ##
    + ## +-## + # + interface(`vdagent_admin',` + gen_require(` +@@ -120,6 +119,9 @@ interface(`vdagent_admin',` + + allow $1 vdagent_t:process signal_perms; + ps_process_pattern($1, vdagent_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vdagent_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/vdagent.te b/vdagent.te +index 77be35a..0e9a7d1 100644 +--- a/vdagent.te ++++ b/vdagent.te +@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) + + dontaudit vdagent_t self:capability sys_admin; + allow vdagent_t self:process signal; ++ + allow vdagent_t self:fifo_file rw_fifo_file_perms; + allow vdagent_t self:unix_stream_socket { accept listen }; + +@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) + setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) + logging_log_filetrans(vdagent_t, vdagent_log_t, file) + ++kernel_request_load_module(vdagent_t) ++ + dev_rw_input_dev(vdagent_t) + dev_read_sysfs(vdagent_t) + dev_dontaudit_write_mtrr(vdagent_t) + +-files_read_etc_files(vdagent_t) +- + init_read_state(vdagent_t) + +-logging_send_syslog_msg(vdagent_t) ++systemd_read_logind_sessions_files(vdagent_t) ++systemd_login_read_pid_files(vdagent_t) ++ ++term_use_virtio_console(vdagent_t) + +-miscfiles_read_localization(vdagent_t) ++logging_send_syslog_msg(vdagent_t) + + userdom_read_all_users_state(vdagent_t) + +diff --git a/vhostmd.if b/vhostmd.if +index 22edd58..c3a5364 100644 +--- a/vhostmd.if ++++ b/vhostmd.if +@@ -216,9 +216,13 @@ interface(`vhostmd_admin',` + type vhostmd_tmpfs_t; + ') + +- allow $1 vhostmd_t:process { ptrace signal_perms }; ++ allow $1 vhostmd_t:process signal_perms; + ps_process_pattern($1, vhostmd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vhostmd_t:process ptrace; ++ ') ++ + vhostmd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 vhostmd_initrc_exec_t system_r; +diff --git a/vhostmd.te 
b/vhostmd.te +index 0be8535..b96e329 100644 +--- a/vhostmd.te ++++ b/vhostmd.te +@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t) + dev_read_sysfs(vhostmd_t) + + files_list_tmp(vhostmd_t) +-files_read_usr_files(vhostmd_t) + + auth_use_nsswitch(vhostmd_t) + + logging_send_syslog_msg(vhostmd_t) + +-miscfiles_read_localization(vhostmd_t) +- + optional_policy(` + hostname_exec(vhostmd_t) + ') +@@ -77,6 +74,7 @@ optional_policy(` + + optional_policy(` + virt_stream_connect(vhostmd_t) ++ virt_write_content(vhostmd_t) + ') + + optional_policy(` +diff --git a/virt.fc b/virt.fc +index c30da4c..9bad8b9 100644 +--- a/virt.fc ++++ b/virt.fc +@@ -1,52 +1,92 @@ +-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/\.local/share/gnome-boxes/images(/.*)? 
gen_context(system_u:object_r:svirt_home_t,s0) + +-/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) + /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) + /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +-/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) ++/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + +-/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) ++/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) ++/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) + +-/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) +-/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +-/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +-/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +- +-/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +-/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) +- +-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +-/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +- +-/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +-/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) + /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) + /usr/sbin/libvirtd -- 
gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) ++/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) ++/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) + + /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +-/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +-/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +-/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +-/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) ++/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) ++/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +- +-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) ++/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/log/vdsm(/.*)? 
gen_context(system_u:object_r:virt_log_t,s0) + /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) + /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) +-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) +-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) +-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) ++/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) ++/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) ++/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++# support for AEOLUS project ++/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) ++/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) ++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/vdsm(/.*)? 
gen_context(system_u:object_r:virt_content_t,s0) ++ ++# add support vios-proxy-* ++/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) ++ ++# support for nova-stack ++/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++ ++/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++ ++/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++ ++/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) ++/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) ++/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) ++ ++/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++ ++/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) ++/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) ++ ++/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) ++/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +diff --git a/virt.if b/virt.if +index 9dec06c..73549fd 100644 +--- a/virt.if ++++ b/virt.if +@@ -1,120 +1,51 @@ +-## Libvirt virtualization API. 
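Review bot: `/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)` labels a lock file with the log type; it sits between the `/var/lib` and `/var/log` entries and reads like a copy of the adjacent log lines. Unless the xl lock is really meant to be managed as a log, it should get a lock-file type (the module's own lock type, if it declares one) or a comment stating why the log type was chosen. Separately, `/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)` now overlaps `/usr/libexec/qemu-bridge-helper` (virt_bridgehelper_exec_t) and `/usr/libexec/qemu-ga(/.*)?` (virt_qemu_ga_exec_t) elsewhere in this file; file_contexts precedence should let the more specific entries win, but a comment on the broad pattern, e.g. `# catch-all for qemu binaries; the qemu-bridge-helper and qemu-ga entries are more specific and take precedence`, spares the next reader the check.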
++## Libvirt virtualization API + +-####################################### ++######################################## + ## +-## The template to define a virt domain. ++## Creates types and rules for a basic ++## qemu process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## + ## + # + template(`virt_domain_template',` + gen_require(` +- attribute_role virt_domain_roles; +- attribute virt_image_type, virt_domain, virt_tmpfs_type; +- attribute virt_ptynode, virt_tmp_type; ++ attribute virt_image_type, virt_domain; ++ attribute virt_tmpfs_type; ++ attribute virt_ptynode; ++ type qemu_exec_t; + ') + +- ######################################## +- # +- # Declarations +- # +- + type $1_t, virt_domain; +- application_type($1_t) +- qemu_entry_type($1_t) ++ application_domain($1_t, qemu_exec_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) +- role virt_domain_roles types $1_t; ++ role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + +- type $1_tmp_t, virt_tmp_type; +- files_tmp_file($1_tmp_t) +- +- type $1_tmpfs_t, virt_tmpfs_type; +- files_tmpfs_file($1_tmpfs_t) ++ kernel_read_system_state($1_t) + +- optional_policy(` +- pulseaudio_tmpfs_content($1_tmpfs_t) +- ') ++ auth_read_passwd($1_t) + +- type $1_image_t, virt_image_type; +- files_type($1_image_t) +- dev_node($1_image_t) +- dev_associate_sysfs($1_image_t) ++ logging_send_syslog_msg($1_t) + +- ######################################## +- # +- # Policy +- # +- +- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) +- +- manage_dirs_pattern($1_t, $1_image_t, $1_image_t) +- manage_files_pattern($1_t, $1_image_t, $1_image_t) +- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) +- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) +- 
manage_sock_files_pattern($1_t, $1_image_t, $1_image_t) +- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) +- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) +- fs_hugetlbfs_filetrans($1_t, $1_image_t, file) +- +- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) +- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) +- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) +- files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) +- +- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) +- +- optional_policy(` +- pulseaudio_run($1_t, virt_domain_roles) +- ') +- +- optional_policy(` +- xserver_rw_shm($1_t) +- ') +-') +- +-####################################### +-## +-## The template to define a virt lxc domain. +-## +-## +-## +-## Domain prefix to be used. +-## +-## +-# +-template(`virt_lxc_domain_template',` +- gen_require(` +- attribute_role svirt_lxc_domain_roles; +- attribute svirt_lxc_domain; +- ') +- +- type $1_t, svirt_lxc_domain; +- domain_type($1_t) +- domain_user_exemption_target($1_t) +- mls_rangetrans_target($1_t) +- mcs_constrained($1_t) +- role svirt_lxc_domain_roles types $1_t; + ') + + ######################################## + ## +-## Make the specified type virt image type. ++## Make the specified type usable as a virt image + ## + ## + ## +-## Type to be used as a virtual image. ++## Type to be used as a virtual image + ## + ## + # +@@ -125,31 +56,32 @@ interface(`virt_image',` + + typeattribute $1 virt_image_type; + files_type($1) ++ ++ # virt images can be assigned to blk devices + dev_node($1) + ') + +-######################################## ++####################################### + ## +-## Execute a domain transition to run virtd. ++## Getattr on virt executable. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. 
++## + ## + # +-interface(`virt_domtrans',` +- gen_require(` +- type virtd_t, virtd_exec_t; +- ') ++interface(`virt_getattr_exec',` ++ gen_require(` ++ type virtd_exec_t; ++ ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virtd_exec_t, virtd_t) ++ allow $1 virtd_exec_t:file getattr; + ') + + ######################################## + ## +-## Execute a domain transition to run virt qmf. ++## Execute a domain transition to run virt. + ## + ## + ## +@@ -157,162 +89,71 @@ interface(`virt_domtrans',` + ## + ## + # +-interface(`virt_domtrans_qmf',` ++interface(`virt_domtrans',` + gen_require(` +- type virt_qmf_t, virt_qmf_exec_t; ++ type virtd_t, virtd_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ++ domtrans_pattern($1, virtd_exec_t, virtd_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run virt bridgehelper. ++## Execute virtd in the caller domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +-interface(`virt_domtrans_bridgehelper',` ++interface(`virt_exec',` + gen_require(` +- type virt_bridgehelper_t, virt_bridgehelper_exec_t; ++ type virtd_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ++ can_exec($1, virtd_exec_t) + ') + + ######################################## + ## +-## Execute bridgehelper in the bridgehelper +-## domain, and allow the specified role +-## the bridgehelper domain. ++## Transition to virt_qmf. + ## + ## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. 
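Review bot: `virt_getattr_exec` keeps the parameter description `Domain allowed to transition.` from the `virt_domtrans` text it replaced, but the interface only grants `allow $1 virtd_exec_t:file getattr;` and no transition occurs; the line should read `## Domain allowed access.`. In the same hunk the rewritten `virt_domtrans` drops `corecmd_search_bin($1)` before `domtrans_pattern`, while `virt_domtrans_qmf` in the next hunk keeps it; if bin-directory search is now provided elsewhere, say so, otherwise callers of `virt_domtrans` and of `virt_domtrans_bridgehelper` (which drops it too) lose it. The old `virt_getattr_virtd_exec_files` removed later in this diff used `getattr_file_perms`, so the bare `getattr` here is a deliberate narrowing only if that was intended.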
+-## +-## +-# +-interface(`virt_run_bridgehelper',` +- gen_require(` +- attribute_role virt_bridgehelper_roles; +- ') +- +- virt_domtrans_bridgehelper($1) +- roleattribute $2 virt_bridgehelper_roles; +-') +- +-######################################## + ## +-## Execute virt domain in the their +-## domain, and allow the specified +-## role that virt domain. +-## +-## +-## + ## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-# +-interface(`virt_run_virt_domain',` +- gen_require(` +- attribute virt_domain; +- attribute_role virt_domain_roles; +- ') +- +- allow $1 virt_domain:process { signal transition }; +- roleattribute $2 virt_domain_roles; +- +- allow virt_domain $1:fd use; +- allow virt_domain $1:fifo_file rw_fifo_file_perms; +- allow virt_domain $1:process sigchld; +-') +- +-######################################## +-## +-## Send generic signals to all virt domains. + ## +-## +-## +-## Domain allowed access. +-## + ## + # +-interface(`virt_signal_all_virt_domains',` ++interface(`virt_domtrans_qmf',` + gen_require(` +- attribute virt_domain; ++ type virt_qmf_t, virt_qmf_exec_t; + ') + +- allow $1 virt_domain:process signal; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) + ') + + ######################################## + ## +-## Send kill signals to all virt domains. ++## Transition to virt_bridgehelper. + ## + ## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`virt_kill_all_virt_domains',` +- gen_require(` +- attribute virt_domain; +- ') +- +- allow $1 virt_domain:process sigkill; +-') +- +-######################################## + ## +-## Execute svirt lxc domains in their +-## domain, and allow the specified +-## role that svirt lxc domain. ++## Domain allowed to transition. + ## +-## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. 
+-## + ## +-# +-interface(`virt_run_svirt_lxc_domain',` ++interface(`virt_domtrans_bridgehelper',` + gen_require(` +- attribute svirt_lxc_domain; +- attribute_role svirt_lxc_domain_roles; ++ type virt_bridgehelper_t, virt_bridgehelper_exec_t; + ') + +- allow $1 svirt_lxc_domain:process { signal transition }; +- roleattribute $2 svirt_lxc_domain_roles; +- +- allow svirt_lxc_domain $1:fd use; +- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; +- allow svirt_lxc_domain $1:process sigchld; ++ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + ') + + ####################################### + ## +-## Get attributes of virtd executable files. ++## Connect to virt over a unix domain stream socket. + ## + ## + ## +@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',` + ## + ## + # +-interface(`virt_getattr_virtd_exec_files',` ++interface(`virt_stream_connect',` + gen_require(` +- type virtd_exec_t; ++ type virtd_t, virt_var_run_t; + ') + +- allow $1 virtd_exec_t:file getattr_file_perms; ++ files_search_pids($1) ++ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + ') + + ####################################### + ## +-## Connect to virt with a unix +-## domain stream socket. ++## Connect to svirt process over a unix domain stream socket. + ## + ## + ## +@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',` + ## + ## + # +-interface(`virt_stream_connect',` ++interface(`virt_stream_connect_svirt',` + gen_require(` +- type virtd_t, virt_var_run_t; ++ type svirt_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ++ allow $1 svirt_t:unix_stream_socket connectto; + ') + + ######################################## + ## +-## Attach to virt tun devices. ++## Allow domain to attach to virt TUN devices + ## + ## + ## +@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',` + + ######################################## + ## +-## Read virt configuration content. 
++## Read virt config files. + ## + ## + ## +@@ -383,7 +223,6 @@ interface(`virt_read_config',` + ') + + files_search_etc($1) +- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +@@ -391,8 +230,7 @@ interface(`virt_read_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## virt configuration content. ++## manage virt config files. + ## + ## + ## +@@ -406,7 +244,6 @@ interface(`virt_manage_config',` + ') + + files_search_etc($1) +- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +@@ -414,8 +251,7 @@ interface(`virt_manage_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## virt image files. ++## Allow domain to manage virt image files + ## + ## + ## +@@ -450,8 +286,7 @@ interface(`virt_read_content',` + + ######################################## + ## +-## Create, read, write, and delete +-## virt content. 
++## Allow domain to write virt image files + ## + ## + ## +@@ -459,35 +294,17 @@ interface(`virt_read_content',` + ## + ## + # +-interface(`virt_manage_virt_content',` ++interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_content_t:dir manage_dir_perms; +- allow $1 virt_content_t:file manage_file_perms; +- allow $1 virt_content_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_content_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_content_t:sock_file manage_sock_file_perms; +- allow $1 virt_content_t:blk_file manage_blk_file_perms; +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) +- ') +- +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) +- ') ++ allow $1 virt_content_t:file write_file_perms; + ') + + ######################################## + ## +-## Relabel virt content. ++## Read virt PID symlinks files. + ## + ## + ## +@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',` + ## + ## + # +-interface(`virt_relabel_virt_content',` ++interface(`virt_read_pid_symlinks',` + gen_require(` +- type virt_content_t; ++ type virt_var_run_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_content_t:dir relabel_dir_perms; +- allow $1 virt_content_t:file relabel_file_perms; +- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms; +- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms; +- allow $1 virt_content_t:sock_file relabel_sock_file_perms; +- allow $1 virt_content_t:blk_file relabel_blk_file_perms; ++ files_search_pids($1) ++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + ') + + ######################################## + ## +-## Create specified objects in user home +-## directories with the virt content type. ++## Read virt PID files. + ## + ## + ## + ## Domain allowed access. 
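Review bot: The summary on `virt_write_content` says `Allow domain to write virt image files`, but the rule is `allow $1 virt_content_t:file write_file_perms;` — `virt_content_t` is the ISO/boot-content type, not an image type, and the image interfaces in this file (`virt_manage_images`, `virt_read_images`) work on `virt_image_type`. Change the summary to `## Write virt content files.` so callers such as vhostmd.te do not read this as image access. The interface also grants no directory search (the replaced `virt_manage_virt_content` had `userdom_search_user_home_dirs`), so callers reaching content under home directories must obtain that themselves; a note to that effect avoids surprise denials.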
+ ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`virt_home_filetrans_virt_content',` ++interface(`virt_read_pid_files',` + gen_require(` +- type virt_content_t; ++ type virt_var_run_t; + ') + +- virt_home_filetrans($1, virt_content_t, $2, $3) ++ files_search_pids($1) ++ read_files_pattern($1, virt_var_run_t, virt_var_run_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt home content. ++## Manage virt pid directories. + ## + ## + ## +@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',` + ## + ## + # +-interface(`virt_manage_svirt_home_content',` ++interface(`virt_manage_pid_dirs',` + gen_require(` +- type svirt_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 svirt_home_t:dir manage_dir_perms; +- allow $1 svirt_home_t:file manage_file_perms; +- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 svirt_home_t:sock_file manage_sock_file_perms; +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) ++ type virt_var_run_t; ++ type virt_lxc_var_run_t; + ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) +- ') ++ files_search_pids($1) ++ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) ++ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) ++ virt_filetrans_named_content($1) + ') + + ######################################## + ## +-## Relabel svirt home content. ++## Manage virt pid files. 
+ ## + ## + ## +@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',` + ## + ## + # +-interface(`virt_relabel_svirt_home_content',` ++interface(`virt_manage_pid_files',` + gen_require(` +- type svirt_home_t; ++ type virt_var_run_t; ++ type virt_lxc_var_run_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 svirt_home_t:dir relabel_dir_perms; +- allow $1 svirt_home_t:file relabel_file_perms; +- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; +- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; +- allow $1 svirt_home_t:sock_file relabel_sock_file_perms; ++ files_search_pids($1) ++ manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + ') + + ######################################## + ## +-## Create specified objects in user home +-## directories with the svirt home type. ++## Create objects in the pid directory ++## with a private type with a type transition. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## + ## +-## Class of the object being created. ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. + ## + ## + ## +@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',` + ## + ## + # +-interface(`virt_home_filetrans_svirt_home',` ++interface(`virt_pid_filetrans',` + gen_require(` +- type svirt_home_t; ++ type virt_var_run_t; + ') + +- virt_home_filetrans($1, svirt_home_t, $2, $3) ++ filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + ') + + ######################################## + ## +-## Create specified objects in generic +-## virt home directories with private +-## home type. ++## Search virt lib directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Private file type. +-## +-## +-## +-## +-## Class of the object being created. 
+-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`virt_home_filetrans',` ++interface(`virt_search_lib',` + gen_require(` +- type virt_home_t; ++ type virt_var_lib_t; + ') + +- userdom_search_user_home_dirs($1) +- filetrans_pattern($1, virt_home_t, $2, $3, $4) ++ allow $1 virt_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt home files. ++## Read virt lib files. + ## + ## + ## +@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',` + ## + ## + # +-interface(`virt_manage_home_files',` ++interface(`virt_read_lib_files',` + gen_require(` +- type virt_home_t; ++ type virt_var_lib_t; + ') + +- userdom_search_user_home_dirs($1) +- manage_files_pattern($1, virt_home_t, virt_home_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt home content. ++## Dontaudit inherited read virt lib files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`virt_manage_generic_virt_home_content',` ++interface(`virt_dontaudit_read_lib_files',` + gen_require(` +- type virt_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) ++ type virt_var_lib_t; + ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) +- ') ++ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel virt home content. ++## Create, read, write, and delete ++## virt lib files. + ## + ## + ## +@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',` + ## + ## + # +-interface(`virt_relabel_generic_virt_home_content',` ++interface(`virt_manage_lib_files',` + gen_require(` +- type virt_home_t; ++ type virt_var_lib_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir relabel_dir_perms; +- allow $1 virt_home_t:file relabel_file_perms; +- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; +- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; +- allow $1 virt_home_t:sock_file relabel_sock_file_perms; ++ files_search_var_lib($1) ++ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + ') + + ######################################## + ## +-## Create specified objects in user home +-## directories with the generic virt +-## home type. ++## Allow the specified domain to read virt's log files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## ++## + # +-interface(`virt_home_filetrans_virt_home',` ++interface(`virt_read_log',` + gen_require(` +- type virt_home_t; ++ type virt_log_t; + ') + +- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) ++ logging_search_logs($1) ++ read_files_pattern($1, virt_log_t, virt_log_t) + ') + + ######################################## + ## +-## Read virt pid files. ++## Allow the specified domain to append ++## virt log files. + ## + ## + ## +@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',` + ## + ## + # +-interface(`virt_read_pid_files',` ++interface(`virt_append_log',` + gen_require(` +- type virt_var_run_t; ++ type virt_log_t; + ') + +- files_search_pids($1) +- read_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ logging_search_logs($1) ++ append_files_pattern($1, virt_log_t, virt_log_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt pid files. ++## Allow domain to manage virt log files + ## + ## + ## +@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',` + ## + ## + # +-interface(`virt_manage_pid_files',` ++interface(`virt_manage_log',` + gen_require(` +- type virt_var_run_t; ++ type virt_log_t; + ') + +- files_search_pids($1) +- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ manage_dirs_pattern($1, virt_log_t, virt_log_t) ++ manage_files_pattern($1, virt_log_t, virt_log_t) ++ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + ') + + ######################################## + ## +-## Search virt lib directories. 
++## Allow domain to search virt image direcories + ## + ## + ## +@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',` + ## + ## + # +-interface(`virt_search_lib',` ++interface(`virt_search_images',` + gen_require(` +- type virt_var_lib_t; ++ attribute virt_image_type; + ') + +- files_search_var_lib($1) +- allow $1 virt_var_lib_t:dir search_dir_perms; ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir search_dir_perms; + ') + + ######################################## + ## +-## Read virt lib files. ++## Allow domain to read virt image files + ## + ## + ## +@@ -839,20 +584,73 @@ interface(`virt_search_lib',` + ## + ## + # +-interface(`virt_read_lib_files',` ++interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; ++ attribute virt_image_type; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir list_dir_perms; ++ list_dirs_pattern($1, virt_image_type, virt_image_type) ++ read_files_pattern($1, virt_image_type, virt_image_type) ++ read_lnk_files_pattern($1, virt_image_type, virt_image_type) ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++ read_chr_files_pattern($1, virt_image_type, virt_image_type) ++ ++ tunable_policy(`virt_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ fs_read_nfs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ fs_read_cifs_symlinks($1) ++ ') ++') ++ ++######################################## ++## ++## Allow domain to read virt blk image files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`virt_read_blk_images',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++') ++ ++######################################## ++## ++## Allow domain to read/write virt image chr files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_rw_chr_files',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ rw_chr_files_pattern($1, virt_image_type, virt_image_type) + ') + + ######################################## + ## + ## Create, read, write, and delete +-## virt lib files. ++## svirt cache files. + ## + ## + ## +@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',` + ## + ## + # +-interface(`virt_manage_lib_files',` ++interface(`virt_manage_cache',` + gen_require(` +- type virt_var_lib_t; ++ type virt_cache_t; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ files_search_var($1) ++ manage_dirs_pattern($1, virt_cache_t, virt_cache_t) ++ manage_files_pattern($1, virt_cache_t, virt_cache_t) ++ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. ++## Allow domain to manage virt image files + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++# ++interface(`virt_manage_images',` ++ gen_require(` ++ type virt_var_lib_t; ++ attribute virt_image_type; ++ ') ++ ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir list_dir_perms; ++ manage_dirs_pattern($1, virt_image_type, virt_image_type) ++ manage_files_pattern($1, virt_image_type, virt_image_type) ++ read_lnk_files_pattern($1, virt_image_type, virt_image_type) ++ rw_blk_files_pattern($1, virt_image_type, virt_image_type) ++ rw_chr_files_pattern($1, virt_image_type, virt_image_type) ++') ++ ++####################################### ++## ++## Allow domain to manage virt image files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_manage_default_image_type',` ++ gen_require(` ++ type virt_var_lib_t; ++ type virt_image_t; ++ ') ++ ++ virt_search_lib($1) ++ manage_dirs_pattern($1, virt_image_t, virt_image_t) ++ manage_files_pattern($1, virt_image_t, virt_image_t) ++ read_lnk_files_pattern($1, virt_image_t, virt_image_t) ++') ++ ++######################################## ++## ++## Execute virt server in the virt domain. ++## ++## + ## +-## The type of the object to be created. ++## Domain allowed to transition. + ## + ## +-## ++# ++interface(`virt_systemctl',` ++ gen_require(` ++ type virtd_unit_file_t; ++ type virtd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 virtd_unit_file_t:file read_file_perms; ++ allow $1 virtd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, virtd_t) ++') ++ ++######################################## ++## ++## Ptrace the svirt domain ++## ++## + ## +-## The object class of the object being created. ++## Domain allowed to transition. + ## + ## +-## ++# ++interface(`virt_ptrace',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process ptrace; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. 
+ ## + ## +-## + # +-interface(`virt_pid_filetrans',` ++interface(`virt_stream_connect_sandbox',` + gen_require(` +- type virt_var_run_t; ++ attribute svirt_sandbox_domain; ++ type svirt_sandbox_file_t; + ') + + files_search_pids($1) +- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) + ') + + ######################################## + ## +-## Read virt log files. ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. + ## + ## + ## + # +-interface(`virt_read_log',` ++interface(`virt_transition_svirt',` + gen_require(` +- type virt_log_t; ++ attribute virt_domain; ++ type virt_bridgehelper_t; ++ type svirt_image_t; ++ type svirt_socket_t; + ') + +- logging_search_logs($1) +- read_files_pattern($1, virt_log_t, virt_log_t) ++ allow $1 virt_domain:process transition; ++ role $2 types virt_domain; ++ role $2 types virt_bridgehelper_t; ++ role $2 types svirt_socket_t; ++ ++ allow $1 virt_domain:process { sigkill sigstop signull signal }; ++ allow $1 svirt_image_t:file { relabelfrom relabelto }; ++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; ++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; ++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; ++ ++ optional_policy(` ++ ptchown_run(virt_domain, $2) ++ ') + ') + + ######################################## + ## +-## Append virt log files. ++## Do not audit attempts to write virt daemon unnamed pipes. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`virt_append_log',` ++interface(`virt_dontaudit_write_pipes',` + gen_require(` +- type virt_log_t; ++ type virtd_t; + ') + +- logging_search_logs($1) +- append_files_pattern($1, virt_log_t, virt_log_t) ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt log files. ++## Send a sigkill to virtual machines + ## + ## + ## +@@ -955,20 +848,17 @@ interface(`virt_append_log',` + ## + ## + # +-interface(`virt_manage_log',` ++interface(`virt_kill_svirt',` + gen_require(` +- type virt_log_t; ++ attribute virt_domain; + ') + +- logging_search_logs($1) +- manage_dirs_pattern($1, virt_log_t, virt_log_t) +- manage_files_pattern($1, virt_log_t, virt_log_t) +- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ++ allow $1 virt_domain:process sigkill; + ') + + ######################################## + ## +-## Search virt image directories. ++## Send a sigkill to virtd daemon. + ## + ## + ## +@@ -976,18 +866,17 @@ interface(`virt_manage_log',` + ## + ## + # +-interface(`virt_search_images',` ++interface(`virt_kill',` + gen_require(` +- attribute virt_image_type; ++ type virtd_t; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir search_dir_perms; ++ allow $1 virtd_t:process sigkill; + ') + + ######################################## + ## +-## Read virt image files. 
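Review bot: `virt_manage_log` is deleted outright in this hunk and replaced by `virt_kill_svirt`, with no deprecation shim left behind, so any module outside this patch that still calls it fails at policy build time with an undefined macro. The convention for that is visible on the old side of the `@@ -995` hunk, where `virt_manage_svirt_cache` had become a `refpolicywarn(`$0($*) has been deprecated...')` wrapper; the same gap applies to `virt_search_images` in the next hunk and to `virt_read_images`, `virt_rw_all_image_chr_files`, `virt_manage_svirt_cache` and `virt_manage_virt_cache` in the two hunks after it. Unless those names are re-added elsewhere in the patch, each should keep a stub such as `interface(`virt_manage_log',` refpolicywarn(`$0($*) has been deprecated.') ')` until callers are converted.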
++## Send a signal to virtual machines + ## + ## + ## +@@ -995,73 +884,75 @@ interface(`virt_search_images',` + ## + ## + # +-interface(`virt_read_images',` ++interface(`virt_signal_svirt',` + gen_require(` +- type virt_var_lib_t; +- attribute virt_image_type; ++ attribute virt_domain; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- list_dirs_pattern($1, virt_image_type, virt_image_type) +- read_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- read_blk_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 virt_domain:process signal; ++') + +- tunable_policy(`virt_use_nfs',` +- fs_list_nfs($1) +- fs_read_nfs_files($1) +- fs_read_nfs_symlinks($1) ++######################################## ++## ++## Manage virt home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_manage_home_files',` ++ gen_require(` ++ type virt_home_t; + ') + +- tunable_policy(`virt_use_samba',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- fs_read_cifs_symlinks($1) +- ') ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) + ') + + ######################################## + ## +-## Read and write all virt image +-## character files. ++## allow domain to read ++## virt tmpfs files + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access + ## + ## + # +-interface(`virt_rw_all_image_chr_files',` ++interface(`virt_read_tmpfs_files',` + gen_require(` +- attribute virt_image_type; ++ attribute virt_tmpfs_type; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- rw_chr_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 virt_tmpfs_type:file read_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt cache files. ++## allow domain to manage ++## virt tmpfs files + ## + ## + ## +-## Domain allowed access. 
++## Domain allowed access + ## + ## + # +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) ++interface(`virt_manage_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file manage_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt cache content. ++## Create .virt directory in the user home directory ++## with an correct label. + ## + ## + ## +@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',` + ## + ## + # +-interface(`virt_manage_virt_cache',` ++interface(`virt_filetrans_home_content',` + gen_require(` +- type virt_cache_t; ++ type virt_home_t; ++ type svirt_home_t; + ') + +- files_search_var($1) +- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) +- manage_files_pattern($1, virt_cache_t, virt_cache_t) +- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ ') + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt image files. ++## Dontaudit attempts to Read virt_image_type devices. 
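Review bot: `virt_read_tmpfs_files` and `virt_manage_tmpfs_files` grant file permissions on `virt_tmpfs_type` without any search permission on the tmpfs mount, so a caller that does not already have it cannot reach the files; the `virt_rw_all_image_chr_files` they replace did carry its own `virt_search_lib($1)`. Adding `fs_search_tmpfs($1)` as the first body line of each follows what `virt_manage_home_files` in this same hunk does with `userdom_search_user_home_dirs($1)` ahead of its manage rule. The `tunable_policy(`virt_use_nfs'...)` and `virt_use_samba` blocks removed from `virt_read_images` have no counterpart in any replacement here, so if image readers are still expected to reach NFS/CIFS-backed images that has to be provided by whatever now grants read access.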
+ ## + ## + ## +@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',` + ## + ## + # +-interface(`virt_manage_images',` ++interface(`virt_dontaudit_read_chr_dev',` + gen_require(` +- type virt_var_lib_t; + attribute virt_image_type; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- manage_dirs_pattern($1, virt_image_type, virt_image_type) +- manage_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- rw_blk_files_pattern($1, virt_image_type, virt_image_type) ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++') + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_read_nfs_symlinks($1) ++######################################## ++## ++## Creates types and rules for a basic ++## virt_lxc process domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`virt_sandbox_domain_template',` ++ gen_require(` ++ attribute svirt_sandbox_domain; + ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) ++ type $1_t, svirt_sandbox_domain; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++ role system_r types $1_t; ++ ++ kernel_read_system_state($1_t) ++') ++ ++######################################## ++## ++## Make the specified type usable as a lxc domain ++## ++## ++## ++## Type to be used as a lxc domain ++## ++## ++# ++template(`virt_sandbox_domain',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ++ ') ++ ++ typeattribute $1 svirt_sandbox_domain; ++') ++ ++######################################## ++## ++## Execute a qemu_exec_t in the callers domain ++## ++## ++## ++## Domain allowed access. 
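Review bot: The summary of `virt_filetrans_home_content` ("Create .virt directory in the user home directory with an correct label") names a directory the body never creates; the body labels `.libvirt`, `.virtinst`, a `qemu` subdirectory and, inside `optional_policy`, gnome config/cache/data entries. I'd rewrite it as `## Create libvirt/virtinst home content (.libvirt, .virtinst, qemu/ and the gnome config, cache and data entries) with the correct label.`, and add `## The gnome entries only apply where the gnome module is present.` since the optional block is silently skipped otherwise. The `userdom_user_home_dir_filetrans(virtd_t, ...)` rules this interface supersedes are removed in the `@@ -448` hunk of virt.te, and the `"VirtualMachines"` entry among them has no equivalent here, so confirm that drop is intended.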
++## ++## ++# ++interface(`virt_exec_qemu',` ++ gen_require(` ++ type qemu_exec_t; ++ ') ++ ++ can_exec($1, qemu_exec_t) ++') ++ ++######################################## ++## ++## Transition to virt named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_filetrans_named_content',` ++ gen_require(` ++ type virt_lxc_var_run_t; ++ type virt_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ++') ++ ++######################################## ++## ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++## ++# ++interface(`virt_transition_svirt_sandbox',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ++ ') ++ ++ allow $1 svirt_sandbox_domain:process transition; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; ++ ++ allow svirt_sandbox_domain $1:process sigchld; ++') ++ ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_rw_svirt_dev',` ++ gen_require(` ++ type svirt_image_t; + ') ++ ++ allow $1 svirt_image_t:chr_file rw_file_perms; + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an virt environment. 
++## All of the rules required to administrate ++## an virt environment + ## + ## + ## +@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',` + # + interface(`virt_admin',` + gen_require(` +- attribute virt_domain, virt_image_type, virt_tmpfs_type; +- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; +- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; +- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; +- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; +- type virt_var_run_t, virt_tmp_t, virt_log_t; +- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; +- type virt_etc_t, svirt_cache_t; ++ attribute virt_domain; ++ attribute virt_system_domain; ++ attribute svirt_file_type; ++ attribute virt_file_type; ++ type virtd_initrc_exec_t; + ') + +- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; +- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) +- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) ++ allow $1 virt_system_domain:process signal_perms; ++ allow $1 virt_domain:process signal_perms; ++ ps_process_pattern($1, virt_system_domain) ++ ps_process_pattern($1, virt_domain) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 virt_system_domain:process ptrace; ++ allow $1 virt_domain:process ptrace; ++ ') + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + +- fs_search_tmpfs($1) +- admin_pattern($1, virt_tmpfs_type) +- +- files_search_tmp($1) +- admin_pattern($1, { virt_tmp_type virt_tmp_t }) +- +- files_search_etc($1) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t }) +- +- logging_search_logs($1) +- admin_pattern($1, virt_log_t) ++ allow $1 virt_domain:process signal_perms; + +- files_search_pids($1) +- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t 
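Review bot: `virt_sandbox_domain` is declared with `template(` but only does `typeattribute $1 svirt_sandbox_domain;` — it creates no types, so by the refpolicy template/interface split it should be an `interface(` like the rest of this file, while `virt_sandbox_domain_template` next to it, which does create `$1_t`, is correctly a template. `virt_rw_svirt_dev` applies `rw_file_perms` to a `chr_file`; `virt_dontaudit_read_chr_dev` in the same hunk uses the class-matched `read_chr_file_perms`, so `allow $1 svirt_image_t:chr_file rw_chr_file_perms;` keeps the two consistent. `virt_transition_svirt_sandbox` grants `process transition` into, and binds `$2` to, every `svirt_sandbox_domain` with no entry point, mirroring `virt_transition_svirt` earlier in the file; that means any type later tagged via `virt_sandbox_domain` becomes reachable by every existing caller, which deserves a one-line comment above the `allow`.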
svirt_var_run_t }) +- +- files_search_var($1) +- admin_pattern($1, svirt_cache_t) +- +- files_search_var_lib($1) +- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) ++ admin_pattern($1, virt_file_type) ++ admin_pattern($1, svirt_file_type) + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++ virt_systemctl($1) ++ allow $1 virtd_unit_file_t:service all_service_perms; + +- dev_list_all_dev_nodes($1) +- allow $1 virt_ptynode:chr_file rw_term_perms; ++ virt_stream_connect_sandbox($1) ++ virt_stream_connect_svirt($1) ++ virt_stream_connect($1) + ') +diff --git a/virt.te b/virt.te +index 1f22fba..15485c6 100644 +--- a/virt.te ++++ b/virt.te +@@ -1,147 +1,173 @@ +-policy_module(virt, 1.6.10) ++policy_module(virt, 1.5.0) + + ######################################## + # + # Declarations + # + ++gen_require(` ++ class passwd rootok; ++ class passwd passwd; ++ ') ++ ++attribute virsh_transition_domain; ++attribute virt_ptynode; ++attribute virt_system_domain; ++attribute virt_domain; ++attribute virt_image_type; ++attribute virt_tmpfs_type; ++attribute svirt_file_type; ++attribute virt_file_type; ++attribute sandbox_net_domain; ++ ++type svirt_tmp_t, svirt_file_type; ++files_tmp_file(svirt_tmp_t) ++ ++type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; ++files_tmpfs_file(svirt_tmpfs_t) ++ ++type svirt_image_t, virt_image_type, svirt_file_type; ++files_type(svirt_image_t) ++dev_node(svirt_image_t) ++dev_associate_sysfs(svirt_image_t) ++ + ## +-##
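Review bot: `allow $1 virtd_unit_file_t:service all_service_perms;` in `virt_admin` uses `virtd_unit_file_t`, which is missing from the interface's `gen_require` (it lists `virt_domain`, `virt_system_domain`, `svirt_file_type`, `virt_file_type` and `virtd_initrc_exec_t`); it presumably builds only because the preceding `virt_systemctl($1)` expands its own require for that type, so reordering or dropping that call would break every caller. Add `type virtd_unit_file_t;` to the `gen_require` block. `allow $1 virt_domain:process signal_perms;` is also emitted twice in the new body, once beside the `ps_process_pattern` calls and again after `allow $2 system_r;`, and the second copy can go. `virt_stream_connect_svirt($1)` is not defined in any hunk visible on this page; if it lives elsewhere in the patch that is fine, otherwise it is an undefined macro.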

    +-## Determine whether confined virtual guests +-## can use serial/parallel communication ports. +-##

    ++##

    ++## Allow confined virtual guests to use serial/parallel communication ports ++##

    + ##
    + gen_tunable(virt_use_comm, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can use executable memory and can make +-## their stack executable. +-##

    ++##

    ++## Allow virtual processes to run as userdomains ++##

    ++##
    ++gen_tunable(virt_transition_userdomain, false) ++ ++## ++##

    ++## Allow confined virtual guests to use executable memory and executable stack ++##

    + ##
    + gen_tunable(virt_use_execmem, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can use fuse file systems. +-##

    ++##

    ++## Allow confined virtual guests to read fuse files ++##

    + ##
    + gen_tunable(virt_use_fusefs, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can use nfs file systems. +-##

    ++##

    ++## Allow confined virtual guests to manage nfs files ++##

    + ##
    + gen_tunable(virt_use_nfs, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can use cifs file systems. +-##

    ++##

    ++## Allow confined virtual guests to manage cifs files ++##

    + ##
    + gen_tunable(virt_use_samba, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can manage device configuration. +-##

    ++##

    ++## Allow confined virtual guests to interact with the sanlock ++##

    + ##
    +-gen_tunable(virt_use_sysfs, false) ++gen_tunable(virt_use_sanlock, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can use usb devices. +-##

    ++##

    ++## Allow confined virtual guests to interact with rawip sockets ++##

    + ##
    +-gen_tunable(virt_use_usb, false) ++gen_tunable(virt_use_rawip, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can interact with xserver. +-##

    ++##

    ++## Allow confined virtual guests to interact with the xserver ++##

    + ##
    + gen_tunable(virt_use_xserver, false) + +-attribute virt_ptynode; +-attribute virt_domain; +-attribute virt_image_type; +-attribute virt_tmp_type; +-attribute virt_tmpfs_type; +- +-attribute svirt_lxc_domain; +- +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; ++## ++##

    ++## Allow confined virtual guests to use usb devices ++##

    ++##
    ++gen_tunable(virt_use_usb, true) + +-attribute_role virt_bridgehelper_roles; +-roleattribute system_r virt_bridgehelper_roles; ++virt_domain_template(svirt) ++role system_r types svirt_t; ++typealias svirt_t alias qemu_t; + +-attribute_role svirt_lxc_domain_roles; +-roleattribute system_r svirt_lxc_domain_roles; ++virt_domain_template(svirt_tcg) ++role system_r types svirt_tcg_t; + +-virt_domain_template(svirt) +-virt_domain_template(svirt_prot_exec) ++type qemu_exec_t, virt_file_type; + +-type virt_cache_t alias svirt_cache_t; ++type virt_cache_t alias svirt_cache_t, virt_file_type; + files_type(virt_cache_t) + +-type virt_etc_t; ++type virt_etc_t, virt_file_type; + files_config_file(virt_etc_t) + +-type virt_etc_rw_t; ++type virt_etc_rw_t, virt_file_type; + files_type(virt_etc_rw_t) + +-type virt_home_t; ++type virt_home_t, virt_file_type; + userdom_user_home_content(virt_home_t) + +-type svirt_home_t; ++type svirt_home_t, svirt_file_type; + userdom_user_home_content(svirt_home_t) + +-type svirt_var_run_t; +-files_pid_file(svirt_var_run_t) +-mls_trusted_object(svirt_var_run_t) +- +-type virt_image_t; # customizable ++# virt Image files ++type virt_image_t, virt_file_type; # customizable + virt_image(virt_image_t) + files_mountpoint(virt_image_t) + +-type virt_content_t; # customizable ++# virt Image files ++type virt_content_t, virt_file_type; # customizable + virt_image(virt_content_t) + userdom_user_home_content(virt_content_t) + +-type virt_lock_t; +-files_lock_file(virt_lock_t) ++type virt_tmp_t, virt_file_type; ++files_tmp_file(virt_tmp_t) + +-type virt_log_t; ++type virt_log_t, virt_file_type; + logging_log_file(virt_log_t) + mls_trusted_object(virt_log_t) + +-type virt_tmp_t; +-files_tmp_file(virt_tmp_t) ++type virt_lock_t, virt_file_type; ++files_lock_file(virt_lock_t) + +-type virt_var_run_t; ++type virt_var_run_t, virt_file_type; + files_pid_file(virt_var_run_t) + +-type virt_var_lib_t; ++type virt_var_lib_t, virt_file_type; + 
files_mountpoint(virt_var_lib_t) + +-type virtd_t; +-type virtd_exec_t; ++type virtd_t, virt_system_domain; ++type virtd_exec_t, virt_file_type; + init_daemon_domain(virtd_t, virtd_exec_t) + domain_obj_id_change_exemption(virtd_t) + domain_subj_id_change_exemption(virtd_t) + +-type virtd_initrc_exec_t; ++type virtd_unit_file_t, virt_file_type; ++systemd_unit_file(virtd_unit_file_t) ++ ++type virtd_initrc_exec_t, virt_file_type; + init_script_file(virtd_initrc_exec_t) + ++type qemu_var_run_t, virt_file_type; ++typealias qemu_var_run_t alias svirt_var_run_t; ++files_pid_file(qemu_var_run_t) ++mls_trusted_object(qemu_var_run_t) ++ + ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + ') +@@ -150,295 +176,142 @@ ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + ') + +-type virt_qmf_t; +-type virt_qmf_exec_t; ++type virt_qmf_t, virt_system_domain; ++type virt_qmf_exec_t, virt_file_type; + init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) + +-type virt_bridgehelper_t; +-type virt_bridgehelper_exec_t; ++type virt_bridgehelper_t, virt_system_domain; + domain_type(virt_bridgehelper_t) ++ ++type virt_bridgehelper_exec_t, virt_file_type; + domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) +-role virt_bridgehelper_roles types virt_bridgehelper_t; ++role system_r types virt_bridgehelper_t; + +-type virtd_lxc_t; +-type virtd_lxc_exec_t; +-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) ++# policy for qemu_ga ++type virt_qemu_ga_t, virt_system_domain; ++type virt_qemu_ga_exec_t, virt_file_type; ++init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +-type virtd_lxc_var_run_t; +-files_pid_file(virtd_lxc_var_run_t) ++type virt_qemu_ga_var_run_t, virt_file_type; ++files_pid_file(virt_qemu_ga_var_run_t) + +-type svirt_lxc_file_t; +-files_mountpoint(svirt_lxc_file_t) +-fs_noxattr_type(svirt_lxc_file_t) +-term_pty(svirt_lxc_file_t) ++type virt_qemu_ga_log_t, virt_file_type; 
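Review bot: `gen_tunable(virt_use_usb, true)` flips the boolean's default from `false` on the removed line to `true`, so whatever rules are gated on it (the old-side `tunable_policy(`virt_use_usb'...)` block in the next hunk granted `dev_rw_usbfs`, `dev_read_sysfs` and DOS-filesystem access to every `virt_domain`) now apply to confined guests out of the box; a default widening of that kind belongs in the patch description and in a comment next to the tunable, e.g. `# default on: <reason>`. `policy_module(virt, 1.6.10)` becoming `policy_module(virt, 1.5.0)` moves the module version backwards; if this is a fork baseline rather than a slip, a comment saying so saves the next reader the comparison. The boolean descriptions are also reworded from the "Determine whether ... can ..." form used on the removed lines to "Allow ...", which is a cosmetic divergence from the wording the old side kept. The top-level `gen_require(` for `class passwd rootok; class passwd passwd;` is not used by any rule visible in this file's hunks, so it may be dead unless a later section needs it.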
++logging_log_file(virt_qemu_ga_log_t) + +-virt_lxc_domain_template(svirt_lxc_net) ++type virt_qemu_ga_tmp_t, virt_file_type; ++files_tmp_file(virt_qemu_ga_tmp_t) + +-type virsh_t; +-type virsh_exec_t; +-init_system_domain(virsh_t, virsh_exec_t) ++type virt_qemu_ga_data_t, virt_file_type; ++files_type(virt_qemu_ga_data_t) ++ ++type virt_qemu_ga_unconfined_exec_t, virt_file_type; ++application_executable_file(virt_qemu_ga_unconfined_exec_t) + + ######################################## + # +-# Common virt domain local policy ++# Declarations + # ++attribute svirt_sandbox_domain; + +-allow virt_domain self:process { signal getsched signull }; +-allow virt_domain self:fifo_file rw_fifo_file_perms; +-allow virt_domain self:netlink_route_socket r_netlink_socket_perms; +-allow virt_domain self:shm create_shm_perms; +-allow virt_domain self:tcp_socket create_stream_socket_perms; +-allow virt_domain self:unix_stream_socket { accept listen }; +-allow virt_domain self:unix_dgram_socket sendto; +- +-allow virt_domain virtd_t:fd use; +-allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; +-allow virt_domain virtd_t:process sigchld; +- +-dontaudit virt_domain virtd_t:unix_stream_socket { read write }; +- +-manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +-manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +-files_var_filetrans(virt_domain, virt_cache_t, { file dir }) +- +-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file }) +- +-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t) +- +-dontaudit virt_domain virt_tmpfs_type:file { read write }; +- +-append_files_pattern(virt_domain, virt_log_t, virt_log_t) +- 
+-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) +- +-kernel_read_system_state(virt_domain) +- +-fs_getattr_xattr_fs(virt_domain) +- +-corecmd_exec_bin(virt_domain) +-corecmd_exec_shell(virt_domain) +- +-corenet_all_recvfrom_unlabeled(virt_domain) +-corenet_all_recvfrom_netlabel(virt_domain) +-corenet_tcp_sendrecv_generic_if(virt_domain) +-corenet_tcp_sendrecv_generic_node(virt_domain) +-corenet_tcp_bind_generic_node(virt_domain) +- +-corenet_sendrecv_vnc_server_packets(virt_domain) +-corenet_tcp_bind_vnc_port(virt_domain) +-corenet_tcp_sendrecv_vnc_port(virt_domain) +- +-corenet_sendrecv_virt_migration_server_packets(virt_domain) +-corenet_tcp_bind_virt_migration_port(virt_domain) +-corenet_sendrecv_virt_migration_client_packets(virt_domain) +-corenet_tcp_connect_virt_migration_port(virt_domain) +-corenet_tcp_sendrecv_virt_migration_port(virt_domain) +- +-corenet_rw_tun_tap_dev(virt_domain) +- +-dev_getattr_fs(virt_domain) +-dev_list_sysfs(virt_domain) +-dev_read_generic_symlinks(virt_domain) +-dev_read_rand(virt_domain) +-dev_read_sound(virt_domain) +-dev_read_urand(virt_domain) +-dev_write_sound(virt_domain) +-dev_rw_ksm(virt_domain) +-dev_rw_kvm(virt_domain) +-dev_rw_qemu(virt_domain) +-dev_rw_vhost(virt_domain) +- +-domain_use_interactive_fds(virt_domain) +- +-files_read_etc_files(virt_domain) +-files_read_mnt_symlinks(virt_domain) +-files_read_usr_files(virt_domain) +-files_read_var_files(virt_domain) +-files_search_all(virt_domain) +- +-fs_getattr_all_fs(virt_domain) +-fs_rw_anon_inodefs_files(virt_domain) +-fs_rw_tmpfs_files(virt_domain) +-fs_getattr_hugetlbfs(virt_domain) +- +-# fs_rw_inherited_nfs_files(virt_domain) +-# fs_rw_inherited_cifs_files(virt_domain) +-# fs_rw_inherited_noxattr_fs_files(virt_domain) +- +-storage_raw_write_removable_device(virt_domain) +-storage_raw_read_removable_device(virt_domain) +- +-term_use_all_terms(virt_domain) +-term_getattr_pty_fs(virt_domain) +-term_use_generic_ptys(virt_domain) 
+-term_use_ptmx(virt_domain) +- +-logging_send_syslog_msg(virt_domain) +- +-miscfiles_read_localization(virt_domain) +-miscfiles_read_public_files(virt_domain) +- +-sysnet_read_config(virt_domain) +- +-userdom_search_user_home_dirs(virt_domain) +-userdom_read_all_users_state(virt_domain) +- +-virt_run_bridgehelper(virt_domain, virt_domain_roles) +-virt_read_config(virt_domain) +-virt_read_lib_files(virt_domain) +-virt_read_content(virt_domain) +-virt_stream_connect(virt_domain) +- +-qemu_exec(virt_domain) +- +-tunable_policy(`virt_use_execmem',` +- allow virt_domain self:process { execmem execstack }; +-') +- +-tunable_policy(`virt_use_comm',` +- term_use_unallocated_ttys(virt_domain) +- dev_rw_printer(virt_domain) +-') +- +-tunable_policy(`virt_use_fusefs',` +- fs_manage_fusefs_dirs(virt_domain) +- fs_manage_fusefs_files(virt_domain) +- fs_read_fusefs_symlinks(virt_domain) +-') +- +-tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs(virt_domain) +- fs_manage_nfs_files(virt_domain) +- fs_manage_nfs_named_sockets(virt_domain) +- fs_read_nfs_symlinks(virt_domain) +-') ++type virtd_lxc_t, virt_system_domain; ++type virtd_lxc_exec_t, virt_file_type; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + +-tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs(virt_domain) +- fs_manage_cifs_files(virt_domain) +- fs_manage_cifs_named_sockets(virt_domain) +- fs_read_cifs_symlinks(virt_domain) +-') ++type virt_lxc_var_run_t, virt_file_type; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + +-tunable_policy(`virt_use_sysfs',` +- dev_rw_sysfs(virt_domain) +-') ++# virt lxc container files ++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; ++files_mountpoint(svirt_sandbox_file_t) + +-tunable_policy(`virt_use_usb',` +- dev_rw_usbfs(virt_domain) +- dev_read_sysfs(virt_domain) +- fs_manage_dos_dirs(virt_domain) +- fs_manage_dos_files(virt_domain) +-') ++######################################## ++# ++# svirt 
local policy ++# + +-optional_policy(` +- tunable_policy(`virt_use_xserver',` +- xserver_read_xdm_pid(virt_domain) +- xserver_stream_connect(virt_domain) +- ') +-') ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + +-optional_policy(` +- dbus_read_lib_files(virt_domain) +-') ++corenet_udp_sendrecv_generic_if(svirt_t) ++corenet_udp_sendrecv_generic_node(svirt_t) ++corenet_udp_sendrecv_all_ports(svirt_t) ++corenet_udp_bind_generic_node(svirt_t) ++corenet_udp_bind_all_ports(svirt_t) ++corenet_tcp_bind_all_ports(svirt_t) ++corenet_tcp_connect_all_ports(svirt_t) + +-optional_policy(` +- nscd_use(virt_domain) +-') ++miscfiles_read_generic_certs(svirt_t) + + optional_policy(` +- samba_domtrans_smbd(virt_domain) ++ nscd_dontaudit_write_sock_file(svirt_t) + ') + + optional_policy(` +- xen_rw_image_files(virt_domain) ++ sssd_dontaudit_stream_connect(svirt_t) ++ sssd_dontaudit_read_lib(svirt_t) ++ sssd_dontaudit_read_public_files(svirt_t) + ') + +-######################################## ++####################################### + # +-# svirt local policy ++# svirt_prot_exec local policy + # + +-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +-read_files_pattern(svirt_t, virt_content_t, virt_content_t) +- +-dontaudit svirt_t virt_content_t:file write_file_perms; +-dontaudit svirt_t virt_content_t:dir rw_dir_perms; +- +-append_files_pattern(svirt_t, virt_home_t, virt_home_t) +-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) +-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +- +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- +-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +- +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) +- 
+-corenet_all_recvfrom_unlabeled(svirt_t) +-corenet_all_recvfrom_netlabel(svirt_t) +-corenet_tcp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_tcp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_tcp_sendrecv_all_ports(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_tcp_bind_generic_node(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) +- +-corenet_sendrecv_all_server_packets(svirt_t) +-corenet_udp_bind_all_ports(svirt_t) +-corenet_tcp_bind_all_ports(svirt_t) ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +-corenet_sendrecv_all_client_packets(svirt_t) +-corenet_tcp_connect_all_ports(svirt_t) ++corenet_udp_sendrecv_generic_if(svirt_tcg_t) ++corenet_udp_sendrecv_generic_node(svirt_tcg_t) ++corenet_udp_sendrecv_all_ports(svirt_tcg_t) ++corenet_udp_bind_generic_node(svirt_tcg_t) ++corenet_udp_bind_all_ports(svirt_tcg_t) ++corenet_tcp_bind_all_ports(svirt_tcg_t) ++corenet_tcp_connect_all_ports(svirt_tcg_t) + + ######################################## + # + # virtd local policy + # + +-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; ++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; ++allow virtd_t self:capability2 compromise_kernel; + allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit virtd_t self:capability { sys_module }; ++') ++ + allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +-allow virtd_t self:unix_stream_socket { accept connectto listen }; +-allow virtd_t self:tcp_socket { accept listen }; ++allow virtd_t 
self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; ++allow virtd_t self:tcp_socket create_stream_socket_perms; + allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; + allow virtd_t self:rawip_socket create_socket_perms; + allow virtd_t self:packet_socket create_socket_perms; + allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +-allow virtd_t self:netlink_route_socket nlmsg_write; +- +-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +-dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; +- +-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; +-allow virtd_t svirt_lxc_domain:process signal_perms; +- +-allow virtd_t virtd_lxc_t:process { signal signull sigkill }; +- +-domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) ++allow virtd_t self:netlink_route_socket create_netlink_socket_perms; + + manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) + manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) + + manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) + manage_files_pattern(virtd_t, virt_content_t, virt_content_t) +-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") + +-allow virtd_t svirt_var_run_t:file relabel_file_perms; +-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") ++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; ++allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill }; ++allow virt_domain virtd_t:fd use; ++dontaudit virt_domain virtd_t:unix_stream_socket { read write }; ++allow virtd_t 
virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++can_exec(virtd_t, qemu_exec_t) ++can_exec(virt_domain, qemu_exec_t) ++ ++allow virtd_t qemu_var_run_t:file relabel_file_perms; ++manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) ++manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) ++manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) ++stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) ++filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") + + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +@@ -448,42 +321,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +-manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +-manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +-manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +-manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +- +-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt") +-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst") +-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines") +- + manage_files_pattern(virtd_t, virt_image_type, virt_image_type) + manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) + manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) + manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +- ++allow virtd_t virt_image_type:dir setattr; + allow virtd_t virt_image_type:file relabel_file_perms; + allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; + allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +- ++allow virtd_t virt_image_type:unix_stream_socket 
relabel_file_perms; + allow virtd_t virt_ptynode:chr_file rw_term_perms; + + manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) + manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) + files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) ++can_exec(virtd_t, virt_tmp_t) + +-# This needs a file context specification + manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) + manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) + manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) + files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +-append_files_pattern(virtd_t, virt_log_t, virt_log_t) +-create_files_pattern(virtd_t, virt_log_t, virt_log_t) +-read_files_pattern(virtd_t, virt_log_t, virt_log_t) +-setattr_files_pattern(virtd_t, virt_log_t, virt_log_t) ++manage_files_pattern(virtd_t, virt_log_t, virt_log_t) + logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + + manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +@@ -496,16 +356,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) + manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) + files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) + +-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) ++manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) ++manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) ++filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") ++allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; ++stream_connect_pattern(virtd_t, 
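Review bot: Swapping the append/create/read/setattr rules on virt_log_t for `manage_files_pattern(virtd_t, virt_log_t, virt_log_t)` hands virtd write, unlink and rename on its own log files, so a daemon compromised through its network interface can truncate or delete the record of that compromise; the previous append-only shape is the one a log directory should keep. If some libvirtd operation genuinely needs more than append, the line deserves a comment naming that operation rather than a silent widening. Separately, `allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;` applies a file-permission macro to a socket object class; it compiles because getattr/relabelfrom/relabelto exist on socket classes too, but if the denial that motivated it concerned a socket node in an image directory the class should be `sock_file` — worth confirming against the original AVC.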
virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+
+-kernel_read_crypto_sysctls(virtd_t)
+ kernel_read_system_state(virtd_t)
+ kernel_read_network_state(virtd_t)
+ kernel_rw_net_sysctls(virtd_t)
+@@ -513,6 +369,7 @@ kernel_read_kernel_sysctls(virtd_t)
+ kernel_request_load_module(virtd_t)
+ kernel_search_debugfs(virtd_t)
+ kernel_setsched(virtd_t)
++kernel_write_proc_files(virtd_t)
+
+ corecmd_exec_bin(virtd_t)
+ corecmd_exec_shell(virtd_t)
+@@ -520,24 +377,16 @@ corecmd_exec_shell(virtd_t)
+ corenet_all_recvfrom_netlabel(virtd_t)
+ corenet_tcp_sendrecv_generic_if(virtd_t)
+ corenet_tcp_sendrecv_generic_node(virtd_t)
++corenet_tcp_sendrecv_all_ports(virtd_t)
+ corenet_tcp_bind_generic_node(virtd_t)
+-
+-corenet_sendrecv_virt_server_packets(virtd_t)
+ corenet_tcp_bind_virt_port(virtd_t)
+-corenet_tcp_sendrecv_virt_port(virtd_t)
+-
+-corenet_sendrecv_vnc_server_packets(virtd_t)
+ corenet_tcp_bind_vnc_port(virtd_t)
+-corenet_sendrecv_vnc_client_packets(virtd_t)
+ corenet_tcp_connect_vnc_port(virtd_t)
+-corenet_tcp_sendrecv_vnc_port(virtd_t)
+-
+-corenet_sendrecv_soundd_client_packets(virtd_t)
+ corenet_tcp_connect_soundd_port(virtd_t)
+-corenet_tcp_sendrecv_soundd_port(virtd_t)
+-
+ corenet_rw_tun_tap_dev(virtd_t)
++corenet_relabel_tun_tap_dev(virtd_t)
+
++dev_rw_vfio_dev(virtd_t)
+ dev_rw_sysfs(virtd_t)
+ dev_read_urand(virtd_t)
+ dev_read_rand(virtd_t)
+@@ -548,22 +397,27 @@ dev_rw_vhost(virtd_t)
+ dev_setattr_generic_usb_dev(virtd_t)
+ dev_relabel_generic_usb_dev(virtd_t)
+
++# Init script handling
+ domain_use_interactive_fds(virtd_t)
+ domain_read_all_domains_state(virtd_t)
++domain_signull_all_domains(virtd_t)
+
+-files_read_usr_files(virtd_t)
+ files_read_etc_runtime_files(virtd_t)
+ files_search_all(virtd_t)
+ files_read_kernel_modules(virtd_t)
+ files_read_usr_src_files(virtd_t)
++files_relabelto_system_conf_files(virtd_t)
++files_relabelfrom_system_conf_files(virtd_t)
++files_relabelfrom_boot_files(virtd_t)
++files_relabelto_boot_files(virtd_t)
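Review bot: `kernel_write_proc_files(virtd_t)` is added with no indication of which proc_t file virtd needs to write, and the interface covers every generic /proc file rather than one path. A one-line comment above it naming the file (and, if known, the libvirt feature that writes it) would let the next maintainer judge whether a narrower interface exists; without that, the rule reads as an AVC-silencing catch-all.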
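Review bot: `corenet_tcp_sendrecv_all_ports(virtd_t)` replaces the three scoped `corenet_tcp_sendrecv_{virt,vnc,soundd}_port` rules, so virtd may now send and receive on any labelled TCP port while its bind/connect rules in the same hunk stay limited to the virt, vnc and soundd ports. Whether the port-level send/recv checks are actually enforced depends on the kernel's network labelling configuration, but the policy still documents intent, and the widening has no comment explaining which extra port is needed. Either keep the three explicit sendrecv lines or add a comment such as `# migration/NBD peers use arbitrary ports` above the all-ports rule if that is the reason.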
++files_manage_boot_files(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+-# files_relabelto_system_conf_files(virtd_t)
+-# files_relabelfrom_system_conf_files(virtd_t)
+-# files_manage_system_conf_files(virtd_t)
++files_manage_system_conf_files(virtd_t)
+
++fs_read_tmpfs_symlinks(virtd_t)
+ fs_list_auto_mountpoints(virtd_t)
+-fs_getattr_all_fs(virtd_t)
++fs_getattr_xattr_fs(virtd_t)
+ fs_rw_anon_inodefs_files(virtd_t)
+ fs_list_inotifyfs(virtd_t)
+ fs_manage_cgroup_dirs(virtd_t)
+@@ -594,15 +448,18 @@ term_use_ptmx(virtd_t)
+
+ auth_use_nsswitch(virtd_t)
+
+-miscfiles_read_localization(virtd_t)
++init_dbus_chat(virtd_t)
++
+ miscfiles_read_generic_certs(virtd_t)
+ miscfiles_read_hwdata(virtd_t)
+
+ modutils_read_module_deps(virtd_t)
++modutils_read_module_config(virtd_t)
+ modutils_manage_module_config(virtd_t)
+
+ logging_send_syslog_msg(virtd_t)
+ logging_send_audit_msgs(virtd_t)
++logging_stream_connect_syslog(virtd_t)
+
+ selinux_validate_context(virtd_t)
+
+@@ -613,18 +470,26 @@ seutil_read_file_contexts(virtd_t)
+ sysnet_signull_ifconfig(virtd_t)
+ sysnet_signal_ifconfig(virtd_t)
+ sysnet_domtrans_ifconfig(virtd_t)
++sysnet_read_config(virtd_t)
+
+-userdom_read_all_users_state(virtd_t)
+-
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
+
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
++userdom_list_admin_dir(virtd_t)
++userdom_getattr_all_users(virtd_t)
++userdom_list_user_home_content(virtd_t)
++userdom_read_all_users_state(virtd_t)
++userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_tmp_files(virtd_t)
++userdom_setattr_user_tmp_files(virtd_t)
++userdom_relabel_user_home_files(virtd_t)
++userdom_setattr_user_home_content_files(virtd_t)
++manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
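Review bot: `files_manage_boot_files(virtd_t)` together with the new `files_relabelfrom_boot_files`/`files_relabelto_boot_files` lines lets a network-facing daemon create, modify, delete and relabel anything labelled boot_t — kernel images, initramfs and bootloader configuration — which turns any virtd compromise into a persistence path through the host's boot chain. If the requirement is only to read guest kernel/initrd images that users keep under /boot, a read-only interface (`files_read_boot_files(virtd_t)`, if this tree provides it) covers that; if writes really are required, the rule needs a comment saying what virtd writes there and ideally a tunable so hosts that do not need it can keep it off. The hunk also re-enables `files_manage_system_conf_files(virtd_t)` under the existing `# Manages /etc/sysconfig/system-config-firewall` comment, which at least documents its purpose — the boot rules deserve the same.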
++manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
++#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
++virt_filetrans_home_content(virtd_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+@@ -633,7 +498,7 @@ tunable_policy(`virt_use_nfs',`
+ ')
+
+ tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files(virtd_t)
++ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+ ')
+@@ -658,20 +523,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- firewalld_dbus_chat(virtd_t)
+- ')
+-
+- optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(virtd_t)
+ ')
+-
+- optional_policy(`
+- policykit_dbus_chat(virtd_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -684,14 +541,20 @@ optional_policy(`
+ dnsmasq_kill(virtd_t)
+ dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
+- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
++ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
+ dnsmasq_manage_pid_files(virtd_t)
+ ')
+
+ optional_policy(`
++ firewalld_dbus_chat(virtd_t)
++')
++
++optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
++
++ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+ ')
+
+@@ -704,11 +567,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Run mount in the mount_t domain.
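Review bot: `userdom_read_user_home_content_files(virtd_t)` and `userdom_relabel_user_home_files(virtd_t)` let virtd read and relabel every user's home files, not just the virt_home_t content the surrounding `manage_*_pattern` lines scope it to, and nothing in the hunk says why the wider reach is needed — presumably to relabel user-supplied disk images stored at arbitrary paths under $HOME, which a comment such as `# relabel user-provided images anywhere under $HOME to svirt_image_t` should state. The commented-out `#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` directly above its replacement `virt_filetrans_home_content(virtd_t)` is dead policy and should be removed rather than left as a hint. The hunk's enclosing section continues past the hunk boundary.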
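Review bot: The `virt_use_samba` block now grants `fs_manage_nfs_files(virtd_t)`, so turning on the Samba boolean silently gives virtd write access to NFS files, while the `virt_use_nfs` block just above already carries its own `fs_manage_nfs_*` rules. The old line it replaces was a duplicate `fs_manage_cifs_files`, and the only CIFS permission the block lacks compared with its NFS counterpart (which has `fs_manage_nfs_dirs`) is the directory one, so the intended line is almost certainly `fs_manage_cifs_dirs(virtd_t)`.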
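Review bot: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);` ends with a semicolon, which no other interface call in this file carries; an interface expands to complete statements, so the trailing `;` is either a bare empty statement the policy compiler rejects or, at best, noise — drop it: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t)`. It also replaces two explicit named transitions (`network` dir, `dnsmasq.pid` file) with one interface whose coverage is not visible here, so a short comment listing the names it is expected to handle would help anyone debugging a mislabelled pid file later.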
+ mount_domtrans(virtd_t) + mount_signal(virtd_t) + ') + + optional_policy(` ++ policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +@@ -719,10 +584,18 @@ optional_policy(` + ') + + optional_policy(` ++ sanlock_stream_connect(virtd_t) ++') ++ ++optional_policy(` + sasl_connect(virtd_t) + ') + + optional_policy(` ++ setrans_manage_pid_files(virtd_t) ++') ++ ++optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + +@@ -737,44 +610,264 @@ optional_policy(` + udev_read_db(virtd_t) + ') + ++optional_policy(` ++ unconfined_domain(virtd_t) ++') ++ + ######################################## + # +-# Virsh local policy ++# virtual domains common policy + # ++allow virt_domain self:capability2 compromise_kernel; ++allow virt_domain self:process { setrlimit signal_perms getsched setsched }; ++allow virt_domain self:fifo_file rw_fifo_file_perms; ++allow virt_domain self:shm create_shm_perms; ++allow virt_domain self:unix_stream_socket create_stream_socket_perms; ++allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; ++allow virt_domain self:tcp_socket create_stream_socket_perms; ++allow virt_domain self:udp_socket create_socket_perms; ++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow virsh_t self:process { getcap getsched setsched setcap signal }; +-allow virsh_t self:fifo_file rw_fifo_file_perms; +-allow virsh_t self:unix_stream_socket { accept connectto listen }; +-allow virsh_t self:tcp_socket { accept listen }; +- +-manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +- +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, 
svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) ++read_files_pattern(virt_domain, virt_content_t, virt_content_t) ++dontaudit virt_domain virt_content_t:file write_file_perms; ++dontaudit virt_domain virt_content_t:dir write; + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") ++kernel_read_net_sysctls(virt_domain) + +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; ++userdom_search_user_home_content(virt_domain) ++userdom_read_user_home_content_symlinks(virt_domain) ++userdom_read_all_users_state(virt_domain) ++append_files_pattern(virt_domain, virt_home_t, virt_home_t) ++manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) ++manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) ++manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) ++filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) ++stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) + +-allow virsh_t svirt_lxc_domain:process transition; ++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) ++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) ++files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +-can_exec(virsh_t, virsh_exec_t) ++read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) ++ ++manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) ++manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++manage_sock_files_pattern(virt_domain, svirt_image_t, 
svirt_image_t) ++manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) ++ ++manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) ++manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) ++manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) ++files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file }) ++userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) ++manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) ++manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) ++fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) ++stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) ++ ++dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; ++ ++dontaudit virt_domain virt_tmpfs_type:file { read write }; ++ ++append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++ ++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) ++ ++corecmd_exec_bin(virt_domain) ++corecmd_exec_shell(virt_domain) ++ ++corenet_tcp_sendrecv_generic_if(virt_domain) ++corenet_tcp_sendrecv_generic_node(virt_domain) ++corenet_tcp_sendrecv_all_ports(virt_domain) ++corenet_tcp_bind_generic_node(virt_domain) ++corenet_tcp_bind_vnc_port(virt_domain) 
++corenet_tcp_bind_virt_migration_port(virt_domain) ++corenet_tcp_connect_virt_migration_port(virt_domain) ++corenet_rw_inherited_tun_tap_dev(virt_domain) + ++dev_list_sysfs(virt_domain) ++dev_getattr_fs(virt_domain) ++dev_dontaudit_getattr_all(virt_domain) ++dev_read_generic_symlinks(virt_domain) ++dev_read_rand(virt_domain) ++dev_read_sound(virt_domain) ++dev_read_urand(virt_domain) ++dev_write_sound(virt_domain) ++dev_rw_ksm(virt_domain) ++dev_rw_vfio_dev(virt_domain) ++dev_rw_kvm(virt_domain) ++dev_rw_qemu(virt_domain) ++dev_rw_inherited_vhost(virt_domain) ++ ++domain_use_interactive_fds(virt_domain) ++ ++files_read_mnt_symlinks(virt_domain) ++files_read_var_files(virt_domain) ++files_search_all(virt_domain) ++ ++fs_getattr_xattr_fs(virt_domain) ++fs_getattr_tmpfs(virt_domain) ++fs_rw_anon_inodefs_files(virt_domain) ++fs_rw_inherited_tmpfs_files(virt_domain) ++fs_getattr_hugetlbfs(virt_domain) ++fs_rw_inherited_nfs_files(virt_domain) ++fs_rw_inherited_cifs_files(virt_domain) ++fs_rw_inherited_noxattr_fs_files(virt_domain) ++ ++# I think we need these for now. 
++miscfiles_read_public_files(virt_domain) ++storage_raw_read_removable_device(virt_domain) ++ ++sysnet_read_config(virt_domain) ++ ++term_use_all_inherited_terms(virt_domain) ++term_getattr_pty_fs(virt_domain) ++term_use_generic_ptys(virt_domain) ++term_use_ptmx(virt_domain) ++ ++tunable_policy(`virt_use_execmem',` ++ allow virt_domain self:process { execmem execstack }; ++') ++ ++optional_policy(` ++ alsa_read_rw_config(virt_domain) ++') ++ ++optional_policy(` ++ ptchown_domtrans(virt_domain) ++') ++ ++optional_policy(` ++ pulseaudio_dontaudit_exec(virt_domain) ++') ++ ++optional_policy(` ++ virt_read_config(virt_domain) ++ virt_read_lib_files(virt_domain) ++ virt_read_content(virt_domain) ++ virt_stream_connect(virt_domain) ++ virt_read_pid_symlinks(virt_domain) ++ virt_domtrans_bridgehelper(virt_domain) ++') ++ ++optional_policy(` ++ xserver_rw_shm(virt_domain) ++') ++ ++tunable_policy(`virt_use_comm',` ++ term_use_unallocated_ttys(virt_domain) ++ dev_rw_printer(virt_domain) ++') ++ ++tunable_policy(`virt_use_fusefs',` ++ fs_manage_fusefs_dirs(virt_domain) ++ fs_manage_fusefs_files(virt_domain) ++ fs_read_fusefs_symlinks(virt_domain) ++ fs_getattr_fusefs(virt_domain) ++') ++ ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(virt_domain) ++ fs_manage_nfs_files(virt_domain) ++ fs_manage_nfs_named_sockets(virt_domain) ++ fs_read_nfs_symlinks(virt_domain) ++ fs_getattr_nfs(virt_domain) ++') ++ ++tunable_policy(`virt_use_samba',` ++ fs_manage_cifs_dirs(virt_domain) ++ fs_manage_cifs_files(virt_domain) ++ fs_manage_cifs_named_sockets(virt_domain) ++ fs_read_cifs_symlinks(virt_domain) ++ fs_getattr_cifs(virt_domain) ++') ++ ++tunable_policy(`virt_use_usb',` ++ dev_rw_usbfs(virt_domain) ++ dev_read_sysfs(virt_domain) ++ fs_getattr_dos_fs(virt_domain) ++ fs_manage_dos_dirs(virt_domain) ++ fs_manage_dos_files(virt_domain) ++') ++ ++optional_policy(` ++ tunable_policy(`virt_use_sanlock',` ++ sanlock_stream_connect(virt_domain) ++ ') ++') ++ 
++tunable_policy(`virt_use_rawip',` ++ allow virt_domain self:rawip_socket create_socket_perms; ++') ++ ++optional_policy(` ++ tunable_policy(`virt_use_xserver',` ++ xserver_stream_connect(virt_domain) ++ ') ++') ++ ++######################################## ++# ++# xm local policy ++# ++type virsh_t, virt_system_domain; ++type virsh_exec_t, virt_file_type; ++init_system_domain(virsh_t, virsh_exec_t) ++typealias virsh_t alias xm_t; ++typealias virsh_exec_t alias xm_exec_t; ++ ++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; ++allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; ++allow virsh_t self:fifo_file rw_fifo_file_perms; ++allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virsh_t self:tcp_socket create_stream_socket_perms; ++ ++ps_process_pattern(virsh_t, svirt_sandbox_domain) ++ ++can_exec(virsh_t, virsh_exec_t) + virt_domtrans(virsh_t) + virt_manage_images(virsh_t) + virt_manage_config(virsh_t) + virt_stream_connect(virsh_t) + +-kernel_read_crypto_sysctls(virsh_t) ++manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) ++manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) ++manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) ++files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) ++ ++manage_files_pattern(virsh_t, virt_image_type, virt_image_type) ++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++ ++manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) 
++manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++virt_transition_svirt_sandbox(virsh_t, system_r)
++
++manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++virt_filetrans_named_content(virsh_t)
++filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++
++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
++
++kernel_write_proc_files(virsh_t)
+ kernel_read_system_state(virsh_t)
+ kernel_read_network_state(virsh_t)
+ kernel_read_kernel_sysctls(virsh_t)
+@@ -785,25 +878,18 @@ kernel_write_xen_state(virsh_t)
+ corecmd_exec_bin(virsh_t)
+ corecmd_exec_shell(virsh_t)
+
+-corenet_all_recvfrom_unlabeled(virsh_t)
+-corenet_all_recvfrom_netlabel(virsh_t)
+ corenet_tcp_sendrecv_generic_if(virsh_t)
+ corenet_tcp_sendrecv_generic_node(virsh_t)
+-corenet_tcp_bind_generic_node(virsh_t)
+-
+-corenet_sendrecv_soundd_client_packets(virsh_t)
+ corenet_tcp_connect_soundd_port(virsh_t)
+-corenet_tcp_sendrecv_soundd_port(virsh_t)
+
+ dev_read_rand(virsh_t)
+ dev_read_urand(virsh_t)
+ dev_read_sysfs(virsh_t)
+
+ files_read_etc_runtime_files(virsh_t)
+-files_read_etc_files(virsh_t)
+-files_read_usr_files(virsh_t)
+ files_list_mnt(virsh_t)
+ files_list_tmp(virsh_t)
++# Some common macros (you might be able to remove some)
+
+ fs_getattr_all_fs(virsh_t)
+ fs_manage_xenfs_dirs(virsh_t)
+@@ -812,23 +898,23 @@ fs_search_auto_mountpoints(virsh_t)
+
+ storage_raw_read_fixed_disk(virsh_t)
+
+-term_use_all_terms(virsh_t)
++term_use_all_inherited_terms(virsh_t)
++term_dontaudit_use_generic_ptys(virsh_t)
++
++userdom_search_admin_dir(virsh_t)
++userdom_read_home_certs(virsh_t)
+
+ init_stream_connect_script(virsh_t)
+ init_rw_script_stream_sockets(virsh_t)
+ init_use_fds(virsh_t)
+
+-logging_send_syslog_msg(virsh_t)
++systemd_exec_systemctl(virsh_t)
+
+-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
+
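Review bot: `allow virt_domain self:capability2 compromise_kernel;` at the top of the new "virtual domains common policy" grants the capability unconditionally to every sVirt guest domain — the qemu process that executes attacker-controlled guest code — and the same capability is handed to virtd_t earlier in this file; that capability exists precisely to gate operations that let userspace alter the running kernel, so giving it to the most exposed process in the stack undoes much of what the per-guest sVirt labels buy. The hunk already gates a comparable risk behind `tunable_policy(`virt_use_execmem',…)`, and the old virtd section used `dontaudit` under `hide_broken_symptoms` for a capability the kernel asked for spuriously; one of those two treatments fits here, with a comment naming the qemu code path that trips the check. In the same hunk, `optional_policy(` unconfined_domain(virtd_t) ')` makes every rule in the virtd section moot whenever the unconfined module is loaded, which is a deliberate policy choice that should be stated in a comment above it so nobody reads the enumerated rules as the effective confinement. The section heading `# xm local policy` over the virsh_t rules is also stale — the type is virsh_t with xm_t only an alias.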
+-sysnet_dns_name_resolve(virsh_t) ++logging_send_syslog_msg(virsh_t) + +-tunable_policy(`virt_use_fusefs',` +- fs_manage_fusefs_dirs(virsh_t) +- fs_manage_fusefs_files(virsh_t) +- fs_read_fusefs_symlinks(virsh_t) +-') ++sysnet_dns_name_resolve(virsh_t) + + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) +@@ -847,14 +933,20 @@ optional_policy(` + ') + + optional_policy(` ++ rhcs_domtrans_fenced(virsh_t) ++') ++ ++optional_policy(` + rpm_exec(virsh_t) + ') + + optional_policy(` + xen_manage_image_dirs(virsh_t) ++ xen_read_image_files(virsh_t) ++ xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) +- xen_read_xenstored_pid_files(virsh_t) ++ xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) + ') +@@ -879,49 +971,65 @@ optional_policy(` + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + ++ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) ++ ++ userdom_search_admin_dir(virsh_ssh_t) + ') + + ######################################## + # +-# Lxc local policy ++# virt_lxc local policy + # ++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; ++allow virtd_lxc_t self:process { transition setpgid signal_perms }; ++allow virtd_lxc_t self:capability2 compromise_kernel; + +-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; + allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; + allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +-allow virtd_lxc_t self:netlink_route_socket nlmsg_write; +-allow virtd_lxc_t self:unix_stream_socket { accept listen }; ++allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; ++allow 
virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow virtd_lxc_t self:packet_socket create_socket_perms; ++ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) ++allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; ++files_entrypoint_all_files(virtd_lxc_t) + + allow virtd_lxc_t virt_image_type:dir mounton; + manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + ++domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) ++allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill }; ++ + allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) +- +-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; +-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; ++manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) ++manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) ++manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) ++files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) ++filetrans_pattern(virtd_lxc_t, virt_var_run_t, 
virt_lxc_var_run_t, dir, "lxc")
++
++manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom };
++files_associate_rootfs(svirt_sandbox_file_t)
++
++seutil_read_file_contexts(virtd_lxc_t)
+
+ storage_manage_fixed_disk(virtd_lxc_t)
++storage_rw_fuse(virtd_lxc_t)
+
+ kernel_read_all_sysctls(virtd_lxc_t)
+ kernel_read_network_state(virtd_lxc_t)
+ kernel_read_system_state(virtd_lxc_t)
++kernel_request_load_module(virtd_lxc_t)
+
+ corecmd_exec_bin(virtd_lxc_t)
+ corecmd_exec_shell(virtd_lxc_t)
+@@ -933,17 +1041,16 @@ dev_read_urand(virtd_lxc_t)
+
+ domain_use_interactive_fds(virtd_lxc_t)
+
+-files_associate_rootfs(svirt_lxc_file_t)
+ files_search_all(virtd_lxc_t)
+ files_getattr_all_files(virtd_lxc_t)
+-files_read_usr_files(virtd_lxc_t)
+ files_relabel_rootfs(virtd_lxc_t)
+ files_mounton_non_security(virtd_lxc_t)
+ files_mount_all_file_type_fs(virtd_lxc_t)
+ files_unmount_all_file_type_fs(virtd_lxc_t)
+ files_list_isid_type_dirs(virtd_lxc_t)
+-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
++files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set)
+
++fs_read_fusefs_files(virtd_lxc_t)
+ fs_getattr_all_fs(virtd_lxc_t)
+ fs_manage_tmpfs_dirs(virtd_lxc_t)
+ fs_manage_tmpfs_chr_files(virtd_lxc_t)
+@@ -955,8 +1062,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+ fs_unmount_all_fs(virtd_lxc_t)
+ fs_relabelfrom_tmpfs(virtd_lxc_t)
+
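Review bot: `files_entrypoint_all_files(virtd_lxc_t)` lets a file of any type serve as the entrypoint into virtd_lxc_t, which removes the normal guarantee that a domain is reachable only through its own labelled executable — and in the same hunk that domain also gains `self:capability2 compromise_kernel`, `kernel_request_load_module`, and `setuid`/`setgid`, so whatever enters it inherits a near-root position on the host. If the need is that container init binaries inside the guest rootfs carry arbitrary labels, the narrower `allow virtd_lxc_t svirt_sandbox_file_t:file entrypoint;` (the type the hunk already uses for the rootfs) would cover it and should carry a comment saying so. Minor: the added `allow virtd_lxc_t self:process { transition setpgid signal_perms };` sits directly above the retained `allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };` and the two should be merged into a single rule.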
++logging_send_audit_msgs(virtd_lxc_t) ++ + selinux_mount_fs(virtd_lxc_t) + selinux_unmount_fs(virtd_lxc_t) ++seutil_read_config(virtd_lxc_t) ++ ++term_use_generic_ptys(virtd_lxc_t) ++term_use_ptmx(virtd_lxc_t) ++term_relabel_pty_fs(virtd_lxc_t) ++ ++auth_use_nsswitch(virtd_lxc_t) ++ ++logging_send_syslog_msg(virtd_lxc_t) ++ ++seutil_domtrans_setfiles(virtd_lxc_t) ++seutil_read_default_contexts(virtd_lxc_t) ++ + selinux_get_enforce_mode(virtd_lxc_t) + selinux_get_fs_mount(virtd_lxc_t) + selinux_validate_context(virtd_lxc_t) +@@ -965,194 +1087,246 @@ selinux_compute_create_context(virtd_lxc_t) + selinux_compute_relabel_context(virtd_lxc_t) + selinux_compute_user_contexts(virtd_lxc_t) + +-term_use_generic_ptys(virtd_lxc_t) +-term_use_ptmx(virtd_lxc_t) +-term_relabel_pty_fs(virtd_lxc_t) ++sysnet_exec_ifconfig(virtd_lxc_t) + +-auth_use_nsswitch(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) + +-logging_send_syslog_msg(virtd_lxc_t) ++optional_policy(` ++ dbus_system_bus_client(virtd_lxc_t) ++ init_dbus_chat(virtd_lxc_t) + +-miscfiles_read_localization(virtd_lxc_t) ++ optional_policy(` ++ hal_dbus_chat(virtd_lxc_t) ++ ') ++') + +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) ++optional_policy(` ++ gnome_read_generic_cache_files(virtd_lxc_t) ++') + +-sysnet_domtrans_ifconfig(virtd_lxc_t) ++optional_policy(` ++ setrans_manage_pid_files(virtd_lxc_t) ++') ++ ++optional_policy(` ++ unconfined_domain(virtd_lxc_t) ++') + + ######################################## + # +-# Common virt lxc domain local policy ++# svirt_sandbox_domain local policy + # ++allow svirt_sandbox_domain self:key manage_key_perms; ++allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; ++allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:sem create_sem_perms; ++allow svirt_sandbox_domain self:shm create_shm_perms; 
++allow svirt_sandbox_domain self:msgq create_msgq_perms; ++allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; ++allow svirt_sandbox_domain self:passwd rootok; ++ ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; ++ ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; ++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ ++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; ++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++ 
++corecmd_exec_all_executables(svirt_sandbox_domain)
++
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
++files_dontaudit_getattr_all_files(svirt_sandbox_domain)
++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
++files_entrypoint_all_files(svirt_sandbox_domain)
++files_list_var(svirt_sandbox_domain)
++files_list_var_lib(svirt_sandbox_domain)
++files_search_all(svirt_sandbox_domain)
++files_read_config_files(svirt_sandbox_domain)
++files_read_usr_symlinks(svirt_sandbox_domain)
++files_search_locks(svirt_sandbox_domain)
++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
++
++fs_getattr_all_fs(svirt_sandbox_domain)
++fs_list_inotifyfs(svirt_sandbox_domain)
++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
++fs_read_fusefs_files(svirt_sandbox_domain)
++
++auth_dontaudit_read_passwd(svirt_sandbox_domain)
++auth_dontaudit_read_login_records(svirt_sandbox_domain)
++auth_dontaudit_write_login_records(svirt_sandbox_domain)
++auth_search_pam_console_data(svirt_sandbox_domain)
++
++clock_read_adjtime(svirt_sandbox_domain)
++
++init_read_utmp(svirt_sandbox_domain)
++init_dontaudit_write_utmp(svirt_sandbox_domain)
++
++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
++
++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
++miscfiles_read_fonts(svirt_sandbox_domain)
++miscfiles_read_hwdata(svirt_sandbox_domain)
++
++systemd_read_unit_files(svirt_sandbox_domain)
++
++userdom_use_inherited_user_terminals(svirt_sandbox_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++')
+ 
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
+ 
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
+ ')
+ 
+ optional_policy(`
+- apache_exec_modules(svirt_lxc_domain)
+- apache_read_sys_content(svirt_lxc_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+ ')
+ 
+ ########################################
+ #
+-# Lxc net local policy
++# svirt_lxc_net_t local policy
+ #
++virt_sandbox_domain_template(svirt_lxc_net)
++typeattribute svirt_lxc_net_t sandbox_net_domain;
+ 
+-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+ dontaudit svirt_lxc_net_t self:capability2 block_suspend;
+-allow svirt_lxc_net_t self:process setrlimit;
+-allow svirt_lxc_net_t self:tcp_socket { accept listen };
+-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
+-allow svirt_lxc_net_t self:packet_socket create_socket_perms;
+-allow svirt_lxc_net_t self:socket create_socket_perms;
+-allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
++allow svirt_lxc_net_t self:process { execstack execmem };
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+-kernel_read_network_state(svirt_lxc_net_t)
+-kernel_read_irq_sysctls(svirt_lxc_net_t)
+-
+-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
+-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
+-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
+-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
+-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
+-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
+-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) +-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_generic_node(svirt_lxc_net_t) +-corenet_udp_bind_generic_node(svirt_lxc_net_t) ++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +- +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++kernel_read_irq_sysctls(svirt_lxc_net_t) + ++dev_read_sysfs(svirt_lxc_net_t) + dev_getattr_mtrr_dev(svirt_lxc_net_t) + dev_read_rand(svirt_lxc_net_t) +-dev_read_sysfs(svirt_lxc_net_t) + dev_read_urand(svirt_lxc_net_t) + + files_read_kernel_modules(svirt_lxc_net_t) + ++fs_noxattr_type(svirt_sandbox_file_t) + fs_mount_cgroup(svirt_lxc_net_t) + fs_manage_cgroup_dirs(svirt_lxc_net_t) +-fs_rw_cgroup_files(svirt_lxc_net_t) ++fs_manage_cgroup_files(svirt_lxc_net_t) ++ ++term_pty(svirt_sandbox_file_t) + + auth_use_nsswitch(svirt_lxc_net_t) + ++rpm_read_db(svirt_lxc_net_t) ++ + logging_send_audit_msgs(svirt_lxc_net_t) + + userdom_use_user_ptys(svirt_lxc_net_t) + +-optional_policy(` +- rpm_read_db(svirt_lxc_net_t) +-') +- +-####################################### ++######################################## + # +-# Prot exec local policy ++# svirt_lxc_net_t local policy + # ++virt_sandbox_domain_template(svirt_qemu_net) ++typeattribute svirt_qemu_net_t sandbox_net_domain; ++ ++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_qemu_net_t self:capability2 block_suspend; ++allow svirt_qemu_net_t self:process { execstack execmem }; ++allow svirt_qemu_net_t self:netlink_socket create_socket_perms; ++allow svirt_qemu_net_t self:netlink_tcpdiag_socket 
create_netlink_socket_perms; ++allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) ++filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) ++ ++term_use_generic_ptys(svirt_qemu_net_t) ++term_use_ptmx(svirt_qemu_net_t) ++ ++dev_rw_kvm(svirt_qemu_net_t) ++ ++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) ++ ++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) ++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) ++ ++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) ++ ++kernel_read_irq_sysctls(svirt_qemu_net_t) + +-allow svirt_prot_exec_t self:process { execmem execstack }; ++dev_read_sysfs(svirt_qemu_net_t) ++dev_getattr_mtrr_dev(svirt_qemu_net_t) ++dev_read_rand(svirt_qemu_net_t) ++dev_read_urand(svirt_qemu_net_t) ++ ++files_read_kernel_modules(svirt_qemu_net_t) ++ ++fs_noxattr_type(svirt_sandbox_file_t) ++fs_mount_cgroup(svirt_qemu_net_t) ++fs_manage_cgroup_dirs(svirt_qemu_net_t) ++fs_manage_cgroup_files(svirt_qemu_net_t) ++ ++term_pty(svirt_sandbox_file_t) ++ ++auth_use_nsswitch(svirt_qemu_net_t) ++ ++rpm_read_db(svirt_qemu_net_t) ++ ++logging_send_audit_msgs(svirt_qemu_net_t) ++ ++userdom_use_user_ptys(svirt_qemu_net_t) + + ######################################## + # +-# Qmf local policy ++# virt_qmf local policy + # +- + allow virt_qmf_t self:capability { sys_nice sys_tty_config }; + allow virt_qmf_t self:process { setsched signal }; + allow virt_qmf_t self:fifo_file rw_fifo_file_perms; +-allow virt_qmf_t self:unix_stream_socket { accept listen }; ++allow 
virt_qmf_t self:unix_stream_socket create_stream_socket_perms; + allow virt_qmf_t self:tcp_socket create_stream_socket_perms; + allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; + +@@ -1165,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t) + dev_read_rand(virt_qmf_t) + dev_read_urand(virt_qmf_t) + ++corenet_tcp_connect_matahari_port(virt_qmf_t) ++ + domain_use_interactive_fds(virt_qmf_t) + + logging_send_syslog_msg(virt_qmf_t) + +-miscfiles_read_localization(virt_qmf_t) +- + sysnet_read_config(virt_qmf_t) + + optional_policy(` +@@ -1183,9 +1357,8 @@ optional_policy(` + + ######################################## + # +-# Bridgehelper local policy ++# virt_bridgehelper local policy + # +- + allow virt_bridgehelper_t self:process { setcap getcap }; + allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; + allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1198,5 +1371,193 @@ kernel_read_network_state(virt_bridgehelper_t) + + corenet_rw_tun_tap_dev(virt_bridgehelper_t) + +-userdom_search_user_home_dirs(virt_bridgehelper_t) +-userdom_use_user_ptys(virt_bridgehelper_t) ++userdom_use_inherited_user_ptys(virt_bridgehelper_t) ++ ++####################################### ++# ++# virt_qemu_ga local policy ++# ++ ++allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config }; ++ ++allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; ++allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; ++can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) ++ ++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) ++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) ++files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir }) ++ ++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) ++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, 
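Review bot: `allow svirt_sandbox_domain self:passwd rootok;` and the now-enabled `files_entrypoint_all_files(svirt_sandbox_domain)` (a commented-out line in the removed svirt_lxc_domain block) both widen what every sandbox domain may do, and neither carries a comment saying which container workload needs it; a why-comment on each, e.g. `# TODO: document which in-container tool needs rootok on the passwd class`, would make the widening reviewable instead of silent. The section header `# svirt_lxc_net_t local policy` is repeated above `virt_sandbox_domain_template(svirt_qemu_net)` and should read `# svirt_qemu_net_t local policy`. `fs_noxattr_type(svirt_sandbox_file_t)` and `term_pty(svirt_sandbox_file_t)` are type-level declarations that this hunk repeats in both the svirt_lxc_net_t and svirt_qemu_net_t sections; declaring them once next to the type keeps the per-domain sections from drifting.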
virt_qemu_ga_var_run_t) ++files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } ) ++ ++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) ++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) ++ ++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) ++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) ++logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file }) ++ ++kernel_read_system_state(virt_qemu_ga_t) ++ ++corecmd_exec_shell(virt_qemu_ga_t) ++corecmd_exec_bin(virt_qemu_ga_t) ++ ++dev_rw_sysfs(virt_qemu_ga_t) ++ ++files_list_all_mountpoints(virt_qemu_ga_t) ++files_write_all_mountpoints(virt_qemu_ga_t) ++ ++fs_list_all(virt_qemu_ga_t) ++fs_getattr_all_fs(virt_qemu_ga_t) ++ ++term_use_virtio_console(virt_qemu_ga_t) ++term_use_all_ttys(virt_qemu_ga_t) ++term_use_unallocated_ttys(virt_qemu_ga_t) ++ ++logging_send_syslog_msg(virt_qemu_ga_t) ++ ++sysnet_dns_name_resolve(virt_qemu_ga_t) ++ ++systemd_exec_systemctl(virt_qemu_ga_t) ++systemd_start_power_services(virt_qemu_ga_t) ++ ++userdom_use_user_ptys(virt_qemu_ga_t) ++ ++optional_policy(` ++ bootloader_domtrans(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ cron_initrc_domtrans(virt_qemu_ga_t) ++ cron_domtrans(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ devicekit_manage_pid_files(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ shutdown_domtrans(virt_qemu_ga_t) ++') ++ ++####################################### ++# ++# qemu-ga unconfined hook script local policy ++# ++ ++optional_policy(` ++ type virt_qemu_ga_unconfined_t; ++ domain_type(virt_qemu_ga_unconfined_t) ++ ++ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) ++ role system_r types virt_qemu_ga_unconfined_t; ++ ++ domtrans_pattern(virt_qemu_ga_t, 
virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) ++ ++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms; ++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms; ++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl; ++ ++ init_domtrans_script(virt_qemu_ga_unconfined_t) ++ ++ optional_policy(` ++ unconfined_domain(virt_qemu_ga_unconfined_t) ++ ') ++') ++ ++####################################### ++# ++# tye for svirt sockets ++# ++ ++type svirt_socket_t; ++domain_type(svirt_socket_t) ++role system_r types svirt_socket_t; ++allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; ++allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++tunable_policy(`virt_transition_userdomain',` ++ userdom_transition(virtd_t) ++ userdom_transition(virtd_lxc_t) ++') ++ ++######################################## ++# ++# svirt_lxc_net_t local policy ++# ++virt_sandbox_domain_template(svirt_kvm_net) ++typeattribute svirt_kvm_net_t sandbox_net_domain; ++ ++allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_kvm_net_t self:capability2 block_suspend; ++allow svirt_kvm_net_t self:netlink_socket create_socket_perms; ++allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++term_use_generic_ptys(svirt_kvm_net_t) ++term_use_ptmx(svirt_kvm_net_t) ++ ++dev_rw_kvm(svirt_kvm_net_t) ++ ++manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) ++ ++list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) ++read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) ++ ++append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) ++ 
++kernel_read_network_state(svirt_kvm_net_t)
++kernel_read_irq_sysctls(svirt_kvm_net_t)
++
++dev_read_sysfs(svirt_kvm_net_t)
++dev_getattr_mtrr_dev(svirt_kvm_net_t)
++dev_read_rand(svirt_kvm_net_t)
++dev_read_urand(svirt_kvm_net_t)
++
++files_read_kernel_modules(svirt_kvm_net_t)
++
++fs_noxattr_type(svirt_sandbox_file_t)
++fs_mount_cgroup(svirt_kvm_net_t)
++fs_manage_cgroup_dirs(svirt_kvm_net_t)
++fs_manage_cgroup_files(svirt_kvm_net_t)
++
++term_pty(svirt_sandbox_file_t)
++
++auth_use_nsswitch(svirt_kvm_net_t)
++
++rpm_read_db(svirt_kvm_net_t)
++
++logging_send_audit_msgs(svirt_kvm_net_t)
++
++userdom_use_user_ptys(svirt_kvm_net_t)
++
++kernel_read_network_state(sandbox_net_domain)
++
++allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
++
++allow sandbox_net_domain self:udp_socket create_socket_perms;
++allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
++allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
++allow sandbox_net_domain self:packet_socket create_socket_perms;
++allow sandbox_net_domain self:socket create_socket_perms;
++allow sandbox_net_domain self:rawip_socket create_socket_perms;
++
++corenet_tcp_bind_generic_node(sandbox_net_domain)
++corenet_udp_bind_generic_node(sandbox_net_domain)
++corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
++corenet_udp_sendrecv_all_ports(sandbox_net_domain)
++corenet_udp_bind_all_ports(sandbox_net_domain)
++corenet_tcp_bind_all_ports(sandbox_net_domain)
++corenet_tcp_connect_all_ports(sandbox_net_domain)
+diff --git a/vlock.te b/vlock.te
+index 9ead775..b5285e7 100644
+--- a/vlock.te
++++ b/vlock.te
+@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
+ 
+ init_dontaudit_rw_utmp(vlock_t)
+ 
+-miscfiles_read_localization(vlock_t)
++logging_send_syslog_msg(vlock_t)
+ 
+ userdom_dontaudit_search_user_home_dirs(vlock_t)
+-userdom_use_user_terminals(vlock_t)
++userdom_use_inherited_user_terminals(vlock_t)
+diff --git a/vmware.if b/vmware.if
+index 20a1fb2..470ea95 100644
+--- a/vmware.if
++++ b/vmware.if
+@@ -26,7 +26,11 @@ interface(`vmware_role',`
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
+ 
+ ps_process_pattern($2, vmware_t)
+- allow $2 vmware_t:process { ptrace signal_perms };
++ allow $2 vmware_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 vmware_t:process ptrace;
++ ')
+ 
+ allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+diff --git a/vmware.te b/vmware.te
+index 3a56513..d7ec42b 100644
+--- a/vmware.te
++++ b/vmware.te
+@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
+ # Host local policy
+ #
+ 
+-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
++allow vmware_host_t self:capability { net_admin sys_module };
++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
+ dontaudit vmware_host_t self:capability sys_tty_config;
+ allow vmware_host_t self:process { execstack execmem signal_perms };
+ allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
+ kernel_read_kernel_sysctls(vmware_host_t)
+ kernel_read_system_state(vmware_host_t)
+ kernel_read_network_state(vmware_host_t)
++kernel_request_load_module(vmware_host_t)
+ 
+-corenet_all_recvfrom_unlabeled(vmware_host_t)
+ corenet_all_recvfrom_netlabel(vmware_host_t)
+ corenet_tcp_sendrecv_generic_if(vmware_host_t)
+ corenet_udp_sendrecv_generic_if(vmware_host_t)
+@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
+ dev_read_sysfs(vmware_host_t)
+ dev_read_urand(vmware_host_t)
+ dev_rw_vmware(vmware_host_t)
++dev_rw_generic_chr_files(vmware_host_t)
+ 
+ domain_use_interactive_fds(vmware_host_t)
+ domain_dontaudit_read_all_domains_state(vmware_host_t)
+ 
+ files_list_tmp(vmware_host_t)
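Review bot: `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class; the line above it already grants `search_dir_perms` on the directory, so this was presumably meant as `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file read_file_perms;`, which would also cover the separate `:file ioctl` line. The same pair of lines appears for watchdog_unconfined_exec_t in the watchdog.te hunk `@@ -97,3 +104,28 @@`. Two section headers in this hunk are copy-paste leftovers: `# tye for svirt sockets` (type) and `# svirt_lxc_net_t local policy` above `virt_sandbox_domain_template(svirt_kvm_net)`, which should name svirt_kvm_net_t.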
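Review bot: `allow vmware_host_t self:capability { net_admin sys_module };` grants sys_module, which lets the domain load kernel modules directly, while the next hunk (`@@ -94,8 +95,8 @@`) adds `kernel_request_load_module(vmware_host_t)` and the domain already has `modutils_domtrans_insmod(vmware_host_t)` in an optional_policy block; if the request-based path is enough, sys_module should be dropped, and if not, a comment should say which operation needs it. Splitting the capability set across two `allow vmware_host_t self:capability` lines with no comment also reads like a debugging leftover; merging them into one line keeps the set reviewable.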
+-files_read_etc_files(vmware_host_t) + files_read_etc_runtime_files(vmware_host_t) +-files_read_usr_files(vmware_host_t) + + fs_getattr_all_fs(vmware_host_t) + fs_search_auto_mountpoints(vmware_host_t) +@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t) + + logging_send_syslog_msg(vmware_host_t) + +-miscfiles_read_localization(vmware_host_t) +- + sysnet_dns_name_resolve(vmware_host_t) + sysnet_domtrans_ifconfig(vmware_host_t) + ++systemd_start_power_services(vmware_host_t) ++ + userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) + userdom_dontaudit_search_user_home_dirs(vmware_host_t) + + netutils_domtrans_ping(vmware_host_t) + + optional_policy(` +- hostname_exec(vmware_host_t) ++ unconfined_domain(vmware_host_t) + ') + + optional_policy(` ++ hostname_exec(vmware_host_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(vmware_host_t) +-') ++') + + optional_policy(` + samba_read_config(vmware_host_t) +@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t) + + domain_use_interactive_fds(vmware_t) + +-files_read_etc_files(vmware_t) + files_read_etc_runtime_files(vmware_t) +-files_read_usr_files(vmware_t) + files_list_home(vmware_t) + + fs_getattr_all_fs(vmware_t) +@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t) + libs_exec_ld_so(vmware_t) + libs_read_lib_files(vmware_t) + +-miscfiles_read_localization(vmware_t) + +-userdom_use_user_terminals(vmware_t) ++userdom_use_inherited_user_terminals(vmware_t) + userdom_list_user_home_dirs(vmware_t) + + sysnet_dns_name_resolve(vmware_t) +diff --git a/vnstatd.if b/vnstatd.if +index 137ac44..b644854 100644 +--- a/vnstatd.if ++++ b/vnstatd.if +@@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',` + ## Role allowed access. + ##
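Review bot: the new optional_policy block calling `unconfined_domain(vmware_host_t)` makes every other rule in the vmware_host_t section, including `dev_rw_generic_chr_files(vmware_host_t)` and `systemd_start_power_services(vmware_host_t)` added by this patch, irrelevant whenever the unconfined module is loaded, and nothing records why the domain is being opened up. A comment above the block such as `# TODO: document why vmware_host_t needs unconfined_domain; the rules above only take effect without the unconfined module` would let a later reader decide whether the narrow rules are still worth maintaining. The `-')`/`+')` pair closing the modutils block is a whitespace-only change.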
    + ## +-## + # + interface(`vnstatd_admin',` + gen_require(` +@@ -165,9 +164,13 @@ interface(`vnstatd_admin',` + type vnstatd_var_run_t; + ') + +- allow $1 vnstatd_t:process { ptrace signal_perms }; ++ allow $1 vnstatd_t:process signal_perms; + ps_process_pattern($1, vnstatd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vnstatd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, vnstatd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 vnstatd_initrc_exec_t system_r; +diff --git a/vnstatd.te b/vnstatd.te +index febc3e5..ff18188 100644 +--- a/vnstatd.te ++++ b/vnstatd.te +@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; + + manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) ++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir) + + manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) + manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) +@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t) + + domain_use_interactive_fds(vnstatd_t) + +-files_read_etc_files(vnstatd_t) +- + fs_getattr_xattr_fs(vnstatd_t) + + logging_send_syslog_msg(vnstatd_t) + +-miscfiles_read_localization(vnstatd_t) +- + ######################################## + # + # Client local policy +@@ -64,23 +60,19 @@ allow vnstat_t self:process signal; + allow vnstat_t self:fifo_file rw_fifo_file_perms; + allow vnstat_t self:unix_stream_socket { accept listen }; + ++files_search_var_lib(vnstat_t) + manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) + manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) + + kernel_read_network_state(vnstat_t) + kernel_read_system_state(vnstat_t) + + domain_use_interactive_fds(vnstat_t) + 
+-files_read_etc_files(vnstat_t)
+-
+ fs_getattr_xattr_fs(vnstat_t)
+ 
+ logging_send_syslog_msg(vnstat_t)
+ 
+-miscfiles_read_localization(vnstat_t)
+-
+ optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+ ')
+diff --git a/vpn.fc b/vpn.fc
+index 524ac2f..076dcc3 100644
+--- a/vpn.fc
++++ b/vpn.fc
+@@ -1,7 +1,13 @@
+-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
++#
++# sbin
++#
++/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+ 
++#
++# /usr
++#
+ /usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+ 
+-/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
++/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+ 
+-/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
++/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
+diff --git a/vpn.if b/vpn.if
+index 7a7f342..afedcba 100644
+--- a/vpn.if
++++ b/vpn.if
+@@ -1,8 +1,8 @@
+-## Virtual Private Networking client.
++## Virtual Private Networking client
+ 
+ ########################################
+ ##
+-## Execute vpn clients in the vpnc domain.
++## Execute VPN clients in the vpnc domain.
+ ##
+ ##
+ ##
+@@ -15,15 +15,13 @@ interface(`vpn_domtrans',`
+ type vpnc_t, vpnc_exec_t;
+ ')
+ 
+- corecmd_search_bin($1)
+ domtrans_pattern($1, vpnc_exec_t, vpnc_t)
+ ')
+ 
+ ########################################
+ ##
+-## Execute vpn clients in the vpnc
+-## domain, and allow the specified
+-## role the vpnc domain.
++## Execute VPN clients in the vpnc domain, and
++## allow the specified role the vpnc domain.
+ ##
+ ##
+ ##
+@@ -40,6 +38,7 @@ interface(`vpn_domtrans',`
+ interface(`vpn_run',`
+ gen_require(`
+ attribute_role vpnc_roles;
++ type vpnc_t;
+ ')
+ 
+ vpn_domtrans($1)
+@@ -48,7 +47,7 @@ interface(`vpn_run',`
+ 
+ ########################################
+ ##
+-## Send kill signals to vpnc.
++## Send VPN clients the kill signal.
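Review bot: dropping `corecmd_search_bin($1)` from vpn_domtrans means a caller that does not already hold search on the bin directories can no longer reach /usr/bin/openconnect or /usr/sbin/vpnc (both labelled vpnc_exec_t in the vpn.fc hunk) to perform the transition; the hunk shows no replacement inside the interface, so the removal presumably relies on every caller having that access already. That assumption is worth recording in the interface's doc comment, e.g. `## The caller is expected to already have search access to bin directories.`, so that a new caller failing to transition is not debugged from scratch.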
+ ## + ## + ## +@@ -66,7 +65,7 @@ interface(`vpn_kill',` + + ######################################## + ## +-## Send generic signals to vpnc. ++## Send generic signals to VPN clients. + ## + ## + ## +@@ -84,7 +83,7 @@ interface(`vpn_signal',` + + ######################################## + ## +-## Send null signals to vpnc. ++## Send signull to VPN clients. + ## + ## + ## +@@ -103,7 +102,7 @@ interface(`vpn_signull',` + ######################################## + ## + ## Send and receive messages from +-## vpnc over dbus. ++## Vpnc over dbus. + ## + ## + ## +diff --git a/vpn.te b/vpn.te +index 9329eae..824e86f 100644 +--- a/vpn.te ++++ b/vpn.te +@@ -1,4 +1,4 @@ +-policy_module(vpn, 1.15.1) ++policy_module(vpn, 1.15.0) + + ######################################## + # +@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1) + # + + attribute_role vpnc_roles; ++roleattribute system_r vpnc_roles; + + type vpnc_t; + type vpnc_exec_t; +@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n + allow vpnc_t self:process { getsched signal }; + allow vpnc_t self:fifo_file rw_fifo_file_perms; + allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; +-allow vpnc_t self:tcp_socket { accept listen }; ++allow vpnc_t self:tcp_socket create_stream_socket_perms; ++allow vpnc_t self:udp_socket create_socket_perms; + allow vpnc_t self:rawip_socket create_socket_perms; ++allow vpnc_t self:unix_dgram_socket create_socket_perms; ++allow vpnc_t self:unix_stream_socket create_socket_perms; + allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; ++# cjp: this needs to be fixed + allow vpnc_t self:socket create_socket_perms; + + manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) +@@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t) + kernel_request_load_module(vpnc_t) + kernel_rw_net_sysctls(vpnc_t) + +-corenet_all_recvfrom_unlabeled(vpnc_t) + corenet_all_recvfrom_netlabel(vpnc_t) + corenet_tcp_sendrecv_generic_if(vpnc_t) + 
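Review bot: `policy_module(vpn, 1.15.0)` moves the module version backwards from 1.15.1, so a tree that already carries 1.15.1 cannot tell this revision, which changes policy content in the later hunks, from an older one. Unless this is a deliberate rebase onto an upstream 1.15.0, the version should be bumped past 1.15.1 rather than decremented.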
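Review bot: the added comment `# cjp: this needs to be fixed` above `allow vpnc_t self:socket create_socket_perms;` names a person but not the problem, so the next maintainer cannot act on it. The generic `socket` class is the fallback for socket families without a specific class, so the fix presumably means replacing it with the specific socket class the client actually creates; a comment such as `# TODO: replace the generic socket class with the specific class vpnc/openconnect opens (identify the family from the AVC denial)` would record that.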
corenet_udp_sendrecv_generic_if(vpnc_t) +@@ -58,38 +62,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) + corenet_tcp_sendrecv_all_ports(vpnc_t) + corenet_udp_sendrecv_all_ports(vpnc_t) + corenet_udp_bind_generic_node(vpnc_t) +- +-corenet_sendrecv_all_server_packets(vpnc_t) + corenet_udp_bind_generic_port(vpnc_t) +- +-corenet_sendrecv_isakmp_server_packets(vpnc_t) + corenet_udp_bind_isakmp_port(vpnc_t) +- +-corenet_sendrecv_generic_server_packets(vpnc_t) + corenet_udp_bind_ipsecnat_port(vpnc_t) +- +-corenet_sendrecv_all_client_packets(vpnc_t) + corenet_tcp_connect_all_ports(vpnc_t) +- ++corenet_sendrecv_all_client_packets(vpnc_t) ++corenet_sendrecv_isakmp_server_packets(vpnc_t) ++corenet_sendrecv_generic_server_packets(vpnc_t) + corenet_rw_tun_tap_dev(vpnc_t) + +-corecmd_exec_all_executables(vpnc_t) +- + dev_read_rand(vpnc_t) + dev_read_urand(vpnc_t) + dev_read_sysfs(vpnc_t) + + domain_use_interactive_fds(vpnc_t) + +-files_exec_etc_files(vpnc_t) +-files_read_etc_runtime_files(vpnc_t) +-files_dontaudit_search_home(vpnc_t) +- + fs_getattr_xattr_fs(vpnc_t) + fs_getattr_tmpfs(vpnc_t) + +-term_use_all_ptys(vpnc_t) +-term_use_all_ttys(vpnc_t) ++term_use_all_inherited_ptys(vpnc_t) ++term_use_all_inherited_ttys(vpnc_t) ++ ++corecmd_exec_all_executables(vpnc_t) ++ ++files_exec_etc_files(vpnc_t) ++files_read_etc_runtime_files(vpnc_t) ++files_dontaudit_search_home(vpnc_t) + + auth_use_nsswitch(vpnc_t) + +@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t) + logging_send_syslog_msg(vpnc_t) + logging_dontaudit_search_logs(vpnc_t) + +-miscfiles_read_localization(vpnc_t) +- +-seutil_dontaudit_search_config(vpnc_t) ++seutil_use_newrole_fds(vpnc_t) + + sysnet_run_ifconfig(vpnc_t, vpnc_roles) + sysnet_etc_filetrans_config(vpnc_t) + sysnet_manage_config(vpnc_t) + + userdom_use_all_users_fds(vpnc_t) +-userdom_dontaudit_search_user_home_content(vpnc_t) ++userdom_read_home_certs(vpnc_t) ++userdom_search_admin_dir(vpnc_t) + + optional_policy(` + dbus_system_bus_client(vpnc_t) +@@ -125,7 
+122,3 @@ optional_policy(` + optional_policy(` + networkmanager_attach_tun_iface(vpnc_t) + ') +- +-optional_policy(` +- seutil_use_newrole_fds(vpnc_t) +-') +diff --git a/watchdog.fc b/watchdog.fc +index eecd0e0..8df2e8c 100644 +--- a/watchdog.fc ++++ b/watchdog.fc +@@ -1,7 +1,12 @@ + /etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0) ++/etc/watchdog\.d(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0) + + /usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) + ++/usr/libexec/watchdog/scripts(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0) ++ ++/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0) ++ + /var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0) + + /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) +diff --git a/watchdog.te b/watchdog.te +index 29f79e8..45b3926 100644 +--- a/watchdog.te ++++ b/watchdog.te +@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) + type watchdog_initrc_exec_t; + init_script_file(watchdog_initrc_exec_t) + ++type watchdog_cache_t; ++files_type(watchdog_cache_t) ++ + type watchdog_log_t; + logging_log_file(watchdog_log_t) + + type watchdog_var_run_t; + files_pid_file(watchdog_var_run_t) + ++type watchdog_unconfined_exec_t; ++application_executable_file(watchdog_unconfined_exec_t) ++ + ######################################## + # + # Local policy +@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms }; + allow watchdog_t self:fifo_file rw_fifo_file_perms; + allow watchdog_t self:tcp_socket { accept listen }; + +-allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(watchdog_t, watchdog_log_t, file) ++manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) ++manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) ++ 
++manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) ++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) ++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) + + manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) + files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) +@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t) + domain_signal_all_domains(watchdog_t) + domain_kill_all_domains(watchdog_t) + +-files_read_etc_files(watchdog_t) + files_manage_etc_runtime_files(watchdog_t) + files_etc_filetrans_etc_runtime(watchdog_t, file) + +@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t) + + logging_send_syslog_msg(watchdog_t) + +-miscfiles_read_localization(watchdog_t) +- + sysnet_dns_name_resolve(watchdog_t) + + userdom_dontaudit_use_unpriv_user_fds(watchdog_t) +@@ -97,3 +104,28 @@ optional_policy(` + optional_policy(` + udev_read_db(watchdog_t) + ') ++ ++######################################## ++# ++# watchdog_unconfined_script_t local policy ++# ++ ++optional_policy(` ++ type watchdog_unconfined_t; ++ domain_type(watchdog_unconfined_t) ++ ++ domain_entry_file(watchdog_unconfined_t, watchdog_unconfined_exec_t) ++ role system_r types watchdog_unconfined_t; ++ ++ domtrans_pattern(watchdog_t, watchdog_unconfined_exec_t, watchdog_unconfined_t) ++ ++ allow watchdog_t watchdog_unconfined_exec_t:dir search_dir_perms; ++ allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms; ++ allow watchdog_t watchdog_unconfined_exec_t:file ioctl; ++ ++ init_domtrans_script(watchdog_unconfined_t) ++ ++ optional_policy(` ++ unconfined_domain(watchdog_unconfined_t) ++ ') ++') +diff --git a/wdmd.fc b/wdmd.fc +index 66f11f7..e051997 100644 +--- a/wdmd.fc ++++ b/wdmd.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) + +-/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) ++/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) ++ 
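Review bot: Replacing the append-only log rule with `manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` lets the daemon overwrite and unlink its own log files, where the removed rule allowed only append, create and setattr. If the wider access is needed for rotation, say so in a comment; otherwise keep the narrower rule and add only the directory handling, e.g. `allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };` next to the new `manage_dirs_pattern` line. The two new log lines also omit the space after each comma, unlike the `watchdog_cache_t` lines directly above, and `logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})` mixes both styles.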
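Review bot: `allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class; together with the `search_dir_perms` line above it this is the `list_dir_perms` set, so the two lines can become `allow watchdog_t watchdog_unconfined_exec_t:dir list_dir_perms;`. The section header names `watchdog_unconfined_script_t` while the type declared is `watchdog_unconfined_t`. Declaring `type watchdog_unconfined_t` inside `optional_policy` differs from how every other type in this file is declared, and `init_domtrans_script(watchdog_unconfined_t)` plus the nested `unconfined_domain` call mean anything executed from the labelled script directories runs without confinement, which deserves a comment saying why these scripts cannot be confined.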
++/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) ++/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0) + +-/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) +diff --git a/wdmd.if b/wdmd.if +index 1e3aec0..d17ff39 100644 +--- a/wdmd.if ++++ b/wdmd.if +@@ -1,29 +1,47 @@ +-## Watchdog multiplexing daemon. ++ ++## watchdog multiplexing daemon + + ######################################## + ## +-## Connect to wdmd with a unix +-## domain stream socket. ++## Execute a domain transition to run wdmd. + ## + ## +-## ++## + ## Domain allowed access. ++## ++## ++# ++interface(`wdmd_domtrans',` ++ gen_require(` ++ type wdmd_t, wdmd_exec_t; ++ ') ++ ++ domtrans_pattern($1, wdmd_exec_t, wdmd_t) ++') ++ ++ ++######################################## ++## ++## Execute wdmd server in the wdmd domain. ++## ++## ++## ++## The type of the process performing this action. + ## + ## + # +-interface(`wdmd_stream_connect',` ++interface(`wdmd_initrc_domtrans',` + gen_require(` +- type wdmd_t, wdmd_var_run_t; ++ type wdmd_initrc_exec_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) ++ init_labeled_script_domtrans($1, wdmd_initrc_exec_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an wdmd environment. 
++## All of the rules required to administrate ++## an wdmd environment + ## + ## + ## +@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',` + # + interface(`wdmd_admin',` + gen_require(` +- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t; ++ type wdmd_t; ++ type wdmd_initrc_exec_t; + ') + +- allow $1 wdmd_t:process { ptrace signal_perms }; ++ allow $1 wdmd_t:process signal_perms; + ps_process_pattern($1, wdmd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 wdmd_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, wdmd_initrc_exec_t) ++ wdmd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 wdmd_initrc_exec_t system_r; + allow $2 system_r; + ++') ++ ++###################################### ++## ++## Create, read, write, and delete wdmd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wdmd_manage_pid_files',` ++ gen_require(` ++ type wdmd_var_run_t; ++ ') ++ + files_search_pids($1) +- admin_pattern($1, wdmd_var_run_t) ++ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t) ++') ++ ++######################################## ++## ++## Connect to wdmd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wdmd_stream_connect',` ++ gen_require(` ++ type wdmd_t, wdmd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) ++') ++ ++ ++#################################### ++## ++## Allow the specified domain to read/write wdmd's tmpfs files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`wdmd_rw_tmpfs',` ++ gen_require(` ++ type wdmd_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t) ++ + ') +diff --git a/wdmd.te b/wdmd.te +index ebbdaf6..144c0e7 100644 +--- a/wdmd.te ++++ b/wdmd.te +@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t) + dev_read_watchdog(wdmd_t) + dev_write_watchdog(wdmd_t) + ++fs_getattr_all_fs(wdmd_t) + fs_read_anon_inodefs_files(wdmd_t) + + auth_use_nsswitch(wdmd_t) + + logging_send_syslog_msg(wdmd_t) + +-miscfiles_read_localization(wdmd_t) +- + optional_policy(` +- corosync_initrc_domtrans(wdmd_t) +- corosync_stream_connect(wdmd_t) +- corosync_rw_tmpfs(wdmd_t) ++ rhcs_initrc_domtrans_cluster(wdmd_t) ++ rhcs_stream_connect_cluster(wdmd_t) ++ rhcs_rw_cluster_tmpfs(wdmd_t) + ') +diff --git a/webadm.te b/webadm.te +index 708254f..d26f598 100644 +--- a/webadm.te ++++ b/webadm.te +@@ -25,6 +25,9 @@ role webadm_r; + + userdom_base_user_template(webadm) + ++type webadm_tmp_t; ++files_tmp_file(webadm_tmp_t) ++ + ######################################## + # + # Local policy +@@ -32,6 +35,12 @@ userdom_base_user_template(webadm) + + allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; + ++manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) ++manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) ++manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) ++files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) ++can_exec(webadm_t, webadm_tmp_t) ++ + files_dontaudit_search_all_dirs(webadm_t) + files_list_var(webadm_t) + +@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t) + + userdom_dontaudit_search_user_home_dirs(webadm_t) + +-apache_admin(webadm_t, webadm_r) ++optional_policy(` ++ apache_admin(webadm_t, webadm_r) ++') + + tunable_policy(`webadm_manage_user_files',` + userdom_manage_user_home_content_files(webadm_t) +diff --git a/webalizer.te b/webalizer.te +index cdca8c7..3c09628 100644 +--- a/webalizer.te ++++ b/webalizer.te +@@ -55,27 +55,35 @@ 
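Review bot: `wdmd_rw_tmpfs` requires `type wdmd_tmpfs_t`, but none of the wdmd.te hunks in this patch declare that type; if it is not declared elsewhere the interface fails at link time for any caller, so either add the declaration or hold the interface until it exists. `wdmd_admin` also drops `admin_pattern($1, wdmd_var_run_t)` without calling the new `wdmd_manage_pid_files`, so administrators lose pid-file management unless that was intended, in which case the interface summary should say so. The blank line before the closing `')` of `wdmd_rw_tmpfs` is stray.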
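Review bot: `can_exec(webadm_t, webadm_tmp_t)` combined with the `manage_*_pattern` lines above it lets the web administrator domain write and then execute arbitrary files in its own tmp type, which removes the write-versus-execute separation the rest of this domain keeps. If a specific tool needs it, name it in a comment; otherwise drop the `can_exec` line and keep only the manage rules and the `files_tmp_filetrans` call. Wrapping `apache_admin` in `optional_policy` is reasonable, but it means the role silently does nothing useful when the apache module is absent, which is worth a comment.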
can_exec(webalizer_t, webalizer_exec_t) + kernel_read_kernel_sysctls(webalizer_t) + kernel_read_system_state(webalizer_t) + +-files_read_etc_runtime_files(webalizer_t) ++corenet_all_recvfrom_netlabel(webalizer_t) ++corenet_tcp_sendrecv_generic_if(webalizer_t) ++corenet_tcp_sendrecv_generic_node(webalizer_t) ++corenet_tcp_sendrecv_all_ports(webalizer_t) + + fs_search_auto_mountpoints(webalizer_t) + fs_getattr_xattr_fs(webalizer_t) + fs_rw_anon_inodefs_files(webalizer_t) + +-auth_use_nsswitch(webalizer_t) ++files_read_etc_runtime_files(webalizer_t) + + logging_list_logs(webalizer_t) + logging_send_syslog_msg(webalizer_t) + +-miscfiles_read_localization(webalizer_t) ++auth_use_nsswitch(webalizer_t) ++ + miscfiles_read_public_files(webalizer_t) + +-userdom_use_user_terminals(webalizer_t) ++sysnet_dns_name_resolve(webalizer_t) ++sysnet_read_config(webalizer_t) ++ ++userdom_use_inherited_user_terminals(webalizer_t) + userdom_use_unpriv_users_fds(webalizer_t) + userdom_dontaudit_search_user_home_content(webalizer_t) + + optional_policy(` + apache_read_log(webalizer_t) + apache_content_template(webalizer) ++ apache_manage_sys_content(webalizer_t) + manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) + manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) + ') +diff --git a/wine.if b/wine.if +index fd2b6cc..52a2e72 100644 +--- a/wine.if ++++ b/wine.if +@@ -1,46 +1,57 @@ +-## Run Windows programs in Linux. ++## Wine Is Not an Emulator. Run Windows programs in Linux. + +-######################################## ++####################################### + ## +-## Role access for wine. ++## The per role template for the wine module. + ## +-## ++## ++##
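Review bot: `corenet_tcp_sendrecv_all_ports(webalizer_t)` together with the generic interface and node calls grants a log analyser TCP traffic on every port; if the intent is reverse DNS lookups, `sysnet_dns_name_resolve(webalizer_t)` added in the same hunk already covers the DNS port, so the all-ports grant looks broader than needed and should be narrowed or justified in a comment. `apache_manage_sys_content(webalizer_t)` likewise gives the analyser write access to Apache's system content beyond the `httpd_webalizer_content_t` it already manages; it is not clear from the diff which output requires that.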

    ++## This template creates a derived domains which are used ++## for wine applications. ++##

    ++##
    ++## + ## +-## Role allowed access. ++## The role associated with the user domain. + ## + ## +-## ++## + ## +-## User domain for the role. ++## The type of the user domain. + ## + ## + # +-interface(`wine_role',` ++template(`wine_role',` + gen_require(` +- attribute_role wine_roles; +- type wine_exec_t, wine_t, wine_tmp_t; ++ type wine_t; + type wine_home_t; ++ type wine_exec_t; + ') + +- roleattribute $1 wine_roles; +- +- domtrans_pattern($2, wine_exec_t, wine_t) ++ role $1 types wine_t; + ++ domain_auto_trans($2, wine_exec_t, wine_t) ++ # Unrestricted inheritance from the caller. ++ allow $2 wine_t:process { noatsecure siginh rlimitinh }; ++ allow wine_t $2:fd use; ++ allow wine_t $2:process { sigchld signull }; + allow wine_t $2:unix_stream_socket connectto; +- allow wine_t $2:process signull; + ++ # Allow the user domain to signal/ps. + ps_process_pattern($2, wine_t) +- allow $2 wine_t:process { ptrace signal_perms }; ++ allow $2 wine_t:process signal_perms; + + allow $2 wine_t:fd use; +- allow $2 wine_t:shm { associate getattr }; +- allow $2 wine_t:shm rw_shm_perms; ++ allow $2 wine_t:shm { associate getattr unix_read unix_write }; + allow $2 wine_t:unix_stream_socket connectto; + +- allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine") ++ # X access, Home files ++ manage_dirs_pattern($2, wine_home_t, wine_home_t) ++ manage_files_pattern($2, wine_home_t, wine_home_t) ++ manage_lnk_files_pattern($2, wine_home_t, wine_home_t) ++ relabel_dirs_pattern($2, wine_home_t, wine_home_t) ++ relabel_files_pattern($2, wine_home_t, wine_home_t) ++ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) + ') + + ####################################### +@@ -72,31 +83,25 @@ interface(`wine_role',` + # + 
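Review bot: `allow $2 wine_t:process { noatsecure siginh rlimitinh };` disables secure-exec on the transition into wine_t, so the caller's environment (including loader variables), signal state and rlimits carry over, and the comment `# Unrestricted inheritance from the caller.` does not say why. Since wine.te in this patch makes wine_t `unconfined_domain`, a comment such as `# wine_t is unconfined (see wine.te); secure-exec across this transition is intentionally not enforced` would record the reasoning, if that is the intent. Changing `interface(`wine_role'` to `template(`wine_role'` while keeping the name changes the contract for callers and the generated documentation, and `roleattribute $1 wine_roles` being replaced by `role $1 types wine_t;` means callers no longer extend `wine_roles`, which any policy relying on that attribute needs to know.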
template(`wine_role_template',` + gen_require(` ++ type wine_t; ++ attribute wine_domain; + type wine_exec_t; + ') + +- type $1_wine_t; +- userdom_user_application_domain($1_wine_t, wine_exec_t) ++ type $1_wine_t, wine_domain; ++ domain_type($1_wine_t) ++ domain_entry_file($1_wine_t, wine_exec_t) ++ ubac_constrained($1_wine_t) + role $2 types $1_wine_t; +- +- allow $1_wine_t self:process { execmem execstack }; +- +- allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; +- ps_process_pattern($3, $1_wine_t) +- ++ allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; + domtrans_pattern($3, wine_exec_t, $1_wine_t) +- +- corecmd_bin_domtrans($1_wine_t, $3) ++ corecmd_bin_domtrans($1_wine_t, $1_t) + + userdom_unpriv_usertype($1, $1_wine_t) +- userdom_manage_user_tmpfs_files($1_wine_t) ++ userdom_manage_tmpfs_role($2, $1_wine_t) + + domain_mmap_low($1_wine_t) + +- tunable_policy(`wine_mmap_zero_ignore',` +- dontaudit $1_wine_t self:memprotect mmap_zero; +- ') +- + optional_policy(` + xserver_role($1_r, $1_wine_t) + ') +@@ -123,9 +128,8 @@ interface(`wine_domtrans',` + + ######################################## + ## +-## Execute wine in the wine domain, +-## and allow the specified role +-## the wine domain. ++## Execute wine in the wine domain, and ++## allow the specified role the wine domain. 
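Review bot: `corecmd_bin_domtrans($1_wine_t, $1_t)` hard-codes the user domain as `$1_t` while the line before it, `domtrans_pattern($3, wine_exec_t, $1_wine_t)`, still uses the `$3` parameter, so a caller whose user domain is not literally `<prefix>_t` gets an inconsistent pair of rules. Keep `corecmd_bin_domtrans($1_wine_t, $3)` unless the template is meant to require that naming, in which case its parameter documentation (outside this hunk) should state it. The template's body continues outside the hunk.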
+ ## + ## + ## +@@ -140,11 +144,11 @@ interface(`wine_domtrans',` + # + interface(`wine_run',` + gen_require(` +- attribute_role wine_roles; ++ type wine_t; + ') + + wine_domtrans($1) +- roleattribute $2 wine_roles; ++ role $2 types wine_t; + ') + + ######################################## +diff --git a/wine.te b/wine.te +index b51923c..8e47110 100644 +--- a/wine.te ++++ b/wine.te +@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) + ## + gen_tunable(wine_mmap_zero_ignore, false) + ++attribute wine_domain; + attribute_role wine_roles; + roleattribute system_r wine_roles; + +-type wine_t; ++type wine_t, wine_domain; + type wine_exec_t; + userdom_user_application_domain(wine_t, wine_exec_t) + role wine_roles types wine_t; +@@ -25,56 +26,57 @@ role wine_roles types wine_t; + type wine_home_t; + userdom_user_home_content(wine_home_t) + +-type wine_tmp_t; +-userdom_user_tmp_file(wine_tmp_t) +- + ######################################## + # + # Local policy + # ++domain_mmap_low(wine_t) ++ ++optional_policy(` ++ unconfined_domain(wine_t) ++') + +-allow wine_t self:process { execstack execmem execheap }; +-allow wine_t self:fifo_file manage_fifo_file_perms; + +-can_exec(wine_t, wine_exec_t) ++######################################## ++# ++# Common wine domain policy ++# + +-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") ++allow wine_domain self:process { execstack execmem execheap }; ++allow wine_domain self:fifo_file manage_fifo_file_perms; + +-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) +-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) +-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) ++can_exec(wine_domain, wine_exec_t) + +-domain_mmap_low(wine_t) ++manage_files_pattern(wine_domain, wine_home_t, wine_home_t) ++manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) ++userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine") ++userdom_tmpfs_filetrans(wine_domain, file) + +-files_execmod_all_files(wine_t) 
++files_execmod_all_files(wine_domain) + +-userdom_use_user_terminals(wine_t) ++userdom_use_inherited_user_terminals(wine_domain) + + tunable_policy(`wine_mmap_zero_ignore',` +- dontaudit wine_t self:memprotect mmap_zero; ++ dontaudit wine_domain self:memprotect mmap_zero; + ') + + optional_policy(` +- dbus_system_bus_client(wine_t) ++ dbus_system_bus_client(wine_domain) + + optional_policy(` +- hal_dbus_chat(wine_t) ++ hal_dbus_chat(wine_domain) + ') + + optional_policy(` +- policykit_dbus_chat(wine_t) ++ policykit_dbus_chat(wine_domain) + ') + ') + + optional_policy(` +- rtkit_scheduled(wine_t) +-') +- +-optional_policy(` +- unconfined_domain(wine_t) ++ rtkit_scheduled(wine_domain) + ') + + optional_policy(` +- xserver_read_xdm_pid(wine_t) +- xserver_rw_shm(wine_t) ++ xserver_read_xdm_pid(wine_domain) ++ xserver_rw_shm(wine_domain) + ') +diff --git a/wireshark.te b/wireshark.te +index cf5cab6..a2d910f 100644 +--- a/wireshark.te ++++ b/wireshark.te +@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) + # Local Policy + # + +-allow wireshark_t self:capability { net_admin net_raw setgid }; ++allow wireshark_t self:capability { net_admin net_raw }; + allow wireshark_t self:process { signal getsched }; + allow wireshark_t self:fifo_file rw_fifo_file_perms; + allow wireshark_t self:shm create_shm_perms; +@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t) + dev_read_sysfs(wireshark_t) + dev_read_urand(wireshark_t) + +-files_read_usr_files(wireshark_t) + + fs_getattr_all_fs(wireshark_t) + fs_list_inotifyfs(wireshark_t) +@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t) + + auth_use_nsswitch(wireshark_t) + +-libs_read_lib_files(wireshark_t) +- + miscfiles_read_fonts(wireshark_t) +-miscfiles_read_localization(wireshark_t) + + userdom_use_user_terminals(wireshark_t) + + userdom_manage_user_home_content_files(wireshark_t) +-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) +- +-tunable_policy(`use_nfs_home_dirs',` +- 
fs_manage_nfs_dirs(wireshark_t) +- fs_manage_nfs_files(wireshark_t) +- fs_manage_nfs_symlinks(wireshark_t) +-') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(wireshark_t) +- fs_manage_cifs_files(wireshark_t) +- fs_manage_cifs_symlinks(wireshark_t) +-') ++userdom_filetrans_home_content(wireshark_t) + +-optional_policy(` +- seutil_use_newrole_fds(wireshark_t) +-') ++userdom_home_manager(wireshark_t) + + optional_policy(` + userhelper_use_fd(wireshark_t) +diff --git a/wm.fc b/wm.fc +index 304ae09..c1d10a1 100644 +--- a/wm.fc ++++ b/wm.fc +@@ -1,4 +1,4 @@ + /usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) + /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) + /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) +-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) ++/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +diff --git a/wm.if b/wm.if +index 25b702d..36b2f81 100644 +--- a/wm.if ++++ b/wm.if +@@ -1,4 +1,4 @@ +-## X Window Managers. 
++## X Window Managers + + ####################################### + ## +@@ -29,54 +29,46 @@ + # + template(`wm_role_template',` + gen_require(` +- attribute wm_domain; + type wm_exec_t; ++ class dbus send_msg; ++ attribute wm_domain; + ') + +- ######################################## +- # +- # Declarations +- # +- + type $1_wm_t, wm_domain; +- userdom_user_application_domain($1_wm_t, wm_exec_t) ++ domain_type($1_wm_t) ++ domain_entry_file($1_wm_t, wm_exec_t) + role $2 types $1_wm_t; + +- ######################################## +- # +- # Policy +- # +- + allow $1_wm_t $3:unix_stream_socket connectto; + allow $3 $1_wm_t:unix_stream_socket connectto; ++ allow $3 $1_wm_t:process { signal sigchld signull }; ++ allow $1_wm_t $3:process { signull sigkill }; + +- allow $3 $1_wm_t:process { ptrace signal_perms }; +- ps_process_pattern($3, $1_wm_t) ++ allow $1_wm_t $3:dbus send_msg; ++ allow $3 $1_wm_t:dbus send_msg; + +- allow $1_wm_t $3:process { signull sigkill }; ++ userdom_manage_home_role($2, $1_wm_t) ++ userdom_manage_tmpfs_role($2, $1_wm_t) ++ userdom_manage_tmp_role($2, $1_wm_t) ++ userdom_exec_user_tmp_files($1_wm_t) + + domtrans_pattern($3, wm_exec_t, $1_wm_t) + + corecmd_bin_domtrans($1_wm_t, $3) + corecmd_shell_domtrans($1_wm_t, $3) + ++ auth_use_nsswitch($1_wm_t) ++ ++ kernel_read_system_state($1_wm_t) ++ ++ auth_use_nsswitch($1_wm_t) ++ + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) + mls_xwin_write_all_levels($1_wm_t) + mls_fd_use_all_levels($1_wm_t) + +- auth_use_nsswitch($1_wm_t) +- +- optional_policy(` +- dbus_spec_session_bus_client($1, $1_wm_t) +- dbus_system_bus_client($1_wm_t) +- +- optional_policy(` +- wm_dbus_chat($1, $3) +- ') +- ') +- + optional_policy(` + pulseaudio_run($1_wm_t, $2) + ') +@@ -89,7 +81,7 @@ template(`wm_role_template',` + + ######################################## + ## +-## Execute wm in the caller domain. ++## Execute the wm program in the wm domain. 
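Review bot: `auth_use_nsswitch($1_wm_t)` is added twice in `wm_role_template`, once before and once after `kernel_read_system_state($1_wm_t)`; drop one. The template also replaces `ps_process_pattern($3, $1_wm_t)` and `allow $3 $1_wm_t:process { ptrace signal_perms }` with the fixed set `{ signal sigchld signull }`, so the user domain can no longer inspect or kill its own window manager; if that is intended a comment would help. The dbus rules move out of `optional_policy` into unconditional `allow ... :dbus send_msg` lines, and the `wm_dbus_chat` interface removed in a later hunk of this file must have no remaining callers elsewhere in the policy for this to link.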
+ ## + ## + ## +@@ -102,33 +94,5 @@ interface(`wm_exec',` + type wm_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, wm_exec_t) + ') +- +-######################################## +-## +-## Send and receive messages from +-## specified wm over dbus. +-## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`wm_dbus_chat',` +- gen_require(` +- type $1_wm_t; +- class dbus send_msg; +- ') +- +- allow $2 $1_wm_t:dbus send_msg; +- allow $1_wm_t $2:dbus send_msg; +-') +diff --git a/wm.te b/wm.te +index 7c7f7fa..20ce90b 100644 +--- a/wm.te ++++ b/wm.te +@@ -1,36 +1,88 @@ +-policy_module(wm, 1.2.5) ++policy_module(wm, 1.2.0) ++ ++attribute wm_domain; + + ######################################## + # + # Declarations + # + +-attribute wm_domain; +- + type wm_exec_t; +- +-######################################## +-# +-# Common wm domain local policy +-# ++corecmd_executable_file(wm_exec_t) + + allow wm_domain self:fifo_file rw_fifo_file_perms; +-allow wm_domain self:process getsched; ++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; ++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ + allow wm_domain self:shm create_shm_perms; + allow wm_domain self:unix_dgram_socket create_socket_perms; + +-kernel_read_system_state(wm_domain) +- + dev_read_urand(wm_domain) ++dev_read_sound(wm_domain) ++dev_write_sound(wm_domain) ++dev_rw_wireless(wm_domain) ++dev_read_sysfs(wm_domain) ++ ++fs_getattr_all_fs(wm_domain) ++ ++corecmd_dontaudit_access_all_executables(wm_domain) ++corecmd_getattr_all_executables(wm_domain) + +-files_read_usr_files(wm_domain) ++application_signull(wm_domain) ++ ++init_read_state(wm_domain) + + miscfiles_read_fonts(wm_domain) +-miscfiles_read_localization(wm_domain) + +-userdom_manage_user_tmp_sockets(wm_domain) +-userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) 
++systemd_dbus_chat_logind(wm_domain) ++systemd_read_logind_sessions_files(wm_domain) ++systemd_write_inhibit_pipes(wm_domain) ++systemd_login_read_pid_files(wm_domain) ++ ++userdom_read_user_home_content_files(wm_domain) ++ ++udev_read_pid_files(wm_domain) ++ ++optional_policy(` ++ gnome_stream_connect_gkeyringd(wm_domain) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(wm_domain) ++ dbus_session_bus_client(wm_domain) ++ optional_policy(` ++ accountsd_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat_power(wm_domain) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ policykit_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(wm_domain) ++ ') ++') ++ ++optional_policy(` ++ pulseaudio_stream_connect(wm_domain) ++') ++ ++optional_policy(` ++ userhelper_exec_console(wm_domain) ++') + +-userdom_manage_user_home_content_dirs(wm_domain) +-userdom_manage_user_home_content_files(wm_domain) +-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) ++optional_policy(` ++ xserver_manage_core_devices(wm_domain) ++') +diff --git a/xen.fc b/xen.fc +index 42d83b0..651d1cb 100644 +--- a/xen.fc ++++ b/xen.fc +@@ -1,38 +1,42 @@ + /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) + +-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) +- + /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) + /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) + /usr/sbin/tapdisk -- 
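Review bot: `policy_module(wm, 1.2.0)` lowers the module version from 1.2.5; versions should only move up, and the same regression appears in xen.te in this patch (`1.12.5` to `1.12.0`). `systemd_dbus_chat_logind(wm_domain)` is called both unconditionally near the top of the hunk and again inside the dbus `optional_policy` block; keep only the guarded one. The new unconditional `systemd_*`, `udev_read_pid_files` and `userdom_read_user_home_content_files` calls sit outside `optional_policy`, unlike the other cross-module calls in this hunk, so the module fails to build when those modules are absent unless they are guaranteed to be present. `execmem` for every wm domain widens what a compromised window manager can do; a comment naming the program that needs it would help.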
gen_context(system_u:object_r:blktap_exec_t,s0) ++ ++#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ++ ++ifdef(`distro_debian',` ++/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) ++/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) ++/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) ++/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ++',` + /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) +-/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) ++/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) + /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) +-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ++/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) ++') + +-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) ++/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) + /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +-/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) ++/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) + /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) + + /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) +-/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xen(/.*)? 
gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0) + + /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) + /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) +-/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) +-/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) ++/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) ++/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) + /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +-/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) ++/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) + /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) + /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) + +-/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) ++/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +diff --git a/xen.if b/xen.if +index f93558c..16e29c1 100644 +--- a/xen.if ++++ b/xen.if +@@ -1,13 +1,13 @@ +-## Xen hypervisor. ++## Xen hypervisor + + ######################################## + ## + ## Execute a domain transition to run xend. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`xen_domtrans',` +@@ -15,18 +15,18 @@ interface(`xen_domtrans',` + type xend_t, xend_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, xend_exec_t, xend_t) + ') + + ######################################## + ## +-## Execute xend in the caller domain. 
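Review bot: On the non-Debian branch the entries for `/usr/sbin/xl` and `/usr/sbin/xm` are removed and not re-added, so those binaries lose `xm_exec_t` and `xen_domtrans_xm` from xen.if no longer applies to them; only the Debian branch still labels `xm`, and `xl` is labelled nowhere. The qemu-dm line stays commented out (`#/usr/lib/xen/bin/qemu-dm ...`) even though xen.te in this patch declares `qemu_dm_exec_t` and a `xend_run_qemu` tunable, so nothing ever carries that label and the transition is dead; uncomment it with the correct path or drop the type until it is used. Several other lines in this hunk change only whitespace.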
++## Allow the specified domain to execute xend ++## in the caller domain. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`xen_exec',` +@@ -34,7 +34,6 @@ interface(`xen_exec',` + type xend_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, xend_exec_t) + ') + +@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',` + dontaudit $1 xend_t:fd use; + ') + ++####################################### ++## ++## Read xend pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xen_read_pid_files_xenstored',` ++ gen_require(` ++ type xenstored_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ ++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ++') ++ + ######################################## + ## +-## Create, read, write, and delete +-## xend image directories. ++## Read xend lib files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # +-interface(`xen_manage_image_dirs',` ++interface(`xen_read_lib_files',` + gen_require(` + type xend_var_lib_t; + ') + +- files_search_var_lib($1) +- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) ++ files_list_var_lib($1) ++ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t) + ') + + ######################################## +@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',` + ## Read xend image files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`xen_read_image_files',` +@@ -111,18 +129,40 @@ interface(`xen_read_image_files',` + ') + + files_list_var_lib($1) ++ + list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) + ') + + ######################################## + ## +-## Read and write xend image files. ++## Allow the specified domain to read/write ++## xend image files. + ## + ## +-## ++## + ## Domain allowed access. 
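Review bot: The summary of the new `xen_read_pid_files_xenstored` reads `Read xend pid files.` but the interface reads `xenstored_var_run_t`; change it to `## Read xenstored pid files.`. It replaces `xen_read_xenstored_pid_files`, which a later hunk of this file deletes, so every caller of the old name must be updated in the same patch or the policy will not link. `xen_read_lib_files` takes the slot of `xen_manage_image_dirs`, which reappears further down with `files_list_var_lib($1)` instead of the `files_search_var_lib($1)` it had, which is a small change in what callers receive.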
+-## ++## ++## ++# ++interface(`xen_manage_image_dirs',` ++ gen_require(` ++ type xend_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read/write ++## xend image files. ++## ++## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`xen_rw_image_files',` +@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',` + + ######################################## + ## +-## Append xend log files. ++## Allow the specified domain to append ++## xend log files. + ## + ## + ## +@@ -157,13 +198,13 @@ interface(`xen_append_log',` + + ######################################## + ## +-## Create, read, write, and delete ++## Create, read, write, and delete the + ## xend log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`xen_manage_log',` +@@ -176,29 +217,11 @@ interface(`xen_manage_log',` + manage_files_pattern($1, xend_var_log_t, xend_var_log_t) + ') + +-####################################### +-## +-## Read xenstored pid files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`xen_read_xenstored_pid_files',` +- gen_require(` +- type xenstored_var_run_t; +- ') +- +- files_search_pids($1) +- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) +-') +- + ######################################## + ## + ## Do not audit attempts to read and write +-## Xen unix domain stream sockets. ++## Xen unix domain stream sockets. These ++## are leaked file descriptors. + ## + ## + ## +@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` + + ######################################## + ## +-## Connect to xenstored with a unix +-## domain stream socket. ++## Connect to xenstored over a unix stream socket. 
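Review bot: The parameter description of `xen_rw_image_files` now reads `Domain allowed to transition.` although the interface grants read/write on image files, and `xen_manage_image_dirs` is summarised as `Allow the specified domain to read/write xend image files.` although it manages directories; use `## Domain allowed access.` and `## Create, read, write, and delete xend image directories.` respectively. The body of `xen_rw_image_files` is outside this hunk.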
+ ## + ## + ## +@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',` + + ######################################## + ## +-## Connect to xend with a unix +-## domain stream socket. ++## Connect to xend over a unix domain stream socket. + ## + ## + ## +@@ -270,16 +291,15 @@ interface(`xen_stream_connect',` + interface(`xen_domtrans_xm',` + gen_require(` + type xm_t, xm_exec_t; ++ attribute virsh_transition_domain; + ') +- +- corecmd_search_bin($1) ++ typeattribute $1 virsh_transition_domain; + domtrans_pattern($1, xm_exec_t, xm_t) + ') + + ######################################## + ## +-## Connect to xm with a unix +-## domain stream socket. ++## Connect to xm over a unix stream socket. + ## + ## + ## +@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',` + # + interface(`xen_stream_connect_xm',` + gen_require(` +- type xm_t; ++ type xm_t, xenstored_var_run_t; + ') + + files_search_pids($1) +diff --git a/xen.te b/xen.te +index ed40676..3fe3e35 100644 +--- a/xen.te ++++ b/xen.te +@@ -1,42 +1,34 @@ +-policy_module(xen, 1.12.5) ++policy_module(xen, 1.12.0) + + ######################################## + # + # Declarations + # ++attribute xm_transition_domain; + + ## +-##
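Review bot: `typeattribute $1 virsh_transition_domain;` in `xen_domtrans_xm` requires an attribute that xen.te does not declare (presumably from the virt module) inside an interface with no `optional_policy` guard, so any caller now fails to link when that module is not loaded; xen.te in this patch declares `attribute xm_transition_domain;` which nothing visible uses, so one of the two names looks like a mistake. `xen_stream_connect_xm` now requires `xenstored_var_run_t` but the visible part of its body does not use it; the rest of that interface is outside the hunk.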

    +-## Determine whether xend can +-## run blktapctrl and tapdisk. ++##

    ++## Allow xend to run blktapctrl/tapdisk. ++## Not required if using dedicated logical volumes for disk images. + ##

    + ##
    +-gen_tunable(xend_run_blktap, false) ++gen_tunable(xend_run_blktap, true) + + ## +-##

    +-## Determine whether xen can +-## use fusefs file systems. +-##

    ++##

    ++## Allow xend to run qemu-dm. ++## Not required if using paravirt and no vfb. ++##

    + ##
    +-gen_tunable(xen_use_fusefs, false) ++gen_tunable(xend_run_qemu, true) + + ## +-##

    +-## Determine whether xen can +-## use nfs file systems. +-##

    ++##

    ++## Allow xen to manage nfs files ++##

    + ##
    + gen_tunable(xen_use_nfs, false) + +-## +-##

    +-## Determine whether xen can +-## use samba file systems. +-##

    +-##
    +-gen_tunable(xen_use_samba, false) +- + type blktap_t; + type blktap_exec_t; + domain_type(blktap_t) +@@ -50,41 +42,55 @@ type evtchnd_t; + type evtchnd_exec_t; + init_daemon_domain(evtchnd_t, evtchnd_exec_t) + ++# log files + type evtchnd_var_log_t; + logging_log_file(evtchnd_var_log_t) + ++# pid files + type evtchnd_var_run_t; + files_pid_file(evtchnd_var_run_t) + ++type qemu_dm_t; ++type qemu_dm_exec_t; ++domain_type(qemu_dm_t) ++domain_entry_file(qemu_dm_t, qemu_dm_exec_t) ++role system_r types qemu_dm_t; ++ ++# console ptys + type xen_devpts_t; + term_pty(xen_devpts_t) + files_type(xen_devpts_t) + ++# Xen Image files + type xen_image_t; # customizable + files_type(xen_image_t) ++# xen_image_t can be assigned to blk devices + dev_node(xen_image_t) +- +-optional_policy(` +- virt_image(xen_image_t) +-') ++virt_image(xen_image_t) + + type xenctl_t; + files_type(xenctl_t) + + type xend_t; + type xend_exec_t; ++domain_type(xend_t) + init_daemon_domain(xend_t, xend_exec_t) + ++# tmp files + type xend_tmp_t; + files_tmp_file(xend_tmp_t) + ++# var/lib files + type xend_var_lib_t; + files_type(xend_var_lib_t) ++# for mounting an NFS store + files_mountpoint(xend_var_lib_t) + ++# log files + type xend_var_log_t; + logging_log_file(xend_var_log_t) + ++# pid files + type xend_var_run_t; + files_pid_file(xend_var_run_t) + files_mountpoint(xend_var_run_t) +@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) + type xenstored_tmp_t; + files_tmp_file(xenstored_tmp_t) + ++# var/lib files + type xenstored_var_lib_t; + files_type(xenstored_var_lib_t) + files_mountpoint(xenstored_var_lib_t) + ++# log files + type xenstored_var_log_t; + logging_log_file(xenstored_var_log_t) + ++# pid files + type xenstored_var_run_t; + files_pid_file(xenstored_var_run_t) +-init_daemon_run_dir(xenstored_var_run_t, "xenstored") + + type xenconsoled_t; + type xenconsoled_exec_t; + init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) + ++# pid files + type xenconsoled_var_run_t; 
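Review bot: The new `attribute xm_transition_domain;` at the top of xen.te does not match the name xen.if's `xen_domtrans_xm` now requires (`virsh_transition_domain`), so one of the two files references an attribute this module never defines; use one name in both places. Separately, `xend_run_blktap` flips from `false` to `true` and the new `xend_run_qemu` defaults to `true`, so a default install lets xend spawn blktap and qemu-dm without an administrator opting in — if that is intended, state it in the description text, otherwise keep the conservative `false` defaults. The `policy_module` version also moves backwards from 1.12.5 to 1.12.0, which can confuse module upgrade logic that compares versions against what is already installed.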
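Review bot: `virt_image(xen_image_t)` is moved out of its `optional_policy` wrapper, which turns the virt module into a hard build dependency of xen; if that is intended it is fine, otherwise restore the `optional_policy(` … `')` wrapper. The added `domain_type(xend_t)` directly above `init_daemon_domain(xend_t, xend_exec_t)` looks redundant, since init_daemon_domain already applies domain_type to the daemon domain (worth confirming against the init interface). The new `qemu_dm_t` declaration gives no hint that it is only ever entered through the `xend_run_qemu` tunable further down; a one-line comment such as `# entered from xend_t via domtrans when xend_run_qemu is on` next to `role system_r types qemu_dm_t;` would help.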
+ files_pid_file(xenconsoled_var_run_t) + +-type xm_t; +-type xm_exec_t; +-init_system_domain(xm_t, xm_exec_t) +- + ######################################## + # + # blktap local policy + # +- ++# Do we need to allow execution of blktap? + tunable_policy(`xend_run_blktap',` ++ # If yes, transition to its own domain. + domtrans_pattern(xend_t, blktap_exec_t, blktap_t) + +- allow blktap_t self:fifo_file { read write }; ++',` ++ # If no, then silently refuse to run it. ++ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; ++') + +- dev_read_sysfs(blktap_t) +- dev_rw_xen(blktap_t) ++allow blktap_t self:fifo_file { read write }; + +- files_read_etc_files(blktap_t) ++dev_read_sysfs(blktap_t) ++dev_rw_xen(blktap_t) + +- logging_send_syslog_msg(blktap_t) + +- miscfiles_read_localization(blktap_t) ++logging_send_syslog_msg(blktap_t) + +- xen_stream_connect_xenstore(blktap_t) +-',` +- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; +-') ++xen_stream_connect_xenstore(blktap_t) + + ####################################### + # +@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',` + # + + manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +-append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +-create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +-setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) ++manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) + logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) + + manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +@@ -160,28 +163,68 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + + ######################################## + # ++# qemu-dm local policy ++# ++ ++# TODO: This part of policy should be removed ++# qemu-dm should run in xend_t domain ++ ++# Do we need to allow execution of qemu-dm? 
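Review bot: Removing `init_daemon_run_dir(xenstored_var_run_t, "xenstored")` means nothing in this module labels a `/var/run/xenstored` directory created by init as `xenstored_var_run_t`; unless a tmpfiles.d entry or another file transition covers it, the directory is created with the generic pid type and xenstored is denied on it. The blktap rules that move out of the `xend_run_blktap` tunable block are harmless while the boolean is off because the domtrans is still gated, but a comment saying exactly that would save the next reader from wondering why `blktap_t` now gets sysfs and xen device access unconditionally.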
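Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` with `manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)` gives evtchnd read, write, rename and unlink on its own logs, losing the append-only property the three previous rules provided. If evtchnd does not rotate or truncate its own log, keep the original lines; if it does, a comment naming the operation that needs `write`/`unlink` would justify the widening.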
++tunable_policy(`xend_run_qemu',` ++ allow qemu_dm_t self:capability sys_resource; ++ allow qemu_dm_t self:process setrlimit; ++ allow qemu_dm_t self:fifo_file { read write }; ++ allow qemu_dm_t self:tcp_socket create_stream_socket_perms; ++ ++ # If yes, transition to its own domain. ++ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t) ++ ++ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t) ++ ++ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t) ++ ++ corenet_tcp_bind_generic_node(qemu_dm_t) ++ corenet_tcp_bind_vnc_port(qemu_dm_t) ++ ++ dev_rw_xen(qemu_dm_t) ++ ++ ++ fs_manage_xenfs_dirs(qemu_dm_t) ++ fs_manage_xenfs_files(qemu_dm_t) ++ ++ ++ xen_stream_connect_xenstore(qemu_dm_t) ++',` ++ # If no, then silently refuse to run it. ++ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans }; ++') ++ ++######################################## ++# + # xend local policy + # + +-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; +-dontaudit xend_t self:capability { sys_ptrace }; +-allow xend_t self:process { setrlimit signal sigkill }; +-dontaudit xend_t self:process ptrace; ++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; ++allow xend_t self:process { signal sigkill }; ++ ++# needed by qemu_dm ++allow xend_t self:capability sys_resource; ++allow xend_t self:process setrlimit; ++ ++# internal communication is often done using fifo and unix sockets. 
+ allow xend_t self:fifo_file rw_fifo_file_perms; +-allow xend_t self:unix_stream_socket { accept listen }; +-allow xend_t self:tcp_socket { accept listen }; ++allow xend_t self:unix_stream_socket create_stream_socket_perms; ++allow xend_t self:unix_dgram_socket create_socket_perms; ++allow xend_t self:netlink_route_socket r_netlink_socket_perms; ++allow xend_t self:tcp_socket create_stream_socket_perms; + allow xend_t self:packet_socket create_socket_perms; + allow xend_t self:tun_socket create_socket_perms; + + allow xend_t xen_image_t:dir list_dir_perms; + manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) +-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t) + manage_files_pattern(xend_t, xen_image_t, xen_image_t) + read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) +-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t) +-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t) + rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) +-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file) + + allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; + dev_filetrans(xend_t, xenctl_t, fifo_file) +@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) + manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) + files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) + ++# pid file + manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) + manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) + manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) + manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) + files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) + ++# log files + manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) +-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) +-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) +-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) ++manage_files_pattern(xend_t, xend_var_log_t, 
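Review bot: The `# TODO: This part of policy should be removed / qemu-dm should run in xend_t domain` comment proposes folding the device model into the privileged xend_t domain, which is the opposite of what confinement wants: qemu-dm handles guest-controlled I/O and listens on VNC (`corenet_tcp_bind_vnc_port(qemu_dm_t)`), so keeping it in its own `qemu_dm_t` is the right shape and the TODO should be dropped or reworded. Consistent with that, the `# needed by qemu_dm` rules granting `sys_resource` and `setrlimit` to xend_t itself are only needed if qemu-dm runs as xend_t; with the transition in place they can probably be removed from xend_t. The hunk also widens `xend_t self:tcp_socket` from `{ accept listen }` to `create_stream_socket_perms` and drops the `sys_ptrace`/`ptrace` dontaudits without a comment explaining the new need.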
xend_var_log_t) + manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) + logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) + ++# var/lib files for xend + manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) + ++# transition to store ++domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) ++ ++# manage xenstored pid file + manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) + +-allow xend_t xenstored_var_lib_t:dir list_dir_perms; ++# mount tmpfs on /var/lib/xenstored ++allow xend_t xenstored_var_lib_t:dir read; + ++# transition to console + domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) +-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) +- +-xen_stream_connect_xenstore(xend_t) + + kernel_read_kernel_sysctls(xend_t) + kernel_read_system_state(xend_t) +@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t) + kernel_read_xen_state(xend_t) + kernel_rw_net_sysctls(xend_t) + kernel_read_network_state(xend_t) ++kernel_request_load_module(xend_t) + + corecmd_exec_bin(xend_t) + corecmd_exec_shell(xend_t) + +-corenet_all_recvfrom_unlabeled(xend_t) + corenet_all_recvfrom_netlabel(xend_t) + corenet_tcp_sendrecv_generic_if(xend_t) + corenet_tcp_sendrecv_generic_node(xend_t) + corenet_tcp_sendrecv_all_ports(xend_t) + corenet_tcp_bind_generic_node(xend_t) +- +-corenet_sendrecv_xen_server_packets(xend_t) + corenet_tcp_bind_xen_port(xend_t) +- +-corenet_sendrecv_soundd_server_packets(xend_t) + corenet_tcp_bind_soundd_port(xend_t) +- +-corenet_sendrecv_generic_server_packets(xend_t) + corenet_tcp_bind_generic_port(xend_t) +- +-corenet_sendrecv_vnc_server_packets(xend_t) + corenet_tcp_bind_vnc_port(xend_t) +- 
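Review bot: `allow xend_t xenstored_var_lib_t:dir read;` under the comment `# mount tmpfs on /var/lib/xenstored` neither grants `mounton` nor keeps the `getattr search open` that `list_dir_perms` carried, so it is narrower than the old rule and does not match its own comment. If xend only enumerates the directory, `list_dir_perms` was the right set; if xend itself mounts on it the rule needs `mounton`, and if the mount is done in mount_t via the existing `mount_domtrans(xend_t)` the comment is misleading and should say so. The change from append/create/setattr to `manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)` also gives xend unlink/overwrite on its logs; keep append-only unless a rotation case needs more.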
+-corenet_sendrecv_xserver_client_packets(xend_t) + corenet_tcp_connect_xserver_port(xend_t) +- +-corenet_sendrecv_xen_client_packets(xend_t) + corenet_tcp_connect_xen_port(xend_t) +- ++corenet_sendrecv_xserver_client_packets(xend_t) ++corenet_sendrecv_xen_server_packets(xend_t) ++corenet_sendrecv_xen_client_packets(xend_t) ++corenet_sendrecv_soundd_server_packets(xend_t) + corenet_rw_tun_tap_dev(xend_t) + +-dev_getattr_all_chr_files(xend_t) + dev_read_urand(xend_t) ++# run lsscsi ++dev_getattr_all_chr_files(xend_t) + dev_filetrans_xen(xend_t) + dev_rw_sysfs(xend_t) + dev_rw_xen(xend_t) + + domain_dontaudit_read_all_domains_state(xend_t) +-domain_dontaudit_ptrace_all_domains(xend_t) + +-files_read_etc_files(xend_t) + files_read_kernel_symbol_table(xend_t) + files_read_kernel_img(xend_t) + files_manage_etc_runtime_files(xend_t) + files_etc_filetrans_etc_runtime(xend_t, file) +-files_read_usr_files(xend_t) + files_read_default_symlinks(xend_t) +-files_search_mnt(xend_t) + +-fs_getattr_all_fs(xend_t) +-fs_list_auto_mountpoints(xend_t) +-fs_read_dos_files(xend_t) + fs_read_removable_blk_files(xend_t) +-fs_manage_xenfs_dirs(xend_t) +-fs_manage_xenfs_files(xend_t) + + storage_read_scsi_generic(xend_t) + +@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t) + + logging_send_syslog_msg(xend_t) + +-miscfiles_read_localization(xend_t) ++auth_read_passwd(xend_t) ++ + miscfiles_read_hwdata(xend_t) + + sysnet_domtrans_dhcpc(xend_t) +@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t) + + userdom_dontaudit_search_user_home_dirs(xend_t) + +-tunable_policy(`xen_use_fusefs',` +- fs_manage_fusefs_dirs(xend_t) +- fs_manage_fusefs_files(xend_t) +- fs_read_fusefs_symlinks(xend_t) +-') +- +-tunable_policy(`xen_use_nfs',` +- fs_manage_nfs_dirs(xend_t) +- fs_manage_nfs_files(xend_t) +- fs_read_nfs_symlinks(xend_t) +-') +- +-tunable_policy(`xen_use_samba',` +- fs_manage_cifs_dirs(xend_t) +- fs_manage_cifs_files(xend_t) +- fs_read_cifs_symlinks(xend_t) +-') 
++xen_stream_connect_xenstore(xend_t) + + optional_policy(` + brctl_domtrans(xend_t) +@@ -342,7 +357,7 @@ optional_policy(` + mount_domtrans(xend_t) + ') + +-optional_policy(` ++optional_policy(` + netutils_domtrans(xend_t) + ') + +@@ -351,6 +366,7 @@ optional_policy(` + ') + + optional_policy(` ++ virt_manage_default_image_type(xend_t) + virt_search_images(xend_t) + virt_read_config(xend_t) + ') +@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit; + allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; + allow xenconsoled_t self:fifo_file rw_fifo_file_perms; + +-allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; +- +-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) ++allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr }; + ++# pid file + manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) + manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) + files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) +@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t) + dev_filetrans_xen(xenconsoled_t) + dev_rw_sysfs(xenconsoled_t) + +-domain_dontaudit_ptrace_all_domains(xenconsoled_t) +- +-files_read_etc_files(xenconsoled_t) +-files_read_usr_files(xenconsoled_t) + + fs_list_tmpfs(xenconsoled_t) + fs_manage_xenfs_dirs(xenconsoled_t) +@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t) + + term_create_pty(xenconsoled_t, xen_devpts_t) + term_use_generic_ptys(xenconsoled_t) +-term_use_console(xenconsoled_t) + + init_use_fds(xenconsoled_t) + init_use_script_ptys(xenconsoled_t) + +-logging_search_logs(xenconsoled_t) +- +-miscfiles_read_localization(xenconsoled_t) ++auth_read_passwd(xenconsoled_t) + 
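Review bot: Dropping the `xen_use_fusefs` and `xen_use_samba` tunable blocks (and their `gen_tunable` declarations earlier in this patch) removes booleans administrators may already have set, and the relocated `xen_use_nfs` block later in the file no longer includes `fs_manage_nfs_dirs(xend_t)`, so NFS-backed image directories can no longer be created by xend. If FUSE and CIFS image stores are intentionally unsupported now, a comment or changelog note should say so; otherwise keep the three tunable blocks as they were. `kernel_request_load_module(xend_t)` is new and unexplained — a one-line comment naming what xend autoloads would help.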
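Review bot: `virt_manage_default_image_type(xend_t)` lets xend create, write and delete every file of the default virt image type, not just its own `xen_image_t`, and nothing nearby says which xend operation needs that. The existing `virt_search_images`/`virt_read_config` already cover locating libvirt-managed images, so a comment such as `# xend writes libvirt-managed disk images when <operation>` is needed to justify the blanket grant, or the line should be dropped.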
++xen_manage_log(xenconsoled_t) + xen_stream_connect_xenstore(xenconsoled_t) + + optional_policy(` +@@ -416,24 +422,26 @@ optional_policy(` + # + + allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; +-allow xenstored_t self:unix_stream_socket { accept listen }; ++allow xenstored_t self:unix_stream_socket create_stream_socket_perms; ++allow xenstored_t self:unix_dgram_socket create_socket_perms; + + manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) + manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) + files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) + ++# pid file + manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) + manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) + manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) + files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) + ++# log files + manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +-append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +-create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +-setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) ++manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) + manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) + logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) + ++# var/lib files for xenstored + manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) + manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) + manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) +@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t) + dev_rw_xen(xenstored_t) + dev_read_sysfs(xenstored_t) + +-files_read_etc_files(xenstored_t) +-files_read_usr_files(xenstored_t) ++ + + 
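Review bot: `term_use_console(xenconsoled_t)` is removed here and re-added later in this patch under the `# xenstored local policy` heading, next to the xenstored_t rules, so the rule survives but lands in the wrong section; move it back beside `term_use_generic_ptys(xenconsoled_t)`. The new `xen_manage_log(xenconsoled_t)` also widens xenconsoled from append/create/setattr on `xend_var_log_t` (removed in the previous hunk) to full manage including unlink; `xen_append_log(xenconsoled_t)` would preserve the append-only property if creating the log file is not needed.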
fs_search_xenfs(xenstored_t) + fs_manage_xenfs_files(xenstored_t) + + term_use_generic_ptys(xenstored_t) ++term_use_console(xenconsoled_t) + + init_use_fds(xenstored_t) + init_use_script_ptys(xenstored_t) + + logging_send_syslog_msg(xenstored_t) + +-miscfiles_read_localization(xenstored_t) +- + xen_append_log(xenstored_t) + +-######################################## +-# +-# xm local policy +-# +- +-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow xm_t self:process { getcap getsched setsched setcap signal }; +-allow xm_t self:fifo_file rw_fifo_file_perms; +-allow xm_t self:unix_stream_socket { accept connectto listen }; +-allow xm_t self:tcp_socket { accept listen }; +- +-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) +-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) +-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) +- +-manage_files_pattern(xm_t, xen_image_t, xen_image_t) +-manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t) +-manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t) +- +-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t) +- +-xen_manage_image_dirs(xm_t) +-xen_append_log(xm_t) +-xen_domtrans(xm_t) +-xen_stream_connect(xm_t) +-xen_stream_connect_xenstore(xm_t) +- +-can_exec(xm_t, xm_exec_t) +- +-kernel_read_system_state(xm_t) +-kernel_read_network_state(xm_t) +-kernel_read_kernel_sysctls(xm_t) +-kernel_read_sysctl(xm_t) +-kernel_read_xen_state(xm_t) +-kernel_write_xen_state(xm_t) +- +-corecmd_exec_bin(xm_t) +-corecmd_exec_shell(xm_t) +- +-corenet_all_recvfrom_unlabeled(xm_t) +-corenet_all_recvfrom_netlabel(xm_t) +-corenet_tcp_sendrecv_generic_if(xm_t) +-corenet_tcp_sendrecv_generic_node(xm_t) +- +-corenet_sendrecv_soundd_client_packets(xm_t) +-corenet_tcp_connect_soundd_port(xm_t) +-corenet_tcp_sendrecv_soundd_port(xm_t) +- +-dev_read_rand(xm_t) +-dev_read_urand(xm_t) +-dev_read_sysfs(xm_t) +- +-files_read_etc_runtime_files(xm_t) 
+-files_read_etc_files(xm_t) +-files_read_usr_files(xm_t) +-files_search_pids(xm_t) +-files_search_var_lib(xm_t) +-files_list_mnt(xm_t) +-files_list_tmp(xm_t) +- +-fs_getattr_all_fs(xm_t) +-fs_manage_xenfs_dirs(xm_t) +-fs_manage_xenfs_files(xm_t) +-fs_search_auto_mountpoints(xm_t) +- +-storage_raw_read_fixed_disk(xm_t) +- +-term_use_all_terms(xm_t) +- +-init_stream_connect_script(xm_t) +-init_rw_script_stream_sockets(xm_t) +-init_use_fds(xm_t) +- +-logging_send_syslog_msg(xm_t) +- +-miscfiles_read_localization(xm_t) +- +-sysnet_dns_name_resolve(xm_t) +- +-tunable_policy(`xen_use_fusefs',` +- fs_manage_fusefs_dirs(xm_t) +- fs_manage_fusefs_files(xm_t) +- fs_read_fusefs_symlinks(xm_t) +-') +- +-tunable_policy(`xen_use_nfs',` +- fs_manage_nfs_dirs(xm_t) +- fs_manage_nfs_files(xm_t) +- fs_read_nfs_symlinks(xm_t) +-') +- +-tunable_policy(`xen_use_samba',` +- fs_manage_cifs_dirs(xm_t) +- fs_manage_cifs_files(xm_t) +- fs_read_cifs_symlinks(xm_t) +-') +- + optional_policy(` +- cron_system_entry(xm_t, xm_exec_t) ++ virt_read_config(xenstored_t) + ') + ++######################################## ++# ++# SSH component local policy ++# + optional_policy(` +- dbus_system_bus_client(xm_t) +- +- optional_policy(` +- hal_dbus_chat(xm_t) ++ #Should have a boolean wrapping these ++ fs_list_auto_mountpoints(xend_t) ++ files_search_mnt(xend_t) ++ fs_getattr_all_fs(xend_t) ++ fs_read_dos_files(xend_t) ++ fs_manage_xenfs_dirs(xend_t) ++ fs_manage_xenfs_files(xend_t) ++ ++ tunable_policy(`xen_use_nfs',` ++ fs_manage_nfs_files(xend_t) ++ fs_read_nfs_symlinks(xend_t) + ') + ') +- +-optional_policy(` +- rpm_exec(xm_t) +-') +- +-optional_policy(` +- vhostmd_rw_tmpfs_files(xm_t) +- vhostmd_stream_connect(xm_t) +- vhostmd_dontaudit_rw_stream_connect(xm_t) +-') +- +-optional_policy(` +- virt_domtrans(xm_t) +- virt_manage_images(xm_t) +- virt_manage_config(xm_t) +- virt_stream_connect(xm_t) +-') +- +-optional_policy(` +- ssh_basic_client_template(xm, xm_t, system_r) +- +- 
kernel_read_xen_state(xm_ssh_t) +- kernel_write_xen_state(xm_ssh_t) +- +- files_search_tmp(xm_ssh_t) +- +- fs_manage_xenfs_dirs(xm_ssh_t) +- fs_manage_xenfs_files(xm_ssh_t) +-') +diff --git a/xfs.te b/xfs.te +index 0cea2cd..7668014 100644 +--- a/xfs.te ++++ b/xfs.te +@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) + kernel_read_kernel_sysctls(xfs_t) + kernel_read_system_state(xfs_t) + +-corenet_all_recvfrom_unlabeled(xfs_t) + corenet_all_recvfrom_netlabel(xfs_t) + corenet_tcp_sendrecv_generic_if(xfs_t) + corenet_tcp_sendrecv_generic_node(xfs_t) +@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t) + domain_use_interactive_fds(xfs_t) + + files_read_etc_runtime_files(xfs_t) +-files_read_usr_files(xfs_t) + + auth_use_nsswitch(xfs_t) + +@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") + + logging_send_syslog_msg(xfs_t) + +-miscfiles_read_localization(xfs_t) + miscfiles_read_fonts(xfs_t) + + userdom_dontaudit_use_unpriv_user_fds(xfs_t) +diff --git a/xguest.te b/xguest.te +index 2882821..8cf4841 100644 +--- a/xguest.te ++++ b/xguest.te +@@ -1,4 +1,4 @@ +-policy_module(xguest, 1.1.2) ++policy_module(xguest, 1.1.0) + + ######################################## + # +@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2) + # + + ## +-##
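Review bot: The heading `# SSH component local policy` now sits over an `optional_policy` block holding xend_t filesystem rules, and that `optional_policy` wraps no external-module interface, so the wrapper does nothing and the heading is wrong; rename it (e.g. `# xend filesystem access, should be boolean-gated`) and drop the wrapper, which is what the `#Should have a boolean wrapping these` comment already asks for. `term_use_console(xenconsoled_t)` is placed among the xenstored_t rules and belongs in the xenconsoled section. The `xen_use_nfs` block lost `fs_manage_nfs_dirs(xend_t)` compared with the removed version, so add it back unless directory creation on NFS is intentionally unsupported. With the entire `xm_t` policy removed here, xen.if still exposes `xen_domtrans_xm`/`xen_stream_connect_xm` requiring `xm_t`; confirm those types are declared elsewhere now.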

    +-## Determine whether xguest can +-## mount removable media. +-##

    ++##

    ++## Allow xguest users to mount removable media ++##

    + ##
    +-gen_tunable(xguest_mount_media, false) ++gen_tunable(xguest_mount_media, true) + + ## +-##

    +-## Determine whether xguest can +-## configure network manager. +-##

    ++##

    ++## Allow xguest users to configure Network Manager and connect to apache ports ++##

    + ##
    +-gen_tunable(xguest_connect_network, false) ++gen_tunable(xguest_connect_network, true) + + ## +-##

    +-## Determine whether xguest can +-## use blue tooth devices. +-##

    ++##

    ++## Allow xguest to use blue tooth devices ++##

    + ##
    +-gen_tunable(xguest_use_bluetooth, false) ++gen_tunable(xguest_use_bluetooth, true) + + role xguest_r; + + userdom_restricted_xwindows_user_template(xguest) ++sysnet_dns_name_resolve(xguest_t) ++ ++init_dbus_chat(xguest_t) ++init_status(xguest_t) ++systemd_dontaudit_dbus_chat(xguest_t) + + ######################################## + # + # Local policy + # + +-kernel_dontaudit_request_load_module(xguest_t) +- + ifndef(`enable_mls',` + fs_exec_noxattr(xguest_t) + +- tunable_policy(`user_rw_noexattrfile',` ++ tunable_policy(`selinuxuser_rw_noexattrfile',` + fs_manage_noxattr_fs_files(xguest_t) + fs_manage_noxattr_fs_dirs(xguest_t) ++ # Write floppies + storage_raw_read_removable_device(xguest_t) + storage_raw_write_removable_device(xguest_t) + ',` +@@ -54,9 +55,22 @@ ifndef(`enable_mls',` + ') + + optional_policy(` ++ # Dontaudit fusermount ++ mount_dontaudit_exec_fusermount(xguest_t) ++') ++ ++kernel_dontaudit_request_load_module(xguest_t) ++kernel_read_software_raid_state(xguest_t) ++ ++tunable_policy(`selinuxuser_execstack',` ++ allow xguest_t self:process execstack; ++') ++ ++# Allow mounting of file systems ++optional_policy(` + tunable_policy(`xguest_mount_media',` + kernel_read_fs_sysctls(xguest_t) +- ++ kernel_request_load_module(xguest_t) + files_dontaudit_getattr_boot_dirs(xguest_t) + files_search_mnt(xguest_t) + +@@ -65,10 +79,9 @@ optional_policy(` + fs_manage_noxattr_fs_dirs(xguest_t) + fs_getattr_noxattr_fs(xguest_t) + fs_read_noxattr_fs_symlinks(xguest_t) ++ fs_mount_fusefs(xguest_t) + + auth_list_pam_console_data(xguest_t) +- +- init_read_utmp(xguest_t) + ') + ') + +@@ -84,12 +97,17 @@ optional_policy(` + ') + ') + ++ + optional_policy(` +- apache_role(xguest_r, xguest_t) ++ colord_dbus_chat(xguest_t) ++') ++ ++optional_policy(` ++ chrome_role(xguest_r, xguest_t) + ') + + optional_policy(` +- gnomeclock_dontaudit_dbus_chat(xguest_t) ++ dbus_dontaudit_chat_system_bus(xguest_t) + ') + + optional_policy(` +@@ -97,75 +115,82 @@ optional_policy(` + ') + 
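Review bot: All three xguest booleans (`xguest_mount_media`, `xguest_connect_network`, `xguest_use_bluetooth`) flip to default `true`, so the most restricted user role gets media mounting, NetworkManager configuration and bluetooth out of the box; the description text should at least state they are on by default, and the conservative `false` defaults are worth keeping for a guest account. `init_dbus_chat(xguest_t)` and `init_status(xguest_t)` are also added above the `# Local policy` heading; `init_dbus_chat` is a two-way D-Bus channel to init, so a comment naming the operation that needs it would justify the grant, and the rules belong under the local policy heading rather than in the declarations section.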
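Review bot: `kernel_request_load_module(xguest_t)` inside the `xguest_mount_media` block lets the guest user trigger kernel module autoloading (whatever filesystem driver the inserted media claims to need), which contradicts the `kernel_dontaudit_request_load_module(xguest_t)` kept a few lines above and exposes rarely used module code to an untrusted user. If mounting removable media genuinely needs it, add a comment naming the trigger; otherwise drop it and let the mount helper domain do the loading. The new `selinuxuser_execstack` block granting `execstack` to xguest_t also deserves a comment, since the guest role is the one place an executable stack should stay off.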
+ optional_policy(` +- java_role(xguest_r, xguest_t) ++ apache_role(xguest_r, xguest_t) + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) ++ gnome_role(xguest_r, xguest_t) + ') + + optional_policy(` +- tunable_policy(`xguest_connect_network',` +- kernel_read_network_state(xguest_t) ++ mozilla_run_plugin(xguest_t, xguest_r) ++') + ++optional_policy(` ++ mount_run_fusermount(xguest_t, xguest_r) ++') ++ ++optional_policy(` ++ pcscd_read_pid_files(xguest_t) ++ pcscd_stream_connect(xguest_t) ++') ++ ++optional_policy(` ++ rhsmcertd_dontaudit_dbus_chat(xguest_t) ++') ++ ++optional_policy(` ++ tunable_policy(`xguest_connect_network',` + networkmanager_dbus_chat(xguest_t) + networkmanager_read_lib_files(xguest_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`xguest_connect_network',` ++ kernel_read_network_state(xguest_t) + +- corenet_all_recvfrom_unlabeled(xguest_t) +- corenet_all_recvfrom_netlabel(xguest_t) ++ corenet_tcp_connect_pulseaudio_port(xguest_t) + corenet_tcp_sendrecv_generic_if(xguest_t) + corenet_raw_sendrecv_generic_if(xguest_t) + corenet_tcp_sendrecv_generic_node(xguest_t) + corenet_raw_sendrecv_generic_node(xguest_t) +- +- corenet_sendrecv_pulseaudio_client_packets(xguest_t) +- corenet_tcp_connect_pulseaudio_port(xguest_t) +- corenet_tcp_sendrecv_pulseaudio_port(xguest_t) +- +- corenet_sendrecv_http_client_packets(xguest_t) +- corenet_tcp_connect_http_port(xguest_t) ++ corenet_tcp_connect_commplex_link_port(xguest_t) + corenet_tcp_sendrecv_http_port(xguest_t) +- +- corenet_sendrecv_http_cache_client_packets(xguest_t) +- corenet_tcp_connect_http_cache_port(xguest_t) + corenet_tcp_sendrecv_http_cache_port(xguest_t) +- +- corenet_sendrecv_squid_client_packets(xguest_t) +- corenet_tcp_connect_squid_port(xguest_t) + corenet_tcp_sendrecv_squid_port(xguest_t) +- +- corenet_sendrecv_ftp_client_packets(xguest_t) +- corenet_tcp_connect_ftp_port(xguest_t) + corenet_tcp_sendrecv_ftp_port(xguest_t) +- +- corenet_sendrecv_ipp_client_packets(xguest_t) 
+- corenet_tcp_connect_ipp_port(xguest_t) + corenet_tcp_sendrecv_ipp_port(xguest_t) +- +- corenet_sendrecv_generic_client_packets(xguest_t) ++ corenet_tcp_connect_http_port(xguest_t) ++ corenet_tcp_connect_http_cache_port(xguest_t) ++ corenet_tcp_connect_squid_port(xguest_t) ++ corenet_tcp_connect_flash_port(xguest_t) ++ corenet_tcp_connect_ftp_port(xguest_t) ++ corenet_tcp_connect_ipp_port(xguest_t) + corenet_tcp_connect_generic_port(xguest_t) +- corenet_tcp_sendrecv_generic_port(xguest_t) +- +- corenet_sendrecv_soundd_client_packets(xguest_t) + corenet_tcp_connect_soundd_port(xguest_t) +- corenet_tcp_sendrecv_soundd_port(xguest_t) +- +- corenet_sendrecv_speech_client_packets(xguest_t) +- corenet_tcp_connect_speech_port(xguest_t) +- corenet_tcp_sendrecv_speech_port(xguest_t) +- +- corenet_sendrecv_transproxy_client_packets(xguest_t) +- corenet_tcp_connect_transproxy_port(xguest_t) +- corenet_tcp_sendrecv_transproxy_port(xguest_t) +- ++ corenet_sendrecv_http_client_packets(xguest_t) ++ corenet_sendrecv_http_cache_client_packets(xguest_t) ++ corenet_sendrecv_squid_client_packets(xguest_t) ++ corenet_sendrecv_ftp_client_packets(xguest_t) ++ corenet_sendrecv_ipp_client_packets(xguest_t) ++ corenet_sendrecv_generic_client_packets(xguest_t) ++ # Should not need other ports + corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) + corenet_dontaudit_tcp_bind_generic_port(xguest_t) ++ corenet_tcp_connect_speech_port(xguest_t) ++ corenet_tcp_sendrecv_transproxy_port(xguest_t) ++ corenet_tcp_connect_transproxy_port(xguest_t) + ') + ') + + optional_policy(` +- pcscd_read_pid_files(xguest_t) +- pcscd_stream_connect(xguest_t) ++ gen_require(` ++ type mozilla_t; ++ ') ++ ++ allow xguest_t mozilla_t:process transition; ++ role xguest_r types mozilla_t; + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) ++gen_user(xguest_u, user, xguest_r, s0, s0) +diff --git a/xprint.te b/xprint.te +index 3c44d84..ce5e69d 100644 +--- a/xprint.te ++++ b/xprint.te +@@ -32,7 +32,6 @@ 
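Review bot: The trailing `allow xguest_t mozilla_t:process transition;` plus `role xguest_r types mozilla_t;` is only half a domain transition — there is no `execute` on the mozilla entry file and no entrypoint/type_transition, which `domtrans_pattern` or the `mozilla_role(xguest_r, xguest_t)` call this hunk removes would have supplied; either restore `mozilla_role` or use the mozilla interfaces instead of a raw allow. `gen_user(xguest_u, user, xguest_r, s0, s0)` is also uncommented, so xguest_u is now defined in base policy; confirm that does not clash with an existing `semanage user` definition. Under the `# Should not need other ports` comment, `corenet_tcp_connect_flash_port` and `corenet_tcp_connect_commplex_link_port` are new and unexplained.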
kernel_read_kernel_sysctls(xprint_t) + corecmd_exec_bin(xprint_t) + corecmd_exec_shell(xprint_t) + +-corenet_all_recvfrom_unlabeled(xprint_t) + corenet_all_recvfrom_netlabel(xprint_t) + corenet_tcp_sendrecv_generic_if(xprint_t) + corenet_udp_sendrecv_generic_if(xprint_t) +@@ -46,9 +45,7 @@ dev_read_urand(xprint_t) + + domain_use_interactive_fds(xprint_t) + +-files_read_etc_files(xprint_t) + files_read_etc_runtime_files(xprint_t) +-files_read_usr_files(xprint_t) + files_search_var_lib(xprint_t) + files_search_tmp(xprint_t) + +@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t) + logging_send_syslog_msg(xprint_t) + + miscfiles_read_fonts(xprint_t) +-miscfiles_read_localization(xprint_t) + + sysnet_read_config(xprint_t) + +diff --git a/xscreensaver.te b/xscreensaver.te +index c9c9650..485e77d 100644 +--- a/xscreensaver.te ++++ b/xscreensaver.te +@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms; + + kernel_read_system_state(xscreensaver_t) + +-files_read_usr_files(xscreensaver_t) + + auth_use_nsswitch(xscreensaver_t) + auth_domtrans_chk_passwd(xscreensaver_t) +@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t) + logging_send_audit_msgs(xscreensaver_t) + logging_send_syslog_msg(xscreensaver_t) + +-miscfiles_read_localization(xscreensaver_t) +- +-userdom_use_user_terminals(xscreensaver_t) ++userdom_use_inherited_user_ptys(xscreensaver_t) ++#access to .icons and ~/.xscreensaver + userdom_read_user_home_content_files(xscreensaver_t) + + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) +diff --git a/yam.te b/yam.te +index d837e88..910aeec 100644 +--- a/yam.te ++++ b/yam.te +@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t) + + logging_send_syslog_msg(yam_t) + +-miscfiles_read_localization(yam_t) +- + seutil_read_config(yam_t) + +-userdom_use_user_terminals(yam_t) ++sysnet_read_config(yam_t) ++ ++userdom_use_inherited_user_terminals(yam_t) + userdom_use_unpriv_users_fds(yam_t) + userdom_search_user_home_dirs(yam_t) + 
+diff --git a/zabbix.fc b/zabbix.fc +index ce10cb1..3181728 100644 +--- a/zabbix.fc ++++ b/zabbix.fc +@@ -4,11 +4,15 @@ + /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) + +-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) ++/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) + /usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) + + /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + +diff --git a/zabbix.if b/zabbix.if +index dd63de0..38ce620 100644 +--- a/zabbix.if ++++ b/zabbix.if +@@ -1,4 +1,4 @@ +-## Distributed infrastructure monitoring. ++## Distributed infrastructure monitoring + + ######################################## + ## +@@ -15,13 +15,12 @@ interface(`zabbix_domtrans',` + type zabbix_t, zabbix_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, zabbix_exec_t, zabbix_t) + ') + + ######################################## + ## +-## Connect to zabbit on the TCP network. 
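Review bot: The four new `zabbix_proxy*` entries label the proxy binaries `zabbix_exec_t`, so the proxy runs in the full server domain `zabbix_t` with everything that domain is granted. That is a reasonable first cut, but a comment such as `# zabbix_proxy shares the server domain` would stop readers assuming a separate proxy domain exists; if the proxy needs only a subset of the server's access, a dedicated type would be tighter.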
++## Allow connectivity to the zabbix server + ## + ## + ## +@@ -34,7 +33,7 @@ interface(`zabbix_tcp_connect',` + type zabbix_t; + ') + +- corenet_sendrecv_zabbix_client_packets($1) ++ corenet_sendrecv_zabbix_agent_client_packets($1) + corenet_tcp_connect_zabbix_port($1) + corenet_tcp_recvfrom_labeled($1, zabbix_t) + corenet_tcp_sendrecv_zabbix_port($1) +@@ -42,7 +41,7 @@ interface(`zabbix_tcp_connect',` + + ######################################## + ## +-## Read zabbix log files. ++## Allow the specified domain to read zabbix's log files. + ## + ## + ## +@@ -62,13 +61,34 @@ interface(`zabbix_read_log',` + + ######################################## + ## +-## Append zabbix log files. ++## Allow the specified domain to read zabbix's tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++# ++interface(`zabbix_read_tmp',` ++ gen_require(` ++ type zabbix_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## zabbix log files. ++## ++## ++## ++## Domain allowed access. ++## ++## + # + interface(`zabbix_append_log',` + gen_require(` +@@ -81,7 +101,7 @@ interface(`zabbix_append_log',` + + ######################################## + ## +-## Read zabbix pid files. ++## Read zabbix PID files. + ## + ## + ## +@@ -100,7 +120,7 @@ interface(`zabbix_read_pid_files',` + + ######################################## + ## +-## Connect to zabbix agent on the TCP network. 
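Review bot: In `zabbix_tcp_connect` the packet interface becomes `corenet_sendrecv_zabbix_agent_client_packets($1)` while the port stays `corenet_tcp_connect_zabbix_port($1)` and the peer stays `zabbix_t`, so under SECMARK the caller is labeled for agent-port packets but connects to the server port. Keep `corenet_sendrecv_zabbix_client_packets($1)` here unless that packet type was removed from corenetwork in the same patch, in which case a comment explaining the substitution is needed.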
++## Allow connectivity to a zabbix agent + ## + ## + ## +@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',` + # + interface(`zabbix_agent_tcp_connect',` + gen_require(` +- type zabbix_agent_t; ++ type zabbix_t, zabbix_agent_t; + ') + + corenet_sendrecv_zabbix_agent_client_packets($1) +@@ -121,8 +141,8 @@ interface(`zabbix_agent_tcp_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an zabbix environment. ++## All of the rules required to administrate ++## an zabbix environment + ## + ## + ## +@@ -131,7 +151,7 @@ interface(`zabbix_agent_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the zabbix domain. + ## + ## + ## +@@ -139,16 +159,18 @@ interface(`zabbix_agent_tcp_connect',` + interface(`zabbix_admin',` + gen_require(` + type zabbix_t, zabbix_log_t, zabbix_var_run_t; +- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t; +- type zabbit_tmpfs_t; ++ type zabbix_initrc_exec_t; + ') + +- allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { zabbix_t zabbix_agent_t }) ++ allow $1 zabbix_t:process signal_perms; ++ ps_process_pattern($1, zabbix_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 zabbix_t:process ptrace; ++ ') + +- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t }) ++ init_labeled_script_domtrans($1, zabbix_initrc_exec_t) + domain_system_change_exemption($1) +- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r; ++ role_transition $2 zabbix_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) +@@ -156,10 +178,4 @@ interface(`zabbix_admin',` + + files_list_pids($1) + admin_pattern($1, zabbix_var_run_t) +- +- files_list_tmp($1) +- admin_pattern($1, zabbix_tmp_t) +- +- fs_list_tmpfs($1) +- admin_pattern($1, zabbix_tmpfs_t) + ') +diff --git a/zabbix.te b/zabbix.te +index 46e4cd3..79317e6 100644 +--- 
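Review bot: zabbix_admin no longer covers zabbix_agent_t: the signal/ptrace, ps_process_pattern, init_labeled_script_domtrans and role_transition lines are narrowed to zabbix_t, and the following hunk drops the tmp and tmpfs admin_pattern calls, so a role mapped through this interface can no longer manage the agent service or clean its files. If that is intended, the summary "All of the rules required to administrate an zabbix environment" should say the agent is excluded; otherwise keep `{ zabbix_t zabbix_agent_t }` in the process and script lines. In the same file, the hunk above adds `type zabbix_t` to the gen_require of zabbix_agent_tcp_connect although the visible body does not appear to use it; `type zabbix_agent_t;` alone seems sufficient.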
a/zabbix.te ++++ b/zabbix.te +@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3) + # + + ## +-##

    ++##

    + ## Determine whether zabbix can + ## connect to all TCP ports + ##

    + ##
    + gen_tunable(zabbix_can_network, false) + +-type zabbix_t; ++attribute zabbix_domain; ++ ++type zabbix_t, zabbix_domain; + type zabbix_exec_t; + init_daemon_domain(zabbix_t, zabbix_exec_t) + + type zabbix_initrc_exec_t; + init_script_file(zabbix_initrc_exec_t) + +-type zabbix_agent_t; ++type zabbix_agent_t, zabbix_domain; + type zabbix_agent_exec_t; + init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) + +@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t) + + ######################################## + # ++# zabbix domain local policy ++# ++ ++allow zabbix_domain self:capability { setuid setgid }; ++allow zabbix_domain self:process { setpgid setsched getsched signal_perms }; ++allow zabbix_domain self:fifo_file rw_fifo_file_perms; ++allow zabbix_domain self:sem create_sem_perms; ++allow zabbix_domain self:shm create_shm_perms; ++allow zabbix_domain self:tcp_socket { accept listen }; ++allow zabbix_domain self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_all_sysctls(zabbix_domain) ++ ++corenet_tcp_sendrecv_generic_if(zabbix_domain) ++corenet_tcp_sendrecv_generic_node(zabbix_domain) ++corenet_tcp_bind_generic_node(zabbix_domain) ++ ++corecmd_exec_shell(zabbix_domain) ++corecmd_exec_bin(zabbix_domain) ++ ++dev_read_sysfs(zabbix_domain) ++dev_read_urand(zabbix_domain) ++ ++######################################## ++# + # Local policy + # + +-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; +-allow zabbix_t self:process { setsched signal_perms }; +-allow zabbix_t self:fifo_file rw_fifo_file_perms; +-allow zabbix_t self:unix_stream_socket create_stream_socket_perms; +-allow zabbix_t self:sem create_sem_perms; +-allow zabbix_t self:shm create_shm_perms; +-allow zabbix_t self:tcp_socket create_stream_socket_perms; ++allow zabbix_t self:capability { dac_read_search dac_override }; + +-allow zabbix_t zabbix_log_t:dir setattr_dir_perms; +-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) 
+-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
++manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
++logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })
+ 
+ manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+ manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
+@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+ 
+ kernel_read_system_state(zabbix_t)
+-kernel_read_kernel_sysctls(zabbix_t)
+ 
+ corenet_all_recvfrom_unlabeled(zabbix_t)
+ corenet_all_recvfrom_netlabel(zabbix_t)
+-corenet_tcp_sendrecv_generic_if(zabbix_t)
+-corenet_tcp_sendrecv_generic_node(zabbix_t)
+-corenet_tcp_bind_generic_node(zabbix_t)
+ 
+ corenet_sendrecv_ftp_client_packets(zabbix_t)
+ corenet_tcp_connect_ftp_port(zabbix_t)
+@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
+ corenet_tcp_bind_zabbix_port(zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port(zabbix_t)
+ 
+-corecmd_exec_bin(zabbix_t)
+-corecmd_exec_shell(zabbix_t)
+-
+-dev_read_urand(zabbix_t)
+-
+-files_read_usr_files(zabbix_t)
+-
+ auth_use_nsswitch(zabbix_t)
+ 
+-miscfiles_read_localization(zabbix_t)
+-
+ zabbix_agent_tcp_connect(zabbix_t)
+ 
+ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',`
+ ')
+ 
+ optional_policy(`
+- netutils_domtrans_ping(zabbix_t)
++ mysql_stream_connect(zabbix_t)
+ ')
+ 
+ optional_policy(`
+- mysql_stream_connect(zabbix_t)
+- mysql_tcp_connect(zabbix_t)
++ netutils_domtrans_ping(zabbix_t)
+ ')
+ 
+ optional_policy(`
+@@ -125,6 +131,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ snmp_read_snmp_var_lib_files(zabbix_t)
++ snmp_read_snmp_var_lib_dirs(zabbix_t)
+ ')
+ 
+ 
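Review bot: The log rules for zabbix_t are widened from append/create/setattr to `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` on zabbix_log_t, which adds write, unlink and rename on existing log files; the original append-only set is what kept a compromised daemon from rewriting or removing its own history, and the same widening appears for zabbix_agent_t in the agent hunk below, in zarafa_domain_template (zarafa.if) and for zebra_t (zebra.te). Unless these daemons rotate their own logs, keeping the append/create/setattr lines and adding only `manage_dirs_pattern` to support the `{ dir file }` filetrans would preserve that property. The new zabbix_domain block also gives both domains `kernel_read_all_sysctls` (the server previously had only `kernel_read_kernel_sysctls`, removed in the next hunk) and `corecmd_exec_shell`/`corecmd_exec_bin`; a comment on the attribute block saying the union of the two daemons' needs is deliberate would help the next reader.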
########################################
+@@ -132,18 +139,7 @@ optional_policy(`
+ # Agent local policy
+ #
+ 
+-allow zabbix_agent_t self:capability { setuid setgid };
+-allow zabbix_agent_t self:process { setsched getsched signal };
+-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
+-allow zabbix_agent_t self:sem create_sem_perms;
+-allow zabbix_agent_t self:shm create_shm_perms;
+-allow zabbix_agent_t self:tcp_socket { accept listen };
+-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+-
+-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
++manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+ 
+ rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+ manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+ 
+-kernel_read_all_sysctls(zabbix_agent_t)
+ kernel_read_system_state(zabbix_agent_t)
+ 
+-corecmd_read_all_executables(zabbix_agent_t)
+-
+ corenet_all_recvfrom_unlabeled(zabbix_agent_t)
+ corenet_all_recvfrom_netlabel(zabbix_agent_t)
+-corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
+-corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
+-corenet_tcp_bind_generic_node(zabbix_agent_t)
++
++corecmd_read_all_executables(zabbix_agent_t)
+ 
+ corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
+ corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ files_getattr_all_dirs(zabbix_agent_t)
+ files_getattr_all_files(zabbix_agent_t)
+ files_read_all_symlinks(zabbix_agent_t)
+-files_read_etc_files(zabbix_agent_t)
+ + fs_getattr_all_fs(zabbix_agent_t) + +@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t) + + logging_search_logs(zabbix_agent_t) + +-miscfiles_read_localization(zabbix_agent_t) +- + sysnet_dns_name_resolve(zabbix_agent_t) + + zabbix_tcp_connect(zabbix_agent_t) ++ ++optional_policy(` ++ hostname_exec(zabbix_agent_t) ++') ++ +diff --git a/zarafa.fc b/zarafa.fc +index faf99ed..44e94fa 100644 +--- a/zarafa.fc ++++ b/zarafa.fc +@@ -1,33 +1,34 @@ +-/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) ++/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + +-/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0) ++/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) ++/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) ++/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) ++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) ++/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) ++/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) ++/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) ++/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) + +-/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) +-/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) +-/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) +-/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) +-/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) +-/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) +-/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) +- +-/var/lib/zarafa(/.*)? 
gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) + /var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) +-/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) + +-/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) ++/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) + /var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) + /var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) + /var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) + /var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) ++/var/log/zarafa/search\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) + /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) + +-/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +-/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) ++/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) ++/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) + /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) + /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) +-/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) ++/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) + /var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) + 
/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) + /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) ++/var/run/zarafa-search\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) + /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +diff --git a/zarafa.if b/zarafa.if +index 36e32df..3d08962 100644 +--- a/zarafa.if ++++ b/zarafa.if +@@ -1,55 +1,59 @@ + ## Zarafa collaboration platform. + +-####################################### ++###################################### + ## +-## The template to define a zarafa domain. ++## Creates types and rules for a basic ++## zararfa init daemon domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## + ## + # + template(`zarafa_domain_template',` + gen_require(` +- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; ++ attribute zarafa_domain; + ') + +- ######################################## ++ ############################## + # +- # Declarations ++ # $1_t declarations + # + + type zarafa_$1_t, zarafa_domain; + type zarafa_$1_exec_t; + init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) + +- type zarafa_$1_log_t, zarafa_logfile; ++ type zarafa_$1_log_t; + logging_log_file(zarafa_$1_log_t) + +- type zarafa_$1_var_run_t, zarafa_pidfile; ++ type zarafa_$1_var_run_t; + files_pid_file(zarafa_$1_var_run_t) + +- ######################################## ++ ############################## + # +- # Policy ++ # $1_t local policy + # + + manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + +- append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) +- create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) +- setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, 
zarafa_$1_log_t) +- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file) ++ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) ++ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) ++ ++ kernel_read_system_state(zarafa_$1_t) + + auth_use_nsswitch(zarafa_$1_t) ++ ++ logging_send_syslog_msg(zarafa_$1_t) + ') + + ###################################### + ## +-## search zarafa configuration directories. ++## Allow the specified domain to search ++## zarafa configuration dirs. + ## + ## + ## +@@ -68,7 +72,7 @@ interface(`zarafa_search_config',` + + ######################################## + ## +-## Execute a domain transition to run zarafa deliver. ++## Execute a domain transition to run zarafa_deliver. + ## + ## + ## +@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',` + type zarafa_deliver_t, zarafa_deliver_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) + ') + + ######################################## + ## +-## Execute a domain transition to run zarafa server. ++## Execute a domain transition to run zarafa_server. + ## + ## + ## +@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',` + type zarafa_server_t, zarafa_server_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) + ') + + ####################################### + ## +-## Connect to zarafa server with a unix +-## domain stream socket. ++## Connect to zarafa-server unix domain stream socket. + ## + ## + ## +@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',` + stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) + ') + +-######################################## ++#################################### + ## +-## All of the rules required to +-## administrate an zarafa environment. ++## Allow the specified domain to manage ++## zarafa /var/lib files. + ## + ## +-## +-## Domain allowed access. 
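Review bot: `auth_use_nsswitch(zarafa_$1_t)` and the new `logging_send_syslog_msg(zarafa_$1_t)` are granted to every templated daemon here, yet the zarafa.te hunks add `auth_use_nsswitch` again for deliver, indexer, ical, monitor, server and spooler and `logging_send_syslog_msg(zarafa_server_t)` once more; the per-daemon copies are redundant and should go so the template stays the single place where common access is defined. Also `logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })` wraps a single class in braces; `file` alone matches the other filetrans calls in this module.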
+-## +-## +-## +-## +-## Role allowed access. +-## ++## ++## Domain allowed access. ++## + ## +-## + # +-interface(`zarafa_admin',` +- gen_require(` +- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; +- type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t; +- type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t; +- type zarafa_var_lib_t; +- ') +- +- allow $1 zarafa_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, zarafa_domain) +- +- init_labeled_script_domtrans($1, zarafa_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 zarafa_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, zarafa_etc_t) +- +- files_search_tmp($1) +- admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t }) +- +- logging_search_log($1) +- admin_pattern($1, zarafa_logfile) +- +- files_search_var_lib($1) +- admin_pattern($1, { zarafa_var_lib_t zarafa_share_t }) +- +- files_search_pids($1) +- admin_pattern($1, zarafa_pidfile) ++interface(`zarafa_manage_lib_files',` ++ gen_require(` ++ type zarafa_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ++ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ++ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) + ') +diff --git a/zarafa.te b/zarafa.te +index a4479b1..a40d580 100644 +--- a/zarafa.te ++++ b/zarafa.te +@@ -1,13 +1,18 @@ +-policy_module(zarafa, 1.1.4) ++policy_module(zarafa, 1.1.0) + + ######################################## + # + # Declarations + # + ++## ++##
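Review bot: This hunk deletes the public interface `zarafa_admin` outright (and the template hunk above removes the zarafa_logfile/zarafa_pidfile attributes it required), so any policy module that still calls `zarafa_admin(...)` from a role declaration would no longer build against the updated module. If the admin interface is intentionally withdrawn the commit description should say so and name what replaces it; otherwise a reduced zarafa_admin that keeps the process, etc, var_lib and pid `admin_pattern` lines over `zarafa_domain` would retain the administrative role while still dropping the removed attributes. The new `zarafa_manage_lib_files` is a reasonable addition, but it does not carry the role wiring (`role_transition`, `allow $2 system_r`) that was removed.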

    ++## Allow zarafa domains to setrlimit/sys_rouserce. ++##

    ++##
    ++gen_tunable(zarafa_setrlimit, false) ++ + attribute zarafa_domain; +-attribute zarafa_logfile; +-attribute zarafa_pidfile; + + zarafa_domain_template(deliver) + +@@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t) + type zarafa_etc_t; + files_config_file(zarafa_etc_t) + +-type zarafa_initrc_exec_t; +-init_script_file(zarafa_initrc_exec_t) +- + zarafa_domain_template(gateway) + zarafa_domain_template(ical) + zarafa_domain_template(indexer) +@@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t) + + ######################################## + # +-# Deliver local policy ++# zarafa-deliver local policy + # + + manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) + manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) + files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) + ++auth_use_nsswitch(zarafa_deliver_t) ++ ++corenet_tcp_bind_lmtp_port(zarafa_deliver_t) ++ + ######################################## + # +-# Gateway local policy ++# zarafa_gateway local policy + # +- +-corenet_all_recvfrom_unlabeled(zarafa_gateway_t) + corenet_all_recvfrom_netlabel(zarafa_gateway_t) + corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) + corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) ++corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) + corenet_tcp_bind_generic_node(zarafa_gateway_t) +- +-corenet_sendrecv_pop_server_packets(zarafa_gateway_t) + corenet_tcp_bind_pop_port(zarafa_gateway_t) +-corenet_tcp_sendrecv_pop_port(zarafa_gateway_t) ++ ++###################################### ++# ++# zarafa-indexer local policy ++# ++ ++ ++manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) ++manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) ++files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) ++ ++manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) ++manage_files_pattern(zarafa_indexer_t, 
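Review bot: `policy_module(zarafa, 1.1.0)` lowers the module version from 1.1.4, and zebra.te does the same (1.12.1 to 1.12.0); with changes this large the version should move forward so the installed module and the source tree can be told apart. The new tunable's description misspells the capability it gates: `## Allow zarafa domains to setrlimit/sys_resource.` is what the boolean grants further down the file.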
zarafa_var_lib_t, zarafa_var_lib_t) ++manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) ++ ++auth_use_nsswitch(zarafa_indexer_t) + + ####################################### + # +-# Ical local policy ++# zarafa-ical local policy + # + +-corenet_all_recvfrom_unlabeled(zarafa_ical_t) ++ + corenet_all_recvfrom_netlabel(zarafa_ical_t) + corenet_tcp_sendrecv_generic_if(zarafa_ical_t) + corenet_tcp_sendrecv_generic_node(zarafa_ical_t) ++corenet_tcp_sendrecv_all_ports(zarafa_ical_t) + corenet_tcp_bind_generic_node(zarafa_ical_t) +- +-corenet_sendrecv_http_cache_client_packets(zarafa_ical_t) + corenet_tcp_bind_http_cache_port(zarafa_ical_t) +-corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t) ++ ++auth_use_nsswitch(zarafa_ical_t) + + ###################################### + # +-# Indexer local policy ++# zarafa-monitor local policy + # + +-manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +-manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +-files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) + +-manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +-manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +-manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) ++auth_use_nsswitch(zarafa_monitor_t) + + ######################################## + # +-# Server local policy ++# zarafa_server local policy + # + ++allow zarafa_server_t self:capability net_bind_service; ++ + manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) + manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) + files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) +@@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } + + stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, 
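Review bot: `corenet_tcp_sendrecv_all_ports` is added for zarafa_gateway_t and zarafa_ical_t while the matching `corenet_tcp_sendrecv_pop_port`/`corenet_tcp_sendrecv_http_cache_port` and `corenet_sendrecv_*_packets` lines are removed, so each daemon may now send and receive on every labeled port although it still binds only its own; the next hunk repeats this for server and spooler, and zebra.te does the same for zebra_t. If the intent is to let these daemons reach arbitrary remote ports that should be stated in a comment; otherwise restoring the per-port sendrecv lines keeps each daemon's network footprint narrow. The relocated indexer section also opens with two blank lines after its header.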
zarafa_indexer_t) + +-corenet_all_recvfrom_unlabeled(zarafa_server_t) + corenet_all_recvfrom_netlabel(zarafa_server_t) + corenet_tcp_sendrecv_generic_if(zarafa_server_t) + corenet_tcp_sendrecv_generic_node(zarafa_server_t) ++corenet_tcp_sendrecv_all_ports(zarafa_server_t) + corenet_tcp_bind_generic_node(zarafa_server_t) +- +-corenet_sendrecv_zarafa_server_packets(zarafa_server_t) + corenet_tcp_bind_zarafa_port(zarafa_server_t) +-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) + +-files_read_usr_files(zarafa_server_t) + ++auth_use_nsswitch(zarafa_server_t) ++ ++logging_send_syslog_msg(zarafa_server_t) + logging_send_audit_msgs(zarafa_server_t) + ++sysnet_dns_name_resolve(zarafa_server_t) ++ + optional_policy(` + kerberos_use(zarafa_server_t) + ') + + optional_policy(` + mysql_stream_connect(zarafa_server_t) +- mysql_tcp_connect(zarafa_server_t) +-') +- +-optional_policy(` +- postgresql_stream_connect(zarafa_server_t) +- postgresql_tcp_connect(zarafa_server_t) + ') + + ######################################## + # +-# Spooler local policy ++# zarafa_spooler local policy + # + + can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) + +-corenet_all_recvfrom_unlabeled(zarafa_spooler_t) + corenet_all_recvfrom_netlabel(zarafa_spooler_t) + corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) + corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) +- +-corenet_sendrecv_smtp_client_packets(zarafa_spooler_t) ++corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) + corenet_tcp_connect_smtp_port(zarafa_spooler_t) +-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) ++ ++auth_use_nsswitch(zarafa_spooler_t) + + ######################################## + # +-# Zarafa domain local policy ++# zarafa_gateway local policy + # ++corenet_tcp_bind_pop_port(zarafa_gateway_t) + ++####################################### ++# ++# zarafa-ical local policy ++# ++ ++corenet_tcp_bind_http_cache_port(zarafa_ical_t) ++ ++###################################### ++# ++# zarafa-monitor local policy ++# ++ ++ 
++########################################
++#
++# zarafa domains local policy
++#
++
++# bad permission on /etc/zarafa
+ allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+-allow zarafa_domain self:process { setrlimit signal };
++allow zarafa_domain self:process { signal_perms };
+ allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+-allow zarafa_domain self:tcp_socket { accept listen };
+-allow zarafa_domain self:unix_stream_socket { accept listen };
++allow zarafa_domain self:tcp_socket create_stream_socket_perms;
++allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
++
++tunable_policy(`zarafa_setrlimit',`
++ allow zarafa_domain self:capability sys_resource;
++ allow zarafa_domain self:process setrlimit;
++')
+ 
+ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+ 
+ read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+ 
+-kernel_read_system_state(zarafa_domain)
+-
+ dev_read_rand(zarafa_domain)
+ dev_read_urand(zarafa_domain)
+ 
+-logging_send_syslog_msg(zarafa_domain)
+-
+-miscfiles_read_localization(zarafa_domain)
++dev_read_sysfs(zarafa_domain)
+diff --git a/zebra.fc b/zebra.fc
+index 28ee4ca..bc37f76 100644
+--- a/zebra.fc
++++ b/zebra.fc
+@@ -1,21 +1,34 @@
+-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+-/etc/zebra(/.*)? 
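Review bot: The tail of this hunk re-introduces `zarafa_gateway local policy`, `zarafa-ical local policy` and `zarafa-monitor local policy` sections that already exist earlier in the file, repeating `corenet_tcp_bind_pop_port(zarafa_gateway_t)` and `corenet_tcp_bind_http_cache_port(zarafa_ical_t)` and leaving the monitor section empty; the duplicates should be dropped so each daemon has one section. The comment `# bad permission on /etc/zarafa` sits above the shared capability line and presumably justifies `dac_override`, which is a broad capability to carry for a packaging mode problem; if that is the reason, say so explicitly (`# dac_override: /etc/zarafa is shipped unreadable by the zarafa user; fix the file mode and drop this`) so it is revisited rather than inherited. Moving `setrlimit` and `sys_resource` behind the `zarafa_setrlimit` tunable is a welcome narrowing.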
gen_context(system_u:object_r:zebra_conf_t,s0) +- + /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/babeld -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/isisd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/babeld.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/bgpd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/isisd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/ospf6d.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/ospfd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/ripd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/ripngd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) ++/usr/lib/systemd/system/zebra.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) + +-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/babeld -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/isisd 
-- gen_context(system_u:object_r:zebra_exec_t,s0) + /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) ++ ++/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) ++/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) + +-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) +-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) ++/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) ++/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) + + /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) + /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) +-/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) ++/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) +diff --git a/zebra.if b/zebra.if +index 3416401..676925c 100644 +--- a/zebra.if ++++ b/zebra.if +@@ -1,8 +1,8 @@ +-## Zebra border gateway protocol network routing service. ++## Zebra border gateway protocol network routing service + + ######################################## + ## +-## Read zebra configuration content. ++## Read the configuration files for zebra. + ## + ## + ## +@@ -18,14 +18,13 @@ interface(`zebra_read_config',` + + files_search_etc($1) + allow $1 zebra_conf_t:dir list_dir_perms; +- allow $1 zebra_conf_t:file read_file_perms; +- allow $1 zebra_conf_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, zebra_conf_t, zebra_conf_t) ++ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) + ') + + ######################################## + ## +-## Connect to zebra with a unix +-## domain stream socket. ++## Connect to zebra over an unix stream socket. 
+ ## + ## + ## +@@ -42,10 +41,33 @@ interface(`zebra_stream_connect',` + stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) + ') + ++####################################### ++## ++## Execute zebra services in the zebra domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`zebra_systemctl',` ++ gen_require(` ++ type zebra_t; ++ type zebra_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 zebra_unit_file_t:file read_file_perms; ++ allow $1 zebra_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, zebra_t) ++') ++ + ######################################## + ## +-## All of the rules required to +-## administrate an zebra environment. ++## All of the rules required to administrate ++## an zebra environment + ## + ## + ## +@@ -54,7 +76,7 @@ interface(`zebra_stream_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the zebra domain. + ## + ## + ## +@@ -62,13 +84,16 @@ interface(`zebra_stream_connect',` + interface(`zebra_admin',` + gen_require(` + type zebra_t, zebra_tmp_t, zebra_log_t; +- type zebra_conf_t, zebra_var_run_t; +- type zebra_initrc_exec_t; ++ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; + ') + +- allow $1 zebra_t:process { ptrace signal_perms }; ++ allow $1 zebra_t:process signal_perms; + ps_process_pattern($1, zebra_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 zebra_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, zebra_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zebra_initrc_exec_t system_r; +@@ -85,4 +110,8 @@ interface(`zebra_admin',` + + files_list_pids($1) + admin_pattern($1, zebra_var_run_t) ++ ++ zebra_systemctl($1) ++ admin_pattern($1, zebra_unit_file_t) ++ allow $1 zebra_unit_file_t:service all_service_perms; + ') +diff --git a/zebra.te b/zebra.te +index b0803c2..e2b8723 100644 +--- a/zebra.te ++++ b/zebra.te +@@ -1,4 +1,4 @@ +-policy_module(zebra, 1.12.1) 
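Review bot: `zebra_admin` now calls `admin_pattern($1, zebra_unit_file_t)` and `allow $1 zebra_unit_file_t:service all_service_perms;` but its gen_require still lists only `zebra_t, zebra_tmp_t, zebra_log_t, zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t`; the type is in scope only because the nested `zebra_systemctl($1)` requires it, so the require block should add `type zebra_unit_file_t;` explicitly as the interface style expects. In the new zebra_systemctl the summary says "Execute zebra services in the zebra domain" while the body grants `manage_service_perms` on the unit file plus `ps_process_pattern`; a summary such as "Execute systemctl to manage the zebra services and read their process state" describes what callers actually receive.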
++policy_module(zebra, 1.12.0) + + ######################################## + # +@@ -6,23 +6,26 @@ policy_module(zebra, 1.12.1) + # + + ## +-##

    +-## Determine whether zebra daemon can +-## manage its configuration files. +-##

    ++##

    ++## Allow zebra daemon to write it configuration files ++##

    + ##
    +-gen_tunable(allow_zebra_write_config, false) ++# ++gen_tunable(zebra_write_config, false) + + type zebra_t; + type zebra_exec_t; + init_daemon_domain(zebra_t, zebra_exec_t) + + type zebra_conf_t; +-files_type(zebra_conf_t) ++files_config_file(zebra_conf_t) + + type zebra_initrc_exec_t; + init_script_file(zebra_initrc_exec_t) + ++type zebra_unit_file_t; ++systemd_unit_file(zebra_unit_file_t) ++ + type zebra_log_t; + logging_log_file(zebra_log_t) + +@@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t) + allow zebra_t self:capability { setgid setuid net_admin net_raw }; + dontaudit zebra_t self:capability sys_tty_config; + allow zebra_t self:process { signal_perms getcap setcap }; +-allow zebra_t self:fifo_file rw_fifo_file_perms; +-allow zebra_t self:unix_stream_socket { accept connectto listen }; ++allow zebra_t self:file rw_file_perms; ++allow zebra_t self:unix_dgram_socket create_socket_perms; ++allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; + allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; + allow zebra_t self:udp_socket create_socket_perms; + allow zebra_t self:rawip_socket create_socket_perms; + + allow zebra_t zebra_conf_t:dir list_dir_perms; +-allow zebra_t zebra_conf_t:file read_file_perms; +-allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms; ++read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ++read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + + allow zebra_t zebra_log_t:dir setattr_dir_perms; +-append_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +-create_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +-setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t) ++manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) + manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) + logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) + +-allow zebra_t zebra_tmp_t:sock_file 
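Review bot: Renaming the boolean `allow_zebra_write_config` to `zebra_write_config` silently discards any value an administrator persisted under the old name, and scripts or documentation that set the old boolean will now fail; if the build offers a boolean alias mechanism the old name should be mapped, and in any case the rename belongs in the commit description. The stray `+# ` line inserted between the closing `##` doc line and `gen_tunable` does not match the other tunable blocks in this patch and can go. `files_config_file(zebra_conf_t)` in place of `files_type` is a good tightening, since the generic configuration interfaces now apply to it.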
manage_sock_file_perms;
+-files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
++# /tmp/.bgpd is such a bad idea!
++manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
++manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
++files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })
+ 
+ manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+ manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+@@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t)
+ kernel_read_kernel_sysctls(zebra_t)
+ kernel_rw_net_sysctls(zebra_t)
+ 
+-corenet_all_recvfrom_unlabeled(zebra_t)
+ corenet_all_recvfrom_netlabel(zebra_t)
+ corenet_tcp_sendrecv_generic_if(zebra_t)
+ corenet_udp_sendrecv_generic_if(zebra_t)
+@@ -79,48 +82,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+ corenet_tcp_sendrecv_generic_node(zebra_t)
+ corenet_udp_sendrecv_generic_node(zebra_t)
+ corenet_raw_sendrecv_generic_node(zebra_t)
++corenet_tcp_sendrecv_all_ports(zebra_t)
++corenet_udp_sendrecv_all_ports(zebra_t)
+ corenet_tcp_bind_generic_node(zebra_t)
+ corenet_udp_bind_generic_node(zebra_t)
+-
+-corenet_sendrecv_bgp_server_packets(zebra_t)
+ corenet_tcp_bind_bgp_port(zebra_t)
+-corenet_sendrecv_bgp_client_packets(zebra_t)
++corenet_tcp_bind_zebra_port(zebra_t)
++corenet_udp_bind_router_port(zebra_t)
+ corenet_tcp_connect_bgp_port(zebra_t)
+-corenet_tcp_sendrecv_bgp_port(zebra_t)
+-
+ corenet_sendrecv_zebra_server_packets(zebra_t)
+-corenet_tcp_bind_zebra_port(zebra_t)
+-corenet_tcp_sendrecv_zebra_port(zebra_t)
+-
+ corenet_sendrecv_router_server_packets(zebra_t)
+-corenet_udp_bind_router_port(zebra_t)
+-corenet_udp_sendrecv_router_port(zebra_t)
+ 
+ dev_associate_usbfs(zebra_var_run_t)
+ dev_list_all_dev_nodes(zebra_t)
++dev_read_rand(zebra_t)
++dev_read_urand(zebra_t)
+ dev_read_sysfs(zebra_t)
+ dev_rw_zero(zebra_t)
+ 
+-domain_use_interactive_fds(zebra_t)
+-
+-files_read_etc_files(zebra_t)
+-files_read_etc_runtime_files(zebra_t)
+-
+ fs_getattr_all_fs(zebra_t)
+ 
fs_search_auto_mountpoints(zebra_t)
+ 
+ term_list_ptys(zebra_t)
+ 
+-logging_send_syslog_msg(zebra_t)
++domain_use_interactive_fds(zebra_t)
++
++files_search_etc(zebra_t)
++files_read_etc_runtime_files(zebra_t)
+ 
+-miscfiles_read_localization(zebra_t)
++auth_read_passwd(zebra_t)
++
++logging_send_syslog_msg(zebra_t)
+ 
+ sysnet_read_config(zebra_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+ userdom_dontaudit_search_user_home_dirs(zebra_t)
+ 
+-tunable_policy(`allow_zebra_write_config',`
++tunable_policy(`zebra_write_config',`
+ manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+ ')
+ 
+@@ -139,3 +138,7 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(zebra_t)
+ ')
++
++optional_policy(`
++ unconfined_sigchld(zebra_t)
++')
+diff --git a/zoneminder.fc b/zoneminder.fc
+new file mode 100644
+index 0000000..8c61505
+--- /dev/null
++++ b/zoneminder.fc
+@@ -0,0 +1,13 @@
++/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
++
++/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
++
++/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
++
++/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
++
++/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
++
++/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
++
++/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
+diff --git a/zoneminder.if b/zoneminder.if
+new file mode 100644
+index 0000000..d02a6f4
+--- /dev/null
++++ b/zoneminder.if
+@@ -0,0 +1,374 @@
++## policy for zoneminder
++
++########################################
++##
++## Transition to zoneminder.
++##
++##
++##
++## Domain allowed to transition. 
    ++##
++##
++#
++interface(`zoneminder_domtrans',`
++ gen_require(`
++ type zoneminder_t, zoneminder_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
++')
++
++########################################
++##
++## Allow the specified domain to execute zoneminder
++## in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`zoneminder_exec',`
++ gen_require(`
++ type zoneminder_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, zoneminder_exec_t)
++')
++
++
++########################################
++##
++## Execute zoneminder server in the zoneminder domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_initrc_domtrans',`
++ gen_require(`
++ type zoneminder_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
++')
++
++
++########################################
++##
++## Read zoneminder's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`zoneminder_read_log',`
++ gen_require(`
++ type zoneminder_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++##
++## Append to zoneminder log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_append_log',`
++ gen_require(`
++ type zoneminder_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++##
++## Manage zoneminder log files
++##
++##
++##
++## Domain allowed access. 
    ++##
++##
++#
++interface(`zoneminder_manage_log',`
++ gen_require(`
++ type zoneminder_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
++ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
++')
++
++########################################
++##
++## Search zoneminder lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_search_lib',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ allow $1 zoneminder_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read zoneminder lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_read_lib_files',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++##
++## Manage zoneminder lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_lib_files',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++##
++## Manage zoneminder lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_lib_dirs',`
++ gen_require(`
++ type zoneminder_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++##
++## Manage zoneminder sock_files files.
++##
++##
++##
++## Domain allowed access. 
    ++##
++##
++#
++interface(`zoneminder_manage_lib_sock_files',`
++ gen_require(`
++ type sock_var_lib_t;
++ ')
++ files_search_var_lib($1)
++ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
++
++########################################
++##
++## Search zoneminder spool directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_search_spool',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ allow $1 zoneminder_spool_t:dir search_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Read zoneminder spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_read_spool_files',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++##
++## Manage zoneminder spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_spool_files',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++##
++## Manage zoneminder spool dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_spool_dirs',`
++ gen_require(`
++ type zoneminder_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
++')
++
++########################################
++##
++## Connect to zoneminder over a unix stream socket.
++##
++##
++##
++## Domain allowed access. 
    ++##
++##
++#
++interface(`zoneminder_stream_connect',`
++ gen_require(`
++ type zoneminder_t, zoneminder_var_lib_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
++')
++
++######################################
++##
++## Read/write zonerimender tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_rw_tmpfs_files',`
++ gen_require(`
++ type zoneminder_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an zoneminder environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`zoneminder_admin',`
++ gen_require(`
++ type zoneminder_t;
++ type zoneminder_initrc_exec_t;
++ type zoneminder_log_t;
++ type zoneminder_var_lib_t;
++ type zoneminder_spool_t;
++ ')
++
++ allow $1 zoneminder_t:process { ptrace signal_perms };
++ ps_process_pattern($1, zoneminder_t)
++
++ zoneminder_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 zoneminder_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, zoneminder_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, zoneminder_var_lib_t)
++
++ files_search_spool($1)
++ admin_pattern($1, zoneminder_spool_t)
++
++')
++
+diff --git a/zoneminder.te b/zoneminder.te
+new file mode 100644
+index 0000000..add28f7
+--- /dev/null
++++ b/zoneminder.te
+@@ -0,0 +1,187 @@
++policy_module(zoneminder, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##
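Review bot: `zoneminder_manage_lib_sock_files` requires `type sock_var_lib_t;` while its body operates on `zoneminder_var_lib_t`, so any module calling this interface will fail to link unless a `sock_var_lib_t` type exists elsewhere; the require should read `type zoneminder_var_lib_t;`. In `zoneminder_stream_connect` the socket is labelled `zoneminder_var_lib_t` but the directory search granted is `files_search_pids($1)`; `files_search_var_lib($1)` is what the other lib interfaces in this file use and what the caller actually needs to reach the socket. The `zoneminder_rw_tmpfs_files` summary misspells the module name (`zonerimender`). These lines belong to the zoneminder.if hunk inside the added policy-f20-base.patch, whose enclosing outer hunk starts and ends outside this chunk.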

    ++## Allow ZoneMinder to run su/sudo.
++##

    ++##
    ++gen_tunable(zoneminder_run_sudo, false)
++
++
++##
++##

    ++## Allow ZoneMinder to modify public files
++## used for public file transfer services.
++##

    ++##
    ++gen_tunable(zoneminder_anon_write, false)
++
++gen_require(`
++ class passwd rootok;
++ class passwd passwd;
++ ')
++
++type zoneminder_t;
++type zoneminder_exec_t;
++init_daemon_domain(zoneminder_t, zoneminder_exec_t)
++
++type zoneminder_unit_file_t;
++systemd_unit_file(zoneminder_unit_file_t)
++
++type zoneminder_initrc_exec_t;
++init_script_file(zoneminder_initrc_exec_t)
++
++type zoneminder_log_t;
++logging_log_file(zoneminder_log_t)
++
++type zoneminder_tmpfs_t;
++files_tmpfs_file(zoneminder_tmpfs_t)
++
++type zoneminder_spool_t;
++files_type(zoneminder_spool_t)
++
++type zoneminder_var_lib_t;
++files_type(zoneminder_var_lib_t)
++
++type zoneminder_var_run_t;
++files_pid_file(zoneminder_var_run_t)
++
++########################################
++#
++# zoneminder local policy
++#
++allow zoneminder_t self:capability { chown dac_override };
++allow zoneminder_t self:process { signal_perms setpgid };
++allow zoneminder_t self:shm create_shm_perms;
++allow zoneminder_t self:fifo_file rw_fifo_file_perms;
++allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow zoneminder_t self:netlink_selinux_socket create_socket_perms;
++
++manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
++manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
++logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) 
++manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
++manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
++files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
++
++manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
++files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
++
++kernel_read_system_state(zoneminder_t)
++
++domain_read_all_domains_state(zoneminder_t)
++
++corecmd_exec_bin(zoneminder_t)
++corecmd_exec_shell(zoneminder_t)
++
++corenet_tcp_bind_http_cache_port(zoneminder_t)
++corenet_tcp_bind_transproxy_port(zoneminder_t)
++corenet_tcp_connect_http_port(zoneminder_t)
++
++dev_read_sysfs(zoneminder_t)
++dev_read_rand(zoneminder_t)
++dev_read_urand(zoneminder_t)
++dev_read_video_dev(zoneminder_t)
++dev_write_video_dev(zoneminder_t)
++
++auth_use_nsswitch(zoneminder_t)
++#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl to see why is needed this rule. 
++
++logging_send_syslog_msg(zoneminder_t)
++logging_send_audit_msgs(zoneminder_t)
++
++mta_send_mail(zoneminder_t)
++
++tunable_policy(`zoneminder_anon_write',`
++ miscfiles_manage_public_files(zoneminder_t)
++')
++
++tunable_policy(`zoneminder_run_sudo',`
++ allow zoneminder_t self:capability { setuid setgid sys_resource };
++ allow zoneminder_t self:process { setrlimit setsched };
++ allow zoneminder_t self:key write;
++ allow zoneminder_t self:passwd { passwd rootok };
++
++ auth_rw_lastlog(zoneminder_t)
++ auth_rw_faillog(zoneminder_t)
++ auth_exec_chkpwd(zoneminder_t)
++
++ selinux_compute_access_vector(zoneminder_t)
++
++ systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
++ systemd_dbus_chat_logind(zoneminder_t)
++
++ xserver_exec_xauth(zoneminder_t)
++')
++
++optional_policy(`
++ tunable_policy(`zoneminder_run_sudo',`
++ dbus_system_bus_client(zoneminder_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`zoneminder_run_sudo',`
++ sudo_exec(zoneminder_t)
++ su_exec(zoneminder_t)
++ ')
++')
++optional_policy(`
++ mysql_stream_connect(zoneminder_t)
++')
++
++optional_policy(`
++ fprintd_dbus_chat(zoneminder_t)
++')
++
++optional_policy(`
++ motion_manage_all_files(zoneminder_t)
++')
++
++########################################
++#
++# zoneminder cgi local policy
++#
++
++optional_policy(`
++ apache_content_template(zoneminder)
++
++ # need more testing
++ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
++
++ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++
++ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++
++ zoneminder_stream_connect(httpd_zoneminder_script_t)
++
++ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
++
++ files_search_var_lib(httpd_zoneminder_script_t)
++
++ logging_send_syslog_msg(httpd_zoneminder_script_t)
++
++ optional_policy(`
++ mysql_stream_connect(httpd_zoneminder_script_t)
++ ')
++
++')
+diff --git a/zosremote.if 
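Review bot: The `zoneminder_run_sudo` tunable grants `setuid setgid sys_resource`, `self:passwd { passwd rootok }`, `auth_exec_chkpwd` and read/write on lastlog/faillog directly in the `tunable_policy` block, while the `su_exec`/`sudo_exec` calls that the boolean is named for sit in a separate `optional_policy`; the tunable's description near the top of the file only says "Allow ZoneMinder to run su/sudo", and it should state that enabling it also gives the daemon password-checking and root-authorising permissions so an administrator can weigh the exposure before switching it on. The commented-out `#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl ...` and `#allow httpd_zoneminder_script_t self:shm create_shm_perms;` are dead rules; either remove them or make them explicit `# TODO:` notes so they are not mistaken for active policy. As a matter of layout, the `optional_policy` holding `mysql_stream_connect(zoneminder_t)` follows the preceding `')` with no blank line, unlike every other block in the file. These lines are the zoneminder.te hunk inside the added policy-f20-base.patch; the enclosing outer hunk starts and ends outside this chunk.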
b/zosremote.if
+index b14698c..16e1581 100644
+--- a/zosremote.if
++++ b/zosremote.if
+@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',`
+ ## Role allowed access.
+ ##
    + ##
++##
+ #
+ interface(`zosremote_run',`
+ gen_require(`
+diff --git a/zosremote.te b/zosremote.te
+index 9ba9f81..983b6c8 100644
+--- a/zosremote.te
++++ b/zosremote.te
+@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
+ 
+ auth_use_nsswitch(zos_remote_t)
+ 
+-miscfiles_read_localization(zos_remote_t)
+-
+ logging_send_syslog_msg(zos_remote_t)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
deleted file mode 100644
index cbdf5f0..0000000
--- a/policy-rawhide-base.patch
+++ /dev/null
@@ -1,44998 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 85d4cfb..7bfdfc6 100644
---- a/Makefile
-+++ b/Makefile
-@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
- SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
- SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
- SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
-+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
- LOADPOLICY ?= $(tc_usrsbindir)/load_policy
- SETFILES ?= $(tc_sbindir)/setfiles
- XMLLINT ?= $(BINDIR)/xmllint
-@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
- 
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -608,15 +609,17 @@ resetlabels:
- # Clean everything
- #
- bare: clean
-- rm -f $(polxml)
-- rm -f $(layerxml)
-- rm -f $(modxml)
-- rm -f $(tunxml)
-- rm -f $(boolxml)
-- rm -f $(mod_conf)
-- rm -f $(booleans)
-- rm -fR $(htmldir)
-- rm -f $(tags)
-+ echo "hehe kde jsem asi tak"
-+ pwd
-+ #rm -f $(polxml)
-+ #rm -f $(layerxml)
-+ #rm -f $(modxml)
-+ #rm -f $(tunxml)
-+ #rm -f $(boolxml)
-+ #rm -f $(mod_conf)
-+ #rm -f $(booleans) 
-+ #rm -fR $(htmldir)
-+ #rm -f $(tags)
- # don't remove these files if we're given a local root
- ifndef LOCAL_ROOT
- rm -f $(fcsort)
-diff --git a/Rules.modular b/Rules.modular
-index 313d837..ef3c532 100644
---- a/Rules.modular
-+++ b/Rules.modular
-@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
- @echo "Validating policy linking."
- $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
- $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
-+ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
- @echo "Success."
- 
- ########################################
-diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
-index 881a292..80110a4 100644
---- a/config/appconfig-mcs/staff_u_default_contexts
-+++ b/config/appconfig-mcs/staff_u_default_contexts
-@@ -1,7 +1,7 @@
- system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
- system_r:remote_login_t:s0 staff_r:staff_t:s0
- system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
--system_r:crond_t:s0 staff_r:cronjob_t:s0
-+system_r:crond_t:s0 staff_r:staff_t:s0
- system_r:xdm_t:s0 staff_r:staff_t:s0
- staff_r:staff_su_t:s0 staff_r:staff_t:s0
- staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
-diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
-new file mode 100644
-index 0000000..ff32acc
---- /dev/null
-+++ b/config/appconfig-mcs/systemd_contexts
-@@ -0,0 +1 @@
-+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
-diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
-index cacbc93..4f59f94 100644
---- a/config/appconfig-mcs/user_u_default_contexts
-+++ b/config/appconfig-mcs/user_u_default_contexts
-@@ -1,7 +1,7 @@
- system_r:local_login_t:s0 user_r:user_t:s0
- system_r:remote_login_t:s0 user_r:user_t:s0
- system_r:sshd_t:s0 user_r:user_t:s0
--system_r:crond_t:s0 user_r:cronjob_t:s0
-+system_r:crond_t:s0 user_r:user_t:s0
- 
system_r:xdm_t:s0 user_r:user_t:s0
- user_r:user_su_t:s0 user_r:user_t:s0
- user_r:user_sudo_t:s0 user_r:user_t:s0
-diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
-index d387b42..150f281 100644
---- a/config/appconfig-mcs/virtual_domain_context
-+++ b/config/appconfig-mcs/virtual_domain_context
-@@ -1 +1,2 @@
- system_u:system_r:svirt_t:s0
-+system_u:system_r:svirt_tcg_t:s0
-diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
-index 881a292..80110a4 100644
---- a/config/appconfig-mls/staff_u_default_contexts
-+++ b/config/appconfig-mls/staff_u_default_contexts
-@@ -1,7 +1,7 @@
- system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
- system_r:remote_login_t:s0 staff_r:staff_t:s0
- system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
--system_r:crond_t:s0 staff_r:cronjob_t:s0
-+system_r:crond_t:s0 staff_r:staff_t:s0
- system_r:xdm_t:s0 staff_r:staff_t:s0
- staff_r:staff_su_t:s0 staff_r:staff_t:s0
- staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
-diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
-new file mode 100644
-index 0000000..ff32acc
---- /dev/null
-+++ b/config/appconfig-mls/systemd_contexts
-@@ -0,0 +1 @@
-+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
-diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
-index cacbc93..4f59f94 100644
---- a/config/appconfig-mls/user_u_default_contexts
-+++ b/config/appconfig-mls/user_u_default_contexts
-@@ -1,7 +1,7 @@
- system_r:local_login_t:s0 user_r:user_t:s0
- system_r:remote_login_t:s0 user_r:user_t:s0
- system_r:sshd_t:s0 user_r:user_t:s0
--system_r:crond_t:s0 user_r:cronjob_t:s0
-+system_r:crond_t:s0 user_r:user_t:s0
- system_r:xdm_t:s0 user_r:user_t:s0
- user_r:user_su_t:s0 user_r:user_t:s0
- user_r:user_sudo_t:s0 user_r:user_t:s0
-diff --git 
a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
-index c2a5ea8..f63999e 100644
---- a/config/appconfig-standard/staff_u_default_contexts
-+++ b/config/appconfig-standard/staff_u_default_contexts
-@@ -1,7 +1,7 @@
- system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
- system_r:remote_login_t staff_r:staff_t
- system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
--system_r:crond_t staff_r:cronjob_t
-+system_r:crond_t staff_r:staff_t
- system_r:xdm_t staff_r:staff_t
- staff_r:staff_su_t staff_r:staff_t
- staff_r:staff_sudo_t staff_r:staff_t
-diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
-new file mode 100644
-index 0000000..ff32acc
---- /dev/null
-+++ b/config/appconfig-standard/systemd_contexts
-@@ -0,0 +1 @@
-+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
-diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
-index f5bfac3..639555b 100644
---- a/config/appconfig-standard/user_u_default_contexts
-+++ b/config/appconfig-standard/user_u_default_contexts
-@@ -1,7 +1,7 @@
- system_r:local_login_t user_r:user_t
- system_r:remote_login_t user_r:user_t
- system_r:sshd_t user_r:user_t
--system_r:crond_t user_r:cronjob_t
-+system_r:crond_t user_r:user_t
- system_r:xdm_t user_r:user_t
- user_r:user_su_t user_r:user_t
- user_r:user_sudo_t user_r:user_t
-diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
-index c049e10..150f281 100644
---- a/config/appconfig-standard/virtual_domain_context
-+++ b/config/appconfig-standard/virtual_domain_context
-@@ -1 +1,2 @@
--system_u:system_r:svirt_t
-+system_u:system_r:svirt_t:s0
-+system_u:system_r:svirt_tcg_t:s0
-diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
-deleted file mode 100644
-index 5bebd82..0000000
---- a/man/man8/ftpd_selinux.8
-+++ /dev/null
-@@ -1,65 +0,0 @@
--.TH 
"ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" --.SH "NAME" --.PP --ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. --.SH "DESCRIPTION" --.PP --Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. --.SH FILE_CONTEXTS --.PP --SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. --.TP --Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. --.PP --.B --semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" --.TP --.B --restorecon -F -R -v /var/ftp --.TP --Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. --.PP --.B --semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" --.TP --.B --restorecon -F -R -v /var/ftp/incoming -- --.SH BOOLEANS --.PP --SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. --.TP --Allow ftp servers to read and write files with the public_content_rw_t file type. --.PP --.B --setsebool -P allow_ftpd_anon_write on --.TP --Allow ftp servers to read or write files in the user home directories. --.PP --.B --setsebool -P ftp_home_dir on --.TP --Allow ftp servers to read or write all files on the system. --.PP --.B --setsebool -P allow_ftpd_full_access on --.TP --Allow ftp servers to use cifs for public file transfer services. --.PP --.B --setsebool -P allow_ftpd_use_cifs on --.TP --Allow ftp servers to use nfs for public file transfer services. --.PP --.B --setsebool -P allow_ftpd_use_nfs on --.TP --system-config-selinux is a GUI tool available to customize SELinux policy settings. 
--.SH AUTHOR --.PP --This manual page was written by Dan Walsh . -- --.SH "SEE ALSO" --.PP -- --selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) -diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 -deleted file mode 100644 -index e9c43b1..0000000 ---- a/man/man8/git_selinux.8 -+++ /dev/null -@@ -1,109 +0,0 @@ --.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation" --.de EX --.nf --.ft CW --.. --.de EE --.ft R --.fi --.. --.SH "NAME" --git_selinux \- Security Enhanced Linux Policy for the Git daemon. --.SH "DESCRIPTION" --Security-Enhanced Linux secures the Git server via flexible mandatory access --control. --.SH FILE_CONTEXTS --SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. --SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible. --.PP --The following file contexts types are by default defined for Git: --.EX --git_system_content_t --.EE --- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users. --.EX --git_session_content_t --.EE --- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type. --.SH BOOLEANS --SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible. --.PP --Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. 
--.EX
--sudo setsebool -P git_system_enable_homedirs 1
--.EE
--.PP
--Allow the Git system daemon to read system shared repositories on NFS shares.
--.EX
--sudo setsebool -P git_system_use_nfs 1
--.EE
--.PP
--Allow the Git system daemon to read system shared repositories on Samba shares.
--.EX
--sudo setsebool -P git_system_use_cifs 1
--.EE
--.PP
--Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
--.EX
--sudo setsebool -P use_nfs_home_dirs 1
--.EE
--.PP
--Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
--.EX
--sudo setsebool -P use_samba_home_dirs 1
--.EE
--.PP
--To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
--.EX
--sudo setsebool -P git_system_enable_homedirs 1
--.EE
--.PP
--To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
--.EX
--sudo setsebool -P git_session_bind_all_unreserved_ports 1
--.EE
--.SH GIT_SHELL
--The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
--.PP
--To add a new Linux user and map him to this Git shell user domain automatically:
--.EX
--sudo useradd -Z git_shell_u joe
--.EE
--.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
--Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
--.PP
--To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
--.EX
--policy_module(project1, 1.0.0)
--git_content_template(project1)
--.EE
--Next create a file named project1.fc and add a file context specification for the new repository type to it:
--.EX
--/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
--.EE
--Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
--.EX
--make -f /usr/share/selinux/devel/Makefile project.pp
--sudo semodule -i project1.pp
--sudo restorecon -R -v /srv/git/project1
--.EE
--To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
--.EX
--policy_module(project1user, 1.0.0)
--git_role_template(project1user)
--git_content_delegation(project1user_t, git_project1_content_t)
--gen_user(project1user_u, user, project1user_r, s0, s0)
--.EE
--Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
--.EX
--make -f /usr/share/selinux/devel/Makefile project1user.pp
--sudo semodule -i project1user.pp
--sudo useradd -Z project1user_u jane
--.EE
--.PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dominick Grift .
--.SH "SEE ALSO"
--selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
-diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
-deleted file mode 100644
-index 16e8b13..0000000
---- a/man/man8/httpd_selinux.8
-+++ /dev/null
-@@ -1,120 +0,0 @@
--.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
--.SH "NAME"
--httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the httpd server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
--.PP
--The following file contexts types are defined for httpd:
--.EX
--httpd_sys_content_t
--.EE
--- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
--.EX
--httpd_sys_script_exec_t
--.EE
--- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
--.EX
--httpd_sys_content_rw_t
--.EE
--- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
--.EX
--httpd_sys_content_ra_t
--.EE
--- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
--.EX
--httpd_unconfined_script_exec_t
--.EE
--- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
--
--.SH NOTE
--With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
--
--.SH SHARING FILES
--If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
--
--.EX
--setsebool -P allow_httpd_anon_write=1
--.EE
--
--or
--
--.EX
--setsebool -P allow_httpd_sys_script_anon_write=1
--.EE
--
--.SH BOOLEANS
--SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
--.PP
--httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
--
--.EX
--setsebool -P httpd_enable_cgi 1
--.EE
--
--.PP
--SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
--
--.EX
--setsebool -P httpd_enable_homedirs 1
--chcon -R -t httpd_sys_content_t ~user/public_html
--.EE
--
--.PP
--SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
--
--.EX
--setsebool -P httpd_tty_comm 1
--.EE
--
--.PP
--httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
--
--.EX
--setsebool -P httpd_unified 0
--.EE
--
--.PP
--SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
--
--.EX
--setsebool -P httpd_can_sendmail 1
--.PP
--httpd can be configured to turn off internal scripting (PHP). PHP and other
--loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
--
--.EX
--setsebool -P httpd_builtin_scripting 0
--.EE
--
--.PP
--SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
--This would prevent a hacker from breaking into you httpd server and attacking
--other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
--
--.EX
--setsebool -P httpd_can_network_connect 1
--.EE
--
--.PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), httpd(8), chcon(1), setsebool(8)
--
--
-diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
-deleted file mode 100644
-index a8f81c8..0000000
---- a/man/man8/kerberos_selinux.8
-+++ /dev/null
-@@ -1,28 +0,0 @@
--.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
--.SH "NAME"
--kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the system via flexible mandatory access
--control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
--.SH BOOLEANS
--.PP
--You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
--.EX
--setsebool -P allow_kerberos 1
--.EE
--.PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), kerberos(1), chcon(1), setsebool(8)
-diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
-deleted file mode 100644
-index fce0b48..0000000
---- a/man/man8/named_selinux.8
-+++ /dev/null
-@@ -1,30 +0,0 @@
--.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
--.SH "NAME"
--named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the named server via flexible mandatory access
--control.
--.SH BOOLEANS
--SELinux policy is customizable based on least access required. So by
--default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
--.EX
--setsebool -P named_write_master_zones 1
--.EE
--.PP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), named(8), chcon(1), setsebool(8)
--
--
-diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
-deleted file mode 100644
-index 8e30c4c..0000000
---- a/man/man8/nfs_selinux.8
-+++ /dev/null
-@@ -1,31 +0,0 @@
--.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
--.SH "NAME"
--nfs_selinux \- Security Enhanced Linux Policy for NFS
--.SH "DESCRIPTION"
--
--Security Enhanced Linux secures the NFS server via flexible mandatory access
--control.
--.SH BOOLEANS
--SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
--
--.TP
--setsebool -P nfs_export_all_ro 1
--.TP
--If you want to share files read/write you must set the nfs_export_all_rw boolean.
--.TP
--setsebool -P nfs_export_all_rw 1
--
--.TP
--These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
--
--.TP
--If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
--.TP
--setsebool -P use_nfs_home_dirs 1
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), chcon(1), setsebool(8)
-diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8
-deleted file mode 100644
-index 6271c95..0000000
---- a/man/man8/nis_selinux.8
-+++ /dev/null
-@@ -1 +0,0 @@
--.so man8/ypbind_selinux.8
-diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
-deleted file mode 100644
-index ad9ccf5..0000000
---- a/man/man8/rsync_selinux.8
-+++ /dev/null
-@@ -1,52 +0,0 @@
--.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
--.de EX
--.nf
--.ft CW
--..
--.de EE
--.ft R
--.fi
--..
--.SH "NAME"
--rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the rsync server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
--would need to label the directory with the chcon tool.
--.TP
--chcon -t public_content_t /var/rsync
--.TP
--.TP
--To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
--.TP
--semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
--.TP
--This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
--.TP
--/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
--.TP
--Run the restorecon command to apply the changes:
--.TP
--restorecon -R -v /var/rsync/
--.EE
--
--.SH SHARING FILES
--If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
--
--.EX
--setsebool -P allow_rsync_anon_write=1
--.EE
--
--.SH BOOLEANS
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
-diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
-deleted file mode 100644
-index ca702c7..0000000
---- a/man/man8/samba_selinux.8
-+++ /dev/null
-@@ -1,56 +0,0 @@
--.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
--.SH "NAME"
--samba_selinux \- Security Enhanced Linux Policy for Samba
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the Samba server via flexible mandatory access
--control.
--.SH FILE_CONTEXTS
--SELinux requires files to have an extended attribute to define the file type.
--Policy governs the access daemons have to these files.
--If you want to share files other than home directories, those files must be
--labeled samba_share_t. So if you created a special directory /var/eng, you
--would need to label the directory with the chcon tool.
--.TP
--chcon -t samba_share_t /var/eng
--.TP
--To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
--.TP
--semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
--.TP
--This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
--.TP
--/var/eng(/.*)? system_u:object_r:samba_share_t:s0
--.TP
--Run the restorecon command to apply the changes:
--.TP
--restorecon -R -v /var/eng/
--
--.SH SHARING FILES
--If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
--
--setsebool -P allow_smbd_anon_write=1
--
--.SH BOOLEANS
--.br
--SELinux policy is customizable based on least access required. So by
--default SELinux policy turns off SELinux sharing of home directories and
--the use of Samba shares from a remote machine as a home directory.
--.TP
--If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
--.br
--
--setsebool -P samba_enable_home_dirs 1
--.TP
--If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
--.br
--
--setsebool -P use_samba_home_dirs 1
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
-diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
-deleted file mode 100644
-index 5061a5f..0000000
---- a/man/man8/ypbind_selinux.8
-+++ /dev/null
-@@ -1,19 +0,0 @@
--.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
--.SH "NAME"
--ypbind_selinux \- Security Enhanced Linux Policy for NIS.
--.SH "DESCRIPTION"
--
--Security-Enhanced Linux secures the system via flexible mandatory access
--control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
--.SH BOOLEANS
--.TP
--You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
--.TP
--setsebool -P allow_ypbind 1
--.TP
--system-config-selinux is a GUI tool available to customize SELinux policy settings.
--.SH AUTHOR
--This manual page was written by Dan Walsh .
--
--.SH "SEE ALSO"
--selinux(8), ypbind(8), chcon(1), setsebool(8)
-diff --git a/policy/constraints b/policy/constraints
-index 3a45f23..f4754f0 100644
---- a/policy/constraints
-+++ b/policy/constraints
-@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
- or ( t1 == process_uncond_exempt )
- );
- 
-+constrain process dyntransition
-+(
-+ u1 == u2
-+ or ( t1 == can_change_process_identity and t2 == process_user_target )
-+);
-+
-+constrain process dyntransition
-+(
-+ r1 == r2
-+ or ( t1 == can_change_process_identity and t2 == process_user_target )
-+);
-+
- # These permissions do not have ubac constraints:
- # fork
- # setexec
-diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..1afd77b 100644
---- a/policy/flask/access_vectors
-+++ b/policy/flask/access_vectors
-@@ -329,6 +329,7 @@ class process
- execheap
- setkeycreate
- setsockcreate
-+ ptrace_child
- }
- 
- 
-@@ -393,6 +394,13 @@ class system
- syslog_mod
- syslog_console
- module_request
-+ halt
-+ reboot
-+ status
-+ undefined
-+ enable
-+ disable
-+ reload
- }
- 
- #
-@@ -443,10 +451,12 @@ class capability
- class capability2
- {
- mac_override # unused by SELinux
-- mac_admin # unused by SELinux
-+ mac_admin
- syslog
- wake_alarm
-+ epolwakeup
- block_suspend
-+ compromise_kernel
- }
- 
- #
-@@ -690,6 +700,8 @@ class nscd
- shmemhost
- getserv
- shmemserv
-+ getnetgrp
-+ shmemnetgrp
- }
- 
- # Define the access vector interpretation for controlling
-@@ -827,6 +839,9 @@ class kernel_service
- 
- class tun_socket
- inherits socket
-+{
-+ attach_queue
-+}
- 
- class x_pointer
- inherits x_device
-@@ -862,3 +877,18 @@ inherits database
- implement
- execute
- }
-+
-+class service
-+{
-+ start
-+ stop
-+ status
-+ reload
-+ enable
-+ disable
-+}
-+
-+class proxy
-+{
-+ read
-+}
-diff --git a/policy/flask/security_classes b/policy/flask/security_classes
-index 14a4799..db2e4a0 100644
---- a/policy/flask/security_classes
-+++ b/policy/flask/security_classes
-@@ -131,4 +131,11 @@ class db_view # userspace
- class db_sequence # userspace
- class db_language # userspace
- 
-+# systemd services
-+class service
-+
-+# gssd services
-+class proxy
-+
-+
- # FLASK
-diff --git a/policy/global_booleans b/policy/global_booleans
-index 66e85ea..d02654d 100644
---- a/policy/global_booleans
-+++ b/policy/global_booleans
-@@ -6,7 +6,7 @@
- 
- ##
- ##

    --## Enabling secure mode disallows programs, such as -+## disallow programs, such as - ## newrole, from transitioning to administrative - ## user domains. - ##

    -diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..b7e7ea5 100644 ---- a/policy/global_tunables -+++ b/policy/global_tunables -@@ -6,52 +6,59 @@ - - ## - ##

    -+## Deny any process from ptracing or debugging any other processes. -+##

    -+##
    -+gen_tunable(deny_ptrace, false) -+ -+## -+##

    - ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla - ##

    - ##
    --gen_tunable(allow_execheap,false) -+gen_tunable(selinuxuser_execheap,false) - - ## - ##

    --## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") -+## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla - ##

    - ##
    --gen_tunable(allow_execmem,false) -+gen_tunable(deny_execmem,false) - - ## - ##

    --## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") -+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t - ##

    - ##
    --gen_tunable(allow_execmod,false) -+gen_tunable(selinuxuser_execmod,false) - - ## - ##

    --## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") -+## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla - ##

    - ##
    --gen_tunable(allow_execstack,false) -+gen_tunable(selinuxuser_execstack,false) - - ## - ##

    - ## Enable polyinstantiated directory support. - ##

    - ##
    --gen_tunable(allow_polyinstantiation,false) -+gen_tunable(polyinstantiation_enabled,false) - - ## - ##

    - ## Allow system to run with NIS - ##

    - ##
    --gen_tunable(allow_ypbind,false) -+gen_tunable(nis_enabled,false) - - ## - ##

    - ## Allow logging in and using the system from /dev/console. - ##

    - ##
    --gen_tunable(console_login,true) -+gen_tunable(login_console_enabled,true) - - ## - ##

    -@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false) - - ## - ##

    --## Allow email client to various content. --## nfs, samba, removable devices, and user temp --## files --##

    --##
    --gen_tunable(mail_read_content,false) -- --## --##

    - ## Allow any files/directories to be exported read/write via NFS. - ##

    - ##
    -@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false) - - ## - ##

    -+## Support ecryptfs home directories -+##

    -+##
    -+gen_tunable(use_ecryptfs_home_dirs,false) -+ -+## -+##

    -+## Support fusefs home directories -+##

    -+##
    -+gen_tunable(use_fusefs_home_dirs,false) -+ -+## -+##

    - ## Allow users to run TCP servers (bind to ports and accept connection from - ## the same domain and outside users) disabling this forces FTP passive mode - ## and may change other protocols. - ##

    - ##
    --gen_tunable(user_tcp_server,false) -+gen_tunable(selinuxuser_tcp_server,false) -+ -+## -+##

    -+## Allow the mount commands to mount any directory or file. -+##

    -+##
    -+gen_tunable(mount_anyfile, false) -diff --git a/policy/mcs b/policy/mcs -index 216b3d1..275d3d9 100644 ---- a/policy/mcs -+++ b/policy/mcs -@@ -1,4 +1,6 @@ - ifdef(`enable_mcs',` -+default_range dir_file_class_set target low; -+ - # - # Define sensitivities - # -@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats) - # - /proc/pid operations are not constrained. - - mlsconstrain file { read ioctl lock execute execute_no_trans } -- (( h1 dom h2 ) or ( t1 == mcsreadall ) or -- (( t1 != mcs_constrained_type ) and (t2 == domain))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain file { write setattr append unlink link rename } -- (( h1 dom h2 ) or ( t1 == mcswriteall ) or -- (( t1 != mcs_constrained_type ) and (t2 == domain))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain dir { search read ioctl lock } -- (( h1 dom h2 ) or ( t1 == mcsreadall ) or -- (( t1 != mcs_constrained_type ) and (t2 == domain))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain dir { write setattr append unlink link rename add_name remove_name } -- (( h1 dom h2 ) or ( t1 == mcswriteall ) or -- (( t1 != mcs_constrained_type ) and (t2 == domain))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain fifo_file { open } -- (( h1 dom h2 ) or ( t1 == mcsreadall ) or -- (( t1 != mcs_constrained_type ) and ( t2 == domain ))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } -- (( h1 dom h2 ) or ( t1 == mcsreadall ) or -- (( t1 != mcs_constrained_type ) and (t2 == domain))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } -- (( h1 dom h2 ) or ( t1 == mcswriteall ) or -- (( t1 != mcs_constrained_type ) and (t2 == domain))); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - # New filesystem object labels must be dominated by the relabeling subject 
- # clearance, also the objects are single-level. - mlsconstrain file { create relabelto } -- (( h1 dom h2 ) and ( l2 eq h2 )); -+ ((( h1 dom h2 ) and ( l2 eq h2 )) or -+ ( t1 != mcs_constrained_type )); - - # new file labels must be dominated by the relabeling subject clearance - mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } -- ( h1 dom h2 ); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -+ -+mlsconstrain { file lnk_file fifo_file } { create relabelto } -+ (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } -- (( h1 dom h2 ) and ( l2 eq h2 )); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain process { transition dyntransition } -- (( h1 dom h2 ) or ( t1 == mcssetcats )); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain process { ptrace } -- (( h1 dom h2) or ( t1 == mcsptraceall )); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain process { sigkill sigstop } -- (( h1 dom h2 ) or ( t1 == mcskillall )); -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - - mlsconstrain process { signal } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -@@ -135,6 +134,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d - mlsconstrain { db_tuple } { insert relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - -+mlsconstrain context contains -+ (( h1 dom h2 ) and ( l1 domby l2)); -+ - # Access control for any database objects based on MCS rules. 
- mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } - ( h1 dom h2 ); -@@ -166,4 +168,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } - mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } - ( h1 dom h2 ); - -+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind -+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -+ -+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation -+# because the subject in this particular case is the remote domain which is -+# writing data out the network node which is acting as the object -+mlsconstrain { node } { recvfrom sendto } -+ (( l1 dom l2 ) or (t1 != mcs_constrained_type)); -+ -+mlsconstrain { packet peer } { recv } -+ (( l1 dom l2 ) or -+ ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type))); -+ -+# the netif ingress/egress ops, the ingress permission is a "write" operation -+# because the subject in this particular case is the remote domain which is -+# writing data out the network interface which is acting as the object -+mlsconstrain { netif } { egress ingress } -+ (( l1 dom l2 ) or (t1 != mcs_constrained_type)); -+ - ') dnl end enable_mcs -diff --git a/policy/mls b/policy/mls -index d218387..c2541c2 100644 ---- a/policy/mls -+++ b/policy/mls -@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -- ( t1 == mlsnetwrite )); -+ ( t1 == mlsnetwrite ) or -+ ( t2 == mlstrustedobject )); - - # used by netlabel to restrict normal domains to same level connections - mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom -@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv } - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - 
-- -- -- - # - # MLS policy for the process class - # -diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 7a6f06f..5745bb2 100644 ---- a/policy/modules/admin/bootloader.fc -+++ b/policy/modules/admin/bootloader.fc -@@ -1,9 +1,16 @@ -+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) -+/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) -+/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) -+/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) - --/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) --/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -- --/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) - /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) - /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+ -+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) - --/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) -diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index cc8df9d..34c2a4e 100644 ---- a/policy/modules/admin/bootloader.if -+++ b/policy/modules/admin/bootloader.if -@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` - domtrans_pattern($1, bootloader_exec_t, bootloader_t) - ') - -+###################################### -+## -+## Execute bootloader in the caller domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`bootloader_exec',` -+ gen_require(` -+ type bootloader_exec_t; -+ ') -+ -+ can_exec($1, bootloader_exec_t) -+') -+ - ######################################## - ## - ## Execute bootloader interactively and do -@@ -38,16 +56,26 @@ interface(`bootloader_domtrans',` - # - interface(`bootloader_run',` - gen_require(` -- attribute_role bootloader_roles; -+ type bootloader_t; -+ #attribute_role bootloader_roles; - ') - -+ #bootloader_domtrans($1) -+ #roleattribute $2 bootloader_roles; -+ - bootloader_domtrans($1) -- roleattribute $2 bootloader_roles; -+ -+ role $2 types bootloader_t; -+ -+ ifdef(`distro_redhat',` -+ # for mke2fs -+ mount_run(bootloader_t, $2) -+ ') - ') - - ######################################## - ## --## Execute bootloader in the caller domain. -+## Read the bootloader configuration file. - ## - ## - ## -@@ -55,36 +83,37 @@ interface(`bootloader_run',` - ## - ## - # --interface(`bootloader_exec',` -+interface(`bootloader_read_config',` - gen_require(` -- type bootloader_exec_t; -+ type bootloader_etc_t; - ') - -- corecmd_search_bin($1) -- can_exec($1, bootloader_exec_t) -+ allow $1 bootloader_etc_t:file read_file_perms; - ') - - ######################################## - ## --## Read the bootloader configuration file. -+## Read and write the bootloader -+## configuration file. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`bootloader_read_config',` -+interface(`bootloader_rw_config',` - gen_require(` - type bootloader_etc_t; - ') - -- allow $1 bootloader_etc_t:file read_file_perms; -+ allow $1 bootloader_etc_t:file rw_file_perms; - ') - - ######################################## - ## --## Read and write the bootloader -+## Manage the bootloader - ## configuration file. 
- ## - ## -@@ -94,12 +123,12 @@ interface(`bootloader_read_config',` - ## - ## - # --interface(`bootloader_rw_config',` -+interface(`bootloader_manage_config',` - gen_require(` - type bootloader_etc_t; - ') - -- allow $1 bootloader_etc_t:file rw_file_perms; -+ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t) - ') - - ######################################## -@@ -119,7 +148,7 @@ interface(`bootloader_rw_tmp_files',` - ') - - files_search_tmp($1) -- allow $1 bootloader_tmp_t:file rw_file_perms; -+ allow $1 bootloader_tmp_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -141,3 +170,24 @@ interface(`bootloader_create_runtime_file',` - allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; - files_boot_filetrans($1, boot_runtime_t, file) - ') -+ -+######################################## -+## -+## Type transition files created in /etc -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`bootloader_filetrans_config',` -+ gen_require(` -+ type bootloader_etc_t; -+ ') -+ -+ files_etc_filetrans($1,bootloader_etc_t,file, "grub") -+ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf") -+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") -+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") -+') -diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index e3dbbb8..a99f6e9 100644 ---- a/policy/modules/admin/bootloader.te -+++ b/policy/modules/admin/bootloader.te -@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) - # Declarations - # - --attribute_role bootloader_roles; --roleattribute system_r bootloader_roles; -+#attribute_role bootloader_roles; -+#roleattribute system_r bootloader_roles; - - # - # boot_runtime_t is the type for /boot/kernel.h, -@@ -19,14 +19,21 @@ files_type(boot_runtime_t) - type bootloader_t; - type bootloader_exec_t; - application_domain(bootloader_t, bootloader_exec_t) --role bootloader_roles types bootloader_t; -+#role 
bootloader_roles types bootloader_t; -+role system_r types bootloader_t; -+ -+type bootloader_var_run_t; -+files_pid_file(bootloader_var_run_t) -+ -+type bootloader_var_lib_t; -+files_type(bootloader_var_lib_t) - - # - # bootloader_etc_t is the configuration file, - # grub.conf, lilo.conf, etc. - # - type bootloader_etc_t alias etc_bootloader_t; --files_type(bootloader_etc_t) -+files_config_file(bootloader_etc_t) - - # - # The temp file is used for initrd creation; -@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t) - # bootloader local policy - # - --allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; -+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; - allow bootloader_t self:process { signal_perms execmem }; - allow bootloader_t self:fifo_file rw_fifo_file_perms; - -@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file - # for tune2fs (cjp: ?) 
- files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
- 
-+manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
-+manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
-+files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
-+ 
-+manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
-+files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
-+ 
- kernel_getattr_core_if(bootloader_t)
- kernel_read_network_state(bootloader_t)
- kernel_read_system_state(bootloader_t)
-@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
- 
- fs_getattr_xattr_fs(bootloader_t)
- fs_getattr_tmpfs(bootloader_t)
-+fs_list_hugetlbfs(bootloader_t)
-+fs_list_tmpfs(bootloader_t)
- fs_read_tmpfs_symlinks(bootloader_t)
- #Needed for ia64
- fs_manage_dos_files(bootloader_t)
-@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
- mls_file_write_all_levels(bootloader_t)
- 
- term_getattr_all_ttys(bootloader_t)
-+term_getattr_all_ptys(bootloader_t)
- term_dontaudit_manage_pty_dirs(bootloader_t)
-+term_dontaudit_getattr_generic_ptys(bootloader_t)
-+term_use_unallocated_ttys(bootloader_t)
- 
- corecmd_exec_all_executables(bootloader_t)
- 
-@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
- 
- files_create_boot_dirs(bootloader_t)
- files_manage_boot_files(bootloader_t)
- files_manage_boot_symlinks(bootloader_t)
-+files_manage_kernel_modules(bootloader_t)
- files_read_etc_files(bootloader_t)
- files_exec_etc_files(bootloader_t)
- files_read_usr_src_files(bootloader_t)
- files_read_usr_files(bootloader_t)
- files_read_var_files(bootloader_t)
- files_read_kernel_modules(bootloader_t)
-+files_read_kernel_symbol_table(bootloader_t)
- # for nscd
- files_dontaudit_search_pids(bootloader_t)
- # for blkid.tab
-@@ -111,6 +134,7 @@ 
files_manage_etc_runtime_files(bootloader_t)
- files_etc_filetrans_etc_runtime(bootloader_t, file)
- files_dontaudit_search_home(bootloader_t)
- 
-+ 
- init_getattr_initctl(bootloader_t)
- init_use_script_ptys(bootloader_t)
- init_use_script_fds(bootloader_t)
-@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t)
- 
- libs_read_lib_files(bootloader_t)
- libs_exec_lib_files(bootloader_t)
-+libs_exec_ld_so(bootloader_t)
- 
--logging_send_syslog_msg(bootloader_t)
--logging_rw_generic_logs(bootloader_t)
-+auth_use_nsswitch(bootloader_t)
- 
--miscfiles_read_localization(bootloader_t)
-+logging_send_syslog_msg(bootloader_t)
-+logging_manage_generic_logs(bootloader_t)
- 
- modutils_domtrans_insmod(bootloader_t)
- 
- seutil_read_bin_policy(bootloader_t)
- seutil_read_loadpolicy(bootloader_t)
--seutil_dontaudit_search_config(bootloader_t)
- 
--userdom_use_user_terminals(bootloader_t)
-+userdom_getattr_user_tmpfs_files(bootloader_t)
-+userdom_use_inherited_user_terminals(bootloader_t)
- userdom_dontaudit_search_user_home_dirs(bootloader_t)
- 
- ifdef(`distro_debian',`
-@@ -166,7 +191,8 @@ ifdef(`distro_redhat',`
- files_manage_isid_type_chr_files(bootloader_t)
- 
- # for mke2fs
-- mount_run(bootloader_t, bootloader_roles)
-+ #mount_run(bootloader_t, bootloader_roles)
-+ mount_domtrans(bootloader_t)
- 
- optional_policy(`
- unconfined_domain(bootloader_t)
-@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
- ')
- 
- optional_policy(`
-+ devicekit_dontaudit_read_pid_files(bootloader_t)
-+')
-+ 
-+optional_policy(`
- fstools_exec(bootloader_t)
- ')
- 
-@@ -183,6 +213,14 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ gpm_getattr_gpmctl(bootloader_t)
-+')
-+ 
-+optional_policy(`
-+ fsadm_manage_pid(bootloader_t)
-+')
-+ 
-+optional_policy(`
- kudzu_domtrans(bootloader_t)
- ')
- 
-@@ -195,17 +233,18 @@ optional_policy(`
- 
- optional_policy(`
- modutils_exec_insmod(bootloader_t)
-- modutils_read_module_deps(bootloader_t)
-- modutils_read_module_config(bootloader_t)
-- 
modutils_exec_insmod(bootloader_t) - modutils_exec_depmod(bootloader_t) - modutils_exec_update_mods(bootloader_t) -+ modutils_domtrans_insmod_uncond(bootloader_t) -+ modutils_list_module_config(bootloader_t) -+ modutils_read_module_deps(bootloader_t) -+ modutils_read_module_config(bootloader_t) - ') - - optional_policy(` -- nscd_use(bootloader_t) -+ rpm_rw_pipes(bootloader_t) - ') - - optional_policy(` -- rpm_rw_pipes(bootloader_t) -+ udev_read_pid_files(bootloader_t) - ') -diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc -index b7f053b..5d4fc31 100644 ---- a/policy/modules/admin/consoletype.fc -+++ b/policy/modules/admin/consoletype.fc -@@ -1,2 +1,4 @@ - - /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) -+ -+/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) -diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if -index 0f57d3b..655d07f 100644 ---- a/policy/modules/admin/consoletype.if -+++ b/policy/modules/admin/consoletype.if -@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, consoletype_exec_t, consoletype_t) -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit consoletype_t $1:socket_class_set { read write }; -- ') - ') - - ######################################## -diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index cd5e005..247259a 100644 ---- a/policy/modules/admin/consoletype.te -+++ b/policy/modules/admin/consoletype.te -@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0) - - type consoletype_t; - type consoletype_exec_t; --init_domain(consoletype_t, consoletype_exec_t) --init_system_domain(consoletype_t, consoletype_exec_t) -+application_domain(consoletype_t, consoletype_exec_t) -+role system_r types consoletype_t; - - ######################################## - # -@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t) - 
mls_file_read_all_levels(consoletype_t) - mls_file_write_all_levels(consoletype_t) - --term_use_all_terms(consoletype_t) -+term_use_all_inherited_terms(consoletype_t) -+term_use_ptmx(consoletype_t) - - init_use_fds(consoletype_t) - init_use_script_ptys(consoletype_t) - init_use_script_fds(consoletype_t) - init_rw_script_pipes(consoletype_t) -+init_rw_inherited_script_tmp_files(consoletype_t) - --userdom_use_user_terminals(consoletype_t) -+userdom_use_inherited_user_terminals(consoletype_t) - - ifdef(`distro_redhat',` - fs_rw_tmpfs_chr_files(consoletype_t) -@@ -79,16 +81,14 @@ optional_policy(` - ') - - optional_policy(` -- files_read_etc_files(consoletype_t) -- firstboot_use_fds(consoletype_t) -- firstboot_rw_pipes(consoletype_t) -+ devicekit_dontaudit_read_pid_files(consoletype_t) -+ devicekit_dontaudit_rw_log(consoletype_t) - ') - - optional_policy(` -- hal_dontaudit_use_fds(consoletype_t) -- hal_dontaudit_rw_pipes(consoletype_t) -- hal_dontaudit_rw_dgram_sockets(consoletype_t) -- hal_dontaudit_write_log(consoletype_t) -+ files_read_etc_files(consoletype_t) -+ firstboot_use_fds(consoletype_t) -+ firstboot_rw_pipes(consoletype_t) - ') - - optional_policy(` -@@ -114,6 +114,7 @@ optional_policy(` - - optional_policy(` - userdom_use_unpriv_users_fds(consoletype_t) -+ userdom_dontaudit_rw_dgram_socket(consoletype_t) - ') - - optional_policy(` -diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc -index d6cc2d9..0685b19 100644 ---- a/policy/modules/admin/dmesg.fc -+++ b/policy/modules/admin/dmesg.fc -@@ -1,2 +1,4 @@ - - /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -+ -+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..17357e5 100644 ---- a/policy/modules/admin/dmesg.te -+++ b/policy/modules/admin/dmesg.te -@@ -9,6 +9,10 @@ type dmesg_t; - type dmesg_exec_t; - init_system_domain(dmesg_t, dmesg_exec_t) - -+ifdef(`enable_mls',` 
-+ init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh) -+') -+ - ######################################## - # - # Local policy -@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config; - - allow dmesg_t self:process signal_perms; - -+kernel_read_system_state(dmesg_t) - kernel_read_kernel_sysctls(dmesg_t) - kernel_read_ring_buffer(dmesg_t) - kernel_clear_ring_buffer(dmesg_t) - kernel_change_ring_buffer_level(dmesg_t) - kernel_list_proc(dmesg_t) - kernel_read_proc_symlinks(dmesg_t) -+kernel_dontaudit_write_kernel_sysctl(dmesg_t) - - dev_read_sysfs(dmesg_t) -+dev_read_kmsg(dmesg_t) - - fs_search_auto_mountpoints(dmesg_t) - -@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t) - logging_send_syslog_msg(dmesg_t) - logging_write_generic_logs(dmesg_t) - --miscfiles_read_localization(dmesg_t) -- - userdom_dontaudit_use_unpriv_user_fds(dmesg_t) --userdom_use_user_terminals(dmesg_t) -+userdom_use_inherited_user_terminals(dmesg_t) -+ -+optional_policy(` -+ abrt_rw_inherited_cache(dmesg_t) -+') - - optional_policy(` - seutil_sigchld_newrole(dmesg_t) -diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc -index 407078f..1a09bea 100644 ---- a/policy/modules/admin/netutils.fc -+++ b/policy/modules/admin/netutils.fc -@@ -1,15 +1,22 @@ - /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) --/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) -+/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - - /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - - /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) -+/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) -+/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) -+/usr/bin/tracepath.* -- 
gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - --/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) -+/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) -+ -+/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) -+/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) - /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) -+/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) - /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) -diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if -index c6ca761..0c86bfd 100644 ---- a/policy/modules/admin/netutils.if -+++ b/policy/modules/admin/netutils.if -@@ -42,6 +42,7 @@ interface(`netutils_run',` - ') - - netutils_domtrans($1) -+ allow $1 netutils_t:process { signal sigkill }; - role $2 types netutils_t; - ') - -@@ -161,6 +162,7 @@ interface(`netutils_run_ping',` - - netutils_domtrans_ping($1) - role $2 types ping_t; -+ allow $1 ping_t:process { signal sigkill }; - ') - - ######################################## -@@ -183,13 +185,14 @@ interface(`netutils_run_ping',` - interface(`netutils_run_ping_cond',` - gen_require(` - type ping_t; -- bool user_ping; -+ bool selinuxuser_ping; - ') - - role $2 types ping_t; - -- if ( user_ping ) { -+ if ( selinuxuser_ping ) { - netutils_domtrans_ping($1) -+ allow $1 ping_t:process { signal sigkill }; - } - ') - -@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',` - ') - - netutils_domtrans_traceroute($1) -+ allow $1 traceroute_t:process { signal sigkill }; - role $2 types traceroute_t; - ') - -@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',` - interface(`netutils_run_traceroute_cond',` - gen_require(` 
- type traceroute_t; -- bool user_ping; -+ bool selinuxuser_ping; - ') - - role $2 types traceroute_t; - -- if( user_ping ) { -+ if( selinuxuser_ping ) { - netutils_domtrans_traceroute($1) -+ allow $1 traceroute_t:process { signal sigkill }; - } - ') - -diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index 8128de8..b0a385b 100644 ---- a/policy/modules/admin/netutils.te -+++ b/policy/modules/admin/netutils.te -@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2) - - ## - ##

    --## Control users use of ping and traceroute -+## Allow confined users the ability to execute the ping and traceroute commands. - ##

    - ##
    --gen_tunable(user_ping, false) -+gen_tunable(selinuxuser_ping, false) - - type netutils_t; - type netutils_exec_t; -@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms; - allow netutils_t self:udp_socket create_socket_perms; - allow netutils_t self:tcp_socket create_stream_socket_perms; - allow netutils_t self:socket create_socket_perms; -+allow netutils_t self:netlink_socket create_socket_perms; - - manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) - manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) - files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) - - kernel_search_proc(netutils_t) --kernel_read_network_state(netutils_t) - kernel_read_all_sysctls(netutils_t) -+kernel_read_network_state(netutils_t) -+kernel_request_load_module(netutils_t) - --corenet_all_recvfrom_unlabeled(netutils_t) - corenet_all_recvfrom_netlabel(netutils_t) - corenet_tcp_sendrecv_generic_if(netutils_t) - corenet_raw_sendrecv_generic_if(netutils_t) -@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t) - corenet_udp_bind_generic_node(netutils_t) - - dev_read_sysfs(netutils_t) -+dev_read_usbmon_dev(netutils_t) -+dev_write_usbmon_dev(netutils_t) -+dev_rw_generic_usb_dev(netutils_t) - - fs_getattr_xattr_fs(netutils_t) - -@@ -82,10 +86,9 @@ auth_use_nsswitch(netutils_t) - - logging_send_syslog_msg(netutils_t) - --miscfiles_read_localization(netutils_t) - - term_dontaudit_use_console(netutils_t) --userdom_use_user_terminals(netutils_t) -+userdom_use_inherited_user_terminals(netutils_t) - userdom_use_all_users_fds(netutils_t) - - optional_policy(` -@@ -106,13 +109,14 @@ optional_policy(` - # - - allow ping_t self:capability { setuid net_raw }; -+allow ping_t self:process setcap; -+ - dontaudit ping_t self:capability sys_tty_config; - allow ping_t self:tcp_socket create_socket_perms; --allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; --allow ping_t self:packet_socket { create ioctl read 
write bind getopt setopt }; -+allow ping_t self:rawip_socket create_socket_perms; -+allow ping_t self:packet_socket create_socket_perms; - allow ping_t self:netlink_route_socket create_netlink_socket_perms; - --corenet_all_recvfrom_unlabeled(ping_t) - corenet_all_recvfrom_netlabel(ping_t) - corenet_tcp_sendrecv_generic_if(ping_t) - corenet_raw_sendrecv_generic_if(ping_t) -@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t) - corenet_tcp_sendrecv_all_ports(ping_t) - - fs_dontaudit_getattr_xattr_fs(ping_t) -+fs_dontaudit_rw_anon_inodefs_files(ping_t) - - domain_use_interactive_fds(ping_t) - -@@ -129,14 +134,13 @@ files_read_etc_files(ping_t) - files_dontaudit_search_var(ping_t) - - kernel_read_system_state(ping_t) -+kernel_read_network_state(ping_t) - - auth_use_nsswitch(ping_t) - --logging_send_syslog_msg(ping_t) -- --miscfiles_read_localization(ping_t) -+init_rw_inherited_script_tmp_files(ping_t) - --userdom_use_user_terminals(ping_t) -+logging_send_syslog_msg(ping_t) - - ifdef(`hide_broken_symptoms',` - init_dontaudit_use_fds(ping_t) -@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',` - ') - ') - -+term_use_all_inherited_terms(ping_t) -+ -+tunable_policy(`selinuxuser_ping',` -+ term_use_all_ttys(ping_t) -+ term_use_all_ptys(ping_t) -+',` -+ term_dontaudit_use_all_ttys(ping_t) -+ term_dontaudit_use_all_ptys(ping_t) -+') -+ - optional_policy(` - munin_append_log(ping_t) - ') - - optional_policy(` -+ nagios_rw_inerited_tmp_files(ping_t) -+') -+ -+optional_policy(` - pcmcia_use_cardmgr_fds(ping_t) - ') - -@@ -159,6 +177,15 @@ optional_policy(` - hotplug_use_fds(ping_t) - ') - -+optional_policy(` -+ openshift_rw_inherited_content(ping_t) -+ openshift_dontaudit_rw_inherited_fifo_files(ping_t) -+') -+ -+optional_policy(` -+ zabbix_read_tmp(ping_t) -+') -+ - ######################################## - # - # Traceroute local policy -@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; - kernel_read_system_state(traceroute_t) - 
kernel_read_network_state(traceroute_t) - --corenet_all_recvfrom_unlabeled(traceroute_t) - corenet_all_recvfrom_netlabel(traceroute_t) - corenet_tcp_sendrecv_generic_if(traceroute_t) - corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) - domain_use_interactive_fds(traceroute_t) - - files_read_etc_files(traceroute_t) -+files_read_usr_files(traceroute_t) - files_dontaudit_search_var(traceroute_t) - - init_use_fds(traceroute_t) -@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t) - - logging_send_syslog_msg(traceroute_t) - --miscfiles_read_localization(traceroute_t) -- --userdom_use_user_terminals(traceroute_t) - - #rules needed for nmap - dev_read_rand(traceroute_t) - dev_read_urand(traceroute_t) --files_read_usr_files(traceroute_t) -+ -+term_use_all_inherited_terms(traceroute_t) -+ -+tunable_policy(`selinuxuser_ping',` -+ term_use_all_ttys(traceroute_t) -+ term_use_all_ptys(traceroute_t) -+',` -+ term_dontaudit_use_all_ttys(traceroute_t) -+ term_dontaudit_use_all_ptys(traceroute_t) -+') -diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc -index 688abc2..3d89250 100644 ---- a/policy/modules/admin/su.fc -+++ b/policy/modules/admin/su.fc -@@ -3,3 +3,4 @@ - - /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) - /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) -diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..025c177 100644 ---- a/policy/modules/admin/su.if -+++ b/policy/modules/admin/su.if -@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', ` - - logging_send_syslog_msg($1_su_t) - -- miscfiles_read_localization($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. 
Fedora -@@ -119,11 +118,6 @@ template(`su_restricted_domain_template', ` - userdom_spec_domtrans_unpriv_users($1_su_t) - ') - -- ifdef(`hide_broken_symptoms',` -- # dontaudit leaked sockets from parent -- dontaudit $1_su_t $2:socket_class_set { read write }; -- ') -- - optional_policy(` - cron_read_pipes($1_su_t) - ') -@@ -172,14 +166,6 @@ template(`su_role_template',` - role $2 types $1_su_t; - - allow $3 $1_su_t:process signal; -- -- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; -- dontaudit $1_su_t self:capability sys_tty_config; -- allow $1_su_t self:process { setexec setsched setrlimit }; -- allow $1_su_t self:fifo_file rw_fifo_file_perms; -- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; -- allow $1_su_t self:key { search write }; -- - allow $1_su_t $3:key search; - - # Transition from the user domain to this domain. -@@ -194,125 +180,12 @@ template(`su_role_template',` - allow $3 $1_su_t:process sigchld; - - kernel_read_system_state($1_su_t) -- kernel_read_kernel_sysctls($1_su_t) -- kernel_search_key($1_su_t) -- kernel_link_key($1_su_t) -- -- # for SSP -- dev_read_urand($1_su_t) -- -- fs_search_auto_mountpoints($1_su_t) - -- # needed for pam_rootok -- selinux_compute_access_vector($1_su_t) -- -- auth_domtrans_chk_passwd($1_su_t) -- auth_dontaudit_read_shadow($1_su_t) -- auth_use_nsswitch($1_su_t) -- auth_rw_faillog($1_su_t) -- -- corecmd_search_bin($1_su_t) -- -- domain_use_interactive_fds($1_su_t) -- -- files_read_etc_files($1_su_t) -- files_read_etc_runtime_files($1_su_t) -- files_search_var_lib($1_su_t) -- files_dontaudit_getattr_tmp_dirs($1_su_t) -- -- init_dontaudit_use_fds($1_su_t) -- # Write to utmp. 
-- init_rw_utmp($1_su_t) -+ auth_use_pam($1_su_t) - - mls_file_write_all_levels($1_su_t) - - logging_send_syslog_msg($1_su_t) -- -- miscfiles_read_localization($1_su_t) -- -- userdom_use_user_terminals($1_su_t) -- userdom_search_user_home_dirs($1_su_t) -- -- ifdef(`distro_redhat',` -- # RHEL5 and possibly newer releases incl. Fedora -- auth_domtrans_upd_passwd($1_su_t) -- -- optional_policy(` -- locallogin_search_keys($1_su_t) -- ') -- ') -- -- ifdef(`distro_rhel4',` -- domain_role_change_exemption($1_su_t) -- domain_subj_id_change_exemption($1_su_t) -- domain_obj_id_change_exemption($1_su_t) -- -- selinux_get_fs_mount($1_su_t) -- selinux_validate_context($1_su_t) -- selinux_compute_create_context($1_su_t) -- selinux_compute_relabel_context($1_su_t) -- selinux_compute_user_contexts($1_su_t) -- -- # Relabel ttys and ptys. -- term_relabel_all_ttys($1_su_t) -- term_relabel_all_ptys($1_su_t) -- # Close and re-open ttys and ptys to get the fd into the correct domain. -- term_use_all_ttys($1_su_t) -- term_use_all_ptys($1_su_t) -- -- seutil_read_config($1_su_t) -- seutil_read_default_contexts($1_su_t) -- -- if(secure_mode) { -- # Only allow transitions to unprivileged user domains. 
-- userdom_spec_domtrans_unpriv_users($1_su_t)
-- } else {
-- # Allow transitions to all user domains
-- userdom_spec_domtrans_all_users($1_su_t)
-- }
-- 
-- optional_policy(`
-- unconfined_domtrans($1_su_t)
-- unconfined_signal($1_su_t)
-- ')
-- ')
-- 
-- ifdef(`hide_broken_symptoms',`
-- # dontaudit leaked sockets from parent
-- dontaudit $1_su_t $3:socket_class_set { read write };
-- ')
-- 
-- tunable_policy(`allow_polyinstantiation',`
-- fs_mount_xattr_fs($1_su_t)
-- fs_unmount_xattr_fs($1_su_t)
-- ')
-- 
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_search_nfs($1_su_t)
-- ')
-- 
-- tunable_policy(`use_samba_home_dirs',`
-- fs_search_cifs($1_su_t)
-- ')
-- 
-- optional_policy(`
-- cron_read_pipes($1_su_t)
-- ')
-- 
-- optional_policy(`
-- kerberos_use($1_su_t)
-- ')
-- 
-- optional_policy(`
-- # used when the password has expired
-- usermanage_read_crack_db($1_su_t)
-- ')
-- 
-- # Modify .Xauthority file (via xauth program).
-- optional_policy(`
-- xserver_user_home_dir_filetrans_user_xauth($1_su_t)
-- xserver_domtrans_xauth($1_su_t)
-- ')
- ')
- 
- #######################################
-diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
-index 85bb77e..5f38282 100644
---- a/policy/modules/admin/su.te
-+++ b/policy/modules/admin/su.te
-@@ -9,3 +9,82 @@ attribute su_domain_type;
- 
- type su_exec_t;
- corecmd_executable_file(su_exec_t)
-+ 
-+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-+dontaudit su_domain_type self:capability sys_tty_config;
-+allow su_domain_type self:process { setexec setsched setrlimit };
-+allow su_domain_type self:fifo_file rw_fifo_file_perms;
-+allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-+allow su_domain_type self:key { search write };
-+ 
-+kernel_read_kernel_sysctls(su_domain_type)
-+kernel_search_key(su_domain_type)
-+kernel_link_key(su_domain_type)
-+ 
-+# for SSP 
-+dev_read_urand(su_domain_type) -+dev_dontaudit_getattr_all(su_domain_type) -+ -+fs_search_auto_mountpoints(su_domain_type) -+ -+# needed for pam_rootok -+selinux_compute_access_vector(su_domain_type) -+ -+corecmd_search_bin(su_domain_type) -+ -+domain_use_interactive_fds(su_domain_type) -+ -+files_read_etc_files(su_domain_type) -+files_read_etc_runtime_files(su_domain_type) -+files_search_var_lib(su_domain_type) -+files_dontaudit_getattr_tmp_dirs(su_domain_type) -+ -+init_dontaudit_use_fds(su_domain_type) -+# Write to utmp. -+init_rw_utmp(su_domain_type) -+init_read_state(su_domain_type) -+ -+userdom_use_user_terminals(su_domain_type) -+userdom_search_user_home_dirs(su_domain_type) -+userdom_search_admin_dir(su_domain_type) -+ -+ifdef(`distro_redhat',` -+ # RHEL5 and possibly newer releases incl. Fedora -+ auth_domtrans_upd_passwd(su_domain_type) -+ -+ optional_policy(` -+ locallogin_search_keys(su_domain_type) -+ ') -+') -+ -+tunable_policy(`polyinstantiation_enabled',` -+ fs_mount_xattr_fs(su_domain_type) -+ fs_unmount_xattr_fs(su_domain_type) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_search_nfs(su_domain_type) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs(su_domain_type) -+') -+ -+optional_policy(` -+ cron_read_pipes(su_domain_type) -+') -+ -+optional_policy(` -+ kerberos_use(su_domain_type) -+') -+ -+optional_policy(` -+ # used when the password has expired -+ usermanage_read_crack_db(su_domain_type) -+') -+ -+# Modify .Xauthority file (via xauth program). -+optional_policy(` -+ xserver_user_home_dir_filetrans_user_xauth(su_domain_type) -+ xserver_domtrans_xauth(su_domain_type) -+') -diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc -index 7bddc02..2b59ed0 100644 ---- a/policy/modules/admin/sudo.fc -+++ b/policy/modules/admin/sudo.fc -@@ -1,2 +1,4 @@ - - /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) -+ -+/var/db/sudo(/.*)? 
gen_context(system_u:object_r:sudo_db_t,s0) -diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 0960199..aa51ab2 100644 ---- a/policy/modules/admin/sudo.if -+++ b/policy/modules/admin/sudo.if -@@ -32,6 +32,7 @@ template(`sudo_role_template',` - - gen_require(` - type sudo_exec_t; -+ type sudo_db_t; - attribute sudodomain; - ') - -@@ -45,27 +46,13 @@ template(`sudo_role_template',` - domain_interactive_fd($1_sudo_t) - domain_role_change_exemption($1_sudo_t) - role $2 types $1_sudo_t; -+ userdom_home_manager($1_sudo_t) - -- ############################## -- # -- # Local Policy -- # -+ type $1_sudo_tmp_t; -+ files_tmp_file($1_sudo_tmp_t) - -- # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; -- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -- allow $1_sudo_t self:process { setexec setrlimit }; -- allow $1_sudo_t self:fd use; -- allow $1_sudo_t self:fifo_file rw_fifo_file_perms; -- allow $1_sudo_t self:shm create_shm_perms; -- allow $1_sudo_t self:sem create_sem_perms; -- allow $1_sudo_t self:msgq create_msgq_perms; -- allow $1_sudo_t self:msg { send receive }; -- allow $1_sudo_t self:unix_dgram_socket create_socket_perms; -- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_sudo_t self:unix_dgram_socket sendto; -- allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; -+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) - - allow $1_sudo_t $3:key search; - -@@ -75,88 +62,30 @@ template(`sudo_role_template',` - # By default, revert to the calling domain when a shell is executed. 
- corecmd_shell_domtrans($1_sudo_t, $3) - corecmd_bin_domtrans($1_sudo_t, $3) -+ userdom_domtrans_user_home($1_sudo_t, $3) -+ userdom_domtrans_user_tmp($1_sudo_t, $3) -+ domain_entry_file($3, sudo_exec_t) -+ domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3) -+ - allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; - allow $3 $1_sudo_t:process signal_perms; - -- kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_link_key($1_sudo_t) -- -- corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_exec_all_executables($1_sudo_t) -- -- dev_getattr_fs($1_sudo_t) -- dev_read_urand($1_sudo_t) -- dev_rw_generic_usb_dev($1_sudo_t) -- dev_read_sysfs($1_sudo_t) -- -- domain_use_interactive_fds($1_sudo_t) -- domain_sigchld_interactive_fds($1_sudo_t) -- domain_getattr_all_entry_files($1_sudo_t) -- -- files_read_etc_files($1_sudo_t) -- files_read_var_files($1_sudo_t) -- files_read_usr_symlinks($1_sudo_t) -- files_getattr_usr_files($1_sudo_t) -- # for some PAM modules and for cwd -- files_dontaudit_search_home($1_sudo_t) -- files_list_tmp($1_sudo_t) -- -- fs_search_auto_mountpoints($1_sudo_t) -- fs_getattr_xattr_fs($1_sudo_t) -- -- selinux_validate_context($1_sudo_t) -- selinux_compute_relabel_context($1_sudo_t) -- -- term_getattr_pty_fs($1_sudo_t) -- term_relabel_all_ttys($1_sudo_t) -- term_relabel_all_ptys($1_sudo_t) -+ seutil_libselinux_linked($1_sudo_t) - - auth_run_chk_passwd($1_sudo_t, $2) -- # sudo stores a token in the pam_pid directory -- auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - -- init_rw_utmp($1_sudo_t) -- -- logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - -- miscfiles_read_localization($1_sudo_t) -- -- seutil_search_default_contexts($1_sudo_t) -- seutil_libselinux_linked($1_sudo_t) -- -- userdom_spec_domtrans_all_users($1_sudo_t) -- userdom_create_all_users_keys($1_sudo_t) -- userdom_manage_user_home_content_files($1_sudo_t) -- 
userdom_manage_user_home_content_symlinks($1_sudo_t) -- userdom_manage_user_tmp_files($1_sudo_t) -- userdom_manage_user_tmp_symlinks($1_sudo_t) -- userdom_use_user_terminals($1_sudo_t) -- # for some PAM modules and for cwd -- userdom_dontaudit_search_user_home_content($1_sudo_t) -- userdom_dontaudit_search_user_home_dirs($1_sudo_t) -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit $1_sudo_t $3:socket_class_set { read write }; -- ') -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files($1_sudo_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files($1_sudo_t) -- ') -- - optional_policy(` -- dbus_system_bus_client($1_sudo_t) -+ mta_role($2, $1_sudo_t) - ') - - optional_policy(` -- fprintd_dbus_chat($1_sudo_t) -+ kerberos_manage_host_rcache($1_sudo_t) -+ kerberos_read_config($1_sudo_t) - ') - - ') -@@ -178,3 +107,22 @@ interface(`sudo_sigchld',` - - allow $1 sudodomain:process sigchld; - ') -+ -+####################################### -+## -+## Allow execute sudo in called domain. -+## This interfaces is added for nova-stack policy. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sudo_exec',` -+ gen_require(` -+ type sudo_exec_t; -+ ') -+ -+ can_exec($1, sudo_exec_t) -+') -diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..fc6d1d3 100644 ---- a/policy/modules/admin/sudo.te -+++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,100 @@ attribute sudodomain; - - type sudo_exec_t; - application_executable_file(sudo_exec_t) -+ -+type sudo_db_t; -+files_type(sudo_db_t) -+mls_trusted_object(sudo_db_t) -+ -+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t) -+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t) -+ -+############################## -+# -+# Local Policy -+# -+ -+# Use capabilities. 
-+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource }; -+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow sudodomain self:process { setexec setrlimit }; -+allow sudodomain self:fd use; -+allow sudodomain self:fifo_file rw_fifo_file_perms; -+allow sudodomain self:shm create_shm_perms; -+allow sudodomain self:sem create_sem_perms; -+allow sudodomain self:msgq create_msgq_perms; -+allow sudodomain self:msg { send receive }; -+allow sudodomain self:unix_dgram_socket create_socket_perms; -+allow sudodomain self:unix_stream_socket create_stream_socket_perms; -+allow sudodomain self:unix_dgram_socket sendto; -+allow sudodomain self:unix_stream_socket connectto; -+allow sudodomain self:key manage_key_perms; -+ -+kernel_getattr_core_if(sudodomain) -+kernel_link_key(sudodomain) -+kernel_read_kernel_sysctls(sudodomain) -+ -+corecmd_read_bin_symlinks(sudodomain) -+corecmd_exec_all_executables(sudodomain) -+ -+dev_getattr_fs(sudodomain) -+dev_read_urand(sudodomain) -+dev_rw_generic_usb_dev(sudodomain) -+dev_read_sysfs(sudodomain) -+dev_dontaudit_getattr_all(sudodomain) -+ -+domain_use_interactive_fds(sudodomain) -+domain_sigchld_interactive_fds(sudodomain) -+domain_getattr_all_entry_files(sudodomain) -+ -+files_read_etc_files(sudodomain) -+files_read_var_files(sudodomain) -+files_read_usr_files(sudodomain) -+# for some PAM modules and for cwd -+files_dontaudit_search_home(sudodomain) -+files_list_tmp(sudodomain) -+ -+fs_search_auto_mountpoints(sudodomain) -+fs_getattr_all_fs(sudodomain) -+ -+selinux_validate_context(sudodomain) -+selinux_compute_relabel_context(sudodomain) -+ -+term_getattr_pty_fs(sudodomain) -+term_relabel_all_ttys(sudodomain) -+term_relabel_all_ptys(sudodomain) -+ -+#auth_run_chk_passwd(sudodomain) -+# sudo stores a token in the pam_pid directory -+auth_manage_pam_pid(sudodomain) -+auth_manage_faillog(sudodomain) -+ 
-+application_signal(sudodomain) -+ -+init_rw_utmp(sudodomain) -+ -+logging_send_audit_msgs(sudodomain) -+logging_set_audit_parameters(sudodomain) -+ -+seutil_read_default_contexts(sudodomain) -+ -+userdom_spec_domtrans_all_users(sudodomain) -+userdom_manage_user_home_content_files(sudodomain) -+userdom_manage_user_home_content_symlinks(sudodomain) -+userdom_manage_user_tmp_files(sudodomain) -+userdom_manage_user_tmp_symlinks(sudodomain) -+userdom_use_user_terminals(sudodomain) -+userdom_signal_all_users(sudodomain) -+userdom_exec_user_home_content_files(sudodomain) -+# for some PAM modules and for cwd -+userdom_search_user_home_content(sudodomain) -+userdom_search_admin_dir(sudodomain) -+userdom_manage_all_users_keys(sudodomain) -+ -+optional_policy(` -+ dbus_system_bus_client(sudodomain) -+') -+ -+optional_policy(` -+ fprintd_dbus_chat(sudodomain) -+') -diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index f82f0ce..204bdc8 100644 ---- a/policy/modules/admin/usermanage.fc -+++ b/policy/modules/admin/usermanage.fc -@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',` - /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) -diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 99e3903..7270808 100644 ---- a/policy/modules/admin/usermanage.if -+++ b/policy/modules/admin/usermanage.if -@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` - - corecmd_search_bin($1) - domtrans_pattern($1, chfn_exec_t, chfn_t) -- -- 
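Review bot: In the sudodomain process rules, `allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setexec and setrlimit, and the very next line `allow sudodomain self:process { setexec setrlimit };` grants them back, so the exclusion list misstates what the domain may do. Drop both from the negated set (`allow sudodomain self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };`) and delete the second line, with a comment that setexec is presumably what sudo's -r/-t context switching needs. `#auth_run_chk_passwd(sudodomain)` is dead code; if `auth_manage_pam_pid` replaced it deliberately, say so in the comment rather than keeping the old call. `corecmd_exec_all_executables(sudodomain)` and `userdom_manage_all_users_keys(sudodomain)` are wide grants that each deserve a one-line why-comment; the keyring one in particular is not obvious from here.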
ifdef(`hide_broken_symptoms',` -- dontaudit chfn_t $1:socket_class_set { read write }; -- ') - ') - - ######################################## -@@ -41,11 +37,16 @@ interface(`usermanage_domtrans_chfn',` - # - interface(`usermanage_run_chfn',` - gen_require(` -- attribute_role chfn_roles; -+ #attribute_role chfn_roles; -+ type chfn_t; - ') - -+ #usermanage_domtrans_chfn($1) -+ #roleattribute $2 chfn_roles; -+ - usermanage_domtrans_chfn($1) -- roleattribute $2 chfn_roles; -+ role $2 types chfn_t; -+ - ') - - ######################################## -@@ -65,10 +66,25 @@ interface(`usermanage_domtrans_groupadd',` - - corecmd_search_bin($1) - domtrans_pattern($1, groupadd_exec_t, groupadd_t) -+') - -- ifdef(`hide_broken_symptoms',` -- dontaudit groupadd_t $1:socket_class_set { read write }; -+######################################## -+## -+## Check access to the groupadd executable. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`usermanage_access_check_groupadd',` -+ gen_require(` -+ type groupadd_exec_t; - ') -+ -+ corecmd_search_bin($1) -+ allow $1 groupadd_exec_t:file { getattr_file_perms execute }; - ') - - ######################################## -@@ -90,11 +106,19 @@ interface(`usermanage_domtrans_groupadd',` - # - interface(`usermanage_run_groupadd',` - gen_require(` -- attribute_role groupadd_roles; -+ type groupadd_t; -+ #attribute_role groupadd_roles; - ') - -+ #usermanage_domtrans_groupadd($1) -+ #roleattribute $2 groupadd_roles; - usermanage_domtrans_groupadd($1) -- roleattribute $2 groupadd_roles; -+ role $2 types groupadd_t; -+ -+ optional_policy(` -+ nscd_run(groupadd_t, $2) -+ ') -+ - ') - - ######################################## -@@ -114,10 +138,6 @@ interface(`usermanage_domtrans_passwd',` - - corecmd_search_bin($1) - domtrans_pattern($1, passwd_exec_t, passwd_t) -- -- ifdef(`hide_broken_symptoms',` -- dontaudit passwd_t $1:socket_class_set { read write }; -- ') - ') - - ######################################## -@@ -174,11 
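Review bot: `usermanage_run_chfn` keeps the superseded lines as comments (`#attribute_role chfn_roles;`, `#usermanage_domtrans_chfn($1)`, `#roleattribute $2 chfn_roles;`) right next to the live `role $2 types chfn_t;`, leaving two contradictory versions of the interface in the file. Delete the commented-out lines; if the reason for dropping the role attribute matters to readers, a single comment such as `# bind the role to chfn_t directly; chfn_roles is no longer declared` says it without dead code. The same pattern repeats in `usermanage_run_groupadd`, `usermanage_run_passwd`, `usermanage_run_admin_passwd` and `usermanage_run_useradd` in this patch.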
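Review bot: `usermanage_access_check_groupadd` grants `groupadd_exec_t:file { getattr_file_perms execute }` with no `execute_no_trans` and no domain transition, which as far as I can tell only satisfies access(2)/stat-style checks on the binary and does not let $1 actually run groupadd in its own domain; that intended limit is the whole point of the interface and the header should say so, since "Check access" alone does not. Suggested description: `## Check access to the groupadd executable (getattr/execute only, for access(2) checks; does not allow running it).` The sibling `usermanage_access_check_passwd` and `usermanage_access_check_useradd` interfaces added in this patch need the same note.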
+194,35 @@ interface(`usermanage_check_exec_passwd',` - # - interface(`usermanage_run_passwd',` - gen_require(` -- attribute_role passwd_roles; -+ type passwd_t; -+ #attribute_role passwd_roles; - ') - -+ #usermanage_domtrans_passwd($1) -+ #roleattribute $2 passwd_roles; -+ - usermanage_domtrans_passwd($1) -- roleattribute $2 passwd_roles; -+ role $2 types passwd_t; -+ auth_run_chk_passwd(passwd_t, $2) -+') -+ -+######################################## -+## -+## Check access to the passwd executable -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`usermanage_access_check_passwd',` -+ gen_require(` -+ type passwd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ allow $1 passwd_exec_t:file { getattr_file_perms execute }; - ') - - ######################################## -@@ -221,11 +265,20 @@ interface(`usermanage_domtrans_admin_passwd',` - # - interface(`usermanage_run_admin_passwd',` - gen_require(` -- attribute_role sysadm_passwd_roles; -+ type sysadm_passwd_t; -+ #attribute_role sysadm_passwd_roles; - ') - -+ #usermanage_domtrans_admin_passwd($1) -+ #roleattribute $2 sysadm_passwd_roles; -+ - usermanage_domtrans_admin_passwd($1) -- roleattribute $2 sysadm_passwd_roles; -+ role $2 types sysadm_passwd_t; -+ -+ optional_policy(` -+ nscd_run(sysadm_passwd_t, $2) -+ ') -+ - ') - - ######################################## -@@ -263,10 +316,6 @@ interface(`usermanage_domtrans_useradd',` - - corecmd_search_bin($1) - domtrans_pattern($1, useradd_exec_t, useradd_t) -- -- ifdef(`hide_broken_symptoms',` -- dontaudit useradd_t $1:socket_class_set { read write }; -- ') - ') - - ######################################## -@@ -306,11 +355,38 @@ interface(`usermanage_check_exec_useradd',` - # - interface(`usermanage_run_useradd',` - gen_require(` -- attribute_role useradd_roles; -+ #attribute_role useradd_roles; -+ type useradd_t; - ') - -+ #usermanage_domtrans_useradd($1) -+ #roleattribute $2 useradd_roles; -+ - usermanage_domtrans_useradd($1) -- roleattribute $2 
useradd_roles; -+ role $2 types useradd_t; -+ -+ optional_policy(` -+ nscd_run(useradd_t, $2) -+ ') -+') -+ -+######################################## -+## -+## Check access to the useradd executable. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`usermanage_access_check_useradd',` -+ gen_require(` -+ type useradd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ allow $1 useradd_exec_t:file { getattr_file_perms execute }; - ') - - ######################################## -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..3053e39 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) - # Declarations - # - --attribute_role chfn_roles; --role system_r types chfn_t; -+#attribute_role chfn_roles; -+#role system_r types chfn_t; - --attribute_role groupadd_roles; -+#attribute_role groupadd_roles; - --attribute_role passwd_roles; --roleattribute system_r passwd_roles; -+#attribute_role passwd_roles; -+#roleattribute system_r passwd_roles; - --attribute_role sysadm_passwd_roles; --roleattribute system_r sysadm_passwd_roles; -+#attribute_role sysadm_passwd_roles; -+#roleattribute system_r sysadm_passwd_roles; - --attribute_role useradd_roles; -+#attribute_role useradd_roles; - - type admin_passwd_exec_t; - files_type(admin_passwd_exec_t) -@@ -25,7 +25,8 @@ type chfn_t; - type chfn_exec_t; - domain_obj_id_change_exemption(chfn_t) - application_domain(chfn_t, chfn_exec_t) --role chfn_roles types chfn_t; -+#role chfn_roles types chfn_t; -+role system_r types chfn_t; - - type crack_t; - type crack_exec_t; -@@ -42,18 +43,22 @@ type groupadd_t; - type groupadd_exec_t; - domain_obj_id_change_exemption(groupadd_t) - init_system_domain(groupadd_t, groupadd_exec_t) --role groupadd_roles types groupadd_t; -+#role groupadd_roles types groupadd_t; -+ - - type passwd_t; - type passwd_exec_t; - 
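Review bot: The usermanage.te declarations hunk comments out `attribute_role chfn_roles;`, `roleattribute system_r passwd_roles;` and the other role-attribute lines instead of removing them, so the file now carries a second, dead declaration set that no longer matches the `.if` side. Delete the `#attribute_role ...` / `#roleattribute ...` / `#role ... types ...` lines outright; a one-line comment at the top of the block (`# roles are bound to the types directly; no role attributes`) is all that is needed if the history matters. The hunk also moves `role system_r types chfn_t;` from the declarations block to just after `application_domain(chfn_t, chfn_exec_t)`, which is fine but worth a mention in the commit message since it reads as a deletion at first glance.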
domain_obj_id_change_exemption(passwd_t) -+domain_system_change_exemption(passwd_t) - application_domain(passwd_t, passwd_exec_t) --role passwd_roles types passwd_t; -+#role passwd_roles types passwd_t; -+role system_r types passwd_t; - - type sysadm_passwd_t; - domain_obj_id_change_exemption(sysadm_passwd_t) - application_domain(sysadm_passwd_t, admin_passwd_exec_t) --role sysadm_passwd_roles types sysadm_passwd_t; -+#role sysadm_passwd_roles types sysadm_passwd_t; -+role system_r types sysadm_passwd_t; - - type sysadm_passwd_tmp_t; - files_tmp_file(sysadm_passwd_tmp_t) -@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t) - type useradd_t; - type useradd_exec_t; - domain_obj_id_change_exemption(useradd_t) -+domain_system_change_exemption(useradd_t) - init_system_domain(useradd_t, useradd_exec_t) --role useradd_roles types useradd_t; -+#role useradd_roles types useradd_t; -+role system_r types useradd_t; -+ -+type useradd_var_run_t; -+files_pid_file(useradd_var_run_t) - - ######################################## - # -@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto; - - kernel_read_system_state(chfn_t) - kernel_read_kernel_sysctls(chfn_t) -+kernel_dontaudit_getattr_core_if(chfn_t) - - selinux_get_fs_mount(chfn_t) - selinux_validate_context(chfn_t) -@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t) - selinux_compute_relabel_context(chfn_t) - selinux_compute_user_contexts(chfn_t) - --term_use_all_ttys(chfn_t) --term_use_all_ptys(chfn_t) -+term_use_all_inherited_ttys(chfn_t) -+term_use_all_inherited_ptys(chfn_t) -+term_getattr_all_ptys(chfn_t) - - fs_getattr_xattr_fs(chfn_t) - fs_search_auto_mountpoints(chfn_t) - - # for SSP - dev_read_urand(chfn_t) -+dev_dontaudit_getattr_all(chfn_t) - --auth_run_chk_passwd(chfn_t, chfn_roles) --auth_dontaudit_read_shadow(chfn_t) --auth_use_nsswitch(chfn_t) -+auth_manage_passwd(chfn_t) -+auth_use_pam(chfn_t) -+#auth_run_chk_passwd(chfn_t, chfn_roles) -+#auth_dontaudit_read_shadow(chfn_t) 
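Review bot: `domain_system_change_exemption(passwd_t)` (and `domain_system_change_exemption(useradd_t)` in the following hunk) is added with no comment; from the interface name this exempts the domain from the constraint on changing the SELinux user to/from system_u, which is a deliberate weakening and should carry a why-comment such as `# passwd run as a user must create /etc/shadow with the system_u identity -- verify`. In the same hunk groupadd_t keeps only `#role groupadd_roles types groupadd_t;` with no replacement role line, while useradd_t (declared through `init_system_domain` just like groupadd_t) gets an explicit `role system_r types useradd_t;`; presumably `init_system_domain` already binds system_r, so either the useradd_t line is redundant or the groupadd_t one is missing -- make the two consistent.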
-+#auth_use_nsswitch(chfn_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(chfn_t) -+corecmd_exec_bin(chfn_t) - - domain_use_interactive_fds(chfn_t) - --files_manage_etc_files(chfn_t) - files_read_etc_runtime_files(chfn_t) - files_dontaudit_search_var(chfn_t) - files_dontaudit_search_home(chfn_t) -@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t) - # /usr/bin/passwd asks for w access to utmp, but it will operate - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(chfn_t) -+init_dontaudit_getattr_initctl(chfn_t) - --miscfiles_read_localization(chfn_t) - - logging_send_syslog_msg(chfn_t) - --# uses unix_chkpwd for checking passwords --seutil_dontaudit_search_config(chfn_t) -+userdom_manage_user_tmp_files(chfn_t) -+userdom_tmp_filetrans_user_tmp(chfn_t, { file }) - - userdom_use_unpriv_users_fds(chfn_t) - # user generally runs this from their home directory, so do not audit a search - # on user home dir - userdom_dontaudit_search_user_home_content(chfn_t) - -+optional_policy(` -+ rssh_exec(chfn_t) -+') -+ -+ -+optional_policy(` -+ # allow to exec tmux -+ screen_exec(chfn_t) -+') -+ - ######################################## - # - # Crack local policy -@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t) - selinux_compute_relabel_context(groupadd_t) - selinux_compute_user_contexts(groupadd_t) - --term_use_all_ttys(groupadd_t) --term_use_all_ptys(groupadd_t) -+term_use_all_inherited_terms(groupadd_t) -+term_getattr_all_ptys(groupadd_t) - - init_use_fds(groupadd_t) - init_read_utmp(groupadd_t) -@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t) - - domain_use_interactive_fds(groupadd_t) - --files_manage_etc_files(groupadd_t) - files_relabel_etc_files(groupadd_t) -+files_read_etc_files(groupadd_t) - files_read_etc_runtime_files(groupadd_t) - files_read_usr_symlinks(groupadd_t) - -@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t) - logging_send_audit_msgs(groupadd_t) - 
logging_send_syslog_msg(groupadd_t) - --miscfiles_read_localization(groupadd_t) - --auth_run_chk_passwd(groupadd_t, groupadd_roles) -+#auth_run_chk_passwd(groupadd_t, groupadd_roles) -+auth_domtrans_chk_passwd(groupadd_t) - auth_rw_lastlog(groupadd_t) - auth_use_nsswitch(groupadd_t) -+auth_manage_passwd(groupadd_t) -+auth_manage_shadow(groupadd_t) - # these may be unnecessary due to the above - # domtrans_chk_passwd() call. --auth_manage_shadow(groupadd_t) - auth_relabel_shadow(groupadd_t) - auth_etc_filetrans_shadow(groupadd_t) - -@@ -253,7 +279,8 @@ optional_policy(` - ') - - optional_policy(` -- nscd_run(groupadd_t, groupadd_roles) -+# nscd_run(groupadd_t, groupadd_roles) -+ nscd_domtrans(groupadd_t) - ') - - optional_policy(` -@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; - allow passwd_t self:sem create_sem_perms; - allow passwd_t self:msgq create_msgq_perms; - allow passwd_t self:msg { send receive }; -+allow passwd_t self:netlink_selinux_socket create_socket_perms; - - allow passwd_t crack_db_t:dir list_dir_perms; - read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) - - # for SSP - dev_read_urand(passwd_t) -+dev_dontaudit_getattr_all(passwd_t) - - fs_getattr_xattr_fs(passwd_t) - fs_search_auto_mountpoints(passwd_t) -@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t) - selinux_compute_relabel_context(passwd_t) - selinux_compute_user_contexts(passwd_t) - --term_use_all_ttys(passwd_t) --term_use_all_ptys(passwd_t) -+term_use_all_inherited_terms(passwd_t) -+term_getattr_all_ptys(passwd_t) - --auth_run_chk_passwd(passwd_t, passwd_roles) -+auth_manage_passwd(passwd_t) - auth_manage_shadow(passwd_t) - auth_relabel_shadow(passwd_t) - auth_etc_filetrans_shadow(passwd_t) --auth_use_nsswitch(passwd_t) -+auth_use_pam(passwd_t) -+ -+#auth_run_chk_passwd(passwd_t, passwd_roles) -+#auth_manage_passwd(passwd_t) -+#auth_manage_shadow(passwd_t) -+#auth_relabel_shadow(passwd_t) 
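Review bot: The groupadd hunk moves `auth_manage_shadow(groupadd_t)` above the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call` and adds `auth_manage_passwd(groupadd_t)` beside it, so the comment now sits over only `auth_relabel_shadow`/`auth_etc_filetrans_shadow` and no longer describes what it was written for; reword it to cover exactly the lines below it, or drop it. The hunk also replaces `auth_run_chk_passwd(groupadd_t, groupadd_roles)` with `auth_domtrans_chk_passwd(groupadd_t)`, which grants the transition but no role, while the matching `usermanage_run_groupadd` interface only adds `nscd_run(groupadd_t, $2)`; if groupadd still needs unix_chkpwd under a user role, `auth_run_chk_passwd(groupadd_t, $2)` belongs in the interface as was done for passwd_t in `usermanage_run_passwd`.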
-+#auth_etc_filetrans_shadow(passwd_t) -+#auth_use_nsswitch(passwd_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(passwd_t) -+corecmd_exec_bin(passwd_t) -+ -+corenet_tcp_connect_kerberos_password_port(passwd_t) - - domain_use_interactive_fds(passwd_t) - - files_read_etc_runtime_files(passwd_t) --files_manage_etc_files(passwd_t) -+files_read_usr_files(passwd_t) - files_search_var(passwd_t) - files_dontaudit_search_pids(passwd_t) - files_relabel_etc_files(passwd_t) - -+term_search_ptys(passwd_t) -+ - # /usr/bin/passwd asks for w access to utmp, but it will operate - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(passwd_t) -@@ -335,12 +376,11 @@ init_use_fds(passwd_t) - logging_send_audit_msgs(passwd_t) - logging_send_syslog_msg(passwd_t) - --miscfiles_read_localization(passwd_t) - - seutil_read_config(passwd_t) - seutil_read_file_contexts(passwd_t) - --userdom_use_user_terminals(passwd_t) -+userdom_use_inherited_user_terminals(passwd_t) - userdom_use_unpriv_users_fds(passwd_t) - # make sure that getcon succeeds - userdom_getattr_all_users(passwd_t) -@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t) - # user generally runs this from their home directory, so do not audit a search - # on user home dir - userdom_dontaudit_search_user_home_content(passwd_t) -+userdom_stream_connect(passwd_t) - - optional_policy(` -- nscd_run(passwd_t, passwd_roles) -+ gnome_exec_keyringd(passwd_t) -+ gnome_manage_cache_home_dir(passwd_t) -+ gnome_stream_connect_gkeyringd(passwd_t) -+') -+ -+optional_policy(` -+ #nscd_run(passwd_t, passwd_roles) -+ nscd_domtrans(passwd_t) - ') - - ######################################## -@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) - fs_getattr_xattr_fs(sysadm_passwd_t) - fs_search_auto_mountpoints(sysadm_passwd_t) - --term_use_all_ttys(sysadm_passwd_t) --term_use_all_ptys(sysadm_passwd_t) -+term_use_all_inherited_terms(sysadm_passwd_t) 
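Review bot: The passwd hunk adds `#auth_run_chk_passwd(passwd_t, passwd_roles)`, `#auth_manage_passwd(passwd_t)`, `#auth_manage_shadow(passwd_t)`, `#auth_relabel_shadow(passwd_t)`, `#auth_etc_filetrans_shadow(passwd_t)` and `#auth_use_nsswitch(passwd_t)` as comments immediately below the live versions of the same calls; they are pure duplicates and should be deleted. `corecmd_exec_bin(passwd_t)` is new and wider than the existing `corecmd_check_exec_shell(passwd_t)`, letting passwd_t run any bin_t binary in its own domain, and the later hunk adds `gnome_exec_keyringd(passwd_t)` separately, so the reason for the general exec grant is not visible here -- add a why-comment or narrow it. `auth_use_nsswitch(passwd_t)` is replaced by `auth_use_pam(passwd_t)`; presumably the PAM interface pulls in nsswitch, but that is worth confirming since passwd still resolves users.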
-+term_getattr_all_ptys(sysadm_passwd_t) - -+auth_manage_passwd(sysadm_passwd_t) - auth_manage_shadow(sysadm_passwd_t) - auth_relabel_shadow(sysadm_passwd_t) - auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) - - domain_use_interactive_fds(sysadm_passwd_t) - --files_manage_etc_files(sysadm_passwd_t) - files_relabel_etc_files(sysadm_passwd_t) - files_read_etc_runtime_files(sysadm_passwd_t) - # for nscd lookups -@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(sysadm_passwd_t) - --miscfiles_read_localization(sysadm_passwd_t) - - logging_send_syslog_msg(sysadm_passwd_t) - --seutil_dontaudit_search_config(sysadm_passwd_t) -- - userdom_use_unpriv_users_fds(sysadm_passwd_t) - # user generally runs this from their home directory, so do not audit a search - # on user home dir - userdom_dontaudit_search_user_home_content(sysadm_passwd_t) - - optional_policy(` -- nscd_run(sysadm_passwd_t, sysadm_passwd_roles) -+ nscd_domtrans(sysadm_passwd_t) -+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) - ') - - ######################################## -@@ -443,7 +489,8 @@ optional_policy(` - # Useradd local policy - # - --allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; -+ - dontaudit useradd_t self:capability sys_tty_config; - allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow useradd_t self:process setfscreate; -@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; - allow useradd_t self:unix_dgram_socket sendto; - allow useradd_t self:unix_stream_socket connectto; - -+manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) 
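Review bot: The useradd capability line grows `sys_ptrace` and `sys_chroot` with no comment, and combined with the existing `domain_read_all_domains_state(useradd_t)` the sys_ptrace grant lets useradd_t read process state across every domain, so the reason should be recorded next to it. Presumably sys_chroot is for the shadow-utils `-R`/`--root` option and sys_ptrace for checking whether a user still has processes (userdel), but I cannot confirm that from here; a comment such as `# sys_chroot: useradd/userdel --root; sys_ptrace: reading other users' /proc entries -- verify` would do. The stray blank line inserted after the `allow` breaks the existing grouping with the `dontaudit useradd_t self:capability sys_tty_config;` line.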
-+manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) -+files_pid_filetrans(useradd_t, useradd_var_run_t, dir) -+ - # for getting the number of groups - kernel_read_kernel_sysctls(useradd_t) - -@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t) - # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. - corecmd_exec_bin(useradd_t) - -+kernel_getattr_core_if(useradd_t) -+dev_dontaudit_getattr_all(useradd_t) -+ - domain_use_interactive_fds(useradd_t) - domain_read_all_domains_state(useradd_t) -+domain_dontaudit_read_all_domains_state(useradd_t) - --files_manage_etc_files(useradd_t) - files_search_var_lib(useradd_t) - files_relabel_etc_files(useradd_t) - files_read_etc_runtime_files(useradd_t) -+files_manage_etc_files(useradd_t) -+files_rw_var_lib_dirs(useradd_t) - - fs_search_auto_mountpoints(useradd_t) - fs_getattr_xattr_fs(useradd_t) - - mls_file_upgrade(useradd_t) -+mls_process_read_to_clearance(useradd_t) - --# Allow access to context for shadow file --selinux_get_fs_mount(useradd_t) --selinux_validate_context(useradd_t) --selinux_compute_access_vector(useradd_t) --selinux_compute_create_context(useradd_t) --selinux_compute_relabel_context(useradd_t) --selinux_compute_user_contexts(useradd_t) -- --term_use_all_ttys(useradd_t) --term_use_all_ptys(useradd_t) -+term_use_all_inherited_terms(useradd_t) -+term_getattr_all_ptys(useradd_t) - --auth_run_chk_passwd(useradd_t, useradd_roles) -+#auth_run_chk_passwd(useradd_t, useradd_roles) -+auth_domtrans_chk_passwd(useradd_t) - auth_rw_lastlog(useradd_t) - auth_rw_faillog(useradd_t) - auth_use_nsswitch(useradd_t) - # these may be unnecessary due to the above - # domtrans_chk_passwd() call. 
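Review bot: `files_pid_filetrans(useradd_t, useradd_var_run_t, dir)` has no name argument, so every directory useradd_t creates under /var/run is labeled useradd_var_run_t, and the only usermanage.fc change visible in this patch is the newusers entry, so nothing relabels that directory on a restorecon. Pass the directory name the tool actually creates, e.g. `files_pid_filetrans(useradd_t, useradd_var_run_t, dir, "NAME")`, and add the matching `/var/run/NAME(/.*)? gen_context(system_u:object_r:useradd_var_run_t,s0)` line to usermanage.fc (the name is not visible from here). The rest of the useradd local policy continues outside this hunk.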
-+auth_manage_passwd(useradd_t) - auth_manage_shadow(useradd_t) - auth_relabel_shadow(useradd_t) - auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t) - logging_send_audit_msgs(useradd_t) - logging_send_syslog_msg(useradd_t) - --miscfiles_read_localization(useradd_t) -+ -+seutil_semanage_policy(useradd_t) -+seutil_manage_file_contexts(useradd_t) -+seutil_manage_config(useradd_t) -+seutil_manage_login_config(useradd_t) -+seutil_manage_default_contexts(useradd_t) - - seutil_read_config(useradd_t) - seutil_read_file_contexts(useradd_t) - seutil_read_default_contexts(useradd_t) --seutil_run_semanage(useradd_t, useradd_roles) --seutil_run_setfiles(useradd_t, useradd_roles) -+seutil_domtrans_semanage(useradd_t) -+seutil_domtrans_setfiles(useradd_t) -+seutil_domtrans_loadpolicy(useradd_t) -+#seutil_manage_bin_policy(useradd_t) -+#seutil_manage_module_store(useradd_t) -+seutil_get_semanage_trans_lock(useradd_t) -+seutil_get_semanage_read_lock(useradd_t) -+#seutil_run_semanage(useradd_t, useradd_roles) -+#seutil_run_setfiles(useradd_t, useradd_roles) - - userdom_use_unpriv_users_fds(useradd_t) - # Add/remove user home directories --userdom_manage_user_home_dirs(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) --userdom_manage_user_home_content_dirs(useradd_t) --userdom_manage_user_home_content_files(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) --userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) -+userdom_manage_home_role(system_r, useradd_t) -+userdom_delete_all_user_home_content(useradd_t) - - optional_policy(` - mta_manage_spool(useradd_t) - ') - --ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_domain(useradd_t) -- ') --') -- - optional_policy(` - apache_manage_all_user_content(useradd_t) - ') -@@ -542,7 +596,12 @@ optional_policy(` - ') - - optional_policy(` -- nscd_run(useradd_t, useradd_roles) -+ nscd_domtrans(useradd_t) -+# nscd_run(useradd_t, useradd_roles) -+') 
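Review bot: This hunk removes `files_manage_etc_files(useradd_t)` from its original position and re-adds the identical line a few lines lower, which is pure churn and should be reverted to keep the diff meaningful. It also deletes the six `selinux_*` lines under `# Allow access to context for shadow file` while `auth_relabel_shadow`, `files_relabel_etc_files` and `mls_file_upgrade` stay, so a short note on why context validation is no longer needed (or where it now comes from) belongs in the commit or a comment. As in the groupadd hunk, `auth_manage_passwd(useradd_t)` lands under the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call`, which no longer describes the lines below it; reword or move the comment.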
-+ -+optional_policy(` -+ openshift_manage_content(useradd_t) - ') - - optional_policy(` -@@ -550,6 +609,11 @@ optional_policy(` - ') - - optional_policy(` -+ rpc_list_nfs_state_data(useradd_t) -+ rpc_read_nfs_state_data(useradd_t) -+') -+ -+optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(useradd_t) - ') -@@ -559,3 +623,12 @@ optional_policy(` - rpm_use_fds(useradd_t) - rpm_rw_pipes(useradd_t) - ') -+ -+optional_policy(` -+ smsd_manage_lib_files(useradd_t) -+ smsd_manage_lib_dirs(useradd_t) -+') -+ -+optional_policy(` -+ stapserver_manage_lib(useradd_t) -+') -diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..c6f4da0 100644 ---- a/policy/modules/apps/seunshare.if -+++ b/policy/modules/apps/seunshare.if -@@ -43,18 +43,18 @@ interface(`seunshare_run',` - role $2 types seunshare_t; - - allow $1 seunshare_t:process signal_perms; -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit seunshare_t $1:tcp_socket rw_socket_perms; -- dontaudit seunshare_t $1:udp_socket rw_socket_perms; -- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; -- ') - ') - - ######################################## - ## --## Role access for seunshare -+## The role template for the seunshare module. - ## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## - ## - ## - ## Role allowed access. 
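Review bot: useradd_t now gets both the transitions (`seutil_domtrans_semanage`, `seutil_domtrans_setfiles`, `seutil_domtrans_loadpolicy`) and direct write access to the policy configuration (`seutil_semanage_policy`, `seutil_manage_file_contexts`, `seutil_manage_config`, `seutil_manage_login_config`, `seutil_manage_default_contexts`, plus the semanage locks); if the semanage_t transition is what performs the login mapping, the direct manage grants let useradd_t rewrite seusers/file_contexts itself and should go, and if they are the replacement for the dropped `unconfined_domain(useradd_t)` under `distro_redhat`, say so in a comment. The `#seutil_manage_bin_policy`, `#seutil_manage_module_store`, `#seutil_run_semanage` and `#seutil_run_setfiles` lines are dead and should be deleted. `userdom_manage_home_role(system_r, useradd_t)` hard-codes system_r while `usermanage_run_useradd` binds `$2`; whether a user role that runs useradd also needs the home-role grants is not clear from here and is worth a comment.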
-@@ -66,15 +66,44 @@ interface(`seunshare_run',` - ## - ## - # --interface(`seunshare_role',` -+interface(`seunshare_role_template',` - gen_require(` -- type seunshare_t; -+ attribute seunshare_domain; -+ type seunshare_exec_t; - ') - -- role $2 types seunshare_t; -+ type $1_seunshare_t, seunshare_domain; -+ application_domain($1_seunshare_t, seunshare_exec_t) -+ role $2 types $1_seunshare_t; - -- seunshare_domtrans($1) -+ kernel_read_system_state($1_seunshare_t) -+ -+ auth_use_nsswitch($1_seunshare_t) -+ -+ logging_send_syslog_msg($1_seunshare_t) -+ -+ mls_process_set_level($1_seunshare_t) -+ -+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) -+ -+ # part of sandboxX.pp -+ optional_policy(` -+ sandbox_x_transition($1_seunshare_t, $2) -+ ') -+ -+ # part of sandbox.pp -+ optional_policy(` -+ sandbox_transition($1_seunshare_t, $2) -+ ') -+ -+ ps_process_pattern($3, $1_seunshare_t) -+ dontaudit $1_seunshare_t $3:file read; -+ allow $3 $1_seunshare_t:process signal_perms; -+ allow $3 $1_seunshare_t:fd use; -+ -+ allow $1_seunshare_t $3:process transition; -+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; - -- ps_process_pattern($2, seunshare_t) -- allow $2 seunshare_t:process signal; -+ corecmd_bin_domtrans($1_seunshare_t, $1_t) -+ corecmd_shell_domtrans($1_seunshare_t, $1_t) - ') -diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..fb30c11 100644 ---- a/policy/modules/apps/seunshare.te -+++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) - # Declarations - # - --type seunshare_t; -+attribute seunshare_domain; - type seunshare_exec_t; --application_domain(seunshare_t, seunshare_exec_t) --role system_r types seunshare_t; - - ######################################## - # - # seunshare local policy - # -+allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice }; -+allow seunshare_domain self:process { fork setexec 
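Review bot: In `seunshare_role_template`, `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` synthesize the user domain from the prefix even though the caller already passes it as `$3` (used in `domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)` and `allow $1_seunshare_t $3:process transition;`), so a prefix whose domain is not literally `$1_t` silently gets a transition to the wrong type; change both to `corecmd_bin_domtrans($1_seunshare_t, $3)` and `corecmd_shell_domtrans($1_seunshare_t, $3)`. The header documents the prefix and role parameters, but I cannot see a parameter entry for `$3` (the user domain) in the visible lines; add one if it is missing. The interface was renamed from `seunshare_role` and its argument order changed, so callers elsewhere in the tree (outside this hunk) must be updated together with it.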
signal getcap setcap setsched }; - --allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; --allow seunshare_t self:process { setexec signal getcap setcap }; -+allow seunshare_domain self:fifo_file rw_file_perms; -+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; - --allow seunshare_t self:fifo_file rw_file_perms; --allow seunshare_t self:unix_stream_socket create_stream_socket_perms; -+corecmd_exec_shell(seunshare_domain) -+corecmd_exec_bin(seunshare_domain) - --corecmd_exec_shell(seunshare_t) --corecmd_exec_bin(seunshare_t) -+dev_read_urand(seunshare_domain) -+dev_dontaudit_rw_dri(seunshare_domain) - --files_read_etc_files(seunshare_t) --files_mounton_all_poly_members(seunshare_t) -+files_search_all(seunshare_domain) -+files_read_etc_files(seunshare_domain) -+files_mounton_all_poly_members(seunshare_domain) -+files_mounton_rootfs(seunshare_domain) -+files_manage_generic_tmp_dirs(seunshare_domain) -+files_relabelfrom_tmp_dirs(seunshare_domain) - --auth_use_nsswitch(seunshare_t) -- --logging_send_syslog_msg(seunshare_t) -- --miscfiles_read_localization(seunshare_t) -- --userdom_use_user_terminals(seunshare_t) -+fs_manage_cgroup_dirs(seunshare_domain) -+fs_manage_cgroup_files(seunshare_domain) -+fs_unmount_all_fs(seunshare_domain) - -+userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain) -+userdom_use_inherited_user_terminals(seunshare_domain) -+userdom_list_user_home_content(seunshare_domain) - ifdef(`hide_broken_symptoms', ` -- fs_dontaudit_rw_anon_inodefs_files(seunshare_t) -+ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) -+ fs_dontaudit_list_inotifyfs(seunshare_domain) -+ -+ optional_policy(` -+ gnome_dontaudit_rw_inherited_config(seunshare_domain) -+ ') - - optional_policy(` -- mozilla_dontaudit_manage_user_home_files(seunshare_t) -+ mozilla_dontaudit_manage_user_home_files(seunshare_domain) -+ mozilla_plugin_dontaudit_leaks(seunshare_domain) - ') - ') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ 
fs_mounton_nfs(seunshare_domain) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_mounton_cifs(seunshare_domain) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_mounton_fusefs(seunshare_domain) -+') -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..6e7dd83 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -1,9 +1,10 @@ - # - # /bin - # --/bin -d gen_context(system_u:object_r:bin_t,s0) -+/bin gen_context(system_u:object_r:bin_t,s0) - /bin/.* gen_context(system_u:object_r:bin_t,s0) - /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) -+/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -46,6 +47,7 @@ ifdef(`distro_redhat',` - /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) - /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) - -+/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0) - /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) - - /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -69,16 +71,25 @@ ifdef(`distro_redhat',` - /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) - /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/etc/redhat-lsb(/.*)? 
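Review bot: The seunshare_domain rules add `sys_admin`, `files_mounton_rootfs`, `fs_unmount_all_fs`, `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` and `files_relabelfrom_tmp_dirs` with no comments, and these are the powerful parts of the domain; each should carry a one-line why-comment, presumably along the lines of `# seunshare sets up a private mount namespace and unmounts the host view -- verify`. The `ifdef(`hide_broken_symptoms'` block now follows `userdom_list_user_home_content(seunshare_domain)` with no blank line, unlike the rest of the file. Since `role system_r types seunshare_t;` is gone and roles now come only from `seunshare_role_template`, a comment on the attribute declaration saying so would save the next reader a search.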
gen_context(system_u:object_r:bin_t,s0) -+ -+/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0) -+/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0) -+/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0) -+/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0) -+ - /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) - - /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) - /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) -+/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) - - ifdef(`distro_redhat',` - /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) - ') - - /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) -+/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -@@ -101,8 +112,6 @@ ifdef(`distro_redhat',` - - /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) - --/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) -- - /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +125,9 @@ ifdef(`distro_redhat',` - - /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+ -+/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0) -+ - /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) - /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) - /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,10 +146,12 @@ ifdef(`distro_debian',` - - /lib/readahead(/.*)? 
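Review bot: `/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0)` omits the `--` file-type field that every sibling entry in this block uses, so it also matches a directory or symlink of that name; write it as `/etc/wdmd\.d/checkquorum\.wdmd -- gen_context(system_u:object_r:bin_t,s0)`. The entry is also wrapped in two blank lines where the file uses one between groups.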
gen_context(system_u:object_r:bin_t,s0) - /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) --/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0) - /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) - /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) - /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0) - - ifdef(`distro_gentoo',` - /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',` - # - # /sbin - # --/sbin -d gen_context(system_u:object_r:bin_t,s0) -+/sbin gen_context(system_u:object_r:bin_t,s0) - /sbin/.* gen_context(system_u:object_r:bin_t,s0) - /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) - /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',` - /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) - -@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',` - /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) - ') - -+/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ - # - # /usr - # -+/usr/bin -d gen_context(system_u:object_r:bin_t,s0) - /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/(.*/)?bin(/.*)? 
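Review bot: `/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)` hard-codes lib64 in a file that otherwise uses `/lib/` and `/usr/lib/` paths, so 32-bit installs get no label from it; use `/usr/lib(64)?/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)` or rely on the directory pattern. The added `/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0)` already covers `pam_krb5_storetmp`, so the explicit `/lib/security/pam_krb5/pam_krb5_storetmp` line above it is now redundant. The hunk also drops `/lib/systemd/systemd.* -- bin_t`; where those binaries are labeled instead is outside this hunk and should be named in the commit message.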
gen_context(system_u:object_r:bin_t,s0) --/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) --/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - --/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) - - /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/qt.*/bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0) - /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) --/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0) --/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) - /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',` - /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) - /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) --/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) --/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/pm-utils(/.*)? 
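Review bot: The new `/usr/lib/jvm/java(.*/)bin(/.*)` entry is the only one in this hunk written without the trailing `?`, so it matches files below a `bin` directory but never the directory itself; since the line added right after it, `/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)`, already covers every such path with the same context, the java line adds nothing and can be dropped, or made consistent as `/usr/lib/jvm/java(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)`. Also worth a second look: `/usr/lib/chromium-browser(/.*)?` labels the whole install tree, data files included, as bin_t, which is broader than the per-binary entries this file uses for thunderbird and xulrunner.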
gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) --/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/upstart(/.*)? 
gen_context(system_u:object_r:bin_t,s0) - /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',` - /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0) -+ - /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',` - - /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) - --/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/Printer(/.*)? 
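Review bot: `/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` combines a directory-recursive regex with the `--` regular-file restriction, so the `pam_krb5` directory itself is never relabeled bin_t, unlike its `/lib/security/pam_krb5(/.*)?` counterpart added earlier in this file, which carries no file-type flag; drop the `--` so the two agree. The nagios entries `utils.sh` and `utils.pm` leave the dot unescaped, so a name such as `utilsXsh` would also match; write them as `/usr/lib/nagios/plugins/utils\.sh` and `/usr/lib/nagios/plugins/utils\.pm`, as `run-session\.d` is escaped a few lines above.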
gen_context(system_u:object_r:bin_t,s0) -+/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) -+/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) -+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ -+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) -+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -276,10 +332,15 @@ ifdef(`distro_gentoo',` - /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) - /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/gitolite3/commands(/.*)? 
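Review bot: Labeling `/usr/sbin/nologin` as shell_exec_t, rather than bin_t like the other /usr/sbin entries added beside it, makes it a shell for every domain that uses the shell_exec_t entry-point and transition interfaces, which seems at odds with a program whose job is to refuse a login; if the intent is only to let login domains execute it as the user shell of locked accounts, that deserves a comment on the line, e.g. `# nologin is shell_exec_t so login domains can exec it as a user shell; it exits at once`. Note also that the `/usr/local/Brother`, `/usr/local/Printer` and `/usr/local/linuxprinter/filters` entries are replaced by `/usr/Brother`, `/usr/Printer` and `/usr/linuxprinter/filters`, a path change rather than an addition; if the /usr/local paths still exist on some installs they lose their bin_t label.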
-- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +355,22 @@ ifdef(`distro_gentoo',` - /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) --/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) -+/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0) - /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) -+/usr/share/wicd/daemon(/.*)? 
gen_context(system_u:object_r:bin_t,s0) - --/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -+/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) - - ifdef(`distro_debian',` - /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +388,27 @@ ifdef(`distro_redhat', ` - /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) - /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) - -+/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) --/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -+#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/createrepo(/.*)? 
gen_context(system_u:object_r:bin_t,s0) -+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -342,6 +416,7 @@ ifdef(`distro_redhat', ` - /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` - # - # /var - # --/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/share/gems(/.*)?/helper-scripts(/.*)? 
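Review bot: `/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels every directory named `scripts` anywhere under /usr/lib, and everything beneath it, as bin_t; that is far broader than the adjacent `/usr/lib/nfs-utils/scripts(/.*)?` and `/usr/lib/tuned/.*/.*\.sh` entries and turns arbitrary package data that happens to live under a `scripts` directory into executables for any domain with corecmd_exec_bin. If a known set of packages is the target, enumerate them the way the nfs-utils line does. Separately, `#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)` is a commented-out entry that should be removed rather than left in the file, and `kajongg.py` needs its dot escaped as `kajongg\.py`, matching the `\.py` entries around it.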
gen_context(system_u:object_r:bin_t,s0) -+ - /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) - - /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` - ifdef(`distro_suse',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) - ') -+ -+# -+# /usr/lib -+# -+ -+/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) -diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..77e6c8c 100644 ---- a/policy/modules/kernel/corecommands.if -+++ b/policy/modules/kernel/corecommands.if -@@ -8,6 +8,22 @@ - ## run init. - ## - -+##################################### -+## -+## corecmd stub bin_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`corecmd_stub_bin',` -+ gen_require(` -+ type bin_t; -+ ') -+') -+ - ######################################## - ## - ## Make the specified type usable for files -@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',` - interface(`corecmd_bin_entry_type',` - gen_require(` - type bin_t; -+ type usr_t; - ') - - domain_entry_file($1, bin_t) -+ domain_entry_file($1, usr_t) - ') - - ######################################## -@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks($1) - search_dirs_pattern($1, bin_t, bin_t) - ') - -@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks($1) - list_dirs_pattern($1, bin_t, bin_t) - ') - -@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',` - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
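Review bot: `domain_entry_file($1, usr_t)` in corecmd_bin_entry_type makes every file labeled usr_t a valid entry point for every domain that calls this interface, so the bin_t labeling maintained in corecommands.fc no longer bounds which programs may enter those domains; any otherwise-unlabeled file under /usr qualifies. If this is a deliberate tolerance for mislabeled /usr content it should be stated in the interface summary, e.g. `## Also accepts usr_t as an entry point so that binaries under /usr that are not labeled bin_t can still enter the domain.`, and ideally placed behind a separate interface so callers that rely on exact labeling do not get it.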
- ## - ## - # -@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks($1) - read_files_pattern($1, bin_t, bin_t) - ') - -@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',` - - ######################################## - ## -+## Do not audit attempts to access check bin files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corecmd_dontaudit_access_check_bin',` -+ gen_require(` -+ type bin_t; -+ ') -+ -+ dontaudit $1 bin_t:file audit_access; -+') -+ -+######################################## -+## - ## Read symbolic links in bin directories. - ## - ## -@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks(bin_t) - read_fifo_files_pattern($1, bin_t, bin_t) - ') - -@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks($1) - read_sock_files_pattern($1, bin_t, bin_t) - ') - -@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',` - read_lnk_files_pattern($1, bin_t, bin_t) - list_dirs_pattern($1, bin_t, bin_t) - can_exec($1, bin_t) -+ -+ ifdef(`enable_mls',`',` -+ files_exec_all_base_ro_files($1) -+ ') - ') - - ######################################## -@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks($1) - manage_files_pattern($1, bin_t, bin_t) - ') - -@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',` - type bin_t; - ') - -+ corecmd_read_bin_symlinks($1) - mmap_files_pattern($1, bin_t, bin_t) - ') - -@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` - interface(`corecmd_bin_spec_domtrans',` - gen_require(` - type bin_t; -+ type usr_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) - domain_transition_pattern($1, bin_t, $2) -+ -+ read_lnk_files_pattern($1, usr_t, usr_t) -+ domain_transition_pattern($1, usr_t, $2) - ') - - ######################################## -@@ -483,10 +534,12 @@ 
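Review bot: The call added to corecmd_read_bin_pipes is `corecmd_read_bin_symlinks(bin_t)`, which passes the bin_t file type where the caller domain is expected, so the domain `$1` still gets no symlink read access while a meaningless rule is generated for bin_t; every other hunk in this file passes `$1`. Change the line to `corecmd_read_bin_symlinks($1)`.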
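Review bot: The `ifdef(`enable_mls',`',` files_exec_all_base_ro_files($1) ')` block added to corecmd_exec_bin lets every non-MLS caller execute any base read-only file type, not just bin_t, so a domain that asked only to run system binaries can now execute files carrying the generic read-only labels (presumably the usr_t/etc_t family; confirm against files.if, which is not in this chunk). The same widening is repeated in corecmd_exec_all_executables later in this file, while both interface summaries still describe bin_t only. Either document the extra grant in the summary, e.g. `## On non-MLS policies this also allows executing all base read-only file types.`, or move it into a separately named interface so callers opt in.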
interface(`corecmd_bin_spec_domtrans',` - interface(`corecmd_bin_domtrans',` - gen_require(` - type bin_t; -+ type usr_t; - ') - - corecmd_bin_spec_domtrans($1, $2) - type_transition $1 bin_t:process $2; -+ type_transition $1 usr_t:process $2; - ') - - ######################################## -@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',` - interface(`corecmd_exec_chroot',` - gen_require(` - type chroot_exec_t; -+ type bin_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) -@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',` - - ######################################## - ## -+## Do not audit attempts to access check executable files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corecmd_dontaudit_access_all_executables',` -+ gen_require(` -+ attribute exec_type; -+ ') -+ -+ dontaudit $1 exec_type:file audit_access; -+') -+ -+######################################## -+## - ## Get the attributes of all executable files. - ## - ## -@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',` - can_exec($1, exec_type) - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, exec_type) -+ -+ ifdef(`enable_mls',`',` -+ files_exec_all_base_ro_files($1) -+ ') - ') - - ######################################## -@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',` - type bin_t; - ') - -+ manage_dirs_pattern($1, bin_t, exec_type) - manage_files_pattern($1, bin_t, exec_type) - manage_lnk_files_pattern($1, bin_t, bin_t) - ') -@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',` - - mmap_files_pattern($1, bin_t, exec_type) - ') -+ -+######################################## -+## -+## Create objects in the /bin directory -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. 
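Review bot: `type_transition $1 usr_t:process $2;` makes executing any usr_t file from `$1` transition automatically into `$2`, so a transition that used to be keyed to a specifically labeled bin_t program now also fires on any unlabeled file under /usr that `$1` happens to execute. Together with the `domain_transition_pattern($1, usr_t, $2)` added to corecmd_bin_spec_domtrans in the previous hunk this widens every caller of corecmd_bin_domtrans; if it is intended, say so in the interface summary (`## The transition also fires on usr_t-labeled executables.`) so that callers which depend on exact labeling can choose a narrower interface.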
-+##
-+##
-+#
-+interface(`corecmd_bin_filetrans',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+
-+ filetrans_pattern($1, bin_t, $2, $3, $4)
-+')
-diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 43090a0..a784e8e 100644
---- a/policy/modules/kernel/corecommands.te
-+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,8 @@ attribute exec_type;
- #
- # bin_t is the type of files in the system bin/sbin directories.
- #
--type bin_t alias { ls_exec_t sbin_t };
-+type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
-+files_ro_base_file(bin_t)
- corecmd_executable_file(bin_t)
- dev_associate(bin_t) #For /dev/MAKEDEV
-
-@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV
- # shell_exec_t is the type of user shells such as /bin/bash.
- #
- type shell_exec_t;
-+files_ro_base_file(shell_exec_t)
- corecmd_executable_file(shell_exec_t)
-
- type chroot_exec_t;
-diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
-index f9b25c1..9af1f7a 100644
---- a/policy/modules/kernel/corenetwork.fc
-+++ b/policy/modules/kernel/corenetwork.fc
-@@ -8,3 +8,6 @@
-
- /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
- /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
-+
-+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
-+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
-diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..38ba47d 100644
---- a/policy/modules/kernel/corenetwork.if.in
-+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
- ')
-
- typeattribute $1 reserved_port_type;
-+ corenet_port($1)
- ')
-
- ########################################
-@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
- ')
-
- typeattribute $1 rpc_port_type;
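Review bot: The alias line folds `unconfined_execmem_exec_t`, `execmem_exec_t`, `java_exec_t` and `mono_exec_t` into bin_t, so any rule elsewhere still written against those names now applies to every bin_t file; a `domtrans_pattern` or `type_transition` keyed on java_exec_t, should one survive in another module, would then fire on executing any system binary. That is worth a comment on the line, e.g. `# legacy execmem/java/mono exec types are aliases of bin_t; do not key transitions on them`, plus a check that no module keeps a transition on these aliases. The new `files_ro_base_file(bin_t)` and `files_ro_base_file(shell_exec_t)` calls also put both types into whatever set the `files_exec_all_base_ro_files` grant added in corecommands.if covers; that interface is defined outside this chunk, so confirm the combined effect is intended.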
-+ corenet_port($1) - ') - - ######################################## -@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',` - - ######################################## - ## -+## Send and receive DCCP network traffic on generic nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_sendrecv_generic_node',` -+ gen_require(` -+ type node_t; -+ ') -+ -+ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on generic nodes. - ## - ## -@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',` - - ######################################## - ## -+## Bind DCCP sockets to generic nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_generic_node',` -+ gen_require(` -+ type node_t; -+ ') -+ -+ allow $1 node_t:dccp_socket node_bind; -+') -+ -+######################################## -+## - ## Bind TCP sockets to generic nodes. - ## - ## -@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',` - - ######################################## - ## -+## Dontaudit attempts to bind TCP sockets to generic nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+## -+# -+interface(`corenet_dontaudit_tcp_bind_generic_node',` -+ gen_require(` -+ type node_t; -+ ') -+ -+ dontaudit $1 node_t:tcp_socket node_bind; -+') -+ -+######################################## -+## -+## Dontaudit attempts to bind UDP sockets to generic nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+## -+# -+interface(`corenet_dontaudit_udp_bind_generic_node',` -+ gen_require(` -+ type node_t; -+ ') -+ -+ dontaudit $1 node_t:udp_socket node_bind; -+') -+ -+######################################## -+## - ## Bind raw sockets to genric nodes. 
- ## - ## -@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',` - - ######################################## - ## -+## Send and receive DCCP network traffic on all nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_sendrecv_all_nodes',` -+ gen_require(` -+ attribute node_type; -+ ') -+ -+ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on all nodes. - ## - ## -@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` - - ######################################## - ## -+## Bind DCCP sockets to all nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_all_nodes',` -+ gen_require(` -+ attribute node_type; -+ ') -+ -+ allow $1 node_type:dccp_socket node_bind; -+') -+ -+######################################## -+## - ## Bind TCP sockets to all nodes. - ## - ## -@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',` - - ######################################## - ## -+## Send and receive DCCP network traffic on generic ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_sendrecv_generic_port',` -+ gen_require(` -+ type port_t, unreserved_port_t, ephemeral_port_t; -+ ') -+ -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on generic ports. 
- ## - ## -@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',` - # - interface(`corenet_tcp_sendrecv_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; -+ ') -+ -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## -+## Do not audit attempts to send and -+## receive DCCP network traffic on -+## generic ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` -+ gen_require(` -+ type port_t, unreserved_port_t, ephemeral_port_t; - ') - -- allow $1 port_t:tcp_socket { send_msg recv_msg }; -+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; - ') - - ######################################## -@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` - # - interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; - ') - -- dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; -+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; - ') - - ######################################## -@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` - # - interface(`corenet_udp_send_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; - ') - -- allow $1 port_t:udp_socket send_msg; -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg; - ') - - ######################################## -@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',` - # - interface(`corenet_udp_receive_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; - ') - -- allow $1 port_t:udp_socket recv_msg; -+ allow $1 { port_t unreserved_port_t ephemeral_port_t 
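Review bot: Widening corenet_tcp_sendrecv_generic_port from `port_t` to `{ port_t unreserved_port_t ephemeral_port_t }` silently extends every existing caller to all unreserved and ephemeral ports, while the interface summary still reads "Send and receive TCP network traffic on generic ports."; the following hunks apply the same widening to the dontaudit, UDP send/receive, bind and connect variants. Update each summary to state what "generic" now covers, e.g. `## Send and receive TCP network traffic on generic, unreserved and ephemeral ports (ports that carry no specific type).`, so a caller choosing between the generic and the all-ports interfaces can tell the difference.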
}:udp_socket recv_msg; - ') - - ######################################## -@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',` - - ######################################## - ## -+## Bind DCCP sockets to generic ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_generic_port',` -+ gen_require(` -+ type port_t, unreserved_port_t, ephemeral_port_t; -+ attribute defined_port_type; -+ ') -+ -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind; -+ dontaudit $1 defined_port_type:dccp_socket name_bind; -+') -+ -+######################################## -+## - ## Bind TCP sockets to generic ports. - ## - ## -@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',` - # - interface(`corenet_tcp_bind_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; - attribute defined_port_type; - ') - -- allow $1 port_t:tcp_socket name_bind; -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; - dontaudit $1 defined_port_type:tcp_socket name_bind; - ') - - ######################################## - ## -+## Do not audit attempts to bind DCCP -+## sockets to generic ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_dccp_bind_generic_port',` -+ gen_require(` -+ type port_t, unreserved_port_t, ephemeral_port_t; -+ ') -+ -+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind; -+') -+ -+######################################## -+## - ## Do not audit bind TCP sockets to generic ports. 
- ## - ## -@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',` - # - interface(`corenet_dontaudit_tcp_bind_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; - ') - -- dontaudit $1 port_t:tcp_socket name_bind; -+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; - ') - - ######################################## -@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` - # - interface(`corenet_udp_bind_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; - attribute defined_port_type; - ') - -- allow $1 port_t:udp_socket name_bind; -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind; - dontaudit $1 defined_port_type:udp_socket name_bind; - ') - - ######################################## - ## -+## Connect DCCP sockets to generic ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_connect_generic_port',` -+ gen_require(` -+ type port_t, unreserved_port_t,ephemeral_port_t; -+ ') -+ -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Connect TCP sockets to generic ports. - ## - ## -@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',` - # - interface(`corenet_tcp_connect_generic_port',` - gen_require(` -- type port_t; -+ type port_t, unreserved_port_t, ephemeral_port_t; -+ ') -+ -+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect; -+') -+ -+######################################## -+## -+## Send and receive DCCP network traffic on all ports. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`corenet_dccp_sendrecv_all_ports',` -+ gen_require(` -+ attribute port_type; - ') - -- allow $1 port_t:tcp_socket name_connect; -+ allow $1 port_type:dccp_socket { send_msg recv_msg }; - ') - - ######################################## -@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',` - - ######################################## - ## -+## Bind DCCP sockets to all ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_all_ports',` -+ gen_require(` -+ attribute port_type; -+ ') -+ -+ allow $1 port_type:dccp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## - ## Bind TCP sockets to all ports. - ## - ## -@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',` - - ######################################## - ## -+## Do not audit attepts to bind DCCP sockets to any ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_dccp_bind_all_ports',` -+ gen_require(` -+ attribute port_type; -+ ') -+ -+ dontaudit $1 port_type:dccp_socket name_bind; -+') -+ -+######################################## -+## - ## Do not audit attepts to bind TCP sockets to any ports. - ## - ## -@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` - - ######################################## - ## -+## Connect DCCP sockets to all ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_connect_all_ports',` -+ gen_require(` -+ attribute port_type; -+ ') -+ -+ allow $1 port_type:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Connect TCP sockets to all ports. - ## - ## -@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',` - - ######################################## - ## -+## Do not audit attempts to connect DCCP sockets -+## to all ports. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`corenet_dontaudit_dccp_connect_all_ports',` -+ gen_require(` -+ attribute port_type; -+ ') -+ -+ dontaudit $1 port_type:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Do not audit attempts to connect TCP sockets - ## to all ports. - ## -@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` - - ######################################## - ## -+## Send and receive DCCP network traffic on generic reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_sendrecv_reserved_port',` -+ gen_require(` -+ type reserved_port_t; -+ ') -+ -+ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on generic reserved ports. - ## - ## -@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',` - - ######################################## - ## --## Bind TCP sockets to generic reserved ports. -+## Bind DCCP sockets to generic reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_reserved_port',` -+ gen_require(` -+ type reserved_port_t; -+ ') -+ -+ allow $1 reserved_port_t:dccp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## -+## Bind TCP sockets to generic reserved ports. - ## - ## - ## -@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',` - - ######################################## - ## -+## Connect DCCP sockets to generic reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_connect_reserved_port',` -+ gen_require(` -+ type reserved_port_t; -+ ') -+ -+ allow $1 reserved_port_t:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Connect TCP sockets to generic reserved ports. 
- ## - ## -@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',` - - ######################################## - ## -+## Send and receive DCCP network traffic on all reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_sendrecv_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on all reserved ports. - ## - ## -@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',` - - ######################################## - ## --## Send and receive UDP network traffic on all reserved ports. -+## Send and receive UDP network traffic on all reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_udp_sendrecv_all_reserved_ports',` -+ corenet_udp_send_all_reserved_ports($1) -+ corenet_udp_receive_all_reserved_ports($1) -+') -+ -+######################################## -+## -+## Bind DCCP sockets to all reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ allow $1 reserved_port_type:dccp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## -+## Bind TCP sockets to all reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_tcp_bind_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ allow $1 reserved_port_type:tcp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## -+## Do not audit attempts to bind DCCP sockets to all reserved ports. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ dontaudit $1 reserved_port_type:dccp_socket name_bind; -+') -+ -+######################################## -+## -+## Do not audit attempts to bind TCP sockets to all reserved ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ dontaudit $1 reserved_port_type:tcp_socket name_bind; -+') -+ -+######################################## -+## -+## Bind UDP sockets to all reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_udp_bind_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ allow $1 reserved_port_type:udp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## -+## Do not audit attempts to bind UDP sockets to all reserved ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ dontaudit $1 reserved_port_type:udp_socket name_bind; -+') -+ -+######################################## -+## -+## Bind DCCP sockets to all ports > 1024. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_all_unreserved_ports',` -+ gen_require(` -+ attribute unreserved_port_type; -+ ') -+ -+ allow $1 unreserved_port_type:dccp_socket name_bind; -+') -+ -+######################################## -+## -+## Bind TCP sockets to all ports > 1024. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`corenet_tcp_bind_all_unreserved_ports',` -+ gen_require(` -+ attribute unreserved_port_type; -+ ') -+ -+ allow $1 unreserved_port_type:tcp_socket name_bind; -+') -+ -+######################################## -+## -+## Bind UDP sockets to all ports > 1024. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_udp_bind_all_unreserved_ports',` -+ gen_require(` -+ attribute unreserved_port_type; -+ ') -+ -+ allow $1 unreserved_port_type:udp_socket name_bind; -+') -+ -+######################################## -+## -+## Bind TCP sockets to all ports > 32768. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_tcp_bind_all_ephemeral_ports',` -+ gen_require(` -+ attribute ephemeral_port_type; -+ ') -+ -+ allow $1 ephemeral_port_type:tcp_socket name_bind; -+') -+ -+######################################## -+## -+## Bind UDP sockets to all ports > 32768. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_udp_bind_all_ephemeral_ports',` -+ gen_require(` -+ attribute ephemeral_port_type; -+ ') -+ -+ allow $1 ephemeral_port_type:udp_socket name_bind; -+') -+ -+######################################## -+## -+## Connect DCCP sockets to reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_connect_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ allow $1 reserved_port_type:dccp_socket name_connect; -+') -+ -+######################################## -+## -+## Connect TCP sockets to reserved ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_tcp_connect_all_reserved_ports',` -+ gen_require(` -+ attribute reserved_port_type; -+ ') -+ -+ allow $1 reserved_port_type:tcp_socket name_connect; -+') -+ -+######################################## -+## -+## Connect DCCP sockets to all ports > 1024. 
- ## - ## - ## -@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',` - ## - ## - # --interface(`corenet_udp_sendrecv_all_reserved_ports',` -- corenet_udp_send_all_reserved_ports($1) -- corenet_udp_receive_all_reserved_ports($1) -+interface(`corenet_dccp_connect_all_unreserved_ports',` -+ gen_require(` -+ attribute unreserved_port_type; -+ ') -+ -+ allow $1 unreserved_port_type:dccp_socket name_connect; - ') - --######################################## -+####################################### - ## --## Bind TCP sockets to all reserved ports. -+## Connect TCP sockets to ports > 1024. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`corenet_tcp_bind_all_reserved_ports',` -- gen_require(` -- attribute reserved_port_type; -- ') -+interface(`corenet_tcp_connect_unreserved_ports',` -+ gen_require(` -+ type unreserved_port_t; -+ ') - -- allow $1 reserved_port_type:tcp_socket name_bind; -- allow $1 self:capability net_bind_service; -+ allow $1 unreserved_port_t:tcp_socket name_connect; - ') - - ######################################## - ## --## Do not audit attempts to bind TCP sockets to all reserved ports. -+## Connect TCP sockets to all ports > 1024. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_unreserved_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute unreserved_port_type; - ') - -- dontaudit $1 reserved_port_type:tcp_socket name_bind; -+ allow $1 unreserved_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Bind UDP sockets to all reserved ports. -+## Connect TCP sockets to all ports > 32768. 
- ## - ## - ## -@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` - ## - ## - # --interface(`corenet_udp_bind_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_ephemeral_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute ephemeral_port_type; - ') - -- allow $1 reserved_port_type:udp_socket name_bind; -- allow $1 self:capability net_bind_service; -+ allow $1 ephemeral_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Do not audit attempts to bind UDP sockets to all reserved ports. -+## Do not audit attempts to connect DCCP sockets -+## all reserved ports. - ## - ## - ## -@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',` - ## - ## - # --interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` -+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - -- dontaudit $1 reserved_port_type:udp_socket name_bind; -+ dontaudit $1 reserved_port_type:dccp_socket name_connect; - ') - - ######################################## - ## --## Bind TCP sockets to all ports > 1024. -+## Do not audit attempts to connect TCP sockets -+## all reserved ports. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`corenet_tcp_bind_all_unreserved_ports',` -+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` - gen_require(` -- attribute unreserved_port_type; -+ attribute reserved_port_type; - ') - -- allow $1 unreserved_port_type:tcp_socket name_bind; -+ dontaudit $1 reserved_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Bind UDP sockets to all ports > 1024. -+## Connect DCCP sockets to rpc ports. 
- ## - ## - ## -@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` - ## - ## - # --interface(`corenet_udp_bind_all_unreserved_ports',` -+interface(`corenet_dccp_connect_all_rpc_ports',` - gen_require(` -- attribute unreserved_port_type; -+ attribute rpc_port_type; - ') - -- allow $1 unreserved_port_type:udp_socket name_bind; -+ allow $1 rpc_port_type:dccp_socket name_connect; - ') - - ######################################## - ## --## Connect TCP sockets to reserved ports. -+## Connect TCP sockets to rpc ports. - ## - ## - ## -@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',` - ## - ## - # --interface(`corenet_tcp_connect_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_rpc_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute rpc_port_type; - ') - -- allow $1 reserved_port_type:tcp_socket name_connect; -+ allow $1 rpc_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Connect TCP sockets to all ports > 1024. -+## Do not audit attempts to connect DCCP sockets -+## all rpc ports. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`corenet_tcp_connect_all_unreserved_ports',` -+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` - gen_require(` -- attribute unreserved_port_type; -+ attribute rpc_port_type; - ') - -- allow $1 unreserved_port_type:tcp_socket name_connect; -+ dontaudit $1 rpc_port_type:dccp_socket name_connect; - ') - - ######################################## - ## - ## Do not audit attempts to connect TCP sockets --## all reserved ports. -+## all rpc ports. 
- ## - ## - ## -@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` - ## - ## - # --interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` -+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` - gen_require(` -- attribute reserved_port_type; -+ attribute rpc_port_type; - ') - -- dontaudit $1 reserved_port_type:tcp_socket name_connect; -+ dontaudit $1 rpc_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Connect TCP sockets to rpc ports. -+## Read and write the TUN/TAP virtual network device. - ## - ## - ## --## Domain allowed access. -+## The domain allowed access. - ## - ## - # --interface(`corenet_tcp_connect_all_rpc_ports',` -+interface(`corenet_rw_tun_tap_dev',` - gen_require(` -- attribute rpc_port_type; -+ type tun_tap_device_t; - ') - -- allow $1 rpc_port_type:tcp_socket name_connect; -+ dev_list_all_dev_nodes($1) -+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to connect TCP sockets --## all rpc ports. -+## Relabel to and from the TUN/TAP virtual network device. - ## - ## - ## --## Domain to not audit. -+## The domain allowed access. - ## - ## - # --interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` -+interface(`corenet_relabel_tun_tap_dev',` - gen_require(` -- attribute rpc_port_type; -+ type tun_tap_device_t; - ') - -- dontaudit $1 rpc_port_type:tcp_socket name_connect; -+ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) - ') - - ######################################## - ## --## Read and write the TUN/TAP virtual network device. -+## Read and write inherited TUN/TAP virtual network device. 
- ## - ## - ## -@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` - ## - ## - # --interface(`corenet_rw_tun_tap_dev',` -+interface(`corenet_rw_inherited_tun_tap_dev',` - gen_require(` - type tun_tap_device_t; - ') - -- dev_list_all_dev_nodes($1) -- allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; -+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## -@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',` - - ######################################## - ## -+## Bind DCCP sockets to all RPC ports. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_bind_all_rpc_ports',` -+ gen_require(` -+ attribute rpc_port_type; -+ ') -+ -+ allow $1 rpc_port_type:dccp_socket name_bind; -+ allow $1 self:capability net_bind_service; -+') -+ -+######################################## -+## - ## Bind TCP sockets to all RPC ports. - ## - ## -@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` - - ######################################## - ## -+## Do not audit attempts to bind DCCP sockets to all RPC ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',` -+ gen_require(` -+ attribute rpc_port_type; -+ ') -+ -+ dontaudit $1 rpc_port_type:dccp_socket name_bind; -+') -+ -+######################################## -+## - ## Do not audit attempts to bind TCP sockets to all RPC ports. - ## - ## -@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',` - - ######################################## - ## -+## Receive DCCP packets from a NetLabel connection. -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`corenet_dccp_recvfrom_netlabel',`
-+ gen_require(`
-+ type netlabel_peer_t;
-+ ')
-+
-+ allow $1 netlabel_peer_t:peer recv;
-+ allow $1 netlabel_peer_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Receive TCP packets from a NetLabel connection.
- ##
- ##
-@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
- 
- ########################################
- ##
--## Receive TCP packets from an unlabled connection.
-+## Receive DCCP packets from an unlabled connection.
- ##
- ##
- ##
-@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
- ##
- ##
- #
--interface(`corenet_tcp_recvfrom_unlabeled',`
-- kernel_tcp_recvfrom_unlabeled($1)
-+interface(`corenet_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+
-+ kernel_dccp_recvfrom_unlabeled($1)
- kernel_recvfrom_unlabeled_peer($1)
- 
-+ typeattribute $1 corenet_unlabeled_type;
- # XXX - at some point the oubound/send access check will be removed
- # but for right now we need to keep this in place so as not to break
- # older systems
-@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
- 
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from a NetLabel
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
-+ gen_require(`
-+ type netlabel_peer_t;
-+ ')
-+
-+ dontaudit $1 netlabel_peer_t:peer recv;
-+ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from a NetLabel
- ## connection.
- ##
-@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
- 
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
-+ kernel_dontaudit_dccp_recvfrom_unlabeled($1)
-+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
-+
-+ # XXX - at some point the oubound/send access check will be removed
-+ # but for right now we need to keep this in place so as not to break
-+ # older systems
-+ kernel_dontaudit_sendrecv_unlabeled_association($1)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from an unlabeled
- ## connection.
- ##
-@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
- ##
- #
- interface(`corenet_all_recvfrom_unlabeled',`
-- kernel_tcp_recvfrom_unlabeled($1)
-- kernel_udp_recvfrom_unlabeled($1)
-- kernel_raw_recvfrom_unlabeled($1)
-- kernel_recvfrom_unlabeled_peer($1)
--
-- # XXX - at some point the oubound/send access check will be removed
-- # but for right now we need to keep this in place so as not to break
-- # older systems
-- kernel_sendrecv_unlabeled_association($1)
-+ gen_require(`
-+ attribute corenet_unlabeled_type;
-+ ')
-+ typeattribute $1 corenet_unlabeled_type;
- ')
- 
- ########################################
-@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
- #
- interface(`corenet_all_recvfrom_netlabel',`
- gen_require(`
-- type netlabel_peer_t;
-+ attribute netlabel_peer_type;
- ')
- 
-- allow $1 netlabel_peer_t:peer recv;
-- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
-+ typeattribute $1 netlabel_peer_type;
-+')
-+
-+########################################
-+##
-+## Enable unlabeled net packets
-+##
-+##
-+##
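Review bot: `corenet_all_recvfrom_unlabeled` now only adds the caller to `corenet_unlabeled_type`, so the `kernel_tcp_recvfrom_unlabeled`, `kernel_udp_recvfrom_unlabeled`, `kernel_raw_recvfrom_unlabeled` and `kernel_recvfrom_unlabeled_peer` grants it used to give are gone unless rules for that attribute exist outside this patch; the only attribute rule visible here is `kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)` in `corenet_enable_unlabeled_packets` in the next hunk, which covers the association check only. The contract also changes: a domain calling this interface no longer receives unlabeled packets by itself, it is switched on for every tagged domain at once when some module calls `corenet_enable_unlabeled_packets`, and the interface description should say so, e.g. `## Access is only granted once corenet_enable_unlabeled_packets() is called.` By contrast `corenet_dccp_recvfrom_unlabeled` in the preceding hunk both tags the domain and calls `kernel_dccp_recvfrom_unlabeled($1)` directly, so the two interfaces follow different models and the difference is worth a comment or a fix.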

    -+## Allow unlabeled_packet_t to be used by all domains that use the network -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`corenet_enable_unlabeled_packets',` -+ gen_require(` -+ attribute corenet_unlabeled_type; -+ ') -+ -+ kernel_sendrecv_unlabeled_association(corenet_unlabeled_type) - ') - - ######################################## -@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',` - ## - # - interface(`corenet_dontaudit_all_recvfrom_unlabeled',` -+ kernel_dontaudit_dccp_recvfrom_unlabeled($1) - kernel_dontaudit_tcp_recvfrom_unlabeled($1) - kernel_dontaudit_udp_recvfrom_unlabeled($1) - kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` - ') - - dontaudit $1 netlabel_peer_t:peer recv; -- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; -+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; -+') -+ -+######################################## -+## -+## Rules for receiving labeled DCCP packets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Peer domain. 
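Review bot: `corenet_enable_unlabeled_packets` documents a `Domain allowed access.` parameter, but its body never uses `$1`; it applies `kernel_sendrecv_unlabeled_association` to the whole `corenet_unlabeled_type` attribute whatever the caller passes. Either the parameter block should be dropped and the summary reworded as a policy-wide switch, or `$1` should appear in the rule. `corenet_all_recvfrom_netlabel` in the same hunk likewise now only adds `netlabel_peer_type`; the `peer recv` and socket `recvfrom` rules for that attribute are not in this patch and presumably live in corenetwork.te, which is worth confirming before the old explicit rules are dropped.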
-+## -+## -+# -+interface(`corenet_dccp_recvfrom_labeled',` -+ allow { $1 $2 } self:association sendto; -+ allow $1 $2:{ association dccp_socket } recvfrom; -+ allow $2 $1:{ association dccp_socket } recvfrom; -+ -+ allow $1 $2:peer recv; -+ allow $2 $1:peer recv; -+ -+ # allow receiving packets from MLS-only peers using NetLabel -+ corenet_dccp_recvfrom_netlabel($1) -+ corenet_dccp_recvfrom_netlabel($2) - ') - - ######################################## -@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',` - ## - # - interface(`corenet_all_recvfrom_labeled',` -+ corenet_dccp_recvfrom_labeled($1, $2) - corenet_tcp_recvfrom_labeled($1, $2) - corenet_udp_recvfrom_labeled($1, $2) - corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',` - - typeattribute $1 corenet_unconfined_type; - ') -+ -+######################################## -+## -+## Create all network named devices with the correct label -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_filetrans_all_named_dev',` -+ -+ gen_require(` -+ type tun_tap_device_t; -+ type ppp_device_t; -+ ') -+ -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap0") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap1") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap2") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap3") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap4") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap5") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap6") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap7") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap8") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap9") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap10") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap11") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap12") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap13") -+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap14") 
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
-+ dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
-+ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
-+')
-diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
-index 8e0f9cd..b9f45b9 100644
---- a/policy/modules/kernel/corenetwork.if.m4
-+++ b/policy/modules/kernel/corenetwork.if.m4
-@@ -631,6 +631,26 @@ interface(`corenet_udp_bind_$1_port',`
- 
- ########################################
- ##
-+## Do not audit attempts to sbind to $1 port.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`corenet_dontaudit_udp_bind_$1_port',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ dontaudit dollarsone $1_$2:udp_socket name_bind;
-+ $4
-+')
-+
-+########################################
-+##
- ## Make a TCP connection to the $1 port.
- ##
- ##
-@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',`
- 
- allow dollarsone $1_$2:tcp_socket name_connect;
- ')
-+########################################
-+##
-+## Do not audit attempts to make a TCP connection to $1 port.
-+##
-+##
-+##
-+## Domain allowed access.
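Review bot: `corenet_filetrans_all_named_dev` enumerates `tap0` through `tap29` by hand, so a device named `tap30` or higher created by the caller is not covered and keeps whatever label the generic /dev transition yields instead of `tun_tap_device_t`; that limit should be stated in the interface, e.g. `## Only tap0..tap29 and ppp receive a named transition; other names fall back to the default device label.` The blank line right after the `interface(` opening also departs from the layout of every other interface in this file. This interface starts in the previous line of the page.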
-+##
-+##
-+#
-+interface(`corenet_dontaudit_tcp_connect_$1_port',`
-+ gen_require(`
-+ $3 $1_$2;
-+ ')
-+
-+ dontaudit dollarsone $1_$2:tcp_socket name_connect;
-+')
- '') dnl end create_port_interfaces
- 
- define(`create_packet_interfaces',``
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..7070ee2 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
- # Declarations
- #
- 
-+attribute netlabel_peer_type;
- attribute client_packet_type;
- # This is an optimization for { port_type -port_t }
- attribute defined_port_type;
-@@ -14,12 +15,14 @@ attribute node_type;
- attribute packet_type;
- attribute port_type;
- attribute reserved_port_type;
-+attribute ephemeral_port_type;
- attribute rpc_port_type;
- attribute server_packet_type;
- # This is an optimization for { port_type -reserved_port_type }
- attribute unreserved_port_type;
- 
- attribute corenet_unconfined_type;
-+attribute corenet_unlabeled_type;
- 
- type ppp_device_t;
- dev_node(ppp_device_t)
-@@ -29,6 +32,7 @@ dev_node(ppp_device_t)
- #
- type tun_tap_device_t;
- dev_node(tun_tap_device_t)
-+mls_trusted_object(tun_tap_device_t)
- 
- ########################################
- #
-@@ -38,6 +42,18 @@ dev_node(tun_tap_device_t)
- #
- # client_packet_t is the default type of IPv4 and IPv6 client packets.
- #
-+type intranet_packet_t;
-+corenet_packet(intranet_packet_t)
-+
-+#
-+# client_packet_t is the default type of IPv4 and IPv6 client packets.
-+#
-+type internet_packet_t;
-+corenet_packet(internet_packet_t)
-+
-+#
-+# client_packet_t is the default type of IPv4 and IPv6 client packets.
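Review bot: `corenet_dontaudit_udp_bind_$1_port` expands `$4` after its dontaudit rule, the same slot the bind interface in the hunk header uses for its optional extra rule; if `$4` carries the `net_bind_service` allow that the bind interfaces receive for reserved ports (not visible in this hunk), a dontaudit interface would then grant a capability, which is not what its name promises, so the `$4` line should be removed here. In the same hunk the summary reads `sbind`, and `corenet_dontaudit_tcp_connect_$1_port` in the following hunk documents its parameter as `Domain allowed access.` where `Domain to not audit.` is meant. That second interface also lacks the blank line before its `########` banner that every other interface in this template has.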
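Review bot: `mls_trusted_object(tun_tap_device_t)` exempts the TUN/TAP device node from the MLS read/write level constraints with no comment saying why, and `mcs_constrained(netlabel_peer_t)` in the `@@ -46,6 +62,7 @@` hunk below changes MCS enforcement on the netlabel peer type just as silently. Both alter what a domain at another level or category set may do with those objects, so each deserves a one-line why-comment naming the cross-level consumer that needs it, in the style of the existing `# This is an optimization for { port_type -port_t }` comments in this file.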
-+#
- type client_packet_t, packet_type, client_packet_type;
- 
- #
-@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type;
- #
- type netlabel_peer_t;
- sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
-+mcs_constrained(netlabel_peer_t)
- 
- #
- # port_t is the default type of INET port numbers.
-@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
- type unreserved_port_t, port_type, unreserved_port_type;
- 
- #
-+# ephemeral_port_t is the default type of ephemeral port numbers.
-+# cat /proc/sys/net/ipv4/ip_local_port_range
-+#
-+type ephemeral_port_t, port_type, ephemeral_port_type;
-+
-+#
- # reserved_port_t is the type of INET port numbers below 1024.
- #
- type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
- network_port(amavisd_recv, tcp,10024,s0)
- network_port(amavisd_send, tcp,10025,s0)
- network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
--network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
-+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
-+network_port(apc, tcp,3052,s0, udp,3052,s0)
- network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
- network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
--network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
- network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
- network_port(audit, tcp,60,s0)
- network_port(auth, tcp,113,s0)
-@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0)
- network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
- network_port(biff) # no defined portcon
- network_port(certmaster, tcp,51235,s0)
-+network_port(collectd, udp,25826,s0)
- network_port(chronyd, udp,323,s0)
- network_port(clamd, tcp,3310,s0)
- network_port(clockspeed, udp,4041,s0)
- network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
- network_port(cma, tcp,1050,s0, udp,1050,s0)
- network_port(cobbler, tcp,25151,s0)
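Review bot: The comment blocks above the new `intranet_packet_t` and `internet_packet_t` declarations both read `# client_packet_t is the default type of IPv4 and IPv6 client packets.`, copied from the block that follows; each should state what its own type labels and who is expected to assign it, which this patch does not say, so the author needs to supply it. Neither new type is declared with the `packet_type, client_packet_type` attributes that `client_packet_t` carries on the next line; `corenet_packet()` may add `packet_type`, but that is not visible here and is worth confirming so the new types are not missed by rules written against the attribute. The enclosing hunk starts in the previous line of the page.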
--network_port(commplex_link, tcp,5001,s0, udp,5001,s0) -+network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0) - network_port(commplex_main, tcp,5000,s0, udp,5000,s0) - network_port(comsat, udp,512,s0) - network_port(condor, tcp,9618,s0, udp,9618,s0) - network_port(couchdb, tcp,5984,s0, udp,5984,s0) --network_port(cslistener, tcp,9000,s0, udp,9000,s0) --network_port(ctdb, tcp,4379,s0, udp,4397,s0) -+network_port(ctdb, tcp,4379,s0, udp,4379,s0) - network_port(cvs, tcp,2401,s0, udp,2401,s0) - network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) - network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, - network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) - network_port(dict, tcp,2628,s0) - network_port(distccd, tcp,3632,s0) --network_port(dns, tcp,53,s0, udp,53,s0) -+network_port(dogtag, tcp,7390,s0) -+network_port(dns, udp,53,s0, tcp,53,s0) -+network_port(dnssec, tcp,8955,s0) -+network_port(echo, tcp,7,s0, udp,7,s0) - network_port(efs, tcp,520,s0) - network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0) - network_port(epmap, tcp,135,s0, udp,135,s0) - network_port(epmd, tcp,4369,s0, udp,4369,s0) - network_port(fingerd, tcp,79,s0) --network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) -+network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) -+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) -+network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) - network_port(ftp_data, tcp,20,s0) - network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) - network_port(gds_db, tcp,3050,s0, udp,3050,s0) - network_port(giftd, tcp,1213,s0) - network_port(git, tcp,9418,s0, udp,9418,s0) -+network_port(glance, tcp,9292,s0, udp,9292,s0) - network_port(glance_registry, tcp,9191,s0, udp,9191,s0) -+network_port(gluster, 
tcp,24007-24027,s0, tcp, 38465-38469,s0) - network_port(gopher, tcp,70,s0, udp,70,s0) - network_port(gpsd, tcp,2947,s0) - network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0) - network_port(hddtemp, tcp,7634,s0) - network_port(howl, tcp,5335,s0, udp,5353,s0) - network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) --network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port --network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy -+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port -+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy - network_port(i18n_input, tcp,9010,s0) - network_port(imaze, tcp,5323,s0, udp,5323,s0) --network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0) - network_port(innd, tcp,119,s0) - network_port(interwise, tcp,7778,s0, udp,7778,s0) - network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) - network_port(ipmi, udp,623,s0, udp,664,s0) - network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) - network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) --network_port(ircd, tcp,6667,s0) 
-+network_port(ircd, tcp,6667,s0, tcp,6697,s0) - network_port(isakmp, udp,500,s0) - network_port(iscsi, tcp,3260,s0) - network_port(isns, tcp,3205,s0, udp,3205,s0) - network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) - network_port(jabber_interserver, tcp,5269,s0) --network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) --network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) --network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) --network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) --network_port(kismet, tcp,2501,s0) -+network_port(jabber_router, tcp,5347,s0) -+network_port(jacorb, tcp,3528,s0, tcp,3529,s0) -+network_port(jboss_debug, tcp,8787,s0, udp,8787,s0) -+network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0) -+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) -+network_port(kerberos_admin, tcp,749,s0) -+network_port(kerberos_password, tcp,464,s0, udp,464,s0) -+network_port(keystone, tcp, 35357,s0, udp, 35357,s0) -+network_port(rlogin, tcp,543,s0, tcp,2105,s0) -+network_port(rtsclient, tcp,2501,s0) - network_port(kprop, tcp,754,s0) - network_port(ktalkd, udp,517,s0, udp,518,s0) --network_port(l2tp, tcp,1701,s0, udp,1701,s0) --network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) -+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) - network_port(lirc, tcp,8765,s0) --network_port(lmtp, tcp,24,s0, udp,24,s0) -+network_port(luci, tcp,8084,s0) -+network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0) - network_port(lrrd) # no defined portcon -+network_port(l2tp, tcp,1701,s0, udp,1701,s0) - network_port(mail, tcp,2000,s0, tcp,3905,s0) - network_port(matahari, tcp,49000,s0, udp,49000,s0) - network_port(memcache, tcp,11211,s0, udp,11211,s0) --network_port(milter) # no 
defined portcon -+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon - network_port(mmcc, tcp,5050,s0, udp,5050,s0) -+network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) - network_port(monopd, tcp,1234,s0) - network_port(mountd, tcp,20048,s0, udp,20048,s0) - network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) - network_port(mpd, tcp,6600,s0) --network_port(msgsrvr, tcp,8787,s0, udp,8787,s0) - network_port(msnp, tcp,1863,s0, udp,1863,s0) - network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) - network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) - network_port(mxi, tcp,8005,s0, udp,8005,s0) - network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) - network_port(mysqlmanagerd, tcp,2273,s0) -+network_port(mythtv, tcp,6543-6544,s0) - network_port(nessus, tcp,1241,s0) - network_port(netport, tcp,3129,s0, udp,3129,s0) - network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) --network_port(nfs, tcp,2049,s0, udp,2049,s0) --network_port(nfsrdma, tcp,20049,s0, udp,20049,s0) -+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0) - network_port(nmbd, udp,137,s0, udp,138,s0) -+network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0) - network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) - network_port(ntp, udp,123,s0) -+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) - network_port(oa_system, tcp,8022,s0, udp,8022,s0) --network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) - network_port(ocsp, tcp,9080,s0) - network_port(openhpid, tcp,4743,s0, udp,4743,s0) - network_port(openvpn, tcp,1194,s0, udp,1194,s0) -+network_port(osapi_compute, tcp, 8774, s0) - network_port(pdps, tcp,1314,s0, udp,1314,s0) - network_port(pegasus_http, tcp,5988,s0) - network_port(pegasus_https, tcp,5989,s0) - network_port(pgpkeyserver, udp, 
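Review bot: The `# no defined portcon` comment on the milter line is now false, since the replacement line declares tcp 8891 and 8893 for it; drop the comment so nobody relies on it, leaving `network_port(milter, tcp,8891,s0, tcp,8893,s0)`. Adding tcp 9000 to http_port_t also widens what every domain with httpd port access may bind or connect to, and 9000 is a common default for unrelated daemons (php-fpm, among others). A comment naming the intended consumer would make the choice reviewable, and if only one service needs it a dedicated port type would be tighter.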
11371,s0, tcp,11371,s0) - network_port(pingd, tcp,9125,s0) -+network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) -+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0) -+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0) -+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0) -+network_port(pki_ra, tcp,12888-12889,s0) -+network_port(pki_tps, tcp,7888-7889,s0) - network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) --network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) -+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0) - network_port(portmap, udp,111,s0, tcp,111,s0) - network_port(postfix_policyd, tcp,10031,s0) - network_port(postgresql, tcp,5432,s0) -@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) - network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) - network_port(printer, tcp,515,s0) - network_port(ptal, tcp,5703,s0) --network_port(pulseaudio, tcp,4713,s0) -+network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) - network_port(puppet, tcp, 8140, s0) - network_port(pxe, udp,4011,s0) - network_port(pyzor, udp,24441,s0) -+network_port(neutron, tcp,9696,s0) - network_port(radacct, udp,1646,s0, udp,1813,s0) - network_port(radius, udp,1645,s0, udp,1812,s0) - network_port(radsec, tcp,2083,s0) - network_port(razor, tcp,2703,s0) -+network_port(time, tcp,37,s0, udp,37,s0) -+network_port(redis, tcp,6379,s0) - network_port(repository, tcp, 6363, s0) - network_port(ricci, tcp,11111,s0, udp,11111,s0) - network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) - network_port(rlogind, tcp,513,s0) --network_port(rndc, tcp,953,s0, udp,953,s0) -+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0) - network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) - network_port(rsh, tcp,514,s0) - network_port(rsync, 
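Review bot: The new nfs entry's `tcp,20048-20049,s0, udp,20048-20049,s0` overlaps the mountd entry `network_port(mountd, tcp,20048,s0, udp,20048,s0)` that is still declared in the previous hunk. The file's own note says earlier portcon entries take precedence, so 20048 stays mountd_port_t and the nfs range effectively adds only 20049 (the old nfsrdma port); the compiler may accept the overlap silently, which is what makes it easy to miss. Either narrow it to `network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20049,s0, udp,20049,s0)` or drop the mountd entry, and record which in a comment. Renaming `oracledb` to `oracle` also changes the generated `oracledb_port_t` name; unless a typealias is added elsewhere (not visible here) any module still naming the old type will fail to build.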
tcp,873,s0, udp,873,s0) --network_port(rtsp, tcp,554,s0, udp,554,s0) -+network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0) -+network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0) - network_port(rwho, udp,513,s0) -+network_port(salt, tcp,4505,s0, tcp,4506,s0) - network_port(sap, tcp,9875,s0, udp,9875,s0) -+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) - network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) -+network_port(sge, tcp,6444,s0, tcp,6445,s0) - network_port(sieve, tcp,4190,s0) - network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) - network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) - network_port(smbd, tcp,137-139,s0, tcp,445,s0) - network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) --network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0) -+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) - network_port(socks) # no defined portcon - network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) --network_port(spamd, tcp,783,s0) -+network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0) - network_port(speech, tcp,8036,s0) --network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp --network_port(ssdp, tcp,1900,s0, udp,1900,s0) -+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -+network_port(ssdp, tcp,1900,s0, udp, 1900, s0) - network_port(ssh, tcp,22,s0) - network_port(stunnel) # no defined portcon - network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) - network_port(tcs, tcp, 30003, s0) - network_port(telnetd, tcp,23,s0) - network_port(tftp, udp,69,s0) --network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) -+network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0) - network_port(traceroute, udp,64000-64010,s0) -+network_port(tram, tcp, 4567, s0) - 
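Review bot: Moving tcp 3128 out of http_cache_port_t and into squid_port_t silently changes the permissions of every domain that reaches the port through the http_cache interfaces rather than the squid ones, and nothing in the hunk records that. Squid is not the only proxy that listens on 3128, so a domain for another proxy on that port now needs squid_port_t access. A one-line comment on the squid entry, `# 3128 moved here from http_cache_port_t; other proxies on 3128 need squid_port_t`, would make the intent reviewable.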
network_port(transproxy, tcp,8081,s0) - network_port(trisoap, tcp,10200,s0, udp,10200,s0) - network_port(ups, tcp,3493,s0) -@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0) - network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) - network_port(virtual_places, tcp,1533,s0, udp,1533,s0) - network_port(virt_migration, tcp,49152-49216,s0) --network_port(vnc, tcp,5900,s0) -+network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0) - network_port(wccp, udp,2048,s0) - network_port(websm, tcp,9090,s0, udp,9090,s0) --network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0) -+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) - network_port(winshadow, tcp,3161,s0, udp,3261,s0) - network_port(wsdapi, tcp,5357,s0, udp,5357,s0) - network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +345,16 @@ network_port(zope, tcp,8021,s0) - # Defaults for reserved ports. Earlier portcon entries take precedence; - # these entries just cover any remaining reserved ports not otherwise declared. 
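Review bot: The vnc range is split as `tcp,5900-5983,s0, tcp,5985-5999,s0`, leaving 5984 out without saying why; presumably it is carved out for another service, but a reader will see it as a typo and "fix" it. A comment such as `# 5984 deliberately excluded; claimed by another port type` naming the owner would prevent that. The whois line is a whitespace-only change that introduces stray spaces before the closing parenthesis (`tcp, 4321, s0 , udp, 4321, s0 )`); `tcp,4321,s0, udp,4321,s0` matches the surrounding entries.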
- 
--portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
--portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
- portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
- portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
- portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
-+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
- 
- ########################################
- #
-@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
- 
- build_option(`enable_mls',`
- network_interface(lo, lo, s0 - mls_systemhigh)
-+allow netlabel_peer_t lo_netif_t:netif ingress;
-+allow netlabel_peer_type lo_netif_t:netif egress;
- ',`
- typealias netif_t alias { lo_netif_t netif_lo_t };
- ')
-@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
- allow corenet_unconfined_type node_type:node *;
- allow corenet_unconfined_type netif_type:netif *;
- allow corenet_unconfined_type packet_type:packet *;
-+allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
- allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
- allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
- 
- # Bind to any network address.
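Review bot: The new ephemeral_port_t split hard-codes 32768–61000, which is only the kernel's default `net.ipv4.ip_local_port_range`; on a host where that sysctl has been changed, ports the kernel hands out as ephemeral outside the window keep unreserved_port_t, and ports inside it that a daemon binds explicitly get ephemeral_port_t, so the labeling and the policy's intent drift apart without any error. The same two bounds are repeated in the `add_ephemeral_attribute` macro in the corenetwork.te.m4 hunk that follows. A comment above the portcon lines should state the assumption and the coupling, e.g. `# 32768-61000 mirrors the default net.ipv4.ip_local_port_range; keep in sync with add_ephemeral_attribute in corenetwork.te.m4`.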
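Review bot: The two rules added inside the enable_mls block are asymmetric: `ingress` on lo_netif_t is granted to the type netlabel_peer_t, while `egress` is granted to the whole attribute netlabel_peer_type. The next hunk in this file gives netlabel_peer_t both `egress` and `ingress` on netif_t, so if loopback is meant to match it the first rule should be `allow netlabel_peer_type lo_netif_t:netif ingress;` (or both should name the type); if the difference is intentional a comment should say why. The attribute's declaration is not in view, so this is inferred from the naming.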
--allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
--allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
-+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
-+
-+#
-+# Rules coverning the use of unlabeled types
-+#
-+kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type)
-+kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)
-+
-+allow netlabel_peer_type netlabel_peer_t:peer recv;
-+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
-+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
-+allow netlabel_peer_t node_t:node recvfrom;
-+
-+typealias neutron_port_t alias quantum_port_t;
-+typealias neutron_server_packet_t alias quantum_server_packet_t;
-+typealias neutron_client_packet_t alias quantum_client_packet_t;
-diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 3f6e168..51ad69a 100644
---- a/policy/modules/kernel/corenetwork.te.m4
-+++ b/policy/modules/kernel/corenetwork.te.m4
-@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
- ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
- ')
- 
-+define(`add_ephemeral_attribute',`dnl
-+ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
-+',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
-+')
-+
- # bindresvport in glibc starts searching for reserved ports at 512
- define(`add_rpc_attribute',`dnl
- ifelse(eval(range_start($3) >= 512 && range_start($3) <
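Review bot: The comment header `# Rules coverning the use of unlabeled types` should read `# Rules governing the use of unlabeled types`. More importantly, the five `kernel_*_recvfrom_unlabeled(corenet_unlabeled_type)` calls let every member of that attribute accept packets carrying no security label over TCP, UDP, DCCP and raw sockets, so adding a domain to corenet_unlabeled_type is a security decision rather than a convenience; a line under the header such as `# Members of corenet_unlabeled_type accept unlabeled traffic on every protocol; add domains deliberately` would make that explicit. The neutron/quantum typealiases assume the neutron types are declared earlier in this file, which is outside this view.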
1024),1,`typeattribute $1 rpc_port_type; -@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type; - type $1_server_packet_t, packet_type, server_packet_type; - ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl - ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl -+ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl - ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl - ') - -diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..e4d61f5 100644 ---- a/policy/modules/kernel/devices.fc -+++ b/policy/modules/kernel/devices.fc -@@ -15,15 +15,18 @@ - /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) -+/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) --/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0) - /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) - /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) --/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) -+/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) -+/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/em8300.* 
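Review bot: `add_ephemeral_attribute` classifies each port specification by `range_start($3)` alone, so a range such as 32000-33000 never gets ephemeral_port_type while 60000-65535 always does; a type straddling either bound is decided purely by where it starts. If cross-boundary ranges are supposed to be rejected or split, the macro should also test the end of the range; otherwise a `dnl` comment should state that only the first port decides. The constants 32768 and 61001 also duplicate the literal portcon ranges in corenetwork.te.in, so an m4 define for the two bounds would keep the two files from drifting apart.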
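Review bot: With this call added, a port type whose first port is in 32768–61000 now carries both unreserved_port_type (from `add_port_attribute`, which assigns it to everything at or above 1024, as the context at the top of the previous hunk shows) and ephemeral_port_type. Any interface written against unreserved_port_type therefore still reaches the ephemeral ports, so the new attribute can only ever add access, never narrow it. If that is the intent, the macro deserves a comment such as `dnl ephemeral_port_type is additive to unreserved_port_type`; if ephemeral ports were meant to leave the unreserved set, `add_port_attribute` needs a third branch.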
-c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -61,7 +64,8 @@ - /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) - /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) --/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) -+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) - /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -106,6 +110,7 @@ - /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) - /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) - /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +123,9 @@ - ifdef(`distro_suse', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) - ') -+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) - /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) - /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` - /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) -+/dev/cdc-wdm[0-9] -c 
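Review bot: Removing the `/dev/cachefiles` line means that node no longer gets cachefiles_device_t and falls under the generic /dev labeling, so it becomes reachable by every domain holding dev_rw_generic_chr_files instead of only by callers of dev_rw_cachefiles (which this patch also deletes further down). If the type is being retired because nothing uses it, a comment in the commit message should say so; if cachefilesd still runs on these systems the label should stay. Whether the type itself is dropped from devices.te is not visible here.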
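Review bot: `/dev/spidev.*` is labelled usb_device_t, but SPI character devices are not USB endpoints; every domain that is granted usb_device_t access now also gets raw read/write on the SPI bus, which on embedded boards can reach flash, sensors and display controllers. A dedicated type (`spidev_device_t` declared in devices.te, with its own dev_rw interface) keeps the two device classes separate; if reusing usb_device_t is a deliberate shortcut, a comment on the line should say so.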
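Review bot: `/dev/vfio/vfio` matches only the VFIO container node; the per-IOMMU-group nodes the kernel creates beside it (`/dev/vfio/<group>`) are the ones a process must open to claim a device, and this entry leaves them at the generic /dev default. Unless those nodes are covered by a pattern elsewhere (not visible here), add `/dev/vfio/[0-9]+ -c gen_context(system_u:object_r:vfio_device_t,s0)` next to it. Labelling `/dev/vc-mem` as memory_device_t at mls_systemhigh is consistent with the `/dev/mem` line earlier in this file.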
gen_context(system_u:object_r:modem_device_t,s0) - /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) - /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) - - /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) - -+/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) - -@@ -198,12 +208,22 @@ ifdef(`distro_debian',` - /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) - /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) - --/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) -- - ifdef(`distro_redhat',` - # originally from named.fc - /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) - /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) - /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) - /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -+/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) - ') -+ -+# -+# /sys -+# -+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) -+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) -+ -+/usr/lib/udev/devices(/.*)? 
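Review bot: `/dev/cdc-wdm[0-9]` matches a single trailing digit, so a tenth modem control node (`/dev/cdc-wdm10`) would fall back to the generic /dev label instead of modem_device_t; `/dev/tpm[0-9]*` in this file shows the usual pattern, so `/dev/cdc-wdm[0-9]+ -c gen_context(system_u:object_r:modem_device_t,s0)` is the fix. The entry is also inserted between `watchdog` and `winradio`, breaking the alphabetical order the rest of the list keeps; it belongs with the other `c` entries.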
gen_context(system_u:object_r:device_t,s0) -+/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) -+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..b708d28 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` - type device_t; - ') - -- relabelfrom_dirs_pattern($1, device_t, device_node) -- relabelfrom_files_pattern($1, device_t, device_node) -- relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) -- relabelfrom_fifo_files_pattern($1, device_t, device_node) -- relabelfrom_sock_files_pattern($1, device_t, device_node) -- relabel_blk_files_pattern($1, device_t, { device_t device_node }) -- relabel_chr_files_pattern($1, device_t, { device_t device_node }) -+ relabel_dirs_pattern($1, device_t, device_node) -+ relabel_files_pattern($1, device_t, device_node) -+ relabel_lnk_files_pattern($1, device_t, device_node) -+ relabel_fifo_files_pattern($1, device_t, device_node) -+ relabel_sock_files_pattern($1, device_t, device_node) -+ relabel_blk_files_pattern($1, device_t, device_node) -+ relabel_chr_files_pattern($1, device_t, device_node) -+') -+ -+######################################## -+## -+## Allow full relabeling (to and from) of all device files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_relabel_all_dev_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ relabel_files_pattern($1, device_t, device_t) - ') - - ######################################## -@@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',` - - ######################################## - ## -+## Dontaudit attempts to list all device nodes. -+## -+## -+## -+## Domain to not audit. 
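Review bot: The rewritten `dev_relabel_all_dev_nodes` changes every existing caller's permissions: the old body granted only relabelfrom on directories, regular files, symlinks, fifos and sockets, whereas the new `relabel_*_pattern` calls grant relabelfrom and relabelto on all of them, so a caller can now move objects into any device_node type rather than only out of them. That widening belongs in the interface summary, and each caller should be checked for whether it needs relabelto. The old symlink, blk and chr rules also targeted `{ device_t device_node }`; the new ones name only device_node, which drops device_t unless device_t itself carries the attribute (not visible here). Separately, the new `dev_relabel_all_dev_files` only touches `device_t:file`, so its summary `Allow full relabeling (to and from) of all device files.` overstates it; `Relabel generic (device_t) regular files in /dev.` is what the body does.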
-+## -+## -+# -+interface(`dev_dontaudit_all_access_check',` -+ gen_require(` -+ attribute device_node; -+ ') -+ -+ dontaudit $1 device_node:file_class_set audit_access; -+') -+ -+######################################## -+## - ## Add entries to directories in /dev. - ## - ## -@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',` - read_files_pattern($1, device_t, device_t) - ') - -+####################################### -+## -+## Read generic files in /dev. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_read_generic_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ dontaudit $1 device_t:file { read getattr }; -+') -+ - ######################################## - ## - ## Read and write generic files in /dev. -@@ -462,6 +517,42 @@ interface(`dev_getattr_generic_blk_files',` - - ######################################## - ## -+## Rename generic block device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rename_generic_blk_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ rename_blk_files_pattern($1, device_t, device_t) -+') -+ -+######################################## -+## -+## write generic sock files in /dev. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_write_generic_sock_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ write_sock_files_pattern($1, device_t, device_t) -+') -+ -+######################################## -+## - ## Dontaudit getattr on generic block devices. - ## - ## -@@ -570,6 +661,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` - - ######################################## - ## -+## Rename generic character device nodes. -+## -+## -+## -+## Domain allowed access. 
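Review bot: The summary of `dev_dontaudit_all_access_check` says `Dontaudit attempts to list all device nodes.`, copied from the interface above it, but the body dontaudits `audit_access` on every device_node file class. It should read `Do not audit access(2) checks on all device nodes.` so that policy writers looking for the list dontaudit do not pick this one by mistake.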
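Review bot: `dev_dontaudit_read_generic_files` dontaudits only `{ read getattr }` on device_t files, so a denied open-for-read still logs the `open` denial, which is usually the noisy one an interface like this exists to silence; `dontaudit $1 device_t:file read_file_perms;` mirrors what `read_files_pattern` in the interface above grants. Its summary also says `Read generic files in /dev.` although it grants nothing; `Do not audit attempts to read generic files in /dev.` describes it.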
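Review bot: Both interfaces added in this hunk are allow rules, yet their parameter doc says `Domain to not audit.`; for `dev_rename_generic_blk_files` and `dev_write_generic_sock_files` it should be `Domain allowed access.`, and the second summary should be `Write generic sock files in /dev.` with a capital. Copy-paste doc like this is what gets pasted into the next interface, so it is worth fixing before it spreads.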
-+## -+## -+# -+interface(`dev_rename_generic_chr_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ rename_chr_files_pattern($1, device_t, device_t) -+') -+ -+######################################## -+## - ## Dontaudit setattr for generic character device files. - ## - ## -@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',` - ## - ## - ## --## Domain to dontaudit access. -+## Domain to not audit. - ## - ## - # -@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` - - ######################################## - ## --## Read symbolic links in device directories. -+## Create symbolic links in device directories. - ## - ## - ## -@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` - ## - ## - # --interface(`dev_read_generic_symlinks',` -+interface(`dev_create_generic_symlinks',` - gen_require(` - type device_t; - ') - -- allow $1 device_t:lnk_file read_lnk_file_perms; -+ create_lnk_files_pattern($1, device_t, device_t) - ') - - ######################################## - ## --## Create symbolic links in device directories. -+## Delete symbolic links in device directories. - ## - ## - ## -@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',` - ## - ## - # --interface(`dev_create_generic_symlinks',` -+interface(`dev_delete_generic_symlinks',` - gen_require(` - type device_t; - ') - -- create_lnk_files_pattern($1, device_t, device_t) -+ delete_lnk_files_pattern($1, device_t, device_t) - ') - - ######################################## - ## --## Delete symbolic links in device directories. -+## Read symbolic links in device directories. 
- ## - ## - ## -@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',` - ## - ## - # --interface(`dev_delete_generic_symlinks',` -+interface(`dev_read_generic_symlinks',` - gen_require(` - type device_t; - ') - -- delete_lnk_files_pattern($1, device_t, device_t) -+ allow $1 device_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -877,6 +986,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` - - ######################################## - ## -+## Read block device files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_generic_blk_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ read_blk_files_pattern($1, device_t, device_t) -+') -+ -+######################################## -+## - ## Create, delete, read, and write block device files. - ## - ## -@@ -1003,6 +1130,26 @@ interface(`dev_getattr_all_blk_files',` - - ######################################## - ## -+## Read on all block file device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_all_blk_files',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ read_blk_files_pattern($1, device_t, device_node) -+') -+ -+######################################## -+## - ## Dontaudit getattr on all block file device nodes. - ## - ## -@@ -1034,6 +1181,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` - interface(`dev_getattr_all_chr_files',` - gen_require(` - attribute device_node; -+ type device_t; - ') - - getattr_chr_files_pattern($1, device_t, device_node) -@@ -1206,6 +1354,42 @@ interface(`dev_create_all_chr_files',` - - ######################################## - ## -+## rw all inherited character device files. -+## -+## -+## -+## Domain allowed access. 
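Review bot: `dev_read_all_blk_files` grants read on every device_node block file, which includes raw disk and partition nodes, so a caller can read any filesystem's contents regardless of file labels or DAC. The summary `Read on all block file device nodes.` should warn about that, e.g. `Read all block device nodes. This includes raw disks and bypasses file-level access control; prefer a device-specific interface.`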
-+## -+## -+# -+interface(`dev_rw_all_inherited_chr_files',` -+ gen_require(` -+ attribute device_node; -+ ') -+ -+ allow $1 device_node:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## -+## rw all inherited blk device files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_all_inherited_blk_files',` -+ gen_require(` -+ attribute device_node; -+ ') -+ -+ allow $1 device_node:blk_file rw_inherited_blk_file_perms; -+') -+ -+######################################## -+## - ## Delete all block device files. - ## - ## -@@ -1560,25 +1744,6 @@ interface(`dev_relabel_autofs_dev',` - - ######################################## - ## --## Read and write cachefiles character --## device nodes. --## --## --## --## Domain allowed access. --## --## --# --interface(`dev_rw_cachefiles',` -- gen_require(` -- type device_t, cachefiles_device_t; -- ') -- -- rw_chr_files_pattern($1, device_t, cachefiles_device_t) --') -- --######################################## --## - ## Read and write the PCMCIA card manager device. - ## - ## -@@ -1682,6 +1847,26 @@ interface(`dev_filetrans_cardmgr',` - - ######################################## - ## -+## Automatic type transition to the type -+## for xserver misc device nodes when -+## created in /dev. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_filetrans_xserver_misc',` -+ gen_require(` -+ type device_t, xserver_misc_device_t; -+ ') -+ -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file ) -+') -+ -+######################################## -+## - ## Get the attributes of the CPU - ## microcode and id interfaces. - ## -@@ -1791,6 +1976,24 @@ interface(`dev_rw_crypto',` - rw_chr_files_pattern($1, device_t, crypt_device_t) - ') - -+######################################## -+## -+## Read and write the the ecrypt filesystem device. -+## -+## -+## -+## Domain allowed access. 
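Review bot: `dev_rw_all_inherited_chr_files` and `dev_rw_all_inherited_blk_files` are documented only as `rw all inherited ...`, which does not tell a policy writer what makes them safer than `dev_rw_all_chr_files`. If `rw_inherited_chr_file_perms` excludes `open` as its name suggests (the definition is not in view), the point is that the domain can use descriptors handed to it but cannot open any device itself; say so: `Read and write character device nodes inherited via an already-open file descriptor; does not allow opening them.` Capitalise the summaries as the rest of the file does.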
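Review bot: `dev_filetrans_xserver_misc` uses an unnamed transition, `filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )`, so every character node the caller creates in /dev becomes xserver_misc_device_t, not only the X server's own. If a specific node name is intended, pass it as the fifth argument (a named file transition) so unrelated nodes keep their default label; if the broad rule is intended, the summary should say `every chr_file created in /dev`. The stray space before the closing parenthesis is also out of step with the file.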
-+## -+## -+# -+interface(`dev_rw_ecryptfs',` -+ gen_require(` -+ type device_t, ecryptfs_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, ecryptfs_device_t) -+') -+ - ####################################### - ## - ## Set the attributes of the dlm control devices. -@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',` - - ######################################## - ## --## Get the attributes of the lvm comtrol device. -+## Get the attributes of the loop comtrol device. - ## - ## - ## -@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',` - ## - ## - # --interface(`dev_getattr_lvm_control',` -+interface(`dev_getattr_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, lvm_control_t) -+ getattr_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Read the lvm comtrol device. -+## Read the loop comtrol device. - ## - ## - ## -@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',` - ## - ## - # --interface(`dev_read_lvm_control',` -+interface(`dev_read_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- read_chr_files_pattern($1, device_t, lvm_control_t) -+ read_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Read and write the lvm control device. -+## Read and write the loop control device. 
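Review bot: The summary of `dev_rw_ecryptfs` reads `Read and write the the ecrypt filesystem device.`; it should be `Read and write the eCryptfs control device.` The node is labelled mls_systemhigh in devices.fc earlier in this patch, so on an MLS build the doc could add that the caller's range must dominate systemhigh for the access to be usable.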
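Review bot: The rename carries the old typo into the new loop-device docs: `Get the attributes of the loop comtrol device.` should be `Get the attributes of the loop control device.`, and the same `comtrol` appears in the `dev_read_loop_control` summary in the hunk that follows. Worth fixing while these lines are already being rewritten.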
- ## - ## - ## -@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',` - ## - ## - # --interface(`dev_rw_lvm_control',` -+interface(`dev_rw_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- rw_chr_files_pattern($1, device_t, lvm_control_t) -+ rw_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write lvm control device. -+## Do not audit attempts to read and write loop control device. - ## - ## - ## -@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',` - ## - ## - # --interface(`dev_dontaudit_rw_lvm_control',` -+interface(`dev_dontaudit_rw_loop_control',` - gen_require(` -- type lvm_control_t; -+ type loop_control_device_t; - ') - -- dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; - ') - - ######################################## - ## --## Delete the lvm control device. -+## Delete the loop control device. - ## - ## - ## -@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',` - ## - ## - # --interface(`dev_delete_lvm_control_dev',` -+interface(`dev_delete_loop_control_dev',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- delete_chr_files_pattern($1, device_t, lvm_control_t) -+ delete_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## dontaudit getattr raw memory devices (e.g. /dev/mem). -+## Get the attributes of the loop comtrol device. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`dev_dontaudit_getattr_memory_dev',` -+interface(`dev_getattr_lvm_control',` - gen_require(` -- type memory_device_t; -+ type device_t, lvm_control_t; - ') - -- dontaudit $1 memory_device_t:chr_file getattr; -+ getattr_chr_files_pattern($1, device_t, lvm_control_t) - ') - - ######################################## - ## --## Read raw memory devices (e.g. /dev/mem). -+## Read the lvm comtrol device. - ## - ## - ## -@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',` - ## - ## - # --interface(`dev_read_raw_memory',` -+interface(`dev_read_lvm_control',` - gen_require(` -- type device_t, memory_device_t; -- attribute memory_raw_read; -+ type device_t, lvm_control_t; - ') - -- read_chr_files_pattern($1, device_t, memory_device_t) -- -- allow $1 self:capability sys_rawio; -- typeattribute $1 memory_raw_read; -+ read_chr_files_pattern($1, device_t, lvm_control_t) -+') -+ -+######################################## -+## -+## Read and write the lvm control device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_lvm_control',` -+ gen_require(` -+ type device_t, lvm_control_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, lvm_control_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write lvm control device. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_rw_lvm_control',` -+ gen_require(` -+ type lvm_control_t; -+ ') -+ -+ dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+') -+ -+######################################## -+## -+## Delete the lvm control device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_delete_lvm_control_dev',` -+ gen_require(` -+ type device_t, lvm_control_t; -+ ') -+ -+ delete_chr_files_pattern($1, device_t, lvm_control_t) -+') -+ -+######################################## -+## -+## dontaudit getattr raw memory devices (e.g. /dev/mem). 
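Review bot: `dev_getattr_lvm_control` is documented as `Get the attributes of the loop comtrol device.`, but its body is `getattr_chr_files_pattern($1, device_t, lvm_control_t)`; the summary should read `Get the attributes of the LVM control device.` A reader searching for the loop-device interface will otherwise land on the wrong one.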
-+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_getattr_memory_dev',` -+ gen_require(` -+ type memory_device_t; -+ ') -+ -+ dontaudit $1 memory_device_t:chr_file getattr; -+') -+ -+######################################## -+## -+## Read raw memory devices (e.g. /dev/mem). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_raw_memory',` -+ gen_require(` -+ type device_t, memory_device_t; -+ attribute memory_raw_read; -+ ') -+ -+ read_chr_files_pattern($1, device_t, memory_device_t) -+ -+ allow $1 self:capability sys_rawio; -+ typeattribute $1 memory_raw_read; - ') - - ######################################## -@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',` - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # -@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',` - - ######################################## - ## --## Read the memory type range -+## Write the memory type range - ## registers (MTRR). (Deprecated) - ## - ## - ##

    --## Read the memory type range -+## Write the memory type range - ## registers (MTRR). This interface has - ## been deprecated, dev_rw_mtrr() should be - ## used instead. - ##

    - ##

    - ## The MTRR device ioctls can be used for --## reading and writing; thus, read access to the --## device cannot be separated from write access. -+## reading and writing; thus, write access to the -+## device cannot be separated from read access. - ##

    - ##
    - ## -@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',` - ##
    - ## - # --interface(`dev_read_mtrr',` -+interface(`dev_write_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) - ') - - ######################################## - ## --## Write the memory type range --## registers (MTRR). (Deprecated) -+## Do not audit attempts to write the memory type -+## range registers (MTRR). - ## --## --##

    --## Write the memory type range --## registers (MTRR). This interface has --## been deprecated, dev_rw_mtrr() should be --## used instead. --##

    --##

    --## The MTRR device ioctls can be used for --## reading and writing; thus, write access to the --## device cannot be separated from read access. --##

    --##
    - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_write_mtrr',` -- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') -- dev_rw_mtrr($1) -+interface(`dev_dontaudit_write_mtrr',` -+ gen_require(` -+ type mtrr_device_t; -+ ') -+ -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to write the memory type -+## Do not audit attempts to read the memory type - ## range registers (MTRR). - ## - ## -@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',` - ##
    - ## - # --interface(`dev_dontaudit_write_mtrr',` -+interface(`dev_dontaudit_read_mtrr',` - gen_require(` - type mtrr_device_t; - ') - -- dontaudit $1 mtrr_device_t:file write; -- dontaudit $1 mtrr_device_t:chr_file write; -+ dontaudit $1 mtrr_device_t:file { open read }; -+ dontaudit $1 mtrr_device_t:chr_file { open read }; - ') - - ######################################## -@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',` - - ######################################## - ## -+## Get the status of a null device service. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_service_status_null_dev',` -+ gen_require(` -+ type null_device_t; -+ ') -+ -+ allow $1 null_device_t:service status; -+') -+ -+######################################## -+## -+## Configure null_device as a unit files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dev_config_null_dev_service',` -+ gen_require(` -+ type null_device_t; -+ ') -+ -+ allow $1 null_device_t:service manage_service_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the attributes - ## of the BIOS non-volatile RAM device. - ## -@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` - - ######################################## - ## -+## Read BIOS non-volatile RAM. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_nvram',` -+ gen_require(` -+ type nvram_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, nvram_device_t) -+') -+ -+######################################## -+## - ## Read and write BIOS non-volatile RAM. - ## - ## -@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',` - - ######################################## - ## --## Read printk devices (e.g., /dev/kmsg /dev/mcelog) -+## Relabel the printer device node. -+## -+## -+## -+## Domain allowed access. 
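Review bot: dev_config_null_dev_service grants `manage_service_perms` on null_device_t:service, but its parameter is documented as `Domain allowed to transition`, which describes a process transition rather than unit management. I would change the summary to `## Manage (start, stop, enable, reload) the unit labeled null_device_t.` and the parameter text to `## Domain allowed access.` Since manage_service_perms is presumably a superset of status (verify against the policy's permission macros), domains that only need to query the unit should be pointed at dev_service_status_null_dev instead.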
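Review bot: dev_read_nvram calls `read_chr_files_pattern($1, device_t, nvram_device_t)` but its gen_require block declares only nvram_device_t; the pattern expands to rules on device_t:dir as well, so device_t must be required, as the neighbouring interfaces do with `type device_t, nvram_device_t;`. A calling module that has not required device_t through some other interface would fail to build or link. This is also the only read-only NVRAM interface and /dev/nvram exposes CMOS and firmware settings, so it is worth getting right.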
-+## -+## -+# -+interface(`dev_relabel_printer',` -+ gen_require(` -+ type printer_device_t; -+ ') -+ -+ allow $1 printer_device_t:chr_file relabel_chr_file_perms; -+') -+ -+######################################## -+## -+## Read and write the printer device. - ## - ## - ## -@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',` - ## - ## - # --interface(`dev_read_printk',` -+interface(`dev_manage_printer',` - gen_require(` -- type device_t, printk_device_t; -+ type device_t, printer_device_t; - ') - -- read_chr_files_pattern($1, device_t, printk_device_t) -+ manage_chr_files_pattern($1, device_t, printer_device_t) -+ dev_filetrans_printer_named_dev($1) - ') - - ######################################## -@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',` - - ######################################## - ## --## Do not audit attempts to append to random -+## Do not audit attempts to append to the random - ## number generator devices (e.g., /dev/random) - ## - ## -@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',` - type random_device_t; - ') - -- dontaudit $1 random_device_t:chr_file append_chr_file_perms; -+ dontaudit $1 random_device_t:chr_file { append }; - ') - - ######################################## -@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',` - - ######################################## - ## --## Search the sysfs directories. -+## Set the attributes of sysfs directories. - ## - ## - ## -@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',` - ## - ## - # --interface(`dev_search_sysfs',` -+interface(`dev_setattr_sysfs_dirs',` - gen_require(` - type sysfs_t; - ') - -- search_dirs_pattern($1, sysfs_t, sysfs_t) -+ allow $1 sysfs_t:dir setattr_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to search sysfs. -+## Get attributes of sysfs filesystems. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
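Review bot: The summary of dev_manage_printer reads `Read and write the printer device`, yet its body uses `manage_chr_files_pattern` plus a named file transition on device_t, i.e. it also allows creating, renaming and deleting device nodes under /dev. I would change the summary to `## Create, read, write, and delete printer device nodes, labeling them on creation.` The helper it calls, dev_filetrans_printer_named_dev, is defined outside this hunk, so the full effect cannot be reviewed here; callers should be limited to device-node managers rather than print spoolers that only need dev_rw_printer.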
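Review bot: Narrowing dev_dontaudit_append_rand from `append_chr_file_perms` to a bare `append` means a domain that opens /dev/random with O_APPEND and is denied will still produce `open` (and likely `getattr`) denials, which is probably the noise this interface exists to silence. If suppressing only the append permission is intentional, say so in the summary: `## Do not audit attempts to append to the random number generator devices; open and getattr denials are still audited.` Otherwise keep `dontaudit $1 random_device_t:chr_file append_chr_file_perms;`.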
- ## - ## - # --interface(`dev_dontaudit_search_sysfs',` -+interface(`dev_getattr_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - -- dontaudit $1 sysfs_t:dir search_dir_perms; -+ allow $1 sysfs_t:filesystem getattr; - ') - - ######################################## - ## --## List the contents of the sysfs directories. -+## Mount a filesystem on /sys - ## - ## - ## --## Domain allowed access. -+## Domain allow access. - ## - ## - # --interface(`dev_list_sysfs',` -+interface(`dev_mounton_sysfs',` - gen_require(` - type sysfs_t; - ') - -- list_dirs_pattern($1, sysfs_t, sysfs_t) -+ allow $1 sysfs_t:dir mounton; - ') - - ######################################## - ## --## Write in a sysfs directories. -+## Mount sysfs filesystems. - ## - ## - ## -@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',` - ## - ## - # --# cjp: added for cpuspeed --interface(`dev_write_sysfs_dirs',` -+interface(`dev_mount_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - -- allow $1 sysfs_t:dir write; -+ allow $1 sysfs_t:filesystem mount; - ') - - ######################################## - ## --## Do not audit attempts to write in a sysfs directory. -+## Unmount sysfs filesystems. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_write_sysfs_dirs',` -+interface(`dev_unmount_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - -- dontaudit $1 sysfs_t:dir write; -+ allow $1 sysfs_t:filesystem unmount; - ') - - ######################################## - ## --## Create, read, write, and delete sysfs --## directories. -+## Search the sysfs directories. - ## - ## - ## -@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` - ## - ## - # --interface(`dev_manage_sysfs_dirs',` -+interface(`dev_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- manage_dirs_pattern($1, sysfs_t, sysfs_t) -+ search_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read hardware state information. 
-+## Do not audit attempts to search sysfs. - ## --## --##

    --## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

    --##
    - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## --## - # --interface(`dev_read_sysfs',` -+interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- read_files_pattern($1, sysfs_t, sysfs_t) -- read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- -- list_dirs_pattern($1, sysfs_t, sysfs_t) -+ dontaudit $1 sysfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Allow caller to modify hardware state information. -+## List the contents of the sysfs directories. - ## - ## - ## -@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',` - ## - ## - # --interface(`dev_rw_sysfs',` -+interface(`dev_list_sysfs',` - gen_require(` - type sysfs_t; - ') - -- rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- - list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read and write the TPM device. -+## Write in a sysfs directories. - ## - ## - ## -@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',` - ## - ## - # --interface(`dev_rw_tpm',` -+# cjp: added for cpuspeed -+interface(`dev_write_sysfs_dirs',` - gen_require(` -- type device_t, tpm_device_t; -+ type sysfs_t; - ') - -- rw_chr_files_pattern($1, device_t, tpm_device_t) -+ allow $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## Do not audit attempts to write in a sysfs directory. - ## --## --##
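Review bot: The rewritten dev_list_sysfs now carries `read_lnk_files_pattern($1, sysfs_t, sysfs_t)` alongside `list_dirs_pattern`, so an interface documented as `List the contents of the sysfs directories` also grants reading every symlink under /sys. Symlinks in sysfs reveal device topology (bus, driver and parent relationships), which is more than a directory listing, and existing callers get this widening silently. I would either drop the symlink rule or document it: `## List the contents of the sysfs directories and read their symbolic links.`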

    --## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is -+## -+##

    -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_write_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ dontaudit $1 sysfs_t:dir write; -+') -+ -+######################################## -+## -+## Read cpu online hardware state information. -+## -+## -+##

    -+## Allow the specified domain to read /sys/devices/system/cpu/online file. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_cpu_online',` -+ gen_require(` -+ type cpu_online_t; -+ ') -+ -+ dev_search_sysfs($1) -+ read_files_pattern($1, cpu_online_t, cpu_online_t) -+') -+ -+######################################## -+## -+## Relabel cpu online hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_cpu_online',` -+ gen_require(` -+ type cpu_online_t; -+ type sysfs_t; -+ ') -+ -+ dev_search_sysfs($1) -+ allow $1 cpu_online_t:file relabel_file_perms; -+') -+ -+ -+######################################## -+## -+## Read hardware state information. -+## -+## -+##

    -+## Allow the specified domain to read the contents of -+## the sysfs filesystem. This filesystem contains -+## information, parameters, and other settings on the -+## hardware installed on the system. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ read_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Allow caller to modify hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ rw_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Relabel hardware state directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Relabel hardware state files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_all_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+ relabel_files_pattern($1, sysfs_t, sysfs_t) -+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Allow caller to modify hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_manage_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ manage_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Read and write the TPM device. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_rw_tpm',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ -+######################################## -+## -+## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## -+## -+##

    -+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is - ## used in situations when a cryptographically secure random - ## number is not necessarily needed. One example is the Stack - ## Smashing Protector (SSP, formerly known as ProPolice) support -@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',` - - ######################################## - ##
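Review bot: dev_manage_sysfs_dirs is summarised as `Allow caller to modify hardware state information`, copied from dev_rw_sysfs, while its body is `manage_dirs_pattern($1, sysfs_t, sysfs_t)`; the removed original text `## Create, read, write, and delete sysfs directories.` is accurate and should be restored. In the same hunk dev_relabel_cpu_online requires `type sysfs_t;` but never references it, so that require line can go (dev_search_sysfs carries its own). dev_relabel_all_sysfs permits relabeling every sysfs directory, file and symlink, which lets a caller move objects such as cpu_online_t files back to sysfs_t; its summary `Relabel hardware state files` should mention directories and symlinks, and it is presumably intended only for restorecon-like domains.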

    -+## Do not audit attempts to write to pseudo -+## random devices (e.g., /dev/urandom) -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_write_urand',` -+ gen_require(` -+ type urandom_device_t; -+ ') -+ -+ dontaudit $1 urandom_device_t:chr_file write; -+') -+ -+######################################## -+## - ## Getattr generic the USB devices. - ## - ## -@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',` - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - ') - --######################################## -+###################################### - ## --## Get the attributes of video4linux devices. -+## Read and write userio device. - ## - ## - ## -@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',` - ## - ## - # --interface(`dev_getattr_video_dev',` -+interface(`dev_rw_userio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, userio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, userio_device_t) - ') - --###################################### -+######################################## - ## --## Read and write userio device. -+## Get the attributes of video4linux devices. - ## - ## - ## -@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` -+interface(`dev_getattr_video_dev',` - gen_require(` -- type device_t, userio_device_t; -+ type device_t, v4l_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## -@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',` - - ######################################## - ## -+## Get the attributes of vfio devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_getattr_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of vfio device nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_getattr_vfio_dev',` -+ gen_require(` -+ type vfio_device_t; -+ ') -+ -+ dontaudit $1 vfio_device_t:chr_file getattr; -+') -+ -+######################################## -+## -+## Set the attributes of vfio device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to set the attributes -+## of vfio device nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_setattr_vfio_dev',` -+ gen_require(` -+ type vfio_device_t; -+ ') -+ -+ dontaudit $1 vfio_device_t:chr_file setattr; -+') -+ -+######################################## -+## -+## Read the vfio devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Write the vfio devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_write_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ write_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Read and write the VFIO devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_rw_vfio_dev',` -+ gen_require(` -+ type device_t, vfio_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## - ## Allow read/write the vhost net device - ## - ## -@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',` - - ######################################## - ## -+## Allow read/write inheretid the vhost net device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_inherited_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## - ## Read and write VMWare devices. - ## - ## -@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',` - - ######################################## - ## -+## Read and write X server miscellaneous devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_manage_xserver_misc',` -+ gen_require(` -+ type device_t, xserver_misc_device_t; -+ ') -+ -+ manage_chr_files_pattern($1, device_t, xserver_misc_device_t) -+ -+ dev_filetrans_xserver_named_dev($1) -+') -+ -+######################################## -+## - ## Read and write to the zero device (/dev/zero). - ## - ## -@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',` - - typeattribute $1 devices_unconfined_type; - ') -+ -+######################################## -+## -+## Dontaudit getattr on all device nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_getattr_all',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ dontaudit $1 { device_t device_node }:dir_file_class_set getattr; -+') -+ -+######################################## -+## -+## Get the attributes of the mei devices. -+## -+## -+## -+## Domain allowed access. 
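Review bot: The new vfio interfaces are internally consistent, but none of them states what access to vfio_device_t implies: /dev/vfio/* is the device-assignment path, and a domain that can read and write it can, together with an IOMMU group container, drive a PCI device and its DMA directly. I would add a description to dev_rw_vfio_dev such as `## Read and write the VFIO devices. VFIO exposes direct device and DMA access to the caller; grant only to device-assignment domains such as hypervisors.` This is the same class of privilege this file handles cautiously for raw memory, so the documentation should steer callers accordingly.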
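Review bot: dev_rw_inherited_vhost requires `type device_t, vhost_device_t;` but its only rule touches vhost_device_t, and the summary misspells `inherited` as `inheretid`. I would reduce the require block to `type vhost_device_t;` and change the summary to `## Read and write an inherited vhost net device file descriptor (no open).` Spelling out the fd-inheritance case helps callers choose this over dev_rw_vhost, which from its name also covers opening the node.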
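Review bot: dev_manage_xserver_misc is summarised as `Read and write X server miscellaneous devices`, the same text as dev_rw_xserver_misc, but it grants `manage_chr_files_pattern` and a named file transition on device_t, i.e. creation and deletion of device nodes. I would change the summary to `## Create, read, write, and delete X server miscellaneous device nodes, labeling them on creation.` dev_filetrans_xserver_named_dev is called here but not defined in this hunk; confirm it exists in the same module or the interface will fail to expand.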
-+## -+## -+# -+interface(`dev_getattr_mei',` -+ gen_require(` -+ type device_t, mei_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## -+## Read the mei devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_mei',` -+ gen_require(` -+ type device_t, mei_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## -+## Read and write to mei devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_mei',` -+ gen_require(` -+ type device_t, mei_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## -+## Create all named devices with the correct label -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_filetrans_printer_named_dev',` -+ -+ gen_require(` -+ type printer_device_t; -+ -+ ') -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, 
"lp3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") -+') -+ -+######################################## -+## -+## Create all named devices with the correct label -+## -+## -+## -+## 
Domain allowed access. -+## -+## -+# -+interface(`dev_filetrans_all_named_dev',` -+ -+gen_require(` -+ type device_t; -+ type usb_device_t; -+ type sound_device_t; -+ type apm_bios_t; -+ type mouse_device_t; -+ type autofs_device_t; -+ type lvm_control_t; -+ type crash_device_t; -+ type dlm_control_device_t; -+ type clock_device_t; -+ type v4l_device_t; -+ type vfio_device_t; -+ type event_device_t; -+ type xen_device_t; -+ type framebuf_device_t; -+ type null_device_t; -+ type random_device_t; -+ type dri_device_t; -+ type ipmi_device_t; -+ type memory_device_t; -+ type kmsg_device_t; -+ type qemu_device_t; -+ type ksm_device_t; -+ type kvm_device_t; -+ type lirc_device_t; -+ type cpu_device_t; -+ type scanner_device_t; -+ type modem_device_t; -+ type vhost_device_t; -+ type netcontrol_device_t; -+ type nvram_device_t; -+ type power_device_t; -+ type wireless_device_t; -+ type tpm_device_t; -+ type userio_device_t; -+ type urandom_device_t; -+ type usbmon_device_t; -+ type vmware_device_t; -+ type watchdog_device_t; -+ type crypt_device_t; -+ type zero_device_t; -+ type smartcard_device_t; -+ type mtrr_device_t; -+ type ecryptfs_device_t; -+') -+ -+ dev_filetrans_printer_named_dev($1) -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"adsp0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8") -+ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9") -+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios") -+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9") -+ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs") -+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0") -+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1") -+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2") -+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, 
"autofs3")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
-+ filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
-+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
-+ filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
-+ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
-+ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
-+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
-+ filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
-+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
-+ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
-+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
-+ filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
-+ filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
-+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
-+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
-+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
-+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
-+ filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
-+ filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
-+ filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
-+ filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
-+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
-+ filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
-+ filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
-+ filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
-+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
-+ filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
-+ filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
-+ filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
-+ filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
-+ filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
-+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
-+ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
-+ filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
-+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
-+ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
-+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
-+ filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
-+ filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
-+ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
-+ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
-+ filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
-+ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
-+ filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
-+ filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
-+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
-+ filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
-+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
-+ filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"controlC26") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6") -+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7") -+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0") -+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1") -+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2") -+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3") -+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") -+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") -+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") -+ dev_filetrans_xserver_named_dev($1) -+') -+ -+######################################## -+## -+## Create all named devices with the correct label -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_filetrans_xserver_named_dev',` -+ -+ gen_require(` -+ type xserver_misc_device_t; -+ ') -+ -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") -+ filetrans_pattern($1, device_t, 
xserver_misc_device_t, chr_file, "nvidia9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") -+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") -+') -diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 6529bd9..831344c 100644 ---- a/policy/modules/kernel/devices.te -+++ 
b/policy/modules/kernel/devices.te -@@ -15,11 +15,12 @@ attribute devices_unconfined_type; - # - type device_t; - fs_associate_tmpfs(device_t) --files_type(device_t) -+files_base_file(device_t) - files_mountpoint(device_t) - files_associate_tmp(device_t) - fs_type(device_t) - fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); -+dev_node(device_t) - - # - # Type for /dev/agpgart -@@ -43,9 +44,6 @@ type cardmgr_dev_t; - dev_node(cardmgr_dev_t) - files_tmp_file(cardmgr_dev_t) - --type cachefiles_device_t; --dev_node(cachefiles_device_t) -- - # - # clock_device_t is the type of - # /dev/rtc. -@@ -65,6 +63,9 @@ dev_node(cpu_device_t) - type crash_device_t; - dev_node(crash_device_t) - -+type ecryptfs_device_t; -+dev_node(ecryptfs_device_t) -+ - # for the IBM zSeries z90crypt hardware ssl accelorator - type crypt_device_t; - dev_node(crypt_device_t) -@@ -111,6 +112,7 @@ dev_node(ksm_device_t) - # - type kvm_device_t; - dev_node(kvm_device_t) -+mls_trusted_object(kvm_device_t) - - # - # Type for /dev/lirc -@@ -118,6 +120,9 @@ dev_node(kvm_device_t) - type lirc_device_t; - dev_node(lirc_device_t) - -+# -+# Type for /dev/mapper/control -+# - type loop_control_device_t; - dev_node(loop_control_device_t) - -@@ -227,6 +232,10 @@ files_mountpoint(sysfs_t) - fs_type(sysfs_t) - genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) - -+type cpu_online_t; -+files_type(cpu_online_t) -+dev_associate_sysfs(cpu_online_t) -+ - # - # Type for /dev/tpm - # -@@ -266,6 +275,9 @@ dev_node(usbmon_device_t) - type userio_device_t; - dev_node(userio_device_t) - -+type vfio_device_t; -+dev_node(vfio_device_t) -+ - type v4l_device_t; - dev_node(v4l_device_t) - -@@ -274,6 +286,7 @@ dev_node(v4l_device_t) - # - type vhost_device_t; - dev_node(vhost_device_t) -+mls_trusted_object(vhost_device_t) - - # Type for vmware devices. 
- type vmware_device_t; -@@ -319,5 +332,5 @@ files_associate_tmp(device_node) - # - - allow devices_unconfined_type self:capability sys_rawio; --allow devices_unconfined_type device_node:{ blk_file chr_file } *; -+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; - allow devices_unconfined_type mtrr_device_t:file *; -diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..84e8030 100644 ---- a/policy/modules/kernel/domain.if -+++ b/policy/modules/kernel/domain.if -@@ -76,33 +76,8 @@ interface(`domain_type',` - # start with basic domain - domain_base_type($1) - -- ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_use_fds($1) -- ') -- ') -- -- # send init a sigchld and signull -- optional_policy(` -- init_sigchld($1) -- init_signull($1) -- ') -- -- # these seem questionable: -- -- optional_policy(` -- rpm_use_fds($1) -- rpm_read_pipes($1) -- ') -- -- optional_policy(` -- selinux_dontaudit_getattr_fs($1) -- selinux_dontaudit_read_fs($1) -- ') -- -- optional_policy(` -- seutil_dontaudit_read_config($1) -- ') -+ # Only way to get corenet_unlabeled packets disabled to work -+ corenet_all_recvfrom_unlabeled($1) - ') - - ######################################## -@@ -128,7 +103,7 @@ interface(`domain_entry_file',` - ') - - allow $1 $2:file entrypoint; -- allow $1 $2:file { mmap_file_perms ioctl lock }; -+ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans }; - - typeattribute $2 entry_type; - -@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` - - ######################################## - ## -+## Do not audit attempts to send -+## signulls to all domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+## -+# -+interface(`domain_dontaudit_signull_all_domains',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ dontaudit $1 domain:process signull; -+') -+ -+######################################## -+## - ## Send a stop signal to all domains. 
- ## - ## -@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',` - - ######################################## - ## --## Get the attributes of all domains of all domains. -+## Get the attributes of all domains. - ## - ## - ## -@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',` - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # -@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',` - - ######################################## - ## -+## Relabel from domain types on files if a user managed to mislable -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_relabelfrom',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow $1 domain:dir_file_class_set relabelfrom_file_perms; -+') -+ -+######################################## -+## - ## Relabel to and from all entry point - ## file types. - ## -@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',` - - ######################################## - ## -+## Named Filetrans Domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_named_filetrans',` -+ gen_require(` -+ attribute named_filetrans_domain; -+ ') -+ -+ typeattribute $1 named_filetrans_domain; -+') -+ -+######################################## -+## - ## Unconfined access to domains. - ## - ## -@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',` - typeattribute $1 can_change_object_identity; - typeattribute $1 set_curr_context; - typeattribute $1 process_uncond_exempt; -+ -+ mcs_process_set_categories($1) -+ -+ userdom_filetrans_home_content($1) -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## all leaked sockets. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`domain_dontaudit_leaks',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ dontaudit $1 domain:socket_class_set { read write }; -+') -+ -+######################################## -+## -+## Allow caller to transition to any domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_transition_all',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow $1 domain:process transition; -+') -+ -+######################################## -+## -+## Do not audit attempts to access check /proc -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`domain_dontaudit_access_check',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ dontaudit $1 domain:dir_file_class_set audit_access; - ') -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..369ddc2 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) - # - # Declarations - # -+## -+##

    -+## Allow all domains to use other domains file descriptors -+##

    -+##
    -+# -+gen_tunable(domain_fd_use, true) -+ -+## -+##

    -+## Allow all domains to execute in fips_mode -+##

    -+##
    -+# -+gen_tunable(fips_mode, true) -+ -+## -+##

    -+## Allow all domains to have the kernel load modules -+##

    -+##
    -+# -+gen_tunable(domain_kernel_load_modules, false) - - ## - ##

    -@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false)
- 
- # Mark process types as domains
- attribute domain;
-+attribute named_filetrans_domain;
- 
- # Transitions only allowed from domains to other domains
- neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
- allow domain self:dir list_dir_perms;
- allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
- allow domain self:file rw_file_perms;
-+allow domain self:fifo_file rw_fifo_file_perms;
-+allow domain self:sem create_sem_perms;
-+allow domain self:shm create_shm_perms;
-+
- kernel_read_proc_symlinks(domain)
-+kernel_read_crypto_sysctls(domain)
-+kernel_read_vm_overcommit_sysctls(domain)
-+
- # Every domain gets the key ring, so we should default
- # to no one allowed to look at it; afs kernel support creates
- # a keyring
- kernel_dontaudit_search_key(domain)
- kernel_dontaudit_link_key(domain)
-+kernel_dontaudit_search_debugfs(domain)
- 
- # create child processes in the domain
--allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched sigchld };
- 
- # Use trusted objects in /dev
-+dev_read_cpu_online(domain)
- dev_rw_null(domain)
- dev_rw_zero(domain)
- term_use_controlling_term(domain)
- 
- # list the root directory
- files_list_root(domain)
-+# allow all domains to search through default_t directory, since users sometimes
-+# place labels within these directories. (samba_share_t) for example.
-+files_search_default(domain)
-+files_read_inherited_tmp_files(domain)
-+files_append_inherited_tmp_files(domain)
-+files_read_all_base_ro_files(domain)
-+
-+# All executables should be able to search the directory they are in
-+corecmd_search_bin(domain)
-+
-+tunable_policy(`domain_kernel_load_modules',`
-+ kernel_request_load_module(domain)
-+')
- 
- ifdef(`hide_broken_symptoms',`
- # This check is in the general socket
-@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',`
- ')
- 
- optional_policy(`
-+ afs_rw_cache(domain)
-+')
-+
-+optional_policy(`
- libs_use_ld_so(domain)
- libs_use_shared_libs(domain)
-+ libs_read_lib_files(domain)
-+')
-+
-+optional_policy(`
-+ miscfiles_read_localization(domain)
-+ miscfiles_read_man_pages(domain)
- ')
- 
- optional_policy(`
-@@ -133,6 +189,9 @@ optional_policy(`
- optional_policy(`
- xserver_dontaudit_use_xdm_fds(domain)
- xserver_dontaudit_rw_xdm_pipes(domain)
-+ xserver_dontaudit_append_xdm_home_files(domain)
-+ xserver_dontaudit_write_log(domain)
-+ xserver_dontaudit_xdm_rw_stream_sockets(domain)
- ')
- 
- ########################################
-@@ -147,12 +206,18 @@ optional_policy(`
- # Use/sendto/connectto sockets created by any domain.
- allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
- 
-+allow unconfined_domain_type domain:system all_system_perms;
- # Use descriptors and pipes created by any domain.
- allow unconfined_domain_type domain:fd use;
- allow unconfined_domain_type domain:fifo_file rw_file_perms;
- 
-+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
-+
- # Act upon any other process.
--allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+tunable_policy(`deny_ptrace',`',`
-+ allow unconfined_domain_type domain:process ptrace;
-+')
- 
- # Create/access any System V IPC objects.
- allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
- # act on all domains keys
- allow unconfined_domain_type domain:key *;
- 
-+corenet_filetrans_all_named_dev(named_filetrans_domain)
-+
-+dev_filetrans_all_named_dev(named_filetrans_domain)
-+
- # receive from all domains over labeled networking
- domain_all_recvfrom_all_domains(unconfined_domain_type)
-+
-+files_filetrans_named_content(named_filetrans_domain)
-+files_filetrans_system_conf_named_files(named_filetrans_domain)
-+files_config_all_files(unconfined_domain_type)
-+dev_config_null_dev_service(unconfined_domain_type)
-+
-+optional_policy(`
-+ kdump_filetrans_named_content(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ locallogin_filetrans_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mandb_filetrans_named_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ seutil_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+storage_filetrans_all_named_dev(named_filetrans_domain)
-+
-+term_filetrans_all_named_dev(named_filetrans_domain)
-+
-+optional_policy(`
-+ init_disable_services(unconfined_domain_type)
-+ init_enable_services(unconfined_domain_type)
-+ init_reload_services(unconfined_domain_type)
-+ init_status(unconfined_domain_type)
-+ init_reboot(unconfined_domain_type)
-+ init_halt(unconfined_domain_type)
-+ init_undefined(unconfined_domain_type)
-+ init_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ auth_filetrans_named_content(named_filetrans_domain)
-+ auth_filetrans_admin_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ libs_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ logging_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ miscfiles_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ abrt_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ alsa_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ apache_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ apcupsd_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ bootloader_filetrans_config(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ clock_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ cups_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ devicekit_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ dnsmasq_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_admin_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ iscsi_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mplayer_filetrans_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ modules_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ mysql_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ networkmanager_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ ntp_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ nx_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ postgresql_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ postfix_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ prelink_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ quota_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ rpcbind_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ rsync_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ sysnet_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ systemd_login_status(unconfined_domain_type)
-+ systemd_login_reboot(unconfined_domain_type)
-+ systemd_login_halt(unconfined_domain_type)
-+ systemd_login_undefined(unconfined_domain_type)
-+ systemd_filetrans_named_content(named_filetrans_domain)
-+ systemd_filetrans_named_hostname(named_filetrans_domain)
-+ systemd_filetrans_home_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ tftp_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(named_filetrans_domain)
-+ ssh_filetrans_keys(unconfined_domain_type)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_named_content(named_filetrans_domain)
-+')
-+
-+selinux_getattr_fs(domain)
-+selinux_search_fs(domain)
-+selinux_dontaudit_read_fs(domain)
-+
-+optional_policy(`
-+ seutil_dontaudit_read_config(domain)
-+')
-+
-+optional_policy(`
-+ init_sigchld(domain)
-+ init_signull(domain)
-+ init_read_machineid(domain)
-+')
-+
-+ifdef(`distro_redhat',`
-+ files_search_mnt(domain)
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+ abrt_domtrans_helper(domain)
-+ abrt_read_pid_files(domain)
-+ abrt_read_state(domain)
-+ abrt_signull(domain)
-+ abrt_append_cache(domain)
-+ abrt_rw_fifo_file(domain)
-+')
-+
-+optional_policy(`
-+ sosreport_append_tmp_files(domain)
-+')
-+
-+tunable_policy(`domain_fd_use',`
-+ # Allow all domains to use fds past to them
-+ allow domain domain:fd use;
-+')
-+
-+optional_policy(`
-+ cron_dontaudit_write_system_job_tmp_files(domain)
-+ cron_rw_pipes(domain)
-+ cron_rw_system_job_pipes(domain)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit domain self:udp_socket listen;
-+ allow domain domain:key { link search };
-+ dontaudit domain domain:socket_class_set { read write };
-+ dontaudit domain self:capability sys_module;
-+')
-+
-+optional_policy(`
-+ ipsec_match_default_spd(domain)
-+')
-+
-+optional_policy(`
-+ ifdef(`hide_broken_symptoms',`
-+ afs_rw_udp_sockets(domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ ssh_rw_pipes(domain)
-+')
-+
-+optional_policy(`
-+ unconfined_dontaudit_rw_pipes(domain)
-+ unconfined_sigchld(domain)
-+')
-+
-+# broken kernel
-+dontaudit can_change_object_identity can_change_object_identity:key link;
-+
-+ifdef(`distro_redhat',`
-+ optional_policy(`
-+ unconfined_use_fds(domain)
-+ ')
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+ puppet_rw_tmp(domain)
-+')
-+
-+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-+
-+optional_policy(`
-+ rpm_rw_script_inherited_pipes(domain)
-+ rpm_use_fds(domain)
-+ rpm_read_pipes(domain)
-+ rpm_search_log(domain)
-+ rpm_append_tmp_files(domain)
-+ rpm_dontaudit_leaks(domain)
-+ rpm_read_script_tmp_files(domain)
-+ rpm_inherited_fifo(domain)
-+')
-+
-+tunable_policy(`fips_mode',`
-+ allow domain self:fifo_file manage_fifo_file_perms;
-+ kernel_read_kernel_sysctls(domain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`fips_mode',`
-+ prelink_exec(domain)
-+ ')
-+')
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..058bb58 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
- /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
- ifdef(`distro_suse',`
-@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
- # - # /boot - # --/boot -d gen_context(system_u:object_r:boot_t,s0) -+/boot gen_context(system_u:object_r:boot_t,s0) - /boot/.* gen_context(system_u:object_r:boot_t,s0) - /boot/\.journal <> - /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -@@ -38,13 +39,13 @@ ifdef(`distro_suse',` - # - # /emul - # --/emul -d gen_context(system_u:object_r:usr_t,s0) -+/emul gen_context(system_u:object_r:usr_t,s0) - /emul/.* gen_context(system_u:object_r:usr_t,s0) - - # - # /etc - # --/etc -d gen_context(system_u:object_r:etc_t,s0) -+/etc gen_context(system_u:object_r:etc_t,s0) - /etc/.* gen_context(system_u:object_r:etc_t,s0) - /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -52,13 +53,17 @@ ifdef(`distro_suse',` - /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) --/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) --/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) --/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0) --/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0) --/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0) -+ -+/etc/sysctl\.conf(\.old)? 
-- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0) - - /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) - -@@ -70,7 +75,10 @@ ifdef(`distro_suse',` - - /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) --/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) -+ -+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) -+ - - ifdef(`distro_gentoo', ` - /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', ` - /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_redhat',` --/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) --') -- - ifdef(`distro_suse',` - /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <> - /initrd -d gen_context(system_u:object_r:root_t,s0) - - # --# /lib(64)? -+# /lib - # - /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) - -@@ -129,6 +133,8 @@ ifdef(`distro_debian',` - /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) - /media/[^/]*/.* <> - /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) -+/var/run/media(/[^/]*)? 
-d gen_context(system_u:object_r:mnt_t,s0) -+/var/run/media/.* <> - - # - # /misc -@@ -150,10 +156,10 @@ ifdef(`distro_debian',` - # - # /opt - # --/opt -d gen_context(system_u:object_r:usr_t,s0) -+/opt gen_context(system_u:object_r:usr_t,s0) - /opt/.* gen_context(system_u:object_r:usr_t,s0) - --/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) -+/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - - # - # /proc -@@ -161,6 +167,12 @@ ifdef(`distro_debian',` - /proc -d <> - /proc/.* <> - -+ifdef(`distro_redhat',` -+/rhev -d gen_context(system_u:object_r:mnt_t,s0) -+/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) -+/rhev/[^/]*/.* <> -+') -+ - # - # /run - # -@@ -169,6 +181,7 @@ ifdef(`distro_debian',` - /run/.*\.*pid <> - /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) - -+/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0) - # - # /selinux - # -@@ -178,13 +191,14 @@ ifdef(`distro_debian',` - # - # /srv - # --/srv -d gen_context(system_u:object_r:var_t,s0) -+/srv gen_context(system_u:object_r:var_t,s0) - /srv/.* gen_context(system_u:object_r:var_t,s0) - - # - # /tmp - # --/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) - /tmp/.* <> - /tmp/\.journal <> - -@@ -194,9 +208,10 @@ ifdef(`distro_debian',` - # - # /usr - # --/usr -d gen_context(system_u:object_r:usr_t,s0) -+/usr gen_context(system_u:object_r:usr_t,s0) - /usr/.* gen_context(system_u:object_r:usr_t,s0) - /usr/\.journal <> -+/export(/.*)? gen_context(system_u:object_r:usr_t,s0) - - /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) - -@@ -204,15 +219,9 @@ ifdef(`distro_debian',` - - /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) - --/usr/local/\.journal <> -- --/usr/local/etc(/.*)? 
gen_context(system_u:object_r:etc_t,s0) -- --/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) --/usr/local/lost\+found/.* <> -- - /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /usr/lost\+found/.* <> -+/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) - - /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) - -@@ -220,8 +229,6 @@ ifdef(`distro_debian',` - /usr/tmp/.* <> - - ifndef(`distro_redhat',` --/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) -- - /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) - /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) - ') -@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` - # - # /var - # --/var -d gen_context(system_u:object_r:var_t,s0) -+/var gen_context(system_u:object_r:var_t,s0) - /var/.* gen_context(system_u:object_r:var_t,s0) - /var/\.journal <> - -@@ -237,11 +244,24 @@ ifndef(`distro_redhat',` - - /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) -+ - /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - - /var/lib/nfs/rpc_pipefs(/.*)? <> - --/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) -+/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) -+/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) -+ -+/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) -+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) -+/var/lib/openshift/.limits.d(/.*)? 
gen_context(system_u:object_r:etc_t,s0) -+ -+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0) -+ -+/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) -+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) -+/var/lock/.* <> - - /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /var/log/lost\+found/.* <> -@@ -256,12 +276,14 @@ ifndef(`distro_redhat',` - /var/run -l gen_context(system_u:object_r:var_run_t,s0) - /var/run/.* gen_context(system_u:object_r:var_run_t,s0) - /var/run/.*\.*pid <> -+/var/run/lock/.* <> - - /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) - /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - - /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) - /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) -+/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) - /var/tmp/.* <> - /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /var/tmp/lost\+found/.* <> -@@ -270,3 +292,5 @@ ifndef(`distro_redhat',` - ifdef(`distro_debian',` - /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) - ') -+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) -+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..36fa375 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -19,6 +19,136 @@ - ## Comains the file initial SID. - ## - -+##################################### -+##

    -+## files stub etc_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_etc',` -+ gen_require(` -+ type etc_t; -+ ') -+') -+ -+##################################### -+## -+## files stub var_lock_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_var_lock',` -+ gen_require(` -+ type var_lock_t; -+ ') -+') -+ -+##################################### -+## -+## files stub var_log_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_var_log',` -+ gen_require(` -+ type var_log_t; -+ ') -+') -+ -+##################################### -+## -+## files stub var_lib_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_var_lib',` -+ gen_require(` -+ type var_lib_t; -+ ') -+') -+ -+##################################### -+## -+## files stub var_run_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_var_run',` -+ gen_require(` -+ type var_run_t; -+ ') -+') -+ -+##################################### -+## -+## files stub var_run_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_var_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+') -+ -+##################################### -+## -+## files stub var_run_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_var',` -+ gen_require(` -+ type var_t; -+ ') -+') -+ -+ -+##################################### -+## -+## files stub tmp_t interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_stub_tmp',` -+ gen_require(` -+ type tmp_t; -+ ') -+') -+ -+ - ######################################## - ## - ## Make the specified type usable for files -@@ -55,6 +185,7 @@ - ##
  • files_pid_file()
  • - ##
  • files_security_file()
  • - ##
  • files_security_mountpoint()
  • -+##
  • files_spool_file()
  • - ##
  • files_tmp_file()
  • - ##
  • files_tmpfs_file()
  • - ##
  • logging_log_file()
  • -@@ -125,44 +256,59 @@ interface(`files_security_file',` - typeattribute $1 file_type, security_file_type, non_auth_file_type; - ') - -+ - ######################################## - ## - ## Make the specified type usable for --## lock files. -+## filesystem mount points. - ## - ## - ## --## Type to be used for lock files. -+## Type to be used for mount points. - ## - ## - # --interface(`files_lock_file',` -+interface(`files_mountpoint',` - gen_require(` -- attribute lockfile; -+ attribute mountpoint; - ') - - files_type($1) -- typeattribute $1 lockfile; -+ typeattribute $1 mountpoint; - ') - - ######################################## - ## --## Make the specified type usable for --## filesystem mount points. -+## Create a private type object in mountpoint dir -+## with an automatic type transition - ## --## -+## - ## --## Type to be used for mount points. -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. - ## - ## - # --interface(`files_mountpoint',` -+interface(`files_mountpoint_filetrans',` - gen_require(` - attribute mountpoint; - ') - -- files_type($1) -- typeattribute $1 mountpoint; -+ filetrans_pattern($1, mountpoint, $2, $3, $4) - ') - - ######################################## -@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',` - ######################################## - ## - ## Make the specified type usable for -+## lock files. -+## -+## -+## -+## Type to be used for lock files. -+## -+## -+# -+interface(`files_lock_file',` -+ gen_require(` -+ attribute lockfile; -+ ') -+ -+ files_type($1) -+ typeattribute $1 lockfile; -+') -+ -+######################################## -+## -+## Make the specified type usable for - ## runtime process ID files. 
- ##
- ##
-@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',`
- attribute non_security_file_type;
- ')
-
-- allow $1 non_security_file_type:dir mounton;
-+ allow $1 non_security_file_type:dir { write setattr mounton };
- allow $1 non_security_file_type:file mounton;
- ')
-
-@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
-
- ########################################
- ##
-+## Do not audit attempts to search
-+## non security dirs.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of non security files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_setattr_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:file setattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of non security directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_setattr_non_security_dirs',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:dir setattr;
-+')
-+
-+########################################
-+##
- ## Read all files.
- ##
- ##
-@@ -683,12 +906,107 @@ interface(`files_read_non_security_files',`
- attribute non_security_file_type;
- ')
-
-+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
- read_files_pattern($1, non_security_file_type, non_security_file_type)
- read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
- ')
-
- ########################################
- ##
-+## Read/Write all inherited non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_rw_inherited_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ allow $1 non_security_file_type:file { read write };
-+')
-+
-+########################################
-+##
-+## Manage all non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_manage_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
-+')
-+
-+########################################
-+##
-+## Relabel all non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_relabel_non_security_files',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
-+ allow $1 { non_security_file_type }:dir list_dir_perms;
-+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+
-+ # satisfy the assertions:
-+ seutil_relabelto_bin_policy($1)
-+')
-+
-+########################################
-+##
-+## Relabel all base file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_base_file_types',`
-+ gen_require(`
-+ attribute base_file_type;
-+ ')
-+
-+ allow $1 base_file_type:dir list_dir_perms;
-+ relabel_dirs_pattern($1, base_file_type , base_file_type )
-+ relabel_files_pattern($1, base_file_type , base_file_type )
-+ relabel_lnk_files_pattern($1, base_file_type , base_file_type )
-+ relabel_fifo_files_pattern($1, base_file_type , base_file_type )
-+ relabel_sock_files_pattern($1, base_file_type , base_file_type )
-+ relabel_blk_files_pattern($1, base_file_type , base_file_type )
-+ relabel_chr_files_pattern($1, base_file_type , base_file_type )
-+')
-+
-+########################################
-+##
- ## Read all directories on the filesystem, except
- ## the listed exceptions.
- ##
-@@ -953,6 +1271,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
-
- ########################################
- ##
-+## Do not audit attempts to read/write
-+## of non security named pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_pipes',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
- ## Get the attributes of all named sockets.
- ##
- ##
-@@ -991,8 +1328,8 @@ interface(`files_dontaudit_getattr_all_sockets',`
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of non security named sockets.
-+## Do not audit attempts to read
-+## of all named sockets.
- ##
- ##
- ##
-@@ -1000,43 +1337,81 @@ interface(`files_dontaudit_getattr_all_sockets',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_non_security_sockets',`
-+interface(`files_dontaudit_read_all_sockets',`
- gen_require(`
-- attribute non_security_file_type;
-+ attribute file_type;
- ')
-
-- dontaudit $1 non_security_file_type:sock_file getattr;
-+ dontaudit $1 file_type:sock_file read;
- ')
-
- ########################################
- ##
--## Read all block nodes with file types.
-+## Do not audit attempts to read
-+## of all security file types.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_all_blk_files',`
-+interface(`files_dontaudit_read_all_non_security_files',`
- gen_require(`
-- attribute file_type;
-+ attribute non_security_file_type;
- ')
-
-- read_blk_files_pattern($1, file_type, file_type)
-+ dontaudit $1 non_security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Read all character nodes with file types.
-+## Do not audit attempts to get the attributes
-+## of non security named sockets.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_all_chr_files',`
-+interface(`files_dontaudit_getattr_non_security_sockets',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:sock_file getattr;
-+')
-+
-+########################################
-+##
-+## Read all block nodes with file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_blk_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ read_blk_files_pattern($1, file_type, file_type)
-+')
-+
-+########################################
-+##
-+## Read all character nodes with file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_chr_files',`
- gen_require(`
- attribute file_type;
- ')
-@@ -1073,10 +1448,8 @@ interface(`files_relabel_all_files',`
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-- # this is only relabelfrom since there should be no
-- # device nodes with file types.
-- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1555,6 @@ interface(`files_list_all',`
-
- ########################################
- ##
--## Create all files as is.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`files_create_all_files_as',`
-- gen_require(`
-- attribute file_type;
-- ')
--
-- allow $1 file_type:kernel_service create_files_as;
--')
--
--########################################
--##
- ## Do not audit attempts to search the
- ## contents of any directories on extended
- ## attribute filesystems.
-@@ -1443,9 +1798,6 @@ interface(`files_relabel_non_auth_files',`
- # device nodes with file types.
- relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
- relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
--
-- # satisfy the assertions:
-- seutil_relabelto_bin_policy($1)
- ')
-
- #############################################
-@@ -1583,6 +1935,24 @@ interface(`files_getattr_all_mountpoints',`
-
- ########################################
- ##
-+## List the directory of all mount points.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:dir list_dir_perms;
-+')
-+
-+########################################
-+##
- ## Set the attributes of all mount points.
- ##
- ##
-@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
-
- ########################################
- ##
-+## Write all mount points.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:dir write;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write to mount points.
- ##
- ##
-@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
-
- ########################################
- ##
-+## Write all file type directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_dirs',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:dir write;
-+')
-+
-+########################################
-+##
- ## List the contents of the root directory.
- ##
- ##
-@@ -1874,25 +2280,25 @@ interface(`files_delete_root_dir_entry',`
-
- ########################################
- ##
--## Associate to root file system.
-+## Set attributes of the root directory.
- ##
--##
-+##
- ##
--## Type of the file to associate.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_associate_rootfs',`
-+interface(`files_setattr_root_dirs',`
- gen_require(`
- type root_t;
- ')
-
-- allow $1 root_t:filesystem associate;
-+ allow $1 root_t:dir setattr_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from rootfs file system.
-+## Relabel a rootfs filesystem.
- ##
- ##
- ##
-@@ -1905,7 +2311,7 @@ interface(`files_relabel_rootfs',`
- type root_t;
- ')
-
-- allow $1 root_t:filesystem { relabelto relabelfrom };
-+ allow $1 root_t:filesystem relabel_file_perms;
- ')
-
- ########################################
-@@ -1928,6 +2334,24 @@ interface(`files_unmount_rootfs',`
-
- ########################################
- ##
-+## Mount a filesystem on the root file system
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir { search_dir_perms mounton };
-+')
-+
-+########################################
-+##
- ## Get attributes of the /boot directory.
- ##
- ##
-@@ -2163,6 +2587,24 @@ interface(`files_relabelfrom_boot_files',`
- relabelfrom_files_pattern($1, boot_t, boot_t)
- ')
-
-+########################################
-+##
-+## Relabel to files in the /boot directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_boot_files',`
-+ gen_require(`
-+ type boot_t;
-+ ')
-+
-+ relabelto_files_pattern($1, boot_t, boot_t)
-+')
-+
- ######################################
- ##
- ## Read symbolic links in the /boot directory.
-@@ -2627,6 +3069,24 @@ interface(`files_rw_etc_dirs',`
- allow $1 etc_t:dir rw_dir_perms;
- ')
-
-+#######################################
-+##
-+## Dontaudit remove dir /etc directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_remove_etc_dir',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ dontaudit $1 etc_t:dir rmdir;
-+')
-+
- ##########################################
- ##
- ## Manage generic directories in /etc
-@@ -2698,6 +3158,7 @@ interface(`files_read_etc_files',`
- allow $1 etc_t:dir list_dir_perms;
- read_files_pattern($1, etc_t, etc_t)
- read_lnk_files_pattern($1, etc_t, etc_t)
-+ files_read_etc_runtime_files($1)
- ')
-
- ########################################
-@@ -2706,7 +3167,7 @@ interface(`files_read_etc_files',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2762,6 +3223,25 @@ interface(`files_manage_etc_files',`
-
- ########################################
- ##
-+## Do not audit attempts to check the
-+## access on etc files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_access_check_etc',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ dontaudit $1 etc_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Delete system configuration files in /etc.
- ##
- ##
-@@ -2780,6 +3260,24 @@ interface(`files_delete_etc_files',`
-
- ########################################
- ##
-+## Remove entries from the etc directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_etc_dir_entry',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ allow $1 etc_t:dir del_entry_dir_perms;
-+')
-+
-+########################################
-+##
- ## Execute generic files in /etc.
- ##
- ##
-@@ -2945,24 +3443,6 @@ interface(`files_delete_boot_flag',`
-
- ########################################
- ##
--## Do not audit attempts to set the attributes of the etc_runtime files
--##
--##
--##
--## Domain to not audit.
--##
--##
--#
--interface(`files_dontaudit_setattr_etc_runtime_files',`
-- gen_require(`
-- type etc_runtime_t;
-- ')
--
-- dontaudit $1 etc_runtime_t:file setattr;
--')
--
--########################################
--##
- ## Read files in /etc that are dynamically
- ## created on boot, such as mtab.
- ##
-@@ -3003,9 +3483,7 @@ interface(`files_read_etc_runtime_files',`
-
- ########################################
- ##
--## Do not audit attempts to read files
--## in /etc that are dynamically
--## created on boot, such as mtab.
-+## Do not audit attempts to set the attributes of the etc_runtime files
- ##
- ##
- ##
-@@ -3013,18 +3491,17 @@ interface(`files_read_etc_runtime_files',`
- ##
- ##
- #
--interface(`files_dontaudit_read_etc_runtime_files',`
-+interface(`files_dontaudit_setattr_etc_runtime_files',`
- gen_require(`
- type etc_runtime_t;
- ')
-
-- dontaudit $1 etc_runtime_t:file { getattr read };
-+ dontaudit $1 etc_runtime_t:file setattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write
--## etc runtime files.
-+## Do not audit attempts to write etc_runtime files
- ##
- ##
- ##
-@@ -3042,6 +3519,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
-
- ########################################
- ##
-+## Do not audit attempts to read files
-+## in /etc that are dynamically
-+## created on boot, such as mtab.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_etc_runtime_files',`
-+ gen_require(`
-+ type etc_runtime_t;
-+ ')
-+
-+ dontaudit $1 etc_runtime_t:file { getattr read };
-+')
-+
-+########################################
-+##
- ## Read and write files in /etc that are dynamically
- ## created on boot, such as mtab.
- ##
-@@ -3059,6 +3556,7 @@ interface(`files_rw_etc_runtime_files',`
-
- allow $1 etc_t:dir list_dir_perms;
- rw_files_pattern($1, etc_t, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_t)
- ')
-
- ########################################
-@@ -3080,6 +3578,7 @@ interface(`files_manage_etc_runtime_files',`
- ')
-
- manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
- ')
-
- ########################################
-@@ -3132,6 +3631,25 @@ interface(`files_getattr_isid_type_dirs',`
-
- ########################################
- ##
-+## Setattr of directories on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_isid_type_dirs',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:dir setattr;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to search directories on new filesystems
- ## that have not yet been labeled.
- ##
-@@ -3205,11 +3723,10 @@ interface(`files_delete_isid_type_dirs',`
-
- delete_dirs_pattern($1, file_t, file_t)
- ')
--
- ########################################
- ##
--## Create, read, write, and delete directories
--## on new filesystems that have not yet been labeled.
-+## Execute files on new filesystems
-+## that have not yet been labeled.
- ##
- ##
- ##
-@@ -3217,18 +3734,18 @@ interface(`files_delete_isid_type_dirs',`
- ##
- ##
- #
--interface(`files_manage_isid_type_dirs',`
-+interface(`files_exec_isid_files',`
- gen_require(`
- type file_t;
- ')
-
-- allow $1 file_t:dir manage_dir_perms;
-+ can_exec($1, file_t)
- ')
-
- ########################################
- ##
--## Mount a filesystem on a directory on new filesystems
--## that has not yet been labeled.
-+## Moundon directories on new filesystems
-+## that have not yet been labeled.
- ##
- ##
- ##
-@@ -3236,17 +3753,17 @@ interface(`files_manage_isid_type_dirs',`
- ##
- ##
- #
--interface(`files_mounton_isid_type_dirs',`
-+interface(`files_mounton_isid',`
- gen_require(`
- type file_t;
- ')
-
-- allow $1 file_t:dir { search_dir_perms mounton };
-+ allow $1 file_t:dir mounton;
- ')
-
- ########################################
- ##
--## Read files on new filesystems
-+## Relabelfrom all file opbjects on new filesystems
- ## that have not yet been labeled.
- ##
- ##
-@@ -3255,12 +3772,69 @@ interface(`files_mounton_isid_type_dirs',`
- ##
- ##
- #
--interface(`files_read_isid_type_files',`
-+interface(`files_relabelfrom_isid_type',`
- gen_require(`
- type file_t;
- ')
-
-- allow $1 file_t:file read_file_perms;
-+ dontaudit $1 file_t:dir_file_class_set relabelfrom;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete directories
-+## on new filesystems that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_isid_type_dirs',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Mount a filesystem on a directory on new filesystems
-+## that has not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_isid_type_dirs',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:dir { search_dir_perms mounton };
-+')
-+
-+########################################
-+##
-+## Read files on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_isid_type_files',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:file read_file_perms;
- ')
-
- ########################################
-@@ -3455,6 +4029,25 @@ interface(`files_rw_isid_type_blk_files',`
-
- ########################################
- ##
-+## rw any files inherited from another process
-+## on new filesystems that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_isid_type_files',`
-+ gen_require(`
-+ type file_t;
-+ ')
-+
-+ allow $1 file_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete block device nodes
- ## on new filesystems that have not yet been labeled.
- ##
-@@ -3796,20 +4389,38 @@ interface(`files_list_mnt',`
-
- ######################################
- ##
--## Do not audit attempts to list the contents of /mnt.
-+## dontaudit List the contents of /mnt.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_list_mnt',`
-+ gen_require(`
-+ type mnt_t;
-+ ')
-+
-+ dontaudit $1 mnt_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to check the
-+## write access on mnt files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_dontaudit_list_mnt',`
-+interface(`files_dontaudit_access_check_mnt',`
- gen_require(`
- type mnt_t;
- ')
--
-+ dontaudit $1 mnt_t:dir_file_class_set audit_access;
- ')
-
- ########################################
-@@ -4199,6 +4810,171 @@ interface(`files_read_world_readable_sockets',`
- allow $1 readable_t:sock_file read_sock_file_perms;
- ')
-
-+#######################################
-+##
-+## Read manageable system configuration files in /etc
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_system_conf_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ allow $1 etc_t:dir list_dir_perms;
-+ read_files_pattern($1, etc_t, system_conf_t)
-+ read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
-+######################################
-+##
-+## Manage manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_system_conf_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
-+ files_filetrans_system_conf_named_files($1)
-+')
-+
-+#####################################
-+##
-+## File name transition for system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_filetrans_system_conf_named_files',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
-+
filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
-+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
-+######################################
-+##
-+## Relabel manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_system_conf_files',`
-+ gen_require(`
-+ type usr_t;
-+ ')
-+
-+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
-+######################################
-+##
-+## Relabel manageable system configuration files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_system_conf_files',`
-+ gen_require(`
-+ type usr_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
-+###################################
-+##
-+## Create files in /etc with the type used for
-+## the manageable system config files.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`files_etc_filetrans_system_conf',`
-+ gen_require(`
-+ type etc_t, system_conf_t;
-+ ')
-+
-+ filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
-+######################################
-+##
-+## Manage manageable system db files in /var/lib.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_system_db_files',`
-+ gen_require(`
-+ type var_lib_t, system_db_t;
-+ ')
-+
-+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
-+ files_filetrans_system_db_named_files($1)
-+')
-+
-+#####################################
-+##
-+## File name transition for system db files in /var/lib.
-+##
-+##
-+##
-+## Domain allowed access.
-+## -+## -+# -+interface(`files_filetrans_system_db_named_files',` -+ gen_require(` -+ type var_lib_t, system_db_t; -+ ') -+ -+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") -+') -+ - ######################################## - ## - ## Allow the specified type to associate -@@ -4221,6 +4997,26 @@ interface(`files_associate_tmp',` - - ######################################## - ## -+## Allow the specified type to associate -+## to a filesystem with the type of the -+## / file system -+## -+## -+## -+## Type of the file to associate. -+## -+## -+# -+interface(`files_associate_rootfs',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ allow $1 root_t:filesystem associate; -+') -+ -+######################################## -+## - ## Get the attributes of the tmp directory (/tmp). - ## - ## -@@ -4234,17 +5030,37 @@ interface(`files_getattr_tmp_dirs',` - type tmp_t; - ') - -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir getattr; - ') - - ######################################## - ## -+## Do not audit attempts to check the -+## access on tmp files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_access_check_tmp',` -+ gen_require(` -+ type etc_t; -+ ') -+ -+ dontaudit $1 tmp_t:dir_file_class_set audit_access; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## attributes of the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # -@@ -4271,6 +5087,7 @@ interface(`files_search_tmp',` - type tmp_t; - ') - -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir search_dir_perms; - ') - -@@ -4307,6 +5124,7 @@ interface(`files_list_tmp',` - type tmp_t; - ') - -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir list_dir_perms; - ') - -@@ -4316,7 +5134,7 @@ interface(`files_list_tmp',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. 
- ## - ## - # -@@ -4328,6 +5146,25 @@ interface(`files_dontaudit_list_tmp',` - dontaudit $1 tmp_t:dir list_dir_perms; - ') - -+####################################### -+## -+## Allow read and write to the tmp directory (/tmp). -+## -+## -+## -+## Domain not to audit. -+## -+## -+# -+interface(`files_rw_generic_tmp_dir',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ allow $1 tmp_t:dir rw_dir_perms; -+') -+ - ######################################## - ## - ## Remove entries from the tmp directory. -@@ -4343,6 +5180,7 @@ interface(`files_delete_tmp_dir_entry',` - type tmp_t; - ') - -+ files_search_tmp($1) - allow $1 tmp_t:dir del_entry_dir_perms; - ') - -@@ -4384,6 +5222,32 @@ interface(`files_manage_generic_tmp_dirs',` - - ######################################## - ## -+## Allow shared library text relocations in tmp files. -+## -+## -+##

    -+## Allow shared library text relocations in tmp files. -+##

    -+##

    -+## This is added to support java policy. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_execmod_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file execmod; -+') -+ -+######################################## -+## - ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4438,7 +5302,7 @@ interface(`files_rw_generic_tmp_sockets',` - - ######################################## - ## --## Set the attributes of all tmp directories. -+## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -4446,17 +5310,17 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## List all tmp directories. -+## Relabel a file from the type used in /tmp. - ## - ## - ## -@@ -4464,59 +5328,53 @@ interface(`files_setattr_all_tmp_dirs',` - ## - ## - # --interface(`files_list_all_tmp',` -+interface(`files_relabelfrom_tmp_files',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir list_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Relabel to and from all temporary --## directory types. -+## Set the attributes of all tmp directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_dirs',` -+interface(`files_setattr_all_tmp_dirs',` - gen_require(` - attribute tmpfile; -- type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) -+ allow $1 tmpfile:dir { search_dir_perms setattr }; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of all tmp files. -+## Allow caller to read inherited tmp files. 
- ## - ## - ## --## Domain not to audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -+interface(`files_read_inherited_tmp_files',` - gen_require(` - attribute tmpfile; - ') - -- dontaudit $1 tmpfile:file getattr; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; - ') - - ######################################## - ## --## Allow attempts to get the attributes --## of all tmp files. -+## Allow caller to append inherited tmp files. - ## - ## - ## -@@ -4524,12 +5382,108 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## - ## - # --interface(`files_getattr_all_tmp_files',` -+interface(`files_append_inherited_tmp_files',` - gen_require(` - attribute tmpfile; - ') - -- allow $1 tmpfile:file getattr; -+ allow $1 tmpfile:file append_inherited_file_perms; -+') -+ -+######################################## -+## -+## Allow caller to read and write inherited tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_inherited_tmp_file',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## List all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_all_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all temporary -+## directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of all tmp files. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_getattr_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file getattr; -+') -+ -+######################################## -+## -+## Allow attempts to get the attributes -+## of all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file getattr; - ') - - ######################################## -@@ -4561,7 +5515,7 @@ interface(`files_relabel_all_tmp_files',` - ##
    - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4593,6 +5547,44 @@ interface(`files_read_all_tmp_files',` - - ######################################## - ## -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_tmp_file_leaks',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do allow attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_rw_tmp_file_leaks',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create an object in the tmp directories, with a private - ## type using a type transition. - ## -@@ -4646,6 +5638,16 @@ interface(`files_purge_tmp',` - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') - - ######################################## -@@ -5223,6 +6225,24 @@ interface(`files_list_var',` - - ######################################## - ## -+## Do not audit listing of the var directory (/var). -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_list_var',` -+ gen_require(` -+ type var_t; -+ ') -+ -+ dontaudit $1 var_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories - ## in the /var directory. - ## -@@ -5578,6 +6598,25 @@ interface(`files_read_var_lib_symlinks',` - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - -+######################################## -+## -+## manage generic symbolic links -+## in the /var/lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_var_lib_symlinks',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ - # cjp: the next two interfaces really need to be fixed - # in some way. They really neeed their own types. - -@@ -5623,7 +6662,7 @@ interface(`files_manage_mounttab',` - - ######################################## - ## --## Set the attributes of the generic lock directories. -+## List generic lock directories. - ## - ## - ## -@@ -5631,12 +6670,13 @@ interface(`files_manage_mounttab',` - ## - ## - # --interface(`files_setattr_lock_dirs',` -+interface(`files_list_locks',` - gen_require(` - type var_t, var_lock_t; - ') - -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) - ') - - ######################################## -@@ -5654,6 +6694,7 @@ interface(`files_search_locks',` - type var_t, var_lock_t; - ') - -+ files_search_pids($1) - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) - ') -@@ -5680,7 +6721,26 @@ interface(`files_dontaudit_search_locks',` - - ######################################## - ## --## List generic lock directories. -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. - ## - ## - ## -@@ -5688,13 +6748,12 @@ interface(`files_dontaudit_search_locks',` - ## - ## - # --interface(`files_list_locks',` -+interface(`files_setattr_lock_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_lock_t:dir setattr; - ') - - ######################################## -@@ -5713,7 +6772,7 @@ interface(`files_rw_lock_dirs',` - type var_t, var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - rw_dirs_pattern($1, var_t, var_lock_t) - ') - -@@ -5746,7 +6805,6 @@ interface(`files_create_lock_dirs',` - ## Domain allowed access. - ##
    - ## --## - # - interface(`files_relabel_all_lock_dirs',` - gen_require(` -@@ -5761,7 +6819,7 @@ interface(`files_relabel_all_lock_dirs',` - - ######################################## - ## --## Get the attributes of generic lock files. -+## Relabel to and from all lock file types. - ## - ## - ## -@@ -5769,13 +6827,33 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_relabel_all_lock_files',` - gen_require(` -+ attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Get the attributes of generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) - ') -@@ -5791,13 +6869,12 @@ interface(`files_getattr_generic_locks',` - ## - # - interface(`files_delete_generic_locks',` -- gen_require(` -+ gen_require(` - type var_t, var_lock_t; -- ') -+ ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) - ') - - ######################################## -@@ -5816,9 +6893,7 @@ interface(`files_manage_generic_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) - manage_files_pattern($1, var_lock_t, var_lock_t) - ') - -@@ -5860,8 +6935,7 @@ interface(`files_read_all_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; 
-- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6957,7 @@ interface(`files_manage_all_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6994,7 @@ interface(`files_lock_filetrans',` - type var_t, var_lock_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - filetrans_pattern($1, var_lock_t, $2, $3, $4) - ') - -@@ -5961,7 +7033,7 @@ interface(`files_setattr_pid_dirs',` - type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - allow $1 var_run_t:dir setattr; - ') - -@@ -5981,10 +7053,48 @@ interface(`files_search_pids',` - type var_t, var_run_t; - ') - -+ allow $1 var_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) - ') - -+###################################### -+## -+## Add and remove entries from pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:dir rw_dir_perms; -+') -+ -+####################################### -+## -+## Create generic pid directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; -+') -+ - ######################################## - ## - ## Do not audit attempts to search -@@ -6007,6 +7117,25 @@ interface(`files_dontaudit_search_pids',` - - ######################################## - ## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6021,7 +7150,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - ') - -@@ -6040,7 +7169,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6060,7 +7189,7 @@ interface(`files_write_generic_pid_pipes',` - type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - allow $1 var_run_t:fifo_file write; - ') - -@@ -6122,7 +7251,6 @@ interface(`files_pid_filetrans',` - ') - - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) - ') - -@@ -6151,7 +7279,7 @@ interface(`files_pid_filetrans_lock_dir',` - - ######################################## - ## --## Read and write generic process ID files. 
-+## rw generic pid files inherited from another process - ## - ## - ## -@@ -6159,12 +7287,30 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` -+interface(`files_rw_inherited_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Read and write generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_generic_pids',` - gen_require(` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6231,6 +7377,116 @@ interface(`files_dontaudit_ioctl_all_pids',` - - ######################################## - ## -+## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## -+## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## -+## manage all pidfile directories -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## - ## Read all process ID files. - ## - ## -@@ -6243,12 +7499,86 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; -+ type var_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_files',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_exec_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## manage all pidfiles -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## -+## Mount filesystems on all polyinstantiation -+## member directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_mounton_all_poly_members',` -+ gen_require(` -+ attribute polymember; -+ ') -+ -+ allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6268,8 +7598,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6293,36 +7623,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content -+## Make the specified type a file -+## used for spool files. -+## -+## -+##

    -+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

    -+##

    -+## Related interfaces: -+##

    -+##
      -+##
    • files_spool_filetrans()
    • -+##
    -+##

    -+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

    -+##

    -+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

    -+##
    -+## -+## -+## Type of the file to be used as a -+## spool file. -+## -+## -+## -+# -+interface(`files_spool_file',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ files_type($1) -+ typeattribute $1 spoolfile; -+') -+ -+######################################## -+## -+## Create all spool sockets - ## - ## - ## --## Domain alloed access. -+## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` -+interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute pidfile; -+ attribute spoolfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 spoolfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all spool sockets - ## - ## - ## -@@ -6330,12 +7704,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; -+ attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; -+ allow $1 spoolfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all spool -+## directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_spool_dirs',` -+ gen_require(` -+ attribute spoolfile; -+ type var_t; -+ ') -+ -+ relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6562,3 +7957,491 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') -+ -+######################################## -+## -+## Create a core files in / -+## -+## -+##

    -+## Create a core file in /, -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_manage_root_files',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ manage_files_pattern($1, root_t, root_t) -+') -+ -+######################################## -+## -+## Create a default directory -+## -+## -+##

    -+## Create a default_t direcrory -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_create_default_dir',` -+ gen_require(` -+ type default_t; -+ ') -+ -+ allow $1 default_t:dir create; -+') -+ -+######################################## -+## -+## Create, default_t objects with an automatic -+## type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The class of the object being created. -+## -+## -+# -+interface(`files_root_filetrans_default',` -+ gen_require(` -+ type root_t, default_t; -+ ') -+ -+ filetrans_pattern($1, root_t, default_t, $2) -+') -+ -+######################################## -+## -+## manage generic symbolic links -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_pids_symlinks',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to getattr -+## all tmpfs files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_tmpfs_files',` -+ gen_require(` -+ attribute tmpfsfile; -+ ') -+ -+ allow $1 tmpfsfile:file getattr; -+') -+ -+######################################## -+## -+## Allow read write all tmpfs files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_rw_tmpfs_files',` -+ gen_require(` -+ attribute tmpfsfile; -+ ') -+ -+ allow $1 tmpfsfile:file { read write }; -+') -+ -+######################################## -+## -+## Do not audit attempts to read security files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_read_security_files',` -+ gen_require(` -+ attribute security_file_type; -+ ') -+ -+ dontaudit $1 security_file_type:file read_file_perms; -+') -+ -+######################################## -+## -+## rw any files inherited from another process -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+## Object type. -+## -+## -+# -+interface(`files_rw_all_inherited_files',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ allow $1 { file_type $2 }:file rw_inherited_file_perms; -+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; -+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; -+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## -+## Allow any file point to be the entrypoint of this domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_entrypoint_all_files',` -+ gen_require(` -+ attribute file_type; -+ ') -+ allow $1 file_type:file entrypoint; -+') -+ -+######################################## -+## -+## Do not audit attempts to rw inherited file perms -+## of non security files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_all_non_security_leaks',` -+ gen_require(` -+ attribute non_security_file_type; -+ ') -+ -+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## all leaked files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_leaks',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ dontaudit $1 file_type:file rw_inherited_file_perms; -+ dontaudit $1 file_type:lnk_file { read }; -+') -+ -+######################################## -+## -+## Allow domain to create_file_ass all types -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_as_is_all_files',` -+ gen_require(` -+ attribute file_type; -+ class kernel_service create_files_as; -+ ') -+ -+ allow $1 file_type:kernel_service create_files_as; -+') -+ -+######################################## -+## -+## Do not audit attempts to check the -+## access on all files -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_all_access_check',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ dontaudit $1 file_type:dir_file_class_set audit_access; -+') -+ -+######################################## -+## -+## Do not audit attempts to write to all files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_write_all_files',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ dontaudit $1 file_type:dir_file_class_set write; -+') -+ -+######################################## -+## -+## Allow domain to delete to all files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_delete_all_non_security_files',` -+ gen_require(` -+ attribute non_security_file_type; -+ ') -+ -+ allow $1 non_security_file_type:dir del_entry_dir_perms; -+ allow $1 non_security_file_type:file_class_set delete_file_perms; -+') -+ -+######################################## -+## -+## Transition named content in the var_run_t directory -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_filetrans_named_content',` -+ gen_require(` -+ type etc_t; -+ type mnt_t; -+ type usr_t; -+ type tmp_t; -+ type var_t; -+ type var_run_t; -+ type tmp_t; -+ ') -+ -+ files_pid_filetrans($1, mnt_t, dir, "media") -+ files_root_filetrans($1, etc_runtime_t, file, ".readahead") -+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") -+ files_root_filetrans($1, mnt_t, dir, "afs") -+ files_root_filetrans($1, mnt_t, dir, "misc") -+ files_root_filetrans($1, mnt_t, dir, "net") -+ files_root_filetrans($1, usr_t, dir, "export") -+ files_root_filetrans($1, usr_t, dir, "opt") -+ files_root_filetrans($1, usr_t, dir, "emul") -+ files_root_filetrans($1, var_t, dir, "srv") -+ files_root_filetrans($1, var_run_t, dir, "run") -+ files_root_filetrans($1, tmp_t, dir, "sandbox") -+ files_root_filetrans($1, tmp_t, dir, "tmp") -+ files_root_filetrans($1, var_t, dir, "nsr") -+ files_etc_filetrans($1, etc_t, file, "system-auth-ac") -+ files_etc_filetrans($1, etc_t, file, "postlogin-ac") -+ files_etc_filetrans($1, etc_t, file, "password-auth-ac") -+ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") -+ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") -+ files_etc_filetrans($1, etc_t, file, "hwdb.bin") -+ files_etc_filetrans_etc_runtime($1, file, "runtime") -+ files_etc_filetrans_etc_runtime($1, dir, "blkid") -+ files_etc_filetrans_etc_runtime($1, dir, "cmtab") -+ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE") -+ files_etc_filetrans_etc_runtime($1, file, "ioctl.save") -+ files_etc_filetrans_etc_runtime($1, file, "nologin") -+ files_etc_filetrans_etc_runtime($1, file, "securetty") -+ files_etc_filetrans_etc_runtime($1, file, "ifstate") -+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") -+ files_etc_filetrans_etc_runtime($1, file, "hwconf") -+ files_etc_filetrans_etc_runtime($1, file, "iptables.save") -+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") -+ files_var_filetrans($1, tmp_t, dir, "tmp") -+') -+ 
-+########################################
-+##
-+## Make the specified type a
-+## base file.
-+##
-+##
-+##

    -+## Identify file type as base file type. Tools will use this attribute,
-+## to help users diagnose problems.
-+##

    -+##
    -+##
-+##
-+## Type to be used as a base files.
-+##
-+##
-+##
-+#
-+interface(`files_base_file',`
-+ gen_require(`
-+ attribute base_file_type;
-+ ')
-+ files_type($1)
-+ typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+##
-+## Make the specified type a
-+## base read only file.
-+##
-+##
-+##

    -+## Make the specified type readable for all domains.
-+##

    -+##
    -+##
-+##
-+## Type to be used as a base read only files.
-+##
-+##
-+##
-+#
-+interface(`files_ro_base_file',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+ files_base_file($1)
-+ typeattribute $1 base_ro_file_type;
-+')
-+
-+########################################
-+##
-+## Read all ro base files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_base_ro_files',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+
-+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+')
-+
-+########################################
-+##
-+## Execute all base ro files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_exec_all_base_ro_files',`
-+ gen_require(`
-+ attribute base_ro_file_type;
-+ ')
-+
-+ can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to modify the systemd configuration of
-+## any file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_config_all_files',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+##
-+## Get the status of etc_t files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_status_etc',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ allow $1 etc_t:service status;
-+')
-diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 148d87a..ccbcb66 100644
---- a/policy/modules/kernel/files.te
-+++ b/policy/modules/kernel/files.te
-@@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
- # Declarations
- #
-
-+attribute base_file_type;
-+attribute base_ro_file_type;
- attribute file_type;
- attribute files_unconfined_type;
- attribute lockfile;
- attribute mountpoint;
- attribute pidfile;
-+attribute spoolfile;
- attribute configfile;
-+attribute etcfile;
-
- # For labeling types that are to be polyinstantiated
- attribute polydir;
-@@ -48,28 +52,45 @@ attribute usercanread;
- #
- type boot_t;
- files_mountpoint(boot_t)
-+files_ro_base_file(boot_t)
-
- # default_t is the default type for files that do not
- # match any specification in the file_contexts configuration
- # other than the generic /.* specification.
- type default_t;
- files_mountpoint(default_t)
-+files_base_file(default_t)
-
- #
- # etc_t is the type of the system etc directories.
- #
- type etc_t, configfile;
--files_type(etc_t)
-+files_ro_base_file(etc_t)
-+
- # compatibility aliases for removed types:
- typealias etc_t alias automount_etc_t;
- typealias etc_t alias snmpd_etc_t;
-
-+# system_conf_t is a new type of various
-+# files in /etc/ that can be managed and
-+# created by several domains.
-+#
-+type system_conf_t, configfile;
-+files_ro_base_file(system_conf_t)
-+# compatibility aliases for removed type:
-+typealias system_conf_t alias iptables_conf_t;
-+
-+# system_db_t is a new type of various
-+# db files.
-+type system_db_t;
-+files_ro_base_file(system_db_t)
-+
- #
- # etc_runtime_t is the type of various
- # files in /etc that are automatically
- # generated during initialization.
- #
--type etc_runtime_t;
-+type etc_runtime_t, configfile;
- files_type(etc_runtime_t)
- #Temporarily in policy until FC5 dissappears
- typealias etc_runtime_t alias firstboot_rw_t;
-@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
- #
- type file_t;
- files_mountpoint(file_t)
-+files_base_file(file_t)
- kernel_rootfs_mountpoint(file_t)
- sid file gen_context(system_u:object_r:file_t,s0)
-
-@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
- # are created
- #
- type home_root_t;
-+files_base_file(home_root_t)
- files_mountpoint(home_root_t)
- files_poly_parent(home_root_t)
-
-@@ -96,12 +119,13 @@ files_poly_parent(home_root_t)
- # lost_found_t is the type for the lost+found directories.
- #
- type lost_found_t;
--files_type(lost_found_t)
-+files_base_file(lost_found_t)
-
- #
- # mnt_t is the type for mount points such as /mnt/cdrom
- #
- type mnt_t;
-+files_base_file(mnt_t)
- files_mountpoint(mnt_t)
-
- #
-@@ -123,6 +147,7 @@ files_type(readable_t)
- # root_t is the type for rootfs and the root directory.
- #
- type root_t;
-+files_base_file(root_t)
- files_mountpoint(root_t)
- files_poly_parent(root_t)
- kernel_rootfs_mountpoint(root_t)
-@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
- #
- type src_t;
- files_mountpoint(src_t)
-+files_ro_base_file(src_t)
-
- #
- # system_map_t is for the system.map files in /boot
- #
- type system_map_t;
- files_type(system_map_t)
-+kernel_proc_type(system_map_t)
- genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
-
- #
- # tmp_t is the type of the temporary directories
- #
- type tmp_t;
-+files_base_file(tmp_t)
- files_tmp_file(tmp_t)
- files_mountpoint(tmp_t)
- files_poly(tmp_t)
- files_poly_parent(tmp_t)
-+typealias tmp_t alias firstboot_tmp_t;
-
- #
- # usr_t is the type for /usr.
- #
- type usr_t;
-+files_ro_base_file(usr_t)
- files_mountpoint(usr_t)
-
- #
- # var_t is the type of /var
- #
- type var_t;
-+files_base_file(var_t)
- files_mountpoint(var_t)
-
- #
- # var_lib_t is the type of /var/lib
- #
- type var_lib_t;
-+files_base_file(var_lib_t)
- files_mountpoint(var_lib_t)
-+files_poly(var_lib_t)
-
- #
- # var_lock_t is tye type of /var/lock
- #
- type var_lock_t;
-+files_base_file(var_lock_t)
- files_lock_file(var_lock_t)
-+files_mountpoint(var_lock_t)
-
- #
- # var_run_t is the type of /var/run, usually
- # used for pid and other runtime files.
- #
- type var_run_t;
-+files_base_file(var_run_t)
- files_pid_file(var_run_t)
- files_mountpoint(var_run_t)
-
-@@ -186,7 +222,9 @@ files_mountpoint(var_run_t)
- # var_spool_t is the type of /var/spool
- #
- type var_spool_t;
-+files_base_file(var_spool_t)
- files_tmp_file(var_spool_t)
-+files_spool_file(var_spool_t)
-
- ########################################
- #
-@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
- # Create/access any file in a labeled filesystem;
- allow files_unconfined_type file_type:{ file chr_file } ~execmod;
- allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-+allow files_unconfined_type file_type:service *;
-
- # Mount/unmount any filesystem with the context= option.
- allow files_unconfined_type file_type:filesystem *;
-
--tunable_policy(`allow_execmod',`
-+tunable_policy(`selinuxuser_execmod',`
- allow files_unconfined_type file_type:file execmod;
- ')
-diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..924f856 100644
---- a/policy/modules/kernel/filesystem.fc
-+++ b/policy/modules/kernel/filesystem.fc
-@@ -1,9 +1,12 @@
--/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
--/cgroup/.* <>
-+# ecryptfs does not support xattr
-+HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
-+HOME_DIR/\.Private(/.*)? 
gen_context(system_u:object_r:ecryptfs_t,s0)
-+
-+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
-
- /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
- /dev/hugepages(/.*)? <>
--/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
- /dev/shm/.* <>
-
- /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
-@@ -12,5 +15,11 @@
- /lib/udev/devices/shm/.* <>
-
- # for systemd systems:
--/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
--/sys/fs/cgroup/.* <>
-+/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
-+
-+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
-+/usr/lib/udev/devices/hugepages/.* <>
-+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-+/usr/lib/udev/devices/shm/.* <>
-+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
-+/var/run/[^/]*/gvfs/.* <>
-diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..c6cd3eb 100644
---- a/policy/modules/kernel/filesystem.if
-+++ b/policy/modules/kernel/filesystem.if
-@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
-
- ########################################
- ##
-+## Get attributes of cgroup files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_cgroup_files',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ getattr_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
- ## Search cgroup directories.
- ##
- ##
-@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
- ')
-
- search_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
- ########################################
- ##
-+## Relabel cgroup directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_cgroup_dirs',`
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+##
- ## list cgroup directories.
- ##
- ##
-@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',`
- ##
    - ##
- #
--interface(`fs_list_cgroup_dirs', `
-+interface(`fs_list_cgroup_dirs',`
- gen_require(`
- type cgroup_t;
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-+#######################################
-+##
-+## Do not audit attempts to search cgroup directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_search_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ dontaudit $1 cgroup_t:dir search_dir_perms;
-+ dev_dontaudit_search_sysfs($1)
-+')
-+
- ########################################
- ##
- ## Delete cgroup directories.
-@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
- ')
-
- delete_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
- ')
-
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
- ')
-
- read_files_pattern($1, cgroup_t, cgroup_t)
-+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
- ')
-
- write_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
-
- ')
-
-+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
- rw_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
- ')
-
- manage_files_pattern($1, cgroup_t, cgroup_t)
-+ manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
-+ fs_search_tmpfs($1)
- dev_search_sysfs($1)
- ')
-
-@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
-
- ########################################
- ##
-+## Read/Write all inherited noxattrfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_noxattr_fs_files',`
-+ gen_require(`
-+ attribute noxattrfs;
-+ ')
-+
-+ allow $1 noxattrfs:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read all
- ## noxattrfs files.
- ##
-@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
-
- ########################################
- ##
--## dontaudit Append files
-+## Do not audit attempts to append files
- ## on a CIFS filesystem.
- ##
- ##
-@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
-
- ########################################
- ##
-+## Read inherited files on a CIFS or SMB filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_inherited_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/Write inherited files on a CIFS or SMB filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_cifs_files',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ allow $1 cifs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or
- ## write files on a CIFS or SMB filesystem.
-@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
- type cifs_t;
- ')
-
-- dontaudit $1 cifs_t:file rw_file_perms;
-+ dontaudit $1 cifs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
- domain_auto_transition_pattern($1, cifs_t, $2)
- ')
-
-+########################################
-+##
-+## Make general progams in cifs an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which cifs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_cifs_entry_type',`
-+ gen_require(`
-+ type cifs_t;
-+ ')
-+
-+ domain_entry_file($1, cifs_t)
-+')
-+
- #######################################
- ##
- ## Create, read, write, and delete dirs
-@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
-
- ########################################
- ##
-+## Unmount a configfs filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_configfs',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ allow $1 configfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Mount a DOS filesystem, such as
- ## FAT32 or NTFS.
- ##
-@@ -1793,6 +1954,205 @@ interface(`fs_read_eventpollfs',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
-
-+
-+#######################################
-+##
-+## Search directories
-+## on a ecrypt filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_ecryptfs',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ allow $1 ecryptfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete directories
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_ecryptfs_dirs',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
-+ allow $1 ecryptfs_t:dir manage_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_read_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_manage_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to create,
-+## read, write, and delete files
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_manage_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ dontaudit $1 ecryptfs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_ecryptfs_symlinks',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ allow $1 ecryptfs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+#######################################
-+##
-+## Dontaudit append files on ecrypt filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_dontaudit_append_ecryptfs_files',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+ dontaudit $1 ecryptfs_t:file append;
-+')
-+
-+########################################
-+##
-+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_manage_ecryptfs_symlinks',`
-+ gen_require(`
-+ type ecryptfs_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
-+')
-+
-+########################################
-+##
-+## Execute a file on a FUSE filesystem
-+## in the specified domain.
-+##
-+##
-+##

    -+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+##

    -+##

    -+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##

    -+##

    -+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+##

    -+##
    -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`fs_ecryptfs_domtrans',` -+ gen_require(` -+ type ecryptfs_t; -+ ') -+ -+ allow $1 ecryptfs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ - ######################################## - ## - ## Mount a FUSE filesystem. -@@ -2025,6 +2385,87 @@ interface(`fs_read_fusefs_symlinks',` - - ######################################## - ## -+## Manage symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## -+## Execute a file on a FUSE filesystem -+## in the specified domain. -+## -+## -+##

    -+## Execute a file on a FUSE filesystem
-+## in the specified domain. This allows
-+## the specified domain to execute any file
-+## on these filesystems in the specified
-+## domain. This is not suggested.
-+##

    -+##

    -+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+##

    -+##

    -+## This interface was added to handle
-+## home directories on FUSE filesystems,
-+## in particular used by the ssh-agent policy.
-+##

    -+##
    -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`fs_fusefs_domtrans',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, fusefs_t, $2) -+') -+ -+######################################## -+## -+## Get the attributes of a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_getattr_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:filesystem getattr; -+') -+ -+######################################## -+## - ## Get the attributes of an hugetlbfs - ## filesystem. - ## -@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',` - - ######################################## - ## -+## Read hugetlbfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_hugetlbfs_files',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+') -+ -+######################################## -+## - ## Read and write hugetlbfs files. - ## - ## -@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',` - - ######################################## - ## -+## Execute hugetlbfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_exec_hugetlbfs_files',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ allow $1 hugetlbfs_t:dir list_dir_perms; -+ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+') -+ -+######################################## -+## - ## Allow the type to associate to hugetlbfs filesystems. - ## - ## -@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',` - ') - - allow $1 inotifyfs_t:dir list_dir_perms; -+ fs_read_anon_inodefs_files($1) - ') - - ######################################## - ## --## Dontaudit List inotifyfs filesystem. -+## Do not audit attempts to list inotifyfs filesystem. 
- ##
- ##
- ##
-@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir list_dir_perms;
- read_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir list_dir_perms;
- write_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',`
-
- ########################################
- ##
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
-+##
-+##
-+##
-+## The domain for which nfs_t is an entrypoint.
-+##
-+##
-+#
-+interface(`fs_nfs_entry_type',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ domain_entry_file($1, nfs_t)
-+')
-+
-+########################################
-+##
- ## Append files
- ## on a NFS filesystem.
- ##
-@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',`
-
- ########################################
- ##
--## dontaudit Append files
-+## Do not audit attempts to append files
- ## on a NFS filesystem.
- ##
- ##
-@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',`
-
- ########################################
- ##
-+## Read inherited files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_inherited_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/write inherited files on a NFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_nfs_files',`
-+ gen_require(`
-+ type nfs_t;
-+ ')
-+
-+ allow $1 nfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or
- ## write files on a NFS filesystem.
- ##
-@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file rw_file_perms;
-+ dontaudit $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',`
-
- ########################################
- ##
--## Dontaudit read symbolic links on a NFS filesystem.
-+## Do not audit attempts to read symbolic links on a NFS filesystem.
- ##
- ##
- ##
-@@ -2719,6 +3255,26 @@ interface(`fs_search_rpc',`
-
- ########################################
- ##
-+## Do not audit attempts to list removable storage directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_list_pstorefs',`
-+ gen_require(`
-+ type pstorefs_t;
-+ ')
-+
-+ allow $1 pstorefs_t:dir list_dir_perms;
-+')
-+
-+
-+
-+########################################
-+##
- ## Search removable storage directories.
- ##
- ##
-@@ -2741,7 +3297,7 @@ interface(`fs_search_removable',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2777,7 +3333,7 @@ interface(`fs_read_removable_files',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2970,6 +3526,7 @@ interface(`fs_manage_nfs_dirs',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir manage_dir_perms;
- ')
-
-@@ -3010,6 +3567,7 @@ interface(`fs_manage_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- manage_files_pattern($1, nfs_t, nfs_t)
- ')
-
-@@ -3050,6 +3608,7 @@ interface(`fs_manage_nfs_symlinks',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- manage_lnk_files_pattern($1, nfs_t, nfs_t)
- ')
-
-@@ -3137,6 +3696,24 @@ interface(`fs_nfs_domtrans',`
-
- ########################################
- ##
-+## Mount on nfsd_fs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_nfsd_fs', `
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ allow $1 nfsd_fs_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Mount a NFS server pseudo filesystem.
- ##
- ##
-@@ -3255,17 +3832,53 @@ interface(`fs_list_nfsd_fs',`
- ##
    - ##
- #
--interface(`fs_getattr_nfsd_files',`
-+interface(`fs_getattr_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+#######################################
-+##
-+## read files on an nfsd filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+')
-+
-+########################################
-+##
-+## Read and write NFS server files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_nfsd_fs',`
- gen_require(`
- type nfsd_fs_t;
- ')
-
-- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
- ########################################
- ##
--## Read and write NFS server files.
-+## Manage NFS server files.
- ##
- ##
- ##
-@@ -3273,12 +3886,12 @@ interface(`fs_getattr_nfsd_files',`
- ##
- ##
- #
--interface(`fs_rw_nfsd_fs',`
-+interface(`fs_manage_nfsd_fs',`
- gen_require(`
- type nfsd_fs_t;
- ')
-
-- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
- ')
-
- ########################################
-@@ -3392,7 +4005,7 @@ interface(`fs_search_ramfs',`
-
- ########################################
- ##
--## Dontaudit Search directories on a ramfs
-+## Do not audit attempts to search directories on a ramfs
- ##
- ##
- ##
-@@ -3429,7 +4042,7 @@ interface(`fs_manage_ramfs_dirs',`
-
- ########################################
- ##
--## Dontaudit read on a ramfs files.
-+## Do not audit attempts to read on a ramfs files.
- ##
- ##
- ##
-@@ -3447,7 +4060,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
-
- ########################################
- ##
--## Dontaudit read on a ramfs fifo_files.
-+## Do not audit attempts to read on a ramfs fifo_files.
- ##
- ##
- ##
-@@ -3815,6 +4428,24 @@ interface(`fs_unmount_tmpfs',`
-
- ########################################
- ##
-+## Mount on tmpfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mounton_tmpfs', `
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get the attributes of a tmpfs
- ## filesystem.
- ##
-@@ -3908,7 +4539,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
-
- ########################################
- ##
--## Mount on tmpfs directories.
-+## Set the attributes of tmpfs directories.
- ##
- ##
- ##
-@@ -3916,17 +4547,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
- ##
- ##
- #
--interface(`fs_mounton_tmpfs',`
-+interface(`fs_setattr_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir mounton;
-+ allow $1 tmpfs_t:dir setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of tmpfs directories.
-+## Search tmpfs directories.
- ##
- ##
- ##
-@@ -3934,17 +4565,17 @@ interface(`fs_mounton_tmpfs',`
- ##
- ##
- #
--interface(`fs_setattr_tmpfs_dirs',`
-+interface(`fs_search_tmpfs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir setattr;
-+ allow $1 tmpfs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Search tmpfs directories.
-+## List the contents of generic tmpfs directories.
- ##
- ##
- ##
-@@ -3952,17 +4583,36 @@ interface(`fs_setattr_tmpfs_dirs',`
- ##
- ##
- #
--interface(`fs_search_tmpfs',`
-+interface(`fs_list_tmpfs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir search_dir_perms;
-+ allow $1 tmpfs_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## List the contents of generic tmpfs directories.
-+## Do not audit attempts to list the
-+## contents of generic tmpfs directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Relabel directory on tmpfs filesystems.
- ##
- ##
- ##
-@@ -3970,31 +4620,48 @@ interface(`fs_search_tmpfs',`
- ##
- ##
- #
--interface(`fs_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_dirs',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to list the
--## contents of generic tmpfs directories.
-+## Relabel fifo_file on tmpfs filesystems.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_fifo_files',`
- gen_require(`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:dir list_dir_perms;
-+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
- ')
-
- ########################################
-@@ -4105,7 +4772,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
- type tmpfs_t;
- ')
-
-- dontaudit $1 tmpfs_t:file rw_file_perms;
-+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -4165,6 +4832,24 @@ interface(`fs_rw_tmpfs_files',`
-
- ########################################
- ##
-+## Read and write generic tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_inherited_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:file { read write };
-+')
-+
-+########################################
-+##
- ## Read tmpfs link files.
- ##
- ##
-@@ -4202,7 +4887,7 @@ interface(`fs_rw_tmpfs_chr_files',`
-
- ########################################
- ##
--## dontaudit Read and write character nodes on tmpfs filesystems.
-+## Do not audit attempts to read and write character nodes on tmpfs filesystems.
- ##
- ##
- ##
-@@ -4221,6 +4906,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
-
- ########################################
- ##
-+## Do not audit attempts to create character nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_create_tmpfs_chr_dev',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:chr_file create;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_read_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:blk_file read;
-+')
-+
-+########################################
-+##
- ## Relabel character nodes on tmpfs filesystems.
- ##
- ##
-@@ -4278,6 +5017,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
-
- ########################################
- ##
-+## Relabel sock nodes on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_sock_file',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Delete generic files in tmpfs directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_delete_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:dir del_entry_dir_perms;
-+ allow $1 tmpfs_t:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete generic
- ## files on tmpfs filesystems.
- ##
-@@ -4297,6 +5074,25 @@ interface(`fs_manage_tmpfs_files',`
- 
- ########################################
- ##
-+## Execute files on a tmpfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_exec_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ exec_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
- ## Read and write, create and delete symbolic
- ## links on tmpfs filesystems.
- ##
-@@ -4503,6 +5299,8 @@ interface(`fs_mount_all_fs',`
- ')
- 
- allow $1 filesystem_type:filesystem mount;
-+# Mount checks write access on the dir
-+ allow $1 filesystem_type:dir write;
- ')
- 
- ########################################
-@@ -4549,7 +5347,7 @@ interface(`fs_unmount_all_fs',`
- ##
- ##
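Review bot: The new `allow $1 filesystem_type:dir write;` in the `@@ -4503,6 +5299,8 @@` hunk hands directory write on every filesystem type to every caller of `fs_mount_all_fs`, which is considerably broader than the single mount-point check the comment cites; if only the mount path needs it, say so in the comment and consider whether a narrower rule on the mount point type would do, since `dir write` on all filesystems is hard to reason about for the many domains that call this interface. The comment is also at column 0 inside the interface body while the rules around it are indented; indent it with the rule it explains, `\t# Mount checks write access on the dir`. The head of `fs_mount_all_fs` is outside this hunk.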

    - ## Allow the specified domain to --## et the attributes of all filesystems. -+## get the attributes of all filesystems. - ## Example attributes: - ##

    - ##
      -@@ -4596,6 +5394,26 @@ interface(`fs_dontaudit_getattr_all_fs',` - - ######################################## - ## -+## Do not audit attempts to check the -+## access on all filesystems. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_all_access_check',` -+ gen_require(` -+ attribute filesystem_type; -+ ') -+ -+ dontaudit $1 filesystem_type:dir_file_class_set audit_access; -+') -+ -+ -+######################################## -+## - ## Get the quotas of all filesystems. - ## - ## -@@ -4671,6 +5489,25 @@ interface(`fs_getattr_all_dirs',` - - ######################################## - ## -+## Dontaudit Get the attributes of all directories -+## with a filesystem type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_getattr_all_dirs',` -+ gen_require(` -+ attribute filesystem_type; -+ ') -+ -+ dontaudit $1 filesystem_type:dir getattr; -+') -+ -+######################################## -+## - ## Search all directories with a filesystem type. - ## - ## -@@ -4912,3 +5749,43 @@ interface(`fs_unconfined',` - - typeattribute $1 filesystem_unconfined_type; - ') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## all leaked filesystems files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_leaks',` -+ gen_require(` -+ attribute filesystem_type; -+ ') -+ -+ dontaudit $1 filesystem_type:file rw_inherited_file_perms; -+ dontaudit $1 filesystem_type:lnk_file { read }; -+') -+ -+ -+######################################## -+## -+## Transition named content in tmpfs_t directory -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`fs_tmpfs_filetrans_named_content',`
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
-+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
-+')
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..1198b51 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
- 
- # Use the allocating task SID to label inodes in the following filesystem
- # types, and label the filesystem itself with the specified context.
-@@ -53,6 +56,7 @@ type anon_inodefs_t;
- fs_type(anon_inodefs_t)
- files_mountpoint(anon_inodefs_t)
- genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
-+mls_trusted_object(anon_inodefs_t)
- 
- type bdev_t;
- fs_type(bdev_t)
-@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t)
- files_mountpoint(binfmt_misc_fs_t)
- genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
- 
-+type oracleasmfs_t;
-+fs_type(oracleasmfs_t)
-+files_mountpoint(oracleasmfs_t)
-+genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
-+
- type capifs_t;
- fs_type(capifs_t)
- files_mountpoint(capifs_t)
- genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
- 
--type cgroup_t;
-+type cgroup_t alias cgroupfs_t;
- fs_type(cgroup_t)
- files_type(cgroup_t)
- files_mountpoint(cgroup_t)
-@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
- files_mountpoint(ecryptfs_t)
- genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
- 
-+type efivarfs_t;
-+fs_noxattr_type(efivarfs_t)
-+files_mountpoint(efivarfs_t)
-+genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
-+
- type futexfs_t;
- fs_type(futexfs_t)
- genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +111,7 @@ type hugetlbfs_t;
- fs_type(hugetlbfs_t)
- files_mountpoint(hugetlbfs_t)
- fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-+dev_associate(hugetlbfs_t)
- 
- type ibmasmfs_t;
- fs_type(ibmasmfs_t)
-@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
- 
- type nfsd_fs_t;
- fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
- genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
- 
- type oprofilefs_t;
- fs_type(oprofilefs_t)
- genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
- 
-+type pstorefs_t;
-+fs_type(pstorefs_t)
-+genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
-+
- type ramfs_t;
- fs_type(ramfs_t)
- files_mountpoint(ramfs_t)
-@@ -145,11 +165,6 @@ fs_type(spufs_t)
- genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
- files_mountpoint(spufs_t)
- 
--type squash_t;
--fs_type(squash_t)
--genfscon squash / gen_context(system_u:object_r:squash_t,s0)
--files_mountpoint(squash_t)
--
- type sysv_t;
- fs_noxattr_type(sysv_t)
- files_mountpoint(sysv_t)
-@@ -167,6 +182,8 @@ type vxfs_t;
- fs_noxattr_type(vxfs_t)
- files_mountpoint(vxfs_t)
- genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
-+genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0)
-+genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0)
- 
- #
- # tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
- files_type(tmpfs_t)
- files_mountpoint(tmpfs_t)
- files_poly_parent(tmpfs_t)
-+dev_associate(tmpfs_t)
-+mls_trusted_object(tmpfs_t)
- 
- # Use a transition SID based on the allocating task SID and the
- # filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
- type removable_t;
- allow removable_t noxattrfs:filesystem associate;
- fs_noxattr_type(removable_t)
-+files_type(removable_t)
-+dev_node(removable_t)
- files_mountpoint(removable_t)
- 
- #
-@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
-+genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
- 
- ########################################
- #
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..f7021a0 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,2 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..d47750f 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
- type kernel_t;
- ')
- 
-- allow $1 kernel_t:unix_dgram_socket { read write ioctl };
-+ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
- ')
- 
- ########################################
-@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
- 
- ########################################
- ##
-+## Mount the proc filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mount_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:filesystem mount;
-+')
-+
-+########################################
-+##
- ## Unmount the proc filesystem.
- ##
- ##
-@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
- 
- ########################################
- ##
-+## Mounton a proc filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+##
- ## Get the attributes of the proc filesystem.
- ##
- ##
-@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
- #
- interface(`kernel_read_system_state',`
- gen_require(`
-- type proc_t;
-+ attribute kernel_system_state_reader;
- ')
- 
-- read_files_pattern($1, proc_t, proc_t)
-- read_lnk_files_pattern($1, proc_t, proc_t)
--
-- list_dirs_pattern($1, proc_t, proc_t)
-+ typeattribute $1 kernel_system_state_reader;
- ')
- 
- ########################################
-@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
- 
- ########################################
- ##
-+## Allow attempts to read all proc types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_all_proc',`
-+ gen_require(`
-+ attribute proc_type;
-+ ')
-+
-+ read_files_pattern($1, proc_type, proc_type)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to search
- ## the base directory of sysctls.
- ##
-@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
- ')
- 
- dontaudit $1 sysctl_type:dir list_dir_perms;
-- dontaudit $1 sysctl_type:file getattr;
-+ dontaudit $1 sysctl_type:file read_file_perms;
- ')
- 
- ########################################
-@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
- 
- ########################################
- ##
-+## Delete unlabeled files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_delete_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir delete_dir_perms;
-+ allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
- ## Read the process state (/proc/pid) of all unlabeled_t.
- ##
- ##
-@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
- 
- ########################################
- ##
-+## Read and write unlabeled sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_unlabeled_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:socket rw_socket_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts by caller to get attributes for
- ## unlabeled character devices.
- ##
-@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
- 
- ########################################
- ##
-+## Allow caller to relabel unlabeled filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelfrom_unlabeled_fs',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+##
- ## Allow caller to relabel unlabeled files.
- ##
- ##
-@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
- allow $1 unlabeled_t:association { sendto recvfrom };
- 
- # temporary hack until labeling on packets is supported
-- allow $1 unlabeled_t:packet { send recv };
-+# allow $1 unlabeled_t:packet { send recv };
- ')
- 
- ########################################
-@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
- 
- ########################################
- ##
-+## Receive DCCP packets from an unlabeled connection.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Receive TCP packets from an unlabeled connection.
- ##
- ##
-@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
- 
- ########################################
- ##
-+## Do not audit attempts to receive DCCP packets from an unlabeled
-+## connection.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ dontaudit $1 unlabeled_t:dccp_socket recvfrom;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to receive TCP packets from an unlabeled
- ## connection.
- ##
-@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
- 
- allow $1 unlabeled_t:rawip_socket recvfrom;
- ')
-+########################################
-+##
-+## Read/Write Raw IP packets from an unlabeled connection.
-+##
-+##
-+##

-+## Receive Raw IP packets from an unlabeled connection.
-+##
-+##
-+## The corenetwork interface corenet_raw_recv_unlabeled() should
-+## be used instead of this one.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_unlabeled_rawip_socket',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
-+')
-+
- 
- ########################################
- ##
-@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
- 
- ########################################
- ##
-+## Relabel to unlabeled context .
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_relabelto_unlabeled',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir_file_class_set relabelto;
-+')
-+
-+########################################
-+##
- ## Unconfined access to kernel module resources.
- ##
- ##
-@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
- ')
- 
- typeattribute $1 kern_unconfined;
-- kernel_load_module($1)
-+ kernel_load_module($1)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to getattr on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_read',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket { read getattr };
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to write on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_stream_write',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket { write getattr };
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to read/write on
-+## the kernel with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_stream_socket_perms',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
-+ allow $1 kernel_t:fd use;
-+')
-+
-+########################################
-+##
-+## Make the specified type usable for regular entries in proc
-+##
-+##
-+##
-+## Type to be used for /proc entries.
-+##
-+##
-+#
-+interface(`kernel_proc_type',`
-+ gen_require(`
-+ attribute proc_type;
-+ ')
-+
-+ typeattribute $1 proc_type;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts by caller to get attributes on all sysctls.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_getattr_all_sysctls',`
-+ gen_require(`
-+ attribute sysctl_type;
-+ ')
-+
-+ dontaudit $1 sysctl_type:file getattr;
-+')
-+
-+########################################
-+##
-+## Read the process state (/proc/pid) of the kernel.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_state',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:dir search_dir_perms;
-+ allow $1 kernel_t:file read_file_perms;
-+ allow $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_dontaudit_read_state',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ dontaudit $1 kernel_t:dir search_dir_perms;
-+ dontaudit $1 kernel_t:file read_file_perms;
-+ dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow searching of numa state directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_search_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ search_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the numa
-+## state directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`kernel_dontaudit_search_numa_state',`
-+ gen_require(`
-+ type proc_numa_t;
-+ ')
-+
-+ dontaudit $1 proc_numa_t:dir search;
-+')
-+
-+########################################
-+##
-+## Allow caller to read the numa state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read the numa state symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_numa_state_symlinks',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to write numa state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_write_numa_state',`
-+ gen_require(`
-+ type proc_t, proc_numa_t;
-+ ')
-+
-+ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to search virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_search_vm_overcommit_sysctl',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Allow caller to read virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_read_vm_overcommit_sysctls',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+')
-+
-+########################################
-+##
-+## Read and write virtual memory overcommit sysctls.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`kernel_rw_vm_overcommit_sysctls',`
-+ gen_require(`
-+ type sysctl_vm_overcommit_t;
-+ ')
-+
-+ kernel_search_vm_sysctl($1)
-+ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
-+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
- ')
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..5a087a7 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -25,6 +25,9 @@ attribute kern_unconfined;
- # regular entries in proc
- attribute proc_type;
- 
-+# attribute for domains which read proc_t
-+attribute kernel_system_state_reader;
-+
- # sysctls
- attribute sysctl_type;
- 
-@@ -48,6 +51,7 @@ ifdef(`enable_mls',`
- type kernel_t, can_load_kernmodule;
- domain_base_type(kernel_t)
- mls_rangetrans_source(kernel_t)
-+mls_trusted_object(kernel_t)
- role system_r types kernel_t;
- sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
- 
-@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
- type debugfs_t;
- files_mountpoint(debugfs_t)
- fs_type(debugfs_t)
-+
- allow debugfs_t self:filesystem associate;
- genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
- 
-@@ -95,6 +100,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
- type proc_mdstat_t, proc_type;
- genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
- 
-+type proc_numa_t, proc_type;
-+genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)
-+mls_trusted_object(proc_numa_t)
-+
- type proc_net_t, proc_type;
- genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
- 
-@@ -153,6 +162,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
- type sysctl_vm_t, sysctl_type;
- genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
- 
-+# /proc/sys/vm/overcommit_memory
-+type sysctl_vm_overcommit_t, sysctl_type;
-+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
-+
- # /proc/sys/dev directory and files
- type sysctl_dev_t, sysctl_type;
- genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
- type unlabeled_t;
- fs_associate(unlabeled_t)
- sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-+allow unlabeled_t self:filesystem associate;
- 
- # These initial sids are no longer used, and can be removed:
- sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
- # kernel local policy
- #
- 
-+allow kernel_t self:capability2 mac_admin;
- allow kernel_t self:capability ~sys_module;
- allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
- corenet_in_generic_if(unlabeled_t)
- corenet_in_generic_node(unlabeled_t)
- 
--corenet_all_recvfrom_unlabeled(kernel_t)
- corenet_all_recvfrom_netlabel(kernel_t)
- # Kernel-generated traffic e.g., ICMP replies:
- corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
- corenet_tcp_sendrecv_all_nodes(kernel_t)
- corenet_raw_send_generic_node(kernel_t)
- corenet_send_all_packets(kernel_t)
-+corenet_filetrans_all_named_dev(kernel_t)
- 
- dev_read_sysfs(kernel_t)
- dev_search_usbfs(kernel_t)
- # devtmpfs handling:
- dev_create_generic_dirs(kernel_t)
- dev_delete_generic_dirs(kernel_t)
--dev_create_generic_blk_files(kernel_t)
--dev_delete_generic_blk_files(kernel_t)
--dev_create_generic_chr_files(kernel_t)
--dev_delete_generic_chr_files(kernel_t)
-+dev_create_all_blk_files(kernel_t)
-+dev_delete_all_blk_files(kernel_t)
-+dev_create_all_chr_files(kernel_t)
-+dev_delete_all_chr_files(kernel_t)
- dev_mounton(kernel_t)
-+dev_filetrans_all_named_dev(kernel_t)
-+storage_filetrans_all_named_dev(kernel_t)
-+term_filetrans_all_named_dev(kernel_t)
- 
- # Mount root file system. Used when loading a policy
- # from initrd, then mounting the root filesystem
-@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
- 
- selinux_load_policy(kernel_t)
- 
--term_use_console(kernel_t)
-+term_use_all_terms(kernel_t)
-+term_use_ptmx(kernel_t)
- 
- corecmd_exec_shell(kernel_t)
- corecmd_list_bin(kernel_t)
-@@ -277,25 +296,49 @@ files_list_root(kernel_t)
- files_list_etc(kernel_t)
- files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
-+files_manage_mounttab(kernel_t)
-+files_manage_generic_spool_dirs(kernel_t)
- 
- mcs_process_set_categories(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_socket_write_all_levels(kernel_t)
- 
- mls_process_read_up(kernel_t)
- mls_process_write_down(kernel_t)
-+mls_file_downgrade(kernel_t)
- mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_share_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-+mls_process_set_level(kernel_t)
- 
- ifdef(`distro_redhat',`
- # Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
- ')
- 
-+
-+optional_policy(`
-+ apache_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ gnome_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ kerberos_filetrans_home_content(kernel_t)
-+')
-+
- optional_policy(`
- hotplug_search_config(kernel_t)
- ')
- 
- optional_policy(`
- init_sigchld(kernel_t)
-+ init_dyntrans(kernel_t)
- ')
- 
- optional_policy(`
-@@ -305,6 +348,19 @@ optional_policy(`
- 
- optional_policy(`
- logging_send_syslog_msg(kernel_t)
-+ logging_manage_generic_logs(kernel_t)
-+')
-+
-+optional_policy(`
-+ mta_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
- ')
- 
- optional_policy(`
-@@ -312,6 +368,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ plymouthd_create_log(kernel_t)
-+')
-+
-+optional_policy(`
- # nfs
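Review bot: In the `@@ -277,25 +296,49 @@` hunk, `mcs_file_read_all(kernel_t)`, `mcs_file_write_all(kernel_t)` and `mcs_socket_write_all_levels(kernel_t)` are added, but the mcs.if hunks later in this same patch (`@@ -44,11 +44,7 @@` through `@@ -104,11 +92,7 @@`, and `@@ -130,3 +114,19 @@`) turn those interfaces into `refpolicywarn` stubs that grant nothing, so the three calls only produce build warnings. The deprecation message there says the MCS exemption is now obtained by not calling `mcs_constrained()` rather than by these interfaces, so the three lines can simply be dropped; if kernel_t is meant to stay MCS-constrained, that should be decided explicitly instead of relying on dead calls. The kernel_t local policy block continues past this hunk.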
kernel server needs kernel UDP access. It is less risky and painful
- # to just give it everything.
- allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +392,6 @@ optional_policy(`
- 
- sysnet_read_config(kernel_t)
- 
-- rpc_manage_nfs_ro_content(kernel_t)
-- rpc_manage_nfs_rw_content(kernel_t)
-- rpc_tcp_rw_nfs_sockets(kernel_t)
- rpc_udp_rw_nfs_sockets(kernel_t)
- 
- tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +400,7 @@ optional_policy(`
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
- 
-- files_list_non_auth_dirs(kernel_t)
-- files_read_non_auth_files(kernel_t)
-- files_read_non_auth_symlinks(kernel_t)
-+ files_read_non_security_files(kernel_t)
- ')
- 
- tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +409,7 @@ optional_policy(`
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
- 
-- files_manage_non_auth_files(kernel_t)
-+ files_manage_non_security_files(kernel_t)
- ')
- ')
- 
-@@ -367,6 +422,15 @@ optional_policy(`
- unconfined_domain_noaudit(kernel_t)
- ')
- 
-+optional_policy(`
-+ virt_filetrans_home_content(kernel_t)
-+')
-+
-+optional_policy(`
-+ xserver_xdm_manage_spool(kernel_t)
-+ xserver_filetrans_home_content(kernel_t)
-+')
-+
- ########################################
- #
- # Unlabeled process local policy
-@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
- allow kern_unconfined unlabeled_t:filesystem *;
- allow kern_unconfined unlabeled_t:association *;
- allow kern_unconfined unlabeled_t:packet *;
--allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+
-+gen_require(`
-+ bool secure_mode_insmod;
-+')
-+
-+if( ! secure_mode_insmod ) {
-+ allow can_load_kernmodule self:capability sys_module;
-+ allow can_load_kernmodule self:capability2 compromise_kernel;
-+ # load_module() calls stop_machine() which
-+ # calls sched_setscheduler()
-+ allow can_load_kernmodule self:capability sys_nice;
-+ kernel_setsched(can_load_kernmodule)
-+}
-+
-+#######################################
-+#
-+# Kernel system state reader policy
-+#
-+
-+read_files_pattern(kernel_system_state_reader, proc_t, proc_t)
-+read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
-+list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
-diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
-index b08a6e8..43d504b 100644
---- a/policy/modules/kernel/mcs.if
-+++ b/policy/modules/kernel/mcs.if
-@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
- ##
- #
- interface(`mcs_file_read_all',`
-- gen_require(`
-- attribute mcsreadall;
-- ')
--
-- typeattribute $1 mcsreadall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
- 
- ########################################
-@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
- ##
- #
- interface(`mcs_file_write_all',`
-- gen_require(`
-- attribute mcswriteall;
-- ')
--
-- typeattribute $1 mcswriteall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
- 
- ########################################
-@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
- ##
- #
- interface(`mcs_killall',`
-- gen_require(`
-- attribute mcskillall;
-- ')
--
-- typeattribute $1 mcskillall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
- 
- ########################################
-@@ -104,11 +92,7 @@ interface(`mcs_killall',`
- ##
- #
- interface(`mcs_ptrace_all',`
-- gen_require(`
-- attribute mcsptraceall;
-- ')
--
-- typeattribute $1 mcsptraceall;
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
- ')
- 
- ########################################
-@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',`
- 
- typeattribute $1 mcssetcats;
- ')
-+
-+########################################
-+##
-+## Make specified domain MCS trusted
-+## for writing to sockets at any level.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`mcs_socket_write_all_levels',`
-+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
-+')
-diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 5cbeb54..8067370 100644
---- a/policy/modules/kernel/mcs.te
-+++ b/policy/modules/kernel/mcs.te
-@@ -11,3 +11,4 @@ attribute mcssetcats;
- attribute mcswriteall;
- attribute mcsreadall;
- attribute mcs_constrained_type;
-+attribute mcsnetwrite;
-diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
-index 7be4ddf..4d4c577 100644
---- a/policy/modules/kernel/selinux.fc
-+++ b/policy/modules/kernel/selinux.fc
-@@ -1 +1 @@
--# This module currently does not have any file contexts.
-+/selinux -l gen_context(system_u:object_r:security_t,s0) -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 81440c5..a02d444 100644 ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` - - # because of this statement, any module which - # calls this interface must be in the base module: -- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) -+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) - ') - - ######################################## -@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',` - type security_t; - ') - -+ allow $1 security_t:lnk_file read_lnk_file_perms; -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs -@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',` - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:filesystem getattr; - - # read /proc/filesystems to see if selinuxfs is supported -@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem mount; - ') - -@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem remount; - ') - -@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem unmount; - ') - -@@ 
-164,6 +177,7 @@ interface(`selinux_getattr_fs',` - type security_t; - ') - -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem getattr; - ') - -@@ -220,6 +234,9 @@ interface(`selinux_search_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir search_dir_perms; - ') - -@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',` - - ######################################## - ## -+## Mount on selinuxfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`selinux_mounton_fs',` -+ gen_require(` -+ type security_t; -+ ') -+ -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; -+ allow $1 security_t:dir mounton; -+') -+ -+ -+######################################## -+## - ## Do not audit attempts to read - ## generic selinuxfs entries - ## -@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',` - type security_t; - ') - -+ selinux_dontaudit_getattr_fs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - ') -@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',` - type security_t; - ') - -+ selinux_get_fs_mount($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - ') -@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',` - gen_require(` - type security_t; - attribute can_setenforce; -- bool secure_mode_policyload; - ') - -- allow $1 security_t:dir list_dir_perms; -- allow $1 security_t:file rw_file_perms; - typeattribute $1 can_setenforce; -- -- if(!secure_mode_policyload) { -- allow $1 security_t:security setenforce; -- -- ifdef(`distro_rhel4',` -- # needed for systems without audit support -- auditallow $1 security_t:security setenforce; -- ') -- } - ') - - 
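Review bot: The new `selinux_mounton_fs` grants `security_t:dir mounton` with only the one-line summary "Mount on selinuxfs directories", but a domain holding it can mount another filesystem over selinuxfs directories in its mount namespace and so hide the real `enforce`/`booleans` nodes from userspace that reads them; the kernel still enforces, but tools such as getenforce/load_policy would be misled. The summary should say who is expected to call it, e.g. `## Mount on selinuxfs directories. Privileged: intended for init/mount-like domains only; lets the caller shadow the selinuxfs nodes userspace consults.` The body also has two consecutive blank lines before the next `####` separator, unlike the neighbouring interfaces.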
######################################## -@@ -339,21 +369,14 @@ interface(`selinux_load_policy',` - gen_require(` - type security_t; - attribute can_load_policy; -- bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_load_policy; -- -- if(!secure_mode_policyload) { -- allow $1 security_t:security load_policy; -- -- ifdef(`distro_rhel4',` -- # needed for systems without audit support -- auditallow $1 security_t:security load_policy; -- ') -- } - ') - - ######################################## -@@ -371,6 +394,9 @@ interface(`selinux_read_policy',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - allow $1 security_t:security read_policy; -@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',` - interface(`selinux_set_generic_booleans',` - gen_require(` - type security_t; -+ attribute can_setbool; - ') - -+ typeattribute $1 can_setbool; -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - -- allow $1 security_t:security setbool; -- -- ifdef(`distro_rhel4',` -- # needed for systems without audit support -- auditallow $1 security_t:security setbool; -- ') - ') - - ######################################## -@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',` - gen_require(` - type security_t, secure_mode_policyload_t; - attribute boolean_type; -- bool secure_mode_policyload; -+ attribute can_setbool; - ') - -+ typeattribute $1 can_setbool; -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir 
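Review bot: After this change `selinux_set_enforce_mode` consists solely of `typeattribute $1 can_setenforce;`, and the `security_t:dir list_dir_perms` / `security_t:file rw_file_perms` it used to grant unconditionally now come from the `if(!secure_mode_policyload)` block in selinux.te later in this patch, so when that boolean is on a caller loses even the filesystem access it previously had from this interface. That is probably the intent, but nothing in the interface says so; a caller wanting only to read the enforce node must now use `selinux_get_enforce_mode` instead. I would add above the typeattribute: `# setenforce and the selinuxfs dir/file access are granted to can_setenforce in selinux.te, only while secure_mode_policyload is off`.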
list_dir_perms; -- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; -- allow $1 secure_mode_policyload_t:file read_file_perms; -- -- allow $1 security_t:security setbool; -- -- ifdef(`distro_rhel4',` -- # needed for systems without audit support -- auditallow $1 security_t:security setbool; -- ') -- -- if(!secure_mode_policyload) { -- allow $1 secure_mode_policyload_t:file write_file_perms; -- } -+ allow $1 boolean_type:dir list_dir_perms; -+ allow $1 boolean_type:file rw_file_perms; - ') - - ######################################## -@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',` - attribute can_setsecparam; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setsecparam; -@@ -542,6 +563,9 @@ interface(`selinux_validate_context',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security check_context; -@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; -@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; -@@ -626,6 +656,9 @@ interface(`selinux_compute_member',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ 
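Review bot: `selinux_set_all_booleans` drops the carve-out that excluded `secure_mode_policyload_t` from `rw_file_perms` and gated its write on `!secure_mode_policyload`, so the boolean that locks the policy down is now writable at the file level by every caller regardless of its state; the only remaining gate is the `security:setbool` check, which lives in selinux.te rather than here. Either restore the exclusion, `allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;` with the conditional write, or document that the gate moved. In any case `secure_mode_policyload_t` is still listed in the `gen_require` block but no longer referenced, so it should be removed from there.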
allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; -@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; -@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',` - type security_t; - ') - -+ dev_getattr_sysfs_fs($1) -+ dev_search_sysfs($1) -+ allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; -@@ -696,4 +735,29 @@ interface(`selinux_unconfined',` - ') - - typeattribute $1 selinux_unconfined_type; -+ selinux_set_all_booleans($1) -+ selinux_load_policy($1) -+ selinux_set_parameters($1) -+ selinux_set_enforce_mode($1) -+') -+ -+######################################## -+## -+## Generate a file context for a boolean type -+## -+## -+## -+## Domain allowed access. 
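Review bot: The same three lines, `dev_getattr_sysfs_fs($1)`, `dev_search_sysfs($1)` and `allow $1 security_t:lnk_file read_lnk_file_perms;`, are pasted into every `selinux_compute_*` interface in this hunk and into roughly a dozen others earlier in the file. `selinux_search_fs($1)`, modified earlier in this patch, already grants exactly those three plus `security_t:dir search_dir_perms`, which is a subset of the `list_dir_perms` these interfaces grant anyway, so a single `selinux_search_fs($1)` call per interface would express the same access without the duplication. That also gives one place to change when the sysfs/selinuxfs mount location moves again.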
-+## -+## -+# -+interface(`selinux_genbool',` -+ gen_require(` -+ attribute boolean_type; -+ ') -+ -+ type $1, boolean_type; -+ fs_type($1) -+ mls_trusted_object($1) - ') -+ -diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index 522ab32..cb9c3a2 100644 ---- a/policy/modules/kernel/selinux.te -+++ b/policy/modules/kernel/selinux.te -@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) - attribute boolean_type; - attribute can_load_policy; - attribute can_setenforce; -+attribute can_setbool; - attribute can_setsecparam; - attribute selinux_unconfined_type; - -@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh) - genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) - genfscon securityfs / gen_context(system_u:object_r:security_t,s0) - --neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; --neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; --neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; -+neverallow ~{ can_load_policy } security_t:security load_policy; -+neverallow ~{ can_setenforce } security_t:security setenforce; -+neverallow ~{ can_setsecparam } security_t:security setsecparam; - - ######################################## - # -@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',` - ') - - if(!secure_mode_policyload) { -- allow selinux_unconfined_type security_t:security { load_policy setenforce }; -- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; -+ allow can_setenforce security_t:security setenforce; -+ dev_getattr_sysfs_fs(can_setenforce) -+ dev_search_sysfs(can_setenforce) -+ allow can_setenforce security_t:dir list_dir_perms; -+ allow can_setenforce security_t:file rw_file_perms; - - ifdef(`distro_rhel4',` - # needed for systems without audit support -- auditallow selinux_unconfined_type security_t:security { load_policy setenforce }; -+ 
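Review bot: The documentation on the new `selinux_genbool` does not match what it does: the summary says "Generate a file context for a boolean type" and the parameter is described as "Domain allowed access", but the body declares `type $1, boolean_type;` with `fs_type` and `mls_trusted_object`, so `$1` is a type name being created, not a domain. I would write `## Declare a type for a selinuxfs boolean node (marks it boolean_type, fs_type and mls_trusted_object).` and for the parameter `## Name of the boolean type to declare.` The `selinux_unconfined` change in the same hunk is what keeps the unconfined domain working once the neverallows below stop exempting `selinux_unconfined_type`; a one-line comment saying so would help the next reader.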
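Review bot: The three rewritten neverallows cover load_policy, setenforce and setsecparam, but the newly introduced `can_setbool` attribute gets no matching `neverallow ~{ can_setbool } security_t:security setbool;`, so a module that still carries a direct `security_t:security setbool` rule (the form this patch removes from the `selinux_set_*_booleans` interfaces) would not be caught at build time the way the other three are. Adding that line next to the others closes the gap. Dropping `selinux_unconfined_type` from the exclusion sets appears safe only because `selinux_unconfined` now calls the interfaces that assign these attributes, visible earlier in this patch.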
auditallow can_setenforce security_t:security setenforce; -+ ') -+ -+ allow can_load_policy security_t:security load_policy; -+ -+ ifdef(`distro_rhel4',` -+ # needed for systems without audit support -+ auditallow can_load_policy security_t:security load_policy; -+ ') -+ -+ allow can_setbool boolean_type:security setbool; -+ -+ ifdef(`distro_rhel4',` -+ # needed for systems without audit support -+ auditallow can_setbool boolean_type:security setbool; - ') - } -diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..cc2de1a 100644 ---- a/policy/modules/kernel/storage.fc -+++ b/policy/modules/kernel/storage.fc -@@ -23,12 +23,15 @@ - /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) - /dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/infiniband/.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/infiniband/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/mcdx? 
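Review bot: The new grant `allow can_setbool boolean_type:security setbool;` (and its auditallow twin) targets the boolean file types, but the kernel's setbool check in selinuxfs is made against the security initial SID, i.e. `security_t`, which is what the removed interface rules used; unless `security_t` itself carries the `boolean_type` attribute (its declaration is outside this hunk), this rule will not grant the permission that is actually checked and boolean writes will be denied even with secure_mode_policyload off. I would change both lines to `allow can_setbool security_t:security setbool;` and `auditallow can_setbool security_t:security setbool;`. Please verify against the kernel version this policy targets before merging.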
-b gen_context(system_u:object_r:removable_device_t,s0) --/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) -+/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -51,7 +54,8 @@ ifdef(`distro_redhat', ` - /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) --/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0) -+/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) - /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -81,3 +85,6 @@ ifdef(`distro_redhat', ` - - /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) -+ -+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) -diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..38b597e 100644 ---- a/policy/modules/kernel/storage.if -+++ b/policy/modules/kernel/storage.if -@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` - - ######################################## - 
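Review bot: Labeling `/dev/infiniband/.*` as `fixed_disk_device_t` at `mls_systemhigh` reuses a storage label for RDMA user-verbs/umad character devices, so every domain that holds `storage_raw_*_fixed_disk` access (installers, fsck, lvm and the like) now also reaches the InfiniBand nodes, which is a much wider set than the hardware warrants. If this tree has no dedicated type yet, a comment explaining why the disk label was chosen would at least make the trade-off visible, e.g. `# TODO: infiniband nodes are not disks; move to a dedicated type`. The companion `-b` entry for `/dev/infiniband/.*` is likely dead, since those nodes are character devices, and could be dropped.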
## -+## Allow the caller to read/write inherited fixed disk -+## device nodes. -+## -+## -+## -+## The domain allowed access. -+## -+## -+# -+interface(`storage_rw_inherited_fixed_disk_dev',` -+ gen_require(` -+ type fixed_disk_device_t; -+ ') -+ -+ allow $1 fixed_disk_device_t:chr_file { read write }; -+ allow $1 fixed_disk_device_t:blk_file { read write }; -+') -+ -+######################################## -+## - ## Do not audit attempts made by the caller to get - ## the attributes of fixed disk device nodes. - ## -@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',` - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; -+ #577012 -+ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; - typeattribute $1 fixed_disk_raw_read; - ') - -@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',` - interface(`storage_raw_rw_fixed_disk',` - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) -+ dev_rw_generic_blk_files($1) - ') - - ######################################## -@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',` - - allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; -+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms; - dev_add_entry_generic_dirs($1) - ') - -@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',` - dev_filetrans($1, fixed_disk_device_t, blk_file) - ') - -+####################################### -+## -+## Create block devices in /dev with the fixed disk type -+## via an automatic type transition. -+## -+## -+## -+## Domain allowed access. 
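Review bot: The added `#577012` above the `lnk_file read_lnk_file_perms` rule in `storage_raw_read_fixed_disk` is a bare number with no tracker name or rationale, which the next maintainer cannot act on. A comment in the file's own style that names the tracker and the reason, e.g. `# rhbz#577012: readers follow symlinks to fixed disk nodes (adjust tracker name if different)`, costs nothing and keeps the why with the rule.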
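Review bot: Adding `dev_rw_generic_blk_files($1)` inside `storage_raw_rw_fixed_disk` changes the meaning of an existing composite interface: in refpolicy that call grants read/write on `device_t` block nodes, so every current caller of `storage_raw_rw_fixed_disk` silently gains access to any generically labeled block device in /dev, not just fixed disks. If one caller hit a denial on an unlabeled node, granting `dev_rw_generic_blk_files` in that caller's .te is the narrower fix; otherwise the widening should at least be stated, e.g. `# also grants rw on generically labeled (device_t) block nodes in /dev for every caller`.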
-+## -+## -+# -+interface(`storage_dev_filetrans_named_fixed_disk',` -+ gen_require(` -+ type fixed_disk_device_t; -+ ') -+ -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") -+') -+ - ######################################## - ## - ## Create block devices in on a tmpfs filesystem with the -@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; - ') - -+####################################### -+## -+## Alow read and write inherited removable 
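Review bot: The summary of the new `storage_dev_filetrans_named_fixed_disk` says "Create block devices in /dev with the fixed disk type", but every `dev_filetrans` in its body uses `chr_file`, so the description is wrong about the object class and callers may assume it covers `sda`-style block nodes too. I would write `## Create character devices (jsflash, lvm, megadev*, megaraid_sas_ioctl_node, device-mapper, raw0-9) in /dev with the fixed disk type via an automatic type transition.` The per-name list is also hard to keep in sync with storage.fc; a comment pointing at the .fc entries it mirrors would help.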
devices. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`storage_rw_inherited_removable_device',` -+ gen_require(` -+ type removable_device_t; -+ ') -+ -+ dontaudit $1 removable_device_t:blk_file { read write }; -+') -+ - ######################################## - ## - ## Allow the caller to directly read -@@ -808,3 +892,401 @@ interface(`storage_unconfined',` - - typeattribute $1 storage_unconfined_type; - ') -+ -+######################################## -+## -+## Create all named devices with the correct label -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`storage_filetrans_all_named_dev',` -+ -+ gen_require(` -+ type tape_device_t; -+ type fixed_disk_device_t; -+ type removable_device_t; -+ type scsi_generic_device_t; -+ type fuse_device_t; -+ ') -+ -+ dev_filetrans($1, tape_device_t, chr_file, "ht00") -+ dev_filetrans($1, tape_device_t, chr_file, "ht01") -+ dev_filetrans($1, tape_device_t, chr_file, "ht02") -+ dev_filetrans($1, tape_device_t, chr_file, "ht03") -+ dev_filetrans($1, tape_device_t, chr_file, "ht04") -+ dev_filetrans($1, tape_device_t, chr_file, "ht05") -+ dev_filetrans($1, tape_device_t, chr_file, "ht06") -+ dev_filetrans($1, tape_device_t, chr_file, "ht07") -+ dev_filetrans($1, tape_device_t, chr_file, "ht08") -+ dev_filetrans($1, tape_device_t, chr_file, "ht09") -+ dev_filetrans($1, tape_device_t, chr_file, "st00") -+ dev_filetrans($1, tape_device_t, chr_file, "st01") -+ dev_filetrans($1, tape_device_t, chr_file, "st02") -+ dev_filetrans($1, tape_device_t, chr_file, "st03") -+ dev_filetrans($1, tape_device_t, chr_file, "st04") -+ dev_filetrans($1, tape_device_t, chr_file, "st05") -+ dev_filetrans($1, tape_device_t, chr_file, "st06") -+ dev_filetrans($1, tape_device_t, chr_file, "st07") -+ dev_filetrans($1, tape_device_t, chr_file, "st08") -+ dev_filetrans($1, tape_device_t, chr_file, "st09") -+ dev_filetrans($1, tape_device_t, chr_file, "qft0") -+ dev_filetrans($1, tape_device_t, chr_file, "qft1") -+ 
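Review bot: `storage_rw_inherited_removable_device` does not do what its name and summary claim: the summary says "Alow read and write inherited removable devices" but the body is `dontaudit $1 removable_device_t:blk_file { read write };`, so a caller expecting access gets a silent denial with no AVC to debug, while the parameter text ("Domain to not audit") describes the dontaudit. Either make it an allow to match its sibling `storage_rw_inherited_fixed_disk_dev`, `allow $1 removable_device_t:blk_file { read write };`, or rename it `storage_dontaudit_rw_inherited_removable_device` and fix the summary (also correcting the "Alow" typo).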
dev_filetrans($1, tape_device_t, chr_file, "qft2") -+ dev_filetrans($1, tape_device_t, chr_file, "qft3") -+ dev_filetrans($1, tape_device_t, chr_file, "osst00") -+ dev_filetrans($1, tape_device_t, chr_file, "osst01") -+ dev_filetrans($1, tape_device_t, chr_file, "osst02") -+ dev_filetrans($1, tape_device_t, chr_file, "osst03") -+ dev_filetrans($1, tape_device_t, chr_file, "osst04") -+ dev_filetrans($1, tape_device_t, chr_file, "osst05") -+ dev_filetrans($1, tape_device_t, chr_file, "osst06") -+ dev_filetrans($1, tape_device_t, chr_file, "osst07") -+ dev_filetrans($1, tape_device_t, chr_file, "osst08") -+ dev_filetrans($1, tape_device_t, chr_file, "osst09") -+ dev_filetrans($1, tape_device_t, chr_file, "pt0") -+ dev_filetrans($1, tape_device_t, chr_file, "pt1") -+ dev_filetrans($1, tape_device_t, chr_file, "pt2") -+ dev_filetrans($1, tape_device_t, chr_file, "pt3") -+ dev_filetrans($1, tape_device_t, chr_file, "pt4") -+ dev_filetrans($1, tape_device_t, chr_file, "pt5") -+ dev_filetrans($1, tape_device_t, chr_file, "pt6") -+ dev_filetrans($1, tape_device_t, chr_file, "pt7") -+ dev_filetrans($1, tape_device_t, chr_file, "pt8") -+ dev_filetrans($1, tape_device_t, chr_file, "pt9") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic0") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic1") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic2") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic3") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic4") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic5") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic6") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic7") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic8") -+ dev_filetrans($1, tape_device_t, chr_file, "tpqic9") -+ dev_filetrans($1, removable_device_t, blk_file, "aztcd") -+ dev_filetrans($1, removable_device_t, blk_file, "bpcd") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu0") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu1") -+ 
dev_filetrans($1, removable_device_t, blk_file, "cdu2") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu3") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu4") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu5") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu6") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu7") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu8") -+ dev_filetrans($1, removable_device_t, blk_file, "cdu9") -+ dev_filetrans($1, removable_device_t, blk_file, "cm200") -+ dev_filetrans($1, removable_device_t, blk_file, "cm201") -+ dev_filetrans($1, removable_device_t, blk_file, "cm202") -+ dev_filetrans($1, removable_device_t, blk_file, "cm203") -+ dev_filetrans($1, removable_device_t, blk_file, "cm204") -+ dev_filetrans($1, removable_device_t, blk_file, "cm205") -+ dev_filetrans($1, removable_device_t, blk_file, "cm206") -+ dev_filetrans($1, removable_device_t, blk_file, "cm207") -+ dev_filetrans($1, removable_device_t, blk_file, "cm208") -+ dev_filetrans($1, removable_device_t, blk_file, "cm209") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2") -+ dev_filetrans($1, 
fixed_disk_device_t, blk_file, "sda3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2") -+ dev_filetrans($1, fixed_disk_device_t, 
blk_file, "sdd3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3") -+ 
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9") -+ dev_filetrans($1, removable_device_t, blk_file, "gscd") -+ dev_filetrans($1, removable_device_t, blk_file, "hitcd") -+ dev_filetrans($1, tape_device_t, blk_file, "ht0") -+ dev_filetrans($1, tape_device_t, blk_file, "ht1") -+ dev_filetrans($1, removable_device_t, blk_file, "hwcdrom") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8") -+ dev_filetrans($1, 
fixed_disk_device_t, blk_file, "loop9") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") -+ dev_filetrans($1, removable_device_t, blk_file, "mcd") -+ dev_filetrans($1, removable_device_t, blk_file, "mcdx") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk3") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk4") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk5") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk6") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk7") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk8") -+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk9") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk0") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk1") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk2") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk3") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk4") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk5") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk6") -+ 
dev_filetrans($1, removable_device_t, blk_file, "mspblk7") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk8") -+ dev_filetrans($1, removable_device_t, blk_file, "mspblk9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9") -+ dev_filetrans($1, removable_device_t, blk_file, "optcd") -+ dev_filetrans($1, removable_device_t, blk_file, "pf0") -+ dev_filetrans($1, removable_device_t, blk_file, "pf1") -+ dev_filetrans($1, removable_device_t, blk_file, "pf2") -+ dev_filetrans($1, removable_device_t, blk_file, "pf3") -+ dev_filetrans($1, removable_device_t, blk_file, "pg0") -+ dev_filetrans($1, removable_device_t, blk_file, "pg1") -+ dev_filetrans($1, removable_device_t, blk_file, "pg2") -+ dev_filetrans($1, removable_device_t, blk_file, "pg3") -+ dev_filetrans($1, removable_device_t, blk_file, "pcd0") -+ dev_filetrans($1, removable_device_t, blk_file, "pcd1") -+ dev_filetrans($1, removable_device_t, blk_file, "pcd2") -+ dev_filetrans($1, removable_device_t, blk_file, "pcd3") -+ dev_filetrans($1, removable_device_t, chr_file, "pg0") -+ dev_filetrans($1, removable_device_t, chr_file, "pg1") -+ dev_filetrans($1, removable_device_t, chr_file, "pg2") -+ dev_filetrans($1, removable_device_t, chr_file, "pg3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2") -+ dev_filetrans($1, fixed_disk_device_t, 
blk_file, "ps3d3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9") -+ dev_filetrans($1, fixed_disk_device_t, blk_file, 
"root") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd0") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd1") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd2") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd3") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd4") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd5") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd6") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd7") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd8") -+ dev_filetrans($1, removable_device_t, blk_file, "sbpcd9") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") -+ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") -+ dev_filetrans($1, removable_device_t, blk_file, "sr0") -+ dev_filetrans($1, removable_device_t, blk_file, "sr1") -+ dev_filetrans($1, removable_device_t, blk_file, "sr2") -+ dev_filetrans($1, removable_device_t, blk_file, "sr3") -+ dev_filetrans($1, removable_device_t, blk_file, "sr4") -+ dev_filetrans($1, removable_device_t, blk_file, "sr5") -+ dev_filetrans($1, removable_device_t, blk_file, "sr6") -+ dev_filetrans($1, removable_device_t, blk_file, "sr7") -+ dev_filetrans($1, removable_device_t, blk_file, "sr8") -+ dev_filetrans($1, removable_device_t, blk_file, "sr9") -+ dev_filetrans($1, removable_device_t, blk_file, "sjcd") -+ dev_filetrans($1, removable_device_t, blk_file, "sonycd") -+ dev_filetrans($1, tape_device_t, chr_file, "tape0") -+ 
dev_filetrans($1, tape_device_t, chr_file, "tape1") -+ dev_filetrans($1, tape_device_t, chr_file, "tape2") -+ dev_filetrans($1, tape_device_t, chr_file, "tape3") -+ dev_filetrans($1, tape_device_t, chr_file, "tape4") -+ dev_filetrans($1, tape_device_t, chr_file, "tape5") -+ dev_filetrans($1, tape_device_t, chr_file, "tape6") -+ dev_filetrans($1, tape_device_t, chr_file, "tape7") -+ dev_filetrans($1, tape_device_t, chr_file, "tape8") -+ dev_filetrans($1, tape_device_t, chr_file, "tape9") -+ dev_filetrans($1, fuse_device_t, chr_file, "fuse") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") -+ dev_filetrans($1, removable_device_t, chr_file, "rio500") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1") -+ 
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
-+ dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
-+
-+')
-diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
-index 156c333..02f5a3c 100644
---- a/policy/modules/kernel/storage.te
-+++ b/policy/modules/kernel/storage.te
-@@ -57,3 +57,9 @@ dev_node(tape_device_t)
-
- allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
- allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
-+
-+# Since block devices are some times used before being labeled correctly
-+ifdef(`hide_broken_symptoms',`
-+ dev_read_generic_blk_files(fixed_disk_raw_read)
-+ dev_manage_generic_blk_files(fixed_disk_raw_write)
-+')
-diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..22c9cfe 100644
---- a/policy/modules/kernel/terminal.fc
-+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
- /dev/ip2[^/]* -c 
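Review bot: The hide_broken_symptoms block hands every domain carrying `fixed_disk_raw_write` `dev_manage_generic_blk_files`, i.e. create, unlink and rename as well as read/write on any `device_t` block node, not merely on the mislabeled disks the comment describes, and `fixed_disk_raw_read` gets read on all of them. That is a permanent widening of the raw-disk attributes whenever the macro is defined, and it also silences the very symptom that would reveal which node was used before it was relabeled. The comment should state the cost and point at the real fix, e.g. `# WORKAROUND (hide_broken_symptoms): raw-disk domains may read/manage ANY device_t block node; the proper fix is a named dev_filetrans for the node in storage.if`. If write-only survival is all that is needed, consider whether the manage variant is really required over a plain read/write one.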
gen_context(system_u:object_r:tty_device_t,s0)
- /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
--/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
- /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
- /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
-+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
-+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
- /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-
- /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
- # used by init scripts to initally populate udev /dev
- /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
- ')
-+
-+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-+
-+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..5bbf50b 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -124,7 +124,7 @@ interface(`term_user_tty',`
- type_change $1 ttynode:chr_file $2;
- ')
-
-- tunable_policy(`console_login',`
-+ tunable_policy(`login_console_enabled',`
- # When user logs in from /dev/console, relabel it
- # to user tty type as well.
- type_change $1 console_device_t:chr_file $2;
-@@ -133,6 +133,25 @@ interface(`term_user_tty',`
-
- ########################################
- ##
-+## Create the /dev/pts directory.
-+##
-+##
-+##
-+## Domain allowed access.
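Review bot: The two added `pts` entries differ only in the `/lib` versus `/usr/lib` prefix and can be a single pattern, `/(usr/)?lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)`, which also keeps the MLS range from drifting between the two copies. Unlike the neighbouring `/lib/udev/devices/console` entry, which the hunk context shows inside the distro_gentoo ifdef, the new entries are unconditional; if that is intended, a short comment such as `# static udev seed directory for /dev/pts; labeled like the devpts mount it is replaced by` would stop the next reader from folding them into the ifdef.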
-+##
-+##
-+#
-+interface(`term_create_pty_dir',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:dir create_dir_perms;
-+ dev_filetrans($1, devpts_t, dir, "devpts")
-+')
-+
-+########################################
-+##
- ## Create a pty in the /dev/pts directory.
- ##
- ##
-@@ -208,6 +227,27 @@ interface(`term_use_all_terms',`
-
- ########################################
- ##
-+## Read and write the inherited console, all inherited
-+## ttys and ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_terms',`
-+ gen_require(`
-+ attribute ttynode, ptynode;
-+ type console_device_t, devpts_t, tty_device_t;
-+ ')
-+
-+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Write to the console.
- ##
- ##
-@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`term_use_console',`
- gen_require(`
-@@ -299,9 +338,12 @@ interface(`term_use_console',`
- interface(`term_dontaudit_use_console',`
- gen_require(`
- type console_device_t;
-+ type tty_device_t;
- ')
-
-- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ init_dontaudit_use_fds($1)
-+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',`
-
- ########################################
- ##
-+## Mount a pty filesystem
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_mount_pty_fs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Unmount a pty filesystem
-+##
-+##
-+##
-+## Domain allowed access.
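Review bot: `dev_filetrans($1, devpts_t, dir, "devpts")` fires only for a directory literally named `devpts` created under /dev, while the summary two lines above says the interface creates the /dev/pts directory; a caller doing `mkdir /dev/pts` would get plain device_t and the `allow $1 devpts_t:dir create_dir_perms` would never be exercised. Unless some consumer really creates a directory called devpts, the name should be `dev_filetrans($1, devpts_t, dir, "pts")`; if both names are in use, add a second transition and say in a comment which tool creates each. The summary block of this interface begins in the previous physical line of the hunk.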
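Review bot: The three added lines turn a console-only dontaudit into one that also hides every inherited tty_device_t read/write denial and init's file descriptors, so callers that chose this interface to silence console noise now lose the denials that reveal a confined service started with a stray tty. That widening should be visible in the interface's summary, which sits above the hunk, e.g. `## Do not audit attempts to read or write the inherited console, any inherited tty, or init's fds.`. `init_dontaudit_use_fds` also makes the kernel-layer terminal module call into the system-layer init module, which reference-policy layering normally avoids; if that is accepted here, a one-line `# cross-layer: init fds are what most callers actually inherit the console on` next to the call would document the decision.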
-+##
-+##
-+#
-+interface(`term_unmount_pty_fs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Relabel from and to pty filesystem.
- ##
- ##
-@@ -481,6 +559,24 @@ interface(`term_list_ptys',`
-
- ########################################
- ##
-+## Relabel the /dev/pts directory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_relabel_ptys_dirs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read the
- ## /dev/pts directory.
- ##
-@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',`
-
- ########################################
- ##
--## Dot not audit attempts to read and
-+## Do not audit attempts to read and
- ## write the generic pty type. This is
- ## generally only used in the targeted policy.
- ##
-@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',`
- type devpts_t;
- ')
-
-+ init_dontaudit_use_fds($1)
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
- ')
-
-@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',`
-
- ########################################
- ##
-+## Read and write all inherited ptys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_ptys',`
-+ gen_require(`
-+ attribute ptynode;
-+ type devpts_t;
-+ ')
-+
-+ allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read or write any ptys.
- ##
- ##
-@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',`
- attribute ptynode;
- ')
-
-- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
-+ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
- ')
-
- ########################################
-@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',`
- ')
-
- dev_list_all_dev_nodes($1)
-- relabel_chr_files_pattern($1, devpts_t, ptynode)
-+ relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
- ')
-
- ########################################
-@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- type tty_device_t;
- ')
-
-- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
-+ init_dontaudit_use_fds($1)
-+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write USB tty character
-+## device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_use_usb_ttys',`
-+ gen_require(`
-+ type usbtty_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+#######################################
-+##
-+## Setattr on USB tty character
-+## device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
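Review bot: In `term_use_all_inherited_ptys` the `gen_require` lists `type devpts_t;` but the body only references `ptynode`, so the require is dead weight that will silently hide a later typo; either drop it or use it. The sibling `term_use_all_inherited_terms` added earlier in this file explicitly includes `devpts_t` in its allow set, so if callers of this interface are expected to reach the generic pty type too, the rule should be `allow $1 { ptynode devpts_t }:chr_file { rw_inherited_term_perms lock };` rather than a require with no rule behind it. The interface itself is complete within the hunk.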
-+##
-+##
-+#
-+interface(`term_setattr_usb_ttys',`
-+ gen_require(`
-+ type usbtty_device_t;
-+ ')
-+
-+ allow $1 usbtty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
- #
- interface(`term_getattr_all_ttys',`
- gen_require(`
-+ type tty_device_t;
- attribute ttynode;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file getattr;
-+ allow $1 tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',`
- interface(`term_dontaudit_getattr_all_ttys',`
- gen_require(`
- attribute ttynode;
-+ type tty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- dontaudit $1 ttynode:chr_file getattr;
-+ dontaudit $1 tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 ttynode:chr_file rw_chr_file_perms;
-+ allow $1 ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write all inherited ttys.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`term_use_all_inherited_ttys',`
-+ gen_require(`
-+ attribute ttynode;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 ttynode:chr_file rw_inherited_term_perms;
- ')
-
- ########################################
-@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',`
- attribute ttynode;
- ')
-
-- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
-+ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',`
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
- term_dontaudit_use_all_ttys($1)
- ')
-+
-+####################################
-+##
-+## Getattr on the virtio console.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_getattr_virtio_console',`
-+ gen_require(`
-+ type virtio_device_t;
-+ ')
-+
-+ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
-+')
-+
-+#####################################
-+##
-+## Read from and write to the virtio console.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_use_virtio_console',`
-+ gen_require(`
-+ type virtio_device_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all named term devices with the correct label
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_filetrans_all_named_dev',`
-+
-+gen_require(`
-+ type tty_device_t;
-+ type bsdpty_device_t;
-+ type console_device_t;
-+ type ptmx_t;
-+ type devtty_t;
-+ type virtio_device_t;
-+ type devpts_t;
-+ type usbtty_device_t;
-+')
-+
-+ dev_filetrans($1, devtty_t, chr_file, "tty")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty0")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty1")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty2")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty3")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty4")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty5")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty6")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty7")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty8")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty9")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty10")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty11")
-+ dev_filetrans($1, tty_device_t, chr_file, "tty12")
-+ 
dev_filetrans($1, tty_device_t, chr_file, "tty13") -+ dev_filetrans($1, tty_device_t, chr_file, "tty14") -+ dev_filetrans($1, tty_device_t, chr_file, "tty15") -+ dev_filetrans($1, tty_device_t, chr_file, "tty16") -+ dev_filetrans($1, tty_device_t, chr_file, "tty17") -+ dev_filetrans($1, tty_device_t, chr_file, "tty18") -+ dev_filetrans($1, tty_device_t, chr_file, "tty19") -+ dev_filetrans($1, tty_device_t, chr_file, "tty20") -+ dev_filetrans($1, tty_device_t, chr_file, "tty21") -+ dev_filetrans($1, tty_device_t, chr_file, "tty22") -+ dev_filetrans($1, tty_device_t, chr_file, "tty23") -+ dev_filetrans($1, tty_device_t, chr_file, "tty24") -+ dev_filetrans($1, tty_device_t, chr_file, "tty25") -+ dev_filetrans($1, tty_device_t, chr_file, "tty26") -+ dev_filetrans($1, tty_device_t, chr_file, "tty27") -+ dev_filetrans($1, tty_device_t, chr_file, "tty28") -+ dev_filetrans($1, tty_device_t, chr_file, "tty29") -+ dev_filetrans($1, tty_device_t, chr_file, "tty30") -+ dev_filetrans($1, tty_device_t, chr_file, "tty31") -+ dev_filetrans($1, tty_device_t, chr_file, "tty32") -+ dev_filetrans($1, tty_device_t, chr_file, "tty33") -+ dev_filetrans($1, tty_device_t, chr_file, "tty34") -+ dev_filetrans($1, tty_device_t, chr_file, "tty35") -+ dev_filetrans($1, tty_device_t, chr_file, "tty36") -+ dev_filetrans($1, tty_device_t, chr_file, "tty37") -+ dev_filetrans($1, tty_device_t, chr_file, "tty38") -+ dev_filetrans($1, tty_device_t, chr_file, "tty39") -+ dev_filetrans($1, tty_device_t, chr_file, "tty40") -+ dev_filetrans($1, tty_device_t, chr_file, "tty41") -+ dev_filetrans($1, tty_device_t, chr_file, "tty42") -+ dev_filetrans($1, tty_device_t, chr_file, "tty43") -+ dev_filetrans($1, tty_device_t, chr_file, "tty44") -+ dev_filetrans($1, tty_device_t, chr_file, "tty45") -+ dev_filetrans($1, tty_device_t, chr_file, "tty46") -+ dev_filetrans($1, tty_device_t, chr_file, "tty47") -+ dev_filetrans($1, tty_device_t, chr_file, "tty48") -+ dev_filetrans($1, tty_device_t, chr_file, "tty49") -+ 
dev_filetrans($1, tty_device_t, chr_file, "tty50") -+ dev_filetrans($1, tty_device_t, chr_file, "tty51") -+ dev_filetrans($1, tty_device_t, chr_file, "tty52") -+ dev_filetrans($1, tty_device_t, chr_file, "tty53") -+ dev_filetrans($1, tty_device_t, chr_file, "tty54") -+ dev_filetrans($1, tty_device_t, chr_file, "tty55") -+ dev_filetrans($1, tty_device_t, chr_file, "tty56") -+ dev_filetrans($1, tty_device_t, chr_file, "tty57") -+ dev_filetrans($1, tty_device_t, chr_file, "tty58") -+ dev_filetrans($1, tty_device_t, chr_file, "tty59") -+ dev_filetrans($1, tty_device_t, chr_file, "tty60") -+ dev_filetrans($1, tty_device_t, chr_file, "tty61") -+ dev_filetrans($1, tty_device_t, chr_file, "tty62") -+ dev_filetrans($1, tty_device_t, chr_file, "tty63") -+ dev_filetrans($1, tty_device_t, chr_file, "tty64") -+ dev_filetrans($1, tty_device_t, chr_file, "tty65") -+ dev_filetrans($1, tty_device_t, chr_file, "tty66") -+ dev_filetrans($1, tty_device_t, chr_file, "tty67") -+ dev_filetrans($1, tty_device_t, chr_file, "tty68") -+ dev_filetrans($1, tty_device_t, chr_file, "tty69") -+ dev_filetrans($1, tty_device_t, chr_file, "tty70") -+ dev_filetrans($1, tty_device_t, chr_file, "tty71") -+ dev_filetrans($1, tty_device_t, chr_file, "tty72") -+ dev_filetrans($1, tty_device_t, chr_file, "tty73") -+ dev_filetrans($1, tty_device_t, chr_file, "tty74") -+ dev_filetrans($1, tty_device_t, chr_file, "tty75") -+ dev_filetrans($1, tty_device_t, chr_file, "tty76") -+ dev_filetrans($1, tty_device_t, chr_file, "tty77") -+ dev_filetrans($1, tty_device_t, chr_file, "tty78") -+ dev_filetrans($1, tty_device_t, chr_file, "tty79") -+ dev_filetrans($1, tty_device_t, chr_file, "tty80") -+ dev_filetrans($1, tty_device_t, chr_file, "tty81") -+ dev_filetrans($1, tty_device_t, chr_file, "tty82") -+ dev_filetrans($1, tty_device_t, chr_file, "tty83") -+ dev_filetrans($1, tty_device_t, chr_file, "tty84") -+ dev_filetrans($1, tty_device_t, chr_file, "tty85") -+ dev_filetrans($1, tty_device_t, chr_file, "tty86") -+ 
dev_filetrans($1, tty_device_t, chr_file, "tty87") -+ dev_filetrans($1, tty_device_t, chr_file, "tty88") -+ dev_filetrans($1, tty_device_t, chr_file, "tty89") -+ dev_filetrans($1, tty_device_t, chr_file, "tty90") -+ dev_filetrans($1, tty_device_t, chr_file, "tty91") -+ dev_filetrans($1, tty_device_t, chr_file, "tty92") -+ dev_filetrans($1, tty_device_t, chr_file, "tty93") -+ dev_filetrans($1, tty_device_t, chr_file, "tty94") -+ dev_filetrans($1, tty_device_t, chr_file, "tty95") -+ dev_filetrans($1, tty_device_t, chr_file, "tty96") -+ dev_filetrans($1, tty_device_t, chr_file, "tty97") -+ dev_filetrans($1, tty_device_t, chr_file, "tty98") -+ dev_filetrans($1, tty_device_t, chr_file, "tty99") -+ dev_filetrans($1, tty_device_t, chr_file, "pty") -+ dev_filetrans($1, tty_device_t, chr_file, "pty0") -+ dev_filetrans($1, tty_device_t, chr_file, "pty1") -+ dev_filetrans($1, tty_device_t, chr_file, "pty2") -+ dev_filetrans($1, tty_device_t, chr_file, "pty3") -+ dev_filetrans($1, tty_device_t, chr_file, "pty4") -+ dev_filetrans($1, tty_device_t, chr_file, "pty5") -+ dev_filetrans($1, tty_device_t, chr_file, "pty6") -+ dev_filetrans($1, tty_device_t, chr_file, "pty7") -+ dev_filetrans($1, tty_device_t, chr_file, "pty8") -+ dev_filetrans($1, tty_device_t, chr_file, "pty9") -+ dev_filetrans($1, tty_device_t, chr_file, "pty10") -+ dev_filetrans($1, tty_device_t, chr_file, "pty11") -+ dev_filetrans($1, tty_device_t, chr_file, "pty12") -+ dev_filetrans($1, tty_device_t, chr_file, "pty13") -+ dev_filetrans($1, tty_device_t, chr_file, "pty14") -+ dev_filetrans($1, tty_device_t, chr_file, "pty15") -+ dev_filetrans($1, tty_device_t, chr_file, "pty16") -+ dev_filetrans($1, tty_device_t, chr_file, "pty17") -+ dev_filetrans($1, tty_device_t, chr_file, "pty18") -+ dev_filetrans($1, tty_device_t, chr_file, "pty19") -+ dev_filetrans($1, tty_device_t, chr_file, "pty20") -+ dev_filetrans($1, tty_device_t, chr_file, "pty21") -+ dev_filetrans($1, tty_device_t, chr_file, "pty22") -+ 
dev_filetrans($1, tty_device_t, chr_file, "pty23") -+ dev_filetrans($1, tty_device_t, chr_file, "pty24") -+ dev_filetrans($1, tty_device_t, chr_file, "pty25") -+ dev_filetrans($1, tty_device_t, chr_file, "pty26") -+ dev_filetrans($1, tty_device_t, chr_file, "pty27") -+ dev_filetrans($1, tty_device_t, chr_file, "pty28") -+ dev_filetrans($1, tty_device_t, chr_file, "pty29") -+ dev_filetrans($1, tty_device_t, chr_file, "pty30") -+ dev_filetrans($1, tty_device_t, chr_file, "pty31") -+ dev_filetrans($1, tty_device_t, chr_file, "pty32") -+ dev_filetrans($1, tty_device_t, chr_file, "pty33") -+ dev_filetrans($1, tty_device_t, chr_file, "pty34") -+ dev_filetrans($1, tty_device_t, chr_file, "pty35") -+ dev_filetrans($1, tty_device_t, chr_file, "pty36") -+ dev_filetrans($1, tty_device_t, chr_file, "pty37") -+ dev_filetrans($1, tty_device_t, chr_file, "pty38") -+ dev_filetrans($1, tty_device_t, chr_file, "pty39") -+ dev_filetrans($1, tty_device_t, chr_file, "pty40") -+ dev_filetrans($1, tty_device_t, chr_file, "pty41") -+ dev_filetrans($1, tty_device_t, chr_file, "pty42") -+ dev_filetrans($1, tty_device_t, chr_file, "pty43") -+ dev_filetrans($1, tty_device_t, chr_file, "pty44") -+ dev_filetrans($1, tty_device_t, chr_file, "pty45") -+ dev_filetrans($1, tty_device_t, chr_file, "pty46") -+ dev_filetrans($1, tty_device_t, chr_file, "pty47") -+ dev_filetrans($1, tty_device_t, chr_file, "pty48") -+ dev_filetrans($1, tty_device_t, chr_file, "pty49") -+ dev_filetrans($1, tty_device_t, chr_file, "pty50") -+ dev_filetrans($1, tty_device_t, chr_file, "pty51") -+ dev_filetrans($1, tty_device_t, chr_file, "pty52") -+ dev_filetrans($1, tty_device_t, chr_file, "pty53") -+ dev_filetrans($1, tty_device_t, chr_file, "pty54") -+ dev_filetrans($1, tty_device_t, chr_file, "pty55") -+ dev_filetrans($1, tty_device_t, chr_file, "pty56") -+ dev_filetrans($1, tty_device_t, chr_file, "pty57") -+ dev_filetrans($1, tty_device_t, chr_file, "pty58") -+ dev_filetrans($1, tty_device_t, chr_file, "pty59") -+ 
dev_filetrans($1, tty_device_t, chr_file, "pty60") -+ dev_filetrans($1, tty_device_t, chr_file, "pty61") -+ dev_filetrans($1, tty_device_t, chr_file, "pty62") -+ dev_filetrans($1, tty_device_t, chr_file, "pty63") -+ dev_filetrans($1, tty_device_t, chr_file, "pty64") -+ dev_filetrans($1, tty_device_t, chr_file, "pty65") -+ dev_filetrans($1, tty_device_t, chr_file, "pty66") -+ dev_filetrans($1, tty_device_t, chr_file, "pty67") -+ dev_filetrans($1, tty_device_t, chr_file, "pty68") -+ dev_filetrans($1, tty_device_t, chr_file, "pty69") -+ dev_filetrans($1, tty_device_t, chr_file, "pty70") -+ dev_filetrans($1, tty_device_t, chr_file, "pty71") -+ dev_filetrans($1, tty_device_t, chr_file, "pty72") -+ dev_filetrans($1, tty_device_t, chr_file, "pty73") -+ dev_filetrans($1, tty_device_t, chr_file, "pty74") -+ dev_filetrans($1, tty_device_t, chr_file, "pty75") -+ dev_filetrans($1, tty_device_t, chr_file, "pty76") -+ dev_filetrans($1, tty_device_t, chr_file, "pty77") -+ dev_filetrans($1, tty_device_t, chr_file, "pty78") -+ dev_filetrans($1, tty_device_t, chr_file, "pty79") -+ dev_filetrans($1, tty_device_t, chr_file, "pty80") -+ dev_filetrans($1, tty_device_t, chr_file, "pty81") -+ dev_filetrans($1, tty_device_t, chr_file, "pty82") -+ dev_filetrans($1, tty_device_t, chr_file, "pty83") -+ dev_filetrans($1, tty_device_t, chr_file, "pty84") -+ dev_filetrans($1, tty_device_t, chr_file, "pty85") -+ dev_filetrans($1, tty_device_t, chr_file, "pty86") -+ dev_filetrans($1, tty_device_t, chr_file, "pty87") -+ dev_filetrans($1, tty_device_t, chr_file, "pty88") -+ dev_filetrans($1, tty_device_t, chr_file, "pty89") -+ dev_filetrans($1, tty_device_t, chr_file, "pty90") -+ dev_filetrans($1, tty_device_t, chr_file, "pty91") -+ dev_filetrans($1, tty_device_t, chr_file, "pty92") -+ dev_filetrans($1, tty_device_t, chr_file, "pty93") -+ dev_filetrans($1, tty_device_t, chr_file, "pty94") -+ dev_filetrans($1, tty_device_t, chr_file, "pty95") -+ dev_filetrans($1, tty_device_t, chr_file, "pty96") -+ 
dev_filetrans($1, tty_device_t, chr_file, "pty97") -+ dev_filetrans($1, tty_device_t, chr_file, "pty98") -+ dev_filetrans($1, tty_device_t, chr_file, "pty99") -+ dev_filetrans($1, tty_device_t, chr_file, "adb0") -+ dev_filetrans($1, tty_device_t, chr_file, "adb1") -+ dev_filetrans($1, tty_device_t, chr_file, "adb2") -+ dev_filetrans($1, tty_device_t, chr_file, "adb3") -+ dev_filetrans($1, tty_device_t, chr_file, "adb4") -+ dev_filetrans($1, tty_device_t, chr_file, "adb5") -+ dev_filetrans($1, tty_device_t, chr_file, "adb6") -+ dev_filetrans($1, tty_device_t, chr_file, "adb7") -+ dev_filetrans($1, tty_device_t, chr_file, "adb8") -+ dev_filetrans($1, tty_device_t, chr_file, "adb9") -+ dev_filetrans($1, tty_device_t, chr_file, "capi0") -+ dev_filetrans($1, tty_device_t, chr_file, "capi1") -+ dev_filetrans($1, tty_device_t, chr_file, "capi2") -+ dev_filetrans($1, tty_device_t, chr_file, "capi3") -+ dev_filetrans($1, tty_device_t, chr_file, "capi4") -+ dev_filetrans($1, tty_device_t, chr_file, "capi5") -+ dev_filetrans($1, tty_device_t, chr_file, "capi6") -+ dev_filetrans($1, tty_device_t, chr_file, "capi7") -+ dev_filetrans($1, tty_device_t, chr_file, "capi8") -+ dev_filetrans($1, tty_device_t, chr_file, "capi9") -+ dev_filetrans($1, console_device_t, chr_file, "console") -+ dev_filetrans($1, tty_device_t, chr_file, "cu0") -+ dev_filetrans($1, tty_device_t, chr_file, "cu1") -+ dev_filetrans($1, tty_device_t, chr_file, "cu2") -+ dev_filetrans($1, tty_device_t, chr_file, "cu3") -+ dev_filetrans($1, tty_device_t, chr_file, "cu4") -+ dev_filetrans($1, tty_device_t, chr_file, "cu5") -+ dev_filetrans($1, tty_device_t, chr_file, "cu6") -+ dev_filetrans($1, tty_device_t, chr_file, "cu7") -+ dev_filetrans($1, tty_device_t, chr_file, "cu8") -+ dev_filetrans($1, tty_device_t, chr_file, "cu9") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri0") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri1") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri2") -+ dev_filetrans($1, 
tty_device_t, chr_file, "dcbri3") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri4") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri5") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri6") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri7") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri8") -+ dev_filetrans($1, tty_device_t, chr_file, "dcbri9") -+ dev_filetrans($1, tty_device_t, chr_file, "vcsa") -+ dev_filetrans($1, tty_device_t, chr_file, "vcsb") -+ dev_filetrans($1, tty_device_t, chr_file, "vcsc") -+ dev_filetrans($1, tty_device_t, chr_file, "vcsd") -+ dev_filetrans($1, tty_device_t, chr_file, "vcse") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc0") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc1") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc2") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc3") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc4") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc5") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc6") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc7") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc8") -+ dev_filetrans($1, tty_device_t, chr_file, "hvc9") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi0") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi1") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi2") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi3") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi4") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi5") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi6") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi7") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi8") -+ dev_filetrans($1, tty_device_t, chr_file, "hvsi9") -+ dev_filetrans($1, tty_device_t, chr_file, "ircomm0") -+ dev_filetrans($1, tty_device_t, chr_file, "ircomm1") -+ dev_filetrans($1, tty_device_t, chr_file, "ircomm2") -+ dev_filetrans($1, tty_device_t, chr_file, "ircomm3") -+ dev_filetrans($1, tty_device_t, chr_file, "ircomm4") -+ dev_filetrans($1, 
tty_device_t, chr_file, "ircomm5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn0")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn1")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn2")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn3")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn4")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn5")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn6")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
-+ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
-+ filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
-+ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
-+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr0")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr1")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr2")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr3")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr4")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr5")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr6")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr7")
-+ dev_filetrans($1, tty_device_t, chr_file, "slamr8")
-+ dev_filetrans($1, tty_device_t,
chr_file, "slamr9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
-+ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
-+ dev_filetrans($1,
usbtty_device_t, chr_file, "ttyUSB5")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
-+ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
-+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
-+ dev_filetrans($1, devpts_t, dir, "pts")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc0")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc1")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc2")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc3")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc4")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc5")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc6")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
-+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
-+')
-diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index c0b88bf..a97d7cc 100644
---- a/policy/modules/kernel/terminal.te
-+++ b/policy/modules/kernel/terminal.te
-@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
- fs_associate_tmpfs(devpts_t)
- fs_type(devpts_t)
- fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
-+dev_associate(devpts_t)
- - # - # devtty_t is the type of /dev/tty.
-@@ -54,5 +55,11 @@ dev_node(tty_device_t) - # - # usbtty_device_t is the type of /dev/usr/tty* - # --type usbtty_device_t, serial_device; --dev_node(usbtty_device_t) -+type usbtty_device_t; -+term_tty(usbtty_device_t) -+ -+# -+# virtio_device_t is the type of /dev/vport[0-9]p[0-9] -+# -+type virtio_device_t, serial_device; -+dev_node(virtio_device_t) -diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc -new file mode 100644 -index 0000000..f310b9d ---- /dev/null -+++ b/policy/modules/kernel/unlabelednet.fc -@@ -0,0 +1 @@ -+# No unlabelednet file contexts. -diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if -new file mode 100644 -index 0000000..0ce0470 ---- /dev/null -+++ b/policy/modules/kernel/unlabelednet.if -@@ -0,0 +1 @@ -+## Policy for allowing confined domains to use unlabeled_t packets -diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te -new file mode 100644 -index 0000000..48caabc ---- /dev/null -+++ b/policy/modules/kernel/unlabelednet.te -@@ -0,0 +1,12 @@ -+policy_module(unlabelednet, 1.0.0) -+ -+corenet_enable_unlabeled_packets() -+ -+gen_require(` -+ type unlabeled_t; -+ attribute domain; -+') -+ -+# temporary hack until labeling on packets is supported -+allow domain unlabeled_t:packet { send recv }; -+ -diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065..c769f81 100644 ---- a/policy/modules/roles/auditadm.te -+++ b/policy/modules/roles/auditadm.te -@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) - - role auditadm_r; - role system_r; --userdom_unpriv_user_template(auditadm) -+userdom_confined_admin_template(auditadm) - - ######################################## - # -@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t) - - domain_kill_all_domains(auditadm_t) - -+selinux_read_policy(auditadm_t) -+ - logging_send_syslog_msg(auditadm_t) - logging_read_generic_logs(auditadm_t) - 
logging_manage_audit_log(auditadm_t) - logging_manage_audit_config(auditadm_t) - logging_run_auditctl(auditadm_t, auditadm_r) - logging_run_auditd(auditadm_t, auditadm_r) -+logging_stream_connect_syslog(auditadm_t) - - seutil_run_runinit(auditadm_t, auditadm_r) - seutil_read_bin_policy(auditadm_t) - -+userdom_dontaudit_search_admin_dir(auditadm_t) -+ - optional_policy(` - consoletype_exec(auditadm_t) - ') -diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te -index 3a45a3e..7499f24 100644 ---- a/policy/modules/roles/logadm.te -+++ b/policy/modules/roles/logadm.te -@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) - - role logadm_r; - --userdom_base_user_template(logadm) -+userdom_confined_admin_template(logadm) - - ######################################## - # - # logadmin local policy - # - --allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -- -+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; - logging_admin(logadm_t, logadm_r) -diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da11120..d67bcca 100644 ---- a/policy/modules/roles/secadm.te -+++ b/policy/modules/roles/secadm.te -@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0) - - role secadm_r; - --userdom_unpriv_user_template(secadm) --userdom_security_admin_template(secadm_t, secadm_r) -+userdom_confined_admin_template(secadm) -+userdom_security_admin(secadm_t, secadm_r) -+userdom_inherit_append_admin_home_files(secadm_t) -+userdom_read_admin_home_files(secadm_t) - - ######################################## - # -@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t) - mls_file_downgrade(secadm_t) - - auth_role(secadm_r, secadm_t) --files_relabel_non_auth_files(secadm_t) --auth_relabel_shadow(secadm_t) -+files_relabel_all_files(secadm_t) - - init_exec(secadm_t) - -diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if -index 234a940..d340f20 100644 ---- 
a/policy/modules/roles/staff.if -+++ b/policy/modules/roles/staff.if -@@ -1,4 +1,4 @@ --## Administrator's unprivileged user role -+## Administrator's unprivileged user - - ######################################## - ## -diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..4f46291 100644 ---- a/policy/modules/roles/staff.te -+++ b/policy/modules/roles/staff.te -@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) - role staff_r; - - userdom_unpriv_user_template(staff) -+fs_exec_noxattr(staff_t) -+ -+## -+##

    -+## allow staff user to create and transition to svirt domains. -+##

    -+##
    -+gen_tunable(staff_use_svirt, false) - - ######################################## - # - # Local policy - # - -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) -+kernel_read_fs_sysctls(staff_t) -+kernel_read_numa_state(staff_t) -+kernel_write_numa_state(staff_t) -+ -+fs_read_hugetlbfs_files(staff_t) -+files_dontaudit_read_all_symlinks(staff_t) -+ -+dev_read_cpuid(staff_t) -+dev_read_kmsg(staff_t) -+ -+domain_read_all_domains_state(staff_t) -+domain_getsched_all_domains(staff_t) -+domain_getattr_all_domains(staff_t) -+domain_obj_id_change_exemption(staff_t) -+ -+files_read_kernel_modules(staff_t) -+ -+seutil_read_module_store(staff_t) -+seutil_run_newrole(staff_t, staff_r) -+seutil_dbus_chat_semanage(staff_t) -+seutil_read_login_config(staff_t) -+ -+storage_read_scsi_generic(staff_t) -+storage_write_scsi_generic(staff_t) -+ -+term_use_unallocated_ttys(staff_t) -+ -+auth_domtrans_pam_console(staff_t) -+ -+init_dbus_chat(staff_t) -+init_dbus_chat_script(staff_t) -+init_status(staff_t) -+ -+miscfiles_read_hwdata(staff_t) -+ -+ifndef(`enable_mls',` -+ selinux_read_policy(staff_t) -+') -+ -+optional_policy(` -+ abrt_read_cache(staff_t) -+') -+ -+optional_policy(` -+ accountsd_read_lib_files(staff_t) -+') -+ - optional_policy(` - apache_role(staff_r, staff_t) - ') -@@ -23,11 +82,110 @@ optional_policy(` - ') - - optional_policy(` -+ blueman_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ kdumpgui_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ bluetooth_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ chrome_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ colord_dbus_chat(staff_t) -+') -+ -+optional_policy(` - dbadm_role_change(staff_r) - ') - - optional_policy(` -- git_role(staff_r, staff_t) -+ dnsmasq_read_pid_files(staff_t) -+') -+ -+optional_policy(` -+ dmesg_exec(staff_t) -+') -+ -+optional_policy(` -+ firewalld_dbus_chat(staff_t) -+') -+ 
-+optional_policy(` -+ firewallgui_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ gnome_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ irc_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ journalctl_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ kerneloops_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ logadm_role_change(staff_r) -+') -+ -+optional_policy(` -+ lpd_list_spool(staff_t) -+') -+ -+optional_policy(` -+ mock_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ mozilla_run_plugin(staff_t, staff_r) -+') -+ -+optional_policy(` -+ modutils_read_module_config(staff_t) -+ modutils_read_module_deps(staff_t) -+') -+ -+optional_policy(` -+ netutils_run_ping(staff_t, staff_r) -+ netutils_run_traceroute(staff_t, staff_r) -+ netutils_signal_ping(staff_t) -+ netutils_kill_ping(staff_t) -+') -+ -+optional_policy(` -+ oident_manage_user_content(staff_t) -+ oident_relabel_user_content(staff_t) -+') -+ -+optional_policy(` -+ mta_role(staff_r, staff_t) -+') -+ -+optional_policy(` -+ mysql_exec(staff_t) -+') -+ -+optional_policy(` -+ polipo_role(staff_r, staff_t) -+ polipo_named_filetrans_cache_home_dirs(staff_t) -+ polipo_named_filetrans_config_home_files(staff_t) -+') -+ -+optional_policy(` -+ openvpn_exec(staff_t) - ') - - optional_policy(` -@@ -35,15 +193,31 @@ optional_policy(` - ') - - optional_policy(` -+ rtkit_scheduled(staff_t) -+') -+ -+optional_policy(` -+ rpm_dbus_chat(staff_t) -+') -+ -+optional_policy(` -+ rwho_read_spool_files(staff_t) -+') -+ -+optional_policy(` - secadm_role_change(staff_r) - ') - - optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) -+ sandbox_transition(staff_t, staff_r) - ') - - optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) -+ sandbox_x_transition(staff_t, staff_r) -+') -+ -+optional_policy(` -+ screen_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` -@@ -52,10 +226,55 @@ optional_policy(` - ') - - optional_policy(` -+ systemd_read_unit_files(staff_t) -+ 
systemd_exec_systemctl(staff_t) -+') -+ -+optional_policy(` -+ setroubleshoot_stream_connect(staff_t) -+ setroubleshoot_dbus_chat(staff_t) -+ setroubleshoot_dbus_chat_fixit(staff_t) -+') -+ -+optional_policy(` -+ ssh_role_template(staff, staff_r, staff_t) -+') -+ -+optional_policy(` -+ sudo_role_template(staff, staff_r, staff_t) -+') -+ -+optional_policy(` -+ userhelper_console_role_template(staff, staff_r, staff_t) -+') -+ -+optional_policy(` -+ unconfined_role_change(staff_r) -+') -+ -+optional_policy(` -+ usbmuxd_stream_connect(staff_t) -+') -+ -+optional_policy(` -+ virt_getattr_exec(staff_t) -+ virt_search_images(staff_t) -+ virt_stream_connect(staff_t) -+') -+ -+optional_policy(` - vlock_run(staff_t, staff_r) - ') - - optional_policy(` -+ vnstatd_read_lib_files(staff_t) -+') -+ -+optional_policy(` -+ webadm_role_change(staff_r) -+') -+ -+optional_policy(` - xserver_role(staff_r, staff_t) - ') - -@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- bluetooth_role(staff_r, staff_t) -- ') -- -- optional_policy(` - cdrecord_role(staff_r, staff_t) - ') - -@@ -78,10 +293,6 @@ ifndef(`distro_redhat',` - - optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -- -- optional_policy(` -- gnome_role_template(staff, staff_r, staff_t) -- ') - ') - - optional_policy(` -@@ -101,10 +312,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- irc_role(staff_r, staff_t) -- ') -- -- optional_policy(` - java_role(staff_r, staff_t) - ') - -@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- mta_role(staff_r, staff_t) -- ') -- -- optional_policy(` - pyzor_role(staff_r, staff_t) - ') - -@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- screen_role_template(staff, staff_r, staff_t) -- ') -- -- optional_policy(` - spamassassin_role(staff_r, staff_t) - ') - -@@ -176,3 +375,22 @@ ifndef(`distro_redhat',` - wireshark_role(staff_r, staff_t) - ') - ') -+ -+tunable_policy(`selinuxuser_execmod',` -+ 
userdom_execmod_user_home_files(staff_t) -+') -+ -+optional_policy(` -+ virt_transition_svirt(staff_t, staff_r) -+ virt_filetrans_home_content(staff_t) -+') -+ -+optional_policy(` -+ tunable_policy(`staff_use_svirt',` -+ allow staff_t self:fifo_file relabelfrom; -+ dev_rw_kvm(staff_t) -+ virt_manage_images(staff_t) -+ virt_stream_connect_svirt(staff_t) -+ virt_exec(staff_t) -+ ') -+') -diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if -index ff92430..36740ea 100644 ---- a/policy/modules/roles/sysadm.if -+++ b/policy/modules/roles/sysadm.if -@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',` - allow sysadm_t $1:process sigchld; - ') - -+####################################### -+## -+## sysadm stub interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sysadm_stub',` -+ gen_require(` -+ type sysadm_t; -+ role sysadm_r; -+ ') -+') -+ - ######################################## - ## - ## Execute a generic bin program in the sysadm domain. -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..f520b74 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) - # Declarations - # - --## --##

    --## Allow sysadm to debug or ptrace all processes. --##

    --##
    --gen_tunable(allow_ptrace, false) -- - role sysadm_r; - - userdom_admin_user_template(sysadm) - --ifndef(`enable_mls',` -- userdom_security_admin_template(sysadm_t, sysadm_r) --') -- - ######################################## - # - # Local policy - # -+kernel_read_fs_sysctls(sysadm_t) - - corecmd_exec_shell(sysadm_t) - -+dev_filetrans_all_named_dev(sysadm_t) -+ -+domain_dontaudit_read_all_domains_state(sysadm_t) -+ -+files_read_kernel_modules(sysadm_t) -+files_filetrans_named_content(sysadm_t) -+files_status_etc(sysadm_t) -+ -+fs_mount_fusefs(sysadm_t) -+ -+storage_filetrans_all_named_dev(sysadm_t) -+ -+term_filetrans_all_named_dev(sysadm_t) -+ - mls_process_read_up(sysadm_t) -+mls_file_read_all_levels(sysadm_t) -+mls_file_write_all_levels(sysadm_t) -+mls_file_read_to_clearance(sysadm_t) -+mls_process_write_to_clearance(sysadm_t) -+ -+storage_setattr_fixed_disk_dev(sysadm_t) - - ubac_process_exempt(sysadm_t) - ubac_file_exempt(sysadm_t) - ubac_fd_exempt(sysadm_t) - -+application_exec(sysadm_t) -+ -+init_filetrans_named_content(sysadm_t) -+init_disable_services(sysadm_t) -+init_enable_services(sysadm_t) -+init_reload_services(sysadm_t) - init_exec(sysadm_t) -+init_exec_script_files(sysadm_t) -+init_dbus_chat(sysadm_t) -+init_script_role_transition(sysadm_r) -+init_status(sysadm_t) -+init_reboot(sysadm_t) -+init_halt(sysadm_t) -+init_undefined(sysadm_t) -+ -+logging_filetrans_named_content(sysadm_t) -+ -+miscfiles_filetrans_named_content(sysadm_t) -+miscfiles_read_hwdata(sysadm_t) -+ -+sysnet_filetrans_named_content(sysadm_t) - - # Add/remove user home directories -+userdom_manage_user_tmp_chr_files(sysadm_t) - userdom_manage_user_home_dirs(sysadm_t) - userdom_home_filetrans_user_home_dir(sysadm_t) -+userdom_manage_tmp_role(sysadm_r, sysadm_t) -+userdom_exec_admin_home_files(sysadm_t) -+ -+optional_policy(` -+ abrt_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` -+ alsa_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` -+ 
ssh_filetrans_admin_home_content(sysadm_t) -+ ssh_filetrans_keys(sysadm_t) -+') - - ifdef(`direct_sysadm_daemon',` - optional_policy(` -@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',` - init_exec_rc(sysadm_t) - ') - --ifndef(`enable_mls',` -- logging_manage_audit_log(sysadm_t) -- logging_manage_audit_config(sysadm_t) -- logging_run_auditctl(sysadm_t, sysadm_r) --') -- --tunable_policy(`allow_ptrace',` -+tunable_policy(`deny_ptrace',`',` - domain_ptrace_all_domains(sysadm_t) - ') - -@@ -71,9 +111,9 @@ optional_policy(` - - optional_policy(` - apache_run_helper(sysadm_t, sysadm_r) -+ apache_filetrans_named_content(sysadm_t) - #apache_run_all_scripts(sysadm_t, sysadm_r) - #apache_domtrans_sys_script(sysadm_t) -- apache_role(sysadm_r, sysadm_t) - ') - - optional_policy(` -@@ -87,6 +127,7 @@ optional_policy(` - - optional_policy(` - asterisk_stream_connect(sysadm_t) -+ asterisk_exec(sysadm_t) - ') - - optional_policy(` -@@ -110,11 +151,17 @@ optional_policy(` - ') - - optional_policy(` -+ certmonger_dbus_chat(sysadm_t) -+') -+ -+optional_policy(` - certwatch_run(sysadm_t, sysadm_r) - ') - - optional_policy(` - clock_run(sysadm_t, sysadm_r) -+ clock_manage_adjtime(sysadm_t) -+ clock_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -@@ -122,11 +169,19 @@ optional_policy(` - ') - - optional_policy(` -- consoletype_run(sysadm_t, sysadm_r) -+ cron_admin_role(sysadm_r, sysadm_t) - ') - - optional_policy(` -- cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` -+ daemonstools_run_start(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` -+ dbus_role_template(sysadm, sysadm_r, sysadm_t) - ') - - optional_policy(` -@@ -140,6 +195,10 @@ optional_policy(` - ') - - optional_policy(` -+ devicekit_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` - dmesg_exec(sysadm_t) - ') - -@@ -156,11 +215,11 @@ optional_policy(` - ') - - optional_policy(` -- fstools_run(sysadm_t, sysadm_r) -+ firewalld_dbus_chat(sysadm_t) - ') - - optional_policy(` -- 
git_role(sysadm_r, sysadm_t) -+ fstools_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -@@ -179,6 +238,13 @@ optional_policy(` - ipsec_stream_connect(sysadm_t) - # for lsof - ipsec_getattr_key_sockets(sysadm_t) -+ ipsec_run_setkey(sysadm_t, sysadm_r) -+ ipsec_run_racoon(sysadm_t, sysadm_r) -+ ipsec_stream_connect_racoon(sysadm_t) -+ -+ optional_policy(` -+ ipsec_mgmt_dbus_chat(sysadm_t) -+ ') - ') - - optional_policy(` -@@ -186,15 +252,20 @@ optional_policy(` - ') - - optional_policy(` -- kudzu_run(sysadm_t, sysadm_r) -+ irc_role(sysadm_r, sysadm_t) - ') - - optional_policy(` -- libs_run_ldconfig(sysadm_t, sysadm_r) -+ kerberos_exec_kadmind(sysadm_t) -+ kerberos_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -- lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` -+ libs_run_ldconfig(sysadm_t, sysadm_r) - ') - - optional_policy(` -@@ -214,22 +285,20 @@ optional_policy(` - modutils_run_depmod(sysadm_t, sysadm_r) - modutils_run_insmod(sysadm_t, sysadm_r) - modutils_run_update_mods(sysadm_t, sysadm_r) -+ modutils_read_module_deps(sysadm_t) -+ modules_filetrans_named_content(sysadm_t) - ') - - optional_policy(` - mount_run(sysadm_t, sysadm_r) --') -- --optional_policy(` -- mozilla_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- mplayer_role(sysadm_r, sysadm_t) -+ mount_run_showmount(sysadm_t, sysadm_r) - ') - - optional_policy(` - mta_role(sysadm_r, sysadm_t) -+ # this is defined in userdom_common_user_template -+ #mta_filetrans_home_content(sysadm_t) -+ mta_filetrans_admin_home_content(sysadm_t) - ') - - optional_policy(` -@@ -241,14 +310,27 @@ optional_policy(` - ') - - optional_policy(` -+ ncftool_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` - netutils_run(sysadm_t, sysadm_r) - netutils_run_ping(sysadm_t, sysadm_r) - netutils_run_traceroute(sysadm_t, sysadm_r) - ') - - optional_policy(` -+ networkmanager_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` - ntp_stub() - 
corenet_udp_bind_ntp_port(sysadm_t) -+ ntp_admin(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` -+ nx_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -@@ -256,10 +338,20 @@ optional_policy(` - ') - - optional_policy(` -+ openvpn_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` - pcmcia_run_cardctl(sysadm_t, sysadm_r) - ') - - optional_policy(` -+ polipo_role(sysadm_r, sysadm_t) -+ polipo_named_filetrans_admin_cache_home_dirs(sysadm_t) -+ polipo_named_filetrans_admin_config_home_files(sysadm_t) -+') -+ -+optional_policy(` - portage_run(sysadm_t, sysadm_r) - portage_run_fetch(sysadm_t, sysadm_r) - portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,35 +362,41 @@ optional_policy(` - ') - - optional_policy(` -- pyzor_role(sysadm_r, sysadm_t) -+ postfix_admin(sysadm_t, sysadm_r) - ') - - optional_policy(` -- quota_run(sysadm_t, sysadm_r) -+ postgresql_admin(sysadm_t, sysadm_r) - ') - - optional_policy(` -- raid_run_mdadm(sysadm_r, sysadm_t) -+ prelink_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -- razor_role(sysadm_r, sysadm_t) -+ puppet_run_puppetca(sysadm_t, sysadm_r) - ') - - optional_policy(` -- rpc_domtrans_nfsd(sysadm_t) -+ quota_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -- rpm_run(sysadm_t, sysadm_r) -+ raid_domtrans_mdadm(sysadm_t) - ') - - optional_policy(` -- rssh_role(sysadm_r, sysadm_t) -+ rpc_domtrans_nfsd(sysadm_t) -+') -+ -+optional_policy(` -+ rpm_run(sysadm_t, sysadm_r) -+ rpm_dbus_chat(sysadm_t, sysadm_r) - ') - - optional_policy(` - rsync_exec(sysadm_t) -+ rsync_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -@@ -312,6 +410,7 @@ optional_policy(` - - optional_policy(` - screen_role_template(sysadm, sysadm_r, sysadm_t) -+ allow sysadm_screen_t self:capability dac_override; - ') - - optional_policy(` -@@ -319,12 +418,20 @@ optional_policy(` - ') - - optional_policy(` -+ setroubleshoot_stream_connect(sysadm_t) -+ setroubleshoot_dbus_chat(sysadm_t) -+ setroubleshoot_dbus_chat_fixit(sysadm_t) -+') -+ 
-+optional_policy(` - seutil_run_setfiles(sysadm_t, sysadm_r) - seutil_run_runinit(sysadm_t, sysadm_r) -+ seutil_dbus_chat_semanage(sysadm_t) -+ seutil_read_login_config(sysadm_t) - ') - - optional_policy(` -- spamassassin_role(sysadm_r, sysadm_t) -+ shutdown_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -@@ -349,7 +456,18 @@ optional_policy(` - ') - - optional_policy(` -- thunderbird_role(sysadm_r, sysadm_t) -+ systemd_passwd_agent_run(sysadm_t, sysadm_r) -+ systemd_config_all_services(sysadm_t) -+ systemd_manage_all_unit_files(sysadm_t) -+ systemd_manage_all_unit_lnk_files(sysadm_t) -+ systemd_login_status(sysadm_t) -+ systemd_login_reboot(sysadm_t) -+ systemd_login_halt(sysadm_t) -+ systemd_login_undefined(sysadm_t) -+') -+ -+optional_policy(` -+ tftp_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -@@ -360,19 +478,15 @@ optional_policy(` - ') - - optional_policy(` -- tvtime_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - tzdata_domtrans(sysadm_t) - ') - - optional_policy(` -- uml_role(sysadm_r, sysadm_t) -+ unconfined_domtrans(sysadm_t) - ') - - optional_policy(` -- unconfined_domtrans(sysadm_t) -+ udev_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -@@ -384,10 +498,6 @@ optional_policy(` - ') - - optional_policy(` -- userhelper_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - usermanage_run_admin_passwd(sysadm_t, sysadm_r) - usermanage_run_groupadd(sysadm_t, sysadm_r) - usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +505,9 @@ optional_policy(` - - optional_policy(` - virt_stream_connect(sysadm_t) -+ virt_filetrans_home_content(sysadm_t) -+ virt_manage_pid_dirs(sysadm_t) -+ virt_transition_svirt_sandbox(sysadm_t, sysadm_r) - ') - - optional_policy(` -@@ -402,31 +515,34 @@ optional_policy(` - ') - - optional_policy(` -- vpn_run(sysadm_t, sysadm_r) -+ vlock_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -- webalizer_run(sysadm_t, sysadm_r) -+ vpn_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -- 
wireshark_role(sysadm_r, sysadm_t) -+ webalizer_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -- vlock_run(sysadm_t, sysadm_r) -+ xserver_role(sysadm_r, sysadm_t) - ') - - optional_policy(` -- xserver_role(sysadm_r, sysadm_t) -+ yam_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -- yam_run(sysadm_t, sysadm_r) -+ zebra_stream_connect(sysadm_t) - ') - - ifndef(`distro_redhat',` - optional_policy(` -+ apache_role(sysadm_r, sysadm_t) -+ ') -+ optional_policy(` - auth_role(sysadm_r, sysadm_t) - ') - -@@ -439,10 +555,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- cron_admin_role(sysadm_r, sysadm_t) -- ') -- -- optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) - - optional_policy(` -@@ -463,15 +575,75 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- gpg_role(sysadm_r, sysadm_t) -+ gnome_role(sysadm_r, sysadm_t) -+ gnome_filetrans_admin_home_content(sysadm_t) - ') - - optional_policy(` -- irc_role(sysadm_r, sysadm_t) -+ gpg_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - java_role(sysadm_r, sysadm_t) - ') --') - -+ optional_policy(` -+ lockdev_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ mock_admin(sysadm_t) -+ ') -+ -+ optional_policy(` -+ mozilla_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ mplayer_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ pyzor_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ razor_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ rssh_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ spamassassin_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ thunderbird_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ tvtime_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ uml_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ userhelper_role_template(sysadm, sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ vmware_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ wireshark_role(sysadm_r, sysadm_t) -+ 
') -+ -+ optional_policy(` -+ xserver_role(sysadm_r, sysadm_t) -+ ') -+') -diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc -new file mode 100644 -index 0000000..ae3b6db ---- /dev/null -+++ b/policy/modules/roles/sysadm_secadm.fc -@@ -0,0 +1 @@ -+# No context -diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if -new file mode 100644 -index 0000000..bd83148 ---- /dev/null -+++ b/policy/modules/roles/sysadm_secadm.if -@@ -0,0 +1 @@ -+## No Interfaces -diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te -new file mode 100644 -index 0000000..63bc797 ---- /dev/null -+++ b/policy/modules/roles/sysadm_secadm.te -@@ -0,0 +1,25 @@ -+policy_module(sysadm_secadm, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+gen_require(` -+ type sysadm_t; -+ role sysadm_r; -+') -+ -+userdom_security_admin_template(sysadm_t, sysadm_r) -+ -+####################################### -+# -+# Local policy -+# -+ -+mls_file_write_all_levels(sysadm_t) -+ -+logging_manage_audit_log(sysadm_t) -+logging_manage_audit_config(sysadm_t) -+logging_run_auditctl(sysadm_t, sysadm_r) -+logging_stream_connect_syslog(sysadm_t) -diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc -new file mode 100644 -index 0000000..0e8654b ---- /dev/null -+++ b/policy/modules/roles/unconfineduser.fc -@@ -0,0 +1,8 @@ -+# Add programs here which should not be confined by SELinux -+# e.g.: -+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) -+ -+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) -+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) -diff --git 
a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if -new file mode 100644 -index 0000000..cf6582f ---- /dev/null -+++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,613 @@ -+## Unconfiend user role -+ -+######################################## -+## -+## Change from the unconfineduser role. -+## -+## -+##

    -+## Change from the unconfineduser role to -+## the specified role. -+##

    -+##

    -+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

    -+##
    -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`unconfined_role_change_to',` -+ gen_require(` -+ role unconfined_r; -+ ') -+ -+ allow unconfined_r $1; -+') -+ -+######################################## -+## -+## Transition to the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_domtrans',` -+ gen_require(` -+ type unconfined_t, unconfined_exec_t; -+ ') -+ -+ domtrans_pattern($1,unconfined_exec_t,unconfined_t) -+') -+ -+######################################## -+## -+## Execute specified programs in the unconfined domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to allow the unconfined domain. -+## -+## -+# -+interface(`unconfined_run',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ unconfined_domtrans($1) -+ role $2 types unconfined_t; -+') -+ -+######################################## -+## -+## Transition to the unconfined domain by executing a shell. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_shell_domtrans',` -+ gen_require(` -+ attribute unconfined_login_domain; -+ ') -+ typeattribute $1 unconfined_login_domain; -+') -+ -+######################################## -+## -+## Allow unconfined to execute the specified program in -+## the specified domain. -+## -+## -+##

    -+## Allow unconfined to execute the specified program in -+## the specified domain. -+##

    -+##

    -+## This is a interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

    -+##
    -+## -+## -+## Domain to execute in. -+## -+## -+## -+## -+## Domain entry point file. -+## -+## -+# -+interface(`unconfined_domtrans_to',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ domtrans_pattern(unconfined_t,$2,$1) -+') -+ -+######################################## -+## -+## Allow unconfined to execute the specified program in -+## the specified domain. Allow the specified domain the -+## unconfined role and use of unconfined user terminals. -+## -+## -+##

    -+## Allow unconfined to execute the specified program in -+## the specified domain. Allow the specified domain the -+## unconfined role and use of unconfined user terminals. -+##

    -+##

    -+## This is a interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

    -+##
    -+## -+## -+## Domain to execute in. -+## -+## -+## -+## -+## Domain entry point file. -+## -+## -+# -+interface(`unconfined_run_to',` -+ gen_require(` -+ type unconfined_t; -+ role unconfined_r; -+ ') -+ -+ domtrans_pattern(unconfined_t,$2,$1) -+ role unconfined_r types $1; -+ userdom_use_user_terminals($1) -+') -+ -+######################################## -+## -+## Inherit file descriptors from the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_use_fds',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:fd use; -+') -+ -+######################################## -+## -+## Send a SIGCHLD signal to the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_sigchld',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process sigchld; -+') -+ -+######################################## -+## -+## Send a SIGNULL signal to the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_signull',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process signull; -+') -+ -+######################################## -+## -+## Send generic signals to the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_signal',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process signal; -+') -+ -+######################################## -+## -+## Read unconfined domain unnamed pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_read_pipes',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:fifo_file read_fifo_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read unconfined domain unnamed pipes. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`unconfined_dontaudit_read_pipes',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ dontaudit $1 unconfined_t:fifo_file read; -+') -+ -+######################################## -+## -+## Read and write unconfined domain unnamed pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_rw_pipes',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write -+## unconfined domain unnamed pipes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`unconfined_dontaudit_rw_pipes',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ dontaudit $1 unconfined_t:fifo_file rw_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write -+## unconfined domain stream. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`unconfined_dontaudit_rw_stream',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; -+') -+ -+######################################## -+## -+## Connect to the unconfined domain using -+## a unix domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_stream_connect',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## unconfined domain tcp sockets. -+## -+## -+##

    -+## Do not audit attempts to read or write -+## unconfined domain tcp sockets. -+##

    -+##

    -+## This interface was added due to a broken -+## symptom in ldconfig. -+##

    -+##
    -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`unconfined_dontaudit_rw_tcp_sockets',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ dontaudit $1 unconfined_t:tcp_socket { read write }; -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## unconfined domain packet sockets. -+## -+## -+##

    -+## Do not audit attempts to read or write -+## unconfined domain packet sockets. -+##

    -+##

    -+## This interface was added due to a broken -+## symptom. -+##

    -+##
    -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`unconfined_dontaudit_rw_packet_sockets',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ dontaudit $1 unconfined_t:packet_socket { read write }; -+') -+ -+######################################## -+## -+## Create keys for the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_create_keys',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:key create; -+') -+ -+######################################## -+## -+## Write keys for the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_write_keys',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:key write; -+') -+ -+######################################## -+## -+## Send messages to the unconfined domain over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_dbus_send',` -+ gen_require(` -+ type unconfined_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 unconfined_t:dbus send_msg; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## unconfined_t over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_dbus_chat',` -+ gen_require(` -+ type unconfined_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 unconfined_t:dbus send_msg; -+ allow unconfined_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Connect to the the unconfined DBUS -+## for service (acquire_svc). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_dbus_connect',` -+ gen_require(` -+ type unconfined_t; -+ class dbus acquire_svc; -+ ') -+ -+ allow $1 unconfined_t:dbus acquire_svc; -+') -+ -+######################################## -+## -+## Allow ptrace of unconfined domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`unconfined_ptrace',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process ptrace; -+') -+ -+######################################## -+## -+## Read and write to unconfined shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`unconfined_rw_shm',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_set_rlimitnh',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process rlimitinh; -+') -+ -+######################################## -+## -+## Get the process group of unconfined. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_getpgid',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process getpgid; -+') -+ -+######################################## -+## -+## Change to the unconfined role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`unconfined_role_change',` -+ gen_require(` -+ role unconfined_r; -+ ') -+ -+ allow $1 unconfined_r; -+') -+ -+######################################## -+## -+## Allow domain to attach to TUN devices created by unconfined_t users. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`unconfined_attach_tun_iface',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:tun_socket relabelfrom; -+ allow $1 self:tun_socket relabelto; -+') -+ -diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te -new file mode 100644 -index 0000000..539c163 ---- /dev/null -+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,328 @@ -+policy_module(unconfineduser, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+attribute unconfined_login_domain; -+ -+## -+##

    -+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox -+##

    -+##
    -+gen_tunable(unconfined_chrome_sandbox_transition, false) -+ -+## -+##

    -+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. -+##

    -+##
    -+gen_tunable(unconfined_mozilla_plugin_transition, false) -+ -+## -+##

    -+## Allow a user to login as an unconfined domain -+##

    -+##
    -+gen_tunable(unconfined_login, true) -+ -+# usage in this module of types created by these -+# calls is not correct, however we dont currently -+# have another method to add access to these types -+userdom_base_user_template(unconfined) -+userdom_manage_home_role(unconfined_r, unconfined_t) -+userdom_manage_tmp_role(unconfined_r, unconfined_t) -+userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_unpriv_type(unconfined_t) -+ -+type unconfined_exec_t; -+init_system_domain(unconfined_t, unconfined_exec_t) -+role unconfined_r types unconfined_t; -+role_transition system_r unconfined_exec_t unconfined_r; -+allow system_r unconfined_r; -+ -+domain_user_exemption_target(unconfined_t) -+allow system_r unconfined_r; -+allow unconfined_r system_r; -+init_script_role_transition(unconfined_r) -+role system_r types unconfined_t; -+typealias unconfined_t alias unconfined_crontab_t; -+ -+######################################## -+# -+# Local policy -+# -+ -+dontaudit unconfined_t self:dir write; -+dontaudit unconfined_t self:file setattr; -+ -+allow unconfined_t self:system syslog_read; -+dontaudit unconfined_t self:capability sys_module; -+ -+kernel_rw_unlabeled_socket(unconfined_t) -+kernel_rw_unlabeled_rawip_socket(unconfined_t) -+ -+files_create_boot_flag(unconfined_t) -+files_create_default_dir(unconfined_t) -+files_root_filetrans_default(unconfined_t, dir) -+ -+init_run_daemon(unconfined_t, unconfined_r) -+init_domtrans_script(unconfined_t) -+init_telinit(unconfined_t) -+ -+logging_send_syslog_msg(unconfined_t) -+ -+systemd_config_all_services(unconfined_t) -+ -+unconfined_domain_noaudit(unconfined_t) -+domain_named_filetrans(unconfined_t) -+domain_transition_all(unconfined_t) -+ -+usermanage_run_passwd(unconfined_t, unconfined_r) -+ -+tunable_policy(`deny_execmem',`',` -+ allow unconfined_t self:process execmem; -+') -+ -+tunable_policy(`selinuxuser_execstack',` -+ allow unconfined_t self:process execstack; -+') -+ -+tunable_policy(`selinuxuser_execmod',` 
-+ userdom_execmod_user_home_files(unconfined_t) -+') -+ -+tunable_policy(`unconfined_login',` -+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) -+ allow unconfined_t unconfined_login_domain:fd use; -+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; -+ allow unconfined_t unconfined_login_domain:process sigchld; -+') -+ -+optional_policy(` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ optional_policy(` -+ abrt_dbus_chat(unconfined_t) -+ abrt_run_helper(unconfined_t, unconfined_r) -+ ') -+ -+ optional_policy(` -+ avahi_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ blueman_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ certmonger_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat(unconfined_t) -+ devicekit_dbus_chat_disk(unconfined_t) -+ devicekit_dbus_chat_power(unconfined_t) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ rtkit_scheduled(unconfined_t) -+ ') -+ -+ # Might remove later if this proves to be problematic, but would like to gather AVCs -+ optional_policy(` -+ thumb_role(unconfined_r, unconfined_t) -+ ') -+ -+ optional_policy(` -+ setroubleshoot_dbus_chat(unconfined_t) -+ setroubleshoot_dbus_chat_fixit(unconfined_t) -+ ') -+ -+ optional_policy(` -+ sandbox_transition(unconfined_t, unconfined_r) -+ ') -+ -+ optional_policy(` -+ sandbox_x_transition(unconfined_t, unconfined_r) -+ ') -+ -+ optional_policy(` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ xserver_rw_session(unconfined_t, user_tmpfs_t) -+ xserver_dbus_chat_xdm(unconfined_t) -+ ') -+') -+ -+ifdef(`distro_gentoo',` -+ seutil_run_runinit(unconfined_t, unconfined_r) -+ seutil_init_script_run_runinit(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ accountsd_dbus_chat(unconfined_t) -+') -+ -+optional_policy(` -+ chrome_role_notrans(unconfined_r, unconfined_t) -+ -+ 
tunable_policy(`unconfined_chrome_sandbox_transition',` -+ chrome_domtrans_sandbox(unconfined_t) -+ ') -+') -+ -+optional_policy(` -+ dbus_role_template(unconfined, unconfined_r, unconfined_t) -+ role system_r types unconfined_dbusd_t; -+ -+ optional_policy(` -+ unconfined_domain(unconfined_dbusd_t) -+ -+ optional_policy(` -+ xserver_rw_shm(unconfined_dbusd_t) -+ ') -+ ') -+ -+ init_dbus_chat(unconfined_t) -+ init_dbus_chat_script(unconfined_t) -+ -+ dbus_stub(unconfined_t) -+ -+ optional_policy(` -+ bluetooth_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ consolekit_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ cups_dbus_chat_config(unconfined_t) -+ ') -+ -+ optional_policy(` -+ fprintd_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ systemd_dbus_chat_timedated(unconfined_t) -+ gnome_dbus_chat_gconfdefault(unconfined_t) -+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) -+ ') -+ -+ optional_policy(` -+ ipsec_mgmt_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ kerneloops_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) -+ ') -+ -+ optional_policy(` -+ oddjob_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ vpn_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ firewalld_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ firewallgui_dbus_chat(unconfined_t) -+ ') -+') -+ -+optional_policy(` -+ firstboot_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ fsadm_manage_pid(unconfined_t) -+') -+ -+optional_policy(` -+ gpsd_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ java_run_unconfined(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ livecd_run(unconfined_t, unconfined_r) -+') -+ -+#optional_policy(` -+# mock_role(unconfined_r, unconfined_t) -+#') -+ -+optional_policy(` -+ mozilla_role_plugin(unconfined_r) -+ -+ tunable_policy(`unconfined_mozilla_plugin_transition', ` -+ 
mozilla_domtrans_plugin(unconfined_t) -+ ') -+') -+ -+optional_policy(` -+ oddjob_run_mkhomedir(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ rpm_run(unconfined_t, unconfined_r) -+ # Allow SELinux aware applications to request rpm_script execution -+ rpm_transition_script(unconfined_t) -+ rpm_dbus_chat(unconfined_t) -+') -+ -+optional_policy(` -+ optional_policy(` -+ samba_run_unconfined_net(unconfined_t, unconfined_r) -+ ') -+ -+ samba_role_notrans(unconfined_r) -+ samba_run_smbcontrol(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ sysnet_run_dhcpc(unconfined_t, unconfined_r) -+ sysnet_dbus_chat_dhcpc(unconfined_t) -+ sysnet_role_transition_dhcpc(unconfined_r) -+') -+ -+optional_policy(` -+ openshift_run(unconfined_usertype, unconfined_r) -+') -+ -+optional_policy(` -+ virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_transition_svirt_sandbox(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ xserver_run(unconfined_t, unconfined_r) -+ xserver_manage_home_fonts(unconfined_t) -+') -+ -+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if -index 3835596..fbca2be 100644 ---- a/policy/modules/roles/unprivuser.if -+++ b/policy/modules/roles/unprivuser.if -@@ -1,4 +1,4 @@ --## Generic unprivileged user role -+## Generic unprivileged user - - ######################################## - ## -diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..ad1f001 100644 ---- a/policy/modules/roles/unprivuser.te -+++ b/policy/modules/roles/unprivuser.te -@@ -1,5 +1,12 @@ - policy_module(unprivuser, 2.3.1) - -+## -+##

    -+## Allow unprivledged user to create and transition to svirt domains. -+##

    -+##
    -+gen_tunable(unprivuser_use_svirt, false) -+ - # this module should be named user, but that is - # a compile error since user is a keyword. - -@@ -12,12 +19,100 @@ role user_r; - - userdom_unpriv_user_template(user) - -+kernel_read_numa_state(user_t) -+kernel_write_numa_state(user_t) -+ -+fs_exec_noxattr(user_t) -+fs_read_hugetlbfs_files(user_t) -+ -+storage_read_scsi_generic(user_t) -+storage_write_scsi_generic(user_t) -+ -+init_dbus_chat(user_t) -+init_status(user_t) -+ -+tunable_policy(`selinuxuser_execmod',` -+ userdom_execmod_user_home_files(user_t) -+') -+ -+optional_policy(` -+ abrt_read_cache(user_t) -+') -+ - optional_policy(` - apache_role(user_r, user_t) - ') - - optional_policy(` -- git_role(user_r, user_t) -+ blueman_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ bluetooth_role(user_r, user_t) -+') -+ -+optional_policy(` -+ colord_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ chrome_role(user_r, user_t) -+') -+ -+optional_policy(` -+ gnome_role(user_r, user_t) -+') -+ -+optional_policy(` -+ journalctl_role(user_r, user_t) -+') -+ -+optional_policy(` -+ irc_role(user_r, user_t) -+') -+ -+optional_policy(` -+ oident_manage_user_content(user_t) -+ oident_relabel_user_content(user_t) -+') -+ -+optional_policy(` -+ mozilla_run_plugin(user_t, user_r) -+') -+ -+optional_policy(` -+ mta_role(user_r, user_t) -+') -+ -+optional_policy(` -+ netutils_run_ping_cond(user_t, user_r) -+ netutils_run_traceroute_cond(user_t, user_r) -+') -+ -+optional_policy(` -+ polipo_role(user_r, user_t) -+ polipo_named_filetrans_cache_home_dirs(user_t) -+ polipo_named_filetrans_config_home_files(user_t) -+') -+ -+optional_policy(` -+ rpm_dontaudit_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ rtkit_scheduled(user_t) -+') -+ -+optional_policy(` -+ sandbox_transition(user_t, user_r) -+') -+ -+optional_policy(` -+ sandbox_x_transition(user_t, user_r) -+') -+ -+optional_policy(` -+ ssh_role_template(user, user_r, user_t) - ') - - optional_policy(` -@@ -25,6 +120,18 @@ 
optional_policy(` - ') - - optional_policy(` -+ setroubleshoot_dontaudit_stream_connect(user_t) -+') -+ -+#optional_policy(` -+# telepathy_dbus_session_role(user_r, user_t) -+#') -+ -+optional_policy(` -+ usbmuxd_stream_connect(user_t) -+') -+ -+optional_policy(` - vlock_run(user_t, user_r) - ') - -@@ -102,10 +209,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- mta_role(user_r, user_t) -- ') -- -- optional_policy(` - postgresql_role(user_r, user_t) - ') - -@@ -128,7 +231,6 @@ ifndef(`distro_redhat',` - optional_policy(` - ssh_role_template(user, user_r, user_t) - ') -- - optional_policy(` - su_role_template(user, user_r, user_t) - ') -@@ -161,3 +263,15 @@ ifndef(`distro_redhat',` - wireshark_role(user_r, user_t) - ') - ') -+ -+ -+optional_policy(` -+ virt_transition_svirt(user_t, user_r) -+ virt_filetrans_home_content(user_t) -+') -+ -+optional_policy(` -+ tunable_policy(`unprivuser_use_svirt',` -+ virt_manage_images(user_t) -+ ') -+') -diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index a26f84f..947af6c 100644 ---- a/policy/modules/services/postgresql.fc -+++ b/policy/modules/services/postgresql.fc -@@ -10,6 +10,7 @@ - # - /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) - /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) - - /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) -@@ -28,9 +29,10 @@ ifdef(`distro_redhat', ` - # - /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - --/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -+/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - /var/lib/pgsql/logfile(/.*)? 
gen_context(system_u:object_r:postgresql_log_t,s0) --/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) -+/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) -+/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) - - /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) -@@ -45,4 +47,4 @@ ifdef(`distro_redhat', ` - - /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) - --/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 9d2f311..9e87525 100644 ---- a/policy/modules/services/postgresql.if -+++ b/policy/modules/services/postgresql.if -@@ -10,90 +10,21 @@ - ##
    - ## - ## --## -+## - ## The type of the user domain. - ## - ## - # - interface(`postgresql_role',` - gen_require(` -- class db_database all_db_database_perms; -- class db_schema all_db_schema_perms; -- class db_table all_db_table_perms; -- class db_sequence all_db_sequence_perms; -- class db_view all_db_view_perms; -- class db_procedure all_db_procedure_perms; -- class db_language all_db_language_perms; -- class db_column all_db_column_perms; -- class db_tuple all_db_tuple_perms; -- class db_blob all_db_blob_perms; -- -- attribute sepgsql_client_type, sepgsql_database_type; -- attribute sepgsql_schema_type, sepgsql_sysobj_table_type; -- -- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; -- type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; -- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; -- type user_sepgsql_schema_t, user_sepgsql_seq_t; -- type user_sepgsql_sysobj_t, user_sepgsql_table_t; -- type user_sepgsql_view_t; -- type sepgsql_temp_object_t; -+ attribute sepgsql_client_type; -+ type sepgsql_trusted_proc_t; -+ type sepgsql_ranged_proc_t; - ') - -- ######################################## -- # -- # Declarations -- # -- - typeattribute $2 sepgsql_client_type; - role $1 types sepgsql_trusted_proc_t; - role $1 types sepgsql_ranged_proc_t; -- -- ############################## -- # -- # Client local policy -- # -- -- tunable_policy(`sepgsql_enable_users_ddl',` -- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; -- allow $2 user_sepgsql_table_t:db_table { create drop setattr }; -- allow $2 user_sepgsql_table_t:db_column { create drop setattr }; -- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; -- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; -- allow $2 user_sepgsql_view_t:db_view { create drop setattr }; -- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; -- ') -- -- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; -- 
type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; -- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; -- -- allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; -- allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; -- allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; -- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; -- -- allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; -- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; -- -- allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; -- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; -- -- allow $2 user_sepgsql_view_t:db_view { getattr expand }; -- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; -- -- allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; -- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; -- -- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; -- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; -- -- allow $2 sepgsql_ranged_proc_t:process transition; -- type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; -- allow sepgsql_ranged_proc_t $2:process dyntransition; -- -- allow $2 sepgsql_trusted_proc_t:process transition; -- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - ') - - ######################################## -@@ -312,7 +243,7 @@ interface(`postgresql_search_db',` - type postgresql_db_t; - ') - -- allow $1 postgresql_db_t:dir search; -+ allow $1 postgresql_db_t:dir search_dir_perms; - ') - - ######################################## -@@ -324,14 +255,16 @@ interface(`postgresql_search_db',` - ## Domain allowed access. 
- ## - ## -+# - interface(`postgresql_manage_db',` - gen_require(` - type postgresql_db_t; - ') - -- allow $1 postgresql_db_t:dir rw_dir_perms; -- allow $1 postgresql_db_t:file rw_file_perms; -- allow $1 postgresql_db_t:lnk_file { getattr read }; -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t) -+ manage_files_pattern($1, postgresql_db_t, postgresql_db_t) -+ manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t) - ') - - ######################################## -@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',` - - ###################################### - ## -+## Execute Postgresql in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postgresql_exec',` -+ gen_require(` -+ type postgresql_exec_t; -+ ') -+ -+ can_exec($1, postgresql_exec_t) -+') -+ -+###################################### -+## - ## Allow domain to signal postgresql - ## - ## -@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',` - ## Domain allowed access. - ##
    - ## --## - # - interface(`postgresql_stream_connect',` - gen_require(` -@@ -432,6 +382,7 @@ interface(`postgresql_stream_connect',` - - files_search_pids($1) - files_search_tmp($1) -+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) - ') - - ######################################## -@@ -447,83 +398,10 @@ interface(`postgresql_stream_connect',` - # - interface(`postgresql_unpriv_client',` - gen_require(` -- class db_database all_db_database_perms; -- class db_schema all_db_schema_perms; -- class db_table all_db_table_perms; -- class db_sequence all_db_sequence_perms; -- class db_view all_db_view_perms; -- class db_procedure all_db_procedure_perms; -- class db_language all_db_language_perms; -- class db_column all_db_column_perms; -- class db_tuple all_db_tuple_perms; -- class db_blob all_db_blob_perms; -- - attribute sepgsql_client_type; -- attribute sepgsql_database_type, sepgsql_schema_type; -- attribute sepgsql_sysobj_table_type; -- -- type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t; -- type sepgsql_temp_object_t; -- type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; -- type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; -- type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; -- type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; -- type unpriv_sepgsql_view_t; - ') - -- ######################################## -- # -- # Declarations -- # -- - typeattribute $1 sepgsql_client_type; -- -- ######################################## -- # -- # Client local policy -- # -- -- type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; -- allow $1 sepgsql_ranged_proc_t:process transition; -- allow sepgsql_ranged_proc_t $1:process dyntransition; -- -- type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; -- allow $1 sepgsql_trusted_proc_t:process transition; -- -- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr 
read write import export }; -- type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; -- -- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; -- type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; -- -- allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; -- type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; -- type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; -- -- allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; -- allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; -- allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; -- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; -- -- allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; -- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; -- -- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; -- type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; -- -- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; -- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; -- -- -- tunable_policy(`sepgsql_enable_users_ddl',` -- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; -- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; -- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; -- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; -- allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; -- allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; -- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; -- ') - ') - - ######################################## -@@ -547,6 +425,29 @@ interface(`postgresql_unconfined',` - - ######################################## - ## 
-+## Transition to postgresql named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postgresql_filetrans_named_content',` -+ gen_require(` -+ type postgresql_db_t; -+ type postgresql_log_t; -+ ') -+ -+ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql") -+ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres") -+ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql") -+ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile") -+ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log") -+') -+ -+######################################## -+## - ## All of the rules required to administrate an postgresql environment - ## - ## -@@ -563,35 +464,41 @@ interface(`postgresql_unconfined',` - # - interface(`postgresql_admin',` - gen_require(` -- attribute sepgsql_admin_type; -- attribute sepgsql_client_type; -- -- type postgresql_t, postgresql_var_run_t; -- type postgresql_tmp_t, postgresql_db_t; -- type postgresql_etc_t, postgresql_log_t; -- type postgresql_initrc_exec_t; -+ attribute sepgsql_admin_type, sepgsql_client_type; -+ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; -+ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; -+ type postgresql_etc_t; - ') - - typeattribute $1 sepgsql_admin_type; - -- allow $1 postgresql_t:process { ptrace signal_perms }; -+ allow $1 postgresql_t:process signal_perms; - ps_process_pattern($1, postgresql_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postgresql_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, postgresql_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgresql_initrc_exec_t system_r; - allow $2 system_r; - -+ files_list_pids($1) - admin_pattern($1, postgresql_var_run_t) - -+ files_list_var_lib($1) - admin_pattern($1, postgresql_db_t) - -+ files_list_etc($1) - admin_pattern($1, postgresql_etc_t) - -+ logging_list_logs($1) - admin_pattern($1, postgresql_log_t) - -+ 
files_list_tmp($1) - admin_pattern($1, postgresql_tmp_t) - - postgresql_tcp_connect($1) - postgresql_stream_connect($1) -+ postgresql_filetrans_named_content($1) - ') -diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..3e23acb 100644 ---- a/policy/modules/services/postgresql.te -+++ b/policy/modules/services/postgresql.te -@@ -19,25 +19,32 @@ gen_require(` - # - - ## --##

    --## Allow unprived users to execute DDL statement --##

    -+##

    -+## Allow postgresql to use ssh and rsync for point-in-time recovery -+##

    -+##
    -+gen_tunable(postgresql_can_rsync, false) -+ -+## -+##

    -+## Allow unprivileged users to execute DDL statement -+##

    - ##
    --gen_tunable(sepgsql_enable_users_ddl, false) -+gen_tunable(postgresql_selinux_users_ddl, true) - - ## - ##

    - ## Allow transmit client label to foreign database - ##

    - ##
    --gen_tunable(sepgsql_transmit_client_label, false) -+gen_tunable(postgresql_selinux_transmit_client_label, false) - - ## - ##

    - ## Allow database admins to execute DML statement - ##

    - ##
    --gen_tunable(sepgsql_unconfined_dbadm, false) -+gen_tunable(postgresql_selinux_unconfined_dbadm, true) - - type postgresql_t; - type postgresql_exec_t; -@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; - allow postgresql_t self:unix_dgram_socket create_socket_perms; - allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow postgresql_t self:netlink_selinux_socket create_socket_perms; --tunable_policy(`sepgsql_transmit_client_label',` -+ -+tunable_policy(`postgresql_selinux_transmit_client_label',` - allow postgresql_t self:process { setsockcreate }; - ') - -@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) - manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) - manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) - manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) --files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) -+postgresql_filetrans_named_content(postgresql_t) - - allow postgresql_t postgresql_etc_t:dir list_dir_perms; - read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) - read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) - --allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; -+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; - can_exec(postgresql_t, postgresql_exec_t ) - - allow postgresql_t postgresql_lock_t:file manage_file_perms; - files_lock_filetrans(postgresql_t, postgresql_lock_t, file) - -+manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) - manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) - logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) - -@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t) - kernel_read_all_sysctls(postgresql_t) - kernel_read_proc_symlinks(postgresql_t) - 
--corenet_all_recvfrom_unlabeled(postgresql_t) - corenet_all_recvfrom_netlabel(postgresql_t) - corenet_tcp_sendrecv_generic_if(postgresql_t) - corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) - domain_use_interactive_fds(postgresql_t) - - files_dontaudit_search_home(postgresql_t) --files_manage_etc_files(postgresql_t) --files_search_etc(postgresql_t) -+files_read_etc_files(postgresql_t) - files_read_etc_runtime_files(postgresql_t) - files_read_usr_files(postgresql_t) - -@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) - logging_send_syslog_msg(postgresql_t) - logging_send_audit_msgs(postgresql_t) - --miscfiles_read_localization(postgresql_t) - - seutil_libselinux_linked(postgresql_t) - seutil_read_default_contexts(postgresql_t) -@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t) - userdom_dontaudit_use_user_terminals(postgresql_t) - - optional_policy(` -+ ccs_read_config(postgresql_t) -+') -+ -+optional_policy(` - mta_getattr_spool(postgresql_t) - ') - --tunable_policy(`allow_execmem',` -+optional_policy(` -+ rhcs_manage_cluster_pid_files(postgresql_t) -+') -+ -+tunable_policy(`deny_execmem',`',` - allow postgresql_t self:process execmem; - ') - -@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin - # It is always allowed to operate temporary objects for any database client. - allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; - --# Note that permission of creation/deletion are eventually controlled by --# create or drop permission of individual objects within shared schemas. --# So, it just allows to create/drop user specific types. 
--tunable_policy(`sepgsql_enable_users_ddl',` -+############################## -+# -+# Client local policy -+# -+allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; -+type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t; -+type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; -+ -+allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock }; -+allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert }; -+allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete }; -+type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t; -+ -+allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select }; -+type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; -+ -+allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; -+type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t; -+ -+allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand }; -+type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t; -+ -+allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute }; -+type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; -+ -+allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; -+type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t; -+ -+allow sepgsql_client_type sepgsql_ranged_proc_t:process transition; -+type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; -+allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition; -+ -+allow sepgsql_client_type 
sepgsql_trusted_proc_t:process transition; -+type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; -+ -+tunable_policy(`postgresql_selinux_users_ddl',` -+ allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr }; -+ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr }; -+ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr }; -+ allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete }; -+ allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; -+ allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr }; -+ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; -+ # Note that permission of creation/deletion are eventually controlled by -+ # create or drop permission of individual objects within shared schemas. -+ # So, it just allows to create/drop user specific types. 
- allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; - ') - -@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; - - kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) - --tunable_policy(`sepgsql_unconfined_dbadm',` -+tunable_policy(`postgresql_selinux_unconfined_dbadm',` - allow sepgsql_admin_type sepgsql_database_type:db_database *; - - allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; - allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; - - kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) -+ -+optional_policy(` -+ tunable_policy(`postgresql_can_rsync',` -+ rsync_exec(postgresql_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`postgresql_can_rsync',` -+ ssh_exec(postgresql_t) -+ ssh_read_user_home_files(postgresql_t) -+ corenet_tcp_connect_ssh_port(postgresql_t) -+ ') -+') -diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..5c271ce 100644 ---- a/policy/modules/services/ssh.fc -+++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,41 @@ - HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) -+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) - --/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) --/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -+/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/one/\.ssh(/.*)? 
gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+ -+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) -+ -+/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) -+/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -+/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0) - - /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) - /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) - /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) - - /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) -+/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) -+/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0) - -+/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) - /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) - - /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) -+/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) -+/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) - - /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) -+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) -+ -+/root/\.ssh(/.*)? 
gen_context(system_u:object_r:ssh_home_t,s0) -+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) -diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..c0413e8 100644 ---- a/policy/modules/services/ssh.if -+++ b/policy/modules/services/ssh.if -@@ -32,10 +32,11 @@ - ## - # - template(`ssh_basic_client_template',` -- - gen_require(` - attribute ssh_server; - type ssh_exec_t, sshd_key_t, sshd_tmp_t; -+ type ssh_keysign_exec_t, ssh_keysign_t; -+ type ssh_home_t; - ') - - ############################## -@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` - application_domain($1_ssh_t, ssh_exec_t) - role $3 types $1_ssh_t; - -- type $1_ssh_home_t; -- files_type($1_ssh_home_t) -- typealias $1_ssh_home_t alias $1_home_ssh_t; -- - ############################## - # - # Client local policy -@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` - # or "regular" (not special like sshd_extern_t) servers - allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; - -+ # derived domain can execute ssh-keysign -+ domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -+ role $3 types ssh_keysign_t; -+ - # allow ps to show ssh - ps_process_pattern($2, $1_ssh_t) - - # user can manage the keys and config -- manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) -- manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) -- manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) -+ manage_files_pattern($2, ssh_home_t, ssh_home_t) -+ manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) -+ manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) - - # ssh client can manage the keys and config -- manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) -- read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) -+ manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) -+ read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) - - # ssh servers can read the user keys and config -- allow ssh_server 
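Review bot: Most of the new `/var/lib/<name>/\.ssh(/.*)?` entries (amanda, gitolite, gitolite3, nocpulse, one, pgsql) are already covered by the generic `/var/lib/[^/]+/\.ssh(/.*)?` line added just above them with the same label, so they only add maintenance surface; the openshift and stickshift entries with a second path component are the ones the generic pattern does not reach. Either drop the redundant lines or add a comment explaining why the explicit forms are kept. Separately, `/usr/lib/systemd/system/sshd.*` also matches the sshd-keygen unit that the next line labels differently; presumably the longer literal stem of `sshd-keygen.*` wins during labelling, but a one-line comment noting that reliance would help.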
$1_ssh_home_t:dir list_dir_perms; -- read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) -- read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) -+ allow ssh_server ssh_home_t:dir list_dir_perms; -+ read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -+ read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - - kernel_read_kernel_sysctls($1_ssh_t) - kernel_read_system_state($1_ssh_t) - -- corenet_all_recvfrom_unlabeled($1_ssh_t) - corenet_all_recvfrom_netlabel($1_ssh_t) - corenet_tcp_sendrecv_generic_if($1_ssh_t) - corenet_tcp_sendrecv_generic_node($1_ssh_t) - corenet_tcp_sendrecv_all_ports($1_ssh_t) - corenet_tcp_connect_ssh_port($1_ssh_t) - corenet_sendrecv_ssh_client_packets($1_ssh_t) -+ corenet_tcp_bind_generic_node($1_ssh_t) -+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t) - - dev_read_urand($1_ssh_t) - -@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',` - logging_send_syslog_msg($1_ssh_t) - logging_read_generic_logs($1_ssh_t) - -- miscfiles_read_localization($1_ssh_t) - - seutil_read_config($1_ssh_t) - -@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',` - ') - ') - -+###################################### -+## -+## The template to define a domain to which sshd dyntransition. -+## -+## -+## -+## The prefix of the dyntransition domain -+## -+## -+# -+template(`ssh_dyntransition_domain_template',` -+ gen_require(` -+ attribute ssh_dyntransition_domain; -+ ') -+ -+ type $1, ssh_dyntransition_domain; -+ domain_type($1) -+ role system_r types $1; -+ -+ optional_policy(` -+ ssh_dyntransition_to($1) -+ ') -+') - ####################################### - ## - ## The template to define a ssh server. 
-@@ -168,7 +192,7 @@ template(`ssh_basic_client_template',` - ## - ## - # --template(`ssh_server_template', ` -+template(`ssh_server_template',` - type $1_t, ssh_server; - auth_login_pgm_domain($1_t) - -@@ -181,16 +205,18 @@ template(`ssh_server_template', ` - type $1_var_run_t; - files_pid_file($1_var_run_t) - -- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; - allow $1_t self:fifo_file rw_fifo_file_perms; -- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; -+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; -+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto }; - # ssh agent connections: - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:shm create_shm_perms; - -- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; -+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; - term_create_pty($1_t, $1_devpts_t) - - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -@@ -206,6 +232,7 @@ template(`ssh_server_template', ` - - kernel_read_kernel_sysctls($1_t) - kernel_read_network_state($1_t) -+ kernel_request_load_module($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) -@@ -220,10 +247,13 @@ template(`ssh_server_template', ` - corenet_tcp_bind_generic_node($1_t) - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_ssh_port($1_t) -- corenet_tcp_connect_all_ports($1_t) - 
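Review bot: The two `allow $1_t self:process { ... }` lines added in the `@@ -181,16 +205,18 @@` hunk grant the identical set `{ getcap signal getsched setsched setrlimit setexec }`, so one of them should be dropped; the same duplication appears in the `@@ -220,10 +247,13 @@` hunk, where `corenet_sendrecv_ssh_server_packets($1_t)` is re-added directly under the existing context line with only a `# -R qualifier` comment, which reads as if a different interface was intended. The capability line now adds `sys_admin` next to `net_admin`; `net_admin` is justified by the tun/tap comment below it, `sys_admin` gets no justification and is the broadest capability in the set, so a comment naming the sshd feature that needs it, or its removal if none does, is warranted. Dropping `setkeycreate` from the process permissions is likewise unexplained. The `ssh_server_template` body begins and ends outside these hunks.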
corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier -+ corenet_sendrecv_ssh_server_packets($1_t) -+ # tunnel feature and -w (net_admin capability also) -+ corenet_rw_tun_tap_dev($1_t) - -- fs_dontaudit_getattr_all_fs($1_t) -+ fs_getattr_all_fs($1_t) - - auth_rw_login_records($1_t) - auth_rw_faillog($1_t) -@@ -234,6 +264,7 @@ template(`ssh_server_template', ` - corecmd_getattr_bin_files($1_t) - - domain_interactive_fd($1_t) -+ domain_dyntrans_type($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) -@@ -241,35 +272,33 @@ template(`ssh_server_template', ` - - logging_search_logs($1_t) - -- miscfiles_read_localization($1_t) -- -- userdom_create_all_users_keys($1_t) - userdom_dontaudit_relabelfrom_user_ptys($1_t) -- userdom_search_user_home_dirs($1_t) -+ userdom_read_user_home_content_files($1_t) - - # Allow checking users mail at login - optional_policy(` - mta_getattr_spool($1_t) - ') - -- tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files($1_t) -- fs_read_nfs_symlinks($1_t) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files($1_t) -- ') -+ userdom_home_manager($1_t) - - optional_policy(` - kerberos_use($1_t) -- kerberos_manage_host_rcache($1_t) -+ #kerberos_manage_host_rcache($1_t) - ') - - optional_policy(` - files_read_var_lib_symlinks($1_t) - nx_spec_domtrans_server($1_t) - ') -+ -+ optional_policy(` -+ rlogin_read_home_content($1_t) -+ ') -+ -+ optional_policy(` -+ shutdown_getattr_exec_files($1_t) -+ ') - ') - - ######################################## -@@ -292,14 +321,15 @@ template(`ssh_server_template', ` - ## User domain for the role - ##
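Review bot: `#kerberos_manage_host_rcache($1_t)` leaves a commented-out rule inside the kerberos `optional_policy` block of `ssh_server_template`; a disabled rule with no reason becomes dead policy that the next maintainer cannot judge. Either delete the line or replace it with a why-comment such as `# rcache management deliberately not granted to the server: <reason>`. The template body continues outside this hunk.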
    - ## -+## - # - template(`ssh_role_template',` - gen_require(` - attribute ssh_server, ssh_agent_type; -- - type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; - type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; - type ssh_agent_tmp_t; -+ type cache_home_t; - ') - - ############################## -@@ -328,103 +358,56 @@ template(`ssh_role_template',` - - # allow ps to show ssh - ps_process_pattern($3, ssh_t) -- allow $3 ssh_t:process signal; -+ allow $3 ssh_t:process signal_perms; - - # for rsync - allow ssh_t $3:unix_stream_socket rw_socket_perms; - allow ssh_t $3:unix_stream_socket connectto; -+ allow ssh_t $3:key manage_key_perms; -+ allow $3 ssh_t:key read; - - # user can manage the keys and config - manage_files_pattern($3, ssh_home_t, ssh_home_t) - manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) - manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1_t) -+ userdom_manage_tmp_role($2, ssh_t) - - ############################## - # - # SSH agent local policy - # - -- allow $1_ssh_agent_t self:process setrlimit; -- allow $1_ssh_agent_t self:capability setgid; -- - allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; - - allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -- manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) -- manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) -- files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) -- - # for ssh-add - stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) -+ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t) - - # Allow the user shell to signal the ssh program. 
-- allow $3 $1_ssh_agent_t:process signal; -+ allow $3 $1_ssh_agent_t:process signal_perms; - - # allow ps to show ssh - ps_process_pattern($3, $1_ssh_agent_t) - - domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) - -- kernel_read_kernel_sysctls($1_ssh_agent_t) -- -- dev_read_urand($1_ssh_agent_t) -- dev_read_rand($1_ssh_agent_t) -- -- fs_search_auto_mountpoints($1_ssh_agent_t) -+ kernel_read_system_state($1_ssh_agent_t) - - # transition back to normal privs upon exec - corecmd_shell_domtrans($1_ssh_agent_t, $3) - corecmd_bin_domtrans($1_ssh_agent_t, $3) - -- domain_use_interactive_fds($1_ssh_agent_t) -- -- files_read_etc_files($1_ssh_agent_t) -- files_read_etc_runtime_files($1_ssh_agent_t) -- files_search_home($1_ssh_agent_t) -- -- libs_read_lib_files($1_ssh_agent_t) -+ auth_use_nsswitch($1_ssh_agent_t) - - logging_send_syslog_msg($1_ssh_agent_t) - -- miscfiles_read_localization($1_ssh_agent_t) -- miscfiles_read_generic_certs($1_ssh_agent_t) -- -- seutil_dontaudit_read_config($1_ssh_agent_t) -- -- # Write to the user domain tty. 
-- userdom_use_user_terminals($1_ssh_agent_t) -- -- # for the transition back to normal privs upon exec -- userdom_search_user_home_content($1_ssh_agent_t) - userdom_user_home_domtrans($1_ssh_agent_t, $3) -- allow $3 $1_ssh_agent_t:fd use; -- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; -- allow $3 $1_ssh_agent_t:process sigchld; -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files($1_ssh_agent_t) -- -- # transition back to normal privs upon exec -- fs_nfs_domtrans($1_ssh_agent_t, $3) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files($1_ssh_agent_t) -- -- # transition back to normal privs upon exec -- fs_cifs_domtrans($1_ssh_agent_t, $3) -- ') -- -- optional_policy(` -- nis_use_ypbind($1_ssh_agent_t) -- ') -+ userdom_home_manager($1_ssh_agent_t) - -- optional_policy(` -- xserver_use_xdm_fds($1_ssh_agent_t) -- xserver_rw_xdm_pipes($1_ssh_agent_t) -- ') -+ ssh_exec_keygen($3) - ') - - ######################################## -@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',` - type sshd_t; - ') - -- allow $1 sshd_t:fifo_file { getattr read }; -+ allow $1 sshd_t:fifo_file read_fifo_file_perms; - ') -+ -+###################################### -+## -+## Read and write ssh server unix dgram sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_rw_dgram_sockets',` -+ gen_require(` -+ type sshd_t; -+ ') -+ -+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; -+') -+ - ######################################## - ## - ## Read and write a ssh server unnamed pipe. -@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',` - type sshd_t; - ') - -- allow $1 sshd_t:fifo_file { write read getattr ioctl }; -+ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -605,6 +607,24 @@ interface(`ssh_domtrans',` - - ######################################## - ## -+## Execute sshd server in the sshd domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`ssh_initrc_domtrans',` -+ gen_require(` -+ type sshd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, sshd_initrc_exec_t) -+') -+ -+######################################## -+## - ## Execute the ssh client in the caller domain. - ## - ## -@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',` - type sshd_key_t; - ') - -- allow $1 sshd_key_t:file setattr; -+ allow $1 sshd_key_t:file setattr_file_perms; - files_search_pids($1) - ') - -@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',` - - ######################################## - ## -+## Getattr ssh home directory -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_getattr_user_home_dir',` -+ gen_require(` -+ type ssh_home_t; -+ ') -+ -+ allow $1 ssh_home_t:dir getattr; -+') -+ -+######################################## -+## -+## Dontaudit search ssh home directory -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`ssh_dontaudit_search_user_home_dir',` -+ gen_require(` -+ type ssh_home_t; -+ ') -+ -+ dontaudit $1 ssh_home_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Read ssh home directory content - ## - ## -@@ -701,6 +757,50 @@ interface(`ssh_domtrans_keygen',` - - ######################################## - ## -+## Execute the ssh key generator in the caller domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ssh_exec_keygen',` -+ gen_require(` -+ type ssh_keygen_exec_t; -+ ') -+ -+ can_exec($1, ssh_keygen_exec_t) -+') -+ -+####################################### -+## -+## Execute ssh-keygen in the iptables domain, and -+## allow the specified role the ssh-keygen domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# -+interface(`ssh_run_keygen',` -+ gen_require(` -+ type ssh_keygen_t; -+ ') -+ -+ role $2 types ssh_keygen_t; -+ ssh_domtrans_keygen($1) -+') -+ -+######################################## -+## - ## Read ssh server keys - ## - ## -@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',` - type sshd_key_t; - ') - -- dontaudit $1 sshd_key_t:file { getattr read }; -+ dontaudit $1 sshd_key_t:file read_file_perms; -+') -+ -+###################################### -+## -+## Append ssh home directory content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_append_home_files',` -+ gen_require(` -+ type ssh_home_t; -+ ') -+ -+ append_files_pattern($1, ssh_home_t, ssh_home_t) -+ userdom_search_user_home_dirs($1) - ') - - ###################################### -@@ -754,3 +873,150 @@ interface(`ssh_delete_tmp',` - files_search_tmp($1) - delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) - ') -+ -+##################################### -+## -+## Allow domain dyntransition to chroot_user_t domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_dyntransition_to',` -+ gen_require(` -+ type sshd_t; -+ ') -+ -+ allow sshd_t $1:process dyntransition; -+ allow $1 sshd_t:process sigchld; -+ allow sshd_t $1:process { getattr sigkill sigstop signull signal }; -+') -+ -+######################################## -+## -+## Create .ssh directory in the /root directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_filetrans_admin_home_content',` -+ gen_require(` -+ type ssh_home_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh") -+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") -+') -+ -+######################################## -+## -+## Create .ssh directory in the user home directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. 
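Review bot: `ssh_run_keygen` is documented as "Execute ssh-keygen in the iptables domain", a copy-paste leftover; it should read `## Execute ssh-keygen in the ssh_keygen domain, and allow the specified role the ssh_keygen domain.` Likewise `ssh_exec_keygen` only calls `can_exec`, so its parameter summary should say `Domain allowed access.` rather than "Domain allowed to transition". The `@@ -754,3 +873,150 @@` hunk below has the same class of defect: `ssh_filetrans_keys` is described as creating `.ssh` in the user home directory while it creates host key files under /etc, `ssh_use_ptys` is an allow rule whose parameter says "Domain to not audit", and `ssh_systemctl` is summarised as "Execute sshd server in the sshd domain" although it manages the sshd unit. Interface doc blocks are what policy users and tooling read, so these inaccuracies propagate.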
-+## -+## -+# -+interface(`ssh_filetrans_home_content',` -+ -+ gen_require(` -+ type ssh_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh") -+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") -+ files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh") -+') -+ -+######################################## -+## -+## Create .ssh directory in the user home directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_filetrans_keys',` -+ -+ gen_require(` -+ type sshd_key_t; -+ ') -+ -+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key") -+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key") -+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key") -+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub") -+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub") -+ files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub") -+') -+ -+######################################## -+## -+## Do not audit attempts to read and -+## write the sshd pty type. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`ssh_dontaudit_use_ptys',` -+ gen_require(` -+ type sshd_devpts_t; -+ ') -+ -+ dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl }; -+') -+ -+######################################## -+## -+## Read and write inherited sshd pty type. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`ssh_use_ptys',` -+ gen_require(` -+ type sshd_devpts_t; -+ ') -+ -+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## -+## Execute sshd server in the sshd domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`ssh_systemctl',` -+ gen_require(` -+ type sshd_t; -+ type sshd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 sshd_unit_file_t:file manage_file_perms; -+ allow $1 sshd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, sshd_t) -+') -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..692569b 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3) - # - - ## --##
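Review bot: `allow $1 sshd_unit_file_t:file manage_file_perms;` in `ssh_systemctl` lets every caller create, write and delete the sshd unit file itself, not merely start or stop the service; since the unit file defines what runs as sshd, a domain that only needs service control would be over-privileged by it. If callers only need systemctl control, `allow $1 sshd_unit_file_t:file read_file_perms;` together with the existing `manage_service_perms` rule is the tighter grant; if some caller genuinely rewrites the unit, a comment should say which one. Also, `ssh_filetrans_keys` creates `.ssh_host_*` names under /etc via `files_etc_filetrans`, while the ssh.fc hunk labels `/etc/ssh/ssh_host.*_key` with no leading dot; if these are ssh-keygen's temporary files that is fine, but the interface comment should state it.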

    --## allow host key based authentication --##

    -+##

    -+## allow host key based authentication -+##

    -+##
    -+gen_tunable(ssh_keysign, false) -+ -+## -+##

    -+## Allow ssh logins as sysadm_r:sysadm_t -+##

    - ##
    --gen_tunable(allow_ssh_keysign, false) -+gen_tunable(ssh_sysadm_login, false) - - ## - ##

    --## Allow ssh logins as sysadm_r:sysadm_t -+## Allow ssh with chroot env to read and write files -+## in the user home directories - ##

    - ##
    --gen_tunable(ssh_sysadm_login, false) -+gen_tunable(ssh_chroot_rw_homedirs, false) - -+attribute ssh_dyntransition_domain; - attribute ssh_server; - attribute ssh_agent_type; - -+ssh_dyntransition_domain_template(chroot_user_t) -+ssh_dyntransition_domain_template(sshd_sandbox_t) -+ssh_dyntransition_domain_template(sshd_net_t) -+ - type ssh_keygen_t; - type ssh_keygen_exec_t; - init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) --role system_r types ssh_keygen_t; -+ -+type sshd_keygen_t; -+type sshd_keygen_exec_t; -+init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) -+ -+type sshd_keygen_unit_file_t; -+systemd_unit_file(sshd_keygen_unit_file_t) - - type sshd_exec_t; - corecmd_executable_file(sshd_exec_t) - - ssh_server_template(sshd) - init_daemon_domain(sshd_t, sshd_exec_t) -+mls_trusted_object(sshd_t) - --type sshd_key_t; --files_type(sshd_key_t) -+type sshd_initrc_exec_t; -+init_script_file(sshd_initrc_exec_t) - --type sshd_tmp_t; --files_tmp_file(sshd_tmp_t) --files_poly_parent(sshd_tmp_t) -+type sshd_unit_file_t; -+systemd_unit_file(sshd_unit_file_t) - --ifdef(`enable_mcs',` -- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) --') -+type sshd_key_t; -+files_type(sshd_key_t) - - type ssh_t; - type ssh_exec_t; -@@ -73,6 +91,11 @@ type ssh_home_t; - typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; - typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; - userdom_user_home_content(ssh_home_t) -+files_poly_parent(ssh_home_t) -+ -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) -+') - - ############################## - # -@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; - allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow ssh_t self:fd use; - allow ssh_t self:fifo_file rw_fifo_file_perms; -+allow ssh_t self:key 
manage_key_perms; - allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; - allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow ssh_t self:shm create_shm_perms; -@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms; - allow ssh_t self:msgq create_msgq_perms; - allow ssh_t self:msg { send receive }; - allow ssh_t self:tcp_socket create_stream_socket_perms; -+can_exec(ssh_t, ssh_exec_t) - - # Read the ssh key file. - allow ssh_t sshd_key_t:file read_file_perms; - --# Access the ssh temporary files. --allow ssh_t sshd_tmp_t:dir manage_dir_perms; --allow ssh_t sshd_tmp_t:file manage_file_perms; --files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir }) -- - manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) - manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) - manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } - - manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) - manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) --userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) -+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file) -+userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file) -+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh") -+userdom_read_all_users_keys(ssh_t) -+userdom_stream_connect(ssh_t) -+userdom_search_admin_dir(sshd_t) - - # Allow the ssh program to communicate with ssh-agent. 
- stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) - - allow ssh_t sshd_t:unix_stream_socket connectto; -+allow ssh_t sshd_t:peer recv; - - # ssh client can manage the keys and config - manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) - read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) - - # ssh servers can read the user keys and config --allow ssh_server ssh_home_t:dir list_dir_perms; --read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) --read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) -+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - - kernel_read_kernel_sysctls(ssh_t) - kernel_read_system_state(ssh_t) - --corenet_all_recvfrom_unlabeled(ssh_t) - corenet_all_recvfrom_netlabel(ssh_t) - corenet_tcp_sendrecv_generic_if(ssh_t) - corenet_tcp_sendrecv_generic_node(ssh_t) - corenet_tcp_sendrecv_all_ports(ssh_t) - corenet_tcp_connect_ssh_port(ssh_t) -+corenet_tcp_connect_all_unreserved_ports(ssh_t) - corenet_sendrecv_ssh_client_packets(ssh_t) -+corenet_tcp_bind_generic_node(ssh_t) -+#corenet_tcp_bind_all_unreserved_ports(ssh_t) -+corenet_rw_tun_tap_dev(ssh_t) - -+dev_read_rand(ssh_t) - dev_read_urand(ssh_t) - - fs_getattr_all_fs(ssh_t) -@@ -154,40 +183,46 @@ files_read_var_files(ssh_t) - logging_send_syslog_msg(ssh_t) - logging_read_generic_logs(ssh_t) - -+term_use_ptmx(ssh_t) -+ - auth_use_nsswitch(ssh_t) - --miscfiles_read_localization(ssh_t) -+miscfiles_read_generic_certs(ssh_t) - - seutil_read_config(ssh_t) - - userdom_dontaudit_list_user_home_dirs(ssh_t) - userdom_search_user_home_dirs(ssh_t) -+userdom_search_admin_dir(ssh_t) - # Write to the user domain tty. 
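Review bot: `manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)` and `manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)` replace the previous list/read-only access, so every `ssh_server` domain — sshd_t included — can now create, rewrite and delete `~/.ssh` content such as `authorized_keys` in any user's home. That turns a compromise of the server process into trivial persistence, and no comment says which feature needs the write access. If it is only directory creation, `create_dirs_pattern` plus the `ssh_filetrans_home_content` interface defined earlier in this patch would be far narrower; otherwise add a why-comment naming the feature. The commented-out `#corenet_tcp_bind_all_unreserved_ports(ssh_t)` is dead policy that looks like an active rule and should be dropped, and the unconditional `corenet_tcp_connect_all_unreserved_ports(ssh_t)` deserves a note on its purpose (presumably forwarding/proxy targets — confirm).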
--userdom_use_user_terminals(ssh_t) --# needs to read krb tgt -+userdom_use_inherited_user_terminals(ssh_t) -+# needs to read krb/write tgt - userdom_read_user_tmp_files(ssh_t) -- --tunable_policy(`allow_ssh_keysign',` -- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -- allow ssh_keysign_t ssh_t:fd use; -- allow ssh_keysign_t ssh_t:process sigchld; -- allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; -+userdom_write_user_tmp_files(ssh_t) -+userdom_read_user_home_content_symlinks(ssh_t) -+userdom_rw_inherited_user_home_content_files(ssh_t) -+userdom_read_home_certs(ssh_t) -+userdom_home_manager(ssh_t) -+ -+tunable_policy(`ssh_keysign',` -+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(ssh_t) -- fs_manage_nfs_files(ssh_t) -+# for port forwarding -+tunable_policy(`selinuxuser_tcp_server',` -+ corenet_tcp_bind_ssh_port(ssh_t) -+ corenet_tcp_bind_generic_node(ssh_t) -+ corenet_tcp_bind_all_unreserved_ports(ssh_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(ssh_t) -- fs_manage_cifs_files(ssh_t) -+ifdef(`enable_mcs',` -+ optional_policy(` -+ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh) -+ ') - ') - --# for port forwarding --tunable_policy(`user_tcp_server',` -- corenet_tcp_bind_ssh_port(ssh_t) -- corenet_tcp_bind_generic_node(ssh_t) -+optional_policy(` -+ gnome_stream_connect_gkeyringd(ssh_t) - ') - - optional_policy(` -@@ -195,6 +230,7 @@ optional_policy(` - xserver_domtrans_xauth(ssh_t) - ') - -+ - ############################## - # - # ssh_keysign_t local policy -@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; - allow ssh_keysign_t sshd_key_t:file { getattr read }; - - dev_read_urand(ssh_keysign_t) -+dev_read_rand(ssh_keysign_t) - - files_read_etc_files(ssh_keysign_t) - -@@ -223,33 +260,54 @@ optional_policy(` - # so a tunnel can point to another ssh tunnel - allow sshd_t 
self:netlink_route_socket r_netlink_socket_perms; - allow sshd_t self:key { search link write }; -- --manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) --manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) --manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) --files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) -+allow sshd_t self:process setcurrent; - - kernel_search_key(sshd_t) - kernel_link_key(sshd_t) - -+files_search_all(sshd_t) -+ -+fs_search_cgroup_dirs(sshd_t) -+fs_rw_cgroup_files(sshd_t) -+ - term_use_all_ptys(sshd_t) - term_setattr_all_ptys(sshd_t) -+term_setattr_all_ttys(sshd_t) - term_relabelto_all_ptys(sshd_t) -+term_use_ptmx(sshd_t) - - # for X forwarding - corenet_tcp_bind_xserver_port(sshd_t) -+corenet_tcp_bind_vnc_port(sshd_t) - corenet_sendrecv_xserver_server_packets(sshd_t) - -+auth_exec_login_program(sshd_t) -+ -+userdom_read_user_home_content_files(sshd_t) -+userdom_read_user_home_content_symlinks(sshd_t) -+userdom_manage_tmp_role(system_r, sshd_t) -+userdom_spec_domtrans_unpriv_users(sshd_t) -+userdom_signal_unpriv_users(sshd_t) -+userdom_dyntransition_unpriv_users(sshd_t) -+ - tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. 
- # some versions of sshd on the new SE Linux require setattr -- userdom_spec_domtrans_all_users(sshd_t) - userdom_signal_all_users(sshd_t) --',` -- userdom_spec_domtrans_unpriv_users(sshd_t) -- userdom_signal_unpriv_users(sshd_t) -+ userdom_spec_domtrans_all_users(sshd_t) -+ userdom_dyntransition_admin_users(sshd_t) -+') -+ -+optional_policy(` -+ amanda_search_var_lib(sshd_t) -+') -+ -+optional_policy(` -+ condor_rw_lib_files(sshd_t) -+ condor_rw_tcp_sockets_startd(sshd_t) -+ condor_rw_tcp_sockets_schedd(sshd_t) - ') - - optional_policy(` -@@ -257,11 +315,28 @@ optional_policy(` - ') - - optional_policy(` -+ kerberos_keytab_template(sshd, sshd_t) -+') -+ -+optional_policy(` -+ ftp_dyntrans_sftpd(sshd_t) -+ ftp_dyntrans_anon_sftpd(sshd_t) -+') -+ -+optional_policy(` -+ gitosis_manage_lib_files(sshd_t) -+') -+ -+optional_policy(` - inetd_tcp_service_domain(sshd_t, sshd_exec_t) - ') - - optional_policy(` -- kerberos_keytab_template(sshd, sshd_t) -+ lvm_domtrans(sshd_t) -+') -+ -+optional_policy(` -+ nx_read_home_files(sshd_t) - ') - - optional_policy(` -@@ -269,6 +344,10 @@ optional_policy(` - ') - - optional_policy(` -+ munin_read_var_lib_files(sshd_t) -+') -+ -+optional_policy(` - rpm_use_script_fds(sshd_t) - ') - -@@ -279,13 +358,93 @@ optional_policy(` - ') - - optional_policy(` -+ rsync_read_data(sshd_t) -+') -+ -+optional_policy(` -+ systemd_exec_systemctl(sshd_t) -+') -+ -+optional_policy(` -+ usermanage_domtrans_passwd(sshd_t) -+ usermanage_read_crack_db(sshd_t) -+') -+ -+optional_policy(` -+ openshift_dyntransition(sshd_t) -+ openshift_transition(sshd_t) -+ openshift_manage_tmp_files(sshd_t) -+ openshift_manage_tmp_sockets(sshd_t) -+ openshift_mounton_tmp(sshd_t) -+ openshift_read_lib_files(sshd_t) -+') -+ -+optional_policy(` -+ postgresql_search_db(sshd_t) -+') -+ -+optional_policy(` - unconfined_shell_domtrans(sshd_t) - ') - - optional_policy(` -+ kernel_write_proc_files(sshd_t) -+ virt_transition_svirt_sandbox(sshd_t, system_r) -+ 
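Review bot: `allow sshd_t self:process setcurrent;` combined with `userdom_dyntransition_unpriv_users(sshd_t)` (and `userdom_dyntransition_admin_users(sshd_t)` under `ssh_sysadm_login`) lets sshd move into any unprivileged user domain via setcon() without an exec, so there is no entrypoint-file check on that path and a compromised sshd_t can pick its target domain freely. That is a deliberate weakening compared with the exec-based `userdom_spec_domtrans_*` rules that remain, and nothing in the hunk says why it is needed — presumably for in-process session types that never exec (internal-sftp / ChrootDirectory), but confirm. A comment on the rule, `# setcon() transition for sessions that never exec (internal-sftp/chroot); exec-based domtrans remains the default path`, would record the trade-off. The block comment starting `# Relabel and access ptys created by sshd` inside the tunable now describes none of the three rules beneath it and should be removed or reworded. `files_search_all(sshd_t)` and `fs_rw_cgroup_files(sshd_t)` likewise arrive without a why.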
virt_stream_connect_sandbox(sshd_t) -+ virt_stream_connect(sshd_t) -+') -+ -+optional_policy(` - xserver_domtrans_xauth(sshd_t) - ') - -+ifdef(`TODO',` -+ tunable_policy(`ssh_sysadm_login',` -+ # Relabel and access ptys created by sshd -+ # ioctl is necessary for logout() processing for utmp entry and for w to -+ # display the tty. -+ # some versions of sshd on the new SE Linux require setattr -+ allow sshd_t ptyfile:chr_file relabelto; -+ -+ optional_policy(` -+ domain_trans(sshd_t, xauth_exec_t, userdomain) -+ ') -+ ',` -+ optional_policy(` -+ domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) -+ ') -+ # Relabel and access ptys created by sshd -+ # ioctl is necessary for logout() processing for utmp entry and for w to -+ # display the tty. -+ # some versions of sshd on the new SE Linux require setattr -+ allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; -+ ') -+') dnl endif TODO -+ -+######################################## -+# -+# sshd-keygen local policy -+# -+ -+allow sshd_keygen_t self:capability { chown fsetid }; -+allow sshd_keygen_t self:fifo_file rw_fifo_file_perms; -+allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow sshd_keygen_t sshd_key_t:file manage_file_perms; -+ -+kernel_read_system_state(sshd_keygen_t) -+ -+corecmd_exec_bin(sshd_keygen_t) -+ -+auth_read_passwd(sshd_keygen_t) -+ -+files_rw_etc_dirs(sshd_keygen_t) -+ -+#run restorecon -+seutil_domtrans_setfiles(sshd_keygen_t) -+ -+ssh_domtrans_keygen(sshd_keygen_t) -+ - ######################################## - # - # ssh_keygen local policy -@@ -294,19 +453,29 @@ optional_policy(` - # ssh_keygen_t is the type of the ssh-keygen program when run at install time - # and by sysadm_t - -+allow ssh_keygen_t self:capability dac_override; - dontaudit ssh_keygen_t self:capability sys_tty_config; - allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; -- - allow ssh_keygen_t self:unix_stream_socket 
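Review bot: `kernel_write_proc_files(sshd_t)` is placed inside the `optional_policy` block that starts with `virt_transition_svirt_sandbox`, so a kernel-layer permission is granted only when the virt module is installed and silently disappears otherwise; nothing in the hunk ties writing proc files to svirt. Move it to the unconditional sshd_t section, or add a comment naming the svirt path that needs it. The entire `ifdef(`TODO',` ... `') dnl endif TODO` block is dead: `TODO` is never defined, so none of those rules are compiled, and the stale pty/xauth rules inside it only mislead readers; delete it or turn it into a tracked note. In the new sshd-keygen policy, `seutil_domtrans_setfiles(sshd_keygen_t)` hands the key generator a transition into the relabeling domain; the `#run restorecon` comment is good, but it should also state that the relabel is expected to be limited to the generated host-key files.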
create_stream_socket_perms; - - allow ssh_keygen_t sshd_key_t:file manage_file_perms; - files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) - -+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) -+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) -+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) -+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) -+ -+kernel_read_system_state(ssh_keygen_t) - kernel_read_kernel_sysctls(ssh_keygen_t) - -+corecmd_exec_shell(ssh_keygen_t) -+corecmd_exec_bin(ssh_keygen_t) -+ - fs_search_auto_mountpoints(ssh_keygen_t) - - dev_read_sysfs(ssh_keygen_t) -+dev_read_rand(ssh_keygen_t) - dev_read_urand(ssh_keygen_t) - - term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t) - logging_send_syslog_msg(ssh_keygen_t) - - userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -+userdom_use_user_terminals(ssh_keygen_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files(ssh_keygen_t) -+ fs_manage_nfs_dirs(ssh_keygen_t) -+') - - optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +506,140 @@ optional_policy(` - optional_policy(` - udev_read_db(ssh_keygen_t) - ') -+ -+#################################### -+# -+# ssh_dyntransition domain local policy -+# -+ -+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; -+allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms; -+ -+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; -+allow ssh_dyntransition_domain sshd_t:fd use; -+ -+optional_policy(` -+ ssh_rw_stream_sockets(ssh_dyntransition_domain) -+ ssh_rw_tcp_sockets(ssh_dyntransition_domain) -+') -+ -+##################################### -+# -+# ssh_sandbox local policy -+# -+ -+allow sshd_t sshd_sandbox_t:process signal; -+ -+init_ioctl_stream_sockets(sshd_sandbox_t) -+ -+logging_send_audit_msgs(sshd_sandbox_t) -+ -+##################################### -+# -+# sshd [net] child local 
policy -+# -+ -+allow sshd_t sshd_net_t:process signal; -+ -+allow sshd_net_t self:process setrlimit; -+ -+init_ioctl_stream_sockets(sshd_net_t) -+ -+logging_send_audit_msgs(sshd_net_t) -+ -+ -+###################################### -+# -+# chroot_user_t local policy -+# -+allow chroot_user_t self:fifo_file rw_fifo_file_perms; -+allow chroot_user_t self:unix_dgram_socket create_socket_perms; -+ -+corecmd_exec_shell(chroot_user_t) -+ -+term_search_ptys(chroot_user_t) -+term_use_ptmx(chroot_user_t) -+ -+fs_getattr_all_fs(chroot_user_t) -+ -+userdom_read_user_home_content_files(chroot_user_t) -+userdom_read_inherited_user_home_content_files(chroot_user_t) -+userdom_read_user_home_content_symlinks(chroot_user_t) -+userdom_exec_user_home_content_files(chroot_user_t) -+userdom_use_inherited_user_ptys(chroot_user_t) -+ -+tunable_policy(`ssh_chroot_rw_homedirs',` -+ files_list_home(chroot_user_t) -+ userdom_manage_user_home_content_files(chroot_user_t) -+ userdom_manage_user_home_content_symlinks(chroot_user_t) -+ userdom_manage_user_home_content_pipes(chroot_user_t) -+ userdom_manage_user_home_content_sockets(chroot_user_t) -+ userdom_manage_user_home_content_dirs(chroot_user_t) -+') -+ -+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(chroot_user_t) -+ fs_manage_nfs_files(chroot_user_t) -+ fs_manage_nfs_symlinks(chroot_user_t) -+') -+ -+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',` -+ fs_manage_cifs_dirs(chroot_user_t) -+ fs_manage_cifs_files(chroot_user_t) -+ fs_manage_cifs_symlinks(chroot_user_t) -+') -+ -+tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` -+ fs_manage_fusefs_dirs(chroot_user_t) -+ fs_manage_fusefs_files(chroot_user_t) -+ fs_manage_fusefs_symlinks(chroot_user_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files(chroot_user_t) -+ fs_read_cifs_symlinks(chroot_user_t) -+') -+ -+userdom_home_manager(chroot_user_t) -+ -+optional_policy(` -+ 
ssh_rw_dgram_sockets(chroot_user_t) -+') -+ -+###################################### -+# -+# ssh_agent_type common policy local policy -+# -+allow ssh_agent_type self:process setrlimit; -+allow ssh_agent_type self:capability setgid; -+ -+manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t) -+manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t) -+files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file }) -+ -+kernel_read_kernel_sysctls(ssh_agent_type) -+ -+dev_read_urand(ssh_agent_type) -+dev_read_rand(ssh_agent_type) -+ -+fs_search_auto_mountpoints(ssh_agent_type) -+ -+domain_use_interactive_fds(ssh_agent_type) -+ -+files_read_etc_files(ssh_agent_type) -+files_read_etc_runtime_files(ssh_agent_type) -+ -+libs_read_lib_files(ssh_agent_type) -+ -+miscfiles_read_generic_certs(ssh_agent_type) -+ -+# Write to the user domain tty. -+userdom_use_inherited_user_terminals(ssh_agent_type) -+ -+# for the transition back to normal privs upon exec -+userdom_search_user_home_content(ssh_agent_type) -+ -+optional_policy(` -+ xserver_use_xdm_fds(ssh_agent_type) -+ xserver_rw_xdm_pipes(ssh_agent_type) -+') -diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..9a5dab5 100644 ---- a/policy/modules/services/xserver.fc -+++ b/policy/modules/services/xserver.fc -@@ -2,13 +2,35 @@ - # HOME_DIR - # - HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) -+HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) - HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) -+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) - HOME_DIR/\.fonts/auto(/.*)? 
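Review bot: `allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };` gives all three dyntransition domains, including the user-facing `chroot_user_t` session domain, the ability to chroot and change uid. Whether those capabilities are still live after sshd has called setuid() in the child depends on the order of chroot()/setuid() versus setcon() in sshd, which this hunk cannot show; if they are only needed before the privilege drop they belong to sshd_t and not to the session domain. A comment such as `# carried across setcon() from sshd_t; TODO confirm chroot_user_t still needs them after setuid` would record the assumption. Also, `userdom_home_manager(chroot_user_t)` sits outside the `ssh_chroot_rw_homedirs` tunable while the explicit `userdom_manage_user_home_content_*` rules are gated by it; what `userdom_home_manager` grants is outside this hunk, but if it includes write access to home content the tunable is bypassed and the call should move inside the gated block.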
gen_context(system_u:object_r:user_fonts_cache_t,s0) - HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) -+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) - HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) - HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) - HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) - HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) -+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) -+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) -+ -+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) -+/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) -+/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) -+/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) -+/root/\.fonts/auto(/.*)? 
gen_context(system_u:object_r:user_fonts_cache_t,s0) -+/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) -+/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -+/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -+/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) -+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) - - # - # /dev -@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) - /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) - -+/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0) -+/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) -+/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+ - /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) - --/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/etc/opt/VirtualGL(/.*)? 
gen_context(system_u:object_r:xdm_rw_etc_t,s0) - -+/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) - /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) - # /tmp - # - --/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) --/tmp/\.ICE-unix/.* -s <> --/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) --/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) --/tmp/\.X11-unix/.* -s <> -+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0) -+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) -+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) -+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) - - # - # /usr - # - --/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/s?bin/gdm3? -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/s?bin/lxdm(-binary)? 
-- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+ - /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -+/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) - /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -+/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0) -+/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) - - /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - -@@ -92,25 +128,49 @@ ifndef(`distro_debian',` - - /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) --/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) -+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -+ -+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - --/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) --/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/gdm(3)?(/.*)? 
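Review bot: `/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)` is a regex, not a shell glob: `lightdm*` matches `lightd`, `lightdm`, `lightdmm`… and nothing with a suffix, so `lightdm-session`, `lightdm-gtk-greeter` and other `lightdm-*` helpers (if those are the intended targets) do not get `xdm_exec_t`, while a stray `/usr/sbin/lightd` would. The same hunk writes the intended form elsewhere, e.g. `razor-lightdm-.*`; use `/usr/s?bin/lightdm.*` or list the binaries explicitly. `/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)` labels what is, as far as I know, an X client that exports an existing display with the full X-server entry type, so it runs in xserver_t with device and DRI access it does not need; a comment justifying that choice, or a separate type, is warranted. The `/tmp/\.X11-unix(/.*)?` and `/tmp/\.ICE-unix(/.*)?` lines now label the sockets `xdm_tmp_t` instead of leaving them unlabeled (`<>`), a behavior change worth a note.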
gen_context(system_u:object_r:xserver_log_t,s0) --/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0) - /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+ -+/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) - - /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) --/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - -+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) -+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) -+/var/run/systemd/multi-session-x(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) -+ - ifdef(`distro_suse',` - /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) - ') -+ -+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+ -diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..5a7e2a4 100644 ---- a/policy/modules/services/xserver.if -+++ b/policy/modules/services/xserver.if -@@ -18,100 +18,37 @@ - # - interface(`xserver_restricted_role',` - gen_require(` -- type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; -- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; -- type iceauth_t, iceauth_exec_t, iceauth_home_t; -- type xauth_t, xauth_exec_t, xauth_home_t; -+ type xserver_t, xauth_t, iceauth_t; -+ attribute dridomain, x_userdomain; - ') - - role $1 types { xserver_t xauth_t iceauth_t }; -+ typeattribute $2 x_userdomain, dridomain; - -- # Xserver read/write client shm -- allow xserver_t $2:fd use; -- allow xserver_t $2:shm rw_shm_perms; -- -- allow xserver_t $2:process signal; -- -- allow xserver_t $2:shm rw_shm_perms; -- -- allow $2 user_fonts_t:dir list_dir_perms; -- allow $2 user_fonts_t:file read_file_perms; -- -- allow $2 user_fonts_config_t:dir list_dir_perms; -- allow $2 user_fonts_config_t:file read_file_perms; -- -- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) -- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) -- -- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) -- files_search_tmp($2) -- -- # Communicate via System V shared memory. 
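Review bot: `/var/lib/pqsql/\.xauth.*` and `/var/lib/pqsql/\.Xauthority.*` look like a typo for `pgsql` — PostgreSQL's home on Fedora is `/var/lib/pgsql` — so xauth files in the real postgres home would not receive `xauth_home_t` and the two lines match nothing; confirm the intended path. `/var/run/video.rom -- ...` leaves the dot unescaped, so it also matches e.g. `/var/run/videoXrom`; write `/var/run/video\.rom`. Within the same hunk the `[mkwx]dm\.log.*`, `lxdm`, `mdm` and `slim` logs move to `xdm_log_t` while the new `/var/log/lightdm(/.*)?` entry gets `xserver_log_t`; if lightdm's directory mixes display-manager and X-server logs a comment should say so, otherwise it should be `xdm_log_t` like its siblings.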
-- allow $2 xserver_t:shm r_shm_perms; -- allow $2 xserver_tmpfs_t:file read_file_perms; -- -- # allow ps to show iceauth -- ps_process_pattern($2, iceauth_t) -- -- domtrans_pattern($2, iceauth_exec_t, iceauth_t) -- -- allow $2 iceauth_home_t:file read_file_perms; -- -- domtrans_pattern($2, xauth_exec_t, xauth_t) -- -- allow $2 xauth_t:process signal; -- -- # allow ps to show xauth -- ps_process_pattern($2, xauth_t) -- allow $2 xserver_t:process signal; -- -- allow $2 xauth_home_t:file read_file_perms; -- -- # for when /tmp/.X11-unix is created by the system -- allow $2 xdm_t:fd use; -- allow $2 xdm_t:fifo_file { getattr read write ioctl }; -- allow $2 xdm_tmp_t:dir search; -- allow $2 xdm_tmp_t:sock_file { read write }; -- dontaudit $2 xdm_t:tcp_socket { read write }; -- -- # Client read xserver shm -- allow $2 xserver_t:fd use; -- allow $2 xserver_tmpfs_t:file read_file_perms; -- -- # Read /tmp/.X0-lock -- allow $2 xserver_tmp_t:file { getattr read }; -- -- dev_rw_xserver_misc($2) -- dev_rw_power_management($2) -- dev_read_input($2) -- dev_read_misc($2) -- dev_write_misc($2) -- # open office is looking for the following -- dev_getattr_agp_dev($2) -- dev_dontaudit_rw_dri($2) -- # GNOME checks for usb and other devices: -- dev_rw_usbfs($2) -- -- miscfiles_read_fonts($2) -+ xserver_common_x_domain_template(user,$2) -+ xserver_stream_connect_xdm($2) -+ xserver_xdm_append_log($2) - -- xserver_common_x_domain_template(user, $2) -- xserver_domtrans($2) -- xserver_unconfined($2) -- xserver_xsession_entry_type($2) -- xserver_dontaudit_write_log($2) -- xserver_stream_connect_xdm($2) -- # certain apps want to read xdm.pid file -- xserver_read_xdm_pid($2) -- # gnome-session creates socket under /tmp/.ICE-unix/ -- xserver_create_xdm_tmp_sockets($2) -- # Needed for escd, remove if we get escd policy -- xserver_manage_xdm_tmp_files($2) -+ modutils_run_insmod(xserver_t, $1) -+ xserver_dri_domain($2) -+') - -- # Client write xserver shm -- tunable_policy(`allow_write_xshm',` -- 
allow $2 xserver_t:shm rw_shm_perms; -- allow $2 xserver_tmpfs_t:file rw_file_perms; -+######################################## -+## -+## Domain wants to use direct io devices -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_dri_domain',` -+ gen_require(` -+ attribute dridomain; - ') -+ -+ typeattribute $1 dridomain; - ') - - ######################################## -@@ -143,13 +80,15 @@ interface(`xserver_role',` - allow $2 xserver_tmpfs_t:file rw_file_perms; - - allow $2 iceauth_home_t:file manage_file_perms; -- allow $2 iceauth_home_t:file { relabelfrom relabelto }; -+ allow $2 iceauth_home_t:file relabel_file_perms; - - allow $2 xauth_home_t:file manage_file_perms; -- allow $2 xauth_home_t:file { relabelfrom relabelto }; -+ allow $2 xauth_home_t:file relabel_file_perms; - -+ mls_xwin_read_to_clearance($2) - manage_dirs_pattern($2, user_fonts_t, user_fonts_t) - manage_files_pattern($2, user_fonts_t, user_fonts_t) -+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) - relabel_files_pattern($2, user_fonts_t, user_fonts_t) - -@@ -162,7 +101,6 @@ interface(`xserver_role',` - manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) -- - ') - - ####################################### -@@ -197,7 +135,7 @@ interface(`xserver_ro_session',` - allow $1 xserver_t:process signal; - - # Read /tmp/.X0-lock -- allow $1 xserver_tmp_t:file { getattr read }; -+ allow $1 xserver_tmp_t:file read_file_perms; - - # Client read xserver shm - allow $1 xserver_t:fd use; -@@ -227,7 +165,7 @@ interface(`xserver_rw_session',` - type xserver_t, xserver_tmpfs_t; - ') - -- xserver_ro_session($1,$2) -+ xserver_ro_session($1, $2) - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; - ') -@@ -255,7 +193,7 @@ 
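Review bot: `modutils_run_insmod(xserver_t, $1)` inside `xserver_restricted_role` gives the X server domain a transition to insmod for every role that uses the supposedly restricted X role, i.e. a user-facing daemon gains the ability to load kernel modules. That is one of the broadest privileges a domain can hold and it lives in a role interface rather than in xserver.te where the domain's own rules are, so it is easy to miss in review. If a GPU/DRM driver load is the reason (presumably, but confirm), put the rule in xserver_t's local policy behind a comment or a tunable rather than in the role. The new `xserver_dri_domain` interface is documented as `Domain wants to use direct io devices` but the attribute it assigns is `dridomain`; suggest `## Domain allowed to use the DRI (direct rendering) devices`.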
interface(`xserver_non_drawing_client',` - - allow $1 self:x_gc { create setattr }; - -- allow $1 xdm_var_run_t:dir search; -+ allow $1 xdm_var_run_t:dir search_dir_perms; - allow $1 xserver_t:unix_stream_socket connectto; - - allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +229,13 @@ interface(`xserver_user_client',` - allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file -- allow $1 xauth_home_t:file { getattr read }; -- allow $1 iceauth_home_t:file { getattr read }; -+ allow $1 xauth_home_t:file read_file_perms; -+ allow $1 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $1 xdm_t:fd use; -- allow $1 xdm_t:fifo_file { getattr read write ioctl }; -- allow $1 xdm_tmp_t:dir search; -+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; -+ allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:sock_file { read write }; - dontaudit $1 xdm_t:tcp_socket { read write }; - -@@ -316,7 +254,7 @@ interface(`xserver_user_client',` - xserver_read_xdm_tmp_files($1) - - # Client write xserver shm -- tunable_policy(`allow_write_xshm',` -+ tunable_policy(`xserver_clients_write_xshm',` - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; - ') -@@ -342,19 +280,23 @@ interface(`xserver_user_client',` - # - template(`xserver_common_x_domain_template',` - gen_require(` -- type root_xdrawable_t; -+ type root_xdrawable_t, xdm_t, xserver_t; - type xproperty_t, $1_xproperty_t; - type xevent_t, client_xevent_t; - type input_xevent_t, $1_input_xevent_t; - -- attribute x_domain; -+ attribute x_domain, input_xevent_type; - attribute xdrawable_type, xcolormap_type; -- attribute input_xevent_type; - - class x_drawable all_x_drawable_perms; - class x_property all_x_property_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; -+ class x_client destroy; -+ class x_server manage; -+ class x_screen { 
saver_setattr saver_hide saver_show show_cursor hide_cursor }; -+ class x_pointer { get_property set_property manage }; -+ class x_keyboard { read manage freeze }; - ') - - ############################## -@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',` - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; - # can receive default events - allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; -- allow $2 xevent_t:{ x_event x_synthetic_event } receive; -+ allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }; - # dont audit send failures - dontaudit $2 input_xevent_type:x_event send; -+ -+ allow $2 xdm_t:x_drawable { hide read add_child manage }; -+ allow $2 xdm_t:x_client destroy; -+ -+ allow $2 root_xdrawable_t:x_drawable write; -+ allow $2 xserver_t:x_server manage; -+ allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show }; -+ allow $2 xserver_t:x_pointer { get_property set_property manage }; -+ allow $2 xserver_t:x_keyboard { read manage freeze }; - ') - - ####################################### -@@ -444,8 +395,9 @@ template(`xserver_object_types_template',` - # - template(`xserver_user_x_domain_template',` - gen_require(` -- type xdm_t, xdm_tmp_t; -- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; -+ type xdm_t, xdm_tmp_t, xserver_tmpfs_t; -+ type xdm_home_t; -+ type xauth_home_t, iceauth_home_t, xserver_t; - ') - - allow $2 self:shm create_shm_perms; -@@ -456,11 +408,13 @@ template(`xserver_user_x_domain_template',` - allow $2 xauth_home_t:file read_file_perms; - allow $2 iceauth_home_t:file read_file_perms; - -+ xserver_filetrans_home_content($2) -+ - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; -- allow $2 xdm_t:fifo_file { getattr read write ioctl }; -+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $2 xdm_tmp_t:dir search_dir_perms; -- allow $2 xdm_tmp_t:sock_file { read write }; -+ allow $2 
xdm_tmp_t:sock_file rw_inherited_sock_file_perms; - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. -@@ -472,20 +426,26 @@ template(`xserver_user_x_domain_template',` - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) - -- xserver_ro_session($2,$3) -+ xserver_ro_session($2, $3) - xserver_use_user_fonts($2) - - xserver_read_xdm_tmp_files($2) -+ xserver_read_xdm_pid($2) -+ xserver_xdm_append_log($2) - - # X object manager - xserver_object_types_template($1) -- xserver_common_x_domain_template($1,$2) -+ xserver_common_x_domain_template($1, $2) - - # Client write xserver shm -- tunable_policy(`allow_write_xshm',` -+ tunable_policy(`xserver_clients_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - ') -+ -+ tunable_policy(`selinuxuser_direct_dri_enabled',` -+ dev_rw_dri($2) -+ ') - ') - - ######################################## -@@ -517,6 +477,7 @@ interface(`xserver_use_user_fonts',` - # Read per user fonts - allow $1 user_fonts_t:dir list_dir_perms; - allow $1 user_fonts_t:file read_file_perms; -+ allow $1 user_fonts_t:lnk_file read_lnk_file_perms; - - # Manipulate the global font cache - manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -547,6 +508,42 @@ interface(`xserver_domtrans_xauth',` - domtrans_pattern($1, xauth_exec_t, xauth_t) - ') - -+###################################### -+## -+## Allow exec of Xauthority program.. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`xserver_exec_xauth',` -+ gen_require(` -+ type xauth_t, xauth_exec_t; -+ ') -+ -+ can_exec($1, xauth_exec_t) -+') -+ -+######################################## -+## -+## Dontaudit exec of Xauthority program. -+## -+## -+## -+## Domain to not audit. 
-+##
-+##
-+#
-+interface(`xserver_dontaudit_exec_xauth',`
-+ gen_require(`
-+ type xauth_exec_t;
-+ ')
-+
-+ dontaudit $1 xauth_exec_t:file execute;
-+')
-+
- ########################################
- ##
- ## Create a Xauthority file in the user home directory.
-@@ -567,6 +564,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
-
- ########################################
- ##
-+## Create a Xauthority file in the admin home directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_admin_home_dir_filetrans_xauth',`
-+ gen_require(`
-+ type xauth_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
-+')
-+
-+########################################
-+##
- ## Read all users fonts, user font configurations,
- ## and manage all users font caches.
- ##
-@@ -598,6 +613,25 @@ interface(`xserver_read_user_xauth',`
-
- allow $1 xauth_home_t:file read_file_perms;
- userdom_search_user_home_dirs($1)
-+ xserver_read_xdm_pid($1)
-+')
-+
-+########################################
-+##
-+## Manage all users .Xauthority.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_user_xauth',`
-+ gen_require(`
-+ type xauth_home_t;
-+ ')
-+
-+ allow $1 xauth_home_t:file manage_file_perms;
- ')
-
- ########################################
-@@ -615,7 +649,7 @@ interface(`xserver_setattr_console_pipes',`
- type xconsole_device_t;
- ')
-
-- allow $1 xconsole_device_t:fifo_file setattr;
-+ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
- ')
-
- ########################################
-@@ -638,6 +672,25 @@ interface(`xserver_rw_console',`
-
- ########################################
- ##
-+## Read XDM state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_state_xdm',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, xdm_t)
-+')
-+
-+########################################
-+##
- ## Use file descriptors for xdm.
- ##
- ##
-@@ -651,7 +704,7 @@ interface(`xserver_use_xdm_fds',`
- type xdm_t;
- ')
-
-- allow $1 xdm_t:fd use;
-+ allow $1 xdm_t:fd use;
- ')
-
- ########################################
-@@ -670,7 +723,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
- type xdm_t;
- ')
-
-- dontaudit $1 xdm_t:fd use;
-+ dontaudit $1 xdm_t:fd use;
- ')
-
- ########################################
-@@ -688,7 +741,7 @@ interface(`xserver_rw_xdm_pipes',`
- type xdm_t;
- ')
-
-- allow $1 xdm_t:fifo_file { getattr read write };
-+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -703,12 +756,11 @@ interface(`xserver_rw_xdm_pipes',`
- ##
- #
- interface(`xserver_dontaudit_rw_xdm_pipes',`
--
- gen_require(`
- type xdm_t;
- ')
-
-- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
- ')
-
- ########################################
-@@ -765,11 +817,91 @@ interface(`xserver_manage_xdm_spool_files',`
- #
- interface(`xserver_stream_connect_xdm',`
- gen_require(`
-- type xdm_t, xdm_tmp_t;
-+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
- ')
-
- files_search_tmp($1)
-- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to append XDM unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+
-+interface(`xserver_append_xdm_stream_socket',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ allow $1 xdm_t:unix_stream_socket append;
-+')
-+
-+########################################
-+##
-+## Read XDM files in user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 xdm_home_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read xserver configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_config',`
-+ gen_require(`
-+ type xserver_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ read_files_pattern($1, xserver_etc_t, xserver_etc_t)
-+ read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
-+')
-+
-+########################################
-+##
-+## Manage xserver configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_config',`
-+ gen_require(`
-+ type xserver_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
-+ manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
- ')
-
- ########################################
-@@ -793,6 +925,25 @@ interface(`xserver_read_xdm_rw_config',`
-
- ########################################
- ##
-+## Search XDM temporary directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_search_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 xdm_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Set the attributes of XDM temporary directories.
- ##
- ##
-@@ -806,7 +957,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
- type xdm_tmp_t;
- ')
-
-- allow $1 xdm_tmp_t:dir setattr;
-+ allow $1 xdm_tmp_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
-+## Dont audit attempts to set the attributes of XDM temporary directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -846,7 +1015,26 @@ interface(`xserver_read_xdm_pid',`
- ')
-
- files_search_pids($1)
-- allow $1 xdm_var_run_t:file read_file_perms;
-+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
-+')
-+
-+######################################
-+##
-+## Dontaudit Read XDM pid files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_read_xdm_pid',`
-+ gen_require(`
-+ type xdm_var_run_t;
-+ ')
-+
-+ dontaudit $1 xdm_var_run_t:dir search_dir_perms;
-+ dontaudit $1 xdm_var_run_t:file read_file_perms;
- ')
-
- ########################################
-@@ -864,7 +1052,26 @@ interface(`xserver_read_xdm_lib_files',`
- type xdm_var_lib_t;
- ')
-
-- allow $1 xdm_var_lib_t:file read_file_perms;
-+ read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
-+ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read inherited XDM var lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_inherited_xdm_lib_files',`
-+ gen_require(`
-+ type xdm_var_lib_t;
-+ ')
-+
-+ allow $1 xdm_var_lib_t:file read_inherited_file_perms;
- ')
-
- ########################################
-@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',`
- ')
-
- logging_search_logs($1)
-- allow $1 xserver_log_t:file getattr;
-+ allow $1 xserver_log_t:file getattr_file_perms;
- ')
-
--########################################
-+#######################################
-+##
-+## Allow domain to read X server logs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 xserver_log_t:file read_file_perms;
-+')
-+
-+########################################
- ##
- ## Do not audit attempts to write the X server
- ## log files.
-@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
- type xserver_log_t;
- ')
-
-- dontaudit $1 xserver_log_t:file { append write };
-+ dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
-
- ########################################
- ##
-+## dontaudit access checks X keyboard extension libraries.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_xkb_libs_access',`
-+ gen_require(`
-+ type xkb_var_lib_t;
-+ ')
-+
-+ dontaudit $1 xkb_var_lib_t:dir audit_access;
-+ dontaudit $1 xkb_var_lib_t:file audit_access;
-+')
-+
-+########################################
-+##
-+## Read xdm config files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_read_xdm_etc_files',`
-+ gen_require(`
-+ type xdm_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+##
-+## Manage xdm config files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_etc_files',`
-+ gen_require(`
-+ type xdm_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
-+')
-+
-+########################################
-+##
- ## Read xdm temporary files.
- ##
- ##
-@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
- type xdm_tmp_t;
- ')
-
-- files_search_tmp($1)
-+ files_search_tmp($1)
- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
-
-@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
-
- ########################################
- ##
-+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_relabel_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete xdm temporary dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_manage_xdm_tmp_dirs',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes of
- ## xdm temporary named sockets.
- ##
-@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
- type xdm_tmp_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
- type xserver_t, xserver_exec_t;
- ')
-
-- allow $1 xserver_t:process siginh;
-+ allow $1 xserver_t:process siginh;
- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
- ')
-
- ########################################
-@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
-
- ########################################
- ##
-+## Do not audit attempts to read and write xdm
-+## unix domain stream sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
-+ gen_require(`
-+ type xdm_t;
-+ ')
-+
-+ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
-+')
-+
-+########################################
-+##
- ## Connect to the X server over a unix domain
- ## stream socket.
- ##
-@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
-
- files_search_tmp($1)
- stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ allow xserver_t $1:shm rw_shm_perms;
-+')
-+
-+######################################
-+##
-+## Dontaudit attempts to connect to xserver
-+## over a unix stream socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_stream_connect',`
-+ gen_require(`
-+ type xserver_t, xserver_tmp_t;
-+ ')
-+
-+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
- ')
-
- ########################################
-@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
- ##
- ## Interface to provide X object permissions on a given X server to
- ## an X client domain. Gives the domain permission to read the
--## virtual core keyboard and virtual core pointer devices.
-+## virtual core keyboard and virtual core pointer devices.
- ##
- ##
- ##
-@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',`
- #
- interface(`xserver_manage_core_devices',`
- gen_require(`
-- type xserver_t;
-+ type xserver_t, root_xdrawable_t, xevent_t;
- class x_device all_x_device_perms;
- class x_pointer all_x_pointer_perms;
- class x_keyboard all_x_keyboard_perms;
-+ class x_screen all_x_screen_perms;
-+ class x_drawable { manage };
-+ attribute x_domain;
-+ class x_drawable all_x_drawable_perms;
-+ class x_resource all_x_resource_perms;
-+ class x_synthetic_event all_x_synthetic_event_perms;
-+ class x_cursor all_x_cursor_perms;
- ')
-
- allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
-+ allow $1 xserver_t:{ x_screen } setattr;
-+
-+ allow $1 x_domain:x_cursor all_x_cursor_perms;
-+ allow $1 x_domain:x_drawable all_x_drawable_perms;
-+ allow $1 x_domain:x_resource all_x_resource_perms;
-+ allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
-+ allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
- ')
-
- ########################################
-@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',`
- #
- interface(`xserver_unconfined',`
- gen_require(`
-- attribute x_domain;
-- attribute xserver_unconfined_type;
-+ attribute x_domain, xserver_unconfined_type;
- ')
-
- typeattribute $1 x_domain;
- typeattribute $1 xserver_unconfined_type;
- ')
-+
-+########################################
-+##
-+## Dontaudit append to .xsession-errors file
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_dontaudit_append_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t;
-+ ')
-+
-+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_rw_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_dontaudit_rw_cifs_files($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## append to .xsession-errors file
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_append_xdm_home_files',`
-+ gen_require(`
-+ type xdm_home_t, xserver_tmp_t;
-+ ')
-+
-+ allow $1 xdm_home_t:file append_file_perms;
-+ allow $1 xserver_tmp_t:file append_file_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_append_cifs_files($1)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Allow search the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_search_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+######################################
-+##
-+## Allow read the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_read_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+########################################
-+##
-+## Manage the xdm_spool files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_xdm_manage_spool',`
-+ gen_require(`
-+ type xdm_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## xdm over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_dbus_chat_xdm',`
-+ gen_require(`
-+ type xdm_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 xdm_t:dbus send_msg;
-+ allow xdm_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Read xserver files created in /var/run
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_pid',`
-+ gen_require(`
-+ type xserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute xserver files created in /var/run
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_exec_pid',`
-+ gen_require(`
-+ type xserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+##
-+## Write xserver files created in /var/run
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_write_pid',`
-+ gen_require(`
-+ type xserver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
-+')
-+
-+########################################
-+##
-+## Allow append the xdm
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_xdm_append_log',`
-+ gen_require(`
-+ type xdm_log_t;
-+ attribute xdmhomewriter;
-+ ')
-+
-+ typeattribute $1 xdmhomewriter;
-+ allow $1 xdm_log_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow ioctl the xdm log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_xdm_ioctl_log',`
-+ gen_require(`
-+ type xdm_log_t;
-+ ')
-+
-+ allow $1 xdm_log_t:file ioctl;
-+')
-+
-+########################################
-+##
-+## Allow append the xdm
-+## tmp files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`xserver_append_xdm_tmp_files',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ allow $1 xdm_tmp_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read a user Iceauthority domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_read_user_iceauth',`
-+ gen_require(`
-+ type iceauth_home_t;
-+ ')
-+
-+ # Read .Iceauthority file
-+ allow $1 iceauth_home_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read/write inherited user homedir fonts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_rw_inherited_user_fonts',`
-+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t;
-+ ')
-+
-+ allow $1 user_fonts_t:file rw_inherited_file_perms;
-+ allow $1 user_fonts_t:file read_lnk_file_perms;
-+
-+ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Search XDM var lib dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_search_xdm_lib',`
-+ gen_require(`
-+ type xdm_var_lib_t;
-+ ')
-+
-+ allow $1 xdm_var_lib_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Make an X executable an entrypoint for the specified domain.
-+##
-+##
-+##
-+## The domain for which the shell is an entrypoint.
-+##
-+##
-+#
-+interface(`xserver_entry_type',`
-+ gen_require(`
-+ type xserver_exec_t;
-+ ')
-+
-+ domain_entry_file($1, xserver_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute xsever in the xserver domain, and
-+## allow the specified role the xserver domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the xserver domain.
-+##
-+##
-+##
-+#
-+interface(`xserver_run',`
-+ gen_require(`
-+ type xserver_t;
-+ ')
-+
-+ xserver_domtrans($1)
-+ role $2 types xserver_t;
-+')
-+
-+########################################
-+##
-+## Execute xsever in the xserver domain, and
-+## allow the specified role the xserver domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the xserver domain.
-+##
-+##
-+##
-+#
-+interface(`xserver_run_xauth',`
-+ gen_require(`
-+ type xauth_t;
-+ ')
-+
-+ xserver_domtrans_xauth($1)
-+ role $2 types xauth_t;
-+')
-+
-+########################################
-+##
-+## Read user homedir fonts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`xserver_read_home_fonts',`
-+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t;
-+ ')
-+
-+ list_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ read_files_pattern($1, user_fonts_t, user_fonts_t)
-+ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
-+
-+ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
-+')
-+
-+########################################
-+##
-+## Manage user fonts dir.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`xserver_manage_user_fonts_dir',`
-+ gen_require(`
-+ type user_fonts_t;
-+ ')
-+
-+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
-+')
-+
-+########################################
-+##
-+## Manage user homedir fonts.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`xserver_manage_home_fonts',`
-+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
-+ ')
-+
-+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
-+ manage_files_pattern($1, user_fonts_t, user_fonts_t)
-+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
-+
-+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
-+
-+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
-+# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+')
-+
-+#######################################
-+##
-+## Transition to xserver .fontconfig named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_fonts_cache_home_content',`
-+ gen_require(`
-+ type user_fonts_cache_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+')
-+
-+########################################
-+##
-+## Transition to xserver named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_home_content',`
-+ gen_require(`
-+ type xdm_home_t, xauth_home_t, iceauth_home_t;
-+ type user_home_t, user_fonts_t, user_fonts_cache_t;
-+ type user_fonts_config_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
-+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
-+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
-+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
-+ files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
-+')
-+
-+########################################
-+##
-+## Create xserver content in admin home
-+## directory with a named file transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xserver_filetrans_admin_home_content',`
-+ gen_require(`
-+ type xdm_home_t, xauth_home_t, iceauth_home_t;
-+ type user_home_t, user_fonts_t, user_fonts_cache_t;
-+ type user_fonts_config_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
-+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
-+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
-+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
-+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
-+
-+ optional_policy(`
-+ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
-+ ')
-+')
-+
-+########################################
-+##
-+## Create objects in a xdm temporary directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`xserver_xdm_tmp_filetrans',`
-+ gen_require(`
-+ type xdm_tmp_t;
-+ ')
-+
-+ filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
-+ files_search_tmp($1)
-+')
-+
-+########################################
-+##
-+## Dontaudit search ssh home directory
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`xserver_dontaudit_search_log',`
-+ gen_require(`
-+ type xserver_log_t;
-+ ')
-+
-+ dontaudit $1 xserver_log_t:dir search_dir_perms;
-+')
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..adbe339 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
-@@ -26,28 +26,59 @@ gen_require(`
- #
-
- ##
--##

    --## Allows clients to write to the X server shared --## memory segments. --##

    -+##

    -+## Allows clients to write to the X server shared -+## memory segments. -+##

    -+##
    -+gen_tunable(xserver_clients_write_xshm, false) -+ -+## -+##

    -+## Allows XServer to execute writable memory -+##

    - ##
    --gen_tunable(allow_write_xshm, false) -+gen_tunable(xserver_execmem, false) - - ## - ##

    --## Allow xdm logins as sysadm -+## Allow the graphical login program to execute bootloader - ##

    - ##
    -+gen_tunable(xdm_exec_bootloader, false) -+ -+## -+##

    -+## Allow the graphical login program to login directly as sysadm_r:sysadm_t -+##

    -+##
    - gen_tunable(xdm_sysadm_login, false) - - ## --##

    --## Support X userspace object manager --##

    -+##

    -+## Allow the graphical login program to create files in HOME dirs as xdm_home_t. -+##

    -+##
    -+gen_tunable(xdm_write_home, false) -+ -+## -+##

    -+## Support X userspace object manager -+##

    - ##
    - gen_tunable(xserver_object_manager, false) - -+## -+##

    -+## Allow regular users direct dri device access -+##

    -+##
    -+gen_tunable(selinuxuser_direct_dri_enabled, false) -+ -+attribute xdmhomewriter; -+attribute x_userdomain; - attribute x_domain; -+attribute dridomain; - - # X Events - attribute xevent_type; -@@ -107,44 +138,54 @@ xserver_object_types_template(remote) - xserver_common_x_domain_template(remote, remote_t) - - type user_fonts_t; --typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; -+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t }; - typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; -+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; -+typealias user_fonts_t alias xfs_tmp_t; - userdom_user_home_content(user_fonts_t) -+files_tmp_file(user_fonts_t) - - type user_fonts_cache_t; - typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; - typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; -+typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; - userdom_user_home_content(user_fonts_cache_t) - - type user_fonts_config_t; - typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; - typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; -+typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; - userdom_user_home_content(user_fonts_config_t) - - type iceauth_t; - type iceauth_exec_t; - typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; -+typealias iceauth_t alias { xguest_iceauth_t }; - typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; - userdom_user_application_domain(iceauth_t, iceauth_exec_t) - - type iceauth_home_t; - typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; - typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; -+typealias iceauth_home_t alias { 
xguest_iceauth_home_t };
- userdom_user_home_content(iceauth_home_t)
- 
- type xauth_t;
- type xauth_exec_t;
- typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
- typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
-+typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
- userdom_user_application_domain(xauth_t, xauth_exec_t)
- 
- type xauth_home_t;
- typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
- typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
-+typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
- userdom_user_home_content(xauth_home_t)
- 
- type xauth_tmp_t;
- typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
-+typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
- typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
- userdom_user_tmp_file(xauth_tmp_t)
- 
-@@ -154,19 +195,28 @@ files_type(xconsole_device_t)
- fs_associate_tmpfs(xconsole_device_t)
- files_associate_tmp(xconsole_device_t)
- 
--type xdm_t;
-+type xdm_unconfined_exec_t;
-+application_executable_file(xdm_unconfined_exec_t)
-+
-+type xdm_t alias xdm_dbusd_t;
- type xdm_exec_t;
- auth_login_pgm_domain(xdm_t)
- init_domain(xdm_t, xdm_exec_t)
--init_daemon_domain(xdm_t, xdm_exec_t)
-+init_system_domain(xdm_t, xdm_exec_t)
- xserver_object_types_template(xdm)
- xserver_common_x_domain_template(xdm, xdm_t)
- 
- type xdm_lock_t;
- files_lock_file(xdm_lock_t)
- 
-+type xdm_etc_t;
-+files_config_file(xdm_etc_t)
-+
- type xdm_rw_etc_t;
--files_type(xdm_rw_etc_t)
-+files_config_file(xdm_rw_etc_t)
-+
-+type xdm_spool_t;
-+files_spool_file(xdm_spool_t)
- 
- type xdm_var_lib_t;
- files_type(xdm_var_lib_t)
-@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t)
- type xdm_var_run_t;
- files_pid_file(xdm_var_run_t)
- 
-+type xserver_var_lib_t;
-+files_type(xserver_var_lib_t)
-+
-+type xserver_var_run_t;
-+files_pid_file(xserver_var_run_t)
-+
- type xdm_tmp_t;
- files_tmp_file(xdm_tmp_t)
--typealias xdm_tmp_t alias ice_tmp_t;
-+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
-+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-+userdom_user_tmp_file(xserver_tmp_t)
- 
- type xdm_tmpfs_t;
- files_tmpfs_file(xdm_tmpfs_t)
- 
-+type xdm_home_t;
-+userdom_user_home_content(xdm_home_t)
-+
-+type xdm_log_t;
-+logging_log_file(xdm_log_t)
-+
- # type for /var/lib/xkb
- type xkb_var_lib_t;
- files_type(xkb_var_lib_t)
-@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
- init_system_domain(xserver_t, xserver_exec_t)
- ubac_constrained(xserver_t)
- 
--type xserver_tmp_t;
--typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
--typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
--userdom_user_tmp_file(xserver_tmp_t)
-+type xserver_etc_t;
-+files_config_file(xserver_etc_t)
- 
- type xserver_tmpfs_t;
--typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
--typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
-+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
- userdom_user_tmpfs_file(xserver_tmpfs_t)
- 
- type xsession_exec_t;
-@@ -225,21 +287,33 @@ optional_policy(`
- #
- 
- allow iceauth_t iceauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
- 
- allow xdm_t iceauth_home_t:file read_file_perms;
- 
-+dev_read_rand(iceauth_t)
-+
- fs_search_auto_mountpoints(iceauth_t)
- 
--userdom_use_user_terminals(iceauth_t)
-+userdom_use_inherited_user_terminals(iceauth_t)
- userdom_read_user_tmp_files(iceauth_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_files(iceauth_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(iceauth_t)
-+userdom_read_all_users_state(iceauth_t)
-+userdom_home_manager(iceauth_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ dev_dontaudit_read_urand(iceauth_t)
-+ dev_dontaudit_rw_dri(iceauth_t)
-+ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
-+ fs_dontaudit_list_inotifyfs(iceauth_t)
-+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
-+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-+
-+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
-+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
-+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
-+
-+ optional_policy(`
-+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
-+ ')
- ')
- 
- ########################################
-@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
- # Xauth local policy
- #
- 
-+allow xauth_t self:capability dac_override;
- allow xauth_t self:process signal;
-+allow xauth_t self:shm create_shm_perms;
- allow xauth_t self:unix_stream_socket create_stream_socket_perms;
-+allow xauth_t self:unix_dgram_socket create_socket_perms;
-+
-+allow xauth_t xdm_t:process sigchld;
-+allow xauth_t xserver_t:unix_stream_socket connectto;
-+
-+corenet_tcp_connect_xserver_port(xauth_t)
- 
- allow xauth_t xauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-+
-+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
-+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
- 
- manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
- manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
- files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
- 
--allow xdm_t xauth_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
-+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) - -+kernel_read_network_state(xauth_t) -+kernel_read_system_state(xauth_t) - kernel_request_load_module(xauth_t) - -+dev_read_rand(xauth_t) -+dev_read_urand(xauth_t) -+ - domain_use_interactive_fds(xauth_t) -+domain_dontaudit_leaks(xauth_t) - - files_read_etc_files(xauth_t) -+files_read_usr_files(xauth_t) - files_search_pids(xauth_t) -+files_dontaudit_getattr_all_dirs(xauth_t) -+files_dontaudit_leaks(xauth_t) -+files_var_lib_filetrans(xauth_t, xauth_home_t, file) - --fs_getattr_xattr_fs(xauth_t) -+fs_dontaudit_leaks(xauth_t) -+fs_getattr_all_fs(xauth_t) - fs_search_auto_mountpoints(xauth_t) - --# cjp: why? --term_use_ptmx(xauth_t) -+# Probably a leak -+term_dontaudit_use_ptmx(xauth_t) -+term_dontaudit_use_console(xauth_t) - - auth_use_nsswitch(xauth_t) - --userdom_use_user_terminals(xauth_t) -+userdom_use_inherited_user_terminals(xauth_t) - userdom_read_user_tmp_files(xauth_t) -+userdom_read_all_users_state(xauth_t) -+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") -+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") -+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") -+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") -+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") -+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") - - xserver_rw_xdm_tmp_files(xauth_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_files(xauth_t) -+ifdef(`hide_broken_symptoms',` -+ fs_dontaudit_rw_anon_inodefs_files(xauth_t) -+ fs_dontaudit_list_inotifyfs(xauth_t) -+ userdom_manage_user_home_content_files(xauth_t) -+ userdom_manage_user_tmp_files(xauth_t) -+ dev_dontaudit_rw_generic_dev_nodes(xauth_t) -+ miscfiles_read_fonts(xauth_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(xauth_t) -+userdom_home_manager(xauth_t) -+ 
-+ifdef(`hide_broken_symptoms',` -+ term_dontaudit_use_unallocated_ttys(xauth_t) -+ dev_dontaudit_rw_dri(xauth_t) -+') -+ -+optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) - ') - - optional_policy(` -+ ssh_use_ptys(xauth_t) - ssh_sigchld(xauth_t) - ssh_read_pipes(xauth_t) - ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +414,109 @@ optional_policy(` - # XDM Local policy - # - --allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; --allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -+allow xdm_t self:capability2 { block_suspend }; -+dontaudit xdm_t self:capability sys_admin; -+tunable_policy(`deny_ptrace',`',` -+ allow xdm_t self:process ptrace; -+') -+ -+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition }; - allow xdm_t self:fifo_file rw_fifo_file_perms; - allow xdm_t self:shm create_shm_perms; - allow xdm_t self:sem create_sem_perms; - allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; --allow xdm_t self:unix_dgram_socket create_socket_perms; -+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; - allow xdm_t self:tcp_socket create_stream_socket_perms; - allow xdm_t self:udp_socket create_socket_perms; -+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow xdm_t self:netlink_selinux_socket create_socket_perms; - allow xdm_t self:socket create_socket_perms; - allow xdm_t self:appletalk_socket create_socket_perms; - allow xdm_t self:key { search link write }; -+allow xdm_t self:dbus { send_msg acquire_svc }; -+ -+allow 
xdm_t xauth_home_t:file manage_file_perms; - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; -+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+ -+manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) -+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) -+xserver_filetrans_home_content(xdm_t) -+xserver_filetrans_admin_home_content(xdm_t) -+ -+#Handle mislabeled files in homedir -+userdom_delete_user_home_content_files(xdm_t) -+userdom_signull_unpriv_users(xdm_t) -+userdom_dontaudit_read_admin_home_lnk_files(xdm_t) - - # Allow gdm to run gdm-binary - can_exec(xdm_t, xdm_exec_t) -+can_exec(xdm_t, xsession_exec_t) - - allow xdm_t xdm_lock_t:file manage_file_perms; - files_lock_filetrans(xdm_t, xdm_lock_t, file) - -+read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) -+read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) - # wdm has its own config dir /etc/X11/wdm - # this is ugly, daemons should not create files under /etc! 
- manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
- 
- manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
--files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
-+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+can_exec(xdm_t, xdm_tmp_t)
- 
- manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
- manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
--fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+
-+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
-+
-+files_search_spool(xdm_t)
-+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
-+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
-+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
- 
- manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
- manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
--files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
-+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
-+# Read machine-id
-+files_read_var_lib_files(xdm_t)
- 
- manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
- manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-+manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
- manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
--files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
-+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
- 
--allow xdm_t xserver_t:process signal;
-+allow xdm_t xserver_t:process { signal signull };
- allow xdm_t xserver_t:unix_stream_socket connectto;
- 
- allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
--allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
-+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
- 
- # transition to the xdm xserver
- domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
-+
-+ps_process_pattern(xserver_t, xdm_t)
- allow xserver_t xdm_t:process signal;
- allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
- 
- allow xdm_t xserver_t:shm rw_shm_perms;
-+read_files_pattern(xdm_t, xserver_t, xserver_t)
- 
- # connect to xdm xserver over stream socket
- stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
- delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
- delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
- 
-+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
-+
- manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
- manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-+manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
- manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
--logging_log_filetrans(xdm_t, xserver_log_t, file)
- 
- kernel_read_system_state(xdm_t)
-+kernel_read_device_sysctls(xdm_t)
- kernel_read_kernel_sysctls(xdm_t)
- kernel_read_net_sysctls(xdm_t)
- kernel_read_network_state(xdm_t)
-+kernel_request_load_module(xdm_t)
-+kernel_stream_connect(xdm_t)
- 
- corecmd_exec_shell(xdm_t)
- corecmd_exec_bin(xdm_t)
-+corecmd_dontaudit_access_all_executables(xdm_t) - --corenet_all_recvfrom_unlabeled(xdm_t) - corenet_all_recvfrom_netlabel(xdm_t) - corenet_tcp_sendrecv_generic_if(xdm_t) - corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) - corenet_udp_sendrecv_all_ports(xdm_t) - corenet_tcp_bind_generic_node(xdm_t) - corenet_udp_bind_generic_node(xdm_t) -+corenet_udp_bind_ipp_port(xdm_t) -+corenet_udp_bind_xdmcp_port(xdm_t) - corenet_tcp_connect_all_ports(xdm_t) - corenet_sendrecv_all_client_packets(xdm_t) - # xdm tries to bind to biff_port_t - corenet_dontaudit_tcp_bind_all_ports(xdm_t) - -+dev_rwx_zero(xdm_t) - dev_read_rand(xdm_t) --dev_read_sysfs(xdm_t) -+dev_rw_sysfs(xdm_t) - dev_getattr_framebuffer_dev(xdm_t) - dev_setattr_framebuffer_dev(xdm_t) - dev_getattr_mouse_dev(xdm_t) - dev_setattr_mouse_dev(xdm_t) - dev_rw_apm_bios(xdm_t) -+dev_rw_input_dev(xdm_t) - dev_setattr_apm_bios_dev(xdm_t) - dev_rw_dri(xdm_t) - dev_rw_agp(xdm_t) -+dev_rw_wireless(xdm_t) - dev_getattr_xserver_misc_dev(xdm_t) - dev_setattr_xserver_misc_dev(xdm_t) -+dev_rw_xserver_misc(xdm_t) - dev_getattr_misc_dev(xdm_t) - dev_setattr_misc_dev(xdm_t) - dev_dontaudit_rw_misc(xdm_t) --dev_getattr_video_dev(xdm_t) -+dev_read_video_dev(xdm_t) -+dev_write_video_dev(xdm_t) - dev_setattr_video_dev(xdm_t) - dev_getattr_scanner_dev(xdm_t) - dev_setattr_scanner_dev(xdm_t) --dev_getattr_sound_dev(xdm_t) --dev_setattr_sound_dev(xdm_t) -+dev_read_sound(xdm_t) -+dev_write_sound(xdm_t) - dev_getattr_power_mgmt_dev(xdm_t) - dev_setattr_power_mgmt_dev(xdm_t) -+dev_getattr_null_dev(xdm_t) -+dev_setattr_null_dev(xdm_t) - - domain_use_interactive_fds(xdm_t) - # Do not audit denied probes of /proc. 
- domain_dontaudit_read_all_domains_state(xdm_t) -+domain_dontaudit_signal_all_domains(xdm_t) -+domain_dontaudit_getattr_all_entry_files(xdm_t) - - files_read_etc_files(xdm_t) - files_read_var_files(xdm_t) -@@ -430,9 +610,28 @@ files_list_mnt(xdm_t) - files_read_usr_files(xdm_t) - # Poweroff wants to create the /poweroff file when run from xdm - files_create_boot_flag(xdm_t) -+files_dontaudit_getattr_boot_dirs(xdm_t) -+files_dontaudit_write_usr_files(xdm_t) -+files_dontaudit_access_check_etc(xdm_t) -+files_dontaudit_getattr_all_dirs(xdm_t) -+files_dontaudit_getattr_all_symlinks(xdm_t) -+files_dontaudit_getattr_all_tmp_sockets(xdm_t) -+files_dontaudit_all_access_check(xdm_t) -+files_dontaudit_list_non_security(xdm_t) - - fs_getattr_all_fs(xdm_t) - fs_search_auto_mountpoints(xdm_t) -+fs_search_all(xdm_t) -+fs_rw_anon_inodefs_files(xdm_t) -+fs_mount_tmpfs(xdm_t) -+fs_list_inotifyfs(xdm_t) -+fs_dontaudit_list_noxattr_fs(xdm_t) -+fs_dontaudit_read_noxattr_fs_files(xdm_t) -+fs_manage_cgroup_dirs(xdm_t) -+fs_manage_cgroup_files(xdm_t) -+ -+mls_socket_write_to_clearance(xdm_t) -+mls_trusted_object(xdm_t) - - storage_dontaudit_read_fixed_disk(xdm_t) - storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) - storage_dontaudit_raw_write_removable_device(xdm_t) - storage_dontaudit_setattr_removable_dev(xdm_t) - storage_dontaudit_rw_scsi_generic(xdm_t) -+storage_dontaudit_rw_fuse(xdm_t) - - term_setattr_console(xdm_t) -+term_use_console(xdm_t) -+term_use_virtio_console(xdm_t) - term_use_unallocated_ttys(xdm_t) - term_setattr_unallocated_ttys(xdm_t) -+term_relabel_all_ttys(xdm_t) -+term_relabel_unallocated_ttys(xdm_t) - - auth_domtrans_pam_console(xdm_t) --auth_manage_pam_pid(xdm_t) -+#auth_manage_pam_pid(xdm_t) - auth_manage_pam_console_data(xdm_t) -+auth_signal_pam(xdm_t) - auth_rw_faillog(xdm_t) - auth_write_login_records(xdm_t) - - # Run telinit->init to shutdown. 
- init_telinit(xdm_t) -+init_dbus_chat(xdm_t) -+init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x") -+init_status(xdm_t) -+ -+application_exec(xdm_t) - - libs_exec_lib_files(xdm_t) -+libs_exec_ldconfig(xdm_t) - - logging_read_generic_logs(xdm_t) - --miscfiles_read_localization(xdm_t) -+miscfiles_search_man_pages(xdm_t) - miscfiles_read_fonts(xdm_t) -+miscfiles_manage_fonts_cache(xdm_t) -+miscfiles_manage_localization(xdm_t) -+miscfiles_read_hwdata(xdm_t) - --sysnet_read_config(xdm_t) -+systemd_write_inhibit_pipes(xdm_t) -+systemd_dbus_chat_localed(xdm_t) -+systemd_start_power_services(xdm_t) - - userdom_dontaudit_use_unpriv_user_fds(xdm_t) - userdom_create_all_users_keys(xdm_t) -@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t) - # Search /proc for any user domain processes. - userdom_read_all_users_state(xdm_t) - userdom_signal_all_users(xdm_t) -+userdom_stream_connect(xdm_t) -+userdom_manage_user_tmp_dirs(xdm_t) -+userdom_manage_user_tmp_files(xdm_t) -+userdom_manage_user_tmp_sockets(xdm_t) -+userdom_manage_tmpfs_role(system_r, xdm_t) -+ -+#userdom_home_manager(xdm_t) -+tunable_policy(`xdm_write_home',` -+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) -+',` -+ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file }) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(xdm_t) -+ fs_manage_nfs_dirs(xdm_t) -+ fs_manage_nfs_files(xdm_t) -+ fs_manage_nfs_symlinks(xdm_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(xdm_t) -+ fs_manage_cifs_files(xdm_t) -+ fs_manage_cifs_symlinks(xdm_t) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_manage_fusefs_dirs(xdm_t) -+ fs_manage_fusefs_files(xdm_t) -+ fs_manage_fusefs_symlinks(xdm_t) -+') -+ -+tunable_policy(`use_ecryptfs_home_dirs',` -+ fs_manage_ecryptfs_dirs(xdm_t) -+ fs_manage_ecryptfs_files(xdm_t) -+') -+ -+### filename transitions ### -+userdom_filetrans_generic_home_content(xdm_t) 
-+ -+optional_policy(` -+ gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates") -+') -+ -+optional_policy(` -+ apache_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ auth_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ gnome_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ gpg_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ irc_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ kerberos_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ mozilla_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ mta_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ pulseaudio_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ spamassassin_filetrans_home_content(xdm_t) -+ spamassassin_filetrans_admin_home_content(xdm_t) -+') -+ -+optional_policy(` -+ ssh_filetrans_admin_home_content(xdm_t) -+ ssh_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ telepathy_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ thumb_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ tvtime_filetrans_home_content(xdm_t) -+') -+ -+optional_policy(` -+ virt_filetrans_home_content(xdm_t) -+') -+ -+### end of filename transitions ### -+ -+application_signal(xdm_t) - - xserver_rw_session(xdm_t, xdm_tmpfs_t) - xserver_unconfined(xdm_t) -+xserver_domtrans_xauth(xdm_t) -+ -+ifndef(`distro_redhat',` -+ allow xdm_t self:process { execheap execmem }; -+') -+ -+ifdef(`distro_rhel4',` -+ allow xdm_t self:process { execheap execmem }; -+') - - tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(xdm_t) -- fs_manage_nfs_files(xdm_t) -- fs_manage_nfs_symlinks(xdm_t) - fs_exec_nfs_files(xdm_t) - ') - - tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(xdm_t) -- fs_manage_cifs_files(xdm_t) -- fs_manage_cifs_symlinks(xdm_t) - fs_exec_cifs_files(xdm_t) - ') - -+optional_policy(` -+ tunable_policy(`xdm_exec_bootloader',` -+ bootloader_exec(xdm_t) -+ 
files_read_boot_files(xdm_t) -+ files_read_boot_symlinks(xdm_t) -+ ') -+') -+ - tunable_policy(`xdm_sysadm_login',` - userdom_xsession_spec_domtrans_all_users(xdm_t) - # FIXME: -@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',` - ') - - optional_policy(` -+ accountsd_read_lib_files(xdm_t) -+ accountsd_dbus_chat(xdm_t) -+') -+ -+optional_policy(` -+ acct_dontaudit_list_data(xdm_t) -+') -+ -+optional_policy(` -+ boinc_dontaudit_getattr_lib(xdm_t) -+') -+ -+optional_policy(` - alsa_domtrans(xdm_t) -+ alsa_read_rw_config(xdm_t) - ') - - optional_policy(` - consolekit_dbus_chat(xdm_t) -+ consolekit_read_log(xdm_t) - ') - - optional_policy(` -@@ -514,12 +865,57 @@ optional_policy(` - ') - - optional_policy(` -+ dbus_system_bus_client(xdm_t) -+ dbus_connect_system_bus(xdm_t) -+ -+ optional_policy(` -+ bluetooth_dbus_chat(xdm_t) -+ ') -+ -+ optional_policy(` -+ cpufreqselector_dbus_chat(xdm_t) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat_disk(xdm_t) -+ devicekit_dbus_chat_power(xdm_t) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat(xdm_t) -+ ') -+ -+ optional_policy(` -+ gnomeclock_dbus_chat(xdm_t) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat(xdm_t) -+ ') -+') -+ -+optional_policy(` - # Talk to the console mouse server. 
- gpm_stream_connect(xdm_t) - gpm_setattr_gpmctl(xdm_t) - ') - - optional_policy(` -+ gnome_stream_connect_gkeyringd(xdm_t) -+ gnome_exec_gstreamer_home_files(xdm_t) -+ gnome_exec_keyringd(xdm_t) -+ gnome_delete_gkeyringd_tmp_content(xdm_t) -+ gnome_manage_config(xdm_t) -+ gnome_manage_gconf_home_files(xdm_t) -+ #gnome_filetrans_home_content(xdm_t) -+ gnome_read_config(xdm_t) -+ gnome_read_usr_config(xdm_t) -+ gnome_read_gconf_config(xdm_t) -+ gnome_transition_gkeyringd(xdm_t) -+ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") -+') -+ -+optional_policy(` - hostname_exec(xdm_t) - ') - -@@ -537,28 +933,78 @@ optional_policy(` - ') - - optional_policy(` -+ policykit_dbus_chat(xdm_t) -+ policykit_domtrans_auth(xdm_t) -+ policykit_read_lib(xdm_t) -+ policykit_read_reload(xdm_t) -+ policykit_signal_auth(xdm_t) -+') -+ -+optional_policy(` -+ pcscd_stream_connect(xdm_t) -+') -+ -+optional_policy(` -+ plymouthd_search_spool(xdm_t) -+ plymouthd_exec_plymouth(xdm_t) -+ plymouthd_stream_connect(xdm_t) -+ plymouthd_read_log(xdm_t) -+') -+ -+optional_policy(` -+ pulseaudio_exec(xdm_t) -+ pulseaudio_dbus_chat(xdm_t) -+ pulseaudio_stream_connect(xdm_t) -+ pulseaudio_read_state(xserver_t) -+') -+ -+optional_policy(` - resmgr_stream_connect(xdm_t) - ') - - optional_policy(` -+ rhev_stream_connect_agentd(xdm_t) -+ rhev_read_pid_files_agentd(xdm_t) -+') -+ -+# On crash gdm execs gdb to dump stack -+optional_policy(` -+ rpm_exec(xdm_t) -+ rpm_read_db(xdm_t) -+ rpm_dontaudit_manage_db(xdm_t) -+ rpm_dontaudit_dbus_chat(xdm_t) -+') -+ -+optional_policy(` -+ rtkit_scheduled(xdm_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(xdm_t) - ') - - optional_policy(` -- udev_read_db(xdm_t) -+ ssh_signull(xdm_t) - ') - - optional_policy(` -- unconfined_domain(xdm_t) -- unconfined_domtrans(xdm_t) -+ shutdown_domtrans(xdm_t) -+') - -- ifndef(`distro_redhat',` -- allow xdm_t self:process { execheap execmem }; -- ') -+optional_policy(` -+ telepathy_exec(xdm_t) -+') - -- 
ifdef(`distro_rhel4',` -- allow xdm_t self:process { execheap execmem }; -- ') -+optional_policy(` -+ udev_read_db(xdm_t) -+') -+ -+optional_policy(` -+ unconfined_signal(xdm_t) -+') -+ -+optional_policy(` -+ usbmuxd_stream_connect(xdm_t) - ') - - optional_policy(` -@@ -570,6 +1016,14 @@ optional_policy(` - ') - - optional_policy(` -+ vdagent_stream_connect(xdm_t) -+') -+ -+optional_policy(` -+ wm_exec(xdm_t) -+') -+ -+optional_policy(` - xfs_stream_connect(xdm_t) - ') - -@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; - type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; - - allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; --allow xserver_t input_xevent_t:x_event send; -+allow xserver_t xevent_type:x_event send; - - # setuid/setgid for the wrapper program to change UID - # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send; - # execheap needed until the X module loader is fixed. 
- # NVIDIA Needs execstack
- 
--allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+
- dontaudit xserver_t self:capability chown;
-+allow xserver_t self:capability2 compromise_kernel;
-+
- allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow xserver_t self:fd use;
- allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
- allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow xserver_t self:tcp_socket create_stream_socket_perms;
- allow xserver_t self:udp_socket create_socket_perms;
-+allow xserver_t self:netlink_selinux_socket create_socket_perms;
- allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
-+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-+
-+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
-+
-+allow xserver_t xauth_home_t:file read_file_perms;
-+
- manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
- manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
- manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
- 
- filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
- 
-+allow xserver_t xserver_etc_t:dir list_dir_perms;
-+read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
-+read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
-+
- manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
- manage_lnk_files_pattern(xserver_t, 
xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) - manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) - files_search_var_lib(xserver_t) - --domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) --allow xserver_t xauth_home_t:file read_file_perms; -+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) -+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) -+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) -+ -+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) -+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) -+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) -+files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) - - # Create files in /var/log with the xserver_log_t type. - manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) - logging_log_filetrans(xserver_t, xserver_log_t, file) -+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) - - kernel_read_system_state(xserver_t) - kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t) - # Xorg wants to check if kernel is tainted - kernel_read_kernel_sysctls(xserver_t) - kernel_write_proc_files(xserver_t) -+kernel_request_load_module(xserver_t) - - # Run helper programs in xserver_t. 
- corecmd_exec_bin(xserver_t) - corecmd_exec_shell(xserver_t) - --corenet_all_recvfrom_unlabeled(xserver_t) - corenet_all_recvfrom_netlabel(xserver_t) - corenet_tcp_sendrecv_generic_if(xserver_t) - corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) - dev_rw_agp(xserver_t) - dev_rw_framebuffer(xserver_t) - dev_manage_dri_dev(xserver_t) --dev_filetrans_dri(xserver_t) - dev_create_generic_dirs(xserver_t) - dev_setattr_generic_dirs(xserver_t) - # raw memory access is needed if not using the frame buffer - dev_read_raw_memory(xserver_t) - dev_wx_raw_memory(xserver_t) -+dev_read_urand(xserver_t) - # for other device nodes such as the NVidia binary-only driver --dev_rw_xserver_misc(xserver_t) -+dev_manage_xserver_misc(xserver_t) -+dev_filetrans_xserver_misc(xserver_t) -+ - # read events - the synaptics touchpad driver reads raw events - dev_rw_input_dev(xserver_t) -+dev_write_raw_memory(xserver_t) - dev_rwx_zero(xserver_t) - --domain_dontaudit_search_all_domains_state(xserver_t) -+domain_dontaudit_read_all_domains_state(xserver_t) -+domain_signal_all_domains(xserver_t) - - files_read_etc_files(xserver_t) - files_read_etc_runtime_files(xserver_t) - files_read_usr_files(xserver_t) -+files_rw_tmpfs_files(xserver_t) - - # brought on by rhgb - files_search_mnt(xserver_t) -@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) - fs_search_nfs(xserver_t) - fs_search_auto_mountpoints(xserver_t) - fs_search_ramfs(xserver_t) -- -+fs_rw_tmpfs_files(xserver_t) -+ -+mls_file_read_to_clearance(xserver_t) -+mls_file_write_all_levels(xserver_t) -+mls_file_upgrade(xserver_t) -+mls_process_write_to_clearance(xserver_t) -+mls_socket_read_to_clearance(xserver_t) -+mls_sysvipc_read_to_clearance(xserver_t) -+mls_sysvipc_write_to_clearance(xserver_t) -+mls_trusted_object(xserver_t) - mls_xwin_read_to_clearance(xserver_t) - - selinux_validate_context(xserver_t) -@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) - term_setattr_unallocated_ttys(xserver_t) - 
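Review bot: `dev_write_raw_memory(xserver_t)` is added a few lines below the retained `dev_wx_raw_memory(xserver_t)`; if the wx interface already covers write, the new call is redundant and should be dropped, otherwise a comment should state what the separate interface adds. In the same hunk `domain_signal_all_domains(xserver_t)` replaces nothing and has no explanation, and the following hunk adds `mls_file_write_all_levels(xserver_t)` and `mls_trusted_object(xserver_t)` equally uncommented. Since these widen xserver_t to every domain and every MLS level, each deserves a one-line reason in the style used elsewhere in the file, e.g. `# signal all domains: needed for <TODO> on session teardown`.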
term_use_unallocated_ttys(xserver_t) - --getty_use_fds(xserver_t) -- - locallogin_use_fds(xserver_t) - - logging_send_syslog_msg(xserver_t) - logging_send_audit_msgs(xserver_t) - --miscfiles_read_localization(xserver_t) - miscfiles_read_fonts(xserver_t) -- --modutils_domtrans_insmod(xserver_t) -+miscfiles_read_hwdata(xserver_t) - - # read x_contexts - seutil_read_default_contexts(xserver_t) -+seutil_read_config(xserver_t) -+seutil_read_file_contexts(xserver_t) - - userdom_search_user_home_dirs(xserver_t) - userdom_use_user_ttys(xserver_t) -@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) - userdom_read_user_tmp_files(xserver_t) - userdom_rw_user_tmpfs_files(xserver_t) - --xserver_use_user_fonts(xserver_t) -- - ifndef(`distro_redhat',` - allow xserver_t self:process { execmem execheap execstack }; - domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1260,44 @@ optional_policy(` - ') - - optional_policy(` -+ consolekit_read_state(xserver_t) -+') -+ -+optional_policy(` -+ devicekit_signal_power(xserver_t) -+') -+ -+optional_policy(` -+ getty_use_fds(xserver_t) -+') -+ -+optional_policy(` -+ modutils_domtrans_insmod(xserver_t) -+') -+ -+optional_policy(` - rhgb_getpgid(xserver_t) - rhgb_signal(xserver_t) - ') - - optional_policy(` -+ setrans_translate_context(xserver_t) -+') -+ -+optional_policy(` -+ sandbox_rw_xserver_tmpfs_files(xserver_t) -+') -+ -+optional_policy(` -+ tcpd_wrapped_domain(xserver_t, xserver_exec_t) -+') -+ -+optional_policy(` - udev_read_db(xserver_t) - ') - - optional_policy(` -- unconfined_domain_noaudit(xserver_t) -+ unconfined_domain(xserver_t) - unconfined_domtrans(xserver_t) - ') - -@@ -793,6 +1306,10 @@ optional_policy(` - ') - - optional_policy(` -+ wine_rw_shm(xserver_t) -+') -+ -+optional_policy(` - xfs_stream_connect(xserver_t) - ') - -@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; - - # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open - # handle of a file inside the dir!!! 
--allow xserver_t xdm_var_lib_t:file { getattr read }; --dontaudit xserver_t xdm_var_lib_t:dir search; -+allow xserver_t xdm_var_lib_t:file read_file_perms; -+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; - --allow xserver_t xdm_var_run_t:file read_file_perms; -+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) - - # Label pid and temporary files with derived types. - manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) - manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) - - # Run xkbcomp. --allow xserver_t xkb_var_lib_t:lnk_file read; -+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; - can_exec(xserver_t, xkb_var_lib_t) - - # VNC v4 module in X server -@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) - # to read ROLE_home_t - examine this in more detail - # (xauth?) - userdom_read_user_home_content_files(xserver_t) -+userdom_read_all_users_state(xserver_t) -+userdom_home_manager(xserver_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(xserver_t) -- fs_manage_nfs_files(xserver_t) -- fs_manage_nfs_symlinks(xserver_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(xserver_t) -- fs_manage_cifs_files(xserver_t) -- fs_manage_cifs_symlinks(xserver_t) --') -+xserver_use_user_fonts(xserver_t) - - optional_policy(` - dbus_system_bus_client(xserver_t) -- hal_dbus_chat(xserver_t) -+ -+ optional_policy(` -+ hal_dbus_chat(xserver_t) -+ ') - ') - - optional_policy(` -- resmgr_stream_connect(xdm_t) -+ mono_rw_shm(xserver_t) - ') - - optional_policy(` -@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy - allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; - # operations allowed on my windows - allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child 
remove_child manage send receive }; --allow x_domain self:x_drawable { blend }; -+allow x_domain self:x_drawable blend; - # operations allowed on all windows - allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; - -@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; - # can mess with the screensaver - allow x_domain xserver_t:x_screen { getattr saver_getattr }; - -+# Device rules -+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; -+allow x_domain xserver_t:x_screen getattr; -+ - ######################################## - # - # Rules for unconfined access to this module - # - -+allow xserver_unconfined_type xserver_t:x_server *; -+allow xserver_unconfined_type xdrawable_type:x_drawable *; -+allow xserver_unconfined_type xserver_t:x_screen *; -+allow xserver_unconfined_type x_domain:x_gc *; -+allow xserver_unconfined_type xcolormap_type:x_colormap *; -+allow xserver_unconfined_type xproperty_type:x_property *; -+allow xserver_unconfined_type xselection_type:x_selection *; -+allow xserver_unconfined_type x_domain:x_cursor *; -+allow xserver_unconfined_type x_domain:x_client *; -+allow xserver_unconfined_type { x_domain xserver_t }:x_device *; -+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; -+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; -+allow xserver_unconfined_type xextension_type:x_extension *; -+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; -+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -+ - tunable_policy(`! xserver_object_manager',` - # should be xserver_unconfined(x_domain), - # but typeattribute doesnt work in conditionals -@@ -982,18 +1514,150 @@ tunable_policy(`! 
xserver_object_manager',` - allow x_domain xevent_type:{ x_event x_synthetic_event } *; - ') - --allow xserver_unconfined_type xserver_t:x_server *; --allow xserver_unconfined_type xdrawable_type:x_drawable *; --allow xserver_unconfined_type xserver_t:x_screen *; --allow xserver_unconfined_type x_domain:x_gc *; --allow xserver_unconfined_type xcolormap_type:x_colormap *; --allow xserver_unconfined_type xproperty_type:x_property *; --allow xserver_unconfined_type xselection_type:x_selection *; --allow xserver_unconfined_type x_domain:x_cursor *; --allow xserver_unconfined_type x_domain:x_client *; --allow xserver_unconfined_type { x_domain xserver_t }:x_device *; --allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; --allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; --allow xserver_unconfined_type xextension_type:x_extension *; --allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; --allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -+tunable_policy(`xserver_execmem',` -+ allow xserver_t self:process { execheap execmem execstack }; -+') -+ -+# Hack to handle the problem of using the nvidia blobs -+tunable_policy(`deny_execmem',`',` -+ allow xdm_t self:process execmem; -+') -+ -+tunable_policy(`selinuxuser_execstack',` -+ allow xdm_t self:process { execstack execmem }; -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_append_nfs_files(xdmhomewriter) -+') -+ -+optional_policy(` -+ unconfined_rw_shm(xserver_t) -+ -+ # xserver signals unconfined user on startx -+ unconfined_signal(xserver_t) -+ unconfined_getpgid(xserver_t) -+') -+ -+allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms; -+can_exec(xdm_t, xdm_unconfined_exec_t) -+ -+optional_policy(` -+ type xdm_unconfined_t; -+ domain_type(xdm_unconfined_t) -+ domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t) -+ role system_r types xdm_unconfined_t; -+ -+ domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t) -+ 
unconfined_domain(xdm_unconfined_t) -+') -+ -+# X Userdomain -+# Xserver read/write client shm -+allow xserver_t x_userdomain:fd use; -+allow xserver_t x_userdomain:shm rw_shm_perms; -+ -+allow xserver_t x_userdomain:process { getpgid signal }; -+ -+allow xserver_t x_userdomain:shm rw_shm_perms; -+ -+allow x_userdomain user_fonts_t:dir list_dir_perms; -+allow x_userdomain user_fonts_t:file read_file_perms; -+allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms; -+ -+allow x_userdomain user_fonts_config_t:dir list_dir_perms; -+allow x_userdomain user_fonts_config_t:file read_file_perms; -+ -+manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) -+manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) -+ -+stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t) -+allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms; -+dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms; -+files_search_tmp(x_userdomain) -+ -+# Communicate via System V shared memory. 
-+allow x_userdomain xserver_t:shm r_shm_perms; -+allow x_userdomain xserver_tmpfs_t:file read_file_perms; -+ -+# allow ps to show iceauth -+ps_process_pattern(x_userdomain, iceauth_t) -+ -+domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t) -+ -+allow x_userdomain iceauth_home_t:file read_file_perms; -+ -+domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t) -+ -+allow x_userdomain xauth_t:process signal; -+ -+# allow ps to show xauth -+ps_process_pattern(x_userdomain, xauth_t) -+allow x_userdomain xserver_t:process signal; -+ -+allow x_userdomain xauth_home_t:file read_file_perms; -+ -+# for when /tmp/.X11-unix is created by the system -+allow x_userdomain xdm_t:fd use; -+allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms; -+allow x_userdomain xdm_tmp_t:dir search_dir_perms; -+allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms; -+dontaudit x_userdomain xdm_t:tcp_socket { read write }; -+dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms; -+ -+allow x_userdomain xdm_t:dbus send_msg; -+allow xdm_t x_userdomain:dbus send_msg; -+ -+# Client read xserver shm -+allow x_userdomain xserver_t:fd use; -+allow x_userdomain xserver_tmpfs_t:file read_file_perms; -+ -+# Read /tmp/.X0-lock -+allow x_userdomain xserver_tmp_t:file read_inherited_file_perms; -+ -+dev_rw_xserver_misc(x_userdomain) -+dev_rw_power_management(x_userdomain) -+dev_read_input(x_userdomain) -+dev_read_misc(x_userdomain) -+dev_write_misc(x_userdomain) -+# open office is looking for the following -+dev_getattr_agp_dev(x_userdomain) -+ -+# GNOME checks for usb and other devices: -+dev_rw_usbfs(x_userdomain) -+ -+miscfiles_read_fonts(x_userdomain) -+miscfiles_setattr_fonts_cache_dirs(x_userdomain) -+miscfiles_read_hwdata(x_userdomain) -+ -+#xserver_common_x_domain_template(user, x_userdomain) -+xserver_domtrans(x_userdomain) -+#xserver_unconfined(x_userdomain) -+xserver_xsession_entry_type(x_userdomain) -+xserver_dontaudit_write_log(x_userdomain) 
-+#xserver_stream_connect_xdm(x_userdomain) -+# certain apps want to read xdm.pid file -+xserver_read_xdm_pid(x_userdomain) -+# gnome-session creates socket under /tmp/.ICE-unix/ -+xserver_create_xdm_tmp_sockets(x_userdomain) -+# Needed for escd, remove if we get escd policy -+xserver_manage_xdm_tmp_files(x_userdomain) -+xserver_read_xdm_etc_files(x_userdomain) -+#xserver_xdm_append_log(x_userdomain) -+ -+term_use_virtio_console(x_userdomain) -+# Client write xserver shm -+tunable_policy(`xserver_clients_write_xshm',` -+ allow x_userdomain xserver_t:shm rw_shm_perms; -+ allow x_userdomain xserver_tmpfs_t:file rw_file_perms; -+') -+ -+optional_policy(` -+ gnome_read_gconf_config(x_userdomain) -+') -+ -+tunable_policy(`selinuxuser_direct_dri_enabled',` -+ dev_rw_dri(dridomain) -+',` -+ dev_dontaudit_rw_dri(dridomain) -+') -diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..be02b96 100644 ---- a/policy/modules/system/application.if -+++ b/policy/modules/system/application.if -@@ -43,6 +43,27 @@ interface(`application_executable_file',` - corecmd_executable_file($1) - ') - -+####################################### -+## -+## Make the specified type usable for files -+## that are exectuables, such as binary programs. -+## This does not include shared libraries. -+## -+## -+## -+## Type to be used for files. -+## -+## -+# -+interface(`application_executable_ioctl',` -+ gen_require(` -+ attribute application_exec_type; -+ ') -+ -+ allow $1 application_exec_type:file ioctl; -+ -+') -+ - ######################################## - ## - ## Execute application executables in the caller domain. -@@ -76,13 +97,30 @@ interface(`application_exec_all',` - corecmd_dontaudit_exec_all_executables($1) - corecmd_exec_bin($1) - corecmd_exec_shell($1) -- corecmd_exec_chroot($1) - - application_exec($1) - ') - - ######################################## - ## -+## Dontaudit execute all executable files. 
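Review bot: The x_userdomain block repeats rules: `allow xserver_t x_userdomain:shm rw_shm_perms;` appears twice within a few lines, and `allow x_userdomain xserver_tmpfs_t:file read_file_perms;` appears once under "Communicate via System V shared memory" and again under "Client read xserver shm". Duplicates are merged by the compiler, but they make the intended SHM access harder to audit; keep one copy of each under the comment that describes it. The commented-out interface calls (`#xserver_common_x_domain_template`, `#xserver_unconfined(x_userdomain)`, `#xserver_stream_connect_xdm`, `#xserver_xdm_append_log`) are dead code and should either be removed or replaced by a comment saying why they are not applied.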
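Review bot: The summary of the new `application_executable_ioctl` interface is copied from `application_executable_file` ("Make the specified type usable for files that are exectuables ... This does not include shared libraries." with parameter text "Type to be used for files.") and does not describe what the body does, which is `allow $1 application_exec_type:file ioctl;`. Replace the summary with `Allow the specified domain to perform ioctl on application executable files.` and the parameter description with `Domain allowed access.`, which also fixes the "exectuables" typo. The stray blank line before the closing `')` is inconsistent with the other interfaces in the file.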
-+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`application_dontaudit_exec',` -+ gen_require(` -+ attribute application_exec_type; -+ ') -+ -+ dontaudit $1 application_exec_type:file execute; -+') -+ -+######################################## -+## - ## Create a domain for applications. - ## - ## -@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',` - - ######################################## - ## -+## Send kill signals to all application domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`application_sigkill',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ allow $1 application_domain_type:process sigkill; -+') -+ -+######################################## -+## - ## Do not audit attempts to send kill signals - ## to all application domains. - ## -@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',` - - dontaudit $1 application_domain_type:process sigkill; - ') -+ -+####################################### -+## -+## Getattr all application sockets. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`application_getattr_socket',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ allow $1 application_domain_type:socket_class_set getattr; -+') -diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..af71c62 100644 ---- a/policy/modules/system/application.te -+++ b/policy/modules/system/application.te -@@ -6,15 +6,40 @@ attribute application_domain_type; - # Executables to be run by user - attribute application_exec_type; - -+domain_use_interactive_fds(application_domain_type) -+ -+userdom_inherit_append_user_home_content_files(application_domain_type) -+userdom_inherit_append_admin_home_files(application_domain_type) -+userdom_inherit_append_user_tmp_files(application_domain_type) -+userdom_rw_inherited_user_tmp_files(application_domain_type) -+userdom_rw_inherited_user_pipes(application_domain_type) -+logging_inherit_append_all_logs(application_domain_type) -+ -+files_dontaudit_search_non_security_dirs(application_domain_type) -+ -+auth_login_pgm_sigchld(application_domain_type) -+ -+optional_policy(` -+ afs_rw_udp_sockets(application_domain_type) -+') -+ - optional_policy(` -+ cfengine_append_inherited_log(application_domain_type) -+') -+ -+optional_policy(` -+ cron_rw_inherited_user_spool_files(application_domain_type) - cron_sigchld(application_domain_type) - ') - - optional_policy(` -- ssh_sigchld(application_domain_type) - ssh_rw_stream_sockets(application_domain_type) - ') - - optional_policy(` -+ screen_sigchld(application_domain_type) -+') -+ -+optional_policy(` - sudo_sigchld(application_domain_type) - ') -diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..003b09a 100644 ---- a/policy/modules/system/authlogin.fc -+++ b/policy/modules/system/authlogin.fc -@@ -1,14 +1,28 @@ -+HOME_DIR/\.yubico(/.*)? 
gen_context(system_u:object_r:auth_home_t,s0) -+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) -+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) - - /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) - --/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) --/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) -+/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) - /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) --/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) -+/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0) - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) -+/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) -+/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) -+/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/group[-\+]? 
-- gen_context(system_u:object_r:passwd_file_t,s0) - - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) --/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) -+/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -@@ -16,13 +30,24 @@ ifdef(`distro_suse', ` - /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') - -+/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -+ - /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) - --/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) --/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) -+/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) -+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) -+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ifdef(`distro_gentoo', ` - /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') -+/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) -+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+ -+/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+ -+/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - - /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) - -@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', ` - - /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/lib/pam_ssh(/.*)? 
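Review bot: Relabelling `/etc/\.pwd\.lock`, `/etc/group\.lock` and `/etc/passwd\.lock` from shadow_t to passwd_file_t means every domain with write access to passwd_file_t can now create or hold the lock files that guard password-database updates, while `/etc/shadow.*` and `/etc/gshadow.*` stay shadow_t. Whether that is acceptable depends on which domains are granted passwd_file_t write elsewhere, which this hunk does not show. A comment above the lock entries stating why they no longer need shadow_t protection (for example `# lock files carry no secrets; label with the passwd database type`) would make the decision reviewable.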
gen_context(system_u:object_r:var_auth_t,s0) -+/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - - /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) - /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) --/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) --/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) -+/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0) -+/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0) - /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) --/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) -+/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0) - /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) - -+/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+ - /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) - /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) - /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) - /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) --/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..08c3e93 100644 ---- a/policy/modules/system/authlogin.if -+++ b/policy/modules/system/authlogin.if -@@ -23,11 +23,17 @@ interface(`auth_role',` - role $1 types chkpwd_t; - - # Transition from the user domain to this domain. 
-- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) -+ auth_domtrans_chkpwd($2) - - ps_process_pattern($2, chkpwd_t) - - dontaudit $2 shadow_t:file read_file_perms; -+ -+ logging_send_syslog_msg($2) -+ logging_send_audit_msgs($2) -+ -+ usermanage_read_crack_db($2) -+ - ') - - ######################################## -@@ -53,10 +59,13 @@ interface(`auth_use_pam',` - auth_read_login_records($1) - auth_append_login_records($1) - auth_rw_lastlog($1) -- auth_rw_faillog($1) -+ auth_create_lastlog($1) -+ auth_manage_faillog($1) - auth_exec_pam($1) - auth_use_nsswitch($1) - -+ init_rw_stream_sockets($1) -+ - logging_send_audit_msgs($1) - logging_send_syslog_msg($1) - -@@ -78,8 +87,19 @@ interface(`auth_use_pam',` - ') - - optional_policy(` -+ locallogin_getattr_home_content($1) -+ ') -+ -+ optional_policy(` - nis_authenticate($1) - ') -+ -+ optional_policy(` -+ systemd_dbus_chat_logind($1) -+ systemd_use_fds_logind($1) -+ systemd_write_inherited_logind_sessions_pipes($1) -+ systemd_read_logind_sessions_files($1) -+ ') - ') - - ######################################## -@@ -95,48 +115,20 @@ interface(`auth_use_pam',` - interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t, auth_cache_t; -+ attribute polydomain; -+ attribute login_pgm; - ') - - domain_type($1) -+ typeattribute $1 polydomain; -+ typeattribute $1 login_pgm; -+ - domain_subj_id_change_exemption($1) - domain_role_change_exemption($1) - domain_obj_id_change_exemption($1) - role system_r types $1; - -- # Needed for pam_selinux_permit to cleanup properly -- domain_read_all_domains_state($1) -- domain_kill_all_domains($1) -- -- # pam_keyring -- allow $1 self:capability ipc_lock; -- allow $1 self:process setkeycreate; -- allow $1 self:key manage_key_perms; -- -- files_list_var_lib($1) -- manage_files_pattern($1, var_auth_t, var_auth_t) -- -- manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -- manage_files_pattern($1, auth_cache_t, auth_cache_t) -- manage_sock_files_pattern($1, auth_cache_t, 
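Review bot: `usermanage_read_crack_db($2)` is called directly inside `auth_role`, not within an `optional_policy` block, so authlogin.if now hard-depends on the usermanage module being present in every build that uses `auth_role`; the neighbouring `logging_*` calls are system-layer, but usermanage is not. Unless usermanage is guaranteed in this tree, wrap it as `optional_policy(` / `usermanage_read_crack_db($2)` / `')`. The trailing blank line before `')` also departs from the file's style.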
auth_cache_t) -- files_var_filetrans($1, auth_cache_t, dir) -- -- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 -- kernel_rw_afs_state($1) -- -- # for fingerprint readers -- dev_rw_input_dev($1) -- dev_rw_generic_usb_dev($1) -- -- files_read_etc_files($1) -- -- fs_list_auto_mountpoints($1) -- - selinux_get_fs_mount($1) -- selinux_validate_context($1) -- selinux_compute_access_vector($1) -- selinux_compute_create_context($1) -- selinux_compute_relabel_context($1) -- selinux_compute_user_contexts($1) - - mls_file_read_all_levels($1) - mls_file_write_all_levels($1) -@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',` - mls_fd_share_all_levels($1) - - auth_use_pam($1) -+') - -- init_rw_utmp($1) -- -- logging_set_loginuid($1) -- logging_set_tty_audit($1) -+######################################## -+## -+## Read authlogin state files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authlogin_read_state',` -+ gen_require(` -+ attribute polydomain; -+ ') - -- seutil_read_config($1) -- seutil_read_default_contexts($1) -+ kernel_search_proc($1) -+ ps_process_pattern($1, polydomain) -+') - -- tunable_policy(`allow_polyinstantiation',` -- files_polyinstantiate_all($1) -+######################################## -+## -+## Read and write a authlogin unnamed pipe. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authlogin_rw_pipes',` -+ gen_require(` -+ attribute polydomain; - ') -+ -+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',` - - ######################################## - ## -+## Execute a login_program in the caller domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`auth_exec_login_program',` -+ gen_require(` -+ type login_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, login_exec_t) -+') -+ -+######################################## -+## - ## Execute a login_program in the target domain, - ## with a range transition. - ## -@@ -322,6 +358,24 @@ interface(`auth_rw_cache',` - - ######################################## - ## -+## Create authentication cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_create_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') -+ -+ create_files_pattern($1, auth_cache_t, auth_cache_t) -+') -+ -+######################################## -+## - ## Manage authentication cache - ## - ## -@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',` - optional_policy(` - samba_stream_connect_winbind($1) - ') -+ -+ auth_domtrans_upd_passwd($1) - ') - - ######################################## -@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',` - - ######################################## - ## -+## Execute chkpwd in the caller domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`auth_exec_chkpwd',` -+ gen_require(` -+ type chkpwd_exec_t; -+ ') -+ -+ allow $1 chkpwd_exec_t:file execute; -+') -+ -+######################################## -+## - ## Execute chkpwd programs in the chkpwd domain. - ## - ## -@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',` - - auth_domtrans_chk_passwd($1) - role $2 types chkpwd_t; -+ auth_run_upd_passwd($1, $2) -+') -+ -+######################################## -+## -+## Send generic signals to chkpwd processes. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`auth_signal_chk_passwd',` -+ gen_require(` -+ type chkpwd_t; -+ ') -+ -+ allow $1 chkpwd_t:process signal; - ') - - ######################################## -@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',` - - domtrans_pattern($1, updpwd_exec_t, updpwd_t) - auth_dontaudit_read_shadow($1) -- - ') - - ######################################## -@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',` - - allow $1 shadow_t:file manage_file_perms; - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; -+ files_var_filetrans($1, shadow_t, file, "shadow") -+ files_var_filetrans($1, shadow_t, file, "shadow-") -+ files_etc_filetrans($1, shadow_t, file, "gshadow") -+ files_etc_filetrans($1, shadow_t, file, "nshadow") - ') - - ####################################### -@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',` - ') - - logging_search_logs($1) -- allow $1 faillog_t:file rw_file_perms; -+ rw_files_pattern($1, faillog_t, faillog_t) -+') -+ -+######################################## -+## -+## Relabel the login failure log. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_relabel_faillog',` -+ gen_require(` -+ type faillog_t; -+ ') -+ -+ allow $1 faillog_t:dir relabel_dir_perms; -+ allow $1 faillog_t:file relabel_file_perms; -+') -+ -+######################################## -+## -+## Manage the login failure log. -+## -+## -+## -+## Domain allowed access. 
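Review bot: In `auth_manage_shadow` the two new transitions for the shadow file use `files_var_filetrans`, while the gshadow and nshadow ones use `files_etc_filetrans`; the shadow database lives in /etc according to the authlogin.fc entry `/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)`, so a var_t-based transition would not fire where the file is actually created. Unless there is a /var copy of shadow that I cannot see here, change the two lines to `files_etc_filetrans($1, shadow_t, file, "shadow")` and `files_etc_filetrans($1, shadow_t, file, "shadow-")` so that a newly written shadow file gets shadow_t rather than the directory's default.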
-+## -+## -+# -+interface(`auth_manage_faillog',` -+ gen_require(` -+ type faillog_t; -+ ') -+ -+ logging_search_logs($1) -+ files_search_pids($1) -+ allow $1 faillog_t:dir manage_dir_perms; -+ allow $1 faillog_t:file manage_file_perms; -+ logging_log_named_filetrans($1, faillog_t, file, "tallylog") -+ logging_log_named_filetrans($1, faillog_t, file, "faillog") -+ logging_log_named_filetrans($1, faillog_t, file, "btmp") - ') - - ####################################### -@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',` - allow $1 lastlog_t:file { rw_file_perms lock setattr }; - ') - -+####################################### -+## -+## Manage create logins log. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_create_lastlog',` -+ gen_require(` -+ type lastlog_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 lastlog_t:file create; -+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") -+') -+ - ######################################## - ## --## Execute pam programs in the pam domain. -+## Execute pam timestamp programs in the pam timestamp domain. - ## - ## - ## -@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',` - ## - ## - # --interface(`auth_domtrans_pam',` -+interface(`auth_domtrans_pam_timestamp',` - gen_require(` -- type pam_t, pam_exec_t; -+ type pam_timestamp_t, pam_timestamp_exec_t; - ') - -- domtrans_pattern($1, pam_exec_t, pam_t) -+ domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t) -+') -+ -+######################################## -+## -+## Execute pam timestamp programs in the pam timestamp domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`auth_domtrans_pam',` -+ auth_domtrans_pam_timestamp($1) -+ refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.') - ') - - ######################################## -@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',` - # - interface(`auth_signal_pam',` - gen_require(` -- type pam_t; -+ type pam_timestamp_t; - ') - -- allow $1 pam_t:process signal; -+ allow $1 pam_timestamp_t:process signal; - ') - - ######################################## - ## --## Execute pam programs in the PAM domain. -+## Execute pam_timestamp programs in the PAM timestamp domain. - ## - ## - ## -@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',` - ## - ## - # --interface(`auth_run_pam',` -+interface(`auth_run_pam_timestamp',` - gen_require(` -- type pam_t; -+ type pam_timestamp_t; - ') - -- auth_domtrans_pam($1) -- role $2 types pam_t; -+ auth_domtrans_pam_timestamp($1) -+ role $2 types pam_timestamp_t; -+') -+ -+######################################## -+## -+## Execute pam_timestamp programs in the PAM timestamp domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The role to allow the PAM domain. -+## -+## -+# -+interface(`auth_run_pam',` -+ auth_run_pam_timestamp($1, $2) -+ refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.') - ') - - ######################################## -@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',` - ') - - files_search_var($1) -- allow $1 var_auth_t:dir manage_dir_perms; -- allow $1 var_auth_t:file rw_file_perms; -- allow $1 var_auth_t:lnk_file rw_lnk_file_perms; -+ -+ manage_dirs_pattern($1, var_auth_t, var_auth_t) -+ manage_files_pattern($1, var_auth_t, var_auth_t) -+ manage_lnk_files_pattern($1, var_auth_t, var_auth_t) -+') -+ -+######################################## -+## -+## Relabel all var auth files. Used by various other applications -+## and pam applets etc. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`auth_relabel_var_auth_dirs',` -+ gen_require(` -+ type var_auth_t; -+ ') -+ -+ files_search_var($1) -+ relabel_dirs_pattern($1, var_auth_t, var_auth_t) - ') - - ######################################## -@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',` - files_search_pids($1) - allow $1 pam_var_run_t:dir manage_dir_perms; - allow $1 pam_var_run_t:file manage_file_perms; -+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") -+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") -+ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") -+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo") - ') - - ######################################## -@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',` - files_search_pids($1) - manage_files_pattern($1, pam_var_console_t, pam_var_console_t) - manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) -+ files_pid_filetrans($1, pam_var_console_t, dir, "console") - ') - - ####################################### -@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',` - - ######################################## - ## -+## Relabel login record files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_relabel_login_records',` -+ gen_require(` -+ type wtmp_t; -+ ') -+ -+ allow $1 wtmp_t:file relabel_file_perms; -+') -+ -+ -+######################################## -+## - ## Read login records files (/var/log/wtmp). - ## - ## -@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',` - - logging_rw_generic_log_dirs($1) - allow $1 wtmp_t:file manage_file_perms; --') -- --######################################## --## --## Relabel login record files. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`auth_relabel_login_records',` -- gen_require(` -- type wtmp_t; -- ') -- -- allow $1 wtmp_t:file relabel_file_perms; -+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") - ') - - ######################################## -@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',` - ## - # - interface(`auth_use_nsswitch',` -- gen_require(` -- attribute nsswitch_domain; -- ') -+ gen_require(` -+ attribute nsswitch_domain; -+ ') - - typeattribute $1 nsswitch_domain; -+ -+ corenet_all_recvfrom_netlabel($1) - ') - - ######################################## -@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',` - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; - ') -+ -+######################################## -+## -+## Transition to authlogin named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_filetrans_named_content',` -+ gen_require(` -+ type shadow_t; -+ type passwd_file_t; -+ type faillog_t; -+ type lastlog_t; -+ type wtmp_t; -+ type pam_var_console_t; -+ type pam_var_run_t; -+ type auth_cache_t; -+ ') -+ -+ files_etc_filetrans($1, passwd_file_t, file, "group") -+ files_etc_filetrans($1, passwd_file_t, file, "group-") -+ #files_etc_filetrans($1, passwd_file_t, file, "group+") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd-") -+ #files_etc_filetrans($1, passwd_file_t, file, "passwd+") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD") -+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") -+ files_etc_filetrans($1, passwd_file_t, file, "group.lock") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct") -+ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") -+ files_etc_filetrans($1, shadow_t, file, "shadow") -+ files_etc_filetrans($1, shadow_t, file, "shadow-") -+ files_etc_filetrans($1, 
shadow_t, file, "gshadow") -+ files_etc_filetrans($1, shadow_t, file, "opasswd") -+ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") -+ logging_log_named_filetrans($1, faillog_t, file, "tallylog") -+ logging_log_named_filetrans($1, faillog_t, file, "faillog") -+ logging_log_named_filetrans($1, faillog_t, file, "btmp") -+ files_pid_filetrans($1, faillog_t, file, "faillog") -+ files_pid_filetrans($1, faillog_t, dir, "faillock") -+ files_pid_filetrans($1, pam_var_console_t, dir, "console") -+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") -+ files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") -+ files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") -+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo") -+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") -+ files_var_filetrans($1, auth_cache_t, dir, "coolkey") -+') -+ -+######################################## -+## -+## Get the attributes of the passwd passwords file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_getattr_passwd',` -+ gen_require(` -+ type passwd_file_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 passwd_file_t:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of the passwd passwords file. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`auth_dontaudit_getattr_passwd',` -+ gen_require(` -+ type passwd_file_t; -+ ') -+ -+ dontaudit $1 passwd_file_t:file getattr; -+') -+ -+######################################## -+## -+## Read the passwd passwords file (/etc/passwd) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_read_passwd',` -+ gen_require(` -+ type passwd_file_t; -+ ') -+ -+ allow $1 passwd_file_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read the passwd -+## password file (/etc/passwd). -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`auth_dontaudit_read_passwd',` -+ gen_require(` -+ type passwd_file_t; -+ ') -+ -+ dontaudit $1 passwd_file_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete the passwd -+## password file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_manage_passwd',` -+ gen_require(` -+ type passwd_file_t; -+ ') -+ -+ files_rw_etc_dirs($1) -+ allow $1 passwd_file_t:file manage_file_perms; -+ files_etc_filetrans($1, passwd_file_t, file, "passwd") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd-") -+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") -+ files_etc_filetrans($1, passwd_file_t, file, "group") -+ files_etc_filetrans($1, passwd_file_t, file, "group-") -+ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") -+ files_etc_filetrans($1, passwd_file_t, file, "group.lock") -+') -+ -+######################################## -+## -+## Create auth directory in the /root directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_filetrans_admin_home_content',` -+ gen_require(` -+ type auth_home_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") -+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") -+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico") -+') -+ -+ -+######################################## -+## -+## Read the authorization data in the user home directory -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_read_home_content',` -+ -+ gen_require(` -+ type auth_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, auth_home_t, auth_home_t) -+') -+ -+ -+######################################## -+## -+## Create auth directory in the user home directory -+## with an correct label. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_filetrans_home_content',` -+ -+ gen_require(` -+ type auth_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") -+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") -+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico") -+') -+ -+######################################## -+## -+## Send a SIGCHLD signal to login programs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_login_pgm_sigchld',` -+ gen_require(` -+ attribute login_pgm; -+ ') -+ -+ allow $1 login_pgm:process sigchld; -+') -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..348e8cf 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) - # Declarations - # - -+## -+##

    -+## Allow users to login using a radius server -+##

    -+##
    -+gen_tunable(authlogin_radius, false) -+ -+## -+##

    -+## Allow users to login using a yubikey server -+##

    -+##
    -+gen_tunable(authlogin_yubikey, false) - - ## - ##

    -@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false) - attribute can_read_shadow_passwords; - attribute can_write_shadow_passwords; - attribute can_relabelto_shadow_passwords; -+attribute polydomain; - attribute nsswitch_domain; -+attribute login_pgm; - - type auth_cache_t; - logging_log_file(auth_cache_t) - -+type auth_home_t; -+userdom_user_home_content(auth_home_t) -+ - type chkpwd_t, can_read_shadow_passwords; - type chkpwd_exec_t; - typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; --typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; -+typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t }; - application_domain(chkpwd_t, chkpwd_exec_t) - role system_r types chkpwd_t; - - type faillog_t; - logging_log_file(faillog_t) -+mls_trusted_object(faillog_t) - - type lastlog_t; - logging_log_file(lastlog_t) -@@ -42,15 +61,15 @@ type pam_console_exec_t; - init_system_domain(pam_console_t, pam_console_exec_t) - role system_r types pam_console_t; - --type pam_t; --domain_type(pam_t) --role system_r types pam_t; -+type pam_timestamp_t alias pam_t; -+domain_type(pam_timestamp_t) -+role system_r types pam_timestamp_t; - --type pam_exec_t; --domain_entry_file(pam_t, pam_exec_t) -+type pam_timestamp_exec_t alias pam_exec_t; -+domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t) - --type pam_tmp_t; --files_tmp_file(pam_tmp_t) -+type pam_timestamp_tmp_t; -+files_tmp_file(pam_timestamp_tmp_t) - - type pam_var_console_t; - files_pid_file(pam_var_console_t) -@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; - neverallow ~can_write_shadow_passwords shadow_t:file { create write }; - neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; - -+type passwd_file_t; -+files_type(passwd_file_t) -+ - type updpwd_t; - type updpwd_exec_t; - domain_type(updpwd_t) -@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t) - files_read_etc_files(chkpwd_t) - # for nscd - 
files_dontaudit_search_var(chkpwd_t) -+files_read_usr_symlinks(chkpwd_t) -+files_list_tmp(chkpwd_t) - - fs_dontaudit_getattr_xattr_fs(chkpwd_t) - -@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t) - logging_send_audit_msgs(chkpwd_t) - logging_send_syslog_msg(chkpwd_t) - --miscfiles_read_localization(chkpwd_t) - - seutil_read_config(chkpwd_t) - seutil_dontaudit_use_newrole_fds(chkpwd_t) - --userdom_use_user_terminals(chkpwd_t) -+userdom_dontaudit_use_user_ttys(chkpwd_t) - - ifdef(`distro_ubuntu',` - optional_policy(` -@@ -153,53 +176,52 @@ optional_policy(` - # PAM local policy - # - --allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; --dontaudit pam_t self:capability sys_tty_config; -+allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+dontaudit pam_timestamp_t self:capability sys_tty_config; - --allow pam_t self:fd use; --allow pam_t self:fifo_file rw_file_perms; --allow pam_t self:unix_dgram_socket create_socket_perms; --allow pam_t self:unix_stream_socket rw_stream_socket_perms; --allow pam_t self:unix_dgram_socket sendto; --allow pam_t self:unix_stream_socket connectto; --allow pam_t self:shm create_shm_perms; --allow pam_t self:sem create_sem_perms; --allow pam_t self:msgq create_msgq_perms; --allow pam_t self:msg { send receive }; -+allow pam_timestamp_t self:fd use; -+allow pam_timestamp_t self:fifo_file rw_file_perms; -+allow pam_timestamp_t self:unix_dgram_socket create_socket_perms; -+allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms; -+allow pam_timestamp_t self:unix_dgram_socket sendto; -+allow pam_timestamp_t self:unix_stream_socket connectto; -+allow pam_timestamp_t self:shm create_shm_perms; -+allow pam_timestamp_t self:sem create_sem_perms; -+allow pam_timestamp_t self:msgq create_msgq_perms; -+allow pam_timestamp_t self:msg { send receive }; - --delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) 
--read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) --files_list_pids(pam_t) -+delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) -+read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) -+files_list_pids(pam_timestamp_t) - --allow pam_t pam_tmp_t:dir manage_dir_perms; --allow pam_t pam_tmp_t:file manage_file_perms; --files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) -+allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms; -+allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms; -+files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir }) - --auth_use_nsswitch(pam_t) -+auth_use_nsswitch(pam_timestamp_t) - --kernel_read_system_state(pam_t) -+kernel_read_system_state(pam_timestamp_t) - --files_read_etc_files(pam_t) -+files_read_etc_files(pam_timestamp_t) - --fs_search_auto_mountpoints(pam_t) -+fs_search_auto_mountpoints(pam_timestamp_t) - --miscfiles_read_localization(pam_t) - --term_use_all_ttys(pam_t) --term_use_all_ptys(pam_t) -+term_use_all_ttys(pam_timestamp_t) -+term_use_all_ptys(pam_timestamp_t) - --init_dontaudit_rw_utmp(pam_t) -+init_dontaudit_rw_utmp(pam_timestamp_t) - --logging_send_syslog_msg(pam_t) -+logging_send_syslog_msg(pam_timestamp_t) - - ifdef(`distro_ubuntu',` - optional_policy(` -- unconfined_domain(pam_t) -+ unconfined_domain(pam_timestamp_t) - ') - ') - - optional_policy(` -- locallogin_use_fds(pam_t) -+ locallogin_use_fds(pam_timestamp_t) - ') - - ######################################## -@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t) - - logging_send_syslog_msg(pam_console_t) - --miscfiles_read_localization(pam_console_t) - miscfiles_read_generic_certs(pam_console_t) - - seutil_read_file_contexts(pam_console_t) -@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t) - dev_read_urand(updpwd_t) - - files_manage_etc_files(updpwd_t) -+auth_manage_passwd(updpwd_t) - - term_dontaudit_use_console(updpwd_t) - term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +372,7 
@@ auth_use_nsswitch(updpwd_t) - - logging_send_syslog_msg(updpwd_t) - --miscfiles_read_localization(updpwd_t) -- --userdom_use_user_terminals(updpwd_t) -+userdom_use_inherited_user_terminals(updpwd_t) - - ifdef(`distro_ubuntu',` - optional_policy(` -@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t) - term_dontaudit_use_all_ptys(utempter_t) - term_dontaudit_use_ptmx(utempter_t) - -+auth_use_nsswitch(utempter_t) -+ - init_rw_utmp(utempter_t) - - domain_use_interactive_fds(utempter_t) - - logging_search_logs(utempter_t) - --userdom_use_user_terminals(utempter_t) -+userdom_use_inherited_user_terminals(utempter_t) - # Allow utemper to write to /tmp/.xses-* - userdom_write_user_tmp_files(utempter_t) - -@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',` - ') - - optional_policy(` -- nscd_use(utempter_t) -+ xserver_use_xdm_fds(utempter_t) -+ xserver_rw_xdm_pipes(utempter_t) -+') -+ -+tunable_policy(`polyinstantiation_enabled',` -+ files_polyinstantiate_all(polydomain) - ') - - optional_policy(` -- xserver_use_xdm_fds(utempter_t) -- xserver_rw_xdm_pipes(utempter_t) -+ tunable_policy(`polyinstantiation_enabled',` -+ namespace_init_domtrans(polydomain) -+ ') - ') - --####################################### -+###################################### - # - # nsswitch_domain local policy - # - -+allow nsswitch_domain self:key manage_key_perms; -+ -+auth_read_passwd(nsswitch_domain) -+ - files_list_var_lib(nsswitch_domain) - - # read /etc/nsswitch.conf -@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain) - - sysnet_dns_name_resolve(nsswitch_domain) - --tunable_policy(`authlogin_nsswitch_use_ldap',` -- files_list_var_lib(nsswitch_domain) -+systemd_hostnamed_read_config(nsswitch_domain) - -+tunable_policy(`authlogin_nsswitch_use_ldap',` - miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) - ') - - optional_policy(` - tunable_policy(`authlogin_nsswitch_use_ldap',` -+ dirsrv_stream_connect(nsswitch_domain) -+ ') -+') -+ -+optional_policy(` 
-+ tunable_policy(`authlogin_nsswitch_use_ldap',` - ldap_stream_connect(nsswitch_domain) - ') - ') -@@ -438,6 +476,7 @@ optional_policy(` - likewise_stream_connect_lsassd(nsswitch_domain) - ') - -+# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. - optional_policy(` - kerberos_use(nsswitch_domain) - ') -@@ -456,6 +495,8 @@ optional_policy(` - - optional_policy(` - sssd_stream_connect(nsswitch_domain) -+ sssd_read_public_files(nsswitch_domain) -+ sssd_read_lib_files(nsswitch_domain) - ') - - optional_policy(` -@@ -463,3 +504,133 @@ optional_policy(` - samba_read_var_files(nsswitch_domain) - samba_dontaudit_write_var_files(nsswitch_domain) - ') -+ -+####################################### -+# -+# Login Program local policy -+# -+ -+domain_read_all_domains_state(login_pgm) -+corecmd_getattr_all_executables(login_pgm) -+domain_kill_all_domains(login_pgm) -+ -+allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms; -+allow login_pgm self:capability ipc_lock; -+allow login_pgm self:process setkeycreate; -+allow login_pgm self:key manage_key_perms; -+userdom_manage_all_users_keys(login_pgm) -+ -+files_list_var_lib(login_pgm) -+manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t) -+manage_files_pattern(login_pgm, var_auth_t, var_auth_t) -+manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t) -+ -+manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t) -+manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) -+manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) -+files_var_filetrans(login_pgm, auth_cache_t, dir) -+ -+manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) -+manage_files_pattern(login_pgm, auth_home_t, auth_home_t) -+auth_filetrans_admin_home_content(login_pgm) -+auth_filetrans_home_content(login_pgm) -+ -+# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 -+kernel_search_network_sysctl(login_pgm) -+kernel_rw_afs_state(login_pgm) -+ 
-+tunable_policy(`authlogin_radius',` -+ corenet_udp_bind_all_unreserved_ports(login_pgm) -+') -+ -+tunable_policy(`authlogin_yubikey',` -+ corenet_tcp_connect_http_port(login_pgm) -+') -+ -+corenet_tcp_connect_pki_ca_port(login_pgm) -+ -+# for fingerprint readers -+dev_rw_input_dev(login_pgm) -+dev_rw_generic_usb_dev(login_pgm) -+ -+files_read_config_files(login_pgm) -+ -+fs_list_auto_mountpoints(login_pgm) -+fs_manage_cgroup_dirs(login_pgm) -+fs_manage_cgroup_files(login_pgm) -+fs_read_ecryptfs_symlinks(login_pgm) -+fs_read_ecryptfs_files(login_pgm) -+ -+selinux_validate_context(login_pgm) -+selinux_compute_access_vector(login_pgm) -+selinux_compute_create_context(login_pgm) -+selinux_compute_relabel_context(login_pgm) -+selinux_compute_user_contexts(login_pgm) -+ -+auth_manage_faillog(login_pgm) -+auth_manage_pam_pid(login_pgm) -+ -+init_rw_utmp(login_pgm) -+ -+logging_set_loginuid(login_pgm) -+logging_set_tty_audit(login_pgm) -+ -+miscfiles_dontaudit_write_generic_cert_files(login_pgm) -+ -+seutil_read_config(login_pgm) -+seutil_read_login_config(login_pgm) -+seutil_read_default_contexts(login_pgm) -+systemd_login_read_pid_files(login_pgm) -+ -+userdom_set_rlimitnh(login_pgm) -+userdom_read_user_home_content_symlinks(login_pgm) -+userdom_delete_user_tmp_files(login_pgm) -+userdom_search_admin_dir(login_pgm) -+userdom_stream_connect(login_pgm) -+userdom_manage_user_tmp_dirs(login_pgm) -+userdom_manage_user_tmp_files(login_pgm) -+ -+optional_policy(` -+ afs_read_config(login_pgm) -+ afs_rw_udp_sockets(login_pgm) -+') -+ -+optional_policy(` -+ kerberos_read_config(login_pgm) -+') -+ -+optional_policy(` -+ oddjob_dbus_chat(login_pgm) -+ oddjob_domtrans_mkhomedir(login_pgm) -+') -+ -+optional_policy(` -+ openct_stream_connect(login_pgm) -+ openct_signull(login_pgm) -+ openct_read_pid_files(login_pgm) -+') -+ -+optional_policy(` -+ corecmd_exec_bin(login_pgm) -+ storage_getattr_fixed_disk_dev(login_pgm) -+ mount_domtrans(login_pgm) -+ 
mount_domtrans_ecryptmount(login_pgm) -+') -+ -+optional_policy(` -+ fprintd_dbus_chat(login_pgm) -+') -+ -+optional_policy(` -+ realmd_dbus_chat(login_pgm) -+') -+ -+optional_policy(` -+ # allow execute tmux -+ screen_exec(login_pgm) -+') -+ -+optional_policy(` -+ ssh_agent_exec(login_pgm) -+ ssh_read_user_home_files(login_pgm) -+') -diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc -index c5e05ca..c9ddbee 100644 ---- a/policy/modules/system/clock.fc -+++ b/policy/modules/system/clock.fc -@@ -3,3 +3,5 @@ - - /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) - -+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) -+ -diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if -index d475c2d..55305d5 100644 ---- a/policy/modules/system/clock.if -+++ b/policy/modules/system/clock.if -@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',` - allow $1 adjtime_t:file rw_file_perms; - files_list_etc($1) - ') -+ -+######################################## -+##

    -+## Manage clock drift adjustments. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clock_manage_adjtime',` -+ gen_require(` -+ type adjtime_t; -+ ') -+ -+ allow $1 adjtime_t:file manage_file_perms; -+ files_list_etc($1) -+') -+ -+######################################## -+## -+## Transition to systemd clock content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clock_filetrans_named_content',` -+ gen_require(` -+ type adjtime_t; -+ ') -+ -+ files_etc_filetrans($1, adjtime_t, file, "adjtime" ) -+') -diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index 3694bfe..7fcd27a 100644 ---- a/policy/modules/system/clock.te -+++ b/policy/modules/system/clock.te -@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t) - - term_dontaudit_use_console(hwclock_t) - term_use_unallocated_ttys(hwclock_t) --term_use_all_ttys(hwclock_t) --term_use_all_ptys(hwclock_t) -+term_use_all_inherited_ttys(hwclock_t) -+term_use_all_inherited_ptys(hwclock_t) - - domain_use_interactive_fds(hwclock_t) - -+auth_use_nsswitch(hwclock_t) -+ - init_use_fds(hwclock_t) - init_use_script_ptys(hwclock_t) - - logging_send_audit_msgs(hwclock_t) - logging_send_syslog_msg(hwclock_t) - --miscfiles_read_localization(hwclock_t) - - optional_policy(` - apm_append_log(hwclock_t) -@@ -65,10 +66,6 @@ optional_policy(` - ') - - optional_policy(` -- nscd_use(hwclock_t) --') -- --optional_policy(` - seutil_sigchld_newrole(hwclock_t) - ') - -diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index a97a096..bf726c3 100644 ---- a/policy/modules/system/fstools.fc -+++ b/policy/modules/system/fstools.fc -@@ -1,4 +1,3 @@ --/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -23,7 +22,6 @@ - /sbin/mkfs.* -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) --/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -35,13 +33,53 @@ - /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - - /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -+/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+ -+/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/fsck.* -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - - /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) -+ -+/var/run/blkid(/.*)? 
gen_context(system_u:object_r:fsadm_var_run_t,s0) -diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if -index 016a770..1effeb4 100644 ---- a/policy/modules/system/fstools.if -+++ b/policy/modules/system/fstools.if -@@ -154,3 +154,24 @@ interface(`fstools_getattr_swap_files',` - - allow $1 swapfile_t:file getattr; - ') -+ -+######################################## -+## -+## Create, read, write, and delete the FSADM pid files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fsadm_manage_pid',` -+ gen_require(` -+ type fsadm_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t) -+ manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t) -+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") -+') -diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 6c4b6ee..f512b72 100644 ---- a/policy/modules/system/fstools.te -+++ b/policy/modules/system/fstools.te -@@ -13,6 +13,9 @@ role system_r types fsadm_t; - type fsadm_log_t; - logging_log_file(fsadm_log_t) - -+type fsadm_var_run_t; -+files_pid_file(fsadm_var_run_t) -+ - type fsadm_tmp_t; - files_tmp_file(fsadm_tmp_t) - -@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive }; - - can_exec(fsadm_t, fsadm_exec_t) - -+manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) -+manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) -+files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file }) -+ - allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; - allow fsadm_t fsadm_tmp_t:file manage_file_perms; - files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) -+files_create_boot_flag(fsadm_t) -+files_setattr_root_dirs(fsadm_t) - - # log files - allow fsadm_t fsadm_log_t:dir setattr; -@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) - # Enable swapping to files - allow fsadm_t swapfile_t:file { rw_file_perms swapon }; - -+kernel_get_sysvipc_info(fsadm_t) - 
kernel_read_system_state(fsadm_t) - kernel_read_kernel_sysctls(fsadm_t) - kernel_request_load_module(fsadm_t) -@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t) - files_read_etc_files(fsadm_t) - files_manage_lost_found(fsadm_t) - files_manage_isid_type_dirs(fsadm_t) -+# /etc/mtab is a link -+files_read_etc_runtime_files(fsadm_t) - # Write to /etc/mtab. - files_manage_etc_runtime_files(fsadm_t) - files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t) - fs_search_tmpfs(fsadm_t) - fs_getattr_tmpfs_dirs(fsadm_t) - fs_read_tmpfs_symlinks(fsadm_t) -+fs_manage_nfs_files(fsadm_t) -+fs_manage_cifs_files(fsadm_t) -+fs_rw_hugetlbfs_files(fsadm_t) - # Recreate /mnt/cdrom. - files_manage_mnt_dirs(fsadm_t) - # for tune2fs -@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t) - storage_raw_read_removable_device(fsadm_t) - storage_raw_write_removable_device(fsadm_t) - storage_read_scsi_generic(fsadm_t) -+storage_rw_fuse(fsadm_t) - storage_swapon_fixed_disk(fsadm_t) - - term_use_console(fsadm_t) - -+auth_read_passwd(fsadm_t) -+ -+init_read_state(fsadm_t) - init_use_fds(fsadm_t) - init_use_script_ptys(fsadm_t) - init_dontaudit_getattr_initctl(fsadm_t) -+init_stream_connect(fsadm_t) - - logging_send_syslog_msg(fsadm_t) -+logging_send_audit_msgs(fsadm_t) -+logging_stream_connect_syslog(fsadm_t) - --miscfiles_read_localization(fsadm_t) - - seutil_read_config(fsadm_t) - --userdom_use_user_terminals(fsadm_t) -+term_use_all_inherited_terms(fsadm_t) - - ifdef(`distro_redhat',` - optional_policy(` -@@ -166,6 +187,11 @@ optional_policy(` - ') - - optional_policy(` -+ devicekit_dontaudit_read_pid_files(fsadm_t) -+ devicekit_dontaudit_rw_log(fsadm_t) -+') -+ -+optional_policy(` - hal_dontaudit_write_log(fsadm_t) - ') - -@@ -179,6 +205,10 @@ optional_policy(` - ') - - optional_policy(` -+ mount_read_pid_files(fsadm_t) -+') -+ -+optional_policy(` - nis_use_ypbind(fsadm_t) - ') - -@@ -192,6 +222,10 @@ optional_policy(` - ') - - 
optional_policy(` -+ virt_read_blk_images(fsadm_t) -+') -+ -+optional_policy(` - xen_append_log(fsadm_t) - xen_rw_image_files(fsadm_t) - ') -diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc -index e1a1848..4927638 100644 ---- a/policy/modules/system/getty.fc -+++ b/policy/modules/system/getty.fc -@@ -3,8 +3,12 @@ - - /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) - --/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) --/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) -+/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0) -+ -+/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) -+ -+/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) -+/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) - - /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) - -diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if -index e4376aa..2c98c56 100644 ---- a/policy/modules/system/getty.if -+++ b/policy/modules/system/getty.if -@@ -96,3 +96,45 @@ interface(`getty_rw_config',` - files_search_etc($1) - allow $1 getty_etc_t:file rw_file_perms; - ') -+ -+######################################## -+## -+## Execute getty server in the getty domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`getty_systemctl',` -+ gen_require(` -+ type getty_unit_file_t; -+ type getty_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 getty_unit_file_t:file read_file_perms; -+ allow $1 getty_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, getty_t) -+') -+ -+######################################## -+## -+## Start getty unit files domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`getty_start_services',` -+ gen_require(` -+ type getty_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 getty_unit_file_t:service start; -+') -diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fc38c9c..4740426 100644 ---- a/policy/modules/system/getty.te -+++ b/policy/modules/system/getty.te -@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t) - type getty_var_run_t; - files_pid_file(getty_var_run_t) - -+type getty_unit_file_t; -+systemd_unit_file(getty_unit_file_t) -+ -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh) -+') -+ -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh) -+') -+ - ######################################## - # - # Getty local policy -@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t) - term_setattr_all_ttys(getty_t) - term_setattr_unallocated_ttys(getty_t) - term_setattr_console(getty_t) -+term_setattr_usb_ttys(getty_t) -+term_use_console(getty_t) - - auth_rw_login_records(getty_t) -+auth_use_nsswitch(getty_t) - - init_rw_utmp(getty_t) - init_use_script_ptys(getty_t) -@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t) - - logging_send_syslog_msg(getty_t) - --miscfiles_read_localization(getty_t) - - ifdef(`distro_gentoo',` - # Gentoo default /etc/issue makes agetty -@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',` - ') - ') - --tunable_policy(`console_login',` -+tunable_policy(`login_console_enabled',` - # Support logging in from /dev/console - term_use_console(getty_t) - ',` -@@ -121,11 +134,15 @@ tunable_policy(`console_login',` - ') - - optional_policy(` -- mta_send_mail(getty_t) -+ hostname_exec(getty_t) - ') - - optional_policy(` -- nscd_use(getty_t) -+ lockdev_manage_files(getty_t) -+') -+ -+optional_policy(` -+ mta_send_mail(getty_t) - ') - - optional_policy(` -diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc -index 9dfecf7..6d00f5c 100644 ---- 
a/policy/modules/system/hostname.fc -+++ b/policy/modules/system/hostname.fc -@@ -1,2 +1,4 @@ - - /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -+ -+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index f6cbda9..51e9aef 100644 ---- a/policy/modules/system/hostname.te -+++ b/policy/modules/system/hostname.te -@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config; - - kernel_list_proc(hostname_t) - kernel_read_proc_symlinks(hostname_t) -+kernel_read_network_state(hostname_t) - - dev_read_sysfs(hostname_t) - # Early devtmpfs, before udev relabel - dev_dontaudit_rw_generic_chr_files(hostname_t) - -+domain_dontaudit_leaks(hostname_t) - domain_use_interactive_fds(hostname_t) - - files_read_etc_files(hostname_t) -+files_dontaudit_leaks(hostname_t) - files_dontaudit_search_var(hostname_t) - # for when /usr is not mounted: - files_dontaudit_search_isid_type_dirs(hostname_t) - - fs_getattr_xattr_fs(hostname_t) - fs_search_auto_mountpoints(hostname_t) -+fs_dontaudit_leaks(hostname_t) - fs_dontaudit_use_tmpfs_chr_dev(hostname_t) - - term_dontaudit_use_console(hostname_t) --term_use_all_ttys(hostname_t) --term_use_all_ptys(hostname_t) -+term_use_all_inherited_terms(hostname_t) - - init_use_fds(hostname_t) - init_use_script_fds(hostname_t) - init_use_script_ptys(hostname_t) -+init_rw_inherited_script_tmp_files(hostname_t) - - logging_send_syslog_msg(hostname_t) - --miscfiles_read_localization(hostname_t) - - sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) - sysnet_read_config(hostname_t) - sysnet_dns_name_resolve(hostname_t) - - optional_policy(` -+ mock_dontaudit_write_lib_chr_files(hostname_t) -+') -+ -+optional_policy(` - nis_use_ypbind(hostname_t) - ') - -diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc -index caf736b..91c4c6f 100644 ---- a/policy/modules/system/hotplug.fc -+++ 
b/policy/modules/system/hotplug.fc -@@ -7,5 +7,8 @@ - /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) - /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) - -+/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) -+/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) -+ - /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) - /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) -diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if -index 40eb10c..2a0a32c 100644 ---- a/policy/modules/system/hotplug.if -+++ b/policy/modules/system/hotplug.if -@@ -34,7 +34,7 @@ interface(`hotplug_domtrans',` - # - interface(`hotplug_exec',` - gen_require(` -- type hotplug_t; -+ type hotplug_exec_t; - ') - - corecmd_search_bin($1) -diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index bb5c4a6..7ebb938 100644 ---- a/policy/modules/system/hotplug.te -+++ b/policy/modules/system/hotplug.te -@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) - # - - allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; --dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; -+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; - # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit hotplug_t self:capability { dac_override dac_read_search }; - allow hotplug_t self:process { setpgid getsession getattr signal_perms }; -@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) - - files_read_kernel_modules(hotplug_t) - --corenet_all_recvfrom_unlabeled(hotplug_t) - corenet_all_recvfrom_netlabel(hotplug_t) - corenet_tcp_sendrecv_generic_if(hotplug_t) - corenet_udp_sendrecv_generic_if(hotplug_t) -@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t) - # kernel threads inherit from shared descriptor table used by init - init_dontaudit_rw_initctl(hotplug_t) - 
-+auth_use_nsswitch(hotplug_t) -+ - logging_send_syslog_msg(hotplug_t) - logging_search_logs(hotplug_t) - -@@ -103,9 +104,6 @@ logging_search_logs(hotplug_t) - libs_read_lib_files(hotplug_t) - - miscfiles_read_hwdata(hotplug_t) --miscfiles_read_localization(hotplug_t) -- --seutil_dontaudit_search_config(hotplug_t) - - sysnet_read_config(hotplug_t) - -@@ -164,14 +162,6 @@ optional_policy(` - ') - - optional_policy(` -- nis_use_ypbind(hotplug_t) --') -- --optional_policy(` -- nscd_use(hotplug_t) --') -- --optional_policy(` - seutil_sigchld_newrole(hotplug_t) - ') - -diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 9a4d3a7..9d960bb 100644 ---- a/policy/modules/system/init.fc -+++ b/policy/modules/system/init.fc -@@ -1,6 +1,9 @@ - # - # /etc - # -+/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0) -+ - /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) - /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) - -@@ -29,6 +32,11 @@ ifdef(`distro_gentoo', ` - # - # /sbin - # -+/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) -+ -+# -+# /sbin -+# - /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) - # because nowadays, /sbin/init is often a symlink to /sbin/upstart - /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', ` - # - /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) - -+/usr/sbin/init(ng)? 
-- gen_context(system_u:object_r:init_exec_t,s0) -+# because nowadays, /sbin/init is often a symlink to /sbin/upstart -+/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -+ -+/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) -+/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) -+ - /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) -+ -+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) - - # - # /var - # -+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) - /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) -+/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0) - - ifdef(`distro_debian',` - /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) -@@ -73,3 +95,4 @@ ifdef(`distro_suse', ` - /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) - ') -+/var/run/systemd(/.*)? 
gen_context(system_u:object_r:init_var_run_t,s0) -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..76da5dd 100644 ---- a/policy/modules/system/init.if -+++ b/policy/modules/system/init.if -@@ -1,5 +1,21 @@ - ## System initialization programs (init and init scripts). - -+###################################### -+## -+## initrc stub interface. No access allowed. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`init_stub_initrc',` -+ gen_require(` -+ type initrc_t; -+ ') -+') -+ - ######################################## - ## - ## Create a file type used for init scripts. -@@ -106,6 +122,8 @@ interface(`init_domain',` - role system_r types $1; - - domtrans_pattern(init_t, $2, $1) -+ allow init_t $1:unix_stream_socket create_stream_socket_perms; -+ allow $1 init_t:unix_dgram_socket sendto; - - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray -@@ -192,50 +210,43 @@ interface(`init_ranged_domain',` - interface(`init_daemon_domain',` - gen_require(` - attribute direct_run_init, direct_init, direct_init_entry; -- type initrc_t; -+ type init_t; - role system_r; - attribute daemon; -+ attribute initrc_transition_domain; -+ attribute initrc_domain; - ') - - typeattribute $1 daemon; -+ typeattribute $2 direct_init_entry; - - domain_type($1) - domain_entry_file($1, $2) - -- role system_r types $1; -- -- domtrans_pattern(initrc_t, $2, $1) -- -- # daemons started from init will -- # inherit fds from init for the console -- init_dontaudit_use_fds($1) -- term_dontaudit_use_console($1) -- -- # init script ptys are the stdin/out/err -- # when using run_init -- init_use_script_ptys($1) -+ type_transition initrc_domain $2:process $1; - - ifdef(`direct_sysadm_daemon',` -- domtrans_pattern(direct_run_init, $2, $1) -- allow direct_run_init $1:process { noatsecure siginh rlimitinh }; -- -+ type_transition direct_run_init $2:process $1; - typeattribute $1 direct_init; -- typeattribute $2 direct_init_entry; -- 
-- userdom_dontaudit_use_user_terminals($1) - ') -+') - -- ifdef(`hide_broken_symptoms',` -- # RHEL4 systems seem to have a stray -- # fds open from the initrd -- ifdef(`distro_rhel4',` -- kernel_dontaudit_use_fds($1) -- ') -- ') -+####################################### -+## -+## Create initrc domain. -+## -+## -+## -+## Type to be used as a initrc daemon domain. -+## -+## -+# -+interface(`init_initrc_domain',` -+ gen_require(` -+ attribute initrc_domain; -+ ') - -- optional_policy(` -- nscd_use($1) -- ') -+ typeattribute $1 initrc_domain; - ') - - ######################################## -@@ -283,17 +294,20 @@ interface(`init_daemon_domain',` - interface(`init_ranged_daemon_domain',` - gen_require(` - type initrc_t; -+ type init_t; - ') - -- init_daemon_domain($1, $2) -+# init_daemon_domain($1, $2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; -+ range_transition init_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) -+ range_transition init_t $2:process $3; - ') - ') - -@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',` - # - interface(`init_system_domain',` - gen_require(` -- type initrc_t; -+ type init_t; - role system_r; -+ attribute initrc_transition_domain; -+ attribute systemprocess, systemprocess_entry; -+ attribute initrc_domain; - ') - -+ typeattribute $1 systemprocess; - application_domain($1, $2) -- - role system_r types $1; -+ typeattribute $2 systemprocess_entry; - -- domtrans_pattern(initrc_t, $2, $1) -- -- ifdef(`hide_broken_symptoms',` -- # RHEL4 systems seem to have a stray -- # fds open from the initrd -- ifdef(`distro_rhel4',` -- kernel_dontaudit_use_fds($1) -- ') -- ') -+ type_transition initrc_domain $2:process $1; - ') - - ######################################## -@@ -401,20 +411,41 @@ interface(`init_system_domain',` - interface(`init_ranged_system_domain',` - gen_require(` - type initrc_t; -+ type init_t; - ') - - init_system_domain($1, 
$2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; -+ range_transition init_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; -+ range_transition init_t $2:process $3; - mls_rangetrans_target($1) - ') - ') - -+###################################### -+## -+## Allow domain dyntransition to init_t domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`init_dyntrans',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ dyntrans_pattern($1, init_t) -+') -+ - ######################################## - ## - ## Mark the file type as a daemon run dir, allowing initrc_t -@@ -469,7 +500,6 @@ interface(`init_domtrans',` - ## Domain allowed access. - ## - ## --## - # - interface(`init_exec',` - gen_require(` -@@ -478,6 +508,48 @@ interface(`init_exec',` - - corecmd_search_bin($1) - can_exec($1, init_exec_t) -+ -+ optional_policy(` -+ systemd_exec_systemctl($1) -+ ') -+') -+ -+####################################### -+## -+## Check access to the init/systemd executable. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_access_check',` -+ gen_require(` -+ type init_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ allow $1 init_exec_t:file { getattr_file_perms execute }; -+') -+ -+####################################### -+## -+## Dontaudit getattr on the init program. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`init_dontaudit_getattr_exec',` -+ gen_require(` -+ type init_exec_t; -+ ') -+ -+ dontaudit $1 init_exec_t:file getattr; - ') - - ######################################## -@@ -566,6 +638,58 @@ interface(`init_sigchld',` - - ######################################## - ## -+## Send generic signals to init. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`init_signal',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:process signal; -+') -+ -+######################################## -+## -+## Create objects in the init_var_lib_t directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`init_var_lib_filetrans',` -+ gen_require(` -+ type init_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4) -+') -+ -+######################################## -+## - ## Connect to init with a unix socket. - ## - ## -@@ -576,10 +700,66 @@ interface(`init_sigchld',` - # - interface(`init_stream_connect',` - gen_require(` -- type init_t; -+ type init_t, init_var_run_t; - ') - -- allow $1 init_t:unix_stream_socket connectto; -+ files_search_pids($1) -+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) -+ allow $1 init_t:unix_stream_socket getattr; -+') -+ -+####################################### -+## -+## Dontaudit Connect to init with a unix socket. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`init_dontaudit_stream_connect',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ dontaudit $1 init_t:unix_stream_socket connectto; -+') -+ -+###################################### -+## -+## Dontaudit getattr to init with a unix socket. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`init_dontaudit_getattr_stream_socket',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ dontaudit $1 init_t:unix_stream_socket getattr; -+') -+ -+###################################### -+## -+## Dontaudit read and write to init with a unix socket. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`init_dontaudit_rw_stream_socket',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ dontaudit $1 init_t:unix_stream_socket { getattr read write }; - ') - - ######################################## -@@ -743,22 +923,23 @@ interface(`init_write_initctl',` - interface(`init_telinit',` - gen_require(` - type initctl_t; -+ type init_t; - ') - -+ corecmd_exec_bin($1) -+ - dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file rw_fifo_file_perms; - - init_exec($1) - -- tunable_policy(`init_upstart',` -- gen_require(` -- type init_t; -- ') -- -- # upstart uses a datagram socket instead of initctl pipe -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 init_t:unix_dgram_socket sendto; -- ') -+ ps_process_pattern($1, init_t) -+ allow $1 init_t:process signal; -+ # upstart uses a datagram socket instead of initctl pipe -+ allow $1 self:unix_dgram_socket create_socket_perms; -+ allow $1 init_t:unix_dgram_socket sendto; -+ #576913 -+ allow $1 init_t:unix_stream_socket connectto; - ') - - ######################################## -@@ -787,7 +968,7 @@ interface(`init_rw_initctl',` - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # -@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',` - # - interface(`init_spec_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; - ') - - files_list_etc($1) -- spec_domtrans_pattern($1, initrc_exec_t, initrc_t) -+ spec_domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`distro_gentoo',` - gen_require(` -@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',` - ') - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - -@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',` - # - interface(`init_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; -+ attribute initrc_transition_domain; - ') -+ typeattribute $1 initrc_transition_domain; - - files_list_etc($1) -- domtrans_pattern($1, initrc_exec_t, initrc_t) -+ domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## -+## Execute a file in a bin directory -+## in the initrc_t domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`init_bin_domtrans_spec',` -+ gen_require(` -+ type initrc_t; - ') -+ -+ corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',` - interface(`init_labeled_script_domtrans',` - gen_require(` - type initrc_t; -+ attribute initrc_transition_domain; - ') - -+ typeattribute $1 initrc_transition_domain; -+ # service script searches all filesystems via mountpoint -+ fs_search_all($1) - domtrans_pattern($1, $2, initrc_t) -+ allow $1 $2:file ioctl; - files_search_etc($1) - ') - -@@ -1012,6 +1221,42 @@ interface(`init_read_state',` - - ######################################## - ## -+## Read the process keyring of init. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_read_key',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:key read; -+') -+ -+######################################## -+## -+## Write the process keyring of init. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_write_key',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:key read; -+') -+ -+######################################## -+## - ## Ptrace init - ## - ## -@@ -1026,7 +1271,9 @@ interface(`init_ptrace',` - type init_t; - ') - -- allow $1 init_t:process ptrace; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 init_t:process ptrace; -+ ') - ') - - ######################################## -@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',` - - ######################################## - ## -+## Allow the specified domain to modify the systemd configuration of -+## all init scripts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_config_all_script_files',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ allow $1 init_script_file_type:service all_service_perms; -+') -+ -+######################################## -+## - ## Read all init script files. 
- ## - ## -@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',` - - ####################################### - ## -+## Dontaudit getattr all init script files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`init_dontaudit_getattr_all_script_files',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ dontaudit $1 init_script_file_type:file getattr; -+') -+ -+####################################### -+## - ## Dontaudit read all init script files. - ## - ## -@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',` - ') - - kernel_search_proc($1) -- read_files_pattern($1, initrc_t, initrc_t) -- read_lnk_files_pattern($1, initrc_t, initrc_t) -- list_dirs_pattern($1, initrc_t, initrc_t) -- -- # should move this to separate interface -- allow $1 initrc_t:process getattr; -+ ps_process_pattern($1, initrc_t) - ') - - ######################################## -@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` - ######################################## - ## - ## Send and receive messages from --## init scripts over dbus. -+## init over dbus. - ## - ## - ## -@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` - ## - ## - # --interface(`init_dbus_chat_script',` -+interface(`init_dbus_chat',` - gen_require(` -- type initrc_t; -+ type init_t; - class dbus send_msg; - ') - -- allow $1 initrc_t:dbus send_msg; -- allow initrc_t $1:dbus send_msg; -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; - ') - - ######################################## - ## --## Read and write the init script pty. -+## Send and receive messages from -+## init scripts over dbus. - ## --## --##

    --## Read and write the init script pty. This -+## -+##

    -+## Domain allowed access. -+## -+## -+# -+interface(`init_dbus_chat_script',` -+ gen_require(` -+ type initrc_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 initrc_t:dbus send_msg; -+ allow initrc_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Read and write the init script pty. -+## -+## -+##

    -+## Read and write the init script pty. This - ## pty is generally opened by the open_init_pty - ## portion of the run_init program so that the - ## daemon does not require direct access to -@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',` - - ######################################## - ##

    -+## Manage init script -+## status files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_manage_script_status_files',` -+ gen_require(` -+ type initrc_state_t; -+ ') -+ -+ manage_files_pattern($1, initrc_state_t, initrc_state_t) -+') -+ -+######################################## -+## - ## Do not audit attempts to read init script - ## status files. - ## -@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',` - - ######################################## - ## -+## Read and write init script inherited temporary data. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_rw_inherited_script_tmp_files',` -+ gen_require(` -+ type initrc_tmp_t; -+ ') -+ -+ allow $1 initrc_tmp_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create files in a init script - ## temporary data directory. - ## -@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',` - - ######################################## - ## -+## Read utmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_read_machineid',` -+ gen_require(` -+ type machineid_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 machineid_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read utmp. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`init_dontaudit_read_utmp',` -+ gen_require(` -+ type initrc_var_run_t; -+ ') -+ -+ dontaudit $1 initrc_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to write utmp. 
- ## - ## -@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',` - type initrc_var_run_t; - ') - -- dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; -+ dontaudit $1 initrc_var_run_t:file rw_file_perms; - ') - - ######################################## -@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',` - files_pid_filetrans($1, initrc_var_run_t, file, "utmp") - ') - -+###################################### -+## -+## Allow search directory in the /run/systemd directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_search_pid_dirs',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ allow $1 init_var_run_t:dir search_dir_perms; -+') -+ -+###################################### -+## -+## Allow listing of the /run/systemd directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_list_pid_dirs',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ allow $1 init_var_run_t:dir list_dir_perms; -+') -+ -+####################################### -+## -+## Create a directory in the /run/systemd directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_create_pid_dirs',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ allow $1 init_var_run_t:dir list_dir_perms; -+ create_dirs_pattern($1, init_var_run_t, init_var_run_t) -+') -+ -+####################################### -+## -+## Create objects in /run/systemd directory -+## with an automatic type transition to -+## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to create. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. 
-+## -+## -+# -+interface(`init_pid_filetrans',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ filetrans_pattern($1, init_var_run_t, $2, $3, $4) -+') -+ -+####################################### -+## -+## Create objects in /run/systemd directory -+## with an automatic type transition to -+## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to create. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`init_named_pid_filetrans',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ filetrans_pattern($1, init_var_run_t, $2, $3, $4) -+') -+ - ######################################## - ## - ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',` - ') - corenet_udp_recvfrom_labeled($1, daemon) - ') -+ -+######################################## -+## -+## Transition to system_r when execute an init script -+## -+## -+##

    -+## Execute a init script in a specified role -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
    -+## -+## -+## Role to transition from. -+## -+## -+# -+interface(`init_script_role_transition',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ role_transition $1 init_script_file_type system_r; -+') -+ -+######################################## -+## -+## dontaudit read and write an leaked init scrip file descriptors -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`init_dontaudit_script_leaks',` -+ gen_require(` -+ type initrc_t; -+ ') -+ -+ dontaudit $1 initrc_t:socket_class_set { read write }; -+ dontaudit $1 initrc_t:shm rw_shm_perms; -+ init_dontaudit_use_script_ptys($1) -+ init_dontaudit_use_script_fds($1) -+') -+ -+####################################### -+## -+## Allow the specified domain to ioctl an -+## init with a unix domain stream sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_ioctl_stream_sockets',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:unix_stream_socket ioctl; -+') -+ -+######################################## -+## -+## Allow the specified domain to read/write to -+## init with a unix domain stream sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_rw_stream_sockets',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms; -+') -+ -+####################################### -+## -+## Allow the specified domain to write to -+## init sock file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_write_pid_socket',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ allow $1 init_var_run_t:sock_file write; -+') -+ -+######################################## -+## -+## Send a message to init over a unix domain -+## datagram socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`init_dgram_send',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:unix_dgram_socket sendto; -+') -+ -+######################################## -+## -+## Send a message to init over a unix domain -+## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_stream_send',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:unix_stream_socket sendto; -+') -+ -+######################################## -+## -+## Create a file type used for init socket files. -+## -+## -+##

    -+## This defines a type that init can create sock_file within for -+## impersonation purposes -+##

    -+##
    -+## -+## -+## Type to be used for a sock file. -+## -+## -+## -+# -+interface(`init_sock_file',` -+ gen_require(` -+ attribute init_sock_file_type; -+ ') -+ -+ typeattribute $1 init_sock_file_type; -+ -+') -+ -+######################################## -+## -+## Read init unnamed pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_read_pipes',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) -+') -+ -+######################################## -+## -+## Read/Write init unnamed pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_rw_pipes',` -+ gen_require(` -+ type init_var_run_t; -+ ') -+ -+ rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t) -+') -+ -+######################################## -+## -+## Get the system status information from init -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_status',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system status; -+ allow $1 init_t:service status; -+') -+ -+######################################## -+## -+## Tell init to reboot the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_reboot',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system reboot; -+ systemd_config_power_services($1) -+') -+ -+######################################## -+## -+## Tell init to enable the services. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_enable_services',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system enable; -+') -+ -+######################################## -+## -+## Tell init to disable the services. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`init_disable_services',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system disable; -+') -+ -+######################################## -+## -+## Tell init to reload the services. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_reload_services',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system reload; -+') -+ -+######################################## -+## -+## Tell init to halt the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_halt',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system halt; -+ systemd_config_power_services($1) -+') -+ -+######################################## -+## -+## Tell init to do an unknown access. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_undefined',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:system undefined; -+') -+ -+######################################## -+## -+## Transition to init named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_filetrans_named_content',` -+ gen_require(` -+ type init_var_run_t; -+ type initrc_var_run_t; -+ type machineid_t; -+ ') -+ -+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp") -+ files_pid_filetrans($1, init_var_run_t, file, "random-seed") -+ files_etc_filetrans($1, machineid_t, file, "machine-id" ) -+') -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..0996734 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -11,10 +11,31 @@ gen_require(` - - ## - ##

    --## Enable support for upstart as the init program. -+## Allow all daemons to use tcp wrappers. - ##

    - ##
    --gen_tunable(init_upstart, false) -+gen_tunable(daemons_use_tcp_wrapper, false) -+ -+## -+##

    -+## Allow all daemons the ability to read/write terminals -+##

    -+##
    -+gen_tunable(daemons_use_tty, false) -+ -+## -+##

    -+## Allow all daemons to write corefiles to / -+##

    -+##
    -+gen_tunable(daemons_dump_core, false) -+ -+## -+##

    -+## Enable cluster mode for daemons. -+##

    -+##
    -+gen_tunable(daemons_enable_cluster_mode, false) - - # used for direct running of init scripts - # by admin domains -@@ -25,9 +46,17 @@ attribute direct_init_entry; - attribute init_script_domain_type; - attribute init_script_file_type; - attribute init_run_all_scripts_domain; -+attribute initrc_transition_domain; -+# Attribute used for systemd so domains can allow systemd to create sock_files -+attribute init_sock_file_type; - - # Mark process types as daemons - attribute daemon; -+attribute systemprocess; -+attribute systemprocess_entry; -+ -+# Mark process types as initrc domain -+attribute initrc_domain; - - # Mark file type as a daemon run directory - attribute daemonrundir; -@@ -35,12 +64,14 @@ attribute daemonrundir; - # - # init_t is the domain of the init process. - # --type init_t; -+type init_t, initrc_transition_domain; - type init_exec_t; - domain_type(init_t) - domain_entry_file(init_t, init_exec_t) -+domain_role_change_exemption(init_t) - kernel_domtrans_to(init_t, init_exec_t) - role system_r types init_t; -+init_initrc_domain(init_t) - - # - # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -49,6 +80,15 @@ type init_var_run_t; - files_pid_file(init_var_run_t) - - # -+# init_var_lib_t is the type for /var/lib/systemd -+# -+type init_var_lib_t; -+files_type(init_var_lib_t) -+ -+type machineid_t; -+files_config_file(machineid_t) -+ -+# - # initctl_t is the type of the named pipe created - # by init during initialization. This pipe is used - # to communicate with init. -@@ -57,7 +97,7 @@ type initctl_t; - files_type(initctl_t) - mls_trusted_object(initctl_t) - --type initrc_t, init_script_domain_type, init_run_all_scripts_domain; -+type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain; - type initrc_exec_t, init_script_file_type; - domain_type(initrc_t) - domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +138,9 @@ ifdef(`enable_mls',` - # - - # Use capabilities. 
old rule: --allow init_t self:capability ~sys_module; -+allow init_t self:capability ~{ audit_control audit_write sys_module }; -+allow init_t self:capability2 ~{ mac_admin mac_override }; -+allow init_t self:key manage_key_perms; - # is ~sys_module really needed? observed: - # sys_boot - # sys_tty_config -@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; - - # Re-exec itself - can_exec(init_t, init_exec_t) -- --allow init_t initrc_t:unix_stream_socket connectto; -- --# For /var/run/shutdown.pid. --allow init_t init_var_run_t:file manage_file_perms; --files_pid_filetrans(init_t, init_var_run_t, file) -+# executing content in /run/initramfs -+manage_files_pattern(init_t, initrc_state_t, initrc_state_t) -+can_exec(init_t, initrc_state_t) -+ -+allow daemon initrc_t:unix_dgram_socket sendto; -+allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms }; -+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto }; -+allow initrc_t init_t:fifo_file rw_fifo_file_perms; -+ -+manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t) -+manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t) -+manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) -+manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t) -+files_var_lib_filetrans(init_t, init_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) -+manage_files_pattern(init_t, init_var_run_t, init_var_run_t) -+manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) -+manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) -+files_pid_filetrans(init_t, init_var_run_t, { dir file }) -+allow init_t init_var_run_t:dir mounton; -+allow init_t init_var_run_t:sock_file relabelto; -+ -+allow init_t machineid_t:file manage_file_perms; -+files_pid_filetrans(init_t, machineid_t, file, "machine-id") -+files_etc_filetrans(init_t, machineid_t, file, "machine-id") -+allow init_t 
machineid_t:file mounton; - - allow init_t initctl_t:fifo_file manage_fifo_file_perms; - dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; - - kernel_read_system_state(init_t) - kernel_share_state(init_t) -+kernel_stream_connect(init_t) - - corecmd_exec_chroot(init_t) - corecmd_exec_bin(init_t) - --dev_read_sysfs(init_t) -+dev_rw_sysfs(init_t) -+dev_read_urand(init_t) -+dev_read_raw_memory(init_t) - # Early devtmpfs - dev_rw_generic_chr_files(init_t) -+dev_filetrans_all_named_dev(init_t) -+dev_write_watchdog(init_t) - - domain_getpgid_all_domains(init_t) - domain_kill_all_domains(init_t) -@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) - domain_signull_all_domains(init_t) - domain_sigstop_all_domains(init_t) - domain_sigchld_all_domains(init_t) -+domain_read_all_domains_state(init_t) - - files_read_etc_files(init_t) -+files_read_all_pids(init_t) -+files_read_system_conf_files(init_t) - files_rw_generic_pids(init_t) - files_dontaudit_search_isid_type_dirs(init_t) -+files_read_etc_runtime_files(init_t) - files_manage_etc_runtime_files(init_t) -+files_manage_etc_symlinks(init_t) - files_etc_filetrans_etc_runtime(init_t, file) - # Run /etc/X11/prefdm: - files_exec_etc_files(init_t) -+files_read_usr_files(init_t) - # file descriptors inherited from the rootfs: - files_dontaudit_rw_root_files(init_t) - files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) - fs_write_ramfs_sockets(init_t) - - mcs_process_set_categories(init_t) --mcs_killall(init_t) - - mls_file_read_all_levels(init_t) - mls_file_write_all_levels(init_t) -+mls_file_downgrade(init_t) -+mls_file_upgrade(init_t) - mls_process_write_down(init_t) - mls_fd_use_all_levels(init_t) -+mls_fd_share_all_levels(init_t) -+mls_socket_read_all_levels(init_t) -+mls_socket_write_all_levels(init_t) -+ -+mls_rangetrans_source(init_t) - - selinux_set_all_booleans(init_t) -+selinux_load_policy(init_t) 
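Review bot: `dev_read_raw_memory(init_t)` grants PID 1 read access to raw memory devices with no comment naming the systemd code path that needs it, and it sits between `dev_read_urand(init_t)` and the `# Early devtmpfs` rule as if it were routine. Raw memory read is a strong privilege even for init, so it should carry a why-comment (something like `# systemd reads raw memory devices for <reason>; see <tracking bug>`) or be reverted if the need cannot be stated. `dev_filetrans_all_named_dev(init_t)` arrives in the same hunk equally uncommented; the watchdog write is self-explanatory for systemd, the named-dev transitions less so. The init_t rule section continues on both sides of this hunk.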
-+selinux_mounton_fs(init_t) -+allow init_t security_t:security load_policy; - --term_use_all_terms(init_t) -+term_create_pty_dir(init_t) -+term_use_unallocated_ttys(init_t) -+term_use_console(init_t) -+term_use_all_inherited_terms(init_t) -+term_use_generic_ptys(init_t) - - # Run init scripts. - init_domtrans_script(init_t) - - libs_rw_ld_so_cache(init_t) - -+logging_create_devlog_dev(init_t) - logging_send_syslog_msg(init_t) -+logging_send_audit_msgs(init_t) - logging_rw_generic_logs(init_t) -+logging_relabel_devlog_dev(init_t) - - seutil_read_config(init_t) -+seutil_read_module_store(init_t) -+ -+miscfiles_manage_localization(init_t) -+miscfiles_filetrans_named_content(init_t) - --miscfiles_read_localization(init_t) -+userdom_use_user_ttys(init_t) -+userdom_manage_tmp_dirs(init_t) -+userdom_manage_tmp_sockets(init_t) -+ -+allow init_t self:process setsched; - - ifdef(`distro_gentoo',` - allow init_t self:process { getcap setcap }; -@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',` - ') - - ifdef(`distro_redhat',` -+ fs_manage_tmpfs_files(init_t) -+ fs_manage_tmpfs_sockets(init_t) -+ fs_exec_tmpfs_files(init_t) - fs_read_tmpfs_symlinks(init_t) - fs_rw_tmpfs_chr_files(init_t) - fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) -+ fs_tmpfs_filetrans_named_content(init_t) -+ -+ logging_stream_connect_syslog(init_t) -+ logging_relabel_syslog_pid_socket(init_t) - ') - --tunable_policy(`init_upstart',` -- corecmd_shell_domtrans(init_t, initrc_t) --',` -- # Run the shell in the sysadm role for single-user mode. 
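Review bot: `allow init_t security_t:security load_policy;` duplicates the `selinux_load_policy(init_t)` call two lines above it and reaches into the selinux module's `security_t` type directly rather than through its interface, so the raw rule should simply be dropped: `selinux_load_policy(init_t)` already grants the permission. If it is kept, `security_t` would also have to appear in this file's top-level `gen_require` block, which the hunk does not show. A one-line comment on why PID 1 loads policy (presumably systemd's early SELinux setup, to be confirmed) would also help the next reader. The init_t section continues outside the hunk.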
-- # causes problems with upstart -- sysadm_shell_domtrans(init_t) -+corecmd_shell_domtrans(init_t, initrc_t) -+ -+storage_raw_rw_fixed_disk(init_t) -+ -+sysnet_read_dhcpc_state(init_t) -+ -+optional_policy(` -+ chronyd_read_keys(init_t) -+') -+ -+optional_policy(` -+ kdump_read_crash(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) -+ gnome_filetrans_home_content(init_t) -+ gnome_manage_data(init_t) - ') - - optional_policy(` -+ iscsi_read_lib_files(init_t) -+') -+ -+optional_policy(` -+ modutils_domtrans_insmod(init_t) -+ modutils_list_module_config(init_t) -+') -+ -+optional_policy(` -+ postfix_exec(init_t) -+ postfix_list_spool(init_t) -+ mta_read_config(init_t) -+ mta_manage_aliases(init_t) -+') -+ -+allow init_t self:system all_system_perms; -+allow init_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow init_t self:process { setsockcreate setfscreate setrlimit }; -+allow init_t self:process { getcap setcap }; -+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow init_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow init_t self:netlink_selinux_socket create_socket_perms; -+# Until systemd is fixed -+allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; -+allow init_t self:udp_socket create_socket_perms; -+allow init_t self:netlink_route_socket create_netlink_socket_perms; -+ -+allow init_t initrc_t:unix_dgram_socket create_socket_perms; -+ -+kernel_list_unlabeled(init_t) -+kernel_read_network_state(init_t) -+kernel_rw_all_sysctls(init_t) -+kernel_read_software_raid_state(init_t) -+kernel_unmount_debugfs(init_t) -+kernel_setsched(init_t) -+ -+dev_write_kmsg(init_t) -+dev_write_urand(init_t) -+dev_rw_lvm_control(init_t) -+dev_rw_autofs(init_t) -+dev_manage_generic_symlinks(init_t) -+dev_manage_generic_dirs(init_t) -+dev_manage_generic_files(init_t) -+dev_read_generic_chr_files(init_t) -+dev_relabel_generic_dev_dirs(init_t) 
-+dev_relabel_all_dev_nodes(init_t) -+dev_relabel_all_dev_files(init_t) -+dev_manage_sysfs_dirs(init_t) -+dev_relabel_sysfs_dirs(init_t) -+ -+files_search_all(init_t) -+files_mounton_all_mountpoints(init_t) -+files_unmount_all_file_type_fs(init_t) -+files_manage_all_pid_dirs(init_t) -+files_manage_etc_dirs(init_t) -+files_manage_generic_tmp_dirs(init_t) -+files_relabel_all_pid_dirs(init_t) -+files_relabel_all_pid_files(init_t) -+files_create_all_pid_sockets(init_t) -+files_delete_all_pids(init_t) -+files_exec_generic_pid_files(init_t) -+files_create_all_pid_pipes(init_t) -+files_create_all_spool_sockets(init_t) -+files_delete_all_spool_sockets(init_t) -+files_manage_urandom_seed(init_t) -+files_list_locks(init_t) -+files_list_spool(init_t) -+files_list_var(init_t) -+files_list_boot(init_t) -+files_list_home(init_t) -+files_create_lock_dirs(init_t) -+files_relabel_all_lock_dirs(init_t) -+files_read_kernel_modules(init_t) -+fs_getattr_all_fs(init_t) -+fs_manage_cgroup_dirs(init_t) -+fs_manage_cgroup_files(init_t) -+fs_manage_hugetlbfs_dirs(init_t) -+fs_manage_tmpfs_dirs(init_t) -+fs_relabel_tmpfs_dirs(init_t) -+fs_relabel_tmpfs_files(init_t) -+fs_relabel_tmpfs_fifo_files(init_t) -+fs_mount_all_fs(init_t) -+fs_unmount_all_fs(init_t) -+fs_remount_all_fs(init_t) -+fs_list_all(init_t) -+fs_list_auto_mountpoints(init_t) -+fs_register_binary_executable_type(init_t) -+fs_relabel_tmpfs_sock_file(init_t) -+fs_rw_tmpfs_files(init_t) -+fs_relabel_cgroup_dirs(init_t) -+fs_search_cgroup_dirs(init_t) -+selinux_compute_access_vector(init_t) -+selinux_compute_create_context(init_t) -+selinux_validate_context(init_t) -+selinux_unmount_fs(init_t) -+ -+storage_getattr_removable_dev(init_t) -+ -+term_relabel_ptys_dirs(init_t) -+ -+auth_relabel_login_records(init_t) -+auth_relabel_pam_console_data_dirs(init_t) -+ -+clock_read_adjtime(init_t) -+ -+init_read_script_state(init_t) -+ -+modutils_read_module_config(init_t) -+ -+seutil_read_file_contexts(init_t) -+ 
-+systemd_exec_systemctl(init_t) -+systemd_manage_home_content(init_t) -+systemd_manage_unit_dirs(init_t) -+systemd_manage_random_seed(init_t) -+systemd_manage_all_unit_files(init_t) -+systemd_logger_stream_connect(init_t) -+systemd_config_all_services(init_t) -+systemd_relabelto_fifo_file_passwd_run(init_t) -+systemd_relabel_unit_dirs(init_t) -+systemd_relabel_unit_files(init_t) -+systemd_manage_unit_dirs(initrc_t) -+systemd_manage_unit_symlinks(initrc_t) -+systemd_config_all_services(initrc_t) -+systemd_read_unit_files(initrc_t) -+ -+create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) -+ -+auth_use_nsswitch(init_t) -+auth_rw_login_records(init_t) -+auth_domtrans_chk_passwd(init_t) -+ -+optional_policy(` -+ ipsec_read_config(init_t) -+') -+ -+optional_policy(` -+ lvm_rw_pipes(init_t) -+ lvm_read_config(init_t) -+') -+ -+optional_policy(` -+ consolekit_manage_log(init_t) -+') -+ -+optional_policy(` -+ dbus_connect_system_bus(init_t) - dbus_system_bus_client(init_t) -+ dbus_delete_pid_files(init_t) -+ -+ optional_policy(` -+ devicekit_dbus_chat_power(init_t) -+ ') -+') -+ -+optional_policy(` -+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to -+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up -+ # the directory. But we do not want to allow this. -+ # The master process of dovecot will manage this file. 
-+ dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ networkmanager_stream_connect(init_t) - ') - - optional_policy(` -- nscd_use(init_t) -+ plymouthd_stream_connect(init_t) -+ plymouthd_exec_plymouth(init_t) - ') - - optional_policy(` -@@ -216,7 +493,30 @@ optional_policy(` - ') - - optional_policy(` -+ rpcbind_filetrans_named_content(init_t) -+ rpcbind_relabel_sock_file(init_t) -+') -+ -+optional_policy(` -+ systemd_filetrans_named_content(init_t) -+') -+ -+optional_policy(` -+ udev_read_db(init_t) -+ udev_relabelto_db(init_t) -+ udev_create_kobject_uevent_socket(init_t) -+ udev_relabel_pid_sockfile(init_t) -+') -+ -+optional_policy(` -+ xserver_relabel_xdm_tmp_dirs(init_t) -+ xserver_manage_xdm_tmp_dirs(init_t) -+ xserver_read_xdm_lib_files(init_t) -+') -+ -+optional_policy(` - unconfined_domain(init_t) -+ domain_named_filetrans(init_t) - ') - - ######################################## -@@ -225,8 +525,9 @@ optional_policy(` - # - - allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; --allow initrc_t self:capability ~{ sys_admin sys_module }; --dontaudit initrc_t self:capability sys_module; # sysctl is triggering this -+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; -+allow initrc_t self:capability2 block_suspend; -+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this - allow initrc_t self:passwd rootok; - allow initrc_t self:key manage_key_perms; - -@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) - - allow initrc_t initrc_var_run_t:file manage_file_perms; - files_pid_filetrans(initrc_t, initrc_var_run_t, file) -+files_manage_generic_pids_symlinks(initrc_t) -+files_create_var_run_dirs(initrc_t) -+files_relabelfrom_isid_type(initrc_t) - - can_exec(initrc_t, initrc_tmp_t) - manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) - manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) 
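Review bot: `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` lets every process carrying the `daemon` attribute read, write and set options on any socket owned by init, and the only justification is `# Until systemd is fixed`, with no bug reference and no narrowing. Because `socket_class_set` spans tcp, udp and netlink sockets as well as unix ones, this is wider than the inherited-descriptor case the comment suggests; I would restrict it to `{ unix_stream_socket unix_dgram_socket }` or at least tie the comment to the tracking bug so the rule can be removed later, e.g. `# TODO: inherited socket fds from systemd socket activation; drop once fixed upstream (see bug)`. The same hunk also adds `storage_raw_rw_fixed_disk(init_t)` and `auth_domtrans_chk_passwd(init_t)` without comments; each is a notable privilege for PID 1 and deserves a one-line why. The init_t section continues on both sides of this hunk.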
- manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) - files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) -+allow initrc_t initrc_tmp_t:dir relabelfrom; - - manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) - manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t) - kernel_clear_ring_buffer(initrc_t) - kernel_get_sysvipc_info(initrc_t) - kernel_read_all_sysctls(initrc_t) -+kernel_request_load_module(initrc_t) - kernel_rw_all_sysctls(initrc_t) - # for lsof which is used by alsa shutdown: - kernel_dontaudit_getattr_message_if(initrc_t) -+kernel_stream_connect(initrc_t) -+files_read_kernel_modules(initrc_t) -+files_read_config_files(initrc_t) -+files_read_var_lib_symlinks(initrc_t) -+files_setattr_pid_dirs(initrc_t) - - files_create_lock_dirs(initrc_t) - files_pid_filetrans_lock_dir(initrc_t, "lock") - files_read_kernel_symbol_table(initrc_t) --files_setattr_lock_dirs(initrc_t) -+files_exec_etc_files(initrc_t) -+files_manage_etc_symlinks(initrc_t) -+files_manage_system_conf_files(initrc_t) -+ -+fs_manage_tmpfs_dirs(initrc_t) -+fs_manage_tmpfs_symlinks(initrc_t) -+fs_delete_tmpfs_files(initrc_t) -+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) -+fs_read_nfsd_files(initrc_t) - - corecmd_exec_all_executables(initrc_t) - --corenet_all_recvfrom_unlabeled(initrc_t) - corenet_all_recvfrom_netlabel(initrc_t) --corenet_tcp_sendrecv_all_if(initrc_t) --corenet_udp_sendrecv_all_if(initrc_t) --corenet_tcp_sendrecv_all_nodes(initrc_t) --corenet_udp_sendrecv_all_nodes(initrc_t) -+corenet_tcp_sendrecv_generic_if(initrc_t) -+corenet_udp_sendrecv_generic_if(initrc_t) -+corenet_tcp_sendrecv_generic_node(initrc_t) -+corenet_udp_sendrecv_generic_node(initrc_t) - corenet_tcp_sendrecv_all_ports(initrc_t) - corenet_udp_sendrecv_all_ports(initrc_t) - corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t) - - 
dev_read_rand(initrc_t) - dev_read_urand(initrc_t) -+dev_dontaudit_read_kmsg(initrc_t) - dev_write_kmsg(initrc_t) - dev_write_rand(initrc_t) - dev_write_urand(initrc_t) -+dev_write_watchdog(initrc_t) - dev_rw_sysfs(initrc_t) - dev_list_usbfs(initrc_t) - dev_read_framebuffer(initrc_t) -@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t) - dev_read_realtime_clock(initrc_t) - dev_read_sound_mixer(initrc_t) - dev_write_sound_mixer(initrc_t) -+dev_setattr_generic_dirs(initrc_t) - dev_setattr_all_chr_files(initrc_t) - dev_rw_lvm_control(initrc_t) -+dev_rw_generic_chr_files(initrc_t) - dev_delete_lvm_control_dev(initrc_t) - dev_manage_generic_symlinks(initrc_t) - dev_manage_generic_files(initrc_t) -@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t) - dev_delete_generic_symlinks(initrc_t) - dev_getattr_all_blk_files(initrc_t) - dev_getattr_all_chr_files(initrc_t) --# Early devtmpfs --dev_rw_generic_chr_files(initrc_t) -+dev_rw_xserver_misc(initrc_t) - - domain_kill_all_domains(initrc_t) - domain_signal_all_domains(initrc_t) -@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t) - domain_sigchld_all_domains(initrc_t) - domain_read_all_domains_state(initrc_t) - domain_getattr_all_domains(initrc_t) --domain_dontaudit_ptrace_all_domains(initrc_t) - domain_getsession_all_domains(initrc_t) - domain_use_interactive_fds(initrc_t) - # for lsof which is used by alsa shutdown: -@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) - domain_dontaudit_getattr_all_tcp_sockets(initrc_t) - domain_dontaudit_getattr_all_dgram_sockets(initrc_t) - domain_dontaudit_getattr_all_pipes(initrc_t) -+domain_obj_id_change_exemption(initrc_t) - - files_getattr_all_dirs(initrc_t) - files_getattr_all_files(initrc_t) -@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t) - files_getattr_all_pipes(initrc_t) - files_getattr_all_sockets(initrc_t) - files_purge_tmp(initrc_t) --files_delete_all_locks(initrc_t) -+files_manage_all_locks(initrc_t) -+files_manage_boot_files(initrc_t) 
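Review bot: The `# Early devtmpfs` comment is deleted together with `dev_rw_generic_chr_files(initrc_t)` here, yet the very same rule is re-added two hunks earlier without any comment, so the one sentence explaining why init scripts need read/write on generic character devices is lost while the permission stays. Keep the explanation next to the surviving rule, e.g. `# Early devtmpfs: init scripts touch generic char devices before udev has labelled them`, or if the re-add is not about devtmpfs any more, say what it is for. The initrc_t device rules continue outside the hunk.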
- files_read_all_pids(initrc_t) -+files_delete_root_files(initrc_t) - files_delete_all_pids(initrc_t) - files_delete_all_pid_dirs(initrc_t) - files_read_etc_files(initrc_t) - files_manage_etc_runtime_files(initrc_t) - files_etc_filetrans_etc_runtime(initrc_t, file) --files_exec_etc_files(initrc_t) - files_read_usr_files(initrc_t) - files_manage_urandom_seed(initrc_t) - files_manage_generic_spool(initrc_t) -@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t) - files_mounton_isid_type_dirs(initrc_t) - files_list_default(initrc_t) - files_mounton_default(initrc_t) -+files_manage_mnt_dirs(initrc_t) -+files_manage_mnt_files(initrc_t) - --fs_write_cgroup_files(initrc_t) -+fs_delete_cgroup_dirs(initrc_t) -+fs_list_cgroup_dirs(initrc_t) -+fs_rw_cgroup_files(initrc_t) - fs_list_inotifyfs(initrc_t) - fs_register_binary_executable_type(initrc_t) - # rhgb-console writes to ramfs -@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t) - fs_unmount_all_fs(initrc_t) - fs_remount_all_fs(initrc_t) - fs_getattr_all_fs(initrc_t) -+fs_search_all(initrc_t) -+fs_getattr_nfsd_files(initrc_t) -+fs_dontaudit_create_tmpfs_chr_dev(initrc_t) - - # initrc_t needs to do a pidof which requires ptrace --mcs_ptrace_all(initrc_t) --mcs_killall(initrc_t) - mcs_process_set_categories(initrc_t) - - mls_file_read_all_levels(initrc_t) -@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t) - mls_process_write_down(initrc_t) - mls_rangetrans_source(initrc_t) - mls_fd_share_all_levels(initrc_t) -+mls_socket_write_to_clearance(initrc_t) - - selinux_get_enforce_mode(initrc_t) - -@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t) - term_reset_tty_labels(initrc_t) - - auth_rw_login_records(initrc_t) -+auth_manage_faillog(initrc_t) - auth_setattr_login_records(initrc_t) - auth_rw_lastlog(initrc_t) - auth_read_pam_pid(initrc_t) -@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t) - logging_append_all_logs(initrc_t) - logging_read_audit_config(initrc_t) - --miscfiles_read_localization(initrc_t) - # slapd needs to read 
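Review bot: The comment `# initrc_t needs to do a pidof which requires ptrace` is now stale: the hunk removes both `mcs_ptrace_all(initrc_t)` and `mcs_killall(initrc_t)`, leaving the comment attached to `mcs_process_set_categories(initrc_t)`, which has nothing to do with pidof or ptrace. Either delete the comment or rewrite it to describe what remains, along the lines of `# initrc_t may set MCS categories on the processes it manages`. The initrc_t rule block continues outside the hunk.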
cert files from its initscript --miscfiles_read_generic_certs(initrc_t) -+miscfiles_manage_generic_cert_files(initrc_t) - --modutils_read_module_config(initrc_t) --modutils_domtrans_insmod(initrc_t) - - seutil_read_config(initrc_t) - -+userdom_read_admin_home_files(initrc_t) - userdom_read_user_home_content_files(initrc_t) - # Allow access to the sysadm TTYs. Note that this will give access to the - # TTYs to any process in the initrc_t domain. Therefore, daemons and such - # started from init should be placed in their own domain. --userdom_use_user_terminals(initrc_t) -+userdom_use_inherited_user_terminals(initrc_t) - - ifdef(`distro_debian',` - dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',` - allow initrc_t self:process setfscreate; - dev_create_null_dev(initrc_t) - dev_create_zero_dev(initrc_t) -- dev_create_generic_dirs(initrc_t) - term_create_console_dev(initrc_t) - - # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',` - sysnet_setattr_config(initrc_t) - - optional_policy(` -+ abrt_manage_pid_files(initrc_t) -+ ') -+ -+ optional_policy(` - alsa_read_lib(initrc_t) - ') - -@@ -505,7 +835,7 @@ ifdef(`distro_redhat',` - - # Red Hat systems seem to have a stray - # fd open from the initrd -- kernel_dontaudit_use_fds(initrc_t) -+ kernel_use_fds(initrc_t) - files_dontaudit_read_root_files(initrc_t) - - # These seem to be from the initrd -@@ -520,6 +850,7 @@ ifdef(`distro_redhat',` - files_create_boot_dirs(initrc_t) - files_create_boot_flag(initrc_t) - files_rw_boot_symlinks(initrc_t) -+ - # wants to read /.fonts directory - files_read_default_files(initrc_t) - files_mountpoint(initrc_tmp_t) -@@ -540,6 +871,7 @@ ifdef(`distro_redhat',` - miscfiles_rw_localization(initrc_t) - miscfiles_setattr_localization(initrc_t) - miscfiles_relabel_localization(initrc_t) -+ miscfiles_filetrans_named_content(initrc_t) - - miscfiles_read_fonts(initrc_t) - miscfiles_read_hwdata(initrc_t) -@@ -549,8 +881,44 @@ 
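Review bot: The comment `# slapd needs to read cert files from its initscript` no longer matches the rule beneath it, which changes from `miscfiles_read_generic_certs(initrc_t)` to `miscfiles_manage_generic_cert_files(initrc_t)`, so init scripts may now create, modify and delete generic certificate files rather than just read them. If the widening is deliberate (presumably some init script regenerates certificates), the comment should name that service and the reason, e.g. `# <service> initscript regenerates its certificate files; slapd only reads them`; if not, the read interface was the correct one. The initrc_t rule block continues outside the hunk.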
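Review bot: `kernel_use_fds(initrc_t)` turns the previous `kernel_dontaudit_use_fds(initrc_t)` into an allow, yet the comment left above it still reads `# Red Hat systems seem to have a stray fd open from the initrd`, which describes an unwanted leak to be silenced rather than something to permit. If init scripts now legitimately inherit kernel-context descriptors (plausibly via the initramfs handoff, to be confirmed), the comment should say so, e.g. `# initrc inherits fds from the initramfs kernel context; required, not just audit noise`; if they do not, the dontaudit was the safer choice. The distro_redhat block this sits in is cut at both hunk edges.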
ifdef(`distro_redhat',` - ') - - optional_policy(` -+ abrt_manage_pid_files(initrc_t) -+ ') -+ -+ optional_policy(` - bind_manage_config_dirs(initrc_t) -+ bind_manage_config(initrc_t) - bind_write_config(initrc_t) -+ bind_setattr_zone_dirs(initrc_t) -+ ') -+ -+ optional_policy(` -+ cyrus_write_data(initrc_t) -+ ') -+ -+ optional_policy(` -+ devicekit_append_inherited_log_files(initrc_t) -+ devicekit_dbus_chat_power(initrc_t) -+ ') -+ -+ optional_policy(` -+ dirsrvadmin_read_config(initrc_t) -+ dirsrv_manage_var_run(initrc_t) -+ ') -+ -+ optional_policy(` -+ gnome_manage_gconf_config(initrc_t) -+ ') -+ -+ optional_policy(` -+ ldap_read_db_files(initrc_t) -+ ') -+ -+ optional_policy(` -+ ntp_filetrans_named_content(initrc_t) -+ ') -+ -+ optional_policy(` -+ pulseaudio_stream_connect(initrc_t) - ') - - optional_policy(` -@@ -558,14 +926,31 @@ ifdef(`distro_redhat',` - rpc_write_exports(initrc_t) - rpc_manage_nfs_state_data(initrc_t) - ') -+ optional_policy(` -+ rpcbind_stream_connect(initrc_t) -+ ') - - optional_policy(` - sysnet_rw_dhcp_config(initrc_t) - sysnet_manage_config(initrc_t) -+ sysnet_manage_dhcpc_state(initrc_t) -+ sysnet_relabelfrom_dhcpc_state(initrc_t) -+ sysnet_relabelfrom_net_conf(initrc_t) -+ sysnet_relabelto_net_conf(initrc_t) -+ sysnet_filetrans_named_content(initrc_t) -+ ') -+ -+ optional_policy(` -+ tgtd_stream_connect(initrc_t) -+ ') -+ -+ optional_policy(` -+ wdmd_manage_pid_files(initrc_t) - ') - - optional_policy(` - xserver_delete_log(initrc_t) -+ xserver_manage_user_fonts_dir(initrc_t) - ') - ') - -@@ -576,6 +961,39 @@ ifdef(`distro_suse',` - ') - ') - -+domain_dontaudit_use_interactive_fds(daemon) -+ -+userdom_dontaudit_list_admin_dir(daemon) -+userdom_dontaudit_search_user_tmp(daemon) -+ -+tunable_policy(`daemons_use_tcp_wrapper',` -+ corenet_tcp_connect_auth_port(daemon) -+') -+ -+tunable_policy(`daemons_use_tty',` -+ term_use_unallocated_ttys(daemon) -+ term_use_generic_ptys(daemon) -+ term_use_all_ttys(daemon) -+ 
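Review bot: The new `optional_policy(` rpcbind_stream_connect(initrc_t) ')` block is butted directly against the closing `')` of the rpc block with no blank line between them, unlike every other adjacent optional_policy pair in this distro_redhat section. Insert a blank line before `optional_policy(` so the blocks read as separate units and future hunks anchor cleanly. The enclosing distro_redhat ifdef is cut at both hunk edges.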
term_use_all_ptys(daemon) -+',` -+ term_dontaudit_use_unallocated_ttys(daemon) -+ term_dontaudit_use_generic_ptys(daemon) -+ term_dontaudit_use_all_ttys(daemon) -+ term_dontaudit_use_all_ptys(daemon) -+ ') -+ -+# system-config-services causes avc messages that should be dontaudited -+tunable_policy(`daemons_dump_core',` -+ files_manage_root_files(daemon) -+') -+ -+optional_policy(` -+ unconfined_dontaudit_rw_pipes(daemon) -+ unconfined_dontaudit_rw_stream(daemon) -+ userdom_dontaudit_read_user_tmp_files(daemon) -+ userdom_dontaudit_write_user_tmp_files(daemon) -+') -+ - optional_policy(` - amavis_search_lib(initrc_t) - amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1006,8 @@ optional_policy(` - optional_policy(` - apache_read_config(initrc_t) - apache_list_modules(initrc_t) -+ # webmin seems to cause this. -+ apache_search_sys_content(daemon) - ') - - optional_policy(` -@@ -609,6 +1029,7 @@ optional_policy(` - - optional_policy(` - cgroup_stream_connect_cgred(initrc_t) -+ domain_setpriority_all_domains(initrc_t) - ') - - optional_policy(` -@@ -625,6 +1046,17 @@ optional_policy(` - ') - - optional_policy(` -+ chronyd_append_keys(initrc_t) -+ chronyd_read_keys(initrc_t) -+') -+ -+optional_policy(` -+ cron_read_pipes(initrc_t) -+ # managing /etc/cron.d/mailman content -+ cron_manage_system_spool(initrc_t) -+') -+ -+optional_policy(` - dev_getattr_printer_dev(initrc_t) - - cups_read_log(initrc_t) -@@ -641,9 +1073,13 @@ optional_policy(` - dbus_connect_system_bus(initrc_t) - dbus_system_bus_client(initrc_t) - dbus_read_config(initrc_t) -+ dbus_manage_lib_files(initrc_t) -+ -+ init_dbus_chat(initrc_t) - - optional_policy(` - consolekit_dbus_chat(initrc_t) -+ consolekit_manage_log(initrc_t) - ') - - optional_policy(` -@@ -656,15 +1092,11 @@ optional_policy(` - ') - - optional_policy(` -- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to -- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up -- # the directory. But we do not want to allow this. 
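Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` is attached to `tunable_policy(`daemons_dump_core',` files_manage_root_files(daemon) ')`, but that branch is an allow, not a dontaudit, and the tunable's own description earlier in this file says only `Allow all daemons to write corefiles to /`, while a manage-level interface by its name grants considerably more than create/write on the root directory. Move or delete the misplaced comment, and either narrow the grant to what core dumping needs or document why full manage is intended. As a style point, the closing `')` of the `daemons_use_tty` else-branch is indented by one space while the neighbouring closers sit at column 0. These daemon rules are top-level and complete within the hunk.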
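Review bot: `domain_setpriority_all_domains(initrc_t)` is added inside the `optional_policy(` block whose only other line is `cgroup_stream_connect_cgred(initrc_t)`, so the ability of init scripts to change the priority of arbitrary domains silently depends on the cgroup module being present, which looks accidental. Unless the setpriority is specifically required for cgred, move it to the unconditional initrc_t section; if it is, add a comment stating the dependency, e.g. `# cgred reprioritises the services it classifies`. The optional_policy block is complete within the hunk; the surrounding section is not.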
-- # The master process of dovecot will manage this file. -- dovecot_dontaudit_unlink_lib_files(initrc_t) -+ ftp_read_config(initrc_t) - ') - - optional_policy(` -- ftp_read_config(initrc_t) -+ glance_manage_pid_files(initrc_t) - ') - - optional_policy(` -@@ -685,6 +1117,15 @@ optional_policy(` - ') - - optional_policy(` -+ firewalld_dbus_chat(initrc_t) -+') -+ -+optional_policy(` -+ modutils_read_module_config(initrc_t) -+ modutils_domtrans_insmod(initrc_t) -+') -+ -+optional_policy(` - inn_exec_config(initrc_t) - ') - -@@ -725,6 +1166,7 @@ optional_policy(` - lpd_list_spool(initrc_t) - - lpd_read_config(initrc_t) -+ lpd_manage_spool(init_t) - ') - - optional_policy(` -@@ -742,7 +1184,13 @@ optional_policy(` - ') - - optional_policy(` -- mta_read_config(initrc_t) -+ milter_delete_dkim_pid_files(initrc_t) -+ milter_setattr_all_dirs(initrc_t) -+') -+ -+optional_policy(` -+ mta_manage_aliases(initrc_t) -+ mta_manage_config(initrc_t) - mta_dontaudit_read_spool_symlinks(initrc_t) - ') - -@@ -765,6 +1213,10 @@ optional_policy(` - ') - - optional_policy(` -+ plymouthd_stream_connect(initrc_t) -+') -+ -+optional_policy(` - postgresql_manage_db(initrc_t) - postgresql_read_config(initrc_t) - ') -@@ -774,10 +1226,20 @@ optional_policy(` - ') - - optional_policy(` -+ psad_setattr_fifo_file(initrc_t) -+ psad_setattr_log(initrc_t) -+ psad_write_log(initrc_t) -+') -+ -+optional_policy(` - puppet_rw_tmp(initrc_t) - ') - - optional_policy(` -+ qpidd_manage_var_run(initrc_t) -+') -+ -+optional_policy(` - quota_manage_flags(initrc_t) - ') - -@@ -786,6 +1248,10 @@ optional_policy(` - ') - - optional_policy(` -+ ricci_manage_lib_files(initrc_t) -+') -+ -+optional_policy(` - fs_write_ramfs_sockets(initrc_t) - fs_search_ramfs(initrc_t) - -@@ -807,8 +1273,6 @@ optional_policy(` - # bash tries ioctl for some reason - files_dontaudit_ioctl_all_pids(initrc_t) - -- # why is this needed: -- rpm_manage_db(initrc_t) - ') - - optional_policy(` -@@ -817,6 +1281,10 @@ optional_policy(` - ') - - 
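Review bot: `lpd_manage_spool(init_t)` is inserted into an `optional_policy(` block whose other lines, `lpd_list_spool(initrc_t)` and `lpd_read_config(initrc_t)`, are all initrc_t rules, so either the subject is a typo for `initrc_t` or an init_t rule is hiding in the wrong section where readers of the init_t rules will not find it. If PID 1 really must manage the print spool (which would be unusual; confirm against the underlying AVC), move the line to the init_t optional_policy blocks earlier in the file with a why-comment; otherwise change it to `lpd_manage_spool(initrc_t)`. The optional_policy block is complete within the hunk.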
optional_policy(` -+ sendmail_setattr_pid_files(initrc_t) -+') -+ -+optional_policy(` - # shorewall-init script run /var/lib/shorewall/firewall - shorewall_lib_domtrans(initrc_t) - ') -@@ -826,10 +1294,12 @@ optional_policy(` - squid_manage_logs(initrc_t) - ') - -+ifdef(`enabled_mls',` - optional_policy(` - # allow init scripts to su - su_restricted_domain_template(initrc, initrc_t, system_r) - ') -+') - - optional_policy(` - ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1326,33 @@ optional_policy(` - ') - - optional_policy(` -+ virt_read_config(init_t) -+ virt_stream_connect(init_t) -+') -+ -+optional_policy(` -+ virt_manage_pid_dirs(initrc_t) -+ virt_manage_cache(initrc_t) -+ virt_manage_lib_files(initrc_t) - virt_stream_connect(initrc_t) -- virt_manage_virt_cache(initrc_t) -+') -+ -+# Cron jobs used to start and stop services -+optional_policy(` -+ cron_rw_pipes(daemon) -+ cron_rw_inherited_user_spool_files(daemon) -+') -+ -+optional_policy(` -+ cfengine_append_inherited_log(daemon) - ') - - optional_policy(` - unconfined_domain(initrc_t) -+ domain_named_filetrans(initrc_t) -+ domain_role_change_exemption(initrc_t) -+ -+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) - - ifdef(`distro_redhat',` - # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1362,18 @@ optional_policy(` - optional_policy(` - mono_domtrans(initrc_t) - ') -+ -+ # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) -+ -+ optional_policy(` -+ rtkit_scheduled(initrc_t) -+ ') -+') -+ -+optional_policy(` -+ rpm_read_db(initrc_t) -+ rpm_delete_db(initrc_t) - ') - - optional_policy(` -@@ -886,6 +1389,10 @@ optional_policy(` - ') - - optional_policy(` -+ sanlock_manage_pid_files(initrc_t) -+') -+ -+optional_policy(` - # Set device ownerships/modes. 
- xserver_setattr_console_pipes(initrc_t) - -@@ -896,3 +1403,218 @@ optional_policy(` - optional_policy(` - zebra_read_config(initrc_t) - ') -+ -+userdom_inherit_append_user_home_content_files(daemon) -+userdom_inherit_append_user_tmp_files(daemon) -+userdom_dontaudit_rw_stream(daemon) -+ -+logging_inherit_append_all_logs(daemon) -+ -+optional_policy(` -+ # sudo service restart causes this -+ unconfined_signull(daemon) -+') -+ -+ -+optional_policy(` -+ xserver_dontaudit_append_xdm_home_files(daemon) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_rw_nfs_files(daemon) -+ ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_rw_cifs_files(daemon) -+ ') -+') -+ -+init_rw_script_stream_sockets(daemon) -+ -+optional_policy(` -+ abrt_stream_connect(daemon) -+') -+ -+optional_policy(` -+ fail2ban_read_lib_files(daemon) -+') -+ -+optional_policy(` -+ firstboot_dontaudit_leaks(daemon) -+') -+ -+init_rw_stream_sockets(daemon) -+init_dontaudit_script_leaks(daemon) -+ -+allow init_t var_run_t:dir relabelto; -+ -+init_stream_connect(initrc_t) -+ -+allow initrc_t daemon:process siginh; -+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; -+allow daemon initrc_transition_domain:fd use; -+allow daemon init_var_run_t:dir search_dir_perms; -+allow systemprocess init_var_run_t:dir search_dir_perms; -+ -+allow init_t daemon:unix_stream_socket create_stream_socket_perms; -+allow init_t daemon:unix_dgram_socket create_socket_perms; -+allow init_t daemon:tcp_socket create_stream_socket_perms; -+allow init_t daemon:udp_socket create_socket_perms; -+allow daemon init_t:unix_dgram_socket sendto; -+# need write to /var/run/systemd/notify -+init_write_pid_socket(daemon) -+allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; -+ -+# daemons started from init will -+# inherit fds from init for the console -+init_dontaudit_use_fds(daemon) -+term_dontaudit_use_console(daemon) -+# init script ptys are the stdin/out/err -+# when using 
run_init -+init_use_script_ptys(daemon) -+ -+allow init_t daemon:process siginh; -+ -+ifdef(`hide_broken_symptoms',` -+ # RHEL4 systems seem to have a stray -+ # fds open from the initrd -+ ifdef(`distro_rhel4',` -+ kernel_dontaudit_use_fds(daemon) -+ ') -+ -+ dontaudit daemon init_t:dir search_dir_perms; -+') -+ -+optional_policy(` -+ nscd_socket_use(daemon) -+') -+ -+optional_policy(` -+ puppet_rw_tmp(daemon) -+') -+ -+allow direct_run_init daemon:process { noatsecure siginh rlimitinh }; -+ -+allow initrc_t systemprocess:process siginh; -+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; -+allow systemprocess initrc_transition_domain:fd use; -+ -+dontaudit systemprocess init_t:unix_stream_socket getattr; -+ -+allow init_t daemon:unix_stream_socket create_stream_socket_perms; -+allow init_t daemon:unix_dgram_socket create_socket_perms; -+allow daemon init_t:unix_stream_socket ioctl; -+allow daemon init_t:unix_dgram_socket sendto; -+# need write to /var/run/systemd/notify -+init_write_pid_socket(daemon) -+init_rw_inherited_script_tmp_files(daemon) -+ -+# Handle upstart/systemd direct transition to a executable -+allow init_t systemprocess:process { dyntransition siginh }; -+allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; -+allow init_t systemprocess:unix_dgram_socket create_socket_perms; -+allow systemprocess init_t:unix_dgram_socket sendto; -+allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; -+ -+files_dontaudit_rw_inherited_locks(systemprocess) -+files_dontaudit_tmp_file_leaks(systemprocess) -+init_rw_inherited_script_tmp_files(systemprocess) -+ -+logging_dontaudit_rw_inherited_generic_logs(systemprocess) -+ -+userdom_dontaudit_search_user_home_dirs(systemprocess) -+userdom_dontaudit_rw_stream(systemprocess) -+userdom_dontaudit_write_user_tmp_files(systemprocess) -+ -+tunable_policy(`daemons_use_tty',` -+ term_use_all_ttys(systemprocess) -+ 
term_use_all_ptys(systemprocess) -+',` -+ term_dontaudit_use_all_ttys(systemprocess) -+ term_dontaudit_use_all_ptys(systemprocess) -+') -+ -+# these apps are often redirect output to random log files -+logging_inherit_append_all_logs(systemprocess) -+ -+optional_policy(` -+ abrt_stream_connect(systemprocess) -+') -+ -+optional_policy(` -+ cfengine_append_inherited_log(systemprocess) -+') -+ -+optional_policy(` -+ cron_rw_pipes(systemprocess) -+') -+ -+optional_policy(` -+ puppet_rw_tmp(systemprocess) -+') -+ -+optional_policy(` -+ xserver_dontaudit_append_xdm_home_files(systemprocess) -+') -+ -+optional_policy(` -+ unconfined_dontaudit_rw_pipes(systemprocess) -+ unconfined_dontaudit_rw_stream(systemprocess) -+ userdom_dontaudit_read_user_tmp_files(systemprocess) -+') -+ -+init_rw_script_stream_sockets(systemprocess) -+ -+role system_r types systemprocess; -+role system_r types daemon; -+ -+#ifdef(`enable_mls',` -+# mls_rangetrans_target(systemprocess) -+#') -+ -+allow initrc_domain daemon:process transition; -+allow daemon initrc_domain:fd use; -+allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms; -+allow daemon initrc_domain:process sigchld; -+allow initrc_domain direct_init_entry:file { getattr open read execute }; -+ -+allow systemprocess initrc_domain:fd use; -+allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms; -+allow systemprocess initrc_domain:process sigchld; -+allow initrc_domain systemprocess_entry:file { getattr open read execute }; -+allow initrc_domain systemprocess:process transition; -+ -+optional_policy(` -+ systemd_getattr_unit_dirs(daemon) -+ systemd_getattr_unit_dirs(systemprocess) -+') -+ -+optional_policy(` -+ rgmanager_search_lib(initrc_domain) -+') -+ -+ifdef(`direct_sysadm_daemon',` -+ allow daemon direct_run_init:fd use; -+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms; -+ allow daemon direct_run_init:process sigchld; -+ allow direct_run_init direct_init_entry:file { getattr open 
read execute }; -+') -+ -+optional_policy(` -+ tunable_policy(`daemons_enable_cluster_mode',` -+ rhcs_manage_cluster_pid_files(daemon) -+ rhcs_manage_cluster_lib_files(daemon) -+ rhcs_rw_inherited_cluster_tmp_files(daemon) -+ rhcs_stream_connect_cluster_to(daemon,daemon) -+',` -+ rhcs_read_cluster_lib_files(daemon) -+ rhcs_read_cluster_pid_files(daemon) -+ ') -+ -+ ') -+ -+optional_policy(` -+ tunable_policy(`daemons_enable_cluster_mode',` -+ #resource agents placed config files in /etc/cluster -+ ccs_manage_config(daemon) -+',` -+ ccs_read_config(daemon) -+ ') -+ ') -diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..a199ffd 100644 ---- a/policy/modules/system/ipsec.fc -+++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,22 @@ - /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) - /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) - --/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) -+ -+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) -+/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -+/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) - /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - - /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) - /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) - -+/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) -+ - /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) -+/etc/strongswan/ipsec\.d(/.*)? 
gen_context(system_u:object_r:ipsec_key_file_t,s0) - - /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - -@@ -26,16 +34,23 @@ - /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) - - /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) - /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -+/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - - /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) -+/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) - - /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) - - /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) - -+/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) -+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0) - /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) - /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) -+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) -diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..e6ffda3 100644 ---- a/policy/modules/system/ipsec.if -+++ b/policy/modules/system/ipsec.if -@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',` - domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) - ') - -+####################################### -+## -+## Allow to create OBJECT in /etc with ipsec_key_file_t. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`ipsec_filetrans_key_file',` -+ gen_require(` -+ type ipsec_key_file_t; -+ ') -+ -+ files_etc_filetrans($1, ipsec_key_file_t, file) -+') -+ -+####################################### -+## -+## Allow to manage ipsec key files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_manage_key_file',` -+ gen_require(` -+ type ipsec_key_file_t; -+ ') -+ -+ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t) -+ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets") -+') -+ -+######################################## -+## -+## Read the ipsec_mgmt_var_run_t files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_mgmt_read_pid',` -+ gen_require(` -+ type ipsec_var_run_t; -+ type ipsec_mgmt_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t) -+') -+ -+ - ######################################## - ## - ## Connect to racoon using a unix domain stream socket. -@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',` - ## - ## - # --# - interface(`ipsec_signal_mgmt',` - gen_require(` - type ipsec_mgmt_t; -@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',` - ##
    - ## - # --# - interface(`ipsec_signull_mgmt',` - gen_require(` - type ipsec_mgmt_t; -@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',` - ##
    - ## - # --# - interface(`ipsec_kill_mgmt',` - gen_require(` - type ipsec_mgmt_t; -@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',` - allow $1 ipsec_mgmt_t:process sigkill; - ') - -+######################################## -+## -+## Send ipsec a general signal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_signal',` -+ gen_require(` -+ type ipsec_t; -+ ') -+ -+ allow $1 ipsec_t:process signal; -+') -+ -+######################################## -+## -+## Send ipsec a null signal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_signull',` -+ gen_require(` -+ type ipsec_t; -+ ') -+ -+ allow $1 ipsec_t:process signull; -+') -+ -+######################################## -+## -+## Send ipsec a kill signal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipsec_kill',` -+ gen_require(` -+ type ipsec_t; -+ ') -+ -+ allow $1 ipsec_t:process sigkill; -+') -+ - ###################################### - ## - ## Send and receive messages from -@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',` - - allow $1 ipsec_spd_t:association polmatch; - allow $1 self:association sendto; -+ allow $1 self:peer recv; - ') - - ######################################## -@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',` - ipsec_domtrans_setkey($1) - role $2 types setkey_t; - ') -+ -+####################################### -+## -+## Execute strongswan in the ipsec_mgmt domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`ipsec_mgmt_systemctl',` -+ gen_require(` -+ type ipsec_mgmt_unit_file_t; -+ type ipsec_mgmt_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 ipsec_mgmt_unit_file_t:file read_file_perms; -+ allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ipsec_mgmt_t) -+') -diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..ceb7f99 100644 ---- a/policy/modules/system/ipsec.te -+++ b/policy/modules/system/ipsec.te -@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) - corecmd_shell_entry_type(ipsec_mgmt_t) - role system_r types ipsec_mgmt_t; - -+type ipsec_mgmt_unit_file_t; -+systemd_unit_file(ipsec_mgmt_unit_file_t) -+ - type ipsec_mgmt_lock_t; - files_lock_file(ipsec_mgmt_lock_t) - -@@ -72,14 +75,18 @@ role system_r types setkey_t; - # ipsec Local policy - # - --allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; --dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; --allow ipsec_t self:process { getcap setcap getsched signal setsched }; -+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; -+dontaudit ipsec_t self:capability sys_tty_config; -+allow ipsec_t self:process { getcap setcap getsched signal signull setsched }; - allow ipsec_t self:tcp_socket create_stream_socket_perms; - allow ipsec_t self:udp_socket create_socket_perms; -+allow ipsec_t self:packet_socket create_socket_perms; - allow ipsec_t self:key_socket create_socket_perms; - allow ipsec_t self:fifo_file read_fifo_file_perms; - allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; -+allow ipsec_t self:netlink_selinux_socket create_socket_perms; -+allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; - - allow ipsec_t 
ipsec_initrc_exec_t:file read_file_perms; - -@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) - read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) - - allow ipsec_t ipsec_key_file_t:dir list_dir_perms; --manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) - read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) -+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) -+ -+manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) -+logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") - - manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) - manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) - allow ipsec_mgmt_t ipsec_t:fd use; - allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; - allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; --allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; -+allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull }; - - kernel_read_kernel_sysctls(ipsec_t) --kernel_read_net_sysctls(ipsec_t) -+kernel_rw_net_sysctls(ipsec_t) - kernel_list_proc(ipsec_t) - kernel_read_proc_symlinks(ipsec_t) - # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t) - corecmd_exec_bin(ipsec_t) - - # Pluto needs network access --corenet_all_recvfrom_unlabeled(ipsec_t) --corenet_tcp_sendrecv_all_if(ipsec_t) --corenet_raw_sendrecv_all_if(ipsec_t) --corenet_tcp_sendrecv_all_nodes(ipsec_t) --corenet_raw_sendrecv_all_nodes(ipsec_t) -+corenet_tcp_sendrecv_generic_if(ipsec_t) -+corenet_raw_sendrecv_generic_if(ipsec_t) -+corenet_tcp_sendrecv_generic_node(ipsec_t) -+corenet_raw_sendrecv_generic_node(ipsec_t) - corenet_tcp_sendrecv_all_ports(ipsec_t) --corenet_tcp_bind_all_nodes(ipsec_t) --corenet_udp_bind_all_nodes(ipsec_t) -+corenet_tcp_bind_generic_node(ipsec_t) -+corenet_udp_bind_generic_node(ipsec_t) - 
corenet_tcp_bind_reserved_port(ipsec_t) - corenet_tcp_bind_isakmp_port(ipsec_t) - corenet_udp_bind_isakmp_port(ipsec_t) - corenet_udp_bind_ipsecnat_port(ipsec_t) -+corenet_udp_bind_dhcpc_port(ipsec_t) - corenet_sendrecv_generic_server_packets(ipsec_t) - corenet_sendrecv_isakmp_server_packets(ipsec_t) -+corenet_tcp_connect_http_port(ipsec_t) -+corenet_tcp_connect_ldap_port(ipsec_t) - - dev_read_sysfs(ipsec_t) - dev_read_rand(ipsec_t) -@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t) - fs_getattr_all_fs(ipsec_t) - fs_search_auto_mountpoints(ipsec_t) - -+selinux_compute_access_vector(ipsec_t) -+ - term_use_console(ipsec_t) - term_dontaudit_use_all_ttys(ipsec_t) - - auth_use_nsswitch(ipsec_t) -+auth_read_home_content(ipsec_t) - - init_use_fds(ipsec_t) - init_use_script_ptys(ipsec_t) - -+logging_read_all_logs(ipsec_mgmt_t) - logging_send_syslog_msg(ipsec_t) - --miscfiles_read_localization(ipsec_t) - - sysnet_domtrans_ifconfig(ipsec_t) -+sysnet_manage_config(ipsec_t) -+sysnet_etc_filetrans_config(ipsec_t) - - userdom_dontaudit_use_unpriv_user_fds(ipsec_t) - userdom_dontaudit_search_user_home_dirs(ipsec_t) - - optional_policy(` -+ iptables_domtrans(ipsec_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(ipsec_t) - ') - -@@ -187,10 +208,10 @@ optional_policy(` - # ipsec_mgmt Local policy - # - --allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; --dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; --allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; --allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; -+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; -+dontaudit ipsec_mgmt_t self:capability sys_tty_config; -+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; -+allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow ipsec_mgmt_t 
self:tcp_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:udp_socket create_socket_perms; - allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) - - allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; - files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -+filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file) - - manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) -+manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) - manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) - - allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; --files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) -+files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) - - # _realsetup needs to be able to cat /var/run/pluto.pid, - # run ps on that pid, and delete the file -@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) - kernel_getattr_core_if(ipsec_mgmt_t) - kernel_getattr_message_if(ipsec_mgmt_t) - -+domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) -+domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) -+ -+dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) -+dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) -+ -+dev_read_sysfs(ipsec_mgmt_t) -+ -+files_dontaudit_getattr_all_files(ipsec_mgmt_t) -+files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) - files_read_kernel_symbol_table(ipsec_mgmt_t) - files_getattr_kernel_modules(ipsec_mgmt_t) - -@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) - corecmd_exec_bin(ipsec_mgmt_t) - corecmd_exec_shell(ipsec_mgmt_t) - -+corenet_tcp_connect_rndc_port(ipsec_mgmt_t) -+ - dev_read_rand(ipsec_mgmt_t) - dev_read_urand(ipsec_mgmt_t) - -@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) - fs_list_tmpfs(ipsec_mgmt_t) - - term_use_console(ipsec_mgmt_t) --term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) 
-+term_use_all_inherited_terms(ipsec_mgmt_t) - - auth_dontaudit_read_login_records(ipsec_mgmt_t) -+auth_use_nsswitch(ipsec_mgmt_t) - - init_read_utmp(ipsec_mgmt_t) - init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) - - logging_send_syslog_msg(ipsec_mgmt_t) - --miscfiles_read_localization(ipsec_mgmt_t) -- --seutil_dontaudit_search_config(ipsec_mgmt_t) -- - sysnet_manage_config(ipsec_mgmt_t) - sysnet_domtrans_ifconfig(ipsec_mgmt_t) - sysnet_etc_filetrans_config(ipsec_mgmt_t) - --userdom_use_user_terminals(ipsec_mgmt_t) -+systemd_exec_systemctl(ipsec_mgmt_t) -+ -+userdom_use_inherited_user_terminals(ipsec_mgmt_t) -+ -+optional_policy(` -+ bind_read_dnssec_keys(ipsec_mgmt_t) -+ bind_read_config(ipsec_mgmt_t) -+') - - optional_policy(` - consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +361,10 @@ optional_policy(` - ') - - optional_policy(` -+ l2tpd_read_pid_files(ipsec_mgmt_t) -+') -+ -+optional_policy(` - modutils_domtrans_insmod(ipsec_mgmt_t) - ') - -@@ -335,7 +378,7 @@ optional_policy(` - # - - allow racoon_t self:capability { net_admin net_bind_service }; --allow racoon_t self:netlink_route_socket create_netlink_socket_perms; -+allow racoon_t self:netlink_route_socket { create_netlink_socket_perms }; - allow racoon_t self:unix_dgram_socket { connect create ioctl write }; - allow racoon_t self:netlink_selinux_socket { bind create read }; - allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t) - corecmd_exec_shell(racoon_t) - corecmd_exec_bin(racoon_t) - --corenet_all_recvfrom_unlabeled(racoon_t) --corenet_tcp_sendrecv_all_if(racoon_t) --corenet_udp_sendrecv_all_if(racoon_t) --corenet_tcp_sendrecv_all_nodes(racoon_t) --corenet_udp_sendrecv_all_nodes(racoon_t) --corenet_tcp_bind_all_nodes(racoon_t) --corenet_udp_bind_all_nodes(racoon_t) -+corenet_tcp_sendrecv_generic_if(racoon_t) -+corenet_udp_sendrecv_generic_if(racoon_t) 
-+corenet_tcp_sendrecv_generic_node(racoon_t) -+corenet_udp_sendrecv_generic_node(racoon_t) -+corenet_tcp_bind_generic_node(racoon_t) -+corenet_udp_bind_generic_node(racoon_t) - corenet_udp_bind_isakmp_port(racoon_t) - corenet_udp_bind_ipsecnat_port(racoon_t) - -@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t) - logging_send_syslog_msg(racoon_t) - logging_send_audit_msgs(racoon_t) - --miscfiles_read_localization(racoon_t) -- - sysnet_exec_ifconfig(racoon_t) - -+auth_use_pam(racoon_t) -+ - auth_can_read_shadow_passwords(racoon_t) - tunable_policy(`racoon_read_shadow',` - auth_tunable_read_shadow(racoon_t) -@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t) - - locallogin_use_fds(setkey_t) - --miscfiles_read_localization(setkey_t) - - seutil_read_config(setkey_t) - --userdom_use_user_terminals(setkey_t) -- -+userdom_use_inherited_user_terminals(setkey_t) -+userdom_read_user_tmp_files(setkey_t) -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 1b93eb7..b2532aa 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -1,21 +1,27 @@ - /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) --/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) --/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) --/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) - - /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) 
--/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - -+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) --/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) --/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) --/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index c42fbc3..174cfdb 100644 ---- 
a/policy/modules/system/iptables.if -+++ b/policy/modules/system/iptables.if -@@ -17,10 +17,6 @@ interface(`iptables_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, iptables_exec_t, iptables_t) -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit iptables_t $1:socket_class_set { read write }; -- ') - ') - - ######################################## -@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',` - init_labeled_script_domtrans($1, iptables_initrc_exec_t) - ') - -+######################################## -+## -+## Execute iptables server in the iptables domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`iptables_systemctl',` -+ gen_require(` -+ type iptables_unit_file_t; -+ type iptables_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 iptables_unit_file_t:file read_file_perms; -+ allow $1 iptables_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, iptables_t) -+') -+ - ##################################### - ## - ## Set the attributes of iptables config files. 
-diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..cafb28e 100644 ---- a/policy/modules/system/iptables.te -+++ b/policy/modules/system/iptables.te -@@ -16,15 +16,15 @@ role iptables_roles types iptables_t; - type iptables_initrc_exec_t; - init_script_file(iptables_initrc_exec_t) - --type iptables_conf_t; --files_config_file(iptables_conf_t) -- - type iptables_tmp_t; - files_tmp_file(iptables_tmp_t) - - type iptables_var_run_t; - files_pid_file(iptables_var_run_t) - -+type iptables_unit_file_t; -+systemd_unit_file(iptables_unit_file_t) -+ - ######################################## - # - # Iptables local policy -@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; - allow iptables_t self:netlink_socket create_socket_perms; - allow iptables_t self:rawip_socket create_socket_perms; - --manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) --files_etc_filetrans(iptables_t, iptables_conf_t, file) -+files_manage_system_conf_files(iptables_t) -+files_etc_filetrans_system_conf(iptables_t) - - manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) - files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; - allow iptables_t iptables_tmp_t:file manage_file_perms; - files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) - -+kernel_getattr_proc(iptables_t) - kernel_request_load_module(iptables_t) - kernel_read_system_state(iptables_t) - kernel_read_network_state(iptables_t) -@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t) - corenet_dontaudit_rw_tun_tap_dev(iptables_t) - - dev_read_sysfs(iptables_t) -+dev_read_urand(iptables_t) - - fs_getattr_xattr_fs(iptables_t) - fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t) - mls_file_read_all_levels(iptables_t) - - term_dontaudit_use_console(iptables_t) 
-+term_use_all_inherited_terms(iptables_t) - - domain_use_interactive_fds(iptables_t) - --files_read_etc_files(iptables_t) --files_read_etc_runtime_files(iptables_t) -+files_rw_etc_runtime_files(iptables_t) -+files_rw_inherited_tmp_file(iptables_t) - - auth_use_nsswitch(iptables_t) - -@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t) - # to allow rules to be saved on reboot: - init_rw_script_tmp_files(iptables_t) - init_rw_script_stream_sockets(iptables_t) -+init_dontaudit_script_leaks(iptables_t) - - logging_send_syslog_msg(iptables_t) - --miscfiles_read_localization(iptables_t) -- - sysnet_run_ifconfig(iptables_t, iptables_roles) - sysnet_dns_name_resolve(iptables_t) - --userdom_use_user_terminals(iptables_t) -+userdom_use_inherited_user_terminals(iptables_t) - userdom_use_all_users_fds(iptables_t) - - ifdef(`hide_broken_symptoms',` -@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` - - optional_policy(` - fail2ban_append_log(iptables_t) -+ fail2ban_dontaudit_leaks(iptables_t) -+ fail2ban_rw_inherited_tmp_files(iptables_t) - ') - - optional_policy(` -@@ -110,6 +114,11 @@ optional_policy(` - ') - - optional_policy(` -+ firewalld_read_config(iptables_t) -+ firewalld_dontaudit_write_tmp_files(iptables_t) -+') -+ -+optional_policy(` - modutils_run_insmod(iptables_t, iptables_roles) - ') - -@@ -124,6 +133,12 @@ optional_policy(` - - optional_policy(` - psad_rw_tmp_files(iptables_t) -+ psad_write_log(iptables_t) -+') -+ -+optional_policy(` -+ neutron_rw_inherited_pipes(iptables_t) -+ neutron_sigchld(iptables_t) - ') - - optional_policy(` -@@ -135,9 +150,9 @@ optional_policy(` - ') - - optional_policy(` -+ shorewall_read_config(iptables_t) - shorewall_read_tmp_files(iptables_t) - shorewall_rw_lib_files(iptables_t) -- shorewall_read_config(iptables_t) - ') - - optional_policy(` -diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..5b9420f 100644 ---- a/policy/modules/system/libraries.fc -+++ 
b/policy/modules/system/libraries.fc -@@ -1,3 +1,4 @@ -+ - # - # /emul - # -@@ -28,14 +29,17 @@ ifdef(`distro_redhat',` - # /etc - # - /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) -+/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) - /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) -+/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) - - /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) - - # - # /lib(64)? - # --/lib -d gen_context(system_u:object_r:lib_t,s0) -+/lib gen_context(system_u:object_r:lib_t,s0) -+/lib64 gen_context(system_u:object_r:lib_t,s0) - /lib/.* gen_context(system_u:object_r:lib_t,s0) - /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - -@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',` - # - # /opt - # --/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) -+/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) --/opt/(.*/)?lib64(/.*)? 
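Review bot: `/etc/ld\.so\.preload~` in the @@ -28 hunk now shares ld_so_cache_t with the cache, so the editor backup of the loader's system-wide preload list becomes writable by every domain allowed to write ld_so_cache_t; the non-backup `ld.so.preload` line already had that type, so the hunk extends an existing sensitive sharing rather than creating one. A comment on the pair, `# ld.so.preload shares ld_so_cache_t: any writer of that type can preload libraries into every process`, would make that visible to whoever next grants write access on the type. Dropping `-d` from `/lib` and adding a bare `/lib64` entry presumably covers the usr-merge symlinks; saying so inline stops someone from re-adding `-d`.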
gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` - # - # /usr - # -+/usr/lib -d gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/.* gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -+ -+/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ - /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` - /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) - - /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) --/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) - --/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) -+/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) - - /usr/(.*/)?nvidia/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` - /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +152,21 @@ ifdef(`distro_redhat',` - /usr/lib/ati-fglrx/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib.*/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - --/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) --/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - 
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -@@ -182,11 +195,13 @@ ifdef(`distro_redhat',` - # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv - # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php - HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ - - # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame - /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- 
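Review bot: The hyphenated NVIDIA objects lose their textrel label in the @@ -141 hunk: the removed `/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*` matched `libnvidia-glcore.so.*`, `libnvidia-tls.so.*` and friends, while the replacements `/usr/lib/libnvidia\.so(\.[^/]*)*` and `/usr/lib.*/libnvidia\.so(\.[^/]*)*` only match a literal `libnvidia.so`, so unless that file exists those objects fall back to lib_t and lose execmod — a regression rather than a tightening. `/usr/lib/nvidia.*\.so(\.[^/]*)*` goes the other way, replacing the narrow `/usr/lib/nvidia/libGL(core)?\.so` with every .so under any `/usr/lib/nvidia*` path; since textrel_shlib_t is what unlocks execmod in `libs_use_shared_libs`, each widening is a W^X exception that deserves a one-line justification. Suggest `/usr/lib(/.*)?/libnvidia[^/]*\.so(\.[^/]*)*` in place of the two literal entries, with `# NVIDIA binary driver objects carry text relocations` above the block.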
gen_context(system_u:object_r:textrel_shlib_t,s0) - --HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - # Jai, Sun Microsystems (Jpackage SPRM) - /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te - - # Java, Sun Microsystems (JPackage SRPM) - /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - --/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - --/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
--/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te - # - /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) - --/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) --/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -- --/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -+/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - - /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) - -+/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -+/var/named/chroot/usr/lib(/.*)? 
gen_context(system_u:object_r:lib_t,s0) -+ -+/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -+ - ifdef(`distro_suse',` - /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) - ') - --/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) -+/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -+/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -+/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) - /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) --/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) -+/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) -+ -+/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
-+/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) -+ -+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+ -+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/gstreamer-.*/[^/]*\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+ifdef(`fixed',` -+/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+# Flash plugin, Macromedia 
-+/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+') -+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/opt/real/RealPlayer/codecs(/.*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) -diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..9d8f729 100644 ---- a/policy/modules/system/libraries.if -+++ b/policy/modules/system/libraries.if -@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` - - ######################################## - ## -+## Make ldconfig_exec_t entrypoint for -+## the specified domain. -+## -+## -+## -+## The domain for which bin_t is an entrypoint. -+## -+## -+# -+interface(`libs_ldconfig_exec_entry_type',` -+ gen_require(` -+ type ldconfig_exec_t; -+ ') -+ -+ domain_entry_file($1, ldconfig_exec_t) -+') -+ -+######################################## -+## - ## Use the dynamic link/loader for automatic loading - ## of shared libraries. 
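Review bot: The `ifdef(`fixed',` … `')` block in the @@ -299 hunk wraps about twenty textrel entries (libavcodec, libxul, libphp5, the php modules, …) in a macro that is defined nowhere visible, so they are silently compiled out; either they are stale and should go, or the guard needs a comment saying what `fixed` means and who defines it. The `# Flash plugin, Macromedia` comment inside that block sits above `/usr/lib/php/modules/.+\.so` and `libphp5\.so`, not above any flash entry, and should move or be deleted. Separately, `/usr/bin/bsnes -- textrel_shlib_t` labels an executable as a library type; it works because `libs_use_shared_libs` grants mmap/execute plus execmod on textrel_shlib_t, but it also means any caller may execmod it and it can never be a domain entrypoint, so it deserves `# bsnes ELF has text relocations; labelled as a shlib so execmod is allowed` next to it. The entries this hunk amends begin outside the hunk.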
- ## -@@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',` - type lib_t, ld_so_t; - ') - -+ read_lnk_files_pattern($1, lib_t, lib_t) - manage_files_pattern($1, lib_t, ld_so_t) - ') - -@@ -205,8 +225,26 @@ interface(`libs_search_lib',` - type lib_t; - ') - -+ read_lnk_files_pattern($1, lib_t, lib_t) - allow $1 lib_t:dir search_dir_perms; - ') -+######################################## -+## -+## dontaudit attempts to setattr on library files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`libs_dontaudit_setattr_lib_files',` -+ gen_require(` -+ type lib_t; -+ ') -+ -+ dontaudit $1 lib_t:file setattr; -+') - - ######################################## - ## -@@ -248,29 +286,12 @@ interface(`libs_manage_lib_dirs',` - type lib_t; - ') - -+ read_lnk_files_pattern($1, lib_t, lib_t) - allow $1 lib_t:dir manage_dir_perms; - ') - - ######################################## - ## --## dontaudit attempts to setattr on library files --## --## --## --## Domain to not audit. --## --## --# --interface(`libs_dontaudit_setattr_lib_files',` -- gen_require(` -- type lib_t; -- ') -- -- dontaudit $1 lib_t:file setattr; --') -- --######################################## --## - ## Read files in the library directories, such - ## as static libraries. 
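Review bot: The parameter description of the new `libs_ldconfig_exec_entry_type` reads `The domain for which bin_t is an entrypoint.`, a copy-paste from the corecmd interface: the body calls `domain_entry_file($1, ldconfig_exec_t)`, so it should read `The domain for which ldconfig_exec_t is an entrypoint.`. The summary should also say the interface is for domains that run ldconfig in place rather than transition to ldconfig_t, since a wrong choice here bypasses the dedicated ldconfig_t policy; `## Use only for domains that execute ldconfig without transitioning.` covers it. The stripped XML tags (`summary`/`param`) need restoring for the doc generator to pick the text up.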
- ## -@@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',` - type lib_t; - ') - -+ read_lnk_files_pattern($1, lib_t, lib_t) - manage_files_pattern($1, lib_t, lib_t) - ') - -@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',` - type lib_t, textrel_shlib_t; - ') - -- manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -+ read_lnk_files_pattern($1, lib_t, lib_t) -+ manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) - ') - - ######################################## -@@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',` - ') - - files_search_usr($1) -- allow $1 lib_t:dir list_dir_perms; -- read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -- mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -+ allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; -+ read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) -+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) -+# allow $1 lib_t:file execmod; - allow $1 textrel_shlib_t:file execmod; - ') - -@@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',` - type lib_t, textrel_shlib_t; - ') - -- relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -+ relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) - ') - - ######################################## -@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',` - interface(`files_lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated.') - ') -+ -+######################################## -+## -+## Transition to lib named content -+## -+## -+## -+## Domain allowed access. 
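Review bot: `libs_use_shared_libs` in the @@ -440 hunk keeps `# allow $1 lib_t:file execmod;` as commented-out code, and that one line would collapse the lib_t / textrel_shlib_t split by granting execmod on every library to every domain that links anything — exactly what the separate type exists to prevent. Delete the line, or replace it with a statement of policy: `# execmod is deliberately limited to textrel_shlib_t; never grant it on lib_t`. The added `{ textrel_shlib_t lib_t }:dir list_dir_perms` is harmless, but libraries.fc only ever applies textrel_shlib_t to files, so `lib_t:dir` alone was the accurate rule.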
-+## 
-+## 
-+#
-+interface(`libs_filetrans_named_content',`
-+ gen_require(`
-+ type ld_so_cache_t;
-+ type ldconfig_cache_t;
-+ ')
-+
-+ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
-+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
-+')
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..52a8540 100644
---- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
- # lib_t is the type of files in the system lib directories.
- #
- type lib_t alias shlib_t;
--files_type(lib_t)
-+files_ro_base_file(lib_t)
- 
- #
- # textrel_shlib_t is the type of shared objects in the system lib
- # directories, which require text relocation.
- #
- type textrel_shlib_t alias texrel_shlib_t;
--files_type(textrel_shlib_t)
-+files_ro_base_file(textrel_shlib_t)
- 
- ifdef(`distro_gentoo',`
- # openrc unfortunately mounts a tmpfs
-@@ -59,9 +59,11 @@ optional_policy(`
- 
- allow ldconfig_t self:capability { dac_override sys_chroot };
- 
-+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
- manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
-+files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
- 
--allow ldconfig_t ld_so_cache_t:file manage_file_perms;
-+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
- files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
- 
- manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t)
- 
- fs_getattr_xattr_fs(ldconfig_t)
- 
-+files_list_var_lib(ldconfig_t)
-+files_dontaudit_leaks(ldconfig_t)
-+files_manage_var_lib_symlinks(ldconfig_t)
-+
- corecmd_search_bin(ldconfig_t)
- 
- 
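Review bot: `libs_filetrans_named_content` transitions `ld.so.preload` and `ld.so.preload~` to ld_so_cache_t alongside the cache, but its doc block never says that /etc/ld.so.preload is the loader's system-wide preload list, so a caller that is also allowed to write ld_so_cache_t can inject a shared object into every dynamically linked process. That is fine for ldconfig_t, which already manages the type in the @@ -59 hunk below, but the interface text should spell the consequence out: `## Note: ld.so.preload shares ld_so_cache_t; granting write access to that type lets the caller preload libraries system-wide.`. If the set of callers grows beyond ldconfig, a separate type for the preload file is the cleaner fix.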
domain_use_interactive_fds(ldconfig_t)
- 
--files_search_var_lib(ldconfig_t)
-+files_search_home(ldconfig_t)
- files_read_etc_files(ldconfig_t)
- files_read_usr_files(ldconfig_t)
- files_search_tmp(ldconfig_t)
-@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t)
- init_use_script_ptys(ldconfig_t)
- init_read_script_tmp_files(ldconfig_t)
- 
--miscfiles_read_localization(ldconfig_t)
- 
- logging_send_syslog_msg(ldconfig_t)
- 
--userdom_use_user_terminals(ldconfig_t)
-+term_use_console(ldconfig_t)
-+userdom_use_inherited_user_terminals(ldconfig_t)
- userdom_use_all_users_fds(ldconfig_t)
- 
- ifdef(`distro_ubuntu',`
-@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',`
- ')
- ')
- 
-+userdom_dontaudit_list_admin_dir(ldconfig_t)
-+userdom_list_user_home_dirs(ldconfig_t)
-+userdom_manage_user_home_content_files(ldconfig_t)
-+userdom_manage_user_tmp_files(ldconfig_t)
-+userdom_manage_user_tmp_symlinks(ldconfig_t)
-+
- ifdef(`hide_broken_symptoms',`
- ifdef(`distro_gentoo',`
- # leaked fds from portage
-@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',`
- ')
- ')
- 
-+ dev_dontaudit_rw_lvm_control(ldconfig_t)
-+ dev_dontaudit_read_all_chr_files(ldconfig_t)
-+ dev_dontaudit_read_all_blk_files(ldconfig_t)
-+ term_dontaudit_use_unallocated_ttys(ldconfig_t)
-+
- optional_policy(`
- unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
- ')
-@@ -131,6 +148,14 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ gnome_append_generic_cache_files(ldconfig_t)
-+')
-+
-+optional_policy(`
-+ kdump_manage_kdumpctl_tmp_files(ldconfig_t)
-+')
-+
-+optional_policy(`
- puppet_rw_tmp(ldconfig_t)
- ')
- 
-@@ -141,6 +166,3 @@ optional_policy(`
- rpm_manage_script_tmp_files(ldconfig_t)
- ')
- 
--optional_policy(`
-- unconfined_domain(ldconfig_t)
--')
-diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index be6a81b..a5303e9 100644
---- a/policy/modules/system/locallogin.fc
-+++ b/policy/modules/system/locallogin.fc
-@@ -1,3 +1,8 @@
-+HOME_DIR/\.hushlogin -- 
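Review bot: The @@ -103 hunk grants ldconfig_t `userdom_manage_user_home_content_files`, `userdom_manage_user_tmp_files` and `userdom_manage_user_tmp_symlinks` unconditionally, on top of `files_search_home` and the `dac_override` capability it already holds, so a root-run ldconfig may create, overwrite and delete any file in any user's home or tmp. That is far wider than writing a cache under a user-owned prefix; if the need is `ldconfig -r`/`-C` against a user-owned tree, scope it to the types actually hit or gate it with a boolean, and in any case record the reason: `# ldconfig run against a user-owned root (ldconfig -r) writes the cache there`. Dropping `unconfined_domain(ldconfig_t)` in the @@ -141 hunk is the right direction; these grants partly undo it.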
gen_context(system_u:object_r:local_login_home_t,s0)
-+/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
- 
- /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
- /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+
-+/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
-index 0e3c2a9..ea9bd57 100644
---- a/policy/modules/system/locallogin.if
-+++ b/policy/modules/system/locallogin.if
-@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',`
- 
- domtrans_pattern($1, sulogin_exec_t, sulogin_t)
- ')
-+
-+#######################################
-+## 
-+## Allow domain to gettatr local login home content
-+## 
-+## 
-+## 
-+## Domain allowed access.
-+## 
-+## 
-+#
-+interface(`locallogin_getattr_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ getattr_files_pattern($1, local_login_home_t, local_login_home_t)
-+')
-+
-+########################################
-+## 
-+## create local login content in the in the /root directory
-+## with an correct label.
-+## 
-+## 
-+## 
-+## Domain allowed access.
-+## 
-+## 
-+#
-+interface(`locallogin_filetrans_admin_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+')
-+
-+########################################
-+## 
-+## Transition to local login named content
-+## 
-+## 
-+## 
-+## Domain allowed access. 
-+## 
-+## 
-+#
-+interface(`locallogin_filetrans_home_content',`
-+ gen_require(`
-+ type local_login_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
-+')
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..ed59137 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
- type local_login_lock_t;
- files_lock_file(local_login_lock_t)
- 
--type local_login_tmp_t;
--files_tmp_file(local_login_tmp_t)
--files_poly_parent(local_login_tmp_t)
-+type local_login_home_t;
-+userdom_user_home_content(local_login_home_t)
- 
- type sulogin_t;
- type sulogin_exec_t;
-@@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t)
- init_system_domain(sulogin_t, sulogin_exec_t)
- role system_r types sulogin_t;
- 
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh)
-+')
-+
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
-+')
-+
- ########################################
- #
- # Local login local policy
- #
- 
--allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
--allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
-+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
- allow local_login_t self:fd use;
- allow local_login_t self:fifo_file rw_fifo_file_perms;
- allow local_login_t self:sock_file read_sock_file_perms;
-@@ -51,9 +57,7 @@ allow 
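Review bot: The doc text of the new locallogin.if interfaces carries typos that will land in the generated policy documentation: `gettatr` should be `getattr` in `locallogin_getattr_home_content`, and `create local login content in the in the /root directory with an correct label.` should read `Create local login content in the /root directory with the correct label.`. `locallogin_filetrans_home_content` should also state that the only name it transitions is `.hushlogin` (user and admin home), so callers do not read it as a general home-content filetrans. The stripped `summary`/`param` XML tags need restoring for the doc generator to see any of this.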
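Review bot: `sys_admin` is added to local_login_t's self capability set in the @@ -27 hunk with no comment; CAP_SYS_ADMIN is the broadest capability Linux has, and a login program holding it widens what a pre-authentication bug in login can reach. If it is needed for one specific operation, name it next to the rule, e.g. `# sys_admin: required for <syscall> (see audit msg ...)`; if it only silences a denial that does not break login, a `dontaudit` is the safer answer. The rewritten `self:process ~{ ... }` rule is net-neutral (setexec/setrlimit were granted explicitly before and are now simply not excluded), which is fine but worth a one-line note so nobody reads it as a loosening.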
local_login_t self:key { search write link };
- allow local_login_t local_login_lock_t:file manage_file_perms;
- files_lock_filetrans(local_login_t, local_login_lock_t, file)
- 
--allow local_login_t local_login_tmp_t:dir manage_dir_perms;
--allow local_login_t local_login_tmp_t:file manage_file_perms;
--files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
-+allow local_login_t local_login_home_t:file read_file_perms;
- 
- kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
-@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
- dev_setattr_power_mgmt_dev(local_login_t)
- dev_getattr_sound_dev(local_login_t)
- dev_setattr_sound_dev(local_login_t)
-+dev_rw_generic_usb_dev(local_login_t)
-+dev_read_video_dev(local_login_t)
- dev_dontaudit_getattr_apm_bios_dev(local_login_t)
- dev_dontaudit_setattr_apm_bios_dev(local_login_t)
- dev_dontaudit_read_framebuffer(local_login_t)
-@@ -117,16 +123,18 @@ term_relabel_unallocated_ttys(local_login_t)
- term_relabel_all_ttys(local_login_t)
- term_setattr_all_ttys(local_login_t)
- term_setattr_unallocated_ttys(local_login_t)
-+term_relabel_all_ptys(local_login_t)
-+term_setattr_generic_ptys(local_login_t)
- 
- auth_rw_login_records(local_login_t)
- auth_rw_faillog(local_login_t)
--auth_manage_pam_pid(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
-+auth_use_nsswitch(local_login_t)
- 
- init_dontaudit_use_fds(local_login_t)
-+init_stream_connect(local_login_t)
- 
--miscfiles_read_localization(local_login_t)
- 
- userdom_spec_domtrans_all_users(local_login_t)
- userdom_signal_all_users(local_login_t)
-@@ -141,19 +149,15 @@ ifdef(`distro_ubuntu',`
- ')
- ')
- 
--tunable_policy(`console_login',`
-- # Able to relabel /dev/console to user tty types. 
-- term_relabel_console(local_login_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(local_login_t) -- fs_read_nfs_symlinks(local_login_t) --') -+userdom_home_reader(local_login_t) -+userdom_manage_tmp_files(local_login_t) -+userdom_tmp_filetrans_user_tmp(local_login_t, file) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(local_login_t) -- fs_read_cifs_symlinks(local_login_t) -+tunable_policy(`login_console_enabled',` -+ term_use_console(local_login_t) -+ # Able to relabel /dev/console to user tty types. -+ term_relabel_console(local_login_t) -+ term_setattr_console(local_login_t) - ') - - optional_policy(` -@@ -177,14 +181,6 @@ optional_policy(` - ') - - optional_policy(` -- nis_use_ypbind(local_login_t) --') -- --optional_policy(` -- nscd_use(local_login_t) --') -- --optional_policy(` - unconfined_shell_domtrans(local_login_t) - ') - -@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms; - allow sulogin_t self:msgq create_msgq_perms; - allow sulogin_t self:msg { send receive }; - -+kernel_read_crypto_sysctls(sulogin_t) - kernel_read_system_state(sulogin_t) - -+dev_getattr_all_chr_files(sulogin_t) -+dev_getattr_all_blk_files(sulogin_t) -+ - fs_search_auto_mountpoints(sulogin_t) - fs_rw_tmpfs_chr_files(sulogin_t) - - files_read_etc_files(sulogin_t) - # because file systems are not mounted: - files_dontaudit_search_isid_type_dirs(sulogin_t) -+files_search_pids(sulogin_t) - - auth_read_shadow(sulogin_t) -+auth_use_nsswitch(sulogin_t) - - init_getpgid_script(sulogin_t) -+init_getpgid(sulogin_t) - - logging_send_syslog_msg(sulogin_t) - -+ - seutil_read_config(sulogin_t) - seutil_read_default_contexts(sulogin_t) - - userdom_use_unpriv_users_fds(sulogin_t) - -+userdom_search_admin_dir(sulogin_t) - userdom_search_user_home_dirs(sulogin_t) - userdom_use_user_ptys(sulogin_t) - --sysadm_shell_domtrans(sulogin_t) -+term_use_console(sulogin_t) -+term_use_unallocated_ttys(sulogin_t) -+term_use_generic_ptys(sulogin_t) -+ 
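Review bot: The boolean is renamed from `console_login` to `login_console_enabled` with no compatibility alias in this hunk, so an existing `setsebool console_login=1` on an upgraded host silently stops applying and the console use/relabel/setattr rules go away. Likewise the NFS/CIFS home-directory reads were previously conditional on `use_nfs_home_dirs` / `use_samba_home_dirs` and are now replaced by an unconditional `userdom_home_reader(local_login_t)`; whether that interface still honours those booleans is not visible here, so either confirm it does or keep the two `tunable_policy` blocks. At minimum a comment such as `# renamed from console_login; the old boolean name is not aliased` documents the break for administrators.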
-+ifdef(`enable_mls',` -+ sysadm_shell_domtrans(sulogin_t) -+',` -+ optional_policy(` -+ unconfined_shell_domtrans(sulogin_t) -+ ') -+') - - # suse and debian do not use pam with sulogin... - ifdef(`distro_suse', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') - -+allow sulogin_t self:capability sys_tty_config; - ifdef(`sulogin_no_pam', ` -- allow sulogin_t self:capability sys_tty_config; - init_getpgid(sulogin_t) - ', ` - allow sulogin_t self:process setexec; -@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` - selinux_compute_relabel_context(sulogin_t) - selinux_compute_user_contexts(sulogin_t) - ') -- --optional_policy(` -- nis_use_ypbind(sulogin_t) --') -- --optional_policy(` -- nscd_use(sulogin_t) --') -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..2faaaf2 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -2,10 +2,13 @@ - - /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -+/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) - /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - -+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0) -+ - /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) - /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) - /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) -@@ -17,12 +20,25 @@ - /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - -+/opt/zimbra/log(/.*)? 
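Review bot: On the non-MLS path the rescue shell now transitions to unconfined via `unconfined_shell_domtrans(sulogin_t)` inside an `optional_policy`, while the former unconditional `sysadm_shell_domtrans(sulogin_t)` is kept only under `enable_mls`; if the unconfined module is not loaded, no shell transition is declared at all on that path, and the shell would presumably keep running in sulogin_t with its narrow rule set -- worth confirming and documenting. I'd add `# non-MLS: fall back to sysadm_t when the unconfined module is absent` together with an else branch of the optional block, or a comment stating that unconfined is mandatory on targeted. Separately, `allow sulogin_t self:capability sys_tty_config;` is moved out of the `sulogin_no_pam` branch, but it now sits directly under the comment "suse and debian do not use pam with sulogin", which no longer describes it.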
gen_context(system_u:object_r:var_log_t,s0) -+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ -+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+ -+/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ -+/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) -+/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) -+/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) -+/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) - /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) --/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - - /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - /var/lib/syslog-ng(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,13 +54,13 @@ ifdef(`distro_suse', ` - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) --/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) --/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) -+/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) -+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) - - ifndef(`distro_gentoo',` - /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',` - ifdef(`distro_redhat',` - /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) - /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) -+/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) - ') - - /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -65,11 +82,16 @@ ifdef(`distro_redhat',` - /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) - /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) -+/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) - - /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) - /var/spool/bacula/log(/.*)? 
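Review bot: `/usr/lib/systemd/systemd-journald` and `systemd-kmsg-syslogd` are labeled `syslogd_exec_t`, which puts journald in the same syslogd_t domain as rsyslog/syslog-ng, so every permission later granted to syslogd_t for one daemon's sake (later hunks in this patch add `sys_ptrace`, `corecmd_exec_bin`/`corecmd_exec_shell` and `kernel_request_load_module`) is then held by the other as well. If a dedicated journald domain is out of scope, record the decision next to the entry, e.g. `# journald shares syslogd_t; keep syslogd_t rules daemon-neutral`. The `/opt/zimbra`, `/opt/Symantec` and `/usr/centreon` trees labeled as generic `var_log_t` are third-party paths with no comment on why the generic type rather than a private one is wanted.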
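Review bot: The explicit `/var/log/boot\.log -- … mls_systemhigh` entry is deleted with no replacement, so on an MLS policy boot.log now falls through to the generic `/var/log/.*` rule at `s0` -- a level downgrade for a file that sits beside messages/secure/maillog, which keep `mls_systemhigh` in the same hunk. If the intent is that boot.log is no longer written by a syslog daemon, say so with a comment; otherwise restore the entry. The removed `/var/log/syslog-ng(/.*)?` line is a different matter: it labeled a /var/log path as `syslogd_var_run_t`, so letting it default to `var_log_t` looks like a correction.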
gen_context(system_u:object_r:var_log_t,s0) - /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) --/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ - /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ -+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+ -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..9b82ed0 100644 ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` - - ######################################## - ## --## Connect to auditdstored over an unix stream socket. -+## Connect to auditdstored over a unix stream socket. - ## - ## - ## -@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',` - - ######################################## - ## --## Connect to the audit dispatcher over an unix stream socket. -+## Connect to the audit dispatcher over a unix stream socket. - ## - ## - ## -@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',` - filetrans_pattern($1, var_log_t, $2, $3, $4) - ') - -+####################################### -+## -+## Create an object in the log directory, with a private type. -+## -+## -+##

    -+## Allow the specified domain to create an object -+## in the general system log directories (e.g., /var/log) -+## with a private type. Typically this is used for creating -+## private log files in /var/log with the private type instead -+## of the general system log type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

    -+##

    -+## Related interfaces: -+##

    -+##
      -+##
    • logging_log_file()
    • -+##
    -+##

    -+## Example usage with a domain that can create -+## and append to a private log file stored in the -+## general directories (e.g., /var/log): -+##

    -+##

    -+## type mylogfile_t; -+## logging_log_file(mylogfile_t) -+## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; -+## logging_log_filetrans(mydomain_t, mylogfile_t, file) -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+## -+# -+interface(`logging_log_named_filetrans',` -+ gen_require(` -+ type var_log_t; -+ ') -+ -+ files_search_var($1) -+ filetrans_pattern($1, var_log_t, $2, $3, $4) -+') -+ - ######################################## - ## - ## Send system log messages. -@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',` - # - interface(`logging_send_syslog_msg',` - gen_require(` -- type syslogd_t, devlog_t; -+ attribute syslog_client_type; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; -+ typeattribute $1 syslog_client_type; -+') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; -+######################################## -+## -+## Connect to the syslog control unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`logging_create_devlog_dev',` -+ gen_require(` -+ type devlog_t; -+ ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) -+ allow $1 devlog_t:sock_file manage_sock_file_perms; -+ dev_filetrans($1, devlog_t, sock_file) -+ init_pid_filetrans($1, devlog_t, sock_file, "syslog") -+') -+ -+######################################## -+## -+## Relabel the devlog sock_file. -+## -+## -+## -+## Domain allowed access. 
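Review bot: The new `logging_log_named_filetrans` body is identical to `logging_log_filetrans` shown in the context lines just above it -- `files_search_var($1)` followed by `filetrans_pattern($1, var_log_t, $2, $3, $4)` -- so the interface adds nothing except a second name for the same rule; either drop it or state in its description that the name argument is mandatory so callers know which one to use. The example in its own documentation calls `logging_log_filetrans(mydomain_t, mylogfile_t, file)` without a fourth argument, so it documents the other interface, not this one; change it to `logging_log_named_filetrans(mydomain_t, mylogfile_t, file, "mylog.log")`. The summary text and parameter list can otherwise stay.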
-+## -+## -+# -+interface(`logging_relabel_devlog_dev',` -+ gen_require(` -+ type devlog_t; -+ ') -+ -+ allow $1 devlog_t:sock_file relabel_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel the syslog pid sock_file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`logging_relabel_syslog_pid_socket',` -+ gen_require(` -+ type syslogd_var_run_t; -+ ') -+ -+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; -+') -+ -+######################################## -+## -+## Connect to the syslog control unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`logging_stream_connect_syslog',` -+ gen_require(` -+ type syslogd_t, syslogd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) - ') - - ######################################## -@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',` - ') - - files_search_var($1) -- append_files_pattern($1, var_log_t, logfile) -+ append_files_pattern($1, logfile, logfile) -+') -+ -+######################################## -+## -+## Append to all log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`logging_inherit_append_all_logs',` -+ gen_require(` -+ attribute logfile; -+ ') -+ -+ allow $1 logfile:file { getattr append ioctl lock }; - ') - - ######################################## -@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',` - - files_search_var($1) - manage_files_pattern($1, logfile, logfile) -- read_lnk_files_pattern($1, logfile, logfile) -+ manage_lnk_files_pattern($1, logfile, logfile) - ') - - ######################################## -@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',` - - ######################################## - ## -+## Link generic log files. -+## -+## -+## -+## Domain allowed access. 
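Review bot: `logging_create_devlog_dev` carries the summary "Connect to the syslog control unix stream socket", copied from `logging_stream_connect_syslog` below it, while its body manages `devlog_t` sock files and adds `dev_filetrans` and `init_pid_filetrans(…, "syslog")` transitions; the summary should read `## Create and manage the devlog socket (/dev/log and the init pid dir syslog socket).`. Since that interface hands `manage_sock_file_perms` plus two file transitions to any caller, a sentence saying it is meant for the logging daemon, not clients, would stop it being reached for by the wrong domains. The conversion of `logging_send_syslog_msg` to `typeattribute $1 syslog_client_type` is fine provided the attribute rules at the bottom of logging.te remain the only place those client permissions live.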
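Review bot: `logging_inherit_append_all_logs` reuses the summary "Append to all log files" verbatim from `logging_append_all_logs` above it, yet it deliberately grants only `{ getattr append ioctl lock }` with no `open` and no directory search -- the inherited-descriptor case; say that, e.g. `## Append to inherited log files of any log type (no open, no directory search).`. The change of `append_files_pattern($1, var_log_t, logfile)` to `append_files_pattern($1, logfile, logfile)` in the existing interface widens the directory search from `var_log_t` to every directory carrying the `logfile` attribute, which is a behavioural change for current callers and deserves its own line in the commit message.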
-+## -+## -+## -+# -+interface(`logging_link_generic_logs',` -+ gen_require(` -+ type var_log_t; -+ ') -+ -+ allow $1 var_log_t:file link; -+') -+ -+######################################## -+## -+## Delete generic log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`logging_delete_generic_logs',` -+ gen_require(` -+ type var_log_t; -+ ') -+ -+ allow $1 var_log_t:file unlink; -+') -+ -+######################################## -+## - ## Write generic log files. - ## - ## -@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',` - - ######################################## - ## -+## Dontaudit read/Write inherited generic log files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`logging_dontaudit_rw_inherited_generic_logs',` -+ gen_require(` -+ type var_log_t; -+ ') -+ -+ dontaudit $1 var_log_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Dontaudit Write generic log files. - ## - ## -@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',` - type auditd_t, auditd_etc_t, auditd_log_t; - type auditd_var_run_t; - type auditd_initrc_exec_t; -+ type auditd_unit_file_t; - ') - -- allow $1 auditd_t:process { ptrace signal_perms }; -+ allow $1 auditd_t:process signal_perms; - ps_process_pattern($1, auditd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 auditd_t:process ptrace; -+ ') -+ - manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) - -@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',` - domain_system_change_exemption($1) - role_transition $2 auditd_initrc_exec_t system_r; - allow $2 system_r; -+ -+ logging_systemctl_audit($1) -+ admin_pattern($1, auditd_unit_file_t) -+ allow $1 auditd_unit_file_t:service all_service_perms; -+') -+ -+######################################## -+## -+## Execute auditd server in the auditd domain. -+## -+## -+## -+## Domain allowed to transition. 
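Review bot: `logging_delete_generic_logs` grants only `var_log_t:file unlink` and `logging_link_generic_logs` only `var_log_t:file link`; neither gives the `var_log_t:dir { search remove_name }` / `{ search add_name }` needed to actually remove or add an entry, so callers will still be denied unless they obtain directory rights elsewhere. The other generic-log interfaces in this file use the pattern macros for exactly this reason, so `delete_files_pattern($1, var_log_t, var_log_t)` for the delete case and `allow $1 var_log_t:dir { search add_name }; allow $1 var_log_t:file link;` for the link case, each preceded by `files_search_var($1)` like `logging_append_all_logs`, would make them usable. If the narrow grant is intentional (the caller already manages `var_log_t` dirs), a comment saying so avoids the next reviewer asking the same question.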
-+## -+## -+# -+interface(`logging_systemctl_audit',` -+ gen_require(` -+ type auditd_t; -+ type auditd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 auditd_unit_file_t:file read_file_perms; -+ allow $1 auditd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, auditd_t) - ') - - ######################################## -@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',` - type syslogd_initrc_exec_t; - ') - -- allow $1 syslogd_t:process { ptrace signal_perms }; -- allow $1 klogd_t:process { ptrace signal_perms }; -+ allow $1 self:capability2 syslog; -+ allow $1 syslogd_t:process signal_perms; -+ allow $1 klogd_t:process signal_perms; - ps_process_pattern($1, syslogd_t) - ps_process_pattern($1, klogd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 syslogd_t:process ptrace; -+ allow $1 klogd_t:process ptrace; -+ ') - - manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) - manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',` - manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) - - logging_manage_all_logs($1) -+ allow $1 logfile:dir relabel_dir_perms; -+ allow $1 logfile:file relabel_file_perms; - - init_labeled_script_domtrans($1, syslogd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -1085,3 +1323,35 @@ interface(`logging_admin',` - logging_admin_audit($1, $2) - logging_admin_syslog($1, $2) - ') -+ -+######################################## -+## -+## Transition to logging named content -+## -+## -+## -+## Domain allowed access. 
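Review bot: `logging_systemctl_audit` is documented as "Execute auditd server in the auditd domain" with its parameter as "Domain allowed to transition", but the body contains no domain transition: it allows `systemd_exec_systemctl`, reading the unit file, `manage_service_perms` on it and `ps_process_pattern` on auditd_t. Replace the summary with `## Manage the auditd systemd service via systemctl (start/stop/status); no transition to auditd_t.` and the parameter text with `Domain allowed access.`. In `logging_admin_audit` the following `allow $1 auditd_unit_file_t:service all_service_perms;` already covers what the helper grants on the unit, so one of the two lines is redundant -- harmless, but worth a comment if both are deliberate.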
-+## -+## -+# -+interface(`logging_filetrans_named_content',` -+ gen_require(` -+ type var_log_t; -+ type audit_spool_t; -+ type syslogd_var_run_t; -+ type syslog_conf_t; -+ ') -+ -+ files_pid_filetrans($1, syslogd_var_run_t, dir, "log") -+ files_spool_filetrans($1, var_log_t, dir, "rsyslog") -+ files_spool_filetrans($1, var_log_t, dir, "log") -+ files_spool_filetrans($1, audit_spool_t, dir, "audit") -+ files_var_filetrans($1, var_log_t, dir, "webmin") -+ -+ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") -+ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") -+ -+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") -+ -+ logging_log_filetrans($1, var_log_t, dir, "anaconda") -+') -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..616d6a8 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) - # - # Declarations - # -+attribute syslog_client_type; -+ -+## -+##
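Review bot: `logging_log_filetrans($1, var_log_t, dir, "anaconda")` in `logging_filetrans_named_content` transitions a new `anaconda` directory under `var_log_t` to `var_log_t`, which is what the child would inherit from its parent anyway, so the line is a no-op unless a private type was intended; either drop it or supply that type. The other entries do change types and match the .fc changes in this patch (`/var/spool/rsyslog` and `/var/spool/log` to `var_log_t`, `/etc/syslog.conf` and `/etc/rsyslog.conf` to `syslog_conf_t`, the init pid `journal` dir to `syslogd_var_run_t`), but `files_var_filetrans($1, var_log_t, dir, "webmin")` labels an entire application directory, which presumably holds more than logs, as a generic log type -- a comment on why that is wanted would help.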

    -+## Allow syslogd daemon to send mail -+##

    -+##
    -+gen_tunable(logging_syslogd_can_sendmail, false) -+ -+## -+##

    -+## Allow syslogd the ability to read/write terminals -+##

    -+##
    -+gen_tunable(logging_syslogd_use_tty, false) - - attribute logfile; - -@@ -20,6 +35,7 @@ files_security_file(auditd_log_t) - files_security_mountpoint(auditd_log_t) - - type audit_spool_t; -+files_spool_file(audit_spool_t) - files_security_file(audit_spool_t) - files_security_mountpoint(audit_spool_t) - -@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t) - type auditd_var_run_t; - files_pid_file(auditd_var_run_t) - -+type auditd_unit_file_t; -+systemd_unit_file(auditd_unit_file_t) -+ - type audisp_t; - type audisp_exec_t; - init_system_domain(audisp_t, audisp_exec_t) -@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t) - type syslogd_t; - type syslogd_exec_t; - init_daemon_domain(syslogd_t, syslogd_exec_t) -+mls_trusted_object(syslogd_t) - - type syslogd_initrc_exec_t; - init_script_file(syslogd_initrc_exec_t) -@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t) - - type syslogd_var_run_t; - files_pid_file(syslogd_var_run_t) -+mls_trusted_object(syslogd_var_run_t) - - type var_log_t; - logging_log_file(var_log_t) -@@ -94,6 +115,8 @@ ifdef(`enable_mls',` - allow auditctl_t self:capability { fsetid dac_read_search dac_override }; - allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; - -+allow auditctl_t self:process getcap; -+ - read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) - allow auditctl_t auditd_etc_t:dir list_dir_perms; - -@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t) - - mls_file_read_all_levels(auditctl_t) - --term_use_all_terms(auditctl_t) -+term_use_all_inherited_terms(auditctl_t) - - init_dontaudit_use_fds(auditctl_t) - -@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t) - # Needs to be able to run dispatcher. 
see /etc/audit/auditd.conf - # Probably want a transition, and a new auditd_helper app - kernel_read_system_state(auditd_t) -+kernel_read_network_state(auditd_t) - - dev_read_sysfs(auditd_t) - -@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t) - fs_search_auto_mountpoints(auditd_t) - fs_rw_anon_inodefs_files(auditd_t) - --selinux_search_fs(auditctl_t) -- --corenet_all_recvfrom_unlabeled(auditd_t) - corenet_all_recvfrom_netlabel(auditd_t) - corenet_tcp_sendrecv_generic_if(auditd_t) - corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t) - logging_domtrans_dispatcher(auditd_t) - logging_signal_dispatcher(auditd_t) - --miscfiles_read_localization(auditd_t) -+auth_use_nsswitch(auditd_t) - - mls_file_read_all_levels(auditd_t) - mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory -- --seutil_dontaudit_read_config(auditd_t) -+mls_socket_write_all_levels(auditd_t) - - sysnet_dns_name_resolve(auditd_t) - --userdom_use_user_terminals(auditd_t) -+systemd_start_systemd_services(auditd_t) -+ -+userdom_use_inherited_user_terminals(auditd_t) - userdom_dontaudit_use_unpriv_user_fds(auditd_t) - userdom_dontaudit_search_user_home_dirs(auditd_t) - -@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t) - - domain_use_interactive_fds(audisp_t) - -+fs_getattr_all_fs(audisp_t) -+ - files_read_etc_files(audisp_t) - files_read_etc_runtime_files(audisp_t) - -+mls_file_read_all_levels(audisp_t) - mls_file_write_all_levels(audisp_t) -+mls_socket_write_all_levels(audisp_t) -+mls_dbus_send_all_levels(audisp_t) -+ -+auth_use_nsswitch(audisp_t) - - logging_send_syslog_msg(audisp_t) - --miscfiles_read_localization(audisp_t) - - sysnet_dns_name_resolve(audisp_t) - - optional_policy(` - dbus_system_bus_client(audisp_t) -+ -+ optional_policy(` -+ setroubleshoot_dbus_chat(audisp_t) -+ ') - ') - - ######################################## -@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) - 
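Review bot: `systemd_start_systemd_services(auditd_t)` lets the audit daemon start systemd service units, and the hunk does not say which unit auditd needs to start (the dispatcher is already reached via `logging_domtrans_dispatcher` in the context lines). If this is for the halt/single actions in auditd's disk-full and space-left handling, a comment like `# auditd.conf *_action = halt/single starts a systemd unit` pins that down; if the interface is broader than the single unit required, prefer a narrower one. The same hunk adds `mls_socket_write_all_levels(auditd_t)` without a comment, unlike the `mls_file_write_all_levels` line next to it which explains its purpose.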
- corecmd_exec_bin(audisp_remote_t) - --corenet_all_recvfrom_unlabeled(audisp_remote_t) - corenet_all_recvfrom_netlabel(audisp_remote_t) - corenet_tcp_sendrecv_generic_if(audisp_remote_t) - corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) - - files_read_etc_files(audisp_remote_t) - -+mls_socket_write_all_levels(audisp_remote_t) -+ - logging_send_syslog_msg(audisp_remote_t) - logging_send_audit_msgs(audisp_remote_t) - --miscfiles_read_localization(audisp_remote_t) -+auth_use_nsswitch(audisp_remote_t) -+auth_append_login_records(audisp_remote_t) -+ -+ -+init_telinit(audisp_remote_t) -+init_read_utmp(audisp_remote_t) -+init_dontaudit_write_utmp(audisp_remote_t) - - sysnet_dns_name_resolve(audisp_remote_t) - -@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t) - - logging_send_syslog_msg(klogd_t) - --miscfiles_read_localization(klogd_t) - - mls_file_read_all_levels(klogd_t) - -@@ -354,12 +392,12 @@ optional_policy(` - # chown fsetid for syslog-ng - # sys_admin for the integrated klog of syslog-ng and metalog - # cjp: why net_admin! 
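Review bot: `init_telinit(audisp_remote_t)` allows the remote audit dispatcher to change runlevel (halt or single-user) and is added without a comment; presumably it backs the network-failure and disk-error actions of audisp-remote.conf, which can be configured to halt the machine. State that next to the line, e.g. `# audisp-remote.conf *_action = halt/single needs telinit`, so the grant is not read as a mistake, and consider gating it behind a boolean if those actions are not the default configuration. `auth_append_login_records` and `init_read_utmp` in the same hunk look like the wtmp write that accompanies such a shutdown and are best grouped under the same comment.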
--allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid }; - dontaudit syslogd_t self:capability sys_tty_config; -+allow syslogd_t self:capability2 { syslog block_suspend }; - # setpgid for metalog - # setrlimit for syslog-ng --# getsched for syslog-ng --allow syslogd_t self:process { signal_perms setpgid setrlimit getsched }; -+allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit }; - # receive messages to be logged - allow syslogd_t self:unix_dgram_socket create_socket_perms; - allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - - allow syslogd_t syslog_conf_t:file read_file_perms; -+allow syslogd_t syslog_conf_t:dir list_dir_perms; - - # Create and bind to /dev/log or /var/run/log. - allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) - # create/append log files. 
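Review bot: The syslogd_t capability set is widened in one line to add `sys_ptrace`, `ipc_lock`, `sys_nice`, `setuid` and `setgid` -- with `setuid setgid` listed twice in the same set -- and no comment explains any of them, while the comment block above still explains the old ones (`chown fsetid for syslog-ng`, `sys_admin for the integrated klog`) and even questions `net_admin`. `sys_ptrace` is the serious one: it presumably backs the `domain_read_all_domains_state(syslogd_t)` added later in this patch (reading /proc/<pid> of logging clients), and should be documented as such, e.g. `# sys_ptrace: journald reads /proc/<pid>/ of clients for message metadata`. Remove the duplicate `setuid setgid` tokens and add one reason per new capability in the comment block, matching the existing style.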
- manage_files_pattern(syslogd_t, var_log_t, var_log_t) - rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) -+files_search_spool(syslogd_t) - - # Allow access for syslog-ng - allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) - manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) - files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) - -+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) - manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) - files_search_var_lib(syslogd_t) - --# manage pid file -+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) - manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) --files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) - -+kernel_rw_stream_socket_perms(syslogd_t) - kernel_read_system_state(syslogd_t) -+kernel_read_network_state(syslogd_t) - kernel_read_kernel_sysctls(syslogd_t) - kernel_read_proc_symlinks(syslogd_t) - # Allow access to /proc/kmsg for syslog-ng - kernel_read_messages(syslogd_t) -+kernel_request_load_module(syslogd_t) - kernel_clear_ring_buffer(syslogd_t) - kernel_change_ring_buffer_level(syslogd_t) -+kernel_read_ring_buffer(syslogd_t) -+ -+ifdef(`hide_broken_symptoms',` -+ kernel_rw_unix_dgram_sockets(syslogd_t) -+') -+ -+corecmd_exec_bin(syslogd_t) -+corecmd_exec_shell(syslogd_t) - --corenet_all_recvfrom_unlabeled(syslogd_t) - corenet_all_recvfrom_netlabel(syslogd_t) - corenet_udp_sendrecv_generic_if(syslogd_t) - corenet_udp_sendrecv_generic_node(syslogd_t) - corenet_udp_sendrecv_all_ports(syslogd_t) - corenet_udp_bind_generic_node(syslogd_t) - corenet_udp_bind_syslogd_port(syslogd_t) -+corenet_udp_bind_syslog_tls_port(syslogd_t) - # syslog-ng can listen and connect on tcp port 514 (rsh) - 
corenet_tcp_sendrecv_generic_if(syslogd_t) - corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) - corenet_tcp_connect_rsh_port(syslogd_t) - # Allow users to define additional syslog ports to connect to - corenet_tcp_bind_syslogd_port(syslogd_t) -+corenet_tcp_bind_syslog_tls_port(syslogd_t) -+corenet_tcp_connect_syslog_tls_port(syslogd_t) - corenet_tcp_connect_syslogd_port(syslogd_t) - corenet_tcp_connect_postgresql_port(syslogd_t) - corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) - corenet_sendrecv_postgresql_client_packets(syslogd_t) - corenet_sendrecv_mysqld_client_packets(syslogd_t) - -+tunable_policy(`logging_syslogd_use_tty',` -+ term_use_all_ttys(syslogd_t) -+ term_use_all_ptys(syslogd_t) -+') -+ -+tunable_policy(`logging_syslogd_can_sendmail',` -+ # support for ommail module to send logs via mail -+ corenet_tcp_connect_smtp_port(syslogd_t) -+') -+ - dev_filetrans(syslogd_t, devlog_t, sock_file) - dev_read_sysfs(syslogd_t) -- -+dev_read_rand(syslogd_t) -+dev_read_urand(syslogd_t) -+# relating to systemd-kmsg-syslogd -+dev_write_kmsg(syslogd_t) -+dev_read_kmsg(syslogd_t) -+ -+domain_read_all_domains_state(syslogd_t) -+domain_getattr_all_domains(syslogd_t) - domain_use_interactive_fds(syslogd_t) - - files_read_etc_files(syslogd_t) -@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t) - files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) - - fs_getattr_all_fs(syslogd_t) -+fs_rw_tmpfs_files(syslogd_t) - fs_search_auto_mountpoints(syslogd_t) -+fs_search_cgroup_dirs(syslogd_t) - - mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories -+mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram - - term_write_console(syslogd_t) - # Allow syslog to a terminal - term_write_unallocated_ttys(syslogd_t) -+term_use_generic_ptys(syslogd_t) - 
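Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` give the syslog daemon unconditional permission to execute system binaries and shells, presumably for rsyslog's omprog / syslog-ng's program() outputs; the same file introduces `logging_syslogd_can_sendmail` and `logging_syslogd_use_tty` booleans for far smaller grants, so this one deserves the same gating, e.g. a `logging_syslogd_run_cmds` tunable wrapping the two lines. Without a transition type anything executed stays in syslogd_t and inherits the sys_ptrace and log-management rights granted elsewhere in this patch, which is the real exposure. `kernel_request_load_module(syslogd_t)` is also added without a comment; if it is for journald's /dev/kmsg or a network module, say which.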
-+init_stream_connect(syslogd_t) - # for sending messages to logged in users - init_read_utmp(syslogd_t) - init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +538,11 @@ init_use_fds(syslogd_t) - - # cjp: this doesnt make sense - logging_send_syslog_msg(syslogd_t) -- --miscfiles_read_localization(syslogd_t) -+logging_manage_all_logs(syslogd_t) - - userdom_dontaudit_use_unpriv_user_fds(syslogd_t) --userdom_dontaudit_search_user_home_dirs(syslogd_t) -+userdom_search_user_home_dirs(syslogd_t) -+userdom_rw_inherited_user_tmpfs_files(syslogd_t) - - ifdef(`distro_gentoo',` - # default gentoo syslog-ng config appends kernel -@@ -502,15 +579,40 @@ optional_policy(` - ') - - optional_policy(` -+ kerberos_keytab_template(syslogd, syslogd_t) -+ kerberos_manage_host_rcache(syslogd_t) -+ kerberos_read_config(syslogd_t) -+') -+ -+optional_policy(` -+ mysql_read_config(syslogd_t) - mysql_stream_connect(syslogd_t) - ') - - optional_policy(` -+ plymouthd_manage_log(syslogd_t) -+') -+ -+optional_policy(` -+ postfix_search_spool(syslogd_t) -+') -+ -+optional_policy(` - postgresql_stream_connect(syslogd_t) - ') - - optional_policy(` -+ psad_search_lib_files(syslogd_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(syslogd_t) -+ snmp_read_snmp_var_lib_files(syslogd_t) -+ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) -+') -+ -+optional_policy(` -+ daemontools_search_svc_dir(syslogd_t) - ') - - optional_policy(` -@@ -521,3 +623,26 @@ optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) - ') -+ -+##################################################### -+# -+# syslog client rules -+# -+allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms; -+allow syslog_client_type devlog_t:sock_file write_sock_file_perms; -+ -+# the type of socket depends on the syslog daemon -+allow syslog_client_type syslogd_t:unix_dgram_socket sendto; -+allow syslog_client_type syslogd_t:unix_stream_socket connectto; -+allow syslog_client_type self:unix_dgram_socket 
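Review bot: `logging_manage_all_logs(syslogd_t)` grants create/write/rename/delete on every type carrying the `logfile` attribute, not only `var_log_t`, so it goes well beyond the `manage_files_pattern(syslogd_t, var_log_t, var_log_t)` the daemon already has elsewhere in this file. If `auditd_log_t` -- declared in this module as a security file -- also carries `logfile`, syslogd_t can truncate or unlink the audit trail, which undoes the auditd/syslogd separation this module otherwise keeps; please confirm the attribute membership and, if it applies, scope the grant to the private log types syslog actually writes. The same hunk turns `userdom_dontaudit_search_user_home_dirs(syslogd_t)` into an allow; a comment naming the feature that needs home-directory search would make that reviewable.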
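Review bot: The two `snmp_*` lines are inserted inside the existing `optional_policy` block that holds `seutil_sigchld_newrole(syslogd_t)`, so the whole block is dropped when either the seutil or the snmp module is absent, and `seutil_sigchld_newrole` disappears from syslogd_t on a system without the snmp module (and vice versa). Every other addition in this hunk (kerberos, mysql, plymouthd, postfix, psad, daemontools) gets its own `optional_policy` block; give snmp one too.
```m4
optional_policy(`
	seutil_sigchld_newrole(syslogd_t)
')

optional_policy(`
	snmp_read_snmp_var_lib_files(syslogd_t)
	snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
')
```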
create_socket_perms; -+allow syslog_client_type self:unix_stream_socket create_socket_perms; -+ -+# If syslog is down, the glibc syslog() function -+# will write to the console. -+term_write_console(syslog_client_type) -+term_dontaudit_read_console(syslog_client_type) -+ifdef(`hide_broken_symptoms',` -+ kernel_dgram_send(syslog_client_type) -+') -+ -+logging_stream_connect_syslog(syslog_client_type) -diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..b250b3e 100644 ---- a/policy/modules/system/lvm.fc -+++ b/policy/modules/system/lvm.fc -@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` - /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) - /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) - -+/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) -+ - # - # /lib - # - /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) - /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) - - # - # /sbin - # -+/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) --/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/sbin/lvm -- 
gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',` - # - # /usr - # --/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) --/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0) -+/usr/lib/systemd/system/lvm2.*\.service gen_context(system_u:object_r:lvm_unit_file_t,s0) -+ -+/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) -+/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) 
-+/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgexport -- 
gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) -+ -+/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) - - # - # /var -@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',` - /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) - /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) - /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) -+/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) -+/var/run/lvm(/.*)? 
gen_context(system_u:object_r:lvm_var_run_t,s0)
- /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
-+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
- /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
-diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..51e9872 100644
---- a/policy/modules/system/lvm.if
-+++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
- corecmd_search_bin($1)
- domtrans_pattern($1, clvmd_exec_t, clvmd_t)
- ')
-+
-+########################################
-+##
-+## Read and write to lvm temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_rw_clvmd_tmpfs_files',`
-+ gen_require(`
-+ type clvmd_tmpfs_t;
-+ ')
-+
-+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete lvm temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_delete_clvmd_tmpfs_files',`
-+ gen_require(`
-+ type clvmd_tmpfs_t;
-+ ')
-+
-+ allow $1 clvmd_tmpfs_t:file unlink;
-+')
-+
-+########################################
-+##
-+## Send lvm a null signal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_signull',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ allow $1 lvm_t:process signull;
-+')
-+
-+########################################
-+##
-+## Send a message to lvm over the
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`lvm_dgram_send',`
-+ gen_require(`
-+ type lvm_t;
-+ ')
-+
-+ allow $1 lvm_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
-+## Read and write a lvm unnamed pipe.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`lvm_rw_pipes',`
-+ gen_require(`
-+ type lvm_var_run_t;
-+ ')
-+
-+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..b22837c 100644
---- a/policy/modules/system/lvm.te
-+++ b/policy/modules/system/lvm.te
-@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
- type clvmd_initrc_exec_t;
- init_script_file(clvmd_initrc_exec_t)
- 
-+type clvmd_tmpfs_t alias clmvd_tmpfs_t;
-+files_tmpfs_file(clvmd_tmpfs_t)
-+
- type clvmd_var_run_t;
- files_pid_file(clvmd_var_run_t)
- 
-@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
- role system_r types lvm_t;
- 
- type lvm_etc_t;
--files_type(lvm_etc_t)
-+files_config_file(lvm_etc_t)
- 
- type lvm_lock_t;
- files_lock_file(lvm_lock_t)
-@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t)
- type lvm_tmp_t;
- files_tmp_file(lvm_tmp_t)
- 
-+type lvm_unit_file_t;
-+systemd_unit_file(lvm_unit_file_t)
-+
- ########################################
- #
- # Cluster LVM daemon local policy
-@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t)
- allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
- dontaudit clvmd_t self:capability sys_tty_config;
- allow clvmd_t self:process { signal_perms setsched };
--dontaudit clvmd_t self:process ptrace;
- allow clvmd_t self:socket create_socket_perms;
- allow clvmd_t self:fifo_file rw_fifo_file_perms;
- allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow clvmd_t self:tcp_socket create_stream_socket_perms;
- allow clvmd_t self:udp_socket create_socket_perms;
- 
-+manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
-+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
-+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
- manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
--files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
-+files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir })
- 
- read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
- 
-@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
- corecmd_exec_shell(clvmd_t)
- corecmd_getattr_bin_files(clvmd_t)
- 
--corenet_all_recvfrom_unlabeled(clvmd_t)
- corenet_all_recvfrom_netlabel(clvmd_t)
- corenet_tcp_sendrecv_generic_if(clvmd_t)
- corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t)
- 
- logging_send_syslog_msg(clvmd_t)
- 
--miscfiles_read_localization(clvmd_t)
--
--seutil_dontaudit_search_config(clvmd_t)
- seutil_sigchld_newrole(clvmd_t)
- seutil_read_config(clvmd_t)
- seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +147,11 @@ ifdef(`distro_redhat',`
- ')
- 
- optional_policy(`
-+ aisexec_stream_connect(clvmd_t)
-+ corosync_stream_connect(clvmd_t)
-+')
-+
-+optional_policy(`
- ccs_stream_connect(clvmd_t)
- ')
- 
-@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config;
- allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
- # LVM will complain a lot if it cannot set its priority. 
- allow lvm_t self:process setsched;
-+allow lvm_t self:sem create_sem_perms;
- allow lvm_t self:file rw_file_perms;
- allow lvm_t self:fifo_file manage_fifo_file_perms;
- allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms;
- allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
- 
-+allow lvm_t lvm_unit_file_t:file manage_file_perms;
-+systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
-+systemd_create_unit_file_dirs(lvm_t)
-+systemd_create_unit_file_lnk(lvm_t)
-+
- manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
- manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
- files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
-@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
- can_exec(lvm_t, lvm_exec_t)
- 
- # Creating lock files
-+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
- files_lock_filetrans(lvm_t, lvm_lock_t, file)
- files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
-+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid")
- 
- manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
- manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
- 
- manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
- manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-+manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
- manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
--files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
-+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
-+init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
- 
- read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
- read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t)
- # it has no reason to need this
- kernel_dontaudit_getattr_core_if(lvm_t)
- kernel_use_fds(lvm_t)
-+kernel_request_load_module(lvm_t)
- kernel_search_debugfs(lvm_t)
- 
- corecmd_exec_bin(lvm_t)
-@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t)
- dev_read_rand(lvm_t)
- dev_read_urand(lvm_t)
- dev_rw_lvm_control(lvm_t)
-+dev_write_kmsg(lvm_t)
- dev_manage_generic_symlinks(lvm_t)
- dev_relabel_generic_dev_dirs(lvm_t)
- dev_manage_generic_blk_files(lvm_t)
- # Read /sys/block. Device mapper metadata is kept there.
--dev_read_sysfs(lvm_t)
-+# cryptsetup writes read_ahead_kb
-+dev_rw_sysfs(lvm_t)
- # cjp: this has no effect since LVM does not
- # have lnk_file relabelto for anything else.
- # perhaps this should be blk_files?
-@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
- dev_dontaudit_getattr_generic_blk_files(lvm_t)
- dev_dontaudit_getattr_generic_pipes(lvm_t)
- dev_create_generic_dirs(lvm_t)
-+dev_rw_generic_files(lvm_t)
- 
- domain_use_interactive_fds(lvm_t)
- domain_read_all_domains_state(lvm_t)
-@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t)
- files_read_etc_runtime_files(lvm_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(lvm_t)
-+fs_rw_inherited_tmpfs_files(lvm_t)
- 
--fs_getattr_xattr_fs(lvm_t)
-+fs_getattr_all_fs(lvm_t)
- fs_search_auto_mountpoints(lvm_t)
- fs_list_tmpfs(lvm_t)
- fs_read_tmpfs_symlinks(lvm_t)
- fs_dontaudit_read_removable_files(lvm_t)
- fs_dontaudit_getattr_tmpfs_files(lvm_t)
- fs_rw_anon_inodefs_files(lvm_t)
-+fs_list_auto_mountpoints(lvm_t)
-+fs_list_hugetlbfs(lvm_t)
- 
- mls_file_read_all_levels(lvm_t)
- mls_file_write_to_clearance(lvm_t)
-+mls_file_upgrade(lvm_t)
- 
- selinux_get_fs_mount(lvm_t)
- selinux_validate_context(lvm_t)
-@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
- # Access raw devices and old /dev/lvm (c 109,0). Is this needed? 
- storage_manage_fixed_disk(lvm_t)
- 
--term_use_all_terms(lvm_t)
-+term_use_all_inherited_terms(lvm_t)
- 
- init_use_fds(lvm_t)
- init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t)
- init_read_script_state(lvm_t)
- 
- logging_send_syslog_msg(lvm_t)
-+logging_stream_connect_syslog(lvm_t)
- 
--miscfiles_read_localization(lvm_t)
-+authlogin_rw_pipes(lvm_t)
-+auth_use_nsswitch(lvm_t)
- 
- seutil_read_config(lvm_t)
- seutil_read_file_contexts(lvm_t)
- seutil_search_default_contexts(lvm_t)
- seutil_sigchld_newrole(lvm_t)
- 
-+userdom_use_inherited_user_terminals(lvm_t)
- userdom_use_user_terminals(lvm_t)
-+userdom_rw_semaphores(lvm_t)
-+userdom_search_user_home_dirs(lvm_t)
-+
-+usermanage_read_crack_db(lvm_t)
- 
- ifdef(`distro_redhat',`
- # this is from the initrd:
-@@ -313,6 +349,11 @@ ifdef(`distro_redhat',`
- ')
- 
- optional_policy(`
-+ aisexec_stream_connect(lvm_t)
-+ corosync_stream_connect(lvm_t)
-+')
-+
-+optional_policy(`
- bootloader_rw_tmp_files(lvm_t)
- ')
- 
-@@ -333,14 +374,30 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ docker_rw_sem(lvm_t)
-+')
-+
-+optional_policy(`
-+ livecd_rw_semaphores(lvm_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(lvm_t)
- ')
- 
- optional_policy(`
-+ raid_read_mdadm_pid(lvm_t)
-+')
-+
-+optional_policy(`
- rpm_manage_script_tmp_files(lvm_t)
- ')
- 
- optional_policy(`
-+ systemd_manage_passwd_run(lvm_t)
-+')
-+
-+optional_policy(`
- udev_read_db(lvm_t)
- ')
- 
-diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..83acb32 100644
---- a/policy/modules/system/miscfiles.fc
-+++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
- # /etc
- #
- /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
--/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
--/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-+/etc/httpd/alias(/.*)? 
gen_context(system_u:object_r:cert_t,s0) -+/etc/localtime gen_context(system_u:object_r:locale_t,s0) -+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) - /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) - /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) - /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) -+/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0) - - ifdef(`distro_redhat',` - /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,24 +39,20 @@ ifdef(`distro_redhat',` - - /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) - --/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) --/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -- --/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -- - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - - /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) - /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) --/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) - /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) --/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) --/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) -- -+/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) - /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) - /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -+/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) -+/usr/share/zoneinfo(/.*)? 
gen_context(system_u:object_r:locale_t,s0)
- 
- /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- 
-@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
- 
- /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
- /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
--/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
-+
- 
- /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
- 
-@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
- ')
- 
- ifdef(`distro_redhat',`
-+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- ')
-diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..416ac0f 100644
---- a/policy/modules/system/miscfiles.if
-+++ b/policy/modules/system/miscfiles.if
-@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
- 
- ########################################
- ##
-+## Dontaudit attempts to write generic SSL certificates.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_dontaudit_write_generic_cert_files',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ dontaudit $1 cert_t:file write;
-+')
-+
-+########################################
-+##
- ## Manage generic SSL certificates.
- ##
- ##
-@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',`
- 
- ########################################
- ##
-+## Do not audit attempts to access check cert dirs/files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`miscfiles_dontaudit_access_check_cert',`
-+ gen_require(`
-+ type cert_t;
-+ ')
-+
-+ dontaudit $1 cert_t:file audit_access;
-+ dontaudit $1 cert_t:dir audit_access;
-+')
-+
-+
-+########################################
-+##
- ## Manage SSL certificates. 
- ##
- ##
-@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',`
- files_search_usr($1)
- allow $1 locale_t:dir list_dir_perms;
- rw_files_pattern($1, locale_t, locale_t)
-+ manage_lnk_files_pattern($1, locale_t, locale_t)
- ')
- 
- ########################################
-@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',`
- 
- files_search_usr($1)
- relabel_files_pattern($1, locale_t, locale_t)
-+ relabel_lnk_files_pattern($1, locale_t, locale_t)
- ')
- 
- ########################################
-@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',`
- type locale_t;
- ')
- 
-- miscfiles_read_localization($1)
- allow $1 locale_t:file execute;
- ')
- 
-@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',`
- allow $1 { man_cache_t man_t }:dir list_dir_perms;
- read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
- read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
-+
-+ optional_policy(`
-+ mandb_read_cache_files($1)
-+ ')
- ')
- 
- ########################################
-@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',`
- delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
- delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
- delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
-+ optional_policy(`
-+ mandb_setattr_cache_dirs($1)
-+ mandb_delete_cache($1)
-+ ')
-+')
-+#######################################
-+##
-+## Create, read, write, and delete man pages
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_setattr_man_pages',`
-+ gen_require(`
-+ type man_t;
-+ ')
-+
-+ files_search_usr($1)
-+
-+ allow $1 man_t:dir setattr;
- ')
- 
- ########################################
-@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',`
- 
- ########################################
- ##
-+## Allow process to relabel man_pages info
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`miscfiles_relabel_man_pages',`
-+ gen_require(`
-+ type man_t;
-+ ')
-+
-+ files_search_usr($1)
-+ relabel_dirs_pattern($1, man_t, man_t)
-+ relabel_files_pattern($1, man_t, man_t)
-+
-+ optional_policy(`
-+ mandb_relabel_cache($1)
-+ ')
-+')
-+
-+########################################
-+##
- ## Read public files used for file
- ## transfer services.
- ##
-@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',`
- type locale_t;
- ')
- 
-- files_etc_filetrans($1, locale_t, file)
--
-+ files_etc_filetrans($1, locale_t, lnk_file)
-+ files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
-+ files_etc_filetrans($1, locale_t, file, "locale.conf" )
-+ files_etc_filetrans($1, locale_t, file, "timezone" )
-+ files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
- ')
- 
- ########################################
-@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',`
- manage_lnk_files_pattern($1, locale_t, locale_t)
- ')
- 
-+########################################
-+##
-+## Transition to miscfiles locale named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`miscfiles_filetrans_locale_named_content',`
-+ gen_require(`
-+ type locale_t;
-+ ')
-+
-+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf")
-+ files_etc_filetrans($1, locale_t, file, "vconsole.conf")
-+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
-+ files_etc_filetrans($1, locale_t, file, "timezone")
-+ files_etc_filetrans($1, locale_t, file, "clock")
-+ files_usr_filetrans($1, locale_t, dir, "locale")
-+ files_usr_filetrans($1, locale_t, dir, "zoneinfo")
-+')
-+
-+########################################
-+##
-+## Transition to miscfiles named content
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`miscfiles_filetrans_named_content',`
-+ gen_require(`
-+ type man_t;
-+ type cert_t;
-+ type fonts_t;
-+ type fonts_cache_t;
-+ type hwdata_t;
-+ type tetex_data_t;
-+ type public_content_t;
-+ ')
-+
-+ miscfiles_filetrans_locale_named_content($1)
-+ files_var_filetrans($1, man_t, dir, "man")
-+ files_etc_filetrans($1, cert_t, dir, "pki")
-+ files_usr_filetrans($1, cert_t, dir, "certs")
-+ files_usr_filetrans($1, fonts_t, dir, "fonts")
-+ files_usr_filetrans($1, hwdata_t, dir, "hwdata")
-+ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
-+ files_var_filetrans($1, tetex_data_t, dir, "fonts")
-+ files_spool_filetrans($1, tetex_data_t, dir, "texmf")
-+ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
-+ files_var_filetrans($1, public_content_t, dir, "ftp")
-+')
-diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..8f8d80d 100644
---- a/policy/modules/system/miscfiles.te
-+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
- #
- # Declarations
- #
--
- attribute cert_type;
- 
- #
-@@ -48,10 +47,10 @@ files_type(man_cache_t)
- # Types for public content
- #
- type public_content_t; #, customizable;
--files_type(public_content_t)
-+files_mountpoint(public_content_t)
- 
- type public_content_rw_t; #, customizable;
--files_type(public_content_rw_t)
-+files_mountpoint(public_content_rw_t)
- 
- #
- # Base type for the tests directory. 
-diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc -index 9933677..ca14c17 100644 ---- a/policy/modules/system/modutils.fc -+++ b/policy/modules/system/modutils.fc -@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',` - /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) - - /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) -+ -+/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) -+/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) -+/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -+/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -+/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) -+/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -+/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) -+ -+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) -+ -+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) -diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..6375786 100644 ---- a/policy/modules/system/modutils.if -+++ b/policy/modules/system/modutils.if -@@ -12,7 +12,7 @@ - # - interface(`modutils_getattr_module_deps',` - gen_require(` -- type modules_dep_t; -+ type modules_dep_t, modules_object_t; - ') - - getattr_files_pattern($1, modules_object_t, modules_dep_t) -@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',` - - ######################################## - ## -+## Read the dependencies of kernel modules. -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`modutils_delete_module_deps',`
-+ gen_require(`
-+ type modules_dep_t;
-+ ')
-+
-+ delete_files_pattern($1, modules_dep_t, modules_dep_t)
-+')
-+
-+########################################
-+##
-+## list the configuration options used when
-+## loading modules.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`modutils_list_module_config',`
-+ gen_require(`
-+ type modules_conf_t;
-+ ')
-+
-+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
-+')
-+
-+########################################
-+##
- ## Read the configuration options used when
- ## loading modules.
- ##
-@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
- #
- interface(`modutils_run_update_mods',`
- gen_require(`
-- attribute_role update_modules_roles;
-+ #attribute_role update_modules_roles;
-+ type update_modules_t;
- ')
- 
-+ #modutils_domtrans_update_mods($1)
-+ #roleattribute $2 update_modules_roles;
-+
- modutils_domtrans_update_mods($1)
-- roleattribute $2 update_modules_roles;
-+ role $2 types update_modules_t;
-+
-+ modutils_run_insmod(update_modules_t, $2)
-+
- ')
- 
- ########################################
-@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
- corecmd_search_bin($1)
- can_exec($1, update_modules_exec_t)
- ')
-+
-+########################################
-+##
-+## Transition to modutils named content
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`modules_filetrans_named_content',`
-+ gen_require(`
-+ type modules_dep_t;
-+ type modules_conf_t;
-+ ')
-+
-+ files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
-+ files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
-+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
-+')
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..82004c9 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
- # Declarations
- #
- 
--attribute_role update_modules_roles;
-+#attribute_role update_modules_roles;
- 
- type depmod_t;
- type depmod_exec_t;
-@@ -16,11 +16,15 @@ type insmod_t;
- type insmod_exec_t;
- application_domain(insmod_t, insmod_exec_t)
- mls_file_write_all_levels(insmod_t)
-+mls_process_write_down(insmod_t)
- role system_r types insmod_t;
- 
-+type insmod_var_run_t;
-+files_pid_file(insmod_var_run_t)
-+
- # module loading config
- type modules_conf_t;
--files_type(modules_conf_t)
-+files_config_file(modules_conf_t)
- 
- # module dependencies
- type modules_dep_t;
-@@ -29,12 +33,16 @@ files_type(modules_dep_t)
- type update_modules_t;
- type update_modules_exec_t;
- init_system_domain(update_modules_t, update_modules_exec_t)
--roleattribute system_r update_modules_roles;
--role update_modules_roles types update_modules_t;
-+#roleattribute system_r update_modules_roles;
-+#role update_modules_roles types update_modules_t;
-+role system_r types update_modules_t;
- 
- type update_modules_tmp_t;
- files_tmp_file(update_modules_tmp_t)
- 
-+type insmod_tmpfs_t;
-+files_tmpfs_file(insmod_tmpfs_t)
-+
- ########################################
- #
- # depmod local policy
-@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t)
- 
- domain_use_interactive_fds(depmod_t)
- 
-+files_delete_kernel_modules(depmod_t)
- files_read_kernel_symbol_table(depmod_t)
- files_read_kernel_modules(depmod_t)
- files_read_etc_runtime_files(depmod_t)
- files_read_etc_files(depmod_t)
- files_read_usr_src_files(depmod_t)
- files_list_usr(depmod_t)
-+files_append_var_files(depmod_t)
-+files_read_boot_files(depmod_t)
- 
- fs_getattr_xattr_fs(depmod_t)
- 
-@@ -69,10 +80,12 @@ init_use_fds(depmod_t)
- init_use_script_fds(depmod_t)
- init_use_script_ptys(depmod_t)
- 
--userdom_use_user_terminals(depmod_t)
-+userdom_use_inherited_user_terminals(depmod_t)
- # Read System.map from home directories.
- files_list_home(depmod_t)
- userdom_read_user_home_content_files(depmod_t)
-+userdom_manage_user_tmp_files(depmod_t)
-+userdom_home_reader(depmod_t)
- 
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',`
- ')
- ')
- 
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(depmod_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(depmod_t)
-+optional_policy(`
-+ bootloader_rw_tmp_files(insmod_t)
- ')
- 
- optional_policy(`
-@@ -94,7 +103,6 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- # Read System.map from home directories. 
- unconfined_domain(depmod_t) - ') - -@@ -103,11 +111,12 @@ optional_policy(` - # insmod local policy - # - --allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; -+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; - allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; - - allow insmod_t self:udp_socket create_socket_perms; - allow insmod_t self:rawip_socket create_socket_perms; -+allow insmod_t self:shm create_shm_perms; - - # Read module config and dependency information - list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) - list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) - read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) - -+manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) -+manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) -+files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file }) -+ - can_exec(insmod_t, insmod_exec_t) - -+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) -+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) -+ - kernel_load_module(insmod_t) --kernel_request_load_module(insmod_t) -+files_manage_kernel_modules(insmod_t) - kernel_read_system_state(insmod_t) - kernel_read_network_state(insmod_t) - kernel_write_proc_files(insmod_t) - kernel_mount_debugfs(insmod_t) - kernel_mount_kvmfs(insmod_t) - kernel_read_debugfs(insmod_t) -+kernel_request_load_module(insmod_t) - # Rules for /proc/sys/kernel/tainted - kernel_read_kernel_sysctls(insmod_t) - kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t) - dev_read_sound(insmod_t) - dev_write_sound(insmod_t) - dev_rw_apm_bios(insmod_t) -+dev_create_generic_chr_files(insmod_t) - - domain_signal_all_domains(insmod_t) - domain_use_interactive_fds(insmod_t) -@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t) - 
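Review bot: `mknod` is added to insmod_t's capability set without a why-comment, and a later hunk in this file adds `dev_create_generic_chr_files(insmod_t)`; together they let the module-loading domain create arbitrary character device nodes, which is a meaningful widening for a domain that is entered from the kernel via `kernel_domtrans_to`. Add a comment naming the tool or module-install script that needs it, e.g. `# mknod: <tool> creates device nodes after loading <module>`, so the grant can be revisited. The same applies to the new `self:shm create_shm_perms` line.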
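Review bot: `files_manage_kernel_modules(insmod_t)` gives the module loader create/write/delete over the whole module tree, while the surrounding file still carries `files_write_kernel_modules(insmod_t)` with the comment `# for locking: (cjp: ????)`; the two overlap and neither explains why a loader needs to write module files at all. Keep one of them and attach a reason, or drop the manage grant if only the lock file is written. Style nit on the new tmpfs lines: `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` omit the spaces after commas that every other call in this file uses.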
files_read_etc_files(insmod_t) - files_read_usr_files(insmod_t) - files_exec_etc_files(insmod_t) -+# users installing vbox put kernel modules in /var/lib -+files_read_var_lib_files(insmod_t) -+files_read_kernel_symbol_table(insmod_t) - # for nscd: - files_dontaudit_search_pids(insmod_t) - # for when /var is not mounted early in the boot: - files_dontaudit_search_isid_type_dirs(insmod_t) - # for locking: (cjp: ????) - files_write_kernel_modules(insmod_t) -+allow insmod_t modules_dep_t:file manage_file_perms; - - fs_getattr_xattr_fs(insmod_t) - fs_dontaudit_use_tmpfs_chr_dev(insmod_t) -+fs_mount_rpc_pipefs(insmod_t) -+fs_search_rpc(insmod_t) -+ -+auth_use_nsswitch(insmod_t) - - init_rw_initctl(insmod_t) - init_use_fds(insmod_t) - init_use_script_fds(insmod_t) - init_use_script_ptys(insmod_t) -+init_spec_domtrans_script(insmod_t) -+init_rw_script_tmp_files(insmod_t) -+init_dontaudit_getattr_stream_socket(insmod_t) - - logging_send_syslog_msg(insmod_t) - logging_search_logs(insmod_t) - --miscfiles_read_localization(insmod_t) -- - seutil_read_file_contexts(insmod_t) - --userdom_use_user_terminals(insmod_t) -- -+term_use_all_inherited_terms(insmod_t) - userdom_dontaudit_search_user_home_dirs(insmod_t) - - kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +210,33 @@ optional_policy(` - ') - - optional_policy(` -- firstboot_dontaudit_rw_pipes(insmod_t) -- firstboot_dontaudit_rw_stream_sockets(insmod_t) -+ devicekit_use_fds_disk(insmod_t) -+ devicekit_dontaudit_read_pid_files(insmod_t) - ') - - optional_policy(` -- hal_write_log(insmod_t) -+ firstboot_dontaudit_leaks(insmod_t) - ') - - optional_policy(` -- hotplug_search_config(insmod_t) -+ firewalld_dontaudit_write_tmp_files(insmod_t) -+ firewallgui_dontaudit_rw_pipes(insmod_t) - ') - - optional_policy(` -- mount_domtrans(insmod_t) -+ hal_write_log(insmod_t) -+') -+ -+optional_policy(` -+ hotplug_search_config(insmod_t) - ') - - optional_policy(` -- nis_use_ypbind(insmod_t) -+ 
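Review bot: `files_read_var_lib_files(insmod_t)` (justified by the `vbox` comment) makes every var_lib_t file readable by the domain that already holds `kernel_load_module`, so any file under /var/lib becomes a candidate kernel module rather than only modules_object_t content. If the VirtualBox module directory is the real target, a dedicated file type or a file-context entry labelling that directory modules_object_t would keep the loadable set narrow. The raw `allow insmod_t modules_dep_t:file manage_file_perms;` should also go through an interface in modutils.if, consistent with the rest of the hunk, and `init_spec_domtrans_script(insmod_t)` deserves a comment since it lets the loader start init scripts.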
kdump_manage_kdumpctl_tmp_files(insmod_t) - ') - - optional_policy(` -- nscd_use(insmod_t) -+ mount_domtrans(insmod_t) - ') - - optional_policy(` -@@ -225,6 +256,7 @@ optional_policy(` - - optional_policy(` - rpm_rw_pipes(insmod_t) -+ rpm_manage_script_tmp_files(insmod_t) - ') - - optional_policy(` -@@ -233,6 +265,10 @@ optional_policy(` - ') - - optional_policy(` -+ virt_dontaudit_write_pipes(insmod_t) -+') -+ -+optional_policy(` - # cjp: why is this needed: - dev_rw_xserver_misc(insmod_t) - -@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t) - - logging_send_syslog_msg(update_modules_t) - --miscfiles_read_localization(update_modules_t) - --modutils_run_insmod(update_modules_t, update_modules_roles) -+#modutils_run_insmod(update_modules_t, update_modules_roles) - --userdom_use_user_terminals(update_modules_t) -+userdom_use_inherited_user_terminals(update_modules_t) - userdom_dontaudit_search_user_home_dirs(update_modules_t) - - ifdef(`distro_gentoo',` -diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..f035d9f 100644 ---- a/policy/modules/system/mount.fc -+++ b/policy/modules/system/mount.fc -@@ -1,4 +1,26 @@ -+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) - /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - --/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -+/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -+/run/mount(/.*)? 
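Review bot: Commenting out `modutils_run_insmod(update_modules_t, update_modules_roles)` removes the only visible transition from update_modules_t to insmod_t, and nothing in this hunk puts a replacement in. Since the role attribute was removed in the declarations hunk, the natural replacement is `modutils_domtrans_insmod(update_modules_t)`; if the transition is intentionally gone, delete the line rather than leaving dead commented-out policy. The `miscfiles_read_localization` removal is presumably because this tree grants it globally, but that is not visible here.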
gen_context(system_u:object_r:mount_var_run_t,s0) -+ -+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+ -+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) -+/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+ -+/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) -+ -+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -+ -+/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) -+/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) -+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) -+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) -diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..e432df3 100644 ---- a/policy/modules/system/mount.if -+++ b/policy/modules/system/mount.if -@@ -16,6 +16,13 @@ interface(`mount_domtrans',` - ') - - domtrans_pattern($1, mount_exec_t, mount_t) -+ mount_domtrans_fusermount($1) -+ -+ allow $1 mount_t:fd use; -+ ps_process_pattern(mount_t, $1) -+ -+ allow mount_t $1:key write; -+ allow mount_t $1:unix_stream_socket { read write }; - ') - - ######################################## -@@ -38,11 +45,122 @@ interface(`mount_domtrans',` - # - interface(`mount_run',` - gen_require(` -- attribute_role mount_roles; -+ #attribute_role mount_roles; -+ type mount_t; - ') - -+ #mount_domtrans($1) -+ #roleattribute $2 mount_roles; -+ - 
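Review bot: `allow mount_t $1:key write;` and `allow mount_t $1:unix_stream_socket { read write };` are now granted against every domain that calls `mount_domtrans`, with no comment on why mount needs to write the caller's keyring; presumably this is for key-based mounts such as cifs or ecryptfs, and a one-line comment like `# mount.cifs/ecryptfs add keys to the caller's session keyring` would let a reader judge the scope. The `ps_process_pattern`, `fd use` and stream-socket lines also duplicate the body of `mount_domtrans_fusermount`, which this interface now calls, so they can be dropped here or the two interfaces can share one helper.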
mount_domtrans($1) -- roleattribute $2 mount_roles; -+ role $2 types mount_t; -+ -+ optional_policy(` -+ fstools_run(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ lvm_run(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ modutils_run_insmod(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ rpc_run_rpcd(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ samba_run_smbmount(mount_t, $2) -+ ') -+ -+') -+ -+######################################## -+## -+## Execute fusermount in the mount domain, and -+## allow the specified role the mount domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the mount domain. -+## -+## -+## -+# -+interface(`mount_run_fusermount',` -+ gen_require(` -+ type mount_t; -+ ') -+ -+ mount_domtrans_fusermount($1) -+ role $2 types mount_t; -+ -+ fstools_run(mount_t, $2) -+') -+ -+######################################## -+## -+## Read mount PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mount_read_pid_files',` -+ gen_require(` -+ type mount_var_run_t; -+ ') -+ -+ read_files_pattern($1, mount_var_run_t, mount_var_run_t) -+ files_search_pids($1) -+') -+ -+######################################## -+## -+## Read/write mount PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mount_rw_pid_files',` -+ gen_require(` -+ type mount_var_run_t; -+ ') -+ -+ rw_files_pattern($1, mount_var_run_t, mount_var_run_t) -+ files_search_pids($1) -+') -+ -+######################################## -+## -+## Manage mount PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mount_manage_pid_files',` -+ gen_require(` -+ type mount_var_run_t; -+ ') -+ -+ allow $1 mount_var_run_t:file manage_file_perms; -+ files_search_pids($1) - ') - - ######################################## -@@ -91,7 +209,7 @@ interface(`mount_signal',` - ##
    - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',` - - ######################################## - ## --## Execute mount in the unconfined mount domain. -+## Read the mount tmp directory - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`mount_domtrans_unconfined',` -+interface(`mount_list_tmp',` - gen_require(` -- type unconfined_mount_t, mount_exec_t; -+ type mount_tmp_t; - ') - -- domtrans_pattern($1, mount_exec_t, unconfined_mount_t) -+ allow $1 mount_tmp_t:dir list_dir_perms; - ') - - ######################################## - ## --## Execute mount in the unconfined mount domain, and --## allow the specified role the unconfined mount domain, --## and use the caller's terminal. -+## Execute fusermount in the mount domain. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## --## -+# -+interface(`mount_domtrans_fusermount',` -+ gen_require(` -+ type mount_t, fusermount_exec_t; -+ ') -+ -+ domtrans_pattern($1, fusermount_exec_t, mount_t) -+ ps_process_pattern(mount_t, $1) -+ -+ allow mount_t $1:unix_stream_socket { read write }; -+ allow $1 mount_t:fd use; -+') -+ -+######################################## -+## -+## Execute fusermount. -+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # --interface(`mount_run_unconfined',` -+interface(`mount_exec_fusermount',` - gen_require(` -- type unconfined_mount_t; -+ type fusermount_exec_t; - ') - -- mount_domtrans_unconfined($1) -- role $2 types unconfined_mount_t; -+ can_exec($1, fusermount_exec_t) -+') -+ -+######################################## -+## -+## dontaudit Execute fusermount. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`mount_dontaudit_exec_fusermount',` -+ gen_require(` -+ type fusermount_exec_t; -+ ') -+ -+ dontaudit $1 fusermount_exec_t:file exec_file_perms; -+') -+ -+###################################### -+## -+## Execute a domain transition to run showmount. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mount_domtrans_showmount',` -+ gen_require(` -+ type showmount_t, showmount_exec_t; -+ ') -+ -+ domtrans_pattern($1, showmount_exec_t, showmount_t) -+') -+ -+###################################### -+## -+## Execute showmount in the showmount domain, and -+## allow the specified role the showmount domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the showmount domain. -+## -+## -+# -+interface(`mount_run_showmount',` -+ gen_require(` -+ type showmount_t; -+ ') -+ -+ mount_domtrans_showmount($1) -+ role $2 types showmount_t; -+') -+ -+####################################### -+## -+## Transition to ecryptmount. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mount_domtrans_ecryptmount',` -+ gen_require(` -+ type mount_ecryptfs_t, mount_ecryptfs_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) - ') -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..d941116 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) - # Declarations - # - --## --##

    --## Allow the mount command to mount any directory or file. --##

    --##
    --gen_tunable(allow_mount_anyfile, false) -- --attribute_role mount_roles; --roleattribute system_r mount_roles; -+#attribute_role mount_roles; -+#roleattribute system_r mount_roles; - - type mount_t; - type mount_exec_t; - init_system_domain(mount_t, mount_exec_t) --role mount_roles types mount_t; -+#role mount_roles types mount_t; -+role system_r types mount_t; -+ -+type fusermount_exec_t; -+domain_entry_file(mount_t, fusermount_exec_t) -+ -+typealias mount_t alias mount_ntfs_t; -+typealias mount_exec_t alias mount_ntfs_exec_t; - - type mount_loopback_t; # customizable - files_type(mount_loopback_t) -+typealias mount_loopback_t alias mount_loop_t; - - type mount_tmp_t; - files_tmp_file(mount_tmp_t) - --# causes problems with interfaces when --# this is optionally declared in monolithic --# policy--duplicate type declaration --type unconfined_mount_t; --application_domain(unconfined_mount_t, mount_exec_t) -+type mount_var_run_t; -+files_pid_file(mount_var_run_t) -+dev_associate(mount_var_run_t) -+ -+# showmount - show mount information for an NFS server -+ -+type showmount_t; -+type showmount_exec_t; -+application_domain(showmount_t, showmount_exec_t) -+role system_r types showmount_t; -+ -+type mount_ecryptfs_t; -+type mount_ecryptfs_exec_t; -+application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t) -+role system_r types mount_ecryptfs_t; -+ -+type mount_ecryptfs_tmpfs_t; -+files_tmpfs_file(mount_ecryptfs_tmpfs_t) - - ######################################## - # - # mount local policy - # - --# setuid/setgid needed to mount cifs --allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+# setuid/setgid needed to mount cifs -+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; -+allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; -+allow mount_t 
self:fifo_file rw_fifo_file_perms; -+allow mount_t self:unix_stream_socket create_stream_socket_perms; -+allow mount_t self:unix_dgram_socket create_socket_perms; - - allow mount_t mount_loopback_t:file read_file_perms; - -@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t) - - files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) - -+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,{ dir file }) -+files_var_filetrans(mount_t,mount_var_run_t,dir) -+dev_filetrans(mount_t, mount_var_run_t, dir) -+ -+# In order to mount reiserfs_t -+kernel_dontaudit_getattr_core_if(mount_t) -+kernel_list_unlabeled(mount_t) -+kernel_mount_unlabeled(mount_t) -+kernel_unmount_unlabeled(mount_t) - kernel_read_system_state(mount_t) -+kernel_read_network_state(mount_t) - kernel_read_kernel_sysctls(mount_t) --kernel_dontaudit_getattr_core_if(mount_t) -+kernel_relabelfrom_unlabeled_fs(mount_t) -+kernel_manage_debugfs(mount_t) -+kernel_setsched(mount_t) -+kernel_use_fds(mount_t) - kernel_dontaudit_write_debugfs_dirs(mount_t) - kernel_dontaudit_write_proc_dirs(mount_t) - # To load binfmt_misc kernel module -@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t) - # required for mount.smbfs - corecmd_exec_bin(mount_t) - -+dev_getattr_generic_blk_files(mount_t) - dev_getattr_all_blk_files(mount_t) - dev_list_all_dev_nodes(mount_t) -+dev_read_usbfs(mount_t) -+dev_read_rand(mount_t) -+dev_read_urand(mount_t) - dev_read_sysfs(mount_t) - dev_dontaudit_write_sysfs_dirs(mount_t) - dev_rw_lvm_control(mount_t) - dev_dontaudit_getattr_all_chr_files(mount_t) - dev_dontaudit_getattr_memory_dev(mount_t) - dev_getattr_sound_dev(mount_t) -+dev_rw_loop_control(mount_t) -+ -+ifdef(`hide_broken_symptoms',` -+ dev_rw_generic_blk_files(mount_t) -+') -+ - # Early devtmpfs, before udev relabel - dev_dontaudit_rw_generic_chr_files(mount_t) - - domain_use_interactive_fds(mount_t) 
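Review bot: The hunk deletes `gen_tunable(allow_mount_anyfile, false)` together with its description, yet a later hunk in this file still references `tunable_policy(`mount_anyfile',`; unless `mount_anyfile` is declared in a global tunables file not shown here, the module will fail to build, and existing `allow_mount_anyfile` settings in local boolean configuration are silently dropped either way. Re-add the declaration under the new name with its `<desc>` block, or note where it now lives. The `unconfined_mount_t` removal is consistent with the interface hunk, but a comment that the unconfined path is now handled by the `unconfined_domain(mount_t)` block at the end of the file would help.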
-+domain_read_all_domains_state(mount_t) - - files_search_all(mount_t) - files_read_etc_files(mount_t) -+files_read_etc_runtime_files(mount_t) - files_manage_etc_runtime_files(mount_t) - files_etc_filetrans_etc_runtime(mount_t, file) -+# for when /etc/mtab loses its type -+files_delete_etc_files(mount_t) - files_mounton_all_mountpoints(mount_t) -+files_setattr_all_mountpoints(mount_t) -+# ntfs-3g checks whether the mountpoint is writable before mounting -+files_write_all_mountpoints(mount_t) - files_unmount_rootfs(mount_t) -+ - # These rules need to be generalized. Only admin, initrc should have it: --files_relabelto_all_file_type_fs(mount_t) -+files_relabel_all_file_type_fs(mount_t) - files_mount_all_file_type_fs(mount_t) - files_unmount_all_file_type_fs(mount_t) --# for when /etc/mtab loses its type --# cjp: this seems wrong, the type should probably be etc - files_read_isid_type_files(mount_t) - # For reading cert files - files_read_usr_files(mount_t) -@@ -92,28 +141,39 @@ files_list_mnt(mount_t) - files_dontaudit_write_all_mountpoints(mount_t) - files_dontaudit_setattr_all_mountpoints(mount_t) - --fs_getattr_xattr_fs(mount_t) --fs_getattr_cifs(mount_t) -+fs_list_all(mount_t) -+fs_getattr_all_fs(mount_t) - fs_mount_all_fs(mount_t) - fs_unmount_all_fs(mount_t) - fs_remount_all_fs(mount_t) - fs_relabelfrom_all_fs(mount_t) --fs_list_auto_mountpoints(mount_t) -+fs_rw_anon_inodefs_files(mount_t) - fs_rw_tmpfs_chr_files(mount_t) -+fs_rw_nfsd_fs(mount_t) -+fs_rw_removable_blk_files(mount_t) -+#fs_manage_tmpfs_dirs(mount_t) - fs_read_tmpfs_symlinks(mount_t) -+fs_read_fusefs_files(mount_t) -+fs_manage_nfs_dirs(mount_t) -+fs_read_nfs_symlinks(mount_t) -+fs_manage_cgroup_dirs(mount_t) -+fs_manage_cgroup_files(mount_t) - fs_dontaudit_write_tmpfs_dirs(mount_t) - --mls_file_read_all_levels(mount_t) --mls_file_write_all_levels(mount_t) -+mls_file_read_to_clearance(mount_t) -+mls_file_write_to_clearance(mount_t) -+mls_process_write_to_clearance(mount_t) - - 
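Review bot: `files_setattr_all_mountpoints(mount_t)` and `files_write_all_mountpoints(mount_t)` make the `files_dontaudit_write_all_mountpoints(mount_t)` and `files_dontaudit_setattr_all_mountpoints(mount_t)` lines kept as context in the next hunk dead; remove the dontaudit pair so the grant is visible in one place. `files_delete_etc_files(mount_t)` with the comment about /etc/mtab allows unlink on every etc_t file, which is wider than the one file it is meant for; if mtab cannot be given its own type, say so in the comment. The `hide_broken_symptoms` block granting `dev_rw_generic_blk_files(mount_t)` also deserves a note on which device is mislabelled early in boot.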
selinux_get_enforce_mode(mount_t) -+selinux_mounton_fs(mount_t) - - storage_raw_read_fixed_disk(mount_t) - storage_raw_write_fixed_disk(mount_t) - storage_raw_read_removable_device(mount_t) - storage_raw_write_removable_device(mount_t) -+storage_rw_fuse(mount_t) - --term_use_all_terms(mount_t) -+term_use_all_inherited_terms(mount_t) - term_dontaudit_manage_pty_dirs(mount_t) - - auth_use_nsswitch(mount_t) -@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t) - init_use_fds(mount_t) - init_use_script_ptys(mount_t) - init_dontaudit_getattr_initctl(mount_t) -+init_stream_connect_script(mount_t) -+init_rw_script_stream_sockets(mount_t) - - logging_send_syslog_msg(mount_t) - --miscfiles_read_localization(mount_t) -- - sysnet_use_portmap(mount_t) - - seutil_read_config(mount_t) - -+systemd_passwd_agent_domtrans(mount_t) -+ - userdom_use_all_users_fds(mount_t) -+userdom_manage_user_home_content_dirs(mount_t) -+userdom_read_user_home_content_symlinks(mount_t) -+userdom_list_user_tmp(mount_t) - - ifdef(`distro_redhat',` - optional_policy(` -@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',` - ') - ') - --tunable_policy(`allow_mount_anyfile',` -- files_list_non_auth_dirs(mount_t) -- files_read_non_auth_files(mount_t) -+corecmd_exec_shell(mount_t) -+ -+tunable_policy(`mount_anyfile',` -+ files_read_non_security_files(mount_t) - files_mounton_non_security(mount_t) -+ files_rw_inherited_non_security_files(mount_t) - ') - - optional_policy(` - # for nfs -- corenet_all_recvfrom_unlabeled(mount_t) - corenet_all_recvfrom_netlabel(mount_t) -- corenet_tcp_sendrecv_all_if(mount_t) -- corenet_raw_sendrecv_all_if(mount_t) -- corenet_udp_sendrecv_all_if(mount_t) -- corenet_tcp_sendrecv_all_nodes(mount_t) -- corenet_raw_sendrecv_all_nodes(mount_t) -- corenet_udp_sendrecv_all_nodes(mount_t) -+ corenet_tcp_sendrecv_generic_if(mount_t) -+ corenet_raw_sendrecv_generic_if(mount_t) -+ corenet_udp_sendrecv_generic_if(mount_t) -+ corenet_tcp_sendrecv_generic_node(mount_t) -+ 
corenet_raw_sendrecv_generic_node(mount_t) -+ corenet_udp_sendrecv_generic_node(mount_t) - corenet_tcp_sendrecv_all_ports(mount_t) - corenet_udp_sendrecv_all_ports(mount_t) -- corenet_tcp_bind_all_nodes(mount_t) -- corenet_udp_bind_all_nodes(mount_t) -+ corenet_tcp_bind_generic_node(mount_t) -+ corenet_udp_bind_generic_node(mount_t) - corenet_tcp_bind_generic_port(mount_t) - corenet_udp_bind_generic_port(mount_t) - corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +245,9 @@ optional_policy(` - fs_search_rpc(mount_t) - - rpc_stub(mount_t) -+ -+ rpc_domtrans_rpcd(mount_t) -+ rpcbind_stream_connect(mount_t) - ') - - optional_policy(` -@@ -186,6 +255,40 @@ optional_policy(` - ') - - optional_policy(` -+ cron_system_entry(mount_t, mount_exec_t) -+') -+ -+optional_policy(` -+ devicekit_read_state_power(mount_t) -+') -+ -+optional_policy(` -+ fsadm_manage_pid(mount_t) -+') -+ -+optional_policy(` -+ glusterd_domtrans(mount_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(mount_t) -+ -+ optional_policy(` -+ hal_dbus_chat(mount_t) -+ ') -+') -+ -+optional_policy(` -+ glusterd_domtrans(mount_t) -+') -+ -+optional_policy(` -+ hal_write_log(mount_t) -+ hal_use_fds(mount_t) -+ hal_dontaudit_rw_pipes(mount_t) -+') -+ -+optional_policy(` - ifdef(`hide_broken_symptoms',` - # for a bug in the X server - rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +297,132 @@ optional_policy(` - ') - - optional_policy(` -+ livecd_rw_tmp_files(mount_t) -+') -+ -+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 -+optional_policy(` -+# lvm_run(mount_t, mount_roles) -+ lvm_domtrans(mount_t) -+') -+ -+optional_policy(` -+ #modutils_run_insmod(mount_t, mount_roles) -+ modutils_domtrans_insmod(mount_t) -+ modutils_read_module_deps(mount_t) -+') -+ -+optional_policy(` -+ fstools_domtrans(mount_t) -+ #fstools_run(mount_t, mount_roles) -+') -+ -+optional_policy(` -+ rhcs_stream_connect_gfs_controld(mount_t) -+') -+ -+#optional_policy(` -+# rpc_run_rpcd(mount_t, 
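Review bot: The hunk adds `optional_policy(` glusterd_domtrans(mount_t) ')` twice, once before the dbus block and once after it; the second copy is redundant and should be removed so the file stays easy to diff. The `hal_write_log`/`hal_use_fds`/`hal_dontaudit_rw_pipes` block is fine but would read better with a comment that it is kept for systems still running hal.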
mount_roles) -+#') -+ -+optional_policy(` - puppet_rw_tmp(mount_t) - ') - - # for kernel package installation - optional_policy(` - rpm_rw_pipes(mount_t) -+ rpm_dontaudit_leaks(mount_t) - ') - - optional_policy(` -- samba_run_smbmount(mount_t, mount_roles) -+ samba_read_config(mount_t) -+ samba_domtrans_smbmount(mount_t) -+ #samba_run_smbmount(mount_t, mount_roles) - ') - --######################################## --# --# Unconfined mount local policy --# -+optional_policy(` -+ ssh_exec(mount_t) -+ ssh_append_home_files(mount_t) -+') -+ -+optional_policy(` -+ usbmuxd_stream_connect(mount_t) -+') -+ -+optional_policy(` -+ userhelper_exec_console(mount_t) -+') -+ -+optional_policy(` -+ unconfined_write_keys(mount_t) -+') -+ -+optional_policy(` -+ virt_read_blk_images(mount_t) -+') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) -+ vmware_exec_host(mount_t) - ') -+ -+optional_policy(` -+ unconfined_domain(mount_t) -+') -+ -+###################################### -+# -+# showmount local policy -+# -+ -+allow showmount_t self:tcp_socket create_stream_socket_perms; -+allow showmount_t self:udp_socket create_socket_perms; -+ -+kernel_read_system_state(showmount_t) -+ -+corenet_all_recvfrom_netlabel(showmount_t) -+corenet_tcp_sendrecv_generic_if(showmount_t) -+corenet_udp_sendrecv_generic_if(showmount_t) -+corenet_tcp_sendrecv_generic_node(showmount_t) -+corenet_udp_sendrecv_generic_node(showmount_t) -+corenet_tcp_sendrecv_all_ports(showmount_t) -+corenet_udp_sendrecv_all_ports(showmount_t) -+corenet_tcp_bind_generic_node(showmount_t) -+corenet_udp_bind_generic_node(showmount_t) -+corenet_tcp_bind_all_rpc_ports(showmount_t) -+corenet_udp_bind_all_rpc_ports(showmount_t) -+corenet_tcp_connect_all_ports(showmount_t) -+ -+files_read_etc_files(showmount_t) -+files_read_etc_runtime_files(showmount_t) -+ -+ -+sysnet_dns_name_resolve(showmount_t) -+ -+userdom_use_inherited_user_terminals(showmount_t) -+ 
-+####################################### -+# -+# mount_ecryptfs local policy -+# -+ -+domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t) -+ -+allow mount_ecryptfs_t self:capability setgid; -+allow mount_ecryptfs_t self:capability { setuid sys_admin }; -+allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms; -+allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) -+manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) -+fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file }) -+userdom_rw_user_tmpfs_files(mount_ecryptfs_t) -+ -+domain_use_interactive_fds(mount_ecryptfs_t) -+ -+files_read_etc_files(mount_ecryptfs_t) -+ -+fs_read_ecryptfs_symlinks(mount_ecryptfs_t) -+fs_read_ecryptfs_files(mount_ecryptfs_t) -+ -+auth_use_nsswitch(mount_ecryptfs_t) -diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc -index b263a8a..15576ab 100644 ---- a/policy/modules/system/netlabel.fc -+++ b/policy/modules/system/netlabel.fc -@@ -1 +1,6 @@ - /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) -+ -+/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0) -+ -+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) -+/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) -diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..b569d5f 100644 ---- a/policy/modules/system/netlabel.te -+++ b/policy/modules/system/netlabel.te -@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) - - type netlabel_mgmt_t; - type netlabel_mgmt_exec_t; -+init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) - application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) - role system_r types netlabel_mgmt_t; - -+type netlabel_mgmt_unit_file_t; 
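Review bot: `optional_policy(` unconfined_domain(mount_t) ')` makes mount_t fully unconfined whenever the unconfined module is loaded, so every fine-grained rule above it and the `mount_anyfile` tunable only have effect in builds without that module; that is a policy decision worth a comment at the block, e.g. `# mount is unconfined on targeted; the rules above only bind on MLS/strict builds`. In the mount_ecryptfs section, `allow mount_ecryptfs_t self:capability setgid;` and `allow mount_ecryptfs_t self:capability { setuid sys_admin };` can be merged into one rule. `corenet_tcp_connect_all_ports(showmount_t)` is wider than the rpcbind/mountd endpoints showmount talks to, though mountd's port may be dynamic on this tree; a comment would settle it.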
-+systemd_unit_file(netlabel_mgmt_unit_file_t) -+ - ######################################## - # - # NetLabel Management Tools Local policy -@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t; - allow netlabel_mgmt_t self:capability net_admin; - allow netlabel_mgmt_t self:netlink_socket create_socket_perms; - -+can_exec(netlabel_mgmt_t, netlabel_mgmt_t) -+ - kernel_read_network_state(netlabel_mgmt_t) -+kernel_read_system_state(netlabel_mgmt_t) -+ -+corecmd_exec_bin(netlabel_mgmt_t) -+corecmd_exec_shell(netlabel_mgmt_t) - - files_read_etc_files(netlabel_mgmt_t) - -+term_use_all_inherited_terms(netlabel_mgmt_t) -+ - seutil_use_newrole_fds(netlabel_mgmt_t) - --userdom_use_user_terminals(netlabel_mgmt_t) -+auth_read_passwd(netlabel_mgmt_t) -+ -+userdom_use_inherited_user_terminals(netlabel_mgmt_t) -+ -diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index d43f3b1..870bc36 100644 ---- a/policy/modules/system/selinuxutil.fc -+++ b/policy/modules/system/selinuxutil.fc -@@ -6,13 +6,14 @@ - /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) - /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) - /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) --/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) -+/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0) -+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) - /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) --/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) - /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? 
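Review bot: `can_exec(netlabel_mgmt_t, netlabel_mgmt_t)` passes the process domain as the file type, so it grants execute on nothing useful; the intent is almost certainly `can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)`, which the netlabel.fc hunk supports by labelling both netlabelctl and netlabel-config with netlabel_mgmt_exec_t. The declarations hunk applies both `init_daemon_domain` and `application_domain` to the same pair, which is redundant; keep whichever matches how the unit file starts it.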
gen_context(system_u:object_r:semanage_store_t,s0) - /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) - /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) --/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) - - # - # /root -@@ -35,19 +36,27 @@ - /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) - - /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) -+/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) - /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) - /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) - /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) --/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) -+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) - /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) - /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) -+/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) -+/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) - - # - # /var/lib - # - /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) -+/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) - - # - # /var/run - # - /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) -+ -+ -+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -+/etc/share/selinux/mls(/.*)? 
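Review bot: `seusers` and `users(/.*)?` move from `mls_systemhigh` to `s0` while `setrans.conf` in the same hunk stays at `mls_systemhigh`, which is inconsistent and, on an MLS build, lets low-level processes that can read selinux_config_t read the login-to-SELinux-user mapping. If the downgrade is deliberate for the targeted policy, add a comment saying so; otherwise keep the original range. Relabelling `policy(/.*)?` from policy_config_t to semanage_store_t also changes which interfaces cover the binary policy, so callers of the old policy_config_t interfaces should be checked.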
gen_context(system_u:object_r:semanage_store_t,s0) -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..270bde3 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` - # - interface(`seutil_run_newrole',` - gen_require(` -- attribute_role newrole_roles; -+ type newrole_t; -+ #attribute_role newrole_roles; - ') - -+ #seutil_domtrans_newrole($1) -+ #roleattribute $2 newrole_roles; -+ - seutil_domtrans_newrole($1) -- roleattribute $2 newrole_roles; -+ role $2 types newrole_t; -+ -+ auth_run_upd_passwd(newrole_t, $2) -+ -+ optional_policy(` -+ namespace_init_run(newrole_t, $2) -+ ') -+ - ') - - ######################################## -@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',` - - ######################################## - ## -+## Execute restorecond in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`seutil_exec_restorecond',` -+ gen_require(` -+ type restorecond_exec_t; -+ ') -+ -+ files_search_usr($1) -+ corecmd_search_bin($1) -+ can_exec($1, restorecond_exec_t) -+') -+ -+######################################## -+## - ## Execute run_init in the run_init domain. 
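Review bot: The two new entries `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` look like a typo for `/usr/share/selinux/...`, which is where policy packages are normally installed; as written they match nothing on a standard layout. Either correct the prefix or add a comment explaining the non-standard path. The double blank line before them should also be collapsed to match the rest of the file.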
- ## - ## -@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` - # - interface(`seutil_run_runinit',` - gen_require(` -- attribute_role run_init_roles; -+ #attribute_role run_init_roles; -+ type run_init_t; -+ role system_r; - ') - -- seutil_domtrans_runinit($1) -- roleattribute $2 run_init_roles; -+ #seutil_domtrans_runinit($1) -+ #roleattribute $2 run_init_roles; -+ -+ auth_run_chk_passwd(run_init_t, $2) -+ seutil_domtrans_runinit($1) -+ role $2 types run_init_t; -+ -+ allow $2 system_r; -+ - ') - - ######################################## -@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',` - # - interface(`seutil_init_script_run_runinit',` - gen_require(` -- attribute_role run_init_roles; -+ #attribute_role run_init_roles; -+ type run_init_t; -+ role system_r; - ') - -- seutil_init_script_domtrans_runinit($1) -- roleattribute $2 run_init_roles; -+ #seutil_init_script_domtrans_runinit($1) -+ #roleattribute $2 run_init_roles; -+ auth_run_chk_passwd(run_init_t, $2) -+ seutil_init_script_domtrans_runinit($1) -+ role $2 types run_init_t; -+ -+ allow $2 system_r; -+ - ') - - ######################################## -@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',` - - ######################################## - ## -+## Execute setfiles in the setfiles domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`seutil_domtrans_setfiles_mac',` -+ gen_require(` -+ type setfiles_mac_t, setfiles_exec_t; -+ ') -+ -+ files_search_usr($1) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) -+') -+ -+######################################## -+## -+## Execute setfiles in the setfiles_mac domain, and -+## allow the specified role the setfiles_mac domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the setfiles_mac domain. 
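Review bot: `allow $2 system_r;` is a role-allow that lets any role passed to `seutil_run_runinit` change into system_r, which is the real privilege this interface confers; it is what run_init needs, but it should carry a comment such as `# run_init switches the caller's role to system_r before starting the service` so callers understand what they are granting. The commented-out `#seutil_domtrans_runinit($1)` and `#roleattribute $2 run_init_roles;` lines duplicate the live call just below and should be deleted rather than kept.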
-+##
-+##
-+##
-+#
-+interface(`seutil_run_setfiles_mac',`
-+ gen_require(`
-+ type setfiles_mac_t;
-+ ')
-+
-+ seutil_domtrans_setfiles_mac($1)
-+ role $2 types setfiles_mac_t;
-+')
-+
-+########################################
-+##
- ## Execute setfiles in the caller domain.
- ##
- ##
-@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
- ')
-
- files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-
-+######################################
-+##
-+## Create, read, write, and delete
-+## the general selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_manage_config_dirs',`
-+ gen_require(`
-+ type selinux_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the SELinux
-+## login configuration directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_search_login_config',`
-+ gen_require(`
-+ type selinux_login_config_t;
-+ ')
-+
-+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read the SELinux
-+## login configuration.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`seutil_dontaudit_read_login_config',`
-+ gen_require(`
-+ type selinux_login_config_t;
-+ ')
-+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
-+ dontaudit $1 selinux_login_config_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Read the SELinux login configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_read_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
-+########################################
-+##
-+## Read and write the SELinux login configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_rw_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir list_dir_perms;
-+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
- #######################################
- ##
- ## Create, read, write, and delete
-@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`seutil_manage_config_dirs',`
-+interface(`seutil_rw_login_config_dirs',`
- gen_require(`
- type selinux_config_t;
-+ type selinux_login_config_t;
- ')
-
- files_search_etc($1)
-- allow $1 selinux_config_t:dir manage_dir_perms;
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ allow $1 selinux_login_config_t:dir rw_dir_perms;
-+')
-+
-+######################################
-+##
-+## Create, read, write, and delete
-+## the general selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_manage_login_config',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+')
-+
-+######################################
-+##
-+## manage the login selinux configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_manage_login_config_files',`
-+ gen_require(`
-+ type selinux_config_t;
-+ type selinux_login_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir search_dir_perms;
-+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
-+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
- ')
-
- ########################################
-@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
- read_files_pattern($1, default_context_t, default_context_t)
- ')
-
-+#######################################
-+##
-+## Read and write the default_contexts files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`seutil_rw_default_contexts',`
-+ gen_require(`
-+ type default_context_t;
-+ type selinux_config_t;
-+ ')
-+
-+ files_search_etc($1)
-+ allow $1 selinux_config_t:dir list_dir_perms;
-+ allow $1 default_context_t:dir list_dir_perms;
-+ rw_files_pattern($1, default_context_t, default_context_t)
-+')
-+
- ########################################
- ##
- ## Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',`
-
- files_search_etc($1)
- allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
-+ list_dirs_pattern($1, file_context_t, file_context_t)
- read_files_pattern($1, file_context_t, file_context_t)
-+ read_lnk_files_pattern($1, file_context_t, file_context_t)
- ')
-
- ########################################
-@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',`
-
- ########################################
- ##
-+## Execute a domain transition to run setsebool.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`seutil_domtrans_setsebool',`
-+ gen_require(`
-+ type setsebool_t, setsebool_exec_t;
-+ ')
-+
-+ files_search_usr($1)
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+##
- ## Execute semanage in the semanage domain, and
- ## allow the specified role the semanage domain,
- ## and use the caller's terminal.
-@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',`
- #
- interface(`seutil_run_semanage',`
- gen_require(`
-- attribute_role semanage_roles;
-+ #attribute_role semanage_roles;
-+ type semanage_t;
- ')
-
-+ #seutil_domtrans_semanage($1)
-+ #roleattribute $2 semanage_roles;
-+
- seutil_domtrans_semanage($1)
-- roleattribute $2 semanage_roles;
-+ seutil_run_setfiles(semanage_t, $2)
-+ seutil_run_loadpolicy(semanage_t, $2)
-+ role $2 types semanage_t;
-+
-+')
-+
-+########################################
-+##
-+## Execute setsebool in the semanage domain, and
-+## allow the specified role the semanage domain,
-+## and use the caller's terminal.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the setsebool domain.
-+##
-+##
-+##
-+#
-+interface(`seutil_run_setsebool',`
-+ gen_require(`
-+ type semanage_t;
-+ ')
-+
-+ seutil_domtrans_setsebool($1)
-+ role $2 types setsebool_t;
-+')
-+
-+########################################
-+##
-+## Full management of the semanage
-+## module store.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_read_module_store',`
-+ gen_require(`
-+ type selinux_config_t, semanage_store_t;
-+ ')
-+
-+ files_search_etc($1)
-+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
-+ read_files_pattern($1, semanage_store_t, semanage_store_t)
-+ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
- ')
-
- ########################################
-@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',`
- files_search_etc($1)
- manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
- manage_files_pattern($1, semanage_store_t, semanage_store_t)
-+ manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
- filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
- ')
-
- #######################################
-@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
- selinux_dontaudit_get_fs_mount($1)
- seutil_dontaudit_read_config($1)
- ')
-+
-+#######################################
-+##
-+## All rules necessary to run semanage command
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_semanage_policy',`
-+ gen_require(`
-+ type semanage_tmp_t;
-+ type policy_config_t;
-+ attribute policy_manager_domain;
-+ ')
-+ typeattribute $1 policy_manager_domain;
-+
-+ kernel_read_system_state($1)
-+
-+ # Running genhomedircon requires this for finding all users
-+ auth_use_nsswitch($1)
-+
-+ mls_file_write_all_levels($1)
-+ mls_file_read_all_levels($1)
-+
-+ selinux_get_enforce_mode($1)
-+ selinux_set_enforce_mode($1)
-+
-+ seutil_manage_bin_policy($1)
-+
-+ logging_send_syslog_msg($1)
-+')
-+
-+#######################################
-+##
-+## All rules necessary to run setfiles command
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_setfiles',`
-+
-+ gen_require(`
-+ attribute setfiles_domain;
-+ ')
-+ typeattribute $1 setfiles_domain;
-+
-+ kernel_read_system_state($1)
-+ seutil_libselinux_linked($1)
-+
-+ files_relabel_all_files($1)
-+
-+ mls_file_read_all_levels($1)
-+ mls_file_write_all_levels($1)
-+ mls_file_upgrade($1)
-+ mls_file_downgrade($1)
-+
-+ # this is to satisfy the assertion:
-+ auth_relabelto_shadow($1)
-+
-+ logging_send_syslog_msg($1)
-+')
-+
-+#####################################
-+##
-+## File name transition for selinux utility content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_filetrans_named_content',`
-+ gen_require(`
-+ type default_context_t, semanage_store_t;
-+ type selinux_config_t, semanage_trans_lock_t;
-+ type file_context_t, selinux_login_config_t;
-+ ')
-+
-+ filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
-+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
-+ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK")
-+ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK")
-+ filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins")
-+ filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
-+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## semanage dbus server over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`seutil_dbus_chat_semanage',`
-+ gen_require(`
-+ type semanage_t;
-+ class dbus send_msg;
-+ ')
-+
-+ ps_process_pattern(semanage_t, $1)
-+
-+ allow $1 semanage_t:dbus send_msg;
-+ allow semanage_t $1:dbus send_msg;
-+')
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..ececda2 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -11,14 +11,16 @@ gen_require(`
-
- attribute can_write_binary_policy;
- attribute can_relabelto_binary_policy;
-+attribute setfiles_domain;
-+attribute policy_manager_domain;
-
--attribute_role newrole_roles;
-+#attribute_role newrole_roles;
-
--attribute_role run_init_roles;
--role system_r types run_init_t;
-+#attribute_role run_init_roles;
-+#role system_r types run_init_t;
-
--attribute_role semanage_roles;
--roleattribute system_r semanage_roles;
-+#attribute_role semanage_roles;
-+#roleattribute system_r semanage_roles;
-
- #
- # selinux_config_t is the type applied to
-@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
- # in the domain_type interface
- # (fix dup decl)
- type selinux_config_t;
--files_type(selinux_config_t)
-+files_security_file(selinux_config_t)
-+
-+type selinux_login_config_t;
-+files_security_file(selinux_login_config_t)
-+
-+type selinux_var_lib_t;
-+files_type(selinux_var_lib_t)
-
- type checkpolicy_t, can_write_binary_policy;
- type checkpolicy_exec_t;
-@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
- # /etc/selinux/*/contexts/*
- #
- type default_context_t;
--files_type(default_context_t)
-+files_security_file(default_context_t)
-
- #
- # file_context_t is the type applied to
- # /etc/selinux/*/contexts/files
- #
- type file_context_t;
--files_type(file_context_t)
-+files_security_file(file_context_t)
-
- type load_policy_t;
- type load_policy_exec_t;
-@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
- domain_role_change_exemption(newrole_t)
-
domain_obj_id_change_exemption(newrole_t)
- domain_interactive_fd(newrole_t)
--role newrole_roles types newrole_t;
-+#role newrole_roles types newrole_t;
-+role system_r types newrole_t;
-
- #
- # policy_config_t is the type of /etc/security/selinux/*
- # the security server policy configuration.
- #
--type policy_config_t;
--files_type(policy_config_t)
-+#type policy_config_t;
-+#files_type(policy_config_t)
-+gen_require(`
-+ type semanage_store_t;
-+')
-+
-+typealias semanage_store_t alias policy_config_t;
-
- neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
- #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +97,6 @@ type restorecond_t;
- type restorecond_exec_t;
- init_daemon_domain(restorecond_t, restorecond_exec_t)
- domain_obj_id_change_exemption(restorecond_t)
--role system_r types restorecond_t;
-
- type restorecond_var_run_t;
- files_pid_file(restorecond_var_run_t)
-@@ -92,25 +105,32 @@ type run_init_t;
- type run_init_exec_t;
- application_domain(run_init_t, run_init_exec_t)
- domain_system_change_exemption(run_init_t)
--role run_init_roles types run_init_t;
-+#role run_init_roles types run_init_t;
-+role system_r types run_init_t;
-
- type semanage_t;
- type semanage_exec_t;
- application_domain(semanage_t, semanage_exec_t)
-+init_daemon_domain(semanage_t, semanage_exec_t)
- domain_interactive_fd(semanage_t)
--role semanage_roles types semanage_t;
-+#role semanage_roles types semanage_t;
-+role system_r types semanage_t;
-+
-+type setsebool_t;
-+type setsebool_exec_t;
-+init_system_domain(setsebool_t, setsebool_exec_t)
-
- type semanage_store_t;
--files_type(semanage_store_t)
-+files_security_file(semanage_store_t)
-
- type semanage_read_lock_t;
--files_type(semanage_read_lock_t)
-+files_lock_file(semanage_read_lock_t)
-
- type semanage_tmp_t;
- files_tmp_file(semanage_tmp_t)
-
--type semanage_trans_lock_t;
--files_type(semanage_trans_lock_t)
-+type semanage_trans_lock_t;
-+files_lock_file(semanage_trans_lock_t)
-
- type semanage_var_lib_t;
- files_type(semanage_var_lib_t)
-@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
- init_system_domain(setfiles_t, setfiles_exec_t)
- domain_obj_id_change_exemption(setfiles_t)
-
-+type setfiles_mac_t;
-+domain_type(setfiles_mac_t)
-+domain_entry_file(setfiles_mac_t, setfiles_exec_t)
-+domain_obj_id_change_exemption(setfiles_mac_t)
-+
- ########################################
- #
- # Checkpolicy local policy
-@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
- read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
- read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
- allow checkpolicy_t selinux_config_t:dir search_dir_perms;
-+allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
-
- domain_use_interactive_fds(checkpolicy_t)
-
-@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
- init_use_fds(checkpolicy_t)
- init_use_script_ptys(checkpolicy_t)
-
--userdom_use_user_terminals(checkpolicy_t)
-+userdom_use_inherited_user_terminals(checkpolicy_t)
- userdom_use_all_users_fds(checkpolicy_t)
-
- ifdef(`distro_ubuntu',`
-@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
-
- init_use_script_fds(load_policy_t)
- init_use_script_ptys(load_policy_t)
--
--miscfiles_read_localization(load_policy_t)
-+init_write_script_pipes(load_policy_t)
-
- seutil_libselinux_linked(load_policy_t)
-
--userdom_use_user_terminals(load_policy_t)
-+userdom_use_inherited_user_terminals(load_policy_t)
- userdom_use_all_users_fds(load_policy_t)
-+userdom_dontaudit_read_user_tmp_files(load_policy_t)
-
- ifdef(`distro_ubuntu',`
- optional_policy(`
-@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
- ifdef(`hide_broken_symptoms',`
- # cjp: cover up stray file descriptors.
- dontaudit load_policy_t selinux_config_t:file write;
-+ dontaudit load_policy_t selinux_login_config_t:file write;
-
- optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +242,17 @@ optional_policy(`
- portage_dontaudit_use_fds(load_policy_t)
- ')
-
-+optional_policy(`
-+ # pki is leaking
-+ pki_dontaudit_write_log(load_policy_t)
-+')
-+
- ########################################
- #
- # Newrole local policy
- #
-
--allow newrole_t self:capability { fowner setuid setgid dac_override };
-+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
- allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
- allow newrole_t self:process setexec;
- allow newrole_t self:fd use;
-@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
- allow newrole_t self:msg { send receive };
- allow newrole_t self:unix_dgram_socket sendto;
- allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(newrole_t)
-
- read_files_pattern(newrole_t, default_context_t, default_context_t)
- read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
- # for when the user types "exec newrole" at the command line:
- domain_sigchld_interactive_fds(newrole_t)
-
-+files_list_var(newrole_t)
- files_read_etc_files(newrole_t)
- files_read_var_files(newrole_t)
- files_read_var_symlinks(newrole_t)
-@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
- term_getattr_unallocated_ttys(newrole_t)
- term_dontaudit_use_unallocated_ttys(newrole_t)
-
--auth_use_nsswitch(newrole_t)
--auth_run_chk_passwd(newrole_t, newrole_roles)
--auth_run_upd_passwd(newrole_t, newrole_roles)
--auth_rw_faillog(newrole_t)
-+auth_use_pam(newrole_t)
-
- # Write to utmp.
- init_rw_utmp(newrole_t)
- init_use_fds(newrole_t)
-
--logging_send_syslog_msg(newrole_t)
--
--miscfiles_read_localization(newrole_t)
-
- seutil_libselinux_linked(newrole_t)
-
-+userdom_use_unpriv_users_fds(newrole_t)
- # for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content(newrole_t)
- userdom_search_user_home_dirs(newrole_t)
-
-+# need to talk with dbus
-+optional_policy(`
-+ dbus_system_bus_client(newrole_t)
-+')
-+
-+#optional_policy(`
-+# namespace_init_run(newrole_t, newrole_roles)
-+#')
-+
-+
-+optional_policy(`
-+ xserver_dontaudit_exec_xauth(newrole_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(newrole_t)
-@@ -309,7 +351,7 @@ if(secure_mode) {
- userdom_spec_domtrans_all_users(newrole_t)
- }
-
--tunable_policy(`allow_polyinstantiation',`
-+tunable_policy(`polyinstantiation_enabled',`
- files_polyinstantiate_all(newrole_t)
- ')
-
-@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
- kernel_rw_pipes(restorecond_t)
- kernel_read_system_state(restorecond_t)
-
-+dev_relabel_all_dev_nodes(restorecond_t)
-+
-+files_dontaudit_read_all_symlinks(restorecond_t)
-+
- fs_relabelfrom_noxattr_fs(restorecond_t)
- fs_dontaudit_list_nfs(restorecond_t)
--fs_getattr_xattr_fs(restorecond_t)
-+fs_getattr_all_fs(restorecond_t)
- fs_list_inotifyfs(restorecond_t)
-
- selinux_validate_context(restorecond_t)
-@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
-
- files_relabel_non_auth_files(restorecond_t )
- files_read_non_auth_files(restorecond_t)
-+
- auth_use_nsswitch(restorecond_t)
-
- locallogin_dontaudit_use_fds(restorecond_t)
-
- logging_send_syslog_msg(restorecond_t)
-
--miscfiles_read_localization(restorecond_t)
--
- seutil_libselinux_linked(restorecond_t)
-
-+userdom_read_user_home_content_symlinks(restorecond_t)
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(restorecond_t)
-@@ -366,21 +413,24 @@ optional_policy(`
- # Run_init local policy
- #
-
--allow run_init_roles system_r;
-+#allow run_init_roles system_r;
-
- allow run_init_t self:process setexec;
- allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file rw_file_perms;
--allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(run_init_t)
-
- # often the administrator runs such programs from a directory that is owned
- # by a different user or has restrictive SE permissions, do not want to audit
- # the failed access to the current directory
- dontaudit run_init_t self:capability { dac_override dac_read_search };
-
-+kernel_dontaudit_getattr_core_if(run_init_t)
-+
- corecmd_exec_bin(run_init_t)
- corecmd_exec_shell(run_init_t)
-
-+dev_dontaudit_getattr_all(run_init_t)
- dev_dontaudit_list_all_dev_nodes(run_init_t)
-
- domain_use_interactive_fds(run_init_t)
-@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
- selinux_compute_relabel_context(run_init_t)
- selinux_compute_user_contexts(run_init_t)
-
-+term_use_console(run_init_t)
-+
-+#auth_use_nsswitch(run_init_t)
-+#auth_run_chk_passwd(run_init_t, run_init_roles)
-+#auth_run_upd_passwd(run_init_t, run_init_roles)
-+#auth_dontaudit_read_shadow(run_init_t)
-+
- auth_use_nsswitch(run_init_t)
--auth_run_chk_passwd(run_init_t, run_init_roles)
--auth_run_upd_passwd(run_init_t, run_init_roles)
-+auth_domtrans_chk_passwd(run_init_t)
-+auth_domtrans_upd_passwd(run_init_t)
- auth_dontaudit_read_shadow(run_init_t)
-
-+
- init_spec_domtrans_script(run_init_t)
- # for utmp
- init_rw_utmp(run_init_t)
-+init_dontaudit_getattr_initctl(run_init_t)
-
- logging_send_syslog_msg(run_init_t)
-
--miscfiles_read_localization(run_init_t)
--
- seutil_libselinux_linked(run_init_t)
- seutil_read_default_contexts(run_init_t)
-
--userdom_use_user_terminals(run_init_t)
-+userdom_use_inherited_user_terminals(run_init_t)
-
- ifndef(`direct_sysadm_daemon',`
- ifdef(`distro_gentoo',`
-@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
- ')
- ')
-
-+# need to talk with dbus
-+optional_policy(`
-+ dbus_system_bus_client(run_init_t)
-+')
-+
-+optional_policy(`
-+ gpm_dontaudit_getattr_gpmctl(run_init_t)
-+')
-+
-+optional_policy(`
-+ rpm_domtrans(run_init_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(run_init_t)
-@@ -440,81 +510,87 @@ optional_policy(`
- # semodule local policy
- #
-
--allow semanage_t self:capability { dac_override audit_write };
--allow semanage_t self:unix_stream_socket create_stream_socket_perms;
--allow semanage_t self:unix_dgram_socket create_socket_perms;
- allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--allow semanage_t self:fifo_file rw_fifo_file_perms;
--
--allow semanage_t policy_config_t:file rw_file_perms;
--
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
- manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
- manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
-
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
--
--corecmd_exec_bin(semanage_t)
--
--dev_read_urand(semanage_t)
--
--domain_use_interactive_fds(semanage_t)
--
--files_read_etc_files(semanage_t)
--files_read_etc_runtime_files(semanage_t)
--files_read_usr_files(semanage_t)
--files_list_pids(semanage_t)
--
--mls_file_write_all_levels(semanage_t)
--mls_file_read_all_levels(semanage_t)
--
--selinux_validate_context(semanage_t)
--selinux_get_enforce_mode(semanage_t)
--selinux_getattr_fs(semanage_t)
--# for setsebool:
- selinux_set_all_booleans(semanage_t)
-+can_exec(semanage_t, semanage_exec_t)
-
--term_use_all_terms(semanage_t)
--
--# Running genhomedircon requires this for finding all users
--auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
--miscfiles_read_localization(semanage_t)
--
--seutil_libselinux_linked(semanage_t)
-+seutil_semanage_policy(semanage_t)
- seutil_manage_file_contexts(semanage_t)
- seutil_manage_config(semanage_t)
--seutil_run_setfiles(semanage_t, semanage_roles)
--seutil_run_loadpolicy(semanage_t, semanage_roles)
--seutil_manage_bin_policy(semanage_t)
--seutil_use_newrole_fds(semanage_t)
--seutil_manage_module_store(semanage_t)
--seutil_get_semanage_trans_lock(semanage_t)
--seutil_get_semanage_read_lock(semanage_t)
-+seutil_domtrans_setfiles(semanage_t)
-+
-+#seutil_run_setfiles(semanage_t, semanage_roles)
-+#seutil_run_loadpolicy(semanage_t, semanage_roles)
-+#seutil_manage_bin_policy(semanage_t)
-+#seutil_use_newrole_fds(semanage_t)
-+#seutil_manage_module_store(semanage_t)
-+#seutil_get_semanage_trans_lock(semanage_t)
-+#seutil_get_semanage_read_lock(semanage_t)
- # netfilter_contexts:
- seutil_manage_default_contexts(semanage_t)
-
- # Handle pp files created in homedir and /tmp
- userdom_read_user_home_content_files(semanage_t)
- userdom_read_user_tmp_files(semanage_t)
-+userdom_home_reader(semanage_t)
-
- ifdef(`distro_debian',`
- files_read_var_lib_files(semanage_t)
- files_read_var_lib_symlinks(semanage_t)
- ')
-
--ifdef(`distro_ubuntu',`
-- optional_policy(`
-- unconfined_domain(semanage_t)
-- ')
-+optional_policy(`
-+ dbus_system_domain(semanage_t, semanage_exec_t)
-+')
-+
-+optional_policy(`
-+ mock_manage_lib_files(semanage_t)
-+ mock_manage_lib_dirs(semanage_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(semanage_t)
-+')
-+
-+####################################n####
-+#
-+# setsebool local policy
-+#
-+seutil_semanage_policy(setsebool_t)
-+selinux_set_all_booleans(setsebool_t)
-+
-+init_dontaudit_use_fds(setsebool_t)
-+
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-+
-+########################################
-+#
-+# Setfiles mac local policy
-+#
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
-+
-+optional_policy(`
-+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
-+ livecd_dontaudit_leaks(setfiles_mac_t)
-+ livecd_rw_tmp_files(setfiles_mac_t)
-+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(setfiles_mac_t)
- ')
-
- ########################################
-@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',`
- # Setfiles local policy
- #
-
--allow setfiles_t self:capability { dac_override dac_read_search fowner };
--dontaudit setfiles_t self:capability sys_tty_config;
--allow setfiles_t self:fifo_file rw_file_perms;
--
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
--allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
--
--kernel_read_system_state(setfiles_t)
--kernel_relabelfrom_unlabeled_dirs(setfiles_t)
--kernel_relabelfrom_unlabeled_files(setfiles_t)
--kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
--kernel_relabelfrom_unlabeled_pipes(setfiles_t)
--kernel_relabelfrom_unlabeled_sockets(setfiles_t)
--kernel_use_fds(setfiles_t)
--kernel_rw_pipes(setfiles_t)
--kernel_rw_unix_dgram_sockets(setfiles_t)
--kernel_dontaudit_list_all_proc(setfiles_t)
--kernel_dontaudit_list_all_sysctls(setfiles_t)
--
--dev_relabel_all_dev_nodes(setfiles_t)
--
--domain_use_interactive_fds(setfiles_t)
--domain_dontaudit_search_all_domains_state(setfiles_t)
--
--files_read_etc_runtime_files(setfiles_t)
--files_read_etc_files(setfiles_t)
--files_list_all(setfiles_t)
--files_relabel_all_files(setfiles_t)
--files_read_usr_symlinks(setfiles_t)
--
--fs_getattr_xattr_fs(setfiles_t)
--fs_list_all(setfiles_t)
--fs_search_auto_mountpoints(setfiles_t)
--fs_relabelfrom_noxattr_fs(setfiles_t)
--
--mls_file_read_all_levels(setfiles_t)
--mls_file_write_all_levels(setfiles_t)
--mls_file_upgrade(setfiles_t)
--mls_file_downgrade(setfiles_t)
--
--selinux_validate_context(setfiles_t)
--selinux_compute_access_vector(setfiles_t)
--selinux_compute_create_context(setfiles_t)
--selinux_compute_relabel_context(setfiles_t)
--selinux_compute_user_contexts(setfiles_t)
--
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
--
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
--
--init_use_fds(setfiles_t)
--init_use_script_fds(setfiles_t)
--init_use_script_ptys(setfiles_t)
--init_exec_script_files(setfiles_t)
-+seutil_setfiles(setfiles_t)
-+# During boot in Rawhide
-+term_use_generic_ptys(setfiles_t)
-+
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-
- logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
-
--miscfiles_read_localization(setfiles_t)
-+optional_policy(`
-+ devicekit_dontaudit_read_pid_files(setfiles_t)
-+ devicekit_dontaudit_rw_log(setfiles_t)
-+')
-+
-+optional_policy(`
-+ # pki is leaking
-+ pki_dontaudit_write_log(setfiles_t)
-+')
-+
-+optional_policy(`
-+ xserver_append_xdm_tmp_files(setfiles_t)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-
--seutil_libselinux_linked(setfiles_t)
-+ optional_policy(`
-+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
-+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
-+ setroubleshoot_fixit_dontaudit_leaks(load_policy_t)
-+ ')
-+')
-+ifdef(`distro_ubuntu',`
-+ optional_policy(`
-+ unconfined_domain(setfiles_t)
-+ ')
-+')
-
--userdom_use_all_users_fds(setfiles_t)
-+########################################
-+#
-+# Setfiles common policy
-+#
-+allow setfiles_domain self:capability { dac_override dac_read_search fowner };
-+dontaudit setfiles_domain
self:capability sys_tty_config;
-+allow setfiles_domain self:fifo_file rw_file_perms;
-+dontaudit setfiles_domain self:dir relabelfrom;
-+dontaudit setfiles_domain self:file relabelfrom;
-+dontaudit setfiles_domain self:lnk_file relabelfrom;
-+
-+domain_relabelfrom(setfiles_domain)
-+
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-+allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-+
-+logging_send_audit_msgs(setfiles_domain)
-+
-+kernel_relabelfrom_unlabeled_dirs(setfiles_domain)
-+kernel_relabelfrom_unlabeled_files(setfiles_domain)
-+kernel_relabelfrom_unlabeled_symlinks(setfiles_domain)
-+kernel_relabelfrom_unlabeled_pipes(setfiles_domain)
-+kernel_relabelfrom_unlabeled_sockets(setfiles_domain)
-+kernel_use_fds(setfiles_domain)
-+kernel_rw_pipes(setfiles_domain)
-+kernel_rw_unix_dgram_sockets(setfiles_domain)
-+kernel_dontaudit_list_all_proc(setfiles_domain)
-+kernel_read_all_sysctls(setfiles_domain)
-+kernel_read_network_state_symlinks(setfiles_domain)
-+
-+dev_relabel_all_dev_nodes(setfiles_domain)
-+dev_dontaudit_rw_lvm_control(setfiles_domain)
-+dev_dontaudit_read_rand(setfiles_domain)
-+dev_dontaudit_read_urand(setfiles_domain)
-+
-+domain_use_interactive_fds(setfiles_domain)
-+domain_read_all_domains_state(setfiles_domain)
-+
-+files_read_etc_runtime_files(setfiles_domain)
-+files_read_etc_files(setfiles_domain)
-+files_list_all(setfiles_domain)
-+files_list_isid_type_dirs(setfiles_domain)
-+files_read_isid_type_files(setfiles_domain)
-+files_dontaudit_read_all_symlinks(setfiles_domain)
-+
-+fs_getattr_all_fs(setfiles_domain)
-+fs_list_all(setfiles_domain)
-+fs_getattr_all_files(setfiles_domain)
-+fs_search_auto_mountpoints(setfiles_domain)
-+fs_relabelfrom_noxattr_fs(setfiles_domain)
-+
-+selinux_validate_context(setfiles_domain) -+selinux_compute_access_vector(setfiles_domain) -+selinux_compute_create_context(setfiles_domain) -+selinux_compute_relabel_context(setfiles_domain) -+selinux_compute_user_contexts(setfiles_domain) -+ -+term_use_all_inherited_terms(setfiles_domain) -+ -+init_use_fds(setfiles_domain) -+init_use_script_fds(setfiles_domain) -+init_use_script_ptys(setfiles_domain) -+init_exec_script_files(setfiles_domain) -+ -+userdom_use_all_users_fds(setfiles_domain) - # for config files in a home directory --userdom_read_user_home_content_files(setfiles_t) -+userdom_read_user_home_content_files(setfiles_domain) -+userdom_rw_inherited_user_home_content_files(setfiles_domain) - - ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type -- fs_rw_tmpfs_chr_files(setfiles_t) -+ fs_rw_tmpfs_chr_files(setfiles_domain) - ') - --ifdef(`distro_redhat', ` -- fs_rw_tmpfs_chr_files(setfiles_t) -- fs_rw_tmpfs_blk_files(setfiles_t) -- fs_relabel_tmpfs_blk_file(setfiles_t) -- fs_relabel_tmpfs_chr_file(setfiles_t) -+ifdef(`distro_redhat',` -+ fs_rw_tmpfs_chr_files(setfiles_domain) -+ fs_rw_tmpfs_blk_files(setfiles_domain) -+ fs_relabel_tmpfs_blk_file(setfiles_domain) -+ fs_relabel_tmpfs_chr_file(setfiles_domain) - ') - --ifdef(`distro_ubuntu',` -- optional_policy(` -- unconfined_domain(setfiles_t) -- ') -+optional_policy(` -+ hotplug_use_fds(setfiles_domain) - ') - --ifdef(`hide_broken_symptoms',` -- optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) -- ') -- -- # cjp: cover up stray file descriptors. 
-- optional_policy(` -- unconfined_dontaudit_read_pipes(setfiles_t) -- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) -- ') -+optional_policy(` -+ dbus_read_pid_files(setfiles_domain) - ') - -+allow policy_manager_domain self:capability { dac_override sys_nice sys_resource }; -+dontaudit policy_manager_domain self:capability sys_tty_config; -+allow policy_manager_domain self:process { signal setsched }; -+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; -+allow policy_manager_domain self:unix_dgram_socket create_socket_perms; -+allow policy_manager_domain self:fifo_file rw_fifo_file_perms; -+ -+dev_read_rand(policy_manager_domain) -+dev_read_urand(policy_manager_domain) -+ -+logging_send_audit_msgs(policy_manager_domain) -+ -+# Domains that will manage policy -+allow policy_manager_domain policy_config_t:file rw_file_perms; -+ -+allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms; -+allow policy_manager_domain semanage_tmp_t:file manage_file_perms; -+files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir }) -+ -+kernel_read_kernel_sysctls(policy_manager_domain) -+ -+corecmd_exec_bin(policy_manager_domain) -+corecmd_exec_shell(policy_manager_domain) -+ -+domain_use_interactive_fds(policy_manager_domain) -+ -+files_read_etc_files(policy_manager_domain) -+files_read_etc_runtime_files(policy_manager_domain) -+files_read_usr_files(policy_manager_domain) -+files_list_pids(policy_manager_domain) -+fs_list_inotifyfs(policy_manager_domain) -+fs_getattr_all_fs(policy_manager_domain) -+ -+selinux_validate_context(policy_manager_domain) -+selinux_read_policy(policy_manager_domain) -+ -+term_use_all_inherited_terms(policy_manager_domain) -+ -+locallogin_use_fds(policy_manager_domain) -+ -+seutil_search_default_contexts(policy_manager_domain) -+seutil_domtrans_loadpolicy(policy_manager_domain) -+seutil_read_config(policy_manager_domain) -+seutil_use_newrole_fds(policy_manager_domain) 
-+seutil_manage_module_store(policy_manager_domain) -+seutil_get_semanage_trans_lock(policy_manager_domain) -+seutil_get_semanage_read_lock(policy_manager_domain) -+ -+userdom_dontaudit_write_user_home_content_files(policy_manager_domain) -+userdom_use_user_ptys(policy_manager_domain) -+ -+files_rw_inherited_generic_pid_files(setfiles_domain) -+files_rw_inherited_generic_pid_files(policy_manager_domain) -+files_create_boot_flag(policy_manager_domain, ".autorelabel") -+files_delete_boot_flag(policy_manager_domain) -+ - optional_policy(` -- hotplug_use_fds(setfiles_t) -+ policykit_dbus_chat(policy_manager_domain) - ') -diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc -index bea4629..06e2834 100644 ---- a/policy/modules/system/setrans.fc -+++ b/policy/modules/system/setrans.fc -@@ -2,4 +2,7 @@ - - /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) - -+/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) -+ - /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) -+/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) -diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if -index efa9c27..536a514 100644 ---- a/policy/modules/system/setrans.if -+++ b/policy/modules/system/setrans.if -@@ -40,3 +40,21 @@ interface(`setrans_translate_context',` - stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) - files_list_pids($1) - ') -+####################################### -+## -+## Allow a domain to manage pid files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`setrans_manage_pid_files',` -+ gen_require(` -+ type setrans_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t) -+') -diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te -index 1447687..d5e6fb9 100644 ---- a/policy/modules/system/setrans.te -+++ b/policy/modules/system/setrans.te -@@ -12,6 +12,7 @@ gen_require(` - type setrans_t; - type setrans_exec_t; - init_daemon_domain(setrans_t, setrans_exec_t) -+mls_trusted_object(setrans_t) - - type setrans_initrc_exec_t; - init_script_file(setrans_initrc_exec_t) -@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t) - - logging_send_syslog_msg(setrans_t) - --miscfiles_read_localization(setrans_t) - - seutil_read_config(setrans_t) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 346a7cc..42a48b6 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -17,16 +17,17 @@ ifdef(`distro_debian',` - /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) --/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) --/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -+/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -+/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) --/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) 
-+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - --/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) -+/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) - - ifdef(`distro_redhat',` -@@ -55,6 +56,20 @@ ifdef(`distro_redhat',` - # - # /usr - # -+/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+ -+/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -+/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -+/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) -+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - - # -@@ -72,3 +87,6 @@ ifdef(`distro_redhat',` - ifdef(`distro_gentoo',` - /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) - ') -+ -+/var/run/netns(/.*)? 
gen_context(system_u:object_r:ifconfig_var_run_t,s0) -+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..0bd8d93 100644 ---- a/policy/modules/system/sysnetwork.if -+++ b/policy/modules/system/sysnetwork.if -@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` - # - interface(`sysnet_run_dhcpc',` - gen_require(` -+ type dhcpc_t; - attribute_role dhcpc_roles; - ') - - sysnet_domtrans_dhcpc($1) - roleattribute $2 dhcpc_roles; -+ -+ optional_policy(` -+ networkmanager_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nis_run_ypbind(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nscd_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ ntp_run(dhcpc_t, $2) -+ ') -+ -+ seutil_run_setfiles(dhcpc_t, $2) - ') - - ######################################## -@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',` - type dhcpc_state_t; - ') - -+ list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) - read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) - ') - -@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',` - delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) - ') - -+######################################## -+## -+## Allow caller to relabel dhcpc_state files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_relabelfrom_dhcpc_state',` -+ -+ gen_require(` -+ type dhcpc_state_t; -+ ') -+ -+ allow $1 dhcpc_state_t:file relabelfrom; -+') -+ -+####################################### -+## -+## Manage the dhcp client state files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_manage_dhcpc_state',` -+ gen_require(` -+ type dhcpc_state_t; -+ ') -+ -+ manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) -+') -+ - ####################################### - ## - ## Set the attributes of network config files. 
-@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',` - - ####################################### - ## -+## Allow caller to relabel net_conf files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_relabelfrom_net_conf',` -+ -+ gen_require(` -+ type net_conf_t; -+ ') -+ -+ allow $1 net_conf_t:file relabelfrom; -+') -+ -+###################################### -+## -+## Allow caller to relabel net_conf files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_relabelto_net_conf',` -+ -+ gen_require(` -+ type net_conf_t; -+ ') -+ -+ allow $1 net_conf_t:file relabelto; -+') -+ -+####################################### -+## - ## Read network config files. - ## - ## -@@ -331,6 +426,7 @@ interface(`sysnet_read_config',` - - ifdef(`distro_redhat',` - allow $1 net_conf_t:dir list_dir_perms; -+ allow $1 net_conf_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, net_conf_t, net_conf_t) - ') - ') -@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',` - files_etc_filetrans($1, net_conf_t, file, $2) - ') - -+######################################## -+## -+## Transition content to the type used for -+## the network config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the directory to which the object will be created. -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`sysnet_filetrans_config_fromdir',` -+ gen_require(` -+ type net_conf_t; -+ ') -+ -+ filetrans_pattern($1, $2, net_conf_t, $3, $4) -+') -+ - ####################################### - ## - ## Create, read, write, and delete network config files. 
-@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',` - allow $1 net_conf_t:file manage_file_perms; - - ifdef(`distro_redhat',` -+ allow $1 net_conf_t:dir list_dir_perms; - manage_files_pattern($1, net_conf_t, net_conf_t) - ') - ') -@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',` - type dhcpc_var_run_t; - ') - -+ files_rw_pid_dirs($1) - allow $1 dhcpc_var_run_t:file unlink; - ') - -@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',` - - ######################################## - ## -+## Send a kill signal to iconfig. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`sysnet_kill_ifconfig',` -+ gen_require(` -+ type ifconfig_t; -+ ') -+ -+ allow $1 ifconfig_t:process sigkill; -+') -+ -+######################################## -+## - ## Read the DHCP configuration files. - ## - ## -@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',` - files_search_etc($1) - allow $1 dhcp_etc_t:dir list_dir_perms; - read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) -+ allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',` - allow $1 self:udp_socket create_socket_perms; - allow $1 self:netlink_route_socket r_netlink_socket_perms; - -- corenet_all_recvfrom_unlabeled($1) -- corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) -@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',` - corenet_tcp_connect_dns_port($1) - corenet_sendrecv_dns_client_packets($1) - -+ miscfiles_read_generic_certs($1) -+ - sysnet_read_config($1) - - optional_policy(` -@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',` - - allow $1 self:tcp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled($1) -- corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 
+883,9 @@ interface(`sysnet_use_ldap',` - dev_read_urand($1) - - sysnet_read_config($1) -+ -+ # LDAP Configuration using encrypted requires -+ dev_read_urand($1) - ') - - ######################################## -@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',` - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) -- corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',` - - sysnet_read_config($1) - ') -+ -+######################################## -+## -+## Do not audit attempts to use -+## the dhcp file descriptors. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`sysnet_dontaudit_dhcpc_use_fds',` -+ gen_require(` -+ type dhcpc_t; -+ ') -+ -+ dontaudit $1 dhcpc_t:fd use; -+') -+ -+######################################## -+## -+## Transition to system_r when execute an dhclient script -+## -+## -+##

    -+## Execute dhclient script in a specified role -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
    -+## -+## -+## Role to transition from. -+## -+## -+interface(`sysnet_role_transition_dhcpc',` -+ gen_require(` -+ type dhcpc_exec_t; -+ ') -+ -+ role_transition $1 dhcpc_exec_t system_r; -+') -+ -+######################################## -+## -+## Transition to sysnet named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sysnet_filetrans_named_content',` -+ gen_require(` -+ type net_conf_t; -+ ') -+ -+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf") -+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") -+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") -+ files_etc_filetrans($1, net_conf_t, file, "denyhosts") -+ files_etc_filetrans($1, net_conf_t, file, "hosts") -+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny") -+ files_etc_filetrans($1, net_conf_t, file, "ethers") -+ files_etc_filetrans($1, net_conf_t, file, "yp.conf") -+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf") -+') -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..087fe08 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) - # Declarations - # - -+## -+##

    -+## Allow dhcpc client applications to execute iptables commands -+##

    -+##
    -+gen_tunable(dhcpc_exec_iptables, false) -+ - attribute_role dhcpc_roles; - roleattribute system_r dhcpc_roles; - -@@ -20,7 +27,9 @@ files_type(dhcp_state_t) - type dhcpc_t; - type dhcpc_exec_t; - init_daemon_domain(dhcpc_t, dhcpc_exec_t) --role dhcpc_roles types dhcpc_t; -+ -+type dhcpc_helper_exec_t; -+init_script_file(dhcpc_helper_exec_t) - - type dhcpc_state_t; - files_type(dhcpc_state_t) -@@ -36,18 +45,22 @@ type ifconfig_exec_t; - init_system_domain(ifconfig_t, ifconfig_exec_t) - role system_r types ifconfig_t; - -+type ifconfig_var_run_t; -+files_pid_file(ifconfig_var_run_t) -+files_mountpoint(ifconfig_var_run_t) -+ - type net_conf_t alias resolv_conf_t; --files_type(net_conf_t) -+files_config_file(net_conf_t) - - ######################################## - # - # DHCP client local policy - # - allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; --dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; -+dontaudit dhcpc_t self:capability sys_tty_config; - # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit dhcpc_t self:capability { dac_read_search sys_module }; --allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; -+allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms }; - - allow dhcpc_t self:fifo_file rw_fifo_file_perms; - allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) - exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) - - allow dhcpc_t dhcp_state_t:file read_file_perms; -+allow dhcpc_t dhcp_state_t:file relabel_file_perms; -+ - manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) - filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) -+allow dhcpc_t dhcpc_state_t:file relabel_file_perms; - - # create pid file - manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -70,6 
+86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) - - # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files - # in /etc created by dhcpcd will be labelled net_conf_t. -+allow dhcpc_t net_conf_t:file manage_file_perms; -+allow dhcpc_t net_conf_t:file relabel_file_perms; - sysnet_manage_config(dhcpc_t) - files_etc_filetrans(dhcpc_t, net_conf_t, file) - -@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t) - corecmd_exec_bin(dhcpc_t) - corecmd_exec_shell(dhcpc_t) - --corenet_all_recvfrom_unlabeled(dhcpc_t) - corenet_all_recvfrom_netlabel(dhcpc_t) --corenet_tcp_sendrecv_all_if(dhcpc_t) --corenet_raw_sendrecv_all_if(dhcpc_t) --corenet_udp_sendrecv_all_if(dhcpc_t) --corenet_tcp_sendrecv_all_nodes(dhcpc_t) --corenet_raw_sendrecv_all_nodes(dhcpc_t) --corenet_udp_sendrecv_all_nodes(dhcpc_t) -+corenet_tcp_sendrecv_generic_if(dhcpc_t) -+corenet_raw_sendrecv_generic_if(dhcpc_t) -+corenet_udp_sendrecv_generic_if(dhcpc_t) -+corenet_tcp_sendrecv_generic_node(dhcpc_t) -+corenet_raw_sendrecv_generic_node(dhcpc_t) -+corenet_udp_sendrecv_generic_node(dhcpc_t) - corenet_tcp_sendrecv_all_ports(dhcpc_t) - corenet_udp_sendrecv_all_ports(dhcpc_t) - corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) - corenet_tcp_connect_all_ports(dhcpc_t) - corenet_sendrecv_dhcpd_client_packets(dhcpc_t) - corenet_sendrecv_dhcpc_server_packets(dhcpc_t) -+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) -+corenet_udp_bind_all_unreserved_ports(dhcpc_t) - - dev_read_sysfs(dhcpc_t) - # for SSP: - dev_read_urand(dhcpc_t) - -+domain_obj_id_change_exemption(dhcpc_t) - domain_use_interactive_fds(dhcpc_t) - domain_dontaudit_read_all_domains_state(dhcpc_t) - --files_read_etc_files(dhcpc_t) - files_read_etc_runtime_files(dhcpc_t) --files_read_usr_files(dhcpc_t) - files_search_home(dhcpc_t) - files_search_var_lib(dhcpc_t) - files_dontaudit_search_locks(dhcpc_t) - files_getattr_generic_locks(dhcpc_t) 
-+files_rw_inherited_tmp_file(dhcpc_t) -+files_dontaudit_rw_inherited_locks(dhcpc_t) - - fs_getattr_all_fs(dhcpc_t) - fs_search_auto_mountpoints(dhcpc_t) -@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) - term_dontaudit_use_unallocated_ttys(dhcpc_t) - term_dontaudit_use_generic_ptys(dhcpc_t) - -+auth_use_nsswitch(dhcpc_t) -+ - init_rw_utmp(dhcpc_t) -+init_stream_connect(dhcpc_t) -+init_stream_send(dhcpc_t) - - logging_send_syslog_msg(dhcpc_t) - --miscfiles_read_localization(dhcpc_t) -+miscfiles_read_generic_certs(dhcpc_t) - - modutils_run_insmod(dhcpc_t, dhcpc_roles) - -@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',` - ') - - optional_policy(` -- consoletype_run(dhcpc_t, dhcpc_roles) -+ chronyd_initrc_domtrans(dhcpc_t) -+ chronyd_systemctl(dhcpc_t) -+ chronyd_read_keys(dhcpc_t) -+') -+ -+optional_policy(` -+ devicekit_dontaudit_rw_log(dhcpc_t) -+ devicekit_dontaudit_read_pid_files(dhcpc_t) - ') - - optional_policy(` -@@ -174,10 +205,6 @@ optional_policy(` - ') - - optional_policy(` -- hal_dontaudit_rw_dgram_sockets(dhcpc_t) --') -- --optional_policy(` - hotplug_getattr_config_dirs(dhcpc_t) - hotplug_search_config(dhcpc_t) - -@@ -190,23 +217,36 @@ optional_policy(` - optional_policy(` - netutils_run_ping(dhcpc_t, dhcpc_roles) - netutils_run(dhcpc_t, dhcpc_roles) -+ netutils_domtrans_ping(dhcpc_t) -+ netutils_domtrans(dhcpc_t) - ',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; - ') - - optional_policy(` -+ networkmanager_domtrans(dhcpc_t) -+ networkmanager_read_pid_files(dhcpc_t) -+ networkmanager_manage_lib(dhcpc_t) -+ networkmanager_stream_connect(dhcpc_t) -+') -+ -+optional_policy(` -+ nis_initrc_domtrans_ypbind(dhcpc_t) - nis_read_ypbind_pid(dhcpc_t) -+ nis_systemctl_ypbind(dhcpc_t) - ') - - optional_policy(` - nscd_initrc_domtrans(dhcpc_t) -+ nscd_systemctl(dhcpc_t) - nscd_domtrans(dhcpc_t) - nscd_read_pid(dhcpc_t) - ') - - optional_policy(` - ntp_initrc_domtrans(dhcpc_t) -+ ntp_systemctl(dhcpc_t) - ') - 
- optional_policy(` -@@ -216,7 +256,11 @@ optional_policy(` - - optional_policy(` - seutil_sigchld_newrole(dhcpc_t) -- seutil_dontaudit_search_config(dhcpc_t) -+ seutil_domtrans_setfiles(dhcpc_t) -+') -+optional_policy(` -+ systemd_passwd_agent_domtrans(dhcpc_t) -+ systemd_signal_passwd_agent(dhcpc_t) - ') - - optional_policy(` -@@ -228,6 +272,10 @@ optional_policy(` - ') - - optional_policy(` -+ virt_manage_pid_files(dhcpc_t) -+') -+ -+optional_policy(` - vmware_append_log(dhcpc_t) - ') - -@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms; - allow ifconfig_t self:msg { send receive }; - # Create UDP sockets, necessary when called from dhcpc - allow ifconfig_t self:udp_socket create_socket_perms; -+allow ifconfig_t self:appletalk_socket create_socket_perms; - # for /sbin/ip - allow ifconfig_t self:packet_socket create_socket_perms; -+allow ifconfig_t self:netlink_socket create_socket_perms; - allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; - allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; -+allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; -+ - allow ifconfig_t self:tcp_socket { create ioctl }; - -+can_exec(ifconfig_t, ifconfig_exec_t) -+ -+manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) -+create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) -+files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) -+allow ifconfig_t ifconfig_var_run_t:file mounton; -+ - kernel_use_fds(ifconfig_t) - kernel_read_system_state(ifconfig_t) - kernel_read_network_state(ifconfig_t) -@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t) - - corenet_rw_tun_tap_dev(ifconfig_t) - -+corecmd_exec_bin(ifconfig_t) -+corecmd_exec_shell(ifconfig_t) -+ - dev_read_sysfs(ifconfig_t) - # for IPSEC setup: - dev_read_urand(ifconfig_t) -+# needed by tuned -+dev_rw_netcontrol(ifconfig_t) -+dev_mounton_sysfs(ifconfig_t) 
-+dev_mount_sysfs_fs(ifconfig_t) -+dev_unmount_sysfs_fs(ifconfig_t) - - domain_use_interactive_fds(ifconfig_t) - -+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) -+ -+files_dontaudit_rw_inherited_pipes(ifconfig_t) -+files_dontaudit_rw_inherited_locks(ifconfig_t) -+files_dontaudit_read_root_files(ifconfig_t) -+files_rw_inherited_tmp_file(ifconfig_t) -+ - files_read_etc_files(ifconfig_t) - files_read_etc_runtime_files(ifconfig_t) -+files_read_usr_files(ifconfig_t) - - fs_getattr_xattr_fs(ifconfig_t) - fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) - term_dontaudit_use_ptmx(ifconfig_t) - term_dontaudit_use_generic_ptys(ifconfig_t) - --files_dontaudit_read_root_files(ifconfig_t) -+auth_use_nsswitch(ifconfig_t) - - init_use_fds(ifconfig_t) - init_use_script_ptys(ifconfig_t) -+init_rw_inherited_script_tmp_files(ifconfig_t) - - libs_read_lib_files(ifconfig_t) - - logging_send_syslog_msg(ifconfig_t) - --miscfiles_read_localization(ifconfig_t) -- --modutils_domtrans_insmod(ifconfig_t) - - seutil_use_runinit_fds(ifconfig_t) - --userdom_use_user_terminals(ifconfig_t) -+sysnet_dns_name_resolve(ifconfig_t) -+ -+userdom_use_inherited_user_terminals(ifconfig_t) - userdom_use_all_users_fds(ifconfig_t) - - ifdef(`distro_ubuntu',` -@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',` - ') - ') - -+optional_policy(` -+ brctl_domtrans(ifconfig_t) -+') -+ -+optional_policy(` -+ cfengine_dontaudit_write_log(ifconfig_t) -+') -+ -+optional_policy(` -+ ctdbd_read_lib_files(ifconfig_t) -+') -+ - ifdef(`hide_broken_symptoms',` -+ # caused by some bogus kernel code -+ dontaudit ifconfig_t self:capability sys_module; -+ - optional_policy(` - dev_dontaudit_rw_cardmgr(ifconfig_t) - ') -@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',` - ') - - optional_policy(` -- hal_dontaudit_rw_pipes(ifconfig_t) -- hal_dontaudit_rw_dgram_sockets(ifconfig_t) -+ dnsmasq_domtrans(ifconfig_t) -+') -+ -+optional_policy(` -+ 
devicekit_dontaudit_read_pid_files(ifconfig_t) - ') - - optional_policy(` -@@ -339,7 +432,15 @@ optional_policy(` - ') - - optional_policy(` -- nis_use_ypbind(ifconfig_t) -+ kdump_dontaudit_read_config(ifconfig_t) -+') -+ -+optional_policy(` -+ libs_exec_ldconfig(ifconfig_t) -+') -+ -+optional_policy(` -+ modutils_domtrans_insmod(ifconfig_t) - ') - - optional_policy(` -@@ -360,3 +461,13 @@ optional_policy(` - xen_append_log(ifconfig_t) - xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) - ') -+ -+optional_policy(` -+ iptables_domtrans(ifconfig_t) -+') -+ -+optional_policy(` -+ tunable_policy(`dhcpc_exec_iptables',` -+ iptables_domtrans(dhcpc_t) -+ ') -+') -diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc -new file mode 100644 -index 0000000..e9f1096 ---- /dev/null -+++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,47 @@ -+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) -+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) -+ -+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) -+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) -+ -+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) -+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) -+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) -+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) -+ -+/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) -+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) -+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) -+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) -+/usr/bin/systemd-tty-ask-password-agent -- 
gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) -+ -+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) -+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) -+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) -+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) -+/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) -+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) -+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) -+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0) -+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) -+/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) -+ -+/var/lib/systemd/linger(/.*)? 
gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) -+/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) -+/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) -+ -+/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0) -+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) -+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) -+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) -+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) -+/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) -+/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) -+/var/run/initramfs(/.*)? <> -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -new file mode 100644 -index 0000000..35b4178 ---- /dev/null -+++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1400 @@ -+## SELinux policy for systemd components -+ -+###################################### -+## -+## Creates types and rules for a basic -+## systemd domains. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`systemd_domain_template',` -+ gen_require(` -+ attribute systemd_domain; -+ ') -+ -+ type $1_t, systemd_domain; -+ type $1_exec_t; -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ kernel_read_system_state($1_t) -+') -+ -+###################################### -+## -+## Create a domain for processes which are started -+## exuting systemctl. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_stub_unit_file',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+') -+ -+####################################### -+## -+## Create a domain for processes which are started -+## exuting systemctl. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_systemctl_domain',` -+ gen_require(` -+ type systemd_systemctl_exec_t; -+ role system_r; -+ attribute systemctl_domain; -+ ') -+ -+ type $1_systemctl_t, systemctl_domain; -+ domain_type($1_systemctl_t) -+ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) -+ -+ role system_r types $1_systemctl_t; -+ -+ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) -+') -+ -+######################################## -+## -+## Execute systemctl in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_exec_systemctl',` -+ gen_require(` -+ type systemd_systemctl_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, systemd_systemctl_exec_t) -+ -+ fs_list_cgroup_dirs($1) -+ fs_read_cgroup_files($1) -+ systemd_list_unit_dirs($1) -+ init_list_pid_dirs($1) -+ init_read_state($1) -+ init_stream_send($1) -+ init_stream_connect($1) -+ -+ systemd_login_list_pid_dirs($1) -+ systemd_login_read_pid_files($1) -+ systemd_passwd_agent_exec($1) -+') -+ -+####################################### -+## -+## Create a file type used for systemd unit files. -+## -+## -+## -+## Type to be used for an unit file. -+## -+## -+# -+interface(`systemd_unit_file',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ typeattribute $1 systemd_unit_file_type; -+ files_type($1) -+') -+ -+###################################### -+## -+## Allow domain to search systemd unit dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_search_unit_dirs',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 systemd_unit_file_type:dir search_dir_perms; -+') -+ -+###################################### -+## -+## Allow domain to list systemd unit dirs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_list_unit_dirs',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 systemd_unit_file_type:dir list_dir_perms; -+') -+ -+###################################### -+## -+## Allow domain to list systemd unit dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_create_unit_dirs',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 systemd_unit_file_type:dir create; -+') -+ -+##################################### -+## -+## Allow domain to getattr all systemd unit files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_getattr_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ files_search_var_lib($1) -+ getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+##################################### -+## -+## Allow domain to getattr all systemd unit directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_getattr_unit_dirs',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ allow $1 systemd_unit_file_type:dir getattr; -+') -+ -+###################################### -+## -+## Allow domain to read all systemd unit files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_read_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 systemd_unit_file_type:file read_file_perms; -+ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms; -+ allow $1 systemd_unit_file_type:dir list_dir_perms; -+') -+ -+##################################### -+## -+## Dontaudit domain to read all systemd unit files. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`systemd_dontaudit_read_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ dontaudit $1 systemd_unit_file_type:file read_file_perms; -+') -+ -+###################################### -+## -+## Read systemd_login PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_read_pid_files',` -+ gen_require(` -+ type systemd_logind_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) -+') -+ -+###################################### -+## -+## Read systemd_login PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_manage_pid_files',` -+ gen_require(` -+ type systemd_logind_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) -+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") -+') -+ -+###################################### -+## -+## Read systemd_login PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_list_pid_dirs',` -+ gen_require(` -+ type systemd_logind_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) -+') -+ -+###################################### -+## -+## Use and and inherited systemd -+## logind file descriptors. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_use_fds_logind',` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:fd use; -+') -+ -+###################################### -+## -+## Read logind sessions files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_read_logind_sessions_files',` -+ gen_require(` -+ type systemd_logind_sessions_t; -+ ') -+ -+ init_search_pid_dirs($1) -+ allow $1 systemd_logind_sessions_t:dir list_dir_perms; -+ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t) -+') -+ -+###################################### -+## -+## Write inherited logind sessions pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_write_inherited_logind_sessions_pipes',` -+ gen_require(` -+ type systemd_logind_sessions_t; -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:fd use; -+ allow $1 systemd_logind_sessions_t:fifo_file write; -+') -+ -+###################################### -+## -+## Write systemd inhibit pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_write_inhibit_pipes',` -+ gen_require(` -+ type systemd_logind_inhibit_var_run_t; -+ ') -+ -+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## systemd logind over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_dbus_chat_logind',` -+ gen_require(` -+ type systemd_logind_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 systemd_logind_t:dbus send_msg; -+ allow systemd_logind_t $1:dbus send_msg; -+ ps_process_pattern(systemd_logind_t, $1) -+ allow systemd_logind_t $1:process signal; -+ allow $1 systemd_logind_t:fd use; -+') -+ -+####################################### -+## -+## Execute a domain transition to run systemd-tmpfiles. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_tmpfiles_domtrans',` -+ gen_require(` -+ type systemd_tmpfiles_t, systemd_tmpfiles_exec_t; -+ ') -+ -+ domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t) -+') -+ -+####################################### -+## -+## Execute a domain transition to run systemd-localed. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_localed_domtrans',` -+ gen_require(` -+ type systemd_localed_t, systemd_localed_exec_t; -+ ') -+ -+ domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run systemd-tty-ask-password-agent. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_passwd_agent_domtrans',` -+ gen_require(` -+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; -+ ') -+ -+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) -+') -+ -+####################################### -+## -+## Execute systemd-tty-ask-password-agent in the caller domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_passwd_agent_exec',` -+ gen_require(` -+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; -+ ') -+ -+ can_exec($1, systemd_passwd_agent_exec_t) -+ systemd_manage_passwd_run($1) -+') -+ -+######################################## -+## -+## Execute a domain transition to run systemd_notify. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_notify_domtrans',` -+ gen_require(` -+ type systemd_notify_t, systemd_notify_exec_t; -+ ') -+ -+ domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t) -+') -+ -+######################################## -+## -+## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and -+## allow the specified role the systemd_passwd_agent domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the systemd_passwd_agent domain. 
-+## -+## -+# -+interface(`systemd_passwd_agent_run',` -+ gen_require(` -+ type systemd_passwd_agent_t; -+ ') -+ -+ systemd_passwd_agent_domtrans($1) -+ role $2 types systemd_passwd_agent_t; -+') -+ -+######################################## -+## -+## Role access for systemd_passwd_agent -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+interface(`systemd_passwd_agent_role',` -+ gen_require(` -+ type systemd_passwd_agent_t; -+ ') -+ -+ role $1 types systemd_passwd_agent_t; -+ -+ systemd_passwd_agent_domtrans($2) -+ -+ ps_process_pattern($2, systemd_passwd_agent_t) -+ allow $2 systemd_passwd_agent_t:process signal; -+') -+ -+######################################## -+## -+## Send generic signals to systemd_passwd_agent processes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_signal_passwd_agent',` -+ gen_require(` -+ type systemd_passwd_agent_t; -+ ') -+ -+ allow $1 systemd_passwd_agent_t:process signal; -+') -+ -+###################################### -+## -+## Allow to domain to read systemd-passwd pipe -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_read_fifo_file_passwd_run',` -+ gen_require(` -+ type systemd_passwd_var_run_t; -+ ') -+ -+ init_search_pid_dirs($1) -+ read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) -+') -+ -+######################################## -+## -+## Relabel to user home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_relabelto_fifo_file_passwd_run',` -+ gen_require(` -+ type systemd_passwd_var_run_t; -+ ') -+ -+ allow $1 systemd_passwd_var_run_t:fifo_file relabelto; -+') -+ -+####################################### -+## -+## Relabel systemd unit directories -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_relabel_unit_dirs',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+####################################### -+## -+## Relabel systemd unit files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_relabel_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+####################################### -+## -+## Send generic signals to systemd_passwd_agent processes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_passwd_run',` -+ gen_require(` -+ type systemd_passwd_agent_t; -+ type systemd_passwd_var_run_t; -+ ') -+ -+ init_search_pid_dirs($1) -+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) -+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) -+ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) -+ -+ allow systemd_passwd_agent_t $1:process signull; -+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; -+') -+ -+###################################### -+## -+## Template for temporary sockets and files in /dev/.systemd/ask-password -+## which are used by systemd-passwd-agent -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). 
-+## -+## -+# -+interface(`systemd_passwd_agent_dev_template',` -+ gen_require(` -+ type systemd_passwd_agent_t; -+ ') -+ -+ type systemd_$1_device_t; -+ files_type(systemd_$1_device_t) -+ dev_associate(systemd_$1_device_t) -+ -+ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) -+ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file }) -+ allow $1_t systemd_$1_device_t:file manage_file_perms; -+ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms; -+ -+ allow systemd_passwd_agent_t $1_t:process signull; -+ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto; -+ allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write; -+ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Allow the specified domain to connect to -+## systemd_logger with a unix socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_logger_stream_connect',` -+ gen_require(` -+ type systemd_logger_t; -+ ') -+ -+ allow $1 systemd_logger_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## manage systemd unit dirs -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_unit_dirs',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+######################################## -+## -+## manage systemd unit link files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_unit_symlinks',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+######################################## -+## -+## manage all systemd unit files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_manage_all_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+######################################## -+## -+## manage all systemd unit lnk_files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_all_unit_lnk_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) -+') -+ -+######################################## -+## -+## Allow the specified domain to start all systemd services. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_start_all_services',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ allow $1 systemd_unit_file_type:service start; -+') -+ -+####################################### -+## -+## Allow the specified domain to reload all systemd services. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_reload_all_services',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ allow $1 systemd_unit_file_type:service reload; -+') -+ -+######################################## -+## -+## Allow the specified domain to modify the systemd configuration of -+## all systemd services -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_config_all_services',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ allow $1 systemd_unit_file_type:service all_service_perms; -+ init_config_all_script_files($1) -+') -+ -+######################################## -+## -+## Allow the specified domain to start systemd services. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_start_systemd_services',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ allow $1 systemd_unit_file_t:service start; -+') -+ -+####################################### -+## -+## Allow the specified domain to reload all systemd services. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_reload_systemd_services',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ allow $1 systemd_unit_file_t:service reload; -+') -+ -+######################################## -+## -+## Allow the specified domain to modify the systemd configuration of -+## all systemd services -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_config_systemd_services',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ allow $1 systemd_unit_file_t:service all_service_perms; -+ init_config_all_script_files($1) -+') -+ -+######################################## -+## -+## manage all systemd random seed file -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_random_seed',` -+ gen_require(` -+ type random_seed_t; -+ ') -+ -+ allow $1 random_seed_t:file manage_file_perms; -+ files_var_lib_filetrans($1, random_seed_t, file, "random_seed") -+') -+ -+######################################## -+## -+## Allow process to read hostname config file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`systemd_hostnamed_read_config',` -+ gen_require(` -+ type hostname_etc_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 hostname_etc_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Create objects in /run/systemd/generator directory -+## with an automatic type transition to -+## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to create. -+## -+## -+## -+## -+## The class of the object to be created. 
-+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`systemd_unit_file_filetrans',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ files_search_pids($1) -+ filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4) -+') -+ -+####################################### -+## -+## Create a directory in the /usr/lib/systemd/system directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_create_unit_file_dirs',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t) -+') -+ -+####################################### -+## -+## Create a link in the /usr/lib/systemd/system directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_create_unit_file_lnk',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t) -+') -+ -+######################################## -+## -+## Transition to systemd named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_filetrans_named_content',` -+ gen_require(` -+ type systemd_passwd_var_run_t; -+ type systemd_logind_var_run_t; -+ type hostname_etc_t; -+ type systemd_home_t; -+ ') -+ -+ files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") -+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") -+ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") -+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) -+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) -+') -+ -+######################################## -+## -+## read systemd homedir content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_read_home_content',` -+ gen_require(` -+ type systemd_home_t; -+ ') -+ -+ optional_policy(` -+ gnome_search_gconf_data_dir($1) -+ ') -+ read_files_pattern($1, systemd_home_t, systemd_home_t) -+ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t) -+') -+ -+######################################## -+## -+## Manage systemd homedir content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_home_content',` -+ gen_require(` -+ type systemd_home_t; -+ ') -+ -+ optional_policy(` -+ gnome_search_gconf_data_dir($1) -+ ') -+ manage_dirs_pattern($1, systemd_home_t, systemd_home_t) -+ manage_files_pattern($1, systemd_home_t, systemd_home_t) -+ manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t) -+ -+ systemd_filetrans_home_content($1) -+') -+ -+######################################## -+## -+## Transition to systemd named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_filetrans_home_content',` -+ gen_require(` -+ type systemd_home_t; -+ ') -+ -+ optional_policy(` -+ gnome_data_filetrans($1, systemd_home_t, dir, "systemd") -+ ') -+') -+ -+######################################## -+## -+## Transition to systemd named content for /etc/hostname -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_filetrans_named_hostname',` -+ gen_require(` -+ type hostname_etc_t; -+ ') -+ -+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) -+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) -+') -+ -+######################################## -+## -+## Get the system status information from systemd_login -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_status',` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:system status; -+') -+ -+######################################## -+## -+## Send systemd_login a null signal. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_login_signull',` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:process signull; -+') -+ -+######################################## -+## -+## Tell systemd_login to reboot the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_reboot',` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:system reboot; -+') -+ -+######################################## -+## -+## Tell systemd_login to halt the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_halt',` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:system halt; -+') -+ -+######################################## -+## -+## Tell systemd_login to do an unknown access. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_login_undefined',` -+ gen_require(` -+ type systemd_logind_t; -+ ') -+ -+ allow $1 systemd_logind_t:system undefined; -+') -+ -+######################################## -+## -+## Configure generic unit files domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`systemd_config_generic_services',` -+ gen_require(` -+ type systemd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 systemd_unit_file_t:file read_file_perms; -+ allow $1 systemd_unit_file_t:service manage_service_perms; -+') -+ -+######################################## -+## -+## Configure power unit files domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`systemd_config_power_services',` -+ gen_require(` -+ type power_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 power_unit_file_t:file read_file_perms; -+ allow $1 power_unit_file_t:service manage_service_perms; -+') -+ -+######################################## -+## -+## Start power unit files domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`systemd_start_power_services',` -+ gen_require(` -+ type power_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 power_unit_file_t:service start; -+') -+ -+####################################### -+## -+## Start power unit files domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`systemd_start_all_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 systemd_unit_file_type:service start; -+') -+ -+####################################### -+## -+## Start power unit files domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`systemd_status_all_unit_files',` -+ gen_require(` -+ attribute systemd_unit_file_type; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 systemd_unit_file_type:service status; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## systemd timedated over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_dbus_chat_timedated',` -+ gen_require(` -+ type systemd_timedated_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 systemd_timedated_t:dbus send_msg; -+ allow systemd_timedated_t $1:dbus send_msg; -+ ps_process_pattern(systemd_timedated_t, $1) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## systemd hostnamed over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_dbus_chat_hostnamed',` -+ gen_require(` -+ type systemd_hostnamed_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 systemd_hostnamed_t:dbus send_msg; -+ allow systemd_hostnamed_t $1:dbus send_msg; -+ ps_process_pattern(systemd_hostnamed_t, $1) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## systemd localed over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_dbus_chat_localed',` -+ gen_require(` -+ type systemd_localed_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 systemd_localed_t:dbus send_msg; -+ allow systemd_localed_t $1:dbus send_msg; -+ ps_process_pattern(systemd_localed_t, $1) -+') -+ -+######################################## -+## -+## Dontaudit attempts to send dbus domains chat messages -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`systemd_dontaudit_dbus_chat',` -+ gen_require(` -+ attribute systemd_domain; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 systemd_domain:dbus send_msg; -+') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -new file mode 100644 -index 0000000..f758960 ---- /dev/null -+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,650 @@ -+policy_module(systemd, 1.0.0) -+ -+####################################### -+# -+# Declarations -+# -+ -+attribute systemd_unit_file_type; -+attribute systemd_domain; -+attribute systemctl_domain; -+ -+systemd_domain_template(systemd_logger) -+systemd_domain_template(systemd_logind) -+ -+# /run/systemd/sessions -+type systemd_logind_sessions_t; -+files_pid_file(systemd_logind_sessions_t) -+ -+type systemd_logind_var_lib_t; -+files_type(systemd_logind_var_lib_t) -+ -+# /run/systemd/{seats, users} -+type systemd_logind_var_run_t; -+files_pid_file(systemd_logind_var_run_t) -+ -+type systemd_logind_inhibit_var_run_t; -+files_pid_file(systemd_logind_inhibit_var_run_t) -+ -+type systemd_home_t; -+userdom_user_home_content(systemd_home_t) -+ -+type random_seed_t; -+files_security_file(random_seed_t) -+files_mountpoint(random_seed_t) -+ -+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent -+# systemd components -+ -+systemd_domain_template(systemd_passwd_agent) -+ -+type systemd_passwd_var_run_t alias systemd_device_t; -+files_pid_file(systemd_passwd_var_run_t) -+ -+# domain for systemd-tmpfiles component 
-+systemd_domain_template(systemd_tmpfiles) -+systemd_domain_template(systemd_notify) -+ -+# type for systemd unit files -+type systemd_unit_file_t; -+systemd_unit_file(systemd_unit_file_t) -+ -+type systemd_runtime_unit_file_t; -+systemd_unit_file(systemd_runtime_unit_file_t) -+ -+type power_unit_file_t; -+systemd_unit_file(power_unit_file_t) -+ -+type systemd_vconsole_unit_file_t; -+systemd_unit_file(systemd_vconsole_unit_file_t) -+ -+# executable for systemctl -+type systemd_systemctl_exec_t; -+corecmd_executable_file(systemd_systemctl_exec_t) -+ -+systemd_domain_template(systemd_localed) -+systemd_domain_template(systemd_hostnamed) -+ -+type hostname_etc_t; -+files_config_file(hostname_etc_t) -+ -+systemd_domain_template(systemd_timedated) -+typeattribute systemd_timedated_t systemd_domain; -+typealias systemd_timedated_t alias gnomeclock_t; -+ -+systemd_domain_template(systemd_sysctl) -+ -+####################################### -+# -+# Systemd_logind local policy -+# -+ -+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; -+allow systemd_logind_t self:process getcap; -+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow systemd_logind_t self:unix_dgram_socket create_socket_perms; -+ -+mls_file_read_all_levels(systemd_logind_t) -+mls_file_write_all_levels(systemd_logind_t) -+ -+manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t) -+manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t) -+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger") -+ -+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t }) -+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t 
systemd_logind_sessions_t }) -+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t }) -+init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions") -+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir) -+files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin") -+ -+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) -+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) -+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) -+manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) -+ -+dev_getattr_all_chr_files(systemd_logind_t) -+dev_getattr_all_blk_files(systemd_logind_t) -+dev_rw_sysfs(systemd_logind_t) -+dev_rw_input_dev(systemd_logind_t) -+dev_setattr_all_chr_files(systemd_logind_t) -+dev_setattr_dri_dev(systemd_logind_t) -+dev_setattr_generic_usb_dev(systemd_logind_t) -+dev_setattr_input_dev(systemd_logind_t) -+dev_setattr_kvm_dev(systemd_logind_t) -+dev_setattr_mouse_dev(systemd_logind_t) -+dev_setattr_sound_dev(systemd_logind_t) -+dev_setattr_video_dev(systemd_logind_t) -+dev_write_kmsg(systemd_logind_t) -+ -+domain_read_all_domains_state(systemd_logind_t) -+domain_signal_all_domains(systemd_logind_t) -+domain_signull_all_domains(systemd_logind_t) -+domain_kill_all_domains(systemd_logind_t) -+ -+# /etc/udev/udev.conf should probably have a private type if only for confined administration -+# /etc/nsswitch.conf -+ -+# /sys/fs/cgroup/systemd/user -+fs_manage_cgroup_dirs(systemd_logind_t) -+# write getattr open setattr -+fs_manage_cgroup_files(systemd_logind_t) -+fs_getattr_tmpfs(systemd_logind_t) -+fs_read_tmpfs_symlinks(systemd_logind_t) -+ -+storage_setattr_removable_dev(systemd_logind_t) 
-+storage_setattr_scsi_generic_dev(systemd_logind_t) -+ -+term_use_unallocated_ttys(systemd_logind_t) -+ -+init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit") -+ -+init_status(systemd_logind_t) -+init_signal(systemd_logind_t) -+init_reboot(systemd_logind_t) -+init_halt(systemd_logind_t) -+init_undefined(systemd_logind_t) -+init_signal_script(systemd_logind_t) -+ -+getty_systemctl(systemd_logind_t) -+ -+systemd_config_generic_services(systemd_logind_t) -+ -+# /run/user/.* -+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) -+auth_manage_var_auth(systemd_logind_t) -+auth_use_nsswitch(systemd_logind_t) -+ -+authlogin_read_state(systemd_logind_t) -+ -+init_dbus_chat(systemd_logind_t) -+init_dbus_chat_script(systemd_logind_t) -+init_read_script_state(systemd_logind_t) -+init_read_state(systemd_logind_t) -+init_rw_stream_sockets(systemd_logind_t) -+ -+logging_send_syslog_msg(systemd_logind_t) -+ -+udev_read_db(systemd_logind_t) -+udev_manage_rules_files(systemd_logind_t) -+ -+userdom_read_all_users_state(systemd_logind_t) -+userdom_use_user_ttys(systemd_logind_t) -+userdom_manage_all_user_tmp_content(systemd_logind_t) -+ -+optional_policy(` -+ apache_read_tmp_files(systemd_logind_t) -+') -+ -+optional_policy(` -+ cron_dbus_chat_crond(systemd_logind_t) -+ cron_read_state_crond(systemd_logind_t) -+') -+ -+optional_policy(` -+ dbus_connect_system_bus(systemd_logind_t) -+ dbus_system_bus_client(systemd_logind_t) -+') -+ -+optional_policy(` -+ devicekit_dbus_chat_power(systemd_logind_t) -+ devicekit_dbus_chat_disk(systemd_logind_t) -+') -+ -+optional_policy(` -+ # we label /run/user/$USER/dconf as config_home_t -+ gnome_manage_home_config_dirs(systemd_logind_t) -+ gnome_manage_home_config(systemd_logind_t) -+ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t) -+ gnome_manage_gstreamer_home_dirs(systemd_logind_t) -+') -+ -+optional_policy(` -+ rpm_dbus_chat(systemd_logind_t) -+') -+ 
-+optional_policy(`
-+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
-+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
-+')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
-+allow systemd_passwd_agent_t self:process { setsockcreate };
-+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
-+
-+kernel_stream_connect(systemd_passwd_agent_t)
-+
-+dev_create_generic_dirs(systemd_passwd_agent_t)
-+dev_read_generic_files(systemd_passwd_agent_t)
-+dev_write_generic_sock_files(systemd_passwd_agent_t)
-+dev_write_kmsg(systemd_passwd_agent_t)
-+
-+term_read_console(systemd_passwd_agent_t)
-+
-+auth_use_nsswitch(systemd_passwd_agent_t)
-+
-+init_create_pid_dirs(systemd_passwd_agent_t)
-+init_rw_pipes(systemd_passwd_agent_t)
-+init_read_utmp(systemd_passwd_agent_t)
-+init_stream_connect(systemd_passwd_agent_t)
-+
-+logging_send_syslog_msg(systemd_passwd_agent_t)
-+
-+userdom_use_user_ptys(systemd_passwd_agent_t)
-+userdom_use_inherited_user_ttys(systemd_passwd_agent_t)
-+
-+optional_policy(`
-+ lvm_signull(systemd_passwd_agent_t)
-+')
-+
-+optional_policy(`
-+ plymouthd_stream_connect(systemd_passwd_agent_t)
-+')
-+
-+#######################################
-+#
-+# Local policy
-+#
-+
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
-+allow systemd_tmpfiles_t self:process { setfscreate };
-+
-+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_network_state(systemd_tmpfiles_t)
-+kernel_request_load_module(systemd_tmpfiles_t)
-+
-+dev_write_kmsg(systemd_tmpfiles_t)
-+dev_rw_sysfs(systemd_tmpfiles_t)
-+dev_relabel_all_sysfs(systemd_tmpfiles_t)
-+dev_relabel_cpu_online(systemd_tmpfiles_t)
-+dev_read_cpu_online(systemd_tmpfiles_t)
-+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
-+dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
-+
-+domain_obj_id_change_exemption(systemd_tmpfiles_t)
-+
-+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
-+fs_list_all(systemd_tmpfiles_t)
-+
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
-+files_list_lost_found(systemd_tmpfiles_t)
-+
-+mls_file_read_all_levels(systemd_tmpfiles_t)
-+mls_file_write_all_levels(systemd_tmpfiles_t)
-+mls_file_upgrade(systemd_tmpfiles_t)
-+
-+selinux_get_enforce_mode(systemd_tmpfiles_t)
-+
-+auth_manage_faillog(systemd_tmpfiles_t)
-+auth_relabel_faillog(systemd_tmpfiles_t)
-+auth_manage_var_auth(systemd_tmpfiles_t)
-+auth_manage_login_records(systemd_tmpfiles_t)
-+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
-+auth_relabel_login_records(systemd_tmpfiles_t)
-+auth_setattr_login_records(systemd_tmpfiles_t)
-+auth_use_nsswitch(systemd_tmpfiles_t)
-+
-+init_dgram_send(systemd_tmpfiles_t)
-+init_rw_stream_sockets(systemd_tmpfiles_t)
-+
-+logging_create_devlog_dev(systemd_tmpfiles_t)
-+logging_send_syslog_msg(systemd_tmpfiles_t)
-+logging_setattr_all_log_dirs(systemd_tmpfiles_t)
-+
-+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
-+miscfiles_manage_man_pages(systemd_tmpfiles_t)
-+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
-+miscfiles_delete_man_pages(systemd_tmpfiles_t)
-+
-+ifdef(`distro_redhat',`
-+ userdom_list_user_home_content(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
-+ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
-+ userdom_delete_admin_home_files(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ apache_delete_sys_content_rw(systemd_tmpfiles_t)
-+ apache_list_cache(systemd_tmpfiles_t)
-+ apache_delete_cache_dirs(systemd_tmpfiles_t)
-+ apache_delete_cache_files(systemd_tmpfiles_t)
-+ apache_setattr_cache_dirs(systemd_tmpfiles_t)
-+')
-+
-+
-+optional_policy(`
-+ auth_rw_login_records(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ # we have /run/user/$USER/dconf
-+ gnome_delete_home_config(systemd_tmpfiles_t)
-+ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
-+ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ lpd_manage_spool(systemd_tmpfiles_t)
-+ lpd_relabel_spool(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ rpm_read_db(systemd_tmpfiles_t)
-+ rpm_delete_db(systemd_tmpfiles_t)
-+')
-+
-+optional_policy(`
-+ sandbox_list(systemd_tmpfiles_t)
-+ sandbox_delete_dirs(systemd_tmpfiles_t)
-+ sandbox_delete_files(systemd_tmpfiles_t)
-+ sandbox_delete_lnk_files(systemd_tmpfiles_t)
-+ sandbox_delete_pipes(systemd_tmpfiles_t)
-+ sandbox_delete_sock_files(systemd_tmpfiles_t)
-+ sandbox_setattr_dirs(systemd_tmpfiles_t)
-+')
-+
-+########################################
-+#
-+# systemd_notify local policy
-+#
-+allow systemd_notify_t self:capability chown;
-+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
-+
-+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
-+
-+domain_use_interactive_fds(systemd_notify_t)
-+
-+fs_getattr_cgroup_files(systemd_notify_t)
-+
-+auth_use_nsswitch(systemd_notify_t)
-+
-+init_rw_stream_sockets(systemd_notify_t)
-+
-+optional_policy(`
-+ rhcs_read_log_cluster(systemd_notify_t)
-+')
-+
-+optional_policy(`
-+ readahead_manage_pid_files(systemd_notify_t)
-+')
-+
-+########################################
-+#
-+# systemd_logger local policy
-+#
-+
-+allow systemd_logger_t self:capability { sys_admin chown kill };
-+allow systemd_logger_t self:process { fork setfscreate setsockcreate };
-+
-+allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_use_fds(systemd_logger_t)
-+
-+dev_write_kmsg(systemd_logger_t)
-+
-+domain_use_interactive_fds(systemd_logger_t)
-+
-+# only needs write
-+term_use_generic_ptys(systemd_logger_t)
-+
-+auth_use_nsswitch(systemd_logger_t)
-+
-+# /run/systemd/notify
-+init_write_pid_socket(systemd_logger_t)
-+
-+logging_send_syslog_msg(systemd_logger_t)
-+
-+########################################
-+#
-+# systemd_sysctl domains local policy
-+#
-+
-+allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
-+
-+fs_list_cgroup_dirs(systemctl_domain)
-+fs_read_cgroup_files(systemctl_domain)
-+
-+# needed by systemctl
-+init_dgram_send(systemctl_domain)
-+init_stream_connect(systemctl_domain)
-+init_read_state(systemctl_domain)
-+init_list_pid_dirs(systemctl_domain)
-+init_use_fds(systemctl_domain)
-+
-+#######################################
-+#
-+# Localed policy
-+#
-+allow systemd_localed_t self:process setfscreate;
-+allow systemd_localed_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_localed_t self:unix_dgram_socket create_socket_perms;
-+
-+dev_write_kmsg(systemd_localed_t)
-+
-+init_dbus_chat(systemd_localed_t)
-+init_reload_services(systemd_localed_t)
-+
-+logging_stream_connect_syslog(systemd_localed_t)
-+logging_send_syslog_msg(systemd_localed_t)
-+
-+allow systemd_localed_t systemd_vconsole_unit_file_t:service start;
-+
-+miscfiles_manage_localization(systemd_localed_t)
-+miscfiles_etc_filetrans_localization(systemd_localed_t)
-+
-+userdom_dbus_send_all_users(systemd_localed_t)
-+
-+xserver_manage_config(systemd_localed_t)
-+
-+optional_policy(`
-+ dbus_connect_system_bus(systemd_localed_t)
-+ dbus_system_bus_client(systemd_localed_t)
-+')
-+
-+#######################################
-+#
-+# Hostnamed policy
-+#
-+allow systemd_hostnamed_t self:capability sys_admin;
-+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
-+
-+allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
-+manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
-+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
-+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
-+
-+kernel_dgram_send(systemd_hostnamed_t)
-+
-+dev_write_kmsg(systemd_hostnamed_t)
-+dev_read_sysfs(systemd_hostnamed_t)
-+
-+init_status(systemd_hostnamed_t)
-+init_read_state(systemd_hostnamed_t)
-+init_stream_connect(systemd_hostnamed_t)
-+
-+logging_send_syslog_msg(systemd_hostnamed_t)
-+
-+userdom_read_all_users_state(systemd_hostnamed_t)
-+userdom_dbus_send_all_users(systemd_hostnamed_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(systemd_hostnamed_t)
-+ dbus_connect_system_bus(systemd_hostnamed_t)
-+')
-+
-+#######################################
-+#
-+# Timedated policy
-+#
-+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
-+allow systemd_timedated_t self:process { getattr getsched setfscreate };
-+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
-+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
-+allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
-+
-+corecmd_exec_bin(systemd_timedated_t)
-+corecmd_exec_shell(systemd_timedated_t)
-+corecmd_dontaudit_access_check_bin(systemd_timedated_t)
-+
-+corenet_tcp_connect_time_port(systemd_timedated_t)
-+
-+dev_rw_realtime_clock(systemd_timedated_t)
-+dev_write_kmsg(systemd_timedated_t)
-+dev_read_sysfs(systemd_timedated_t)
-+
-+fs_getattr_xattr_fs(systemd_timedated_t)
-+
-+auth_use_nsswitch(systemd_timedated_t)
-+
-+init_dbus_chat(systemd_timedated_t)
-+init_status(systemd_timedated_t)
-+
-+logging_send_syslog_msg(systemd_timedated_t)
-+
-+miscfiles_manage_localization(systemd_timedated_t)
-+miscfiles_etc_filetrans_localization(systemd_timedated_t)
-+
-+userdom_read_all_users_state(systemd_timedated_t)
-+
-+optional_policy(`
-+ chronyd_systemctl(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ clock_manage_adjtime(systemd_timedated_t)
-+ clock_filetrans_named_content(systemd_timedated_t)
-+ clock_domtrans(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ consolekit_dbus_chat(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(systemd_timedated_t)
-+ dbus_connect_system_bus(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ gnome_manage_usr_config(systemd_timedated_t)
-+ gnome_manage_home_config(systemd_timedated_t)
-+ gnome_manage_home_config_dirs(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ ntp_domtrans_ntpdate(systemd_timedated_t)
-+ ntp_initrc_domtrans(systemd_timedated_t)
-+ init_dontaudit_getattr_all_script_files(systemd_timedated_t)
-+ init_dontaudit_getattr_exec(systemd_timedated_t)
-+ ntp_systemctl(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ policykit_domtrans_auth(systemd_timedated_t)
-+ policykit_read_lib(systemd_timedated_t)
-+ policykit_read_reload(systemd_timedated_t)
-+')
-+
-+optional_policy(`
-+ xserver_manage_config(systemd_timedated_t)
-+ xserver_read_state_xdm(systemd_timedated_t)
-+')
-+
-+########################################
-+#
-+# systemd_sysctl domains local policy
-+#
-+allow systemd_sysctl_t self:capability net_admin;
-+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_dgram_send(systemd_sysctl_t)
-+kernel_rw_all_sysctls(systemd_sysctl_t)
-+
-+files_read_system_conf_files(systemd_sysctl_t)
-+
-+dev_write_kmsg(systemd_sysctl_t)
-+
-+domain_use_interactive_fds(systemd_sysctl_t)
-+
-+init_stream_connect(systemd_sysctl_t)
-+
-+logging_send_syslog_msg(systemd_sysctl_t)
-+
-+########################################
-+#
-+# Common rules for systemd domains
-+#
-+allow systemd_domain self:process { setfscreate signal_perms };
-+
-+dev_read_urand(systemd_domain)
-+
-+files_read_etc_files(systemd_domain)
-+files_read_etc_runtime_files(systemd_domain)
-+files_read_usr_files(systemd_domain)
-+
-+init_search_pid_dirs(systemd_domain)
-+
-+logging_stream_connect_syslog(systemd_domain)
-+
-+seutil_read_config(systemd_domain)
-+seutil_read_file_contexts(systemd_domain)
-+
-+optional_policy(`
-+ policykit_dbus_chat(systemd_domain)
-+')
-+
-+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
-+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..49fd32e 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -1,6 +1,8 @@
--/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
--/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
--/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-+/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
-+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
-+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
- 
- /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
-@@ -10,6 +12,7 @@
- /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
- /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,11 +30,23 @@ ifdef(`distro_redhat',`
- ')
- 
- /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
--
--/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
--
--/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
--/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
- 
- ifdef(`distro_debian',`
- /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
-diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 0f64692..d7e8a01 100644
---- a/policy/modules/system/udev.if
-+++ b/policy/modules/system/udev.if
-@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
- ')
- 
- domtrans_pattern($1, udev_exec_t, udev_t)
-+ allow $1 udev_t:process noatsecure;
- ')
- 
- ########################################
-@@ -88,8 +89,7 @@ interface(`udev_read_state',`
- ')
- 
- kernel_search_proc($1)
-- allow $1 udev_t:file read_file_perms;
-- allow $1 udev_t:lnk_file read_lnk_file_perms;
-+ ps_process_pattern($1, udev_t)
- ')
- 
- ########################################
-@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
- #
- interface(`udev_dontaudit_search_db',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
- 
-- dontaudit $1 udev_tbl_t:dir search_dir_perms;
-+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
- ')
- 
- ########################################
-@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
- ##
- #
- interface(`udev_read_db',`
-+ udev_read_pid_files($1)
-+')
-+
-+########################################
-+##
-+## Allow process to modify list of devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_rw_db',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
- 
-- allow $1 udev_tbl_t:dir list_dir_perms;
-+ files_search_pids($1)
-+ dev_list_all_dev_nodes($1)
-+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+')
- 
-- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
-- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
-+########################################
-+##
-+## Allow process to modify relabelto udev database
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_relabelto_db',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
- 
-- dev_list_all_dev_nodes($1)
-+ files_search_pids($1)
-+ allow $1 udev_var_run_t:file relabelto_file_perms;
-+')
- 
-- files_search_etc($1)
-+########################################
-+##
-+## Relabel the udev sock_file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`udev_relabel_pid_sockfile',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
- 
-- udev_search_pids($1)
-+ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
- ')
- 
- ########################################
- ##
--## Allow process to modify list of devices.
-+## Create, read, write, and delete
-+## udev pid files.
- ##
- ##
- ##
-@@ -213,13 +258,16 @@ interface(`udev_read_db',`
- ##
- ##
- #
--interface(`udev_rw_db',`
-+interface(`udev_read_pid_files',`
- gen_require(`
-- type udev_tbl_t;
-+ type udev_var_run_t;
- ')
- 
- dev_list_all_dev_nodes($1)
-- allow $1 udev_tbl_t:file rw_file_perms;
-+ files_search_pids($1)
-+ allow $1 udev_var_run_t:dir list_dir_perms;
-+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
- 
- ########################################
-@@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',`
- 
- ########################################
- ##
--## Read udev pid files.
-+## Create, read, write, and delete
-+## udev pid files.
- ##
- ##
- ##
-@@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',`
- ##
- ##
- #
--interface(`udev_read_pid_files',`
-+interface(`udev_manage_pid_files',`
- gen_require(`
- type udev_var_run_t;
- ')
- 
- files_search_pids($1)
-- read_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
- 
--########################################
-+#######################################
- ##
--## Create, read, write, and delete
--## udev pid files.
-+## Execute udev in the udev domain, and
-+## allow the specified role the udev domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the iptables domain.
-+##
-+##
-+##
-+#
-+interface(`udev_run',`
-+ gen_require(`
-+ type udev_t;
-+ ')
-+
-+ udev_domtrans($1)
-+ role $2 types udev_t;
-+')
-+
-+#######################################
-+##
-+## Allow caller to create kobject uevent socket for udev
- ##
- ##
- ##
-@@ -291,13 +365,45 @@ interface(`udev_read_pid_files',`
- ##
- ##
- #
--interface(`udev_manage_pid_files',`
-+interface(`udev_create_kobject_uevent_socket',`
- gen_require(`
-- type udev_var_run_t;
-+ type udev_t;
-+ role system_r;
- ')
- 
-- files_search_var_lib($1)
-- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
-+')
-+
-+########################################
-+##
-+## Create a domain for processes
-+## which can be started by udev.
-+##
-+##
-+##
-+## Type to be used as a domain.
-+##
-+##
-+##
-+##
-+## Type of the program to be used as an entry point to this domain.
-+##
-+##
-+#
-+interface(`udev_system_domain',`
-+ gen_require(`
-+ type udev_t;
-+ role system_r;
-+ ')
-+
-+ domain_type($1)
-+ domain_entry_file($1, $2)
-+
-+ role system_r types $1;
-+
-+ domtrans_pattern(udev_t, $2, $1)
-+
-+ dontaudit $1 udev_t:unix_dgram_socket { read write };
- ')
- 
- ########################################
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..de9d585 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
- type udev_etc_t alias etc_udev_t;
- files_config_file(udev_etc_t)
- 
--type udev_tbl_t alias udev_tdb_t;
--files_type(udev_tbl_t)
--
- type udev_rules_t;
- files_type(udev_rules_t)
- 
- type udev_var_run_t;
- files_pid_file(udev_var_run_t)
-+typealias udev_var_run_t alias udev_tbl_t;
- init_daemon_run_dir(udev_var_run_t, "udev")
- 
-+type udev_tmp_t;
-+files_tmp_file(udev_tmp_t)
-+
- ifdef(`enable_mcs',`
- kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
- init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
- # Local policy
- #
- 
--allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
-+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+allow udev_t self:capability2 { block_suspend compromise_kernel };
- dontaudit udev_t self:capability sys_tty_config;
--allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+
-+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow udev_t self:process { execmem setfscreate };
- allow udev_t self:fd use;
- allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
- allow udev_t self:unix_stream_socket connectto;
- allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow udev_t self:rawip_socket create_socket_perms;
-+allow udev_t self:netlink_socket create_socket_perms;
- 
- allow udev_t udev_exec_t:file write;
- can_exec(udev_t, udev_exec_t)
-@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
- # read udev config
- allow udev_t udev_etc_t:file read_file_perms;
- 
--# create udev database in /dev/.udevdb
--allow udev_t udev_tbl_t:file manage_file_perms;
--dev_filetrans(udev_t, udev_tbl_t, file)
-+allow udev_t udev_tmp_t:dir manage_dir_perms;
-+allow udev_t udev_tmp_t:file manage_file_perms;
-+files_tmp_filetrans(udev_t, udev_tmp_t, { file dir })
- 
- list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
--read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-+manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-+manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
- 
- manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
--files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
-+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
-+allow udev_t udev_var_run_t:file mounton;
-+allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
-+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
- 
-+kernel_load_module(udev_t)
- kernel_read_system_state(udev_t)
- kernel_request_load_module(udev_t)
- kernel_getattr_core_if(udev_t)
- kernel_use_fds(udev_t)
- kernel_read_device_sysctls(udev_t)
-+kernel_read_fs_sysctls(udev_t)
- kernel_read_hotplug_sysctls(udev_t)
- kernel_read_modprobe_sysctls(udev_t)
- kernel_read_kernel_sysctls(udev_t)
- kernel_rw_hotplug_sysctls(udev_t)
- kernel_rw_unix_dgram_sockets(udev_t)
- kernel_dgram_send(udev_t)
--kernel_signal(udev_t)
- kernel_search_debugfs(udev_t)
-+kernel_setsched(udev_t)
-+kernel_stream_connect(udev_t)
-+kernel_signal(udev_t)
- 
- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
- kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
- 
- dev_rw_sysfs(udev_t)
- dev_manage_all_dev_nodes(udev_t)
-+dev_rw_generic_usb_dev(udev_t)
- dev_rw_generic_files(udev_t)
- dev_delete_generic_files(udev_t)
- dev_search_usbfs(udev_t)
-@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
- # preserved, instead of short circuiting the relabel
- dev_relabel_generic_symlinks(udev_t)
- dev_manage_generic_symlinks(udev_t)
-+dev_filetrans_all_named_dev(udev_t)
- 
- domain_read_all_domains_state(udev_t)
--domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
- 
- files_read_usr_files(udev_t)
- files_read_etc_runtime_files(udev_t)
--files_read_etc_files(udev_t)
-+files_read_kernel_modules(udev_t)
-+files_read_system_conf_files(udev_t)
-+
-+
-+# console_init manages files in /etc/sysconfig
-+files_manage_etc_files(udev_t)
- files_exec_etc_files(udev_t)
-+files_exec_usr_files(udev_t)
- files_dontaudit_search_isid_type_dirs(udev_t)
- files_getattr_generic_locks(udev_t)
- files_search_mnt(udev_t)
-+files_list_tmp(udev_t)
- 
- fs_getattr_all_fs(udev_t)
- fs_list_inotifyfs(udev_t)
- fs_rw_anon_inodefs_files(udev_t)
--
--mcs_ptrace_all(udev_t)
-+fs_list_auto_mountpoints(udev_t)
-+fs_list_hugetlbfs(udev_t)
-+fs_read_cgroup_files(udev_t)
- 
- mls_file_read_all_levels(udev_t)
- mls_file_write_all_levels(udev_t)
-@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
- init_read_utmp(udev_t)
- init_dontaudit_write_utmp(udev_t)
- init_getattr_initctl(udev_t)
-+init_stream_connect(udev_t)
- 
- logging_search_logs(udev_t)
- logging_send_syslog_msg(udev_t)
- logging_send_audit_msgs(udev_t)
-+logging_stream_connect_syslog(udev_t)
- 
--miscfiles_read_localization(udev_t)
- miscfiles_read_hwdata(udev_t)
- 
- modutils_domtrans_insmod(udev_t)
- # read modules.inputmap:
- modutils_read_module_deps(udev_t)
-+modutils_list_module_config(udev_t)
-+modutils_read_module_config(udev_t)
- 
- seutil_read_config(udev_t)
- seutil_read_default_contexts(udev_t)
-@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t)
- sysnet_delete_dhcpc_pid(udev_t)
- sysnet_signal_dhcpc(udev_t)
- sysnet_manage_config(udev_t)
--sysnet_etc_filetrans_config(udev_t)
-+sysnet_filetrans_named_content(udev_t)
-+#sysnet_etc_filetrans_config(udev_t)
-+
-+systemd_login_read_pid_files(udev_t)
-+systemd_getattr_unit_files(udev_t)
- 
- userdom_dontaudit_search_user_home_content(udev_t)
- 
-@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',`
- ')
- 
- ifdef(`distro_redhat',`
-- fs_manage_tmpfs_dirs(udev_t)
-- fs_manage_tmpfs_files(udev_t)
-- fs_manage_tmpfs_symlinks(udev_t)
-- fs_manage_tmpfs_sockets(udev_t)
-- fs_manage_tmpfs_blk_files(udev_t)
-- fs_manage_tmpfs_chr_files(udev_t)
-- fs_relabel_tmpfs_blk_file(udev_t)
-- fs_relabel_tmpfs_chr_file(udev_t)
-+ fs_manage_hugetlbfs_dirs(udev_t)
- 
-- term_search_ptys(udev_t)
-+ term_use_generic_ptys(udev_t)
- 
- # for arping used for static IP addresses on PCMCIA ethernet
- netutils_domtrans(udev_t)
-@@ -226,19 +248,34 @@ optional_policy(`
- 
- optional_policy(`
- cups_domtrans_config(udev_t)
-+ cups_read_config(udev_t)
- ')
- 
- optional_policy(`
- dbus_system_bus_client(udev_t)
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind(udev_t)
-+ ')
- ')
- 
- optional_policy(`
- devicekit_read_pid_files(udev_t)
- devicekit_dgram_send(udev_t)
-+ devicekit_domtrans_disk(udev_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_home_config(udev_t)
-+')
-+
-+optional_policy(`
-+ gpsd_domtrans(udev_t)
- ')
- 
- optional_policy(`
- lvm_domtrans(udev_t)
-+ lvm_dgram_send(udev_t)
- ')
- 
- optional_policy(`
-@@ -264,6 +301,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ networkmanager_dbus_chat(udev_t)
-+')
-+
-+optional_policy(`
- openct_read_pid_files(udev_t)
- openct_domtrans(udev_t)
- ')
-@@ -278,6 +319,15 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ radvd_read_pid_files(udev_t)
-+')
-+
-+optional_policy(`
-+ usbmuxd_domtrans(udev_t)
-+ usbmuxd_stream_connect(udev_t)
-+')
-+
-+optional_policy(`
- unconfined_signal(udev_t)
- ')
- 
-@@ -290,6 +340,7 @@ optional_policy(`
- kernel_read_xen_state(udev_t)
- xen_manage_log(udev_t)
- xen_read_image_files(udev_t)
-+ xen_stream_connect_xenstore(udev_t)
- ')
- 
- optional_policy(`
-diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
-index 0abaf84..8b34dbc 100644
---- a/policy/modules/system/unconfined.fc
-+++ b/policy/modules/system/unconfined.fc
-@@ -1,21 +1 @@
- # Add programs here which should not be confined by SELinux
--# e.g.:
--# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
--# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
--/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
--
--/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--
--/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--
--ifdef(`distro_debian',`
--/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
--
--ifdef(`distro_gentoo',`
--/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
--')
-diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index db7aabb..01e03ec 100644
---- a/policy/modules/system/unconfined.if
-+++ b/policy/modules/system/unconfined.if
-@@ -12,53 +12,57 @@
- #
- interface(`unconfined_domain_noaudit',`
- gen_require(`
-- type unconfined_t;
- class dbus all_dbus_perms;
- class nscd all_nscd_perms;
- class passwd all_passwd_perms;
- ')
- 
-- # Use most Linux capabilities
-- allow $1 self:capability ~sys_module;
-- allow $1 self:fifo_file manage_fifo_file_perms;
-+ # Use any Linux capability.
-+
-+ allow $1 self:capability ~{ sys_module };
-+ allow $1 self:capability2 ~{ mac_admin mac_override };
-+ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
- 
- # Transition to myself, to make get_ordered_context_list happy.
-- allow $1 self:process transition;
-+ allow $1 self:process { dyntransition transition };
- 
- # Write access is for setting attributes under /proc/self/attr.
- allow $1 self:file rw_file_perms;
-+ allow $1 self:dir rw_dir_perms;
- 
- # Userland object managers
-- allow $1 self:nscd *;
-- allow $1 self:dbus *;
-- allow $1 self:passwd *;
-- allow $1 self:association *;
-+ allow $1 self:nscd all_nscd_perms;
-+ allow $1 self:dbus all_dbus_perms;
-+ allow $1 self:passwd all_passwd_perms;
-+ allow $1 self:association all_association_perms;
-+ allow $1 self:socket_class_set create_socket_perms;
- 
- kernel_unconfined($1)
- corenet_unconfined($1)
- dev_unconfined($1)
- domain_unconfined($1)
-- domain_dontaudit_read_all_domains_state($1)
-- domain_dontaudit_ptrace_all_domains($1)
- files_unconfined($1)
- fs_unconfined($1)
- selinux_unconfined($1)
-+ systemd_config_all_services($1)
-+
-+ domain_mmap_low($1)
-+
-+ ubac_process_exempt($1)
- 
-- tunable_policy(`allow_execheap',`
-+ tunable_policy(`selinuxuser_execheap',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execheap;
- ')
- 
-- tunable_policy(`allow_execmem',`
-+ tunable_policy(`deny_execmem',`',`
- # Allow making anonymous memory executable, e.g.
- # for runtime-code generation or executable stack.
- allow $1 self:process execmem; - ') - -- tunable_policy(`allow_execstack',` -- # Allow making the stack executable via mprotect; -- # execstack implies execmem; -- allow $1 self:process { execstack execmem }; -+ tunable_policy(`selinuxuser_execstack',` -+ allow $1 self:process execstack; - # auditallow $1 self:process execstack; - ') - -@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',` - optional_policy(` - # Communicate via dbusd. - dbus_system_bus_unconfined($1) -+ dbus_unconfined($1) - ') - - optional_policy(` -@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',` - ## - # - interface(`unconfined_domain',` -+ gen_require(` -+ attribute unconfined_services; -+ ') -+ - unconfined_domain_noaudit($1) - -- tunable_policy(`allow_execheap',` -+ tunable_policy(`selinuxuser_execheap',` - auditallow $1 self:process execheap; - ') - ') -@@ -150,7 +159,7 @@ interface(`unconfined_domain',` - ## - # - interface(`unconfined_alias_domain',` -- refpolicywarn(`$0($1) has been deprecated.') -+ refpolicywarn(`$0() has been deprecated.') - ') - - ######################################## -@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',` - ## - # - interface(`unconfined_execmem_alias_program',` -- refpolicywarn(`$0($1) has been deprecated.') --') -- --######################################## --## --## Transition to the unconfined domain. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`unconfined_domtrans',` -- gen_require(` -- type unconfined_t, unconfined_exec_t; -- ') -- -- domtrans_pattern($1, unconfined_exec_t, unconfined_t) --') -- --######################################## --## --## Execute specified programs in the unconfined domain. --## --## --## --## Domain allowed to transition. --## --## --## --## --## The role to allow the unconfined domain. 
--## --## --# --interface(`unconfined_run',` -- gen_require(` -- type unconfined_t; -- ') -- -- unconfined_domtrans($1) -- role $2 types unconfined_t; --') -- --######################################## --## --## Transition to the unconfined domain by executing a shell. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`unconfined_shell_domtrans',` -- gen_require(` -- type unconfined_t; -- ') -- -- corecmd_shell_domtrans($1, unconfined_t) -- allow unconfined_t $1:fd use; -- allow unconfined_t $1:fifo_file rw_file_perms; -- allow unconfined_t $1:process sigchld; --') -- --######################################## --## --## Allow unconfined to execute the specified program in --## the specified domain. --## --## --##

    --## Allow unconfined to execute the specified program in --## the specified domain. --##

    --##

    --## This is a interface to support third party modules --## and its use is not allowed in upstream reference --## policy. --##

    --##
    --## --## --## Domain to execute in. --## --## --## --## --## Domain entry point file. --## --## --# --interface(`unconfined_domtrans_to',` -- gen_require(` -- type unconfined_t; -- ') -- -- domtrans_pattern(unconfined_t,$2,$1) --') -- --######################################## --## --## Allow unconfined to execute the specified program in --## the specified domain. Allow the specified domain the --## unconfined role and use of unconfined user terminals. --## --## --##

    --## Allow unconfined to execute the specified program in --## the specified domain. Allow the specified domain the --## unconfined role and use of unconfined user terminals. --##

    --##

    --## This is a interface to support third party modules --## and its use is not allowed in upstream reference --## policy. --##

    --##
    --## --## --## Domain to execute in. --## --## --## --## --## Domain entry point file. --## --## --# --interface(`unconfined_run_to',` -- gen_require(` -- type unconfined_t; -- role unconfined_r; -- ') -- -- domtrans_pattern(unconfined_t,$2,$1) -- role unconfined_r types $1; -- userdom_use_user_terminals($1) --') -- --######################################## --## --## Inherit file descriptors from the unconfined domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_use_fds',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:fd use; --') -- --######################################## --## --## Send a SIGCHLD signal to the unconfined domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_sigchld',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:process sigchld; --') -- --######################################## --## --## Send a SIGNULL signal to the unconfined domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_signull',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:process signull; --') -- --######################################## --## --## Send generic signals to the unconfined domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_signal',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:process signal; --') -- --######################################## --## --## Read unconfined domain unnamed pipes. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_read_pipes',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:fifo_file read_fifo_file_perms; --') -- --######################################## --## --## Do not audit attempts to read unconfined domain unnamed pipes. --## --## --## --## Domain to not audit. 
--## --## --# --interface(`unconfined_dontaudit_read_pipes',` -- gen_require(` -- type unconfined_t; -- ') -- -- dontaudit $1 unconfined_t:fifo_file read; --') -- --######################################## --## --## Read and write unconfined domain unnamed pipes. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_rw_pipes',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:fifo_file rw_fifo_file_perms; --') -- --######################################## --## --## Do not audit attempts to read and write --## unconfined domain unnamed pipes. --## --## --## --## Domain to not audit. --## --## --# --interface(`unconfined_dontaudit_rw_pipes',` -- gen_require(` -- type unconfined_t; -- ') -- -- dontaudit $1 unconfined_t:fifo_file rw_file_perms; --') -- --######################################## --## --## Connect to the unconfined domain using --## a unix domain stream socket. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_stream_connect',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:unix_stream_socket connectto; --') -- --######################################## --## --## Do not audit attempts to read or write --## unconfined domain tcp sockets. --## --## --##

    --## Do not audit attempts to read or write --## unconfined domain tcp sockets. --##

    --##

    --## This interface was added due to a broken --## symptom in ldconfig. --##

    --##
    --## --## --## Domain to not audit. --## --## --# --interface(`unconfined_dontaudit_rw_tcp_sockets',` -- gen_require(` -- type unconfined_t; -- ') -- -- dontaudit $1 unconfined_t:tcp_socket { read write }; --') -- --######################################## --## --## Create keys for the unconfined domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_create_keys',` -- gen_require(` -- type unconfined_t; -- ') -- -- allow $1 unconfined_t:key create; --') -- --######################################## --## --## Send messages to the unconfined domain over dbus. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_dbus_send',` -- gen_require(` -- type unconfined_t; -- class dbus send_msg; -- ') -- -- allow $1 unconfined_t:dbus send_msg; --') -- --######################################## --## --## Send and receive messages from --## unconfined_t over dbus. --## --## --## --## Domain allowed access. --## --## --# --interface(`unconfined_dbus_chat',` -- gen_require(` -- type unconfined_t; -- class dbus send_msg; -- ') -- -- allow $1 unconfined_t:dbus send_msg; -- allow unconfined_t $1:dbus send_msg; --') -- --######################################## --## --## Connect to the the unconfined DBUS --## for service (acquire_svc). --## --## --## --## Domain allowed access. 
--## --## --# --interface(`unconfined_dbus_connect',` -- gen_require(` -- type unconfined_t; -- class dbus acquire_svc; -- ') -- -- allow $1 unconfined_t:dbus acquire_svc; -+ refpolicywarn(`$0() has been deprecated.') - ') -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 0280b32..61f19e9 100644 ---- a/policy/modules/system/unconfined.te -+++ b/policy/modules/system/unconfined.te -@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0) - # - # Declarations - # -- --# usage in this module of types created by these --# calls is not correct, however we dont currently --# have another method to add access to these types --userdom_base_user_template(unconfined) --userdom_manage_home_role(unconfined_r, unconfined_t) --userdom_manage_tmp_role(unconfined_r, unconfined_t) --userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -- --type unconfined_exec_t; --init_system_domain(unconfined_t, unconfined_exec_t) -- --type unconfined_execmem_t; --type unconfined_execmem_exec_t; --init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) --role unconfined_r types unconfined_execmem_t; -- --######################################## --# --# Local policy --# -- --domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) -- --files_create_boot_flag(unconfined_t) -- --mcs_killall(unconfined_t) --mcs_ptrace_all(unconfined_t) -- --init_run_daemon(unconfined_t, unconfined_r) -- --libs_run_ldconfig(unconfined_t, unconfined_r) -- --logging_send_syslog_msg(unconfined_t) --logging_run_auditctl(unconfined_t, unconfined_r) -- --mount_run_unconfined(unconfined_t, unconfined_r) -- --seutil_run_setfiles(unconfined_t, unconfined_r) --seutil_run_semanage(unconfined_t, unconfined_r) -- --unconfined_domain(unconfined_t) -- --userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) -- --ifdef(`distro_gentoo',` -- seutil_run_runinit(unconfined_t, unconfined_r) -- 
seutil_init_script_run_runinit(unconfined_t, unconfined_r) --') -- --optional_policy(` -- ada_domtrans(unconfined_t) --') -- --optional_policy(` -- apache_run_helper(unconfined_t, unconfined_r) -- apache_role(unconfined_r, unconfined_t) --') -- --optional_policy(` -- bind_run_ndc(unconfined_t, unconfined_r) --') -- --optional_policy(` -- bootloader_run(unconfined_t, unconfined_r) --') -- --optional_policy(` -- cron_unconfined_role(unconfined_r, unconfined_t) --') -- --optional_policy(` -- init_dbus_chat_script(unconfined_t) -- -- dbus_stub(unconfined_t) -- -- optional_policy(` -- avahi_dbus_chat(unconfined_t) -- ') -- -- optional_policy(` -- bluetooth_dbus_chat(unconfined_t) -- ') -- -- optional_policy(` -- consolekit_dbus_chat(unconfined_t) -- ') -- -- optional_policy(` -- cups_dbus_chat_config(unconfined_t) -- ') -- -- optional_policy(` -- hal_dbus_chat(unconfined_t) -- ') -- -- optional_policy(` -- networkmanager_dbus_chat(unconfined_t) -- ') -- -- optional_policy(` -- oddjob_dbus_chat(unconfined_t) -- ') --') -- --optional_policy(` -- firstboot_run(unconfined_t, unconfined_r) --') -- --optional_policy(` -- ftp_run_ftpdctl(unconfined_t, unconfined_r) --') -- --optional_policy(` -- hadoop_role(unconfined_r, unconfined_t) --') -- --optional_policy(` -- inn_domtrans(unconfined_t) --') -- --optional_policy(` -- java_run_unconfined(unconfined_t, unconfined_r) --') -- --optional_policy(` -- lpd_run_checkpc(unconfined_t, unconfined_r) --') -- --optional_policy(` -- modutils_run_update_mods(unconfined_t, unconfined_r) --') -- --optional_policy(` -- mono_domtrans(unconfined_t) --') -- --optional_policy(` -- mta_role(unconfined_r, unconfined_t) --') -- --optional_policy(` -- oddjob_domtrans_mkhomedir(unconfined_t) --') -- --optional_policy(` -- portage_run(unconfined_t, unconfined_r) -- portage_run_fetch(unconfined_t, unconfined_r) -- portage_run_gcc_config(unconfined_t, unconfined_r) --') -- --optional_policy(` -- prelink_run(unconfined_t, unconfined_r) --') -- 
--optional_policy(` -- portmap_run_helper(unconfined_t, unconfined_r) --') -- --optional_policy(` -- postfix_run_map(unconfined_t, unconfined_r) -- # cjp: this should probably be removed: -- postfix_domtrans_master(unconfined_t) --') -- --optional_policy(` -- pyzor_role(unconfined_r, unconfined_t) --') -- --optional_policy(` -- # cjp: this should probably be removed: -- rpc_domtrans_nfsd(unconfined_t) --') -- --optional_policy(` -- rpm_run(unconfined_t, unconfined_r) --') -- --optional_policy(` -- samba_run_net(unconfined_t, unconfined_r) -- samba_run_winbind_helper(unconfined_t, unconfined_r) --') -- --optional_policy(` -- spamassassin_role(unconfined_r, unconfined_t) --') -- --optional_policy(` -- sysnet_run_dhcpc(unconfined_t, unconfined_r) -- sysnet_dbus_chat_dhcpc(unconfined_t) --') -- --optional_policy(` -- tzdata_run(unconfined_t, unconfined_r) --') -- --optional_policy(` -- usermanage_run_admin_passwd(unconfined_t, unconfined_r) --') -- --optional_policy(` -- vpn_run(unconfined_t, unconfined_r) --') -- --optional_policy(` -- webalizer_run(unconfined_t, unconfined_r) --') -- --optional_policy(` -- wine_domtrans(unconfined_t) --') -- --optional_policy(` -- xserver_domtrans(unconfined_t) --') -- --######################################## --# --# Unconfined Execmem Local policy --# -- --allow unconfined_execmem_t self:process { execstack execmem }; --unconfined_domain_noaudit(unconfined_execmem_t) -- --optional_policy(` -- dbus_stub(unconfined_execmem_t) -- -- init_dbus_chat_script(unconfined_execmem_t) -- unconfined_dbus_chat(unconfined_execmem_t) -- -- optional_policy(` -- hal_dbus_chat(unconfined_execmem_t) -- ') --') -+attribute unconfined_services; -diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..65191bd 100644 ---- a/policy/modules/system/userdomain.fc -+++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,21 @@ - HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) -+HOME_DIR 
-l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) - HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) -- - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) -+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) -+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -+/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -+/root/\.debug(/.*)? <> -+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) -+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) -+HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) -+HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) -+HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) -+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -+HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -+HOME_DIR/\.gvfs/.* <> -+HOME_DIR/\.debug(/.*)? <> -+ -+/var/run/user(/.*)? 
gen_context(system_u:object_r:user_tmp_t,s0) -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..2890de8 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if -@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` - ') - - attribute $1_file_type; -+ attribute $1_usertype; - -- type $1_t, userdomain; -+ type $1_t, userdomain, $1_usertype; - domain_type($1_t) -+ role $1_r; - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) - domain_user_exemption_target($1_t) -@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` - term_user_pty($1_t, user_devpts_t) - - term_user_tty($1_t, user_tty_device_t) -- -- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; -- allow $1_t self:fd use; -- allow $1_t self:fifo_file rw_fifo_file_perms; -- allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; -- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; -- allow $1_t self:shm create_shm_perms; -- allow $1_t self:sem create_sem_perms; -- allow $1_t self:msgq create_msgq_perms; -- allow $1_t self:msg { send receive }; -- allow $1_t self:context contains; -- dontaudit $1_t self:socket create; -- -- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; -- term_create_pty($1_t, user_devpts_t) -+ term_dontaudit_getattr_generic_ptys($1_t) -+ -+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1_usertype $1_usertype:process ptrace; -+ ') -+ allow $1_usertype $1_usertype:fd use; -+ allow $1_usertype $1_t:key { create view read write search link setattr }; -+ -+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; -+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; -+ allow $1_usertype $1_usertype:unix_stream_socket { 
create_stream_socket_perms connectto }; -+ allow $1_usertype $1_usertype:shm create_shm_perms; -+ allow $1_usertype $1_usertype:sem create_sem_perms; -+ allow $1_usertype $1_usertype:msgq create_msgq_perms; -+ allow $1_usertype $1_usertype:msg { send receive }; -+ allow $1_usertype $1_usertype:context contains; -+ dontaudit $1_usertype $1_usertype:socket create; -+ -+ allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; -+ term_create_pty($1_usertype, user_devpts_t) - # avoid annoying messages on terminal hangup on role change -- dontaudit $1_t user_devpts_t:chr_file ioctl; -+ dontaudit $1_usertype user_devpts_t:chr_file ioctl; - -- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; -+ allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; - # avoid annoying messages on terminal hangup on role change -- dontaudit $1_t user_tty_device_t:chr_file ioctl; -- -- kernel_read_kernel_sysctls($1_t) -- kernel_dontaudit_list_unlabeled($1_t) -- kernel_dontaudit_getattr_unlabeled_files($1_t) -- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) -- kernel_dontaudit_getattr_unlabeled_pipes($1_t) -- kernel_dontaudit_getattr_unlabeled_sockets($1_t) -- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) -- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) -- -- dev_dontaudit_getattr_all_blk_files($1_t) -- dev_dontaudit_getattr_all_chr_files($1_t) -+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl; -+ -+ application_exec_all($1_usertype) -+ -+ kernel_read_kernel_sysctls($1_usertype) -+ kernel_read_all_sysctls($1_usertype) -+ kernel_dontaudit_list_unlabeled($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_files($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) -+ 
kernel_dontaudit_list_proc($1_usertype) -+ -+ dev_dontaudit_getattr_all_blk_files($1_usertype) -+ dev_dontaudit_getattr_all_chr_files($1_usertype) -+ dev_getattr_mtrr_dev($1_t) - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. -- domain_dontaudit_read_all_domains_state($1_t) -- domain_dontaudit_getattr_all_domains($1_t) -- domain_dontaudit_getsession_all_domains($1_t) -- -- files_read_etc_files($1_t) -- files_read_etc_runtime_files($1_t) -- files_read_usr_files($1_t) -+ domain_dontaudit_read_all_domains_state($1_usertype) -+ domain_dontaudit_getattr_all_domains($1_usertype) -+ domain_dontaudit_getsession_all_domains($1_usertype) -+ dev_dontaudit_all_access_check($1_usertype) -+ -+ files_read_etc_files($1_usertype) -+ files_list_mnt($1_usertype) -+ files_list_var($1_usertype) -+ files_read_mnt_files($1_usertype) -+ files_dontaudit_all_access_check($1_usertype) -+ files_read_etc_runtime_files($1_usertype) -+ files_read_usr_files($1_usertype) -+ files_read_usr_src_files($1_usertype) - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. 
-- files_list_world_readable($1_t) -- files_read_world_readable_files($1_t) -- files_read_world_readable_symlinks($1_t) -- files_read_world_readable_pipes($1_t) -- files_read_world_readable_sockets($1_t) -+ files_list_world_readable($1_usertype) -+ files_read_world_readable_files($1_usertype) -+ files_read_world_readable_symlinks($1_usertype) -+ files_read_world_readable_pipes($1_usertype) -+ files_read_world_readable_sockets($1_usertype) - # old broswer_domain(): -- files_dontaudit_list_non_security($1_t) -- files_dontaudit_getattr_non_security_files($1_t) -- files_dontaudit_getattr_non_security_symlinks($1_t) -- files_dontaudit_getattr_non_security_pipes($1_t) -- files_dontaudit_getattr_non_security_sockets($1_t) -+ files_dontaudit_getattr_all_dirs($1_usertype) -+ files_dontaudit_list_non_security($1_usertype) -+ files_dontaudit_getattr_all_files($1_usertype) -+ files_dontaudit_getattr_non_security_symlinks($1_usertype) -+ files_dontaudit_getattr_non_security_pipes($1_usertype) -+ files_dontaudit_getattr_non_security_sockets($1_usertype) -+ files_dontaudit_setattr_etc_runtime_files($1_usertype) -+ -+ files_exec_usr_files($1_t) -+ -+ fs_list_cgroup_dirs($1_usertype) -+ fs_dontaudit_rw_cgroup_files($1_usertype) -+ -+ storage_rw_fuse($1_usertype) -+ -+ auth_use_nsswitch($1_t) -+ -+ init_stream_connect($1_usertype) -+ # The library functions always try to open read-write first, -+ # then fall back to read-only if it fails. 
-+ init_dontaudit_rw_utmp($1_usertype) - -- libs_exec_ld_so($1_t) -+ libs_exec_ld_so($1_usertype) - -- miscfiles_read_localization($1_t) - miscfiles_read_generic_certs($1_t) - -- sysnet_read_config($1_t) -+ miscfiles_read_all_certs($1_usertype) -+ miscfiles_read_public_files($1_usertype) - -- tunable_policy(`allow_execmem',` -+ systemd_dbus_chat_logind($1_usertype) -+ systemd_read_logind_sessions_files($1_usertype) -+ systemd_write_inhibit_pipes($1_usertype) -+ systemd_write_inherited_logind_sessions_pipes($1_usertype) -+ systemd_login_read_pid_files($1_usertype) -+ -+ tunable_policy(`deny_execmem',`', ` - # Allow loading DSOs that require executable stack. - allow $1_t self:process execmem; - ') - -- tunable_policy(`allow_execmem && allow_execstack',` -+ tunable_policy(`selinuxuser_execstack',` - # Allow making the stack executable via mprotect. - allow $1_t self:process execstack; - ') -+ -+ optional_policy(` -+ abrt_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ fs_list_cgroup_dirs($1_usertype) -+ ') -+ -+ optional_policy(` -+ ssh_rw_stream_sockets($1_usertype) -+ ssh_delete_tmp($1_t) -+ ssh_signal($1_t) -+ ') - ') - - ####################################### -@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` - type user_home_t, user_home_dir_t; - ') - -+ role $1 types { user_home_t user_home_dir_t }; -+ - ############################## - # - # Domain access to home dir -@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - files_list_home($2) - -- tunable_policy(`use_nfs_home_dirs',` -- fs_list_nfs($2) -- fs_read_nfs_files($2) -- fs_read_nfs_symlinks($2) -- fs_read_nfs_named_sockets($2) -- fs_read_nfs_named_pipes($2) -- ',` -- fs_dontaudit_list_nfs($2) -- fs_dontaudit_read_nfs_files($2) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_list_cifs($2) -- fs_read_cifs_files($2) -- fs_read_cifs_symlinks($2) -- fs_read_cifs_named_sockets($2) -- 
fs_read_cifs_named_pipes($2) -- ',` -- fs_dontaudit_list_cifs($2) -- fs_dontaudit_read_cifs_files($2) -- ') - ') - - ####################################### -@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` - interface(`userdom_manage_home_role',` - gen_require(` - type user_home_t, user_home_dir_t; -+ attribute user_home_type; - ') - -+ role $1 types { user_home_type user_home_dir_t }; -+ - ############################## - # - # Domain access to home dir -@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',` - type_member $2 user_home_dir_t:dir user_home_dir_t; - - # full control of the home directory -+ allow $2 user_home_t:dir mounton; - allow $2 user_home_t:file entrypoint; -- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) -- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) -+ -+ allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; -+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; -+ manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ manage_sock_files_pattern($2, { user_home_dir_t 
user_home_type }, user_home_type) -+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) -+ userdom_filetrans_home_content($2) -+ - files_list_home($2) - - # cjp: this should probably be removed: - allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; - - tunable_policy(`use_nfs_home_dirs',` -+ fs_mount_nfs($2) -+ fs_mounton_nfs($2) - fs_manage_nfs_dirs($2) - fs_manage_nfs_files($2) - fs_manage_nfs_symlinks($2) - fs_manage_nfs_named_sockets($2) - fs_manage_nfs_named_pipes($2) -- ',` -- fs_dontaudit_manage_nfs_dirs($2) -- fs_dontaudit_manage_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` -+ fs_mount_cifs($2) -+ fs_mounton_cifs($2) - fs_manage_cifs_dirs($2) - fs_manage_cifs_files($2) - fs_manage_cifs_symlinks($2) - fs_manage_cifs_named_sockets($2) - fs_manage_cifs_named_pipes($2) -- ',` -- fs_dontaudit_manage_cifs_dirs($2) -- fs_dontaudit_manage_cifs_files($2) - ') - ') - -@@ -273,6 +315,63 @@ interface(`userdom_manage_home_role',` - ## - ## Manage user temporary files - ## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_manage_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+####################################### -+## -+## Manage user temporary sockets -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`userdom_manage_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+####################################### -+## -+## Manage user temporary directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_manage_tmp_dirs',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+####################################### -+## -+## Manage user temporary files -+## - ## - ## - ## Role allowed access. -@@ -287,17 +386,64 @@ interface(`userdom_manage_home_role',` - # - interface(`userdom_manage_tmp_role',` - gen_require(` -+ attribute user_tmp_type; - type user_tmp_t; - ') - -+ role $1 types user_tmp_t; -+ - files_poly_member_tmp($2, user_tmp_t) - -- manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -- manage_files_pattern($2, user_tmp_t, user_tmp_t) -- manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) -- manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) -- manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) -+ allow $2 user_tmp_type:dir mounton; -+ manage_dirs_pattern($2, user_tmp_type, user_tmp_type) -+ manage_files_pattern($2, user_tmp_type, user_tmp_type) -+ manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) -+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) -+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) - files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) -+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) -+ relabel_files_pattern($2, user_tmp_type, user_tmp_type) -+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) -+ relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) -+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) -+') -+ -+####################################### -+## -+## Dontaudit search of user bin dirs. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`userdom_dontaudit_search_user_bin_dirs',` -+ gen_require(` -+ type home_bin_t; -+ ') -+ -+ dontaudit $1 home_bin_t:dir search_dir_perms; -+') -+ -+####################################### -+## -+## Execute user bin files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_exec_user_bin_files',` -+ gen_require(` -+ attribute user_home_type; -+ type home_bin_t, user_home_dir_t; -+ ') -+ -+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) -+ files_search_home($1) - ') - - ####################################### -@@ -317,11 +463,31 @@ interface(`userdom_exec_user_tmp_files',` - ') - - exec_files_pattern($1, user_tmp_t, user_tmp_t) -+ dontaudit $1 user_tmp_t:sock_file execute; - files_search_tmp($1) - ') - - ####################################### - ## -+## Manage user temporary file system files -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_manage_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ allow $1 user_tmpfs_t:file manage_file_perms; -+') -+ -+####################################### -+## - ## Role access for the user tmpfs type - ## that the user has full access. 
- ## -@@ -348,59 +514,60 @@ interface(`userdom_exec_user_tmp_files',` - # - interface(`userdom_manage_tmpfs_role',` - gen_require(` -+ attribute user_tmpfs_type; - type user_tmpfs_t; - ') - -- manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) -- manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -- manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -- manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -- manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -+ role $1 types user_tmpfs_t; -+ -+ manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+ relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) - ') - - ####################################### - ## --## The template allowing the user basic -+## The interface allowing the user basic - ## network permissions - ## --## -+## - ## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). 
-+## The user domain - ## - ## - ## - # --template(`userdom_basic_networking_template',` -- gen_require(` -- type $1_t; -- ') -+interface(`userdom_basic_networking',` - -- allow $1_t self:tcp_socket create_stream_socket_perms; -- allow $1_t self:udp_socket create_socket_perms; -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled($1_t) -- corenet_all_recvfrom_netlabel($1_t) -- corenet_tcp_sendrecv_generic_if($1_t) -- corenet_udp_sendrecv_generic_if($1_t) -- corenet_tcp_sendrecv_generic_node($1_t) -- corenet_udp_sendrecv_generic_node($1_t) -- corenet_tcp_sendrecv_all_ports($1_t) -- corenet_udp_sendrecv_all_ports($1_t) -- corenet_tcp_connect_all_ports($1_t) -- corenet_sendrecv_all_client_packets($1_t) -- -- corenet_all_recvfrom_labeled($1_t, $1_t) -+ corenet_tcp_sendrecv_generic_if($1) -+ corenet_udp_sendrecv_generic_if($1) -+ corenet_tcp_sendrecv_generic_node($1) -+ corenet_udp_sendrecv_generic_node($1) -+ corenet_tcp_sendrecv_all_ports($1) -+ corenet_udp_sendrecv_all_ports($1) -+ corenet_tcp_connect_all_ports($1) -+ corenet_sendrecv_all_client_packets($1) - - optional_policy(` -- init_tcp_recvfrom_all_daemons($1_t) -- init_udp_recvfrom_all_daemons($1_t) -+ init_tcp_recvfrom_all_daemons($1) -+ init_udp_recvfrom_all_daemons($1) - ') - - optional_policy(` -- ipsec_match_default_spd($1_t) -+ ipsec_match_default_spd($1) - ') -+ - ') - - ####################################### -@@ -431,6 +598,7 @@ template(`userdom_xwindows_client_template',` - dev_dontaudit_rw_dri($1_t) - # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) -+ dev_rw_generic_usb_dev($1_t) - - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) -@@ -463,8 +631,8 @@ template(`userdom_change_password_template',` - ') - - optional_policy(` -- usermanage_run_chfn($1_t, $1_r) -- usermanage_run_passwd($1_t, $1_r) -+ usermanage_run_chfn($1_t,$1_r) -+ 
usermanage_run_passwd($1_t,$1_r) - ') - ') - -@@ -491,7 +659,8 @@ template(`userdom_common_user_template',` - attribute unpriv_userdomain; - ') - -- userdom_basic_networking_template($1) -+ userdom_basic_networking($1_usertype) -+ corenet_all_recvfrom_netlabel($1_t) - - ############################## - # -@@ -501,41 +670,51 @@ template(`userdom_common_user_template',` - # evolution and gnome-session try to create a netlink socket - dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; -+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; -+ allow $1_t self:socket create_socket_perms; - -- allow $1_t unpriv_userdomain:fd use; -+ allow $1_usertype unpriv_userdomain:fd use; - - kernel_read_system_state($1_t) -- kernel_read_network_state($1_t) -- kernel_read_net_sysctls($1_t) -+ kernel_read_network_state($1_usertype) -+ kernel_read_software_raid_state($1_usertype) -+ kernel_read_net_sysctls($1_usertype) - # Very permissive allowing every domain to see every type: -- kernel_get_sysvipc_info($1_t) -+ kernel_get_sysvipc_info($1_usertype) - # Find CDROM devices: -- kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) -+ kernel_read_device_sysctls($1_usertype) -+ kernel_request_load_module($1_usertype) - -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) -+ corenet_udp_bind_generic_node($1_usertype) -+ corenet_udp_bind_generic_port($1_usertype) - -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -+ dev_read_rand($1_usertype) -+ dev_write_sound($1_usertype) -+ dev_read_sound($1_usertype) -+ dev_read_sound_mixer($1_usertype) -+ dev_write_sound_mixer($1_usertype) - -- files_exec_etc_files($1_t) -- files_search_locks($1_t) -+ 
files_exec_etc_files($1_usertype) -+ files_search_locks($1_usertype) - # Check to see if cdrom is mounted -- files_search_mnt($1_t) -+ files_search_mnt($1_usertype) - # cjp: perhaps should cut back on file reads: -- files_read_var_files($1_t) -- files_read_var_symlinks($1_t) -- files_read_generic_spool($1_t) -- files_read_var_lib_files($1_t) -+ files_read_var_files($1_usertype) -+ files_read_var_symlinks($1_usertype) -+ files_read_generic_spool($1_usertype) -+ files_read_var_lib_files($1_usertype) - # Stat lost+found. -- files_getattr_lost_found_dirs($1_t) -+ files_getattr_lost_found_dirs($1_usertype) -+ files_read_config_files($1_usertype) -+ fs_read_noxattr_fs_files($1_usertype) -+ fs_read_noxattr_fs_symlinks($1_usertype) -+ fs_rw_cgroup_files($1_usertype) -+ -+ application_getattr_socket($1_usertype) -+ -+ logging_send_syslog_msg($1_t) - -- fs_rw_cgroup_files($1_t) -+ selinux_get_enforce_mode($1_t) - - # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) -@@ -546,93 +725,120 @@ template(`userdom_common_user_template',` - selinux_compute_user_contexts($1_t) - - # for eject -- storage_getattr_fixed_disk_dev($1_t) -+ storage_getattr_fixed_disk_dev($1_usertype) - -- auth_use_nsswitch($1_t) -- auth_read_login_records($1_t) -- auth_search_pam_console_data($1_t) -- auth_run_pam($1_t, $1_r) -- auth_run_utempter($1_t, $1_r) -+ auth_read_login_records($1_usertype) -+ auth_run_pam_timestamp($1_t,$1_r) -+ auth_run_utempter($1_t,$1_r) -+ auth_filetrans_admin_home_content($1_t) - -- init_read_utmp($1_t) -+ init_read_utmp($1_usertype) - -- seutil_read_file_contexts($1_t) -- seutil_read_default_contexts($1_t) -- seutil_run_newrole($1_t, $1_r) -+ seutil_read_file_contexts($1_usertype) -+ seutil_read_default_contexts($1_usertype) -+ seutil_run_newrole($1_t,$1_r) - seutil_exec_checkpolicy($1_t) -- seutil_exec_setfiles($1_t) -+ seutil_exec_setfiles($1_usertype) - # for when the network connection is killed - # this is needed when a login role can change - # to 
this one. - seutil_dontaudit_signal_newrole($1_t) - -- tunable_policy(`user_direct_mouse',` -- dev_read_mouse($1_t) -- ') -+ term_getattr_all_ttys($1_t) - -- tunable_policy(`user_ttyfile_stat',` -- term_getattr_all_ttys($1_t) -+ optional_policy(` -+ # Allow graphical boot to check battery lifespan -+ apm_stream_connect($1_usertype) - ') - - optional_policy(` -- alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") -- alsa_manage_home_files($1_t) -- alsa_read_rw_config($1_t) -- alsa_relabel_home_files($1_t) -+ chrome_role($1_r, $1_usertype) - ') - - optional_policy(` -- # Allow graphical boot to check battery lifespan -- apm_stream_connect($1_t) -+ canna_stream_connect($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) -+ colord_read_lib_files($1_usertype) - ') - - optional_policy(` -- dbus_system_bus_client($1_t) -+ dbus_system_bus_client($1_usertype) -+ -+ allow $1_usertype $1_usertype:dbus send_msg; -+ -+ optional_policy(` -+ avahi_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') - - optional_policy(` -- bluetooth_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) - ') - - optional_policy(` -- consolekit_dbus_chat($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) - ') - - optional_policy(` -- hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) - ') - - optional_policy(` -- networkmanager_dbus_chat($1_t) -+ 
policykit_dbus_chat($1_usertype) - ') - - optional_policy(` -- policykit_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) - ') - ') - - optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) -+ git_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) - ') - - optional_policy(` -- inn_read_config($1_t) -- inn_read_news_lib($1_t) -- inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) - ') - - optional_policy(` -- kerberos_manage_krb5_home_files($1_t) -- kerberos_relabel_krb5_home_files($1_t) -- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") -+ lircd_stream_connect($1_usertype) - ') - - optional_policy(` -@@ -642,23 +848,21 @@ template(`userdom_common_user_template',` - optional_policy(` - mpd_manage_user_data_content($1_t) - mpd_relabel_user_data_content($1_t) -+ mpd_stream_connect($1_t) - ') - - # for running depmod as part of the kernel packaging process - optional_policy(` -- modutils_read_module_config($1_t) -+ modutils_read_module_config($1_usertype) - ') - - optional_policy(` -- mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) - ') - - optional_policy(` -- mysql_manage_mysqld_home_files($1_t) -- mysql_relabel_mysqld_home_files($1_t) -- mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") -- -- tunable_policy(`allow_user_mysql_connect',` -+ tunable_policy(`selinuxuser_mysql_connect_enabled',` - mysql_stream_connect($1_t) - ') - ') -@@ -671,7 +875,7 @@ template(`userdom_common_user_template',` - - optional_policy(` - # to allow monitoring of pcmcia status -- pcmcia_read_pid($1_t) -+ pcmcia_read_pid($1_usertype) - ') - - optional_policy(` -@@ -680,9 +884,9 @@ template(`userdom_common_user_template',` - ') - - optional_policy(` -- tunable_policy(`allow_user_postgresql_connect',` -- postgresql_stream_connect($1_t) -- postgresql_tcp_connect($1_t) -+ 
tunable_policy(`selinuxuser_postgresql_connect_enabled',` -+ postgresql_stream_connect($1_usertype) -+ postgresql_tcp_connect($1_usertype) - ') - ') - -@@ -693,32 +897,35 @@ template(`userdom_common_user_template',` - ') - - optional_policy(` -- resmgr_stream_connect($1_t) -+ resmgr_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) - ') - - optional_policy(` -- rpc_dontaudit_getattr_exports($1_t) -- rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) - ') - - optional_policy(` -- samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) - ') - - optional_policy(` -- slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) - ') - - optional_policy(` -- usernetctl_run($1_t, $1_r) -+ seunshare_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- virt_home_filetrans_virt_home($1_t, dir, ".libvirt") -- virt_home_filetrans_virt_home($1_t, dir, ".virtinst") -- virt_home_filetrans_virt_content($1_t, dir, "isos") -- virt_home_filetrans_svirt_home($1_t, dir, "qemu") -- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` -+ thumb_role($1_r, $1_usertype) - ') - ') - -@@ -743,17 +950,33 @@ template(`userdom_common_user_template',` - template(`userdom_login_user_template', ` - gen_require(` - class context contains; -+ attribute login_userdomain; - ') - - userdom_base_user_template($1) - -+ typeattribute $1_t login_userdomain; -+ - userdom_manage_home_role($1_r, $1_t) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable($1_exec_content, true) -+ -+ tunable_policy(`$1_exec_content',` -+ userdom_exec_user_tmp_files($1_usertype) -+ 
userdom_exec_user_home_content_files($1_usertype) -+ ') -+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',` -+ fs_exec_nfs_files($1_usertype) -+ ') -+ -+ tunable_policy(`$1_exec_content && use_samba_home_dirs',` -+ fs_exec_cifs_files($1_usertype) -+ ') -+ ') - - userdom_change_password_template($1) - -@@ -761,82 +984,101 @@ template(`userdom_login_user_template', ` - # - # User domain Local policy - # -- -- allow $1_t self:capability { setgid chown fowner }; - dontaudit $1_t self:capability { sys_nice fsetid }; -+ allow $1_t self:process ~{ ptrace execmem execstack execheap }; -+ -+ tunable_policy(`selinuxuser_use_ssh_chroot',` -+ allow $1_t self:capability { setuid setgid sys_chroot }; -+ ') - -- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; - dontaudit $1_t self:process setrlimit; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; -+ domain_dyntrans_type($1_t) - - allow $1_t self:context contains; - -- kernel_dontaudit_read_system_state($1_t) -+ kernel_dontaudit_read_system_state($1_usertype) -+ kernel_dontaudit_list_all_proc($1_usertype) - -- dev_read_sysfs($1_t) -- dev_read_urand($1_t) -+ dev_read_sysfs($1_usertype) -+ dev_read_rand($1_usertype) -+ dev_read_urand($1_usertype) - -- domain_use_interactive_fds($1_t) -+ domain_use_interactive_fds($1_usertype) - # Command completion can fire hundreds of denials -- domain_dontaudit_exec_all_entry_files($1_t) -+ domain_dontaudit_exec_all_entry_files($1_usertype) - -- files_dontaudit_list_default($1_t) -- files_dontaudit_read_default_files($1_t) -+ files_dontaudit_list_default($1_usertype) -+ files_dontaudit_read_default_files($1_usertype) - # Stat lost+found. 
-- files_getattr_lost_found_dirs($1_t) -+ files_getattr_lost_found_dirs($1_usertype) - -- fs_get_all_fs_quotas($1_t) -- fs_getattr_all_fs($1_t) -- fs_getattr_all_dirs($1_t) -- fs_search_auto_mountpoints($1_t) -- fs_list_cgroup_dirs($1_t) -- fs_list_inotifyfs($1_t) -- fs_rw_anon_inodefs_files($1_t) -- fs_dontaudit_rw_cgroup_files($1_t) -+ fs_get_all_fs_quotas($1_usertype) -+ fs_getattr_all_fs($1_usertype) -+ fs_search_all($1_usertype) -+ fs_list_inotifyfs($1_usertype) -+ fs_rw_anon_inodefs_files($1_usertype) - -+ auth_role($1_r, $1_t) -+ auth_create_cache($1_t) -+ auth_rw_cache($1_t) -+ auth_search_pam_console_data($1_t) -+ auth_dontaudit_read_login_records($1_t) - auth_dontaudit_write_login_records($1_t) - - application_exec_all($1_t) -- - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_t) -+ - # Stop warnings about access to /dev/console -- init_dontaudit_use_fds($1_t) -- init_dontaudit_use_script_fds($1_t) -+ init_dontaudit_use_fds($1_usertype) -+ init_dontaudit_use_script_fds($1_usertype) - -- libs_exec_lib_files($1_t) -+ libs_exec_lib_files($1_usertype) - -- logging_dontaudit_getattr_all_logs($1_t) -+ logging_dontaudit_getattr_all_logs($1_usertype) - -- miscfiles_read_man_pages($1_t) - # for running TeX programs -- miscfiles_read_tetex_data($1_t) -- miscfiles_exec_tetex_data($1_t) -+ miscfiles_read_tetex_data($1_usertype) -+ miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) -+ seutil_read_file_contexts($1_usertype) -+ seutil_read_default_contexts($1_usertype) -+ seutil_exec_setfiles($1_usertype) - -- seutil_read_config($1_t) -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') -+ -+ optional_policy(` -+ kerberos_use($1_usertype) -+ init_write_key($1_usertype) -+ ') - - optional_policy(` -- cups_read_config($1_t) -- cups_stream_connect($1_t) -- 
cups_stream_connect_ptal($1_t) -+ mysql_filetrans_named_content($1_usertype) - ') - - optional_policy(` -- kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) - ') - - optional_policy(` -- mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) - ') - - optional_policy(` -- quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) - ') - - optional_policy(` -- rpm_read_db($1_t) -- rpm_dontaudit_manage_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r) - ') - ') - -@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',` - typeattribute $1_t unpriv_userdomain; - domain_interactive_fd($1_t) - -+ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; -+ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; -+ -+ seutil_read_file_contexts($1_t) -+ seutil_read_default_contexts($1_t) -+ - ############################## - # - # Local policy -@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',` - # - # Local policy - # -+ kernel_stream_connect($1_usertype) - -- auth_role($1_r, $1_t) -- auth_search_pam_console_data($1_t) -- -- dev_read_sound($1_t) -- dev_write_sound($1_t) -+ dev_read_sound($1_usertype) -+ dev_write_sound($1_usertype) - # gnome keyring wants to read this. 
-- dev_dontaudit_read_rand($1_t) -+ dev_dontaudit_read_rand($1_usertype) -+ # temporarily allow since openoffice requires this -+ dev_read_rand($1_usertype) -+ -+ dev_read_video_dev($1_usertype) -+ dev_write_video_dev($1_usertype) -+ dev_rw_wireless($1_usertype) -+ -+ libs_dontaudit_setattr_lib_files($1_usertype) -+ -+ init_read_state($1_usertype) -+ -+ tunable_policy(`selinuxuser_rw_noexattrfile',` -+ dev_rw_usbfs($1_t) -+ dev_rw_generic_usb_dev($1_usertype) -+ -+ fs_manage_noxattr_fs_files($1_usertype) -+ fs_manage_noxattr_fs_dirs($1_usertype) -+ fs_manage_dos_dirs($1_usertype) -+ fs_manage_dos_files($1_usertype) -+ storage_raw_read_removable_device($1_usertype) -+ storage_raw_write_removable_device($1_usertype) -+ ') - - logging_send_syslog_msg($1_t) - logging_dontaudit_send_audit_msgs($1_t) - - # Need to to this just so screensaver will work. Should be moved to screensaver domain -- logging_send_audit_msgs($1_t) - selinux_get_enforce_mode($1_t) -+ seutil_exec_restorecond($1_t) -+ seutil_read_file_contexts($1_t) -+ seutil_read_default_contexts($1_t) - - xserver_restricted_role($1_r, $1_t) - - optional_policy(` -- alsa_read_rw_config($1_t) -+ alsa_read_rw_config($1_usertype) -+ ') -+ -+ # cjp: needed by KDE apps -+ # bug: #682499 -+ optional_policy(` -+ gnome_read_usr_config($1_usertype) -+ gnome_role_gkeyringd($1, $1_r, $1_usertype) -+ # cjp: telepathy F15 bugs -+ telepathy_role($1_r, $1_t, $1) -+ ') -+ -+ optional_policy(` -+ obex_role($1_r, $1_t, $1) - ') - - optional_policy(` -- dbus_role_template($1, $1_r, $1_t) -- dbus_system_bus_client($1_t) -+ dbus_role_template($1, $1_r, $1_usertype) -+ dbus_system_bus_client($1_usertype) -+ allow $1_usertype $1_usertype:dbus send_msg; -+ -+ optional_policy(` -+ abrt_dbus_chat($1_usertype) -+ abrt_run_helper($1_usertype, $1_r) -+ ') -+ -+ optional_policy(` -+ accountsd_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dontaudit_read_log($1_usertype) -+ consolekit_dbus_chat($1_usertype) -+ ') -+ -+ 
optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') - - optional_policy(` -- consolekit_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) - ') - - optional_policy(` -- gnome_role_template($1, $1_r, $1_t) -+ realmd_dbus_chat($1_t) - ') - - optional_policy(` -@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',` - ') - - optional_policy(` -- java_role($1_r, $1_t) -+ policykit_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ pulseaudio_role($1_r, $1_usertype) -+ pulseaudio_filetrans_admin_home_content($1_usertype) -+ ') -+ -+ optional_policy(` -+ rtkit_scheduled($1_usertype) -+ ') -+ -+ optional_policy(` -+ systemd_filetrans_home_content($1_usertype) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') --') - --####################################### -+ optional_policy(` -+ udev_read_db($1_usertype) -+ ') -+ -+ optional_policy(` -+ xserver_xdm_ioctl_log($1_t) -+ ') -+') -+ -+####################################### - ## - ## The template for creating a unprivileged user roughly - ## equivalent to a regular linux user. -@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', ` - # - - # Inherit rules for ordinary users. 
-- userdom_restricted_user_template($1) -+ userdom_restricted_xwindows_user_template($1) - userdom_common_user_template($1) - - ############################## - # - # Local policy - # -+ allow $1_t self:capability { setgid chown fowner }; -+ -+ corecmd_exec_chroot($1_t) - - # port access is audited even if dac would not have allowed it, so dontaudit it here -- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - # Need the following rule to allow users to run vpnc - corenet_tcp_bind_xserver_port($1_t) -+ corenet_tcp_bind_generic_node($1_usertype) -+ -+ storage_rw_fuse($1_t) - - files_exec_usr_files($1_t) -- # cjp: why? -+ # cjp: why? - files_read_kernel_symbol_table($1_t) - - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) - -- tunable_policy(`user_rw_noexattrfile',` -+ tunable_policy(`selinuxuser_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - # Write floppies -@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', ` - ') - ') - -- tunable_policy(`user_dmesg',` -- kernel_read_ring_buffer($1_t) -- ',` -- kernel_dontaudit_read_ring_buffer($1_t) -- ') -+ miscfiles_read_hwdata($1_usertype) -+ -+ fs_mounton_fusefs($1_usertype) - - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols -- tunable_policy(`user_tcp_server',` -- corenet_tcp_bind_generic_node($1_t) -- corenet_tcp_bind_generic_port($1_t) -+ -+ tunable_policy(`selinuxuser_share_music',` -+ corenet_tcp_bind_daap_port($1_usertype) -+ ') -+ -+ tunable_policy(`selinuxuser_tcp_server',` -+ corenet_tcp_bind_all_unreserved_ports($1_usertype) -+ ') -+ -+ optional_policy(` -+ cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ cron_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ games_rw_data($1_usertype) -+ ') -+ -+ optional_policy(` -+ gpg_role($1_r, $1_usertype) -+ ') -+ 
-+ optional_policy(` -+ systemd_dbus_chat_timedated($1_t) -+ systemd_dbus_chat_hostnamed($1_t) -+ systemd_dbus_chat_localed($1_t) -+ ') -+ -+ optional_policy(` -+ gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` -+ wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) -+ postfix_run_postdrop($1_t, $1_r) -+ postfix_search_spool($1_t) - ') - - # Run pppd in pppd_t by default for user -@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', ` - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) -+ vdagent_getattr_log($1_t) -+ vdagent_getattr_exec_files($1_t) -+ vdagent_stream_connect($1_t) - ') - ') - -@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', ` - template(`userdom_admin_user_template',` - gen_require(` - attribute admindomain; -- class passwd { passwd chfn chsh rootok }; -+ attribute confined_admindomain; -+ -+ class passwd { passwd chfn chsh rootok crontab }; - ') - - ############################## -@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',` - role system_r types $1_t; - - typeattribute $1_t admindomain; -+ typeattribute $1_t confined_admindomain; - - ifdef(`direct_sysadm_daemon',` - domain_system_change_exemption($1_t) -@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',` - # - - allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability2 { block_suspend syslog }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; -@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',` - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; - -+ # Manipulate other users crontab. 
-+ allow $1_t self:passwd crontab; -+ - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` - kernel_sigstop_unlabeled($1_t) - kernel_signull_unlabeled($1_t) - kernel_sigchld_unlabeled($1_t) -+ kernel_signal($1_t) - - corenet_tcp_bind_generic_port($1_t) - # allow setting up tunnels -@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` - dev_rename_all_blk_files($1_t) - dev_rename_all_chr_files($1_t) - dev_create_generic_symlinks($1_t) -+ dev_rw_generic_usb_dev($1_t) -+ dev_rw_usbfs($1_t) -+ dev_read_kmsg($1_t) - - domain_setpriority_all_domains($1_t) - domain_read_all_domains_state($1_t) - domain_getattr_all_domains($1_t) -+ domain_getcap_all_domains($1_t) - domain_dontaudit_ptrace_all_domains($1_t) - # signal all domains: - domain_kill_all_domains($1_t) -@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` - domain_sigchld_all_domains($1_t) - # for lsof - domain_getattr_all_sockets($1_t) -+ domain_dontaudit_getattr_all_sockets($1_t) - - files_exec_usr_src_files($1_t) - - fs_getattr_all_fs($1_t) -+ fs_getattr_all_files($1_t) -+ fs_list_all($1_t) - fs_set_all_quotas($1_t) - fs_exec_noxattr($1_t) - - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) -+ storage_dontaudit_read_fixed_disk($1_t) - -- term_use_all_terms($1_t) -+ term_use_all_inherited_terms($1_t) -+ term_use_unallocated_ttys($1_t) - - auth_getattr_shadow($1_t) - # Manage almost all files -- files_manage_non_auth_files($1_t) -+ files_manage_non_security_dirs($1_t) -+ files_manage_non_security_files($1_t) - # Relabel almost all files -- files_relabel_non_auth_files($1_t) -+ files_relabel_non_security_files($1_t) - - init_telinit($1_t) - - logging_send_syslog_msg($1_t) - -- modutils_domtrans_insmod($1_t) -+ optional_policy(` -+ modutils_domtrans_insmod($1_t) -+ modutils_domtrans_depmod($1_t) -+ ') - - # The following rule is temporary 
until such time that a complete - # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` - # But presently necessary for installing the file_contexts file. - seutil_manage_bin_policy($1_t) - -+ systemd_config_all_services($1_t) -+ - userdom_manage_user_home_content_dirs($1_t) - userdom_manage_user_home_content_files($1_t) - userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` - userdom_manage_user_home_content_sockets($1_t) - userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - -- tunable_policy(`user_rw_noexattrfile',` -+ tunable_policy(`selinuxuser_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - ') - -+ tunable_policy(`selinuxuser_tcp_server',` -+ corenet_tcp_bind_all_unreserved_ports($1_t) -+ ') -+ - optional_policy(` - postgresql_unconfined($1_t) - ') -@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` - ## - ## - # --template(`userdom_security_admin_template',` -+template(`userdom_security_admin',` - allow $1 self:capability { dac_read_search dac_override }; - - corecmd_exec_shell($1) -@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` - dev_relabel_all_dev_nodes($1) - - files_create_boot_flag($1) -+ files_create_default_dir($1) -+ files_root_filetrans_default($1, dir) - - # Necessary for managing /boot/efi - fs_manage_dos_files($1) -@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',` - selinux_set_enforce_mode($1) - selinux_set_all_booleans($1) - selinux_set_parameters($1) -+ selinux_read_policy($1) -+ -+ files_relabel_all_files($1) - -- files_relabel_non_auth_files($1) - auth_relabel_shadow($1) - - init_exec($1) -@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',` - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) -- 
seutil_run_checkpolicy($1, $2)
-- seutil_run_loadpolicy($1, $2)
-- seutil_run_semanage($1, $2)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
-+ seutil_manage_login_config($1)
-+ seutil_run_checkpolicy($1,$2)
-+ seutil_run_loadpolicy($1,$2)
-+ seutil_run_semanage($1,$2)
-+ seutil_run_setsebool($1,$2)
- seutil_run_setfiles($1, $2)
- 
- optional_policy(`
-- aide_run($1, $2)
-+ aide_run($1,$2)
- ')
- 
- optional_policy(`
- consoletype_exec($1)
- ')
- 
-- optional_policy(`
-- dmesg_exec($1)
-- ')
--
-- optional_policy(`
-- ipsec_run_setkey($1, $2)
-+ optional_policy(`
-+ ipsec_run_setkey($1,$2)
- ')
- 
- optional_policy(`
-- netlabel_run_mgmt($1, $2)
-+ netlabel_run_mgmt($1,$2)
- ')
- 
- optional_policy(`
-@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',`
- gen_require(`
- attribute user_home_content_type;
- type user_home_t;
-+ attribute user_home_type;
- ')
- 
- typeattribute $1 user_home_content_type;
- 
- allow $1 user_home_t:filesystem associate;
- files_type($1)
-- files_poly_member($1)
- ubac_constrained($1)
-+
-+ files_poly_member($1)
-+ typeattribute $1 user_home_type;
- ')
- 
- ########################################
-@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
- ##
- ## Allow domain to attach to TUN devices created by administrative users.
- ##
-+##
-+##
-+## Type to be used as a file in the
-+## generic temporary directory.
-+##
-+##
-+#
-+interface(`userdom_user_tmp_content',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ ')
-+
-+ typeattribute $1 user_tmp_type;
-+
-+ files_tmp_file($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Make the specified type usable in a
-+## generic tmpfs_t directory.
-+##
-+##
-+##
-+## Type to be used as a file in the
-+## generic temporary directory.
-+##
-+##
-+#
-+interface(`userdom_user_tmpfs_content',`
-+ gen_require(`
-+ attribute user_tmpfs_type;
-+ ')
-+
-+ typeattribute $1 user_tmpfs_type;
-+
-+ files_tmpfs_file($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Allow domain to attach to TUN devices created by administrative users.
-+##
- ##
- ##
- ## Domain allowed access.
-@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
- ')
- 
- allow $1 user_home_dir_t:dir search_dir_perms;
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
- files_search_home($1)
- ')
- 
- ########################################
- ##
-+## Search user tmp directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_search_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ allow $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to search user home directories.
- ##
- ##
-@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
- 
- allow $1 user_home_dir_t:dir list_dir_perms;
- files_search_home($1)
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ ')
- ')
- 
- ########################################
-@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
- interface(`userdom_dontaudit_list_user_home_dirs',`
- gen_require(`
- type user_home_dir_t;
-+ type user_home_t;
- ')
- 
- dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_t:dir list_dir_perms;
- ')
- 
- ########################################
-@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
- allow $1 user_home_dir_t:dir relabelto;
- ')
- 
-+
-+########################################
-+##
-+## Relabel to user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabelto_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabelto;
-+')
-+########################################
-+##
-+## Relabel user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_relabel_user_home_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabel_file_perms;
-+')
-+
- ########################################
- ##
- ## Create directories in the home dir root with
-@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
- ')
- 
- dontaudit $1 user_home_t:dir search_dir_perms;
-+ fs_dontaudit_list_nfs($1)
-+ fs_dontaudit_list_cifs($1)
- ')
- 
- ########################################
-@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
- #
- interface(`userdom_list_user_home_content',`
- gen_require(`
-- type user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
- 
-- allow $1 user_home_t:dir list_dir_perms;
-+ files_list_home($1)
-+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
- ')
- 
- ########################################
-@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
- 
- ########################################
- ##
--## Delete all user home content directories.
-+## Delete directories in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_delete_user_home_content_dirs',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:dir delete_dir_perms;
-+')
-+
-+########################################
-+##
-+## Delete all directories in a user home subdirectory.
- ##
- ##
- ##
-@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
- #
- interface(`userdom_delete_all_user_home_content_dirs',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ attribute user_home_type;
- ')
- 
-- userdom_search_user_home_dirs($1)
-- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_type:dir delete_dir_perms;
- ')
- 
- ########################################
- ##
--## Delete directories in a user home subdirectory.
-+## Set the attributes of user home files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`userdom_delete_user_home_content_dirs',`
-+interface(`userdom_setattr_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
- 
-- allow $1 user_home_t:dir delete_dir_perms;
-+ allow $1 user_home_t:file setattr;
- ')
- 
- ########################################
- ##
--## Set attributes of all user home content directories.
-+## Set the attributes of user tmp files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`userdom_setattr_all_user_home_content_dirs',`
-+interface(`userdom_setattr_user_tmp_files',`
- gen_require(`
-- attribute user_home_content_type;
-+ type user_tmp_t;
- ')
- 
-- userdom_search_user_home_dirs($1)
-- allow $1 user_home_content_type:dir setattr_dir_perms;
-+ allow $1 user_tmp_t:file setattr;
- ')
- 
- ########################################
- ##
-+## Relabel user tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_relabel_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file relabel_file_perms;
-+')
-+########################################
-+##
- ## Do not audit attempts to set the
- ## attributes of user home files.
- ##
-@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
- 
- ########################################
- ##
-+## Set the attributes of all user home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_setattr_all_user_home_content_dirs',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
- ## Mmap user home files.
- ##
- ##
-@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
- interface(`userdom_read_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
- 
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
-+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- files_search_home($1)
- ')
- 
- ########################################
- ##
-+## Do not audit attempts to getattr user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_getattr_user_home_content',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to read user home files.
- ##
- ##
-@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
-+ type user_home_dir_t;
- ')
- 
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
- 
- ########################################
- ##
--## Delete all user home content files.
-+## Delete files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_files',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
- ')
- 
-- userdom_search_user_home_content($1)
-- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:file delete_file_perms;
- ')
- 
- ########################################
- ##
--## Delete files in a user home subdirectory.
-+## Delete all files in a user home subdirectory.
- ##
- ##
- ##
-@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_delete_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_files',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
- 
-- allow $1 user_home_t:file delete_file_perms;
-+ allow $1 user_home_type:file delete_file_perms;
- ')
- 
- ########################################
- ##
--## Do not audit attempts to write user home files.
-+## Delete sock files in a user home subdirectory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_dontaudit_relabel_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_sock_files',`
- gen_require(`
- type user_home_t;
- ')
- 
-- dontaudit $1 user_home_t:file relabel_file_perms;
-+ allow $1 user_home_t:sock_file delete_file_perms;
- ')
- 
- ########################################
- ##
--## Read user home subdirectory symbolic links.
-+## Delete all sock files in a user home subdirectory.
- ##
- ##
- ##
-@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_read_user_home_content_symlinks',`
-+interface(`userdom_delete_all_user_home_content_sock_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
- 
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ allow $1 user_home_type:sock_file delete_file_perms;
- ')
- 
- ########################################
- ##
--## Execute user home files.
-+## Delete all files in a user home subdirectory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`userdom_exec_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
- 
-- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
-+')
- 
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
-+########################################
-+##
-+## Do not audit attempts to write user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
- ')
- 
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-+ dontaudit $1 user_home_t:file relabel_file_perms;
-+')
-+
-+########################################
-+##
-+## Read user home subdirectory symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_user_home_content_symlinks',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
- ')
-+
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ##
-+## Execute user home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_exec_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_search_home($1)
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ dontaudit $1 user_home_type:sock_file execute;
-+ ')
-+
-+########################################
-+##
- ## Do not audit attempts to execute user home files.
- ##
- ##
-@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
- 
- ########################################
- ##
--## Delete all user home content symbolic links.
-+## Delete symbolic links in a user home directory.
- ##
- ##
- ##
-@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
- ##
- ##
- #
--interface(`userdom_delete_all_user_home_content_symlinks',`
-+interface(`userdom_delete_user_home_content_symlinks',`
- gen_require(`
-- attribute user_home_content_type;
-- type user_home_dir_t;
-+ type user_home_t;
- ')
- 
-- userdom_search_user_home_dirs($1)
-- delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:lnk_file delete_lnk_file_perms;
- ')
- 
- ########################################
- ##
--## Delete symbolic links in a user home directory.
-+## Delete all symbolic links in a user home directory.
- ##
- ##
- ##
-@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
- ##
- ##
- #
--interface(`userdom_delete_user_home_content_symlinks',`
-+interface(`userdom_delete_all_user_home_content_symlinks',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
- 
-- allow $1 user_home_t:lnk_file delete_lnk_file_perms;
-+ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
- ')
- 
- ########################################
-@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
- #
- interface(`userdom_read_user_tmp_files',`
- gen_require(`
-- type user_tmp_t;
-+ attribute user_tmp_type;
- ')
- 
-- read_files_pattern($1, user_tmp_t, user_tmp_t)
-- allow $1 user_tmp_t:dir list_dir_perms;
-+ read_files_pattern($1, user_tmp_type, user_tmp_type)
-+ allow $1 user_tmp_type:dir list_dir_perms;
- files_search_tmp($1)
- ')
- 
-@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
- type user_tmp_t;
- ')
- 
-- dontaudit $1 user_tmp_t:file read_file_perms;
-+ dontaudit $1 user_tmp_t:file read_inherited_file_perms;
- ')
- 
- ########################################
-@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
- files_tmp_filetrans($1, user_tmp_t, $2, $3)
- ')
- 
-+#######################################
-+##
-+## Getattr user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ fs_search_tmpfs($1)
-+')
-+
- ########################################
- ##
- ## Read user tmpfs files.
-@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',`
- ')
- 
- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
- ')
- 
- ########################################
- ##
--## Read user tmpfs files.
-+## Read/Write user tmpfs files.
- ##
- ##
- ##
-@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',`
- 
- ########################################
- ##
--## Create, read, write, and delete user tmpfs files.
-+## Read/Write inherited user tmpfs files.
- ##
- ##
- ##
-@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmpfs_files',`
-+interface(`userdom_rw_inherited_user_tmpfs_files',`
- gen_require(`
- type user_tmpfs_t;
- ')
- 
-- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
-+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute user tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_execute_user_tmpfs_files',`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file execute;
- ')
- 
- ########################################
-@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',`
- 
- ########################################
- ##
-+## Read and write a inherited user domain tty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Read and write a user domain pty.
- ##
- ##
-@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',`
- 
- ########################################
- ##
--## Read and write a user TTYs and PTYs.
-+## Read and write a inherited user domain pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write a inherited user TTYs and PTYs.
- ##
- ##
- ##

    --## Allow the specified domain to read and write user
-+## Allow the specified domain to read and write inherited user
- ## TTYs and PTYs. This will allow the domain to
- ## interact with the user via the terminal. Typically
- ## all interactive applications will require this
- ## access.
- ##

    --##

    --## However, this also allows the applications to spy
--## on user sessions or inject information into the
--## user session. Thus, this access should likely
--## not be allowed for non-interactive domains.
--##

    - ##
    - ##
- ##
-@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',`
- ##
- ##
- #
--interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_inherited_user_terminals',`
- gen_require(`
- type user_tty_device_t, user_devpts_t;
- ')
- 
-- allow $1 user_tty_device_t:chr_file rw_term_perms;
-- allow $1 user_devpts_t:chr_file rw_term_perms;
-- term_list_ptys($1)
-+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+#######################################
-+##
-+## Allow attempts to read and write
-+## a user domain tty and pty.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_use_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file rw_term_perms;
-+ allow $1 user_devpts_t:chr_file rw_term_perms;
- ')
- 
- ########################################
-@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
- type user_tty_device_t, user_devpts_t;
- ')
- 
-- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
-- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+
-+########################################
-+##
-+## Get attributes of user domain tty and pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_user_terminals',`
-+ gen_require(`
-+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
- ')
- 
- ########################################
-@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- allow unpriv_userdomain $1:process sigchld;
- ')
- 
--########################################
-+#####################################
- ##
--## Execute an Xserver session in all unprivileged user domains. This
--## is an explicit transition, requiring the
--## caller to use setexeccon().
-+## Allow domain dyntrans to unpriv userdomain.
- ##
- ##
--##
--## Domain allowed to transition.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
-+interface(`userdom_dyntransition_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
- 
-- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-- allow unpriv_userdomain $1:fd use;
-- allow unpriv_userdomain $1:fifo_file rw_file_perms;
-- allow unpriv_userdomain $1:process sigchld;
-+ allow $1 unpriv_userdomain:process dyntransition;
- ')
- 
--#######################################
-+####################################
- ##
--## Read and write unpriviledged user SysV sempaphores.
-+## Allow domain dyntrans to admin userdomain.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`userdom_rw_unpriv_user_semaphores',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
-+interface(`userdom_dyntransition_admin_users',`
-+ gen_require(`
-+ attribute admindomain;
-+ ')
- 
-- allow $1 unpriv_userdomain:sem rw_sem_perms;
-+ allow $1 admindomain:process dyntransition;
- ')
- 
- ########################################
- ##
--## Manage unpriviledged user SysV sempaphores.
-+## Execute an Xserver session in all unprivileged user domains. This
-+## is an explicit transition, requiring the
-+## caller to use setexeccon().
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`userdom_manage_unpriv_user_semaphores',`
-+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
- 
-- allow $1 unpriv_userdomain:sem create_sem_perms;
-+ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
-+ allow unpriv_userdomain $1:fd use;
-+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
-+ allow unpriv_userdomain $1:process sigchld;
- ')
- 
--#######################################
-+########################################
- ##
--## Read and write unpriviledged user SysV shared
--## memory segments.
-+## Manage unpriviledged user SysV sempaphores.
- ##
- ##
- ##
-@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- ##
- ##
- #
--interface(`userdom_rw_unpriv_user_shared_mem',`
-+interface(`userdom_manage_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
- 
-- allow $1 unpriv_userdomain:shm rw_shm_perms;
-+ allow $1 unpriv_userdomain:sem create_sem_perms;
- ')
- 
- ########################################
-@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
- 
- domain_entry_file_spec_domtrans($1, unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
-- allow unpriv_userdomain $1:fifo_file rw_file_perms;
-+ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
- allow unpriv_userdomain $1:process sigchld;
- ')
- 
-@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
- #
- interface(`userdom_search_user_home_content',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
- 
- files_list_home($1)
-- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
--')
--
--########################################
--##
--## Send signull to unprivileged user domains.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_signull_unpriv_users',`
-- gen_require(`
-- attribute unpriv_userdomain;
-- ')
--
-- allow $1 unpriv_userdomain:process signull;
-+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
- type user_devpts_t;
- ')
- 
-- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
-+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to open user ptys.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_open_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ dontaudit $1 user_devpts_t:chr_file open;
- ')
- 
- ########################################
-@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',`
- type user_tmp_t;
- ')
- 
-- allow $1 user_tmp_t:file write_file_perms;
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
- 
- ########################################
- ##
--## Do not audit attempts to use user ttys.
-+## Do not audit attempts to write users
-+## temporary files.
- ##
- ##
- ##
-@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmp_t;
- ')
- 
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tmp_t:file write;
- ')
- 
- ########################################
- ##
--## Read the process state of all user domains.
-+## Do not audit attempts to delete users
-+## temporary files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
- ')
- 
-- read_files_pattern($1, userdomain, userdomain)
-- kernel_search_proc($1)
-+ dontaudit $1 user_tmp_t:file delete_file_perms;
- ')
- 
- ########################################
- ##
--## Get the attributes of all user domains.
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
-+ ')
-+
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to read/write inherited users
-+## fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_inherited_user_pipes',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to use user ttys.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_use_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read the process state of all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_state',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
-+ kernel_search_proc($1)
-+')
-+
-+########################################
-+##
-+## Get the attributes of all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_getattr_all_users',`
-+ gen_require(`
-+ attribute userdomain;
- ')
- 
- allow $1 userdomain:process getattr;
-@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',`
- allow $1 userdomain:process signal;
- ')
- 
-+#######################################
-+##
-+## Send signull to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_signull_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Send kill signals to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_kill_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process sigkill;
-+')
-+
- ########################################
- ##
- ## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',`
- 
- ########################################
- ##
-+## Read keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key read;
-+')
-+
-+########################################
-+##
- ## Create keys for all user domains.
- ##
- ##
-@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',`
- ')
- 
- allow $1 userdomain:dbus send_msg;
-+ ps_process_pattern($1, userdomain)
-+')
-+
-+########################################
-+##
-+## Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_set_rlimitnh',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process rlimitinh;
-+')
-+
-+########################################
-+##
-+## Define this type as a Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`userdom_unpriv_usertype',`
-+ gen_require(`
-+ attribute unpriv_userdomain, userdomain;
-+ attribute $1_usertype;
-+ ')
-+ typeattribute $2 $1_usertype;
-+ typeattribute $2 unpriv_userdomain;
-+ typeattribute $2 userdomain;
-+
-+ auth_use_nsswitch($2)
-+ ubac_constrained($2)
-+')
-+
-+#######################################
-+##
-+## Define this type as a Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`userdom_unpriv_type',`
-+ gen_require(`
-+ attribute unpriv_userdomain, userdomain;
-+ ')
-+ typeattribute $1 unpriv_userdomain;
-+ typeattribute $1 userdomain;
-+
-+ auth_use_nsswitch($1)
-+ ubac_constrained($1)
-+')
-+
-+########################################
-+##
-+## Connect to users over a unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_stream_connect',`
-+ gen_require(`
-+ type user_tmp_t;
-+ attribute userdomain;
-+ ')
-+
-+ stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
-+')
-+
-+########################################
-+##
-+## Ptrace user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_ptrace_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 userdomain:process ptrace;
-+ ')
-+')
-+
-+########################################
-+##
-+## dontaudit Search /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_search_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## dontaudit list /root
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_list_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to list /root
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_list_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow Search /root
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_search_admin_dir',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## RW unpriviledged user SysV sempaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_rw_semaphores',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:sem rw_sem_perms;
- ')
-+
-+########################################
-+##
-+## Send a message to unpriv users over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_dgram_send',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
-+')
-+
-+######################################
-+##
-+## Send a message to users over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_users_dgram_send',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:unix_dgram_socket sendto;
-+')
-+
-+#######################################
-+##
-+## Allow execmod on files in homedirectory
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_execmod_user_home_files',`
-+ gen_require(`
-+ type user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file execmod;
-+')
-+
-+########################################
-+##
-+## Read admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_read_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ read_files_pattern($1, admin_home_t, admin_home_t)
-+')
-+
-+########################################
-+##
-+## Delete admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_delete_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute admin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`userdom_exec_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ exec_files_pattern($1, admin_home_t, admin_home_t)
-+')
-+
-+########################################
-+##
-+## Append files inherited
-+## in the /root directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_inherit_append_admin_home_files',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ allow $1 admin_home_t:file { getattr append };
-+')
-+
-+
-+#######################################
-+##
-+## Manage all files/directories in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+##
-+#
-+interface(`userdom_manage_user_home_content',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-+
-+')
-+
-+######################################
-+##
-+## Manage all dirs in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_home_type_dirs',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+')
-+
-+######################################
-+##
-+## Manage all files in the homedir
-+##
-+##
-+##
-+## The user domain
-+##
-+##
-+#
-+interface(`userdom_manage_all_user_home_type_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_list_home($1)
-+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+')
-+
-+########################################
-+##
-+## Create objects in a user home directory
-+## with an automatic
type transition to
-+## the user home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`userdom_user_home_dir_filetrans_pattern',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ type_transition $1 user_home_dir_t:$2 user_home_t;
-+')
-+
-+########################################
-+##
-+## Create objects in the /root directory
-+## with an automatic type transition to
-+## a specified private type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to create.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`userdom_admin_home_dir_filetrans',`
-+ gen_require(`
-+ type admin_home_t;
-+ ')
-+
-+ filetrans_pattern($1, admin_home_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Send signull to unprivileged user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_signull_unpriv_users',`
-+ gen_require(`
-+ attribute unpriv_userdomain;
-+ ')
-+
-+ allow $1 unpriv_userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Write all users files in /tmp
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_write_user_tmp_dirs',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ write_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+##
-+## Manage keys for all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_manage_all_users_keys',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:key manage_key_perms;
-+')
-+
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unserdomain stream.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_rw_stream',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read and write
-+## unserdomain datagram socket.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_rw_dgram_socket',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ dontaudit $1 userdomain:unix_dgram_socket { read write };
-+')
-+
-+########################################
-+##
-+## Append files
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_append_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ append_files_pattern($1, user_home_t, user_home_t)
-+ allow $1 user_home_dir_t:dir search_dir_perms;
-+ files_search_home($1)
-+')
-+
-+########################################
-+##
-+## Read files inherited
-+## in a user home subdirectory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_inherited_user_home_content_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
-+ allow $1 user_home_type:file { getattr read };
-+')
-+
-+########################################
-+##
-+## Dontaudit Read files inherited from the admin home dir.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`userdom_dontaudit_read_inherited_admin_home_files',`
-+ gen_require(`
-+ attribute admin_home_t;
-+ ')
-+
-+ dontaudit $1 admin_home_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Dontaudit append files inherited from the admin home dir.
-+##
-+##
-+##
-+## Domain to not audit.
-+## -+## -+# -+interface(`userdom_dontaudit_append_inherited_admin_home_file',` -+ gen_require(` -+ attribute admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## -+## Read/Write files inherited -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_inherited_user_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ allow $1 user_home_type:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Append files inherited -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_inherit_append_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ allow $1 user_home_t:file { getattr append }; -+') -+ -+######################################## -+## -+## Append files inherited -+## in a user tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_inherit_append_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file { getattr append }; -+') -+ -+###################################### -+## -+## Read audio files in the users homedir. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_read_home_audio_files',` -+ gen_require(` -+ type audio_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ allow $1 audio_home_t:dir list_dir_perms; -+ read_files_pattern($1, audio_home_t, audio_home_t) -+ read_lnk_files_pattern($1, audio_home_t, audio_home_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to write all user home content files. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`userdom_dontaudit_write_all_user_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:file write_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to write all user tmp content files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_write_all_user_tmp_content_files',` -+ gen_require(` -+ attribute user_tmp_type; -+ ') -+ -+ dontaudit $1 user_tmp_type:file write_inherited_file_perms; -+') -+ -+######################################## -+## -+## Manage all user temporary content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_all_user_tmp_content',` -+ gen_require(` -+ attribute user_tmp_type; -+ ') -+ -+ manage_dirs_pattern($1, user_tmp_type, user_tmp_type) -+ manage_files_pattern($1, user_tmp_type, user_tmp_type) -+ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) -+ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) -+ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## List all user temporary content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_list_all_user_tmp_content',` -+ gen_require(` -+ attribute user_tmp_type; -+ ') -+ -+ list_dirs_pattern($1, user_tmp_type, user_tmp_type) -+ getattr_files_pattern($1, user_tmp_type, user_tmp_type) -+ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) -+ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) -+ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) -+ files_search_var($1) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Manage all user tmpfs content. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_manage_all_user_tmpfs_content',` -+ gen_require(` -+ attribute user_tmpfs_type; -+ ') -+ -+ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) -+ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -+ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -+ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -+ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -+ fs_search_tmpfs($1) -+') -+ -+######################################## -+## -+## Delete all user temporary content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_all_user_tmp_content',` -+ gen_require(` -+ attribute user_tmp_type; -+ ') -+ -+ delete_dirs_pattern($1, user_tmp_type, user_tmp_type) -+ delete_files_pattern($1, user_tmp_type, user_tmp_type) -+ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) -+ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) -+ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) -+ # /var/tmp -+ files_search_var($1) -+ files_delete_tmp_dir_entry($1) -+') -+ -+######################################## -+## -+## Read system SSL certificates in the users homedir. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_home_certs',` -+ gen_require(` -+ attribute userdom_home_reader_certs_type; -+ ') -+ -+ typeattribute $1 userdom_home_reader_certs_type; -+') -+ -+######################################## -+## -+## Manage system SSL certificates in the users homedir. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_manage_home_certs',` -+ gen_require(` -+ type home_cert_t; -+ ') -+ -+ allow $1 home_cert_t:dir list_dir_perms; -+ manage_dirs_pattern($1, home_cert_t, home_cert_t) -+ manage_files_pattern($1, home_cert_t, home_cert_t) -+ manage_lnk_files_pattern($1, home_cert_t, home_cert_t) -+ -+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") -+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") -+ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki") -+ userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert") -+') -+ -+####################################### -+## -+## Dontaudit Write system SSL certificates in the users homedir. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_write_home_certs',` -+ gen_require(` -+ type home_cert_t; -+ ') -+ -+ dontaudit $1 home_cert_t:file write; -+') -+ -+######################################## -+## -+## dontaudit Search getatrr /root files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_getattr_admin_home_files',` -+ gen_require(` -+ type admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:file getattr; -+') -+ -+######################################## -+## -+## dontaudit read /root lnk files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_read_admin_home_lnk_files',` -+ gen_require(` -+ type admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:lnk_file read; -+') -+ -+######################################## -+## -+## dontaudit read /root files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_read_admin_home_files',` -+ gen_require(` -+ type admin_home_t; -+ ') -+ -+ dontaudit $1 admin_home_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary chr files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_manage_user_tmp_chr_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary blk files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_user_tmp_blk_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Dontaudit attempt to set attributes on user temporary directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_setattr_user_tmp',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:dir setattr; -+') -+ -+######################################## -+## -+## Dontaudit attempt to set attributes on user temporary file system files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_setattr_user_tmpfs',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ dontaudit $1 user_tmpfs_t:file setattr; -+') -+ -+######################################## -+## -+## Read all inherited users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_inherited_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## -+## Read/write all inherited users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_inherited_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Write all inherited users files in /tmp -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_write_inherited_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file write; -+') -+ -+######################################## -+## -+## Write all inherited users home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_inherited_user_home_sock_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ allow $1 user_home_type:sock_file write; -+') -+ -+######################################## -+## -+## Delete all users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file delete_file_perms; -+') -+ -+######################################## -+## -+## Delete user tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_user_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ allow $1 user_tmpfs_t:file delete_file_perms; -+') -+ -+######################################## -+## -+## Read/Write unpriviledged user SysV shared -+## memory segments. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_unpriv_user_shared_mem',` -+ gen_require(` -+ attribute unpriv_userdomain; -+ ') -+ -+ allow $1 unpriv_userdomain:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search user -+## temporary directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_search_user_tmp',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Execute a file in a user home directory -+## in the specified domain. -+## -+## -+##

    -+## Execute a file in a user home directory -+## in the specified domain. -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`userdom_domtrans_user_home',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ read_lnk_files_pattern($1, user_home_t, user_home_t) -+ domain_transition_pattern($1, user_home_t, $2) -+ type_transition $1 user_home_t:process $2; -+') -+ -+######################################## -+## -+## Execute a file in a user tmp directory -+## in the specified domain. -+## -+## -+##

    -+## Execute a file in a user tmp directory -+## in the specified domain. -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`userdom_domtrans_user_tmp',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ domain_transition_pattern($1, user_tmp_t, $2) -+ type_transition $1 user_tmp_t:process $2; -+') -+ -+######################################## -+## -+## Do not audit attempts to read all user home content files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_read_all_user_home_content_files',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:file read_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read all user tmp content files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_read_all_user_tmp_content_files',` -+ gen_require(` -+ attribute user_tmp_type; -+ ') -+ -+ dontaudit $1 user_tmp_type:file read_file_perms; -+') -+ -+####################################### -+## -+## Read and write unpriviledged user SysV sempaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_unpriv_user_semaphores',` -+ gen_require(` -+ attribute unpriv_userdomain; -+ ') -+ -+ allow $1 unpriv_userdomain:sem rw_sem_perms; -+') -+ -+######################################## -+## -+## Transition to userdom named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_filetrans_home_content',` -+ gen_require(` -+ attribute userdom_filetrans_type; -+ ') -+ -+ typeattribute $1 userdom_filetrans_type; -+') -+ -+######################################## -+## -+## Make the specified type able to read content in user home dirs -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_home_reader',` -+ gen_require(` -+ attribute userdom_home_reader_type; -+ ') -+ -+ typeattribute $1 userdom_home_reader_type; -+') -+ -+ -+######################################## -+## -+## Make the specified type able to manage content in user home dirs -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_home_manager',` -+ gen_require(` -+ attribute userdom_home_manager_type; -+ ') -+ -+ typeattribute $1 userdom_home_manager_type; -+') -+ -+######################################## -+## -+## Create objects in the temporary filesystem directory -+## with an automatic type transition to -+## the user temporary filesystem type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`userdom_tmpfs_filetrans',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3) -+') -+ -+ -+####################################### -+## -+## Create objects in the temporary filesystem directory -+## with an automatic type transition to -+## the user temporary filesystem type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`userdom_tmpfs_filetrans_to',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) -+') -+ -+###################################### -+## -+## File name transition for generic home content files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_filetrans_generic_home_content',` -+ gen_require(` -+ type home_bin_t; -+ type audio_home_t; -+ type home_cert_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") -+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio") -+ userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music") -+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") -+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") -+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") -+') -+ -+######################################## -+## -+## Allow caller to transition to any userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_transition',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process transition; -+') -+ -+######################################## -+## -+## Do not audit attempts to check the -+## access on user content files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_access_check_user_content',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:dir_file_class_set audit_access; -+') -+ -+####################################### -+## -+## The template containing the most basic rules common to confined admin. -+## -+## -+##

    -+## The template containing the most basic rules common to all users. -+##

    -+##

    -+## This template creates a user domain, types, and -+## rules for the user's tty and pty. -+##

    -+##
    -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+# -+template(`userdom_confined_admin_template',` -+ -+ gen_require(` -+ attribute confined_admindomain; -+ attribute userdomain; -+ type user_devpts_t, user_tty_device_t; -+ class context contains; -+ ') -+ -+ type $1_t, userdomain, confined_admindomain; -+ role $1_r; -+ role $1_r types $1_t; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ ubac_constrained($1_t) -+ -+ auth_use_nsswitch($1_t) -+') -+ -+######################################## -+## -+## Allow user to run as a secadm -+## -+## -+##

    -+## Create objects in a user home directory -+## with an automatic type transition to -+## a specified private type. -+##

    -+##

    -+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role of the object to create. -+## -+## -+# -+template(`userdom_security_admin_template',` -+ allow $1 self:capability { dac_read_search dac_override }; -+ -+ corecmd_exec_shell($1) -+ -+ domain_obj_id_change_exemption($1) -+ -+ dev_relabel_all_dev_nodes($1) -+ -+ files_create_boot_flag($1) -+ files_create_default_dir($1) -+ files_root_filetrans_default($1, dir) -+ -+ # Necessary for managing /boot/efi -+ fs_manage_dos_files($1) -+ -+ mls_process_read_up($1) -+ mls_file_read_all_levels($1) -+ mls_file_upgrade($1) -+ mls_file_downgrade($1) -+ -+ selinux_set_enforce_mode($1) -+ selinux_set_all_booleans($1) -+ selinux_set_parameters($1) -+ selinux_read_policy($1) -+ -+ files_relabel_all_files($1) -+ -+ auth_relabel_shadow($1) -+ -+ init_exec($1) -+ -+ logging_send_syslog_msg($1) -+ logging_read_audit_log($1) -+ logging_read_generic_logs($1) -+ logging_read_audit_config($1) -+ -+ seutil_manage_bin_policy($1) -+ seutil_manage_default_contexts($1) -+ seutil_manage_file_contexts($1) -+ seutil_manage_module_store($1) -+ seutil_manage_config($1) -+ seutil_manage_login_config($1) -+ seutil_run_checkpolicy($1,$2) -+ seutil_run_loadpolicy($1,$2) -+ seutil_run_semanage($1,$2) -+ seutil_run_setsebool($1,$2) -+ seutil_run_setfiles($1, $2) -+ -+ optional_policy(` -+ aide_run($1,$2) -+ ') -+ -+ optional_policy(` -+ consoletype_exec($1) -+ ') -+ -+ optional_policy(` -+ ipsec_run_setkey($1,$2) -+ ') -+ -+ optional_policy(` -+ netlabel_run_mgmt($1,$2) -+ ') -+ -+ optional_policy(` -+ samhain_run($1, $2) -+ ') -+') -+ -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..e0c6eeb 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) - - ## - ##

    --## Allow users to connect to mysql -+## Allow users to connect to the local mysql server - ##

    - ##
    --gen_tunable(allow_user_mysql_connect, false) -+gen_tunable(selinuxuser_mysql_connect_enabled, false) - - ## - ##

    - ## Allow users to connect to PostgreSQL - ##

    - ##
    --gen_tunable(allow_user_postgresql_connect, false) -+gen_tunable(selinuxuser_postgresql_connect_enabled, false) - - ## - ##

    --## Allow regular users direct mouse access --##

    --##
    --gen_tunable(user_direct_mouse, false) -- --## --##

    --## Allow users to read system messages. -+## Allow user to r/w files on filesystems -+## that do not have extended attributes (FAT, CDROM, FLOPPY) - ##

    - ##
    --gen_tunable(user_dmesg, false) -+gen_tunable(selinuxuser_rw_noexattrfile, false) - - ## - ##

    --## Allow user to r/w files on filesystems --## that do not have extended attributes (FAT, CDROM, FLOPPY) -+## Allow user music sharing - ##

    - ##
    --gen_tunable(user_rw_noexattrfile, false) -+gen_tunable(selinuxuser_share_music, false) - - ## - ##

    --## Allow w to display everyone -+## Allow user to use ssh chroot environment. - ##

    - ##
    --gen_tunable(user_ttyfile_stat, false) -+gen_tunable(selinuxuser_use_ssh_chroot, false) - - attribute admindomain; -+attribute login_userdomain; -+attribute confined_admindomain; - - # all user domains - attribute userdomain; -@@ -58,6 +53,24 @@ attribute unpriv_userdomain; - - attribute user_home_content_type; - -+attribute userdom_home_reader_certs_type; -+attribute userdom_home_reader_type; -+attribute userdom_home_manager_type; -+attribute userdom_filetrans_type; -+ -+# unprivileged user domains -+attribute user_home_type; -+attribute user_tmp_type; -+attribute user_tmpfs_type; -+ -+type admin_home_t; -+files_type(admin_home_t) -+files_associate_tmp(admin_home_t) -+fs_associate_tmpfs(admin_home_t) -+files_mountpoint(admin_home_t) -+files_poly_member(admin_home_t) -+files_poly_parent(admin_home_t) -+ - type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; - fs_associate_tmpfs(user_home_dir_t) - files_type(user_home_dir_t) -@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t) - - type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; - typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; -+typeattribute user_home_t user_home_type; - userdom_user_home_content(user_home_t) - fs_associate_tmpfs(user_home_t) - files_associate_tmp(user_home_t) -+files_poly_member(user_home_t) - files_poly_parent(user_home_t) - files_mountpoint(user_home_t) -+ubac_constrained(user_home_t) - - type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; - dev_node(user_devpts_t) - files_type(user_devpts_t) - ubac_constrained(user_devpts_t) - --type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; -+type user_tmp_t, user_tmp_type; -+typealias 
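Review bot: The tunables are renamed in place (`allow_user_mysql_connect` → `selinuxuser_mysql_connect_enabled`, `allow_user_postgresql_connect` → `selinuxuser_postgresql_connect_enabled`, `user_rw_noexattrfile` → `selinuxuser_rw_noexattrfile`) and `user_direct_mouse`, `user_dmesg` and `user_ttyfile_stat` are dropped, with nothing in the hunk that maps the old names to the new ones. Any `tunable_policy` block elsewhere that still references an old name will fail at build time, and a host that had one of the renamed booleans persisted with `setsebool -P` silently falls back to the new default of `false` after the policy update; if the package ships a boolean-substitution file for the old names, this hunk should say so in a comment. The descriptions of the two new tunables are also thin for knobs that widen what unprivileged user domains may do: `selinuxuser_use_ssh_chroot` should at least say which domains it affects, e.g. `## Allow unprivileged user domains to use an ssh chroot environment; leave disabled unless chrooted sftp is in use.`, and `selinuxuser_share_music` should name what is shared and with whom.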
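Review bot: The comment `# unprivileged user domains` above `attribute user_home_type;`, `attribute user_tmp_type;` and `attribute user_tmpfs_type;` is wrong: the following hunk attaches `user_home_t`, `user_tmp_t` and `user_tmpfs_t` to them, so they group user-owned file types, not domains, and a reader scoping a rule such as `allow $1 user_home_type:file rw_inherited_file_perms` needs to know that. Suggest `# attributes grouping user-owned file types (home content, /tmp, tmpfs), not domains`, and a one-line comment on each of the four `userdom_home_reader_certs_type` / `userdom_home_reader_type` / `userdom_home_manager_type` / `userdom_filetrans_type` attributes, which currently carry no description although they are what the `userdom_home_reader`, `userdom_home_manager` and `userdom_filetrans_home_content` interfaces hand out. Separately, `admin_home_t` is declared with `files_associate_tmp`, `fs_associate_tmpfs`, `files_mountpoint` and the poly-instantiation attributes but, unlike `user_home_dir_t` (whose `ubac_constrained` appears as this hunk's following context), without `ubac_constrained`; if leaving /root content outside the UBAC constraint is deliberate, a short comment stating why would stop the next reviewer from "fixing" it.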
user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; - typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; - files_tmp_file(user_tmp_t) - userdom_user_home_content(user_tmp_t) -+files_poly_parent(user_tmp_t) -+files_mountpoint(user_tmp_t) - --type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; -+type user_tmpfs_t, user_tmpfs_type; -+typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; - files_tmpfs_file(user_tmpfs_t) - userdom_user_home_content(user_tmpfs_t) - - type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; - dev_node(user_tty_device_t) - ubac_constrained(user_tty_device_t) -+ -+type audio_home_t; -+userdom_user_home_content(audio_home_t) -+ubac_constrained(audio_home_t) -+ -+type home_bin_t; -+userdom_user_home_content(home_bin_t) -+ubac_constrained(home_bin_t) -+ -+type home_cert_t; -+miscfiles_cert_type(home_cert_t) -+userdom_user_home_content(home_cert_t) -+ubac_constrained(home_cert_t) -+ -+tunable_policy(`login_console_enabled',` -+ term_use_console(userdomain) -+') -+ -+allow userdomain userdomain:process signull; -+allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; -+ -+# Nautilus causes this avc -+domain_dontaudit_access_check(unpriv_userdomain) -+dontaudit unpriv_userdomain self:dir setattr; -+allow unpriv_userdomain self:key manage_key_perms; -+ -+optional_policy(` -+ alsa_read_rw_config(unpriv_userdomain) -+ alsa_manage_home_files(unpriv_userdomain) -+ alsa_relabel_home_files(unpriv_userdomain) -+') -+ -+optional_policy(` -+ gssproxy_stream_connect(userdomain) -+') -+ -+optional_policy(` -+ 
gnome_filetrans_home_content(userdomain) -+') -+ -+optional_policy(` -+ locallogin_filetrans_home_content(userdomain) -+') -+ -+optional_policy(` -+ ssh_filetrans_home_content(userdomain) -+ ssh_rw_tcp_sockets(userdomain) -+') -+ -+optional_policy(` -+ telepathy_filetrans_home_content(userdomain) -+') -+ -+optional_policy(` -+ xserver_filetrans_home_content(userdomain) -+') -+ -+ -+# rules for types which can read home certs -+allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; -+read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) -+read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) -+userdom_search_user_home_content(userdom_home_reader_certs_type) -+ -+tunable_policy(`use_ecryptfs_home_dirs',` -+ fs_read_ecryptfs_files(userdom_home_reader_certs_type) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(userdom_home_reader_type) -+ fs_read_nfs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_read_fusefs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_ecryptfs_home_dirs',` -+ fs_read_ecryptfs_files(userdom_home_reader_type) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(userdom_home_manager_type) -+ fs_manage_nfs_dirs(userdom_home_manager_type) -+ fs_manage_nfs_files(userdom_home_manager_type) -+ fs_manage_nfs_symlinks(userdom_home_manager_type) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(userdom_home_manager_type) -+ fs_manage_cifs_files(userdom_home_manager_type) -+ fs_manage_cifs_symlinks(userdom_home_manager_type) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_manage_fusefs_dirs(userdom_home_manager_type) -+ fs_manage_fusefs_files(userdom_home_manager_type) -+ fs_manage_fusefs_symlinks(userdom_home_manager_type) -+') -+ 
-+tunable_policy(`use_ecryptfs_home_dirs',` -+ fs_manage_ecryptfs_dirs(userdom_home_manager_type) -+ fs_manage_ecryptfs_files(userdom_home_manager_type) -+') -+# vi /etc/mtab can cause an avc trying to relabel to self. -+dontaudit userdomain self:file relabelto; -+ -+userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file }) -+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin") -+userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio") -+userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music") -+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert") -+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki") -+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") -+ -+optional_policy(` -+ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") -+ #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin") -+') -+ -+optional_policy(` -+ alsa_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ apache_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ auth_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ gnome_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ gpg_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ irc_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ kerberos_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ mozilla_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ mta_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ pulseaudio_filetrans_home_content(userdom_filetrans_type) -+') -+ -+optional_policy(` -+ 
spamassassin_filetrans_home_content(userdom_filetrans_type)
-+ spamassassin_filetrans_admin_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(userdom_filetrans_type)
-+ ssh_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ telepathy_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ thumb_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ tvtime_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ virt_filetrans_home_content(userdom_filetrans_type)
-+')
-+
-+optional_policy(`
-+ xserver_filetrans_home_content(userdom_filetrans_type)
-+ xserver_filetrans_admin_home_content(userdom_filetrans_type)
-+')
-+
-+############################################################
-+# Local Policy Confined Admin
-+#
-+gen_require(`
-+ class context contains;
-+')
-+
-+corecmd_shell_entry_type(confined_admindomain)
-+corecmd_bin_entry_type(confined_admindomain)
-+
-+term_user_pty(confined_admindomain, user_devpts_t)
-+term_user_tty(confined_admindomain, user_tty_device_t)
-+term_dontaudit_getattr_generic_ptys(confined_admindomain)
-+
-+allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
-+tunable_policy(`deny_ptrace',`',`
-+ allow confined_admindomain self:process ptrace;
-+')
-+allow confined_admindomain self:fd use;
-+allow confined_admindomain self:key manage_key_perms;
-+
-+allow confined_admindomain self:fifo_file rw_fifo_file_perms;
-+allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto };
-+allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow confined_admindomain self:shm create_shm_perms;
-+allow confined_admindomain self:sem create_sem_perms;
-+allow confined_admindomain self:msgq create_msgq_perms;
-+allow confined_admindomain self:msg { send receive };
-+allow
confined_admindomain self:context contains;
-+dontaudit confined_admindomain self:socket create;
-+
-+allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
-+term_create_pty(confined_admindomain, user_devpts_t)
-+# avoid annoying messages on terminal hangup on role change
-+dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
-+
-+allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+# avoid annoying messages on terminal hangup on role change
-+dontaudit confined_admindomain user_tty_device_t:chr_file ioctl;
-+
-+application_exec_all(confined_admindomain)
-+
-+kernel_read_kernel_sysctls(confined_admindomain)
-+kernel_read_all_sysctls(confined_admindomain)
-+kernel_dontaudit_list_unlabeled(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_files(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain)
-+kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain)
-+kernel_dontaudit_list_proc(confined_admindomain)
-+
-+dev_dontaudit_getattr_all_blk_files(confined_admindomain)
-+dev_dontaudit_getattr_all_chr_files(confined_admindomain)
-+dev_getattr_mtrr_dev(confined_admindomain)
-+
-+# When the user domain runs ps, there will be a number of access
-+# denials when ps tries to search /proc. Do not audit these denials.
-+domain_dontaudit_read_all_domains_state(confined_admindomain)
-+domain_dontaudit_getattr_all_domains(confined_admindomain)
-+domain_dontaudit_getsession_all_domains(confined_admindomain)
-+dev_dontaudit_all_access_check(confined_admindomain)
-+
-+files_read_etc_files(confined_admindomain)
-+files_list_mnt(confined_admindomain)
-+files_list_var(confined_admindomain)
-+files_read_mnt_files(confined_admindomain)
-+files_dontaudit_all_access_check(confined_admindomain)
-+files_read_etc_runtime_files(confined_admindomain)
-+files_read_usr_files(confined_admindomain)
-+files_read_usr_src_files(confined_admindomain)
-+# Read directories and files with the readable_t type.
-+# This type is a general type for "world"-readable files.
-+files_list_world_readable(confined_admindomain)
-+files_read_world_readable_files(confined_admindomain)
-+files_read_world_readable_symlinks(confined_admindomain)
-+files_read_world_readable_pipes(confined_admindomain)
-+files_read_world_readable_sockets(confined_admindomain)
-+# old broswer_domain():
-+files_dontaudit_getattr_all_dirs(confined_admindomain)
-+files_dontaudit_list_non_security(confined_admindomain)
-+files_dontaudit_getattr_all_files(confined_admindomain)
-+files_dontaudit_getattr_non_security_symlinks(confined_admindomain)
-+files_dontaudit_getattr_non_security_pipes(confined_admindomain)
-+files_dontaudit_getattr_non_security_sockets(confined_admindomain)
-+files_dontaudit_setattr_etc_runtime_files(confined_admindomain)
-+
-+files_exec_usr_files(confined_admindomain)
-+
-+fs_list_cgroup_dirs(confined_admindomain)
-+fs_dontaudit_rw_cgroup_files(confined_admindomain)
-+
-+storage_rw_fuse(confined_admindomain)
-+
-+init_stream_connect(confined_admindomain)
-+# The library functions always try to open read-write first,
-+# then fall back to read-only if it fails.
-+init_dontaudit_rw_utmp(confined_admindomain)
-+
-+libs_exec_ld_so(confined_admindomain)
-+
-+miscfiles_read_generic_certs(confined_admindomain)
-+
-+miscfiles_read_all_certs(confined_admindomain)
-+miscfiles_read_public_files(confined_admindomain)
-+
-+systemd_dbus_chat_logind(confined_admindomain)
-+systemd_read_logind_sessions_files(confined_admindomain)
-+systemd_write_inhibit_pipes(confined_admindomain)
-+systemd_write_inherited_logind_sessions_pipes(confined_admindomain)
-+systemd_login_read_pid_files(confined_admindomain)
-+tunable_policy(`deny_execmem',`', `
-+ # Allow loading DSOs that require executable stack.
-+ allow confined_admindomain self:process execmem;
-+')
-+
-+tunable_policy(`selinuxuser_execstack',`
-+ # Allow making the stack executable via mprotect.
-+ allow confined_admindomain self:process execstack;
-+')
-+
-+optional_policy(`
-+ fs_list_cgroup_dirs(confined_admindomain)
-+')
-+
-+optional_policy(`
-+ ssh_rw_stream_sockets(confined_admindomain)
-+ ssh_delete_tmp(confined_admindomain)
-+ ssh_signal(confined_admindomain)
-+')
-diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index e79d545..101086d 100644
---- a/policy/support/misc_patterns.spt
-+++ b/policy/support/misc_patterns.spt
-@@ -4,7 +4,7 @@
- define(`domain_transition_pattern',`
- allow $1 $2:file { getattr open read execute };
- allow $1 $3:process transition;
-- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-+# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
- ')
- 
- # compatibility:
-@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
- domain_transition_pattern($1,$2,$3)
- 
- allow $3 $1:fd use;
-- allow $3 $1:fifo_file rw_fifo_file_perms;
-+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
- allow $3 $1:process sigchld;
- ')
- 
-@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
- domain_auto_transition_pattern($1,$2,$3)
- 
- allow $3 $1:fd use;
-- allow $3 $1:fifo_file rw_fifo_file_perms;
-+ allow $3 $1:fifo_file
rw_inherited_fifo_file_perms;
- allow $3 $1:process sigchld;
- ')
- 
-diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..260ea6c 100644
---- a/policy/support/obj_perm_sets.spt
-+++ b/policy/support/obj_perm_sets.spt
-@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
- #
- # All socket classes.
- #
--define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
--
-+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
- 
- #
- # Datagram socket classes.
-@@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
- #
- # Permissions for using sockets.
- #
--define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
- 
- #
- # Permissions for creating and using sockets.
-@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
- #
- define(`getattr_file_perms',`{ getattr }')
- define(`setattr_file_perms',`{ setattr }')
--define(`read_file_perms',`{ getattr open read lock ioctl }')
-+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
-+define(`read_file_perms',`{ open read_inherited_file_perms }')
- define(`mmap_file_perms',`{ getattr open read execute ioctl }')
- define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
--define(`append_file_perms',`{ getattr open append lock ioctl }')
--define(`write_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`append_inherited_file_perms',`{ getattr append }')
-+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
-+define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
-+define(`write_file_perms',`{ open write_inherited_file_perms }')
-+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
- define(`create_file_perms',`{ getattr create open }')
- define(`rename_file_perms',`{ getattr rename }')
- define(`delete_file_perms',`{ getattr unlink }')
-@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
- define(`create_lnk_file_perms',`{ create getattr }')
- define(`rename_lnk_file_perms',`{ getattr rename }')
- define(`delete_lnk_file_perms',`{ getattr unlink }')
--define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
-+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
- define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
- define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
- define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -192,7 +195,8 @@
define(`setattr_fifo_file_perms',`{ setattr }')
- define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
- define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
- define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
- define(`create_fifo_file_perms',`{ getattr create open }')
- define(`rename_fifo_file_perms',`{ getattr rename }')
- define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
- define(`setattr_sock_file_perms',`{ setattr }')
- define(`read_sock_file_perms',`{ getattr open read }')
- define(`write_sock_file_perms',`{ getattr write open append }')
--define(`rw_sock_file_perms',`{ getattr open read write append }')
-+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
-+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
- define(`create_sock_file_perms',`{ getattr create open }')
- define(`rename_sock_file_perms',`{ getattr rename }')
- define(`delete_sock_file_perms',`{ getattr unlink }')
-@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
- define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
- define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
- define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
- define(`create_blk_file_perms',`{ getattr create }')
- define(`rename_blk_file_perms',`{ getattr rename }')
- define(`delete_blk_file_perms',`{ getattr unlink }')
-@@ -242,7 +248,8 @@
define(`setattr_chr_file_perms',`{ setattr }')
- define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
- define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
- define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
--define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
-+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
-+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
- define(`create_chr_file_perms',`{ getattr create }')
- define(`rename_chr_file_perms',`{ getattr rename }')
- define(`delete_chr_file_perms',`{ getattr unlink }')
-@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
- #
- # Use (read and write) terminals
- #
--define(`rw_term_perms', `{ getattr open read write append ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
-+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
- 
- #
- # Sockets
-@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
- # Keys
- #
- define(`manage_key_perms', `{ create link read search setattr view write } ')
-+
-+#
-+# Service
-+#
-+define(`manage_service_perms', `{ start stop status reload } ')
-diff --git a/policy/users b/policy/users
-index c4ebc7e..30d6d7a 100644
---- a/policy/users
-+++ b/policy/users
-@@ -15,7 +15,7 @@
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- 
- #
- # user_u is a generic user identity for Linux users who have no
-@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
--gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
--
--# Until order dependence is fixed for users:
--gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
- 
- #
- # The following users correspond to Unix identities.
-@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --git a/support/Makefile.devel b/support/Makefile.devel
-index b96e9b3..ff7340f 100644
---- a/support/Makefile.devel
-+++ b/support/Makefile.devel
-@@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint
- # set default build options if missing
- TYPE ?= standard
- DIRECT_INITRC ?= n
--POLY ?= n
- QUIET ?= y
- 
- genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
deleted file mode 100644
index 9d9f59d..0000000
--- a/policy-rawhide-contrib.patch
+++ /dev/null
@@ -1,100770 +0,0 @@
-diff --git a/abrt.fc b/abrt.fc
-index e4f84de..2ed712d 100644
---- a/abrt.fc
-+++ b/abrt.fc
-@@ -1,30 +1,42 @@
--/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
--/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
- 
--/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
--/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
--/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-+
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
-+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
-+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
-+
-+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
- 
--/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
- /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
--/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
- 
--/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
--/usr/sbin/abrt-dbus --
gen_context(system_u:object_r:abrt_exec_t,s0)
-+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+
-+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-+
-+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
- 
--/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
--/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
- 
--/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-+# ABRT retrace server
-+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
- 
--/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
--/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
--/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
--/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
- 
--/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
--/var/spool/abrt-retrace(/.*)?
gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
--/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+# cjp: new version
-+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-di-git a/abrt.if b/abrt.if
-index 058d908..702b716 100644
---- a/abrt.if
-+++ b/abrt.if
-@@ -1,4 +1,26 @@
--## Automated bug-reporting tool.
-+## ABRT - automated bug-reporting tool
-+
-+######################################
-+##
-+## Creates types and rules for a basic
-+## ABRT daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`abrt_basic_types_template',`
-+ gen_require(`
-+ attribute abrt_domain;
-+ ')
-+
-+ type $1_t, abrt_domain;
-+ type $1_exec_t;
-+
-+ kernel_read_system_state($1_t)
-+')
- 
- ######################################
- ##
-@@ -40,7 +62,7 @@ interface(`abrt_exec',`
- 
- ########################################
- ##
--## Send null signals to abrt.
-+## Send a null signal to abrt.
- ##
- ##
- ##
-@@ -58,7 +80,7 @@ interface(`abrt_signull',`
- 
- ########################################
- ##
--## Read process state of abrt.
-+## Allow the domain to read abrt state files in /proc.
- ##
- ##
- ##
-@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
- type abrt_t;
- ')
- 
-+ kernel_search_proc($1)
- ps_process_pattern($1, abrt_t)
- ')
- 
- ########################################
- ##
--## Connect to abrt over an unix stream socket.
-+## Connect to abrt over a unix stream socket.
- ##
- ##
- ##
-@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
- 
- #####################################
- ##
--## Execute abrt-helper in the abrt
--## helper domain.
-+## Execute abrt-helper in the abrt-helper domain.
- ##
- ##
- ##
-@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
- type abrt_helper_t, abrt_helper_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
- ')
- 
- ########################################
- ##
--## Execute abrt helper in the abrt
--## helper domain, and allow the
--## specified role the abrt helper domain.
-+## Execute abrt helper in the abrt_helper domain, and
-+## allow the specified role the abrt_helper domain.
- ##
- ##
- ##
-@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
- #
- interface(`abrt_run_helper',`
- gen_require(`
-- attribute_role abrt_helper_roles;
-+ type abrt_helper_t;
- ')
- 
- abrt_domtrans_helper($1)
-- roleattribute $2 abrt_helper_roles;
-+ role $2 types abrt_helper_t;
-+')
-+
-+########################################
-+##
-+## Read abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## abrt cache files.
-+## Append abrt cache
- ##
- ##
- ##
-@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
- ##
- ##
- #
--interface(`abrt_cache_manage',`
-- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
-- abrt_manage_cache($1)
-+interface(`abrt_append_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## abrt cache content.
-+## Read/Write inherited abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_inherited_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Manage abrt cache
- ##
- ##
- ##
-@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
- type abrt_var_cache_t;
- ')
- 
-- files_search_var($1)
- manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
- 
- ####################################
- ##
--## Read abrt configuration files.
-+## Read abrt configuration file.
- ##
- ##
- ##
-@@ -220,7 +279,7 @@ interface(`abrt_read_config',`
- 
- ######################################
- ##
--## Read abrt log files.
-+## Read abrt logs.
- ##
- ##
- ##
-@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',`
- 
- ######################################
- ##
--## Create, read, write, and delete
--## abrt PID files.
-+## Create, read, write, and delete abrt PID files.
- ##
- ##
- ##
-@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',`
- manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
- ')
- 
-+########################################
-+##
-+## Read and write abrt fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_fifo_file',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+
-+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute abrt server in the abrt domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_systemctl',`
-+ gen_require(`
-+ type abrt_t;
-+ type abrt_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 abrt_unit_file_t:file manage_file_perms;
-+ allow $1 abrt_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, abrt_t)
-+')
-+
- #####################################
- ##
--## All of the rules required to
--## administrate an abrt environment,
-+## All of the rules required to administrate
-+## an abrt environment
- ##
- ##
- ##
-@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the abrt domain.
- ##
- ##
- ##
- #
- interface(`abrt_admin',`
- gen_require(`
-- attribute abrt_domain;
-- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
-- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
-- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
-+ type abrt_t, abrt_etc_t;
-+ type abrt_var_cache_t, abrt_var_log_t;
-+ type abrt_var_run_t, abrt_tmp_t;
-+ type abrt_initrc_exec_t;
-+ type abrt_unit_file_t;
- ')
- 
-- allow $1 abrt_domain:process { ptrace signal_perms };
-- ps_process_pattern($1, abrt_domain)
-+ allow $1 abrt_t:process { signal_perms };
-+ ps_process_pattern($1, abrt_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 abrt_t:process ptrace;
-+ ')
- 
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
- 
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, abrt_etc_t)
- 
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, abrt_var_log_t)
- 
-- files_search_var($1)
-- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
-+ files_list_var($1)
-+ admin_pattern($1, abrt_var_cache_t)
- 
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, abrt_var_run_t)
- 
-- files_search_tmp($1)
-+ files_list_tmp($1)
- 
admin_pattern($1, abrt_tmp_t)
-+
-+ abrt_systemctl($1)
-+ admin_pattern($1, abrt_unit_file_t)
-+ allow $1 abrt_unit_file_t:service all_service_perms;
-+')
-+
-+####################################
-+##
-+## Execute abrt-retrace in the abrt-retrace domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`abrt_domtrans_retrace_worker',`
-+ gen_require(`
-+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
-+')
-+
-+######################################
-+##
-+## Manage abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_manage_spool_retrace',`
-+ gen_require(`
-+ type abrt_retrace_spool_t;
-+ ')
-+
-+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
-+
-+#####################################
-+##
-+## Read abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_spool_retrace',`
-+ gen_require(`
-+ type abrt_retrace_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
-+
-+
-+#####################################
-+##
-+## Read abrt retrace server cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_read_cache_retrace',`
-+ gen_require(`
-+ type abrt_retrace_cache_t;
-+ ')
-+
-+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to write abrt sock files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`abrt_dontaudit_write_sock_file',`
-+ gen_require(`
-+ type abrt_t;
-+ ')
-+
-+ dontaudit $1 abrt_t:sock_file write;
-+')
-+
-+########################################
-+##
-+## Transition to abrt named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_filetrans_named_content',`
-+ gen_require(`
-+ type abrt_tmp_t;
-+ type abrt_etc_t;
-+ type abrt_var_cache_t;
-+ type abrt_var_run_t;
-+ ')
-+
-+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
-+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
-+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
-+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
-+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
-+')
-+
-diff --git a/abrt.te b/abrt.te
-index cc43d25..924daba 100644
---- a/abrt.te
-+++ b/abrt.te
-@@ -1,4 +1,4 @@
--policy_module(abrt, 1.3.4)
-+policy_module(abrt, 1.2.0)
- 
- ########################################
- #
-@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
- #
- 
- ##
---##

    --## Determine whether ABRT can modify
--## public files used for public file
--## transfer services.
--##

    -+##

    -+## Allow ABRT to modify public files
-+## used for public file transfer services.
-+##

    - ##
    - gen_tunable(abrt_anon_write, false)
- 
- ##
--##

    --## Determine whether ABRT can run in
--## the abrt_handle_event_t domain to
--## handle ABRT event scripts.
--##

    -+##

    -+## Allow abrt-handle-upload to modify public files
-+## used for public file transfer services in /var/spool/abrt-upload/.
-+##

    -+##
    -+gen_tunable(abrt_upload_watch_anon_write, true)
-+
-+##
-+##

    -+## Allow ABRT to run in abrt_handle_event_t domain
-+## to handle ABRT event scripts
-+##

    - ##
    - gen_tunable(abrt_handle_event, false) - - attribute abrt_domain; - --attribute_role abrt_helper_roles; --roleattribute system_r abrt_helper_roles; -- --type abrt_t, abrt_domain; --type abrt_exec_t; -+abrt_basic_types_template(abrt) - init_daemon_domain(abrt_t, abrt_exec_t) - - type abrt_initrc_exec_t; - init_script_file(abrt_initrc_exec_t) - -+type abrt_unit_file_t; -+systemd_unit_file(abrt_unit_file_t) -+ -+# etc files - type abrt_etc_t; - files_config_file(abrt_etc_t) - -+# log files - type abrt_var_log_t; - logging_log_file(abrt_var_log_t) - - type abrt_tmp_t; - files_tmp_file(abrt_tmp_t) - -+# var/cache files - type abrt_var_cache_t; - files_type(abrt_var_cache_t) -+files_tmp_file(abrt_var_cache_t) -+userdom_user_tmp_content(abrt_var_cache_t) - -+# pid files - type abrt_var_run_t; - files_pid_file(abrt_var_run_t) - --type abrt_dump_oops_t, abrt_domain; --type abrt_dump_oops_exec_t; -+abrt_basic_types_template(abrt_dump_oops) - init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) - --type abrt_handle_event_t, abrt_domain; --type abrt_handle_event_exec_t; --domain_type(abrt_handle_event_t) --domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t) -+# type for abrt-handle-event to handle -+# ABRT event scripts -+abrt_basic_types_template(abrt_handle_event) -+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) - role system_r types abrt_handle_event_t; - --type abrt_helper_t, abrt_domain; --type abrt_helper_exec_t; -+# type needed to allow all domains -+# to handle /var/cache/abrt -+# type needed to allow all domains -+# to handle /var/cache/abrt -+abrt_basic_types_template(abrt_helper) - application_domain(abrt_helper_t, abrt_helper_exec_t) --role abrt_helper_roles types abrt_helper_t; -+role system_r types abrt_helper_t; - --type abrt_retrace_coredump_t, abrt_domain; --type abrt_retrace_coredump_exec_t; --domain_type(abrt_retrace_coredump_t) --domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) --role 
system_r types abrt_retrace_coredump_t; -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -+') -+ -+# -+# Support for ABRT retrace server - --type abrt_retrace_worker_t, abrt_domain; --type abrt_retrace_worker_exec_t; --domain_type(abrt_retrace_worker_t) --domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) -+# -+abrt_basic_types_template(abrt_retrace_worker) -+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) - role system_r types abrt_retrace_worker_t; - -+abrt_basic_types_template(abrt_retrace_coredump) -+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) -+role system_r types abrt_retrace_coredump_t; -+ - type abrt_retrace_cache_t; - files_type(abrt_retrace_cache_t) - - type abrt_retrace_spool_t; --files_type(abrt_retrace_spool_t) -+files_spool_file(abrt_retrace_spool_t) - --type abrt_watch_log_t, abrt_domain; --type abrt_watch_log_exec_t; -+# Support abrt-watch log -+abrt_basic_types_template(abrt_watch_log) - init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) - --ifdef(`enable_mcs',` -- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) --') -+# Support for abrt-upload-watch -+abrt_basic_types_template(abrt_upload_watch) -+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) -+ -+type abrt_upload_watch_tmp_t; -+files_tmp_file(abrt_upload_watch_tmp_t) - - ######################################## - # --# Local policy -+# abrt local policy - # - --allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; --dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; -+dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; - allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; -+ - allow abrt_t self:fifo_file rw_fifo_file_perms; --allow abrt_t 
self:tcp_socket { accept listen }; -+allow abrt_t self:tcp_socket create_stream_socket_perms; -+allow abrt_t self:udp_socket create_socket_perms; -+allow abrt_t self:unix_dgram_socket create_socket_perms; -+allow abrt_t self:netlink_route_socket r_netlink_socket_perms; - --allow abrt_t abrt_etc_t:dir list_dir_perms; -+# abrt etc files -+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - -+# log file - manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) - logging_log_filetrans(abrt_t, abrt_var_log_t, file) - -@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) - manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) - manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) - files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) -+can_exec(abrt_t, abrt_tmp_t) - -+# abrt var/cache files - manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) - manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) - manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) - files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) - files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) -+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") - -+# abrt pid files - manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) - manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) - manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) - manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) - files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) - --can_exec(abrt_t, abrt_tmp_t) -+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) -+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) -+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) - - kernel_read_ring_buffer(abrt_t) --kernel_read_system_state(abrt_t) -+kernel_read_network_state(abrt_t) - 
kernel_request_load_module(abrt_t) - kernel_rw_kernel_sysctl(abrt_t) - -@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t) - corecmd_read_all_executables(abrt_t) - - corenet_all_recvfrom_netlabel(abrt_t) --corenet_all_recvfrom_unlabeled(abrt_t) - corenet_tcp_sendrecv_generic_if(abrt_t) - corenet_tcp_sendrecv_generic_node(abrt_t) --corenet_tcp_sendrecv_all_ports(abrt_t) -+corenet_tcp_sendrecv_generic_port(abrt_t) - corenet_tcp_bind_generic_node(abrt_t) -- --corenet_sendrecv_all_client_packets(abrt_t) - corenet_tcp_connect_http_port(abrt_t) - corenet_tcp_connect_ftp_port(abrt_t) - corenet_tcp_connect_all_ports(abrt_t) -+corenet_sendrecv_http_client_packets(abrt_t) - - dev_getattr_all_chr_files(abrt_t) - dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t) - files_read_config_files(abrt_t) - files_read_etc_runtime_files(abrt_t) - files_read_var_symlinks(abrt_t) --files_read_usr_files(abrt_t) -+files_read_var_lib_files(abrt_t) -+files_read_generic_tmp_files(abrt_t) - files_read_kernel_modules(abrt_t) -+files_dontaudit_list_default(abrt_t) - files_dontaudit_read_default_files(abrt_t) - files_dontaudit_read_all_symlinks(abrt_t) - files_dontaudit_getattr_all_sockets(abrt_t) - files_list_mnt(abrt_t) -+fs_list_all(abrt_t) - -+fs_list_inotifyfs(abrt_t) - fs_getattr_all_fs(abrt_t) - fs_getattr_all_dirs(abrt_t) --fs_list_inotifyfs(abrt_t) - fs_read_fusefs_files(abrt_t) - fs_read_noxattr_fs_files(abrt_t) - fs_read_nfs_files(abrt_t) - fs_read_nfs_symlinks(abrt_t) - fs_search_all(abrt_t) - -+logging_read_generic_logs(abrt_t) -+logging_send_syslog_msg(abrt_t) -+ - auth_use_nsswitch(abrt_t) - --logging_read_generic_logs(abrt_t) -+init_read_utmp(abrt_t) - -+miscfiles_read_generic_certs(abrt_t) - miscfiles_read_public_files(abrt_t) - - userdom_dontaudit_read_user_home_content_files(abrt_t) -+userdom_dontaudit_read_admin_home_files(abrt_t) - - tunable_policy(`abrt_anon_write',` - miscfiles_manage_public_files(abrt_t) -@@ -193,15 +231,11 @@ 
tunable_policy(`abrt_anon_write',` - - optional_policy(` - apache_list_modules(abrt_t) -- apache_read_module_files(abrt_t) -+ apache_read_modules(abrt_t) - ') - - optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) -- -- optional_policy(` -- policykit_dbus_chat(abrt_t) -- ') - ') - - optional_policy(` -@@ -209,6 +243,16 @@ optional_policy(` - ') - - optional_policy(` -+ kdump_read_crash(abrt_t) -+') -+ -+optional_policy(` -+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) -+ mozilla_plugin_read_rw_files(abrt_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(abrt_t) - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) - policykit_read_reload(abrt_t) -@@ -220,6 +264,7 @@ optional_policy(` - corecmd_exec_all_executables(abrt_t) - ') - -+# to install debuginfo packages - optional_policy(` - rpm_exec(abrt_t) - rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +275,7 @@ optional_policy(` - rpm_signull(abrt_t) - ') - -+# to run mailx plugin - optional_policy(` - sendmail_domtrans(abrt_t) - ') -@@ -240,9 +286,17 @@ optional_policy(` - sosreport_delete_tmp_files(abrt_t) - ') - -+optional_policy(` -+ sssd_stream_connect(abrt_t) -+') -+ -+optional_policy(` -+ xserver_read_log(abrt_t) -+') -+ - ####################################### - # --# Handle-event local policy -+# abrt-handle-event local policy - # - - allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',` - can_exec(abrt_t, abrt_handle_event_exec_t) - ') - -+optional_policy(` -+ unconfined_domain(abrt_handle_event_t) -+') -+ - ######################################## - # --# Helper local policy -+# abrt--helper local policy - # - - allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) - manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) - manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) - 
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) -+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt") - - read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) - read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t) - - domain_read_all_domains_state(abrt_helper_t) - -+files_dontaudit_all_non_security_leaks(abrt_helper_t) -+ - fs_list_inotifyfs(abrt_helper_t) - fs_getattr_all_fs(abrt_helper_t) - - auth_use_nsswitch(abrt_helper_t) - -+logging_send_syslog_msg(abrt_helper_t) -+ - term_dontaudit_use_all_ttys(abrt_helper_t) - term_dontaudit_use_all_ptys(abrt_helper_t) - - ifdef(`hide_broken_symptoms',` -+ domain_dontaudit_leaks(abrt_helper_t) - userdom_dontaudit_read_user_home_content_files(abrt_helper_t) - userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',` - dev_dontaudit_write_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_blk_files(abrt_helper_t) - fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) -+ -+ optional_policy(` -+ rpm_dontaudit_leaks(abrt_helper_t) -+ ') -+') -+ -+ifdef(`hide_broken_symptoms',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow abrt_t self:capability sys_resource; -+ allow abrt_t domain:file write; -+ allow abrt_t domain:process setrlimit; - ') - - ####################################### - # --# Retrace coredump policy -+# abrt retrace coredump policy - # - - allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) - - dev_read_urand(abrt_retrace_coredump_t) - --files_read_usr_files(abrt_retrace_coredump_t) -+ -+logging_send_syslog_msg(abrt_retrace_coredump_t) - - sysnet_dns_name_resolve(abrt_retrace_coredump_t) - -+# to install debuginfo packages - optional_policy(` - rpm_exec(abrt_retrace_coredump_t) - 
rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +410,11 @@ optional_policy(` - - ####################################### - # --# Retrace worker policy -+# abrt retrace worker policy - # - --allow abrt_retrace_worker_t self:capability setuid; -+allow abrt_retrace_worker_t self:capability { setuid }; -+ - allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; - - domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) - - dev_read_urand(abrt_retrace_worker_t) - --files_read_usr_files(abrt_retrace_worker_t) -+ -+logging_send_syslog_msg(abrt_retrace_worker_t) - - sysnet_dns_name_resolve(abrt_retrace_worker_t) - -+optional_policy(` -+ mock_domtrans(abrt_retrace_worker_t) -+ mock_manage_lib_files(abrt_t) -+') -+ - ######################################## - # --# Dump oops local policy -+# abrt_dump_oops local policy - # - - allow abrt_dump_oops_t self:capability dac_override; - allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; --allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; -+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; - - files_search_spool(abrt_dump_oops_t) - manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) - manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) - manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) - files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) -+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt") - - read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) - read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) - - read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) - -+kernel_read_debugfs(abrt_dump_oops_t) - kernel_read_kernel_sysctls(abrt_dump_oops_t) - kernel_read_ring_buffer(abrt_dump_oops_t) - - 
domain_use_interactive_fds(abrt_dump_oops_t) - - fs_list_inotifyfs(abrt_dump_oops_t) -+fs_list_pstorefs(abrt_dump_oops_t) - - logging_read_generic_logs(abrt_dump_oops_t) -+logging_send_syslog_msg(abrt_dump_oops_t) - - ####################################### - # --# Watch log local policy -+# abrt_watch_log local policy - # - - allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; --allow abrt_watch_log_t self:unix_stream_socket { accept listen }; -+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms; - - read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) - -@@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) - corecmd_exec_bin(abrt_watch_log_t) - - logging_read_all_logs(abrt_watch_log_t) -+logging_send_syslog_msg(abrt_watch_log_t) -+ -+#optional_policy(` -+# unconfined_domain(abrt_watch_log_t) -+#') - - ####################################### - # --# Global local policy -+# abrt-upload-watch local policy - # - --kernel_read_system_state(abrt_domain) -+allow abrt_upload_watch_t self:capability dac_override; - --files_read_etc_files(abrt_domain) -+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) -+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) -+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) -+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) -+ -+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) -+ -+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) - --logging_send_syslog_msg(abrt_domain) -+corecmd_exec_bin(abrt_upload_watch_t) -+ -+dev_read_urand(abrt_upload_watch_t) -+ -+files_search_spool(abrt_upload_watch_t) -+ -+auth_read_passwd(abrt_upload_watch_t) -+ -+tunable_policy(`abrt_upload_watch_anon_write',` -+ miscfiles_manage_public_files(abrt_upload_watch_t) -+') - 
--miscfiles_read_localization(abrt_domain) -+optional_policy(` -+ dbus_system_bus_client(abrt_upload_watch_t) -+') -+ -+####################################### -+# -+# Local policy for all abrt domain -+# -+ -+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; -+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; -+ -+files_read_etc_files(abrt_domain) -diff --git a/accountsd.fc b/accountsd.fc -index f9d8d7a..0682710 100644 ---- a/accountsd.fc -+++ b/accountsd.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) -+ - /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - - /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) -diff --git a/accountsd.if b/accountsd.if -index bd5ec9a..a5ed692 100644 ---- a/accountsd.if -+++ b/accountsd.if -@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',` - ##
    - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## --## -+# -+interface(`accountsd_systemctl',` -+ gen_require(` -+ type accountsd_t; -+ type accountsd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 accountsd_unit_file_t:file read_file_perms; -+ allow $1 accountsd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, accountsd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an accountsd environment -+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # - interface(`accountsd_admin',` - gen_require(` - type accountsd_t; -+ type accountsd_unit_file_t; - ') - -- allow $1 accountsd_t:process { ptrace signal_perms }; -+ allow $1 accountsd_t:process signal_perms; - ps_process_pattern($1, accountsd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 accountsd_t:process ptrace; -+ ') -+ - accountsd_manage_lib_files($1) -+ -+ accountsd_systemctl($1) -+ admin_pattern($1, accountsd_unit_file_t) -+ allow $1 accountsd_unit_file_t:service all_service_perms; - ') -diff --git a/accountsd.te b/accountsd.te -index 313b33f..6e0a894 100644 ---- a/accountsd.te -+++ b/accountsd.te -@@ -4,6 +4,10 @@ gen_require(` - class passwd all_passwd_perms; - ') - -+gen_require(` -+ class passwd { passwd chfn chsh rootok crontab }; -+') -+ - ######################################## - # - # Declarations -@@ -11,11 +15,15 @@ gen_require(` - - type accountsd_t; - type accountsd_exec_t; --dbus_system_domain(accountsd_t, accountsd_exec_t) -+init_daemon_domain(accountsd_t, accountsd_exec_t) -+role system_r types accountsd_t; - - type accountsd_var_lib_t; - files_type(accountsd_var_lib_t) - -+type accountsd_unit_file_t; -+systemd_unit_file(accountsd_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t) - dev_read_sysfs(accountsd_t) - - 
files_read_mnt_files(accountsd_t) --files_read_usr_files(accountsd_t) - - fs_getattr_xattr_fs(accountsd_t) - fs_list_inotifyfs(accountsd_t) -@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t) - auth_read_login_records(accountsd_t) - auth_read_shadow(accountsd_t) - --miscfiles_read_localization(accountsd_t) -+init_dbus_chat(accountsd_t) - -+logging_list_logs(accountsd_t) - logging_send_syslog_msg(accountsd_t) - logging_set_loginuid(accountsd_t) - -@@ -65,9 +73,16 @@ optional_policy(` - ') - - optional_policy(` -+ dbus_system_domain(accountsd_t, accountsd_exec_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(accountsd_t) - ') - - optional_policy(` - xserver_read_xdm_tmp_files(accountsd_t) -+ xserver_read_state_xdm(accountsd_t) -+ xserver_dbus_chat_xdm(accountsd_t) -+ xserver_manage_xdm_etc_files(accountsd_t) - ') -diff --git a/acct.if b/acct.if -index 81280d0..bc4038b 100644 ---- a/acct.if -+++ b/acct.if -@@ -83,6 +83,24 @@ interface(`acct_manage_data',` - - ######################################## - ## -+## Dontaudit Attempts to list acct_data directory -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`acct_dontaudit_list_data',` -+ gen_require(` -+ type acct_data_t; -+ ') -+ -+ dontaudit $1 acct_data_t:dir list_dir_perms; -+') -+ -+####################################### -+## - ## All of the rules required to - ## administrate an acct environment. 
- ## -@@ -103,9 +121,13 @@ interface(`acct_admin',` - type acct_t, acct_initrc_exec_t, acct_data_t; - ') - -- allow $1 acct_t:process { ptrace signal_perms }; -+ allow $1 acct_t:process { signal_perms }; - ps_process_pattern($1, acct_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 acct_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, acct_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 acct_initrc_exec_t system_r; -diff --git a/acct.te b/acct.te -index 1a1c91a..d538827 100644 ---- a/acct.te -+++ b/acct.te -@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t) - dev_read_sysfs(acct_t) - dev_read_urand(acct_t) - --domain_use_interactive_fds(acct_t) -- - fs_search_auto_mountpoints(acct_t) - fs_getattr_xattr_fs(acct_t) - -@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t) - term_dontaudit_use_generic_ptys(acct_t) - - files_read_etc_runtime_files(acct_t) --files_list_usr(acct_t) - - auth_use_nsswitch(acct_t) - -@@ -59,8 +56,6 @@ init_exec_script_files(acct_t) - - logging_send_syslog_msg(acct_t) - --miscfiles_read_localization(acct_t) -- - userdom_dontaudit_search_user_home_dirs(acct_t) - userdom_dontaudit_use_unpriv_user_fds(acct_t) - -diff --git a/ada.te b/ada.te -index 8b5ad06..8ce8f26 100644 ---- a/ada.te -+++ b/ada.te -@@ -20,7 +20,7 @@ role ada_roles types ada_t; - - allow ada_t self:process { execstack execmem }; - --userdom_use_user_terminals(ada_t) -+userdom_use_inherited_user_terminals(ada_t) - - optional_policy(` - unconfined_domain(ada_t) -diff --git a/afs.if b/afs.if -index 3b41be6..97d99f9 100644 ---- a/afs.if -+++ b/afs.if -@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',` - - ######################################## - ## -+## Read AFS config data -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`afs_read_config',` -+ gen_require(` -+ type afs_config_t; -+ ') -+ -+ read_files_pattern($1, afs_config_t, afs_config_t) -+') -+ -+######################################## -+## - ## Read and write afs cache files. - ## - ## -@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',` - interface(`afs_admin',` - gen_require(` - attribute afs_domain; -- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; -+ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; - type afs_ka_db_t, afs_vl_db_t, afs_config_t; - type afs_logfile_t, afs_cache_t, afs_files_t; - ') - -- allow $1 afs_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, afs_domain) -+ allow $1 afs_t:process signal_perms; -+ ps_process_pattern($1, afs_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 afs_t:process ptrace; -+ ') - - afs_initrc_domtrans($1) - domain_system_change_exemption($1) -diff --git a/afs.te b/afs.te -index 6690cdf..7726644 100644 ---- a/afs.te -+++ b/afs.te -@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) - - kernel_rw_afs_state(afs_t) - -+corenet_all_recvfrom_netlabel(afs_t) -+corenet_tcp_sendrecv_generic_if(afs_t) -+corenet_udp_sendrecv_generic_if(afs_t) -+corenet_tcp_sendrecv_generic_node(afs_t) -+corenet_udp_sendrecv_generic_node(afs_t) -+corenet_tcp_sendrecv_all_ports(afs_t) -+corenet_udp_sendrecv_all_ports(afs_t) -+corenet_udp_bind_generic_node(afs_t) -+ - files_mounton_mnt(afs_t) --files_read_usr_files(afs_t) - files_rw_etc_runtime_files(afs_t) - - fs_getattr_xattr_fs(afs_t) -@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t) - - logging_send_syslog_msg(afs_t) - -+sysnet_dns_name_resolve(afs_t) -+ -+ifdef(`hide_broken_symptoms',` -+ kernel_rw_unlabeled_files(afs_t) -+') -+ - ######################################## - # - # AFS bossserver local policy -@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) - - kernel_read_kernel_sysctls(afs_bosserver_t) - 
--corenet_all_recvfrom_unlabeled(afs_bosserver_t) - corenet_all_recvfrom_netlabel(afs_bosserver_t) - corenet_udp_sendrecv_generic_if(afs_bosserver_t) - corenet_udp_sendrecv_generic_node(afs_bosserver_t) -@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) - corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) - - files_list_home(afs_bosserver_t) --files_read_usr_files(afs_bosserver_t) - - seutil_read_config(afs_bosserver_t) - -@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms }; - allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; - allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; - --read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) --allow afs_fsserver_t afs_config_t:dir list_dir_perms; -- - manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) - manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) - -@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) - - corenet_all_recvfrom_unlabeled(afs_fsserver_t) - corenet_all_recvfrom_netlabel(afs_fsserver_t) -+corenet_tcp_bind_generic_node(afs_fsserver_t) -+corenet_udp_bind_generic_node(afs_fsserver_t) - corenet_tcp_sendrecv_generic_if(afs_fsserver_t) - corenet_udp_sendrecv_generic_if(afs_fsserver_t) - corenet_tcp_sendrecv_generic_node(afs_fsserver_t) - corenet_udp_sendrecv_generic_node(afs_fsserver_t) --corenet_tcp_bind_generic_node(afs_fsserver_t) --corenet_udp_bind_generic_node(afs_fsserver_t) -+corenet_tcp_sendrecv_all_ports(afs_fsserver_t) -+corenet_udp_sendrecv_all_ports(afs_fsserver_t) - - corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) - corenet_tcp_bind_afs_fs_port(afs_fsserver_t) -@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) - - files_read_etc_runtime_files(afs_fsserver_t) - files_list_home(afs_fsserver_t) --files_read_usr_files(afs_fsserver_t) - files_list_pids(afs_fsserver_t) - files_dontaudit_search_mnt(afs_fsserver_t) - -@@ -224,7 +234,6 @@ 
manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) - - kernel_read_kernel_sysctls(afs_kaserver_t) - --corenet_all_recvfrom_unlabeled(afs_kaserver_t) - corenet_all_recvfrom_netlabel(afs_kaserver_t) - corenet_udp_sendrecv_generic_if(afs_kaserver_t) - corenet_udp_sendrecv_generic_node(afs_kaserver_t) -@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) - corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) - - files_list_home(afs_kaserver_t) --files_read_usr_files(afs_kaserver_t) - - seutil_read_config(afs_kaserver_t) - -@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t) - allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; - allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; - --read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) --allow afs_ptserver_t afs_config_t:dir list_dir_perms; -- - manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) - manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) - - manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) - filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) - --corenet_all_recvfrom_unlabeled(afs_ptserver_t) - corenet_all_recvfrom_netlabel(afs_ptserver_t) - corenet_tcp_sendrecv_generic_if(afs_ptserver_t) - corenet_udp_sendrecv_generic_if(afs_ptserver_t) -@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) - corenet_udp_bind_afs_pt_port(afs_ptserver_t) - corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) - -+sysnet_read_config(afs_ptserver_t) -+ - userdom_dontaudit_use_user_terminals(afs_ptserver_t) - - ######################################## -@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t) - allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; - allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; - --read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) --allow afs_vlserver_t 
afs_config_t:dir list_dir_perms; -- - manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) - manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) - - manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) - filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) - --corenet_all_recvfrom_unlabeled(afs_vlserver_t) - corenet_all_recvfrom_netlabel(afs_vlserver_t) - corenet_tcp_sendrecv_generic_if(afs_vlserver_t) - corenet_udp_sendrecv_generic_if(afs_vlserver_t) -@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) - - allow afs_domain self:udp_socket create_socket_perms; - --files_read_etc_files(afs_domain) -- --miscfiles_read_localization(afs_domain) -+read_files_pattern(afs_domain, afs_config_t, afs_config_t) -+allow afs_domain afs_config_t:dir list_dir_perms; - - sysnet_read_config(afs_domain) -+ -diff --git a/aiccu.if b/aiccu.if -index 3b5dcb9..fbe187f 100644 ---- a/aiccu.if -+++ b/aiccu.if -@@ -79,9 +79,13 @@ interface(`aiccu_admin',` - type aiccu_var_run_t; - ') - -- allow $1 aiccu_t:process { ptrace signal_perms }; -+ allow $1 aiccu_t:process signal_perms; - ps_process_pattern($1, aiccu_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 aiccu_t:process ptrace; -+ ') -+ - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; -diff --git a/aiccu.te b/aiccu.te -index 72c33c2..6e4206c 100644 ---- a/aiccu.te -+++ b/aiccu.te -@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) - corenet_tcp_bind_generic_node(aiccu_t) - corenet_tcp_sendrecv_generic_if(aiccu_t) - corenet_tcp_sendrecv_generic_node(aiccu_t) -- - corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) - corenet_tcp_connect_sixxsconfig_port(aiccu_t) - corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t) - dev_read_rand(aiccu_t) - dev_read_urand(aiccu_t) - --files_read_etc_files(aiccu_t) - --logging_send_syslog_msg(aiccu_t) 
-+auth_read_passwd(aiccu_t) - --miscfiles_read_localization(aiccu_t) -+logging_send_syslog_msg(aiccu_t) - - optional_policy(` - modutils_domtrans_insmod(aiccu_t) -diff --git a/aide.if b/aide.if -index 01cbb67..94a4a24 100644 ---- a/aide.if -+++ b/aide.if -@@ -67,9 +67,13 @@ interface(`aide_admin',` - type aide_t, aide_db_t, aide_log_t; - ') - -- allow $1 aide_t:process { ptrace signal_perms }; -+ allow $1 aide_t:process signal_perms; - ps_process_pattern($1, aide_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 aide_t:process ptrace; -+ ') -+ - aide_run($1, $2) - - files_list_etc($1) -diff --git a/aide.te b/aide.te -index 4b28ab3..f781a7a 100644 ---- a/aide.te -+++ b/aide.te -@@ -10,6 +10,7 @@ attribute_role aide_roles; - type aide_t; - type aide_exec_t; - application_domain(aide_t, aide_exec_t) -+cron_system_entry(aide_t, aide_exec_t) - role aide_roles types aide_t; - - type aide_log_t; -@@ -23,22 +24,30 @@ files_type(aide_db_t) - # Local policy - # - --allow aide_t self:capability { dac_override fowner }; -+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin }; - - manage_files_pattern(aide_t, aide_db_t, aide_db_t) -+files_var_lib_filetrans(aide_t, aide_db_t, { dir file }) - --create_files_pattern(aide_t, aide_log_t, aide_log_t) --append_files_pattern(aide_t, aide_log_t, aide_log_t) --setattr_files_pattern(aide_t, aide_log_t, aide_log_t) -+manage_files_pattern(aide_t, aide_log_t, aide_log_t) - logging_log_filetrans(aide_t, aide_log_t, file) - - files_read_all_files(aide_t) - files_read_all_symlinks(aide_t) -+files_getattr_all_pipes(aide_t) -+files_getattr_all_sockets(aide_t) -+ -+mls_file_read_to_clearance(aide_t) -+mls_file_write_to_clearance(aide_t) - - logging_send_audit_msgs(aide_t) - logging_send_syslog_msg(aide_t) - --userdom_use_user_terminals(aide_t) -+userdom_use_inherited_user_terminals(aide_t) -+ -+optional_policy(` -+ prelink_domtrans(aide_t) -+') - - optional_policy(` - seutil_use_newrole_fds(aide_t) -diff --git a/aisexec.if 
b/aisexec.if -index a2997fa..861cebd 100644 ---- a/aisexec.if -+++ b/aisexec.if -@@ -83,9 +83,13 @@ interface(`aisexecd_admin',` - type aisexec_initrc_exec_t; - ') - -- allow $1 aisexec_t:process { ptrace signal_perms }; -+ allow $1 aisexec_t:process signal_perms; - ps_process_pattern($1, aisexec_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 aisexec_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; -diff --git a/aisexec.te b/aisexec.te -index 196f7cf..3b5354f 100644 ---- a/aisexec.te -+++ b/aisexec.te -@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) - kernel_read_system_state(aisexec_t) - - corecmd_exec_bin(aisexec_t) -+corecmd_exec_shell(aisexec_t) - - corenet_all_recvfrom_unlabeled(aisexec_t) - corenet_all_recvfrom_netlabel(aisexec_t) -@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t) - - logging_send_syslog_msg(aisexec_t) - --miscfiles_read_localization(aisexec_t) -- - userdom_rw_unpriv_user_semaphores(aisexec_t) - userdom_rw_unpriv_user_shared_mem(aisexec_t) - -@@ -105,6 +104,11 @@ optional_policy(` - ') - - optional_policy(` -+ corosync_domtrans(aisexec_t) -+') -+ -+optional_policy(` -+ # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(aisexec_t) - - rhcs_rw_fenced_semaphores(aisexec_t) -diff --git a/ajaxterm.fc b/ajaxterm.fc -new file mode 100644 -index 0000000..aeb1888 ---- /dev/null -+++ b/ajaxterm.fc -@@ -0,0 +1,6 @@ -+ -+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0) -+ -+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0) -+ -+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) -diff --git a/ajaxterm.if b/ajaxterm.if -new file mode 100644 -index 0000000..7abe946 ---- /dev/null -+++ b/ajaxterm.if -@@ -0,0 +1,90 @@ -+## policy for ajaxterm -+ 
-+########################################
-+##
-+## Execute a domain transition to run ajaxterm.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ajaxterm_domtrans',`
-+ gen_require(`
-+ type ajaxterm_t, ajaxterm_exec_t;
-+ ')
-+ 
-+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
-+')
-+ 
-+########################################
-+##
-+## Execute ajaxterm server in the ajaxterm domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`ajaxterm_initrc_domtrans',`
-+ gen_require(`
-+ type ajaxterm_initrc_exec_t;
-+ ')
-+ 
-+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
-+')
-+ 
-+#######################################
-+##
-+## Read and write the ajaxterm pty type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ajaxterm_rw_ptys',`
-+ gen_require(`
-+ type ajaxterm_devpts_t;
-+ ')
-+ 
-+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+ 
-+########################################
-+##
-+## All of the rules required to administrate
-+## an ajaxterm environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access. 
-+##
-+##
-+##
-+#
-+interface(`ajaxterm_admin',`
-+ gen_require(`
-+ type ajaxterm_t, ajaxterm_initrc_exec_t;
-+ ')
-+ 
-+ allow $1 ajaxterm_t:process signal_perms;
-+ ps_process_pattern($1, ajaxterm_t)
-+ 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ajaxterm_t:process ptrace;
-+ ')
-+ 
-+ ajaxterm_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ajaxterm_initrc_exec_t system_r;
-+ allow $2 system_r;
-+')
-diff --git a/ajaxterm.te b/ajaxterm.te
-new file mode 100644
-index 0000000..a95a4ad
---- /dev/null
-+++ b/ajaxterm.te
-@@ -0,0 +1,60 @@
-+policy_module(ajaxterm, 1.0.0)
-+ 
-+########################################
-+#
-+# Declarations
-+#
-+ 
-+type ajaxterm_t;
-+type ajaxterm_exec_t;
-+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
-+ 
-+type ajaxterm_initrc_exec_t;
-+init_script_file(ajaxterm_initrc_exec_t)
-+ 
-+type ajaxterm_var_run_t;
-+files_pid_file(ajaxterm_var_run_t)
-+ 
-+type ajaxterm_devpts_t;
-+term_login_pty(ajaxterm_devpts_t)
-+ 
-+########################################
-+#
-+# ajaxterm local policy
-+#
-+allow ajaxterm_t self:capability setuid;
-+allow ajaxterm_t self:process { setpgid signal };
-+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
-+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
-+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
-+ 
-+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
-+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
-+ 
-+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
-+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
-+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
-+ 
-+kernel_read_system_state(ajaxterm_t)
-+ 
-+corecmd_exec_bin(ajaxterm_t)
-+ 
-+corenet_tcp_bind_generic_node(ajaxterm_t)
-+corenet_tcp_bind_oa_system_port(ajaxterm_t)
-+ 
-+dev_read_urand(ajaxterm_t)
-+ 
-+domain_use_interactive_fds(ajaxterm_t)
-+ 
-+ 
-+sysnet_dns_name_resolve(ajaxterm_t)
-+ 
-+#######################################
-+#
-+# SSH component local policy
-+#
-+ 
-+optional_policy(`
-+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
-+')
-+ 
-diff --git a/alsa.fc b/alsa.fc
-index 5de1e01..e5ab7ff 100644
---- a/alsa.fc
-+++ b/alsa.fc
-@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
- /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
- /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
- 
--/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-+ 
-+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
-+ 
-+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
-diff --git a/alsa.if b/alsa.if
-index 708b743..cc78465 100644
---- a/alsa.if
-+++ b/alsa.if
-@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
- 
- userdom_search_user_home_dirs($1)
- allow $1 alsa_home_t:file manage_file_perms;
-+ alsa_filetrans_home_content($1)
- ')
- 
- ########################################
-@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',`
- 
- ########################################
- ##
--## Create objects in user home
--## directories with the generic alsa
--## home type.
-+## Read Alsa lib files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`alsa_read_lib',`
-+ gen_require(`
-+ type alsa_var_lib_t;
-+ ')
-+ 
-+ files_search_var_lib($1)
-+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-+')
-+ 
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
- ##
--## Class of the object being created.
-+## Domain allowed access. 
- ##
- ##
--##
-+#
-+interface(`alsa_filetrans_home_content',`
-+ gen_require(`
-+ type alsa_home_t;
-+ ')
-+ 
-+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
-+')
-+ 
-+########################################
-+##
-+## Transition to alsa named content
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`alsa_home_filetrans_alsa_home',`
-+interface(`alsa_filetrans_named_content',`
- gen_require(`
- type alsa_home_t;
-+ type alsa_etc_rw_t;
-+ type alsa_var_lib_t;
- ')
- 
-- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
-+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
-+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
-+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
-+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
-+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
-+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
- ')
- 
- ########################################
- ##
--## Read Alsa lib files.
-+## Execute alsa server in the alsa domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition. 
- ##
- ##
- #
--interface(`alsa_read_lib',`
-+interface(`alsa_systemctl',`
- gen_require(`
-- type alsa_var_lib_t;
-+ type alsa_t;
-+ type alsa_unit_file_t;
- ')
- 
-- files_search_var_lib($1)
-- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-+ systemd_exec_systemctl($1)
-+ allow $1 alsa_unit_file_t:file read_file_perms;
-+ allow $1 alsa_unit_file_t:service manage_service_perms;
-+ 
-+ ps_process_pattern($1, alsa_t)
- ')
-diff --git a/alsa.te b/alsa.te
-index cda6d20..443ce3c 100644
---- a/alsa.te
-+++ b/alsa.te
-@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
- 
-+type alsa_var_run_t;
-+files_pid_file(alsa_var_run_t)
-+ 
- type alsa_home_t;
- userdom_user_home_content(alsa_home_t)
- 
-+type alsa_unit_file_t;
-+systemd_unit_file(alsa_unit_file_t)
-+ 
- ########################################
- #
- # Local policy
- #
- 
--allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
--dontaudit alsa_t self:capability sys_admin;
-+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
-+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
-+allow alsa_t self:process { getsched setsched signal_perms };
- allow alsa_t self:sem create_sem_perms;
- allow alsa_t self:shm create_shm_perms;
- allow alsa_t self:unix_stream_socket { accept listen };
-@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
- manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- 
-+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
-+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
-+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
-+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
-+ 
- kernel_read_system_state(alsa_t)
- 
- corecmd_exec_bin(alsa_t)
-@@ -59,7 +71,6 @@ dev_read_sound(alsa_t)
- dev_read_sysfs(alsa_t)
- 
dev_write_sound(alsa_t)
- 
--files_read_usr_files(alsa_t)
- files_search_var_lib(alsa_t)
- 
- term_dontaudit_use_console(alsa_t)
-@@ -72,8 +83,6 @@ init_use_fds(alsa_t)
- 
- logging_send_syslog_msg(alsa_t)
- 
--miscfiles_read_localization(alsa_t)
--
- userdom_manage_unpriv_user_semaphores(alsa_t)
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
-diff --git a/amanda.fc b/amanda.fc
-index 7f4dfbc..e5c9f45 100644
---- a/amanda.fc
-+++ b/amanda.fc
-@@ -1,5 +1,6 @@
- /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
- /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
-+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
- /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
- /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
- # empty m4 string so the index macro is not invoked
-@@ -13,6 +14,8 @@
- /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
- /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
- 
-+/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
-+ 
- /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
- /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
- 
-diff --git a/amanda.te b/amanda.te
-index ed45974..ec7bb41 100644
---- a/amanda.te
-+++ b/amanda.te
-@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
- roleattribute system_r amanda_recover_roles;
- 
- type amanda_t;
-+type amanda_exec_t;
- type amanda_inetd_exec_t;
--inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+application_executable_file(amanda_exec_t)
-+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
-+role system_r types amanda_t;
- 
--type amanda_exec_t;
--domain_entry_file(amanda_t, amanda_exec_t)
-+type amanda_unit_file_t;
-+systemd_unit_file(amanda_unit_file_t)
- 
- type amanda_log_t;
- 
logging_log_file(amanda_log_t)
-@@ -60,7 +63,7 @@ optional_policy(`
- #
- 
- allow amanda_t self:capability { chown dac_override setuid kill };
--allow amanda_t self:process { setpgid signal };
-+allow amanda_t self:process { getsched setsched setpgid signal };
- allow amanda_t self:fifo_file rw_fifo_file_perms;
- allow amanda_t self:unix_stream_socket { accept listen };
- allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
- 
- manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
- manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
-+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
- filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
- 
- allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
- corecmd_exec_shell(amanda_t)
- corecmd_exec_bin(amanda_t)
- 
--corenet_all_recvfrom_unlabeled(amanda_t)
- corenet_all_recvfrom_netlabel(amanda_t)
- corenet_tcp_sendrecv_generic_if(amanda_t)
- corenet_tcp_sendrecv_generic_node(amanda_t)
- corenet_tcp_sendrecv_all_ports(amanda_t)
- corenet_tcp_bind_generic_node(amanda_t)
- 
-+corenet_tcp_bind_amanda_port(amanda_t)
-+ 
- corenet_sendrecv_all_server_packets(amanda_t)
- corenet_tcp_bind_all_rpc_ports(amanda_t)
- corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
- 
- dev_getattr_all_blk_files(amanda_t)
- dev_getattr_all_chr_files(amanda_t)
-+dev_read_urand(amanda_t)
- 
- files_read_etc_runtime_files(amanda_t)
- files_list_all(amanda_t)
-@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t)
- corecmd_exec_shell(amanda_recover_t)
- corecmd_exec_bin(amanda_recover_t)
- 
--corenet_all_recvfrom_unlabeled(amanda_recover_t)
- corenet_all_recvfrom_netlabel(amanda_recover_t)
- corenet_tcp_sendrecv_generic_if(amanda_recover_t)
- corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 
+200,16 @@ files_search_tmp(amanda_recover_t)
- 
- auth_use_nsswitch(amanda_recover_t)
- 
--fstools_domtrans(amanda_t)
--fstools_signal(amanda_t)
--
- logging_search_logs(amanda_recover_t)
- 
--miscfiles_read_localization(amanda_recover_t)
--
--userdom_use_user_terminals(amanda_recover_t)
-+userdom_use_inherited_user_terminals(amanda_recover_t)
- userdom_search_user_home_content(amanda_recover_t)
-+ 
-+optional_policy(`
-+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
-+')
-+ 
-+optional_policy(`
-+ fstools_domtrans(amanda_t)
-+ fstools_signal(amanda_t)
-+')
-diff --git a/amavis.fc b/amavis.fc
-index 17689a7..8aa6849 100644
---- a/amavis.fc
-+++ b/amavis.fc
-@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
- /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
- ')
- 
--/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
--
- /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
- 
- /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
-diff --git a/amavis.if b/amavis.if
-index 60d4f8c..18ef077 100644
---- a/amavis.if
-+++ b/amavis.if
-@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
- 
- files_search_spool($1)
- read_files_pattern($1, amavis_spool_t, amavis_spool_t)
-+ allow $1 amavis_spool_t:dir list_dir_perms;
- ')
- 
- ########################################
-@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
- 
- ########################################
- ##
-+## Read and write amavis lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`amavis_rw_lib_files',`
-+ gen_require(`
-+ type amavis_var_lib_t;
-+ ')
-+ 
-+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
-+ allow $1 amavis_var_lib_t:dir list_dir_perms;
-+ files_search_var_lib($1)
-+')
-+ 
-+########################################
-+##
-+##
- ## Create, read, write, and delete
- ## amavis lib files. 
- ##
-@@ -234,9 +255,13 @@ interface(`amavis_admin',`
- type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
- ')
- 
-- allow $1 amavis_t:process { ptrace signal_perms };
-+ allow $1 amavis_t:process signal_perms;
- ps_process_pattern($1, amavis_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 amavis_t:process ptrace;
-+ ')
-+ 
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
-diff --git a/amavis.te b/amavis.te
-index ab55ba7..a95b541 100644
---- a/amavis.te
-+++ b/amavis.te
-@@ -39,7 +39,7 @@ type amavis_quarantine_t;
- files_type(amavis_quarantine_t)
- 
- type amavis_spool_t;
--files_type(amavis_spool_t)
-+files_spool_file(amavis_spool_t)
- 
- ########################################
- #
-@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
- manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
- filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
- 
-+# tmp files
-+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
- manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
- allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
--files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
-+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
- 
- manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
- manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
- corecmd_exec_bin(amavis_t)
- corecmd_exec_shell(amavis_t)
- 
--corenet_all_recvfrom_unlabeled(amavis_t)
- corenet_all_recvfrom_netlabel(amavis_t)
- corenet_tcp_sendrecv_generic_if(amavis_t)
- corenet_udp_sendrecv_generic_if(amavis_t)
-@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
- 
- corenet_sendrecv_razor_client_packets(amavis_t)
- corenet_tcp_connect_razor_port(amavis_t) 
-+corenet_tcp_connect_agentx_port(amavis_t)
- 
- dev_read_rand(amavis_t)
- dev_read_sysfs(amavis_t)
-@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
- domain_dontaudit_read_all_domains_state(amavis_t)
- 
- files_read_etc_runtime_files(amavis_t)
--files_read_usr_files(amavis_t)
- files_search_spool(amavis_t)
- 
- fs_getattr_xattr_fs(amavis_t)
-@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
- 
- logging_send_syslog_msg(amavis_t)
- 
--miscfiles_read_localization(amavis_t)
-+miscfiles_read_generic_certs(amavis_t)
-+ 
-+sysnet_use_ldap(amavis_t)
- 
- userdom_dontaudit_search_user_home_dirs(amavis_t)
- 
- tunable_policy(`amavis_use_jit',`
-- allow amavis_t self:process execmem;
-+ allow amavis_t self:process execmem;
- ',`
-- dontaudit amavis_t self:process execmem;
-+ dontaudit amavis_t self:process execmem;
-+')
-+ 
-+optional_policy(`
-+ antivirus_domain_template(amavis_t)
- ')
- 
- optional_policy(`
-@@ -173,6 +181,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ nslcd_stream_connect(amavis_t)
-+')
-+ 
-+optional_policy(`
- postfix_read_config(amavis_t)
- postfix_list_spool(amavis_t)
- ')
-diff --git a/amtu.te b/amtu.te
-index c960f92..486e9ed 100644
---- a/amtu.te
-+++ b/amtu.te
-@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
- 
- files_manage_boot_files(amtu_t)
- files_read_etc_runtime_files(amtu_t)
--files_read_etc_files(amtu_t)
- 
- logging_send_audit_msgs(amtu_t)
- 
--userdom_use_user_terminals(amtu_t)
-+userdom_use_inherited_user_terminals(amtu_t)
- 
- optional_policy(`
- nscd_dontaudit_search_pid(amtu_t)
-diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..9f23456 100644
---- a/anaconda.te
-+++ b/anaconda.te
-@@ -4,6 +4,10 @@ gen_require(`
- class passwd all_passwd_perms;
- ')
- 
-+gen_require(`
-+ class passwd { passwd chfn chsh rootok crontab };
-+')
-+ 
- ########################################
- #
- # Declarations
-@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
- modutils_domtrans_depmod(anaconda_t)
- 
- 
seutil_domtrans_semanage(anaconda_t)
-+seutil_domtrans_setsebool(anaconda_t)
- 
--userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-+userdom_filetrans_home_content(anaconda_t)
- 
- optional_policy(`
- rpm_domtrans(anaconda_t)
-diff --git a/antivirus.fc b/antivirus.fc
-new file mode 100644
-index 0000000..e44bff0
---- /dev/null
-+++ b/antivirus.fc
-@@ -0,0 +1,43 @@
-+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
-+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
-+ 
-+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
-+ 
-+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
-+ 
-+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+ 
-+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+ 
-+/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
-+ 
-+/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+ 
-+ 
-+/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/spool/amavisd(/.*)? 
gen_context(system_u:object_r:antivirus_db_t,s0)
-+/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
-+ 
-+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
-+/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
-+ 
-+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+ 
-+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
-+ 
-diff --git a/antivirus.if b/antivirus.if
-new file mode 100644
-index 0000000..df5b3be
---- /dev/null
-+++ b/antivirus.if
-@@ -0,0 +1,322 @@
-+## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan
-+ 
-+######################################
-+##
-+## Creates types and rules for a basic
-+## antivirus domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+interface(`antivirus_domain_template',`
-+ gen_require(`
-+ attribute antivirus_domain;
-+ ')
-+ 
-+ typeattribute $1 antivirus_domain;
-+')
-+ 
-+#######################################
-+##
-+## Execute a domain transition to run antivirus program.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`antivirus_domtrans',`
-+ gen_require(`
-+ type antivirus_t, antivirus_exec_t;
-+ ')
-+ 
-+ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
-+')
-+ 
-+#######################################
-+##
-+## Execute antivirus program without a transition.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`antivirus_exec',`
-+ gen_require(`
-+ type antivirus_exec_t;
-+ ')
-+ 
-+ can_exec($1, antivirus_exec_t)
-+')
-+ 
-+#######################################
-+##
-+## Connect to run antivirus program.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_stream_connect',`
-+ gen_require(`
-+ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
-+ ')
-+ 
-+ files_search_pids($1)
-+ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
-+ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
-+')
-+ 
-+#######################################
-+##
-+## Allow the specified domain to append
-+## to antivirus log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_append_log',`
-+ gen_require(`
-+ type antivirus_log_t;
-+ ')
-+ 
-+ logging_search_logs($1)
-+ allow $1 antivirus_log_t:dir list_dir_perms;
-+ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
-+')
-+ 
-+#######################################
-+##
-+## Read antivirus configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_read_config',`
-+ gen_require(`
-+ type antivirus_conf_t;
-+ ')
-+ 
-+ files_search_etc($1)
-+ allow $1 antivirus_conf_t:file read_file_perms;
-+')
-+ 
-+#######################################
-+##
-+## Search antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_search_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+ 
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ allow $1 antivirus_db_t:dir search_dir_perms;
-+')
-+ 
-+######################################
-+##
-+## Read antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`antivirus_read_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+ 
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+')
-+ 
-+#####################################
-+##
-+## Read and write antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_rw_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+ 
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+')
-+ 
-+####################################
-+##
-+## Manage antivirus db content directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_manage_db',`
-+ gen_require(`
-+ type antivirus_db_t;
-+ ')
-+ 
-+ files_search_var_lib($1)
-+ files_search_spool($1)
-+ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
-+ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
-+')
-+ 
-+#######################################
-+##
-+## Manage antivirus pid content.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_manage_pid',`
-+ gen_require(`
-+ type antivirus_var_run_t;
-+ ')
-+ 
-+ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
-+ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
-+')
-+ 
-+######################################
-+##
-+## Read antivirus state files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`antivirus_read_state_clamd',`
-+ gen_require(`
-+ type antivirus_t;
-+ ')
-+ 
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, antivirus_t)
-+')
-+ 
-+######################################
-+##
-+## Execute antivirus server in the antivirus domain.
-+##
-+##
-+##
-+## Domain allowed to transition. 
-+##
-+##
-+#
-+interface(`antivirus_systemctl',`
-+ gen_require(`
-+ type antivirus_t;
-+ type antivirus_unit_file_t;
-+ ')
-+ 
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 antivirus_unit_file_t:file read_file_perms;
-+ allow $1 antivirus_unit_file_t:service manage_service_perms;
-+ 
-+ ps_process_pattern($1, antivirus_t)
-+')
-+ 
-+#######################################
-+##
-+## All of the rules required to administrate
-+## an antivirus programs environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the clamav domain.
-+##
-+##
-+##
-+#
-+interface(`antivirus_admin',`
-+ gen_require(`
-+ attribute antivirus_domain;
-+ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
-+ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
-+ type antivirus_initrc_exec_t, antivirus_unit_file_t;
-+ ')
-+ 
-+ allow $1 antivirus_t:process signal_perms;
-+ ps_process_pattern($1, antivirus_t)
-+ 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 antivirus_t:process ptrace;
-+ ')
-+ 
-+ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 antivirus_initrc_exec_t system_r;
-+ allow $2 system_r;
-+ 
-+ antivirus_systemctl($1)
-+ admin_pattern($1, antivirus_unit_file_t)
-+ allow $1 antivirus_unit_file_t:service all_service_perms;
-+ 
-+ files_list_etc($1)
-+ admin_pattern($1, antivirus_conf_t)
-+ 
-+ files_list_var_lib($1)
-+ admin_pattern($1, antivirus_db_t)
-+ 
-+ logging_list_logs($1)
-+ admin_pattern($1, antivirus_log_t)
-+ 
-+ files_list_pids($1)
-+ admin_pattern($1, antivirus_var_run_t)
-+ 
-+ files_list_tmp($1)
-+ admin_pattern($1, antivirus_tmp_t)
-+ 
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/antivirus.te b/antivirus.te
-new file mode 100644
-index 0000000..8ba9c95
---- /dev/null
-+++ b/antivirus.te
-@@ -0,0 +1,274 @@
-+policy_module(antivirus, 
1.0.0)
-+ 
-+########################################
-+#
-+# Declarations
-+#
-+ 
-+##
-+##

    -+## Allow antivirus programs to read non security files on a system
-+##

    -+##
    -+gen_tunable(antivirus_can_scan_system, false)
-+ 
-+##
-+##

    -+## Determine whether can antivirus programs use JIT compiler.
-+##

    -+##
    -+gen_tunable(antivirus_use_jit, false)
-+ 
-+attribute antivirus_domain;
-+ 
-+type antivirus_t;
-+type antivirus_exec_t;
-+typeattribute antivirus_t antivirus_domain;
-+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
-+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
-+init_daemon_domain(antivirus_t, antivirus_exec_t)
-+ 
-+type antivirus_initrc_exec_t;
-+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
-+init_script_file(antivirus_initrc_exec_t)
-+ 
-+type antivirus_unit_file_t;
-+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
-+systemd_unit_file(antivirus_unit_file_t)
-+ 
-+type antivirus_conf_t;
-+typealias antivirus_conf_t alias { clamd_etc_t };
-+files_config_file(antivirus_conf_t)
-+ 
-+type antivirus_var_run_t;
-+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
-+files_pid_file(antivirus_var_run_t)
-+ 
-+type antivirus_log_t;
-+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
-+logging_log_file(antivirus_log_t)
-+ 
-+type antivirus_db_t;
-+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
-+files_type(antivirus_db_t)
-+ 
-+type antivirus_home_t;
-+userdom_user_home_content(antivirus_home_t)
-+ 
-+type antivirus_tmp_t;
-+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
-+files_tmp_file(antivirus_tmp_t)
-+ 
-+########################################
-+#
-+# antivirus domain local policy
-+#
-+ 
-+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
-+dontaudit antivirus_domain self:capability sys_tty_config;
-+allow antivirus_domain self:process signal_perms;
-+ 
-+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
-+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
-+allow antivirus_domain self:tcp_socket { listen accept }; 
-+ 
-+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
-+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
-+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
-+ 
-+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
-+ 
-+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
-+ 
-+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
-+ 
-+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
-+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
-+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
-+ 
-+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
-+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
-+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
-+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
-+ 
-+can_exec(antivirus_domain, antivirus_exec_t)
-+ 
-+kernel_read_network_state(antivirus_t)
-+kernel_read_net_sysctls(antivirus_t)
-+kernel_read_kernel_sysctls(antivirus_domain) 
-+kernel_read_sysctl(antivirus_domain)
-+kernel_read_system_state(antivirus_t)
-+ 
-+corecmd_exec_bin(antivirus_domain)
-+corecmd_exec_shell(antivirus_domain)
-+ 
-+corenet_all_recvfrom_netlabel(antivirus_t)
-+corenet_tcp_sendrecv_generic_if(antivirus_t)
-+corenet_udp_sendrecv_generic_if(antivirus_t)
-+corenet_tcp_sendrecv_generic_node(antivirus_domain)
-+corenet_udp_sendrecv_generic_node(antivirus_domain)
-+corenet_tcp_sendrecv_all_ports(antivirus_domain)
-+corenet_udp_sendrecv_all_ports(antivirus_domain)
-+corenet_tcp_bind_generic_node(antivirus_domain)
-+corenet_udp_bind_generic_node(antivirus_domain)
-+ 
-+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
-+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
-+ 
-+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
-+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
-+ 
-+corenet_sendrecv_generic_server_packets(antivirus_domain)
-+corenet_udp_bind_generic_port(antivirus_domain)
-+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
-+ 
-+corenet_sendrecv_razor_client_packets(antivirus_domain)
-+corenet_tcp_connect_razor_port(antivirus_domain)
-+corenet_tcp_connect_agentx_port(antivirus_domain)
-+ 
-+corenet_tcp_connect_clamd_port(antivirus_domain)
-+ 
-+corenet_sendrecv_clamd_server_packets(antivirus_domain)
-+corenet_tcp_bind_clamd_port(antivirus_domain)
-+ 
-+corenet_sendrecv_http_client_packets(antivirus_domain)
-+corenet_tcp_connect_http_port(antivirus_domain)
-+corenet_tcp_sendrecv_http_port(antivirus_domain)
-+ 
-+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
-+corenet_tcp_connect_http_cache_port(antivirus_domain)
-+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
-+ 
-+#support for MySQL/PostgreSQL
-+corenet_tcp_connect_mysqld_port(antivirus_domain)
-+corenet_tcp_connect_postgresql_port(antivirus_domain)
-+ 
-+corenet_sendrecv_snmp_client_packets(antivirus_domain)
-+corenet_tcp_connect_snmp_port(antivirus_domain)
-+ 
-+corenet_sendrecv_squid_client_packets(antivirus_domain) -+corenet_tcp_connect_squid_port(antivirus_domain) -+corenet_tcp_sendrecv_squid_port(antivirus_domain) -+ -+dev_read_rand(antivirus_domain) -+dev_read_sysfs(antivirus_domain) -+dev_read_urand(antivirus_domain) -+ -+domain_dontaudit_read_all_domains_state(antivirus_domain) -+ -+files_read_etc_runtime_files(antivirus_domain) -+files_search_spool(antivirus_domain) -+ -+fs_getattr_xattr_fs(antivirus_domain) -+ -+auth_use_nsswitch(antivirus_t) -+auth_dontaudit_read_shadow(antivirus_domain) -+ -+init_read_state(antivirus_domain) -+init_read_utmp(antivirus_domain) -+init_stream_connect_script(antivirus_domain) -+init_dontaudit_write_utmp(antivirus_domain) -+ -+logging_send_syslog_msg(antivirus_t) -+ -+miscfiles_read_generic_certs(antivirus_domain) -+ -+sysnet_use_ldap(antivirus_domain) -+ -+userdom_stream_connect(antivirus_domain) -+userdom_dontaudit_search_user_home_dirs(antivirus_domain) -+ -+tunable_policy(`antivirus_can_scan_system',` -+ files_read_non_security_files(antivirus_domain) -+ #files_dontaudit_read_all_non_security_files(antivirus_domain) -+ files_dontaudit_read_security_files(antivirus_domain) -+ files_getattr_all_pipes(antivirus_domain) -+ files_getattr_all_sockets(antivirus_domain) -+ dev_getattr_all_blk_files(antivirus_domain) -+ dev_getattr_all_chr_files(antivirus_domain) -+') -+ -+tunable_policy(`antivirus_use_jit',` -+ allow antivirus_domain self:process execmem; -+ allow antivirus_domain self:process execmem; -+',` -+ dontaudit antivirus_domain self:process execmem; -+ dontaudit antivirus_domain self:process execmem; -+') -+ -+optional_policy(` -+ apache_read_sys_content(antivirus_domain) -+') -+ -+optional_policy(` -+ antivirus_systemctl(antivirus_domain) -+') -+ -+optional_policy(` -+ cron_system_entry(antivirus_t, antivirus_exec_t) -+ cron_use_fds(antivirus_domain) -+ cron_use_system_job_fds(antivirus_domain) -+ cron_rw_pipes(antivirus_domain) -+') -+ -+optional_policy(` -+ 
dcc_domtrans_client(antivirus_domain) -+ dcc_stream_connect_dccifd(antivirus_domain) -+') -+ -+optional_policy(` -+ exim_read_spool_files(antivirus_domain) -+') -+ -+optional_policy(` -+ mta_read_config(antivirus_domain) -+ mta_read_queue(antivirus_domain) -+ mta_send_mail(antivirus_domain) -+') -+ -+optional_policy(` -+ nslcd_stream_connect(antivirus_domain) -+') -+ -+optional_policy(` -+ mysql_stream_connect(antivirus_domain) -+ corenet_tcp_connect_mysqld_port(antivirus_domain) -+') -+ -+optional_policy(` -+ postfix_read_config(antivirus_domain) -+ postfix_list_spool(antivirus_domain) -+') -+ -+optional_policy(` -+ pyzor_domtrans(antivirus_domain) -+ pyzor_signal(antivirus_domain) -+') -+ -+optional_policy(` -+ razor_domtrans(antivirus_domain) -+') -+ -+optional_policy(` -+ snmp_manage_var_lib_dirs(antivirus_domain) -+ snmp_manage_var_lib_files(antivirus_domain) -+ snmp_stream_connect(antivirus_domain) -+') -+ -+optional_policy(` -+ spamd_stream_connect(clamd_t) -+ spamassassin_exec(antivirus_domain) -+ spamassassin_exec_client(antivirus_domain) -+ spamassassin_read_lib_files(antivirus_domain) -+ spamassassin_read_pid_files(antivirus_domain) -+') -diff --git a/apache.fc b/apache.fc -index 550a69e..66ba451 100644 ---- a/apache.fc -+++ b/apache.fc -@@ -1,161 +1,200 @@ --HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) --HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) -+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) - HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) - HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0) - --/etc/apache(2)?(/.*)? 
gen_context(system_u:object_r:httpd_config_t,s0) --/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) --/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) --/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) --/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) --/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) --/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) --/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) --/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -- --/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) -+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) -+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/mock/koji(/.*)? 
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - --/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) --/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - --/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) - --/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) - --/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/srv/([^/]*/)?www/logs(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) -+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - --/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) --/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - --/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) --/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) --/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) --/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) --/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) --/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) --/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) --/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) - --/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) -+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? 
-- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - --/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) --/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) --/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) --/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) --/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) --/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -- --ifdef(`distro_suse',` --/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -+ -+ifdef(`distro_suse', ` -+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - --/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/htdig(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) --/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -- --/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/mod_gnutls(/.*)? 
gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) -+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+ -+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+ -+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mod_gnutls(/.*)? 
gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) -- --/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) --/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) --/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) --/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) --/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) --/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) -+ -+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/php(/.*)? 
gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+ - /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) --/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) --/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -- --/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/lib/openshift/\.httpd\.d(/.*)? 
gen_context(system_u:object_r:httpd_config_t,s0) -+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+ -+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ifdef(`distro_debian', ` -+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+') -+ -+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? 
gen_context(system_u:object_r:httpd_var_lib_t,s0) -+ -+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) -+ -+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -+ -+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - --/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/lighttpd(/.*)? 
gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) --/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) -- --/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) --/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -- --/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) --/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) --/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) --/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/var/www/svn/hooks(/.*)? 
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+ -+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -+ -+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ -+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ -+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ -+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ -+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ -+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ -+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) -+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+ -+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+ -+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+ -+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? 
gen_context(system_u:object_r:httpd_var_run_t,s0) -diff --git a/apache.if b/apache.if -index 83e899c..fac6fe5 100644 ---- a/apache.if -+++ b/apache.if -@@ -1,9 +1,9 @@ --## Various web servers. -+## Apache web server - - ######################################## - ## --## Create a set of derived types for --## httpd web content. -+## Create a set of derived types for apache -+## web content. - ## - ## - ## -@@ -13,118 +13,101 @@ - # - template(`apache_content_template',` - gen_require(` -- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; -- attribute httpd_script_domains, httpd_htaccess_type; -- type httpd_t, httpd_suexec_t; -+ attribute httpd_exec_scripts, httpd_script_exec_type; -+ type httpd_t, httpd_suexec_t, httpd_log_t; -+ type httpd_sys_content_t; -+ attribute httpd_script_type, httpd_content_type; - ') - -- ######################################## -- # -- # Declarations -- # -- -- ## -- ##

    -- ## Determine whether the script domain can -- ## modify public files used for public file -- ## transfer services. Directories/Files must -- ## be labeled public_content_rw_t. -- ##

    -- ##
    -- gen_tunable(allow_httpd_$1_script_anon_write, false) -- -- type httpd_$1_content_t, httpdcontent; # customizable -+ #This type is for webpages -+ type httpd_$1_content_t; # customizable; -+ typeattribute httpd_$1_content_t httpd_content_type; - typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - files_type(httpd_$1_content_t) - -- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; -+ # This type is used for .htaccess files -+ type httpd_$1_htaccess_t, httpd_content_type; # customizable; -+ typeattribute httpd_$1_htaccess_t httpd_content_type; - files_type(httpd_$1_htaccess_t) - -- type httpd_$1_script_t, httpd_script_domains; -+ # Type that CGI scripts run as -+ type httpd_$1_script_t, httpd_script_type; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - -+ kernel_read_system_state(httpd_$1_script_t) -+ -+ # This type is used for executable scripts files - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; -- corecmd_shell_entry_type(httpd_$1_script_t) -+ typeattribute httpd_$1_script_exec_t httpd_content_type; - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - -- type httpd_$1_rw_content_t, httpdcontent; # customizable -+ type httpd_$1_rw_content_t; # customizable -+ typeattribute httpd_$1_rw_content_t httpd_content_type; - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) - -- type httpd_$1_ra_content_t, httpdcontent; # customizable -+ type httpd_$1_ra_content_t, httpd_content_type; # customizable -+ typeattribute httpd_$1_ra_content_t httpd_content_type; - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) - -- ######################################## -- # -- # Policy -- # -+ # Allow the script process to search the cgi directory, and users directory -+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; - - 
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - -- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; -- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; -- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; -+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - -- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; -- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; -- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; -+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) -- -- allow { httpd_t httpd_suexec_t } 
httpd_$1_content_t:dir list_dir_perms; -- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; -- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; -- -- tunable_policy(`allow_httpd_$1_script_anon_write',` -- miscfiles_manage_public_files(httpd_$1_script_t) -- ') - -+ # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - -- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; -- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; -- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; -- ') -+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms }; -+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - -- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',` -- can_exec(httpd_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; -- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) -- ') - -- tunable_policy(`httpd_enable_cgi && 
httpd_tmp_exec',` -- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) -- ') -+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -- tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; -- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; -- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; -- ') -+ # privileged users run the script: -+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) -+ -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; - -- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` -- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ # apache runs the script: -+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) -+ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; - ') - ') - - ######################################## - ## --## Role access for apache. -+## Role access for apache - ## - ## - ## -@@ -133,47 +116,61 @@ template(`apache_content_template',` - ## - ## - ## --## User domain for the role. 
-+## User domain for the role - ## - ## - # - interface(`apache_role',` - gen_require(` - attribute httpdcontent; -- type httpd_user_content_t, httpd_user_htaccess_t; -- type httpd_user_script_t, httpd_user_script_exec_t; -- type httpd_user_ra_content_t, httpd_user_rw_content_t; -+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; -+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; - ') - - role $1 types httpd_user_script_t; - -- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; -- -- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; -- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- -- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; -- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- -- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; -- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- -- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; -- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- -- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") -- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") -- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") -- -- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") -- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, 
dir, "cgi-bin") -- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs") -+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; -+ -+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ -+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ -+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) -+ -+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -+ relabel_lnk_files_pattern($2, 
httpd_user_rw_content_t, httpd_user_rw_content_t) -+ -+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -+ -+ apache_exec_modules($2) -+ apache_filetrans_home_content($2) - - tunable_policy(`httpd_enable_cgi',` -+ # If a user starts a script by hand it gets the proper context - domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - -@@ -184,7 +181,7 @@ interface(`apache_role',` - - ######################################## - ## --## Read user httpd script executable files. -+## Read httpd user scripts executables. - ## - ## - ## -@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` - - ######################################## - ## --## Read user httpd content. -+## Read user web content. - ## - ## - ## -@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` - - ######################################## - ## --## Execute httpd with a domain transition. -+## Transition to apache. - ## - ## - ## -@@ -241,27 +238,47 @@ interface(`apache_domtrans',` - domtrans_pattern($1, httpd_exec_t, httpd_t) - ') - --######################################## -+###################################### - ## --## Execute httpd server in the httpd domain. -+## Allow the specified domain to execute apache -+## in the caller domain. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. 
- ## - ## - # --interface(`apache_initrc_domtrans',` -+interface(`apache_exec',` - gen_require(` -- type httpd_initrc_exec_t; -+ type httpd_exec_t; - ') - -- init_labeled_script_domtrans($1, httpd_initrc_exec_t) -+ can_exec($1, httpd_exec_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to execute apache suexec -+## in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_exec_suexec',` -+ gen_require(` -+ type httpd_suexec_exec_t; -+ ') -+ -+ can_exec($1, httpd_suexec_exec_t) - ') - - ####################################### - ## --## Send generic signals to httpd. -+## Send a generic signal to apache. - ## - ## - ## -@@ -279,7 +296,7 @@ interface(`apache_signal',` - - ######################################## - ## --## Send null signals to httpd. -+## Send a null signal to apache. - ## - ## - ## -@@ -297,7 +314,7 @@ interface(`apache_signull',` - - ######################################## - ## --## Send child terminated signals to httpd. -+## Send a SIGCHLD signal to apache. - ## - ## - ## -@@ -315,8 +332,7 @@ interface(`apache_sigchld',` - - ######################################## - ## --## Inherit and use file descriptors --## from httpd. -+## Inherit and use file descriptors from Apache. - ## - ## - ## -@@ -334,8 +350,8 @@ interface(`apache_use_fds',` - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unnamed pipes. -+## Do not audit attempts to read and write Apache -+## unnamed pipes. - ## - ## - ## -@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` - type httpd_t; - ') - -- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. -+## Do not audit attempts to read and write Apache -+## unix domain stream sockets. 
- ## - ## - ## -@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` - - ######################################## - ## --## Do not audit attempts to read and --## write httpd TCP sockets. -+## Do not audit attempts to read and write Apache -+## TCP sockets. - ## - ## - ## -@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` - - ######################################## - ## --## Create, read, write, and delete --## all httpd content. -+## Create, read, write, and delete all web content. - ## - ## - ## -@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` - - ######################################## - ## --## Set attributes httpd cache directories. -+## Allow domain to set the attributes -+## of the APACHE cache directory. - ## - ## - ## -@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` - - ######################################## - ## --## List httpd cache directories. -+## Allow the specified domain to list -+## Apache cache. - ## - ## - ## -@@ -453,7 +470,8 @@ interface(`apache_list_cache',` - - ######################################## - ## --## Read and write httpd cache files. -+## Allow the specified domain to read -+## and write Apache cache files. - ## - ## - ## -@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` - - ######################################## - ## --## Delete httpd cache directories. -+## Allow the specified domain to delete -+## Apache cache dirs. - ## - ## - ## -@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` - - ######################################## - ## --## Delete httpd cache files. -+## Allow the specified domain to delete -+## Apache cache. - ## - ## - ## -@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` - - ######################################## - ## --## Read httpd configuration files. -+## Allow the specified domain to search -+## apache configuration dirs. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## - # --interface(`apache_read_config',` -+interface(`apache_search_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) -- allow $1 httpd_config_t:dir list_dir_perms; -- read_files_pattern($1, httpd_config_t, httpd_config_t) -- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) -+ allow $1 httpd_config_t:dir search_dir_perms; - ') - - ######################################## - ## --## Search httpd configuration directories. -+## Allow the specified domain to read -+## apache configuration files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`apache_search_config',` -+interface(`apache_read_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) -- allow $1 httpd_config_t:dir search_dir_perms; -+ allow $1 httpd_config_t:dir list_dir_perms; -+ read_files_pattern($1, httpd_config_t, httpd_config_t) -+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## httpd configuration files. -+## Allow the specified domain to manage -+## apache configuration files. - ## - ## - ## -@@ -570,8 +592,8 @@ interface(`apache_manage_config',` - - ######################################## - ## --## Execute the Apache helper program --## with a domain transition. -+## Execute the Apache helper program with -+## a domain transition. - ## - ## - ## -@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` - # - interface(`apache_run_helper',` - gen_require(` -- attribute_role httpd_helper_roles; -+ type httpd_helper_t; - ') - - apache_domtrans_helper($1) -- roleattribute $2 httpd_helper_roles; -+ role $2 types httpd_helper_t; -+') -+ -+######################################## -+## -+## dontaudit attempts to read -+## apache log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`apache_dontaudit_read_log',` -+ gen_require(` -+ type httpd_log_t; -+ ') -+ -+ dontaudit $1 httpd_log_t:file read_file_perms; -+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Read httpd log files. -+## Allow the specified domain to read -+## apache log files. - ## - ## - ## -@@ -639,7 +683,8 @@ interface(`apache_read_log',` - - ######################################## - ## --## Append httpd log files. -+## Allow the specified domain to append -+## to apache log files. - ## - ## - ## -@@ -657,10 +702,29 @@ interface(`apache_append_log',` - append_files_pattern($1, httpd_log_t, httpd_log_t) - ') - -+####################################### -+## -+## Allow the specified domain to write -+## to apache log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_write_log',` -+ gen_require(` -+ type httpd_log_t; -+ ') -+ -+ allow $1 httpd_log_t:file write; -+') -+ - ######################################## - ## --## Do not audit attempts to append --## httpd log files. -+## Do not audit attempts to append to the -+## Apache logs. - ## - ## - ## -@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` - - ######################################## - ## --## Create, read, write, and delete --## httpd log files. -+## Allow the specified domain to manage -+## to apache log files. - ## - ## - ## -@@ -698,47 +762,49 @@ interface(`apache_manage_log',` - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) - ') - --####################################### -+######################################## - ## --## Write apache log files. -+## Do not audit attempts to search Apache -+## module directories. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`apache_write_log',` -+interface(`apache_dontaudit_search_modules',` - gen_require(` -- type httpd_log_t; -+ type httpd_modules_t; - ') - -- logging_search_logs($1) -- write_files_pattern($1, httpd_log_t, httpd_log_t) -+ dontaudit $1 httpd_modules_t:dir search_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to search --## httpd module directories. -+## Allow the specified domain to read -+## the apache module directories. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`apache_dontaudit_search_modules',` -+interface(`apache_read_modules',` - gen_require(` - type httpd_modules_t; - ') - -- dontaudit $1 httpd_modules_t:dir search_dir_perms; -+ read_files_pattern($1, httpd_modules_t, httpd_modules_t) - ') - - ######################################## - ## --## List httpd module directories. -+## Allow the specified domain to list -+## the contents of the apache modules -+## directory. - ## - ## - ## -@@ -752,11 +818,13 @@ interface(`apache_list_modules',` - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) - ') - - ######################################## - ## --## Execute httpd module files. -+## Allow the specified domain to execute -+## apache modules. - ## - ## - ## -@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` - - ######################################## - ## --## Read httpd module files. -+## Execute a domain transition to run httpd_rotatelogs. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
- ## - ## - # --interface(`apache_read_module_files',` -+interface(`apache_domtrans_rotatelogs',` - gen_require(` -- type httpd_modules_t; -+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - -- libs_search_lib($1) -- read_files_pattern($1, httpd_modules_t, httpd_modules_t) -+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) - ') - --######################################## -+####################################### - ## --## Execute a domain transition to --## run httpd_rotatelogs. -+## Execute httpd_rotatelogs in the caller domain. - ## - ## --## --## Domain allowed to transition. --## -+## -+## Domain allowed to transition. -+## - ## - # --interface(`apache_domtrans_rotatelogs',` -+interface(`apache_exec_rotatelogs',` -+ gen_require(` -+ type httpd_rotatelogs_exec_t; -+ ') -+ -+ can_exec($1, httpd_rotatelogs_exec_t) -+') -+ -+####################################### -+## -+## Execute httpd system scripts in the caller domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`apache_exec_sys_script',` - gen_require(` -- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; -+ type httpd_sys_script_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) -+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms; -+ can_exec($1, httpd_sys_script_exec_t) - ') - - ######################################## - ## --## List httpd system content directories. -+## Allow the specified domain to list -+## apache system content files. - ## - ## - ## -@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) -+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) - ') - - ######################################## - ## --## Create, read, write, and delete --## httpd system content files. -+## Allow the specified domain to manage -+## apache system content files. 
- ## - ## - ## -@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` - ## - ## - # -+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr - interface(`apache_manage_sys_content',` - gen_require(` - type httpd_sys_content_t; -@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - ') - --######################################## -+###################################### - ## --## Create, read, write, and delete --## httpd system rw content. -+## Allow the specified domain to read -+## apache system content rw files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+# -+interface(`apache_read_sys_content_rw_files',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to manage -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## - # --interface(`apache_manage_sys_rw_content',` -+interface(`apache_manage_sys_content_rw',` - gen_require(` - type httpd_sys_rw_content_t; - ') - -- apache_search_sys_content($1) -+ files_search_var($1) - manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - ') - - ######################################## - ## --## Execute all httpd scripts in the --## system script domain. -+## Allow the specified domain to delete -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_delete_sys_content_rw',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ files_search_tmp($1) -+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+######################################## -+## -+## Execute all web scripts in the system -+## script domain. 
- ## - ## - ## -@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` - ## - ## - # -+# cjp: this interface specifically added to allow -+# sysadm_t to run scripts - interface(`apache_domtrans_sys_script',` - gen_require(` - attribute httpdcontent; -- type httpd_sys_script_t; -+ type httpd_sys_script_exec_t; -+ type httpd_sys_script_t, httpd_sys_content_t; -+ ') -+ -+ tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` - - ######################################## - ## --## Do not audit attempts to read and --## write httpd system script unix --## domain stream sockets. -+## Do not audit attempts to read and write Apache -+## system script unix domain stream sockets. - ## - ## - ## -@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` - ######################################## - ## - ## Execute all user scripts in the user --## script domain. Add user script domains -+## script domain. Add user script domains - ## to the specified role. - ## - ## -@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` - ## Role allowed access. - ## - ## -+## - # - interface(`apache_run_all_scripts',` - gen_require(` -@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` - - ######################################## - ## --## Read httpd squirrelmail data files. -+## Allow the specified domain to read -+## apache squirrelmail data. - ## - ## - ## -@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` - type httpd_squirrelmail_t; - ') - -- allow $1 httpd_squirrelmail_t:file read_file_perms; -+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) - ') - - ######################################## - ## --## Append httpd squirrelmail data files. -+## Allow the specified domain to append -+## apache squirrelmail data. 
- ## - ## - ## -@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` - - ######################################## - ## --## Search httpd system content. -+## Search apache system content. - ## - ## - ## -@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` - type httpd_sys_content_t; - ') - -- files_search_var($1) - allow $1 httpd_sys_content_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read httpd system content. -+## Read apache system content. - ## - ## - ## -@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` - - ######################################## - ## --## Search httpd system CGI directories. -+## Search apache system CGI directories. - ## - ## - ## -@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` - - ######################################## - ## --## Create, read, write, and delete all --## user httpd content. -+## Create, read, write, and delete all user web content. - ## - ## - ## -@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` - ## - # - interface(`apache_manage_all_user_content',` -- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.') -- apache_manage_all_content($1) -+ gen_require(` -+ attribute httpd_user_content_type, httpd_user_script_exec_type; -+ ') -+ -+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) -+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) -+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) -+ -+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) -+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) - ') - - ######################################## - ## --## Search system script state directories. -+## Search system script state directory. 
- ## - ## - ## -@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` - - ######################################## - ## --## Read httpd tmp files. -+## Allow the specified domain to read -+## apache tmp files. - ## - ## - ## -@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` - read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) - ') - -+###################################### -+## -+## Dontaudit attempts to read and write -+## apache tmp files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`apache_dontaudit_rw_tmp_files',` -+ gen_require(` -+ type httpd_tmp_t; -+ ') -+ -+ dontaudit $1 httpd_tmp_t:file { read write }; -+') -+ - ######################################## - ## --## Do not audit attempts to write --## httpd tmp files. -+## Dontaudit attempts to write -+## apache tmp files. - ## - ## - ## -@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` - type httpd_tmp_t; - ') - -- dontaudit $1 httpd_tmp_t:file write_file_perms; -+ dontaudit $1 httpd_tmp_t:file write; - ') - - ######################################## -@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` - ## - ## - ##

    -+## Execute CGI in the specified domain. -+##

    -+##

    - ## This is an interface to support third party modules - ## and its use is not allowed in upstream reference - ## policy. -@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` - - ######################################## - ##

    --## All of the rules required to --## administrate an apache environment. -+## Execute httpd server in the httpd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`apache_systemctl',` -+ gen_require(` -+ type httpd_t; -+ type httpd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 httpd_unit_file_t:file read_file_perms; -+ allow $1 httpd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, httpd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate an apache environment - ## - ## - ## -@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` - interface(`apache_admin',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; -- attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_config_t, httpd_log_t; -- type httpd_modules_t, httpd_lock_t, httpd_helper_t; -- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t; -- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; -- type httpd_initrc_exec_t, httpd_suexec_t; -+ type httpd_modules_t, httpd_lock_t, httpd_bool_t; -+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; -+ type httpd_suexec_tmp_t, httpd_tmp_t; -+ type httpd_unit_file_t; - ') - -- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; -- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) -- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) -+ allow $1 httpd_t:process signal_perms; -+ ps_process_pattern($1, httpd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -1204,10 +1419,10 @@ interface(`apache_admin',` - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - -- 
files_search_etc($1) -- admin_pattern($1, { httpd_config_t httpd_keytab_t }) -+ files_list_etc($1) -+ admin_pattern($1, httpd_config_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1433,129 @@ interface(`apache_admin',` - admin_pattern($1, httpd_var_run_t) - files_pid_filetrans($1, httpd_var_run_t, file) - -- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) -- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) -+ admin_pattern($1, httpdcontent) -+ admin_pattern($1, httpd_script_exec_type) -+ -+ seutil_domtrans_setfiles($1) -+ -+ files_list_tmp($1) -+ admin_pattern($1, httpd_tmp_t) -+ admin_pattern($1, httpd_php_tmp_t) -+ admin_pattern($1, httpd_suexec_tmp_t) -+ -+ apache_systemctl($1) -+ admin_pattern($1, httpd_unit_file_t) -+ allow $1 httpd_unit_file_t:service all_service_perms; -+ -+ apache_filetrans_named_content($1) -+') -+ -+######################################## -+## -+## dontaudit read and write an leaked file descriptors -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`apache_dontaudit_leaks',` -+ gen_require(` -+ type httpd_t; -+ type httpd_tmp_t; -+ ') -+ -+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit $1 httpd_t:tcp_socket { read write }; -+ dontaudit $1 httpd_t:unix_dgram_socket { read write }; -+ dontaudit $1 httpd_t:unix_stream_socket { read write }; -+ dontaudit $1 httpd_tmp_t:file { read write }; -+') -+ -+######################################## -+## -+## Transition to apache named content -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`apache_filetrans_named_content',`
-+ gen_require(`
-+ type httpd_sys_content_t, httpd_sys_rw_content_t;
-+ type httpd_tmp_t;
-+ ')
-+
-+
-+ apache_filetrans_home_content($1)
-+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
-+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
-+')
-+
-+########################################
-+##
-+## Allow any httpd_exec_t to be an entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`apache_entrypoint',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
-+ allow $1 httpd_exec_t:file entrypoint;
-+')
-+
-+########################################
-+##
-+## Execute a httpd_exec_t in the specified domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`apache_exec_domtrans',`
-+ gen_require(`
-+ type httpd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, httpd_exec_t, $2)
-+')
-+
-+########################################
-+##
-+## Transition to apache home content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`apache_filetrans_home_content',`
-+ gen_require(`
-+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
-+ type httpd_user_content_ra_t;
-+ ')
- 
-- apache_run_all_scripts($1, $2)
-- apache_run_helper($1, $2)
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
-+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
-+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
-+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
- ')
-diff --git a/apache.te b/apache.te
-index 1a82e29..bfe87eb 100644
---- a/apache.te
-+++ b/apache.te
-@@ -1,297 +1,367 @@
--policy_module(apache, 2.6.10)
-+policy_module(apache, 2.4.0)
-+
-+#
-+# NOTES:
-+# This policy will work with SUEXEC enabled as part of the Apache
-+# configuration. However, the user CGI scripts will run under the
-+# system_u:system_r:httpd_user_script_t.
-+#
-+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
-+# type, and the directory containing the scripts should also be labeled
-+# with these types. This policy allows the user role to perform that
-+# relabeling. If it is desired that only admin role should be able to relabel
-+# the user CGI scripts, then relabel rule for user roles should be removed.
-+#
- 
- ########################################
- #
- # Declarations
- #
- 
-+selinux_genbool(httpd_bool_t)
-+
- ##
--##

    --## Determine whether httpd can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. --##

    -+##

    -+## Allow Apache to modify public files -+## used for public file transfer services. Directories/Files must -+## be labeled public_content_rw_t. -+##

    - ##
    --gen_tunable(allow_httpd_anon_write, false) -+gen_tunable(httpd_anon_write, false) - - ## --##

    --## Determine whether httpd can use mod_auth_pam. --##

    -+##

    -+## Allow Apache to use mod_auth_pam -+##

    - ##
    --gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_mod_auth_pam, false) - - ## --##

    --## Determine whether httpd can use built in scripting. --##

    -+##

    -+## Allow Apache to use mod_auth_ntlm_winbind -+##

    - ##
    --gen_tunable(httpd_builtin_scripting, false) -+gen_tunable(httpd_mod_auth_ntlm_winbind, false) - - ## --##

    --## Determine whether httpd can check spam. --##

    -+##

    -+## Allow httpd scripts and modules execmem/execstack -+##

    - ##
    --gen_tunable(httpd_can_check_spam, false) -+gen_tunable(httpd_execmem, false) - - ## --##

    --## Determine whether httpd scripts and modules --## can connect to the network using TCP. --##

    -+##

    -+## Allow httpd processes to manage IPA content -+##

    -+##
    -+gen_tunable(httpd_manage_ipa, false) -+ -+## -+##

    -+## Allow httpd to use built in scripting (usually php) -+##

    -+##
    -+gen_tunable(httpd_builtin_scripting, false) -+ -+## -+##

    -+## Allow HTTPD scripts and modules to connect to the network using TCP. -+##

    - ##
    - gen_tunable(httpd_can_network_connect, false) - - ## --##

    --## Determine whether httpd scripts and modules --## can connect to cobbler over the network. --##

    -+##

    -+## Allow HTTPD scripts and modules to connect to cobbler over the network. -+##

    - ##
    - gen_tunable(httpd_can_network_connect_cobbler, false) - - ## --##

    --## Determine whether scripts and modules can --## connect to databases over the network. --##

    -+##

    -+## Allow HTTPD scripts and modules to server cobbler files. -+##

    - ##
    --gen_tunable(httpd_can_network_connect_db, false) -+gen_tunable(httpd_serve_cobbler_files, false) - - ## --##

    --## Determine whether httpd can connect to --## ldap over the network. --##

    -+##

    -+## Allow HTTPD to connect to port 80 for graceful shutdown -+##

    - ##
    --gen_tunable(httpd_can_network_connect_ldap, false) -+gen_tunable(httpd_graceful_shutdown, false) - - ## --##

    --## Determine whether httpd can connect --## to memcache server over the network. --##

    -+##

    -+## Allow HTTPD scripts and modules to connect to databases over the network. -+##

    - ##
    --gen_tunable(httpd_can_network_connect_memcache, false) -+gen_tunable(httpd_can_network_connect_db, false) - - ## --##

    --## Determine whether httpd can act as a relay. --##

    -+##

    -+## Allow httpd to connect to memcache server -+##

    -+##
    -+gen_tunable(httpd_can_network_memcache, false) -+ -+## -+##

    -+## Allow httpd to act as a relay -+##

    - ##
    - gen_tunable(httpd_can_network_relay, false) - - ## --##

    --## Determine whether httpd daemon can --## connect to zabbix over the network. --##

    -+##

    -+## Allow http daemon to connect to zabbix -+##

    - ##
    --gen_tunable(httpd_can_network_connect_zabbix, false) -+gen_tunable(httpd_can_connect_zabbix, false) - - ## --##

    --## Determine whether httpd can send mail. --##

    -+##

    -+## Allow http daemon to connect to mythtv -+##

    - ##
    --gen_tunable(httpd_can_sendmail, false) -+gen_tunable(httpd_can_connect_mythtv, false) - - ## --##

    --## Determine whether httpd can communicate --## with avahi service via dbus. --##

    -+##

    -+## Allow http daemon to check spam -+##

    - ##
    --gen_tunable(httpd_dbus_avahi, false) -+gen_tunable(httpd_can_check_spam, false) - - ## --##

    --## Determine wether httpd can use support. --##

    -+##

    -+## Allow http daemon to send mail -+##

    - ##
    --gen_tunable(httpd_enable_cgi, false) -+gen_tunable(httpd_can_sendmail, false) - - ## --##

    --## Determine whether httpd can act as a --## FTP server by listening on the ftp port. --##

    -+##

    -+## Allow Apache to communicate with avahi service via dbus -+##

    - ##
    --gen_tunable(httpd_enable_ftp_server, false) -+gen_tunable(httpd_dbus_avahi, false) - - ## --##

    --## Determine whether httpd can traverse --## user home directories. --##

    -+##

    -+## Allow httpd cgi support -+##

    - ##
    --gen_tunable(httpd_enable_homedirs, false) -+gen_tunable(httpd_enable_cgi, false) - - ## --##

    --## Determine whether httpd gpg can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. --##

    -+##

    -+## Allow httpd to act as a FTP server by -+## listening on the ftp port. -+##

    - ##
    --gen_tunable(httpd_gpg_anon_write, false) -+gen_tunable(httpd_enable_ftp_server, false) - - ## --##

    --## Determine whether httpd can execute --## its temporary content. --##

    -+##

    -+## Allow httpd to act as a FTP client -+## connecting to the ftp port and ephemeral ports -+##

    - ##
    --gen_tunable(httpd_tmp_exec, false) -+gen_tunable(httpd_can_connect_ftp, false) - - ## --##

    --## Determine whether httpd scripts and --## modules can use execmem and execstack. --##

    -+##

    -+## Allow httpd to connect to the ldap port -+##

    - ##
    --gen_tunable(httpd_execmem, false) -+gen_tunable(httpd_can_connect_ldap, false) - - ## --##

    --## Determine whether httpd can connect --## to port 80 for graceful shutdown. --##

    -+##

    -+## Allow httpd to read home directories -+##

    - ##
    --gen_tunable(httpd_graceful_shutdown, false) -+gen_tunable(httpd_enable_homedirs, false) - - ## --##

    --## Determine whether httpd can --## manage IPA content files. --##

    -+##

    -+## Allow httpd to read user content -+##

    - ##
    --gen_tunable(httpd_manage_ipa, false) -+gen_tunable(httpd_read_user_content, false) - - ## --##

    --## Determine whether httpd can use mod_auth_ntlm_winbind. --##

    -+##

    -+## Allow Apache to run in stickshift mode, not transition to passenger -+##

    - ##
    --gen_tunable(httpd_mod_auth_ntlm_winbind, false) -+gen_tunable(httpd_run_stickshift, false) - - ## --##

    --## Determine whether httpd can read --## generic user home content files. --##

    -+##

    -+## Allow Apache to query NS records -+##

    - ##
    --gen_tunable(httpd_read_user_content, false) -+gen_tunable(httpd_verify_dns, false) - - ## --##

    --## Determine whether httpd can change --## its resource limits. --##

    -+##

    -+## Allow httpd daemon to change its resource limits -+##

    - ##
    - gen_tunable(httpd_setrlimit, false) - - ## --##

    --## Determine whether httpd can run --## SSI executables in the same domain --## as system CGI scripts. --##

    -+##

    -+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. -+##

    - ##
    - gen_tunable(httpd_ssi_exec, false) - - ## --##

    --## Determine whether httpd can communicate --## with the terminal. Needed for entering the --## passphrase for certificates at the terminal. --##

    -+##

    -+## Allow Apache to execute tmp content. -+##

    -+##
    -+gen_tunable(httpd_tmp_exec, false) -+ -+## -+##

    -+## Unify HTTPD to communicate with the terminal. -+## Needed for entering the passphrase for certificates at -+## the terminal. -+##

    - ##
    - gen_tunable(httpd_tty_comm, false) - - ## --##

    --## Determine whether httpd can have full access --## to its content types. --##

    -+##

    -+## Unify HTTPD handling of all content files. -+##

    - ##
    - gen_tunable(httpd_unified, false) - - ## --##

    --## Determine whether httpd can use --## cifs file systems. --##

    -+##

    -+## Allow httpd to access openstack ports -+##

    -+##
    -+gen_tunable(httpd_use_openstack, false) -+ -+## -+##

    -+## Allow httpd to access cifs file systems -+##

    - ##
    - gen_tunable(httpd_use_cifs, false) - - ## - ##

    --## Determine whether httpd can --## use fuse file systems. -+## Allow httpd to access FUSE file systems - ##

    - ##
    - gen_tunable(httpd_use_fusefs, false) - - ## --##

    --## Determine whether httpd can use gpg. --##

    -+##

    -+## Allow httpd to run gpg -+##

    - ##
    - gen_tunable(httpd_use_gpg, false) - - ## --##

    --## Determine whether httpd can use --## nfs file systems. --##

    -+##

    -+## Allow httpd to connect to sasl -+##

    -+##
    -+gen_tunable(httpd_use_sasl, false) -+ -+## -+##

    -+## Allow httpd to access nfs file systems -+##

    - ##
    - gen_tunable(httpd_use_nfs, false) - -+## -+##

    -+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t. -+##

    -+##
-+gen_tunable(httpd_sys_script_anon_write, false)
-+
- attribute httpdcontent;
--attribute httpd_htaccess_type;
-+attribute httpd_user_content_type;
-+attribute httpd_content_type;
- 
--# domains that can exec all scripts
-+# domains that can exec all users scripts
- attribute httpd_exec_scripts;
- 
-+attribute httpd_script_type;
- attribute httpd_script_exec_type;
-+attribute httpd_user_script_exec_type;
- 
--# all script domains
-+# user script domains
- attribute httpd_script_domains;
- 
--attribute_role httpd_helper_roles;
--roleattribute system_r httpd_helper_roles;
--
- 
- type httpd_t;
- type httpd_exec_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_t alias phpfpm_t;
-+ typealias httpd_exec_t alias phpfpm_exec_t;
-+')
- init_daemon_domain(httpd_t, httpd_exec_t)
-+role system_r types httpd_t;
- 
-+# httpd_cache_t is the type given to the /var/cache/httpd
-+# directory and the files under that directory
- type httpd_cache_t;
- files_type(httpd_cache_t)
- 
-+# httpd_config_t is the type given to the configuration files
- type httpd_config_t;
- files_config_file(httpd_config_t)
- 
- type httpd_helper_t;
- type httpd_helper_exec_t;
--application_domain(httpd_helper_t, httpd_helper_exec_t)
--role httpd_helper_roles types httpd_helper_t;
-+domain_type(httpd_helper_t)
-+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
-+role system_r types httpd_helper_t;
- 
- type httpd_initrc_exec_t;
- init_script_file(httpd_initrc_exec_t)
- 
-+type httpd_unit_file_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
-+')
-+systemd_unit_file(httpd_unit_file_t)
-+
- type httpd_lock_t;
- files_lock_file(httpd_lock_t)
- 
- type httpd_log_t;
-+ifdef(`distro_redhat',`
-+ typealias httpd_log_t alias phpfpm_log_t;
-+')
- logging_log_file(httpd_log_t)
- 
-+# httpd_modules_t is the type given to module files (libraries)
-+# that come with Apache /etc/httpd/modules and /usr/lib/apache
- type httpd_modules_t;
- files_type(httpd_modules_t)
- 
-+type httpd_php_t;
-+type httpd_php_exec_t; -+domain_type(httpd_php_t) -+domain_entry_file(httpd_php_t, httpd_php_exec_t) -+role system_r types httpd_php_t; -+ -+type httpd_php_tmp_t; -+files_tmp_file(httpd_php_tmp_t) -+ - type httpd_rotatelogs_t; - type httpd_rotatelogs_exec_t; - init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) - type httpd_squirrelmail_t; - files_type(httpd_squirrelmail_t) - --type squirrelmail_spool_t; --files_tmp_file(squirrelmail_spool_t) -- --type httpd_suexec_t; -+# SUEXEC runs user scripts as their own user ID -+type httpd_suexec_t; #, daemon; - type httpd_suexec_exec_t; - domain_type(httpd_suexec_t) - domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; - type httpd_suexec_tmp_t; - files_tmp_file(httpd_suexec_tmp_t) - -+# setup the system domain for system CGI scripts - apache_content_template(sys) --corecmd_shell_entry_type(httpd_sys_script_t) --typealias httpd_sys_content_t alias ntop_http_content_t; -+ -+typeattribute httpd_sys_content_t httpdcontent; # customizable -+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable -+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable -+ -+# Removal of fastcgi, will cause problems without the following -+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; -+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; -+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; -+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; -+typealias httpd_sys_script_t alias httpd_fastcgi_script_t; - - type httpd_tmp_t; - files_tmp_file(httpd_tmp_t) -@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) - - apache_content_template(user) - ubac_constrained(httpd_user_script_t) -+ -+typeattribute httpd_user_content_t httpdcontent; -+typeattribute 
httpd_user_rw_content_t httpdcontent; -+typeattribute httpd_user_ra_content_t httpdcontent; -+ - userdom_user_home_content(httpd_user_content_t) - userdom_user_home_content(httpd_user_htaccess_t) - userdom_user_home_content(httpd_user_script_exec_t) - userdom_user_home_content(httpd_user_ra_content_t) - userdom_user_home_content(httpd_user_rw_content_t) -+typeattribute httpd_user_script_t httpd_script_domains; - typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; -+typealias httpd_user_content_t alias httpd_unconfined_content_t; - typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; - typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; - typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad - typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; - typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; - -+# for apache2 memory mapped files - type httpd_var_lib_t; - files_type(httpd_var_lib_t) - - type httpd_var_run_t; -+ifdef(`distro_redhat',` -+ typealias httpd_var_run_t alias phpfpm_var_run_t; -+') - files_pid_file(httpd_var_run_t) - --type httpd_passwd_t; --type httpd_passwd_exec_t; --domain_type(httpd_passwd_t) --domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t) --role system_r types httpd_passwd_t; -+# Removal of fastcgi, will cause problems without the following -+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; - --type httpd_gpg_t; --domain_type(httpd_gpg_t) --role system_r types httpd_gpg_t; -+# File Type of squirrelmail attachments -+type squirrelmail_spool_t; -+files_tmp_file(squirrelmail_spool_t) -+files_spool_file(squirrelmail_spool_t) - - optional_policy(` - prelink_object_file(httpd_modules_t) - ') - -+type 
httpd_passwd_t; -+type httpd_passwd_exec_t; -+application_domain(httpd_passwd_t, httpd_passwd_exec_t) -+role system_r types httpd_passwd_t; -+ - ######################################## - # --# Local policy -+# Apache server local policy - # - - allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; --dontaudit httpd_t self:capability net_admin; -+dontaudit httpd_t self:capability { net_admin sys_tty_config }; - allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow httpd_t self:fd use; - allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; - allow httpd_t self:sem create_sem_perms; - allow httpd_t self:msgq create_msgq_perms; - allow httpd_t self:msg { send receive }; --allow httpd_t self:unix_dgram_socket sendto; --allow httpd_t self:unix_stream_socket { accept connectto listen }; --allow httpd_t self:tcp_socket { accept listen }; -+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow httpd_t self:tcp_socket create_stream_socket_perms; -+allow httpd_t self:udp_socket create_socket_perms; -+dontaudit httpd_t self:netlink_audit_socket create_socket_perms; - -+# Allow httpd_t to put files in /var/cache/httpd etc - manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) - manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) - manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) --files_var_filetrans(httpd_t, httpd_cache_t, dir) -+files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) - -+# Allow the httpd_t to read the web servers config files - allow httpd_t httpd_config_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) - read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) - -+can_exec(httpd_t, httpd_exec_t) -+ - allow httpd_t 
httpd_lock_t:file manage_file_perms; - files_lock_filetrans(httpd_t, httpd_lock_t, file) - --allow httpd_t httpd_log_t:dir setattr_dir_perms; -+allow httpd_t httpd_log_t:dir setattr; - create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) - create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -+# cjp: need to refine create interfaces to -+# cut this back to add_name only - logging_log_filetrans(httpd_t, httpd_log_t, file) - - allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - -+apache_domtrans_rotatelogs(httpd_t) -+# Apache-httpd needs to be able to send signals to the log rotate procs. - allow httpd_t httpd_rotatelogs_t:process signal_perms; - - manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) - - allow httpd_t httpd_suexec_exec_t:file read_file_perms; - -+allow httpd_t httpd_sys_content_t:dir list_dir_perms; -+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -+ - allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; - - manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - --can_exec(httpd_t, httpd_exec_t) -- --domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) 
--domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) --domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) --domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -- - kernel_read_kernel_sysctls(httpd_t) --kernel_read_network_state(httpd_t) -+# for modules that want to access /proc/meminfo - kernel_read_system_state(httpd_t) -+kernel_read_network_state(httpd_t) - kernel_search_network_sysctl(httpd_t) - --corenet_all_recvfrom_unlabeled(httpd_t) - corenet_all_recvfrom_netlabel(httpd_t) - corenet_tcp_sendrecv_generic_if(httpd_t) -+corenet_udp_sendrecv_generic_if(httpd_t) - corenet_tcp_sendrecv_generic_node(httpd_t) -+corenet_udp_sendrecv_generic_node(httpd_t) -+corenet_tcp_sendrecv_all_ports(httpd_t) -+corenet_udp_sendrecv_all_ports(httpd_t) - corenet_tcp_bind_generic_node(httpd_t) -- --corenet_sendrecv_http_server_packets(httpd_t) -+corenet_udp_bind_generic_node(httpd_t) - corenet_tcp_bind_http_port(httpd_t) --corenet_tcp_sendrecv_http_port(httpd_t) -- --corenet_sendrecv_http_cache_server_packets(httpd_t) -+corenet_udp_bind_http_port(httpd_t) - corenet_tcp_bind_http_cache_port(httpd_t) --corenet_tcp_sendrecv_http_cache_port(httpd_t) -- --corecmd_exec_bin(httpd_t) --corecmd_exec_shell(httpd_t) -+corenet_tcp_bind_ntop_port(httpd_t) -+corenet_tcp_bind_jboss_management_port(httpd_t) -+corenet_tcp_bind_jboss_messaging_port(httpd_t) -+corenet_sendrecv_http_server_packets(httpd_t) -+corenet_tcp_bind_puppet_port(httpd_t) -+# Signal self for shutdown -+tunable_policy(`httpd_graceful_shutdown',` -+ corenet_tcp_connect_http_port(httpd_t) -+') - - dev_read_sysfs(httpd_t) - dev_read_rand(httpd_t) - dev_read_urand(httpd_t) - dev_rw_crypto(httpd_t) - --domain_use_interactive_fds(httpd_t) -- - fs_getattr_all_fs(httpd_t) - fs_search_auto_mountpoints(httpd_t) -- --fs_getattr_all_fs(httpd_t) --fs_read_anon_inodefs_files(httpd_t) - fs_read_iso9660_files(httpd_t) --fs_search_auto_mountpoints(httpd_t) -+fs_rw_anon_inodefs_files(httpd_t) 
-+fs_read_hugetlbfs_files(httpd_t) -+ -+auth_use_nsswitch(httpd_t) -+ -+application_exec_all(httpd_t) -+ -+# execute perl -+corecmd_exec_bin(httpd_t) -+corecmd_exec_shell(httpd_t) -+ -+domain_use_interactive_fds(httpd_t) -+domain_dontaudit_read_all_domains_state(httpd_t) - - files_dontaudit_getattr_all_pids(httpd_t) --files_read_usr_files(httpd_t) -+files_exec_usr_files(httpd_t) - files_list_mnt(httpd_t) -+files_read_mnt_symlinks(httpd_t) - files_search_spool(httpd_t) - files_read_var_symlinks(httpd_t) - files_read_var_lib_files(httpd_t) - files_search_home(httpd_t) - files_getattr_home_dir(httpd_t) -+# for modules that want to access /etc/mtab - files_read_etc_runtime_files(httpd_t) -+# Allow httpd_t to have access to files such as nisswitch.conf -+# for tomcat - files_read_var_lib_symlinks(httpd_t) - --auth_use_nsswitch(httpd_t) -+fs_search_auto_mountpoints(httpd_sys_script_t) -+# php uploads a file to /tmp and then execs programs to acton them -+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - libs_read_lib_files(httpd_t) - -+ifdef(`hide_broken_symptoms',` -+ libs_exec_lib_files(httpd_t) -+') -+ - logging_send_syslog_msg(httpd_t) - --miscfiles_read_localization(httpd_t) -+init_dontaudit_read_utmp(httpd_t) -+ - miscfiles_read_fonts(httpd_t) - miscfiles_read_public_files(httpd_t) - miscfiles_read_generic_certs(httpd_t) - miscfiles_read_tetex_data(httpd_t) -- --seutil_dontaudit_search_config(httpd_t) -+miscfiles_dontaudit_access_check_cert(httpd_t) - - userdom_use_unpriv_users_fds(httpd_t) - --ifdef(`TODO',` -- 
tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) -+tunable_policy(`httpd_setrlimit',` -+ allow httpd_t self:process setrlimit; -+ allow httpd_t self:capability sys_resource; -+') - -- logging_send_audit_msgs(httpd_t) -- ') -+tunable_policy(`httpd_anon_write',` -+ miscfiles_manage_public_files(httpd_t) - ') - --ifdef(`hide_broken_symptoms',` -- libs_exec_lib_files(httpd_t) -+# -+# We need optionals to be able to be within booleans to make this work -+# -+tunable_policy(`httpd_mod_auth_pam',` -+ auth_domtrans_chkpwd(httpd_t) -+ logging_send_audit_msgs(httpd_t) - ') - --tunable_policy(`allow_httpd_anon_write',` -- miscfiles_manage_public_files(httpd_t) -+optional_policy(` -+ tunable_policy(`httpd_mod_auth_ntlm_winbind',` -+ samba_domtrans_winbind_helper(httpd_t) -+ ') - ') - - tunable_policy(`httpd_can_network_connect',` -- corenet_sendrecv_all_client_packets(httpd_t) - corenet_tcp_connect_all_ports(httpd_t) -- corenet_tcp_sendrecv_all_ports(httpd_t) - ') - - tunable_policy(`httpd_can_network_connect_db',` -- corenet_sendrecv_gds_db_client_packets(httpd_t) - corenet_tcp_connect_gds_db_port(httpd_t) -- corenet_tcp_sendrecv_gds_db_port(httpd_t) -- corenet_sendrecv_mssql_client_packets(httpd_t) - corenet_tcp_connect_mssql_port(httpd_t) -- corenet_tcp_sendrecv_mssql_port(httpd_t) -- corenet_sendrecv_oracledb_client_packets(httpd_t) -- corenet_tcp_connect_oracledb_port(httpd_t) -- corenet_tcp_sendrecv_oracledb_port(httpd_t) -+ corenet_sendrecv_mssql_client_packets(httpd_t) -+ corenet_tcp_connect_oracle_port(httpd_t) -+ corenet_sendrecv_oracle_client_packets(httpd_t) -+') -+ -+tunable_policy(`httpd_can_network_memcache',` -+ corenet_tcp_connect_memcache_port(httpd_t) - ') - - tunable_policy(`httpd_can_network_relay',` -- corenet_sendrecv_gopher_client_packets(httpd_t) -+ # allow httpd to work as a relay - corenet_tcp_connect_gopher_port(httpd_t) -- corenet_tcp_sendrecv_gopher_port(httpd_t) -- corenet_sendrecv_ftp_client_packets(httpd_t) - 
corenet_tcp_connect_ftp_port(httpd_t) -- corenet_tcp_sendrecv_ftp_port(httpd_t) -- corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) -- corenet_tcp_sendrecv_http_port(httpd_t) -- corenet_sendrecv_http_cache_client_packets(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) -- corenet_tcp_sendrecv_http_cache_port(httpd_t) -- corenet_sendrecv_squid_client_packets(httpd_t) - corenet_tcp_connect_squid_port(httpd_t) -- corenet_tcp_sendrecv_squid_port(httpd_t) -+ corenet_tcp_connect_memcache_port(httpd_t) -+ corenet_sendrecv_gopher_client_packets(httpd_t) -+ corenet_sendrecv_ftp_client_packets(httpd_t) -+ corenet_sendrecv_http_client_packets(httpd_t) -+ corenet_sendrecv_http_cache_client_packets(httpd_t) -+ corenet_sendrecv_squid_client_packets(httpd_t) -+ corenet_tcp_connect_all_ephemeral_ports(httpd_t) - ') - --tunable_policy(`httpd_builtin_scripting',` -- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) -+tunable_policy(`httpd_execmem',` -+ allow httpd_t self:process { execmem execstack }; -+ allow httpd_sys_script_t self:process { execmem execstack }; -+ allow httpd_suexec_t self:process { execmem execstack }; -+') - -- allow httpd_t httpdcontent:dir list_dir_perms; -- allow httpd_t httpdcontent:file read_file_perms; -- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; -+tunable_policy(`httpd_enable_cgi && httpd_unified',` -+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; -+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) -+ can_exec(httpd_sys_script_t, httpd_sys_content_t) - ') - --tunable_policy(`httpd_enable_cgi',` -- allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; -- allow httpd_t httpd_script_exec_type:dir list_dir_perms; -+tunable_policy(`httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 
+722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` - fs_cifs_domtrans(httpd_t, httpd_sys_script_t) - ') - --# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` --# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) --# ') -+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` -+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) -+') - - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) -+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) -+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) -+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) -- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) -+') -+ -+tunable_policy(`httpd_can_connect_ftp',` -+ corenet_tcp_connect_ftp_port(httpd_t) -+ corenet_tcp_connect_all_ephemeral_ports(httpd_t) -+') -+ -+tunable_policy(`httpd_can_connect_ldap',` -+ corenet_tcp_connect_ldap_port(httpd_t) -+') -+ -+tunable_policy(`httpd_can_connect_mythtv',` -+ corenet_tcp_connect_mythtv_port(httpd_t) -+') -+ -+tunable_policy(`httpd_can_connect_zabbix',` -+ corenet_tcp_connect_zabbix_port(httpd_t) - ') - - tunable_policy(`httpd_enable_ftp_server',` -- corenet_sendrecv_ftp_server_packets(httpd_t) - corenet_tcp_bind_ftp_port(httpd_t) -- corenet_tcp_sendrecv_ftp_port(httpd_t) -+ corenet_tcp_bind_all_ephemeral_ports(httpd_t) - ') - --tunable_policy(`httpd_enable_homedirs',` -- userdom_search_user_home_dirs(httpd_t) -+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` -+ can_exec(httpd_t, httpd_tmp_t) -+') -+ 
-+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
-+ can_exec(httpd_sys_script_t, httpd_tmp_t)
- ')
- 
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_symlinks(httpd_t)
- ')
- 
--tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_t)
--')
--
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-+tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
-- fs_read_cifs_files(httpd_t)
-- fs_read_cifs_symlinks(httpd_t)
-+ fs_manage_nfs_dirs(httpd_t)
-+ fs_manage_nfs_files(httpd_t)
-+ fs_manage_nfs_symlinks(httpd_t)
- ')
- 
--tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_t)
-+
-+tunable_policy(`httpd_use_nfs',`
-+ automount_search_tmp_dirs(httpd_t)
- ')
- 
--tunable_policy(`httpd_execmem',`
-- allow httpd_t self:process { execmem execstack };
-+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-+ fs_read_cifs_files(httpd_t)
-+ fs_read_cifs_symlinks(httpd_t)
- ')
- 
- tunable_policy(`httpd_can_sendmail',`
-- corenet_sendrecv_smtp_client_packets(httpd_t)
-+ # allow httpd to connect to mail servers
- corenet_tcp_connect_smtp_port(httpd_t)
-- corenet_tcp_sendrecv_smtp_port(httpd_t)
-- corenet_sendrecv_pop_client_packets(httpd_t)
-+ corenet_sendrecv_smtp_client_packets(httpd_t)
- corenet_tcp_connect_pop_port(httpd_t)
-- corenet_tcp_sendrecv_pop_port(httpd_t)
--
-+ corenet_sendrecv_pop_client_packets(httpd_t)
- mta_send_mail(httpd_t)
- mta_signal_system_mail(httpd_t)
-+ postfix_rw_spool_maildrop_files(httpd_t)
- ')
- 
--optional_policy(`
-- tunable_policy(`httpd_can_network_connect_zabbix',`
-- zabbix_tcp_connect(httpd_t)
-- ')
--')
--
--optional_policy(`
-- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-- spamassassin_domtrans_client(httpd_t)
-- ')
--')
--
--tunable_policy(`httpd_graceful_shutdown',` -- corenet_sendrecv_http_client_packets(httpd_t) -- corenet_tcp_connect_http_port(httpd_t) -- corenet_tcp_sendrecv_http_port(httpd_t) --') -- --optional_policy(` -- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` -- gpg_spec_domtrans(httpd_t, httpd_gpg_t) -- ') --') -- --optional_policy(` -- tunable_policy(`httpd_mod_auth_ntlm_winbind',` -- samba_domtrans_winbind_helper(httpd_t) -- ') -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_dirs(httpd_t) -+ fs_manage_cifs_files(httpd_t) -+ fs_manage_cifs_symlinks(httpd_t) - ') - --tunable_policy(`httpd_read_user_content',` -- userdom_read_user_home_content_files(httpd_t) -+tunable_policy(`httpd_use_fusefs',` -+ fs_manage_fusefs_dirs(httpd_t) -+ fs_manage_fusefs_files(httpd_t) -+ fs_manage_fusefs_symlinks(httpd_t) - ') - - tunable_policy(`httpd_setrlimit',` -@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',` - - tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) -+ allow httpd_sys_script_t httpd_t:fd use; -+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; -+ allow httpd_sys_script_t httpd_t:process sigchld; - ') - --tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` -- can_exec(httpd_t, httpd_tmp_t) --') -- -+# When the admin starts the server, the server wants to access -+# the TTY or PTY associated with the session. The httpd appears -+# to run correctly without this permission, so the permission -+# are dontaudited here. 
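Review bot: `automount_search_tmp_dirs(httpd_t)` and `postfix_rw_spool_maildrop_files(httpd_t)` call interfaces of other modules from inside tunable_policy blocks with no enclosing optional_policy, so the build breaks on a policy set where the automount or postfix module is not enabled, whereas comparable cross-module calls in this file (`spamassassin_domtrans_client`, `zabbix_tcp_connect` in the removed lines) are wrapped. The second `httpd_use_nfs` block could also be folded into the first one a few lines above instead of evaluating the same boolean twice. The `httpd_can_sendmail` block now grants write access to the postfix maildrop spool on top of `mta_send_mail`; a comment such as `# TODO(review): state why web apps need direct maildrop spool access rather than the mta_send_mail path` would let an auditor judge that widening.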
- tunable_policy(`httpd_tty_comm',` -- userdom_use_user_terminals(httpd_t) --',` -- userdom_dontaudit_use_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_suexec_t) - ') - --tunable_policy(`httpd_use_cifs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_cifs_dirs(httpd_t) -- fs_manage_cifs_files(httpd_t) -- fs_manage_cifs_symlinks(httpd_t) --') -- --tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_t) --') -+optional_policy(` -+ cobbler_list_config(httpd_t) -+ cobbler_read_config(httpd_t) - --tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_fusefs_dirs(httpd_t) -- fs_manage_fusefs_files(httpd_t) -- fs_read_fusefs_symlinks(httpd_t) --') -+ tunable_policy(`httpd_serve_cobbler_files',` -+ cobbler_manage_lib_files(httpd_t) -+',` -+ cobbler_read_lib_files(httpd_t) -+ cobbler_search_lib(httpd_t) -+ ') - --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) -+ tunable_policy(`httpd_can_network_connect_cobbler',` -+ corenet_tcp_connect_cobbler_port(httpd_t) -+ ') - ') - --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_nfs_dirs(httpd_t) -- fs_manage_nfs_files(httpd_t) -- fs_manage_nfs_symlinks(httpd_t) -+optional_policy(` -+ tunable_policy(`httpd_use_sasl',` -+ sasl_connect(httpd_t) -+ ') - ') - --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_t) -+optional_policy(` -+ # Support for ABRT retrace server -+ # mod_wsgi -+ abrt_manage_spool_retrace(httpd_t) -+ abrt_domtrans_retrace_worker(httpd_t) -+ abrt_read_config(httpd_t) - ') - - optional_policy(` -@@ -743,14 +873,6 @@ optional_policy(` - ccs_read_config(httpd_t) - ') - --optional_policy(` -- clamav_domtrans_clamscan(httpd_t) --') -- --optional_policy(` -- cobbler_read_config(httpd_t) -- cobbler_read_lib_files(httpd_t) --') - - optional_policy(` - 
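Review bot: The comment added above the `httpd_tty_comm` block says the TTY/PTY permission "are dontaudited here", but the new block only allows `userdom_use_inherited_user_terminals` for `httpd_t` and `httpd_suexec_t`, and the else branch that carried `userdom_dontaudit_use_user_terminals` is removed, so the comment no longer describes the code (and "the permission are" should read "the permission is"). Suggested wording: `# When the admin starts the server from a session, httpd inherits that session's TTY/PTY; httpd_tty_comm allows use of the inherited terminal.` The cobbler block in the same hunk grants config, lib and port access with no rationale; the one-line purpose comment used on the abrt block (`# Support for ABRT retrace server`) is the pattern to copy.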
cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +887,23 @@ optional_policy(` - ') - - optional_policy(` -+ #needed by FreeIPA -+ dirsrv_stream_connect(httpd_t) -+') -+ -+optional_policy(` -+ dirsrv_manage_config(httpd_t) -+ dirsrv_manage_log(httpd_t) -+ dirsrv_manage_var_run(httpd_t) -+ dirsrv_read_share(httpd_t) -+ dirsrv_signal(httpd_t) -+ dirsrv_signull(httpd_t) -+ dirsrvadmin_manage_config(httpd_t) -+ dirsrvadmin_manage_tmp(httpd_t) -+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t) -+') -+ -+ optional_policy(` - dbus_system_bus_client(httpd_t) - - tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +920,46 @@ optional_policy(` - ') - - optional_policy(` -+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` -+ gpg_domtrans_web(httpd_t) -+ ') -+') -+ -+optional_policy(` -+ gssproxy_stream_connect(httpd_t) -+') -+ -+optional_policy(` -+ jetty_admin(httpd_t) -+') -+ -+optional_policy(` - kerberos_keytab_template(httpd, httpd_t) -- kerberos_manage_host_rcache(httpd_t) -- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23") -- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48") -+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23") -+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48") - ') - - optional_policy(` -+ # needed by FreeIPA - ldap_stream_connect(httpd_t) -- -- tunable_policy(`httpd_can_network_connect_ldap',` -- ldap_tcp_connect(httpd_t) -- ') - ') - - optional_policy(` - mailman_signal_cgi(httpd_t) - mailman_domtrans_cgi(httpd_t) - mailman_read_data_files(httpd_t) -+ # should have separate types for public and private archives - mailman_search_data(httpd_t) - mailman_read_archive(httpd_t) - ') - - optional_policy(` -- memcached_stream_connect(httpd_t) -+ mediawiki_read_tmp_files(httpd_t) -+ mediawiki_delete_tmp_files(httpd_t) -+') - -- tunable_policy(`httpd_can_network_connect_memcache',` -- memcached_tcp_connect(httpd_t) -- ') -+optional_policy(` -+ memcached_stream_connect(httpd_t) - - tunable_policy(`httpd_manage_ipa',` - 
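Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` gives the web server domain a transition into what its name indicates is an unconfined script domain, and unlike the other unconfined paths in this file it is gated by no boolean — only by the dirsrv-admin module being loaded — so every httpd instance on such a host gets it, not only the FreeIPA/389-ds admin deployment it appears to serve. If the transition cannot be put under a tunable, the block needs a comment in the style of the sibling block's `#needed by FreeIPA` stating the consumer and why it must run unconfined. The two consecutive dirsrv optional_policy blocks could also be merged, and the `_t` suffix on that interface name is inconsistent with every other interface called here; if that is the interface's real name, the inconsistency lives in its definition rather than at this call site.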
memcached_manage_pid_files(httpd_t) -@@ -816,8 +967,18 @@ optional_policy(` - ') - - optional_policy(` -+ munin_read_config(httpd_t) -+') -+ -+optional_policy(` -+ # Allow httpd to work with mysql - mysql_read_config(httpd_t) - mysql_stream_connect(httpd_t) -+ mysql_rw_db_sockets(httpd_t) -+ -+ optional_policy(` -+ postgresql_stream_connect(httpd_t) -+ ') - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_t) -@@ -826,6 +987,7 @@ optional_policy(` - - optional_policy(` - nagios_read_config(httpd_t) -+ nagios_read_log(httpd_t) - ') - - optional_policy(` -@@ -836,20 +998,39 @@ optional_policy(` - ') - - optional_policy(` -+ openshift_search_lib(httpd_t) -+ openshift_initrc_signull(httpd_t) -+ openshift_initrc_signal(httpd_t) -+') -+ -+optional_policy(` -+ passenger_exec(httpd_t) -+ passenger_manage_pid_content(httpd_t) -+') -+ -+optional_policy(` - pcscd_read_pid_files(httpd_t) - ') - - optional_policy(` -- postgresql_stream_connect(httpd_t) -- postgresql_unpriv_client(httpd_t) -+ pki_apache_domain_signal(httpd_t) -+ pki_manage_apache_config_files(httpd_t) -+ pki_manage_apache_lib(httpd_t) -+ pki_manage_apache_log_files(httpd_t) -+ pki_manage_apache_run(httpd_t) -+ pki_read_tomcat_cert(httpd_t) -+') - -- tunable_policy(`httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_t) -- ') -+optional_policy(` -+ puppet_read_lib(httpd_t) - ') - - optional_policy(` -- puppet_read_lib_files(httpd_t) -+ pwauth_domtrans(httpd_t) -+') -+ -+optional_policy(` -+ rpm_dontaudit_read_db(httpd_t) - ') - - optional_policy(` -@@ -857,19 +1038,35 @@ optional_policy(` - ') - - optional_policy(` -+ # Allow httpd to work with postgresql -+ postgresql_stream_connect(httpd_t) -+ postgresql_unpriv_client(httpd_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ postgresql_tcp_connect(httpd_t) -+ ') -+') -+ -+optional_policy(` - seutil_sigchld_newrole(httpd_t) - ') - - optional_policy(` - smokeping_read_lib_files(httpd_t) -+ 
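Review bot: `jetty_admin(httpd_t)` hands the web server domain the module's admin interface; by refpolicy convention an `_admin` interface bundles manage rights on all of the target's types plus signalling and init-script control, far more than the connect/read interfaces granted to neighbouring services in this hunk (`gssproxy_stream_connect`, `ldap_stream_connect`), and nothing gates it by a boolean. If httpd only needs to reach jetty, the narrowest jetty interface covering that use is the right call; at minimum a comment naming the deployment that needs admin rights, like the `# needed by FreeIPA` line below it, is warranted. The `kerberos_tmp_filetrans_host_rcache` calls drop the `file` argument; that is only correct if the interface's signature changed in the kerberos module in the same patch set, which this chunk does not show.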
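Review bot: The nested optional_policy holding `postgresql_stream_connect(httpd_t)` inside the mysql block duplicates the same call in the dedicated postgresql block added in the hunk at -857 and, as written, only takes effect when the mysql module is present; drop the nested block and keep the postgresql rules together. The `# Allow httpd to work with mysql` comment is a good pattern; the `mysql_rw_db_sockets(httpd_t)` line added beside it deserves a word of its own, since it widens the existing stream-connect grant to read/write on the database socket files.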
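Review bot: `pki_manage_apache_config_files(httpd_t)`, together with the manage interfaces for pki's apache lib, log and run locations, lets the running web server rewrite the configuration it is launched with, which undercuts the integrity that a separate config label is meant to provide, and nothing gates it by a boolean. If pki's web front end genuinely writes its own config at runtime, the block needs a comment stating which component does so and why read access is insufficient; otherwise the config line should be the read variant. `rpm_dontaudit_read_db(httpd_t)` and `pwauth_domtrans(httpd_t)` in the same hunk are likewise unexplained; a one-line purpose comment per optional block would match the style used for the mysql and abrt blocks elsewhere in this patch.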
smokeping_read_pid_files(httpd_t) - ') - - optional_policy(` -+ files_dontaudit_rw_usr_dirs(httpd_t) - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) - ') - - optional_policy(` -+ thin_stream_connect(httpd_t) -+') -+ -+optional_policy(` - udev_read_db(httpd_t) - ') - -@@ -877,65 +1074,173 @@ optional_policy(` - yam_read_content(httpd_t) - ') - -+optional_policy(` -+ zarafa_manage_lib_files(httpd_t) -+ zarafa_stream_connect_server(httpd_t) -+ zarafa_search_config(httpd_t) -+') -+ -+optional_policy(` -+ zoneminder_append_log(httpd_t) -+ zoneminder_manage_lib_dirs(httpd_t) -+ zoneminder_manage_lib_files(httpd_t) -+ zoneminder_stream_connect(httpd_t) -+ zoneminder_exec(httpd_t) -+') -+ - ######################################## - # --# Helper local policy -+# Apache helper local policy - # - --read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) -+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) - --append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) -+allow httpd_helper_t httpd_config_t:file read_file_perms; - --files_search_etc(httpd_helper_t) -+allow httpd_helper_t httpd_log_t:file append_file_perms; - --logging_search_logs(httpd_helper_t) - logging_send_syslog_msg(httpd_helper_t) - -+tunable_policy(`httpd_verify_dns',` -+ corenet_udp_bind_all_ephemeral_ports(httpd_t) -+') -+ -+tunable_policy(`httpd_run_stickshift', ` -+ allow httpd_t self:capability { fowner fsetid sys_resource }; -+ dontaudit httpd_t self:capability sys_ptrace; -+ allow httpd_t self:process setexec; -+ -+ files_dontaudit_getattr_all_files(httpd_t) -+ domain_getpgid_all_domains(httpd_t) -+') -+ -+optional_policy(` -+ tunable_policy(`httpd_run_stickshift', ` -+ passenger_manage_lib_files(httpd_t) -+ passenger_getattr_log_files(httpd_t) -+ ',` -+ passenger_domtrans(httpd_t) -+ passenger_read_lib_files(httpd_t) -+ 
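Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is a generic files-layer interface but is placed inside the snmp optional_policy block, so the dontaudit only applies on systems that have the snmp module and is invisible to anyone reading the unconditional httpd_t rules. Move it out to the unconditional section, or, if the denials it silences really come from snmp's var_lib access, keep it there with a comment such as `# TODO(review): document which access path produces the /usr dir rw denials this silences`.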
passenger_stream_connect(httpd_t) -+ passenger_manage_tmp_files(httpd_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`httpd_run_stickshift', ` -+ oddjob_dbus_chat(httpd_t) -+ ') -+') -+ - tunable_policy(`httpd_tty_comm',` -- userdom_use_user_terminals(httpd_helper_t) --',` -- userdom_dontaudit_use_user_terminals(httpd_helper_t) -+ userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# -+# Apache PHP script local policy -+# -+ -+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow httpd_php_t self:fd use; -+allow httpd_php_t self:fifo_file rw_fifo_file_perms; -+allow httpd_php_t self:sock_file read_sock_file_perms; -+allow httpd_php_t self:unix_dgram_socket create_socket_perms; -+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; -+allow httpd_php_t self:unix_dgram_socket sendto; -+allow httpd_php_t self:unix_stream_socket connectto; -+allow httpd_php_t self:shm create_shm_perms; -+allow httpd_php_t self:sem create_sem_perms; -+allow httpd_php_t self:msgq create_msgq_perms; -+allow httpd_php_t self:msg { send receive }; -+ -+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) -+ -+# allow php to read and append to apache logfiles -+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; -+ -+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) -+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) -+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) -+ -+fs_search_auto_mountpoints(httpd_php_t) -+ -+auth_use_nsswitch(httpd_php_t) -+ -+libs_exec_lib_files(httpd_php_t) -+ -+userdom_use_unpriv_users_fds(httpd_php_t) -+ -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_gds_db_port(httpd_php_t) -+ corenet_tcp_connect_mssql_port(httpd_php_t) -+ corenet_sendrecv_mssql_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracle_port(httpd_php_t) 
-+ corenet_sendrecv_oracle_client_packets(httpd_php_t) -+') -+ -+optional_policy(` -+ mysql_stream_connect(httpd_php_t) -+ mysql_rw_db_sockets(httpd_php_t) -+ mysql_read_config(httpd_php_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ mysql_tcp_connect(httpd_php_t) -+ ') -+') -+ -+optional_policy(` -+ postgresql_stream_connect(httpd_php_t) -+ postgresql_unpriv_client(httpd_php_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ postgresql_tcp_connect(httpd_php_t) -+ ') - ') - - ######################################## - # --# Suexec local policy -+# Apache suexec local policy - # - - allow httpd_suexec_t self:capability { setuid setgid }; - allow httpd_suexec_t self:process signal_perms; - allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; --allow httpd_suexec_t self:tcp_socket { accept listen }; --allow httpd_suexec_t self:unix_stream_socket { accept listen }; -+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; -+ -+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - - create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -+ -+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - - manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) - manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) - files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - -+can_exec(httpd_suexec_t, httpd_sys_script_exec_t) -+ -+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) -+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) -+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ - kernel_read_kernel_sysctls(httpd_suexec_t) - kernel_list_proc(httpd_suexec_t) - 
kernel_read_proc_symlinks(httpd_suexec_t) - --corenet_all_recvfrom_unlabeled(httpd_suexec_t) --corenet_all_recvfrom_netlabel(httpd_suexec_t) --corenet_tcp_sendrecv_generic_if(httpd_suexec_t) --corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -- --corecmd_exec_bin(httpd_suexec_t) --corecmd_exec_shell(httpd_suexec_t) -- - dev_read_urand(httpd_suexec_t) - - fs_read_iso9660_files(httpd_suexec_t) - fs_search_auto_mountpoints(httpd_suexec_t) - --files_read_usr_files(httpd_suexec_t) -+application_exec_all(httpd_suexec_t) -+ -+# for shell scripts -+corecmd_exec_bin(httpd_suexec_t) -+corecmd_exec_shell(httpd_suexec_t) -+ - files_dontaudit_search_pids(httpd_suexec_t) - files_search_home(httpd_suexec_t) - -@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) - logging_search_logs(httpd_suexec_t) - logging_send_syslog_msg(httpd_suexec_t) - --miscfiles_read_localization(httpd_suexec_t) - miscfiles_read_public_files(httpd_suexec_t) - --tunable_policy(`httpd_builtin_scripting',` -- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type) -- -- allow httpd_suexec_t httpdcontent:dir list_dir_perms; -- allow httpd_suexec_t httpdcontent:file read_file_perms; -- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms; --') -+corenet_all_recvfrom_netlabel(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect',` -+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_suexec_t self:udp_socket create_socket_perms; -+ -+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t) -+ corenet_udp_sendrecv_generic_if(httpd_suexec_t) -+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -+ corenet_udp_sendrecv_generic_node(httpd_suexec_t) -+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t) -+ corenet_udp_sendrecv_all_ports(httpd_suexec_t) - corenet_tcp_connect_all_ports(httpd_suexec_t) - corenet_sendrecv_all_client_packets(httpd_suexec_t) -- corenet_tcp_sendrecv_all_ports(httpd_suexec_t) - ') - - 
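Review bot: The `httpd_verify_dns` and `httpd_run_stickshift` tunable blocks and the passenger/oddjob optional blocks grant rules to `httpd_t` but sit under the "Apache helper local policy" header between the `httpd_helper_t` rules, so an auditor reading the httpd_t section will not see that stickshift adds `setexec`, the `fowner fsetid sys_resource` capabilities and `domain_getpgid_all_domains`; they belong in the httpd_t section, with a comment on what stickshift uses each for. In the PHP section, `allow httpd_php_t self:process ~{ ... }` is a negated permission set: it grants every process permission not listed, including any added to the class by future kernels, which is why refpolicy style prefers an explicit positive list. Replacing it with the explicit set httpd_php_t actually needs keeps the grant from growing silently.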
tunable_policy(`httpd_can_network_connect_db',` -- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t) - corenet_tcp_connect_gds_db_port(httpd_suexec_t) -- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t) -- corenet_sendrecv_mssql_client_packets(httpd_suexec_t) - corenet_tcp_connect_mssql_port(httpd_suexec_t) -- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t) -- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) -- corenet_tcp_connect_oracledb_port(httpd_suexec_t) -- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t) -+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_oracle_port(httpd_suexec_t) -+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) - ') - -+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) -+ - tunable_policy(`httpd_can_sendmail',` -- corenet_sendrecv_smtp_client_packets(httpd_suexec_t) -- corenet_tcp_connect_smtp_port(httpd_suexec_t) -- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t) -- corenet_sendrecv_pop_client_packets(httpd_suexec_t) -- corenet_tcp_connect_pop_port(httpd_suexec_t) -- corenet_tcp_sendrecv_pop_port(httpd_suexec_t) - mta_send_mail(httpd_suexec_t) -- mta_signal_system_mail(httpd_suexec_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -+ allow httpd_sys_script_t httpdcontent:file entrypoint; - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) --') -- --tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -- fs_list_auto_mountpoints(httpd_suexec_t) -- fs_read_cifs_files(httpd_suexec_t) -- fs_read_cifs_symlinks(httpd_suexec_t) --') -- --tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_suexec_t) -+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, 
httpdcontent) - ') - - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -- fs_list_auto_mountpoints(httpd_suexec_t) -+ fs_list_auto_mountpoints(httpd_suexec_t) - fs_read_nfs_files(httpd_suexec_t) - fs_read_nfs_symlinks(httpd_suexec_t) --') -- --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_suexec_t) - ') - --tunable_policy(`httpd_execmem',` -- allow httpd_suexec_t self:process { execmem execstack }; --') -- --tunable_policy(`httpd_tmp_exec',` -- can_exec(httpd_suexec_t, httpd_suexec_tmp_t) --') -- --tunable_policy(`httpd_tty_comm',` -- userdom_use_user_terminals(httpd_suexec_t) --',` -- userdom_dontaudit_use_user_terminals(httpd_suexec_t) --') -- --tunable_policy(`httpd_use_cifs',` -- fs_list_auto_mountpoints(httpd_suexec_t) -- fs_manage_cifs_dirs(httpd_suexec_t) -- fs_manage_cifs_files(httpd_suexec_t) -- fs_manage_cifs_symlinks(httpd_suexec_t) --') -- --tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` -+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -+ fs_read_cifs_files(httpd_suexec_t) -+ fs_read_cifs_symlinks(httpd_suexec_t) - fs_exec_cifs_files(httpd_suexec_t) - ') - --tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_suexec_t) -- fs_manage_fusefs_dirs(httpd_suexec_t) -- fs_manage_fusefs_files(httpd_suexec_t) -- fs_read_fusefs_symlinks(httpd_suexec_t) --') -- --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_suexec_t) --') -- --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_suexec_t) -- fs_manage_nfs_dirs(httpd_suexec_t) -- fs_manage_nfs_files(httpd_suexec_t) -- fs_manage_nfs_symlinks(httpd_suexec_t) --') -- --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_suexec_t) -+optional_policy(` -+ mailman_domtrans_cgi(httpd_suexec_t) - ') - - optional_policy(` -- mailman_domtrans_cgi(httpd_suexec_t) -+ mta_stub(httpd_suexec_t) -+ -+ # 
apache should set close-on-exec -+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; - ') - - optional_policy(` - mysql_stream_connect(httpd_suexec_t) -+ mysql_rw_db_sockets(httpd_suexec_t) - mysql_read_config(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1333,106 @@ optional_policy(` - ') - ') - --tunable_policy(`httpd_read_user_content',` -- userdom_read_user_home_content_files(httpd_suexec_t) --') -- --tunable_policy(`httpd_enable_homedirs',` -- userdom_search_user_home_dirs(httpd_suexec_t) --') -- - ######################################## - # --# Common script local policy -+# Apache system script local policy - # - --allow httpd_script_domains self:fifo_file rw_file_perms; --allow httpd_script_domains self:unix_stream_socket connectto; -- --allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- --append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -+allow httpd_sys_script_t self:process getsched; - --kernel_dontaudit_search_sysctl(httpd_script_domains) --kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) -- --corenet_all_recvfrom_unlabeled(httpd_script_domains) --corenet_all_recvfrom_netlabel(httpd_script_domains) --corenet_tcp_sendrecv_generic_if(httpd_script_domains) --corenet_tcp_sendrecv_generic_node(httpd_script_domains) -+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; -+allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - --corecmd_exec_all_executables(httpd_script_domains) -+dontaudit httpd_sys_script_t httpd_config_t:dir search; - --dev_read_rand(httpd_script_domains) --dev_read_urand(httpd_script_domains) -+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - --files_exec_etc_files(httpd_script_domains) --files_read_etc_files(httpd_script_domains) --files_search_home(httpd_script_domains) -+allow 
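Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is unconditional and sits between two suexec tunable blocks, so every file labelled `httpd_sys_content_t` — the read-only content type — becomes a valid entrypoint for the system CGI domain even when `httpd_enable_cgi` is off, while the `httpdcontent:file entrypoint` rule right below it is correctly gated by `httpd_enable_cgi && httpd_unified`. It should move into the httpd_sys_script_t section under the same tunable, or the commit should document why content files must be entrypoints unconditionally. `application_exec_all(httpd_suexec_t)` is also new and unconditional; the `# for shell scripts` comment covers only the `corecmd_exec_bin`/`corecmd_exec_shell` lines beneath it, so a sentence on why suexec needs every application executable would help.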
httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) - --libs_exec_ld_so(httpd_script_domains) --libs_exec_lib_files(httpd_script_domains) -+kernel_read_kernel_sysctls(httpd_sys_script_t) - --logging_search_logs(httpd_script_domains) -+dev_list_sysfs(httpd_sys_script_t) - --miscfiles_read_fonts(httpd_script_domains) --miscfiles_read_public_files(httpd_script_domains) -+files_read_var_symlinks(httpd_sys_script_t) -+files_search_var_lib(httpd_sys_script_t) -+files_search_spool(httpd_sys_script_t) - --seutil_dontaudit_search_config(httpd_script_domains) -+logging_inherit_append_all_logs(httpd_sys_script_t) - --tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_script_domains httpdcontent:file entrypoint; -+# Should we add a boolean? -+apache_domtrans_rotatelogs(httpd_sys_script_t) - -- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent) -- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) -- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) -+auth_use_nsswitch(httpd_sys_script_t) - -- can_exec(httpd_script_domains, httpdcontent) -+ifdef(`distro_redhat',` -+ allow httpd_sys_script_t httpd_log_t:file append_file_perms; - ') - --tunable_policy(`httpd_enable_cgi',` -- allow httpd_script_domains self:process { setsched signal_perms }; -- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms; -- -- kernel_read_system_state(httpd_script_domains) -- -- fs_getattr_all_fs(httpd_script_domains) -- -- files_read_etc_runtime_files(httpd_script_domains) -- files_read_usr_files(httpd_script_domains) -- -- libs_read_lib_files(httpd_script_domains) -- -- miscfiles_read_localization(httpd_script_domains) -+tunable_policy(`httpd_can_sendmail',` -+ mta_send_mail(httpd_sys_script_t) - ') - - 
optional_policy(` -- tunable_policy(`httpd_enable_cgi && allow_ypbind',` -- nis_use_ypbind_uncond(httpd_script_domains) -+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` -+ spamassassin_domtrans_client(httpd_t) - ') - ') - --tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- corenet_sendrecv_gds_db_client_packets(httpd_script_domains) -- corenet_tcp_connect_gds_db_port(httpd_script_domains) -- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains) -- corenet_sendrecv_mssql_client_packets(httpd_script_domains) -- corenet_tcp_connect_mssql_port(httpd_script_domains) -- corenet_tcp_sendrecv_mssql_port(httpd_script_domains) -- corenet_sendrecv_oracledb_client_packets(httpd_script_domains) -- corenet_tcp_connect_oracledb_port(httpd_script_domains) -- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains) --') -- --optional_policy(` -- mysql_read_config(httpd_script_domains) -- mysql_stream_connect(httpd_script_domains) -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_script_domains) -- ') -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t) -+ corenet_tcp_connect_mssql_port(httpd_sys_script_t) -+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_oracle_port(httpd_sys_script_t) -+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) - ') - --optional_policy(` -- postgresql_stream_connect(httpd_script_domains) -+fs_cifs_entry_type(httpd_sys_script_t) -+fs_read_iso9660_files(httpd_sys_script_t) -+fs_nfs_entry_type(httpd_sys_script_t) -+fs_rw_anon_inodefs_files(httpd_sys_script_t) - -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_script_domains) -- ') --') -+tunable_policy(`httpd_use_nfs',` -+ fs_list_auto_mountpoints(httpd_sys_script_t) -+ fs_manage_nfs_dirs(httpd_sys_script_t) -+ fs_manage_nfs_files(httpd_sys_script_t) -+ 
fs_manage_nfs_symlinks(httpd_sys_script_t) -+ fs_exec_nfs_files(httpd_sys_script_t) - --optional_policy(` -- nscd_use(httpd_script_domains) -+ fs_list_auto_mountpoints(httpd_suexec_t) -+ fs_manage_nfs_dirs(httpd_suexec_t) -+ fs_manage_nfs_files(httpd_suexec_t) -+ fs_manage_nfs_symlinks(httpd_suexec_t) -+ fs_exec_nfs_files(httpd_suexec_t) - ') - --######################################## --# --# System script local policy --# -- --allow httpd_sys_script_t self:tcp_socket { accept listen }; -- --allow httpd_sys_script_t httpd_t:tcp_socket { read write }; -- --dontaudit httpd_sys_script_t httpd_config_t:dir search; -- --allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; -- --allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; --allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; --allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; -- --kernel_read_kernel_sysctls(httpd_sys_script_t) -- --fs_search_auto_mountpoints(httpd_sys_script_t) -- --files_read_var_symlinks(httpd_sys_script_t) --files_search_var_lib(httpd_sys_script_t) --files_search_spool(httpd_sys_script_t) -- --apache_domtrans_rotatelogs(httpd_sys_script_t) -- --auth_use_nsswitch(httpd_sys_script_t) -- --tunable_policy(`httpd_can_sendmail',` -- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) -- corenet_tcp_connect_smtp_port(httpd_sys_script_t) -- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t) -- corenet_sendrecv_pop_client_packets(httpd_sys_script_t) -- corenet_tcp_connect_pop_port(httpd_sys_script_t) -- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - -- mta_send_mail(httpd_sys_script_t) -- mta_signal_system_mail(httpd_sys_script_t) -+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_sys_script_t self:udp_socket create_socket_perms; -+ -+ 
corenet_tcp_bind_generic_node(httpd_sys_script_t) -+ corenet_udp_bind_generic_node(httpd_sys_script_t) -+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) -+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t) -+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) -+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t) -+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) -+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) -+ corenet_tcp_connect_all_ports(httpd_sys_script_t) -+ corenet_sendrecv_all_client_packets(httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_sys_script_t) - ') - --tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -- corenet_tcp_connect_all_ports(httpd_sys_script_t) -- corenet_sendrecv_all_client_packets(httpd_sys_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) --') -- --tunable_policy(`httpd_execmem',` -- allow httpd_sys_script_t self:process { execmem execstack }; -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(httpd_sys_script_t) -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) - ') - - tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` - ') - - tunable_policy(`httpd_use_cifs',` -- fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_cifs_dirs(httpd_sys_script_t) - fs_manage_cifs_files(httpd_sys_script_t) - fs_manage_cifs_symlinks(httpd_sys_script_t) --') -- --tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_sys_script_t) -+ fs_manage_cifs_dirs(httpd_suexec_t) -+ fs_manage_cifs_files(httpd_suexec_t) -+ fs_manage_cifs_symlinks(httpd_suexec_t) -+ fs_exec_cifs_files(httpd_suexec_t) - ') - - tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_fusefs_dirs(httpd_sys_script_t) - fs_manage_fusefs_files(httpd_sys_script_t) -- 
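Review bot: `fs_cifs_entry_type(httpd_sys_script_t)` and `fs_nfs_entry_type(httpd_sys_script_t)` are unconditional, so any file on an NFS or CIFS mount can serve as an entrypoint for the system CGI domain even with `httpd_use_nfs`, `httpd_use_cifs` and `httpd_enable_homedirs` all off, while the matching exec grants (`fs_exec_nfs_files`, `fs_exec_cifs_files`) are kept under those booleans; moving the entry-type lines under the same tunables restores the intended gating. This hunk also places rules for other domains under the "Apache system script local policy" header — `spamassassin_domtrans_client(httpd_t)` and the `httpd_suexec_t` half of the `httpd_use_nfs` block — and the same happens in the hunk at -1250 (suexec cifs/fusefs rules, `clamav_domtrans_clamscan(httpd_t)`) and at -1324 (`userdom_search_user_home_content(httpd_t)` and the `httpd_suexec_t` lines under "User content local policy"); this file is audited per domain section, so those lines belong with their domain. The `ifdef(distro_redhat)` append to `httpd_log_t` would also benefit from a comment naming the distribution-specific component that writes the log.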
fs_read_fusefs_symlinks(httpd_sys_script_t) -+ fs_manage_fusefs_symlinks(httpd_sys_script_t) -+ fs_manage_fusefs_dirs(httpd_suexec_t) -+ fs_manage_fusefs_files(httpd_suexec_t) -+ fs_manage_fusefs_symlinks(httpd_suexec_t) -+ fs_exec_fusefs_files(httpd_suexec_t) - ') - --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_sys_script_t) -+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -+ fs_read_cifs_files(httpd_sys_script_t) -+ fs_read_cifs_symlinks(httpd_sys_script_t) - ') - --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_sys_script_t) -- fs_manage_nfs_dirs(httpd_sys_script_t) -- fs_manage_nfs_files(httpd_sys_script_t) -- fs_manage_nfs_symlinks(httpd_sys_script_t) -+optional_policy(` -+ clamav_domtrans_clamscan(httpd_sys_script_t) -+ clamav_domtrans_clamscan(httpd_t) - ') - --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_sys_script_t) -+optional_policy(` -+ mysql_stream_connect(httpd_sys_script_t) -+ mysql_rw_db_sockets(httpd_sys_script_t) -+ mysql_read_config(httpd_sys_script_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ mysql_tcp_connect(httpd_sys_script_t) -+ ') - ') - - optional_policy(` -- clamav_domtrans_clamscan(httpd_sys_script_t) -+ postgresql_stream_connect(httpd_sys_script_t) -+ postgresql_unpriv_client(httpd_sys_script_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ postgresql_tcp_connect(httpd_sys_script_t) -+ ') - ') - - optional_policy(` -- postgresql_unpriv_client(httpd_sys_script_t) -+ snmp_read_snmp_var_lib_files(httpd_sys_script_t) - ') - - ######################################## - # --# Rotatelogs local policy -+# httpd_rotatelogs local policy - # - - allow httpd_rotatelogs_t self:capability dac_override; - - manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - - kernel_read_kernel_sysctls(httpd_rotatelogs_t) - 
kernel_dontaudit_list_proc(httpd_rotatelogs_t) -+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) - --files_read_etc_files(httpd_rotatelogs_t) - - logging_search_logs(httpd_rotatelogs_t) - --miscfiles_read_localization(httpd_rotatelogs_t) - - ######################################## - # -@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) - # - - optional_policy(` -- apache_content_template(unconfined) -+ type httpd_unconfined_script_t; -+ type httpd_unconfined_script_exec_t; -+ domain_type(httpd_unconfined_script_t) -+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) -+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) - unconfined_domain(httpd_unconfined_script_t) -+ -+ role system_r types httpd_unconfined_script_t; -+ allow httpd_t httpd_unconfined_script_t:process signal_perms; - ') - - ######################################## -@@ -1324,49 +1531,38 @@ optional_policy(` - # User content local policy - # - --tunable_policy(`httpd_enable_homedirs',` -- userdom_search_user_home_dirs(httpd_user_script_t) --') -- --tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -- fs_list_auto_mountpoints(httpd_user_script_t) -- fs_read_cifs_files(httpd_user_script_t) -- fs_read_cifs_symlinks(httpd_user_script_t) --') -- --tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_user_script_t) --') -+auth_use_nsswitch(httpd_user_script_t) - --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -- fs_list_auto_mountpoints(httpd_user_script_t) -- fs_read_nfs_files(httpd_user_script_t) -- fs_read_nfs_symlinks(httpd_user_script_t) -+tunable_policy(`httpd_enable_cgi && httpd_unified',` -+ allow httpd_user_script_t httpdcontent:file entrypoint; -+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) -+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, 
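Review bot: `fs_list_auto_mountpoints(httpd_sys_script_t)` is dropped from the `httpd_use_cifs` and `httpd_use_fusefs` blocks, and the unconditional `fs_search_auto_mountpoints(httpd_sys_script_t)` went away in the hunk at -1077, so after this patch only the `httpd_use_nfs` and NFS-homedir blocks let the script domain traverse automount points; if CIFS or FUSE content lives under an automounted path the scripts will be denied at the mountpoint. Either that is covered by the `fs_manage_cifs_*`/`fs_manage_fusefs_*` interfaces (not visible here), or the list call should stay as it does in the nfs block. In the rotatelogs section, `files_read_etc_files` and `miscfiles_read_localization` are removed without comment; that is fine if they moved into a base interface this chunk does not show, otherwise rotatelogs loses locale and /etc reads.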
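Review bot: The transition `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` into a domain that is then made `unconfined_domain` is gated only by the unconfined module being present, not by a boolean; the `apache_content_template(unconfined)` it replaces presumably put that transition under `httpd_enable_cgi` like the other script domains in this file, so this hunk would silently remove the off switch for the most powerful script domain. Wrap the domtrans in the same tunable the other script domains use, and add a comment at the block explaining why the template was expanded inline. Declaring `type httpd_unconfined_script_t` inside an optional_policy rather than in the declarations section is also unusual and worth a comment, since any other module that references the type will then only link when the unconfined module is built.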
httpd_user_content_t) -+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) -+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) - ') - --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_user_script_t) -+# allow accessing files/dirs below the users home dir -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_user_home_content(httpd_t) -+ userdom_search_user_home_content(httpd_suexec_t) -+ userdom_search_user_home_content(httpd_user_script_t) - ') - - tunable_policy(`httpd_read_user_content',` -+ userdom_read_user_home_content_files(httpd_t) -+ userdom_read_user_home_content_files(httpd_suexec_t) - userdom_read_user_home_content_files(httpd_user_script_t) - ') - --optional_policy(` -- postgresql_unpriv_client(httpd_user_script_t) --') -- - ######################################## - # --# Passwd local policy -+# httpd_passwd local policy - # - - allow httpd_passwd_t self:fifo_file manage_fifo_file_perms; - allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms; - allow httpd_passwd_t self:unix_dgram_socket create_socket_perms; - --dontaudit httpd_passwd_t httpd_config_t:file read_file_perms; -- - kernel_read_system_state(httpd_passwd_t) - - corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t) - - domain_use_interactive_fds(httpd_passwd_t) - -+ - auth_use_nsswitch(httpd_passwd_t) - --miscfiles_read_generic_certs(httpd_passwd_t) --miscfiles_read_localization(httpd_passwd_t) -+miscfiles_read_certs(httpd_passwd_t) - --######################################## --# --# GPG local policy --# -+systemd_manage_passwd_run(httpd_passwd_t) -+systemd_manage_passwd_run(httpd_t) -+#systemd_passwd_agent_dev_template(httpd) -+ -+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) -+dontaudit httpd_passwd_t httpd_config_t:file read; -+ 
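Review bot: The `optional_policy` block now spells out `httpd_unconfined_script_t`, its entry type and `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` inline instead of going through `apache_content_template(unconfined)`, yet it carries no comment, so a reader cannot tell that any file labelled `httpd_unconfined_script_exec_t` is a complete escape from httpd_t confinement (the existing `unconfined_domain(httpd_unconfined_script_t)` context line makes it one). Unlike the other script paths in this file, the transition is not gated by a tunable, so the file context for that type is the only boundary. I would add above the block `# Files labelled httpd_unconfined_script_exec_t run fully unconfined; labelling, not this policy, is the boundary.` Whether relabelling to that type is restricted elsewhere in the module is outside the hunk.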
-+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type) -+corecmd_shell_entry_type(httpd_script_type) -+ -+allow httpd_script_type self:fifo_file rw_file_perms; -+allow httpd_script_type self:unix_stream_socket connectto; -+ -+allow httpd_script_type httpd_t:fifo_file write; -+# apache should set close-on-exec -+apache_dontaudit_leaks(httpd_script_type) -+ -+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t) -+logging_search_logs(httpd_script_type) -+ -+kernel_dontaudit_search_sysctl(httpd_script_type) -+kernel_dontaudit_search_kernel_sysctl(httpd_script_type) -+ -+dev_read_rand(httpd_script_type) -+dev_read_urand(httpd_script_type) -+ -+corecmd_exec_all_executables(httpd_script_type) -+application_exec_all(httpd_script_type) -+ -+files_exec_etc_files(httpd_script_type) -+files_search_home(httpd_script_type) -+ -+libs_exec_ld_so(httpd_script_type) -+libs_exec_lib_files(httpd_script_type) -+ -+miscfiles_read_fonts(httpd_script_type) -+miscfiles_read_public_files(httpd_script_type) - --allow httpd_gpg_t self:process setrlimit; -+allow httpd_t httpd_script_type:unix_stream_socket connectto; - --allow httpd_gpg_t httpd_t:fd use; --allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; --allow httpd_gpg_t httpd_t:process sigchld; -+allow httpd_t httpd_script_exec_type:file read_file_perms; -+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; -+allow httpd_t httpd_script_type:process { signal sigkill sigstop }; -+allow httpd_t httpd_script_exec_type:dir list_dir_perms; - --dev_read_rand(httpd_gpg_t) --dev_read_urand(httpd_gpg_t) -+allow httpd_script_type self:process { setsched signal_perms }; -+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; -+allow httpd_script_type self:unix_dgram_socket create_socket_perms; - --files_read_usr_files(httpd_gpg_t) -+allow httpd_script_type httpd_t:fd use; -+allow httpd_script_type httpd_t:process sigchld; - 
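Review bot: Under `httpd_read_user_content` the hunk adds `userdom_read_user_home_content_files(httpd_t)` and `userdom_read_user_home_content_files(httpd_suexec_t)` next to the existing grant for `httpd_user_script_t`, so once the boolean is on the main server process and the suexec helper — not only a user's CGI — can read user home content files. The boolean's description lives outside this hunk and presumably still describes script access; it should be updated, or the two new lines reconsidered if only scripts were meant. A comment on the block would make the intent explicit, e.g. `# httpd_t itself reads user home content here, not just CGI; keep the boolean description in sync`. The `httpd_enable_homedirs` block below it widens `userdom_search_user_home_content` to httpd_t and httpd_suexec_t in the same way.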
--miscfiles_read_localization(httpd_gpg_t) -+dontaudit httpd_script_type httpd_t:tcp_socket { read write }; - --tunable_policy(`httpd_gpg_anon_write',` -- miscfiles_manage_public_files(httpd_gpg_t) -+fs_getattr_xattr_fs(httpd_script_type) -+ -+files_read_etc_runtime_files(httpd_script_type) -+ -+libs_read_lib_files(httpd_script_type) -+ -+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms; -+ -+tunable_policy(`httpd_enable_cgi && nis_enabled',` -+ nis_use_ypbind_uncond(httpd_script_type) - ') - - optional_policy(` -- apache_manage_sys_rw_content(httpd_gpg_t) -+ nscd_socket_use(httpd_script_type) - ') - --optional_policy(` -- gpg_entry_type(httpd_gpg_t) -- gpg_exec(httpd_gpg_t) -+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) -+ -+tunable_policy(`httpd_builtin_scripting',` -+ allow httpd_t httpd_content_type:dir search_dir_perms; -+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms; -+ -+ allow httpd_t httpd_content_type:dir list_dir_perms; -+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) -+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) -+') -+ -+tunable_policy(`httpd_use_openstack',` -+ corenet_tcp_connect_keystone_port(httpd_sys_script_t) -+ corenet_tcp_connect_all_ephemeral_ports(httpd_t) -+ corenet_tcp_connect_glance_port(httpd_sys_script_t) -+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_use_openstack',` -+ corenet_tcp_connect_osapi_compute_port(httpd_t) - ') -diff --git a/apcupsd.fc b/apcupsd.fc -index 5ec0e13..1c37fe1 100644 ---- a/apcupsd.fc -+++ b/apcupsd.fc -@@ -1,10 +1,13 @@ - /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) - -+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) -+ - /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - - /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - - 
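Review bot: `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` is granted unconditionally just before the `httpd_builtin_scripting` tunable and then repeated inside it, so the boolean no longer gates httpd_t reading content files — only the directory listing and symlink reads stay conditional. If the unconditional grant is intended, drop the duplicate inside the tunable and say why; otherwise remove the unconditional line. Inside the tunable, `allow httpd_t httpd_content_type:dir search_dir_perms;` is already covered by the `list_dir_perms` line two lines later. The two `httpd_use_openstack` tunable blocks at the end can be merged, and `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` there is far wider than the named keystone/glance/osapi ports the same tunable grants the script domain, so it deserves a comment naming the service that needs it.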
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) -+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0) - - /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) -diff --git a/apcupsd.if b/apcupsd.if -index f3c0aba..b6afc90 100644 ---- a/apcupsd.if -+++ b/apcupsd.if -@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',` - - ######################################## - ## -+## Execute apcupsd server in the apcupsd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`apcupsd_systemctl',` -+ gen_require(` -+ type apcupsd_t; -+ type apcupsd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 apcupsd_unit_file_t:file read_file_perms; -+ allow $1 apcupsd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, apcupsd_t) -+') -+ -+######################################## -+## -+## Create configuration files in /var/lock -+## with a named file type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apcupsd_filetrans_named_content',` -+ gen_require(` -+ type apcupsd_lock_t; -+ ') -+ -+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd") -+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..") -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an apcupsd environment. 
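Review bot: In `/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)` the two dots are unescaped regex metacharacters and file-context patterns are anchored, so the entry matches any five-character name beginning with `LCK` but not a longer per-device name such as `LCK..ttyS0`. If the literal name is meant, write `/var/lock/LCK\.\. --`; if per-device serial locks are meant, `/var/lock/LCK\.\..* --`. The companion `files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")` in apcupsd.if only fires for an exact name, so it has to be adjusted to match whichever is chosen; which name apcupsd actually creates is not visible here.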
- ## -@@ -144,11 +187,16 @@ interface(`apcupsd_admin',` - gen_require(` - type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; - type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; -+ type apcupsd_unit_file_t; - ') - -- allow $1 apcupsd_t:process { ptrace signal_perms }; -+ allow $1 apcupsd_t:process signal_perms; - ps_process_pattern($1, apcupsd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 apcupsd_t:process ptrace; -+ ') -+ - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; -@@ -165,4 +213,8 @@ interface(`apcupsd_admin',` - - files_list_pids($1) - admin_pattern($1, apcupsd_var_run_t) -+ -+ apcupsd_systemctl($1) -+ admin_pattern($1, apcupsd_unit_file_t) -+ allow $1 apcupsd_unit_file_t:service all_service_perms; - ') -diff --git a/apcupsd.te b/apcupsd.te -index b236327..7b2142b 100644 ---- a/apcupsd.te -+++ b/apcupsd.te -@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) - type apcupsd_var_run_t; - files_pid_file(apcupsd_var_run_t) - -+type apcupsd_unit_file_t; -+systemd_unit_file(apcupsd_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; - allow apcupsd_t apcupsd_lock_t:file manage_file_perms; - files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) - --append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) --create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) --setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) - logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) - - manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t) - corecmd_exec_bin(apcupsd_t) - corecmd_exec_shell(apcupsd_t) - --corenet_all_recvfrom_unlabeled(apcupsd_t) - corenet_all_recvfrom_netlabel(apcupsd_t) - 
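Review bot: `apcupsd_filetrans_named_content` is documented as creating `configuration files in /var/lock`, but `apcupsd_lock_t` is a lock type, so the summary should read `Create lock files in /var/lock with a named file type transition.`. The transition for the name `apcupsd` lands in /var/lock itself, while the only matching file context visible in this patch is `/var/lock/subsys/apcupsd`; a file created through it would be relabelled to the generic lock type by restorecon unless an entry for `/var/lock/apcupsd` exists elsewhere in the .fc, which is worth confirming.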
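Review bot: Replacing the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio with `manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` lets the daemon unlink, rename and truncate its own event and status logs, whereas the old rules kept them append-only from the daemon's side. If apcupsd really rotates its logs in-process the wider rule is needed, but then a comment should say so, e.g. `# apcupsd rotates apcupsd.events itself, hence manage rather than append`; otherwise keep the narrower rules so a compromised daemon cannot erase its own log trail.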
corenet_tcp_sendrecv_generic_if(apcupsd_t) - corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) - corenet_sendrecv_apcupsd_server_packets(apcupsd_t) - corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) - corenet_tcp_connect_apcupsd_port(apcupsd_t) -+corenet_udp_bind_apc_port(apcupsd_t) -+corenet_udp_bind_snmp_port(apcupsd_t) - - corenet_udp_bind_snmp_port(apcupsd_t) - corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) - - dev_rw_generic_usb_dev(apcupsd_t) - --files_read_etc_files(apcupsd_t) - files_manage_etc_runtime_files(apcupsd_t) - files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") - - term_use_unallocated_ttys(apcupsd_t) -+term_use_usb_ttys(apcupsd_t) - --logging_send_syslog_msg(apcupsd_t) -+#apcupsd runs shutdown, probably need a shutdown domain -+init_rw_utmp(apcupsd_t) -+init_telinit(apcupsd_t) - --miscfiles_read_localization(apcupsd_t) -+auth_use_nsswitch(apcupsd_t) -+ -+logging_send_syslog_msg(apcupsd_t) - - sysnet_dns_name_resolve(apcupsd_t) - --userdom_use_user_ttys(apcupsd_t) -+systemd_start_power_services(apcupsd_t) -+ -+userdom_use_inherited_user_ttys(apcupsd_t) - - optional_policy(` - hostname_exec(apcupsd_t) -@@ -112,7 +120,6 @@ optional_policy(` - allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) -diff --git a/apm.fc b/apm.fc -index ce27d2f..d20377e 100644 ---- a/apm.fc -+++ b/apm.fc -@@ -1,3 +1,4 @@ -+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0) - /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0) - - /usr/bin/apm -- 
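Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` is added immediately above a context line that already grants it, so the new line is a duplicate and should be dropped, leaving only `corenet_udp_bind_apc_port(apcupsd_t)` as the real addition. Binding the SNMP port is a server-side privilege; the `corenet_udp_sendrecv_snmp_port` client rule is already present in the context below, so if apcupsd only polls an SNMP-capable UPS the bind may not be needed at all — worth a second look rather than a blind merge.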
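Review bot: `init_telinit(apcupsd_t)` is added directly under the comment `#apcupsd runs shutdown, probably need a shutdown domain`, i.e. the change grants the UPS daemon the ability to change the system run state itself while admitting that a transition to a dedicated shutdown domain is the right shape. apm.te in this same patch keeps `shutdown_domtrans(apmd_t)` inside an `optional_policy` block, so the equivalent `shutdown_domtrans(apcupsd_t)` wrapped the same way is available; I would use it and turn the comment into a proper note of why `init_telinit` is still required, if it is. Whether apcupsd invokes `shutdown` or `telinit` directly is not visible here.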
gen_context(system_u:object_r:apm_exec_t,s0) -diff --git a/apm.if b/apm.if -index 1a7a97e..1d29dce 100644 ---- a/apm.if -+++ b/apm.if -@@ -141,6 +141,29 @@ interface(`apm_stream_connect',` - - ######################################## - ## -+## Execute apmd server in the apmd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`apmd_systemctl',` -+ gen_require(` -+ type apmd_t; -+ type apmd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 apmd_unit_file_t:file read_file_perms; -+ allow $1 apmd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, apmd_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an apm environment. - ## -@@ -163,9 +186,13 @@ interface(`apm_admin',` - type apmd_tmp_t; - ') - -- allow $1 apmd_t:process { ptrace signal_perms }; -+ allow $1 apmd_t:process { signal_perms }; - ps_process_pattern($1, apmd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 apmd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, apmd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apmd_initrc_exec_t system_r; -diff --git a/apm.te b/apm.te -index 3590e2f..e1494bd 100644 ---- a/apm.te -+++ b/apm.te -@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) - type apmd_var_run_t; - files_pid_file(apmd_var_run_t) - -+type apmd_unit_file_t; -+systemd_unit_file(apmd_unit_file_t) -+ - ######################################## - # - # Client local policy -@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t) - - fs_getattr_xattr_fs(apm_t) - --term_use_all_terms(apm_t) -+term_use_all_inherited_terms(apm_t) - - domain_use_interactive_fds(apm_t) - -@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t) - # - - allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; --dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; -+dontaudit apmd_t self:capability { setuid dac_override 
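Review bot: The new interface is named `apmd_systemctl`, which breaks the module's `apm_` prefix used by `apm_stream_connect` in the hunk header and by `apm_admin` below; the sibling interfaces added in this patch follow the module prefix (`apcupsd_systemctl`, `arpwatch_systemctl`, `automount_systemctl`, `avahi_systemctl`), so this one should be `apm_systemctl`. The visible `apm_admin` hunk also does not call the new interface or add `admin_pattern($1, apmd_unit_file_t)` the way `apcupsd_admin`, `arpwatch_admin`, `automount_admin` and `avahi_admin` do in this patch; `apm_admin` continues past its hunk, so that may simply be out of view, but it is worth checking that an apm admin can manage the unit file.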
dac_read_search sys_tty_config }; - allow apmd_t self:process { signal_perms getsession }; - allow apmd_t self:fifo_file rw_fifo_file_perms; - allow apmd_t self:netlink_socket create_socket_perms; -@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t) - fs_dontaudit_getattr_all_symlinks(apmd_t) - fs_dontaudit_getattr_all_pipes(apmd_t) - fs_dontaudit_getattr_all_sockets(apmd_t) -- --selinux_search_fs(apmd_t) -+fs_read_cgroup_files(apmd_t) - - corecmd_exec_all_executables(apmd_t) - -@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) - auth_use_nsswitch(apmd_t) - - init_domtrans_script(apmd_t) -+init_read_utmp(apmd_t) -+init_telinit(apmd_t) - - libs_exec_ld_so(apmd_t) - libs_exec_lib_files(apmd_t) -@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t) - logging_send_audit_msgs(apmd_t) - logging_send_syslog_msg(apmd_t) - --miscfiles_read_localization(apmd_t) - miscfiles_read_hwdata(apmd_t) - - modutils_domtrans_insmod(apmd_t) - modutils_read_module_config(apmd_t) - --seutil_dontaudit_read_config(apmd_t) -+seutil_sigchld_newrole(apmd_t) - - userdom_dontaudit_use_unpriv_user_fds(apmd_t) - userdom_dontaudit_search_user_home_dirs(apmd_t) --userdom_dontaudit_search_user_home_content(apmd_t) -+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? 
- - optional_policy(` - automount_domtrans(apmd_t) -@@ -206,11 +209,15 @@ optional_policy(` - ') - - optional_policy(` -- seutil_sigchld_newrole(apmd_t) -+ shutdown_domtrans(apmd_t) - ') - - optional_policy(` -- shutdown_domtrans(apmd_t) -+ sssd_search_lib(apmd_t) -+') -+ -+optional_policy(` -+ systemd_dbus_chat_logind(apmd_t) - ') - - optional_policy(` -diff --git a/apt.if b/apt.if -index e2414c4..970736b 100644 ---- a/apt.if -+++ b/apt.if -@@ -152,7 +152,7 @@ interface(`apt_read_cache',` - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; -- dontaudit $1 apt_var_cache_t:dir write_dir_perms; -+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms; - allow $1 apt_var_cache_t:file read_file_perms; - ') - -diff --git a/apt.te b/apt.te -index e2d8d52..d82403c 100644 ---- a/apt.te -+++ b/apt.te -@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t) - corecmd_exec_bin(apt_t) - corecmd_exec_shell(apt_t) - --corenet_all_recvfrom_unlabeled(apt_t) - corenet_all_recvfrom_netlabel(apt_t) - corenet_tcp_sendrecv_generic_if(apt_t) - corenet_tcp_sendrecv_generic_node(apt_t) -@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t) - domain_use_interactive_fds(apt_t) - - files_exec_usr_files(apt_t) --files_read_etc_files(apt_t) - files_read_etc_runtime_files(apt_t) - - fs_getattr_all_fs(apt_t) - - term_create_pty(apt_t, apt_devpts_t) - term_list_ptys(apt_t) --term_use_all_terms(apt_t) -+term_use_all_inherited_terms(apt_t) - - libs_exec_ld_so(apt_t) - libs_exec_lib_files(apt_t) - - logging_send_syslog_msg(apt_t) - --miscfiles_read_localization(apt_t) -- - seutil_use_newrole_fds(apt_t) - - sysnet_read_config(apt_t) - --userdom_use_user_terminals(apt_t) -+userdom_use_inherited_user_terminals(apt_t) - - optional_policy(` - cron_system_entry(apt_t, apt_exec_t) -diff --git a/arpwatch.fc b/arpwatch.fc -index 9ca0d0f..9a1a61f 100644 ---- a/arpwatch.fc -+++ b/arpwatch.fc -@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) - 
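Review bot: The added line `userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?` leaves an open question in the policy source; a review note like this should be resolved before merge or rewritten as an actionable `# TODO: confirm apmd needs to search user home content`. The hunk also replaces `seutil_dontaudit_read_config(apmd_t)` with an unconditional `seutil_sigchld_newrole(apmd_t)` while the later hunk removes the `optional_policy`-wrapped copy, which is only safe if the seutil module is guaranteed present in every build that includes apm.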
-+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0) -+ - /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) - - /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) -diff --git a/arpwatch.if b/arpwatch.if -index 50c9b9c..51c8cc0 100644 ---- a/arpwatch.if -+++ b/arpwatch.if -@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` - - ######################################## - ## -+## Execute arpwatch server in the arpwatch domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`arpwatch_systemctl',` -+ gen_require(` -+ type arpwatch_t; -+ type arpwatch_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 arpwatch_unit_file_t:file read_file_perms; -+ allow $1 arpwatch_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, arpwatch_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an arpwatch environment. 
- ## -@@ -138,11 +161,16 @@ interface(`arpwatch_admin',` - gen_require(` - type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; - type arpwatch_data_t, arpwatch_var_run_t; -+ type arpwatch_unit_file_t; - ') - -- allow $1 arpwatch_t:process { ptrace signal_perms }; -+ allow $1 arpwatch_t:process signal_perms; - ps_process_pattern($1, arpwatch_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 arpwatch_t:process ptrace; -+ ') -+ - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; -@@ -156,4 +184,8 @@ interface(`arpwatch_admin',` - - files_list_pids($1) - admin_pattern($1, arpwatch_var_run_t) -+ -+ arpwatch_systemctl($1) -+ admin_pattern($1, arpwatch_unit_file_t) -+ allow $1 arpwatch_unit_file_t:service all_service_perms; - ') -diff --git a/arpwatch.te b/arpwatch.te -index fa18c76..fd6911a 100644 ---- a/arpwatch.te -+++ b/arpwatch.te -@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) - type arpwatch_var_run_t; - files_pid_file(arpwatch_var_run_t) - -+type arpwatch_unit_file_t; -+systemd_unit_file(arpwatch_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen }; - allow arpwatch_t self:tcp_socket { accept listen }; - allow arpwatch_t self:packet_socket create_socket_perms; - allow arpwatch_t self:socket create_socket_perms; -+allow arpwatch_t self:netlink_socket create_socket_perms; - - manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) - manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) - manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) - files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) - --kernel_read_kernel_sysctls(arpwatch_t) - kernel_read_network_state(arpwatch_t) -+# meminfo - kernel_read_system_state(arpwatch_t) 
-+kernel_read_kernel_sysctls(arpwatch_t) -+kernel_read_proc_symlinks(arpwatch_t) - kernel_request_load_module(arpwatch_t) - -+corenet_all_recvfrom_netlabel(arpwatch_t) -+corenet_tcp_sendrecv_generic_if(arpwatch_t) -+corenet_udp_sendrecv_generic_if(arpwatch_t) -+corenet_raw_sendrecv_generic_if(arpwatch_t) -+corenet_tcp_sendrecv_generic_node(arpwatch_t) -+corenet_udp_sendrecv_generic_node(arpwatch_t) -+corenet_raw_sendrecv_generic_node(arpwatch_t) -+corenet_tcp_sendrecv_all_ports(arpwatch_t) -+corenet_udp_sendrecv_all_ports(arpwatch_t) -+ - dev_read_sysfs(arpwatch_t) - dev_read_usbmon_dev(arpwatch_t) - dev_rw_generic_usb_dev(arpwatch_t) -@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t) - - domain_use_interactive_fds(arpwatch_t) - --files_read_usr_files(arpwatch_t) - files_search_var_lib(arpwatch_t) - - auth_use_nsswitch(arpwatch_t) - - logging_send_syslog_msg(arpwatch_t) - --miscfiles_read_localization(arpwatch_t) -- - userdom_dontaudit_search_user_home_dirs(arpwatch_t) - userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) - -diff --git a/asterisk.if b/asterisk.if -index 7268a04..6ffd87d 100644 ---- a/asterisk.if -+++ b/asterisk.if -@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',` - domtrans_pattern($1, asterisk_exec_t, asterisk_t) - ') - -+###################################### -+## -+## Execute asterisk in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`asterisk_exec',` -+ gen_require(` -+ type asterisk_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, asterisk_exec_t) -+') -+ - ##################################### - ## - ## Connect to asterisk over a unix domain. 
-@@ -105,9 +124,13 @@ interface(`asterisk_admin',` - type asterisk_var_lib_t, asterisk_initrc_exec_t; - ') - -- allow $1 asterisk_t:process { ptrace signal_perms }; -+ allow $1 asterisk_t:process signal_perms; - ps_process_pattern($1, asterisk_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 asterisk_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; -diff --git a/asterisk.te b/asterisk.te -index 5439f1c..4f8a8a5 100644 ---- a/asterisk.te -+++ b/asterisk.te -@@ -19,7 +19,7 @@ type asterisk_log_t; - logging_log_file(asterisk_log_t) - - type asterisk_spool_t; --files_type(asterisk_spool_t) -+files_spool_file(asterisk_spool_t) - - type asterisk_tmp_t; - files_tmp_file(asterisk_tmp_t) -@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms; - read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) - read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) - --append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) --create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) --setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) -+logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir}) - - manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) - manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) - manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) -+files_spool_file(asterisk_t, asterisk_spool_t, {dir file}) - - manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) - manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) -@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f - - manage_files_pattern(asterisk_t, 
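Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` calls the type-declaration interface — the same one this hunk uses two lines earlier as `files_spool_file(asterisk_spool_t)` — not a file-transition one; by analogy with the `logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})` line just above, this should be `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`. As written, m4 will most likely expand the macro with `$1` bound to `asterisk_t` and ignore the extra arguments, which would mark the asterisk process domain as a spool file type rather than giving it a default label for what it creates in /var/spool. Checking the attributes of `asterisk_t` in the compiled policy would confirm this.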
asterisk_var_lib_t, asterisk_var_lib_t) - -+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) - manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) - manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) - manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) --files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) -- -+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) - can_exec(asterisk_t, asterisk_exec_t) - - kernel_read_kernel_sysctls(asterisk_t) -@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) - corecmd_exec_bin(asterisk_t) - corecmd_exec_shell(asterisk_t) - --corenet_all_recvfrom_unlabeled(asterisk_t) - corenet_all_recvfrom_netlabel(asterisk_t) - corenet_tcp_sendrecv_generic_if(asterisk_t) - corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t) - - domain_use_interactive_fds(asterisk_t) - --files_read_usr_files(asterisk_t) - files_search_spool(asterisk_t) - files_dontaudit_search_home(asterisk_t) - -@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t) - - logging_send_syslog_msg(asterisk_t) - --miscfiles_read_localization(asterisk_t) -- - userdom_dontaudit_use_unpriv_user_fds(asterisk_t) - userdom_dontaudit_search_user_home_dirs(asterisk_t) - -diff --git a/authconfig.fc b/authconfig.fc -new file mode 100644 -index 0000000..4579cfe ---- /dev/null -+++ b/authconfig.fc -@@ -0,0 +1,3 @@ -+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0) -+ -+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0) -diff --git a/authconfig.if b/authconfig.if -new file mode 100644 -index 0000000..316c324 ---- /dev/null -+++ b/authconfig.if -@@ -0,0 +1,127 @@ -+ -+## policy for authconfig -+ -+######################################## -+## -+## Execute TEMPLATE in the authconfig domin. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`authconfig_domtrans',` -+ gen_require(` -+ type authconfig_t, authconfig_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, authconfig_exec_t, authconfig_t) -+') -+ -+######################################## -+## -+## Search authconfig lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authconfig_search_lib',` -+ gen_require(` -+ type authconfig_var_lib_t; -+ ') -+ -+ allow $1 authconfig_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read authconfig lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authconfig_read_lib_files',` -+ gen_require(` -+ type authconfig_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) -+') -+ -+######################################## -+## -+## Manage authconfig lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authconfig_manage_lib_files',` -+ gen_require(` -+ type authconfig_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) -+') -+ -+######################################## -+## -+## Manage authconfig lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authconfig_manage_lib_dirs',` -+ gen_require(` -+ type authconfig_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an authconfig environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`authconfig_admin',` -+ gen_require(` -+ type authconfig_t; -+ type authconfig_var_lib_t; -+ ') -+ -+ allow $1 authconfig_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, authconfig_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, authconfig_var_lib_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/authconfig.te b/authconfig.te -new file mode 100644 -index 0000000..f2aa4e6 ---- /dev/null -+++ b/authconfig.te -@@ -0,0 +1,32 @@ -+policy_module(authconfig, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type authconfig_t; -+type authconfig_exec_t; -+application_domain(authconfig_t, authconfig_exec_t) -+role system_r types authconfig_t; -+ -+type authconfig_var_lib_t; -+files_type(authconfig_var_lib_t) -+ -+######################################## -+# -+# authconfig local policy -+# -+allow authconfig_t self:fifo_file rw_fifo_file_perms; -+allow authconfig_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) -+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) -+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) -+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file }) -+ -+domain_use_interactive_fds(authconfig_t) -+ -+init_domtrans_script(authconfig_t) -+ -+unconfined_domain_noaudit(authconfig_t) -diff --git a/automount.fc b/automount.fc -index 92adb37..0a2ffc6 100644 ---- a/automount.fc -+++ b/automount.fc -@@ -1,6 +1,8 @@ - /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) - /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) - -+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0) -+ - /usr/sbin/automount -- 
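Review bot: `authconfig_admin` grants `allow $1 authconfig_t:process { ptrace signal_perms };` unconditionally, whereas every other `*_admin` interface touched by this patch (apcupsd, apm, arpwatch, asterisk, automount, avahi) now keeps `signal_perms` unconditional and puts `ptrace` behind the `deny_ptrace` tunable_policy wrapper; the new file should follow the same pattern. The summary of `authconfig_domtrans` still reads `Execute TEMPLATE in the authconfig domin.` — the template placeholder and typo should become `Execute authconfig in the authconfig domain.`, and because authconfig.te makes the target domain unconfined, that summary should also say that callers of this transition effectively gain unconfined privileges.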
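Review bot: `unconfined_domain_noaudit(authconfig_t)` makes the explicit `manage_*_pattern` rules on `authconfig_var_lib_t`, `domain_use_interactive_fds` and `init_domtrans_script` above it redundant as grants (only the `files_var_lib_filetrans` default-label rule still does anything), and it turns `/usr/share/authconfig/authconfig\.py` into an unconfined entry point for any domain given `authconfig_domtrans`. If the goal is only to label authconfig's state under /var/lib, a confined domain with the listed rules plus whatever its real writes need would be much narrower; if unconfined is deliberate, a comment above that line stating why — e.g. `# authconfig rewrites arbitrary auth config under /etc; labelling-only module, domain is unconfined` — is needed so the next reader does not mistake the rules above for the effective policy. Which files authconfig actually touches is not visible here, so the wording of that comment should be confirmed.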
gen_context(system_u:object_r:automount_exec_t,s0)
- 
- /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
-diff --git a/automount.if b/automount.if
-index 089430a..b0bed70 100644
---- a/automount.if
-+++ b/automount.if
-@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
- ##
- ##
- #
--#
- interface(`automount_signal',`
- gen_require(`
- type automount_t;
-@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
- 
- ########################################
- ##
-+## Allow domain to search of automount temporary
-+## directories.
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`automount_search_tmp_dirs',`
-+ gen_require(`
-+ type automount_tmp_t;
-+ ')
-+
-+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get
- ## attributes of automount temporary
- ## directories.
-@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
- 
- ########################################
- ##
-+## Execute automount server in the automount domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`automount_systemctl',`
-+ gen_require(`
-+ type automount_t;
-+ type automount_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 automount_unit_file_t:file read_file_perms;
-+ allow $1 automount_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, automount_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an automount environment.
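Review bot: The new `automount_search_tmp_dirs` interface copies the parameter description of the dontaudit interface that follows it — `Domain to not audit.` — but it grants `search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)`, so the parameter text should be `Domain allowed access.`. Since automount.te declares `automount_tmp_t` with `files_mountpoint`, a one-line note in the summary that this exposes the layout of the automount mount tree to the caller, not the contents of what is mounted there, would make the grant easier to judge.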
- ## -@@ -153,11 +194,16 @@ interface(`automount_admin',` - gen_require(` - type automount_t, automount_lock_t, automount_tmp_t; - type automount_var_run_t, automount_initrc_exec_t; -+ type automount_unit_file_t; - ') - -- allow $1 automount_t:process { ptrace signal_perms }; -+ allow $1 automount_t:process signal_perms; - ps_process_pattern($1, automount_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 automount_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; -@@ -171,4 +217,8 @@ interface(`automount_admin',` - - files_list_pids($1) - admin_pattern($1, automount_var_run_t) -+ -+ automount_systemctl($1) -+ admin_pattern($1, automount_unit_file_t) -+ allow $1 automount_unit_file_t:service all_service_perms; - ') -diff --git a/automount.te b/automount.te -index a579c3b..294b5f4 100644 ---- a/automount.te -+++ b/automount.te -@@ -22,12 +22,16 @@ type automount_tmp_t; - files_tmp_file(automount_tmp_t) - files_mountpoint(automount_tmp_t) - -+type automount_unit_file_t; -+systemd_unit_file(automount_unit_file_t) -+ - ######################################## - # - # Local policy - # - --allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -+allow automount_t self:capability2 block_suspend; - dontaudit automount_t self:capability sys_tty_config; - allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; - allow automount_t self:fifo_file rw_fifo_file_perms; -@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t) - corecmd_exec_bin(automount_t) - corecmd_exec_shell(automount_t) - --corenet_all_recvfrom_unlabeled(automount_t) - corenet_all_recvfrom_netlabel(automount_t) - corenet_tcp_sendrecv_generic_if(automount_t) - corenet_udp_sendrecv_generic_if(automount_t) 
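Review bot: The removed and added `allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };` lines are textually identical as rendered, so that part of the hunk is whitespace-only noise that hides the one real change, `allow automount_t self:capability2 block_suspend;`; I would drop the no-op replacement. The `block_suspend` grant deserves a why-comment, presumably along the lines of `# automount holds a wake lock while a mount is in flight` — confirm against the daemon's actual behaviour before wording it.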
-@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t)
- files_mounton_all_mountpoints(automount_t)
- files_mounton_mnt(automount_t)
- files_read_etc_runtime_files(automount_t)
--files_read_usr_files(automount_t)
- files_search_boot(automount_t)
- files_search_all(automount_t)
- files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
- logging_send_syslog_msg(automount_t)
- logging_search_logs(automount_t)
- 
--miscfiles_read_localization(automount_t)
- miscfiles_read_generic_certs(automount_t)
- 
--mount_domtrans(automount_t)
--mount_signal(automount_t)
--
- userdom_dontaudit_use_unpriv_user_fds(automount_t)
- 
- optional_policy(`
-+ # Run mount in the mount_t domain.
-+ mount_domtrans(automount_t)
-+ mount_domtrans_showmount(automount_t)
-+ mount_signal(automount_t)
-+')
-+
-+optional_policy(`
- fstools_domtrans(automount_t)
- ')
- 
-@@ -160,3 +165,8 @@ optional_policy(`
- optional_policy(`
- udev_read_db(automount_t)
- ')
-+
-+tunable_policy(`mount_anyfile',`
-+ files_mounton_non_security(automount_t)
-+')
-+
-diff --git a/avahi.fc b/avahi.fc
-index e9fe2ca..4c2d076 100644
---- a/avahi.fc
-+++ b/avahi.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
- 
-+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
-+
- /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
-diff --git a/avahi.if b/avahi.if
-index aebe7cb..33fe57b 100644
---- a/avahi.if
-+++ b/avahi.if
-@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
- ########################################
- ##
- ## Connect to avahi using a unix
--$$ stream socket.
-+## stream socket.
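Review bot: The tunable_policy block appended to automount.te references the boolean mount_anyfile, but no gen_tunable declaring it is visible in this file; if the declaration lives in another module (mount, presumably), this block needs its own gen_require for `bool mount_anyfile;` or should sit next to the declaration, otherwise automount fails to link when that module is absent — worth confirming against the build. The rule it toggles, `files_mounton_non_security(automount_t)`, lets automount mount over any file or directory that is not a security type, the same broad escape hatch mount_t gets, so it deserves a why-comment such as `# mount_anyfile: let automount mount over arbitrary non-security files, as mount_t does`. The mount_domtrans/mount_signal rules moved into the new optional_policy block also gain a comment already; the tunable block should get the same treatment.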
- ## - ## - ## -@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',` - - ######################################## - ## -+## Execute avahi server in the avahi domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`avahi_systemctl',` -+ gen_require(` -+ type avahi_t; -+ type avahi_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 avahi_unit_file_t:file read_file_perms; -+ allow $1 avahi_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, avahi_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an avahi environment. - ## -@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',` - interface(`avahi_admin',` - gen_require(` - type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; -+ type avahi_unit_file_t; - type avahi_var_lib_t; - ') - -- allow $1 avahi_t:process { ptrace signal_perms }; -+ allow $1 avahi_t:process signal_perms; - ps_process_pattern($1, avahi_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 avahi_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, avahi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; -@@ -169,4 +197,8 @@ interface(`avahi_admin',` - - files_search_var_lib($1) - admin_pattern($1, avahi_var_lib_t) -+ -+ avahi_systemctl($1) -+ admin_pattern($1, avahi_unit_file_t) -+ allow $1 avahi_unit_file_t:service all_service_perms; - ') -diff --git a/avahi.te b/avahi.te -index 60e76be..0730647 100644 ---- a/avahi.te -+++ b/avahi.te -@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) - - type avahi_var_run_t; - files_pid_file(avahi_var_run_t) -+init_sock_file(avahi_var_run_t) -+ -+type avahi_unit_file_t; -+systemd_unit_file(avahi_unit_file_t) - - ######################################## - # -@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t) - corecmd_exec_bin(avahi_t) - corecmd_exec_shell(avahi_t) - --corenet_all_recvfrom_unlabeled(avahi_t) - 
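Review bot: The summary on the new avahi_systemctl interface, "Execute avahi server in the avahi domain.", describes a domain transition, but the body grants systemd_exec_systemctl, read access to avahi_unit_file_t and manage_service_perms on it — that is control of the avahi service through systemctl, and the parameter text "Domain allowed to transition." is equally off. The same copy-pasted summary recurs on bcfg2_systemctl, bind_systemctl and bluetooth_systemctl later in this patch. Replace it with `## Manage the avahi service with systemctl: read its unit file, start/stop/reload the unit and read avahi_t process state.` and describe the parameter as the domain allowed to control the service.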
corenet_all_recvfrom_netlabel(avahi_t) - corenet_tcp_sendrecv_generic_if(avahi_t) - corenet_udp_sendrecv_generic_if(avahi_t) -@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t) - fs_list_inotifyfs(avahi_t) - - domain_use_interactive_fds(avahi_t) -+domain_dontaudit_signull_all_domains(avahi_t) - - files_read_etc_runtime_files(avahi_t) --files_read_usr_files(avahi_t) - - auth_use_nsswitch(avahi_t) - -@@ -83,13 +86,14 @@ init_signull_script(avahi_t) - - logging_send_syslog_msg(avahi_t) - --miscfiles_read_localization(avahi_t) - miscfiles_read_generic_certs(avahi_t) - - sysnet_domtrans_ifconfig(avahi_t) - sysnet_manage_config(avahi_t) - sysnet_etc_filetrans_config(avahi_t) - -+systemd_login_signull(avahi_t) -+ - userdom_dontaudit_use_unpriv_user_fds(avahi_t) - userdom_dontaudit_search_user_home_dirs(avahi_t) - -diff --git a/awstats.te b/awstats.te -index d6ab824..116176d 100644 ---- a/awstats.te -+++ b/awstats.te -@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t) - dev_read_urand(awstats_t) - - files_dontaudit_search_all_mountpoints(awstats_t) --files_read_etc_files(awstats_t) --files_read_usr_files(awstats_t) - - fs_list_inotifyfs(awstats_t) - -@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t) - - logging_read_generic_logs(awstats_t) - --miscfiles_read_localization(awstats_t) -- - sysnet_dns_name_resolve(awstats_t) - - tunable_policy(`awstats_purge_apache_log_files',` -@@ -90,9 +86,13 @@ optional_policy(` - # CGI local policy - # - -+apache_read_log(httpd_awstats_script_t) -+ -+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file }) -+ - allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; - - read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) - files_search_var_lib(httpd_awstats_script_t) -- --apache_read_log(httpd_awstats_script_t) -diff --git a/backup.te 
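Review bot: The web-reachable CGI domain httpd_awstats_script_t is now given manage_dirs_pattern/manage_files_pattern on awstats_tmp_t plus a files_tmp_filetrans into it, so scratch files created by a CGI request carry the same label as whatever awstats_t keeps in /tmp (awstats_t's own awstats_tmp_t rules are outside this hunk). If awstats_t parses, trusts or executes anything it finds under that type, a request to the CGI can plant it; a dedicated tmp type for the CGI's scratch files would keep the two flows apart, and failing that the shared type should at least carry a comment like `# CGI and awstats_t share awstats_tmp_t; awstats_t must never exec or trust files found there`. The manage permissions also include unlink and rename, which is wider than the read-only access the CGI gets on awstats_var_lib_t two lines below; confirm delete/rename are actually needed.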
b/backup.te -index d6ceef4..c10d39c 100644 ---- a/backup.te -+++ b/backup.te -@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t) - corecmd_exec_bin(backup_t) - corecmd_exec_shell(backup_t) - --corenet_all_recvfrom_unlabeled(backup_t) - corenet_all_recvfrom_netlabel(backup_t) - corenet_tcp_sendrecv_generic_if(backup_t) - corenet_tcp_sendrecv_generic_node(backup_t) -@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t) - - sysnet_read_config(backup_t) - --userdom_use_user_terminals(backup_t) -+userdom_use_inherited_user_terminals(backup_t) - - optional_policy(` - cron_system_entry(backup_t, backup_exec_t) -diff --git a/bacula.te b/bacula.te -index 3beba2f..7ca4480 100644 ---- a/bacula.te -+++ b/bacula.te -@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) - - domain_use_interactive_fds(bacula_admin_t) - --files_read_etc_files(bacula_admin_t) - --miscfiles_read_localization(bacula_admin_t) - - sysnet_dns_name_resolve(bacula_admin_t) - -diff --git a/bcfg2.fc b/bcfg2.fc -index fb42e35..8af0e14 100644 ---- a/bcfg2.fc -+++ b/bcfg2.fc -@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) - -+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0) -+ - /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) - - /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) -diff --git a/bcfg2.if b/bcfg2.if -index ec95d36..7132e1e 100644 ---- a/bcfg2.if -+++ b/bcfg2.if -@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',` - - ######################################## - ## -+## Execute bcfg2 server in the bcfg2 domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`bcfg2_systemctl',` -+ gen_require(` -+ type bcfg2_t; -+ type bcfg2_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 bcfg2_unit_file_t:file read_file_perms; -+ allow $1 bcfg2_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, bcfg2_t) -+') -+ -+ -+######################################## -+## - ## All of the rules required to - ## administrate an bcfg2 environment. - ## -@@ -136,11 +161,16 @@ interface(`bcfg2_admin',` - gen_require(` - type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; - type bcfg2_var_run_t; -+ type bcfg2_unit_file_t; - ') - -- allow $1 bcfg2_t:process { ptrace signal_perms }; -+ allow $1 bcfg2_t:process { signal_perms }; - ps_process_pattern($1, bcfg2_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 bcfg2_t:process ptrace; -+ ') -+ - bcfg2_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 bcfg2_initrc_exec_t system_r; -@@ -151,4 +181,13 @@ interface(`bcfg2_admin',` - - files_search_var_lib($1) - admin_pattern($1, bcfg2_var_lib_t) -+ -+ bcfg2_systemctl($1) -+ admin_pattern($1, bcfg2_unit_file_t) -+ allow $1 bcfg2_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/bcfg2.te b/bcfg2.te -index 536ec3c..271b976 100644 ---- a/bcfg2.te -+++ b/bcfg2.te -@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) - type bcfg2_var_lib_t; - files_type(bcfg2_var_lib_t) - -+type bcfg2_unit_file_t; -+systemd_unit_file(bcfg2_unit_file_t) -+ - type bcfg2_var_run_t; - files_pid_file(bcfg2_var_run_t) - -@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t) - - domain_use_interactive_fds(bcfg2_t) - --files_read_usr_files(bcfg2_t) - - auth_use_nsswitch(bcfg2_t) - - logging_send_syslog_msg(bcfg2_t) -- --miscfiles_read_localization(bcfg2_t) -diff --git a/bind.fc b/bind.fc -index 2b9a3a1..1742ebf 100644 ---- a/bind.fc -+++ b/bind.fc -@@ -1,54 
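Review bot: bcfg2_systemctl grants `systemd_read_fifo_file_passwd_run($1)` unconditionally, and bcfg2_admin then grants it a second time inside an optional_policy block next to systemd_passwd_agent_exec; the second grant is redundant, and if the systemd module can be absent it is the unconditional reference that would break linking. None of the sibling *_systemctl interfaces in this patch (avahi, bind, bluetooth) read the password-agent fifo, so unless bcfg2-server is known to prompt through systemd-ask-password the line should be removed from bcfg2_systemctl and kept only in the optional block of bcfg2_admin. Minor style point: `allow $1 bcfg2_t:process { signal_perms };` needs no braces around a single permission set; the neighbouring admin interfaces write `allow $1 bcfg2_t:process signal_perms;`.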
+1,71 @@ --/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) --/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - --/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) --/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) --/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) --/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) --/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) --/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) --/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) --/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) --/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) --/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) --/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) --/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/unbound(/.*)? 
gen_context(system_u:object_r:named_conf_t,s0) -+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+ -+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) -+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) - - /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) --/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) --/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) --/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) -+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) - /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) -+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) -+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0) - --/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) --/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - --/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) -+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - --/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) -+ifdef(`distro_debian',` -+/etc/bind(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0) -+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+') -+ -+ifdef(`distro_gentoo',` -+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -+') - --/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) --/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) --/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+ifdef(`distro_redhat',` -+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) - /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) --/var/named/chroot(/.*)? 
gen_context(system_u:object_r:named_conf_t,s0) --/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) --/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) --/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) --/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) --/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) -+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) -+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) - /var/named/chroot/proc(/.*)? <> --/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) --/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) --/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) --/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) --/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) -+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) - /var/named/chroot/var/named/dynamic(/.*)? 
gen_context(system_u:object_r:named_cache_t,s0) --/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) -+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) - /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) --/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -- --/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) --/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) --/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) --/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+') -diff --git a/bind.if b/bind.if -index 866a1e2..6c2dbe4 100644 ---- a/bind.if -+++ b/bind.if -@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` - - ######################################## - ## -+## Execute bind server in the bind domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`bind_systemctl',` -+ gen_require(` -+ type named_unit_file_t; -+ type named_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 named_unit_file_t:file read_file_perms; -+ allow $1 named_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, named_t) -+') -+ -+######################################## -+## - ## Execute ndc in the ndc domain. - ## - ## -@@ -169,6 +192,7 @@ interface(`bind_read_config',` - type named_conf_t; - ') - -+ allow $1 named_conf_t:dir list_dir_perms; - read_files_pattern($1, named_conf_t, named_conf_t) - ') - -@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',` - - ######################################## - ## -+## Create, read, write, and delete -+## BIND configuration files. -+## -+## -+## -+## Domain allowed access. 
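Review bot: In the distro_redhat block the new specs `/etc/named\.rfc1912.zones` and `/var/named/chroot/etc/named\.rfc1912.zones` leave the second dot unescaped, whereas the lines they replace escaped it as `\.zones`; file-context specs are regular expressions, so the new forms match any single character in that position and can label unintended files as named_conf_t. Restore `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)` and the matching chroot line. The reorganisation into distro_debian/distro_gentoo/distro_redhat blocks is otherwise a straight move of the existing specs.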
-+## -+## -+# -+interface(`bind_manage_config',` -+ gen_require(` -+ type named_conf_t; -+ ') -+ -+ manage_files_pattern($1, named_conf_t, named_conf_t) -+') -+ -+######################################## -+## - ## Search bind cache directories. - ## - ## -@@ -310,6 +353,27 @@ interface(`bind_read_zone',` - - ######################################## - ## -+## Read BIND zone files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`bind_read_log',` -+ gen_require(` -+ type named_zone_t; -+ type named_log_t; -+ ') -+ -+ files_search_var($1) -+ allow $1 named_zone_t:dir search_dir_perms; -+ read_files_pattern($1, named_log_t, named_log_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete - ## bind zone files. - ## -@@ -362,12 +426,20 @@ interface(`bind_udp_chat_named',` - interface(`bind_admin',` - gen_require(` - type named_t, named_tmp_t, named_log_t; -- type named_cache_t, named_zone_t, named_initrc_exec_t; -- type dnssec_t, ndc_t, named_conf_t, named_var_run_t; -+ type named_conf_t, named_var_run_t, named_cache_t; -+ type named_zone_t, named_initrc_exec_t; -+ type dnssec_t, ndc_t, named_keytab_t; -+ type named_unit_file_t; - ') - -- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { named_t ndc_t }) -+ allow $1 named_t:process signal_perms; -+ ps_process_pattern($1, named_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 named_t:process ptrace; -+ ') -+ -+ bind_run_ndc($1, $2) - - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) -@@ -383,11 +455,15 @@ interface(`bind_admin',` - files_list_etc($1) - admin_pattern($1, named_conf_t) - -+ admin_pattern($1, named_keytab_t) -+ - files_list_var($1) - admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) - - files_list_pids($1) - admin_pattern($1, named_var_run_t) - -- bind_run_ndc($1, $2) -+ admin_pattern($1, named_unit_file_t) -+ bind_systemctl($1) -+ allow $1 
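Review bot: The new bind_read_log interface is summarised as "Read BIND zone files.", but its body reads named_log_t and only searches named_zone_t directories, so the summary was evidently copied from bind_read_zone above it. Change it to `## Read BIND log files.` and, because a search on named_zone_t is not obvious in a log reader, add a why-comment on that allow, for example `# /var/named is named_zone_t; search it so logs below that tree are reachable` — hedged, since the exact path the search is meant to satisfy is not visible in this hunk.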
named_unit_file_t:service all_service_perms; - ') -diff --git a/bind.te b/bind.te -index 076ffee..1672ca4 100644 ---- a/bind.te -+++ b/bind.te -@@ -34,7 +34,7 @@ type named_checkconf_exec_t; - init_system_domain(named_t, named_checkconf_exec_t) - - type named_conf_t; --files_type(named_conf_t) -+files_config_file(named_conf_t) - files_mountpoint(named_conf_t) - - # for secondary zone files -@@ -44,6 +44,9 @@ files_type(named_cache_t) - type named_initrc_exec_t; - init_script_file(named_initrc_exec_t) - -+type named_unit_file_t; -+systemd_unit_file(named_unit_file_t) -+ - type named_log_t; - logging_log_file(named_log_t) - -@@ -68,8 +71,9 @@ role ndc_roles types ndc_t; - # Local policy - # - --allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; - dontaudit named_t self:capability sys_tty_config; -+allow named_t self:capability2 block_suspend; - allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; - allow named_t self:fifo_file rw_fifo_file_perms; - allow named_t self:unix_stream_socket { accept listen }; -@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) - - can_exec(named_t, named_exec_t) - --append_files_pattern(named_t, named_log_t, named_log_t) --create_files_pattern(named_t, named_log_t, named_log_t) --setattr_files_pattern(named_t, named_log_t, named_log_t) -+manage_files_pattern(named_t, named_log_t, named_log_t) - logging_log_filetrans(named_t, named_log_t, file) - - manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) - - corecmd_search_bin(named_t) - --corenet_all_recvfrom_unlabeled(named_t) - corenet_all_recvfrom_netlabel(named_t) - corenet_tcp_sendrecv_generic_if(named_t) - corenet_udp_sendrecv_generic_if(named_t) -@@ -139,6 +140,7 @@ 
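Review bot: bind_admin now requires `type named_keytab_t` and applies admin_pattern to it, but the only place this patch produces that type is `kerberos_keytab_template(named, named_t)`, which bind.te wraps in optional_policy; if the kerberos module is what declares named_keytab_t, every policy calling bind_admin fails to link whenever kerberos is not loaded. Move the keytab lines into an optional_policy block with their own gen_require, or declare the type unconditionally. Also, the old `ps_process_pattern($1, { named_t ndc_t })` shrank to named_t only while `bind_run_ndc($1, $2)` moved up; confirm that bind_run_ndc (outside this hunk) still supplies the ndc_t process-read access administrators previously had.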
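Review bot: `net_admin` is added to named_t's self:capability set with no comment; for a network-facing daemon this capability covers interface, routing and privileged socket-option changes, far more than binding its listener ports. Record the denial that motivated it so the next reviewer can judge whether it is still needed, e.g. `# net_admin: required for privileged setsockopt on listener sockets — confirm against the AVC that triggered it` (hedged: the actual trigger is not visible here). The `capability2 block_suspend` line next to it is harmless by comparison but would benefit from the same one-line justification.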
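Review bot: Replacing the append/create/setattr patterns on named_log_t with `manage_files_pattern(named_t, named_log_t, named_log_t)` also grants named_t unlink, rename and write (hence truncate) on its own log files, so a compromised named can erase its trail; the previous rule set kept the logs append-only from the daemon's point of view. If the permission that was actually missing is read or rename for log rotation, add only that (`read_files_pattern(named_t, named_log_t, named_log_t)` or a specific allow) and keep the append-only pattern, with a comment naming the operation that needed it.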
corenet_tcp_sendrecv_all_ports(named_t) - dev_read_sysfs(named_t) - dev_read_rand(named_t) - dev_read_urand(named_t) -+dev_dontaudit_write_urand(named_t) - - domain_use_interactive_fds(named_t) - -@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` - ') - - optional_policy(` -+ # needed by FreeIPA with DNS support -+ dirsrv_stream_connect(named_t) -+') -+ -+optional_policy(` -+ cron_system_entry(named_t, named_exec_t) -+') -+ -+optional_policy(` - dbus_system_domain(named_t, named_exec_t) - - init_dbus_chat_script(named_t) -@@ -183,6 +194,7 @@ optional_policy(` - - optional_policy(` - kerberos_keytab_template(named, named_t) -+ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25") - ') - - optional_policy(` -@@ -209,7 +221,8 @@ optional_policy(` - # - - allow ndc_t self:capability { dac_override net_admin }; --allow ndc_t self:process signal_perms; -+allow ndc_t self:capability2 block_suspend; -+allow ndc_t self:process { fork signal_perms }; - allow ndc_t self:fifo_file rw_fifo_file_perms; - allow ndc_t self:unix_stream_socket { accept listen }; - -@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; - - allow ndc_t named_zone_t:dir search_dir_perms; - --kernel_read_kernel_sysctls(ndc_t) - kernel_read_system_state(ndc_t) -+kernel_read_kernel_sysctls(ndc_t) - --corenet_all_recvfrom_unlabeled(ndc_t) - corenet_all_recvfrom_netlabel(ndc_t) - corenet_tcp_sendrecv_generic_if(ndc_t) - corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) - - logging_send_syslog_msg(ndc_t) - --miscfiles_read_localization(ndc_t) -+userdom_use_inherited_user_terminals(ndc_t) - - userdom_use_user_terminals(ndc_t) - -diff --git a/bird.te b/bird.te -index d4d71ec..f53b135 100644 ---- a/bird.te -+++ b/bird.te -@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t) - corenet_tcp_sendrecv_bgp_port(bird_t) - - # /etc/iproute2/rt_realms --files_read_etc_files(bird_t) - - logging_send_syslog_msg(bird_t) - -diff --git 
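Review bot: `userdom_use_inherited_user_terminals(ndc_t)` is added while `userdom_use_user_terminals(ndc_t)` is kept one line below; as its name indicates, the inherited variant grants a subset of the full terminal access, so one of the two lines is dead weight — keep only the inherited form if rndc merely needs the tty it was started on, otherwise drop the new line. The hunk substitutes it for miscfiles_read_localization, which reads like a mechanical replacement rather than an intended pairing, so the resulting rule set is worth a second look.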
a/bitlbee.if b/bitlbee.if -index e73fb79..2badfc0 100644 ---- a/bitlbee.if -+++ b/bitlbee.if -@@ -44,9 +44,13 @@ interface(`bitlbee_admin',` - type bitlbee_log_t, bitlbee_tmp_t; - ') - -- allow $1 bitlbee_t:process { ptrace signal_perms }; -+ allow $1 bitlbee_t:process signal_perms; - ps_process_pattern($1, bitlbee_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 bitlbee_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; -diff --git a/bitlbee.te b/bitlbee.te -index ac8c91e..80ecd7e 100644 ---- a/bitlbee.te -+++ b/bitlbee.te -@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) - - allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; - allow bitlbee_t self:process { setsched signal }; -+ - allow bitlbee_t self:fifo_file rw_fifo_file_perms; --allow bitlbee_t self:tcp_socket { accept listen }; --allow bitlbee_t self:unix_stream_socket { accept listen }; -+allow bitlbee_t self:udp_socket create_socket_perms; -+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; -+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; -+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; - - allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; - allow bitlbee_t bitlbee_conf_t:file read_file_perms; -@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; - manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) - append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) - create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) -+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) - setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) - - manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) - manage_sock_files_pattern(bitlbee_t, 
bitlbee_var_run_t, bitlbee_var_run_t) - files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) - --kernel_read_kernel_sysctls(bitlbee_t) - kernel_read_system_state(bitlbee_t) -+kernel_read_kernel_sysctls(bitlbee_t) - - corenet_all_recvfrom_unlabeled(bitlbee_t) - corenet_all_recvfrom_netlabel(bitlbee_t) -@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) - dev_read_rand(bitlbee_t) - dev_read_urand(bitlbee_t) - --files_read_usr_files(bitlbee_t) -- - libs_legacy_use_shared_libs(bitlbee_t) - - auth_use_nsswitch(bitlbee_t) - - logging_send_syslog_msg(bitlbee_t) - --miscfiles_read_localization(bitlbee_t) -- - optional_policy(` - tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) - ') -diff --git a/blueman.fc b/blueman.fc -index c295d2e..4f84e9c 100644 ---- a/blueman.fc -+++ b/blueman.fc -@@ -1,3 +1,4 @@ -+ - /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) - - /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) -diff --git a/blueman.if b/blueman.if -index 16ec525..1dd4059 100644 ---- a/blueman.if -+++ b/blueman.if -@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',` - - allow $1 blueman_t:dbus send_msg; - allow blueman_t $1:dbus send_msg; -+ ps_process_pattern(blueman_t, $1) - ') - - ######################################## -diff --git a/blueman.te b/blueman.te -index bc5c984..63a4b1d 100644 ---- a/blueman.te -+++ b/blueman.te -@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) - - type blueman_t; - type blueman_exec_t; --dbus_system_domain(blueman_t, blueman_exec_t) -+init_daemon_domain(blueman_t, blueman_exec_t) - - type blueman_var_lib_t; - files_type(blueman_var_lib_t) -@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t) - # - - allow blueman_t self:capability { net_admin sys_nice }; --allow blueman_t self:process { signal_perms setsched }; -+allow blueman_t self:process { execmem signal_perms setsched }; -+ - allow blueman_t self:fifo_file rw_fifo_file_perms; - - 
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) - manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) - files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) - --kernel_read_net_sysctls(blueman_t) -+kernel_rw_net_sysctls(blueman_t) - kernel_read_system_state(blueman_t) - kernel_request_load_module(blueman_t) - -@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t) - dev_read_rand(blueman_t) - dev_read_urand(blueman_t) - dev_rw_wireless(blueman_t) -+dev_rwx_zero(blueman_t) - - domain_use_interactive_fds(blueman_t) - - files_list_tmp(blueman_t) --files_read_usr_files(blueman_t) - - auth_use_nsswitch(blueman_t) - - logging_send_syslog_msg(blueman_t) - --miscfiles_read_localization(blueman_t) -- - sysnet_domtrans_ifconfig(blueman_t) -+sysnet_dns_name_resolve(blueman_t) - - optional_policy(` - avahi_domtrans(blueman_t) - ') - - optional_policy(` -+ bluetooth_read_config(blueman_t) -+') -+ -+optional_policy(` -+ dbus_system_domain(blueman_t, blueman_exec_t) -+') -+ -+optional_policy(` - dnsmasq_domtrans(blueman_t) - dnsmasq_read_pid_files(blueman_t) - ') - - optional_policy(` -+ gnome_search_gconf(blueman_t) -+') -+ -+optional_policy(` - iptables_domtrans(blueman_t) - ') -+ -+optional_policy(` -+ xserver_read_state_xdm(blueman_t) -+') -diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f3..0086b95 100644 ---- a/bluetooth.fc -+++ b/bluetooth.fc -@@ -5,10 +5,14 @@ - /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - -+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0) -+ - /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) - /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/bin/hidd -- 
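Review bot: `dev_rwx_zero(blueman_t)`, combined with the execmem added to blueman_t's process permissions in the preceding hunk, lets the daemon create writable-and-executable mappings, removing W^X from a root service that in the same file also gains `kernel_rw_net_sysctls` and keeps `sysnet_domtrans_ifconfig`. This pattern is usually a JIT or ffi library artefact rather than a need of the program itself; the motivating AVC should be named in a comment, e.g. `# rwx /dev/zero mapping: ffi/ctypes trampolines in blueman-mechanism — verify and drop when the library no longer needs it`, and if it is a library artefact gating it behind a boolean would be preferable to an unconditional allow.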
gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - - /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -diff --git a/bluetooth.if b/bluetooth.if -index c723a0a..3e8a553 100644 ---- a/bluetooth.if -+++ b/bluetooth.if -@@ -37,7 +37,12 @@ interface(`bluetooth_role',` - domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - - ps_process_pattern($2, bluetooth_helper_t) -- allow $2 bluetooth_helper_t:process { ptrace signal_perms }; -+ -+ allow $2 bluetooth_helper_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 bluetooth_helper_t:process ptrace; -+ ') - - allow $2 bluetooth_t:socket rw_socket_perms; - -@@ -45,8 +50,10 @@ interface(`bluetooth_role',` - allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - -+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -+ bluetooth_stream_connect($2) - stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) -- files_search_pids($2) - ') - - ##################################### -@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',` - - ######################################## - ## -+## dontaudit Send and receive messages from -+## bluetooth over dbus. -+## -+## -+## -+## Domain to not audit. 
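Review bot: In bluetooth_role, `bluetooth_stream_connect($2)` is inserted directly above the pre-existing `stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)`, so the role now carries the same connect access twice, while the `files_search_pids($2)` that let the explicit pattern reach /var/run was removed — presumably because bluetooth_stream_connect (outside this hunk) supplies it. Drop the explicit stream_connect_pattern line and keep only the interface call so the search permission and the connect rule live in one place. The new manage_dirs/manage_files grants on bluetooth_helper_tmpfs_t overlap the manage_file_perms already given on that type two lines up; one form suffices.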
-+## -+## -+# -+interface(`bluetooth_dontaudit_dbus_chat',` -+ gen_require(` -+ type bluetooth_t; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 bluetooth_t:dbus send_msg; -+ dontaudit bluetooth_t $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) - ## - ## -@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',` - - ######################################## - ## -+## Execute bluetooth server in the bluetooth domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`bluetooth_systemctl',` -+ gen_require(` -+ type bluetooth_t; -+ type bluetooth_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 bluetooth_unit_file_t:file read_file_perms; -+ allow $1 bluetooth_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, bluetooth_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an bluetooth environment. 
- ## -@@ -210,12 +261,16 @@ interface(`bluetooth_admin',` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_var_lib_t, bluetooth_var_run_t; - type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; -- type bluetooth_initrc_exec_t; -+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t; - ') - -- allow $1 bluetooth_t:process { ptrace signal_perms }; -+ allow $1 bluetooth_t:process signal_perms; - ps_process_pattern($1, bluetooth_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 bluetooth_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; -@@ -235,4 +290,8 @@ interface(`bluetooth_admin',` - - files_list_pids($1) - admin_pattern($1, bluetooth_var_run_t) -+ -+ bluetooth_systemctl($1) -+ admin_pattern($1, bluetooth_unit_file_t) -+ allow $1 bluetooth_unit_file_t:service all_service_perms; - ') -diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..231de05 100644 ---- a/bluetooth.te -+++ b/bluetooth.te -@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) - type bluetooth_var_run_t; - files_pid_file(bluetooth_var_run_t) - -+type bluetooth_unit_file_t; -+systemd_unit_file(bluetooth_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) - - manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) - manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) --files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) -+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file }) - - manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) - manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, 
bluetooth_var_run_t, { file sock_file }) - - can_exec(bluetooth_t, bluetooth_helper_exec_t) - -+corecmd_exec_bin(bluetooth_t) -+corecmd_exec_shell(bluetooth_t) -+ - kernel_read_kernel_sysctls(bluetooth_t) - kernel_read_system_state(bluetooth_t) - kernel_read_network_state(bluetooth_t) - kernel_request_load_module(bluetooth_t) - kernel_search_debugfs(bluetooth_t) - --corecmd_exec_bin(bluetooth_t) --corecmd_exec_shell(bluetooth_t) -+corenet_all_recvfrom_netlabel(bluetooth_t) -+corenet_tcp_sendrecv_generic_if(bluetooth_t) -+corenet_udp_sendrecv_generic_if(bluetooth_t) -+corenet_raw_sendrecv_generic_if(bluetooth_t) -+corenet_tcp_sendrecv_generic_node(bluetooth_t) -+corenet_udp_sendrecv_generic_node(bluetooth_t) -+corenet_raw_sendrecv_generic_node(bluetooth_t) -+corenet_tcp_sendrecv_all_ports(bluetooth_t) -+corenet_udp_sendrecv_all_ports(bluetooth_t) - - dev_read_sysfs(bluetooth_t) - dev_rw_usbfs(bluetooth_t) -@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t) - domain_dontaudit_search_all_domains_state(bluetooth_t) - - files_read_etc_runtime_files(bluetooth_t) --files_read_usr_files(bluetooth_t) - - fs_getattr_all_fs(bluetooth_t) - fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t) - - logging_send_syslog_msg(bluetooth_t) - --miscfiles_read_localization(bluetooth_t) - miscfiles_read_fonts(bluetooth_t) - miscfiles_read_hwdata(bluetooth_t) - -@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) - userdom_dontaudit_use_user_terminals(bluetooth_t) - userdom_dontaudit_search_user_home_dirs(bluetooth_t) - -+# machine-info -+systemd_hostnamed_read_config(bluetooth_t) -+systemd_dbus_chat_hostnamed(bluetooth_t) -+ - optional_policy(` - dbus_system_bus_client(bluetooth_t) -+ dbus_connect_system_bus(bluetooth_t) - - optional_policy(` - cups_dbus_chat(bluetooth_t) -@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t) - domain_read_all_domains_state(bluetooth_helper_t) - - 
files_read_etc_runtime_files(bluetooth_helper_t) --files_read_usr_files(bluetooth_helper_t) - files_dontaudit_list_default(bluetooth_helper_t) - - term_dontaudit_use_all_ttys(bluetooth_helper_t) -diff --git a/boinc.fc b/boinc.fc -index 6d3ccad..bda740a 100644 ---- a/boinc.fc -+++ b/boinc.fc -@@ -1,9 +1,12 @@ --/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) - --/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) -+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) - --/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) --/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) --/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) - --/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) -+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) -+ -+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) -+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -+ -+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) -diff --git a/boinc.if b/boinc.if -index 02fefaa..fbcef10 100644 ---- a/boinc.if -+++ b/boinc.if -@@ -1,9 +1,165 @@ --## Platform for computing using volunteered resources. -+## policy for boinc - - ######################################## - ## --## All of the rules required to --## administrate an boinc environment. -+## Execute a domain transition to run boinc. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`boinc_domtrans',` -+ gen_require(` -+ type boinc_t, boinc_exec_t; -+ ') -+ -+ domtrans_pattern($1, boinc_exec_t, boinc_t) -+') -+ -+####################################### -+## -+## Execute boinc server in the boinc domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`boinc_initrc_domtrans',` -+ gen_require(` -+ type boinc_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, boinc_initrc_exec_t) -+') -+ -+####################################### -+## -+## Dontaudit getattr on boinc lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`boinc_dontaudit_getattr_lib',` -+ gen_require(` -+ type boinc_var_lib_t; -+ ') -+ -+ dontaudit $1 boinc_var_lib_t:file getattr; -+') -+ -+######################################## -+## -+## Search boinc lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`boinc_search_lib',` -+ gen_require(` -+ type boinc_var_lib_t; -+ ') -+ -+ allow $1 boinc_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read boinc lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`boinc_read_lib_files',` -+ gen_require(` -+ type boinc_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## boinc lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`boinc_manage_lib_files',` -+ gen_require(` -+ type boinc_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+') -+ -+######################################## -+## -+## Manage boinc var_lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`boinc_manage_var_lib',` -+ gen_require(` -+ type boinc_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+') -+ -+####################################### -+## -+## Execute boinc server in the boinc domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`boinc_systemctl',` -+ gen_require(` -+ type boinc_t; -+ type boinc_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 boinc_unit_file_t:file read_file_perms; -+ allow $1 boinc_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, boinc_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an boinc environment. - ## - ## - ## -@@ -19,26 +175,32 @@ - # - interface(`boinc_admin',` - gen_require(` -- -- type boinc_t, boinc_project_t, boinc_log_t; -- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t; -- type boinc_project_var_lib_t, boinc_project_tmp_t; -+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; -+ type boinc_unit_file_t; - ') - -- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { boinc_t boinc_project_t }) -+ allow $1 boinc_t:process signal_perms; -+ ps_process_pattern($1, boinc_t) - -- init_labeled_script_domtrans($1, boinc_initrc_exec_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 boinc_t:process ptrace; -+ ') -+ -+ boinc_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 boinc_initrc_exec_t system_r; - allow $2 system_r; - -- logging_search_logs($1) -- admin_pattern($1, boinc_log_t) -+ files_list_var_lib($1) -+ admin_pattern($1, boinc_var_lib_t) - -- files_search_tmp($1) -- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t }) -+ boinc_systemctl($1) -+ admin_pattern($1, boinc_unit_file_t) - -- 
files_search_var_lib($1) -- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t }) -+ allow $1 boinc_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/boinc.te b/boinc.te -index 7c92aa1..47619ff 100644 ---- a/boinc.te -+++ b/boinc.te -@@ -1,11 +1,20 @@ --policy_module(boinc, 1.0.3) -+policy_module(boinc, 1.0.0) - - ######################################## - # - # Declarations - # - --type boinc_t; -+## -+##

    -+## Allow boinc_domain execmem/execstack. -+##

    -+##
    -+gen_tunable(boinc_execmem, true) -+ -+attribute boinc_domain; -+ -+type boinc_t, boinc_domain; - type boinc_exec_t; - init_daemon_domain(boinc_t, boinc_exec_t) - -@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) - type boinc_var_lib_t; - files_type(boinc_var_lib_t) - --type boinc_project_var_lib_t; --files_type(boinc_project_var_lib_t) -- - type boinc_log_t; - logging_log_file(boinc_log_t) - -+type boinc_unit_file_t; -+systemd_unit_file(boinc_unit_file_t) -+ - type boinc_project_t; - domain_type(boinc_project_t) --domain_entry_file(boinc_project_t, boinc_project_var_lib_t) - role system_r types boinc_project_t; - - type boinc_project_tmp_t; - files_tmp_file(boinc_project_tmp_t) - -+type boinc_project_var_lib_t; -+files_type(boinc_project_var_lib_t) -+ -+####################################### -+# -+# boinc domain local policy -+# -+ -+allow boinc_domain self:fifo_file rw_fifo_file_perms; -+allow boinc_domain self:process signal; -+allow boinc_domain self:sem create_sem_perms; -+ -+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) -+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) -+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) -+ -+corecmd_exec_bin(boinc_domain) -+corecmd_exec_shell(boinc_domain) -+ -+dev_read_rand(boinc_domain) -+dev_read_urand(boinc_domain) -+dev_read_sysfs(boinc_domain) -+dev_rw_xserver_misc(boinc_domain) -+ -+domain_read_all_domains_state(boinc_domain) -+ -+files_read_etc_runtime_files(boinc_domain) -+ -+fs_getattr_all_fs(boinc_domain) -+ -+miscfiles_read_fonts(boinc_domain) -+ -+tunable_policy(`boinc_execmem',` -+ allow boinc_domain self:process { execstack execmem }; -+') -+ -+optional_policy(` -+ sysnet_dns_name_resolve(boinc_domain) -+') -+ - ######################################## - # --# Local policy -+# boinc local policy - # - - allow boinc_t self:process { setsched setpgid signull sigkill }; --allow boinc_t self:unix_stream_socket { accept listen }; --allow 
boinc_t self:tcp_socket { accept listen }; -+ -+allow boinc_t self:unix_stream_socket create_stream_socket_perms; -+allow boinc_t self:tcp_socket create_stream_socket_perms; - allow boinc_t self:shm create_shm_perms; --allow boinc_t self:fifo_file rw_fifo_file_perms; --allow boinc_t self:sem create_sem_perms; - - manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) - manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) - manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) - fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) - --manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) --manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) --manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -- --# entry files to the boinc_project_t domain --manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) --manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+# this should be created by default by boinc -+# we need this label for transition to boinc_project_t -+# other boinc lib files will end up with boinc_var_lib_t - filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") - filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") - --append_files_pattern(boinc_t, boinc_log_t, boinc_log_t) --create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) --setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) --logging_log_filetrans(boinc_t, boinc_log_t, file) -- --can_exec(boinc_t, boinc_var_lib_t) -+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) - --domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) -+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) 
-+logging_log_filetrans(boinc_t, boinc_log_t, { file }) - -+# needs read /proc/interrupts - kernel_read_system_state(boinc_t) -+kernel_read_network_state(boinc_t) - kernel_search_vm_sysctl(boinc_t) - --corenet_all_recvfrom_unlabeled(boinc_t) -+dev_getattr_mouse_dev(boinc_t) -+ -+files_getattr_all_dirs(boinc_t) -+files_getattr_all_files(boinc_t) -+ - corenet_all_recvfrom_netlabel(boinc_t) - corenet_tcp_sendrecv_generic_if(boinc_t) -+corenet_udp_sendrecv_generic_if(boinc_t) - corenet_tcp_sendrecv_generic_node(boinc_t) -+corenet_udp_sendrecv_generic_node(boinc_t) -+corenet_tcp_sendrecv_all_ports(boinc_t) -+corenet_udp_sendrecv_all_ports(boinc_t) - corenet_tcp_bind_generic_node(boinc_t) -- --corenet_sendrecv_boinc_client_packets(boinc_t) --corenet_sendrecv_boinc_server_packets(boinc_t) -+corenet_udp_bind_generic_node(boinc_t) - corenet_tcp_bind_boinc_port(boinc_t) --corenet_tcp_connect_boinc_port(boinc_t) --corenet_tcp_sendrecv_boinc_port(boinc_t) -- --corenet_sendrecv_boinc_client_server_packets(boinc_t) - corenet_tcp_bind_boinc_client_port(boinc_t) --corenet_tcp_sendrecv_boinc_client_port(boinc_t) -- --corenet_sendrecv_http_client_packets(boinc_t) -+corenet_tcp_connect_boinc_port(boinc_t) - corenet_tcp_connect_http_port(boinc_t) --corenet_tcp_sendrecv_http_port(boinc_t) -- --corenet_sendrecv_http_cache_client_packets(boinc_t) - corenet_tcp_connect_http_cache_port(boinc_t) --corenet_tcp_sendrecv_http_cache_port(boinc_t) -- --corenet_sendrecv_squid_client_packets(boinc_t) - corenet_tcp_connect_squid_port(boinc_t) --corenet_tcp_sendrecv_squid_port(boinc_t) -- --corecmd_exec_bin(boinc_t) --corecmd_exec_shell(boinc_t) -- --dev_read_rand(boinc_t) --dev_read_urand(boinc_t) --dev_read_sysfs(boinc_t) --dev_rw_xserver_misc(boinc_t) -- --domain_read_all_domains_state(boinc_t) - - files_dontaudit_getattr_boot_dirs(boinc_t) --files_getattr_all_dirs(boinc_t) --files_getattr_all_files(boinc_t) --files_read_etc_files(boinc_t) --files_read_etc_runtime_files(boinc_t) 
--files_read_usr_files(boinc_t) - --fs_getattr_all_fs(boinc_t) -+auth_read_passwd(boinc_t) - - term_getattr_all_ptys(boinc_t) - term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +151,67 @@ init_read_utmp(boinc_t) - - logging_send_syslog_msg(boinc_t) - --miscfiles_read_fonts(boinc_t) --miscfiles_read_localization(boinc_t) -+xserver_stream_connect(boinc_t) - - optional_policy(` - mta_send_mail(boinc_t) - ') - --optional_policy(` -- sysnet_dns_name_resolve(boinc_t) --') -- - ######################################## - # --# Project local policy -+# boinc-projects local policy - # - - allow boinc_project_t self:capability { setuid setgid }; --allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms }; -+ -+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) -+allow boinc_t boinc_project_t:process sigkill; -+allow boinc_t boinc_project_t:process noatsecure; -+ -+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop }; -+tunable_policy(`deny_ptrace',`',` -+ allow boinc_project_t self:process ptrace; -+') -+ -+allow boinc_project_t self:process { execstack }; - - manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) - manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) - manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) - files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file}) - -+allow boinc_project_t boinc_project_var_lib_t:file entrypoint; -+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) - manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) - manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects") -+files_var_lib_filetrans(boinc_project_t, 
boinc_project_var_lib_t, dir, "slots" ) - - allow boinc_project_t boinc_project_var_lib_t:file execmod; --can_exec(boinc_project_t, boinc_project_var_lib_t) - - allow boinc_project_t boinc_t:shm rw_shm_perms; --allow boinc_project_t boinc_tmpfs_t:file { read write }; -+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; - - kernel_read_kernel_sysctls(boinc_project_t) --kernel_read_network_state(boinc_project_t) - kernel_search_vm_sysctl(boinc_project_t) -+kernel_read_network_state(boinc_project_t) - --corenet_all_recvfrom_unlabeled(boinc_project_t) --corenet_all_recvfrom_netlabel(boinc_project_t) --corenet_tcp_sendrecv_generic_if(boinc_project_t) --corenet_tcp_sendrecv_generic_node(boinc_project_t) --corenet_tcp_bind_generic_node(boinc_project_t) -- --corenet_sendrecv_boinc_client_packets(boinc_project_t) - corenet_tcp_connect_boinc_port(boinc_project_t) --corenet_tcp_sendrecv_boinc_port(boinc_project_t) - - files_dontaudit_search_home(boinc_project_t) - -+# needed by java -+fs_read_hugetlbfs_files(boinc_project_t) -+ -+optional_policy(` -+ gnome_read_gconf_config(boinc_project_t) -+') -+ - optional_policy(` - java_exec(boinc_project_t) - ') -+ -+# until solution for VirtualBox, java .. -+optional_policy(` -+ unconfined_domain(boinc_project_t) -+') -diff --git a/brctl.te b/brctl.te -index bcd1e87..6294955 100644 ---- a/brctl.te -+++ b/brctl.te -@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t) - - domain_use_interactive_fds(brctl_t) - --files_read_etc_files(brctl_t) - - term_dontaudit_use_console(brctl_t) - --miscfiles_read_localization(brctl_t) -- - optional_policy(` - xen_append_log(brctl_t) - xen_dontaudit_rw_unix_stream_sockets(brctl_t) -diff --git a/bugzilla.fc b/bugzilla.fc -index fce0b6e..fb6e397 100644 ---- a/bugzilla.fc -+++ b/bugzilla.fc -@@ -1,4 +1,4 @@ --/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) --/usr/share/bugzilla(/.*)? 
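Review bot: The `unconfined_domain(boinc_project_t)` added at the end of the boinc.te `@@ -130,55 +151,67 @@` hunk makes every restriction written for boinc_project_t above it (the tmp and var_lib patterns, the `deny_ptrace` tunable, execmod, the single boinc port connect) moot whenever the unconfined module is loaded, and the one-line comment does not say so. In the same hunk `allow boinc_project_t self:process { execstack };` is unconditional, while execmem/execstack for the `boinc_domain` attribute is gated behind the `boinc_execmem` tunable introduced in the `@@ -1,11 +1,20 @@` hunk; as far as the visible declarations show, boinc_project_t is never given the boinc_domain attribute, so the tunable whose description says "Allow boinc_domain execmem/execstack" does not reach the domain that runs project binaries. If the intent is for the tunable to govern project code, declare `type boinc_project_t, boinc_domain;` in the declarations hunk and drop the unconditional execstack line; otherwise a comment should say why the project domain stays outside the attribute. The workaround comment should at least read `# TEMPORARY: unconfined_domain voids every boinc_project_t rule above; remove once VirtualBox/java access is expressed as explicit rules`.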
-- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
-+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
- 
- /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
-diff --git a/bugzilla.if b/bugzilla.if
-index 1b22262..bf0cefa 100644
---- a/bugzilla.if
-+++ b/bugzilla.if
-@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
- interface(`bugzilla_admin',`
- gen_require(`
- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-- type httpd_bugzilla_htaccess_t;
-+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
- ')
- 
-- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
-+ allow $1 httpd_bugzilla_script_t:process signal_perms;
- ps_process_pattern($1, httpd_bugzilla_script_t)
- 
-- files_search_usr($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_bugzilla_script_t:process ptrace;
-+ ')
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, httpd_bugzilla_tmp_t)
-+
-+ files_list_var_lib(httpd_bugzilla_script_t)
-+
- admin_pattern($1, httpd_bugzilla_script_exec_t)
- admin_pattern($1, httpd_bugzilla_script_t)
- admin_pattern($1, httpd_bugzilla_content_t)
-@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
- files_search_var_lib($1)
- admin_pattern($1, httpd_bugzilla_rw_content_t)
- 
-- apache_list_sys_content($1)
-+ optional_policy(`
-+ apache_list_sys_content($1)
-+ ')
- ')
-diff --git a/bugzilla.te b/bugzilla.te
-index 41f8251..57f094e 100644
---- a/bugzilla.te
-+++ b/bugzilla.te
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
- 
- apache_content_template(bugzilla)
- 
-+type httpd_bugzilla_tmp_t;
-+files_tmp_file(httpd_bugzilla_tmp_t)
-+
- ########################################
- #
- # Local policy
-@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
- 
- allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
- 
--corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
- corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
- corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
- 
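Review bot: `files_list_var_lib(httpd_bugzilla_script_t)` in the bugzilla.if `@@ -48,24 +48,26 @@` hunk grants the permission to the bugzilla CGI domain instead of to the administrator `$1`, unlike every other new line in bugzilla_admin and unlike `files_search_var_lib($1)` in the following `@@ -76,5 +78,7 @@` hunk; it reads like a typo for `files_list_var_lib($1)`. If it is intentional, the rule belongs in bugzilla.te next to the existing `files_search_var_lib(httpd_bugzilla_script_t)`, because inside an admin interface it only takes effect when some domain calls bugzilla_admin, which is a surprising place for a daemon permission. The bugzilla_admin interface begins in this hunk but its closing `')` lies outside it.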
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
- 
-+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
-+
- files_search_var_lib(httpd_bugzilla_script_t)
- 
--sysnet_dns_name_resolve(httpd_bugzilla_script_t)
-+auth_read_passwd(httpd_bugzilla_script_t)
-+
-+dev_read_sysfs(httpd_bugzilla_script_t)
-+
-+sysnet_read_config(httpd_bugzilla_script_t)
- sysnet_use_ldap(httpd_bugzilla_script_t)
- 
-+miscfiles_read_certs(httpd_bugzilla_script_t)
-+
- optional_policy(`
- mta_send_mail(httpd_bugzilla_script_t)
- ')
-diff --git a/cachefilesd.fc b/cachefilesd.fc
-index 648c790..aa03fc8 100644
---- a/cachefilesd.fc
-+++ b/cachefilesd.fc
-@@ -1,9 +1,34 @@
--/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
-+###############################################################################
-+#
-+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# Define the contexts to be assigned to various files and directories of
-+# importance to the CacheFiles kernel module and userspace management daemon.
-+#
-+
-+# cachefilesd executable will have:
-+# label: system_u:object_r:cachefilesd_exec_t
-+# MLS sensitivity: s0
-+# MCS categories:
-+
-+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
- 
- /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
- 
- /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
- 
--/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
-+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-+
-+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
- 
--/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
-+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
-diff --git a/cachefilesd.if b/cachefilesd.if
-index 8de2ab9..3b41945 100644
---- a/cachefilesd.if
-+++ b/cachefilesd.if
-@@ -1,39 +1,35 @@
--## CacheFiles user-space management daemon.
-+###############################################################################
-+#
-+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# Define the policy interface for the CacheFiles userspace management daemon.
-+#
-+## policy for cachefilesd
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an cachefilesd environment.
-+## Execute a domain transition to run cachefilesd.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
--interface(`cachefilesd_admin',`
-+interface(`cachefilesd_domtrans',`
- gen_require(`
-- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
-- type cachefilesd_var_run_t;
-+ type cachefilesd_t, cachefilesd_exec_t;
- ')
- 
-- allow $1 cachefilesd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, cachefilesd_t)
--
-- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 cachefilesd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_var($1)
-- admin_pattern($1, cachefilesd_cache_t)
--
-- files_search_pids($1)
-- admin_pattern($1, cachefilesd_var_run_t)
-+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
- ')
-diff --git a/cachefilesd.te b/cachefilesd.te
-index 581c8ef..2c71b1d 100644
---- a/cachefilesd.te
-+++ b/cachefilesd.te
-@@ -1,52 +1,143 @@
--policy_module(cachefilesd, 1.0.1)
-+###############################################################################
-+#
-+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# This security policy governs access by the CacheFiles kernel module and
-+# userspace management daemon to the files and directories in the on-disk
-+# cache, on behalf of the processes accessing the cache through a network
-+# filesystem such as NFS
-+#
-+policy_module(cachefilesd, 1.0.17)
- 
--########################################
-+###############################################################################
- #
- # Declarations
- #
- 
-+#
-+# Files in the cache are created by the cachefiles module with security ID
-+# cachefiles_var_t
-+#
-+type cachefiles_var_t;
-+files_type(cachefiles_var_t)
-+
-+#
-+# The /dev/cachefiles character device has security ID cachefiles_dev_t
-+#
-+type cachefiles_dev_t;
-+dev_node(cachefiles_dev_t)
-+
-+#
-+# The cachefilesd daemon normally runs with security ID cachefilesd_t
-+#
- type cachefilesd_t;
- type cachefilesd_exec_t;
- init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
- 
--type cachefilesd_initrc_exec_t;
--init_script_file(cachefilesd_initrc_exec_t)
--
--type cachefilesd_cache_t;
--files_type(cachefilesd_cache_t)
--
-+#
-+# The cachefilesd daemon pid file context
-+#
- type cachefilesd_var_run_t;
- files_pid_file(cachefilesd_var_run_t)
- 
--########################################
- #
--# Local policy
-+# The CacheFiles kernel module causes processes accessing the cache files to do
-+# so acting as security ID cachefiles_kernel_t
- #
-+type cachefiles_kernel_t;
-+domain_type(cachefiles_kernel_t)
-+domain_obj_id_change_exemption(cachefiles_kernel_t)
-+role system_r types cachefiles_kernel_t;
-+
-+###############################################################################
-+#
-+# Permit RPM to deal with files in the cache
-+#
-+optional_policy(`
-+ rpm_use_script_fds(cachefilesd_t)
-+')
- 
-+###############################################################################
-+#
-+# cachefilesd local policy
-+#
-+# These define what cachefilesd is permitted to do. This doesn't include very
-+# much: startup stuff, logging, pid file, scanning the cache superstructure and
-+# deleting files from the cache. It is not permitted to read/write files in
-+# the cache.
-+#
-+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
-+# rules.
-+#
- allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
- 
-+# Allow manipulation of pid file
-+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
- manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
- files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
-+files_create_as_is_all_files(cachefilesd_t)
- 
--manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
--manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
--
--dev_rw_cachefiles(cachefilesd_t)
-+# Allow access to cachefiles device file
-+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
- 
--files_create_all_files_as(cachefilesd_t)
--files_read_etc_files(cachefilesd_t)
-+# Allow access to cache superstructure
-+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
- 
-+# Permit statfs on the backing filesystem
- fs_getattr_xattr_fs(cachefilesd_t)
- 
-+# Basic access
-+logging_send_syslog_msg(cachefilesd_t)
-+init_dontaudit_use_script_ptys(cachefilesd_t)
- term_dontaudit_use_generic_ptys(cachefilesd_t)
- term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
- 
--logging_send_syslog_msg(cachefilesd_t)
-+###############################################################################
-+#
-+# When cachefilesd invokes the kernel module to begin caching, it has to tell
-+# the kernel module the security context in which it should act, and this
-+# policy has to approve that.
-+#
-+# There are two parts to this:
-+#
-+# (1) the security context used by the module to access files in the cache,
-+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
-+#
-+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
- 
--miscfiles_read_localization(cachefilesd_t)
-+#
-+# (2) the label that will be assigned to new files and directories created in
-+# the cache by the module, which will be the same as the label on the
-+# directory pointed to by the 'dir' command.
-+#
-+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
- 
--init_dontaudit_use_script_ptys(cachefilesd_t)
-+###############################################################################
-+#
-+# cachefiles kernel module local policy
-+#
-+# This governs what the kernel module is allowed to do the contents of the
-+# cache.
-+#
-+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
- 
--optional_policy(`
-- rpm_use_script_fds(cachefilesd_t)
--')
-+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
-+
-+fs_getattr_xattr_fs(cachefiles_kernel_t)
-+
-+dev_search_sysfs(cachefiles_kernel_t)
-+
-+init_sigchld_script(cachefiles_kernel_t)
-diff --git a/calamaris.te b/calamaris.te
-index f4f21d3..de28437 100644
---- a/calamaris.te
-+++ b/calamaris.te
-@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
- 
- corecmd_exec_bin(calamaris_t)
- 
-+corenet_all_recvfrom_netlabel(calamaris_t)
-+corenet_tcp_sendrecv_generic_if(calamaris_t)
-+corenet_udp_sendrecv_generic_if(calamaris_t)
-+corenet_tcp_sendrecv_generic_node(calamaris_t)
-+corenet_udp_sendrecv_generic_node(calamaris_t)
-+corenet_tcp_sendrecv_all_ports(calamaris_t)
-+corenet_udp_sendrecv_all_ports(calamaris_t)
-+
- dev_read_urand(calamaris_t)
- 
--files_read_usr_files(calamaris_t)
-+files_search_pids(calamaris_t)
- files_read_etc_runtime_files(calamaris_t)
- 
--libs_read_lib_files(calamaris_t) -- - auth_use_nsswitch(calamaris_t) - - logging_send_syslog_msg(calamaris_t) - --miscfiles_read_localization(calamaris_t) -- - userdom_dontaudit_list_user_home_dirs(calamaris_t) - - optional_policy(` -diff --git a/callweaver.te b/callweaver.te -index 528051e..44e5b7d 100644 ---- a/callweaver.te -+++ b/callweaver.te -@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t) - - auth_use_nsswitch(callweaver_t) - --miscfiles_read_localization(callweaver_t) -diff --git a/canna.if b/canna.if -index 400db07..f416e22 100644 ---- a/canna.if -+++ b/canna.if -@@ -43,9 +43,13 @@ interface(`canna_admin',` - type canna_var_run_t, canna_initrc_exec_t; - ') - -- allow $1 canna_t:process { ptrace signal_perms }; -+ allow $1 canna_t:process signal_perms; - ps_process_pattern($1, canna_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 canna_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; -diff --git a/canna.te b/canna.te -index 4ec0626..88e7e89 100644 ---- a/canna.te -+++ b/canna.te -@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) - kernel_read_kernel_sysctls(canna_t) - kernel_read_system_state(canna_t) - --corenet_all_recvfrom_unlabeled(canna_t) - corenet_all_recvfrom_netlabel(canna_t) - corenet_tcp_sendrecv_generic_if(canna_t) - corenet_tcp_sendrecv_generic_node(canna_t) -@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t) - - domain_use_interactive_fds(canna_t) - --files_read_etc_files(canna_t) - files_read_etc_runtime_files(canna_t) --files_read_usr_files(canna_t) - files_search_tmp(canna_t) - files_dontaudit_read_root_files(canna_t) - - logging_send_syslog_msg(canna_t) - --miscfiles_read_localization(canna_t) -- - sysnet_read_config(canna_t) - - userdom_dontaudit_use_unpriv_user_fds(canna_t) -diff --git a/ccs.if b/ccs.if -index 5ded72d..cb94e5e 100644 ---- a/ccs.if -+++ b/ccs.if -@@ -98,20 
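Review bot: The seven `corenet_*` lines added to `calamaris_t` include `corenet_tcp_sendrecv_all_ports(calamaris_t)` and `corenet_udp_sendrecv_all_ports(calamaris_t)`, which open send/receive on every port type to what is a log analyser; `auth_use_nsswitch(calamaris_t)` further down already covers name resolution. Unless calamaris makes other connections, narrow this to the port types it actually uses, or add a one-line comment above the block stating what traffic these rules exist for, e.g. `# calamaris only resolves client names; all_ports is for labeled networking, not connect rights`. The removal of `files_read_usr_files` in the same hunk is presumably covered by a base attribute now and needs no action.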
+98,24 @@ interface(`ccs_manage_config',` - interface(`ccs_admin',` - gen_require(` - type ccs_t, ccs_initrc_exec_t, cluster_conf_t; -- type ccs_var_lib_t_t, ccs_var_log_t; -+ type ccs_var_lib_t, ccs_var_log_t; - type ccs_var_run_t, ccs_tmp_t; - ') - -- allow $1 ccs_t:process { ptrace signal_perms }; -+ allow $1 ccs_t:process { signal_perms }; - ps_process_pattern($1, ccs_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ccs_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, ccs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ccs_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) -- admin_pattern($1, ccs_conf_t) -+ admin_pattern($1, cluster_conf_t) - - files_search_var_lib($1) - admin_pattern($1, ccs_var_lib_t) -diff --git a/ccs.te b/ccs.te -index b85b53b..476aaa3 100644 ---- a/ccs.te -+++ b/ccs.te -@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) - - allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; - allow ccs_t self:process { signal setrlimit setsched }; --dontaudit ccs_t self:process ptrace; -+ - allow ccs_t self:fifo_file rw_fifo_file_perms; - allow ccs_t self:unix_stream_socket { accept connectto listen }; - allow ccs_t self:tcp_socket { accept listen }; -@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t) - corecmd_list_bin(ccs_t) - corecmd_exec_bin(ccs_t) - --corenet_all_recvfrom_unlabeled(ccs_t) - corenet_all_recvfrom_netlabel(ccs_t) - corenet_tcp_sendrecv_generic_if(ccs_t) - corenet_udp_sendrecv_generic_if(ccs_t) -@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t) - - dev_read_urand(ccs_t) - --files_read_etc_files(ccs_t) - files_read_etc_runtime_files(ccs_t) - - init_rw_script_tmp_files(ccs_t) -+init_signal(ccs_t) - - logging_send_syslog_msg(ccs_t) - --miscfiles_read_localization(ccs_t) -- - sysnet_dns_name_resolve(ccs_t) - - userdom_manage_unpriv_user_shared_mem(ccs_t) -@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',` - ') - - optional_policy(` -- 
aisexec_stream_connect(ccs_t) -- corosync_stream_connect(ccs_t) -+ rhcs_stream_connect_cluster(ccs_t) - ') - - optional_policy(` -diff --git a/cdrecord.if b/cdrecord.if -index fbc20f6..4de4a00 100644 ---- a/cdrecord.if -+++ b/cdrecord.if -@@ -27,6 +27,9 @@ interface(`cdrecord_role',` - - allow cdrecord_t $2:unix_stream_socket rw_socket_perms; - -- allow $2 cdrecord_t:process { ptrace signal_perms }; -+ allow $2 cdrecord_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 cdrecord_t:process ptrace; -+ ') - ps_process_pattern($2, cdrecord_t) - ') -diff --git a/cdrecord.te b/cdrecord.te -index 55fb26a..a7555c0 100644 ---- a/cdrecord.te -+++ b/cdrecord.te -@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) - domain_interactive_fd(cdrecord_t) - domain_use_interactive_fds(cdrecord_t) - --files_read_etc_files(cdrecord_t) -- - term_use_controlling_term(cdrecord_t) - term_list_ptys(cdrecord_t) - -@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t) - - logging_send_syslog_msg(cdrecord_t) - --miscfiles_read_localization(cdrecord_t) -- --userdom_use_user_terminals(cdrecord_t) --userdom_read_user_home_content_files(cdrecord_t) -+userdom_use_inherited_user_terminals(cdrecord_t) - - tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) -@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',` - userdom_dontaudit_read_user_home_content_files(cdrecord_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- files_search_mnt(cdrecord_t) -- fs_read_nfs_files(cdrecord_t) -- fs_read_nfs_symlinks(cdrecord_t) --') -+userdom_home_manager(cdrecord_t) - - optional_policy(` - resmgr_stream_connect(cdrecord_t) -diff --git a/certmaster.if b/certmaster.if -index 0c53b18..ef29f6e 100644 ---- a/certmaster.if -+++ b/certmaster.if -@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',` - interface(`certmaster_admin',` - gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; -- type certmaster_etc_rw_t, 
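Review bot: The `userdom_home_manager(cdrecord_t)` line that replaces the `use_nfs_home_dirs` block in the `@@ -104,11 +99,7 @@` hunk turns a read-only, tunable-gated NFS rule (`fs_read_nfs_files`, `fs_read_nfs_symlinks`) into whatever the home-manager attribute grants, and it sits outside the `cdrecord_read_content` tunable that the surrounding lines use to gate access to user content. If that attribute grants manage rather than read access under the NFS/CIFS/fuse tunables, a CD-burning tool gains write access to home directories; confirm against the interface definition, and if read access is all that is needed keep the call inside `tunable_policy(`cdrecord_read_content',`` ... `')`. A short comment above the call saying why the earlier per-filesystem rules were replaced would also help the next reader.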
certmaster_var_log_t; -- type certmaster_initrc_exec_t; -+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; - ') - -- allow $1 certmaster_t:process { ptrace signal_perms }; -+ allow $1 certmaster_t:process signal_perms; - ps_process_pattern($1, certmaster_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 certmaster_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; -diff --git a/certmaster.te b/certmaster.te -index bf82163..2b571c7 100644 ---- a/certmaster.te -+++ b/certmaster.te -@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) - dev_read_urand(certmaster_t) - - files_list_var(certmaster_t) --files_search_etc(certmaster_t) --files_read_usr_files(certmaster_t) - - auth_use_nsswitch(certmaster_t) - --miscfiles_read_localization(certmaster_t) - miscfiles_manage_generic_cert_dirs(certmaster_t) - miscfiles_manage_generic_cert_files(certmaster_t) -+ -+mta_send_mail(certmaster_t) -diff --git a/certmonger.fc b/certmonger.fc -index ed298d8..cd8eb4d 100644 ---- a/certmonger.fc -+++ b/certmonger.fc -@@ -2,6 +2,8 @@ - - /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) - -+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0) -+ - /var/lib/certmonger(/.*)? 
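Review bot: `mta_send_mail(certmaster_t)` is added at top level, whereas the same call added to certwatch.te in this patch is wrapped in `optional_policy(`` ... `')`; if the mta module is not part of the base policy on the target, the bare call makes the certmaster module fail to link. Wrap it the same way to keep the module loadable without mta and to match the file's existing optional_policy style. A one-line comment stating what certmaster mails would also document why a certificate authority daemon needs a mail path.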
gen_context(system_u:object_r:certmonger_var_lib_t,s0) - - /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) -diff --git a/certmonger.if b/certmonger.if -index 008f8ef..144c074 100644 ---- a/certmonger.if -+++ b/certmonger.if -@@ -160,16 +160,20 @@ interface(`certmonger_admin',` - ') - - ps_process_pattern($1, certmonger_t) -- allow $1 certmonger_t:process { ptrace signal_perms }; -+ allow $1 certmonger_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 certmonger_t:process ptrace; -+ ') - - certmonger_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, certmonger_var_run_t) - ') -diff --git a/certmonger.te b/certmonger.te -index 2354e21..fb8c9ed 100644 ---- a/certmonger.te -+++ b/certmonger.te -@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) - type certmonger_var_run_t; - files_pid_file(certmonger_var_run_t) - -+type certmonger_unconfined_exec_t; -+application_executable_file(certmonger_unconfined_exec_t) -+ - ######################################## - # - # Local policy -@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t) - allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; - dontaudit certmonger_t self:capability sys_tty_config; - allow certmonger_t self:capability2 block_suspend; -+ - allow certmonger_t self:process { getsched setsched sigkill signal }; --allow certmonger_t self:fifo_file rw_fifo_file_perms; --allow certmonger_t self:unix_stream_socket { accept listen }; --allow certmonger_t self:tcp_socket { accept listen }; -+allow certmonger_t self:fifo_file rw_file_perms; -+allow certmonger_t self:unix_stream_socket create_stream_socket_perms; -+allow certmonger_t self:tcp_socket create_stream_socket_perms; 
-+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; - - manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) - manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) - - kernel_read_kernel_sysctls(certmonger_t) - kernel_read_system_state(certmonger_t) -+kernel_read_network_state(certmonger_t) - - corenet_all_recvfrom_unlabeled(certmonger_t) - corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) - - corenet_sendrecv_certmaster_client_packets(certmonger_t) - corenet_tcp_connect_certmaster_port(certmonger_t) -+ -+corenet_tcp_connect_http_port(certmonger_t) -+corenet_tcp_connect_http_cache_port(certmonger_t) -+ -+corenet_tcp_connect_pki_ca_port(certmonger_t) - corenet_tcp_sendrecv_certmaster_port(certmonger_t) - - corecmd_exec_bin(certmonger_t) - corecmd_exec_shell(certmonger_t) - -+dev_read_rand(certmonger_t) - dev_read_urand(certmonger_t) - - domain_use_interactive_fds(certmonger_t) - --files_read_usr_files(certmonger_t) - files_list_tmp(certmonger_t) - - fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t) - - logging_send_syslog_msg(certmonger_t) - --miscfiles_read_localization(certmonger_t) - miscfiles_manage_generic_cert_files(certmonger_t) - -+systemd_exec_systemctl(certmonger_t) -+ - userdom_search_user_home_content(certmonger_t) - - optional_policy(` -- apache_initrc_domtrans(certmonger_t) - apache_search_config(certmonger_t) - apache_signal(certmonger_t) - apache_signull(certmonger_t) -+ apache_systemctl(certmonger_t) - ') - - optional_policy(` -@@ -92,11 +104,47 @@ optional_policy(` - ') - - optional_policy(` -- kerberos_read_keytab(certmonger_t) -+ dirsrv_manage_config(certmonger_t) -+ dirsrv_signal(certmonger_t) -+ dirsrv_signull(certmonger_t) -+') -+ -+optional_policy(` - 
kerberos_use(certmonger_t) -+ kerberos_read_keytab(certmonger_t) - ') - - optional_policy(` - pcscd_read_pid_files(certmonger_t) - pcscd_stream_connect(certmonger_t) - ') -+ -+optional_policy(` -+ pki_rw_tomcat_cert(certmonger_t) -+ pki_read_tomcat_lib_files(certmonger_t) -+') -+ -+######################################## -+# -+# certmonger_unconfined_script_t local policy -+# -+ -+optional_policy(` -+ type certmonger_unconfined_t; -+ domain_type(certmonger_unconfined_t) -+ -+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t) -+ role system_r types certmonger_unconfined_t; -+ -+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t) -+ -+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms; -+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms; -+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl; -+ -+ init_domtrans_script(certmonger_unconfined_t) -+ -+ optional_policy(` -+ unconfined_domain(certmonger_unconfined_t) -+ ') -+') -diff --git a/certwatch.te b/certwatch.te -index 403af41..1a4bd9c 100644 ---- a/certwatch.te -+++ b/certwatch.te -@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t; - - allow certwatch_t self:capability sys_nice; - allow certwatch_t self:process { setsched getsched }; -+allow certwatch_t self:tcp_socket create_stream_socket_perms; - -+kernel_read_system_state(certwatch_t) -+ -+corecmd_exec_bin(certwatch_t) -+ -+dev_read_rand(certwatch_t) - dev_read_urand(certwatch_t) - --files_read_etc_files(certwatch_t) --files_read_usr_files(certwatch_t) - files_read_usr_symlinks(certwatch_t) - files_list_tmp(certwatch_t) - - fs_list_inotifyfs(certwatch_t) - - auth_manage_cache(certwatch_t) -+auth_read_passwd(certwatch_t) - auth_var_filetrans_cache(certwatch_t) - - logging_send_syslog_msg(certwatch_t) - - miscfiles_read_all_certs(certwatch_t) --miscfiles_read_localization(certwatch_t) -+miscfiles_manage_generic_cert_dirs(certwatch_t) -+ 
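Review bot: The new `certmonger_unconfined_t` block lets `certmonger_t`, which per the corenet rules above talks to CA and HTTP ports, domain-transition into an `unconfined_domain` for anything labelled `certmonger_unconfined_exec_t`, i.e. everything under `/usr/lib/ipa/certmonger` per the .fc hunk, and nothing in the hunk documents why the IPA helpers cannot run confined; add a comment above the block stating that and what bounds the set of executables (ownership/packaging of that directory). `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` compiles because dir shares the common file permissions, but `list_dir_perms` is the idiomatic set for a directory and makes the intent clear. The header comment reads `certmonger_unconfined_script_t` while the type declared is `certmonger_unconfined_t`; make them agree.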
-+sysnet_read_config(certwatch_t) - --userdom_use_user_terminals(certwatch_t) --userdom_dontaudit_list_user_home_dirs(certwatch_t) -+userdom_use_inherited_user_terminals(certwatch_t) -+userdom_dontaudit_list_admin_dir(certwatch_t) - - optional_policy(` -+ apache_domtrans(certwatch_t) - apache_exec_modules(certwatch_t) - apache_read_config(certwatch_t) - ') - - optional_policy(` -+ mta_send_mail(certwatch_t) -+') -+ -+optional_policy(` - cron_system_entry(certwatch_t, certwatch_exec_t) - ') - -diff --git a/cfengine.if b/cfengine.if -index a731122..5279d4e 100644 ---- a/cfengine.if -+++ b/cfengine.if -@@ -13,7 +13,6 @@ - template(`cfengine_domain_template',` - gen_require(` - attribute cfengine_domain; -- type cfengine_log_t, cfengine_var_lib_t; - ') - - ######################################## -@@ -30,7 +29,29 @@ template(`cfengine_domain_template',` - # Policy - # - -+ kernel_read_system_state(cfengine_$1_t) -+ - auth_use_nsswitch(cfengine_$1_t) -+ -+ logging_send_syslog_msg(cfengine_$1_t) -+') -+ -+###################################### -+## -+## Search cfengine lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cfengine_search_lib_files',` -+ gen_require(` -+ type cfengine_var_lib_t; -+ ') -+ -+ allow $1 cfengine_var_lib_t:dir search_dir_perms; - ') - - ######################################## -@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',` - dontaudit $1 cfengine_var_log_t:file write_file_perms; - ') - -+##################################### -+## -+## Allow the specified domain to append cfengine's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cfengine_append_inherited_log',` -+ gen_require(` -+ type cfengine_var_log_t; -+ ') -+ -+ cfengine_search_lib_files($1) -+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock }; -+') -+ -+#################################### -+## -+## Dontaudit the specified domain to write cfengine's log files. 
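Review bot: `miscfiles_manage_generic_cert_dirs(certwatch_t)` gives a certificate-expiry checker create/delete rights on the generic certificate directories, while the existing `miscfiles_read_all_certs(certwatch_t)` already covers reading; if certwatch only needs to traverse those directories, a read or search interface on generic certs would be sufficient, and if it really writes there a comment should say what it creates. The added `apache_domtrans(certwatch_t)` lets a cron-driven job start a process in the httpd domain; a one-line comment naming the apache helper it runs (presumably a config or cert check) would justify the transition. Wrapping `mta_send_mail` in `optional_policy` here is the right pattern and is what certmaster.te in this patch should also do.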
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cfengine_dontaudit_write_log',` -+ gen_require(` -+ type cfengine_var_log_t; -+ ') -+ -+ dontaudit $1 cfengine_var_log_t:file write; -+') -+ - ######################################## - ## - ## All of the rules required to -@@ -94,7 +152,7 @@ interface(`cfengine_admin',` - type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; - ') - -- allow $1 cfengine_domain:process { ptrace signal_perms }; -+ allow $1 cfengine_domain:process { signal_perms }; - ps_process_pattern($1, cfengine_domain) - - init_labeled_script_domtrans($1, cfengine_initrc_exec_t) -@@ -105,3 +163,4 @@ interface(`cfengine_admin',` - files_search_var_lib($1) - admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) - ') -+ -diff --git a/cfengine.te b/cfengine.te -index 8af5bbe..168f01f 100644 ---- a/cfengine.te -+++ b/cfengine.te -@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) - setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) - logging_log_filetrans(cfengine_domain, cfengine_log_t, dir) - --kernel_read_system_state(cfengine_domain) -- - corecmd_exec_bin(cfengine_domain) - corecmd_exec_shell(cfengine_domain) - - dev_read_urand(cfengine_domain) - dev_read_sysfs(cfengine_domain) - --logging_send_syslog_msg(cfengine_domain) -- --miscfiles_read_localization(cfengine_domain) -- -+sysnet_dns_name_resolve(cfengine_domain) - sysnet_domtrans_ifconfig(cfengine_domain) - - ######################################## -diff --git a/cgroup.if b/cgroup.if -index 85ca63f..1d1c99c 100644 ---- a/cgroup.if -+++ b/cgroup.if -@@ -171,8 +171,26 @@ interface(`cgroup_admin',` - type cgrules_etc_t, cgclear_t; - ') - -- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) -+ allow $1 cgclear_t:process signal_perms; -+ ps_process_pattern($1, cgclear_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 
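Review bot: `cfengine_admin` now drops `ptrace` outright (`allow $1 cfengine_domain:process { signal_perms };`) while every other admin interface touched in this patch (canna, ccs, cdrecord, certmaster, certmonger, cgroup) moves it under `tunable_policy(`deny_ptrace',`',`` ... `')`; either add the same tunable block here or comment why cfengine should never be ptraceable by its admin role. The new `cfengine_append_inherited_log` requires `cfengine_var_log_t` while the .te hunk and `cfengine_admin` use `cfengine_log_t`; both names already appear in this file, so verify one is an alias of the other, otherwise the append rule targets a type nothing is labelled with. That interface also calls `cfengine_search_lib_files` to reach a log file; if the log directory is not under `cfengine_var_lib_t`, callers still cannot traverse to it.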
cgclear_t:process ptrace; -+ ') -+ -+ allow $1 cgconfig_t:process signal_perms; -+ ps_process_pattern($1, cgconfig_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgconfig_t:process ptrace; -+ ') -+ -+ allow $1 cgred_t:process signal_perms; -+ ps_process_pattern($1, cgred_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgred_t:process ptrace; -+ ') - - admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) - files_list_etc($1) -diff --git a/cgroup.te b/cgroup.te -index fdee107..7a38b63 100644 ---- a/cgroup.te -+++ b/cgroup.te -@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) - type cgrules_etc_t; - files_config_file(cgrules_etc_t) - --type cgconfig_t; --type cgconfig_exec_t; -+type cgconfig_t alias cgconfigparser_t; -+type cgconfig_exec_t alias cgconfigparser_exec_t; - init_daemon_domain(cgconfig_t, cgconfig_exec_t) - - type cgconfig_initrc_exec_t; -@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t) - - allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; - --allow cgclear_t cgconfig_etc_t:file read_file_perms; -+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) - - kernel_read_system_state(cgclear_t) - -+auth_use_nsswitch(cgclear_t) -+ - domain_setpriority_all_domains(cgclear_t) - - fs_manage_cgroup_dirs(cgclear_t) -@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; - kernel_list_unlabeled(cgconfig_t) - kernel_read_system_state(cgconfig_t) - --files_read_etc_files(cgconfig_t) -- - fs_manage_cgroup_dirs(cgconfig_t) - fs_manage_cgroup_files(cgconfig_t) - fs_mount_cgroup(cgconfig_t) - fs_mounton_cgroup(cgconfig_t) - fs_unmount_cgroup(cgconfig_t) - -+auth_use_nsswitch(cgconfig_t) -+ - ######################################## - # - # cgred local policy - # -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; -+allow cgred_t self:process signal_perms; - --allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; - allow 
cgred_t self:netlink_socket { write bind create read }; - allow cgred_t self:unix_dgram_socket { write create connect }; - -@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t) - files_getattr_all_files(cgred_t) - files_getattr_all_sockets(cgred_t) - files_read_all_symlinks(cgred_t) --files_read_etc_files(cgred_t) - - fs_write_cgroup_files(cgred_t) -+fs_list_inotifyfs(cgred_t) - --logging_send_syslog_msg(cgred_t) -+auth_use_nsswitch(cgred_t) - --miscfiles_read_localization(cgred_t) -+logging_send_syslog_msg(cgred_t) -diff --git a/chrome.fc b/chrome.fc -new file mode 100644 -index 0000000..57866f6 ---- /dev/null -+++ b/chrome.fc -@@ -0,0 +1,9 @@ -+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -+ -+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -+ -+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) -+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) -+ -+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) -+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) -diff --git a/chrome.if b/chrome.if -new file mode 100644 -index 0000000..5977d96 ---- /dev/null -+++ b/chrome.if -@@ -0,0 +1,134 @@ -+ -+## policy for chrome -+ -+######################################## -+## -+## Execute a domain transition to run chrome_sandbox. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`chrome_domtrans_sandbox',` -+ gen_require(` -+ type chrome_sandbox_t, chrome_sandbox_exec_t; -+ ') -+ -+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) -+ ps_process_pattern(chrome_sandbox_t, $1) -+ -+ allow $1 chrome_sandbox_t:fd use; -+ -+ ifdef(`hide_broken_symptoms',` -+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) -+ ') -+') -+ -+ -+######################################## -+## -+## Execute chrome_sandbox in the chrome_sandbox domain, and -+## allow the specified role the chrome_sandbox domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the chrome_sandbox domain. -+## -+## -+# -+interface(`chrome_run_sandbox',` -+ gen_require(` -+ type chrome_sandbox_t; -+ type chrome_sandbox_nacl_t; -+ ') -+ -+ chrome_domtrans_sandbox($1) -+ role $2 types chrome_sandbox_t; -+ role $2 types chrome_sandbox_nacl_t; -+') -+ -+######################################## -+## -+## Role access for chrome sandbox -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+interface(`chrome_role_notrans',` -+ gen_require(` -+ type chrome_sandbox_t; -+ type chrome_sandbox_tmpfs_t; -+ type chrome_sandbox_nacl_t; -+ ') -+ -+ role $1 types chrome_sandbox_t; -+ role $1 types chrome_sandbox_nacl_t; -+ -+ ps_process_pattern($2, chrome_sandbox_t) -+ allow $2 chrome_sandbox_t:process signal_perms; -+ -+ allow chrome_sandbox_t $2:unix_dgram_socket { read write }; -+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; -+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;; -+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; -+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms; -+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; -+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; -+ -+ allow $2 chrome_sandbox_t:shm rw_shm_perms; -+ -+ allow $2 
chrome_sandbox_tmpfs_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## Role access for chrome sandbox -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+interface(`chrome_role',` -+ chrome_role_notrans($1, $2) -+ chrome_domtrans_sandbox($2) -+') -+ -+######################################## -+## -+## Dontaudit read/write to a chrome_sandbox leaks -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`chrome_dontaudit_sandbox_leaks',` -+ gen_require(` -+ type chrome_sandbox_t; -+ ') -+ -+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write }; -+') -diff --git a/chrome.te b/chrome.te -new file mode 100644 -index 0000000..406f3a0 ---- /dev/null -+++ b/chrome.te -@@ -0,0 +1,242 @@ -+policy_module(chrome,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type chrome_sandbox_t; -+type chrome_sandbox_exec_t; -+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) -+role system_r types chrome_sandbox_t; -+ubac_constrained(chrome_sandbox_t) -+ -+type chrome_sandbox_tmp_t; -+files_tmp_file(chrome_sandbox_tmp_t) -+ -+type chrome_sandbox_tmpfs_t; -+files_tmpfs_file(chrome_sandbox_tmpfs_t) -+ubac_constrained(chrome_sandbox_tmpfs_t) -+ -+type chrome_sandbox_nacl_t; -+type chrome_sandbox_nacl_exec_t; -+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t) -+role system_r types chrome_sandbox_nacl_t; -+ubac_constrained(chrome_sandbox_nacl_t) -+ -+type chrome_sandbox_home_t; -+userdom_user_home_content(chrome_sandbox_home_t) -+ -+######################################## -+# -+# chrome_sandbox local policy -+# -+allow chrome_sandbox_t self:capability2 block_suspend; -+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; -+dontaudit chrome_sandbox_t self:capability sys_nice; -+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; 
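Review bot: `allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;` in `chrome_role_notrans` ends with two semicolons; unless the policy compiler tolerates an empty statement this breaks the build, so drop one. `chrome_domtrans_sandbox` calls `ps_process_pattern(chrome_sandbox_t, $1)`, letting the sandbox read the calling user domain's /proc state, while `chrome_role_notrans` grants the opposite direction with `ps_process_pattern($2, chrome_sandbox_t)`; confirm the first direction is intended and not a swapped argument. A short comment above the shm and tmpfs rules in `chrome_role_notrans` (e.g. `# browser <-> renderer IPC: shared memory and tmpfs-backed buffers`) would document why a user domain gets `rw_shm_perms` on the sandbox.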
-+allow chrome_sandbox_t self:process setsched; -+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; -+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; -+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow chrome_sandbox_t self:shm create_shm_perms; -+allow chrome_sandbox_t self:sem create_sem_perms; -+allow chrome_sandbox_t self:msgq create_msgq_perms; -+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; -+dontaudit chrome_sandbox_t self:memprotect mmap_zero; -+ -+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) -+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) -+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) -+ -+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) -+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) -+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) -+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) -+ -+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir }) -+ -+kernel_read_system_state(chrome_sandbox_t) -+kernel_read_kernel_sysctls(chrome_sandbox_t) -+ -+fs_manage_cgroup_dirs(chrome_sandbox_t) -+fs_manage_cgroup_files(chrome_sandbox_t) -+fs_read_dos_files(chrome_sandbox_t) -+fs_read_hugetlbfs_files(chrome_sandbox_t) -+ -+corecmd_exec_bin(chrome_sandbox_t) -+ -+corenet_all_recvfrom_netlabel(chrome_sandbox_t) -+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t) -+corenet_tcp_connect_aol_port(chrome_sandbox_t) -+corenet_tcp_connect_asterisk_port(chrome_sandbox_t) -+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t) -+corenet_tcp_connect_couchdb_port(chrome_sandbox_t) 
-+corenet_tcp_connect_flash_port(chrome_sandbox_t) -+corenet_tcp_connect_ftp_port(chrome_sandbox_t) -+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t) -+corenet_tcp_connect_generic_port(chrome_sandbox_t) -+corenet_tcp_connect_http_cache_port(chrome_sandbox_t) -+corenet_tcp_connect_http_port(chrome_sandbox_t) -+corenet_tcp_connect_ipp_port(chrome_sandbox_t) -+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t) -+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t) -+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t) -+corenet_tcp_connect_mmcc_port(chrome_sandbox_t) -+corenet_tcp_connect_monopd_port(chrome_sandbox_t) -+corenet_tcp_connect_msnp_port(chrome_sandbox_t) -+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t) -+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) -+corenet_tcp_connect_rtsp_port(chrome_sandbox_t) -+corenet_tcp_connect_soundd_port(chrome_sandbox_t) -+corenet_tcp_connect_speech_port(chrome_sandbox_t) -+corenet_tcp_connect_squid_port(chrome_sandbox_t) -+corenet_tcp_connect_tor_port(chrome_sandbox_t) -+corenet_tcp_connect_transproxy_port(chrome_sandbox_t) -+corenet_tcp_connect_vnc_port(chrome_sandbox_t) -+corenet_tcp_connect_whois_port(chrome_sandbox_t) -+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) -+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) -+ -+domain_dontaudit_read_all_domains_state(chrome_sandbox_t) -+ -+dev_read_urand(chrome_sandbox_t) -+dev_read_sysfs(chrome_sandbox_t) -+dev_rwx_zero(chrome_sandbox_t) -+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t) -+ -+fs_dontaudit_getattr_all_fs(chrome_sandbox_t) -+ -+libs_legacy_use_shared_libs(chrome_sandbox_t) -+ -+miscfiles_read_fonts(chrome_sandbox_t) -+ -+sysnet_dns_name_resolve(chrome_sandbox_t) -+ -+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) -+userdom_execute_user_tmpfs_files(chrome_sandbox_t) -+ -+userdom_use_user_ptys(chrome_sandbox_t) -+userdom_write_inherited_user_tmp_files(chrome_sandbox_t) 
-+userdom_read_inherited_user_home_content_files(chrome_sandbox_t) -+userdom_dontaudit_use_user_terminals(chrome_sandbox_t) -+userdom_search_user_home_content(chrome_sandbox_t) -+# This one we should figure a way to make it more secure -+userdom_manage_home_certs(chrome_sandbox_t) -+ -+optional_policy(` -+ gnome_rw_inherited_config(chrome_sandbox_t) -+ gnome_read_home_config(chrome_sandbox_t) -+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") -+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") -+ -+') -+ -+optional_policy(` -+ mozilla_write_user_home_files(chrome_sandbox_t) -+') -+ -+optional_policy(` -+ xserver_use_user_fonts(chrome_sandbox_t) -+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_search_nfs(chrome_sandbox_t) -+ fs_exec_nfs_files(chrome_sandbox_t) -+ fs_read_nfs_files(chrome_sandbox_t) -+ fs_rw_inherited_nfs_files(chrome_sandbox_t) -+ fs_read_nfs_symlinks(chrome_sandbox_t) -+ fs_dontaudit_append_nfs_files(chrome_sandbox_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs(chrome_sandbox_t) -+ fs_exec_cifs_files(chrome_sandbox_t) -+ fs_rw_inherited_cifs_files(chrome_sandbox_t) -+ fs_read_cifs_files(chrome_sandbox_t) -+ fs_read_cifs_symlinks(chrome_sandbox_t) -+ fs_dontaudit_append_cifs_files(chrome_sandbox_t) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_search_fusefs(chrome_sandbox_t) -+ fs_read_fusefs_files(chrome_sandbox_t) -+ fs_exec_fusefs_files(chrome_sandbox_t) -+ fs_read_fusefs_symlinks(chrome_sandbox_t) -+') -+ -+tunable_policy(`use_ecryptfs_home_dirs',` -+ fs_read_ecryptfs_files(chrome_sandbox_t) -+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t) -+ fs_read_ecryptfs_symlinks(chrome_sandbox_t) -+') -+ -+optional_policy(` -+ cups_stream_connect(chrome_sandbox_t) -+') -+ -+optional_policy(` -+ sandbox_use_ptys(chrome_sandbox_t) -+') -+ -+ 
-+######################################## -+# -+# chrome_sandbox_nacl local policy -+# -+ -+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal }; -+ -+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; -+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; -+allow chrome_sandbox_nacl_t self:shm create_shm_perms; -+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read }; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read }; -+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write }; -+ -+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; -+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; -+ -+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) -+ -+domain_use_interactive_fds(chrome_sandbox_nacl_t) -+ -+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero; -+ -+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) -+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) -+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t) -+ -+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) -+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) -+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) -+ -+kernel_read_state(chrome_sandbox_nacl_t) -+kernel_read_system_state(chrome_sandbox_nacl_t) -+ -+corecmd_bin_entry_type(chrome_sandbox_nacl_t) -+ -+dev_read_urand(chrome_sandbox_nacl_t) 
-+dev_read_sysfs(chrome_sandbox_nacl_t) -+dev_rwx_zero(chrome_sandbox_nacl_t) -+ -+init_read_state(chrome_sandbox_nacl_t) -+ -+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t) -+ -+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) -+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) -+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t) -+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t) -+ -+optional_policy(` -+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t) -+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) -+') -diff --git a/chronyd.fc b/chronyd.fc -index 4e4143e..a665b32 100644 ---- a/chronyd.fc -+++ b/chronyd.fc -@@ -2,6 +2,8 @@ - - /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) - -+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0) -+ - /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) - - /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) -diff --git a/chronyd.if b/chronyd.if -index 32e8265..0de4af3 100644 ---- a/chronyd.if -+++ b/chronyd.if -@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',` - - ######################################## - ## --## Connect to chronyd using a unix --## domain stream socket. -+## Read chronyd keys files. - ## - ## - ## -@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',` - ## - ## - # --interface(`chronyd_stream_connect',` -+interface(`chronyd_read_keys',` - gen_require(` -- type chronyd_t, chronyd_var_run_t; -+ type chronyd_keys_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) -+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) - ') - - ######################################## - ## --## Send to chronyd using a unix domain --## datagram socket. 
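Review bot: The new context `/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)` has an unescaped `.` and no terminating anchor, so any regular file in that directory whose name merely starts with `chrony` becomes chronyd_unit_file_t, which is exactly the type the new `chronyd_systemctl` interface lets callers control with `manage_service_perms`. If the package ships one unit, `/usr/lib/systemd/system/chronyd\.service -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)` is the precise form; if it ships several, list them instead of prefix-matching. The over-match is harmless today but widens silently the day another package drops a `chrony*` file there.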
-+## Append chronyd keys files. - ## - ## - ## -@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',` - ## - ## - # --interface(`chronyd_dgram_send',` -+interface(`chronyd_append_keys',` -+ gen_require(` -+ type chronyd_keys_t; -+ ') -+ -+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) -+') -+ -+######################################## -+## -+## Execute chronyd server in the chronyd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`chronyd_systemctl',` -+ gen_require(` -+ type chronyd_t; -+ type chronyd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 chronyd_unit_file_t:file read_file_perms; -+ allow $1 chronyd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, chronyd_t) -+') -+ -+####################################### -+## -+## Connect to chronyd using a unix -+## domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`chronyd_stream_connect',` - gen_require(` - type chronyd_t, chronyd_var_run_t; - ') - - files_search_pids($1) -- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) -+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) - ') - - ######################################## - ## --## Read chronyd key files. -+## Send to chronyd using a unix domain -+## datagram socket. 
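Review bot: `chronyd_read_keys` expands only `read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)`, whereas the `chronyd_read_key_files` it replaces (removed in a later hunk of this file) also called `files_search_etc($1)`; a caller that does not already hold search on etc_t cannot traverse to the key file, and the read rule is dead for it. Add `files_search_etc($1)` before the read pattern. The rename also breaks any out-of-tree caller of `chronyd_read_key_files`; if compatibility matters, keep the old name as a one-line wrapper that calls the new interface.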
- ## - ## - ## -@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',` - ## - ## - # --interface(`chronyd_read_key_files',` -+interface(`chronyd_dgram_send',` - gen_require(` -- type chronyd_keys_t; -+ type chronyd_t, chronyd_var_run_t; - ') - -- files_search_etc($1) -- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) -+ files_search_pids($1) -+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) - ') - - #################################### -@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',` - # - interface(`chronyd_admin',` - gen_require(` -- type chronyd_t, chronyd_var_log_t; -- type chronyd_var_run_t, chronyd_var_lib_t; -- type chronyd_initrc_exec_t, chronyd_keys_t; -+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; -+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; -+ type chronyd_keys_t, chronyd_unit_file_t; - ') - -- allow $1 chronyd_t:process { ptrace signal_perms }; -+ allow $1 chronyd_t:process signal_perms; - ps_process_pattern($1, chronyd_t) - -- chronyd_initrc_domtrans($1) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 chronyd_t:process ptrace; -+ ') -+ -+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -+ files_list_etc($1) - admin_pattern($1, chronyd_keys_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, chronyd_var_log_t) - -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, chronyd_var_run_t) -+ -+ admin_pattern($1, chronyd_tmpfs_t) -+ -+ admin_pattern($1, chronyd_unit_file_t) -+ chronyd_systemctl($1) -+ allow $1 chronyd_unit_file_t:service all_service_perms; - ') -diff --git a/chronyd.te b/chronyd.te -index 914ee2d..7d723c0 100644 ---- a/chronyd.te -+++ b/chronyd.te -@@ -18,6 +18,9 @@ files_type(chronyd_keys_t) - 
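Review bot: The summary of the new `chronyd_systemctl` interface, `Execute chronyd server in the chronyd domain.`, describes a domain transition, but the body grants `systemd_exec_systemctl($1)`, read plus `manage_service_perms` on chronyd_unit_file_t, and `ps_process_pattern`; nothing here transitions into chronyd_t. Suggest `Execute systemctl in the caller domain to manage the chronyd service via its unit file.` and, for the parameter, `Domain allowed access.` in place of `Domain allowed to transition.`. `chronyd_append_keys` would likewise benefit from one line on why a non-chronyd domain needs append on the file chronyd authenticates with, since the interface widens write access to key material.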
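Review bot: In `chronyd_admin` the added line `allow $1 chronyd_unit_file_t:service all_service_perms;` directly follows `chronyd_systemctl($1)`, which already grants `manage_service_perms` on the same type, so one of the two is redundant. Keep the explicit `all_service_perms` line only if the admin role needs permissions beyond `manage_service_perms`; otherwise drop it so the interface has a single source of truth for service access. Gating `ptrace` behind `deny_ptrace` while leaving `signal_perms` unconditional is consistent with the clamav and cmirrord admin interfaces in this patch.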
type chronyd_tmpfs_t; - files_tmpfs_file(chronyd_tmpfs_t) - -+type chronyd_unit_file_t; -+systemd_unit_file(chronyd_unit_file_t) -+ - type chronyd_var_lib_t; - files_type(chronyd_var_lib_t) - -@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t) - # Local policy - # - --allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; --allow chronyd_t self:process { getcap setcap setrlimit signal }; -+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time }; -+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; - allow chronyd_t self:shm create_shm_perms; -+allow chronyd_t self:udp_socket create_socket_perms; -+allow chronyd_t self:unix_dgram_socket create_socket_perms; - allow chronyd_t self:fifo_file rw_fifo_file_perms; - -+allow chronyd_t chronyd_keys_t:file append_file_perms; -+allow chronyd_t chronyd_keys_t:file setattr_file_perms; - allow chronyd_t chronyd_keys_t:file read_file_perms; - - manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) - corenet_udp_bind_chronyd_port(chronyd_t) - corenet_udp_sendrecv_chronyd_port(chronyd_t) - -+domain_dontaudit_getsession_all_domains(chronyd_t) -+ -+dev_read_rand(chronyd_t) -+dev_read_urand(chronyd_t) -+ - dev_rw_realtime_clock(chronyd_t) - - auth_use_nsswitch(chronyd_t) - - logging_send_syslog_msg(chronyd_t) - --miscfiles_read_localization(chronyd_t) -+mta_send_mail(chronyd_t) - - optional_policy(` - gpsd_rw_shm(chronyd_t) - ') -- --optional_policy(` -- mta_send_mail(chronyd_t) --') -diff --git a/cipe.te b/cipe.te -index 28c8475..9b86dd1 100644 ---- a/cipe.te -+++ b/cipe.te -@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t) - corecmd_exec_shell(ciped_t) - corecmd_exec_bin(ciped_t) - --corenet_all_recvfrom_unlabeled(ciped_t) - corenet_all_recvfrom_netlabel(ciped_t) - corenet_udp_sendrecv_generic_if(ciped_t) - 
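Review bot: The widened capability set `{ dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time }` and the new `append_file_perms` / `setattr_file_perms` on chronyd_keys_t carry no comment naming the chronyd operation that needs them, and together they let the daemon modify the key file it authenticates commands with. If this is for chronyd writing a generated command key at start-up (a guess from the append-only grant), record it above the rules, e.g. `# chronyd appends a generated command key to chrony.keys at startup`, and say why `fsetid` (keep setgid on write) is needed in addition to `setattr`. An unexplained `fsetid` tends to outlive the denial that prompted it.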
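Review bot: `mta_send_mail(chronyd_t)` is pulled out of its `optional_policy` block at the end of the hunk, turning a soft dependency into a hard link-time dependency on the mta module; a policy built without mta now fails to link chronyd instead of skipping the rule. Unless mta is unconditionally part of this base policy (not visible here), restore the wrapper: `optional_policy(\` mta_send_mail(chronyd_t) ')`. The new `dev_read_rand(chronyd_t)` is only needed if chronyd actually opens `/dev/random`; if `/dev/urandom` is all it reads, `dev_read_urand` alone suffices.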
corenet_udp_sendrecv_generic_node(ciped_t) -@@ -45,7 +44,6 @@ dev_read_urand(ciped_t) - - domain_use_interactive_fds(ciped_t) - --files_read_etc_files(ciped_t) - files_read_etc_runtime_files(ciped_t) - files_dontaudit_search_var(ciped_t) - -@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t) - - logging_send_syslog_msg(ciped_t) - --miscfiles_read_localization(ciped_t) -- - sysnet_read_config(ciped_t) - - userdom_dontaudit_use_unpriv_user_fds(ciped_t) -diff --git a/clamav.fc b/clamav.fc -index d72afcc..c53b80d 100644 ---- a/clamav.fc -+++ b/clamav.fc -@@ -6,6 +6,8 @@ - /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - -+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0) -+ - /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) - /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - -diff --git a/clamav.if b/clamav.if -index 4cc4a5c..99c5cca 100644 ---- a/clamav.if -+++ b/clamav.if -@@ -1,4 +1,4 @@ --## ClamAV Virus Scanner. -+## ClamAV Virus Scanner - - ######################################## - ## -@@ -15,14 +15,12 @@ interface(`clamav_domtrans',` - type clamd_t, clamd_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, clamd_exec_t, clamd_t) - ') - - ######################################## - ## --## Connect to clamd using a unix --## domain stream socket. -+## Connect to run clamd. - ## - ## - ## -@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',` - - ######################################## - ## --## Append clamav log files. -+## Allow the specified domain to append -+## to clamav log files. - ## - ## - ## -@@ -61,27 +60,6 @@ interface(`clamav_append_log',` - - ######################################## - ## --## Create, read, write, and delete --## clamav pid content. --## --## --## --## Domain allowed access. 
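Review bot: `clamav_domtrans` loses `corecmd_search_bin($1)`, so a caller without search permission on bin_t can no longer reach `/usr/sbin/clamd` and the `domtrans_pattern` never fires; the same line is dropped from `clamav_domtrans_clamscan` and `clamav_exec_clamscan` later in this file. This is only safe if every domain in this policy obtains bin search some other way (a domain-wide attribute, for instance), which the hunk does not show. If that is the intent, a one-line comment at the interface would stop the next reader from re-adding it; otherwise restore `corecmd_search_bin($1)` above the transition.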
--## --## --# --interface(`clamav_manage_pid_content',` -- gen_require(` -- type clamd_var_run_t; -- ') -- -- files_search_pids($1) -- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) -- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) --') -- --######################################## --## - ## Read clamav configuration files. - ## - ## -@@ -101,7 +79,7 @@ interface(`clamav_read_config',` - - ######################################## - ## --## Search clamav library directories. -+## Search clamav libraries directories. - ## - ## - ## -@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',` - type clamscan_t, clamscan_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, clamscan_exec_t, clamscan_t) - ') - - ######################################## - ## --## Execute clamscan in the caller domain. -+## Execute clamscan without a transition. - ## - ## - ## -@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',` - type clamscan_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, clamscan_exec_t) - ') - --####################################### -+######################################## - ## --## Read clamd process state files. -+## Manage clamd pid content. - ## - ## - ## -@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',` - ## - ## - # --interface(`clamav_read_state_clamd',` -+interface(`clamav_manage_clamd_pid',` - gen_require(` -- type clamd_t; -+ type clamd_var_run_t; - ') - -- kernel_search_proc($1) -- allow $1 clamd_t:dir list_dir_perms; -- read_files_pattern($1, clamd_t, clamd_t) -- read_lnk_files_pattern($1, clamd_t, clamd_t) -+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) -+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) -+') -+ -+####################################### -+## -+## Read clamd state files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`clamav_read_state_clamd',` -+ gen_require(` -+ type clamd_t; -+ ') -+ -+ kernel_search_proc($1) -+ ps_process_pattern($1, clamd_t) -+') -+ -+####################################### -+## -+## Execute clamd server in the clamd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`clamd_systemctl',` -+ gen_require(` -+ type clamd_t; -+ type clamd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 clamd_unit_file_t:file read_file_perms; -+ allow $1 clamd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, clamd_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an clamav environment. -+## All of the rules required to administrate -+## an clamav environment - ## - ## - ## -@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the clamav domain. 
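Review bot: `clamav_manage_clamd_pid` replaces the removed `clamav_manage_pid_content` but drops its `files_search_pids($1)`, so a caller without search on var_run_t cannot reach the pid directory it is being allowed to manage; add `files_search_pids($1)` before the two manage patterns. The new `clamd_systemctl` also breaks the module-prefix convention every other interface here follows (`clamav_*`), and its summary `Execute clamd server in the clamd domain.` does not match a body that only grants systemctl execution plus `manage_service_perms` on clamd_unit_file_t; suggest `clamav_systemctl` with the summary `Execute systemctl in the caller domain to manage the clamd service.`. The rename would have to be carried into `clamav_admin` and the freshclam rule in clamav.te that call it.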
- ## - ## - ## -@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',` - interface(`clamav_admin',` - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; -- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t; -- type clamd_var_run_t, clamscan_t, clamscan_tmp_t; -+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; -+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; - type freshclam_t, freshclam_var_log_t; -+ type clamd_unit_file_t; - ') - -- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t }) -+ allow $1 clamd_t:process signal_perms; -+ ps_process_pattern($1, clamd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 clamd_t:process ptrace; -+ allow $1 clamscan_t:process ptrace; -+ allow $1 freshclam_t:process ptrace; -+ ') -+ -+ allow $1 clamscan_t:process signal_perms; -+ ps_process_pattern($1, clamscan_t) -+ -+ allow $1 freshclam_t:process signal_perms; -+ ps_process_pattern($1, freshclam_t) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; - -+ clamd_systemctl($1) -+ admin_pattern($1, clamd_unit_file_t) -+ allow $1 clamd_unit_file_t:service all_service_perms; -+ - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - -@@ -217,11 +251,21 @@ interface(`clamav_admin',` - admin_pattern($1, clamd_var_lib_t) - - logging_list_logs($1) -- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t }) -+ admin_pattern($1, clamd_var_log_t) - - files_list_pids($1) - admin_pattern($1, clamd_var_run_t) - - files_list_tmp($1) -- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) -+ admin_pattern($1, clamd_tmp_t) -+ -+ admin_pattern($1, clamscan_tmp_t) -+ -+ admin_pattern($1, freshclam_var_log_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+ - ') -diff --git a/clamav.te b/clamav.te -index 
8e1fef9..c8c9a5a 100644 ---- a/clamav.te -+++ b/clamav.te -@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) - type clamd_initrc_exec_t; - init_script_file(clamd_initrc_exec_t) - -+type clamd_unit_file_t; -+systemd_unit_file(clamd_unit_file_t) -+ - type clamd_tmp_t; - files_tmp_file(clamd_tmp_t) - -@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t) - allow clamd_t self:capability { kill setgid setuid dac_override }; - dontaudit clamd_t self:capability sys_tty_config; - allow clamd_t self:process signal; -+ - allow clamd_t self:fifo_file rw_fifo_file_perms; - allow clamd_t self:unix_stream_socket { accept connectto listen }; - allow clamd_t self:tcp_socket { listen accept }; -@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t) - - corecmd_exec_shell(clamd_t) - --corenet_all_recvfrom_unlabeled(clamd_t) - corenet_all_recvfrom_netlabel(clamd_t) - corenet_tcp_sendrecv_generic_if(clamd_t) - corenet_tcp_sendrecv_generic_node(clamd_t) -@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t) - - corenet_sendrecv_generic_client_packets(clamd_t) - corenet_tcp_connect_generic_port(clamd_t) -+corenet_tcp_connect_clamd_port(clamd_t) - - corenet_sendrecv_clamd_server_packets(clamd_t) - corenet_tcp_bind_clamd_port(clamd_t) -@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t) - - logging_send_syslog_msg(clamd_t) - --miscfiles_read_localization(clamd_t) -- --tunable_policy(`clamd_use_jit',` -- allow clamd_t self:process execmem; --',` -- dontaudit clamd_t self:process execmem; --') -- - optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) -- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) -+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file }) - amavis_create_pid_files(clamd_t) - ') - -@@ -165,6 +161,31 @@ optional_policy(` - mta_send_mail(clamd_t) - ') - -+optional_policy(` -+ spamd_stream_connect(clamd_t) -+ spamassassin_read_pid_files(clamd_t) -+') -+ -+tunable_policy(`clamd_use_jit',` -+ allow clamd_t 
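Review bot: `corenet_tcp_connect_clamd_port(clamd_t)` lets the clamd domain connect to its own port, which only makes sense because `clamav-milter` is labelled clamd_exec_t (visible in the clamav.fc context lines above) and therefore runs as clamd_t while talking to clamd over TCP; without a comment the rule reads like a daemon connecting to itself and invites removal. Suggest `# clamav-milter also runs as clamd_t and connects to clamd over TCP` above the line. A separate milter domain would avoid giving the scanner the milter's network-facing permissions, but that is beyond this hunk.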
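Review bot: `amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })` now labels any file or directory clamd creates inside the amavis spool as clamd_var_run_t rather than only the socket, and amavis needs matching access to clamd_var_run_t to read anything clamd drops there, which this hunk does not grant. If only the socket is meant to live under the spool, keep `sock_file`; if clamd really creates files and directories there, a comment naming them would justify giving them the pid-file label.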
self:process execmem; -+ allow clamscan_t self:process execmem; -+',` -+ dontaudit clamd_t self:process execmem; -+ dontaudit clamscan_t self:process execmem; -+') -+ -+optional_policy(` -+ antivirus_domain_template(clamd_t) -+') -+ -+optional_policy(` -+ antivirus_domain_template(clamscan_t) -+') -+ -+optional_policy(` -+ antivirus_domain_template(freshclam_t) -+') -+ - ######################################## - # - # Freshclam local policy -@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t) - - logging_send_syslog_msg(freshclam_t) - --miscfiles_read_localization(freshclam_t) - - tunable_policy(`clamd_use_jit',` - allow freshclam_t self:process execmem; -@@ -241,6 +261,10 @@ optional_policy(` - ') - - optional_policy(` -+ clamd_systemctl(freshclam_t) -+') -+ -+optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) - ') - -@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t) - kernel_read_kernel_sysctls(clamscan_t) - kernel_read_system_state(clamscan_t) - --corenet_all_recvfrom_unlabeled(clamscan_t) - corenet_all_recvfrom_netlabel(clamscan_t) - corenet_tcp_sendrecv_generic_if(clamscan_t) - corenet_tcp_sendrecv_generic_node(clamscan_t) -@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) - - corecmd_read_all_executables(clamscan_t) - --files_read_etc_files(clamscan_t) - files_read_etc_runtime_files(clamscan_t) - files_search_var_lib(clamscan_t) - - init_read_utmp(clamscan_t) - init_dontaudit_write_utmp(clamscan_t) - --miscfiles_read_localization(clamscan_t) - miscfiles_read_public_files(clamscan_t) - - sysnet_dns_name_resolve(clamscan_t) -@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',` - ') - - optional_policy(` -- amavis_read_spool_files(clamscan_t) --') -- --optional_policy(` - apache_read_sys_content(clamscan_t) - ') - -diff --git a/clockspeed.te b/clockspeed.te -index b59c592..4b8cddc 100644 ---- a/clockspeed.te -+++ b/clockspeed.te -@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket 
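Review bot: The three consecutive `optional_policy` blocks each calling `antivirus_domain_template` for clamd_t, clamscan_t and freshclam_t depend on the same module and could be one block; more importantly, the argument is an existing type name rather than a prefix, so if `antivirus_domain_template` declares `$1_t`-style types (as templates usually do) this produces `clamd_t_t`-style declarations, and if it only attaches an attribute it should be an `interface`, not a `template`. The definition is not visible here, so please confirm which it is and either pass the prefix (`clamd`) or rename the call. A short comment on what membership in the antivirus domain adds to these three domains would also help, since they already carry their own full rule sets above.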
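Review bot: `clamd_systemctl(freshclam_t)` is wrapped in `optional_policy`, but the interface is defined in this same module (clamav.if), so the wrapper never has an effect; drop it. The grant itself gives freshclam_t `systemd_exec_systemctl` and `manage_service_perms` on clamd_unit_file_t, i.e. the signature updater (which also runs from cron via `cron_system_entry` below) can stop or restart the scanner. If that is for reloading clamd after a database update, a comment such as `# freshclam restarts clamd after a signature update` would document why an updater holds service-management rights; otherwise prefer a narrower notification path.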
create_socket_perms; - - read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - --corenet_all_recvfrom_unlabeled(clockspeed_cli_t) - corenet_all_recvfrom_netlabel(clockspeed_cli_t) - corenet_udp_sendrecv_generic_if(clockspeed_cli_t) - corenet_udp_sendrecv_generic_node(clockspeed_cli_t) -@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) - corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) - - files_list_var_lib(clockspeed_cli_t) --files_read_etc_files(clockspeed_cli_t) - --miscfiles_read_localization(clockspeed_cli_t) - --userdom_use_user_terminals(clockspeed_cli_t) -+userdom_use_inherited_user_terminals(clockspeed_cli_t) - - ######################################## - # -@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; - manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - --corenet_all_recvfrom_unlabeled(clockspeed_srv_t) - corenet_all_recvfrom_netlabel(clockspeed_srv_t) - corenet_udp_sendrecv_generic_if(clockspeed_srv_t) - corenet_udp_sendrecv_generic_node(clockspeed_srv_t) -@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t) - corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t) - - files_list_var_lib(clockspeed_srv_t) --files_read_etc_files(clockspeed_srv_t) - --miscfiles_read_localization(clockspeed_srv_t) - - optional_policy(` - daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) -diff --git a/clogd.te b/clogd.te -index 29782b8..685edff 100644 ---- a/clogd.te -+++ b/clogd.te -@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) - - logging_send_syslog_msg(clogd_t) - --miscfiles_read_localization(clogd_t) -- - optional_policy(` -- aisexec_stream_connect(clogd_t) -- corosync_stream_connect(clogd_t) -+ rhcs_stream_connect_cluster(clogd_t) - ') -diff --git a/cloudform.fc b/cloudform.fc -new file mode 100644 -index 
0000000..3a0de96 ---- /dev/null -+++ b/cloudform.fc -@@ -0,0 +1,27 @@ -+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) -+ -+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) -+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) -+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) -+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) -+ -+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) -+ -+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) -+ -+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) -+ -+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0) -+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0) -+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) -+/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) -+ -+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) -+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) -+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) -+ -+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) -+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) -+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) -diff --git a/cloudform.if b/cloudform.if -new file mode 100644 -index 0000000..8ac848b ---- /dev/null -+++ b/cloudform.if -@@ -0,0 +1,42 @@ -+## cloudform policy -+ -+####################################### -+## -+## Creates types and rules for a basic -+## cloudform daemon domain. 
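Review bot: `/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)` runs an unrelated aeolus-conductor program in mongod_t, and the `dbomatic\.log.*` and `dbomatic\.pid` entries extend the sharing to its log and pid file. The cost is visible in cloudform.te, where mongod_t gains `corecmd_exec_bin`, `corecmd_exec_shell`, postgresql connect and a pid filetrans marked `#needed by dbomatic`, so a compromise of either program inherits the other's permissions; give dbomatic its own domain instead of labelling it as the database executable. Separately, `/var/lib/mongo.*`, `/var/log/mongo.*` and `/var/run/mongo.*` have neither an object-class specifier nor anchoring, so they also match e.g. `/var/log/mongo-unrelated`; `/var/lib/mongo(db)?(/.*)?` is the conventional form.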
-+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`cloudform_domain_template',` -+ gen_require(` -+ attribute cloudform_domain; -+ ') -+ -+ type $1_t, cloudform_domain; -+ type $1_exec_t; -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ kernel_read_system_state($1_t) -+') -+ -+###################################### -+## -+## Execute mongod in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cloudform_exec_mongod',` -+ gen_require(` -+ type mongod_exec_t; -+ ') -+ -+ can_exec($1, mongod_exec_t) -+') -diff --git a/cloudform.te b/cloudform.te -new file mode 100644 -index 0000000..4e41e84 ---- /dev/null -+++ b/cloudform.te -@@ -0,0 +1,298 @@ -+policy_module(cloudform, 1.0) -+######################################## -+# -+# Declarations -+# -+ -+attribute cloudform_domain; -+ -+cloudform_domain_template(deltacloudd) -+cloudform_domain_template(iwhd) -+cloudform_domain_template(mongod) -+cloudform_domain_template(cloud_init) -+ -+type cloud_init_tmp_t; -+files_tmp_file(cloud_init_tmp_t) -+ -+type cloud_init_unit_file_t; -+systemd_unit_file(cloud_init_unit_file_t) -+ -+type cloud_var_lib_t; -+files_type(cloud_var_lib_t) -+ -+type cloud_log_t; -+logging_log_file(cloud_log_t) -+ -+type deltacloudd_log_t; -+logging_log_file(deltacloudd_log_t) -+ -+type deltacloudd_var_run_t; -+files_pid_file(deltacloudd_var_run_t) -+ -+type deltacloudd_tmp_t; -+files_tmp_file(deltacloudd_tmp_t) -+ -+type iwhd_initrc_exec_t; -+init_script_file(iwhd_initrc_exec_t) -+ -+type iwhd_var_lib_t; -+files_type(iwhd_var_lib_t) -+ -+type iwhd_var_run_t; -+files_pid_file(iwhd_var_run_t) -+ -+type mongod_initrc_exec_t; -+init_script_file(mongod_initrc_exec_t) -+ -+type mongod_log_t; -+logging_log_file(mongod_log_t) -+ -+type mongod_var_lib_t; -+files_type(mongod_var_lib_t) -+ -+type mongod_tmp_t; -+files_tmp_file(mongod_tmp_t) -+ -+type mongod_var_run_t; -+files_pid_file(mongod_var_run_t) -+ -+type iwhd_log_t; -+logging_log_file(iwhd_log_t) -+ 
-+######################################## -+# -+# cloudform_domain local policy -+# -+ -+allow cloudform_domain self:fifo_file rw_fifo_file_perms; -+allow cloudform_domain self:tcp_socket create_stream_socket_perms; -+ -+dev_read_rand(cloudform_domain) -+dev_read_urand(cloudform_domain) -+dev_read_sysfs(cloudform_domain) -+ -+auth_read_passwd(cloudform_domain) -+ -+miscfiles_read_certs(cloudform_domain) -+ -+################################# -+# -+# cloud-init local policy -+# -+ -+allow cloud_init_t self:capability { fowner chown fsetid dac_override }; -+ -+allow cloud_init_t self:udp_socket create_socket_perms; -+ -+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t) -+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t) -+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir }) -+ -+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) -+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) -+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) -+ -+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t) -+logging_log_filetrans(cloud_init_t, cloud_log_t, { file }) -+ -+kernel_read_network_state(cloud_init_t) -+ -+corenet_tcp_connect_http_port(cloud_init_t) -+ -+corecmd_exec_bin(cloud_init_t) -+corecmd_exec_shell(cloud_init_t) -+ -+domain_read_all_domains_state(cloud_init_t) -+ -+fs_getattr_all_fs(cloud_init_t) -+ -+storage_raw_read_fixed_disk(cloud_init_t) -+ -+libs_exec_ldconfig(cloud_init_t) -+ -+logging_send_syslog_msg(cloud_init_t) -+ -+miscfiles_read_localization(cloud_init_t) -+ -+selinux_validate_context(cloud_init_t) -+ -+systemd_dbus_chat_hostnamed(cloud_init_t) -+systemd_exec_systemctl(cloud_init_t) -+systemd_start_all_services(cloud_init_t) -+ -+usermanage_domtrans_passwd(cloud_init_t) -+ -+optional_policy(` -+ dbus_system_bus_client(cloud_init_t) -+') -+ -+optional_policy(` -+ dmidecode_domtrans(cloud_init_t) -+') -+ -+optional_policy(` -+ 
fstools_domtrans(cloud_init_t) -+') -+ -+optional_policy(` -+ hostname_exec(cloud_init_t) -+') -+ -+optional_policy(` -+ mount_domtrans(cloud_init_t) -+') -+ -+optional_policy(` -+ # it check file context and run restorecon -+ seutil_read_file_contexts(cloud_init_t) -+ seutil_domtrans_setfiles(cloud_init_t) -+') -+ -+optional_policy(` -+ ssh_exec_keygen(cloud_init_t) -+ ssh_read_user_home_files(cloud_init_t) -+') -+ -+optional_policy(` -+ sysnet_domtrans_ifconfig(cloud_init_t) -+ sysnet_read_dhcpc_state(cloud_init_t) -+ sysnet_dns_name_resolve(cloud_init_t) -+') -+ -+optional_policy(` -+ rpm_domtrans(cloud_init_t) -+ unconfined_domain(cloud_init_t) -+') -+ -+######################################## -+# -+# deltacloudd local policy -+# -+ -+allow deltacloudd_t self:capability { dac_override setuid setgid }; -+ -+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; -+allow deltacloudd_t self:udp_socket create_socket_perms; -+ -+allow deltacloudd_t self:process signal; -+ -+allow deltacloudd_t self:fifo_file rw_fifo_file_perms; -+allow deltacloudd_t self:tcp_socket create_stream_socket_perms; -+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) -+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) -+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir }) -+ -+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) -+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) -+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) -+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir }) -+ -+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) -+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) -+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir }) -+ 
-+kernel_read_kernel_sysctls(deltacloudd_t) -+kernel_read_system_state(deltacloudd_t) -+ -+corecmd_exec_bin(deltacloudd_t) -+ -+corenet_tcp_bind_generic_node(deltacloudd_t) -+corenet_tcp_bind_generic_port(deltacloudd_t) -+corenet_tcp_connect_http_port(deltacloudd_t) -+corenet_tcp_connect_keystone_port(deltacloudd_t) -+ -+auth_use_nsswitch(deltacloudd_t) -+ -+logging_send_syslog_msg(deltacloudd_t) -+ -+optional_policy(` -+ sysnet_read_config(deltacloudd_t) -+') -+ -+######################################## -+# -+# iwhd local policy -+# -+ -+allow iwhd_t self:capability { chown kill }; -+allow iwhd_t self:process { fork }; -+ -+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms; -+allow iwhd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) -+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) -+ -+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t) -+logging_log_filetrans(iwhd_t, iwhd_log_t, { file }) -+ -+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) -+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) -+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file }) -+ -+kernel_read_system_state(iwhd_t) -+ -+corenet_tcp_bind_generic_node(iwhd_t) -+corenet_tcp_bind_websm_port(iwhd_t) -+corenet_tcp_connect_all_ports(iwhd_t) -+ -+dev_read_rand(iwhd_t) -+dev_read_urand(iwhd_t) -+ -+userdom_home_manager(iwhd_t) -+ -+######################################## -+# -+# mongod local policy -+# -+ -+allow mongod_t self:process { execmem setsched signal }; -+ -+allow mongod_t self:netlink_route_socket r_netlink_socket_perms; -+allow mongod_t self:unix_stream_socket create_stream_socket_perms; -+allow mongod_t self:udp_socket create_socket_perms; -+ -+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) -+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log") -+logging_log_filetrans(mongod_t, 
mongod_log_t, file, "mongod.log") -+ -+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -+ -+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) -+ -+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -+#needed by dbomatic -+files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) -+ -+corecmd_exec_bin(mongod_t) -+corecmd_exec_shell(mongod_t) -+ -+corenet_tcp_bind_generic_node(mongod_t) -+corenet_tcp_bind_mongod_port(mongod_t) -+corenet_tcp_connect_mongod_port(mongod_t) -+corenet_tcp_connect_postgresql_port(mongod_t) -+ -+kernel_read_vm_sysctls(mongod_t) -+kernel_read_system_state(mongod_t) -+ -+fs_getattr_all_fs(mongod_t) -+ -+optional_policy(` -+ mysql_stream_connect(mongod_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(mongod_t) -+') -+ -+optional_policy(` -+ sysnet_dns_name_resolve(mongod_t) -+') -diff --git a/cmirrord.if b/cmirrord.if -index cc4e7cb..f348d27 100644 ---- a/cmirrord.if -+++ b/cmirrord.if -@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',` - type cmirrord_t, cmirrord_tmpfs_t; - ') - -- allow $1 cmirrord_t:shm rw_shm_perms; -+ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; - - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) - ') -@@ -103,9 +104,13 @@ interface(`cmirrord_admin',` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - -- allow $1 cmirrord_t:process { ptrace signal_perms }; -+ allow $1 cmirrord_t:process signal_perms; - 
ps_process_pattern($1, cmirrord_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cmirrord_t:process ptrace; -+ ') -+ - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; -diff --git a/cmirrord.te b/cmirrord.te -index d8e9958..d2303a4 100644 ---- a/cmirrord.te -+++ b/cmirrord.te -@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) - # Local policy - # - --allow cmirrord_t self:capability { net_admin kill }; -+allow cmirrord_t self:capability { sys_admin net_admin kill }; - dontaudit cmirrord_t self:capability sys_tty_config; - allow cmirrord_t self:process { setfscreate signal }; - allow cmirrord_t self:fifo_file rw_fifo_file_perms; -@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) - domain_use_interactive_fds(cmirrord_t) - domain_obj_id_change_exemption(cmirrord_t) - --files_read_etc_files(cmirrord_t) -- - storage_create_fixed_disk_dev(cmirrord_t) -+storage_rw_inherited_fixed_disk_dev(cmirrord_t) - - seutil_read_file_contexts(cmirrord_t) - - logging_send_syslog_msg(cmirrord_t) - --miscfiles_read_localization(cmirrord_t) -- - optional_policy(` - corosync_stream_connect(cmirrord_t) - ') -+ -+optional_policy(` -+ rhcs_rw_cluster_tmpfs(cmirrord_t) -+') -diff --git a/cobbler.fc b/cobbler.fc -index 973d208..2b650a7 100644 ---- a/cobbler.fc -+++ b/cobbler.fc -@@ -4,6 +4,7 @@ - - /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) - -+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) - /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) - - /var/lib/tftpboot/etc(/.*)? 
gen_context(system_u:object_r:cobbler_var_lib_t,s0) -diff --git a/cobbler.if b/cobbler.if -index c223f81..8b567c1 100644 ---- a/cobbler.if -+++ b/cobbler.if -@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) - ') - -+ -+ -+######################################## -+## -+## Read cobbler configuration dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cobbler_list_config',` -+ gen_require(` -+ type cobbler_etc_t; -+ ') -+ -+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t) -+ files_search_etc($1) -+') -+ -+ - ######################################## - ## - ## Read cobbler configuration files. -@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',` - - files_search_var_lib($1) - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - ') - - ######################################## -@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',` - - files_search_var_lib($1) - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - ') - - ######################################## -@@ -176,8 +201,8 @@ interface(`cobblerd_admin',` - interface(`cobbler_admin',` - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; -- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; -- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t; -+ type cobbler_etc_t, cobblerd_initrc_exec_t; -+ type cobbler_tmp_t; - ') - - allow $1 cobblerd_t:process { ptrace signal_perms }; -@@ -199,7 +224,4 @@ interface(`cobbler_admin',` - - logging_search_logs($1) - admin_pattern($1, cobbler_var_log_t) -- -- apache_search_sys_content($1) -- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) - ') 
-diff --git a/cobbler.te b/cobbler.te -index 2a71346..8c4ac39 100644 ---- a/cobbler.te -+++ b/cobbler.te -@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) - manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) - manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) - files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) -+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler") - - append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) - create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) - logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) - - kernel_read_system_state(cobblerd_t) --kernel_dontaudit_search_network_state(cobblerd_t) -+kernel_read_network_state(cobblerd_t) - - corecmd_exec_bin(cobblerd_t) - corecmd_exec_shell(cobblerd_t) -@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) - corenet_tcp_connect_http_port(cobblerd_t) - corenet_sendrecv_http_client_packets(cobblerd_t) - -+dev_read_sysfs(cobblerd_t) - dev_read_urand(cobblerd_t) - - files_list_boot(cobblerd_t) - files_list_tmp(cobblerd_t) - files_read_boot_files(cobblerd_t) --files_read_etc_files(cobblerd_t) - files_read_etc_runtime_files(cobblerd_t) --files_read_usr_files(cobblerd_t) - - fs_getattr_all_fs(cobblerd_t) - fs_read_iso9660_files(cobblerd_t) -@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) - - term_use_console(cobblerd_t) - -+auth_use_nsswitch(cobblerd_t) -+ - logging_send_syslog_msg(cobblerd_t) - - miscfiles_read_localization(cobblerd_t) -@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` - ') - - optional_policy(` -+ apache_domtrans(cobblerd_t) - apache_search_sys_content(cobblerd_t) - ') - -@@ -188,17 +191,25 @@ optional_policy(` - ') - - optional_policy(` -+ libs_exec_ldconfig(cobblerd_t) -+') -+ -+optional_policy(` -+ 
mysql_stream_connect(cobblerd_t) -+') -+ -+optional_policy(` - rpm_exec(cobblerd_t) - ') - - optional_policy(` -+ rsync_exec(cobblerd_t) - rsync_read_config(cobblerd_t) -- rsync_manage_config_files(cobblerd_t) -+ rsync_manage_config(cobblerd_t) - rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") - ') - - optional_policy(` -- tftp_manage_config_files(cobblerd_t) -- tftp_etc_filetrans_config(cobblerd_t, file, "tftp") -+ tftp_manage_config(cobblerd_t) - tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) - ') -diff --git a/collectd.fc b/collectd.fc -index 79a3abe..2e7d7ed 100644 ---- a/collectd.fc -+++ b/collectd.fc -@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) - -+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) -+ - /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) - - /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) -diff --git a/collectd.if b/collectd.if -index 954309e..f4db2ca 100644 ---- a/collectd.if -+++ b/collectd.if -@@ -2,8 +2,144 @@ - - ######################################## - ## --## All of the rules required to --## administrate an collectd environment. -+## Transition to collectd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`collectd_domtrans',` -+ gen_require(` -+ type collectd_t, collectd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, collectd_exec_t, collectd_t) -+') -+ -+######################################## -+## -+## Execute collectd server in the collectd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`collectd_initrc_domtrans',` -+ gen_require(` -+ type collectd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, collectd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Search collectd lib directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`collectd_search_lib',` -+ gen_require(` -+ type collectd_var_lib_t; -+ ') -+ -+ allow $1 collectd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read collectd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`collectd_read_lib_files',` -+ gen_require(` -+ type collectd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage collectd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`collectd_manage_lib_files',` -+ gen_require(` -+ type collectd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage collectd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`collectd_manage_lib_dirs',` -+ gen_require(` -+ type collectd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t) -+') -+ -+######################################## -+## -+## Execute collectd server in the collectd domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`collectd_systemctl',` -+ gen_require(` -+ type collectd_t; -+ type collectd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 collectd_unit_file_t:file read_file_perms; -+ allow $1 collectd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, collectd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an collectd environment - ## - ## - ## -@@ -20,13 +156,17 @@ - interface(`collectd_admin',` - gen_require(` - type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; -- type collectd_var_lib_t; -+ type collectd_var_lib_t, collectd_unit_file_t; - ') - -- allow $1 collectd_t:process { ptrace signal_perms }; -+ allow $1 collectd_t:process signal_perms; - ps_process_pattern($1, collectd_t) - -- init_labeled_script_domtrans($1, collectd_initrc_exec_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 collectd_t:process ptrace; -+ ') -+ -+ collectd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 collectd_initrc_exec_t system_r; - allow $2 system_r; -@@ -36,4 +176,9 @@ interface(`collectd_admin',` - - files_search_var_lib($1) - admin_pattern($1, collectd_var_lib_t) -+ -+ collectd_systemctl($1) -+ admin_pattern($1, collectd_unit_file_t) -+ allow $1 collectd_unit_file_t:service all_service_perms; - ') -+ -diff --git a/collectd.te b/collectd.te -index 6471fa8..dc0423c 100644 ---- a/collectd.te -+++ b/collectd.te -@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) - type collectd_var_run_t; - files_pid_file(collectd_var_run_t) - -+type collectd_unit_file_t; -+systemd_unit_file(collectd_unit_file_t) -+ - apache_content_template(collectd) - -+type httpd_collectd_script_tmp_t; -+files_tmp_file(httpd_collectd_script_tmp_t) -+ - ######################################## - # - # Local policy -@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; - allow collectd_t self:fifo_file rw_fifo_file_perms; - allow 
collectd_t self:packet_socket create_socket_perms; - allow collectd_t self:unix_stream_socket { accept listen }; -+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+allow collectd_t self:udp_socket create_socket_perms; -+allow collectd_t self:rawip_socket create_socket_perms; - - manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) - manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) - manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) - files_pid_filetrans(collectd_t, collectd_var_run_t, file) - --domain_use_interactive_fds(collectd_t) -+kernel_read_all_sysctls(collectd_t) -+kernel_read_all_proc(collectd_t) -+kernel_list_all_proc(collectd_t) -+ -+auth_getattr_passwd(collectd_t) -+auth_read_passwd(collectd_t) - --kernel_read_network_state(collectd_t) --kernel_read_net_sysctls(collectd_t) --kernel_read_system_state(collectd_t) -+corenet_udp_bind_generic_node(collectd_t) -+corenet_udp_bind_collectd_port(collectd_t) - - dev_read_rand(collectd_t) - dev_read_sysfs(collectd_t) - dev_read_urand(collectd_t) - -+domain_use_interactive_fds(collectd_t) -+domain_read_all_domains_state(collectd_t) -+ - files_getattr_all_dirs(collectd_t) --files_read_etc_files(collectd_t) --files_read_usr_files(collectd_t) - - fs_getattr_all_fs(collectd_t) - --miscfiles_read_localization(collectd_t) -+init_read_utmp(collectd_t) - - logging_send_syslog_msg(collectd_t) - -@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` - ') - - optional_policy(` -+ netutils_domtrans_ping(collectd_t) -+') -+ -+optional_policy(` - virt_read_config(collectd_t) - ') - - ######################################## - # --# Web local policy -+# Web collectd local policy - # - --optional_policy(` -- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -- list_dirs_pattern(httpd_collectd_script_t, 
collectd_var_lib_t, collectd_var_lib_t) -- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) --') -+ -+files_search_var_lib(httpd_collectd_script_t) -+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -+ -+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) -+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) -+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir }) -+ -+auth_read_passwd(httpd_collectd_script_t) -diff --git a/colord.fc b/colord.fc -index 717ea0b..22e0385 100644 ---- a/colord.fc -+++ b/colord.fc -@@ -4,5 +4,7 @@ - /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) - /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) - -+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) -+ - /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) - /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) -diff --git a/colord.if b/colord.if -index 8e27a37..825f537 100644 ---- a/colord.if -+++ b/colord.if -@@ -1,4 +1,4 @@ --## GNOME color manager. 
-+## GNOME color manager - - ######################################## - ## -@@ -15,7 +15,6 @@ interface(`colord_domtrans',` - type colord_t, colord_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, colord_exec_t, colord_t) - ') - -@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',` - - allow $1 colord_t:dbus send_msg; - allow colord_t $1:dbus send_msg; -+ ps_process_pattern(colord_t, $1) - ') - - ###################################### -@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',` - files_search_var_lib($1) - read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) - ') -+ -+######################################## -+## -+## Execute colord server in the colord domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`colord_systemctl',` -+ gen_require(` -+ type colord_t; -+ type colord_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 colord_unit_file_t:file read_file_perms; -+ allow $1 colord_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, colord_t) -+') -diff --git a/colord.te b/colord.te -index 09f18e2..3547d05 100644 ---- a/colord.te -+++ b/colord.te -@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) - type colord_t; - type colord_exec_t; - dbus_system_domain(colord_t, colord_exec_t) -+init_daemon_domain(colord_t, colord_exec_t) - - type colord_tmp_t; - files_tmp_file(colord_tmp_t) -@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t) - type colord_var_lib_t; - files_type(colord_var_lib_t) - -+type colord_unit_file_t; -+systemd_unit_file(colord_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -26,10 +30,13 @@ files_type(colord_var_lib_t) - allow colord_t self:capability { dac_read_search dac_override }; - dontaudit colord_t self:capability sys_admin; - allow colord_t self:process signal; -+ - allow colord_t self:fifo_file rw_fifo_file_perms; - allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; --allow colord_t self:tcp_socket { 
accept listen }; -+allow colord_t self:tcp_socket create_stream_socket_perms; - allow colord_t self:shm create_shm_perms; -+allow colord_t self:udp_socket create_socket_perms; -+allow colord_t self:unix_dgram_socket create_socket_perms; - - manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) - manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t) - dev_write_video_dev(colord_t) - dev_rw_printer(colord_t) - dev_read_rand(colord_t) --dev_read_sysfs(colord_t) - dev_read_urand(colord_t) --dev_list_sysfs(colord_t) -+dev_read_sysfs(colord_t) - dev_rw_generic_usb_dev(colord_t) - - domain_use_interactive_fds(colord_t) - - files_list_mnt(colord_t) --files_read_usr_files(colord_t) - --fs_getattr_noxattr_fs(colord_t) --fs_getattr_tmpfs(colord_t) -+fs_getattr_all_fs(colord_t) - fs_list_noxattr_fs(colord_t) - fs_read_noxattr_fs_files(colord_t) - fs_search_all(colord_t) - fs_dontaudit_getattr_all_fs(colord_t) -+fs_getattr_tmpfs(colord_t) -+fs_read_cgroup_files(colord_t) - - storage_getattr_fixed_disk_dev(colord_t) - storage_getattr_removable_dev(colord_t) -@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t) - - auth_use_nsswitch(colord_t) - -+init_read_state(colord_t) -+ - logging_send_syslog_msg(colord_t) - --miscfiles_read_localization(colord_t) -+systemd_read_logind_sessions_files(colord_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_getattr_nfs(colord_t) -- fs_read_nfs_files(colord_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_getattr_cifs(colord_t) -- fs_read_cifs_files(colord_t) --') -+userdom_rw_user_tmpfs_files(colord_t) -+userdom_home_reader(colord_t) -+userdom_list_user_home_content(colord_t) -+userdom_read_inherited_user_home_content_files(colord_t) - - optional_policy(` - cups_read_config(colord_t) - cups_read_rw_config(colord_t) - cups_stream_connect(colord_t) - cups_dbus_chat(colord_t) -+ cups_read_state(colord_t) -+') -+ -+optional_policy(` -+ 
gnome_read_home_icc_data_content(colord_t) -+ # Fixes lots of breakage in F16 on upgrade -+ gnome_read_generic_data_home_files(colord_t) - ') - - optional_policy(` -@@ -133,3 +143,16 @@ optional_policy(` - optional_policy(` - udev_read_db(colord_t) - ') -+ -+optional_policy(` -+ xserver_dbus_chat_xdm(colord_t) -+ xserver_read_xdm_state(colord_t) -+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc -+ xserver_read_inherited_xdm_lib_files(colord_t) -+ # allow to read /run/initial-setup-$username -+ xserver_read_xdm_pid(colord_t) -+') -+ -+optional_policy(` -+ zoneminder_rw_tmpfs_files(colord_t) -+') -diff --git a/comsat.te b/comsat.te -index 3f6e4dc..88c4f19 100644 ---- a/comsat.te -+++ b/comsat.te -@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t) - kernel_read_network_state(comsat_t) - kernel_read_system_state(comsat_t) - -+corenet_all_recvfrom_netlabel(comsat_t) -+corenet_tcp_sendrecv_generic_if(comsat_t) -+corenet_udp_sendrecv_generic_if(comsat_t) -+corenet_tcp_sendrecv_generic_node(comsat_t) -+corenet_udp_sendrecv_generic_node(comsat_t) -+corenet_udp_sendrecv_all_ports(comsat_t) -+ - dev_read_urand(comsat_t) - - fs_getattr_xattr_fs(comsat_t) -@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t) - - logging_send_syslog_msg(comsat_t) - --miscfiles_read_localization(comsat_t) -- - userdom_dontaudit_getattr_user_ttys(comsat_t) - - mta_getattr_spool(comsat_t) -diff --git a/condor.fc b/condor.fc -index 23dc348..c4450f7 100644 ---- a/condor.fc -+++ b/condor.fc -@@ -1,4 +1,5 @@ - /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0) -+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) - - /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) - /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) -@@ -8,6 +9,8 @@ - /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) - 
/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) - -+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0) -+ - /var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) - - /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) -diff --git a/condor.if b/condor.if -index 3fe3cb8..5fe84a6 100644 ---- a/condor.if -+++ b/condor.if -@@ -1,81 +1,397 @@ --## High-Throughput Computing System. -+ -+## policy for condor -+ -+##################################### -+## -+## Creates types and rules for a basic -+## condor init daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`condor_domain_template',` -+ gen_require(` -+ type condor_master_t; -+ attribute condor_domain; -+ ') -+ -+ ############################# -+ # -+ # Declarations -+ # -+ -+ type condor_$1_t, condor_domain; -+ type condor_$1_exec_t; -+ init_daemon_domain(condor_$1_t, condor_$1_exec_t) -+ role system_r types condor_$1_t; -+ -+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) -+ allow condor_master_t condor_$1_exec_t:file ioctl; -+ -+ kernel_read_system_state(condor_$1_t) -+ -+ corenet_all_recvfrom_netlabel(condor_$1_t) -+ corenet_all_recvfrom_unlabeled(condor_$1_t) -+ -+ auth_use_nsswitch(condor_$1_t) -+ -+ logging_send_syslog_msg(condor_$1_t) -+') -+ -+######################################## -+## -+## Transition to condor. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`condor_domtrans',` -+ gen_require(` -+ type condor_t, condor_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, condor_exec_t, condor_t) -+') -+ -+####################################### -+## -+## Allows to start userland processes -+## by transitioning to the specified domain, -+## with a range transition. -+## -+## -+## -+## The process type entered by condor_startd. -+## -+## -+## -+## -+## The executable type for the entrypoint. 
-+## -+## -+## -+## -+## Range for the domain. -+## -+## -+# -+interface(`condor_startd_ranged_domtrans_to',` -+ gen_require(` -+ type sshd_t; -+ ') -+ condor_startd_domtrans_to($1, $2) -+ -+ -+ ifdef(`enable_mcs',` -+ range_transition condor_startd_t $2:process $3; -+ ') -+ -+') - - ####################################### - ## --## The template to define a condor domain. -+## Allows to start userlandprocesses -+## by transitioning to the specified domain. - ## --## -+## -+## -+## The process type entered by condor_startd. -+## -+## -+## -+## -+## The executable type for the entrypoint. -+## -+## -+# -+interface(`condor_startd_domtrans_to',` -+ gen_require(` -+ type condor_startd_t; -+ ') -+ -+ domtrans_pattern(condor_startd_t, $2, $1) -+') -+ -+######################################## -+## -+## Read condor's log files. -+## -+## - ## --## Domain prefix to be used. -+## Domain allowed access. - ## - ## -+## - # --template(`condor_domain_template',` -+interface(`condor_read_log',` - gen_require(` -- attribute condor_domain; -- type condor_master_t; -+ type condor_log_t; - ') - -- ############################# -- # -- # Declarations -- # -+ logging_search_logs($1) -+ read_files_pattern($1, condor_log_t, condor_log_t) -+') - -- type condor_$1_t, condor_domain; -- type condor_$1_exec_t; -- domain_type(condor_$1_t) -- domain_entry_file(condor_$1_t, condor_$1_exec_t) -- role system_r types condor_$1_t; -+######################################## -+## -+## Append to condor log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`condor_append_log',` -+ gen_require(` -+ type condor_log_t; -+ ') - -- ############################# -- # -- # Policy -- # -+ logging_search_logs($1) -+ append_files_pattern($1, condor_log_t, condor_log_t) -+') - -- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) -- allow condor_master_t condor_$1_exec_t:file ioctl; -+######################################## -+## -+## Manage condor log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_manage_log',` -+ gen_require(` -+ type condor_log_t; -+ ') - -- auth_use_nsswitch(condor_$1_t) -+ logging_search_logs($1) -+ manage_dirs_pattern($1, condor_log_t, condor_log_t) -+ manage_files_pattern($1, condor_log_t, condor_log_t) -+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an condor environment. -+## Search condor lib directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`condor_search_lib',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ allow $1 condor_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read condor lib files. -+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # --interface(`condor_admin',` -+interface(`condor_read_lib_files',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+###################################### -+## -+## Read and write condor lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_rw_lib_files',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+######################################## -+## -+## Manage condor lib files. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_manage_lib_files',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+######################################## -+## -+## Manage condor lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_manage_lib_dirs',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+######################################## -+## -+## Read condor PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_read_pid_files',` - gen_require(` -- attribute condor_domain; -- type condor_initrc_exec_config_t, condor_log_t; -- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; -- type condor_var_run_t, condor_startd_tmp_t; -+ type condor_var_run_t; - ') - -- allow $1 condor_domain:process { ptrace signal_perms }; -+ files_search_pids($1) -+ allow $1 condor_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Execute condor server in the condor domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`condor_systemctl',` -+ gen_require(` -+ type condor_t; -+ type condor_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 condor_unit_file_t:file read_file_perms; -+ allow $1 condor_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, condor_t) -+') -+ -+ -+####################################### -+## -+## Read and write condor_startd server TCP sockets. -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`condor_rw_tcp_sockets_startd',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-+
-+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
-+')
-+
-+######################################
-+##
-+## Read and write condor_schedd server TCP sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_rw_tcp_sockets_schedd',`
-+ gen_require(`
-+ type condor_schedd_t;
-+ ')
-+
-+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an condor environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`condor_admin',`
-+ gen_require(`
-+ attribute condor_domain;
-+ type condor_initrc_exec_t, condor_log_t;
-+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-+ type condor_var_run_t, condor_startd_tmp_t;
-+ type condor_unit_file_t;
-+ ')
-+
-+ allow $1 condor_domain:process { signal_perms };
- ps_process_pattern($1, condor_domain)
-
-- init_labeled_script_domtrans($1, condor_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 condor_initrc_exec_t system_r;
-- allow $2 system_r;
-+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 condor_initrc_exec_t system_r;
-+ allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, condor_log_t)
-
-- files_search_locks($1)
-- admin_pattern($1, condor_var_lock_t)
-+ files_search_locks($1)
-+ admin_pattern($1, condor_var_lock_t)
-
- files_search_var_lib($1)
- admin_pattern($1, condor_var_lib_t)
-@@ -85,4 +401,13 @@ interface(`condor_admin',`
-
- files_search_tmp($1)
- admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
-+
-+ condor_systemctl($1)
-+ admin_pattern($1, condor_unit_file_t)
-+ allow $1 condor_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/condor.te b/condor.te
-index 3f2b672..ff94f23 100644
---- a/condor.te
-+++ b/condor.te
-@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
- type condor_startd_tmpfs_t;
- files_tmpfs_file(condor_startd_tmpfs_t)
-
-+type condor_etc_rw_t;
-+files_config_file(condor_etc_rw_t)
-+
- type condor_log_t;
- logging_log_file(condor_log_t)
-
-@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
- type condor_var_run_t;
- files_pid_file(condor_var_run_t)
-
-+type condor_unit_file_t;
-+systemd_unit_file(condor_unit_file_t)
-+
- condor_domain_template(collector)
- condor_domain_template(negotiator)
- condor_domain_template(procd)
-@@ -57,15 +63,21 @@ condor_domain_template(startd)
- # Global local policy
- #
-
-+allow condor_domain self:capability dac_override;
-+allow condor_domain self:capability2 block_suspend;
-+
- allow condor_domain self:process signal_perms;
- allow condor_domain self:fifo_file rw_fifo_file_perms;
--allow condor_domain self:tcp_socket { accept listen };
--allow condor_domain self:unix_stream_socket { accept listen };
-+allow condor_domain self:tcp_socket create_stream_socket_perms;
-+allow condor_domain self:udp_socket create_socket_perms;
-+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
-+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
-+
-+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
-+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
-
- manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
--append_files_pattern(condor_domain, condor_log_t, condor_log_t)
--create_files_pattern(condor_domain, condor_log_t, condor_log_t)
--getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
-+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
- logging_log_filetrans(condor_domain, condor_log_t, { dir file })
-
- manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
-
- kernel_read_kernel_sysctls(condor_domain)
- kernel_read_network_state(condor_domain)
--kernel_read_system_state(condor_domain)
-
- corecmd_exec_bin(condor_domain)
- corecmd_exec_shell(condor_domain)
-
--corenet_all_recvfrom_netlabel(condor_domain)
--corenet_all_recvfrom_unlabeled(condor_domain)
- corenet_tcp_sendrecv_generic_if(condor_domain)
- corenet_tcp_sendrecv_generic_node(condor_domain)
-
-@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
- dev_read_sysfs(condor_domain)
- dev_read_urand(condor_domain)
-
--logging_send_syslog_msg(condor_domain)
-+auth_read_passwd(condor_domain)
-
--miscfiles_read_localization(condor_domain)
-+sysnet_dns_name_resolve(condor_domain)
-
- tunable_policy(`condor_tcp_network_connect',`
- corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +134,7 @@ optional_policy(`
- # Master local policy
- #
-
--allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { setuid setgid sys_ptrace };
-
- allow condor_master_t condor_domain:process { sigkill signal };
-
-@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
- manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
- files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
-
-+can_exec(condor_master_t, condor_master_exec_t)
-+
-+kernel_read_system_state(condor_master_t)
-+
- corenet_udp_sendrecv_generic_if(condor_master_t)
- corenet_udp_sendrecv_generic_node(condor_master_t)
- corenet_tcp_bind_generic_node(condor_master_t)
-@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
-
- auth_use_nsswitch(condor_master_t)
-
-+logging_send_syslog_msg(condor_master_t)
-+
- optional_policy(`
- mta_send_mail(condor_master_t)
- mta_read_config(condor_master_t)
-@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
-
- kernel_read_network_state(condor_collector_t)
-
-+corenet_tcp_bind_http_port(condor_collector_t)
-+
- #####################################
- #
- # Negotiator local policy
-@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
- allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
- allow condor_negotiator_t condor_master_t:udp_socket getattr;
-
-+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
-+
- ######################################
- #
- # Procd local policy
-@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
-
- allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-
--allow condor_procd_t condor_startd_t:process sigkill;
-+allow condor_procd_t condor_domain:process sigkill;
-+
-
- domain_read_all_domains_state(condor_procd_t)
-
-@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
-
- allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
-
-+allow condor_schedd_t condor_master_tmp_t:dir getattr;
-+
- domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
- domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-
-@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
- relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
- files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
-
-+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
-+
- #####################################
- #
- # Startd local policy
-@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t)
- mcs_process_set_categories(condor_startd_t)
-
- init_domtrans_script(condor_startd_t)
-+init_initrc_domain(condor_startd_t)
-
- libs_exec_lib_files(condor_startd_t)
-
--files_read_usr_files(condor_startd_t)
--
- optional_policy(`
- ssh_basic_client_template(condor_startd, 
condor_startd_t, system_r) - ssh_domtrans(condor_startd_t) -@@ -249,3 +272,7 @@ optional_policy(` - kerberos_use(condor_startd_ssh_t) - ') - ') -+ -+optional_policy(` -+ unconfined_domain(condor_startd_t) -+') -diff --git a/consolekit.fc b/consolekit.fc -index 23c9558..29e5fd3 100644 ---- a/consolekit.fc -+++ b/consolekit.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) -+ - /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - - /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff --git a/consolekit.if b/consolekit.if -index 5b830ec..0647a3b 100644 ---- a/consolekit.if -+++ b/consolekit.if -@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',` - - ######################################## - ## -+## dontaudit Send and receive messages from -+## consolekit over dbus. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`consolekit_dontaudit_dbus_chat',` -+ gen_require(` -+ type consolekit_t; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 consolekit_t:dbus send_msg; -+ dontaudit consolekit_t $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## consolekit over dbus. - ## -@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',` - - ######################################## - ## -+## Dontaudit attempts to read consolekit log files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`consolekit_dontaudit_read_log',` -+ gen_require(` -+ type consolekit_log_t; -+ ') -+ -+ dontaudit $1 consolekit_log_t:file read_file_perms; -+') -+ -+######################################## -+## - ## Read consolekit log files. 
- ##
- ##
-@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
- allow $1 consolekit_var_run_t:dir list_dir_perms;
- read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
- ')
-+
-+########################################
-+##
-+## List consolekit PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`consolekit_list_pid_files',`
-+ gen_require(`
-+ type consolekit_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
-+')
-+
-+########################################
-+##
-+## Allow the domain to read consolekit state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`consolekit_read_state',`
-+ gen_require(`
-+ type consolekit_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, consolekit_t)
-+')
-+
-+########################################
-+##
-+## Execute consolekit server in the consolekit domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`consolekit_systemctl',`
-+ gen_require(`
-+ type consolekit_t;
-+ type consolekit_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 consolekit_unit_file_t:file read_file_perms;
-+ allow $1 consolekit_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, consolekit_t)
-+')
-diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..d11e25b 100644
---- a/consolekit.te
-+++ b/consolekit.te
-@@ -19,12 +19,16 @@ type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
- init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
-
-+type consolekit_unit_file_t;
-+systemd_unit_file(consolekit_unit_file_t)
-+
- ########################################
- #
- # Local policy
- #
-
- allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+
- allow consolekit_t self:process { getsched signal };
- allow consolekit_t self:fifo_file rw_fifo_file_perms;
- allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
-
- domain_read_all_domains_state(consolekit_t)
- domain_use_interactive_fds(consolekit_t)
--domain_dontaudit_ptrace_all_domains(consolekit_t)
-
--files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
- files_read_var_lib_files(consolekit_t)
- files_search_all_mountpoints(consolekit_t)
-
- fs_list_inotifyfs(consolekit_t)
-
--mcs_ptrace_all(consolekit_t)
--
- term_use_all_terms(consolekit_t)
-
- auth_use_nsswitch(consolekit_t)
- auth_manage_pam_console_data(consolekit_t)
- auth_write_login_records(consolekit_t)
-
-+init_read_utmp(consolekit_t)
-+
- logging_send_syslog_msg(consolekit_t)
- logging_send_audit_msgs(consolekit_t)
-
--miscfiles_read_localization(consolekit_t)
-+systemd_exec_systemctl(consolekit_t)
-+systemd_start_power_services(consolekit_t)
-
-+userdom_read_all_users_state(consolekit_t)
- userdom_dontaudit_read_user_home_content_files(consolekit_t) 
-+userdom_dontaudit_getattr_admin_home_files(consolekit_t) - userdom_read_user_tmp_files(consolekit_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(consolekit_t) --') -+userdom_home_reader(consolekit_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(consolekit_t) -+optional_policy(` -+ cron_read_system_job_lib_files(consolekit_t) - ') - - ifdef(`distro_debian',` -@@ -112,13 +115,6 @@ optional_policy(` - ') - ') - --optional_policy(` -- hal_ptrace(consolekit_t) --') -- --optional_policy(` -- networkmanager_append_log_files(consolekit_t) --') - - optional_policy(` - policykit_domtrans_auth(consolekit_t) -diff --git a/corosync.fc b/corosync.fc -index da39f0f..6a96733 100644 ---- a/corosync.fc -+++ b/corosync.fc -@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) - -+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0) -+ - /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) - /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) - -diff --git a/corosync.if b/corosync.if -index 694a037..b836c07 100644 ---- a/corosync.if -+++ b/corosync.if -@@ -77,6 +77,25 @@ interface(`corosync_read_log',` - read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) - ') - -+####################################### -+## -+## Setattr corosync log files. -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`corosync_setattr_log',`
-+ gen_require(`
-+ type corosync_var_log_t;
-+ ')
-+
-+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
-+')
-+
-+
- #####################################
- ##
- ## Connect to corosync over a unix
-@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
- interface(`corosync_stream_connect',`
- gen_require(`
- type corosync_t, corosync_var_run_t;
-+ type corosync_var_lib_t;
- ')
-
- files_search_pids($1)
-+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
- stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
- ')
-
- ######################################
- ##
--## Read and write corosync tmpfs files.
-+## Allow the specified domain to read/write corosync's tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corosync_rw_tmpfs',`
-+ gen_require(`
-+ type corosync_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
-+
-+')
-+
-+########################################
-+##
-+## Execute corosync server in the corosync domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition. 
- ## - ## - # --interface(`corosync_rw_tmpfs',` -+interface(`corosync_systemctl',` - gen_require(` -- type corosync_tmpfs_t; -+ type corosync_t; -+ type corosync_unit_file_t; - ') - -- fs_search_tmpfs($1) -- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) -+ systemd_exec_systemctl($1) -+ allow $1 corosync_unit_file_t:file read_file_perms; -+ allow $1 corosync_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, corosync_t) - ') - - ###################################### -@@ -160,12 +204,17 @@ interface(`corosync_admin',` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; -+ type corosync_unit_file_t; - ') - -- allow $1 corosync_t:process { ptrace signal_perms }; -+ allow $1 corosync_t:process signal_perms; - ps_process_pattern($1, corosync_t) - -- corosync_initrc_domtrans($1) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 corosync_t:process ptrace; -+ ') -+ -+ init_labeled_script_domtrans($1, corosync_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; - allow $2 system_r; -@@ -183,4 +232,8 @@ interface(`corosync_admin',` - - files_list_pids($1) - admin_pattern($1, corosync_var_run_t) -+ -+ corosync_systemctl($1) -+ admin_pattern($1, corosync_unit_file_t) -+ allow $1 corosync_unit_file_t:service all_service_perms; - ') -diff --git a/corosync.te b/corosync.te -index eeea48d..691ca11 100644 ---- a/corosync.te -+++ b/corosync.te -@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) - type corosync_var_run_t; - files_pid_file(corosync_var_run_t) - -+type corosync_unit_file_t; -+systemd_unit_file(corosync_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -93,7 +96,6 @@ dev_read_urand(corosync_t) - domain_read_all_domains_state(corosync_t) - - files_manage_mounttab(corosync_t) --files_read_usr_files(corosync_t) - - auth_use_nsswitch(corosync_t) - -@@ 
-106,7 +108,13 @@ logging_send_syslog_msg(corosync_t) - miscfiles_read_localization(corosync_t) - - userdom_read_user_tmp_files(corosync_t) --userdom_manage_user_tmpfs_files(corosync_t) -+userdom_delete_user_tmpfs_files(corosync_t) -+userdom_rw_user_tmpfs_files(corosync_t) -+ -+optional_policy(` -+ fs_manage_tmpfs_files(corosync_t) -+ init_manage_script_status_files(corosync_t) -+') - - optional_policy(` - ccs_read_config(corosync_t) -@@ -129,20 +137,29 @@ optional_policy(` - ') - - optional_policy(` -+ lvm_rw_clvmd_tmpfs_files(corosync_t) -+ lvm_delete_clvmd_tmpfs_files(corosync_t) -+') -+ -+optional_policy(` - qpidd_rw_shm(corosync_t) - ') - - optional_policy(` -- rhcs_getattr_fenced_exec_files(corosync_t) -+ rhcs_getattr_fenced(corosync_t) -+ # to communication with RHCS - rhcs_rw_cluster_shm(corosync_t) - rhcs_rw_cluster_semaphores(corosync_t) - rhcs_stream_connect_cluster(corosync_t) -+ rhcs_read_cluster_lib_files(corosync_t) -+ rhcs_manage_cluster_lib_files(corosync_t) -+ rhcs_relabel_cluster_lib_files(corosync_t) - ') - - optional_policy(` -- rgmanager_manage_tmpfs_files(corosync_t) -+ rpc_search_nfs_state_data(corosync_t) - ') - - optional_policy(` -- rpc_search_nfs_state_data(corosync_t) --') -\ No newline at end of file -+ wdmd_rw_tmpfs(corosync_t) -+') -diff --git a/couchdb.fc b/couchdb.fc -index c086302..4f33119 100644 ---- a/couchdb.fc -+++ b/couchdb.fc -@@ -1,3 +1,6 @@ -+ -+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0) -+ - /etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0) - - /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) -diff --git a/couchdb.if b/couchdb.if -index 83d6744..afa2f78 100644 ---- a/couchdb.if -+++ b/couchdb.if -@@ -2,6 +2,44 @@ - - ######################################## - ## -+## Allow to read couchdb log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`couchdb_read_log_files',` -+ gen_require(` -+ type couchdb_log_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, couchdb_log_t, couchdb_log_t) -+') -+ -+######################################## -+## -+## Allow to read couchdb lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_read_lib_files',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an couchdb environment. - ## -@@ -10,6 +48,127 @@ - ## Domain allowed access. - ## - ## -+# -+interface(`couchdb_manage_lib_files',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) -+') -+ -+######################################## -+## -+## Manage couchdb lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_manage_lib_dirs',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) -+') -+ -+######################################## -+## -+## Allow to read couchdb conf files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_read_conf_files',` -+ gen_require(` -+ type couchdb_conf_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) -+') -+ -+######################################## -+## -+## Read couchdb PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_read_pid_files',` -+ gen_require(` -+ type couchdb_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 couchdb_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Search couchdb PID dirs. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_search_pid_dirs',` -+ gen_require(` -+ type couchdb_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 couchdb_var_run_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Execute couchdb server in the couchdb domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`couchdb_systemctl',` -+ gen_require(` -+ type couchdb_t; -+ type couchdb_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 couchdb_unit_file_t:file read_file_perms; -+ allow $1 couchdb_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, couchdb_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an couchdb environment -+## -+## -+## -+## Domain allowed access. -+## -+## - ## - ## - ## Role allowed access. -@@ -19,14 +178,19 @@ - # - interface(`couchdb_admin',` - gen_require(` -+ type couchdb_unit_file_t; - type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; - type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; - type couchdb_tmp_t; - ') - -- allow $1 couchdb_t:process { ptrace signal_perms }; -+ allow $1 couchdb_t:process { signal_perms }; - ps_process_pattern($1, couchdb_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 couchdb_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, couchdb_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +210,13 @@ interface(`couchdb_admin',` - - files_search_pids($1) - admin_pattern($1, couchdb_var_run_t) -+ -+ admin_pattern($1, couchdb_unit_file_t) -+ couchdb_systemctl($1) -+ allow $1 couchdb_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/couchdb.te b/couchdb.te -index 503adab..046fe9b 100644 
---- a/couchdb.te -+++ b/couchdb.te -@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t) - type couchdb_var_run_t; - files_pid_file(couchdb_var_run_t) - -+type couchdb_unit_file_t; -+systemd_unit_file(couchdb_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t) - dev_read_sysfs(couchdb_t) - dev_read_urand(couchdb_t) - --files_read_usr_files(couchdb_t) -- - fs_getattr_xattr_fs(couchdb_t) - - auth_use_nsswitch(couchdb_t) - --miscfiles_read_localization(couchdb_t) -diff --git a/courier.fc b/courier.fc -index 8a4b596..cbecde8 100644 ---- a/courier.fc -+++ b/courier.fc -@@ -9,17 +9,18 @@ - /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) - - /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) --/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) - /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) --/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) --/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) --/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) --/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) --/usr/lib/courier/rootcerts(/.*)? 
gen_context(system_u:object_r:courier_etc_t,s0) --/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) --/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - -+ifdef(`distro_gentoo',` -+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -+') - - /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) - /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) -diff --git a/courier.if b/courier.if -index 10f820f..acdb179 100644 ---- a/courier.if -+++ b/courier.if -@@ -1,12 +1,12 @@ --## Courier IMAP and POP3 email servers. -+## Courier IMAP and POP3 email servers - --####################################### -+######################################## - ## --## The template to define a courier domain. -+## Template for creating courier server processes. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix name of the server process. 
- ## - ## - # -@@ -15,7 +15,7 @@ template(`courier_domain_template',` - attribute courier_domain; - ') - -- ######################################## -+ ############################## - # - # Declarations - # -@@ -24,18 +24,30 @@ template(`courier_domain_template',` - type courier_$1_exec_t; - init_daemon_domain(courier_$1_t, courier_$1_exec_t) - -- ######################################## -+ ############################## - # -- # Policy -+ # Declarations - # - - can_exec(courier_$1_t, courier_$1_exec_t) -+ -+ kernel_read_system_state(courier_$1_t) -+ -+ corenet_all_recvfrom_netlabel(courier_$1_t) -+ corenet_tcp_sendrecv_generic_if(courier_$1_t) -+ corenet_udp_sendrecv_generic_if(courier_$1_t) -+ corenet_tcp_sendrecv_generic_node(courier_$1_t) -+ corenet_udp_sendrecv_generic_node(courier_$1_t) -+ corenet_tcp_sendrecv_all_ports(courier_$1_t) -+ corenet_udp_sendrecv_all_ports(courier_$1_t) -+ -+ logging_send_syslog_msg(courier_$1_t) - ') - - ######################################## - ## --## Execute the courier authentication --## daemon with a domain transition. -+## Execute the courier authentication daemon with -+## a domain transition. - ## - ## - ## -@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',` - type courier_authdaemon_t, courier_authdaemon_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) - ') - - ####################################### - ## --## Connect to courier-authdaemon over --## a unix stream socket. -+## Connect to courier-authdaemon over a unix stream socket. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. 
-+## - ## - # - interface(`courier_stream_connect_authdaemon',` -- gen_require(` -- type courier_authdaemon_t, courier_spool_t; -- ') -+ gen_require(` -+ type courier_authdaemon_t, courier_spool_t; -+ ') - - files_search_spool($1) -- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) -+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) - ') - - ######################################## - ## --## Execute the courier POP3 and IMAP --## server with a domain transition. -+## Execute the courier POP3 and IMAP server with -+## a domain transition. - ## - ## - ## -@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',` - type courier_pop_t, courier_pop_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) - ') - - ######################################## - ## --## Read courier config files. -+## Read courier config files - ## - ## - ## -@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',` - type courier_spool_t; - ') - -- files_search_var($1) -+ files_search_spool($1) - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) - ') - -@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',` - ## Create, read, write, and delete courier - ## spool files. - ## --## -+## - ## - ## Domain allowed access. - ## -@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',` - type courier_spool_t; - ') - -- files_search_var($1) -+ files_search_spool($1) - manage_files_pattern($1, courier_spool_t, courier_spool_t) - ') - -@@ -166,13 +175,13 @@ interface(`courier_read_spool',` - type courier_spool_t; - ') - -- files_search_var($1) -+ files_search_spool($1) - read_files_pattern($1, courier_spool_t, courier_spool_t) - ') - - ######################################## - ## --## Read and write courier spool pipes. -+## Read and write to courier spool pipes. 
- ## - ## - ## -@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',` - type courier_spool_t; - ') - -- files_search_var($1) - allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; - ') -diff --git a/courier.te b/courier.te -index 77bb077..1499c3f 100644 ---- a/courier.te -+++ b/courier.te -@@ -18,7 +18,7 @@ type courier_etc_t; - files_config_file(courier_etc_t) - - type courier_spool_t; --files_type(courier_spool_t) -+files_spool_file(courier_spool_t) - - type courier_var_lib_t; - files_type(courier_var_lib_t) -@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) - files_pid_filetrans(courier_domain, courier_var_run_t, dir) - - kernel_read_kernel_sysctls(courier_domain) --kernel_read_system_state(courier_domain) - - corecmd_exec_bin(courier_domain) - -@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain) - - domain_use_interactive_fds(courier_domain) - --files_read_etc_files(courier_domain) - files_read_etc_runtime_files(courier_domain) --files_read_usr_files(courier_domain) - - fs_getattr_xattr_fs(courier_domain) - fs_search_auto_mountpoints(courier_domain) - --logging_send_syslog_msg(courier_domain) -- - sysnet_read_config(courier_domain) - - userdom_dontaudit_use_unpriv_user_fds(courier_domain) -@@ -77,6 +72,10 @@ optional_policy(` - ') - - optional_policy(` -+ mysql_stream_connect(courier_domain) -+') -+ -+optional_policy(` - udev_read_db(courier_domain) - ') - -@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; - create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) - manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) - -+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) - manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) - - allow courier_authdaemon_t courier_tcpd_t:process sigchld; -@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) 
- - libs_read_lib_files(courier_authdaemon_t) - --miscfiles_read_localization(courier_authdaemon_t) - - userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) - -@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; - - allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; - --allow courier_pop_t courier_var_lib_t:file { read write }; -+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; - - domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) - -@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) - dev_read_rand(courier_tcpd_t) - dev_read_urand(courier_tcpd_t) - --miscfiles_read_localization(courier_tcpd_t) - - ######################################## - # -diff --git a/cpucontrol.te b/cpucontrol.te -index 2f1aad6..155a337 100644 ---- a/cpucontrol.te -+++ b/cpucontrol.te -@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain) - init_use_fds(cpucontrol_domain) - init_use_script_ptys(cpucontrol_domain) - --logging_send_syslog_msg(cpucontrol_domain) -- - userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain) - - optional_policy(` -@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; - read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) - read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) - --kernel_list_proc(cpucontrol_t) - kernel_read_proc_symlinks(cpucontrol_t) - - dev_read_sysfs(cpucontrol_t) - dev_rw_cpu_microcode(cpucontrol_t) - -+logging_send_syslog_msg(cpucontrol_t) -+ - optional_policy(` - rhgb_use_ptys(cpucontrol_t) - ') -@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t) - - domain_read_all_domains_state(cpuspeed_t) - --files_read_etc_files(cpuspeed_t) - files_read_etc_runtime_files(cpuspeed_t) - --miscfiles_read_localization(cpuspeed_t) -+logging_send_syslog_msg(cpuspeed_t) -diff --git a/cpufreqselector.te b/cpufreqselector.te -index a3bbc21..7fd7d8f 100644 ---- 
a/cpufreqselector.te -+++ b/cpufreqselector.te -@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) - # Local policy - # - --allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -+allow cpufreqselector_t self:capability sys_nice; - allow cpufreqselector_t self:process getsched; - allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; -+allow cpufreqselector_t self:process getsched; - - kernel_read_system_state(cpufreqselector_t) - --files_read_etc_files(cpufreqselector_t) --files_read_usr_files(cpufreqselector_t) -- - dev_rw_sysfs(cpufreqselector_t) - --miscfiles_read_localization(cpufreqselector_t) -- - userdom_read_all_users_state(cpufreqselector_t) --userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) -+userdom_dontaudit_search_admin_dir(cpufreqselector_t) - - optional_policy(` - dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -@@ -51,3 +47,7 @@ optional_policy(` - policykit_read_lib(cpufreqselector_t) - policykit_read_reload(cpufreqselector_t) - ') -+ -+optional_policy(` -+ xserver_dbus_chat_xdm(cpufreqselector_t) -+') -diff --git a/cron.fc b/cron.fc -index 6e76215..224142a 100644 ---- a/cron.fc -+++ b/cron.fc -@@ -3,6 +3,9 @@ - /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) - /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) -+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) -+ - /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) - /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - -@@ -12,9 +15,6 @@ - /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) - /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - --/var/lib/glpi/files(/.*)? 
gen_context(system_u:object_r:cron_var_lib_t,s0) -- --/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) - /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) - - /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -@@ -27,13 +27,23 @@ - - /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) --/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) - --/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) - #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - /var/spool/cron/[^/]* -- <> - --/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) -+ifdef(`distro_gentoo',` -+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -+/var/spool/cron/lastrun/[^/]* -- <> -+') -+ -+ifdef(`distro_suse', ` -+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -+/var/spool/cron/lastrun/[^/]* -- <> -+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -+') -+ -+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/cron/crontabs/.* -- <> - #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - -@@ -43,19 +53,23 @@ - /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -+/var/lib/glpi/files(/.*)? 
gen_context(system_u:object_r:cron_var_lib_t,s0) -+ - ifdef(`distro_debian',` --/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) -+ -+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/cron/atjobs/[^/]* -- <> --/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) - ') - - ifdef(`distro_gentoo',` --/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse',` --/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -+ifdef(`distro_suse', ` -+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> --/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) - ') -diff --git a/cron.if b/cron.if -index 1303b30..058864e 100644 ---- a/cron.if -+++ b/cron.if -@@ -2,11 +2,12 @@ - - ####################################### - ## --## The template to define a crontab domain. -+## The common rules for a crontab domain. - ## --## -+## - ## --## Domain prefix to be used. -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). - ## - ## - # -@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',` - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) - -+ kernel_read_system_state($1_t) -+ - auth_domtrans_chk_passwd($1_t) - auth_use_nsswitch($1_t) -+ -+ logging_send_syslog_msg($1_t) -+ -+ userdom_home_reader($1_t) -+ - ') - - ######################################## - ## --## Role access for cron. -+## Role access for cron - ## - ## - ## --## Role allowed access. 
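Review bot: `/var/log/prelink.log.*` is added inside the distro_debian ifdef block, so it only takes effect on Debian builds even though this is a Fedora patch and prelink is a Red Hat-side tool; move it out of the ifdef (or into a distro_redhat one if that is the intent). Giving prelink's log `cron_log_t` also means whatever writes it needs cron log access; a short comment at that line naming the cron job that produces the file would justify the type choice.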
-+## Role allowed access - ## - ## - ## - ## --## User domain for the role. -+## User domain for the role - ## - ## - ## -@@ -60,57 +68,37 @@ interface(`cron_role',` - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; -- bool cron_userdomain_transition; - ') - -- ############################## -- # -- # Declarations -- # -- - role $1 types { cronjob_t crontab_t }; - -- ############################## -- # -- # Local policy -- # -+ # cronjob shows up in user ps -+ ps_process_pattern($2, cronjob_t) - -+ # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - -+ allow crond_t $2:process transition; - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - -- allow $2 user_cron_spool_t:file { getattr read write ioctl }; -+ # needs to be authorized SELinux context for cron -+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint }; - -- allow $2 crontab_t:process { ptrace signal_perms }; -+ # crontab shows up in user ps - ps_process_pattern($2, crontab_t) -+ allow $2 crontab_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 crontab_t:process ptrace; -+ ') - -+ # Run helper programs as the user domain -+ #corecmd_bin_domtrans(crontab_t, $2) -+ #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - -- tunable_policy(`cron_userdomain_transition',` -- allow crond_t $2:process transition; -- allow crond_t $2:fd use; -- allow crond_t $2:key manage_key_perms; -- -- allow $2 user_cron_spool_t:file entrypoint; -- -- allow $2 crond_t:fifo_file rw_fifo_file_perms; -- -- allow $2 cronjob_t:process { ptrace signal_perms }; -- ps_process_pattern($2, cronjob_t) -- ',` -- dontaudit crond_t $2:process transition; -- dontaudit crond_t $2:fd use; -- dontaudit crond_t $2:key manage_key_perms; -- -- dontaudit $2 user_cron_spool_t:file entrypoint; -- -- dontaudit $2 
crond_t:fifo_file rw_fifo_file_perms; -- -- dontaudit $2 cronjob_t:process { ptrace signal_perms }; -- ') -- - optional_policy(` - gen_require(` - class dbus send_msg; -@@ -119,78 +107,38 @@ interface(`cron_role',` - dbus_stub(cronjob_t) - - allow cronjob_t $2:dbus send_msg; -- ') -+ ') - ') - - ######################################## - ## --## Role access for unconfined cron. -+## Role access for unconfined cronjobs - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. -+## User domain for the role - ## - ## -+## - # - interface(`cron_unconfined_role',` - gen_require(` -- type unconfined_cronjob_t, crontab_t, crontab_exec_t; -- type crond_t, user_cron_spool_t; -- bool cron_userdomain_transition; -+ type unconfined_cronjob_t; - ') - -- ############################## -- # -- # Declarations -- # -- -- role $1 types { unconfined_cronjob_t crontab_t }; -+ role $1 types unconfined_cronjob_t; - -- ############################## -- # -- # Local policy -- # -- -- domtrans_pattern($2, crontab_exec_t, crontab_t) -- -- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -- allow $2 crond_t:process sigchld; -- -- allow $2 user_cron_spool_t:file { getattr read write ioctl }; -- -- allow $2 crontab_t:process { ptrace signal_perms }; -- ps_process_pattern($2, crontab_t) -- -- corecmd_exec_bin(crontab_t) -- corecmd_exec_shell(crontab_t) -- -- tunable_policy(`cron_userdomain_transition',` -- allow crond_t $2:process transition; -- allow crond_t $2:fd use; -- allow crond_t $2:key manage_key_perms; -- -- allow $2 user_cron_spool_t:file entrypoint; -- -- allow $2 crond_t:fifo_file rw_fifo_file_perms; -- -- allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; -- ps_process_pattern($2, unconfined_cronjob_t) -- ',` -- dontaudit crond_t $2:process transition; -- dontaudit crond_t $2:fd use; -- dontaudit crond_t $2:key manage_key_perms; -- -- dontaudit $2 user_cron_spool_t:file entrypoint; -- -- dontaudit 
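Review bot: `allow crond_t $2:process transition;` and the `entrypoint` bit on `user_cron_spool_t` are now granted unconditionally, where the refpolicy version gated them behind `cron_userdomain_transition` and dontaudited the alternative; every user crontab therefore runs in the caller's full login domain, while the confined `cronjob_t` is still listed in `role $1 types` but has no visible transition rule left from crond_t. If that is the intended model, say so in the interface summary (the new text still reads just "Role access for cron") and consider dropping `cronjob_t` from the role list; if the confined path is meant to survive, its transition rules have to come back somewhere. Gating `ptrace` behind `deny_ptrace` is a good change.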
$2 crond_t:fifo_file rw_fifo_file_perms; -- -- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; --') -+ # cronjob shows up in user ps -+ ps_process_pattern($2, unconfined_cronjob_t) -+ allow $2 unconfined_cronjob_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 unconfined_cronjob_t:process ptrace; -+ ') - - optional_policy(` - gen_require(` -@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',` - ') - - dbus_stub(unconfined_cronjob_t) -- - allow unconfined_cronjob_t $2:dbus send_msg; - ') - ') - - ######################################## - ## --## Role access for admin cron. -+## Role access for cron - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. -+## User domain for the role - ## - ## -+## - # - interface(`cron_admin_role',` - gen_require(` -- type cronjob_t, crontab_exec_t, admin_crontab_t; -+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; -+ type user_cron_spool_t, crond_t; - class passwd crontab; -- type crond_t, user_cron_spool_t; -- bool cron_userdomain_transition; - ') - -- ############################## -- # -- # Declarations -- # -+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; - -- role $1 types { cronjob_t admin_crontab_t }; -+ # cronjob shows up in user ps -+ ps_process_pattern($2, cronjob_t) - -- ############################## -- # -- # Local policy -- # -+ # Manipulate other users crontab. -+ allow $2 self:passwd crontab; - -+ # Transition from the user domain to the derived domain. 
- domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - -- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -- allow $2 crond_t:process sigchld; -+ # crontab shows up in user ps -+ ps_process_pattern($2, admin_crontab_t) -+ allow $2 admin_crontab_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 admin_crontab_t:process ptrace; -+ ') - -- allow $2 user_cron_spool_t:file { getattr read write ioctl }; -+ allow $2 crond_t:process sigchld; -+ allow crond_t $2:process transition; - -- allow $2 admin_crontab_t:process { ptrace signal_perms }; -- ps_process_pattern($2, admin_crontab_t) -+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - -- # Manipulate other users crontab. -- allow $2 self:passwd crontab; -+ # needs to be authorized SELinux context for cron -+ allow $2 user_cron_spool_t:file entrypoint; - -+ # Run helper programs as the user domain -+ #corecmd_bin_domtrans(admin_crontab_t, $2) -+ #corecmd_shell_domtrans(admin_crontab_t, $2) - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - -- tunable_policy(`cron_userdomain_transition',` -- allow crond_t $2:process transition; -- allow crond_t $2:fd use; -- allow crond_t $2:key manage_key_perms; -- -- allow $2 user_cron_spool_t:file entrypoint; -- -- allow $2 crond_t:fifo_file rw_fifo_file_perms; -- -- allow $2 cronjob_t:process { ptrace signal_perms }; -- ps_process_pattern($2, cronjob_t) -- ',` -- dontaudit crond_t $2:process transition; -- dontaudit crond_t $2:fd use; -- dontaudit crond_t $2:key manage_key_perms; -- -- dontaudit $2 user_cron_spool_t:file entrypoint; -- -- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; -- -- dontaudit $2 cronjob_t:process { ptrace signal_perms }; -- ') -- - optional_policy(` - gen_require(` - class dbus send_msg; -@@ -285,13 +213,13 @@ interface(`cron_admin_role',` - dbus_stub(admin_cronjob_t) - - allow cronjob_t $2:dbus send_msg; -- ') -+ ') - ') - - ######################################## - ## --## Make 
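Review bot: `admin_crontab_tmp_t` is added to `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }`, but it is a tmp file type, not a domain, so the role association is meaningless; the line should read `role $1 types { cronjob_t admin_crontab_t };` and the type can be dropped from the gen_require. As in `cron_role`, the `entrypoint` grant on `user_cron_spool_t` and `allow crond_t $2:process transition;` are now unconditional for admin roles; a comment stating that the administrator's jobs run in the admin's own domain would make the choice explicit.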
the specified program domain --## accessable from the system cron jobs. -+## Make the specified program domain accessable -+## from the system cron jobs. - ## - ## - ## -@@ -307,15 +235,15 @@ interface(`cron_admin_role',` - interface(`cron_system_entry',` - gen_require(` - type crond_t, system_cronjob_t; -- type user_cron_spool_log_t; - ') - -- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) -- - domtrans_pattern(system_cronjob_t, $2, $1) - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; -+ -+ allow $1 crond_t:fifo_file rw_fifo_file_perms; -+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; - ') - - ######################################## -@@ -333,13 +261,12 @@ interface(`cron_domtrans',` - type system_cronjob_t, crond_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, crond_exec_t, system_cronjob_t) - ') - - ######################################## - ## --## Execute crond in the caller domain. -+## Execute crond_exec_t - ## - ## - ## -@@ -352,7 +279,6 @@ interface(`cron_exec',` - type crond_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, crond_exec_t) - ') - -@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',` - - ######################################## - ## --## Use crond file descriptors. -+## Execute crond server in the crond domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`cron_systemctl',` -+ gen_require(` -+ type crond_unit_file_t; -+ type crond_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 crond_unit_file_t:file read_file_perms; -+ allow $1 crond_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, crond_t) -+') -+ -+######################################## -+## -+## Inherit and use a file descriptor -+## from the cron daemon. - ## - ## - ## -@@ -394,7 +344,7 @@ interface(`cron_use_fds',` - - ######################################## - ## --## Send child terminated signals to crond. -+## Send a SIGCHLD signal to the cron daemon. 
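Review bot: The two rules added to `cron_system_entry` use `rw_fifo_file_perms` on `crond_t` and `system_cronjob_t` fifo files, while the rest of this file (`cron_rw_pipes`, `cron_rw_system_job_pipes`) switches to `rw_inherited_fifo_file_perms` for the same purpose; the pipes in question are inherited from the daemon, so `allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;` are sufficient and consistent with the file's own convention. The dropped `user_cron_spool_log_t` rule matches the removal of that type in cron.te, which is fine.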
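Review bot: The summary of the new `cron_systemctl` says "Execute crond server in the crond domain", but the body grants `systemd_exec_systemctl`, read of the unit file, `manage_service_perms` on `crond_unit_file_t` and `ps_process_pattern` on `crond_t`, i.e. the caller may start, stop, enable and inspect the service, not run crond. Suggested summary: `Allow the caller to manage the crond service through systemctl and read crond's process state.` Because cron.fc labels the atd units with the same type, this also hands control of atd to every caller; add a comment, or a separate unit type, if that is not wanted.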
- ## - ## - ## -@@ -412,7 +362,7 @@ interface(`cron_sigchld',` - - ######################################## - ## --## Set the attributes of cron log files. -+## Send a generic signal to cron daemon. - ## - ## - ## -@@ -420,17 +370,17 @@ interface(`cron_sigchld',` - ## - ## - # --interface(`cron_setattr_log_files',` -+interface(`cron_signal',` - gen_require(` -- type cron_log_t; -+ type crond_t; - ') - -- allow $1 cron_log_t:file setattr_file_perms; -+ allow $1 crond_t:process signal; - ') - - ######################################## - ## --## Create cron log files. -+## Read a cron daemon unnamed pipe. - ## - ## - ## -@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',` - ## - ## - # --interface(`cron_create_log_files',` -+interface(`cron_read_pipes',` - gen_require(` -- type cron_log_t; -+ type crond_t; - ') - -- create_files_pattern($1, cron_log_t, cron_log_t) -+ allow $1 crond_t:fifo_file read_fifo_file_perms; - ') - - ######################################## - ## --## Write to cron log files. -+## Read crond state files. - ## - ## - ## -@@ -456,18 +406,20 @@ interface(`cron_create_log_files',` - ## - ## - # --interface(`cron_write_log_files',` -+interface(`cron_read_state_crond',` - gen_require(` -- type cron_log_t; -+ type crond_t; - ') - -- allow $1 cron_log_t:file write_file_perms; -+ kernel_search_proc($1) -+ ps_process_pattern($1, crond_t) - ') - -+ - ######################################## - ## --## Create, read, write and delete --## cron log files. -+## Send and receive messages from -+## crond over dbus. 
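Review bot: This and the neighbouring hunks replace `cron_setattr_log_files`, `cron_create_log_files` and `cron_write_log_files` with crond_t signal/pipe interfaces, and only `cron_manage_log_files` and `cron_generic_log_filetrans_log` are re-added at the end of the file; any module that still calls one of the three finer-grained log interfaces (typically a log-rotation module) will fail to build with an undefined interface unless it is updated elsewhere in this patch. If they are intentionally retired, name the replacement in the commit message; otherwise keep them, they cost nothing and give callers least-privilege access to `cron_log_t`.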
- ## - ## - ## -@@ -475,48 +427,37 @@ interface(`cron_write_log_files',` - ## - ## - # --interface(`cron_manage_log_files',` -+interface(`cron_dbus_chat_crond',` - gen_require(` -- type cron_log_t; -+ type crond_t; -+ class dbus send_msg; - ') - -- manage_files_pattern($1, cron_log_t, cron_log_t) -- -- logging_search_logs($1) -+ allow $1 crond_t:dbus send_msg; -+ allow crond_t $1:dbus send_msg; - ') - - ######################################## - ## --## Create specified objects in generic --## log directories with the cron log file type. -+## Do not audit attempts to write cron daemon unnamed pipes. - ## - ## - ## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. -+## Domain to not audit. - ## - ## - # --interface(`cron_generic_log_filetrans_log',` -+interface(`cron_dontaudit_write_pipes',` - gen_require(` -- type cron_log_t; -+ type crond_t; - ') - -- logging_log_filetrans($1, cron_log_t, $2, $3) -+ dontaudit $1 crond_t:fifo_file write; - ') - - ######################################## - ## --## Read cron daemon unnamed pipes. -+## Read and write a cron daemon unnamed pipe. - ## - ## - ## -@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',` - ## - ## - # --interface(`cron_read_pipes',` -+interface(`cron_rw_pipes',` - gen_require(` - type crond_t; - ') - -- allow $1 crond_t:fifo_file read_fifo_file_perms; -+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to write --## cron daemon unnamed pipes. -+## Read and write inherited user spool files. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`cron_dontaudit_write_pipes',` -+interface(`cron_rw_inherited_user_spool_files',` - gen_require(` -- type crond_t; -+ type user_cron_spool_t; - ') - -- dontaudit $1 crond_t:fifo_file write; -+ allow $1 user_cron_spool_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read and write crond unnamed pipes. -+## Read and write inherited spool files. - ## - ## - ## -@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',` - ## - ## - # --interface(`cron_rw_pipes',` -+interface(`cron_rw_inherited_spool_files',` - gen_require(` -- type crond_t; -+ type cron_spool_t; - ') - -- allow $1 crond_t:fifo_file rw_fifo_file_perms; -+ allow $1 cron_spool_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read and write crond TCP sockets. -+## Read, and write cron daemon TCP sockets. - ## - ## - ## -@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',` - - ######################################## - ## --## Do not audit attempts to read and --## write cron daemon TCP sockets. -+## Dontaudit Read, and write cron daemon TCP sockets. - ## - ## - ## -@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` - - ######################################## - ## --## Search cron spool directories. -+## Search the directory containing user cron tables. - ## - ## - ## -@@ -627,8 +566,26 @@ interface(`cron_search_spool',` - - ######################################## - ## --## Create, read, write, and delete --## crond pid files. -+## Search the directory containing user cron tables. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cron_manage_system_spool',` -+ gen_require(` -+ type cron_system_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) -+') -+ -+######################################## -+## -+## Manage pid files used by cron - ## - ## - ## -@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',` - type crond_var_run_t; - ') - -+ files_search_pids($1) - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) - ') - - ######################################## - ## --## Execute anacron in the cron --## system domain. -+## Execute anacron in the cron system domain. - ## - ## - ## -@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',` - type system_cronjob_t, anacron_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) - ') - - ######################################## - ## --## Use system cron job file descriptors. -+## Inherit and use a file descriptor -+## from system cron jobs. - ## - ## - ## -@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',` - - ######################################## - ## --## Read system cron job lib files. -+## Write a system cron job unnamed pipe. - ## - ## - ## -@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',` - ## - ## - # --interface(`cron_read_system_job_lib_files',` -+interface(`cron_write_system_job_pipes',` - gen_require(` -- type system_cronjob_var_lib_t; -+ type system_cronjob_t; - ') - -- files_search_var_lib($1) -- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+ allow $1 system_cronjob_t:fifo_file write; - ') - - ######################################## - ## --## Create, read, write, and delete --## system cron job lib files. -+## Read and write a system cron job unnamed pipe. 
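Review bot: The new `cron_manage_system_spool` requires `type cron_system_spool_t;`, but the type declared in cron.te (visible later in this patch) is `system_cron_spool_t`; with no such type the gen_require fails and every caller of this interface breaks the policy build. Change both occurrences to `system_cron_spool_t`. The summary was also pasted from `cron_search_spool` ("Search the directory containing user cron tables") and should read something like `Create, read, write and delete system cron spool files (/etc/cron.d, /etc/crontab, /var/spool/anacron).`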
- ## - ## - ## -@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',` - ## - ## - # --interface(`cron_manage_system_job_lib_files',` -+interface(`cron_rw_system_job_pipes',` - gen_require(` -- type system_cronjob_var_lib_t; -+ type system_cronjob_t; - ') - -- files_search_var_lib($1) -- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Write system cron job unnamed pipes. -+## Allow read/write unix stream sockets from the system cron jobs. - ## - ## - ## -@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',` - ## - ## - # --interface(`cron_write_system_job_pipes',` -+interface(`cron_rw_system_job_stream_sockets',` - gen_require(` - type system_cronjob_t; - ') - -- allow $1 system_cronjob_t:file write; -+ allow $1 system_cronjob_t:unix_stream_socket { read write }; - ') - - ######################################## - ## --## Read and write system cron job --## unnamed pipes. -+## Read temporary files from the system cron jobs. - ## - ## - ## -@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',` - ## - ## - # --interface(`cron_rw_system_job_pipes',` -+interface(`cron_read_system_job_tmp_files',` - gen_require(` -- type system_cronjob_t; -+ type system_cronjob_tmp_t, cron_var_run_t; - ') - -- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; -+ files_search_tmp($1) -+ allow $1 system_cronjob_tmp_t:file read_file_perms; -+ -+ files_search_pids($1) -+ allow $1 cron_var_run_t:file read_file_perms; - ') - - ######################################## - ## --## Read and write inherited system cron --## job unix domain stream sockets. -+## Do not audit attempts to append temporary -+## files from the system cron jobs. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`cron_rw_system_job_stream_sockets',` -+interface(`cron_dontaudit_append_system_job_tmp_files',` - gen_require(` -- type system_cronjob_t; -+ type system_cronjob_tmp_t; - ') - -- allow $1 system_cronjob_t:unix_stream_socket { read write }; -+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms; - ') - - ######################################## - ## --## Read system cron job temporary files. -+## Do not audit attempts to write temporary -+## files from the system cron jobs. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`cron_read_system_job_tmp_files',` -+interface(`cron_dontaudit_write_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; -+ type cron_var_run_t; - ') - -- files_search_tmp($1) -- allow $1 system_cronjob_tmp_t:file read_file_perms; -+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -+ dontaudit $1 cron_var_run_t:file write_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to append temporary --## system cron job files. -+## Read temporary files from the system cron jobs. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`cron_dontaudit_append_system_job_tmp_files',` -+interface(`cron_read_system_job_lib_files',` - gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_var_lib_t; - ') - -- dontaudit $1 system_cronjob_tmp_t:file append_file_perms; -+ files_search_var_lib($1) -+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - ') - - ######################################## - ## --## Do not audit attempts to write temporary --## system cron job files. -+## Manage files from the system cron jobs. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`cron_dontaudit_write_system_job_tmp_files',` -+interface(`cron_manage_system_job_lib_files',` - gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_var_lib_t; - ') - -- dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -+ files_search_var_lib($1) -+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+') -+ -+####################################### -+## -+## Create, read, write and delete -+## cron log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_manage_log_files',` -+ gen_require(` -+ type cron_log_t; -+ ') -+ -+ manage_files_pattern($1, cron_log_t, cron_log_t) -+ -+ logging_search_logs($1) -+') -+ -+####################################### -+## -+## Create specified objects in generic -+## log directories with the cron log file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`cron_generic_log_filetrans_log',` -+ gen_require(` -+ type cron_log_t; -+ ') -+ -+ logging_log_filetrans($1, cron_log_t, $2, $3) - ') -diff --git a/cron.te b/cron.te -index 28e1b86..f871609 100644 ---- a/cron.te -+++ b/cron.te -@@ -1,4 +1,4 @@ --policy_module(cron, 2.5.10) -+policy_module(cron, 2.2.1) - - gen_require(` - class passwd rootok; -@@ -11,46 +11,37 @@ gen_require(` - - ## - ##
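Review bot: `cron_read_system_job_tmp_files` and `cron_dontaudit_write_system_job_tmp_files` now also grant (or dontaudit) access to `cron_var_run_t`, so a caller asking for tmp-file access silently gets pid-file access too and neither the names nor the summaries describe what the interfaces do. Split the pid-file half into its own interface, e.g. `cron_read_pid_files` containing `files_search_pids($1)` and `allow $1 cron_var_run_t:file read_file_perms;`, so callers can take one without the other. The relocated `cron_manage_log_files` and `cron_generic_log_filetrans_log` bodies are unchanged, which is fine.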

    --## Determine whether system cron jobs --## can relabel filesystem for --## restoring file contexts. -+## Allow system cron jobs to relabel filesystem -+## for restoring file contexts. - ##

    - ##
    - gen_tunable(cron_can_relabel, false) - - ## - ##

    --## Determine whether crond can execute jobs --## in the user domain as opposed to the --## the generic cronjob domain. --##

    --##
    --gen_tunable(cron_userdomain_transition, false) -- --## --##

    --## Determine whether extra rules --## should be enabled to support fcron. -+## Enable extra rules in the cron domain -+## to support fcron. - ##

    - ##
    - gen_tunable(fcron_crond, false) - --attribute cron_spool_type; - attribute crontab_domain; -+attribute cron_spool_type; - - type anacron_exec_t; - application_executable_file(anacron_exec_t) - - type cron_spool_t; --files_type(cron_spool_t) --mta_system_content(cron_spool_t) -+files_spool_file(cron_spool_t) - -+# var/lib files - type cron_var_lib_t; - files_type(cron_var_lib_t) - - type cron_var_run_t; - files_pid_file(cron_var_run_t) - -+# var/log files - type cron_log_t; - logging_log_file(cron_log_t) - -@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t) - type crond_initrc_exec_t; - init_script_file(crond_initrc_exec_t) - -+type crond_unit_file_t; -+systemd_unit_file(crond_unit_file_t) -+ - type crond_tmp_t; - files_tmp_file(crond_tmp_t) - files_poly_parent(crond_tmp_t) -@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; - typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; - typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; - typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; -+allow admin_crontab_t crond_t:process signal; - - type system_cron_spool_t, cron_spool_type; --files_type(system_cron_spool_t) --mta_system_content(system_cron_spool_t) -+files_spool_file(system_cron_spool_t) - - type system_cronjob_t alias system_crond_t; - init_daemon_domain(system_cronjob_t, anacron_exec_t) - corecmd_shell_entry_type(system_cronjob_t) --domain_entry_file(system_cronjob_t, system_cron_spool_t) -+role system_r types system_cronjob_t; -+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) - - type system_cronjob_lock_t alias system_crond_lock_t; - files_lock_file(system_cronjob_lock_t) -@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t) - type system_cronjob_tmp_t alias system_crond_tmp_t; - files_tmp_file(system_cronjob_tmp_t) - --type system_cronjob_var_lib_t; --files_type(system_cronjob_var_lib_t) -- --type system_cronjob_var_run_t; 
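Review bot: `domain_entry_file(system_cronjob_t, system_cron_spool_t)` is dropped in favour of `role system_r types system_cronjob_t;` plus `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)`; the latter covers only the anacron executable, so unless an `entrypoint`/`transition` pair for `system_cron_spool_t` is granted in a hunk outside this view, crond_t can no longer enter `system_cronjob_t` via the /etc/cron.d and /etc/crontab files that cron.fc labels with that type. Please confirm, and add a comment at these lines pointing to where the spool entrypoint lives. `allow admin_crontab_t crond_t:process signal;` is also inserted among the typealias declarations (it was removed from the admin section below); move it back under `# Admin crontab local policy` so the declarations stay rule-free. `init_daemon_domain` normally already associates system_r, so the explicit role line is probably redundant.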
--files_pid_file(system_cronjob_var_run_t) -+type unconfined_cronjob_t; -+domain_type(unconfined_cronjob_t) -+domain_cron_exemption_target(unconfined_cronjob_t) - -+# Type of user crontabs once moved to cron spool. - type user_cron_spool_t, cron_spool_type; - typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; - typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; --files_type(user_cron_spool_t) -+files_spool_file(user_cron_spool_t) - ubac_constrained(user_cron_spool_t) - mta_system_content(user_cron_spool_t) - --type user_cron_spool_log_t; --logging_log_file(user_cron_spool_log_t) --ubac_constrained(user_cron_spool_log_t) --mta_system_content(user_cron_spool_log_t) -+type system_cronjob_var_lib_t; -+files_type(system_cronjob_var_lib_t) -+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; -+ -+type system_cronjob_var_run_t; -+files_pid_file(system_cronjob_var_run_t) - - ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) - ') - --############################## --# --# Common crontab local policy --# -- --allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; --allow crontab_domain self:process { getcap setsched signal_perms }; --allow crontab_domain self:fifo_file rw_fifo_file_perms; -- --manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) --filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) -- --allow crontab_domain cron_spool_t:dir setattr_dir_perms; -- --allow crontab_domain crond_t:process signal; --allow crontab_domain crond_var_run_t:file read_file_perms; -- --kernel_read_system_state(crontab_domain) -- --selinux_dontaudit_search_fs(crontab_domain) -- --files_list_spool(crontab_domain) --files_read_etc_files(crontab_domain) --files_read_usr_files(crontab_domain) --files_search_pids(crontab_domain) -- --fs_getattr_xattr_fs(crontab_domain) 
--fs_manage_cgroup_dirs(crontab_domain) --fs_rw_cgroup_files(crontab_domain) -- --domain_use_interactive_fds(crontab_domain) -- --fs_dontaudit_rw_anon_inodefs_files(crontab_domain) -- --auth_rw_var_auth(crontab_domain) -- --logging_send_syslog_msg(crontab_domain) --logging_send_audit_msgs(crontab_domain) --logging_set_loginuid(crontab_domain) -- --init_dontaudit_write_utmp(crontab_domain) --init_read_utmp(crontab_domain) --init_read_state(crontab_domain) -- --miscfiles_read_localization(crontab_domain) -- --seutil_read_config(crontab_domain) -- --userdom_manage_user_tmp_dirs(crontab_domain) --userdom_manage_user_tmp_files(crontab_domain) --userdom_use_user_terminals(crontab_domain) --userdom_read_user_home_content_files(crontab_domain) --userdom_read_user_home_content_symlinks(crontab_domain) -- --tunable_policy(`fcron_crond',` -- dontaudit crontab_domain crond_t:process signal; --') -- - ######################################## - # --# Admin local policy -+# Admin crontab local policy - # - --allow admin_crontab_t self:capability fsetid; --allow admin_crontab_t crond_t:process signal; -+# Allow our crontab domain to unlink a user cron spool file. -+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; - -+# Manipulate other users crontab. 
- selinux_get_fs_mount(admin_crontab_t) - selinux_validate_context(admin_crontab_t) - selinux_compute_access_vector(admin_crontab_t) -@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t) - selinux_compute_user_contexts(admin_crontab_t) - - tunable_policy(`fcron_crond',` -+ # fcron wants an instant update of a crontab change for the administrator -+ # also crontab does a security check for crontab -u - allow admin_crontab_t self:process setfscreate; - ') - - ######################################## - # --# Daemon local policy -+# Cron daemon local policy - # - - allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; -@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec - allow crond_t self:process { setexec setfscreate }; - allow crond_t self:fd use; - allow crond_t self:fifo_file rw_fifo_file_perms; -+allow crond_t self:unix_dgram_socket create_socket_perms; -+allow crond_t self:unix_stream_socket create_stream_socket_perms; - allow crond_t self:unix_dgram_socket sendto; --allow crond_t self:unix_stream_socket { accept connectto listen }; -+allow crond_t self:unix_stream_socket connectto; - allow crond_t self:shm create_shm_perms; - allow crond_t self:sem create_sem_perms; - allow crond_t self:msgq create_msgq_perms; -@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive }; - allow crond_t self:key { search write link }; - dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; - --allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+manage_files_pattern(crond_t, cron_log_t, cron_log_t) - logging_log_filetrans(crond_t, cron_log_t, file) - - manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - - manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) - manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) 
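Review bot: The whole "Common crontab local policy" block keyed on the `crontab_domain` attribute is deleted (capabilities, spool-file management with the `cron_spool_t` to `user_cron_spool_t` filetrans, syslog/audit, utmp and tmp handling), while `attribute crontab_domain;` stays declared above with no visible rule left on it; unless `cron_common_crontab_template` in cron.if picks all of that up, the crontab binaries lose the ability to write their spool files. The part of that template visible in this patch adds only `kernel_read_system_state`, `logging_send_syslog_msg` and `userdom_home_reader`, so this needs confirming against the rest of the template, and a comment next to the attribute saying which template now carries its rules would help.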
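Review bot: `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` replaces the deliberately narrow `{ append_file_perms create_file_perms setattr_file_perms }` on `cron_log_t`, so crond_t can now truncate, rewrite, rename and unlink /var/log/cron; the append-only grant is what keeps the job log tamper-evident if the daemon is compromised. Unless a concrete denial requires more, keep the original line, or at most add `write` with a comment naming the access that needed it.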
--files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) -+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - - list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - --rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) --manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) --manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -- --manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) -+kernel_read_kernel_sysctls(crond_t) -+kernel_read_fs_sysctls(crond_t) -+kernel_search_key(crond_t) - --allow crond_t system_cronjob_t:process transition; --allow crond_t system_cronjob_t:fd use; --allow crond_t system_cronjob_t:key manage_key_perms; -+dev_read_sysfs(crond_t) -+selinux_get_fs_mount(crond_t) -+selinux_validate_context(crond_t) -+selinux_compute_access_vector(crond_t) -+selinux_compute_create_context(crond_t) -+selinux_compute_relabel_context(crond_t) -+selinux_compute_user_contexts(crond_t) - --dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh }; -+dev_read_urand(crond_t) - --domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) -+fs_getattr_all_fs(crond_t) -+fs_search_auto_mountpoints(crond_t) -+fs_list_inotifyfs(crond_t) - --kernel_read_kernel_sysctls(crond_t) --kernel_read_fs_sysctls(crond_t) --kernel_search_key(crond_t) -+# need auth_chkpwd to check for locked accounts. 
-+auth_domtrans_chk_passwd(crond_t) -+auth_manage_var_auth(crond_t) - - corecmd_exec_shell(crond_t) --corecmd_exec_bin(crond_t) - corecmd_list_bin(crond_t) -- --dev_read_sysfs(crond_t) --dev_read_urand(crond_t) -+corecmd_exec_bin(crond_t) -+corecmd_read_bin_symlinks(crond_t) - - domain_use_interactive_fds(crond_t) - domain_subj_id_change_exemption(crond_t) - domain_role_change_exemption(crond_t) - --fs_getattr_all_fs(crond_t) --fs_list_inotifyfs(crond_t) --fs_manage_cgroup_dirs(crond_t) --fs_rw_cgroup_files(crond_t) --fs_search_auto_mountpoints(crond_t) -- --files_read_usr_files(crond_t) - files_read_etc_runtime_files(crond_t) - files_read_generic_spool(crond_t) - files_list_usr(crond_t) -+# Read from /var/spool/cron. - files_search_var_lib(crond_t) - files_search_default(crond_t) -+files_read_all_locks(crond_t) - --mls_fd_share_all_levels(crond_t) -+fs_manage_cgroup_dirs(crond_t) -+fs_manage_cgroup_files(crond_t) -+ -+# needed by "crontab -e" - mls_file_read_all_levels(crond_t) - mls_file_write_all_levels(crond_t) -+ -+# needed because of kernel check of transition - mls_process_set_level(crond_t) --mls_trusted_object(crond_t) - --selinux_get_fs_mount(crond_t) --selinux_validate_context(crond_t) --selinux_compute_access_vector(crond_t) --selinux_compute_create_context(crond_t) --selinux_compute_relabel_context(crond_t) --selinux_compute_user_contexts(crond_t) -+# to make cronjob working -+mls_fd_share_all_levels(crond_t) -+mls_trusted_object(crond_t) - - init_read_state(crond_t) - init_rw_utmp(crond_t) - init_spec_domtrans_script(crond_t) - --auth_domtrans_chk_passwd(crond_t) --auth_manage_var_auth(crond_t) - auth_use_nsswitch(crond_t) - - logging_send_audit_msgs(crond_t) -@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t) - - seutil_read_config(crond_t) - seutil_read_default_contexts(crond_t) -+seutil_sigchld_newrole(crond_t) - --miscfiles_read_localization(crond_t) - -+userdom_use_unpriv_users_fds(crond_t) -+# Not sure why this is needed - 
userdom_list_user_home_dirs(crond_t) -+userdom_list_admin_dir(crond_t) -+userdom_manage_all_users_keys(crond_t) - --tunable_policy(`cron_userdomain_transition',` -- dontaudit crond_t cronjob_t:process transition; -- dontaudit crond_t cronjob_t:fd use; -- dontaudit crond_t cronjob_t:key manage_key_perms; --',` -- allow crond_t cronjob_t:process transition; -- allow crond_t cronjob_t:fd use; -- allow crond_t cronjob_t:key manage_key_perms; --') -+mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) - - ifdef(`distro_debian',` -+ # pam_limits is used - allow crond_t self:process setrlimit; - -- optional_policy(` -- logwatch_search_cache_dir(crond_t) -- ') -+') -+ -+optional_policy(` -+ logwatch_search_cache_dir(crond_t) -+') -+ -+optional_policy(` -+ bind_read_config(crond_t) - ') - - ifdef(`distro_redhat',` -+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files -+ # via redirection of standard out. - optional_policy(` - rpm_manage_log(crond_t) - ') - ') - --tunable_policy(`allow_polyinstantiation',` -+tunable_policy(`polyinstantiation_enabled',` - files_polyinstantiate_all(crond_t) - ') - --tunable_policy(`fcron_crond',` -- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; -+tunable_policy(`fcron_crond', ` -+ allow crond_t system_cron_spool_t:file manage_file_perms; - ') - - optional_policy(` -@@ -353,102 +297,136 @@ optional_policy(` - ') - - optional_policy(` -- dbus_system_bus_client(crond_t) -- -- optional_policy(` -- hal_dbus_chat(crond_t) -- ') -- -- optional_policy(` -- unconfined_dbus_send(crond_t) -- ') -+ djbdns_search_tinydns_keys(crond_t) -+ djbdns_link_tinydns_keys(crond_t) - ') - - optional_policy(` -- amanda_search_var_lib(crond_t) -+ locallogin_search_keys(crond_t) -+ locallogin_link_keys(crond_t) - ') - - optional_policy(` -- amavis_search_lib(crond_t) -+ # these should probably be unconfined_crond_t -+ dbus_system_bus_client(crond_t) -+ init_dbus_send_script(crond_t) -+ 
init_dbus_chat(crond_t) - ') - - optional_policy(` -- djbdns_search_tinydns_keys(crond_t) -- djbdns_link_tinydns_keys(crond_t) -+ amanda_search_var_lib(crond_t) - ') - - optional_policy(` -- hal_write_log(crond_t) -+ antivirus_search_db(crond_t) - ') - - optional_policy(` -- locallogin_search_keys(crond_t) -- locallogin_link_keys(crond_t) -+ hal_dbus_chat(crond_t) -+ hal_write_log(crond_t) -+ hal_dbus_chat(system_cronjob_t) - ') - - optional_policy(` -- mta_send_mail(crond_t) -+ # cjp: why? -+ munin_search_lib(crond_t) - ') - - optional_policy(` -- munin_search_lib(crond_t) -+ rpc_search_nfs_state_data(crond_t) - ') - - optional_policy(` -- postgresql_search_db(crond_t) -+ # Commonly used from postinst scripts -+ rpm_read_pipes(crond_t) - ') - - optional_policy(` -- rpc_search_nfs_state_data(crond_t) -+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance -+ postgresql_search_db(crond_t) - ') - - optional_policy(` -- rpm_read_pipes(crond_t) -+ systemd_use_fds_logind(crond_t) -+ systemd_write_inherited_logind_sessions_pipes(crond_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(crond_t) -+ udev_read_db(crond_t) - ') - - optional_policy(` -- udev_read_db(crond_t) -+ vnstatd_search_lib(crond_t) - ') - - ######################################## - # --# System local policy -+# System cron process domain - # - - allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -+ - allow system_cronjob_t self:process { signal_perms getsched setsched }; - allow system_cronjob_t self:fifo_file rw_fifo_file_perms; - allow system_cronjob_t self:passwd rootok; - --allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+# This is to handle creation of files in /var/log directory. 
-+# Used currently by rpm script log files -+allow system_cronjob_t cron_log_t:file manage_file_perms; - logging_log_filetrans(system_cronjob_t, cron_log_t, file) - -+# This is to handle /var/lib/misc directory. Used currently -+# by prelink var/lib files for cron - allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; - files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - - allow system_cronjob_t cron_var_run_t:file manage_file_perms; - files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) - -+allow system_cronjob_t system_cron_spool_t:file read_file_perms; -+ -+mls_file_read_to_clearance(system_cronjob_t) -+ -+# anacron forces the following - manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) - -+# The entrypoint interface is not used as this is not -+# a regular entrypoint. Since crontab files are -+# not directly executed, crond must ensure that -+# the crontab file has a type that is appropriate -+# for the domain of the user cron job. It -+# performs an entrypoint permission check -+# for this purpose. -+allow system_cronjob_t system_cron_spool_t:file entrypoint; -+ -+# Permit a transition from the crond_t domain to this domain. -+# The transition is requested explicitly by the modified crond -+# via setexeccon. There is no way to set up an automatic -+# transition, since crontabs are configuration files, not executables. -+allow crond_t system_cronjob_t:process transition; -+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; -+allow crond_t system_cronjob_t:fd use; -+allow system_cronjob_t crond_t:fd use; -+allow system_cronjob_t crond_t:fifo_file rw_file_perms; -+allow system_cronjob_t crond_t:process sigchld; -+allow crond_t system_cronjob_t:key manage_key_perms; -+ -+# Write /var/lock/makewhatis.lock. 
- allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; - files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) - -+# write temporary files -+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) - manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) - manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) --filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) --files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) -+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file }) -+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file }) - -+# var/lib files for system_crond -+files_search_var_lib(system_cronjob_t) - manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - --allow system_cronjob_t crond_t:fd use; --allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms; --allow system_cronjob_t crond_t:process sigchld; -- -+# Read from /var/spool/cron. 
- allow system_cronjob_t cron_spool_t:dir list_dir_perms; - allow system_cronjob_t cron_spool_t:file rw_file_perms; - -@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t) - kernel_read_system_state(system_cronjob_t) - kernel_read_software_raid_state(system_cronjob_t) - -+# ps does not need to access /boot when run from cron - files_dontaudit_search_boot(system_cronjob_t) - - corecmd_exec_all_executables(system_cronjob_t) - --corenet_all_recvfrom_unlabeled(system_cronjob_t) - corenet_all_recvfrom_netlabel(system_cronjob_t) - corenet_tcp_sendrecv_generic_if(system_cronjob_t) - corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t) - fs_getattr_all_pipes(system_cronjob_t) - fs_getattr_all_sockets(system_cronjob_t) - -+# quiet other ps operations - domain_dontaudit_read_all_domains_state(system_cronjob_t) - - files_exec_etc_files(system_cronjob_t) -@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t) - files_getattr_all_symlinks(system_cronjob_t) - files_getattr_all_pipes(system_cronjob_t) - files_getattr_all_sockets(system_cronjob_t) --files_read_usr_files(system_cronjob_t) - files_read_var_files(system_cronjob_t) -+# for nscd: - files_dontaudit_search_pids(system_cronjob_t) -+# Access other spool directories like -+# /var/spool/anacron and /var/spool/slrnpull. 
- files_manage_generic_spool(system_cronjob_t) - files_create_boot_flag(system_cronjob_t) - --mls_file_read_to_clearance(system_cronjob_t) -- - init_use_script_fds(system_cronjob_t) -+init_read_utmp(system_cronjob_t) -+init_dontaudit_rw_utmp(system_cronjob_t) -+# prelink tells init to restart it self, we either need to allow or dontaudit -+init_telinit(system_cronjob_t) - init_domtrans_script(system_cronjob_t) - - auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t) - logging_send_audit_msgs(system_cronjob_t) - logging_send_syslog_msg(system_cronjob_t) - --miscfiles_read_localization(system_cronjob_t) -- - seutil_read_config(system_cronjob_t) - -+userdom_manage_tmpfs_files(system_cronjob_t, file) -+userdom_tmpfs_filetrans(system_cronjob_t, file) -+ - ifdef(`distro_redhat',` -+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files -+ allow crond_t system_cron_spool_t:file manage_file_perms; -+ -+ # via redirection of standard out. 
- optional_policy(` - rpm_manage_log(system_cronjob_t) - ') - ') - -+selinux_get_fs_mount(system_cronjob_t) -+ - tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_cronjob_t) - ',` -- selinux_get_fs_mount(system_cronjob_t) - selinux_validate_context(system_cronjob_t) - selinux_compute_access_vector(system_cronjob_t) - selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',` - ') - - optional_policy(` -+ # Needed for certwatch - apache_exec_modules(system_cronjob_t) - apache_read_config(system_cronjob_t) - apache_read_log(system_cronjob_t) - apache_read_sys_content(system_cronjob_t) -+ apache_delete_cache_dirs(system_cronjob_t) -+ apache_delete_cache_files(system_cronjob_t) -+') -+ -+optional_policy(` -+ bind_read_config(system_cronjob_t) - ') - - optional_policy(` -@@ -546,10 +542,6 @@ optional_policy(` - - optional_policy(` - dbus_system_bus_client(system_cronjob_t) -- -- optional_policy(` -- networkmanager_dbus_chat(system_cronjob_t) -- ') - ') - - optional_policy(` -@@ -581,6 +573,7 @@ optional_policy(` - optional_policy(` - mta_read_config(system_cronjob_t) - mta_send_mail(system_cronjob_t) -+ mta_system_content(system_cron_spool_t) - ') - - optional_policy(` -@@ -588,15 +581,19 @@ optional_policy(` - ') - - optional_policy(` -- postfix_read_config(system_cronjob_t) -+ networkmanager_dbus_chat(system_cronjob_t) - ') - - optional_policy(` -+ postfix_read_config(system_cronjob_t) -+') -+ -+optional_policy(` - prelink_delete_cache(system_cronjob_t) - prelink_manage_lib(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_read_cache(system_cronjob_t) -- prelink_relabelfrom_lib(system_cronjob_t) -+ prelink_relabel_lib(system_cronjob_t) - ') - - optional_policy(` -@@ -606,6 +603,7 @@ optional_policy(` - - optional_policy(` - spamassassin_manage_lib_files(system_cronjob_t) -+ spamassassin_manage_home_client(system_cronjob_t) - ') - - optional_policy(` -@@ -613,12 +611,24 @@ 
optional_policy(` - ') - - optional_policy(` -- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) -+ systemd_dbus_chat_logind(system_cronjob_t) -+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) -+') -+ -+optional_policy(` -+ unconfined_domain(crond_t) -+ unconfined_domain(system_cronjob_t) -+') -+ -+optional_policy(` -+ unconfined_shell_domtrans(crond_t) -+ unconfined_dbus_send(crond_t) -+ userdom_filetrans_home_content(crond_t) - ') - - ######################################## - # --# Cronjob local policy -+# User cronjobs local policy - # - - allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; - allow cronjob_t self:unix_stream_socket create_stream_socket_perms; - allow cronjob_t self:unix_dgram_socket create_socket_perms; - -+# The entrypoint interface is not used as this is not -+# a regular entrypoint. Since crontab files are -+# not directly executed, crond must ensure that -+# the crontab file has a type that is appropriate -+# for the domain of the user cron job. It -+# performs an entrypoint permission check -+# for this purpose. -+allow cronjob_t user_cron_spool_t:file entrypoint; -+ -+# Permit a transition from the crond_t domain to this domain. -+# The transition is requested explicitly by the modified crond -+# via setexeccon. There is no way to set up an automatic -+# transition, since crontabs are configuration files, not executables. 
-+allow crond_t cronjob_t:process transition; -+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; -+allow crond_t cronjob_t:fd use; -+allow cronjob_t crond_t:fd use; -+allow cronjob_t crond_t:fifo_file rw_file_perms; -+allow cronjob_t crond_t:process sigchld; -+ - kernel_read_system_state(cronjob_t) - kernel_read_kernel_sysctls(cronjob_t) - -+# ps does not need to access /boot when run from cron - files_dontaudit_search_boot(cronjob_t) - --corenet_all_recvfrom_unlabeled(cronjob_t) - corenet_all_recvfrom_netlabel(cronjob_t) - corenet_tcp_sendrecv_generic_if(cronjob_t) - corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) - corenet_udp_sendrecv_generic_node(cronjob_t) - corenet_tcp_sendrecv_all_ports(cronjob_t) - corenet_udp_sendrecv_all_ports(cronjob_t) -- --corenet_sendrecv_all_client_packets(cronjob_t) - corenet_tcp_connect_all_ports(cronjob_t) -- --corecmd_exec_all_executables(cronjob_t) -+corenet_sendrecv_all_client_packets(cronjob_t) - - dev_read_urand(cronjob_t) - - fs_getattr_all_fs(cronjob_t) - -+corecmd_exec_all_executables(cronjob_t) -+ -+# quiet other ps operations - domain_dontaudit_read_all_domains_state(cronjob_t) - domain_dontaudit_getattr_all_domains(cronjob_t) - - files_exec_etc_files(cronjob_t) --files_read_etc_runtime_files(cronjob_t) --files_read_var_files(cronjob_t) --files_read_usr_files(cronjob_t) --files_search_spool(cronjob_t) -+# for nscd: - files_dontaudit_search_pids(cronjob_t) - - libs_exec_lib_files(cronjob_t) - libs_exec_ld_so(cronjob_t) - -+files_read_etc_runtime_files(cronjob_t) -+files_read_var_files(cronjob_t) -+files_search_spool(cronjob_t) -+ - logging_search_logs(cronjob_t) - - seutil_read_config(cronjob_t) - --miscfiles_read_localization(cronjob_t) - - userdom_manage_user_tmp_files(cronjob_t) - userdom_manage_user_tmp_symlinks(cronjob_t) - userdom_manage_user_tmp_pipes(cronjob_t) - userdom_manage_user_tmp_sockets(cronjob_t) -+# Run scripts in user 
home directory and access shared libs. - userdom_exec_user_home_content_files(cronjob_t) -+# Access user files and dirs. - userdom_manage_user_home_content_files(cronjob_t) - userdom_manage_user_home_content_symlinks(cronjob_t) - userdom_manage_user_home_content_pipes(cronjob_t) - userdom_manage_user_home_content_sockets(cronjob_t) - --tunable_policy(`cron_userdomain_transition',` -- dontaudit cronjob_t crond_t:fd use; -- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms; -- dontaudit cronjob_t crond_t:process sigchld; -- -- dontaudit cronjob_t user_cron_spool_t:file entrypoint; --',` -- allow cronjob_t crond_t:fd use; -- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms; -- allow cronjob_t crond_t:process sigchld; -+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+allow crond_t user_cron_spool_t:file manage_lnk_file_perms; - -- allow cronjob_t user_cron_spool_t:file entrypoint; -+tunable_policy(`fcron_crond',` -+ allow crond_t user_cron_spool_t:file manage_file_perms; - ') - -+# need a per-role version of this: -+#optional_policy(` -+# mono_domtrans(cronjob_t) -+#') -+ - optional_policy(` - nis_use_ypbind(cronjob_t) - ') - - ######################################## - # --# Unconfined local policy -+# Unconfined cronjobs local policy - # - - optional_policy(` -- type unconfined_cronjob_t; -- domain_type(unconfined_cronjob_t) -- domain_cron_exemption_target(unconfined_cronjob_t) -- -+ # Permit a transition from the crond_t domain to this domain. -+ # The transition is requested explicitly by the modified crond -+ # via setexeccon. There is no way to set up an automatic -+ # transition, since crontabs are configuration files, not executables. 
-+ allow crond_t unconfined_cronjob_t:process transition; - dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; -+ allow crond_t unconfined_cronjob_t:fd use; - - unconfined_domain(unconfined_cronjob_t) -+') - -- tunable_policy(`cron_userdomain_transition',` -- dontaudit crond_t unconfined_cronjob_t:process transition; -- dontaudit crond_t unconfined_cronjob_t:fd use; -- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; -- ',` -- allow crond_t unconfined_cronjob_t:process transition; -- allow crond_t unconfined_cronjob_t:fd use; -- allow crond_t unconfined_cronjob_t:key manage_key_perms; -- ') -+############################## -+# -+# crontab common policy -+# -+ -+# dac_override is to create the file in the directory under /tmp -+allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; -+allow crontab_domain self:process { getcap setsched signal_perms }; -+allow crontab_domain self:fifo_file rw_fifo_file_perms; -+ -+allow crontab_domain crond_t:process signal; -+allow crontab_domain crond_var_run_t:file read_file_perms; -+ -+# create files in /var/spool/cron -+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) -+files_list_spool(crontab_domain) -+ -+# crontab signals crond by updating the mtime on the spooldir -+allow crontab_domain cron_spool_t:dir setattr_dir_perms; -+ -+# for the checks used by crontab -u -+selinux_dontaudit_search_fs(crontab_domain) -+ -+fs_getattr_xattr_fs(crontab_domain) -+fs_manage_cgroup_dirs(crontab_domain) -+fs_manage_cgroup_files(crontab_domain) -+ -+domain_use_interactive_fds(crontab_domain) -+ -+files_dontaudit_search_pids(crontab_domain) -+ -+fs_dontaudit_rw_anon_inodefs_files(crontab_domain) -+ -+auth_rw_var_auth(crontab_domain) -+ -+logging_send_audit_msgs(crontab_domain) -+logging_set_loginuid(crontab_domain) -+ -+init_dontaudit_write_utmp(crontab_domain) 
-+init_read_utmp(crontab_domain) -+init_read_state(crontab_domain) -+ -+ -+seutil_read_config(crontab_domain) -+ -+userdom_manage_user_tmp_dirs(crontab_domain) -+userdom_manage_user_tmp_files(crontab_domain) -+# Access terminals. -+userdom_use_inherited_user_terminals(crontab_domain) -+# Read user crontabs -+userdom_read_user_home_content_files(crontab_domain) -+userdom_read_user_home_content_symlinks(crontab_domain) -+ -+tunable_policy(`fcron_crond',` -+ # fcron wants an instant update of a crontab change for the administrator -+ # also crontab does a security check for crontab -u -+ dontaudit crontab_domain crond_t:process signal; -+') -+ -+optional_policy(` -+ ssh_dontaudit_use_ptys(crontab_domain) -+') -+ -+optional_policy(` -+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain) -+ openshift_transition(system_cronjob_t) - ') -diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..507804b 100644 ---- a/ctdb.fc -+++ b/ctdb.fc -@@ -2,6 +2,8 @@ - - /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) - -+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) -+ - /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) - - /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) -diff --git a/ctdb.if b/ctdb.if -index b25b01d..e99c5c6 100644 ---- a/ctdb.if -+++ b/ctdb.if -@@ -1,9 +1,144 @@ --## Clustered Database based on Samba Trivial Database. -+ -+## policy for ctdbd -+ -+######################################## -+## -+## Transition to ctdbd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ctdbd_domtrans',` -+ gen_require(` -+ type ctdbd_t, ctdbd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t) -+') -+ -+######################################## -+## -+## Execute ctdbd server in the ctdbd domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`ctdbd_initrc_domtrans',` -+ gen_require(` -+ type ctdbd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Read ctdbd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`ctdbd_read_log',` -+ gen_require(` -+ type ctdbd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+') -+ -+######################################## -+## -+## Append to ctdbd log files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ctdbd_append_log',` -+ gen_require(` -+ type ctdbd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+') - - ######################################## - ## --## Create, read, write, and delete --## ctdbd lib files. -+## Manage ctdbd log files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`ctdbd_manage_log',` -+ gen_require(` -+ type ctdbd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t) -+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+') -+ -+######################################## -+## -+## Search ctdbd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_search_lib',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ allow $1 ctdbd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read ctdbd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_read_lib_files',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage ctdbd lib files. 
- ## - ## - ## -@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',` - ') - - files_search_var_lib($1) -- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) - ') - --####################################### -+######################################## - ## --## Connect to ctdbd with a unix --## domain stream socket. -+## Manage ctdbd lib files. - ## - ## - ## -@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',` - ## - ## - # --interface(`ctdbd_stream_connect',` -+interface(`ctdbd_manage_var_files',` - gen_require(` -- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; -+ type ctdbd_var_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t) -+') -+ -+######################################## -+## -+## Manage ctdbd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_manage_lib_dirs',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -+') -+ -+######################################## -+## -+## Read ctdbd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_read_pid_files',` -+ gen_require(` -+ type ctdbd_var_run_t; - ') - - files_search_pids($1) -- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t) -+ allow $1 ctdbd_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Connect to ctdbd over a unix stream socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`ctdbd_stream_connect',` -+ gen_require(` -+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) -+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an ctdb environment. -+## All of the rules required to administrate -+## an ctdbd environment - ## - ## - ## -@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',` - ## - ## - # --interface(`ctdb_admin',` -+interface(`ctdbd_admin',` - gen_require(` -- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; -+ type ctdbd_t, ctdbd_initrc_exec_t; - type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; - ') - -- allow $1 ctdbd_t:process { ptrace signal_perms }; -+ allow $1 ctdbd_t:process signal_perms; - ps_process_pattern($1, ctdbd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ctdbd_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) -+ ctdbd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ctdbd_initrc_exec_t system_r; - allow $2 system_r; -@@ -74,12 +269,10 @@ interface(`ctdb_admin',` - logging_search_logs($1) - admin_pattern($1, ctdbd_log_t) - -- files_search_tmp($1) -- admin_pattern($1, ctdbd_tmp_t) -- - files_search_var_lib($1) - admin_pattern($1, ctdbd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, ctdbd_var_run_t) - ') -+ -diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..03bc338 100644 ---- a/ctdb.te -+++ b/ctdb.te -@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) - type ctdbd_var_lib_t; - files_type(ctdbd_var_lib_t) - -+type ctdbd_var_t; -+files_type(ctdbd_var_t) -+ - type ctdbd_var_run_t; - files_pid_file(ctdbd_var_run_t) - -@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t) - # - - allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; -+allow ctdbd_t self:capability2 block_suspend; - 
allow ctdbd_t self:process { setpgid signal_perms setsched }; - allow ctdbd_t self:fifo_file rw_fifo_file_perms; - allow ctdbd_t self:unix_stream_socket { accept connectto listen }; - allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; - allow ctdbd_t self:packet_socket create_socket_perms; - allow ctdbd_t self:tcp_socket create_stream_socket_perms; -+allow ctdbd_t self:udp_socket create_socket_perms; - - append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) - create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) - manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) - files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) - -+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) -+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) -+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) -+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb") -+ - manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) - manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) - files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) -@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) - corenet_tcp_sendrecv_generic_if(ctdbd_t) - corenet_tcp_sendrecv_generic_node(ctdbd_t) - corenet_tcp_bind_generic_node(ctdbd_t) -+corenet_udp_bind_generic_node(ctdbd_t) - - corenet_sendrecv_ctdb_server_packets(ctdbd_t) - corenet_tcp_bind_ctdb_port(ctdbd_t) -+corenet_udp_bind_ctdb_port(ctdbd_t) - corenet_tcp_sendrecv_ctdb_port(ctdbd_t) - - corecmd_exec_bin(ctdbd_t) -@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t) - - domain_dontaudit_read_all_domains_state(ctdbd_t) - --files_read_etc_files(ctdbd_t) - files_search_all_mountpoints(ctdbd_t) - -+auth_read_passwd(ctdbd_t) -+ - logging_send_syslog_msg(ctdbd_t) - --miscfiles_read_localization(ctdbd_t) - miscfiles_read_public_files(ctdbd_t) - - optional_policy(` -@@ -109,6 +121,7 @@ optional_policy(` - 
samba_initrc_domtrans(ctdbd_t) - samba_domtrans_net(ctdbd_t) - samba_rw_var_files(ctdbd_t) -+ samba_systemctl(ctdbd_t) - ') - - optional_policy(` -diff --git a/cups.fc b/cups.fc -index 949011e..afe482b 100644 ---- a/cups.fc -+++ b/cups.fc -@@ -1,77 +1,87 @@ --/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - --/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) --/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) - - /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - --/etc/hp(/.*)? 
gen_context(system_u:object_r:hplip_etc_t,s0) -- --/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) - --/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - --/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) - --/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) --/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - --/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) --/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - --/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) --/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) --/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) --/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) --/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0) - --/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) --/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) - --/usr/local/linuxprinter/ppd(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - --/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) --/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) --/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) --/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0) -+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) -+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0) -+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0) -+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) - /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) - /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) - --/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) --/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0) - --/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/var/cache/cups(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) -+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - - /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) -+ -+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) -+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - --/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - --/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) --/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) - --/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) --/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) --/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) --/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) --/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) -+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) -+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/ptal-printd(/.*)? 
gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) --/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) --/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) -+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+ -+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --git a/cups.if b/cups.if -index 06da9a0..c7834c8 100644 ---- a/cups.if -+++ b/cups.if -@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` - interface(`cups_read_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; -+ type hplip_etc_t; - ') - - files_search_etc($1) -- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t }) -+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) -+ read_files_pattern($1, hplip_etc_t, hplip_etc_t) -+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) - ') - - ######################################## -@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',` - - ######################################## - ## -+## Execute cupsd server in the cupsd domain. -+## -+## -+## -+## Domain allowed to transition. 
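Review bot: The new `/var/run/hplip(/.*)` entry in cups.fc lacks the trailing `?` that every neighbouring pattern carries, so it matches only entries beneath the directory and never `/var/run/hplip` itself, which would be left with the generic pid-directory label on relabel. It should read `/var/run/hplip(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)`. Note also that `/usr/bin/hpijs`, `/usr/sbin/hp-[^/]+`, `/usr/lib/cups/backend/hp.*` and `/usr/share/hplip/.*\.py` move from `hplip_exec_t` to `cupsd_exec_t`, so anything that previously entered the narrower hplip domain now enters cupsd_t with its full privilege set; that is presumably the intended merge, but a one-line `#` comment above those entries saying so would spare the next reader a trip through cups.te.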
-+## -+## -+# -+interface(`cupsd_systemctl',` -+ gen_require(` -+ type cupsd_t; -+ type cupsd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 cupsd_unit_file_t:file read_file_perms; -+ allow $1 cupsd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, cupsd_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an cups environment. - ## -@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',` - interface(`cups_admin',` - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; -- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -+ type cupsd_etc_t, cupsd_log_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; - type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; - type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; -- type hplip_t, ptal_t; -+ type ptal_t; -+ type cupsd_unit_file_t; - ') - -- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; -- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; -+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms }; -+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms }; - ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) -- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) -+ ps_process_pattern($1, { cups_pdf_t ptal_t }) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace; -+ ') - - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -348,13 +379,63 @@ interface(`cups_admin',` - logging_list_logs($1) - admin_pattern($1, cupsd_log_t) - -- files_list_spool($1) -- admin_pattern($1, cupsd_spool_t) -- - files_list_tmp($1) - admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) -- -- files_list_pids($1) - admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) - admin_pattern($1, { 
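Review bot: The description on the new `cupsd_systemctl` interface is wrong: it says "Execute cupsd server in the cupsd domain", but the body grants `systemd_exec_systemctl`, `read_file_perms` and `manage_service_perms` on `cupsd_unit_file_t` and `ps_process_pattern` on `cupsd_t`; nothing here transitions into cupsd_t. Suggested text: `## Allow the caller to manage the cupsd service through systemctl and read cupsd process state.` The name also breaks the `cups_` prefix every other interface in this file uses (`cups_read_config`, `cups_admin`, `cups_read_state`); `cups_systemctl` would match the convention, with the call site in cups_admin updated accordingly.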
ptal_var_run_t cupsd_lpd_var_run_t }) -+ -+ cupsd_systemctl($1) -+ admin_pattern($1, cupsd_unit_file_t) -+ allow $1 cupsd_unit_file_t:service all_service_perms; -+') -+ -+######################################## -+## -+## Transition to cups named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cups_filetrans_named_content',` -+ gen_require(` -+ type cupsd_rw_etc_t; -+ type cupsd_etc_t; -+ ') -+ -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat") -+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat") -+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") -+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") -+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") -+') -+ -+######################################## -+## -+## Allow the domain to read cups state files in /proc. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cups_read_state',` -+ gen_require(` -+ type cupsd_t; -+ ') -+ -+ kernel_search_proc($1) -+ ps_process_pattern($1, cupsd_t) - ') -diff --git a/cups.te b/cups.te -index 9f34c2e..d084359 100644 ---- a/cups.te -+++ b/cups.te -@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) - # Declarations - # - --type cupsd_config_t; -+attribute cups_domain; -+ -+type cupsd_config_t, cups_domain; - type cupsd_config_exec_t; - init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) - - type cupsd_config_var_run_t; - files_pid_file(cupsd_config_var_run_t) - --type cupsd_t; -+type cupsd_t, cups_domain; - type cupsd_exec_t; -+typealias cupsd_t alias hplip_t; -+typealias cupsd_exec_t alias hplip_exec_t; - init_daemon_domain(cupsd_t, cupsd_exec_t) - mls_trusted_object(cupsd_t) - - type cupsd_etc_t; -+typealias cupsd_etc_t alias hplip_etc_t; - files_config_file(cupsd_etc_t) - - type cupsd_initrc_exec_t; -@@ -33,13 +38,15 @@ type cupsd_lock_t; - files_lock_file(cupsd_lock_t) - - type cupsd_log_t; -+typealias cupsd_log_t alias hplip_var_log_t; - logging_log_file(cupsd_log_t) - --type cupsd_lpd_t; -+type cupsd_var_lib_t alias hplip_var_lib_t; -+files_type(cupsd_var_lib_t) -+ -+type cupsd_lpd_t, cups_domain; - type cupsd_lpd_exec_t; --domain_type(cupsd_lpd_t) --domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) --role system_r types cupsd_lpd_t; -+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t) - - type cupsd_lpd_tmp_t; - files_tmp_file(cupsd_lpd_tmp_t) -@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t) - type cupsd_lpd_var_run_t; - files_pid_file(cupsd_lpd_var_run_t) - --type cups_pdf_t; -+type cups_pdf_t, cups_domain; - type cups_pdf_exec_t; - cups_backend(cups_pdf_t, cups_pdf_exec_t) - -@@ -55,29 +62,17 @@ type cups_pdf_tmp_t; - files_tmp_file(cups_pdf_tmp_t) - - type cupsd_tmp_t; -+typealias cupsd_tmp_t alias hplip_tmp_t; - files_tmp_file(cupsd_tmp_t) - - type cupsd_var_run_t; -+typealias cupsd_var_run_t alias hplip_var_run_t; - files_pid_file(cupsd_var_run_t) - 
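Review bot: In cups_admin the new `allow $1 cupsd_unit_file_t:service all_service_perms;` follows `cupsd_systemctl($1)`, which already grants `manage_service_perms` on the same type, so one of the two is redundant and the pair leaves it unclear which permission set the admin is meant to hold; keep the explicit `all_service_perms` line and drop the interface call, or the reverse, but not both. The hunk also removes `files_list_pids($1)` while keeping `admin_pattern` on `cupsd_var_run_t`, `cupsd_config_var_run_t`, `hplip_var_run_t` and the others; unless the caller gets `/var/run` search from elsewhere, an admin cannot reach those files. The new `cups_filetrans_named_content` labels any freshly created `inf` directory in /etc, /usr or a bin directory as writable `cupsd_rw_etc_t`, which is broad for a config type; a comment naming the Brother/Printer driver layouts it exists for would justify it, e.g. `# vendor drivers (Brother, Printer) create inf/ dirs outside /etc/cups`.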
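Review bot: The `typealias cupsd_t alias hplip_t` and `typealias cupsd_exec_t alias hplip_exec_t` lines fold the hplip domain into cupsd_t, so every HP tool now runs with cupsd_t's capability set (`sys_admin`, `sys_rawio`, `chown`, `kill`, `dac_override` further down this file, plus `setuid setgid sys_nice` via `cups_domain`) instead of the three capabilities hplip_t had. Conversely hplip_t's `net_raw` capability and `rawip_socket create_socket_perms` go away with the old HPLIP section and are not re-added to cupsd_t, so an HP tool that opens a raw socket will be denied unless that is granted elsewhere. A short comment above the aliases stating that the merge is deliberate and that the old names survive only so existing labels stay valid would help, e.g. `# hplip_t is folded into cupsd_t; aliases keep hplip_* labels resolvable`.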
init_daemon_run_dir(cupsd_var_run_t, "cups") - mls_trusted_object(cupsd_var_run_t) - --type hplip_t; --type hplip_exec_t; --init_daemon_domain(hplip_t, hplip_exec_t) --cups_backend(hplip_t, hplip_exec_t) -- --type hplip_etc_t; --files_config_file(hplip_etc_t) -- --type hplip_tmp_t; --files_tmp_file(hplip_tmp_t) -- --type hplip_var_lib_t; --files_type(hplip_var_lib_t) -- --type hplip_var_run_t; --files_pid_file(hplip_var_run_t) -+type cupsd_unit_file_t; -+systemd_unit_file(cupsd_unit_file_t) - - type ptal_t; - type ptal_exec_t; -@@ -97,21 +92,49 @@ ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) - ') - -+####################################### -+# -+# Cups general local policy -+# -+ -+allow cups_domain self:capability { setuid setgid sys_nice }; -+allow cups_domain self:process { getsched setsched signal_perms }; -+allow cups_domain self:fifo_file rw_fifo_file_perms; -+allow cups_domain self:tcp_socket { accept listen }; -+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms; -+ -+kernel_read_kernel_sysctls(cups_domain) -+kernel_read_network_state(cups_domain) -+ -+corecmd_exec_bin(cups_domain) -+corecmd_exec_shell(cups_domain) -+ -+dev_read_urand(cups_domain) -+dev_read_rand(cups_domain) -+dev_read_sysfs(cups_domain) -+ -+fs_getattr_all_fs(cups_domain) -+ -+miscfiles_read_fonts(cups_domain) -+miscfiles_setattr_fonts_cache_dirs(cups_domain) -+ -+optional_policy(` -+ lpd_manage_spool(cups_domain) -+') -+ - ######################################## - # - # Cups local policy - # - --allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; - dontaudit cupsd_t self:capability { sys_tty_config net_admin }; - allow cupsd_t self:capability2 
block_suspend; --allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; --allow cupsd_t self:fifo_file rw_fifo_file_perms; -+allow cupsd_t self:process { getpgid setpgid setsched }; - allow cupsd_t self:unix_stream_socket { accept connectto listen }; - allow cupsd_t self:netlink_selinux_socket create_socket_perms; - allow cupsd_t self:shm create_shm_perms; - allow cupsd_t self:sem create_sem_perms; --allow cupsd_t self:tcp_socket { accept listen }; - allow cupsd_t self:appletalk_socket create_socket_perms; - - allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - - manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) -+can_exec(cupsd_t, cupsd_interface_t) - - manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) - files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) -+cups_filetrans_named_content(cupsd_t) - - allow cupsd_t cupsd_exec_t:dir search_dir_perms; - allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; - files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - - manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) --append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) --create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) --read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) --setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) - -+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) -+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) -+ - manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - manage_files_pattern(cupsd_t, 
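Review bot: The new `cups_domain` attribute block grants `corecmd_exec_bin` and `corecmd_exec_shell` to every member, including `cupsd_lpd_t`, whose removed lines in this patch show no such rules and which serves the unauthenticated LPD protocol from inetd. Unless cupsd_lpd_t already had bin and shell execution elsewhere in this file, this widens what a compromised cups-lpd can launch; consider leaving those two rules on the individual domains that need them (cupsd_t, cupsd_config_t, cups_pdf_t all had them before) rather than on the attribute. The block would also benefit from a comment saying what the attribute covers, e.g. `# cups_domain: rules shared by cupsd_t, cupsd_config_t, cupsd_lpd_t and cups_pdf_t`.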
cupsd_tmp_t, cupsd_tmp_t) - manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) - -+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; - manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) - --allow cupsd_t hplip_t:process { signal sigkill }; -- --read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -+allow cupsd_t cupsd_unit_file_t:file read_file_perms; - --allow cupsd_t hplip_var_run_t:file read_file_perms; - - stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) - allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; - can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) - - kernel_read_system_state(cupsd_t) --kernel_read_network_state(cupsd_t) - kernel_read_all_sysctls(cupsd_t) - kernel_request_load_module(cupsd_t) - --corenet_all_recvfrom_unlabeled(cupsd_t) - corenet_all_recvfrom_netlabel(cupsd_t) - corenet_tcp_sendrecv_generic_if(cupsd_t) - corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) - corenet_tcp_bind_all_rpc_ports(cupsd_t) - corenet_tcp_connect_all_ports(cupsd_t) - --corecmd_exec_bin(cupsd_t) --corecmd_exec_shell(cupsd_t) -+corenet_sendrecv_hplip_client_packets(cupsd_t) -+corenet_receive_hplip_server_packets(cupsd_t) -+corenet_tcp_bind_hplip_port(cupsd_t) -+corenet_tcp_connect_hplip_port(cupsd_t) -+corenet_tcp_bind_glance_port(cupsd_t) -+corenet_tcp_connect_glance_port(cupsd_t) -+ -+corenet_sendrecv_ipp_client_packets(cupsd_t) -+corenet_tcp_connect_ipp_port(cupsd_t) -+ 
-+corenet_sendrecv_howl_server_packets(cupsd_t) -+corenet_udp_bind_howl_port(cupsd_t) - - dev_rw_printer(cupsd_t) --dev_read_urand(cupsd_t) --dev_read_sysfs(cupsd_t) - dev_rw_input_dev(cupsd_t) - dev_rw_generic_usb_dev(cupsd_t) - dev_rw_usbfs(cupsd_t) -@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t) - files_getattr_boot_dirs(cupsd_t) - files_list_spool(cupsd_t) - files_read_etc_runtime_files(cupsd_t) --files_read_usr_files(cupsd_t) - files_exec_usr_files(cupsd_t) - # for /var/lib/defoma - files_read_var_lib_files(cupsd_t) -@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t) - files_read_world_readable_symlinks(cupsd_t) - files_read_var_files(cupsd_t) - files_read_var_symlinks(cupsd_t) --files_write_generic_pid_pipes(cupsd_t) - files_dontaudit_getattr_all_tmp_files(cupsd_t) - files_dontaudit_list_home(cupsd_t) - # for /etc/printcap - files_dontaudit_write_etc_files(cupsd_t) -+files_dontaudit_write_usr_dirs(cupsd_t) - --fs_getattr_all_fs(cupsd_t) - fs_search_auto_mountpoints(cupsd_t) - fs_search_fusefs(cupsd_t) - fs_read_anon_inodefs_files(cupsd_t) -+fs_rw_anon_inodefs_files(cupsd_t) -+fs_rw_inherited_tmpfs_files(cupsd_t) - - mls_fd_use_all_levels(cupsd_t) - mls_file_downgrade(cupsd_t) -@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t) - - term_search_ptys(cupsd_t) - term_use_unallocated_ttys(cupsd_t) -+term_use_ptmx(cupsd_t) -+term_use_usb_ttys(cupsd_t) - - selinux_compute_access_vector(cupsd_t) - selinux_validate_context(cupsd_t) -@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) - auth_rw_faillog(cupsd_t) - auth_use_nsswitch(cupsd_t) - --libs_read_lib_files(cupsd_t) - libs_exec_lib_files(cupsd_t) - - logging_send_audit_msgs(cupsd_t) - logging_send_syslog_msg(cupsd_t) - --miscfiles_read_localization(cupsd_t) --miscfiles_read_fonts(cupsd_t) --miscfiles_setattr_fonts_cache_dirs(cupsd_t) -- - seutil_read_config(cupsd_t) - - sysnet_exec_ifconfig(cupsd_t) -+sysnet_dns_name_resolve(cupsd_t) - - 
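Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` let the print server bind and connect to the OpenStack Glance port type, which nothing in the printing rules around them explains. If this works around a port number that `glance_port_t` shares with an HP or JetDirect port, say so above the two lines, e.g. `# glance_port_t overlaps a port number hplip uses`; otherwise they should be dropped. Since the context line `corenet_tcp_connect_all_ports(cupsd_t)` already covers outbound connects, the connect rule is redundant either way and only the bind is doing work.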
userdom_dontaudit_use_unpriv_user_fds(cupsd_t) -+userdom_dontaudit_search_user_home_dirs(cupsd_t) -+userdom_dontaudit_search_user_home_content(cupsd_t) -+userdom_dontaudit_use_unpriv_user_fds(cupsd_t) - userdom_dontaudit_search_user_home_content(cupsd_t) - - optional_policy(` -@@ -275,6 +305,8 @@ optional_policy(` - optional_policy(` - dbus_system_bus_client(cupsd_t) - -+ init_dbus_chat(cupsd_t) -+ - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` -@@ -285,8 +317,10 @@ optional_policy(` - hal_dbus_chat(cupsd_t) - ') - -+ # talk to processes that do not have policy - optional_policy(` - unconfined_dbus_chat(cupsd_t) -+ files_write_generic_pid_pipes(cupsd_t) - ') - ') - -@@ -299,8 +333,8 @@ optional_policy(` - ') - - optional_policy(` -+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0") - kerberos_manage_host_rcache(cupsd_t) -- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0") - ') - - optional_policy(` -@@ -309,7 +343,6 @@ optional_policy(` - - optional_policy(` - lpd_exec_lpr(cupsd_t) -- lpd_manage_spool(cupsd_t) - lpd_read_config(cupsd_t) - lpd_relabel_spool(cupsd_t) - ') -@@ -337,7 +370,11 @@ optional_policy(` - ') - - optional_policy(` -- virt_rw_all_image_chr_files(cupsd_t) -+ virt_rw_chr_files(cupsd_t) -+') -+ -+optional_policy(` -+ vmware_read_system_config(cupsd_t) - ') - - ######################################## -@@ -345,12 +382,11 @@ optional_policy(` - # Configuration daemon local policy - # - --allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; -+allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; - dontaudit cupsd_config_t self:capability sys_tty_config; --allow cupsd_config_t self:process { getsched signal_perms }; --allow cupsd_config_t self:fifo_file rw_fifo_file_perms; --allow cupsd_config_t self:tcp_socket { accept listen }; -+allow cupsd_config_t self:process { getsched }; - -+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t) - allow cupsd_config_t 
cupsd_t:process signal; - ps_process_pattern(cupsd_config_t, cupsd_t) - -@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run - manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) - files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) - --read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) -+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) - - stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - - can_exec(cupsd_config_t, cupsd_config_exec_t) -- --domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -+can_exec(cupsd_config_t, cupsd_exec_t) - - kernel_read_system_state(cupsd_config_t) - kernel_read_all_sysctls(cupsd_config_t) - --corenet_all_recvfrom_unlabeled(cupsd_config_t) - corenet_all_recvfrom_netlabel(cupsd_config_t) - corenet_tcp_sendrecv_generic_if(cupsd_config_t) - corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) - corenet_sendrecv_all_client_packets(cupsd_config_t) - corenet_tcp_connect_all_ports(cupsd_config_t) - --corecmd_exec_bin(cupsd_config_t) --corecmd_exec_shell(cupsd_config_t) -- --dev_read_sysfs(cupsd_config_t) --dev_read_urand(cupsd_config_t) --dev_read_rand(cupsd_config_t) - dev_rw_generic_usb_dev(cupsd_config_t) - - files_read_etc_runtime_files(cupsd_config_t) --files_read_usr_files(cupsd_config_t) - files_read_var_symlinks(cupsd_config_t) - files_search_all_mountpoints(cupsd_config_t) - --fs_getattr_all_fs(cupsd_config_t) - fs_search_auto_mountpoints(cupsd_config_t) - - domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) - - logging_send_syslog_msg(cupsd_config_t) - --miscfiles_read_localization(cupsd_config_t) --miscfiles_read_hwdata(cupsd_config_t) -- --seutil_dontaudit_search_config(cupsd_config_t) -- - userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) - 
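Review bot: `can_exec(cupsd_config_t, cupsd_exec_t)` in this hunk sits alongside `domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` added in the previous hunk; the domtrans installs a `type_transition` on cupsd_exec_t, so the no-transition execute that can_exec grants is reachable only through an explicit setexeccon, and having both leaves unclear whether the config daemon's hp helpers are meant to stay in cupsd_config_t or move into cupsd_t. Keep one and comment the intent, e.g. `# hp-* helpers run as cupsd_t now that hplip_exec_t is cupsd_exec_t`. The replaced `domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)` moved into the much narrower hplip domain, so this is also a privilege increase for whatever cupsd_config_t launches.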
userdom_dontaudit_search_user_home_dirs(cupsd_config_t) - userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +473,12 @@ optional_policy(` - ') - - optional_policy(` -+ gnome_dontaudit_search_config(cupsd_config_t) -+') -+ -+optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) -- hal_dontaudit_use_fds(hplip_t) - ') - - optional_policy(` -@@ -490,10 +514,6 @@ optional_policy(` - # Lpd local policy - # - --allow cupsd_lpd_t self:capability { setuid setgid }; --allow cupsd_lpd_t self:process signal_perms; --allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; --allow cupsd_lpd_t self:tcp_socket { accept listen }; - allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - - allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - - kernel_read_kernel_sysctls(cupsd_lpd_t) - kernel_read_system_state(cupsd_lpd_t) --kernel_read_network_state(cupsd_lpd_t) - --corenet_all_recvfrom_unlabeled(cupsd_lpd_t) - corenet_all_recvfrom_netlabel(cupsd_lpd_t) - corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) - corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) - - corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) - corenet_tcp_connect_ipp_port(cupsd_lpd_t) -+corenet_tcp_bind_printer_port(cupsd_lpd_t) -+corenet_tcp_connect_printer_port(cupsd_lpd_t) - corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) - --dev_read_urand(cupsd_lpd_t) --dev_read_rand(cupsd_lpd_t) -- --fs_getattr_xattr_fs(cupsd_lpd_t) -- - files_search_home(cupsd_lpd_t) - - auth_use_nsswitch(cupsd_lpd_t) - - logging_send_syslog_msg(cupsd_lpd_t) - --miscfiles_read_localization(cupsd_lpd_t) --miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) -- - optional_policy(` - inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) - ') -@@ -546,7 +558,6 @@ optional_policy(` - # - - allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; --allow cups_pdf_t 
self:fifo_file rw_fifo_file_perms; - allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; - - append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t) - - kernel_read_system_state(cups_pdf_t) - --files_read_usr_files(cups_pdf_t) -- --corecmd_exec_bin(cups_pdf_t) --corecmd_exec_shell(cups_pdf_t) -- - auth_use_nsswitch(cups_pdf_t) - --miscfiles_read_localization(cups_pdf_t) --miscfiles_read_fonts(cups_pdf_t) --miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) -- - userdom_manage_user_home_content_dirs(cups_pdf_t) - userdom_manage_user_home_content_files(cups_pdf_t) --userdom_home_filetrans_user_home_dir(cups_pdf_t) -+userdom_filetrans_home_content(cups_pdf_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(cups_pdf_t) - fs_manage_nfs_files(cups_pdf_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(cups_pdf_t) -- fs_manage_cifs_files(cups_pdf_t) --') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` -- lpd_manage_spool(cups_pdf_t) -+ gnome_read_config(cups_pdf_t) - ') - --######################################## --# --# HPLIP local policy --# -- --allow hplip_t self:capability { dac_override dac_read_search net_raw }; --dontaudit hplip_t self:capability sys_tty_config; --allow hplip_t self:fifo_file rw_fifo_file_perms; --allow hplip_t self:process signal_perms; --allow hplip_t self:tcp_socket { accept listen }; --allow hplip_t self:rawip_socket create_socket_perms; -- --allow hplip_t cupsd_etc_t:dir search_dir_perms; -- --manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) --manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) --files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file }) -- --allow hplip_t hplip_etc_t:dir list_dir_perms; --allow hplip_t hplip_etc_t:file read_file_perms; --allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; -- --manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) 
--manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) -- --manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) --files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) -- --manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) --files_pid_filetrans(hplip_t, hplip_var_run_t, file) -- --stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) -- --kernel_read_system_state(hplip_t) --kernel_read_kernel_sysctls(hplip_t) -- --corenet_all_recvfrom_unlabeled(hplip_t) --corenet_all_recvfrom_netlabel(hplip_t) --corenet_tcp_sendrecv_generic_if(hplip_t) --corenet_udp_sendrecv_generic_if(hplip_t) --corenet_raw_sendrecv_generic_if(hplip_t) --corenet_tcp_sendrecv_generic_node(hplip_t) --corenet_udp_sendrecv_generic_node(hplip_t) --corenet_raw_sendrecv_generic_node(hplip_t) --corenet_tcp_sendrecv_all_ports(hplip_t) --corenet_udp_sendrecv_all_ports(hplip_t) --corenet_tcp_bind_generic_node(hplip_t) --corenet_udp_bind_generic_node(hplip_t) -- --corenet_sendrecv_hplip_client_packets(hplip_t) --corenet_receive_hplip_server_packets(hplip_t) --corenet_tcp_bind_hplip_port(hplip_t) --corenet_tcp_connect_hplip_port(hplip_t) -- --corenet_sendrecv_ipp_client_packets(hplip_t) --corenet_tcp_connect_ipp_port(hplip_t) -- --corenet_sendrecv_howl_server_packets(hplip_t) --corenet_udp_bind_howl_port(hplip_t) -- --corecmd_exec_bin(hplip_t) -- --dev_read_sysfs(hplip_t) --dev_rw_printer(hplip_t) --dev_read_urand(hplip_t) --dev_read_rand(hplip_t) --dev_rw_generic_usb_dev(hplip_t) --dev_rw_usbfs(hplip_t) -- --domain_use_interactive_fds(hplip_t) -- --files_read_etc_files(hplip_t) --files_read_etc_runtime_files(hplip_t) --files_read_usr_files(hplip_t) -- --fs_getattr_all_fs(hplip_t) --fs_search_auto_mountpoints(hplip_t) --fs_rw_anon_inodefs_files(hplip_t) -- --logging_send_syslog_msg(hplip_t) -- --miscfiles_read_localization(hplip_t) -- --sysnet_dns_name_resolve(hplip_t) -- --userdom_dontaudit_use_unpriv_user_fds(hplip_t) 
--userdom_dontaudit_search_user_home_dirs(hplip_t) --userdom_dontaudit_search_user_home_content(hplip_t) -- --optional_policy(` -- dbus_system_bus_client(hplip_t) -- -- optional_policy(` -- userdom_dbus_send_all_users(hplip_t) -- ') --') -- --optional_policy(` -- lpd_read_config(hplip_t) -- lpd_manage_spool(hplip_t) --') -- --optional_policy(` -- seutil_sigchld_newrole(hplip_t) --') -- --optional_policy(` -- snmp_read_snmp_var_lib_files(hplip_t) --') -- --optional_policy(` -- udev_read_db(hplip_t) --') - - ######################################## - # -@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t) - kernel_list_proc(ptal_t) - kernel_read_proc_symlinks(ptal_t) - --corenet_all_recvfrom_unlabeled(ptal_t) - corenet_all_recvfrom_netlabel(ptal_t) - corenet_tcp_sendrecv_generic_if(ptal_t) - corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) - corenet_tcp_bind_ptal_port(ptal_t) - corenet_tcp_sendrecv_ptal_port(ptal_t) - --dev_read_sysfs(ptal_t) - dev_read_usbfs(ptal_t) - dev_rw_printer(ptal_t) - - domain_use_interactive_fds(ptal_t) - --files_read_etc_files(ptal_t) - files_read_etc_runtime_files(ptal_t) - - fs_getattr_all_fs(ptal_t) -@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t) - - logging_send_syslog_msg(ptal_t) - --miscfiles_read_localization(ptal_t) -- - sysnet_read_config(ptal_t) - - userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +650,4 @@ optional_policy(` - optional_policy(` - udev_read_db(ptal_t) - ') -+ -diff --git a/cvs.if b/cvs.if -index 9fa7ffb..fd3262c 100644 ---- a/cvs.if -+++ b/cvs.if -@@ -1,5 +1,23 @@ - ## Concurrent versions system. - -+###################################### -+## -+## Dontaudit Attempts to list the CVS data and metadata. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`cvs_dontaudit_list_data',` -+ gen_require(` -+ type cvs_data_t; -+ ') -+ -+ dontaudit $1 cvs_data_t:dir list_dir_perms; -+') -+ - ######################################## - ## - ## Read CVS data and metadata content. -@@ -62,9 +80,14 @@ interface(`cvs_admin',` - type cvs_data_t, cvs_var_run_t; - ') - -- allow $1 cvs_t:process { ptrace signal_perms }; -+ allow $1 cvs_t:process signal_perms; - ps_process_pattern($1, cvs_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cvs_t:process ptrace; -+ ') -+ -+ # Allow cvs_t to restart the apache service - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; -diff --git a/cvs.te b/cvs.te -index 53fc3af..897ad64 100644 ---- a/cvs.te -+++ b/cvs.te -@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) - ## password files. - ##

    - ## --gen_tunable(allow_cvs_read_shadow, false) -+gen_tunable(cvs_read_shadow, false) - - type cvs_t; - type cvs_exec_t; - inetd_tcp_service_domain(cvs_t, cvs_exec_t) -+init_domain(cvs_t, cvs_exec_t) - application_executable_file(cvs_exec_t) - - type cvs_data_t; # customizable -@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t) - corecmd_exec_bin(cvs_t) - corecmd_exec_shell(cvs_t) - -+corenet_all_recvfrom_netlabel(cvs_t) -+corenet_tcp_sendrecv_generic_if(cvs_t) -+corenet_udp_sendrecv_generic_if(cvs_t) -+corenet_tcp_sendrecv_generic_node(cvs_t) -+corenet_udp_sendrecv_generic_node(cvs_t) -+corenet_tcp_sendrecv_all_ports(cvs_t) -+corenet_udp_sendrecv_all_ports(cvs_t) -+corenet_tcp_bind_cvs_port(cvs_t) -+ - dev_read_urand(cvs_t) - - files_read_etc_runtime_files(cvs_t) -@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t) - - init_read_utmp(cvs_t) - -+init_dontaudit_read_utmp(cvs_t) -+ - logging_send_syslog_msg(cvs_t) - logging_send_audit_msgs(cvs_t) - --miscfiles_read_localization(cvs_t) -- - mta_send_mail(cvs_t) - - userdom_dontaudit_search_user_home_dirs(cvs_t) - - # cjp: typeattribute doesnt work in conditionals yet - auth_can_read_shadow_passwords(cvs_t) --tunable_policy(`allow_cvs_read_shadow',` -+tunable_policy(`cvs_read_shadow',` - allow cvs_t self:capability dac_override; - auth_tunable_read_shadow(cvs_t) - ') -@@ -103,4 +113,5 @@ optional_policy(` - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) - ') -diff --git a/cyphesis.te b/cyphesis.te -index 916427f..556f1ac 100644 ---- a/cyphesis.te -+++ b/cyphesis.te -@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) - corecmd_search_bin(cyphesis_t) - corecmd_getattr_bin_files(cyphesis_t) - --corenet_all_recvfrom_unlabeled(cyphesis_t) - corenet_tcp_sendrecv_generic_if(cyphesis_t) - 
corenet_tcp_sendrecv_generic_node(cyphesis_t) - corenet_tcp_bind_generic_node(cyphesis_t) -@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t) - - domain_use_interactive_fds(cyphesis_t) - --files_read_etc_files(cyphesis_t) --files_read_usr_files(cyphesis_t) - - logging_send_syslog_msg(cyphesis_t) - --miscfiles_read_localization(cyphesis_t) -- - sysnet_dns_name_resolve(cyphesis_t) - - optional_policy(` -diff --git a/cyrus.if b/cyrus.if -index 6508280..a2860e3 100644 ---- a/cyrus.if -+++ b/cyrus.if -@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) - ') - -+####################################### -+## -+## Allow write cyrus data files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cyrus_write_data',` -+ gen_require(` -+ type cyrus_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) -+') -+ - ######################################## - ## - ## Connect to Cyrus using a unix -@@ -63,9 +82,13 @@ interface(`cyrus_admin',` - type cyrus_var_run_t, cyrus_initrc_exec_t; - ') - -- allow $1 cyrus_t:process { ptrace signal_perms }; -+ allow $1 cyrus_t:process signal_perms; - ps_process_pattern($1, cyrus_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cyrus_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; -diff --git a/cyrus.te b/cyrus.te -index 395f97c..bf8db3c 100644 ---- a/cyrus.te -+++ b/cyrus.te -@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) - # Local policy - # - --allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; -+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; - dontaudit cyrus_t self:capability sys_tty_config; - allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow 
cyrus_t self:process setrlimit; -@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t) - kernel_read_system_state(cyrus_t) - kernel_read_all_sysctls(cyrus_t) - --corenet_all_recvfrom_unlabeled(cyrus_t) - corenet_all_recvfrom_netlabel(cyrus_t) - corenet_tcp_sendrecv_generic_if(cyrus_t) - corenet_tcp_sendrecv_generic_node(cyrus_t) -@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t) - corenet_sendrecv_lmtp_server_packets(cyrus_t) - corenet_tcp_bind_lmtp_port(cyrus_t) - -+corenet_sendrecv_innd_server_packets(cyrus_t) -+corenet_tcp_bind_innd_port(cyrus_t) -+ - corenet_sendrecv_pop_server_packets(cyrus_t) - corenet_tcp_bind_pop_port(cyrus_t) - -@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t) - - files_list_var_lib(cyrus_t) - files_read_etc_runtime_files(cyrus_t) --files_read_usr_files(cyrus_t) --files_dontaudit_write_usr_dirs(cyrus_t) - - fs_getattr_all_fs(cyrus_t) - fs_search_auto_mountpoints(cyrus_t) -@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t) - - logging_send_syslog_msg(cyrus_t) - --miscfiles_read_localization(cyrus_t) - miscfiles_read_generic_certs(cyrus_t) - - userdom_use_unpriv_users_fds(cyrus_t) -@@ -116,6 +115,10 @@ optional_policy(` - ') - - optional_policy(` -+ dirsrv_stream_connect(cyrus_t) -+') -+ -+optional_policy(` - kerberos_keytab_template(cyrus, cyrus_t) - ') - -@@ -128,8 +131,8 @@ optional_policy(` - ') - - optional_policy(` -- snmp_read_snmp_var_lib_files(cyrus_t) -- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) -+ files_dontaudit_write_usr_dirs(cyrus_t) -+ snmp_manage_var_lib_files(cyrus_t) - snmp_stream_connect(cyrus_t) - ') - -diff --git a/daemontools.if b/daemontools.if -index 3b3d9a0..6c8106a 100644 ---- a/daemontools.if -+++ b/daemontools.if -@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',` - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; - ') -+ -diff --git a/daemontools.te b/daemontools.te -index 0165962..2569147 100644 ---- a/daemontools.te -+++ b/daemontools.te -@@ 
-44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; - allow svc_multilog_t svc_start_t:fd use; - allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms; - -+term_write_console(svc_multilog_t) -+ - init_use_fds(svc_multilog_t) -+init_dontaudit_use_script_fds(svc_multilog_t) - - logging_manage_generic_logs(svc_multilog_t) - -@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t) - corecmd_exec_bin(svc_run_t) - corecmd_exec_shell(svc_run_t) - --files_read_etc_files(svc_run_t) -+term_write_console(svc_run_t) -+ - files_read_etc_runtime_files(svc_run_t) - files_search_pids(svc_run_t) - files_search_var_lib(svc_run_t) -@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit }; - - can_exec(svc_start_t, svc_start_exec_t) - -+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) - domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t) - - kernel_read_kernel_sysctls(svc_start_t) -@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t) - corecmd_exec_bin(svc_start_t) - corecmd_exec_shell(svc_start_t) - --files_read_etc_files(svc_start_t) -+corenet_tcp_bind_generic_node(svc_start_t) -+corenet_tcp_bind_generic_port(svc_start_t) -+ -+term_write_console(svc_start_t) -+ - files_read_etc_runtime_files(svc_start_t) - files_search_var(svc_start_t) - files_search_pids(svc_start_t) - - logging_send_syslog_msg(svc_start_t) -- --miscfiles_read_localization(svc_start_t) -diff --git a/dante.te b/dante.te -index 98a2d6a..fff0987 100644 ---- a/dante.te -+++ b/dante.te -@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t) - - domain_use_interactive_fds(dante_t) - --files_read_etc_files(dante_t) - files_read_etc_runtime_files(dante_t) - - fs_getattr_all_fs(dante_t) -diff --git a/dbadm.te b/dbadm.te -index a67870a..f7c0e61 100644 ---- a/dbadm.te -+++ b/dbadm.te -@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) - - role dbadm_r; - --userdom_base_user_template(dbadm) -+userdom_confined_admin_template(dbadm) - - ######################################## - # - # 
Local policy - # - --allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; -+allow dbadm_t self:capability { dac_override dac_read_search }; - - files_dontaudit_search_all_dirs(dbadm_t) - files_delete_generic_locks(dbadm_t) -@@ -39,6 +39,7 @@ files_list_var(dbadm_t) - selinux_get_enforce_mode(dbadm_t) - - logging_send_syslog_msg(dbadm_t) -+logging_send_audit_msgs(dbadm_t) - - userdom_dontaudit_search_user_home_dirs(dbadm_t) - -@@ -60,3 +61,7 @@ optional_policy(` - optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) - ') -+ -+optional_policy(` -+ sudo_role_template(dbadm, dbadm_r, dbadm_t) -+') -diff --git a/dbskk.te b/dbskk.te -index 188e2e6..719583e 100644 ---- a/dbskk.te -+++ b/dbskk.te -@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t) - kernel_read_system_state(dbskkd_t) - kernel_read_network_state(dbskkd_t) - --corenet_all_recvfrom_unlabeled(dbskkd_t) - corenet_all_recvfrom_netlabel(dbskkd_t) - corenet_tcp_sendrecv_generic_if(dbskkd_t) - corenet_udp_sendrecv_generic_if(dbskkd_t) -@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t) - - fs_getattr_xattr_fs(dbskkd_t) - --files_read_etc_files(dbskkd_t) - - auth_use_nsswitch(dbskkd_t) - - logging_send_syslog_msg(dbskkd_t) -- --miscfiles_read_localization(dbskkd_t) -diff --git a/dbus.fc b/dbus.fc -index dda905b..31f269b 100644 ---- a/dbus.fc -+++ b/dbus.fc -@@ -1,20 +1,26 @@ --HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) -+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) - --/etc/dbus-.*(/.*)? 
gen_context(system_u:object_r:dbusd_etc_t,s0) -+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - --/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+ifdef(`distro_redhat',` -+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+') - --/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - --/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+ifdef(`distro_debian',` -+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+') - --/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+ifdef(`distro_gentoo',` -+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+') - --/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - --/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) -- --/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) --/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) - -+ifdef(`distro_redhat',` - /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -+') -diff --git a/dbus.if b/dbus.if -index afcf3a2..e6ecc4d 100644 ---- a/dbus.if -+++ b/dbus.if -@@ -1,4 +1,4 @@ --## Desktop messaging bus. -+## Desktop messaging bus - - ######################################## - ## -@@ -19,7 +19,7 @@ interface(`dbus_stub',` - - ######################################## - ## --## Role access for dbus. 
-+## Role access for dbus - ## - ## - ## -@@ -41,59 +41,68 @@ interface(`dbus_stub',` - template(`dbus_role_template',` - gen_require(` - class dbus { send_msg acquire_svc }; -- attribute session_bus_type; -- type system_dbusd_t, dbusd_exec_t; -- type session_dbusd_tmp_t, session_dbusd_home_t; -+ attribute dbusd_unconfined, session_bus_type; -+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; -+ type $1_t; - ') - - ############################## - # -- # Declarations -+ # Delcarations - # - - type $1_dbusd_t, session_bus_type; -- domain_type($1_dbusd_t) -- domain_entry_file($1_dbusd_t, dbusd_exec_t) -+ application_domain($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) -- - role $2 types $1_dbusd_t; - -+ kernel_read_system_state($1_dbusd_t) -+ -+ selinux_get_fs_mount($1_dbusd_t) -+ -+ userdom_home_manager($1_dbusd_t) -+ - ############################## - # - # Local policy - # - -+ # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; -- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; -- allow $3 $1_dbusd_t:fd use; -- -- allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - -- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; -- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") -+ # SE-DBus specific permissions -+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; -+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - - ps_process_pattern($3, $1_dbusd_t) -- allow $3 $1_dbusd_t:process { ptrace signal_perms }; -+ allow $3 $1_dbusd_t:process signal_perms; - -- allow $1_dbusd_t $3:process sigkill; -+ tunable_policy(`deny_ptrace',`',` -+ allow $3 $1_dbusd_t:process ptrace; -+ ') - -- corecmd_bin_domtrans($1_dbusd_t, $3) -- corecmd_shell_domtrans($1_dbusd_t, $3) -+ 
# cjp: this seems very broken -+ corecmd_bin_domtrans($1_dbusd_t, $1_t) -+ corecmd_shell_domtrans($1_dbusd_t, $1_t) -+ allow $1_dbusd_t $3:process sigkill; -+ allow $3 $1_dbusd_t:fd use; -+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - - auth_use_nsswitch($1_dbusd_t) - -- ifdef(`hide_broken_symptoms',` -- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; -+ logging_send_syslog_msg($1_dbusd_t) -+ -+ optional_policy(` -+ mozilla_domtrans_spec($1_dbusd_t, $1_t) - ') - ') - - ####################################### - ## - ## Template for creating connections to --## the system bus. -+## the system DBUS. - ## - ## - ## -@@ -103,65 +112,29 @@ template(`dbus_role_template',` - # - interface(`dbus_system_bus_client',` - gen_require(` -- attribute dbusd_system_bus_client; -- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t; -+ type system_dbusd_t, system_dbusd_t; -+ type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; -+ attribute dbusd_unconfined; - ') - -- typeattribute $1 dbusd_system_bus_client; -- -+ # SE-DBus specific permissions - allow $1 { system_dbusd_t self }:dbus send_msg; -- allow system_dbusd_t $1:dbus send_msg; -+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; - -- files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -+ files_search_var_lib($1) - -+ # For connecting to the bus - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) -- - dbus_read_config($1) - ') - - ####################################### - ## --## Acquire service on DBUS --## session bus. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`dbus_connect_session_bus',` -- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') -- dbus_connect_all_session_bus($1) --') -- --####################################### --## --## Acquire service on all DBUS --## session busses. --## --## --## --## Domain allowed access. --## --## --# --interface(`dbus_connect_all_session_bus',` -- gen_require(` -- attribute session_bus_type; -- class dbus acquire_svc; -- ') -- -- allow $1 session_bus_type:dbus acquire_svc; --') -- --####################################### --## --## Acquire service on specified --## DBUS session bus. -+## Creating connections to specified -+## DBUS sessions. - ## - ## - ## -@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',` - ## - ## - # --interface(`dbus_connect_spec_session_bus',` -+interface(`dbus_session_client',` - gen_require(` -+ class dbus send_msg; - type $1_dbusd_t; -- class dbus acquire_svc; - ') - -- allow $2 $1_dbusd_t:dbus acquire_svc; -+ allow $2 $1_dbusd_t:fd use; -+ allow $2 { $1_dbusd_t self }:dbus send_msg; -+ allow $2 $1_dbusd_t:unix_stream_socket connectto; - ') - - ####################################### - ## --## Creating connections to DBUS --## session bus. -+## Template for creating connections to -+## a user DBUS. - ## - ## - ## -@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',` - ## - # - interface(`dbus_session_bus_client',` -- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') -- dbus_all_session_bus_client($1) --') -- --####################################### --## --## Creating connections to all --## DBUS session busses. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`dbus_all_session_bus_client',` - gen_require(` -- attribute session_bus_type, dbusd_session_bus_client; -+ attribute session_bus_type; - class dbus send_msg; - ') - -- typeattribute $1 dbusd_session_bus_client; -- -+ # SE-DBus specific permissions - allow $1 { session_bus_type self }:dbus send_msg; -- allow session_bus_type $1:dbus send_msg; -- -- allow $1 session_bus_type:unix_stream_socket connectto; -- allow $1 session_bus_type:fd use; --') - --####################################### --## --## Creating connections to specified --## DBUS session bus. --## --## --## --## The prefix of the user role (e.g., user --## is the prefix for user_r). --## --## --## --## --## Domain allowed access. --## --## --# --interface(`dbus_spec_session_bus_client',` -- gen_require(` -- attribute dbusd_session_bus_client; -- type $1_dbusd_t; -- class dbus send_msg; -- ') -- -- typeattribute $2 dbusd_session_bus_client; -- -- allow $2 { $1_dbusd_t self }:dbus send_msg; -- allow $1_dbusd_t $2:dbus send_msg; -+ # For connecting to the bus -+ allow $1 session_bus_type:unix_stream_socket connectto; - -- allow $2 $1_dbusd_t:unix_stream_socket connectto; -- allow $2 $1_dbusd_t:fd use; -+ allow session_bus_type $1:process sigkill; - ') - --####################################### -+######################################## - ## --## Send messages to DBUS session bus. -+## Send a message the session DBUS. - ## - ## - ## -@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',` - ## - # - interface(`dbus_send_session_bus',` -- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') -- dbus_send_all_session_bus($1) --') -- --####################################### --## --## Send messages to all DBUS --## session busses. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`dbus_send_all_session_bus',` - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - -- allow $1 dbus_session_bus_type:dbus send_msg; --') -- --####################################### --## --## Send messages to specified --## DBUS session busses. --## --## --## --## The prefix of the user role (e.g., user --## is the prefix for user_r). --## --## --## --## --## Domain allowed access. --## --## --# --interface(`dbus_send_spec_session_bus',` -- gen_require(` -- type $1_dbusd_t; -- class dbus send_msg; -- ') -- -- allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1 session_bus_type:dbus send_msg; - ') - - ######################################## - ## --## Read dbus configuration content. -+## Read dbus configuration. - ## - ## - ## -@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',` - - ######################################## - ## --## Allow a application domain to be --## started by the specified session bus. --## --## --## --## The prefix of the user role (e.g., user --## is the prefix for user_r). --## --## --## --## --## Type to be used as a domain. --## --## --## --## --## Type of the program to be used as an --## entry point to this domain. --## --## --# --interface(`dbus_session_domain',` -- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') -- dbus_all_session_domain($1, $2) --') -- --######################################## --## --## Allow a application domain to be --## started by the specified session bus. -+## Connect to the system DBUS -+## for service (acquire_svc). - ## - ## - ## --## Type to be used as a domain. --## --## --## --## --## Type of the program to be used as an --## entry point to this domain. -+## Domain allowed access. 
- ## - ## - # --interface(`dbus_all_session_domain',` -+interface(`dbus_connect_session_bus',` - gen_require(` -- type session_bus_type; -+ attribute session_bus_type; -+ class dbus acquire_svc; - ') - -- domtrans_pattern(session_bus_type, $2, $1) -- -- dbus_all_session_bus_client($1) -- dbus_connect_all_session_bus($1) -+ allow $1 session_bus_type:dbus acquire_svc; - ') - - ######################################## - ## --## Allow a application domain to be --## started by the specified session bus. -+## Allow a application domain to be started -+## by the session dbus. - ## --## -+## - ## --## The prefix of the user role (e.g., user --## is the prefix for user_r). -+## User domain prefix to be used. - ## - ## - ## -@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',` - ## - ## - # --interface(`dbus_spec_session_domain',` -+interface(`dbus_session_domain',` - gen_require(` - type $1_dbusd_t; - ') - - domtrans_pattern($1_dbusd_t, $2, $3) - -- dbus_spec_session_bus_client($1, $2) -- dbus_connect_spec_session_bus($1, $2) -+ dbus_session_bus_client($3) -+ dbus_connect_session_bus($3) - ') - - ######################################## - ## --## Acquire service on the DBUS system bus. -+## Connect to the system DBUS -+## for service (acquire_svc). - ## - ## - ## -@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',` - - ######################################## - ## --## Send messages to the DBUS system bus. -+## Send a message on the system DBUS. - ## - ## - ## -@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',` - - ######################################## - ## --## Unconfined access to DBUS system bus. -+## Allow unconfined access to the system DBUS. - ## - ## - ## -@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',` - - ######################################## - ## --## Create a domain for processes which --## can be started by the DBUS system bus. 
-+## Create a domain for processes -+## which can be started by the system dbus - ## - ## - ## -@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',` - # - interface(`dbus_system_domain',` - gen_require(` -+ attribute system_bus_type; - type system_dbusd_t; - role system_r; - ') -+ typeattribute $1 system_bus_type; - - domain_type($1) - domain_entry_file($1, $2) - -- role system_r types $1; -- - domtrans_pattern(system_dbusd_t, $2, $1) - -- dbus_system_bus_client($1) -- dbus_connect_system_bus($1) -- -- ps_process_pattern(system_dbusd_t, $1) -- -- userdom_read_all_users_state($1) -+ ps_process_pattern($1, system_dbusd_t) - -- ifdef(`hide_broken_symptoms', ` -- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -- ') - ') - - ######################################## - ## --## Use and inherit DBUS system bus --## file descriptors. -+## Use and inherit system DBUS file descriptors. - ## - ## - ## -@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',` - - ######################################## - ## --## Do not audit attempts to read and --## write DBUS system bus TCP sockets. -+## Allow unconfined access to the system DBUS. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_unconfined',` - gen_require(` -- type system_dbusd_t; -+ attribute dbusd_unconfined; - ') - -- dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ typeattribute $1 dbusd_unconfined; - ') - - ######################################## - ## --## Unconfined access to DBUS. 
-+## Delete all dbus pid files - ## - ## - ## -@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` - ## - ## - # --interface(`dbus_unconfined',` -+interface(`dbus_delete_pid_files',` - gen_require(` -- attribute dbusd_unconfined; -+ type system_dbusd_var_run_t; - ') - -- typeattribute $1 dbusd_unconfined; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Read all dbus pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_read_pid_files',` -+ gen_require(` -+ type system_dbusd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') -+ -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 session_bus_type:dbus send_msg; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to system bus types. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`dbus_dontaudit_chat_system_bus',` -+ gen_require(` -+ attribute system_bus_type; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; - ') -diff --git a/dbus.te b/dbus.te -index 2c2e7e1..493ab48 100644 ---- a/dbus.te -+++ b/dbus.te -@@ -1,20 +1,18 @@ --policy_module(dbus, 1.18.8) -+policy_module(dbus, 1.17.0) - - gen_require(` - class dbus all_dbus_perms; - ') - --######################################## -+############################## - # --# Declarations -+# Delcarations - # - - attribute dbusd_unconfined; -+attribute system_bus_type; - attribute session_bus_type; - --attribute dbusd_system_bus_client; --attribute dbusd_session_bus_client; -- - type dbusd_etc_t; - files_config_file(dbusd_etc_t) - -@@ -22,9 +20,6 @@ type dbusd_exec_t; - corecmd_executable_file(dbusd_exec_t) - typealias dbusd_exec_t alias system_dbusd_exec_t; - --type session_dbusd_home_t; --userdom_user_home_content(session_dbusd_home_t) -- - type session_dbusd_tmp_t; - typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; - typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t) - - type system_dbusd_var_run_t; - files_pid_file(system_dbusd_var_run_t) --init_daemon_run_dir(system_dbusd_var_run_t, "dbus") -+init_sock_file(system_dbusd_var_run_t) -+mls_trusted_object(system_dbusd_var_run_t) - - ifdef(`enable_mcs',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,58 @@ ifdef(`enable_mls',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) - ') - --######################################## -+############################## - # --# Local policy -+# System bus local policy - # - -+# dac_override: /var/run/dbus is owned by messagebus on Debian -+# cjp: dac_override should probably go in a distro_debian -+allow 
system_dbusd_t self:capability2 block_suspend; - allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; - allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; --allow system_dbusd_t self:unix_stream_socket { accept connectto listen }; -+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -+allow system_dbusd_t self:unix_dgram_socket create_socket_perms; -+# Receive notifications of policy reloads and enforcing status changes. - allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -+can_exec(system_dbusd_t, dbusd_exec_t) -+ - allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - - manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) --files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) -+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) - - read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - - manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) - manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) - manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) --files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) -- --can_exec(system_dbusd_t, dbusd_exec_t) -+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) - - kernel_read_system_state(system_dbusd_t) - kernel_read_kernel_sysctls(system_dbusd_t) - 
--corecmd_list_bin(system_dbusd_t) --corecmd_read_bin_pipes(system_dbusd_t) --corecmd_read_bin_sockets(system_dbusd_t) --corecmd_exec_shell(system_dbusd_t) -- - dev_read_urand(system_dbusd_t) - dev_read_sysfs(system_dbusd_t) - --domain_use_interactive_fds(system_dbusd_t) --domain_read_all_domains_state(system_dbusd_t) -- --files_list_home(system_dbusd_t) --files_read_usr_files(system_dbusd_t) -+files_rw_inherited_non_security_files(system_dbusd_t) - - fs_getattr_all_fs(system_dbusd_t) - fs_list_inotifyfs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) --fs_search_cgroup_dirs(system_dbusd_t) - fs_dontaudit_list_nfs(system_dbusd_t) - -+storage_rw_inherited_fixed_disk_dev(system_dbusd_t) -+storage_rw_inherited_removable_device(system_dbusd_t) -+ -+mls_trusted_object(system_dbusd_t) - mls_fd_use_all_levels(system_dbusd_t) - mls_rangetrans_target(system_dbusd_t) - mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) - auth_use_nsswitch(system_dbusd_t) - auth_read_pam_console_data(system_dbusd_t) - -+corecmd_list_bin(system_dbusd_t) -+corecmd_read_bin_pipes(system_dbusd_t) -+corecmd_read_bin_sockets(system_dbusd_t) -+# needed for system-tools-backends -+corecmd_exec_shell(system_dbusd_t) -+ -+domain_use_interactive_fds(system_dbusd_t) -+domain_read_all_domains_state(system_dbusd_t) -+ -+files_list_home(system_dbusd_t) -+ - init_use_fds(system_dbusd_t) - init_use_script_ptys(system_dbusd_t) --init_all_labeled_script_domtrans(system_dbusd_t) -+init_bin_domtrans_spec(system_dbusd_t) -+init_domtrans_script(system_dbusd_t) -+init_rw_stream_sockets(system_dbusd_t) -+init_status(system_dbusd_t) - - logging_send_audit_msgs(system_dbusd_t) - logging_send_syslog_msg(system_dbusd_t) - --miscfiles_read_localization(system_dbusd_t) - miscfiles_read_generic_certs(system_dbusd_t) - - seutil_read_config(system_dbusd_t) - seutil_read_default_contexts(system_dbusd_t) -+seutil_sigchld_newrole(system_dbusd_t) - - 
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
- userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
- 
-+userdom_home_reader(system_dbusd_t)
-+
-+optional_policy(`
-+ bind_domtrans(system_dbusd_t)
-+')
-+
- optional_policy(`
- bluetooth_stream_connect(system_dbusd_t)
- ')
- 
- optional_policy(`
-- policykit_read_lib(system_dbusd_t)
-+ cpufreqselector_dbus_chat(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ getty_start_services(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ gnome_exec_gconf(system_dbusd_t)
-+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
- ')
- 
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
-+ nis_use_ypbind(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_initrc_domtrans(system_dbusd_t)
-+ networkmanager_systemctl(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(system_dbusd_t)
-+ policykit_domtrans_auth(system_dbusd_t)
-+ policykit_search_lib(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_dhcpc(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ systemd_use_fds_logind(system_dbusd_t)
-+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
-+ systemd_write_inhibit_pipes(system_dbusd_t)
-+# These are caused by broken systemd patch
-+ systemd_start_power_services(system_dbusd_t)
-+ systemd_config_all_services(system_dbusd_t)
-+ files_config_all_files(system_dbusd_t)
- ')
- 
- optional_policy(`
- udev_read_db(system_dbusd_t)
- ')
- 
-+optional_policy(`
-+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
-+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
-+')
-+
- ########################################
- #
--# Common session bus local policy
-+# system_bus_type rules
- #
-+role system_r types system_bus_type;
-+
-+fs_search_all(system_bus_type)
-+
-+dbus_system_bus_client(system_bus_type)
-+dbus_connect_system_bus(system_bus_type)
-+
-+init_status(system_bus_type)
-+init_stream_connect(system_bus_type)
-+init_dgram_send(system_bus_type)
-+init_use_fds(system_bus_type)
-+init_rw_stream_sockets(system_bus_type)
-+
-+ps_process_pattern(system_dbusd_t, system_bus_type)
-+
-+userdom_dontaudit_search_admin_dir(system_bus_type)
-+userdom_read_all_users_state(system_bus_type)
-+
-+optional_policy(`
-+ abrt_stream_connect(system_bus_type)
-+')
-+
-+optional_policy(`
-+ rpm_script_dbus_chat(system_bus_type)
-+')
-+
-+optional_policy(`
-+ unconfined_dbus_send(system_bus_type)
-+')
- 
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
-+')
-+
-+########################################
-+#
-+# session_bus_type rules
-+#
-+allow session_bus_type self:capability2 block_suspend;
- dontaudit session_bus_type self:capability sys_resource;
- allow session_bus_type self:process { getattr sigkill signal };
--dontaudit session_bus_type self:process { ptrace setrlimit };
-+dontaudit session_bus_type self:process setrlimit;
- allow session_bus_type self:file { getattr read write };
- allow session_bus_type self:fifo_file rw_fifo_file_perms;
- allow session_bus_type self:dbus { send_msg acquire_svc };
--allow session_bus_type self:unix_stream_socket { accept listen };
--allow session_bus_type self:tcp_socket { accept listen };
-+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
-+allow session_bus_type self:unix_dgram_socket create_socket_perms;
-+allow session_bus_type self:tcp_socket create_stream_socket_perms;
- allow session_bus_type self:netlink_selinux_socket create_socket_perms;
- 
- allow session_bus_type dbusd_etc_t:dir list_dir_perms;
- read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
- read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
- 
--manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
--manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
--userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
--
- 
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
- manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
--files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
-+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
- 
--kernel_read_system_state(session_bus_type)
- kernel_read_kernel_sysctls(session_bus_type)
- 
- corecmd_list_bin(session_bus_type)
-@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
- corecmd_read_bin_pipes(session_bus_type)
- corecmd_read_bin_sockets(session_bus_type)
- 
--corenet_all_recvfrom_unlabeled(session_bus_type)
--corenet_all_recvfrom_netlabel(session_bus_type)
- corenet_tcp_sendrecv_generic_if(session_bus_type)
- corenet_tcp_sendrecv_generic_node(session_bus_type)
- corenet_tcp_sendrecv_all_ports(session_bus_type)
- corenet_tcp_bind_generic_node(session_bus_type)
--
--corenet_sendrecv_all_server_packets(session_bus_type)
- corenet_tcp_bind_reserved_port(session_bus_type)
- 
- dev_read_urand(session_bus_type)
- 
--domain_read_all_domains_state(session_bus_type)
- domain_use_interactive_fds(session_bus_type)
-+domain_read_all_domains_state(session_bus_type)
- 
- files_list_home(session_bus_type)
--files_read_usr_files(session_bus_type)
- files_dontaudit_search_var(session_bus_type)
- 
- fs_getattr_romfs(session_bus_type)
-@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
- fs_list_inotifyfs(session_bus_type)
- fs_dontaudit_list_nfs(session_bus_type)
- 
--selinux_get_fs_mount(session_bus_type)
- selinux_validate_context(session_bus_type)
- selinux_compute_access_vector(session_bus_type)
- selinux_compute_create_context(session_bus_type)
-@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
- auth_read_pam_console_data(session_bus_type)
- 
- logging_send_audit_msgs(session_bus_type)
--logging_send_syslog_msg(session_bus_type)
--
--miscfiles_read_localization(session_bus_type)
- 
- seutil_read_config(session_bus_type)
- 
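Review bot: `files_config_all_files(system_dbusd_t)` and `systemd_config_all_services(system_dbusd_t)`, added in the systemd `optional_policy` block under `# These are caused by broken systemd patch`, give the system message bus create/write/delete over every file carrying the config_file attribute and over every service unit, which is far wider than bus activation needs and which the comment itself attributes to a bug elsewhere. A workaround that broad should be reversible: reference the bug and the intended removal, e.g. `# TODO: workaround for systemd activation bug <id>; drop files_config_all_files/systemd_config_all_services once fixed`, or put the three rules behind a `tunable_policy` that defaults off. The same hunk adds `init_bin_domtrans_spec`, `bind_domtrans` and `sysnet_domtrans_dhcpc` for system_dbusd_t, turning the bus into a launcher for several privileged domains; a one-line comment per transition naming the activated service would make each one reviewable. The `hide_broken_symptoms` dontaudit of `system_bus_type` reading and writing `system_dbusd_t:netlink_selinux_socket` looks like a descriptor leaked from dbus-daemon into activated services; marking it close-on-exec is the fix, and silencing the AVC only hides the leak.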
seutil_read_default_contexts(session_bus_type)
- 
--term_use_all_terms(session_bus_type)
-+term_use_all_inherited_terms(session_bus_type)
-+
-+userdom_dontaudit_search_admin_dir(session_bus_type)
-+userdom_manage_user_home_content_dirs(session_bus_type)
-+userdom_manage_user_home_content_files(session_bus_type)
-+userdom_manage_tmpfs_files(session_bus_type, file)
-+userdom_tmpfs_filetrans(session_bus_type, file)
- 
- optional_policy(`
-- xserver_use_xdm_fds(session_bus_type)
-+ gnome_read_config(session_bus_type)
-+ gnome_read_gconf_home_files(session_bus_type)
-+')
-+
-+optional_policy(`
-+ hal_dbus_chat(session_bus_type)
-+')
-+
-+optional_policy(`
-+ thumb_domtrans(session_bus_type)
-+')
-+
-+optional_policy(`
-+ xserver_search_xdm_lib(session_bus_type)
- xserver_rw_xdm_pipes(session_bus_type)
-+ xserver_use_xdm_fds(session_bus_type)
-+ xserver_append_xdm_home_files(session_bus_type)
- ')
- 
- ########################################
-@@ -244,5 +344,6 @@ optional_policy(`
- # Unconfined access to this module
- #
- 
--allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
--allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
-+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
-+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
-+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff --git a/dcc.fc b/dcc.fc
-index 62d3c4e..cef59a7 100644
---- a/dcc.fc
-+++ b/dcc.fc
-@@ -10,6 +10,8 @@
- /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
- /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
- 
-+/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
-+
- /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
- /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
- /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
-diff --git a/dcc.if b/dcc.if
-index a5c21e0..4639421 
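Review bot: `userdom_manage_user_home_content_dirs(session_bus_type)` and `userdom_manage_user_home_content_files(session_bus_type)` let every per-user bus create, rewrite and delete any file under a user's home directory, where the rules removed earlier in this file (the `manage_*_pattern` on `session_dbusd_home_t` and the `.dbus` filetrans) confined it to one dedicated type. A session bus is reachable by every desktop client, so a bug in it now exposes the whole home directory rather than `~/.dbus`; if only that state directory is needed, restoring `userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")` with the matching manage patterns keeps the home-content attribute out of reach. `userdom_manage_tmpfs_files(session_bus_type, file)` has the same shape and would benefit from a comment naming the workload that needs it. `logging_send_syslog_msg(session_bus_type)` is dropped in the same hunk; if dbus-daemon still reports through syslog in this build, that will show up as an AVC rather than as a log line.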
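Review bot: Labeling `/usr/libexec/dcc/start-dccifd` as `dccifd_exec_t` means whoever executes the wrapper enters dccifd_t before its body runs, so dccifd_t must itself be able to execute the interpreter and the real dccifd binary. The dcc.te hunks below add network rules for dccifd_t but no `corecmd_exec_shell(dccifd_t)`; unless that is granted elsewhere, a shell wrapper would fail at its shebang. If start-dccifd is a shell script (the name suggests it, but the patch does not show its contents), either add `corecmd_exec_shell(dccifd_t)` with a comment pointing at this wrapper, or label the wrapper `bin_t` and let the `dcc_client_t` to `dccifd_exec_t` transition added in dcc.te happen on the daemon binary itself.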
100644
---- a/dcc.if
-+++ b/dcc.if
-@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
- type dcc_var_t, dccifd_var_run_t, dccifd_t;
- ')
- 
-- files_search_var($1)
-+ files_search_pids($1)
- stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
- ')
-diff --git a/dcc.te b/dcc.te
-index 15d908f..cecb0da 100644
---- a/dcc.te
-+++ b/dcc.te
-@@ -45,7 +45,7 @@ type dcc_var_t;
- files_type(dcc_var_t)
- 
- type dcc_var_run_t;
--files_type(dcc_var_run_t)
-+files_pid_file(dcc_var_run_t)
- 
- type dccd_t;
- type dccd_exec_t;
-@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
- read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
- read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
- 
-+corenet_all_recvfrom_netlabel(cdcc_t)
-+corenet_udp_sendrecv_generic_if(cdcc_t)
-+corenet_udp_sendrecv_generic_node(cdcc_t)
-+corenet_udp_sendrecv_all_ports(cdcc_t)
-+
- files_read_etc_runtime_files(cdcc_t)
- 
- auth_use_nsswitch(cdcc_t)
- 
- logging_send_syslog_msg(cdcc_t)
- 
--miscfiles_read_localization(cdcc_t)
--
--userdom_use_user_terminals(cdcc_t)
-+userdom_use_inherited_user_terminals(cdcc_t)
- 
- ########################################
- #
-@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
- 
- allow dcc_client_t dcc_client_map_t:file rw_file_perms;
- 
-+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
-+
- manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
- manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
- files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
-@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
- 
- kernel_read_system_state(dcc_client_t)
- 
-+corenet_all_recvfrom_netlabel(dcc_client_t)
-+corenet_udp_sendrecv_generic_if(dcc_client_t)
-+corenet_udp_sendrecv_generic_node(dcc_client_t)
-+corenet_udp_sendrecv_all_ports(dcc_client_t)
-+corenet_udp_bind_generic_node(dcc_client_t)
-+
- files_read_etc_runtime_files(dcc_client_t)
- 
- 
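Review bot: `corenet_udp_sendrecv_all_ports(cdcc_t)` opens every UDP port type to the DCC command-line client, and the same four-line block is repeated for dcc_client_t, dcc_dbclean_t, dccifd_t and dccm_t in the hunks that follow. DCC talks to its servers on a fixed UDP port; if corenetwork defines a port type for it, the scoped `corenet_udp_sendrecv_<dcc>_port` interface is the least-privilege form, and if it does not, a comment such as `# no dedicated DCC port type in corenetwork; falls back to all UDP ports` records why the broad rule was chosen. One comment on this first instance would cover the repeats.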
fs_getattr_all_fs(dcc_client_t)
-@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
- 
- logging_send_syslog_msg(dcc_client_t)
- 
--miscfiles_read_localization(dcc_client_t)
--
--userdom_use_user_terminals(dcc_client_t)
-+userdom_use_inherited_user_terminals(dcc_client_t)
- 
- optional_policy(`
-- amavis_read_spool_files(dcc_client_t)
-+ antivirus_read_db(dcc_client_t)
- ')
- 
- optional_policy(`
-@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
- 
- kernel_read_system_state(dcc_dbclean_t)
- 
-+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
-+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
-+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
-+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
-+
- files_read_etc_runtime_files(dcc_dbclean_t)
- 
- auth_use_nsswitch(dcc_dbclean_t)
- 
- logging_send_syslog_msg(dcc_dbclean_t)
- 
--miscfiles_read_localization(dcc_dbclean_t)
--
--userdom_use_user_terminals(dcc_dbclean_t)
-+userdom_use_inherited_user_terminals(dcc_dbclean_t)
- 
- ########################################
- #
-@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
- kernel_read_system_state(dccd_t)
- kernel_read_kernel_sysctls(dccd_t)
- 
--corenet_all_recvfrom_unlabeled(dccd_t)
- corenet_all_recvfrom_netlabel(dccd_t)
- corenet_udp_sendrecv_generic_if(dccd_t)
- corenet_udp_sendrecv_generic_node(dccd_t)
-@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
- 
- logging_send_syslog_msg(dccd_t)
- 
--miscfiles_read_localization(dccd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccd_t)
- userdom_dontaudit_search_user_home_dirs(dccd_t)
- 
-@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
- kernel_read_system_state(dccifd_t)
- kernel_read_kernel_sysctls(dccifd_t)
- 
-+corenet_all_recvfrom_netlabel(dccifd_t)
-+corenet_udp_sendrecv_generic_if(dccifd_t)
-+corenet_udp_sendrecv_generic_node(dccifd_t)
-+corenet_udp_sendrecv_all_ports(dccifd_t)
-+
- dev_read_sysfs(dccifd_t)
- 
- domain_use_interactive_fds(dccifd_t)
-@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
- 
- logging_send_syslog_msg(dccifd_t)
- 
--miscfiles_read_localization(dccifd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
- userdom_dontaudit_search_user_home_dirs(dccifd_t)
- 
-@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
- kernel_read_system_state(dccm_t)
- kernel_read_kernel_sysctls(dccm_t)
- 
-+corenet_all_recvfrom_netlabel(dccm_t)
-+corenet_udp_sendrecv_generic_if(dccm_t)
-+corenet_udp_sendrecv_generic_node(dccm_t)
-+corenet_udp_sendrecv_all_ports(dccm_t)
-+
- dev_read_sysfs(dccm_t)
- 
- domain_use_interactive_fds(dccm_t)
-@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
- 
- logging_send_syslog_msg(dccm_t)
- 
--miscfiles_read_localization(dccm_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccm_t)
- userdom_dontaudit_search_user_home_dirs(dccm_t)
- 
-diff --git a/ddclient.if b/ddclient.if
-index 5606b40..cd18cf2 100644
---- a/ddclient.if
-+++ b/ddclient.if
-@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
- type ddclient_var_run_t, ddclient_initrc_exec_t;
- ')
- 
-- allow $1 ddclient_t:process { ptrace signal_perms };
-+ allow $1 ddclient_t:process signal_perms;
- ps_process_pattern($1, ddclient_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ddclient_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
-diff --git a/ddclient.te b/ddclient.te
-index 0b4b8b9..2efb435 100644
---- a/ddclient.te
-+++ b/ddclient.te
-@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
- # Declarations
- #
- 
-+
- dontaudit ddclient_t self:capability sys_tty_config;
- allow ddclient_t self:process signal_perms;
- allow ddclient_t self:fifo_file rw_fifo_file_perms;
-+allow ddclient_t self:tcp_socket create_socket_perms;
-+allow ddclient_t self:udp_socket create_socket_perms;
-+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
- 
- read_files_pattern(ddclient_t, 
ddclient_etc_t, ddclient_etc_t)
- setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
-@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
- corecmd_exec_shell(ddclient_t)
- corecmd_exec_bin(ddclient_t)
- 
--corenet_all_recvfrom_unlabeled(ddclient_t)
- corenet_all_recvfrom_netlabel(ddclient_t)
- corenet_tcp_sendrecv_generic_if(ddclient_t)
- corenet_udp_sendrecv_generic_if(ddclient_t)
-@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
- corenet_udp_sendrecv_generic_node(ddclient_t)
- corenet_tcp_sendrecv_all_ports(ddclient_t)
- corenet_udp_sendrecv_all_ports(ddclient_t)
-+corenet_tcp_bind_generic_node(ddclient_t)
-+corenet_udp_bind_generic_node(ddclient_t)
- 
- corenet_sendrecv_all_client_packets(ddclient_t)
- corenet_tcp_connect_all_ports(ddclient_t)
-@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
- 
- domain_use_interactive_fds(ddclient_t)
- 
--files_read_etc_files(ddclient_t)
- files_read_etc_runtime_files(ddclient_t)
--files_read_usr_files(ddclient_t)
- 
- fs_getattr_all_fs(ddclient_t)
- fs_search_auto_mountpoints(ddclient_t)
- 
-+auth_read_passwd(ddclient_t)
-+
- logging_send_syslog_msg(ddclient_t)
- 
--miscfiles_read_localization(ddclient_t)
-+mta_send_mail(ddclient_t)
- 
- sysnet_exec_ifconfig(ddclient_t)
- sysnet_dns_name_resolve(ddclient_t)
-diff --git a/ddcprobe.te b/ddcprobe.te
-index ceb9bf4..2496e02 100644
---- a/ddcprobe.te
-+++ b/ddcprobe.te
-@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
- dev_read_raw_memory(ddcprobe_t)
- dev_wx_raw_memory(ddcprobe_t)
- 
--files_read_etc_files(ddcprobe_t)
- files_read_etc_runtime_files(ddcprobe_t)
--files_read_usr_files(ddcprobe_t)
- 
- term_use_all_ttys(ddcprobe_t)
- term_use_all_ptys(ddcprobe_t)
-diff --git a/denyhosts.if b/denyhosts.if
-index a7326da..c87b5b7 100644
---- a/denyhosts.if
-+++ b/denyhosts.if
-@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
- ## Role allowed access. 
- ##
- ##
-+##
- #
- interface(`denyhosts_admin',`
- gen_require(`
-@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
- type denyhosts_var_log_t, denyhosts_initrc_exec_t;
- ')
- 
-- allow $1 denyhosts_t:process { ptrace signal_perms };
-+ allow $1 denyhosts_t:process signal_perms;
- ps_process_pattern($1, denyhosts_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 denyhosts_t:process ptrace;
-+ ')
-+
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
- 
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, denyhosts_var_lib_t)
- 
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, denyhosts_var_log_t)
- 
-- files_search_locks($1)
-+ files_list_locks($1)
- admin_pattern($1, denyhosts_var_lock_t)
- ')
-diff --git a/denyhosts.te b/denyhosts.te
-index bcb9770..b53e611 100644
---- a/denyhosts.te
-+++ b/denyhosts.te
-@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
- #
- # Local policy
- #
-+# Bug #588563
-+allow denyhosts_t self:capability sys_tty_config;
-+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
- 
- allow denyhosts_t self:capability sys_tty_config;
- allow denyhosts_t self:fifo_file rw_fifo_file_perms;
-@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
- corecmd_exec_bin(denyhosts_t)
- corecmd_exec_shell(denyhosts_t)
- 
--corenet_all_recvfrom_unlabeled(denyhosts_t)
- corenet_all_recvfrom_netlabel(denyhosts_t)
- corenet_tcp_sendrecv_generic_if(denyhosts_t)
- corenet_tcp_sendrecv_generic_node(denyhosts_t)
-@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
- 
- dev_read_urand(denyhosts_t)
- 
-+auth_use_nsswitch(denyhosts_t)
-+
- logging_read_generic_logs(denyhosts_t)
- logging_send_syslog_msg(denyhosts_t)
- 
--miscfiles_read_localization(denyhosts_t)
--
- sysnet_dns_name_resolve(denyhosts_t)
- sysnet_manage_config(denyhosts_t)
- sysnet_etc_filetrans_config(denyhosts_t)
-@@ -71,3 +73,7 @@ 
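Review bot: The two rules added under `# Bug #588563` in denyhosts.te (`allow denyhosts_t self:capability sys_tty_config;` and `allow denyhosts_t self:fifo_file rw_fifo_file_perms;`) are byte-for-byte copies of the context lines immediately below them, so the hunk adds a comment and two redundant statements and changes nothing. If the intent was to attach the bug reference to the existing rules, move the comment above them and drop the copies; if the bug actually needed a different permission, that permission is still missing. Duplicate allow rules compile silently, which is why a no-op like this survives a build.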
sysnet_etc_filetrans_config(denyhosts_t)
- optional_policy(`
- cron_system_entry(denyhosts_t, denyhosts_exec_t)
- ')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(denyhosts_t)
-+')
-diff --git a/devicekit.if b/devicekit.if
-index d294865..3b4f593 100644
---- a/devicekit.if
-+++ b/devicekit.if
-@@ -1,4 +1,4 @@
--## Devicekit modular hardware abstraction layer.
-+## Devicekit modular hardware abstraction layer
- 
- ########################################
- ##
-@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
- type devicekit_t, devicekit_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, devicekit_exec_t, devicekit_t)
- ')
- 
- ########################################
- ##
-+## Execute a domain transition to run devicekit_disk.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`devicekit_domtrans_disk',`
-+ gen_require(`
-+ type devicekit_disk_t, devicekit_disk_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
-+')
-+
-+########################################
-+##
- ## Send to devicekit over a unix domain
- ## datagram socket.
- ##
-@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
- #
- interface(`devicekit_dgram_send',`
- gen_require(`
-- type devicekit_t, devicekit_var_run_t;
-+ type devicekit_t;
- ')
- 
-- files_search_pids($1)
-- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
-+ allow $1 devicekit_t:unix_dgram_socket sendto;
- ')
- 
- ########################################
-@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',`
- 
- ########################################
- ##
---## Send generic signals to devicekit power.
-+## Use file descriptors for devicekit_disk.
-+##
-+##
-+##
-+## Domain allowed access. 
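Review bot: `devicekit_dgram_send` now grants only `allow $1 devicekit_t:unix_dgram_socket sendto;` and drops the `dgram_send_pattern` together with `files_search_pids($1)` and the write on `devicekit_var_run_t`, which is only equivalent if the daemon's datagram socket is unnamed or abstract. If devicekit binds a filesystem socket under /run, callers of this interface will be denied `sock_file write` on it and the interface silently stops doing its job. Either keep the `dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)` form, or add a comment stating that the socket is unnamed so the next reader does not re-add the pattern on the first AVC.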
-+##
-+##
-+#
-+interface(`devicekit_use_fds_disk',`
-+ gen_require(`
-+ type devicekit_disk_t;
-+ ')
-+
-+ allow $1 devicekit_disk_t:fd use;
-+')
-+
-+########################################
-+##
-+## Dontaudit Send and receive messages from
-+## devicekit disk over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_dbus_chat_disk',`
-+ gen_require(`
-+ type devicekit_disk_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 devicekit_disk_t:dbus send_msg;
-+ dontaudit devicekit_disk_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send signal devicekit power
- ##
- ##
- ##
-@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',`
- allow devicekit_power_t $1:dbus send_msg;
- ')
- 
--########################################
-+#######################################
- ##
--## Create, read, write, and delete
--## devicekit log files.
-+## Append inherited devicekit log files.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access.
-+##
- ##
- #
--interface(`devicekit_manage_log_files',`
-+interface(`devicekit_append_inherited_log_files',`
- gen_require(`
- type devicekit_var_log_t;
- ')
- 
-- logging_search_logs($1)
-- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
-+')
-+
-+#######################################
-+##
-+## Do not audit attempts to write the devicekit
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_rw_log',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
- ')
- 
- ########################################
- ##
--## Relabel devicekit log files.
-+## Allow the domain to read devicekit_power state files in /proc. 
- ##
- ##
- ##
-@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',`
- ##
- ##
- #
--interface(`devicekit_relabel_log_files',`
-+interface(`devicekit_read_state_power',`
- gen_require(`
-- type devicekit_var_log_t;
-+ type devicekit_power_t;
- ')
- 
-- logging_search_logs($1)
-- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, devicekit_power_t)
- ')
- 
- ########################################
-@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',`
- 
- ########################################
- ##
--## Create, read, write, and delete
-+## Do not audit attempts to read
- ## devicekit PID files.
- ##
- ##
- ##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_read_pid_files',`
-+ gen_require(`
-+ type devicekit_var_run_t;
-+ ')
-+
-+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## Manage devicekit PID files.
-+##
-+##
-+##
- ## Domain allowed access.
- ##
- ##
-@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
- ')
- 
- files_search_pids($1)
-+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
- manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
-+')
-+
-+#######################################
-+##
-+## Relabel devicekit LOG files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`devicekit_relabel_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
- ')
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an devicekit environment.
-+## Manage devicekit LOG files.
- ##
- ##
- ##
- ## Domain allowed access. 
- ##
- ##
--##
-+#
-+interface(`devicekit_manage_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an devicekit environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
- ##
-@@ -219,21 +347,48 @@ interface(`devicekit_admin',`
- gen_require(`
- type devicekit_t, devicekit_disk_t, devicekit_power_t;
- type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
-- type devicekit_var_log_t;
- ')
- 
-- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
-+ allow $1 devicekit_t:process signal_perms;
-+ ps_process_pattern($1, devicekit_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 devicekit_t:process ptrace;
-+ allow $1 devicekit_disk_t:process ptrace;
-+ allow $1 devicekit_power_t:process ptrace;
-+ ')
-+
-+ allow $1 devicekit_disk_t:process signal_perms;
-+ ps_process_pattern($1, devicekit_disk_t)
-+
-+ allow $1 devicekit_power_t:process signal_perms;
-+ ps_process_pattern($1, devicekit_power_t)
- 
-- files_search_tmp($1)
- admin_pattern($1, devicekit_tmp_t)
-+ files_list_tmp($1)
- 
-- files_search_var_lib($1)
- admin_pattern($1, devicekit_var_lib_t)
-+ files_list_var_lib($1)
- 
-- logging_search_logs($1)
-- admin_pattern($1, devicekit_var_log_t)
--
-- files_search_pids($1)
- admin_pattern($1, devicekit_var_run_t)
-+ files_list_pids($1)
-+')
-+
-+########################################
-+##
-+## Transition to devicekit named content
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`devicekit_filetrans_named_content',`
-+ gen_require(`
-+ type devicekit_var_run_t, devicekit_var_log_t;
-+ ')
-+
-+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
-+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
- ')
-diff --git a/devicekit.te b/devicekit.te
-index ff933af..cd1d88d 100644
---- a/devicekit.te
-+++ b/devicekit.te
-@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
- 
- type devicekit_t;
- type devicekit_exec_t;
--dbus_system_domain(devicekit_t, devicekit_exec_t)
-+init_daemon_domain(devicekit_t, devicekit_exec_t)
- 
- type devicekit_power_t;
- type devicekit_power_exec_t;
--dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
-+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
- 
- type devicekit_disk_t;
- type devicekit_disk_exec_t;
--dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
-+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
- 
- type devicekit_tmp_t;
- files_tmp_file(devicekit_tmp_t)
-@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
- dev_read_sysfs(devicekit_t)
- dev_read_urand(devicekit_t)
- 
--files_read_etc_files(devicekit_t)
--
--miscfiles_read_localization(devicekit_t)
--
- optional_policy(`
-+ dbus_system_domain(devicekit_t, devicekit_exec_t)
- dbus_system_bus_client(devicekit_t)
- 
- allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +61,8 @@ optional_policy(`
- # Disk local policy
- #
- 
--allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
-+
- allow devicekit_disk_t self:process { getsched signal_perms };
- allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
- allow 
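Review bot: `devicekit_admin` no longer covers `devicekit_var_log_t`: the `gen_require` entry and `admin_pattern($1, devicekit_var_log_t)` are removed without a replacement, so an admin role loses the ability to manage the pm-suspend/pm-powersave logs even though `devicekit_manage_log_files` and `devicekit_relabel_log_files` remain in this file. If that is deliberate, a comment in the interface should say so; otherwise restore it with `devicekit_manage_log_files($1)` or `admin_pattern($1, devicekit_var_log_t)` plus `logging_list_logs($1)`. The `deny_ptrace` tunable block is also placed between the devicekit_t and devicekit_disk_t signal rules although it covers all three domains; moving it after the third `ps_process_pattern` call makes its scope obvious at a glance.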
devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
- manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
- manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
- files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
-+files_filetrans_named_content(devicekit_disk_t)
- 
-+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
- kernel_getattr_message_if(devicekit_disk_t)
- kernel_list_unlabeled(devicekit_disk_t)
--kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
- kernel_read_fs_sysctls(devicekit_disk_t)
- kernel_read_network_state(devicekit_disk_t)
- kernel_read_software_raid_state(devicekit_disk_t)
-@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
- 
- dev_getattr_all_chr_files(devicekit_disk_t)
- dev_getattr_mtrr_dev(devicekit_disk_t)
-+dev_rw_generic_blk_files(devicekit_disk_t)
-+dev_rw_loop_control(devicekit_disk_t)
- dev_getattr_usbfs_dirs(devicekit_disk_t)
- dev_manage_generic_files(devicekit_disk_t)
- dev_read_urand(devicekit_disk_t)
-@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
- files_manage_boot_dirs(devicekit_disk_t)
- files_manage_isid_type_dirs(devicekit_disk_t)
- files_manage_mnt_dirs(devicekit_disk_t)
-+files_manage_etc_files(devicekit_disk_t)
- files_read_etc_runtime_files(devicekit_disk_t)
--files_read_usr_files(devicekit_disk_t)
- 
- fs_getattr_all_fs(devicekit_disk_t)
- fs_list_inotifyfs(devicekit_disk_t)
-@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
- storage_raw_read_removable_device(devicekit_disk_t)
- storage_raw_write_removable_device(devicekit_disk_t)
- 
--term_use_all_terms(devicekit_disk_t)
-+term_use_all_inherited_terms(devicekit_disk_t)
- 
- auth_use_nsswitch(devicekit_disk_t)
- 
--miscfiles_read_localization(devicekit_disk_t)
-+logging_send_syslog_msg(devicekit_disk_t)
- 
- 
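Review bot: `files_manage_etc_files(devicekit_disk_t)` gives the disk daemon create, write and delete on every etc_t file, not only the one it presumably edits. If this is for /etc/fstab and /etc/crypttab handling (the kind of file a disk manager touches; the patch does not say), a comment naming those files lets a later reviewer narrow the rule once a finer type exists, e.g. `# udisks rewrites /etc/fstab and /etc/crypttab; etc_t has no finer type yet`. Together with the raw fixed-disk write rules kept as context in this file, a compromised devicekit_disk_t can now alter boot-time configuration as well as block devices, so the justification belongs next to the rule.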
userdom_read_all_users_state(devicekit_disk_t)
- userdom_search_user_home_dirs(devicekit_disk_t)
-+userdom_manage_user_tmp_dirs(devicekit_disk_t)
- 
- optional_policy(`
-+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
- dbus_system_bus_client(devicekit_disk_t)
- 
- allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +170,7 @@ optional_policy(`
- 
- optional_policy(`
- mount_domtrans(devicekit_disk_t)
-+ mount_read_pid_files(devicekit_disk_t)
- ')
- 
- optional_policy(`
-@@ -180,6 +184,11 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ systemd_read_logind_sessions_files(devicekit_disk_t)
-+ systemd_write_inhibit_pipes(devicekit_disk_t)
-+')
-+
-+optional_policy(`
- udev_domtrans(devicekit_disk_t)
- udev_read_db(devicekit_disk_t)
- ')
-@@ -188,12 +197,19 @@ optional_policy(`
- virt_manage_images(devicekit_disk_t)
- ')
- 
-+optional_policy(`
-+ unconfined_domain(devicekit_t)
-+ unconfined_domain(devicekit_power_t)
-+ unconfined_domain(devicekit_disk_t)
-+')
-+
- ########################################
- #
- # Power local policy
- #
- 
--allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
-+allow devicekit_power_t self:capability2 compromise_kernel;
- allow devicekit_power_t self:process { getsched signal_perms };
- allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
- allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
- manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
- files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
- 
--allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
--allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
--allow devicekit_power_t devicekit_var_log_t:file 
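Review bot: `unconfined_domain(devicekit_t)`, `unconfined_domain(devicekit_power_t)` and `unconfined_domain(devicekit_disk_t)` inside `optional_policy` make all three daemons effectively unconfined whenever the unconfined module is loaded, which the f20 naming of this patch suggests is the default; every other allow and dontaudit rule in devicekit.te then only matters on systems that have removed that module. If this is a stop-gap, say so where it can be found again, e.g. `# TEMPORARY: unconfined until the udisks2/upower denials are resolved (bug NNN); remove with the fix`; if it is meant to stay, the type-specific rules in this file become misleading and a `tunable_policy` defaulting to confined would be the honest shape. The same hunk grants `devicekit_power_t self:capability2 compromise_kernel`, a permission only kernels carrying the Secure Boot lockdown patch know about; a one-line comment on which upower operation trips it would tell the next maintainer when it can go.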
setattr_file_perms;
-+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
- logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
- 
- manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
- 
- files_read_kernel_img(devicekit_power_t)
- files_read_etc_runtime_files(devicekit_power_t)
--files_read_usr_files(devicekit_power_t)
- files_dontaudit_list_mnt(devicekit_power_t)
- 
- fs_getattr_all_fs(devicekit_power_t)
- fs_list_inotifyfs(devicekit_power_t)
- 
--term_use_all_terms(devicekit_power_t)
-+term_use_all_inherited_terms(devicekit_power_t)
- 
- auth_use_nsswitch(devicekit_power_t)
- 
--miscfiles_read_localization(devicekit_power_t)
-+seutil_exec_setfiles(devicekit_power_t)
- 
- sysnet_domtrans_ifconfig(devicekit_power_t)
- sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +282,11 @@ optional_policy(`
- 
- optional_policy(`
- cron_initrc_domtrans(devicekit_power_t)
-+ cron_systemctl(devicekit_power_t)
- ')
- 
- optional_policy(`
-+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
- dbus_system_bus_client(devicekit_power_t)
- 
- allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +317,11 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ gnome_manage_home_config(devicekit_power_t)
-+')
-+
-+optional_policy(`
- hal_domtrans_mac(devicekit_power_t)
-- hal_manage_log(devicekit_power_t)
- hal_manage_pid_dirs(devicekit_power_t)
- hal_manage_pid_files(devicekit_power_t)
- ')
-@@ -341,3 +359,9 @@ optional_policy(`
- optional_policy(`
- vbetool_domtrans(devicekit_power_t)
- ')
-+
-+optional_policy(`
-+ corenet_tcp_connect_xserver_port(devicekit_power_t)
-+ xserver_stream_connect(devicekit_power_t)
-+')
-+
-diff --git a/dhcp.fc b/dhcp.fc
-index 7956248..5fee161 100644
---- a/dhcp.fc
-+++ b/dhcp.fc
-@@ -1,4 +1,5 @@
- /etc/rc\.d/init\.d/dhcpd(6)? 
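Review bot: Replacing the three `append_file_perms` / `create_file_perms` / `setattr_file_perms` rules on `devicekit_var_log_t` with `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` adds write, unlink and rename, so upower and any pm-utils hook running in its domain can now truncate or delete the suspend/powersave logs instead of only appending to them. Those logs matter most after a failed suspend or resume, which is exactly when a process in this domain has misbehaved, so the append-only property is worth keeping. If a specific denial prompted the change, adding just that permission to the existing rules, with a comment quoting the AVC, keeps the widening reviewable.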
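Review bot: `seutil_exec_setfiles(devicekit_power_t)` runs setfiles/restorecon inside the upower domain with no domain transition, so any relabeling it performs needs `relabelfrom`/`relabelto` rules for devicekit_power_t that this hunk does not add; without them the call is either dead or will surface as relabel denials. If a pm-utils hook restores file contexts after resume, `seutil_domtrans_setfiles(devicekit_power_t)` lets setfiles run in its own domain with the permissions it already has. Either way, a comment naming the hook would explain why a power daemon relabels files at all, which is not obvious from the rule.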
-- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) -+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) - - /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - -diff --git a/dhcp.if b/dhcp.if -index c697edb..31d45bf 100644 ---- a/dhcp.if -+++ b/dhcp.if -@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` - ') - - sysnet_search_dhcp_state($1) -- allow $1 dhcpd_state_t:file setattr; -+ allow $1 dhcpd_state_t:file setattr_file_perms; - ') - - ######################################## -@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',` - - ######################################## - ## -+## Execute dhcpd server in the dhcpd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dhcpd_systemctl',` -+ gen_require(` -+ type dhcpd_unit_file_t; -+ type dhcpd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) -+ allow $1 dhcpd_unit_file_t:file read_file_perms; -+ allow $1 dhcpd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, dhcpd_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an dhcpd environment. 
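Review bot: The new unit-file entry matches `/usr/lib/systemd/system/dhcpcd.*`, but every other identifier in this module is spelled `dhcpd` (`/usr/sbin/dhcpd.*`, `dhcpd_t`, `dhcpd_unit_file_t`), so the server's own unit files would stay unlabeled and the new `dhcpd_systemctl` interface would have nothing to act on. If the extra `c` is a typo the line should read `/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`. If a `dhcpcd` unit really is intended, a comment naming the package it belongs to would stop the next reader from "fixing" it.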
- ## -@@ -79,11 +103,16 @@ interface(`dhcpd_admin',` - gen_require(` - type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; -+ type dhcpd_unit_file_t; - ') - -- allow $1 dhcpd_t:process { ptrace signal_perms }; -+ allow $1 dhcpd_t:process signal_perms; - ps_process_pattern($1, dhcpd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dhcpd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dhcpd_initrc_exec_t system_r; -@@ -97,4 +126,8 @@ interface(`dhcpd_admin',` - - files_list_pids($1) - admin_pattern($1, dhcpd_var_run_t) -+ -+ dhcpd_systemctl($1) -+ admin_pattern($1, dhcpd_unit_file_t) -+ allow $1 dhcpd_unit_file_t:service all_service_perms; - ') -diff --git a/dhcp.te b/dhcp.te -index c93c3db..cdb4d60 100644 ---- a/dhcp.te -+++ b/dhcp.te -@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) - type dhcpd_initrc_exec_t; - init_script_file(dhcpd_initrc_exec_t) - -+type dhcpd_unit_file_t; -+systemd_unit_file(dhcpd_unit_file_t) -+ - type dhcpd_state_t; - files_type(dhcpd_state_t) - -@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t) - kernel_read_kernel_sysctls(dhcpd_t) - kernel_read_network_state(dhcpd_t) - --corenet_all_recvfrom_unlabeled(dhcpd_t) - corenet_all_recvfrom_netlabel(dhcpd_t) - corenet_tcp_sendrecv_generic_if(dhcpd_t) - corenet_udp_sendrecv_generic_if(dhcpd_t) -@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t) - - domain_use_interactive_fds(dhcpd_t) - --files_read_usr_files(dhcpd_t) - files_read_etc_runtime_files(dhcpd_t) - files_search_var_lib(dhcpd_t) - -@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t) - - logging_send_syslog_msg(dhcpd_t) - --miscfiles_read_localization(dhcpd_t) -- - sysnet_read_dhcp_config(dhcpd_t) - - userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) - ') - -+ifdef(`distro_gentoo',` -+ allow dhcpd_t self:capability { 
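Review bot: The summary of the new `dhcpd_systemctl` interface, `Execute dhcpd server in the dhcpd domain.`, describes a domain transition, but the body grants `systemctl` execution, `manage_service_perms` on `dhcpd_unit_file_t` and `ps_process_pattern` on `dhcpd_t` — it lets the caller start, stop and inspect the service, not run dhcpd. Reword it to `## Allow the caller to start, stop and inspect the dhcpd service via systemctl.` and change the parameter text `Domain allowed to transition.` to `Domain allowed access.`. The `dnsmasq_systemctl` interface added later in this patch (dnsmasq.if) copies the same wording and needs the same correction.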
chown dac_override setgid setuid sys_chroot }; -+') -+ - optional_policy(` -+ # used for dynamic DNS - bind_read_dnssec_keys(dhcpd_t) - ') - - optional_policy(` -+ cobbler_dontaudit_rw_log(dhcpd_t) -+') -+ -+optional_policy(` - dbus_system_bus_client(dhcpd_t) - dbus_connect_system_bus(dhcpd_t) - ') -diff --git a/dictd.if b/dictd.if -index 3cc3494..cb0a1f4 100644 ---- a/dictd.if -+++ b/dictd.if -@@ -38,8 +38,11 @@ interface(`dictd_admin',` - type dictd_var_run_t, dictd_initrc_exec_t; - ') - -- allow $1 dictd_t:process { ptrace signal_perms }; -+ allow $1 dictd_t:process signal_perms; - ps_process_pattern($1, dictd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dictd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/dictd.te b/dictd.te -index fd4a602..43b800a 100644 ---- a/dictd.te -+++ b/dictd.te -@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) - kernel_read_system_state(dictd_t) - kernel_read_kernel_sysctls(dictd_t) - --corenet_all_recvfrom_unlabeled(dictd_t) - corenet_all_recvfrom_netlabel(dictd_t) - corenet_tcp_sendrecv_generic_if(dictd_t) - corenet_tcp_sendrecv_generic_node(dictd_t) -@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t) - domain_use_interactive_fds(dictd_t) - - files_read_etc_runtime_files(dictd_t) --files_read_usr_files(dictd_t) - files_search_var_lib(dictd_t) - - fs_getattr_xattr_fs(dictd_t) -@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t) - - logging_send_syslog_msg(dictd_t) - --miscfiles_read_localization(dictd_t) -- - userdom_dontaudit_use_unpriv_user_fds(dictd_t) - - optional_policy(` -diff --git a/dirmngr.te b/dirmngr.te -index b3b2188..5f91705 100644 ---- a/dirmngr.te -+++ b/dirmngr.te -@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) - - kernel_read_crypto_sysctls(dirmngr_t) - --files_read_etc_files(dirmngr_t) - - miscfiles_read_localization(dirmngr_t) -diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc -new file 
mode 100644 -index 0000000..8c44697 ---- /dev/null -+++ b/dirsrv-admin.fc -@@ -0,0 +1,15 @@ -+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) -+ -+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) -+ -+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) -+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) -+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) -+ -+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+ -+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) -+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) -+ -+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0) -diff --git a/dirsrv-admin.if b/dirsrv-admin.if -new file mode 100644 -index 0000000..30416f2 ---- /dev/null -+++ b/dirsrv-admin.if -@@ -0,0 +1,133 @@ -+## Administration Server for Directory Server, dirsrv-admin. -+ -+######################################## -+## -+## Exec dirsrv-admin programs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_run_exec',` -+ gen_require(` -+ type dirsrvadmin_exec_t; -+ ') -+ -+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms; -+ can_exec($1, dirsrvadmin_exec_t) -+') -+ -+######################################## -+## -+## Exec cgi programs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dirsrvadmin_run_httpd_script_exec',` -+ gen_require(` -+ type httpd_dirsrvadmin_script_exec_t; -+ ') -+ -+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; -+ can_exec($1, httpd_dirsrvadmin_script_exec_t) -+') -+ -+######################################## -+## -+## Manage dirsrv-adminserver configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_read_config',` -+ gen_require(` -+ type dirsrvadmin_config_t; -+ ') -+ -+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t) -+') -+ -+######################################## -+## -+## Manage dirsrv-adminserver configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_manage_config',` -+ gen_require(` -+ type dirsrvadmin_config_t; -+ ') -+ -+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms; -+ allow $1 dirsrvadmin_config_t:file manage_file_perms; -+') -+ -+####################################### -+## -+## Read dirsrv-adminserver tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_read_tmp',` -+ gen_require(` -+ type dirsrvadmin_tmp_t; -+ ') -+ -+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+') -+ -+######################################## -+## -+## Manage dirsrv-adminserver tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_manage_tmp',` -+ gen_require(` -+ type dirsrvadmin_tmp_t; -+ ') -+ -+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+') -+ -+####################################### -+## -+## Execute admin cgi programs in caller domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dirsrvadmin_domtrans_unconfined_script_t',` -+ gen_require(` -+ type dirsrvadmin_unconfined_script_t; -+ type dirsrvadmin_unconfined_script_exec_t; -+ ') -+ -+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t) -+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms; -+') -diff --git a/dirsrv-admin.te b/dirsrv-admin.te -new file mode 100644 -index 0000000..021c5ae ---- /dev/null -+++ b/dirsrv-admin.te -@@ -0,0 +1,157 @@ -+policy_module(dirsrv-admin,1.0.0) -+ -+######################################## -+# -+# Declarations for the daemon -+# -+ -+type dirsrvadmin_t; -+type dirsrvadmin_exec_t; -+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t) -+role system_r types dirsrvadmin_t; -+ -+type dirsrvadmin_config_t; -+files_type(dirsrvadmin_config_t) -+ -+type dirsrvadmin_lock_t; -+files_lock_file(dirsrvadmin_lock_t) -+ -+type dirsrvadmin_tmp_t; -+files_tmp_file(dirsrvadmin_tmp_t) -+ -+type dirsrvadmin_unconfined_script_t; -+type dirsrvadmin_unconfined_script_exec_t; -+domain_type(dirsrvadmin_unconfined_script_t) -+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t) -+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t) -+role system_r types dirsrvadmin_unconfined_script_t; -+ -+######################################## -+# -+# Local policy for the daemon -+# -+ -+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; -+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; -+allow dirsrvadmin_t self:process { setrlimit signal_perms }; -+ -+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir }) -+ -+kernel_read_system_state(dirsrvadmin_t) -+ -+corecmd_exec_bin(dirsrvadmin_t) -+corecmd_read_bin_symlinks(dirsrvadmin_t) 
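Review bot: `dirsrvadmin_read_config` is documented as `Manage dirsrv-adminserver configuration files.` although its body is only `read_files_pattern`; the summary should be `## Read dirsrv-adminserver configuration files.` so callers do not pick it expecting write access. `dirsrvadmin_domtrans_unconfined_script_t` carries a `_t` suffix, which refpolicy reserves for type names; `dirsrvadmin_domtrans_unconfined_script` would match the other interfaces in this file. That interface's summary `Execute admin cgi programs in caller domain.` is also wrong, since the body performs `domtrans_pattern` into `dirsrvadmin_unconfined_script_t`, a domain that dirsrv-admin.te then makes unconfined — the summary should say that a transition into an unconfined domain happens.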
-+corecmd_search_bin(dirsrvadmin_t) -+corecmd_shell_entry_type(dirsrvadmin_t) -+ -+files_exec_etc_files(dirsrvadmin_t) -+ -+libs_exec_ld_so(dirsrvadmin_t) -+ -+logging_search_logs(dirsrvadmin_t) -+ -+# Needed for stop and restart scripts -+dirsrv_read_var_run(dirsrvadmin_t) -+ -+optional_policy(` -+ apache_domtrans(dirsrvadmin_t) -+ apache_signal(dirsrvadmin_t) -+') -+ -+######################################## -+# -+# Local policy for the CGIs -+# -+# -+# -+# Create a domain for the CGI scripts -+ -+optional_policy(` -+ apache_content_template(dirsrvadmin) -+ -+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; -+ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; -+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; -+ -+ -+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) -+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) -+ -+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) -+ -+ -+ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t) -+ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t) -+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) -+ -+ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) -+ -+ files_search_var_lib(httpd_dirsrvadmin_script_t) -+ -+ sysnet_read_config(httpd_dirsrvadmin_script_t) -+ -+ 
manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) -+ -+ optional_policy(` -+ apache_read_modules(httpd_dirsrvadmin_script_t) -+ apache_read_config(httpd_dirsrvadmin_script_t) -+ apache_signal(httpd_dirsrvadmin_script_t) -+ apache_signull(httpd_dirsrvadmin_script_t) -+ ') -+ -+ optional_policy(` -+ # The CGI scripts must be able to manage dirsrv-admin -+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) -+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) -+ dirsrv_domtrans(httpd_dirsrvadmin_script_t) -+ dirsrv_signal(httpd_dirsrvadmin_script_t) -+ dirsrv_signull(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_log(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) -+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_config(httpd_dirsrvadmin_script_t) -+ dirsrv_read_share(httpd_dirsrvadmin_script_t) -+ ') -+') -+ -+####################################### -+# -+# Local policy for the admin CGIs -+# -+# -+ -+ -+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir }) -+ -+# needed because of filetrans rules -+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t) -+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t) -+dirsrv_domtrans(dirsrvadmin_unconfined_script_t) -+dirsrv_signal(dirsrvadmin_unconfined_script_t) -+dirsrv_signull(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_log(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t) -+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t) 
-+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_config(dirsrvadmin_unconfined_script_t) -+dirsrv_read_share(dirsrvadmin_unconfined_script_t) -+ -+optional_policy(` -+ unconfined_domain(dirsrvadmin_unconfined_script_t) -+') -+ -+ -diff --git a/dirsrv.fc b/dirsrv.fc -new file mode 100644 -index 0000000..5d30dab ---- /dev/null -+++ b/dirsrv.fc -@@ -0,0 +1,23 @@ -+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) -+ -+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) -+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0) -+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) -+ -+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) -+ -+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) -+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) -+ -+# BZ: -+/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0) -+ -+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) -+ -+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) -+ -+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) -+ -+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) -diff --git a/dirsrv.if b/dirsrv.if -new file mode 100644 -index 0000000..b214253 ---- /dev/null -+++ b/dirsrv.if -@@ -0,0 +1,208 @@ -+## policy for dirsrv -+ -+######################################## -+## -+## Execute a domain transition to run dirsrv. -+## -+## -+## -+## Domain allowed to transition. 
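Review bot: `httpd_dirsrvadmin_script_t`, the domain the web-facing CGIs run in, receives `fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override` with no comment on which CGI needs which capability, and the same `optional_policy` hands it `dirsrv_domtrans`, `dirsrv_manage_config` and `dirsrv_manage_var_lib`; a comment per group, e.g. `# setuid setgid chown: <which CGI needs these and why>`, would let a later reviewer prune the set. The separate `dirsrvadmin_unconfined_script_t` domain is made fully unconfined by the final `unconfined_domain` block, so the transition into it is the effective trust boundary and should be stated in the `Local policy for the admin CGIs` header rather than only in the `# needed because of filetrans rules` line. `role system_r types dirsrvadmin_t;` directly after `init_daemon_domain` looks redundant, as that template normally assigns the role itself, though I have not checked this tree's version of it.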
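Review bot: The comment `# BZ:` above the `/var/run/slapd.* -s` entry carries no bug number, so the reason for labelling any `/var/run/slapd…` socket as `dirsrv_var_run_t` is lost; either complete it as `# BZ: <bugzilla id> — <what breaks without this entry>` or drop it. Because the pattern is not tied to the dirsrv instance naming, it also catches sockets of any other LDAP server that uses a `slapd` prefix under `/var/run`, which the same comment should acknowledge.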
-+## -+## -+# -+interface(`dirsrv_domtrans',` -+ gen_require(` -+ type dirsrv_t, dirsrv_exec_t; -+ ') -+ -+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t) -+') -+ -+ -+######################################## -+## -+## Allow caller to signal dirsrv. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_signal',` -+ gen_require(` -+ type dirsrv_t; -+ ') -+ -+ allow $1 dirsrv_t:process signal; -+') -+ -+ -+######################################## -+## -+## Send a null signal to dirsrv. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_signull',` -+ gen_require(` -+ type dirsrv_t; -+ ') -+ -+ allow $1 dirsrv_t:process signull; -+') -+ -+####################################### -+## -+## Allow a domain to manage dirsrv logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_manage_log',` -+ gen_require(` -+ type dirsrv_var_log_t; -+ ') -+ -+ allow $1 dirsrv_var_log_t:dir manage_dir_perms; -+ allow $1 dirsrv_var_log_t:file manage_file_perms; -+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms; -+') -+ -+####################################### -+## -+## Allow a domain to manage dirsrv /var/lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_manage_var_lib',` -+ gen_require(` -+ type dirsrv_var_lib_t; -+ ') -+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms; -+ allow $1 dirsrv_var_lib_t:file manage_file_perms; -+') -+ -+######################################## -+## -+## Connect to dirsrv over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_stream_connect',` -+ gen_require(` -+ type dirsrv_t, dirsrv_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) -+') -+ -+####################################### -+## -+## Allow a domain to manage dirsrv /var/run files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dirsrv_manage_var_run',` -+ gen_require(` -+ type dirsrv_var_run_t; -+ ') -+ allow $1 dirsrv_var_run_t:dir manage_dir_perms; -+ allow $1 dirsrv_var_run_t:file manage_file_perms; -+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms; -+') -+ -+###################################### -+## -+## Allow a domain to create dirsrv pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_pid_filetrans',` -+ gen_require(` -+ type dirsrv_var_run_t; -+ ') -+ # Allow creating a dir in /var/run with this type -+ files_pid_filetrans($1, dirsrv_var_run_t, dir) -+') -+ -+####################################### -+## -+## Allow a domain to read dirsrv /var/run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_read_var_run',` -+ gen_require(` -+ type dirsrv_var_run_t; -+ ') -+ allow $1 dirsrv_var_run_t:dir list_dir_perms; -+ allow $1 dirsrv_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Manage dirsrv configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_manage_config',` -+ gen_require(` -+ type dirsrv_config_t; -+ ') -+ -+ allow $1 dirsrv_config_t:dir manage_dir_perms; -+ allow $1 dirsrv_config_t:file manage_file_perms; -+') -+ -+######################################## -+## -+## Read dirsrv share files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dirsrv_read_share',` -+ gen_require(` -+ type dirsrv_share_t; -+ ') -+ -+ allow $1 dirsrv_share_t:dir list_dir_perms; -+ allow $1 dirsrv_share_t:file read_file_perms; -+ allow $1 dirsrv_share_t:lnk_file read; -+') -diff --git a/dirsrv.te b/dirsrv.te -new file mode 100644 -index 0000000..73d1b46 ---- /dev/null -+++ b/dirsrv.te -@@ -0,0 +1,196 @@ -+policy_module(dirsrv,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+# main daemon -+type dirsrv_t; -+type dirsrv_exec_t; -+domain_type(dirsrv_t) -+init_daemon_domain(dirsrv_t, dirsrv_exec_t) -+ -+type dirsrv_snmp_t; -+type dirsrv_snmp_exec_t; -+domain_type(dirsrv_snmp_t) -+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t) -+ -+type dirsrv_var_lib_t; -+files_type(dirsrv_var_lib_t) -+ -+type dirsrv_var_log_t; -+logging_log_file(dirsrv_var_log_t) -+ -+type dirsrv_snmp_var_log_t; -+logging_log_file(dirsrv_snmp_var_log_t) -+ -+type dirsrv_var_run_t; -+files_pid_file(dirsrv_var_run_t) -+ -+type dirsrv_snmp_var_run_t; -+files_pid_file(dirsrv_snmp_var_run_t) -+ -+type dirsrv_var_lock_t; -+files_lock_file(dirsrv_var_lock_t) -+ -+type dirsrv_config_t; -+files_type(dirsrv_config_t) -+ -+type dirsrv_tmp_t; -+files_tmp_file(dirsrv_tmp_t) -+ -+type dirsrv_tmpfs_t; -+files_tmpfs_file(dirsrv_tmpfs_t) -+ -+type dirsrv_share_t; -+files_type(dirsrv_share_t); -+ -+######################################## -+# -+# dirsrv local policy -+# -+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; -+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; -+allow dirsrv_t self:fifo_file manage_fifo_file_perms; -+allow dirsrv_t self:sem create_sem_perms; -+allow dirsrv_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) -+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) -+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) 
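Review bot: `dirsrv_manage_var_run` grants `dirsrv_var_run_t:sock_file manage_file_perms`; the refpolicy permission set for socket files is `manage_sock_file_perms`, and using the file set here reads as a copy-paste slip even if it compiles. In `dirsrv_read_share`, `allow $1 dirsrv_share_t:lnk_file read;` should likewise be `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;` so `getattr` is included as in the other read interfaces of this file. `dirsrv_manage_var_lib`, `dirsrv_manage_var_run`, `dirsrv_pid_filetrans` and `dirsrv_read_var_run` also omit the blank line after `gen_require` that the rest of the file uses.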
-+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file }) -+ -+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) -+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) -+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) -+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) -+ -+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) -+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) -+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) -+allow dirsrv_t dirsrv_var_log_t:dir { setattr }; -+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) -+ -+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) -+ -+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) -+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) -+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file) -+files_setattr_lock_dirs(dirsrv_t) -+ -+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) -+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) -+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) -+ -+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) -+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) -+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) -+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; -+ -+kernel_read_network_state(dirsrv_t) -+kernel_read_system_state(dirsrv_t) -+kernel_read_kernel_sysctls(dirsrv_t) -+ -+corecmd_search_bin(dirsrv_t) -+ -+corenet_all_recvfrom_netlabel(dirsrv_t) -+corenet_tcp_sendrecv_generic_if(dirsrv_t) -+corenet_tcp_sendrecv_generic_node(dirsrv_t) -+corenet_tcp_sendrecv_all_ports(dirsrv_t) 
-+corenet_tcp_bind_generic_node(dirsrv_t) -+corenet_tcp_bind_ldap_port(dirsrv_t) -+corenet_tcp_bind_dogtag_port(dirsrv_t) -+corenet_tcp_bind_all_rpc_ports(dirsrv_t) -+corenet_udp_bind_all_rpc_ports(dirsrv_t) -+corenet_tcp_connect_all_ports(dirsrv_t) -+corenet_sendrecv_ldap_server_packets(dirsrv_t) -+corenet_sendrecv_all_client_packets(dirsrv_t) -+ -+dev_read_sysfs(dirsrv_t) -+dev_read_urand(dirsrv_t) -+ -+files_read_usr_symlinks(dirsrv_t) -+ -+fs_getattr_all_fs(dirsrv_t) -+ -+auth_use_pam(dirsrv_t) -+ -+logging_send_syslog_msg(dirsrv_t) -+ -+sysnet_dns_name_resolve(dirsrv_t) -+ -+optional_policy(` -+ apache_dontaudit_leaks(dirsrv_t) -+') -+ -+optional_policy(` -+ dirsrvadmin_read_tmp(dirsrv_t) -+') -+ -+optional_policy(` -+ kerberos_use(dirsrv_t) -+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0") -+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487") -+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55") -+') -+ -+# FIPS mode -+optional_policy(` -+ prelink_exec(dirsrv_t) -+') -+ -+optional_policy(` -+ rpcbind_stream_connect(dirsrv_t) -+') -+ -+optional_policy(` -+ uuidd_stream_connect_manager(dirsrv_t) -+') -+ -+######################################## -+# -+# dirsrv-snmp local policy -+# -+allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; -+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms; -+ -+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) -+ -+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) -+ -+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t) -+ -+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t) -+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file }) -+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) -+ -+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); -+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) -+ 
-+corenet_tcp_connect_agentx_port(dirsrv_snmp_t) -+ -+dev_read_rand(dirsrv_snmp_t) -+dev_read_urand(dirsrv_snmp_t) -+ -+domain_use_interactive_fds(dirsrv_snmp_t) -+ -+#files_manage_var_files(dirsrv_snmp_t) -+ -+fs_getattr_tmpfs(dirsrv_snmp_t) -+fs_search_tmpfs(dirsrv_snmp_t) -+ -+ -+sysnet_read_config(dirsrv_snmp_t) -+sysnet_dns_name_resolve(dirsrv_snmp_t) -+ -+optional_policy(` -+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_manage_var_lib_dirs(dirsrv_snmp_t) -+ snmp_manage_var_lib_files(dirsrv_snmp_t) -+ snmp_stream_connect(dirsrv_snmp_t) -+') -diff --git a/distcc.if b/distcc.if -index 24d8c74..1790ec5 100644 ---- a/distcc.if -+++ b/distcc.if -@@ -19,7 +19,7 @@ - # - interface(`distcc_admin',` - gen_require(` -- type distccd_t, distccd_t, distccd_log_t; -+ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t; - type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t; - ') - -diff --git a/distcc.te b/distcc.te -index b441a4d..83fb340 100644 ---- a/distcc.te -+++ b/distcc.te -@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) - kernel_read_system_state(distccd_t) - kernel_read_kernel_sysctls(distccd_t) - --corenet_all_recvfrom_unlabeled(distccd_t) - corenet_all_recvfrom_netlabel(distccd_t) - corenet_tcp_sendrecv_generic_if(distccd_t) - corenet_tcp_sendrecv_generic_node(distccd_t) -@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t) - - logging_send_syslog_msg(distccd_t) - --miscfiles_read_localization(distccd_t) -- - userdom_dontaudit_use_unpriv_user_fds(distccd_t) - userdom_dontaudit_search_user_home_dirs(distccd_t) - -diff --git a/djbdns.if b/djbdns.if -index 671d3c0..6d36c95 100644 ---- a/djbdns.if -+++ b/djbdns.if -@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',` - - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; -+ -+ corenet_all_recvfrom_netlabel(djbdns_$1_t) -+ 
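Review bot: `dirsrv_t` is given `corenet_tcp_connect_all_ports`, `corenet_tcp_sendrecv_all_ports`, `corenet_tcp_bind_all_rpc_ports` and `corenet_udp_bind_all_rpc_ports` without any comment; for a directory server the bind and connect targets are normally a few known ports, so each wide grant needs a line such as `# needed by <feature>: connects to arbitrary remote ports` or should be narrowed to the ports actually used. Two statements end a macro call with `;` — `files_type(dirsrv_share_t);` and `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);` — which is not refpolicy style and leaves a bare `;` in the m4 output; drop them. The commented-out `#files_manage_var_files(dirsrv_snmp_t)` should be removed rather than left as dead code.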
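Review bot: The `gen_require` block in `distcc_admin` now lists `distccd_var_run_t` but keeps the misspelled `disccd_var_run_t` on the next context line (and `distccd_t` twice); requiring a type that is never declared fails when the interface is expanded and the module is linked, so the fix should replace the misspelling rather than add beside it: `type distccd_t, distccd_log_t, distccd_var_run_t;` / `type distccd_tmp_t, distccd_initrc_exec_t;`. The rest of `distcc_admin` is outside the hunk, so I could not check whether `disccd_var_run_t` is referenced further down.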
corenet_tcp_sendrecv_generic_if(djbdns_$1_t) -+ corenet_udp_sendrecv_generic_if(djbdns_$1_t) -+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t) -+ corenet_udp_sendrecv_generic_node(djbdns_$1_t) -+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t) -+ corenet_udp_sendrecv_all_ports(djbdns_$1_t) -+ corenet_tcp_bind_generic_node(djbdns_$1_t) -+ corenet_udp_bind_generic_node(djbdns_$1_t) -+ corenet_tcp_bind_dns_port(djbdns_$1_t) -+ corenet_udp_bind_dns_port(djbdns_$1_t) -+ corenet_udp_bind_generic_port(djbdns_$1_t) -+ corenet_sendrecv_dns_server_packets(djbdns_$1_t) -+ corenet_sendrecv_generic_server_packets(djbdns_$1_t) -+ -+ files_search_var(djbdns_$1_t) - ') - - ##################################### -diff --git a/djbdns.te b/djbdns.te -index 463d290..df50e4c 100644 ---- a/djbdns.te -+++ b/djbdns.te -@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain) - - files_search_var(djbdns_domain) - -+daemontools_ipc_domain(djbdns_axfrdns_t) -+daemontools_read_svc(djbdns_axfrdns_t) -+ -+ - ######################################## - # - # axfrdns local policy -diff --git a/dkim.fc b/dkim.fc -index 5818418..674367b 100644 ---- a/dkim.fc -+++ b/dkim.fc -@@ -9,7 +9,6 @@ - - /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - --/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) - -diff --git a/dmidecode.if b/dmidecode.if -index 41c3f67..653a1ec 100644 ---- a/dmidecode.if -+++ b/dmidecode.if -@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',` - domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) - ') - -+###################################### -+## -+## Execute dmidecode in the caller domain. -+## -+## -+## -+## Domain allowed access. 
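Review bot: The corenet rules and `files_search_var` added to `djbdns_daemontools_domain_template` appear to duplicate what djbdns.te already grants through the `djbdns_domain` attribute (the context of the djbdns.te hunk below shows `corenet_udp_bind_generic_port(djbdns_domain)` and `files_search_var(djbdns_domain)`); if `djbdns_$1_t` is added to that attribute the new lines are redundant, and if it is not, that is the thing to fix instead. A comment at the top of the block saying why per-domain copies are needed would keep a later reader from deleting one set. The template's opening is outside the hunk, so I could not see whether `typeattribute djbdns_$1_t djbdns_domain;` is present.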
-+## -+## -+# -+interface(`dmidecode_exec',` -+ gen_require(` -+ type dmidecode_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, dmidecode_exec_t) -+') -+ - ######################################## - ## - ## Execute dmidecode in the dmidecode -diff --git a/dmidecode.te b/dmidecode.te -index c947c2c..8d4d843 100644 ---- a/dmidecode.te -+++ b/dmidecode.te -@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t) - - locallogin_use_fds(dmidecode_t) - --userdom_use_user_terminals(dmidecode_t) -+userdom_use_inherited_user_terminals(dmidecode_t) -+ -+optional_policy(` -+ rhsmcertd_rw_inherited_lock_files(dmidecode_t) -+') -diff --git a/dnsmasq.fc b/dnsmasq.fc -index 23ab808..4a801b5 100644 ---- a/dnsmasq.fc -+++ b/dnsmasq.fc -@@ -2,6 +2,8 @@ - - /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) - -+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) -+ - /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - - /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..1e8b244 100644 ---- a/dnsmasq.if -+++ b/dnsmasq.if -@@ -10,7 +10,6 @@ - ## - ## - # --# - interface(`dnsmasq_domtrans',` - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; -@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',` - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) - ') - -+####################################### -+## -+## Execute dnsmasq server in the caller domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dnsmasq_exec',` -+ gen_require(` -+ type dnsmasq_exec_t; -+ ') -+ -+ can_exec($1, dnsmasq_exec_t) -+') -+ -+######################################## -+## -+## Allow read/write dnsmasq pipes -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dnsmasq_rw_inherited_pipes',` -+ gen_require(` -+ type dnsmasq_t; -+ ') -+ -+ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ - ######################################## - ## - ## Execute the dnsmasq init script in -@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',` - - ######################################## - ## -+## Execute dnsmasq server in the dnsmasq domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dnsmasq_systemctl',` -+ gen_require(` -+ type dnsmasq_unit_file_t; -+ type dnsmasq_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 dnsmasq_unit_file_t:file read_file_perms; -+ allow $1 dnsmasq_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, dnsmasq_t) -+') -+ -+######################################## -+## -+## Send sigchld to dnsmasq. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_sigchld',` -+ gen_require(` -+ type dnsmasq_t; -+ ') -+ -+ allow $1 dnsmasq_t:process sigchld; -+') -+ -+######################################## -+## - ## Send generic signals to dnsmasq. - ## - ## -@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',` - ## - ## - # --# - interface(`dnsmasq_delete_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - -+ files_search_pids($1) - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) - ') - -+ - ######################################## - ## - ## Create, read, write, and delete -@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',` - - ######################################## - ## --## Read dnsmasq pid files. 
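Review bot: `dnsmasq_systemctl` omits the `systemd_search_unit_dirs($1)` call that its sibling `dhcpd_systemctl` in this same patch includes, so a caller with no other search access to the unit directories may read `dnsmasq_unit_file_t` but cannot reach it; add `systemd_search_unit_dirs($1)` after `systemd_exec_systemctl($1)` so the two interfaces agree. `dnsmasq_sigchld` is preceded by a doubled `#` line before `interface(`, the same stray marker this patch removes from `dnsmasq_domtrans` and `dnsmasq_delete_pid_files`; keep one `#` here too.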
-+## Read dnsmasq pid files - ## - ## - ## -@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',` - ## - ## - # --# - interface(`dnsmasq_read_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - -+ files_search_pids($1) - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) - ') - -@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',` - - ######################################## - ## --## Create specified objects in specified --## directories with a type transition to --## the dnsmasq pid file type. -+## Transition to dnsmasq named content - ## - ## - ## --## Domain allowed access. --## --## --## --## --## Directory to transition on. --## --## --## --## --## The object class of the object being created. -+## Domain allowed access. - ## - ## --## -+## - ## --## The name of the object being created. -+## The type of the directory for the object to be created. - ## - ## - # --interface(`dnsmasq_spec_filetrans_pid',` -+interface(`dnsmasq_filetrans_named_content_fromdir',` - gen_require(` - type dnsmasq_var_run_t; - ') - -- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4) -+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network") -+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid") -+') -+ -+####################################### -+## -+## Transition to dnsmasq named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dnsmasq_filetrans_named_content',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') -+ -+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network") -+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid") -+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network") - ') - - ######################################## -@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',` - interface(`dnsmasq_admin',` - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; -- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; -+ type dnsmasq_var_log_t; -+ type dnsmasq_initrc_exec_t; -+ type dnsmasq_unit_file_t; - ') - -- allow $1 dnsmasq_t:process { ptrace signal_perms }; -+ allow $1 dnsmasq_t:process signal_perms; - ps_process_pattern($1, dnsmasq_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dnsmasq_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',` - files_list_var_lib($1) - admin_pattern($1, dnsmasq_lease_t) - -- logging_seearch_logs($1) -+ logging_search_logs($1) - admin_pattern($1, dnsmasq_var_log_t) - - files_list_pids($1) - admin_pattern($1, dnsmasq_var_run_t) -+ -+ dnsmasq_systemctl($1) -+ admin_pattern($1, dnsmasq_unit_file_t) -+ allow $1 dnsmasq_unit_file_t:service all_service_perms; - ') -diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..a3e6c7c 100644 ---- a/dnsmasq.te -+++ b/dnsmasq.te -@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) - type dnsmasq_var_run_t; - files_pid_file(dnsmasq_var_run_t) - -+type dnsmasq_unit_file_t; -+systemd_unit_file(dnsmasq_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) - files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) - - kernel_read_kernel_sysctls(dnsmasq_t) 
-+kernel_read_net_sysctls(dnsmasq_t) - kernel_read_network_state(dnsmasq_t) - kernel_read_system_state(dnsmasq_t) - kernel_request_load_module(dnsmasq_t) - --corenet_all_recvfrom_unlabeled(dnsmasq_t) -+corecmd_exec_bin(dnsmasq_t) -+corecmd_exec_shell(dnsmasq_t) -+ - corenet_all_recvfrom_netlabel(dnsmasq_t) - corenet_tcp_sendrecv_generic_if(dnsmasq_t) - corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t) - - auth_use_nsswitch(dnsmasq_t) - --logging_send_syslog_msg(dnsmasq_t) -+libs_exec_ldconfig(dnsmasq_t) - --miscfiles_read_localization(dnsmasq_t) -+logging_send_syslog_msg(dnsmasq_t) - - userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +104,21 @@ optional_policy(` - ') - - optional_policy(` -+ cron_manage_pid_files(dnsmasq_t) -+') -+ -+optional_policy(` - dbus_connect_system_bus(dnsmasq_t) - dbus_system_bus_client(dnsmasq_t) - ') - - optional_policy(` -- networkmanager_read_pid_files(dnsmasq_t) -+ dnsmasq_domtrans(dnsmasq_t) -+') -+ -+optional_policy(` -+ networkmanager_read_conf(dnsmasq_t) -+ networkmanager_manage_pid_files(dnsmasq_t) - ') - - optional_policy(` -@@ -124,6 +139,14 @@ optional_policy(` - - optional_policy(` - virt_manage_lib_files(dnsmasq_t) -+ virt_read_lib_files(dnsmasq_t) - virt_read_pid_files(dnsmasq_t) - virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) - ') -+ -+optional_policy(` -+ neutron_manage_lib_files(dnsmasq_t) -+ neutron_stream_connect(dnsmasq_t) -+ neutron_rw_fifo_file(dnsmasq_t) -+ neutron_sigchld(dnsmasq_t) -+') -diff --git a/dnssec.fc b/dnssec.fc -new file mode 100644 -index 0000000..9e231a8 ---- /dev/null -+++ b/dnssec.fc -@@ -0,0 +1,3 @@ -+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) -+ -+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) -diff --git a/dnssec.if b/dnssec.if -new file mode 100644 -index 0000000..a952041 ---- /dev/null -+++ 
b/dnssec.if -@@ -0,0 +1,64 @@ -+ -+## policy for dnssec_trigger -+ -+######################################## -+## -+## Transition to dnssec_trigger. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dnssec_trigger_domtrans',` -+ gen_require(` -+ type dnssec_trigger_t, dnssec_trigger_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t) -+') -+######################################## -+## -+## Read dnssec_trigger PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dnssec_trigger_read_pid_files',` -+ gen_require(` -+ type dnssec_trigger_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 dnssec_trigger_var_run_t:file read_file_perms; -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an dnssec_trigger environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dnssec_trigger_admin',` -+ gen_require(` -+ type dnssec_trigger_t; -+ type dnssec_trigger_var_run_t; -+ ') -+ -+ allow $1 dnssec_trigger_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dnssec_trigger_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, dnssec_trigger_var_run_t) -+') -diff --git a/dnssec.te b/dnssec.te -new file mode 100644 -index 0000000..7f715f8 ---- /dev/null -+++ b/dnssec.te -@@ -0,0 +1,58 @@ -+policy_module(dnssec, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type dnssec_trigger_t; -+type dnssec_trigger_exec_t; -+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t) -+ -+type dnssec_trigger_var_run_t; -+files_pid_file(dnssec_trigger_var_run_t) -+ -+######################################## -+# -+# dnssec_trigger local policy -+# -+allow dnssec_trigger_t self:capability linux_immutable; -+allow dnssec_trigger_t self:process signal; -+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; -+allow dnssec_trigger_t self:unix_stream_socket 
create_stream_socket_perms; -+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms; -+allow dnssec_trigger_t self:udp_socket create_socket_perms; -+ -+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) -+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) -+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) -+ -+kernel_read_system_state(dnssec_trigger_t) -+ -+corecmd_exec_bin(dnssec_trigger_t) -+corecmd_exec_shell(dnssec_trigger_t) -+ -+corenet_tcp_bind_generic_node(dnssec_trigger_t) -+corenet_tcp_bind_dnssec_port(dnssec_trigger_t) -+corenet_tcp_connect_rndc_port(dnssec_trigger_t) -+corenet_tcp_connect_http_port(dnssec_trigger_t) -+ -+dev_read_urand(dnssec_trigger_t) -+ -+domain_use_interactive_fds(dnssec_trigger_t) -+ -+files_read_etc_runtime_files(dnssec_trigger_t) -+ -+logging_send_syslog_msg(dnssec_trigger_t) -+ -+auth_read_passwd(dnssec_trigger_t) -+ -+sysnet_dns_name_resolve(dnssec_trigger_t) -+sysnet_manage_config(dnssec_trigger_t) -+ -+optional_policy(` -+ bind_read_config(dnssec_trigger_t) -+ bind_read_dnssec_keys(dnssec_trigger_t) -+') -+ -+ -diff --git a/dnssectrigger.te b/dnssectrigger.te -index ef36d73..fddd51f 100644 ---- a/dnssectrigger.te -+++ b/dnssectrigger.te -@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t) - - logging_send_syslog_msg(dnssec_triggerd_t) - --miscfiles_read_localization(dnssec_triggerd_t) -- - sysnet_dns_name_resolve(dnssec_triggerd_t) - sysnet_manage_config(dnssec_triggerd_t) - sysnet_etc_filetrans_config(dnssec_triggerd_t) -diff --git a/docker.fc b/docker.fc -new file mode 100644 -index 0000000..484dd44 ---- /dev/null -+++ b/docker.fc -@@ -0,0 +1,12 @@ -+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) -+ -+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) -+ -+/var/lib/docker(/.*)? 
gen_context(system_u:object_r:docker_var_lib_t,s0) -+ -+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) -+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) -+ -+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) -+ -+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0) -\ No newline at end of file -diff --git a/docker.if b/docker.if -new file mode 100644 -index 0000000..097c75c ---- /dev/null -+++ b/docker.if -@@ -0,0 +1,202 @@ -+ -+## policy for docker -+ -+######################################## -+## -+## Execute TEMPLATE in the docker domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`docker_domtrans',` -+ gen_require(` -+ type docker_t, docker_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, docker_exec_t, docker_t) -+') -+ -+######################################## -+## -+## Search docker lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_search_lib',` -+ gen_require(` -+ type docker_var_lib_t; -+ ') -+ -+ allow $1 docker_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read docker lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_read_lib_files',` -+ gen_require(` -+ type docker_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) -+') -+ -+######################################## -+## -+## Manage docker lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_manage_lib_files',` -+ gen_require(` -+ type docker_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) -+') -+ -+######################################## -+## -+## Manage docker lib directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`docker_manage_lib_dirs',` -+ gen_require(` -+ type docker_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) -+') -+ -+######################################## -+## -+## Read docker PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_read_pid_files',` -+ gen_require(` -+ type docker_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, docker_var_run_t, docker_var_run_t) -+') -+ -+######################################## -+## -+## Execute docker server in the docker domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`docker_systemctl',` -+ gen_require(` -+ type docker_t; -+ type docker_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 docker_unit_file_t:file read_file_perms; -+ allow $1 docker_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, docker_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an docker environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`docker_admin',` -+ gen_require(` -+ type docker_t; -+ type docker_var_lib_t; -+ type docker_var_run_t; -+ type docker_unit_file_t; -+ ') -+ -+ allow $1 docker_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, docker_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, docker_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, docker_var_run_t) -+ -+ docker_systemctl($1) -+ admin_pattern($1, docker_unit_file_t) -+ allow $1 docker_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -+ -+######################################## -+## -+## Read and write docker shared memory. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_rw_sem',` -+ gen_require(` -+ type docker_t; -+ ') -+ -+ allow $1 docker_t:sem rw_sem_perms; -+') -diff --git a/docker.te b/docker.te -new file mode 100644 -index 0000000..1229d66 ---- /dev/null -+++ b/docker.te -@@ -0,0 +1,133 @@ -+policy_module(docker, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type docker_t; -+type docker_exec_t; -+init_daemon_domain(docker_t, docker_exec_t) -+ -+type docker_var_lib_t; -+files_type(docker_var_lib_t) -+ -+type docker_log_t; -+logging_log_file(docker_log_t) -+ -+type docker_tmp_t; -+files_tmp_file(docker_tmp_t) -+ -+type docker_var_run_t; -+files_pid_file(docker_var_run_t) -+ -+type docker_unit_file_t; -+systemd_unit_file(docker_unit_file_t) -+ -+######################################## -+# -+# docker local policy -+# -+allow docker_t self:capability { chown fowner fsetid mknod net_admin }; -+allow docker_t self:process signal_perms; -+allow docker_t self:fifo_file rw_fifo_file_perms; -+allow docker_t self:unix_stream_socket create_stream_socket_perms; -+allow docker_t self:capability2 block_suspend; -+ -+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) -+manage_files_pattern(docker_t, docker_log_t, docker_log_t) -+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) -+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t) -+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) -+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) -+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) -+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) -+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) -+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) 
-+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) -+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) -+manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) -+manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) -+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) -+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) -+ -+kernel_read_system_state(docker_t) -+kernel_read_network_state(docker_t) -+kernel_read_all_sysctls(docker_t) -+ -+domain_use_interactive_fds(docker_t) -+ -+corecmd_exec_bin(docker_t) -+corecmd_exec_shell(docker_t) -+ -+corenet_tcp_bind_generic_node(docker_t) -+ -+files_read_etc_files(docker_t) -+ -+fs_read_cgroup_files(docker_t) -+ -+auth_use_nsswitch(docker_t) -+ -+miscfiles_read_localization(docker_t) -+ -+mount_domtrans(docker_t) -+ -+sysnet_dns_name_resolve(docker_t) -+sysnet_exec_ifconfig(docker_t) -+ -+optional_policy(` -+ fstools_domtrans(docker_t) -+') -+ -+optional_policy(` -+ iptables_domtrans(docker_t) -+') -+ -+# -+# lxc rules -+# -+ -+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process { setsched signal_perms }; -+allow docker_t self:netlink_route_socket nlmsg_write; -+allow docker_t self:unix_dgram_socket create_socket_perms; -+ -+allow docker_t docker_var_lib_t:dir mounton; -+ -+kernel_setsched(docker_t) -+ -+dev_getattr_all_blk_files(docker_t) -+dev_read_urand(docker_t) -+dev_read_lvm_control(docker_t) -+dev_read_sysfs(docker_t) -+ -+files_manage_isid_type_dirs(docker_t) -+files_manage_isid_type_files(docker_t) -+files_manage_isid_type_symlinks(docker_t) -+files_manage_isid_type_chr_files(docker_t) -+files_exec_isid_files(docker_t) -+files_mounton_isid(docker_t) -+files_mounton_non_security(docker_t) -+ -+fs_mount_all_fs(docker_t) -+fs_unmount_all_fs(docker_t) 
-+fs_remount_all_fs(docker_t) -+fs_manage_cgroup_dirs(docker_t) -+fs_manage_cgroup_files(docker_t) -+ -+term_use_generic_ptys(docker_t) -+term_use_ptmx(docker_t) -+term_getattr_pty_fs(docker_t) -+ -+modutils_domtrans_insmod(docker_t) -+ -+optional_policy(` -+ virt_read_config(docker_t) -+ virt_exec(docker_t) -+') -diff --git a/dovecot.fc b/dovecot.fc -index c880070..4448055 100644 ---- a/dovecot.fc -+++ b/dovecot.fc -@@ -1,36 +1,48 @@ --/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) --/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - --/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) --/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) -- --/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -+# -+# /etc -+# -+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) -+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) -+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - -+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) - /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - --/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) -+# Debian uses /etc/dovecot/ -+ifdef(`distro_debian',` -+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) -+') - --/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) --/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -+# -+# /usr -+# -+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) - --/etc/ssl/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_cert_t,s0) -+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) - --/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) --/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+ifdef(`distro_debian', ` - /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) --/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+') - --/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+ifdef(`distro_redhat', ` -+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) - /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) --/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) --/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+') - --/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) --/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) -+# -+# /var -+# -+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - --/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) -+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - --/var/log/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_var_log_t,s0) --/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) -+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) -+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - --/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff --git a/dovecot.if b/dovecot.if -index dbcac59..66d42bb 100644 ---- a/dovecot.if -+++ b/dovecot.if -@@ -1,29 +1,49 @@ --## POP and IMAP mail server. -+## Dovecot POP and IMAP mail server -+ -+###################################### -+## -+## Creates types and rules for a basic -+## dovecot daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`dovecot_basic_types_template',` -+ gen_require(` -+ attribute dovecot_domain; -+ ') -+ -+ type $1_t, dovecot_domain; -+ type $1_exec_t; -+ -+ kernel_read_system_state($1_t) -+') - - ####################################### - ## --## Connect to dovecot using a unix --## domain stream socket. -+## Connect to dovecot unix domain stream socket. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`dovecot_stream_connect',` -- gen_require(` -- type dovecot_t, dovecot_var_run_t; -- ') -+ gen_require(` -+ type dovecot_t, dovecot_var_run_t; -+ ') - -- files_search_pids($1) -- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) -+ files_search_pids($1) -+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) - ') - - ######################################## - ## --## Connect to dovecot using a unix --## domain stream socket. -+## Connect to dovecot auth unix domain stream socket. - ## - ## - ## -@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',` - - ######################################## - ## --## Execute dovecot_deliver in the --## dovecot_deliver domain. 
-+## Execute dovecot_deliver in the dovecot_deliver domain. - ## - ## - ## -@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',` - type dovecot_deliver_t, dovecot_deliver_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## dovecot spool files. -+## Create, read, write, and delete the dovecot spool files. - ## - ## - ## -@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',` - ') - - files_search_spool($1) -- allow $1 dovecot_spool_t:dir manage_dir_perms; -- allow $1 dovecot_spool_t:file manage_file_perms; -- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms; -+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) -+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) - ') - - ######################################## - ## --## Do not audit attempts to delete --## dovecot lib files. -+## Do not audit attempts to delete dovecot lib files. - ## - ## - ## -@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',` - type dovecot_var_lib_t; - ') - -- dontaudit $1 dovecot_var_lib_t:file delete_file_perms; -+ dontaudit $1 dovecot_var_lib_t:file unlink; - ') - - ###################################### - ## --## Write inherited dovecot tmp files. -+## Allow attempts to write inherited -+## dovecot tmp files. - ## - ## - ## -@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',` - - ######################################## - ## --## All of the rules required to --## administrate an dovecot environment. -+## All of the rules required to administrate -+## an dovecot environment - ## - ## - ## -@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the dovecot domain. 
- ## - ## - ## - # - interface(`dovecot_admin',` - gen_require(` -- type dovecot_t, dovecot_etc_t, dovecot_var_log_t; -- type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; -- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t; -- type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; -+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; -+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; -+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; -+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; - ') - -- allow $1 dovecot_t:process { ptrace signal_perms }; -+ allow $1 dovecot_t:process signal_perms; - ps_process_pattern($1, dovecot_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dovecot_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) -@@ -156,20 +175,25 @@ interface(`dovecot_admin',` - files_list_etc($1) - admin_pattern($1, dovecot_etc_t) - -- logging_list_logs($1) -- admin_pattern($1, dovecot_var_log_t) -+ files_list_tmp($1) -+ admin_pattern($1, dovecot_auth_tmp_t) -+ admin_pattern($1, dovecot_tmp_t) -+ -+ admin_pattern($1, dovecot_keytab_t) - - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) - -- files_search_tmp($1) -- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) -- - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) - -+ logging_search_logs($1) -+ admin_pattern($1, dovecot_var_log_t) -+ - files_list_pids($1) - admin_pattern($1, dovecot_var_run_t) - -- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) -+ admin_pattern($1, dovecot_cert_t) -+ -+ admin_pattern($1, dovecot_passwd_t) - ') -diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..d4a79a1 100644 ---- a/dovecot.te -+++ b/dovecot.te -@@ -1,4 +1,4 @@ --policy_module(dovecot, 1.15.6) -+policy_module(dovecot, 1.14.0) - - ######################################## - # -@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6) - - 
attribute dovecot_domain; - --type dovecot_t, dovecot_domain; --type dovecot_exec_t; -+dovecot_basic_types_template(dovecot) - init_daemon_domain(dovecot_t, dovecot_exec_t) - --type dovecot_auth_t, dovecot_domain; --type dovecot_auth_exec_t; -+dovecot_basic_types_template(dovecot_auth) - domain_type(dovecot_auth_t) - domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) - role system_r types dovecot_auth_t; -@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t) - type dovecot_cert_t; - miscfiles_cert_type(dovecot_cert_t) - --type dovecot_deliver_t, dovecot_domain; --type dovecot_deliver_exec_t; -+dovecot_basic_types_template(dovecot_deliver) - domain_type(dovecot_deliver_t) - domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) - role system_r types dovecot_deliver_t; -@@ -42,11 +39,12 @@ type dovecot_passwd_t; - files_type(dovecot_passwd_t) - - type dovecot_spool_t; --files_type(dovecot_spool_t) -+files_spool_file(dovecot_spool_t) - - type dovecot_tmp_t; - files_tmp_file(dovecot_tmp_t) - -+# /var/lib/dovecot holds SSL parameters file - type dovecot_var_lib_t; - files_type(dovecot_var_lib_t) - -@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t) - type dovecot_var_run_t; - files_pid_file(dovecot_var_run_t) - --######################################## -+####################################### - # --# Common local policy -+# dovecot domain local policy - # - - allow dovecot_domain self:capability2 block_suspend; --allow dovecot_domain self:fifo_file rw_fifo_file_perms; - --allow dovecot_domain dovecot_etc_t:dir list_dir_perms; --allow dovecot_domain dovecot_etc_t:file read_file_perms; --allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms; -+allow dovecot_domain self:unix_dgram_socket create_socket_perms; -+allow dovecot_domain self:fifo_file rw_fifo_file_perms; - - kernel_read_all_sysctls(dovecot_domain) --kernel_read_system_state(dovecot_domain) -+kernel_read_network_state(dovecot_domain) - - corecmd_exec_bin(dovecot_domain) - 
corecmd_exec_shell(dovecot_domain) -@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain) - dev_read_rand(dovecot_domain) - dev_read_urand(dovecot_domain) - -+# Dovecot now has quota support and it uses getmntent() to find the mountpoints. - files_read_etc_runtime_files(dovecot_domain) - --logging_send_syslog_msg(dovecot_domain) -- --miscfiles_read_localization(dovecot_domain) -- - ######################################## - # --# Local policy -+# dovecot local policy - # - --allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; -+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; - dontaudit dovecot_t self:capability sys_tty_config; - allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; --allow dovecot_t self:tcp_socket { accept listen }; --allow dovecot_t self:unix_stream_socket { accept connectto listen }; -+allow dovecot_t self:tcp_socket create_stream_socket_perms; -+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -+ -+allow dovecot_t dovecot_auth_t:process signal; - - allow dovecot_t dovecot_cert_t:dir list_dir_perms; --allow dovecot_t dovecot_cert_t:file read_file_perms; --allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms; -+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -+ -+allow dovecot_t dovecot_etc_t:dir list_dir_perms; -+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) -+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) -+files_search_etc(dovecot_t) -+ -+can_exec(dovecot_t, dovecot_exec_t) - - manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) - manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) - files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) - -+# 
Allow dovecot to create and read SSL parameters file - manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) -+files_search_var_lib(dovecot_t) -+files_read_var_symlinks(dovecot_t) - - manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) --append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) --create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) --setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) - logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) - - manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) - manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) - manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) - manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) --files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) -- --can_exec(dovecot_t, dovecot_exec_t) -- --allow dovecot_t dovecot_auth_t:process signal; -- --domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) - --corenet_all_recvfrom_unlabeled(dovecot_t) - corenet_all_recvfrom_netlabel(dovecot_t) - corenet_tcp_sendrecv_generic_if(dovecot_t) - corenet_tcp_sendrecv_generic_node(dovecot_t) - corenet_tcp_sendrecv_all_ports(dovecot_t) - corenet_tcp_bind_generic_node(dovecot_t) -- --corenet_sendrecv_mail_server_packets(dovecot_t) - corenet_tcp_bind_mail_port(dovecot_t) --corenet_sendrecv_pop_server_packets(dovecot_t) - corenet_tcp_bind_pop_port(dovecot_t) --corenet_sendrecv_sieve_server_packets(dovecot_t) -+corenet_tcp_bind_lmtp_port(dovecot_t) - corenet_tcp_bind_sieve_port(dovecot_t) -- --corenet_sendrecv_all_client_packets(dovecot_t) - 
corenet_tcp_connect_all_ports(dovecot_t) - corenet_tcp_connect_postgresql_port(dovecot_t) -+corenet_sendrecv_pop_server_packets(dovecot_t) -+corenet_sendrecv_all_client_packets(dovecot_t) -+ -+fs_getattr_all_fs(dovecot_t) -+fs_getattr_all_dirs(dovecot_t) -+fs_search_auto_mountpoints(dovecot_t) -+fs_list_inotifyfs(dovecot_t) - - domain_use_interactive_fds(dovecot_t) - --files_read_var_lib_files(dovecot_t) --files_read_var_symlinks(dovecot_t) - files_search_spool(dovecot_t) -+files_search_tmp(dovecot_t) - files_dontaudit_list_default(dovecot_t) - files_dontaudit_search_all_dirs(dovecot_t) - files_search_all_mountpoints(dovecot_t) -- --fs_getattr_all_fs(dovecot_t) --fs_getattr_all_dirs(dovecot_t) --fs_search_auto_mountpoints(dovecot_t) --fs_list_inotifyfs(dovecot_t) -+files_read_var_lib_files(dovecot_t) - - init_getattr_utmp(dovecot_t) - -@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t) - - miscfiles_read_generic_certs(dovecot_t) - --userdom_dontaudit_use_unpriv_user_fds(dovecot_t) --userdom_use_user_terminals(dovecot_t) -+logging_send_syslog_msg(dovecot_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(dovecot_t) -- fs_manage_nfs_files(dovecot_t) -- fs_manage_nfs_symlinks(dovecot_t) --') -+userdom_home_manager(dovecot_t) -+userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -+userdom_manage_user_home_content_dirs(dovecot_t) -+userdom_manage_user_home_content_files(dovecot_t) -+userdom_manage_user_home_content_symlinks(dovecot_t) -+userdom_manage_user_home_content_pipes(dovecot_t) -+userdom_manage_user_home_content_sockets(dovecot_t) -+userdom_filetrans_home_content(dovecot_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(dovecot_t) -- fs_manage_cifs_files(dovecot_t) -- fs_manage_cifs_symlinks(dovecot_t) -+optional_policy(` -+ mta_manage_home_rw(dovecot_t) -+ mta_manage_spool(dovecot_t) - ') - - optional_policy(` - kerberos_keytab_template(dovecot, dovecot_t) -- kerberos_manage_host_rcache(dovecot_t) -- 
kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") -+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") - ') - - optional_policy(` -- mta_manage_spool(dovecot_t) -- mta_manage_mail_home_rw_content(dovecot_t) -- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") -- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") -+ gnome_manage_data(dovecot_t) - ') - - optional_policy(` -- postgresql_stream_connect(dovecot_t) -+ postfix_manage_private_sockets(dovecot_t) -+ postfix_search_spool(dovecot_t) - ') - - optional_policy(` -- postfix_manage_private_sockets(dovecot_t) -- postfix_search_spool(dovecot_t) -+ postgresql_stream_connect(dovecot_t) - ') - - optional_policy(` -+ # Handle sieve scripts - sendmail_domtrans(dovecot_t) - ') - -@@ -221,46 +214,65 @@ optional_policy(` - - ######################################## - # --# Auth local policy -+# dovecot auth local policy - # - - allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; - allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; --allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; -+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - - read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) - -+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) -+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) -+ -+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -+ - manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) - manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) - files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) - - allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; - manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, 
dovecot_var_run_t) -+dovecot_stream_connect_auth(dovecot_auth_t) - --allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; -+corecmd_exec_bin(dovecot_auth_t) - --files_search_pids(dovecot_auth_t) --files_read_usr_files(dovecot_auth_t) --files_read_var_lib_files(dovecot_auth_t) -+logging_send_audit_msgs(dovecot_auth_t) - - auth_domtrans_chk_passwd(dovecot_auth_t) - auth_use_nsswitch(dovecot_auth_t) - --init_rw_utmp(dovecot_auth_t) -+logging_send_syslog_msg(dovecot_auth_t) - --logging_send_audit_msgs(dovecot_auth_t) -+files_search_pids(dovecot_auth_t) -+files_read_usr_symlinks(dovecot_auth_t) -+files_read_var_lib_files(dovecot_auth_t) -+files_search_tmp(dovecot_auth_t) - --seutil_dontaudit_search_config(dovecot_auth_t) -+fs_getattr_xattr_fs(dovecot_auth_t) -+ -+init_rw_utmp(dovecot_auth_t) - - sysnet_use_ldap(dovecot_auth_t) - -+systemd_login_read_pid_files(dovecot_auth_t) -+ -+userdom_getattr_user_home_dirs(dovecot_auth_t) -+ - optional_policy(` -+ kerberos_use(dovecot_auth_t) -+ -+ # for gssapi (kerberos) - userdom_list_user_tmp(dovecot_auth_t) - userdom_read_user_tmp_files(dovecot_auth_t) - userdom_read_user_tmp_symlinks(dovecot_auth_t) - ') - - optional_policy(` -+ mysql_search_db(dovecot_auth_t) - mysql_stream_connect(dovecot_auth_t) - mysql_read_config(dovecot_auth_t) - mysql_tcp_connect(dovecot_auth_t) -@@ -271,15 +283,30 @@ optional_policy(` - ') - - optional_policy(` -+ dbus_system_bus_client(dovecot_auth_t) -+ optional_policy(` -+ oddjob_dbus_chat(dovecot_auth_t) -+ oddjob_domtrans_mkhomedir(dovecot_auth_t) -+ ') -+') -+ -+optional_policy(` - postfix_manage_private_sockets(dovecot_auth_t) -+ postfix_rw_inherited_master_pipes(dovecot_deliver_t) - postfix_search_spool(dovecot_auth_t) - ') - - ######################################## - # --# Deliver local policy -+# dovecot deliver local policy - # - -+allow dovecot_deliver_t dovecot_t:process signull; -+ -+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; 
-+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) -+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) -+ - allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; - - append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t - files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) - - allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; --allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms; --allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms; -- --stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t }) -+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) -+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) -+dovecot_stream_connect(dovecot_deliver_t) - - can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) - --allow dovecot_deliver_t dovecot_t:process signull; -+auth_use_nsswitch(dovecot_deliver_t) - --fs_getattr_all_fs(dovecot_deliver_t) -+logging_append_all_logs(dovecot_deliver_t) -+logging_send_syslog_msg(dovecot_deliver_t) - --auth_use_nsswitch(dovecot_deliver_t) -+dovecot_stream_connect_auth(dovecot_deliver_t) - --logging_search_logs(dovecot_deliver_t) -+files_search_tmp(dovecot_deliver_t) -+files_dontaudit_getattr_all_dirs(dovecot_deliver_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(dovecot_deliver_t) -- fs_manage_nfs_files(dovecot_deliver_t) -- fs_manage_nfs_symlinks(dovecot_deliver_t) --') -+fs_getattr_all_fs(dovecot_deliver_t) -+fs_dontaudit_getattr_all_fs(dovecot_deliver_t) -+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t) -+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t) -+ -+userdom_manage_user_home_content_dirs(dovecot_deliver_t) -+userdom_manage_user_home_content_files(dovecot_deliver_t) 
-+userdom_manage_user_home_content_symlinks(dovecot_deliver_t) -+userdom_manage_user_home_content_pipes(dovecot_deliver_t) -+userdom_manage_user_home_content_sockets(dovecot_deliver_t) -+userdom_filetrans_home_content(dovecot_deliver_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(dovecot_deliver_t) -- fs_manage_cifs_files(dovecot_deliver_t) -- fs_manage_cifs_symlinks(dovecot_deliver_t) -+userdom_home_manager(dovecot_deliver_t) -+ -+optional_policy(` -+ gnome_manage_data(dovecot_deliver_t) - ') - - optional_policy(` - mta_mailserver_delivery(dovecot_deliver_t) -+ mta_manage_spool(dovecot_deliver_t) - mta_read_queue(dovecot_deliver_t) - ') - -@@ -326,5 +361,6 @@ optional_policy(` - ') - - optional_policy(` -+ # Handle sieve scripts - sendmail_domtrans(dovecot_deliver_t) - ') -diff --git a/drbd.if b/drbd.if -index 9a21639..26c5986 100644 ---- a/drbd.if -+++ b/drbd.if -@@ -2,12 +2,11 @@ - - ######################################## - ## --## Execute a domain transition to --## run drbd. -+## Execute a domain transition to run drbd. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # -@@ -16,14 +15,91 @@ interface(`drbd_domtrans',` - type drbd_t, drbd_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, drbd_exec_t, drbd_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an drbd environment. -+## Search drbd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`drbd_search_lib',` -+ gen_require(` -+ type drbd_var_lib_t; -+ ') -+ -+ allow $1 drbd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read drbd lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`drbd_read_lib_files',` -+ gen_require(` -+ type drbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## drbd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`drbd_manage_lib_files',` -+ gen_require(` -+ type drbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage drbd lib dirs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`drbd_manage_lib_dirs',` -+ gen_require(` -+ type drbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an drbd environment - ## - ## - ## -@@ -35,7 +111,6 @@ interface(`drbd_domtrans',` - ## Role allowed access. 
- ## - ## --## - # - interface(`drbd_admin',` - gen_require(` -@@ -43,9 +118,13 @@ interface(`drbd_admin',` - type drbd_var_lib_t; - ') - -- allow $1 drbd_t:process { ptrace signal_perms }; -+ allow $1 drbd_t:process signal_perms; - ps_process_pattern($1, drbd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 drbd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, drbd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 drbd_initrc_exec_t system_r; -@@ -57,3 +136,4 @@ interface(`drbd_admin',` - files_search_var_lib($1) - admin_pattern($1, drbd_var_lib_t) - ') -+ -diff --git a/drbd.te b/drbd.te -index 8e5ee54..6e11edb 100644 ---- a/drbd.te -+++ b/drbd.te -@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; - allow drbd_t self:fifo_file rw_fifo_file_perms; - allow drbd_t self:unix_stream_socket create_stream_socket_perms; - allow drbd_t self:netlink_socket create_socket_perms; --allow drbd_t self:netlink_route_socket nlmsg_write; -+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms; - - manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) - manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -@@ -46,10 +46,6 @@ dev_read_rand(drbd_t) - dev_read_sysfs(drbd_t) - dev_read_urand(drbd_t) - --files_read_etc_files(drbd_t) -- - storage_raw_read_fixed_disk(drbd_t) - --miscfiles_read_localization(drbd_t) -- - sysnet_dns_name_resolve(drbd_t) -diff --git a/dspam.fc b/dspam.fc -index 5eddac5..3ea0423 100644 ---- a/dspam.fc -+++ b/dspam.fc -@@ -5,8 +5,13 @@ - /usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) - - /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) --/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) - - /var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) - - /var/run/dspam(/.*)? 
gen_context(system_u:object_r:dspam_var_run_t,s0) -+ -+# web -+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) -+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) -+ -+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) -diff --git a/dspam.if b/dspam.if -index 18f2452..a446210 100644 ---- a/dspam.if -+++ b/dspam.if -@@ -1,13 +1,15 @@ --## Content-based spam filter designed for multi-user enterprise systems. -+ -+## policy for dspam -+ - - ######################################## - ## - ## Execute a domain transition to run dspam. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`dspam_domtrans',` -@@ -15,35 +17,211 @@ interface(`dspam_domtrans',` - type dspam_t, dspam_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, dspam_exec_t, dspam_t) - ') - --####################################### -+ -+######################################## - ## --## Connect to dspam using a unix --## domain stream socket. -+## Execute dspam server in the dspam domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`dspam_initrc_domtrans',` -+ gen_require(` -+ type dspam_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, dspam_initrc_exec_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to read dspam's log files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`dspam_stream_connect',` -+interface(`dspam_read_log',` -+ gen_require(` -+ type dspam_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, dspam_log_t, dspam_log_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to append -+## dspam log files. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`dspam_append_log',` -+ gen_require(` -+ type dspam_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, dspam_log_t, dspam_log_t) -+') -+ -+######################################## -+## -+## Allow domain to manage dspam log files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dspam_manage_log',` -+ gen_require(` -+ type dspam_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t) -+ manage_files_pattern($1, dspam_log_t, dspam_log_t) -+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t) -+') -+ -+######################################## -+## -+## Search dspam lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dspam_search_lib',` -+ gen_require(` -+ type dspam_var_lib_t; -+ ') -+ -+ allow $1 dspam_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read dspam lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dspam_read_lib_files',` -+ gen_require(` -+ type dspam_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## dspam lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dspam_manage_lib_files',` -+ gen_require(` -+ type dspam_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) -+') -+ -+######################################## -+## -+## Manage dspam lib dirs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dspam_manage_lib_dirs',` - gen_require(` -- type dspam_t, dspam_var_run_t, dspam_tmp_t; -+ type dspam_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t) -+') -+ -+ -+######################################## -+## -+## Read dspam PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dspam_read_pid_files',` -+ gen_require(` -+ type dspam_var_run_t; - ') - - files_search_pids($1) -+ allow $1 dspam_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Connect to DSPAM using a unix domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dspam_stream_connect',` -+ gen_require(` -+ type dspam_t, dspam_var_run_t, dspam_tmp_t; -+ ') -+ -+ files_search_pids($1) - files_search_tmp($1) -- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t) -+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t) -+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an dspam environment. 
-+## All of the rules required to administrate -+## an dspam environment - ## - ## - ## -@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',` - # - interface(`dspam_admin',` - gen_require(` -- type dspam_t, dspam_initrc_exec_t, dspam_log_t; -- type dspam_var_lib_t, dspam_var_run_t; -+ type dspam_t; -+ type dspam_initrc_exec_t; -+ type dspam_log_t; -+ type dspam_var_lib_t; -+ type dspam_var_run_t; - ') - -- allow $1 dspam_t:process { ptrace signal_perms }; -+ allow $1 dspam_t:process signal_perms; - ps_process_pattern($1, dspam_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dspam_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, dspam_initrc_exec_t) -+ dspam_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 dspam_initrc_exec_t system_r; - allow $2 system_r; -@@ -79,4 +263,5 @@ interface(`dspam_admin',` - - files_search_pids($1) - admin_pattern($1, dspam_var_run_t) -+ - ') -diff --git a/dspam.te b/dspam.te -index 266cb8f..b619351 100644 ---- a/dspam.te -+++ b/dspam.te -@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) - - allow dspam_t self:capability net_admin; - allow dspam_t self:process signal; -+ -+allow dspam_t self:tcp_socket { listen accept }; -+ - allow dspam_t self:fifo_file rw_fifo_file_perms; - allow dspam_t self:unix_stream_socket { accept listen }; - -@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t) - corenet_tcp_bind_spamd_port(dspam_t) - corenet_tcp_connect_spamd_port(dspam_t) - corenet_tcp_sendrecv_spamd_port(dspam_t) -+corenet_tcp_bind_lmtp_port(dspam_t) -+corenet_tcp_connect_lmtp_port(dspam_t) -+ -+kernel_read_system_state(dspam_t) -+ -+corecmd_exec_shell(dspam_t) - - files_search_spool(dspam_t) - -@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t) - - logging_send_syslog_msg(dspam_t) - --miscfiles_read_localization(dspam_t) -- - optional_policy(` - apache_content_template(dspam) - -+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) -+ -+ 
files_search_var_lib(httpd_dspam_script_t) - list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) -- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) -- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) -+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -+ -+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) -+ -+ term_dontaudit_search_ptys(httpd_dspam_script_t) -+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) -+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) -+ -+ init_read_utmp(httpd_dspam_script_t) -+ -+ logging_send_syslog_msg(httpd_dspam_script_t) -+ -+ mta_send_mail(httpd_dspam_script_t) -+ -+ optional_policy(` -+ mysql_tcp_connect(httpd_dspam_script_t) -+ mysql_stream_connect(httpd_dspam_script_t) -+ ') - ') - - optional_policy(` -@@ -87,3 +114,12 @@ optional_policy(` - - postgresql_tcp_connect(dspam_t) - ') -+ -+optional_policy(` -+ postfix_rw_inherited_master_pipes(dspam_t) -+ postfix_list_spool(dspam_t) -+') -+ -+optional_policy(` -+ procmail_domtrans(dspam_t) -+') -diff --git a/entropyd.te b/entropyd.te -index a0da189..d8bc9d5 100644 ---- a/entropyd.te -+++ b/entropyd.te -@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) - dev_read_rand(entropyd_t) - dev_write_rand(entropyd_t) - --files_read_etc_files(entropyd_t) --files_read_usr_files(entropyd_t) -- - fs_getattr_all_fs(entropyd_t) - fs_search_auto_mountpoints(entropyd_t) - -@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t) - - logging_send_syslog_msg(entropyd_t) - --miscfiles_read_localization(entropyd_t) -+auth_use_nsswitch(entropyd_t) - - userdom_dontaudit_use_unpriv_user_fds(entropyd_t) - userdom_dontaudit_search_user_home_dirs(entropyd_t) -diff --git a/evolution.fc b/evolution.fc -index 597f305..8520653 100644 ---- a/evolution.fc -+++ b/evolution.fc -@@ -1,5 +1,6 @@ - 
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) - HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) -+HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) - - /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) - -diff --git a/evolution.te b/evolution.te -index 94fb625..3742ee1 100644 ---- a/evolution.te -+++ b/evolution.te -@@ -168,7 +168,6 @@ dev_read_urand(evolution_t) - - domain_dontaudit_read_all_domains_state(evolution_t) - --files_read_usr_files(evolution_t) - - fs_search_auto_mountpoints(evolution_t) - -@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t) - - userdom_manage_user_home_content_dirs(evolution_t) - userdom_manage_user_home_content_files(evolution_t) --userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file }) -+userdom_filetrans_home_content(evolution_t) - - userdom_write_user_tmp_sockets(evolution_t) - -@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio - - dev_read_urand(evolution_alarm_t) - --files_read_usr_files(evolution_alarm_t) - - fs_search_auto_mountpoints(evolution_alarm_t) - -@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t) - - dev_read_urand(evolution_exchange_t) - --files_read_usr_files(evolution_exchange_t) - - fs_search_auto_mountpoints(evolution_exchange_t) - -@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t) - - dev_read_urand(evolution_server_t) - --files_read_usr_files(evolution_server_t) - - fs_search_auto_mountpoints(evolution_server_t) - -diff --git a/exim.if b/exim.if -index 6041113..ef3b449 100644 ---- a/exim.if -+++ b/exim.if -@@ -21,35 +21,51 @@ interface(`exim_domtrans',` - - ######################################## - ## --## Execute exim in the exim domain, --## and allow the specified role --## the exim domain. -+## Execute the mailman program in the mailman domain. 
- ## - ## --## --## Domain allowed to transition. --## -+## -+## Domain allowed to transition. -+## - ## - ## --## --## Role allowed access. --## -+## -+## The role to allow the mailman domain. -+## - ## - ## - # - interface(`exim_run',` -+ gen_require(` -+ type exim_t; -+ ') -+ -+ exim_domtrans($1) -+ role $2 types exim_t; -+') -+ -+######################################## -+## -+## Execute exim in the exim domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`exim_initrc_domtrans',` - gen_require(` -- attribute_role exim_roles; -+ type exim_initrc_exec_t; - ') - -- exim_domtrans($1) -- roleattribute $2 exim_roles; -+ init_labeled_script_domtrans($1, exim_initrc_exec_t) - ') - - ######################################## - ## --## Do not audit attempts to read exim --## temporary tmp files. -+## Do not audit attempts to read, -+## exim tmp files - ## - ## - ## -@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',` - - ######################################## - ## --## Read exim temporary files. -+## Allow domain to read, exim tmp files - ## - ## - ## -@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',` - - ######################################## - ## --## Read exim pid files. -+## Read exim PID files. - ## - ## - ## -@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',` - - ######################################## - ## --## Read exim log files. -+## Allow the specified domain to read exim's log files. - ## - ## - ## -@@ -125,7 +141,8 @@ interface(`exim_read_log',` - - ######################################## - ## --## Append exim log files. -+## Allow the specified domain to append -+## exim log files. - ## - ## - ## -@@ -144,8 +161,7 @@ interface(`exim_append_log',` - - ######################################## - ## --## Create, read, write, and delete --## exim log files. -+## Allow the specified domain to manage exim's log files. 
- ## - ## - ## -@@ -166,7 +182,7 @@ interface(`exim_manage_log',` - ######################################## - ## - ## Create, read, write, and delete --## exim spool directories. -+## exim spool dirs. - ## - ## - ## -@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',` - - ######################################## - ## --## All of the rules required to --## administrate an exim environment. -+## All of the rules required to administrate -+## an exim environment. - ## - ## - ## -@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',` - ## Role allowed access. - ## - ## --## - # - interface(`exim_admin',` - gen_require(` -- type exim_t, exim_spool_t, exim_log_t; -- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; -+ type exim_t, exim_initrc_exec_t, exim_log_t; -+ type exim_tmp_t, exim_spool_t, exim_var_run_t; - ') - -- allow $1 exim_t:process { ptrace signal_perms }; -+ allow $1 exim_t:process signal_perms; - ps_process_pattern($1, exim_t) - -- init_labeled_script_domtrans($1, exim_initrc_exec_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 exim_t:process ptrace; -+ ') -+ -+ exim_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 exim_initrc_exec_t system_r; - allow $2 system_r; -diff --git a/exim.te b/exim.te -index 19325ce..3e86b12 100644 ---- a/exim.te -+++ b/exim.te -@@ -49,7 +49,7 @@ type exim_log_t; - logging_log_file(exim_log_t) - - type exim_spool_t; --files_type(exim_spool_t) -+files_spool_file(exim_spool_t) - - type exim_tmp_t; - files_tmp_file(exim_tmp_t) -@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t) - - kernel_read_kernel_sysctls(exim_t) - kernel_read_network_state(exim_t) --kernel_dontaudit_read_system_state(exim_t) -+kernel_read_system_state(exim_t) - - corecmd_search_bin(exim_t) - --corenet_all_recvfrom_unlabeled(exim_t) - corenet_all_recvfrom_netlabel(exim_t) - corenet_tcp_sendrecv_generic_if(exim_t) - corenet_udp_sendrecv_generic_if(exim_t) -@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t) - - 
logging_send_syslog_msg(exim_t) - --miscfiles_read_localization(exim_t) - miscfiles_read_generic_certs(exim_t) - - userdom_dontaudit_search_user_home_dirs(exim_t) -@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',` - corenet_sendrecv_mssql_client_packets(exim_t) - corenet_tcp_connect_mssql_port(exim_t) - corenet_tcp_sendrecv_mssql_port(exim_t) -- corenet_sendrecv_oracledb_client_packets(exim_t) -- corenet_tcp_connect_oracledb_port(exim_t) -- corenet_tcp_sendrecv_oracledb_port(exim_t) -+ corenet_sendrecv_oracle_client_packets(exim_t) -+ corenet_tcp_connect_oracle_port(exim_t) -+ corenet_tcp_sendrecv_oracle_port(exim_t) - ') - - tunable_policy(`exim_read_user_files',` -@@ -170,8 +168,8 @@ tunable_policy(`exim_manage_user_files',` - ') - - optional_policy(` -- clamav_domtrans_clamscan(exim_t) -- clamav_stream_connect(exim_t) -+ antivirus_domtrans(exim_t) -+ antivirus_stream_connect(exim_t) - ') - - optional_policy(` -@@ -192,11 +190,6 @@ optional_policy(` - ') - - optional_policy(` -- mailman_read_data_files(exim_t) -- mailman_domtrans(exim_t) --') -- --optional_policy(` - nagios_search_spool(exim_t) - ') - -@@ -218,6 +211,7 @@ optional_policy(` - - optional_policy(` - procmail_domtrans(exim_t) -+ procmail_read_home_files(exim_t) - ') - - optional_policy(` -diff --git a/fail2ban.if b/fail2ban.if -index 50d0084..6565422 100644 ---- a/fail2ban.if -+++ b/fail2ban.if -@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',` - domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) - ') - --######################################## -+####################################### - ## --## Execute the fail2ban client in --## the fail2ban client domain. -+## Execute the fail2ban client in -+## the fail2ban client domain. - ## - ## --## --## Domain allowed to transition. --## -+## -+## Domain allowed to transition. 
-+## - ## - # - interface(`fail2ban_domtrans_client',` -- gen_require(` -- type fail2ban_client_t, fail2ban_client_exec_t; -- ') -+ gen_require(` -+ type fail2ban_client_t, fail2ban_client_exec_t; -+ ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) - ') - --######################################## -+####################################### - ## --## Execute fail2ban client in the --## fail2ban client domain, and allow --## the specified role the fail2ban --## client domain. -+## Execute fail2ban client in the -+## fail2ban client domain, and allow -+## the specified role the fail2ban -+## client domain. - ## - ## --## --## Domain allowed to transition. --## -+## -+## Domain allowed to transition. -+## - ## - ## --## --## Role allowed access. --## -+## -+## Role allowed access. -+## - ## - # - interface(`fail2ban_run_client',` -- gen_require(` -- attribute_role fail2ban_client_roles; -- ') -+ gen_require(` -+ attribute_role fail2ban_client_roles; -+ ') - -- fail2ban_domtrans_client($1) -- roleattribute $2 fail2ban_client_roles; -+ fail2ban_domtrans_client($1) -+ roleattribute $2 fail2ban_client_roles; - ') - - ##################################### - ## --## Connect to fail2ban over a --## unix domain stream socket. -+## Connect to fail2ban over a unix domain -+## stream socket. - ## - ## - ## -@@ -102,51 +102,12 @@ interface(`fail2ban_rw_inherited_tmp_files',` - ') - - files_search_tmp($1) -- allow $1 fail2ban_tmp_t:file { read write }; --') -- --######################################## --## --## Do not audit attempts to use --## fail2ban file descriptors. --## --## --## --## Domain to not audit. 
--## --## --# --interface(`fail2ban_dontaudit_use_fds',` -- gen_require(` -- type fail2ban_t; -- ') -- -- dontaudit $1 fail2ban_t:fd use; --') -- --######################################## --## --## Do not audit attempts to read and --## write fail2ban unix stream sockets --## --## --## --## Domain to not audit. --## --## --# --interface(`fail2ban_dontaudit_rw_stream_sockets',` -- gen_require(` -- type fail2ban_t; -- ') -- -- dontaudit $1 fail2ban_t:unix_stream_socket { read write }; -+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read and write fail2ban unix --## stream sockets. -+## Read and write to an fail2ba unix stream socket. - ## - ## - ## -@@ -178,12 +139,12 @@ interface(`fail2ban_read_lib_files',` - ') - - files_search_var_lib($1) -- allow $1 fail2ban_var_lib_t:file read_file_perms; -+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) - ') - - ######################################## - ## --## Read fail2ban log files. -+## Allow the specified domain to read fail2ban's log files. - ## - ## - ## -@@ -198,12 +159,14 @@ interface(`fail2ban_read_log',` - ') - - logging_search_logs($1) -+ allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file read_file_perms; - ') - - ######################################## - ## --## Append fail2ban log files. -+## Allow the specified domain to append -+## fail2ban log files. - ## - ## - ## -@@ -217,12 +180,13 @@ interface(`fail2ban_append_log',` - ') - - logging_search_logs($1) -+ allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file append_file_perms; - ') - - ######################################## - ## --## Read fail2ban pid files. -+## Read fail2ban PID files. - ## - ## - ## -@@ -241,8 +205,28 @@ interface(`fail2ban_read_pid_files',` - - ######################################## - ## --## All of the rules required to --## administrate an fail2ban environment. 
-+## dontaudit read and write an leaked file descriptors -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fail2ban_dontaudit_leaks',` -+ gen_require(` -+ type fail2ban_t; -+ ') -+ -+ dontaudit $1 fail2ban_t:tcp_socket { read write }; -+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; -+ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an fail2ban environment - ## - ## - ## -@@ -251,21 +235,25 @@ interface(`fail2ban_read_pid_files',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the fail2ban domain. - ## - ## - ## - # - interface(`fail2ban_admin',` - gen_require(` -- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; -- type fail2ban_var_run_t, fail2ban_initrc_exec_t; -- type fail2ban_var_lib_t, fail2ban_client_t; -+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; -+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; -+ type fail2ban_client_t; - ') - -- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; -+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; - ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fail2ban_initrc_exec_t system_r; -@@ -277,10 +265,10 @@ interface(`fail2ban_admin',` - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) - -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, fail2ban_var_lib_t) - -- files_search_tmp($1) -+ files_list_tmp($1) - admin_pattern($1, fail2ban_tmp_t) - - fail2ban_run_client($1, $2) -diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..95bb886 100644 ---- a/fail2ban.te -+++ b/fail2ban.te -@@ -37,7 +37,7 @@ role 
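Review bot: The summary of the new `fail2ban_dontaudit_leaks` interface is ungrammatical and does not say what is silenced; suggest `## Do not audit attempts to read and write leaked fail2ban sockets.` with the description naming the three covered classes (tcp_socket, unix_dgram_socket, unix_stream_socket). Leaked descriptors normally also produce `fd use` denials, which this interface does not cover, so callers migrating from the removed `fail2ban_dontaudit_use_fds` will still see those. Either add `dontaudit $1 fail2ban_t:fd use;` here or note deliberately that fd inheritance should stay audited.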
fail2ban_client_roles types fail2ban_client_t; - # - - allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; --allow fail2ban_t self:process signal; -+allow fail2ban_t self:process { setsched signal }; - allow fail2ban_t self:fifo_file rw_fifo_file_perms; - allow fail2ban_t self:unix_stream_socket { accept connectto listen }; - allow fail2ban_t self:tcp_socket { accept listen }; -@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) - corecmd_exec_bin(fail2ban_t) - corecmd_exec_shell(fail2ban_t) - --corenet_all_recvfrom_unlabeled(fail2ban_t) - corenet_all_recvfrom_netlabel(fail2ban_t) - corenet_tcp_sendrecv_generic_if(fail2ban_t) - corenet_tcp_sendrecv_generic_node(fail2ban_t) -@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t) - domain_dontaudit_read_all_domains_state(fail2ban_t) - - files_read_etc_runtime_files(fail2ban_t) --files_read_usr_files(fail2ban_t) - files_list_var(fail2ban_t) - files_dontaudit_list_tmp(fail2ban_t) - -@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t) - logging_read_all_logs(fail2ban_t) - logging_send_syslog_msg(fail2ban_t) - --miscfiles_read_localization(fail2ban_t) -+mta_send_mail(fail2ban_t) - - sysnet_manage_config(fail2ban_t) --sysnet_etc_filetrans_config(fail2ban_t) -- --mta_send_mail(fail2ban_t) -+sysnet_filetrans_named_content(fail2ban_t) - - optional_policy(` - apache_read_log(fail2ban_t) - ') - - optional_policy(` -+ dbus_system_bus_client(fail2ban_t) -+ dbus_connect_system_bus(fail2ban_t) -+ -+ optional_policy(` -+ firewalld_dbus_chat(fail2ban_t) -+ ') -+') -+ -+optional_policy(` - ftp_read_log(fail2ban_t) - ') - - optional_policy(` -+ gnome_dontaudit_search_config(fail2ban_t) -+') -+ -+optional_policy(` - iptables_domtrans(fail2ban_t) - ') - -@@ -116,6 +125,10 @@ optional_policy(` - ') - - optional_policy(` -+ rpm_exec(fail2ban_t) -+') -+ -+optional_policy(` - shorewall_domtrans(fail2ban_t) - ') - -@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write 
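Review bot: `rpm_exec(fail2ban_t)` lets the fail2ban daemon — a long-running service that reads every system log (`logging_read_all_logs(fail2ban_t)` above) and runs banning actions — execute the package-manager binaries in its own domain, and nothing in the hunk says why. If this is only for a version or ownership query, a comment above the optional block such as `# fail2ban invokes rpm to ...` would let a reviewer judge whether a narrower interface suffices. Without that justification the rule reads like an audit2allow artefact rather than a deliberate grant.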
read }; - - domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) - -+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; -+allow fail2ban_client_t fail2ban_var_run_t:dir write; - stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) - - kernel_read_system_state(fail2ban_client_t) - - corecmd_exec_bin(fail2ban_client_t) - -+dev_read_urand(fail2ban_client_t) -+dev_read_rand(fail2ban_client_t) -+ - domain_use_interactive_fds(fail2ban_client_t) - --files_read_etc_files(fail2ban_client_t) --files_read_usr_files(fail2ban_client_t) - files_search_pids(fail2ban_client_t) - -+auth_use_nsswitch(fail2ban_client_t) -+ - logging_getattr_all_logs(fail2ban_client_t) - logging_search_all_logs(fail2ban_client_t) - --miscfiles_read_localization(fail2ban_client_t) -- - userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) - userdom_use_user_terminals(fail2ban_client_t) -diff --git a/fcoe.te b/fcoe.te -index 79b9273..76b7ed5 100644 ---- a/fcoe.te -+++ b/fcoe.te -@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t) - # Local policy - # - --allow fcoemon_t self:capability { dac_override kill net_admin }; -+allow fcoemon_t self:capability { net_admin net_raw dac_override }; - allow fcoemon_t self:fifo_file rw_fifo_file_perms; - allow fcoemon_t self:unix_stream_socket { accept listen }; - allow fcoemon_t self:netlink_socket create_socket_perms; - allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; -+allow fcoemon_t self:packet_socket create_socket_perms; -+allow fcoemon_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) - manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) - manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) - files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) - --files_read_etc_files(fcoemon_t) -- --dev_read_sysfs(fcoemon_t) -+dev_rw_sysfs(fcoemon_t) - - 
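Review bot: `allow fail2ban_client_t fail2ban_var_run_t:dir write;` grants directory `write` without `add_name` or `remove_name`, so it enables no actual modification of the PID directory and, paired with the new `dontaudit ... :dir_file_class_set audit_access;`, looks like it exists only to satisfy an `access(2)` probe. If that is the case a `dontaudit` on `write` is the safer choice than an `allow`; if the client really creates entries there, `add_name` is missing. A one-line comment such as `# fail2ban-client probes access(W_OK) on the socket directory` would settle which is intended.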
logging_send_syslog_msg(fcoemon_t) - -diff --git a/fetchmail.fc b/fetchmail.fc -index 2486e2a..fef9bff 100644 ---- a/fetchmail.fc -+++ b/fetchmail.fc -@@ -1,4 +1,5 @@ - HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) -+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) - - /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) - -@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) - - /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) - --/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) -+/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0) -diff --git a/fetchmail.if b/fetchmail.if -index c3f7916..cab3954 100644 ---- a/fetchmail.if -+++ b/fetchmail.if -@@ -23,14 +23,16 @@ interface(`fetchmail_admin',` - type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t; - ') - -+ ps_process_pattern($1, fetchmail_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 fetchmail_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fetchmail_initrc_exec_t system_r; - allow $2 system_r; - -- allow $1 fetchmail_t:process { ptrace signal_perms }; -- ps_process_pattern($1, fetchmail_t) -- - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) - -diff --git a/fetchmail.te b/fetchmail.te -index f0388cb..2e94f0e 100644 ---- a/fetchmail.te -+++ b/fetchmail.te -@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t) - # - # Local policy - # -- -+allow fetchmail_t self:capability setuid; - dontaudit fetchmail_t self:capability sys_tty_config; - allow fetchmail_t self:process { signal_perms setrlimit }; - allow fetchmail_t self:unix_stream_socket { accept listen }; - - allow fetchmail_t fetchmail_etc_t:file read_file_perms; - --read_files_pattern(fetchmail_t, fetchmail_home_t, 
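Review bot: `dev_rw_sysfs(fcoemon_t)` replaces `dev_read_sysfs` and grants write access to all of sysfs, whereas fcoemon presumably only needs to write a handful of fcoe control attributes under /sys (confirm against the denials). Together with the new `net_raw` capability and `packet_socket` this is a broad grant for one daemon; a dedicated labelled sysfs type, or at least a comment naming the attributes written, would make the intent reviewable. The silent removal of the `kill` capability is not mentioned either; if it was an unused leftover, say so in the commit message.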
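Review bot: The new file context `/var/run/fetchmail.*` has no file-type field and no directory anchor, so besides `/var/run/fetchmail` and its contents it also matches any unrelated `/var/run/fetchmail-foo` or `/var/run/fetchmailrc`, labelling them `fetchmail_var_run_t`. The conventional form is `/var/run/fetchmail(/.*)?	gen_context(system_u:object_r:fetchmail_var_run_t,s0)`, which keeps the directory and everything beneath it without the prefix overmatch.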
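Review bot: The hunk removes `allow $1 fetchmail_t:process { ptrace signal_perms };` but re-adds only the ptrace half under `deny_ptrace`, so an admin role can no longer signal (stop, kill, reload) fetchmail_t — a regression relative to `fail2ban_admin` and `firewalld_admin` in this same patch, which keep `allow $1 X_t:process signal_perms;`. Add `allow $1 fetchmail_t:process signal_perms;` next to the new `ps_process_pattern($1, fetchmail_t)` line. The `fetchmail_admin` gen_require begins above the hunk.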
fetchmail_home_t) -- - manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) - append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) - create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) - - manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) - manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) --files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) -+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir}) -+ -+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) -+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) -+userdom_search_user_home_dirs(fetchmail_t) -+userdom_search_admin_dir(fetchmail_t) - - kernel_read_kernel_sysctls(fetchmail_t) - kernel_list_proc(fetchmail_t) -@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) - corecmd_exec_bin(fetchmail_t) - corecmd_exec_shell(fetchmail_t) - --corenet_all_recvfrom_unlabeled(fetchmail_t) - corenet_all_recvfrom_netlabel(fetchmail_t) - corenet_tcp_sendrecv_generic_if(fetchmail_t) - corenet_tcp_sendrecv_generic_node(fetchmail_t) -@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t) - - domain_use_interactive_fds(fetchmail_t) - --auth_use_nsswitch(fetchmail_t) -+auth_read_passwd(fetchmail_t) - - logging_send_syslog_msg(fetchmail_t) - --miscfiles_read_localization(fetchmail_t) - miscfiles_read_generic_certs(fetchmail_t) - -+sysnet_dns_name_resolve(fetchmail_t) -+ - userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) --userdom_search_user_home_dirs(fetchmail_t) -+ -+optional_policy(` -+ mta_send_mail(fetchmail_t) -+') -+ -+optional_policy(` -+ kerberos_use(fetchmail_t) -+') - - optional_policy(` - procmail_domtrans(fetchmail_t) -diff --git a/finger.te b/finger.te -index af4b6d7..92245bf 100644 ---- a/finger.te -+++ b/finger.te -@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, 
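Review bot: `allow fetchmail_t self:capability setuid;` is added with no explanation, and it also swallows the blank line that separated the `# Local policy` header from the rules, so a new capability grant is easy to overlook. setuid lets the daemon become any uid; if it is only needed because fetchmail switches to the user owning the rcfile after starting as root (presumably — confirm), put that in a comment directly above the rule, e.g. `# fetchmail drops to the rcfile owner after reading root's config`. Restoring the blank line after the header would also keep this file consistent with the other .te files in the patch.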
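Review bot: Replacing `auth_use_nsswitch(fetchmail_t)` with `auth_read_passwd(fetchmail_t)` plus `sysnet_dns_name_resolve(fetchmail_t)` restricts fetchmail to flat-file account lookup, so on hosts that resolve users through sssd, nscd, LDAP or NIS its getpwnam/getpwuid calls will be denied; the optional `kerberos_use` block added in the same hunk suggests such networked identity setups are expected. If the narrowing is intentional, say so in a comment (`# local passwd lookups only`); otherwise keep `auth_use_nsswitch(fetchmail_t)`, which already covers DNS resolution.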
fingerd_log_t, file) - kernel_read_kernel_sysctls(fingerd_t) - kernel_read_system_state(fingerd_t) - --corenet_all_recvfrom_unlabeled(fingerd_t) - corenet_all_recvfrom_netlabel(fingerd_t) - corenet_tcp_sendrecv_generic_if(fingerd_t) - corenet_tcp_sendrecv_generic_node(fingerd_t) -@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t) - domain_use_interactive_fds(fingerd_t) - - files_read_etc_runtime_files(fingerd_t) -+files_search_home(fingerd_t) - - fs_getattr_all_fs(fingerd_t) - fs_search_auto_mountpoints(fingerd_t) -@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t) - term_getattr_all_ptys(fingerd_t) - - auth_read_lastlog(fingerd_t) -+auth_use_nsswitch(fingerd_t) - - init_read_utmp(fingerd_t) - init_dontaudit_write_utmp(fingerd_t) -@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t) - - mta_getattr_spool(fingerd_t) - --miscfiles_read_localization(fingerd_t) -+sysnet_read_config(fingerd_t) - - userdom_dontaudit_use_unpriv_user_fds(fingerd_t) - -diff --git a/firewalld.fc b/firewalld.fc -index 21d7b84..0e272bd 100644 ---- a/firewalld.fc -+++ b/firewalld.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0) -+ - /etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) - - /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) -diff --git a/firewalld.if b/firewalld.if -index 5cf6ac6..0fc685b 100644 ---- a/firewalld.if -+++ b/firewalld.if -@@ -2,6 +2,66 @@ - - ######################################## - ## -+## Read firewalld config -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`firewalld_read_config',` -+ gen_require(` -+ type firewalld_etc_rw_t; -+ ') -+ -+ files_search_etc($1) -+ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) -+') -+ -+######################################## -+## -+## Execute firewalld server in the firewalld domain. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+interface(`firewalld_initrc_domtrans',` -+ gen_require(` -+ type firewalld_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t) -+') -+ -+######################################## -+## -+## Execute firewalld server in the firewalld domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`firewalld_systemctl',` -+ gen_require(` -+ type firewalld_t; -+ type firewalld_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 firewalld_unit_file_t:file read_file_perms; -+ allow $1 firewalld_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, firewalld_t) -+') -+ -+######################################## -+## - ## Send and receive messages from - ## firewalld over dbus. - ## -@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',` - - ######################################## - ## --## All of the rules required to --## administrate an firewalld environment. -+## Dontaudit attempts to write -+## firewalld tmp files. -+## -+## -+## -+## Domain to not audit. 
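Review bot: `firewalld_initrc_domtrans` and `firewalld_systemctl` carry the identical summary `Execute firewalld server in the firewalld domain.`, which describes neither: the first runs the init script via `init_labeled_script_domtrans`, the second runs systemctl and grants `manage_service_perms` on the unit file. Suggest `## Execute the firewalld init script in the init script domain.` and `## Execute systemctl to start, stop and query the firewalld service.` respectively, and use `Domain allowed to transition.` for both parameter descriptions instead of `The type of the process performing this action.`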
-+## -+## -+# -+interface(`firewalld_dontaudit_write_tmp_files',` -+ gen_require(` -+ type firewalld_tmp_t; -+ ') -+ -+ dontaudit $1 firewalld_tmp_t:file write; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an firewalld environment - ## - ## - ## -@@ -45,10 +124,14 @@ interface(`firewalld_admin',` - type firewalld_var_log_t; - ') - -- allow $1 firewalld_t:process { ptrace signal_perms }; -+ allow $1 firewalld_t:process signal_perms; - ps_process_pattern($1, firewalld_t) - -- init_labeled_script_domtrans($1, firewalld_initrc_exec_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 firewalld_t:process ptrace; -+ ') -+ -+ firewalld_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 firewalld_initrc_exec_t system_r; - allow $2 system_r; -@@ -59,6 +142,9 @@ interface(`firewalld_admin',` - logging_search_logs($1) - admin_pattern($1, firewalld_var_log_t) - -- files_search_etc($1) - admin_pattern($1, firewall_etc_rw_t) -+ -+ admin_pattern($1, firewalld_unit_file_t) -+ firewalld_systemctl($1) -+ allow $1 firewalld_unit_file_t:service all_service_perms; - ') -diff --git a/firewalld.te b/firewalld.te -index c8014f8..bacc80c 100644 ---- a/firewalld.te -+++ b/firewalld.te -@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) - type firewalld_var_run_t; - files_pid_file(firewalld_var_run_t) - -+type firewalld_unit_file_t; -+systemd_unit_file(firewalld_unit_file_t) -+ -+type firewalld_tmp_t; -+files_tmp_file(firewalld_tmp_t) -+ -+type firewalld_tmpfs_t; -+files_tmpfs_file(firewalld_tmpfs_t) -+ - ######################################## - # - # Local policy - # -- -+allow firewalld_t self:capability { dac_override net_admin }; - dontaudit firewalld_t self:capability sys_tty_config; - allow firewalld_t self:fifo_file rw_fifo_file_perms; - allow firewalld_t self:unix_stream_socket { accept listen }; -@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms; - - 
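Review bot: `admin_pattern($1, firewalld_unit_file_t)` and `allow $1 firewalld_unit_file_t:service all_service_perms;` are added to `firewalld_admin`, but the interface's `gen_require` block (it starts above the hunk and ends with `type firewalld_var_log_t;`) is not visibly extended with `type firewalld_unit_file_t;`, which would make any module that calls `firewalld_admin` fail to link. The retained line `admin_pattern($1, firewall_etc_rw_t)` also names `firewall_etc_rw_t`, while firewalld.te declares `firewalld_etc_rw_t`; since the line above it is being edited this is the moment to correct the name. The `all_service_perms` grant after `firewalld_systemctl($1)`, which already gives `manage_service_perms`, is redundant but harmless.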
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) - manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) -+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) - - allow firewalld_t firewalld_var_log_t:file append_file_perms; - allow firewalld_t firewalld_var_log_t:file create_file_perms; -@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; - allow firewalld_t firewalld_var_log_t:file setattr_file_perms; - logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) - -+manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) -+files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) -+allow firewalld_t firewalld_tmp_t:file execute; -+ -+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) -+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file) -+allow firewalld_t firewalld_tmpfs_t:file execute; -+ - manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) - files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) -+can_exec(firewalld_t, firewalld_var_run_t) - - kernel_read_network_state(firewalld_t) - kernel_read_system_state(firewalld_t) -+kernel_rw_net_sysctls(firewalld_t) - - corecmd_exec_bin(firewalld_t) - corecmd_exec_shell(firewalld_t) -@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t) - - domain_use_interactive_fds(firewalld_t) - --files_read_etc_files(firewalld_t) --files_read_usr_files(firewalld_t) -+files_dontaudit_access_check_tmp(firewalld_t) - files_dontaudit_list_tmp(firewalld_t) - - fs_getattr_xattr_fs(firewalld_t) -+fs_dontaudit_all_access_check(firewalld_t) - --logging_send_syslog_msg(firewalld_t) -- --miscfiles_read_localization(firewalld_t) -+auth_use_nsswitch(firewalld_t) - --seutil_exec_setfiles(firewalld_t) --seutil_read_file_contexts(firewalld_t) -+logging_send_syslog_msg(firewalld_t) - --sysnet_read_config(firewalld_t) -+sysnet_dns_name_resolve(firewalld_t) - - optional_policy(` - 
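Review bot: The new rules let firewalld_t both create and execute files in three writable locations — `allow firewalld_t firewalld_tmp_t:file execute;`, `allow firewalld_t firewalld_tmpfs_t:file execute;` and `can_exec(firewalld_t, firewalld_var_run_t)` — alongside `manage_files_pattern` on the same types, a write-plus-execute pattern in a domain that also now holds `net_admin`. Anything able to write those files (a process with access to firewalld's tmp content, or a path confusion into /var/run) gains code execution in the firewall domain. If this serves a Python or ipset/nft temporary script (presumably — check the original denials), add a comment naming the source and consider gating the three execute rules behind a tunable so the default policy stays write-xor-execute.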
dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,9 +102,17 @@ optional_policy(` - ') - - optional_policy(` -+ gnome_read_generic_data_home_dirs(firewalld_t) -+') -+ -+optional_policy(` - iptables_domtrans(firewalld_t) - ') - - optional_policy(` - modutils_domtrans_insmod(firewalld_t) - ') -+ -+optional_policy(` -+ NetworkManager_read_state(firewalld_t) -+') -diff --git a/firewallgui.if b/firewallgui.if -index e6866d1..941f4ef 100644 ---- a/firewallgui.if -+++ b/firewallgui.if -@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',` - type firewallgui_t; - ') - -- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; - ') -diff --git a/firewallgui.te b/firewallgui.te -index c5ceab1..86b8098 100644 ---- a/firewallgui.te -+++ b/firewallgui.te -@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t) - dev_read_sysfs(firewallgui_t) - dev_read_urand(firewallgui_t) - -+files_manage_system_conf_files(firewallgui_t) -+files_etc_filetrans_system_conf(firewallgui_t) -+files_search_kernel_modules(firewallgui_t) - files_list_kernel_modules(firewallgui_t) --files_read_usr_files(firewallgui_t) - - auth_use_nsswitch(firewallgui_t) - -@@ -60,12 +62,13 @@ optional_policy(` - ') - - optional_policy(` -- gnome_read_generic_gconf_home_content(firewallgui_t) -+ gnome_read_gconf_home_files(firewallgui_t) - ') - - optional_policy(` - iptables_domtrans(firewallgui_t) - iptables_initrc_domtrans(firewallgui_t) -+ iptables_systemctl(firewallgui_t) - ') - - optional_policy(` -diff --git a/firstboot.fc b/firstboot.fc -index 12c782c..ba614e4 100644 ---- a/firstboot.fc -+++ b/firstboot.fc -@@ -1,5 +1,3 @@ --/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0) -+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) - --/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) -- --/usr/share/firstboot/firstboot\.py -- 
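Review bot: `gnome_read_generic_data_home_dirs(firewalld_t)` grants a root system daemon read access to users' `~/.local/share` directories, which a firewall service has no functional need for; this is usually a GLib/GIO library probing user data dirs when started without a home (presumably — verify against the denial). The customary refpolicy treatment for that noise is a dontaudit on the same paths rather than an allow, or at minimum a comment stating why firewalld reads user data.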
gen_context(system_u:object_r:firstboot_exec_t,s0) -+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) -diff --git a/firstboot.if b/firstboot.if -index 280f875..f3a67c9 100644 ---- a/firstboot.if -+++ b/firstboot.if -@@ -1,4 +1,7 @@ --## Initial system configuration utility. -+## -+## Final system configuration run during the first boot -+## after installation of Red Hat/Fedora systems. -+## - - ######################################## - ## -@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',` - type firstboot_t, firstboot_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, firstboot_exec_t, firstboot_t) - ') - - ######################################## - ## --## Execute firstboot in the firstboot --## domain, and allow the specified role --## the firstboot domain. -+## Execute firstboot in the firstboot domain, and -+## allow the specified role the firstboot domain. - ## - ## - ## -@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',` - # - interface(`firstboot_run',` - gen_require(` -- attribute_role firstboot_roles; -+ type firstboot_t; - ') - - firstboot_domtrans($1) -- roleattribute $2 firstboot_roles; -+ role $2 types firstboot_t; - ') - - ######################################## - ## --## Inherit and use firstboot file descriptors. -+## Inherit and use a file descriptor from firstboot. - ## - ## - ## -@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',` - - ######################################## - ## --## Do not audit attempts to inherit --## firstboot file descriptors. -+## Do not audit attempts to inherit a -+## file descriptor from firstboot. - ## - ## - ## -@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',` - - ######################################## - ## --## Write firstboot unnamed pipes. -+## dontaudit read and write an leaked file descriptors -+## -+## -+## -+## Domain to not audit. 
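Review bot: `corecmd_search_bin($1)` is dropped from `firstboot_domtrans` while the entry point stays at `/usr/sbin/firstboot` (see the .fc hunk above), so a caller that does not already search bin_t directories cannot reach the executable to transition. Unless every caller is known to be a domain that already has that search permission (unverified here), keep `corecmd_search_bin($1)` before `domtrans_pattern`, as the parallel `fail2ban_domtrans_client` and `ftp_domtrans` interfaces in this same patch do.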
-+## -+## -+# -+interface(`firstboot_dontaudit_leaks',` -+ gen_require(` -+ type firstboot_t; -+ ') -+ -+ dontaudit $1 firstboot_t:socket_class_set { read write }; -+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## -+## Write to a firstboot unnamed pipe. - ## - ## - ## -@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',` - type firstboot_t; - ') - -+ allow $1 firstboot_t:fd use; - allow $1 firstboot_t:fifo_file write; - ') - - ######################################## - ## --## Read and Write firstboot unnamed pipes. -+## Read and Write to a firstboot unnamed pipe. - ## - ## - ## -@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',` - - ######################################## - ## --## Do not audit attemps to read and --## write firstboot unnamed pipes. -+## Do not audit attemps to read and write to a firstboot unnamed pipe. - ## - ## - ## -@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',` - - ######################################## - ## --## Do not audit attemps to read and --## write firstboot unix domain --## stream sockets. -+## Do not audit attemps to read and write to a firstboot -+## unix domain stream socket. 
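Review bot: `firstboot_write_pipes` now also grants `allow $1 firstboot_t:fd use;`, but its summary still reads `Write to a firstboot unnamed pipe.` and a separate `firstboot_use_fds` interface already exists for exactly that permission. Either document the wider contract (`## Write to a firstboot unnamed pipe, using the inherited descriptor.`) or have callers invoke `firstboot_use_fds($1)` and keep this interface single-purpose, as the neighbouring `firstboot_rw_pipes` is. The interface header and gen_require start above the hunk.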
- ## - ## - ## -diff --git a/firstboot.te b/firstboot.te -index c12c067..a415012 100644 ---- a/firstboot.te -+++ b/firstboot.te -@@ -1,7 +1,7 @@ --policy_module(firstboot, 1.12.3) -+policy_module(firstboot, 1.12.0) - - gen_require(` -- class passwd { passwd chfn chsh rootok }; -+ class passwd { passwd chfn chsh rootok crontab }; - ') - - ######################################## -@@ -9,17 +9,12 @@ gen_require(` - # Declarations - # - --attribute_role firstboot_roles; -- - type firstboot_t; - type firstboot_exec_t; - init_system_domain(firstboot_t, firstboot_exec_t) - domain_obj_id_change_exemption(firstboot_t) - domain_subj_id_change_exemption(firstboot_t) --role firstboot_roles types firstboot_t; -- --type firstboot_initrc_exec_t; --init_script_file(firstboot_initrc_exec_t) -+role system_r types firstboot_t; - - type firstboot_etc_t; - files_config_file(firstboot_etc_t) -@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t) - allow firstboot_t self:capability { dac_override setgid }; - allow firstboot_t self:process setfscreate; - allow firstboot_t self:fifo_file rw_fifo_file_perms; --allow firstboot_t self:tcp_socket { accept listen }; -+allow firstboot_t self:tcp_socket create_stream_socket_perms; -+allow firstboot_t self:unix_stream_socket { connect create }; - allow firstboot_t self:passwd { rootok passwd chfn chsh }; - - allow firstboot_t firstboot_etc_t:file read_file_perms; - -+files_manage_generic_tmp_dirs(firstboot_t) -+files_manage_generic_tmp_files(firstboot_t) -+ - kernel_read_system_state(firstboot_t) - kernel_read_kernel_sysctls(firstboot_t) - --corecmd_exec_all_executables(firstboot_t) -+corenet_all_recvfrom_netlabel(firstboot_t) -+corenet_tcp_sendrecv_generic_if(firstboot_t) -+corenet_tcp_sendrecv_generic_node(firstboot_t) -+corenet_tcp_sendrecv_all_ports(firstboot_t) - - dev_read_urand(firstboot_t) - --files_exec_etc_files(firstboot_t) --files_manage_etc_files(firstboot_t) --files_manage_etc_runtime_files(firstboot_t) 
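Review bot: `policy_module(firstboot, 1.12.3)` is lowered to `1.12.0`, so a system that already has 1.12.3 loaded will treat this as an older module; module versions should only move forward, and if the downgrade is a deliberate re-base the commit message should say so. The `gen_require` also adds `crontab` to the `passwd` class, but the only rule on that class in the visible hunks remains `allow firstboot_t self:passwd { rootok passwd chfn chsh };`, so the added permission appears unused and should be dropped or actually exercised.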
--files_read_usr_files(firstboot_t) --files_manage_var_dirs(firstboot_t) --files_manage_var_files(firstboot_t) --files_manage_var_symlinks(firstboot_t) --files_create_boot_flag(firstboot_t) --files_delete_boot_flag(firstboot_t) -- - selinux_get_fs_mount(firstboot_t) - selinux_validate_context(firstboot_t) - selinux_compute_access_vector(firstboot_t) -@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t) - - auth_dontaudit_getattr_shadow(firstboot_t) - -+corecmd_exec_all_executables(firstboot_t) -+ -+files_exec_etc_files(firstboot_t) -+files_manage_etc_files(firstboot_t) -+files_manage_etc_runtime_files(firstboot_t) -+files_manage_var_dirs(firstboot_t) -+files_manage_var_files(firstboot_t) -+files_manage_var_symlinks(firstboot_t) -+files_create_boot_flag(firstboot_t) -+files_delete_boot_flag(firstboot_t) -+ - init_domtrans_script(firstboot_t) - init_rw_utmp(firstboot_t) - -@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t) - - logging_send_syslog_msg(firstboot_t) - --miscfiles_read_localization(firstboot_t) -- - sysnet_dns_name_resolve(firstboot_t) - --userdom_use_user_terminals(firstboot_t) -+userdom_use_inherited_user_terminals(firstboot_t) -+ -+# Add/remove user home directories - userdom_manage_user_home_content_dirs(firstboot_t) - userdom_manage_user_home_content_files(firstboot_t) - userdom_manage_user_home_content_symlinks(firstboot_t) - userdom_manage_user_home_content_pipes(firstboot_t) - userdom_manage_user_home_content_sockets(firstboot_t) - userdom_home_filetrans_user_home_dir(firstboot_t) --userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) -+userdom_filetrans_home_content(firstboot_t) - - optional_policy(` - dbus_system_bus_client(firstboot_t) -@@ -102,20 +105,18 @@ optional_policy(` - ') - - optional_policy(` -- nis_use_ypbind(firstboot_t) --') -- --optional_policy(` - samba_rw_config(firstboot_t) - ') - - optional_policy(` - unconfined_domtrans(firstboot_t) -- 
unconfined_domain(firstboot_t) -+ # The big hammer -+ unconfined_domain_noaudit(firstboot_t) - ') - - optional_policy(` -- gnome_manage_generic_home_content(firstboot_t) -+ gnome_admin_home_gconf_filetrans(firstboot_t, dir) -+ gnome_manage_config(firstboot_t) - ') - - optional_policy(` -diff --git a/fprintd.te b/fprintd.te -index c81b6e8..34e1f1c 100644 ---- a/fprintd.te -+++ b/fprintd.te -@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) - allow fprintd_t self:capability sys_nice; - allow fprintd_t self:process { getsched setsched signal sigkill }; - allow fprintd_t self:fifo_file rw_fifo_file_perms; -+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) - manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) - - dev_list_usbfs(fprintd_t) - dev_read_sysfs(fprintd_t) -+dev_read_urand(fprintd_t) - dev_rw_generic_usb_dev(fprintd_t) - --files_read_usr_files(fprintd_t) -- - fs_getattr_all_fs(fprintd_t) - - auth_use_nsswitch(fprintd_t) - --miscfiles_read_localization(fprintd_t) -- - userdom_use_user_ptys(fprintd_t) - userdom_read_all_users_state(fprintd_t) - -@@ -54,8 +52,13 @@ optional_policy(` - ') - ') - -+ - optional_policy(` -- policykit_domtrans_auth(fprintd_t) - policykit_read_reload(fprintd_t) - policykit_read_lib(fprintd_t) -+ policykit_domtrans_auth(fprintd_t) -+') -+ -+optional_policy(` -+ xserver_read_state_xdm(fprintd_t) - ') -diff --git a/ftp.fc b/ftp.fc -index ddb75c1..44f74e6 100644 ---- a/ftp.fc -+++ b/ftp.fc -@@ -1,5 +1,8 @@ - /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) - -+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -+ - /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - - /etc/rc\.d/init\.d/vsftpd -- 
gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) -diff --git a/ftp.if b/ftp.if -index d062080..97fb494 100644 ---- a/ftp.if -+++ b/ftp.if -@@ -1,5 +1,66 @@ - ## File transfer protocol service. - -+###################################### -+## -+## Execute a domain transition to run ftpd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ftp_domtrans',` -+ gen_require(` -+ type ftpd_t, ftpd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1,ftpd_exec_t, ftpd_t) -+ -+') -+ -+####################################### -+## -+## Execute ftpd server in the ftpd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`ftp_initrc_domtrans',` -+ gen_require(` -+ type ftpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Execute ftpd server in the ftpd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ftp_systemctl',` -+ gen_require(` -+ type ftpd_unit_file_t; -+ type ftpd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 ftpd_unit_file_t:file read_file_perms; -+ allow $1 ftpd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ftpd_t) -+') -+ - ####################################### - ## - ## Execute a dyntransition to run anon sftpd. 
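Review bot: Both new file contexts label the ftp unit files as `iptables_unit_file_t` — `/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)` and the matching proftpd line — which looks like a copy-paste from iptables.fc. ftp.te declares `ftpd_unit_file_t` and the new `ftp_systemctl`/`ftp_admin` interfaces key their `service` permissions on it, so with this labelling those interfaces never match the real unit files while the iptables admin interfaces gain control over vsftpd and proftpd. Change both lines to `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`.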
-@@ -178,8 +239,11 @@ interface(`ftp_admin',` - type ftpd_initrc_exec_t, ftpdctl_tmp_t; - ') - -- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; -+ allow $1 ftpd_t:process signal_perms; - ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -203,5 +267,9 @@ interface(`ftp_admin',` - logging_list_logs($1) - admin_pattern($1, xferlog_t) - -+ ftp_systemctl($1) -+ admin_pattern($1, ftpd_unit_file_t) -+ allow $1 ftpd_unit_file_t:service all_service_perms; -+ - ftp_run_ftpdctl($1, $2) - ') -diff --git a/ftp.te b/ftp.te -index e50f33c..6edd471 100644 ---- a/ftp.te -+++ b/ftp.te -@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) - ## be labeled public_content_rw_t. - ##
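Review bot: The three new ftp.if interfaces have documentation and formatting slips: `ftp_initrc_domtrans` and `ftp_systemctl` share the summary `Execute ftpd server in the ftpd domain.`, which describes neither (one runs the init script, the other systemctl with `manage_service_perms`), and `ftp_domtrans` has `domtrans_pattern($1,ftpd_exec_t, ftpd_t)` with a missing space plus a stray blank line before `')`. Suggest `## Execute the ftpd init script in the init script domain.`, `## Execute systemctl to manage the ftpd service.` and `domtrans_pattern($1, ftpd_exec_t, ftpd_t)`.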
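Review bot: The rewritten line `allow $1 ftpd_t:process signal_perms;` narrows signalling to ftpd_t only, while the original covered `{ ftpd_t ftpdctl_t sftpd_t anon_sftpd }` and the new `ps_process_pattern` and `ptrace` lines still list all four domains (now correctly spelled `anon_sftpd_t`, which fixes the old typo). An admin can therefore inspect and ptrace sftpd_t, anon_sftpd_t and ftpdctl_t but not signal them; use `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process signal_perms;`. The `ftp_admin` gen_require starts above the hunk.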

    - ## --gen_tunable(allow_ftpd_anon_write, false) -+gen_tunable(ftpd_anon_write, false) - - ## - ##

    -@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false) - ## all files on the system, governed by DAC. - ##

    - ##
    --gen_tunable(allow_ftpd_full_access, false) -+gen_tunable(ftpd_full_access, false) - - ## - ##

    -@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false) - ## used for public file transfer services. - ##

    - ##
    --gen_tunable(allow_ftpd_use_cifs, false) -+gen_tunable(ftpd_use_cifs, false) -+ -+## -+##

    -+## Allow ftpd to use ntfs/fusefs volumes. -+##

    -+##
    -+gen_tunable(ftpd_use_fusefs, false) - - ## - ##

    -@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false) - ## used for public file transfer services. - ##

    - ##
    --gen_tunable(allow_ftpd_use_nfs, false) -+gen_tunable(ftpd_use_nfs, false) - - ## - ##

    -@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) - type ftpd_initrc_exec_t; - init_script_file(ftpd_initrc_exec_t) - -+type ftpd_unit_file_t; -+systemd_unit_file(ftpd_unit_file_t) -+ - type ftpd_lock_t; - files_lock_file(ftpd_lock_t) - -@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; - allow ftpd_t ftpd_lock_t:file manage_file_perms; - files_lock_filetrans(ftpd_t, ftpd_lock_t, file) - -+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) -+ - manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) - manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) - manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) - - kernel_read_kernel_sysctls(ftpd_t) - kernel_read_system_state(ftpd_t) --kernel_search_network_state(ftpd_t) -+kernel_read_network_state(ftpd_t) - - dev_read_sysfs(ftpd_t) - dev_read_urand(ftpd_t) - - corecmd_exec_bin(ftpd_t) - --corenet_all_recvfrom_unlabeled(ftpd_t) - corenet_all_recvfrom_netlabel(ftpd_t) - corenet_tcp_sendrecv_generic_if(ftpd_t) - corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) - corenet_sendrecv_ftp_data_server_packets(ftpd_t) - corenet_tcp_bind_ftp_data_port(ftpd_t) - -+corenet_tcp_bind_generic_port(ftpd_t) -+corenet_tcp_bind_all_ephemeral_ports(ftpd_t) -+corenet_tcp_connect_all_ephemeral_ports(ftpd_t) -+ - domain_use_interactive_fds(ftpd_t) - --files_read_etc_files(ftpd_t) - files_read_etc_runtime_files(ftpd_t) - files_search_var_lib(ftpd_t) - -@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t) - logging_send_syslog_msg(ftpd_t) - logging_set_loginuid(ftpd_t) - --miscfiles_read_localization(ftpd_t) - miscfiles_read_public_files(ftpd_t) - - seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) - - userdom_dontaudit_use_unpriv_user_fds(ftpd_t) - userdom_dontaudit_search_user_home_dirs(ftpd_t) 
-+userdom_filetrans_home_content(ftpd_t) - --tunable_policy(`allow_ftpd_anon_write',` -+tunable_policy(`ftpd_anon_write',` - miscfiles_manage_public_files(ftpd_t) - ') - --tunable_policy(`allow_ftpd_use_cifs',` -+tunable_policy(`ftpd_use_cifs',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) - ') - --tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` -+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',` - fs_manage_cifs_files(ftpd_t) - ') - --tunable_policy(`allow_ftpd_use_nfs',` -+tunable_policy(`ftpd_use_fusefs',` -+ fs_manage_fusefs_dirs(ftpd_t) -+ fs_manage_fusefs_files(ftpd_t) -+',` -+ fs_search_fusefs(ftpd_t) -+') -+ -+tunable_policy(`ftpd_use_nfs',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) - ') - --tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` -+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',` - fs_manage_nfs_files(ftpd_t) - ') - --tunable_policy(`allow_ftpd_full_access',` -+tunable_policy(`ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; -- files_manage_non_auth_files(ftpd_t) -+ files_manage_non_security_dirs(ftpd_t) -+ files_manage_non_security_files(ftpd_t) -+') -+ -+tunable_policy(`ftpd_use_passive_mode',` -+ corenet_tcp_bind_all_unreserved_ports(ftpd_t) -+') -+ -+tunable_policy(`ftpd_connect_all_unreserved',` -+ corenet_tcp_connect_all_unreserved_ports(ftpd_t) - ') - - tunable_policy(`ftpd_use_passive_mode',` -@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',` - corenet_sendrecv_mssql_client_packets(ftpd_t) - corenet_tcp_connect_mssql_port(ftpd_t) - corenet_tcp_sendrecv_mssql_port(ftpd_t) -- corenet_sendrecv_oracledb_client_packets(ftpd_t) -- corenet_tcp_connect_oracledb_port(ftpd_t) -- corenet_tcp_sendrecv_oracledb_port(ftpd_t) -+ corenet_sendrecv_oracle_client_packets(ftpd_t) -+ corenet_tcp_connect_oracle_port(ftpd_t) -+ corenet_tcp_sendrecv_oracle_port(ftpd_t) - ') - - tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override 
dac_read_search }; - -- userdom_manage_user_home_content_dirs(ftpd_t) -- userdom_manage_user_home_content_files(ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) -+ userdom_manage_all_user_home_type_dirs(ftpd_t) -+ userdom_manage_all_user_home_type_files(ftpd_t) - userdom_manage_user_tmp_dirs(ftpd_t) - userdom_manage_user_tmp_files(ftpd_t) -- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) - ',` -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) - ') - -@@ -360,7 +388,7 @@ optional_policy(` - selinux_validate_context(ftpd_t) - - kerberos_keytab_template(ftpd, ftpd_t) -- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") -+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") - ') - - optional_policy(` -@@ -410,21 +438,20 @@ optional_policy(` - # - - stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) -+files_search_pids(ftpdctl_t) - - allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; - files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) - --files_read_etc_files(ftpdctl_t) - files_search_pids(ftpdctl_t) - --userdom_use_user_terminals(ftpdctl_t) -+userdom_use_inherited_user_terminals(ftpdctl_t) - - ######################################## - # - # Anon sftpd local policy - # - --files_read_etc_files(anon_sftpd_t) - - miscfiles_read_public_files(anon_sftpd_t) - -@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',` - # Sftpd local policy - # - --files_read_etc_files(sftpd_t) - - userdom_read_user_home_content_files(sftpd_t) - userdom_read_user_home_content_symlinks(sftpd_t) -+userdom_dontaudit_list_admin_dir(sftpd_t) -+ -+tunable_policy(`sftpd_full_access',` -+ allow sftpd_t self:capability { dac_override dac_read_search }; -+ fs_read_noxattr_fs_files(sftpd_t) -+ files_manage_non_security_dirs(sftpd_t) -+ files_manage_non_security_files(sftpd_t) -+') -+ -+optional_policy(` -+ 
tunable_policy(`sftpd_write_ssh_home',` -+ ssh_manage_home_files(sftpd_t) -+ ') -+') -+ -+userdom_filetrans_home_content(sftpd_t) -+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - - tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - - userdom_manage_user_home_content_dirs(sftpd_t) - userdom_manage_user_home_content_files(sftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_manage_user_tmp_dirs(sftpd_t) - userdom_manage_user_tmp_files(sftpd_t) -- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) --',` -- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) -- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - ') - - tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',` - tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) -- files_manage_non_auth_files(sftpd_t) -+ files_manage_non_security_files(sftpd_t) - ') - -+userdom_home_reader(sftpd_t) -+ - tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) - ') -- --tunable_policy(`use_samba_home_dirs',` -- fs_list_cifs(sftpd_t) -- fs_read_cifs_files(sftpd_t) -- fs_read_cifs_symlinks(sftpd_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_list_nfs(sftpd_t) -- fs_read_nfs_files(sftpd_t) -- fs_read_nfs_symlinks(ftpd_t) --') -diff --git a/games.te b/games.te -index 572fb12..879c59a 100644 ---- a/games.te -+++ b/games.te -@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t) - - logging_send_syslog_msg(games_srv_t) - --miscfiles_read_localization(games_srv_t) -- - userdom_dontaudit_use_unpriv_user_fds(games_srv_t) - - userdom_dontaudit_search_user_home_dirs(games_srv_t) -@@ -120,7 +118,6 @@ kernel_read_system_state(games_t) - - corecmd_exec_bin(games_t) - --corenet_all_recvfrom_unlabeled(games_t) - 
corenet_all_recvfrom_netlabel(games_t) - corenet_tcp_sendrecv_generic_if(games_t) - corenet_tcp_sendrecv_generic_node(games_t) -@@ -142,8 +139,6 @@ dev_write_sound(games_t) - files_list_var(games_t) - files_search_var_lib(games_t) - files_dontaudit_search_var(games_t) --files_read_etc_files(games_t) --files_read_usr_files(games_t) - files_read_var_files(games_t) - - init_dontaudit_rw_utmp(games_t) -@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t) - logging_dontaudit_search_logs(games_t) - - miscfiles_read_man_pages(games_t) --miscfiles_read_localization(games_t) - - sysnet_dns_name_resolve(games_t) - -@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t) - userdom_manage_user_tmp_sockets(games_t) - userdom_dontaudit_read_user_home_content_files(games_t) - --tunable_policy(`allow_execmem',` -+tunable_policy(`deny_execmem',`', ` - allow games_t self:process execmem; - ') - -diff --git a/gatekeeper.te b/gatekeeper.te -index fc3b036..10a1bbe 100644 ---- a/gatekeeper.te -+++ b/gatekeeper.te -@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) - - corecmd_list_bin(gatekeeper_t) - --corenet_all_recvfrom_unlabeled(gatekeeper_t) - corenet_all_recvfrom_netlabel(gatekeeper_t) - corenet_tcp_sendrecv_generic_if(gatekeeper_t) - corenet_udp_sendrecv_generic_if(gatekeeper_t) -@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t) - - domain_use_interactive_fds(gatekeeper_t) - --files_read_etc_files(gatekeeper_t) -- - fs_getattr_all_fs(gatekeeper_t) - fs_search_auto_mountpoints(gatekeeper_t) - - logging_send_syslog_msg(gatekeeper_t) - --miscfiles_read_localization(gatekeeper_t) -- - sysnet_read_config(gatekeeper_t) - - userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) -diff --git a/gift.te b/gift.te -index 395238e..af76abb 100644 ---- a/gift.te -+++ b/gift.te -@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t) - - userdom_dontaudit_read_user_home_content_files(gift_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gift_t) -- fs_manage_nfs_files(gift_t) -- 
fs_manage_nfs_symlinks(gift_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gift_t) -- fs_manage_cifs_files(gift_t) -- fs_manage_cifs_symlinks(gift_t) --') -+userdom_home_manager(gift_t) - - optional_policy(` - xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) -@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t) - corenet_tcp_connect_all_ports(giftd_t) - - files_read_etc_runtime_files(giftd_t) --files_read_usr_files(giftd_t) -- --miscfiles_read_localization(giftd_t) - - sysnet_dns_name_resolve(giftd_t) - --userdom_use_user_terminals(giftd_t) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(giftd_t) -- fs_manage_nfs_files(giftd_t) -- fs_manage_nfs_symlinks(giftd_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(giftd_t) -- fs_manage_cifs_files(giftd_t) -- fs_manage_cifs_symlinks(giftd_t) --') -+userdom_use_inherited_user_terminals(giftd_t) -+userdom_home_manager(gitd_t) -diff --git a/git.if b/git.if -index 1e29af1..6c64f55 100644 ---- a/git.if -+++ b/git.if -@@ -37,7 +37,10 @@ template(`git_role',` - allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") - -- allow $2 git_session_t:process { ptrace signal_perms }; -+ allow $2 git_session_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 git_session_t:process ptrace; -+ ') - ps_process_pattern($2, git_session_t) - - tunable_policy(`git_session_users',` -@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',` - - list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) - read_files_pattern($1, git_sys_content_t, git_sys_content_t) -+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t) - - files_search_var_lib($1) - -@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',` - fs_read_nfs_files($1) - ') - ') -+ -+####################################### -+##

    -+## Create Git user content with a -+## named file transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`git_filetrans_user_content',` -+ gen_require(` -+ type git_user_content_t; -+ ') -+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") -+') -diff --git a/git.te b/git.te -index 93b0301..ad8eb38 100644 ---- a/git.te -+++ b/git.te -@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) - - ## - ##

    --## Determine whether Git session daemons --## can send syslog messages. --##

    --##
    --gen_tunable(git_session_send_syslog_msg, false) -- --## --##

    - ## Determine whether Git system daemon - ## can search home directories. - ##

    -@@ -92,10 +84,10 @@ type git_session_t, git_daemon; - userdom_user_application_domain(git_session_t, gitd_exec_t) - role git_session_roles types git_session_t; - --type git_sys_content_t; -+type git_sys_content_t alias git_system_content_t; - files_type(git_sys_content_t) - --type git_user_content_t; -+type git_user_content_t alias git_session_content_t; - userdom_user_home_content(git_user_content_t) - - ######################################## -@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) - read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) - userdom_search_user_home_dirs(git_session_t) - -+kernel_read_system_state(git_session_t) -+ - corenet_all_recvfrom_netlabel(git_session_t) - corenet_all_recvfrom_unlabeled(git_session_t) - corenet_tcp_bind_generic_node(git_session_t) -@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` - corenet_tcp_sendrecv_all_ports(git_session_t) - ') - --tunable_policy(`git_session_send_syslog_msg',` -- logging_send_syslog_msg(git_session_t) --') -+logging_send_syslog_msg(git_session_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(git_session_t) -@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',` - list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) - read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) - -+kernel_read_network_state(git_system_t) -+kernel_read_system_state(git_system_t) -+ -+corenet_tcp_bind_git_port(git_system_t) -+ - files_search_var_lib(git_system_t) - - auth_use_nsswitch(git_system_t) -@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',` - - allow git_daemon self:fifo_file rw_fifo_file_perms; - --kernel_read_system_state(git_daemon) -+#kernel_read_system_state(git_daemon) - - corecmd_exec_bin(git_daemon) - --files_read_usr_files(git_daemon) -- - fs_search_auto_mountpoints(git_daemon) - --miscfiles_read_localization(git_daemon) -diff --git a/gitosis.te 
b/gitosis.te -index 3194b76..d3acb1a 100644 ---- a/gitosis.te -+++ b/gitosis.te -@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t) - - dev_read_urand(gitosis_t) - --files_read_etc_files(gitosis_t) --files_read_usr_files(gitosis_t) - files_search_var_lib(gitosis_t) - --miscfiles_read_localization(gitosis_t) -- - sysnet_read_config(gitosis_t) - - tunable_policy(`gitosis_can_sendmail',` -diff --git a/glance.if b/glance.if -index 9eacb2c..229782f 100644 ---- a/glance.if -+++ b/glance.if -@@ -1,5 +1,30 @@ - ## OpenStack image registry and delivery service. - -+####################################### -+## -+## Creates types and rules for a basic -+## glance daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`glance_basic_types_template',` -+ gen_require(` -+ attribute glance_domain; -+ ') -+ -+ type $1_t, glance_domain; -+ type $1_exec_t; -+ -+ kernel_read_system_state($1_t) -+ -+ corenet_all_recvfrom_unlabeled($1_t) -+ corenet_all_recvfrom_netlabel($1_t) -+') -+ - ######################################## - ## - ## Execute a domain transition to -@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',` - ## run glance api. - ## - ## --## -+## - ## Domain allowed to transition. 
--## -+## - ## - # - interface(`glance_domtrans_api',` -@@ -242,8 +267,13 @@ interface(`glance_admin',` - type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; - ') - -- allow $1 { glance_api_t glance_registry_t }:process signal_perms; -- ps_process_pattern($1, { glance_api_t glance_registry_t }) -+ allow $1 glance_registry_t:process signal_perms; -+ ps_process_pattern($1, glance_registry_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 glance_registry_t:process ptrace; -+ allow $1 glance_api_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) - domain_system_change_exemption($1) -diff --git a/glance.te b/glance.te -index e0a4f46..16dcb5b 100644 ---- a/glance.te -+++ b/glance.te -@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) - - attribute glance_domain; - --type glance_registry_t, glance_domain; --type glance_registry_exec_t; -+glance_basic_types_template(glance_registry) - init_daemon_domain(glance_registry_t, glance_registry_exec_t) - - type glance_registry_initrc_exec_t; -@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t) - type glance_registry_tmp_t; - files_tmp_file(glance_registry_tmp_t) - --type glance_api_t, glance_domain; --type glance_api_exec_t; -+type glance_registry_tmpfs_t; -+files_tmpfs_file(glance_registry_tmpfs_t) -+ -+glance_basic_types_template(glance_api) - init_daemon_domain(glance_api_t, glance_api_exec_t) - - type glance_api_initrc_exec_t; -@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t) - # Common local policy - # - -+allow glance_domain self:process signal_perms; - allow glance_domain self:fifo_file rw_fifo_file_perms; - allow glance_domain self:unix_stream_socket create_stream_socket_perms; - allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) - manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) - 
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) - --kernel_read_system_state(glance_domain) -- --corenet_all_recvfrom_unlabeled(glance_domain) --corenet_all_recvfrom_netlabel(glance_domain) - corenet_tcp_sendrecv_generic_if(glance_domain) - corenet_tcp_sendrecv_generic_node(glance_domain) - corenet_tcp_sendrecv_all_ports(glance_domain) - corenet_tcp_bind_generic_node(glance_domain) -+corenet_tcp_connect_mysqld_port(glance_domain) -+corenet_tcp_connect_http_port(glance_domain) - - corecmd_exec_bin(glance_domain) - corecmd_exec_shell(glance_domain) - - dev_read_urand(glance_domain) -+dev_read_sysfs(glance_domain) - --files_read_etc_files(glance_domain) --files_read_usr_files(glance_domain) -+auth_read_passwd(glance_domain) - - libs_exec_ldconfig(glance_domain) - --miscfiles_read_localization(glance_domain) -- - sysnet_dns_name_resolve(glance_domain) - - ######################################## -@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm - manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) - files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) - -+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) -+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) -+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file }) -+ -+corenet_tcp_bind_generic_node(glance_registry_t) - corenet_sendrecv_glance_registry_server_packets(glance_registry_t) - corenet_tcp_bind_glance_registry_port(glance_registry_t) -+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) - - logging_send_syslog_msg(glance_registry_t) - -@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) - files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) - can_exec(glance_api_t, glance_tmp_t) - 
--corenet_sendrecv_armtechdaemon_server_packets(glance_api_t) --corenet_tcp_bind_armtechdaemon_port(glance_api_t) -- --corenet_sendrecv_hplip_server_packets(glance_api_t) --corenet_tcp_bind_hplip_port(glance_api_t) -+corenet_tcp_bind_generic_node(glance_api_t) - -+corenet_tcp_bind_glance_port(glance_api_t) - corenet_sendrecv_glance_registry_client_packets(glance_api_t) -+corenet_tcp_connect_amqp_port(glance_api_t) - corenet_tcp_connect_glance_registry_port(glance_api_t) -+corenet_tcp_connect_mysqld_port(glance_api_t) -+corenet_tcp_connect_http_port(glance_api_t) -+ -+corenet_tcp_connect_all_ephemeral_ports(glance_api_t) -+ -+corenet_sendrecv_hplip_server_packets(glance_api_t) -+corenet_tcp_bind_hplip_port(glance_api_t) - - fs_getattr_xattr_fs(glance_api_t) -+ -+optional_policy(` -+ mysql_stream_connect(glance_api_t) -+') -diff --git a/glusterd.fc b/glusterd.fc -new file mode 100644 -index 0000000..9614520 ---- /dev/null -+++ b/glusterd.fc -@@ -0,0 +1,16 @@ -+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -+ -+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -+ -+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -+ -+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -+ -+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) -+ -+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) -+ -+/var/run/glusterd(/.*)? 
gen_context(system_u:object_r:glusterd_var_run_t,s0) -+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) -diff --git a/glusterd.if b/glusterd.if -new file mode 100644 -index 0000000..1ed97fe ---- /dev/null -+++ b/glusterd.if -@@ -0,0 +1,150 @@ -+ -+## policy for glusterd -+ -+ -+######################################## -+## -+## Transition to glusterd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`glusterd_domtrans',` -+ gen_require(` -+ type glusterd_t, glusterd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, glusterd_exec_t, glusterd_t) -+') -+ -+ -+######################################## -+## -+## Execute glusterd server in the glusterd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`glusterd_initrc_domtrans',` -+ gen_require(` -+ type glusterd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t) -+') -+ -+ -+######################################## -+## -+## Read glusterd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`glusterd_read_log',` -+ gen_require(` -+ type glusterd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, glusterd_log_t, glusterd_log_t) -+') -+ -+######################################## -+## -+## Append to glusterd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`glusterd_append_log',` -+ gen_require(` -+ type glusterd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, glusterd_log_t, glusterd_log_t) -+') -+ -+######################################## -+## -+## Manage glusterd log files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`glusterd_manage_log',` -+ gen_require(` -+ type glusterd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) -+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t) -+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an glusterd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`glusterd_admin',` -+ gen_require(` -+ type glusterd_t; -+ type glusterd_initrc_exec_t; -+ type glusterd_log_t; -+ type glusterd_tmp_t; -+ type glusterd_conf_t; -+ ') -+ -+ allow $1 glusterd_t:process { signal_perms }; -+ ps_process_pattern($1, glusterd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 glusterd_t:process ptrace; -+ ') -+ -+ glusterd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 glusterd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_search_logs($1) -+ admin_pattern($1, glusterd_log_t) -+ -+ admin_pattern($1, glusterd_tmp_t) -+ -+ admin_pattern($1, glusterd_conf_t) -+ -+') -+ -diff --git a/glusterd.te b/glusterd.te -new file mode 100644 -index 0000000..ac74fc9 ---- /dev/null -+++ b/glusterd.te -@@ -0,0 +1,188 @@ -+policy_module(glusterfs, 1.0.1) -+ -+## -+##

    -+## Allow glusterfsd to modify public files used for public file -+## transfer services. Files/Directories must be labeled -+## public_content_rw_t. -+##

    -+##
    -+gen_tunable(gluster_anon_write, false) -+ -+## -+##

    -+## Allow glusterfsd to share any file/directory read only. -+##

    -+##
    -+gen_tunable(gluster_export_all_ro, false) -+ -+## -+##

    -+## Allow glusterfsd to share any file/directory read/write. -+##

    -+##
    -+gen_tunable(gluster_export_all_rw, true) -+ -+######################################## -+# -+# Declarations -+# -+ -+type glusterd_t; -+type glusterd_exec_t; -+init_daemon_domain(glusterd_t, glusterd_exec_t) -+ -+type glusterd_conf_t; -+files_type(glusterd_conf_t) -+ -+type glusterd_initrc_exec_t; -+init_script_file(glusterd_initrc_exec_t) -+ -+type glusterd_tmp_t; -+files_tmp_file(glusterd_tmp_t) -+ -+type glusterd_log_t; -+logging_log_file(glusterd_log_t) -+ -+type glusterd_var_run_t; -+files_pid_file(glusterd_var_run_t) -+ -+type glusterd_var_lib_t; -+files_type(glusterd_var_lib_t) -+ -+######################################## -+# -+# Local policy -+# -+ -+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin }; -+ -+allow glusterd_t self:capability2 block_suspend; -+allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; -+allow glusterd_t self:fifo_file rw_fifo_file_perms; -+allow glusterd_t self:tcp_socket { accept listen }; -+allow glusterd_t self:unix_stream_socket { accept listen connectto }; -+ -+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) -+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) -+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs") -+ -+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) -+allow glusterd_t glusterd_tmp_t:dir mounton; -+ -+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+logging_log_filetrans(glusterd_t, glusterd_log_t, dir) -+ 
-+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file }) -+ -+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) -+ -+can_exec(glusterd_t, glusterd_exec_t) -+ -+kernel_read_system_state(glusterd_t) -+kernel_read_network_state(glusterd_t) -+kernel_read_net_sysctls(glusterd_t) -+kernel_request_load_module(glusterd_t) -+ -+corecmd_exec_bin(glusterd_t) -+corecmd_exec_shell(glusterd_t) -+ -+corenet_all_recvfrom_unlabeled(glusterd_t) -+corenet_all_recvfrom_netlabel(glusterd_t) -+corenet_tcp_sendrecv_generic_if(glusterd_t) -+corenet_udp_sendrecv_generic_if(glusterd_t) -+corenet_tcp_sendrecv_generic_node(glusterd_t) -+corenet_udp_sendrecv_generic_node(glusterd_t) -+corenet_tcp_sendrecv_all_ports(glusterd_t) -+corenet_udp_sendrecv_all_ports(glusterd_t) -+corenet_tcp_bind_generic_node(glusterd_t) -+corenet_udp_bind_generic_node(glusterd_t) -+ -+corenet_tcp_connect_gluster_port(glusterd_t) -+corenet_tcp_bind_gluster_port(glusterd_t) -+ -+# replacement for rpc.mountd -+corenet_sendrecv_all_server_packets(glusterd_t) -+corenet_tcp_bind_all_reserved_ports(glusterd_t) -+corenet_udp_bind_all_rpc_ports(glusterd_t) -+corenet_tcp_bind_all_rpc_ports(glusterd_t) -+corenet_tcp_bind_nfs_port(glusterd_t) -+corenet_udp_bind_nfs_port(glusterd_t) -+corenet_udp_bind_mountd_port(glusterd_t) -+corenet_tcp_bind_mountd_port(glusterd_t) -+corenet_udp_bind_ipp_port(glusterd_t) -+ -+corenet_sendrecv_all_client_packets(glusterd_t) -+corenet_tcp_bind_all_unreserved_ports(glusterd_t) 
-+corenet_tcp_connect_all_unreserved_ports(glusterd_t) -+corenet_tcp_connect_ssh_port(glusterd_t) -+ -+dev_read_sysfs(glusterd_t) -+dev_read_urand(glusterd_t) -+ -+domain_read_all_domains_state(glusterd_t) -+ -+domain_use_interactive_fds(glusterd_t) -+ -+fs_mount_all_fs(glusterd_t) -+fs_unmount_all_fs(glusterd_t) -+fs_getattr_all_fs(glusterd_t) -+ -+files_mounton_mnt(glusterd_t) -+ -+storage_rw_fuse(glusterd_t) -+ -+auth_use_nsswitch(glusterd_t) -+ -+fs_getattr_all_fs(glusterd_t) -+ -+logging_send_syslog_msg(glusterd_t) -+libs_exec_ldconfig(glusterd_t) -+ -+miscfiles_read_localization(glusterd_t) -+miscfiles_read_public_files(glusterd_t) -+ -+userdom_manage_user_home_dirs(glusterd_t) -+userdom_filetrans_home_content(glusterd_t) -+ -+mount_domtrans(glusterd_t) -+tunable_policy(`gluster_anon_write',` -+ miscfiles_manage_public_files(glusterd_t) -+') -+ -+tunable_policy(`gluster_export_all_ro',` -+ fs_read_noxattr_fs_files(glusterd_t) -+ files_read_non_security_files(glusterd_t) -+') -+ -+tunable_policy(`gluster_export_all_rw',` -+ fs_manage_noxattr_fs_files(glusterd_t) -+ files_manage_non_security_dirs(glusterd_t) -+ files_manage_non_security_files(glusterd_t) -+ files_relabel_base_file_types(glusterd_t) -+') -+ -+optional_policy(` -+ rpc_domtrans_rpcd(glusterd_t) -+ rpc_kill_rpcd(glusterd_t) -+') -+ -+optional_policy(` -+ rsync_exec(glusterd_t) -+') -+ -+optional_policy(` -+ ssh_exec(glusterd_t) -+') -diff --git a/glusterfs.fc b/glusterfs.fc -deleted file mode 100644 -index 4bd6ade..0000000 ---- a/glusterfs.fc -+++ /dev/null -@@ -1,16 +0,0 @@ --/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -- --/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) --/etc/glusterd(/.*)? 
gen_context(system_u:object_r:glusterd_conf_t,s0) -- --/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) --/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -- --/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -- --/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) -- --/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) -- --/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) --/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) -diff --git a/glusterfs.if b/glusterfs.if -deleted file mode 100644 -index 05233c8..0000000 ---- a/glusterfs.if -+++ /dev/null -@@ -1,71 +0,0 @@ --## Cluster File System binary, daemon and command line. -- --######################################## --## --## All of the rules required to --## administrate an glusterfs environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. --## --## --## --# --interface(`glusterd_admin',` -- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.') -- glusterfs_admin($1, $2) --') -- --######################################## --## --## All of the rules required to --## administrate an glusterfs environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. 
--## --## --## --# --interface(`glusterfs_admin',` -- gen_require(` -- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; -- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; -- type glusterd_var_run_t; -- ') -- -- init_labeled_script_domtrans($1, glusterd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 glusterd_initrc_exec_t system_r; -- allow $2 system_r; -- -- allow $1 glusterd_t:process { ptrace signal_perms }; -- ps_process_pattern($1, glusterd_t) -- -- files_search_etc($1) -- admin_pattern($1, glusterd_conf_t) -- -- logging_search_logs($1) -- admin_pattern($1, glusterd_log_t) -- -- files_search_tmp($1) -- admin_pattern($1, glusterd_tmp_t) -- -- files_search_var_lib($1) -- admin_pattern($1, glusterd_var_lib_t) -- -- files_search_pids($1) -- admin_pattern($1, glusterd_var_run_t) --') -diff --git a/glusterfs.te b/glusterfs.te -deleted file mode 100644 -index fd02acc..0000000 ---- a/glusterfs.te -+++ /dev/null -@@ -1,102 +0,0 @@ --policy_module(glusterfs, 1.0.1) -- --######################################## --# --# Declarations --# -- --type glusterd_t; --type glusterd_exec_t; --init_daemon_domain(glusterd_t, glusterd_exec_t) -- --type glusterd_conf_t; --files_type(glusterd_conf_t) -- --type glusterd_initrc_exec_t; --init_script_file(glusterd_initrc_exec_t) -- --type glusterd_tmp_t; --files_tmp_file(glusterd_tmp_t) -- --type glusterd_log_t; --logging_log_file(glusterd_log_t) -- --type glusterd_var_run_t; --files_pid_file(glusterd_var_run_t) -- --type glusterd_var_lib_t; --files_type(glusterd_var_lib_t); -- --######################################## --# --# Local policy --# -- --allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; --allow glusterd_t self:process { setrlimit signal }; --allow glusterd_t self:fifo_file rw_fifo_file_perms; --allow glusterd_t self:tcp_socket { accept listen }; --allow glusterd_t self:unix_stream_socket { accept listen }; -- 
--manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) --manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) --files_etc_filetrans(glusterd_t, glusterd_conf_t, dir) -- --manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) --manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) --manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) --files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) -- --manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) --append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) --create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) --setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) --logging_log_filetrans(glusterd_t, glusterd_log_t, dir) -- --manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) --manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) --files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) -- --manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) --manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) --files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) -- --can_exec(glusterd_t, glusterd_exec_t) -- --kernel_read_system_state(glusterd_t) -- --corecmd_exec_bin(glusterd_t) --corecmd_exec_shell(glusterd_t) -- --corenet_all_recvfrom_unlabeled(glusterd_t) --corenet_all_recvfrom_netlabel(glusterd_t) --corenet_tcp_sendrecv_generic_if(glusterd_t) --corenet_udp_sendrecv_generic_if(glusterd_t) --corenet_tcp_sendrecv_generic_node(glusterd_t) --corenet_udp_sendrecv_generic_node(glusterd_t) --corenet_tcp_sendrecv_all_ports(glusterd_t) --corenet_udp_sendrecv_all_ports(glusterd_t) --corenet_tcp_bind_generic_node(glusterd_t) --corenet_udp_bind_generic_node(glusterd_t) -- --# Too coarse? 
--corenet_sendrecv_all_server_packets(glusterd_t) --corenet_tcp_bind_all_reserved_ports(glusterd_t) --corenet_udp_bind_all_rpc_ports(glusterd_t) --corenet_udp_bind_ipp_port(glusterd_t) -- --corenet_sendrecv_all_client_packets(glusterd_t) --corenet_tcp_connect_all_unreserved_ports(glusterd_t) -- --dev_read_sysfs(glusterd_t) --dev_read_urand(glusterd_t) -- --domain_use_interactive_fds(glusterd_t) -- --files_read_usr_files(glusterd_t) -- --auth_use_nsswitch(glusterd_t) -- --logging_send_syslog_msg(glusterd_t) -- --miscfiles_read_localization(glusterd_t) -diff --git a/gnome.fc b/gnome.fc -index e39de43..5818f74 100644 ---- a/gnome.fc -+++ b/gnome.fc -@@ -1,15 +1,58 @@ --HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) --HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) --HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) --HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) --HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) --HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) -+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) -+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0) -+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) -+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -+HOME_DIR/\.gnome2/keyrings(/.*)? 
gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) -+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) -+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) -+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) -+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) -+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) -+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) - --/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) -+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) -+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) -+ -+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) -+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) -+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -+/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0) -+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -+/root/\.gnome2/keyrings(/.*)? 
gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) -+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -+/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) -+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) -+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) -+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) -+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+ -+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) - - /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) - -+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) -+ - /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) - --/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) --/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -+# Don't use because toolchain is broken -+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -+ -+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) -+ -+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) -+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) -diff --git a/gnome.if b/gnome.if -index d03fd43..0e04529 100644 ---- a/gnome.if -+++ b/gnome.if -@@ -1,123 +1,157 @@ --## GNU network object model environment. -+## GNU network object model environment (GNOME) - --######################################## -+########################################################### - ## --## Role access for gnome. (Deprecated) -+## Role access for gnome - ## - ## --## --## Role allowed access. --## -+## -+## Role allowed access -+## - ## - ## --## --## User domain for the role. 
--## -+## -+## User domain for the role -+## - ## - # - interface(`gnome_role',` -- refpolicywarn(`$0($*) has been deprecated') -+ gen_require(` -+ type gconfd_t, gconfd_exec_t; -+ type gconf_tmp_t; -+ ') -+ -+ role $1 types gconfd_t; -+ -+ domain_auto_trans($2, gconfd_exec_t, gconfd_t) -+ allow gconfd_t $2:fd use; -+ allow gconfd_t $2:fifo_file write; -+ allow gconfd_t $2:unix_stream_socket connectto; -+ -+ ps_process_pattern($2, gconfd_t) -+ -+ #gnome_stream_connect_gconf_template($1, $2) -+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) -+ allow $2 gconfd_t:unix_stream_socket connectto; - ') - --####################################### -+###################################### - ## --## The role template for gnome. -+## The role template for the gnome-keyring-daemon. - ## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## -+## -+## -+## The user prefix. -+## - ## - ## --## --## The role associated with the user domain. --## -+## -+## The user role. -+## - ## - ## --## --## The type of the user domain. --## -+## -+## The user domain associated with the role. 
-+## - ## - # --template(`gnome_role_template',` -- gen_require(` -- attribute gnomedomain, gkeyringd_domain; -- attribute_role gconfd_roles; -- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; -- type gconfd_t, gconfd_exec_t, gconf_tmp_t; -- type gconf_home_t; -- ') -- -- ######################################## -- # -- # Gconf declarations -- # -- -- roleattribute $2 gconfd_roles; -- -- ######################################## -- # -- # Gkeyringd declarations -- # -+interface(`gnome_role_gkeyringd',` -+ gen_require(` -+ attribute gkeyringd_domain; -+ attribute gnomedomain; -+ type gnome_home_t; -+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; -+ class dbus send_msg; -+ ') - - type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; -- userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) -+ typealias $1_gkeyringd_t alias gkeyringd_$1_t; -+ application_domain($1_gkeyringd_t, gkeyringd_exec_t) -+ ubac_constrained($1_gkeyringd_t) - domain_user_exemption_target($1_gkeyringd_t) - -+ userdom_home_manager($1_gkeyringd_t) -+ - role $2 types $1_gkeyringd_t; - -- ######################################## -- # -- # Gconf policy -- # -+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - -- domtrans_pattern($3, gconfd_exec_t, gconfd_t) -+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; -+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; - -- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; -- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") -- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") -+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; -+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; - -- allow $3 gconfd_t:process { ptrace signal_perms }; -- 
ps_process_pattern($3, gconfd_t) -+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t) -+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t) -+ allow $1_gkeyringd_t $3:process sigkill; -+ allow $3 $1_gkeyringd_t:fd use; -+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write }; - -- ######################################## -- # -- # Gkeyringd policy -- # - -- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) -+ kernel_read_system_state($1_gkeyringd_t) - -- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; -- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; -+ ps_process_pattern($1_gkeyringd_t, $3) - -- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") -- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") -- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") -- -- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") -+ auth_use_nsswitch($1_gkeyringd_t) - -- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; -+ logging_send_syslog_msg($1_gkeyringd_t) - - ps_process_pattern($3, $1_gkeyringd_t) -- allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; -- -- corecmd_bin_domtrans($1_gkeyringd_t, $3) -- corecmd_shell_domtrans($1_gkeyringd_t, $3) -+ allow $3 $1_gkeyringd_t:process signal_perms; -+ dontaudit $3 gkeyringd_exec_t:file entrypoint; - -- gnome_stream_connect_gkeyringd($1, $3) -+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) - -+ allow $1_gkeyringd_t $3:dbus send_msg; -+ allow $3 $1_gkeyringd_t:dbus send_msg; - optional_policy(` -- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) -+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) -+ dbus_session_bus_client($1_gkeyringd_t) -+ gnome_manage_generic_home_dirs($1_gkeyringd_t) -+ 
gnome_read_generic_data_home_files($1_gkeyringd_t) -+ gnome_read_generic_data_home_dirs($1_gkeyringd_t) -+ -+ optional_policy(` -+ telepathy_mission_control_read_state($1_gkeyringd_t) -+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) -+ ') -+ ') -+') - -- gnome_dbus_chat_gkeyringd($1, $3) -+####################################### -+## -+## Allow domain to run gkeyring in the $1_gkeyringd_t domain. -+## -+## -+## -+## The user prefix. -+## -+## -+## -+## -+## The user role. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_run_gkeyringd',` -+ gen_require(` -+ type $1_gkeyringd_t; -+ type gkeyringd_exec_t; - ') -+ role $2 types $1_gkeyringd_t; -+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - ') - - ######################################## - ## --## Execute gconf in the caller domain. -+## gconf connection template. - ## - ## - ## -@@ -125,18 +159,18 @@ template(`gnome_role_template',` - ## - ## - # --interface(`gnome_exec_gconf',` -+interface(`gnome_stream_connect_gconf',` - gen_require(` -- type gconfd_exec_t; -+ type gconfd_t, gconf_tmp_t; - ') - -- corecmd_search_bin($1) -- can_exec($1, gconfd_exec_t) -+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) -+ allow $1 gconfd_t:unix_stream_socket connectto; - ') - - ######################################## - ## --## Read gconf configuration content. -+## Connect to gkeyringd with a unix stream socket. 
- ## - ## - ## -@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',` - ## - ## - # --interface(`gnome_read_gconf_config',` -+interface(`gnome_stream_connect_gkeyringd',` - gen_require(` -- type gconf_etc_t; -+ attribute gkeyringd_domain; -+ type gkeyringd_tmp_t; -+ type gconf_tmp_t; -+ type cache_home_t; - ') - -- files_search_etc($1) -- allow $1 gconf_etc_t:dir list_dir_perms; -- allow $1 gconf_etc_t:file read_file_perms; -- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms; -+ allow $1 gconf_tmp_t:dir search_dir_perms; -+ userdom_search_user_tmp_dirs($1) -+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) -+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain) - ') - - ######################################## - ## --## Do not audit attempts to read --## inherited gconf configuration files. -+## Run gconfd in gconfd domain. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`gnome_dontaudit_read_inherited_gconf_config_files',` -+interface(`gnome_domtrans_gconfd',` - gen_require(` -- type gconf_etc_t; -+ type gconfd_t, gconfd_exec_t; - ') - -- dontaudit $1 gconf_etc_t:file read; -+ domtrans_pattern($1, gconfd_exec_t, gconfd_t) - ') - --####################################### -+######################################## - ## --## Create, read, write, and delete --## gconf configuration content. -+## Dontaudit read gnome homedir content (.config) - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`gnome_manage_gconf_config',` -+interface(`gnome_dontaudit_read_config',` - gen_require(` -- type gconf_etc_t; -+ attribute gnome_home_type; - ') - -- files_search_etc($1) -- allow $1 gconf_etc_t:dir manage_dir_perms; -- allow $1 gconf_etc_t:file manage_file_perms; -- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; -+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms; - ') - - ######################################## - ## --## Connect to gconf using a unix --## domain stream socket. -+## Dontaudit search gnome homedir content (.config) - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`gnome_stream_connect_gconf',` -+interface(`gnome_dontaudit_search_config',` - gen_require(` -- type gconfd_t, gconf_tmp_t; -+ attribute gnome_home_type; - ') - -- files_search_tmp($1) -- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) -+ dontaudit $1 gnome_home_type:dir search_dir_perms; - ') - - ######################################## - ## --## Run gconfd in gconfd domain. -+## Dontaudit write gnome homedir content (.config) - ## - ## - ## --## Domain allowed to transition. -+## Domain to not audit. - ## - ## - # --interface(`gnome_domtrans_gconfd',` -+interface(`gnome_dontaudit_append_config_files',` - gen_require(` -- type gconfd_t, gconfd_exec_t; -+ attribute gnome_home_type; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+ dontaudit $1 gnome_home_type:file append; - ') - -+ - ######################################## - ## --## Create generic gnome home directories. -+## Dontaudit write gnome homedir content (.config) - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`gnome_create_generic_home_dirs',` -+interface(`gnome_dontaudit_write_config_files',` - gen_require(` -- type gnome_home_t; -+ attribute gnome_home_type; - ') - -- allow $1 gnome_home_t:dir create_dir_perms; -+ dontaudit $1 gnome_home_type:file write; - ') - - ######################################## - ## --## Set attributes of generic gnome --## user home directories. (Deprecated) -+## manage gnome homedir content (.config) - ## - ## - ## -@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',` - ## - ## - # --interface(`gnome_setattr_config_dirs',` -- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.') -- gnome_setattr_generic_home_dirs($1) -+interface(`gnome_manage_config',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ allow $1 gnome_home_type:dir manage_dir_perms; -+ allow $1 gnome_home_type:file manage_file_perms; -+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; -+ allow $1 gnome_home_type:sock_file manage_sock_file_perms; -+ userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Set attributes of generic gnome --## user home directories. -+## Send general signals to all gconf domains. - ## - ## - ## -@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',` - ## - ## - # --interface(`gnome_setattr_generic_home_dirs',` -+interface(`gnome_signal_all',` - gen_require(` -- type gnome_home_t; -+ attribute gnomedomain; - ') - -- userdom_search_user_home_dirs($1) -- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -+ allow $1 gnomedomain:process signal; - ') - - ######################################## - ## --## Read generic gnome user home content. (Deprecated) -+## Create objects in a Gnome cache home directory -+## with an automatic type transition to -+## a specified private type. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to create. 
-+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`gnome_read_config',` -- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.') -- gnome_read_generic_home_content($1) -+interface(`gnome_cache_filetrans',` -+ gen_require(` -+ type cache_home_t; -+ ') -+ -+ filetrans_pattern($1, cache_home_t, $2, $3, $4) -+ userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Read generic gnome home content. -+## Create objects in a Gnome cache home directory -+## with an automatic type transition to -+## a specified private type. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to create. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`gnome_read_generic_home_content',` -+interface(`gnome_config_filetrans',` - gen_require(` -- type gnome_home_t; -+ type config_home_t; - ') - -+ filetrans_pattern($1, config_home_t, $2, $3, $4) - userdom_search_user_home_dirs($1) -- allow $1 gnome_home_t:dir list_dir_perms; -- allow $1 gnome_home_t:file read_file_perms; -- allow $1 gnome_home_t:fifo_file read_fifo_file_perms; -- allow $1 gnome_home_t:lnk_file read_lnk_file_perms; -- allow $1 gnome_home_t:sock_file read_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## generic gnome user home content. 
(Deprecated) -+## Read generic cache home files (.cache) - ## - ## - ## -@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',` - ## - ## - # --interface(`gnome_manage_config',` -- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.') -- gnome_manage_generic_home_content($1) -+interface(`gnome_read_generic_cache_files',` -+ gen_require(` -+ type cache_home_t; -+ ') -+ -+ read_files_pattern($1, cache_home_t, cache_home_t) -+ userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Create, read, write, and delete --## generic gnome home content. -+## Create generic cache home dir (.cache) - ## - ## - ## -@@ -354,22 +424,18 @@ interface(`gnome_manage_config',` - ## - ## - # --interface(`gnome_manage_generic_home_content',` -+interface(`gnome_create_generic_cache_dir',` - gen_require(` -- type gnome_home_t; -+ type cache_home_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; -- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; -- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; -- allow $1 gnome_home_t:sock_file manage_sock_file_perms; -+ allow $1 cache_home_t:dir create_dir_perms; -+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") - ') - - ######################################## - ## --## Search generic gnome home directories. 
-+## Set attributes of cache home dir (.cache) - ## - ## - ## -@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',` - ## - ## - # --interface(`gnome_search_generic_home',` -+interface(`gnome_setattr_cache_home_dir',` - gen_require(` -- type gnome_home_t; -+ type cache_home_t; - ') - -+ setattr_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -- allow $1 gnome_home_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create objects in gnome user home --## directories with a private type. -+## Manage cache home dir (.cache) - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Private file type. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`gnome_home_filetrans',` -+interface(`gnome_manage_cache_home_dir',` - gen_require(` -- type gnome_home_t; -+ type cache_home_t; - ') - -+ manage_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -- filetrans_pattern($1, gnome_home_t, $2, $3, $4) - ') - - ######################################## - ## --## Create generic gconf home directories. -+## append to generic cache home files (.cache) - ## - ## - ## -@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',` - ## - ## - # --interface(`gnome_create_generic_gconf_home_dirs',` -+interface(`gnome_append_generic_cache_files',` - gen_require(` -- type gconf_home_t; -+ type cache_home_t; - ') - -- allow $1 gconf_home_t:dir create_dir_perms; -+ append_files_pattern($1, cache_home_t, cache_home_t) -+ userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Read generic gconf home content. 
-+## write to generic cache home files (.cache) - ## - ## - ## -@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` - ## - ## - # --interface(`gnome_read_generic_gconf_home_content',` -+interface(`gnome_write_generic_cache_files',` - gen_require(` -- type gconf_home_t; -+ type cache_home_t; - ') - -+ write_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) -- allow $1 gconf_home_t:dir list_dir_perms; -- allow $1 gconf_home_t:file read_file_perms; -- allow $1 gconf_home_t:fifo_file read_fifo_file_perms; -- allow $1 gconf_home_t:lnk_file read_lnk_file_perms; -- allow $1 gconf_home_t:sock_file read_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## generic gconf home content. -+## Manage a sock_file in the generic cache home files (.cache) - ## - ## - ## -@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',` - ## - ## - # --interface(`gnome_manage_generic_gconf_home_content',` -+interface(`gnome_manage_generic_cache_sockets',` - gen_require(` -- type gconf_home_t; -+ type cache_home_t; - ') - - userdom_search_user_home_dirs($1) -- allow $1 gconf_home_t:dir manage_dir_perms; -- allow $1 gconf_home_t:file manage_file_perms; -- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; -- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; -- allow $1 gconf_home_t:sock_file manage_sock_file_perms; -+ manage_sock_files_pattern($1, cache_home_t, cache_home_t) - ') - - ######################################## - ## --## Search generic gconf home directories. -+## Dontaudit read/write to generic cache home files (.cache) - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`gnome_search_generic_gconf_home',` -+interface(`gnome_dontaudit_rw_generic_cache_files',` - gen_require(` -- type gconf_home_t; -+ type cache_home_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 gconf_home_t:dir search_dir_perms; -+ dontaudit $1 cache_home_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Create objects in user home --## directories with the generic gconf --## home type. -+## read gnome homedir content (.config) - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`gnome_home_filetrans_gconf_home',` -+interface(`gnome_read_config',` - gen_require(` -- type gconf_home_t; -+ attribute gnome_home_type; - ') - -- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) -+ list_dirs_pattern($1, gnome_home_type, gnome_home_type) -+ read_files_pattern($1, gnome_home_type, gnome_home_type) -+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) -+ gnome_read_usr_config($1) - ') - - ######################################## - ## --## Create objects in user home --## directories with the generic gnome --## home type. -+## Create objects in a Gnome gconf home directory -+## with an automatic type transition to -+## a specified private type. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to create. -+## -+## - ## - ## --## Class of the object being created. -+## The class of the object to be created. - ## - ## - ## -@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',` - ##
    - ## - # --interface(`gnome_home_filetrans_gnome_home',` -+interface(`gnome_data_filetrans',` - gen_require(` -- type gnome_home_t; -+ type data_home_t; - ') - -- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) -+ filetrans_pattern($1, data_home_t, $2, $3, $4) -+ gnome_search_gconf($1) - ') - --######################################## -+####################################### - ## --## Create objects in gnome gconf home --## directories with a private type. -+## Read generic data home files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Private file type. --## --## --## --## --## Class of the object being created. --## -+# -+interface(`gnome_read_generic_data_home_files',` -+ gen_require(` -+ type data_home_t, gconf_home_t; -+ ') -+ -+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) -+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) -+') -+ -+###################################### -+## -+## Read generic data home dirs. -+## -+## -+## -+## Domain allowed access. -+## - ## --## -+# -+interface(`gnome_read_generic_data_home_dirs',` -+ gen_require(` -+ type data_home_t, gconf_home_t; -+ ') -+ -+ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t) -+') -+ -+####################################### -+## -+## Manage gconf data home files -+## -+## - ## --## The name of the object being created. -+## Domain allowed access. - ## - ## - # --interface(`gnome_gconf_home_filetrans',` -+interface(`gnome_manage_data',` - gen_require(` -+ type data_home_t; - type gconf_home_t; - ') - -- userdom_search_user_home_dirs($1) -- filetrans_pattern($1, gconf_home_t, $2, $3, $4) -+ allow $1 gconf_home_t:dir search_dir_perms; -+ manage_dirs_pattern($1, data_home_t, data_home_t) -+ manage_files_pattern($1, data_home_t, data_home_t) -+ manage_lnk_files_pattern($1, data_home_t, data_home_t) - ') - - ######################################## - ## --## Read generic gnome keyring home files. 
-+## Read icc data home content. - ## - ## - ## -@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',` - ## - ## - # --interface(`gnome_read_keyring_home_files',` -+interface(`gnome_read_home_icc_data_content',` - gen_require(` -- type gnome_home_t, gnome_keyring_home_t; -+ type icc_data_home_t, gconf_home_t, data_home_t; - ') - - userdom_search_user_home_dirs($1) -- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) -+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; -+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) -+ read_files_pattern($1, icc_data_home_t, icc_data_home_t) -+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) - ') - - ######################################## - ## --## Send and receive messages from --## gnome keyring daemon over dbus. -+## Read inherited icc data home files. - ## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## - ## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_dbus_chat_gkeyringd',` -+interface(`gnome_read_inherited_home_icc_data_files',` - gen_require(` -- type $1_gkeyringd_t; -- class dbus send_msg; -+ type icc_data_home_t; - ') - -- allow $2 $1_gkeyringd_t:dbus send_msg; -- allow $1_gkeyringd_t $2:dbus send_msg; -+ allow $1 icc_data_home_t:file read_inherited_file_perms; - ') - - ######################################## - ## --## Send and receive messages from all --## gnome keyring daemon over dbus. -+## Create gconf_home_t objects in the /root directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. 
-+## -+## - # --interface(`gnome_dbus_chat_all_gkeyringd',` -+interface(`gnome_admin_home_gconf_filetrans',` - gen_require(` -- attribute gkeyringd_domain; -- class dbus send_msg; -+ type gconf_home_t; - ') - -- allow $1 gkeyringd_domain:dbus send_msg; -- allow gkeyringd_domain $1:dbus send_msg; -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) - ') - - ######################################## - ## --## Connect to gnome keyring daemon --## with a unix stream socket. -+## Do not audit attempts to read -+## inherited gconf config files. - ## --## -+## - ## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). -+## Domain to not audit. - ## - ## -+# -+interface(`gnome_dontaudit_read_inherited_gconf_config_files',` -+ gen_require(` -+ type gconf_etc_t; -+ ') -+ -+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## -+## read gconf config files -+## - ## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_stream_connect_gkeyringd',` -+interface(`gnome_read_gconf_config',` - gen_require(` -- type $1_gkeyringd_t, gnome_keyring_tmp_t; -+ type gconf_etc_t; - ') - -- files_search_tmp($2) -- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) -+ allow $1 gconf_etc_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_etc_t, gconf_etc_t) -+ files_search_etc($1) -+') -+ -+####################################### -+## -+## Manage gconf config files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_gconf_config',` -+ gen_require(` -+ type gconf_etc_t; -+ ') -+ -+ allow $1 gconf_etc_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - ') - - ######################################## - ## --## Connect to all gnome keyring daemon --## with a unix stream socket. -+## Execute gconf programs in -+## in the caller domain. 
- ## - ## - ## -@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',` - ## - ## - # --interface(`gnome_stream_connect_all_gkeyringd',` -+interface(`gnome_exec_gconf',` -+ gen_require(` -+ type gconfd_exec_t; -+ ') -+ -+ can_exec($1, gconfd_exec_t) -+') -+ -+######################################## -+## -+## Execute gnome keyringd in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_exec_keyringd',` -+ gen_require(` -+ type gkeyringd_exec_t; -+ ') -+ -+ can_exec($1, gkeyringd_exec_t) -+ corecmd_search_bin($1) -+') -+ -+######################################## -+## -+## Search gconf home data dirs -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_search_gconf_data_dir',` -+ gen_require(` -+ type gconf_home_t; -+ type data_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ allow $1 data_home_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Read gconf home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_read_gconf_home_files',` -+ gen_require(` -+ type gconf_home_t; -+ type data_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ allow $1 data_home_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_files_pattern($1, data_home_t, data_home_t) -+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_lnk_files_pattern($1, data_home_t, data_home_t) -+') -+ -+######################################## -+## -+## Search gkeyringd temporary directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_search_gkeyringd_tmp_dirs',` -+ gen_require(` -+ type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ allow $1 gkeyringd_tmp_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List gkeyringd temporary directories. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_list_gkeyringd_tmp_dirs',` -+ gen_require(` -+ type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ allow $1 gkeyringd_tmp_t:dir list_dir_perms; -+') -+ -+####################################### -+## -+## Delete gkeyringd temporary -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_delete_gkeyringd_tmp_content',` -+ gen_require(` -+ type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) -+ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) -+ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) -+') -+ -+####################################### -+## -+## Manage gkeyringd temporary directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_gkeyringd_tmp_dirs',` -+ gen_require(` -+ type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) -+') -+ -+######################################## -+## -+## search gconf homedir (.local) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_search_gconf',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ -+ allow $1 gconf_home_t:dir search_dir_perms; -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## Set attributes of Gnome config dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_setattr_config_dirs',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ -+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -+ files_search_home($1) -+') -+ -+######################################## -+## -+## Manage generic gnome home files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_manage_generic_home_files',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, gnome_home_t, gnome_home_t) -+') -+ -+######################################## -+## -+## Manage generic gnome home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_generic_home_dirs',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ allow $1 gnome_home_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Append gconf home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_append_gconf_home_files',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ -+ append_files_pattern($1, gconf_home_t, gconf_home_t) -+') -+ -+######################################## -+## -+## manage gconf home files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_gconf_home_files',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ -+ allow $1 gconf_home_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_home_t, gconf_home_t) -+') -+ -+######################################## -+## -+## Connect to gnome over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_stream_connect',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) -+') -+ -+######################################## -+## -+## list gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_list_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ allow $1 config_home_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Set attributes of gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_setattr_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## read gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_read_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ list_dirs_pattern($1, config_home_t, config_home_t) -+ read_files_pattern($1, config_home_t, config_home_t) -+ read_lnk_files_pattern($1, config_home_t, config_home_t) -+') -+ -+####################################### -+## -+## delete gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_delete_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ delete_files_pattern($1, config_home_t, config_home_t) -+') -+ -+####################################### -+## -+## setattr gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_setattr_home_config_dirs',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+') -+ -+######################################## -+## -+## manage gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ manage_files_pattern($1, config_home_t, config_home_t) -+') -+ -+####################################### -+## -+## delete gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_delete_home_config_dirs',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ delete_dirs_pattern($1, config_home_t, config_home_t) -+') -+ -+######################################## -+## -+## manage gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_home_config_dirs',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ manage_dirs_pattern($1, config_home_t, config_home_t) -+') -+ -+######################################## -+## -+## manage gstreamer home content files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_gstreamer_home_files',` -+ gen_require(` -+ type gstreamer_home_t; -+ ') -+ -+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) -+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) -+ gnome_filetrans_gstreamer_home_content($1) -+') -+ -+###################################### -+## -+## Allow to execute gstreamer home content files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_exec_gstreamer_home_files',` -+ gen_require(` -+ type gstreamer_home_t; -+ ') -+ -+ can_exec($1, gstreamer_home_t) -+') -+ -+####################################### -+## -+## file name transition gstreamer home content files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_filetrans_gstreamer_home_content',` -+ gen_require(` -+ type gstreamer_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") -+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12") -+') -+ -+####################################### -+## -+## manage gstreamer home content files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_manage_gstreamer_home_dirs',` -+ gen_require(` -+ type gstreamer_home_t; -+ ') -+ -+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) -+') -+ -+######################################## -+## -+## Read/Write all inherited gnome home config -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_rw_inherited_config',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ allow $1 gnome_home_type:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Dontaudit Read/Write all inherited gnome home config -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`gnome_dontaudit_rw_inherited_config',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ dontaudit $1 gnome_home_type:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## gconf system service over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_dbus_chat_gconfdefault',` -+ gen_require(` -+ type gconfdefaultsm_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 gconfdefaultsm_t:dbus send_msg; -+ allow gconfdefaultsm_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## gkeyringd over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_dbus_chat_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; -- type gnome_keyring_tmp_t; -+ class dbus send_msg; - ') - -- files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) -+ allow $1 gkeyringd_domain:dbus send_msg; -+ allow gkeyringd_domain $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Send signull signal to gkeyringd processes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_signull_gkeyringd',` -+ gen_require(` -+ attribute gkeyringd_domain; -+ ') -+ -+ allow $1 gkeyringd_domain:process signull; -+') -+ -+######################################## -+## -+## Allow the domain to read gkeyringd state files in /proc. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_read_gkeyringd_state',` -+ gen_require(` -+ attribute gkeyringd_domain; -+ ') -+ -+ ps_process_pattern($1, gkeyringd_domain) -+') -+ -+######################################## -+## -+## Create directories in user home directories -+## with the gnome home file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_home_dir_filetrans',` -+ gen_require(` -+ type gnome_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir) -+ userdom_search_user_home_dirs($1) -+') -+ -+###################################### -+## -+## Allow read kde config content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_read_usr_config',` -+ gen_require(` -+ type config_usr_t; -+ ') -+ -+ files_search_usr($1) -+ list_dirs_pattern($1, config_usr_t, config_usr_t) -+ read_files_pattern($1, config_usr_t, config_usr_t) -+ read_lnk_files_pattern($1, config_usr_t, config_usr_t) -+') -+ -+####################################### -+## -+## Allow manage kde config content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_manage_usr_config',` -+ gen_require(` -+ type config_usr_t; -+ ') -+ -+ files_search_usr($1) -+ manage_dirs_pattern($1, config_usr_t, config_usr_t) -+ manage_files_pattern($1, config_usr_t, config_usr_t) -+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t) -+') -+ -+######################################## -+## -+## Execute gnome-keyring in the user gkeyring domain -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`gnome_transition_gkeyringd',` -+ gen_require(` -+ attribute gkeyringd_domain; -+ ') -+ -+ allow $1 gkeyringd_domain:process transition; -+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; -+ allow gkeyringd_domain $1:process { sigchld signull }; -+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## -+## Create gnome content in the user home directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_filetrans_home_content',` -+ -+gen_require(` -+ type config_home_t; -+ type cache_home_t; -+ type dbus_home_t; -+ type gconf_home_t; -+ type gnome_home_t; -+ type data_home_t, icc_data_home_t; -+ type gkeyringd_gnome_home_t; -+') -+ -+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config") -+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") -+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine") -+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") -+ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus") -+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv") -+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde") -+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") -+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") -+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") -+ userdom_user_home_dir_filetrans($1, gnome_home_t, 
dir, ".gnome2") -+ -+ # ~/.color/icc: legacy -+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc") -+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") -+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") -+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") -+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") -+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig") -+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf") -+ gnome_cache_filetrans($1, config_home_t, dir, "dconf") -+ gnome_filetrans_gstreamer_home_content($1) -+') -+ -+######################################## -+## -+## Create gnome dconf dir in the user home directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_filetrans_config_home_content',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ gnome_cache_filetrans($1, config_home_t, dir, "dconf") -+') -+ -+######################################## -+## -+## Create gnome directory in the /root directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnome_filetrans_admin_home_content',` -+ -+gen_require(` -+ type config_home_t; -+ type cache_home_t; -+ type dbus_home_t; -+ type gstreamer_home_t; -+ type gconf_home_t; -+ type gnome_home_t; -+ type icc_data_home_t; -+') -+ -+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config") -+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") -+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine") -+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache") -+ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus") -+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde") -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local") -+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") -+ gnome_filetrans_gstreamer_home_content($1) -+ # /root/.color/icc: legacy -+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc") -+') -+ -+##################################### -+## -+## Execute gnome-keyring executable -+## in the specified domain. -+## -+## -+##

    -+## Execute a telepathy executable -+## in the specified domain. This allows -+## the specified domain to execute any file -+## on these filesystems in the specified -+## domain. -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##

    -+## This interface was added to handle -+## the ssh-agent policy. -+##

    -+##
    -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`gnome_command_domtrans_gkeyringd', ` -+ gen_require(` -+ type gkeyringd_exec_t; -+ ') -+ -+ allow $2 gkeyringd_exec_t:file entrypoint; -+ domain_transition_pattern($1, gkeyringd_exec_t, $2) -+ type_transition $1 gkeyringd_exec_t:process $2; - ') -diff --git a/gnome.te b/gnome.te -index 20f726b..c6ff2a1 100644 ---- a/gnome.te -+++ b/gnome.te -@@ -1,18 +1,36 @@ --policy_module(gnome, 2.2.5) -+policy_module(gnome, 2.2.0) - - ############################## - # - # Declarations - # - --attribute gkeyringd_domain; - attribute gnomedomain; --attribute_role gconfd_roles; -+attribute gnome_home_type; -+attribute gkeyringd_domain; - - type gconf_etc_t; - files_config_file(gconf_etc_t) - --type gconf_home_t; -+type data_home_t, gnome_home_type; -+userdom_user_home_content(data_home_t) -+ -+type config_home_t, gnome_home_type; -+userdom_user_home_content(config_home_t) -+ -+type cache_home_t, gnome_home_type; -+userdom_user_home_content(cache_home_t) -+ -+type gstreamer_home_t, gnome_home_type; -+userdom_user_home_content(gstreamer_home_t) -+ -+type dbus_home_t, gnome_home_type; -+userdom_user_home_content(dbus_home_t) -+ -+type icc_data_home_t, gnome_home_type; -+userdom_user_home_content(icc_data_home_t) -+ -+type gconf_home_t, gnome_home_type; - typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; - typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; - typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,226 @@ type gconfd_exec_t; - typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; - typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; - userdom_user_application_domain(gconfd_t, gconfd_exec_t) --role gconfd_roles types gconfd_t; - --type gnome_home_t; -+type gnome_home_t, gnome_home_type; - typealias gnome_home_t alias { 
user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; - typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; - typealias gnome_home_t alias unconfined_gnome_home_t; - userdom_user_home_content(gnome_home_t) - -+# type KDE /usr/share/config files -+type config_usr_t; -+files_type(config_usr_t) -+ - type gkeyringd_exec_t; --application_executable_file(gkeyringd_exec_t) -+corecmd_executable_file(gkeyringd_exec_t) - --type gnome_keyring_home_t; --userdom_user_home_content(gnome_keyring_home_t) -+type gkeyringd_gnome_home_t; -+userdom_user_home_content(gkeyringd_gnome_home_t) - --type gnome_keyring_tmp_t; --userdom_user_tmp_file(gnome_keyring_tmp_t) -+type gkeyringd_tmp_t; -+userdom_user_tmp_content(gkeyringd_tmp_t) -+ -+type gconfdefaultsm_t; -+type gconfdefaultsm_exec_t; -+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) -+ -+type gnomesystemmm_t; -+type gnomesystemmm_exec_t; -+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t) - - ############################## - # --# Common local Policy -+# Local Policy - # - --allow gnomedomain self:process { getsched signal }; --allow gnomedomain self:fifo_file rw_fifo_file_perms; -+allow gconfd_t self:process getsched; -+allow gconfd_t self:fifo_file rw_fifo_file_perms; - --dev_read_urand(gnomedomain) -+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) -+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) -+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - --domain_use_interactive_fds(gnomedomain) -+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - --files_read_etc_files(gnomedomain) -+allow gconfd_t gconf_etc_t:dir list_dir_perms; -+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) -+ -+dev_read_urand(gconfd_t) - --miscfiles_read_localization(gnomedomain) - --logging_send_syslog_msg(gnomedomain) - 
--userdom_use_user_terminals(gnomedomain) -+logging_send_syslog_msg(gconfd_t) -+ -+userdom_manage_user_tmp_sockets(gconfd_t) -+userdom_manage_user_tmp_dirs(gconfd_t) -+userdom_tmp_filetrans_user_tmp(gconfd_t, dir) - - optional_policy(` -- xserver_rw_xdm_pipes(gnomedomain) -- xserver_use_xdm_fds(gnomedomain) -+ nscd_dontaudit_search_pid(gconfd_t) - ') - --############################## -+optional_policy(` -+ xserver_use_xdm_fds(gconfd_t) -+ xserver_rw_xdm_pipes(gconfd_t) -+') -+ -+####################################### - # --# Conf daemon local Policy -+# gconf-defaults-mechanisms local policy - # - --allow gconfd_t gconf_etc_t:dir list_dir_perms; --read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) -+allow gconfdefaultsm_t self:capability { dac_override sys_nice }; -+allow gconfdefaultsm_t self:process getsched; -+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; - --manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) --manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) --userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) -+corecmd_search_bin(gconfdefaultsm_t) - --manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) --manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) --userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) -+auth_read_passwd(gconfdefaultsm_t) - --userdom_manage_user_tmp_dirs(gconfd_t) --userdom_tmp_filetrans_user_tmp(gconfd_t, dir) -+gnome_manage_gconf_home_files(gconfdefaultsm_t) -+gnome_manage_gconf_config(gconfdefaultsm_t) -+ -+userdom_read_all_users_state(gconfdefaultsm_t) -+userdom_search_user_home_dirs(gconfdefaultsm_t) -+ -+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) - - optional_policy(` -- nscd_dontaudit_search_pid(gconfd_t) -+ consolekit_dbus_chat(gconfdefaultsm_t) - ') - --############################## -+optional_policy(` -+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) -+') -+ -+optional_policy(` -+ nscd_dontaudit_search_pid(gconfdefaultsm_t) -+') -+ 
-+optional_policy(` -+ policykit_domtrans_auth(gconfdefaultsm_t) -+ policykit_dbus_chat(gconfdefaultsm_t) -+ policykit_read_lib(gconfdefaultsm_t) -+ policykit_read_reload(gconfdefaultsm_t) -+') -+ -+userdom_home_manager(gconfdefaultsm_t) -+ -+####################################### -+# -+# gnome-system-monitor-mechanisms local policy -+# -+ -+allow gnomesystemmm_t self:capability { sys_admin sys_nice }; -+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; -+ -+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t) -+ -+kernel_read_system_state(gnomesystemmm_t) -+ -+corecmd_search_bin(gnomesystemmm_t) -+ -+domain_kill_all_domains(gnomesystemmm_t) -+domain_search_all_domains_state(gnomesystemmm_t) -+domain_setpriority_all_domains(gnomesystemmm_t) -+domain_signal_all_domains(gnomesystemmm_t) -+domain_sigstop_all_domains(gnomesystemmm_t) -+ -+fs_getattr_xattr_fs(gnomesystemmm_t) -+ -+auth_read_passwd(gnomesystemmm_t) -+ -+logging_send_syslog_msg(gnomesystemmm_t) -+ -+userdom_read_all_users_state(gnomesystemmm_t) -+userdom_dontaudit_search_admin_dir(gnomesystemmm_t) -+ -+optional_policy(` -+ consolekit_dbus_chat(gnomesystemmm_t) -+') -+ -+optional_policy(` -+ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) -+') -+ -+optional_policy(` -+ gnome_manage_home_config(gnomesystemmm_t) -+') -+ -+optional_policy(` -+ nscd_dontaudit_search_pid(gnomesystemmm_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(gnomesystemmm_t) -+ policykit_domtrans_auth(gnomesystemmm_t) -+ policykit_read_lib(gnomesystemmm_t) -+ policykit_read_reload(gnomesystemmm_t) -+') -+ -+###################################### - # --# Keyring-daemon local policy -+# gnome-keyring-daemon local policy - # - - allow gkeyringd_domain self:capability ipc_lock; --allow gkeyringd_domain self:process { getcap setcap }; -+allow gkeyringd_domain self:process { getcap getsched setcap signal }; -+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms; - allow gkeyringd_domain 
self:unix_stream_socket { connectto accept listen }; - --allow gkeyringd_domain gnome_home_t:dir create_dir_perms; --gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") -+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t) - --manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) --manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) --gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") -+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) -+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) -+allow gkeyringd_domain data_home_t:dir create_dir_perms; -+allow gkeyringd_domain gconf_home_t:dir create_dir_perms; -+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") -+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") -+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") -+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings") - --manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) --manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) --files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) -+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) -+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) -+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) -+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) - --kernel_read_system_state(gkeyringd_domain) - kernel_read_crypto_sysctls(gkeyringd_domain) - -+corecmd_search_bin(gkeyringd_domain) -+ - dev_read_rand(gkeyringd_domain) -+dev_read_urand(gkeyringd_domain) - dev_read_sysfs(gkeyringd_domain) - --files_read_usr_files(gkeyringd_domain) -+# for nscd? 
-+files_search_pids(gkeyringd_domain) - --fs_getattr_all_fs(gkeyringd_domain) -+fs_getattr_xattr_fs(gkeyringd_domain) -+fs_getattr_tmpfs(gkeyringd_domain) - --selinux_getattr_fs(gkeyringd_domain) -+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local") - - optional_policy(` -- ssh_read_user_home_files(gkeyringd_domain) -+ xserver_append_xdm_home_files(gkeyringd_domain) -+ xserver_read_xdm_home_files(gkeyringd_domain) -+ xserver_use_xdm_fds(gkeyringd_domain) - ') - - optional_policy(` -- telepathy_mission_control_read_state(gkeyringd_domain) -+ gnome_read_home_config(gkeyringd_domain) -+ gnome_read_generic_cache_files(gkeyringd_domain) -+ gnome_write_generic_cache_files(gkeyringd_domain) -+ gnome_manage_cache_home_dir(gkeyringd_domain) -+ gnome_manage_generic_cache_sockets(gkeyringd_domain) - ') -+ -+optional_policy(` -+ ssh_read_user_home_files(gkeyringd_domain) -+') -+ -+domain_use_interactive_fds(gnomedomain) -+ -+userdom_use_inherited_user_terminals(gnomedomain) -diff --git a/gnomeclock.fc b/gnomeclock.fc -index b687443..e4c1b83 100644 ---- a/gnomeclock.fc -+++ b/gnomeclock.fc -@@ -1,5 +1,9 @@ -+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+ - /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - --/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+ -+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - --/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -diff --git a/gnomeclock.if b/gnomeclock.if -index 3f55702..25c7ab8 100644 ---- a/gnomeclock.if -+++ b/gnomeclock.if -@@ -2,8 +2,7 @@ - - ######################################## - ## --## 
Execute a domain transition to --## run gnomeclock. -+## Execute a domain transition to run gnomeclock. - ## - ## - ## -@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',` - type gnomeclock_t, gnomeclock_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) - ') - - ######################################## - ## --## Execute gnomeclock in the gnomeclock --## domain, and allow the specified --## role the gnomeclock domain. -+## Execute gnomeclock in the gnomeclock domain, and -+## allow the specified role the gnomeclock domain. - ## - ## - ## -@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',` - # - interface(`gnomeclock_run',` - gen_require(` -- attribute_role gnomeclock_roles; -+ type gnomeclock_t; - ') - - gnomeclock_domtrans($1) -- roleattribute $2 gnomeclock_roles; -+ role $2 types gnomeclock_t; - ') - - ######################################## -@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',` - - ######################################## - ## --## Do not audit attempts to send and --## receive messages from gnomeclock --## over dbus. -+## Do not audit send and receive messages from -+## gnomeclock over dbus. 
- ## - ## - ## -diff --git a/gnomeclock.te b/gnomeclock.te -index 6d79eb5..c728009 100644 ---- a/gnomeclock.te -+++ b/gnomeclock.te -@@ -1,86 +1,99 @@ --policy_module(gnomeclock, 1.0.5) -+policy_module(gnomeclock, 1.0.0) - - ######################################## - # - # Declarations - # - --attribute_role gnomeclock_roles; -- - type gnomeclock_t; - type gnomeclock_exec_t; --init_system_domain(gnomeclock_t, gnomeclock_exec_t) --role gnomeclock_roles types gnomeclock_t; -+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t) -+ -+type gnomeclock_tmp_t; -+files_tmp_file(gnomeclock_tmp_t) - - ######################################## - # --# Local policy -+# gnomeclock local policy - # - --allow gnomeclock_t self:capability { sys_nice sys_time }; -+allow gnomeclock_t self:capability { sys_nice sys_time dac_override }; - allow gnomeclock_t self:process { getattr getsched signal }; - allow gnomeclock_t self:fifo_file rw_fifo_file_perms; --allow gnomeclock_t self:unix_stream_socket { accept listen }; -+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; -+allow gnomeclock_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) -+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) -+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) -+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir }) - - kernel_read_system_state(gnomeclock_t) - - corecmd_exec_bin(gnomeclock_t) - corecmd_exec_shell(gnomeclock_t) -+corecmd_dontaudit_access_check_bin(gnomeclock_t) - --corenet_all_recvfrom_unlabeled(gnomeclock_t) --corenet_all_recvfrom_netlabel(gnomeclock_t) --corenet_tcp_sendrecv_generic_if(gnomeclock_t) --corenet_tcp_sendrecv_generic_node(gnomeclock_t) -+corenet_tcp_connect_time_port(gnomeclock_t) - --# tcp:37 (time) --corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) --corenet_tcp_connect_inetd_child_port(gnomeclock_t) 
--corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t) -- --dev_read_sysfs(gnomeclock_t) --dev_read_urand(gnomeclock_t) - dev_rw_realtime_clock(gnomeclock_t) -+dev_read_urand(gnomeclock_t) -+dev_write_kmsg(gnomeclock_t) -+dev_read_sysfs(gnomeclock_t) - --files_read_usr_files(gnomeclock_t) -+files_read_etc_runtime_files(gnomeclock_t) - - fs_getattr_xattr_fs(gnomeclock_t) - - auth_use_nsswitch(gnomeclock_t) - -+init_dbus_chat(gnomeclock_t) -+ -+logging_stream_connect_syslog(gnomeclock_t) - logging_send_syslog_msg(gnomeclock_t) - --miscfiles_etc_filetrans_localization(gnomeclock_t) - miscfiles_manage_localization(gnomeclock_t) --miscfiles_read_localization(gnomeclock_t) -+miscfiles_etc_filetrans_localization(gnomeclock_t) - - userdom_read_all_users_state(gnomeclock_t) - - optional_policy(` -- chronyd_initrc_domtrans(gnomeclock_t) -+ chronyd_systemctl(gnomeclock_t) - ') - - optional_policy(` -+ clock_read_adjtime(gnomeclock_t) - clock_domtrans(gnomeclock_t) - ') - - optional_policy(` -- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) -+ consolekit_dbus_chat(gnomeclock_t) -+') - -- optional_policy(` -- consolekit_dbus_chat(gnomeclock_t) -- ') -+optional_policy(` -+ consoletype_exec(gnomeclock_t) -+') - -- optional_policy(` -- policykit_dbus_chat(gnomeclock_t) -- ') -+optional_policy(` -+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) -+') -+ -+optional_policy(` -+ gnome_manage_usr_config(gnomeclock_t) -+ gnome_manage_home_config(gnomeclock_t) -+ gnome_filetrans_admin_home_content(gnomeclock_t) - ') - - optional_policy(` - ntp_domtrans_ntpdate(gnomeclock_t) - ntp_initrc_domtrans(gnomeclock_t) -+ init_dontaudit_getattr_all_script_files(gnomeclock_t) -+ init_dontaudit_getattr_exec(gnomeclock_t) -+ ntp_systemctl(gnomeclock_t) - ') - - optional_policy(` -+ policykit_dbus_chat(gnomeclock_t) - policykit_domtrans_auth(gnomeclock_t) - policykit_read_lib(gnomeclock_t) - policykit_read_reload(gnomeclock_t) -diff --git a/gpg.fc b/gpg.fc -index 888cd2c..c02fa56 100644 ---- 
a/gpg.fc -+++ b/gpg.fc -@@ -1,10 +1,14 @@ --HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) --HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) -+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) -+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) -+ -+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0) -+ -+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) - - /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) --/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) -+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) - /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) - /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) - - /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) --/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff --git a/gpg.if b/gpg.if -index 180f1b7..951b790 100644 ---- a/gpg.if -+++ b/gpg.if -@@ -2,57 +2,75 @@ - - ############################################################ - ## --## Role access for gpg. -+## Role access for gpg - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. 
-+## User domain for the role - ## - ## - # - interface(`gpg_role',` - gen_require(` -- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; -- type gpg_t, gpg_exec_t, gpg_agent_t; -- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; -- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t; -+ type gpg_t, gpg_exec_t; -+ type gpg_agent_t, gpg_agent_exec_t; -+ type gpg_agent_tmp_t; -+ type gpg_helper_t, gpg_pinentry_t; -+ type gpg_pinentry_tmp_t; - ') - -- roleattribute $1 gpg_roles; -- roleattribute $1 gpg_agent_roles; -- roleattribute $1 gpg_helper_roles; -- roleattribute $1 gpg_pinentry_roles; -+ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; - -+ # transition from the userdomain to the derived domain - domtrans_pattern($2, gpg_exec_t, gpg_t) -- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - -- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; -- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) -+ # allow ps to show gpg -+ ps_process_pattern($2, gpg_t) -+ allow $2 gpg_t:process { signull sigstop signal sigkill }; - -- allow gpg_pinentry_t $2:process signull; -+ # communicate with the user - allow gpg_helper_t $2:fd use; -- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; -+ allow gpg_helper_t $2:fifo_file write; -+ -+ # allow ps to show gpg-agent -+ ps_process_pattern($2, gpg_agent_t) - -- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") -- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, 
".gnupg") -+ # Allow the user shell to signal the gpg-agent program. -+ allow $2 gpg_agent_t:process { signal sigkill }; -+ -+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) -+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) -+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) -+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) -+ -+ # Transition from the user domain to the agent domain. -+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) -+ -+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) -+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) -+ -+ allow gpg_pinentry_t $2:fifo_file { read write }; - - optional_policy(` - gpg_pinentry_dbus_chat($2) - ') -+ -+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; -+ ifdef(`hide_broken_symptoms',` -+ #Leaked File Descriptors -+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; -+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; -+ ') - ') - - ######################################## - ## --## Execute the gpg in the gpg domain. -+## Transition to a user gpg domain. - ## - ## - ## -@@ -65,13 +83,12 @@ interface(`gpg_domtrans',` - type gpg_t, gpg_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, gpg_exec_t, gpg_t) - ') - --######################################## -+###################################### - ## --## Execute the gpg in the caller domain. -+## Execute gpg in the caller domain. - ## - ## - ## -@@ -88,76 +105,46 @@ interface(`gpg_exec',` - can_exec($1, gpg_exec_t) - ') - --######################################## --## --## Execute gpg in a specified domain. --## --## --##

    --## Execute gpg in a specified domain. --##

    --##

    --## No interprocess communication (signals, pipes, --## etc.) is provided by this interface since --## the domains are not owned by this module. --##

    --##
    --## --## --## Domain allowed to transition. --## --## --## --## --## Domain to transition to. --## --## --# --interface(`gpg_spec_domtrans',` -- gen_require(` -- type gpg_exec_t; -- ') -- -- corecmd_search_bin($1) -- domain_auto_trans($1, gpg_exec_t, $2) --') -- - ###################################### - ## --## Execute gpg in the gpg web domain. (Deprecated) -+## Transition to a gpg web domain. - ## - ## --## --## Domain allowed to transition. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`gpg_domtrans_web',` -- refpolicywarn(`$0($*) has been deprecated.') -+ gen_require(` -+ type gpg_web_t, gpg_exec_t; -+ ') -+ -+ domtrans_pattern($1, gpg_exec_t, gpg_web_t) - ') - - ###################################### - ## --## Make gpg executable files an --## entrypoint for the specified domain. -+## Make gpg an entrypoint for -+## the specified domain. - ## - ## --## --## The domain for which gpg_exec_t is an entrypoint. --## -+## -+## The domain for which cifs_t is an entrypoint. -+## - ## - # - interface(`gpg_entry_type',` -- gen_require(` -- type gpg_exec_t; -- ') -+ gen_require(` -+ type gpg_exec_t; -+ ') - -- domain_entry_file($1, gpg_exec_t) -+ domain_entry_file($1, gpg_exec_t) - ') - - ######################################## - ## --## Send generic signals to gpg. -+## Send generic signals to user gpg processes. - ## - ## - ## -@@ -175,7 +162,7 @@ interface(`gpg_signal',` - - ######################################## - ## --## Read and write gpg agent pipes. -+## Read and write GPG agent pipes. - ## - ## - ## -@@ -184,6 +171,7 @@ interface(`gpg_signal',` - ## - # - interface(`gpg_rw_agent_pipes',` -+ # Just wants read/write could this be a leak? - gen_require(` - type gpg_agent_t; - ') -@@ -193,8 +181,8 @@ interface(`gpg_rw_agent_pipes',` - - ######################################## - ## --## Send messages to and from gpg --## pinentry over DBUS. -+## Send messages to and from GPG -+## Pinentry over DBUS. 
- ## - ## - ## -@@ -214,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',` - - ######################################## - ## --## List gpg user secrets. -+## List Gnu Privacy Guard user secrets. - ## - ## - ## -@@ -230,3 +218,39 @@ interface(`gpg_list_user_secrets',` - list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) - userdom_search_user_home_dirs($1) - ') -+########################### -+## -+## Allow to manage gpg named home content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gpg_manage_home_content',` -+ gen_require(` -+ type gpg_secret_t; -+ ') -+ -+ manage_files_pattern($1, gpg_secret_t, gpg_secret_t) -+ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t) -+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") -+') -+######################################## -+## -+## Transition to gpg named home content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gpg_filetrans_home_content',` -+ gen_require(` -+ type gpg_secret_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") -+') -diff --git a/gpg.te b/gpg.te -index 44cf341..8aa9dd9 100644 ---- a/gpg.te -+++ b/gpg.te -@@ -1,47 +1,47 @@ --policy_module(gpg, 2.7.3) -+policy_module(gpg, 2.6.0) - - ######################################## - # - # Declarations - # -+attribute gpgdomain; - - ## --##

    --## Determine whether GPG agent can manage --## generic user home content files. This is --## required by the --write-env-file option. --##

    -+##

    -+## Allow usage of the gpg-agent --write-env-file option. -+## This also allows gpg-agent to manage user files. -+##

    - ##
    - gen_tunable(gpg_agent_env_file, false) - --attribute_role gpg_roles; --roleattribute system_r gpg_roles; -- --attribute_role gpg_agent_roles; -- --attribute_role gpg_helper_roles; --roleattribute system_r gpg_helper_roles; -- --attribute_role gpg_pinentry_roles; -+## -+##

    -+## Allow gpg web domain to modify public files -+## used for public file transfer services. -+##

    -+##
    -+gen_tunable(gpg_web_anon_write, false) - --type gpg_t; -+type gpg_t, gpgdomain; - type gpg_exec_t; - typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; - typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; --userdom_user_application_domain(gpg_t, gpg_exec_t) --role gpg_roles types gpg_t; -+application_domain(gpg_t, gpg_exec_t) -+ubac_constrained(gpg_t) -+role system_r types gpg_t; - - type gpg_agent_t; - type gpg_agent_exec_t; - typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; - typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; --userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) --role gpg_agent_roles types gpg_agent_t; -+application_domain(gpg_agent_t, gpg_agent_exec_t) -+ubac_constrained(gpg_agent_t) - - type gpg_agent_tmp_t; - typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; - typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; --userdom_user_tmp_file(gpg_agent_tmp_t) -+files_tmp_file(gpg_agent_tmp_t) -+ubac_constrained(gpg_agent_tmp_t) - - type gpg_secret_t; - typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -@@ -52,112 +52,116 @@ type gpg_helper_t; - type gpg_helper_exec_t; - typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; - typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; --userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t) --role gpg_helper_roles types gpg_helper_t; -+application_domain(gpg_helper_t, gpg_helper_exec_t) -+ubac_constrained(gpg_helper_t) -+role system_r types gpg_helper_t; - - type gpg_pinentry_t; - type pinentry_exec_t; - typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; - typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; 
--userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t) --role gpg_pinentry_roles types gpg_pinentry_t; -+application_domain(gpg_pinentry_t, pinentry_exec_t) -+ubac_constrained(gpg_pinentry_t) - - type gpg_pinentry_tmp_t; --userdom_user_tmp_file(gpg_pinentry_tmp_t) -+files_tmp_file(gpg_pinentry_tmp_t) -+ubac_constrained(gpg_pinentry_tmp_t) - - type gpg_pinentry_tmpfs_t; --userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) -+files_tmpfs_file(gpg_pinentry_tmpfs_t) -+ubac_constrained(gpg_pinentry_tmpfs_t) - --optional_policy(` -- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) --') -+type gpg_web_t; -+domain_type(gpg_web_t) -+gpg_entry_type(gpg_web_t) -+role system_r types gpg_web_t; - - ######################################## - # --# Local policy -+# GPG local policy - # - --allow gpg_t self:capability { ipc_lock setuid }; --allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid }; --dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; --allow gpg_t self:fifo_file rw_fifo_file_perms; --allow gpg_t self:tcp_socket { accept listen }; -+allow gpgdomain self:capability { ipc_lock setuid }; -+allow gpgdomain self:process { getsched setsched }; -+#at setrlimit is for ulimit -c 0 -+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; -+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms; -+ -+allow gpgdomain self:fifo_file rw_fifo_file_perms; -+allow gpgdomain self:tcp_socket create_stream_socket_perms; - - manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) - files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) - --manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -+ -+allow gpg_t gpg_secret_t:dir create_dir_perms; - manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) - manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) - manage_lnk_files_pattern(gpg_t, gpg_secret_t, 
gpg_secret_t) --userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) -- --stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) -- --domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) --domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) -+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") - - kernel_read_sysctl(gpg_t) -+kernel_read_system_state(gpg_t) -+kernel_getattr_core_if(gpg_t) - - corecmd_exec_shell(gpg_t) - corecmd_exec_bin(gpg_t) - --corenet_all_recvfrom_unlabeled(gpg_t) - corenet_all_recvfrom_netlabel(gpg_t) - corenet_tcp_sendrecv_generic_if(gpg_t) -+corenet_udp_sendrecv_generic_if(gpg_t) - corenet_tcp_sendrecv_generic_node(gpg_t) -- --corenet_sendrecv_all_client_packets(gpg_t) --corenet_tcp_connect_all_ports(gpg_t) -+corenet_udp_sendrecv_generic_node(gpg_t) - corenet_tcp_sendrecv_all_ports(gpg_t) -+corenet_udp_sendrecv_all_ports(gpg_t) -+corenet_tcp_connect_all_ports(gpg_t) -+corenet_sendrecv_all_client_packets(gpg_t) - --dev_read_generic_usb_dev(gpg_t) - dev_read_rand(gpg_t) - dev_read_urand(gpg_t) -- --files_read_usr_files(gpg_t) --files_dontaudit_search_var(gpg_t) -+dev_read_generic_usb_dev(gpg_t) -+dev_dontaudit_getattr_all(gpg_t) - - fs_getattr_xattr_fs(gpg_t) - fs_list_inotifyfs(gpg_t) - - domain_use_interactive_fds(gpg_t) - --auth_use_nsswitch(gpg_t) -+files_dontaudit_search_var(gpg_t) - --logging_send_syslog_msg(gpg_t) -+auth_use_nsswitch(gpg_t) - --miscfiles_read_localization(gpg_t) -+init_dontaudit_getattr_initctl(gpg_t) - --userdom_use_user_terminals(gpg_t) -+logging_send_syslog_msg(gpg_t) - --userdom_manage_user_tmp_files(gpg_t) -+userdom_use_inherited_user_terminals(gpg_t) -+# sign/encrypt user files -+userdom_manage_all_user_tmp_content(gpg_t) -+#userdom_manage_user_home_content(gpg_t) - userdom_manage_user_home_content_files(gpg_t) --userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) -+userdom_manage_user_home_content_dirs(gpg_t) -+userdom_filetrans_home_content(gpg_t) 
-+userdom_stream_connect(gpg_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gpg_t) -- fs_manage_nfs_files(gpg_t) --') -+mta_manage_config(gpg_t) -+mta_read_spool(gpg_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gpg_t) -- fs_manage_cifs_files(gpg_t) --') -+userdom_home_manager(gpg_t) - - optional_policy(` -- gnome_read_generic_home_content(gpg_t) -- gnome_stream_connect_all_gkeyringd(gpg_t) -+ gpm_dontaudit_getattr_gpmctl(gpg_t) - ') - - optional_policy(` -- mozilla_dontaudit_rw_user_home_files(gpg_t) -+ gnome_manage_config(gpg_t) -+ gnome_stream_connect_gkeyringd(gpg_t) - ') - - optional_policy(` -- mta_read_spool_files(gpg_t) -- mta_write_config(gpg_t) -+ mozilla_read_user_home_files(gpg_t) -+ mozilla_write_user_home_files(gpg_t) - ') - - optional_policy(` -@@ -165,37 +169,51 @@ optional_policy(` - ') - - optional_policy(` -- cron_system_entry(gpg_t, gpg_exec_t) -- cron_read_system_job_tmp_files(gpg_t) --') -- --optional_policy(` - xserver_use_xdm_fds(gpg_t) - xserver_rw_xdm_pipes(gpg_t) - ') - -+#optional_policy(` -+# cron_system_entry(gpg_t, gpg_exec_t) -+# cron_read_system_job_tmp_files(gpg_t) -+#') -+ - ######################################## - # --# Helper local policy -+# GPG helper local policy - # - -+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) -+ - allow gpg_helper_t self:process { getsched setsched }; -+ -+# for helper programs (which automatically fetch keys) -+# Note: this is only tested with the hkp interface. If you use eg the -+# mail interface you will likely need additional permissions. 
-+ - allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; -+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; -+allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; - --dontaudit gpg_helper_t gpg_secret_t:file read_file_perms; -+dontaudit gpg_helper_t gpg_secret_t:file read; - --corenet_all_recvfrom_unlabeled(gpg_helper_t) - corenet_all_recvfrom_netlabel(gpg_helper_t) - corenet_tcp_sendrecv_generic_if(gpg_helper_t) -+corenet_raw_sendrecv_generic_if(gpg_helper_t) -+corenet_udp_sendrecv_generic_if(gpg_helper_t) - corenet_tcp_sendrecv_generic_node(gpg_helper_t) -+corenet_udp_sendrecv_generic_node(gpg_helper_t) -+corenet_raw_sendrecv_generic_node(gpg_helper_t) - corenet_tcp_sendrecv_all_ports(gpg_helper_t) -- --corenet_sendrecv_all_client_packets(gpg_helper_t) -+corenet_udp_sendrecv_all_ports(gpg_helper_t) -+corenet_tcp_bind_generic_node(gpg_helper_t) -+corenet_udp_bind_generic_node(gpg_helper_t) - corenet_tcp_connect_all_ports(gpg_helper_t) - -+ - auth_use_nsswitch(gpg_helper_t) - --userdom_use_user_terminals(gpg_helper_t) -+userdom_use_inherited_user_terminals(gpg_helper_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',` - - ######################################## - # --# Agent local policy -+# GPG agent local policy - # -+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - -+# rlimit: gpg-agent wants to prevent coredumps - allow gpg_agent_t self:process setrlimit; --allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ; - allow gpg_agent_t self:fifo_file rw_fifo_file_perms; - -+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, 
gpg_secret_t) - manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - -+# Allow the gpg-agent to manage its tmp files (socket) - manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) - manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) - files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - --filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") -- --domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) -+# allow gpg to connect to the gpg agent -+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - --kernel_dontaudit_search_sysctl(gpg_agent_t) -+kernel_read_system_state(gpg_agent_t) - -+corecmd_read_bin_symlinks(gpg_agent_t) -+corecmd_search_bin(gpg_agent_t) - corecmd_exec_shell(gpg_agent_t) - - dev_read_rand(gpg_agent_t) -@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t) - - fs_dontaudit_list_inotifyfs(gpg_agent_t) - --miscfiles_read_localization(gpg_agent_t) - --userdom_use_user_terminals(gpg_agent_t) -+# Write to the user domain tty. 
-+userdom_use_inherited_user_terminals(gpg_agent_t) -+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - userdom_search_user_home_dirs(gpg_agent_t) -+userdom_filetrans_home_content(gpg_agent_t) - - ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_tmp_files(gpg_agent_t) -+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t) - ') - - tunable_policy(`gpg_agent_env_file',` -+ # write ~/.gpg-agent-info or a similar to the users home dir -+ # or subdir (gpg-agent --write-env-file option) -+ # - userdom_manage_user_home_content_dirs(gpg_agent_t) - userdom_manage_user_home_content_files(gpg_agent_t) -- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gpg_agent_t) -- fs_manage_nfs_files(gpg_agent_t) -- fs_manage_nfs_symlinks(gpg_agent_t) --') -+userdom_home_manager(gpg_agent_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gpg_agent_t) -- fs_manage_cifs_files(gpg_agent_t) -- fs_manage_cifs_symlinks(gpg_agent_t) -+optional_policy(` -+ gnome_manage_config(gpg_agent_t) - ') - - optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) - ') - -+optional_policy(` -+ pcscd_stream_connect(gpg_agent_t) -+') -+ - ############################## - # - # Pinentry local policy -@@ -277,8 +304,17 @@ optional_policy(` - - allow gpg_pinentry_t self:process { getcap getsched setsched signal }; - allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; -+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; - allow gpg_pinentry_t self:shm create_shm_perms; --allow gpg_pinentry_t self:tcp_socket { accept listen }; -+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; -+allow gpg_pinentry_t self:unix_dgram_socket sendto; -+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; -+ -+can_exec(gpg_pinentry_t, pinentry_exec_t) -+ -+# we need to allow 
gpg-agent to call pinentry so it can get the passphrase -+# from the user. -+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) - - manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) - manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) - fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) - --can_exec(gpg_pinentry_t, pinentry_exec_t) -- -+# read /proc/meminfo - kernel_read_system_state(gpg_pinentry_t) - - corecmd_exec_shell(gpg_pinentry_t) - corecmd_exec_bin(gpg_pinentry_t) - - corenet_all_recvfrom_netlabel(gpg_pinentry_t) --corenet_all_recvfrom_unlabeled(gpg_pinentry_t) -+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) -+corenet_tcp_bind_generic_node(gpg_pinentry_t) -+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) - corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) - corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) -+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) - - dev_read_urand(gpg_pinentry_t) - dev_read_rand(gpg_pinentry_t) - --domain_use_interactive_fds(gpg_pinentry_t) -- --files_read_usr_files(gpg_pinentry_t) -+# read /etc/X11/qtrc - - fs_dontaudit_list_inotifyfs(gpg_pinentry_t) -+fs_getattr_tmpfs(gpg_pinentry_t) - - auth_use_nsswitch(gpg_pinentry_t) - - logging_send_syslog_msg(gpg_pinentry_t) - - miscfiles_read_fonts(gpg_pinentry_t) --miscfiles_read_localization(gpg_pinentry_t) - -+# for .Xauthority -+userdom_read_user_home_content_files(gpg_pinentry_t) -+userdom_read_user_tmpfs_files(gpg_pinentry_t) -+# Bug: user pulseaudio files need open,read and unlink: -+allow gpg_pinentry_t user_tmpfs_t:file unlink; -+userdom_signull_unpriv_users(gpg_pinentry_t) - userdom_use_user_terminals(gpg_pinentry_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(gpg_pinentry_t) 
--') -+userdom_home_reader(gpg_pinentry_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(gpg_pinentry_t) -+optional_policy(` -+ gnome_read_home_config(gpg_pinentry_t) - ') - - optional_policy(` -- dbus_all_session_bus_client(gpg_pinentry_t) -+ dbus_session_bus_client(gpg_pinentry_t) - dbus_system_bus_client(gpg_pinentry_t) - ') - - optional_policy(` -- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) -+ gnome_write_generic_cache_files(gpg_pinentry_t) -+ gnome_read_generic_cache_files(gpg_pinentry_t) -+ gnome_read_gconf_home_files(gpg_pinentry_t) -+') -+ -+optional_policy(` -+ pulseaudio_exec(gpg_pinentry_t) -+ pulseaudio_rw_home_files(gpg_pinentry_t) -+ pulseaudio_setattr_home_dir(gpg_pinentry_t) -+ pulseaudio_stream_connect(gpg_pinentry_t) -+ pulseaudio_signull(gpg_pinentry_t) - ') - - optional_policy(` - xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) -+ -+') -+ -+############################# -+# -+# gpg web local policy -+# -+ -+allow gpg_web_t self:process setrlimit; -+ -+dev_read_rand(gpg_web_t) -+dev_read_urand(gpg_web_t) -+ -+can_exec(gpg_web_t, gpg_exec_t) -+ -+ -+ -+apache_dontaudit_rw_tmp_files(gpg_web_t) -+apache_manage_sys_content_rw(gpg_web_t) -+ -+tunable_policy(`gpg_web_anon_write',` -+ miscfiles_manage_public_files(gpg_web_t) - ') -diff --git a/gpm.te b/gpm.te -index 3226f52..68b2eb8 100644 ---- a/gpm.te -+++ b/gpm.te -@@ -13,7 +13,7 @@ type gpm_initrc_exec_t; - init_script_file(gpm_initrc_exec_t) - - type gpm_conf_t; --files_type(gpm_conf_t) -+files_config_file(gpm_conf_t) - - type gpm_tmp_t; - files_tmp_file(gpm_tmp_t) -@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t) - dev_rw_input_dev(gpm_t) - dev_rw_mouse(gpm_t) - --files_read_etc_files(gpm_t) - - fs_getattr_all_fs(gpm_t) - fs_search_auto_mountpoints(gpm_t) -@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t) - - logging_send_syslog_msg(gpm_t) - --miscfiles_read_localization(gpm_t) -- --userdom_use_user_terminals(gpm_t) - 
userdom_dontaudit_use_unpriv_user_fds(gpm_t) - userdom_dontaudit_search_user_home_dirs(gpm_t) -+userdom_use_inherited_user_terminals(gpm_t) - - optional_policy(` - seutil_sigchld_newrole(gpm_t) -diff --git a/gpsd.te b/gpsd.te -index 25f09ae..3085534 100644 ---- a/gpsd.te -+++ b/gpsd.te -@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t) - # - - allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; --dontaudit gpsd_t self:capability { dac_read_search dac_override }; -+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override }; - allow gpsd_t self:process { setsched signal_perms }; - allow gpsd_t self:shm create_shm_perms; - allow gpsd_t self:unix_dgram_socket sendto; - allow gpsd_t self:tcp_socket { accept listen }; -+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) - manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t) - - term_use_unallocated_ttys(gpsd_t) - term_setattr_unallocated_ttys(gpsd_t) -+term_use_usb_ttys(gpsd_t) -+term_setattr_usb_ttys(gpsd_t) - - auth_use_nsswitch(gpsd_t) - - logging_send_syslog_msg(gpsd_t) - --miscfiles_read_localization(gpsd_t) -- - optional_policy(` - chronyd_rw_shm(gpsd_t) - chronyd_stream_connect(gpsd_t) -diff --git a/gssproxy.fc b/gssproxy.fc -new file mode 100644 -index 0000000..f4659d1 ---- /dev/null -+++ b/gssproxy.fc -@@ -0,0 +1,8 @@ -+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0) -+ -+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) -+ -+/var/lib/gssproxy(/.*)? 
gen_context(system_u:object_r:gssproxy_var_lib_t,s0) -+ -+/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) -+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) -diff --git a/gssproxy.if b/gssproxy.if -new file mode 100644 -index 0000000..3ce0ac0 ---- /dev/null -+++ b/gssproxy.if -@@ -0,0 +1,198 @@ -+ -+## policy for gssproxy -+ -+######################################## -+## -+## Execute TEMPLATE in the gssproxy domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gssproxy_domtrans',` -+ gen_require(` -+ type gssproxy_t, gssproxy_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) -+') -+ -+######################################## -+## -+## Search gssproxy lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gssproxy_search_lib',` -+ gen_require(` -+ type gssproxy_var_lib_t; -+ ') -+ -+ allow $1 gssproxy_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read gssproxy lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gssproxy_read_lib_files',` -+ gen_require(` -+ type gssproxy_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) -+') -+ -+######################################## -+## -+## Manage gssproxy lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gssproxy_manage_lib_files',` -+ gen_require(` -+ type gssproxy_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) -+') -+ -+######################################## -+## -+## Manage gssproxy lib directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gssproxy_manage_lib_dirs',` -+ gen_require(` -+ type gssproxy_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) -+') -+ -+######################################## -+## -+## Read gssproxy PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gssproxy_read_pid_files',` -+ gen_require(` -+ type gssproxy_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t) -+') -+ -+######################################## -+## -+## Execute gssproxy server in the gssproxy domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gssproxy_systemctl',` -+ gen_require(` -+ type gssproxy_t; -+ type gssproxy_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 gssproxy_unit_file_t:file read_file_perms; -+ allow $1 gssproxy_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, gssproxy_t) -+') -+ -+######################################## -+## -+## Connect to gssproxy over an unix -+## domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gssproxy_stream_connect',` -+ gen_require(` -+ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t) -+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an gssproxy environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`gssproxy_admin',` -+ gen_require(` -+ type gssproxy_t; -+ type gssproxy_var_lib_t; -+ type gssproxy_var_run_t; -+ type gssproxy_unit_file_t; -+ ') -+ -+ allow $1 gssproxy_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, gssproxy_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, gssproxy_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, gssproxy_var_run_t) -+ -+ gssproxy_systemctl($1) -+ admin_pattern($1, gssproxy_unit_file_t) -+ allow $1 gssproxy_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/gssproxy.te b/gssproxy.te -new file mode 100644 -index 0000000..5044e7b ---- /dev/null -+++ b/gssproxy.te -@@ -0,0 +1,66 @@ -+policy_module(gssproxy, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type gssproxy_t; -+type gssproxy_exec_t; -+init_daemon_domain(gssproxy_t, gssproxy_exec_t) -+ -+type gssproxy_var_lib_t; -+files_type(gssproxy_var_lib_t) -+ -+type gssproxy_var_run_t; -+files_pid_file(gssproxy_var_run_t) -+ -+type gssproxy_unit_file_t; -+systemd_unit_file(gssproxy_unit_file_t) -+ -+######################################## -+# -+# gssproxy local policy -+# -+allow gssproxy_t self:capability2 block_suspend; -+allow gssproxy_t self:fifo_file rw_fifo_file_perms; -+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) -+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) -+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) -+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) -+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) -+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) 
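Review bot: `gssproxy_admin` grants `allow $1 gssproxy_t:process { ptrace signal_perms };` unconditionally, while the other admin interfaces touched by this same patch (hddtemp, hypervkvp, icecast, inn) move ptrace under the `deny_ptrace` tunable; a new module should follow that convention, i.e. `allow $1 gssproxy_t:process signal_perms;` followed by `tunable_policy(\`deny_ptrace',\`',\` allow $1 gssproxy_t:process ptrace; ')`. Separately, `gssproxy_stream_connect` connects to sockets labelled `gssproxy_var_lib_t` but only calls `files_search_pids($1)`, so a caller reaching the /var/lib socket will be denied `search` on /var/lib unless it already has it; add `files_search_var_lib($1)`. The summaries also carry template leftovers: `gssproxy_domtrans` reads "Execute TEMPLATE in the gssproxy domin", and `gssproxy_systemctl` is described as "Execute gssproxy server in the gssproxy domain" although it grants systemctl control of the unit, so `## Execute gssproxy in the gssproxy domain.` and `## Allow $1 to start, stop and status the gssproxy service via systemctl.` would describe what the code does.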
-+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) -+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) -+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file }) -+ -+kernel_rw_rpc_sysctls(gssproxy_t) -+ -+domain_use_interactive_fds(gssproxy_t) -+ -+files_read_etc_files(gssproxy_t) -+ -+auth_use_nsswitch(gssproxy_t) -+ -+dev_read_urand(gssproxy_t) -+ -+logging_send_syslog_msg(gssproxy_t) -+ -+miscfiles_read_localization(gssproxy_t) -+ -+userdom_manage_user_tmp_dirs(gssproxy_t) -+userdom_manage_user_tmp_files(gssproxy_t) -+ -+optional_policy(` -+ kerberos_use(gssproxy_t) -+ kerberos_filetrans_named_content(gssproxy_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(gssproxy, gssproxy_t) -+ kerberos_manage_host_rcache(gssproxy_t) -+') -diff --git a/guest.te b/guest.te -index d928711..93d2d83 100644 ---- a/guest.te -+++ b/guest.te -@@ -20,4 +20,4 @@ optional_policy(` - apache_role(guest_r, guest_t) - ') - --#gen_user(guest_u, user, guest_r, s0, s0) -+gen_user(guest_u, user, guest_r, s0, s0) -diff --git a/hadoop.te b/hadoop.te -index e62bcb7..f44ad99 100644 ---- a/hadoop.te -+++ b/hadoop.te -@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t) - domain_use_interactive_fds(hadoop_t) - - files_dontaudit_search_spool(hadoop_t) --files_read_usr_files(hadoop_t) - - fs_getattr_xattr_fs(hadoop_t) - -@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain) - corecmd_exec_bin(hadoop_initrc_domain) - corecmd_exec_shell(hadoop_initrc_domain) - --files_read_etc_files(hadoop_initrc_domain) --files_read_usr_files(hadoop_initrc_domain) - files_search_locks(hadoop_initrc_domain) - files_search_pids(hadoop_initrc_domain) - -@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t) - - domain_use_interactive_fds(zookeeper_t) - --files_read_usr_files(zookeeper_t) - - auth_use_nsswitch(zookeeper_t) - -@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t) - dev_read_sysfs(zookeeper_server_t) - 
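Review bot: `userdom_manage_user_tmp_dirs(gssproxy_t)` and `userdom_manage_user_tmp_files(gssproxy_t)` give a root system daemon create/write/delete over every user's /tmp content, which is broad for a service whose own state is confined to `gssproxy_var_lib_t` and `gssproxy_var_run_t`; if this is for Kerberos credential caches in /tmp (the module already uses `kerberos_use` and `kerberos_manage_host_rcache`), say so in a comment and prefer the narrowest kerberos interface that covers the ccache type rather than all user tmp files. At minimum annotate the grant, e.g. `# gssproxy impersonates users and rewrites their /tmp credential caches -- TODO confirm ccache type`. The two `optional_policy` blocks both depend only on the kerberos module and can be merged into one.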
dev_read_urand(zookeeper_server_t) - --files_read_usr_files(zookeeper_server_t) - - fs_getattr_xattr_fs(zookeeper_server_t) - -diff --git a/hal.te b/hal.te -index 0801fe1..85b6f3e 100644 ---- a/hal.te -+++ b/hal.te -@@ -61,7 +61,6 @@ files_type(hald_var_lib_t) - # Common local policy - # - --files_read_usr_files(hald_domain) - - miscfiles_read_localization(hald_domain) - -@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) - - dev_rw_input_dev(hald_keymap_t) - --files_read_etc_files(hald_keymap_t) - - logging_search_logs(hald_keymap_t) - -diff --git a/hddtemp.if b/hddtemp.if -index 1728071..77e71ea 100644 ---- a/hddtemp.if -+++ b/hddtemp.if -@@ -60,9 +60,13 @@ interface(`hddtemp_admin',` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - -- allow $1 hddtemp_t:process { ptrace signal_perms }; -+ allow $1 hddtemp_t:process signal_perms; - ps_process_pattern($1, hddtemp_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 hddtemp_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; -diff --git a/hddtemp.te b/hddtemp.te -index 18d76bb..588c964 100644 ---- a/hddtemp.te -+++ b/hddtemp.te -@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen }; - - allow hddtemp_t hddtemp_etc_t:file read_file_perms; - --corenet_all_recvfrom_unlabeled(hddtemp_t) - corenet_all_recvfrom_netlabel(hddtemp_t) - corenet_tcp_sendrecv_generic_if(hddtemp_t) - corenet_tcp_sendrecv_generic_node(hddtemp_t) -@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) - corenet_sendrecv_hddtemp_server_packets(hddtemp_t) - corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) - --files_search_etc(hddtemp_t) --files_read_usr_files(hddtemp_t) -- - storage_raw_read_fixed_disk(hddtemp_t) - storage_raw_read_removable_device(hddtemp_t) - -@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t) - - logging_send_syslog_msg(hddtemp_t) - 
--miscfiles_read_localization(hddtemp_t) -diff --git a/howl.te b/howl.te -index e207823..4e0f8ba 100644 ---- a/howl.te -+++ b/howl.te -@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t) - kernel_list_proc(howl_t) - kernel_read_proc_symlinks(howl_t) - --corenet_all_recvfrom_unlabeled(howl_t) - corenet_all_recvfrom_netlabel(howl_t) - corenet_tcp_sendrecv_generic_if(howl_t) - corenet_udp_sendrecv_generic_if(howl_t) -@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t) - - logging_send_syslog_msg(howl_t) - --miscfiles_read_localization(howl_t) -- - userdom_dontaudit_use_unpriv_user_fds(howl_t) - userdom_dontaudit_search_user_home_dirs(howl_t) - -diff --git a/hypervkvp.fc b/hypervkvp.fc -new file mode 100644 -index 0000000..e2ae3b2 ---- /dev/null -+++ b/hypervkvp.fc -@@ -0,0 +1,10 @@ -+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) -+ -+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) -+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) -+ -+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) -+ -+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) -diff --git a/hypervkvp.if b/hypervkvp.if -new file mode 100644 -index 0000000..17c3627 ---- /dev/null -+++ b/hypervkvp.if -@@ -0,0 +1,111 @@ -+ -+## policy for hypervkvp -+ -+######################################## -+## -+## Execute TEMPLATE in the hypervkvp domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`hypervkvp_domtrans',` -+ gen_require(` -+ type hypervkvp_t, hypervkvp_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t) -+') -+ -+######################################## -+## -+## Search hypervkvp lib directories. -+## -+## -+## -+## Domain allowed access. 
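Review bot: hypervkvp.fc labels only the hypervvssd unit (`/usr/lib/systemd/system/hypervvssd.* -- hypervvssd_unit_file_t`), yet hypervkvp.te declares `hypervkvp_unit_file_t` and `hypervkvp_admin` in hypervkvp.if grants `admin_pattern($1, hypervkvp_unit_file_t)` and `all_service_perms` on it; with no file context, no unit will ever carry that type and the admin rules are dead. Add `/usr/lib/systemd/system/hypervkvpd.* -- gen_context(system_u:object_r:hypervkvp_unit_file_t,s0)` (or whichever unit name the package ships, which I cannot confirm from here) next to the hypervvssd entry.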
-+## -+## -+# -+interface(`hypervkvp_search_lib',` -+ gen_require(` -+ type hypervkvp_var_lib_t; -+ ') -+ -+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read hypervkvp lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hypervkvp_read_lib_files',` -+ gen_require(` -+ type hypervkvp_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## hypervkvp lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hypervkvp_manage_lib_files',` -+ gen_require(` -+ type hypervkvp_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an hypervkvp environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`hypervkvp_admin',` -+ gen_require(` -+ type hypervkvp_t; -+ type hypervkvp_unit_file_t; -+ ') -+ -+ allow $1 hypervkvp_t:process signal_perms; -+ ps_process_pattern($1, hypervkvp_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 hypervkvp_t:process ptrace; -+ ') -+ -+ hypervkvp_manage_lib_files($1) -+ -+ hypervkvp_systemctl($1) -+ admin_pattern($1, hypervkvp_unit_file_t) -+ allow $1 hypervkvp_unit_file_t:service all_service_perms; -+') -diff --git a/hypervkvp.te b/hypervkvp.te -new file mode 100644 -index 0000000..d2ad022 ---- /dev/null -+++ b/hypervkvp.te -@@ -0,0 +1,59 @@ -+policy_module(hypervkvp, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+attribute hyperv_domain; -+ -+type hypervkvp_t, hyperv_domain; -+type hypervkvp_exec_t; -+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t) -+ -+type hypervkvp_initrc_exec_t; -+init_script_file(hypervkvp_initrc_exec_t) -+ -+type hypervkvp_unit_file_t; -+systemd_unit_file(hypervkvp_unit_file_t) -+ -+type hypervkvp_var_lib_t; -+files_type(hypervkvp_var_lib_t) -+ -+type hypervvssd_t, hyperv_domain; -+type hypervvssd_exec_t; -+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t) -+ -+type hypervvssd_unit_file_t; -+systemd_unit_file(hypervvssd_unit_file_t) -+ -+######################################## -+# -+# hyperv domain local policy -+# -+ -+allow hyperv_domain self:capability net_admin; -+allow hyperv_domain self:netlink_socket create_socket_perms; -+ -+allow hyperv_domain self:fifo_file rw_fifo_file_perms; -+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; -+ -+######################################## -+# -+# hypervkvp local policy -+# -+ -+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) -+ -+logging_send_syslog_msg(hypervkvp_t) -+ 
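Review bot: `hypervkvp_admin` calls `hypervkvp_systemctl($1)` but no interface of that name is defined in this file (the new hypervkvp.if only defines domtrans, search_lib, read_lib_files, manage_lib_files and admin), so m4 leaves the call unexpanded and the module fails to build as soon as anything invokes `hypervkvp_admin`. Add the interface, mirroring `gssproxy_systemctl` in this same patch, and gate ptrace as the rest of the interface already does. The `hypervkvp_domtrans` summary also still says "Execute TEMPLATE in the hypervkvp domin"; replace with `## Execute hypervkvpd in the hypervkvp domain.`
```m4
########################################
## <summary>
##	Allow $1 to start, stop and status the hypervkvp service via systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hypervkvp_systemctl',`
	gen_require(`
		type hypervkvp_t;
		type hypervkvp_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 hypervkvp_unit_file_t:file read_file_perms;
	allow $1 hypervkvp_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, hypervkvp_t)
')
```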
-+sysnet_dns_name_resolve(hypervkvp_t) -+ -+######################################## -+# -+# hypervvssd local policy -+# -+ -+logging_send_syslog_msg(hypervvssd_t) -diff --git a/i18n_input.te b/i18n_input.te -index 3bed8fa..a738d7f 100644 ---- a/i18n_input.te -+++ b/i18n_input.te -@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) - kernel_read_kernel_sysctls(i18n_input_t) - kernel_read_system_state(i18n_input_t) - --corenet_all_recvfrom_unlabeled(i18n_input_t) - corenet_all_recvfrom_netlabel(i18n_input_t) - corenet_tcp_sendrecv_generic_if(i18n_input_t) - corenet_tcp_sendrecv_generic_node(i18n_input_t) -@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t) - fs_search_auto_mountpoints(i18n_input_t) - - files_read_etc_runtime_files(i18n_input_t) --files_read_usr_files(i18n_input_t) - - auth_use_nsswitch(i18n_input_t) - -@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t) - - logging_send_syslog_msg(i18n_input_t) - --miscfiles_read_localization(i18n_input_t) -- - userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) - userdom_read_user_home_content_files(i18n_input_t) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(i18n_input_t) -- fs_read_nfs_symlinks(i18n_input_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(i18n_input_t) -- fs_read_cifs_symlinks(i18n_input_t) --') -+userdom_home_reader(i18n_input_t) - - optional_policy(` - canna_stream_connect(i18n_input_t) -diff --git a/icecast.if b/icecast.if -index 580b533..c267cea 100644 ---- a/icecast.if -+++ b/icecast.if -@@ -176,6 +176,14 @@ interface(`icecast_admin',` - type icecast_var_run_t; - ') - -+ allow $1 icecast_t:process signal_perms; -+ ps_process_pattern($1, icecast_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 icecast_t:process ptrace; -+ ') -+ -+ # Allow icecast_t to restart the apache service - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; -diff --git a/icecast.te b/icecast.te 
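Review bot: `allow hyperv_domain self:capability net_admin;` and the netlink socket rule are placed on the shared `hyperv_domain` attribute, so `hypervvssd_t` inherits CAP_NET_ADMIN even though the only rule the visible policy gives it is `logging_send_syslog_msg(hypervvssd_t)`. If only the KVP daemon exchanges network configuration with the host, scope the grant to it: `allow hypervkvp_t self:capability net_admin;` and `allow hypervkvp_t self:netlink_socket create_socket_perms;`, leaving the fifo/unix-stream rules on the attribute. A one-line comment stating why net_admin is needed (presumably to query/set interface addresses for the host KVP exchange -- TODO confirm) would also help the next reviewer.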
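Review bot: the comment added in `icecast_admin`, `# Allow icecast_t to restart the apache service`, describes neither subject nor object of the rule it precedes: `icecast_initrc_domtrans($1)` lets the admin domain `$1` run the icecast init script, and apache is not referenced anywhere in the hunk. Replace it with `# Allow the admin domain ($1) to run the icecast init script`, or drop it, so the ptrace/tunable block above it is not read as apache-related.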
-index ac6f9d5..6097225 100644 ---- a/icecast.te -+++ b/icecast.te -@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t) - dev_read_urand(icecast_t) - dev_read_rand(icecast_t) - --domain_use_interactive_fds(icecast_t) -- - auth_use_nsswitch(icecast_t) - --miscfiles_read_localization(icecast_t) -- - tunable_policy(`icecast_use_any_tcp_ports',` - corenet_tcp_connect_all_ports(icecast_t) - corenet_sendrecv_all_client_packets(icecast_t) -diff --git a/ifplugd.if b/ifplugd.if -index 8999899..96909ae 100644 ---- a/ifplugd.if -+++ b/ifplugd.if -@@ -119,7 +119,7 @@ interface(`ifplugd_admin',` - type ifplugd_initrc_exec_t; - ') - -- allow $1 ifplugd_t:process { ptrace signal_perms }; -+ allow $1 ifplugd_t:process signal_perms; - ps_process_pattern($1, ifplugd_t) - - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) -diff --git a/ifplugd.te b/ifplugd.te -index 6910e49..c4a9fcb 100644 ---- a/ifplugd.te -+++ b/ifplugd.te -@@ -10,7 +10,7 @@ type ifplugd_exec_t; - init_daemon_domain(ifplugd_t, ifplugd_exec_t) - - type ifplugd_etc_t; --files_type(ifplugd_etc_t) -+files_config_file(ifplugd_etc_t) - - type ifplugd_initrc_exec_t; - init_script_file(ifplugd_initrc_exec_t) -@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t) - dev_read_sysfs(ifplugd_t) - - domain_read_confined_domains_state(ifplugd_t) --domain_dontaudit_read_all_domains_state(ifplugd_t) - - auth_use_nsswitch(ifplugd_t) - - logging_send_syslog_msg(ifplugd_t) - --miscfiles_read_localization(ifplugd_t) -- - netutils_domtrans(ifplugd_t) - - sysnet_domtrans_ifconfig(ifplugd_t) -diff --git a/imaze.te b/imaze.te -index 05387d1..08a489c 100644 ---- a/imaze.te -+++ b/imaze.te -@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t) - kernel_read_kernel_sysctls(imazesrv_t) - kernel_read_proc_symlinks(imazesrv_t) - --corenet_all_recvfrom_unlabeled(imazesrv_t) - corenet_all_recvfrom_netlabel(imazesrv_t) - corenet_tcp_sendrecv_generic_if(imazesrv_t) - corenet_udp_sendrecv_generic_if(imazesrv_t) -@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t) - 
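Review bot: `ifplugd_admin` drops ptrace outright (`allow $1 ifplugd_t:process signal_perms;`) whereas the other admin interfaces changed by this patch (hddtemp, hypervkvp, icecast, inn) keep it behind the `deny_ptrace` tunable; unless ptrace of ifplugd_t is deliberately being withdrawn from administrators, add `tunable_policy(\`deny_ptrace',\`',\` allow $1 ifplugd_t:process ptrace; ')` after the `ps_process_pattern` line for consistency. If the removal is intentional, a short comment saying so would stop it being "fixed" back later.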
- logging_send_syslog_msg(imazesrv_t) - --miscfiles_read_localization(imazesrv_t) -- - userdom_use_unpriv_users_fds(imazesrv_t) - userdom_dontaudit_search_user_home_dirs(imazesrv_t) - -diff --git a/inetd.if b/inetd.if -index fbb54e7..05c3777 100644 ---- a/inetd.if -+++ b/inetd.if -@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` - - domtrans_pattern(inetd_t, $2, $1) - allow inetd_t $1:process { siginh sigkill }; -+ -+ init_domain($1, $2) -+ -+ optional_policy(` -+ abrt_stream_connect($1) -+ ') - ') - - ######################################## -diff --git a/inetd.te b/inetd.te -index 1a5ed62..420305b 100644 ---- a/inetd.te -+++ b/inetd.te -@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` - # Local policy - # - --allow inetd_t self:capability { setuid setgid sys_resource }; -+allow inetd_t self:capability { setuid setgid }; - dontaudit inetd_t self:capability sys_tty_config; --allow inetd_t self:process { setsched setexec setrlimit }; -+allow inetd_t self:process { setsched setexec }; - allow inetd_t self:fifo_file rw_fifo_file_perms; - allow inetd_t self:tcp_socket { accept listen }; - allow inetd_t self:fd use; -@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) - kernel_tcp_recvfrom_unlabeled(inetd_t) - - corecmd_bin_domtrans(inetd_t, inetd_child_t) -+corecmd_exec_shell(inetd_t) - - corenet_all_recvfrom_unlabeled(inetd_t) - corenet_all_recvfrom_netlabel(inetd_t) -@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) - corenet_tcp_bind_inetd_child_port(inetd_t) - corenet_udp_bind_inetd_child_port(inetd_t) - -+corenet_tcp_bind_echo_port(inetd_t) -+corenet_udp_bind_echo_port(inetd_t) -+corenet_tcp_bind_time_port(inetd_t) -+corenet_udp_bind_time_port(inetd_t) -+ - corenet_sendrecv_ircd_server_packets(inetd_t) - corenet_tcp_bind_ircd_port(inetd_t) - -@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t) - - logging_send_syslog_msg(inetd_t) - --miscfiles_read_localization(inetd_t) -- - mls_fd_share_all_levels(inetd_t) - mls_socket_read_to_clearance(inetd_t) 
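Review bot: `corecmd_exec_shell(inetd_t)` lets inetd run a shell in its own domain, and that domain keeps `setuid setgid` capabilities and `setexec` (visible in the hunk just above), whereas executables in bin_t are transitioned to `inetd_child_t` via `corecmd_bin_domtrans(inetd_t, inetd_child_t)` on the line before it; any inetd.conf entry whose program is a shell therefore stays fully in `inetd_t` rather than being confined as a child. If the need is to run shell-script services, `corecmd_shell_domtrans(inetd_t, inetd_child_t)` would keep the existing confinement model; if inetd itself genuinely needs an in-domain shell, add a comment naming the code path that requires it. I cannot confirm from the hunk which case applies.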
- mls_socket_write_to_clearance(inetd_t) -@@ -188,7 +192,7 @@ optional_policy(` - ') - - optional_policy(` -- tftp_read_config_files(inetd_t) -+ tftp_read_config(inetd_t) - ') - - optional_policy(` -@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t) - kernel_read_network_state(inetd_child_t) - kernel_read_system_state(inetd_child_t) - -+corenet_all_recvfrom_netlabel(inetd_child_t) -+corenet_tcp_sendrecv_generic_if(inetd_child_t) -+corenet_udp_sendrecv_generic_if(inetd_child_t) -+corenet_tcp_sendrecv_generic_node(inetd_child_t) -+corenet_udp_sendrecv_generic_node(inetd_child_t) -+corenet_tcp_sendrecv_all_ports(inetd_child_t) -+corenet_udp_sendrecv_all_ports(inetd_child_t) -+ - dev_read_urand(inetd_child_t) - - fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t) - - logging_send_syslog_msg(inetd_child_t) - --miscfiles_read_localization(inetd_child_t) -+sysnet_read_config(inetd_child_t) -+ -+optional_policy(` -+ kerberos_use(inetd_child_t) -+') - - optional_policy(` - unconfined_domain(inetd_child_t) -diff --git a/inn.if b/inn.if -index eb87f23..d3d32c3 100644 ---- a/inn.if -+++ b/inn.if -@@ -124,6 +124,7 @@ interface(`inn_read_config',` - type innd_etc_t; - ') - -+ files_search_etc($1) - allow $1 innd_etc_t:dir list_dir_perms; - allow $1 innd_etc_t:file read_file_perms; - allow $1 innd_etc_t:lnk_file read_lnk_file_perms; -@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',` - type innd_var_lib_t; - ') - -+ files_search_var_lib($1) - allow $1 innd_var_lib_t:dir list_dir_perms; - allow $1 innd_var_lib_t:file read_file_perms; - ') - - ######################################## - ## -+## Write innd inherited news library content. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`inn_write_inherited_news_lib',` -+ gen_require(` -+ type innd_var_lib_t; -+ ') -+ -+ allow $1 innd_var_lib_t:file write_inherited_file_perms; -+') -+ -+######################################## -+## - ## Read innd news spool content. - ## - ## -@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',` - type news_spool_t; - ') - -+ files_search_spool($1) - allow $1 news_spool_t:dir list_dir_perms; - allow $1 news_spool_t:file read_file_perms; - allow $1 news_spool_t:lnk_file read_lnk_file_perms; -@@ -226,8 +247,15 @@ interface(`inn_domtrans',` - interface(`inn_admin',` - gen_require(` - type innd_t, innd_etc_t, innd_log_t; -- type news_spool_t, innd_var_lib_t; -- type innd_var_run_t, innd_initrc_exec_t; -+ type news_spool_t, innd_var_lib_t, innd_var_run_t; -+ type innd_initrc_exec_t; -+ ') -+ -+ allow $1 innd_t:process signal_perms; -+ ps_process_pattern($1, innd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 innd_t:process ptrace; - ') - - init_labeled_script_domtrans($1, innd_initrc_exec_t) -diff --git a/inn.te b/inn.te -index 5aab5d0..5967395 100644 ---- a/inn.te -+++ b/inn.te -@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) - - type news_spool_t; - files_mountpoint(news_spool_t) -+files_spool_file(news_spool_t) - - ######################################## - # -@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) - manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) - manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) - manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) --files_pid_filetrans(innd_t, innd_var_run_t, file) -+files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) - - manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) - manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t) - kernel_read_kernel_sysctls(innd_t) - kernel_read_system_state(innd_t) - --corenet_all_recvfrom_unlabeled(innd_t) - 
corenet_all_recvfrom_netlabel(innd_t) - corenet_tcp_sendrecv_generic_if(innd_t) - corenet_tcp_sendrecv_generic_node(innd_t) -@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t) - - files_list_spool(innd_t) - files_read_etc_runtime_files(innd_t) --files_read_usr_files(innd_t) - - auth_use_nsswitch(innd_t) - - logging_send_syslog_msg(innd_t) - --miscfiles_read_localization(innd_t) -- - seutil_dontaudit_search_config(innd_t) - - userdom_dontaudit_use_unpriv_user_fds(innd_t) - userdom_dontaudit_search_user_home_dirs(innd_t) -+userdom_dgram_send(innd_t) - - mta_send_mail(innd_t) - -diff --git a/iodine.fc b/iodine.fc -index ca07a87..6ea129c 100644 ---- a/iodine.fc -+++ b/iodine.fc -@@ -1,3 +1,5 @@ - /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) - -+/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0) -+ - /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) -diff --git a/iodine.if b/iodine.if -index a0bfbd0..47f7c75 100644 ---- a/iodine.if -+++ b/iodine.if -@@ -2,6 +2,30 @@ - - ######################################## - ## -+## Execute iodined server in the iodined domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`iodined_systemctl',` -+ gen_require(` -+ type iodined_t; -+ type iodined_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 iodined_unit_file_t:file read_file_perms; -+ allow $1 iodined_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, iodined_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an iodined environment - ## -diff --git a/iodine.te b/iodine.te -index 94ec5f8..8556c27 100644 ---- a/iodine.te -+++ b/iodine.te -@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) - type iodined_initrc_exec_t; - init_script_file(iodined_initrc_exec_t) - -+type iodined_unit_file_t; -+systemd_unit_file(iodined_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) - - corecmd_exec_shell(iodined_t) - --files_read_etc_files(iodined_t) - - logging_send_syslog_msg(iodined_t) - -diff --git a/irc.fc b/irc.fc -index 48e7739..c3285c2 100644 ---- a/irc.fc -+++ b/irc.fc -@@ -1,6 +1,6 @@ - HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) - HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) --HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) -+HOME_DIR/irclog(/.*)? 
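Review bot: the summary for `iodined_systemctl`, "Execute iodined server in the iodined domain", and its parameter text "Domain allowed to transition" describe a domain transition, but the interface grants `systemd_exec_systemctl`, `manage_service_perms` on `iodined_unit_file_t` and `ps_process_pattern`, with no domtrans at all; readers grepping for what lets a role manage the service will miss it. Use `## Allow $1 to start, stop and status the iodined service via systemctl.` and `## Domain allowed access.` Note the same copy-pasted summary appears on `gssproxy_systemctl` in this patch.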
gen_context(system_u:object_r:issi_home_t,s0) - - /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) - -diff --git a/irc.if b/irc.if -index ac00fb0..36ef2e5 100644 ---- a/irc.if -+++ b/irc.if -@@ -20,6 +20,7 @@ interface(`irc_role',` - attribute_role irc_roles; - type irc_t, irc_exec_t, irc_home_t; - type irc_tmp_t, irc_log_home_t; -+ type irssi_t, irssi_exec_t, irssi_home_t; - ') - - ######################################## -@@ -37,12 +38,42 @@ interface(`irc_role',` - domtrans_pattern($2, irc_exec_t, irc_t) - - ps_process_pattern($2, irc_t) -- allow $2 irc_t:process { ptrace signal_perms }; -- -- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi") -- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd") -- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs") -+ allow $2 irc_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 irc_t:process ptrace; -+ ') -+ -+ domtrans_pattern($2, irssi_exec_t, irssi_t) -+ -+ allow $2 irssi_t:process signal_perms; -+ ps_process_pattern($2, irssi_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 irssi_t:process ptrace; -+ ') -+ -+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms }; -+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms }; -+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -+ -+ irc_filetrans_home_content($2) -+') -+ -+####################################### -+## -+## Transition to alsa named content -+## -+## -+## -+## Domain allowed access. 
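Review bot: the new irc.fc line references `issi_home_t`, which is not a declared type (irc.te in this patch declares `irssi_home_t alias irc_log_home_t`), so setfiles/restorecon will reject the entry and the directory will never be labelled. The regex was also changed from `irclogs` to `irclog`, while both `irc_filetrans_home_content` and the old rule create the directory as `"irclogs"`; `HOME_DIR/irclog(/.*)?` does not match `irclogs`, so the file-context and the name-based transition disagree. The line should read `HOME_DIR/irclogs(/.*)?	gen_context(system_u:object_r:irssi_home_t,s0)`.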
-+## -+## -+# -+interface(`irc_filetrans_home_content',` -+ gen_require(` -+ type irc_home_t; -+ type irssi_home_t; -+ ') -+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd") -+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi") -+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") - ') -diff --git a/irc.te b/irc.te -index ecad9c7..e413e5a 100644 ---- a/irc.te -+++ b/irc.te -@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t - typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; - userdom_user_home_content(irc_home_t) - --type irc_log_home_t; --userdom_user_home_content(irc_log_home_t) -- - type irc_tmp_t; - typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; - typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; --userdom_user_tmp_file(irc_tmp_t) -+userdom_user_home_content(irc_tmp_t) -+ -+######################################## -+# -+# Irssi personal declarations. -+# -+ -+## -+##
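Review bot: the summary of the new `irc_filetrans_home_content` interface says "Transition to alsa named content", a copy-paste from another module; it actually sets up `.ircmotd`, `.irssi` and `irclogs` transitions in the user home directory. Replace with `## Create irc and irssi named content (.ircmotd, .irssi, irclogs) in user home directories with the correct labels.` Also, `irc_role` now requires `irssi_t, irssi_exec_t, irssi_home_t` and calls this interface, so the roles depend on the irssi declarations in irc.te being present in the same module, which holds for this patch but is worth a line in the interface header.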

    -+## Allow the Irssi IRC Client to connect to any port, -+## and to bind to any unreserved port. -+##

    -+##
    -+gen_tunable(irssi_use_full_network, false) -+ -+type irssi_t; -+type irssi_exec_t; -+application_domain(irssi_t, irssi_exec_t) -+ubac_constrained(irssi_t) -+role irc_roles types irssi_t; -+ -+type irssi_etc_t; -+files_config_file(irssi_etc_t) -+ -+type irssi_home_t alias irc_log_home_t; -+userdom_user_home_content(irssi_home_t) - - ######################################## - # -@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms; - manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) - manage_files_pattern(irc_t, irc_home_t, irc_home_t) - manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) --userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi") --userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd") -- --manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t) --create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) --append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) --userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs") -+irc_filetrans_home_content(irc_t) - - manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) - manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) - - kernel_read_system_state(irc_t) - --corenet_all_recvfrom_unlabeled(irc_t) - corenet_all_recvfrom_netlabel(irc_t) - corenet_tcp_sendrecv_generic_if(irc_t) - corenet_tcp_sendrecv_generic_node(irc_t) -@@ -93,7 +108,6 @@ dev_read_rand(irc_t) - - domain_use_interactive_fds(irc_t) - --files_read_usr_files(irc_t) - - fs_getattr_all_fs(irc_t) - fs_search_auto_mountpoints(irc_t) -@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t) - init_read_utmp(irc_t) - init_dontaudit_lock_utmp(irc_t) - --miscfiles_read_localization(irc_t) - - userdom_use_user_terminals(irc_t) - - userdom_manage_user_home_content_dirs(irc_t) - userdom_manage_user_home_content_files(irc_t) --userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) 
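Review bot: `irc_tmp_t` is switched from `userdom_user_tmp_file(irc_tmp_t)` to `userdom_user_home_content(irc_tmp_t)`, yet the type is still created under /tmp by `files_tmp_filetrans(irc_t, irc_tmp_t, ...)` (the function context of the `@@ -70,7 +86,6 @@` hunk). That makes every domain holding user-home-content interfaces able to manage irc's /tmp files and, as far as I can tell, removes it from the user tmp attribute that tmp handling relies on; if the intent was only to reuse `userdom_home_manager` for irc_t, keeping `userdom_user_tmp_file(irc_tmp_t)` is the smaller change. If the relabel is deliberate, add a comment above the line explaining why a /tmp type is treated as home content.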
-+userdom_filetrans_home_content(irc_t) -+ -+# Write to the user domain tty. -+userdom_use_inherited_user_terminals(irc_t) - - tunable_policy(`irc_use_any_tcp_ports',` -+ allow irc_t self:tcp_socket create_stream_socket_perms; - corenet_sendrecv_all_server_packets(irc_t) - corenet_tcp_bind_all_unreserved_ports(irc_t) - corenet_sendrecv_all_client_packets(irc_t) -@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',` - corenet_tcp_sendrecv_all_ports(irc_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(irc_t) -- fs_manage_nfs_files(irc_t) -- fs_manage_nfs_symlinks(irc_t) -+userdom_home_manager(irc_t) -+ -+optional_policy(` -+ nis_use_ypbind(irc_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(irc_t) -- fs_manage_cifs_files(irc_t) -- fs_manage_cifs_symlinks(irc_t) -+######################################## -+# -+# Irssi personal declarations. -+# -+ -+allow irssi_t self:process { signal sigkill }; -+allow irssi_t self:fifo_file rw_fifo_file_perms; -+allow irssi_t self:tcp_socket create_stream_socket_perms; -+ -+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) -+ -+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t) -+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t) -+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t) -+irc_filetrans_home_content(irssi_t) -+userdom_search_user_home_dirs(irssi_t) -+ -+kernel_read_system_state(irssi_t) -+ -+corecmd_search_bin(irssi_t) -+corecmd_read_bin_symlinks(irssi_t) -+ -+corenet_tcp_connect_ircd_port(irssi_t) -+corenet_tcp_sendrecv_ircd_port(irssi_t) -+corenet_sendrecv_ircd_client_packets(irssi_t) -+ -+# tcp:7000 is often used for SSL irc -+corenet_tcp_connect_gatekeeper_port(irssi_t) -+corenet_tcp_sendrecv_gatekeeper_port(irssi_t) -+corenet_sendrecv_gatekeeper_client_packets(irssi_t) -+ -+# Privoxy -+corenet_tcp_connect_http_cache_port(irssi_t) -+corenet_tcp_sendrecv_http_cache_port(irssi_t) -+corenet_sendrecv_http_cache_client_packets(irssi_t) -+ 
-+corenet_tcp_bind_generic_node(irssi_t) -+ -+dev_read_urand(irssi_t) -+# irssi-otr genkey. -+dev_read_rand(irssi_t) -+ -+ -+fs_search_auto_mountpoints(irssi_t) -+ -+auth_use_nsswitch(irssi_t) -+ -+ -+userdom_use_inherited_user_terminals(irssi_t) -+ -+tunable_policy(`irssi_use_full_network', ` -+ corenet_tcp_bind_all_unreserved_ports(irssi_t) -+ corenet_tcp_connect_all_ports(irssi_t) -+ corenet_sendrecv_generic_server_packets(irssi_t) -+ corenet_sendrecv_all_client_packets(irssi_t) - ') - -+userdom_home_manager(irssi_t) -+ - optional_policy(` - seutil_use_newrole_fds(irc_t) - ') -diff --git a/ircd.if b/ircd.if -index ade9803..3620c9a 100644 ---- a/ircd.if -+++ b/ircd.if -@@ -33,8 +33,8 @@ interface(`ircd_admin',` - - files_search_etc($1) - admin_pattern($1, ircd_etc_t) -- -- logging_search_log($1) -+ -+ logging_search_logs($1) - admin_pattern($1, ircd_log_t) - - files_search_var_lib($1) -diff --git a/ircd.te b/ircd.te -index e9f746e..40e440c 100644 ---- a/ircd.te -+++ b/ircd.te -@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t) - - corecmd_exec_bin(ircd_t) - --corenet_all_recvfrom_unlabeled(ircd_t) - corenet_all_recvfrom_netlabel(ircd_t) - corenet_tcp_sendrecv_generic_if(ircd_t) - corenet_tcp_sendrecv_generic_node(ircd_t) -@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t) - - logging_send_syslog_msg(ircd_t) - --miscfiles_read_localization(ircd_t) -- - userdom_dontaudit_use_unpriv_user_fds(ircd_t) - userdom_dontaudit_search_user_home_dirs(ircd_t) - -diff --git a/irqbalance.te b/irqbalance.te -index c5a8112..947efe0 100644 ---- a/irqbalance.te -+++ b/irqbalance.te -@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t) - - allow irqbalance_t self:capability { setpcap net_admin }; - dontaudit irqbalance_t self:capability sys_tty_config; -+ -+ifdef(`hide_broken_symptoms',` -+ # caused by some bogus kernel code -+ dontaudit irqbalance_t self:capability sys_module; -+') -+ - allow irqbalance_t self:process { getcap setcap signal_perms }; - allow irqbalance_t 
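Review bot: the irssi rule block is headed `# Irssi personal declarations.`, the same heading already used above for the type/tunable declarations, so the file now has two sections with that title and none named for the rules; use `# Irssi local policy` here to match the `# gssproxy local policy` / `# hypervkvp local policy` headings elsewhere in this patch. The block also has several double blank lines (after `corenet_sendrecv_http_cache_client_packets`, `dev_read_rand`, `fs_search_auto_mountpoints` and `auth_use_nsswitch`) that the surrounding style does not use. The `irssi_use_full_network` branch opens `corenet_tcp_connect_all_ports` for an interactive client; a short comment naming the use case (DCC/bouncers, presumably) would justify the width of that grant.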
self:udp_socket create_socket_perms; - -@@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t) - - dev_read_sysfs(irqbalance_t) - --files_read_etc_files(irqbalance_t) - files_read_etc_runtime_files(irqbalance_t) - - fs_getattr_all_fs(irqbalance_t) -@@ -45,8 +50,6 @@ domain_use_interactive_fds(irqbalance_t) - - logging_send_syslog_msg(irqbalance_t) - --miscfiles_read_localization(irqbalance_t) -- - userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) - userdom_dontaudit_search_user_home_dirs(irqbalance_t) - -diff --git a/iscsi.fc b/iscsi.fc -index 08b7560..417e630 100644 ---- a/iscsi.fc -+++ b/iscsi.fc -@@ -1,19 +1,18 @@ --/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0) -- - /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) --/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - /sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - - /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) --/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0) - - /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) - - /var/lock/iscsi(/.*)? 
gen_context(system_u:object_r:iscsi_lock_t,s0) - --/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) - /var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) - - /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) - /var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -+ -+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) -+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) -diff --git a/iscsi.if b/iscsi.if -index 1a35420..4b9b978 100644 ---- a/iscsi.if -+++ b/iscsi.if -@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` - - ######################################## - ## --## All of the rules required to --## administrate an iscsi environment. -+## Transition to iscsi named content - ## - ## - ## --## Domain allowed access. -+## Domain allowed access. - ## - ## --## -+# -+interface(`iscsi_filetrans_named_content',` -+ gen_require(` -+ type iscsi_lock_t; -+ ') -+ -+ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") -+') -+ -+ -+######################################## -+## -+## All of the rules required to -+## administrate an iscsi environment. -+## -+## - ## --## Role allowed access. -+## Domain allowed access. 
- ## - ## - ## -@@ -99,16 +113,15 @@ interface(`iscsi_admin',` - gen_require(` - type iscsid_t, iscsi_lock_t, iscsi_log_t; - type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; -- type iscsi_initrc_exec_t; -+ type iscsi_unit_file_t; - ') - - allow $1 iscsid_t:process { ptrace signal_perms }; - ps_process_pattern($1, iscsid_t) - -- init_labeled_script_domtrans($1, iscsi_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 iscsi_initrc_exec_t system_r; -- allow $2 system_r; -+ systemd_exec_systemctl($1) -+ allow $1 iscsi_unit_file_t:file manage_file_perms; -+ allow $1 iscsi_unit_file_t:service manage_service_perms; - - logging_search_logs($1) - admin_pattern($1, iscsi_log_t) -diff --git a/iscsi.te b/iscsi.te -index 57304e4..46e5e3d 100644 ---- a/iscsi.te -+++ b/iscsi.te -@@ -9,8 +9,8 @@ type iscsid_t; - type iscsid_exec_t; - init_daemon_domain(iscsid_t, iscsid_exec_t) - --type iscsi_initrc_exec_t; --init_script_file(iscsi_initrc_exec_t) -+type iscsi_unit_file_t; -+systemd_unit_file(iscsi_unit_file_t) - - type iscsi_lock_t; - files_lock_file(iscsi_lock_t) -@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t) - # Local policy - # - --allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; --dontaudit iscsid_t self:capability sys_ptrace; -+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; - allow iscsid_t self:process { setrlimit setsched signal }; - allow iscsid_t self:fifo_file rw_fifo_file_perms; - allow iscsid_t self:unix_stream_socket { accept connectto listen }; -@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - - can_exec(iscsid_t, iscsid_exec_t) - -+kernel_request_load_module(iscsid_t) - kernel_read_network_state(iscsid_t) - kernel_read_system_state(iscsid_t) - kernel_setsched(iscsid_t) -+kernel_request_load_module(iscsid_t) - --corenet_all_recvfrom_unlabeled(iscsid_t) - 
corenet_all_recvfrom_netlabel(iscsid_t) - corenet_tcp_sendrecv_generic_if(iscsid_t) - corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t) - corenet_tcp_connect_isns_port(iscsid_t) - corenet_tcp_sendrecv_isns_port(iscsid_t) - --dev_read_raw_memory(iscsid_t) -+corenet_sendrecv_winshadow_client_packets(iscsid_t) -+corenet_tcp_connect_winshadow_port(iscsid_t) -+corenet_tcp_sendrecv_winshadow_port(iscsid_t) -+ -+dev_read_urand(iscsid_t) - dev_rw_sysfs(iscsid_t) - dev_rw_userio_dev(iscsid_t) --dev_write_raw_memory(iscsid_t) - - domain_use_interactive_fds(iscsid_t) - domain_dontaudit_read_all_domains_state(iscsid_t) - -+files_read_kernel_modules(iscsid_t) -+ - auth_use_nsswitch(iscsid_t) - - init_stream_connect_script(iscsid_t) - - logging_send_syslog_msg(iscsid_t) - --miscfiles_read_localization(iscsid_t) -+modutils_read_module_config(iscsid_t) - - optional_policy(` - tgtd_manage_semaphores(iscsid_t) -diff --git a/isns.te b/isns.te -index bc11034..107ed2f 100644 ---- a/isns.te -+++ b/isns.te -@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) - allow isnsd_t self:capability kill; - allow isnsd_t self:process signal; - allow isnsd_t self:fifo_file rw_fifo_file_perms; -+allow isnsd_t self:tcp_socket { listen }; - allow isnsd_t self:udp_socket { accept listen }; - allow isnsd_t self:unix_stream_socket { accept listen }; - -@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) - corenet_sendrecv_isns_server_packets(isnsd_t) - corenet_tcp_bind_isns_port(isnsd_t) - --files_read_etc_files(isnsd_t) -- - logging_send_syslog_msg(isnsd_t) - - miscfiles_read_localization(isnsd_t) -diff --git a/jabber.fc b/jabber.fc -index 59ad3b3..bd02cc8 100644 ---- a/jabber.fc -+++ b/jabber.fc -@@ -1,25 +1,18 @@ --/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) - --/usr/bin/router -- 
gen_context(system_u:object_r:jabberd_router_exec_t,s0) --/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) --/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) --/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) -+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) -+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) - --/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) --/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0) --/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) -+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) - --/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0) -+# pyicq-t - --/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) --/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) -+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) - --/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) --/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) --/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) --/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) --/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) --/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) -+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0) - --/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) --/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) -+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) -+ -+/var/spool/pyicq-t(/.*)? 
gen_context(system_u:object_r:pyicqt_var_spool_t,s0) -diff --git a/jabber.if b/jabber.if -index 16b1666..01673a4 100644 ---- a/jabber.if -+++ b/jabber.if -@@ -1,29 +1,76 @@ --## Jabber instant messaging servers. -+## Jabber instant messaging server -+ -+##################################### -+## -+## Creates types and rules for a basic -+## jabber init daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`jabber_domain_template',` -+ gen_require(` -+ attribute jabberd_domain; -+ ') -+ -+ ############################## -+ # -+ # $1_t declarations -+ # -+ -+ type $1_t, jabberd_domain; -+ type $1_exec_t; -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ kernel_read_system_state($1_t) -+ -+ corenet_all_recvfrom_netlabel($1_t) -+ -+ logging_send_syslog_msg($1_t) -+') - - ####################################### - ## --## The template to define a jabber domain. -+## Execute a domain transition to run jabberd services - ## --## -+## - ## --## Domain prefix to be used. -+## Domain allowed to transition. - ## - ## - # --template(`jabber_domain_template',` -+interface(`jabber_domtrans_jabberd',` - gen_require(` -- attribute jabberd_domain; -+ type jabberd_t, jabberd_exec_t; - ') - -- type $1_t, jabberd_domain; -- type $1_exec_t; -- init_daemon_domain($1_t, $1_exec_t) -+ domtrans_pattern($1, jabberd_exec_t, jabberd_t) - ') - --######################################## -+###################################### - ## --## Create, read, write, and delete --## jabber lib files. -+## Execute a domain transition to run jabberd router service -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`jabber_domtrans_jabberd_router',` -+ gen_require(` -+ type jabberd_router_t, jabberd_router_exec_t; -+ ') -+ -+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) -+') -+ -+####################################### -+## -+## Read jabberd lib files. 
- ## - ## - ## -@@ -31,18 +78,37 @@ template(`jabber_domain_template',` - ## - ## - # --interface(`jabber_manage_lib_files',` -+interface(`jabberd_read_lib_files',` - gen_require(` - type jabberd_var_lib_t; - ') - - files_search_var_lib($1) -- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) -+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) - ') - --######################################## -+####################################### -+## -+## Dontaudit inherited read jabberd lib files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`jabberd_dontaudit_read_lib_files',` -+ gen_require(` -+ type jabberd_var_lib_t; -+ ') -+ -+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; -+') -+ -+####################################### - ## --## Connect to jabber over a TCP socket (Deprecated) -+## Create, read, write, and delete -+## jabberd lib files. - ## - ## - ## -@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',` - ## - ## - # --interface(`jabber_tcp_connect',` -- refpolicywarn(`$0($*) has been deprecated.') -+interface(`jabberd_manage_lib_files',` -+ gen_require(` -+ type jabberd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an jabber environment. -+## All of the rules required to administrate -+## an jabber environment - ## - ## - ## -@@ -66,38 +137,32 @@ interface(`jabber_tcp_connect',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the jabber domain. 
- ## - ## - ## - # - interface(`jabber_admin',` - gen_require(` -- attribute jabberd_domain; -- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t; -- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t; -+ type jabberd_t, jabberd_var_lib_t; -+ type jabberd_initrc_exec_t, jabberd_router_t; - ') - -- allow $1 jabberd_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, jabberd_domain) -+ allow $1 jabberd_t:process signal_perms; -+ ps_process_pattern($1, jabberd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 jabberd_t:process ptrace; -+ allow $1 jabberd_router_t:process ptrace; -+ ') -+ -+ allow $1 jabberd_router_t:process signal_perms; -+ ps_process_pattern($1, jabberd_router_t) - - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 jabberd_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_locks($1)) -- admin_pattern($1, jabberd_lock_t) -- -- logging_search_logs($1) -- admin_pattern($1, jabberd_log_t) -- -- files_search_spool($1) -- admin_pattern($1, jabberd_spool_t) -- -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, jabberd_var_lib_t) -- -- files_search_pids($1) -- admin_pattern($1, jabberd_var_run_t) - ') -diff --git a/jabber.te b/jabber.te -index bb12c90..62d511b 100644 ---- a/jabber.te -+++ b/jabber.te -@@ -1,4 +1,4 @@ --policy_module(jabber, 1.9.1) -+policy_module(jabber, 1.8.0) - - ######################################## - # -@@ -9,129 +9,133 @@ attribute jabberd_domain; - - jabber_domain_template(jabberd) - jabber_domain_template(jabberd_router) -+jabber_domain_template(pyicqt) - - type jabberd_initrc_exec_t; - init_script_file(jabberd_initrc_exec_t) - --type jabberd_lock_t; --files_lock_file(jabberd_lock_t) -- --type jabberd_log_t; --logging_log_file(jabberd_log_t) -- --type jabberd_spool_t; --files_type(jabberd_spool_t) -- -+# type which includes log/pid files pro jabberd components - type jabberd_var_lib_t; - 
files_type(jabberd_var_lib_t) - --type jabberd_var_run_t; --files_pid_file(jabberd_var_run_t) -+# pyicq-t types -+type pyicqt_log_t; -+logging_log_file(pyicqt_log_t); - --######################################## --# --# Common local policy --# -+type pyicqt_var_spool_t; -+files_spool_file(pyicqt_var_spool_t) - --allow jabberd_domain self:process signal_perms; --allow jabberd_domain self:fifo_file rw_fifo_file_perms; --allow jabberd_domain self:tcp_socket { accept listen }; -+type pyicqt_var_run_t; -+files_pid_file(pyicqt_var_run_t) - --manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) -+###################################### -+# -+# Local policy for jabberd-router and c2s components -+# - --kernel_read_system_state(jabberd_domain) -+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; - --corenet_all_recvfrom_unlabeled(jabberd_domain) --corenet_all_recvfrom_netlabel(jabberd_domain) --corenet_tcp_sendrecv_generic_if(jabberd_domain) --corenet_tcp_sendrecv_generic_node(jabberd_domain) --corenet_tcp_bind_generic_node(jabberd_domain) -+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) -+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) - --dev_read_urand(jabberd_domain) --dev_read_sysfs(jabberd_domain) -+kernel_read_network_state(jabberd_router_t) - --fs_getattr_all_fs(jabberd_domain) -+corenet_tcp_bind_jabber_client_port(jabberd_router_t) -+corenet_tcp_bind_jabber_router_port(jabberd_router_t) -+corenet_tcp_connect_jabber_router_port(jabberd_router_t) -+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) - --logging_send_syslog_msg(jabberd_domain) -+fs_getattr_all_fs(jabberd_router_t) - --miscfiles_read_localization(jabberd_domain) -+miscfiles_read_generic_certs(jabberd_router_t) - - optional_policy(` -- nis_use_ypbind(jabberd_domain) -+ kerberos_use(jabberd_router_t) - ') - - optional_policy(` 
-- seutil_sigchld_newrole(jabberd_domain) -+ nis_use_ypbind(jabberd_router_t) - ') - --######################################## -+##################################### - # --# Local policy -+# Local policy for other jabberd components - # - --allow jabberd_t self:capability dac_override; --dontaudit jabberd_t self:capability sys_tty_config; --allow jabberd_t self:tcp_socket create_socket_perms; --allow jabberd_t self:udp_socket create_socket_perms; -+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) -+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) - --manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) -+corenet_tcp_bind_jabber_interserver_port(jabberd_t) -+corenet_tcp_connect_jabber_interserver_port(jabberd_t) -+corenet_tcp_connect_jabber_router_port(jabberd_t) - --allow jabberd_t jabberd_log_t:dir setattr_dir_perms; --append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) -+userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -+userdom_dontaudit_search_user_home_dirs(jabberd_t) - --manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) -+miscfiles_read_certs(jabberd_t) - --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) -+optional_policy(` -+ seutil_sigchld_newrole(jabberd_t) -+') - --kernel_read_kernel_sysctls(jabberd_t) -+optional_policy(` -+ udev_read_db(jabberd_t) -+') - --corenet_sendrecv_jabber_client_server_packets(jabberd_t) --corenet_tcp_bind_jabber_client_port(jabberd_t) --corenet_tcp_sendrecv_jabber_client_port(jabberd_t) -+###################################### -+# -+# Local policy for pyicq-t -+# - --corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) 
--corenet_tcp_bind_jabber_interserver_port(jabberd_t) --corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) -+# need for /var/log/pyicq-t.log -+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t) -+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) - --dev_read_rand(jabberd_t) -+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t); - --domain_use_interactive_fds(jabberd_t) -+files_search_spool(pyicqt_t) -+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); - --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) -+corenet_tcp_bind_jabber_router_port(pyicqt_t) -+corenet_tcp_connect_jabber_router_port(pyicqt_t) - --fs_search_auto_mountpoints(jabberd_t) -+corecmd_exec_bin(pyicqt_t) - --sysnet_read_config(jabberd_t) -+dev_read_urand(pyicqt_t) - --userdom_dontaudit_use_unpriv_user_fds(jabberd_t) --userdom_dontaudit_search_user_home_dirs(jabberd_t) -+auth_use_nsswitch(pyicqt_t) - -+# needed for pyicq-t-mysql - optional_policy(` -- udev_read_db(jabberd_t) -+ corenet_tcp_connect_mysqld_port(pyicqt_t) - ') - --######################################## -+optional_policy(` -+ sysnet_use_ldap(pyicqt_t) -+') -+ -+####################################### - # --# Router local policy -+# Local policy for jabberd domains - # - --manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) -+allow jabberd_domain self:process signal_perms; -+allow jabberd_domain self:fifo_file rw_fifo_file_perms; -+allow jabberd_domain self:tcp_socket create_stream_socket_perms; -+allow jabberd_domain self:udp_socket create_socket_perms; - --kernel_read_network_state(jabberd_router_t) -+corenet_tcp_sendrecv_generic_if(jabberd_domain) -+corenet_udp_sendrecv_generic_if(jabberd_domain) -+corenet_tcp_sendrecv_generic_node(jabberd_domain) -+corenet_udp_sendrecv_generic_node(jabberd_domain) -+corenet_tcp_sendrecv_all_ports(jabberd_domain) -+corenet_udp_sendrecv_all_ports(jabberd_domain) 
-+corenet_tcp_bind_generic_node(jabberd_domain) - --corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) --corenet_tcp_bind_jabber_client_port(jabberd_router_t) --corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t) -+dev_read_sysfs(jabberd_domain) -+dev_read_urand(jabberd_domain) - --# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) --# corenet_tcp_bind_jabber_router_port(jabberd_router_t) --# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t) --# corenet_tcp_connect_jabber_router_port(jabberd_router_t) --# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t) -+files_read_etc_runtime_files(jabberd_domain) - --auth_use_nsswitch(jabberd_router_t) -+sysnet_read_config(jabberd_domain) -diff --git a/java.te b/java.te -index b3fcfbb..5459aa3 100644 ---- a/java.te -+++ b/java.te -@@ -11,7 +11,7 @@ policy_module(java, 2.6.3) - ## its stack executable. - ##

    - ## --gen_tunable(allow_java_execstack, false) -+gen_tunable(java_execstack, false) - - attribute java_domain; - -@@ -90,7 +90,6 @@ dev_read_urand(java_domain) - dev_read_rand(java_domain) - dev_dontaudit_append_rand(java_domain) - --files_read_usr_files(java_domain) - files_read_etc_runtime_files(java_domain) - - fs_getattr_all_fs(java_domain) -@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain) - userdom_manage_user_home_content_symlinks(java_domain) - userdom_manage_user_home_content_pipes(java_domain) - userdom_manage_user_home_content_sockets(java_domain) --userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) -+userdom_filetrans_home_content(java_domain_t) - - userdom_write_user_tmp_sockets(java_domain) - --tunable_policy(`allow_java_execstack',` -+tunable_policy(`java_execstack',` - allow java_domain self:process { execmem execstack }; - - libs_legacy_use_shared_libs(java_domain) -diff --git a/jetty.fc b/jetty.fc -new file mode 100644 -index 0000000..1725b7e ---- /dev/null -+++ b/jetty.fc -@@ -0,0 +1,9 @@ -+ -+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0) -+ -+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0) -+ -+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0) -+ -+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0) -+ -diff --git a/jetty.if b/jetty.if -new file mode 100644 -index 0000000..2abc285 ---- /dev/null -+++ b/jetty.if -@@ -0,0 +1,268 @@ -+ -+## policy for jetty -+ -+######################################## -+## -+## Search jetty cache directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_search_cache',` -+ gen_require(` -+ type jetty_cache_t; -+ ') -+ -+ allow $1 jetty_cache_t:dir search_dir_perms; -+ files_search_var($1) -+') -+ -+######################################## -+## -+## Read jetty cache files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`jetty_read_cache_files',` -+ gen_require(` -+ type jetty_cache_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, jetty_cache_t, jetty_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## jetty cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_manage_cache_files',` -+ gen_require(` -+ type jetty_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, jetty_cache_t, jetty_cache_t) -+') -+ -+######################################## -+## -+## Manage jetty cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_manage_cache_dirs',` -+ gen_require(` -+ type jetty_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t) -+') -+ -+######################################## -+## -+## Read jetty's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`jetty_read_log',` -+ gen_require(` -+ type jetty_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, jetty_log_t, jetty_log_t) -+') -+ -+######################################## -+## -+## Append to jetty log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_append_log',` -+ gen_require(` -+ type jetty_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, jetty_log_t, jetty_log_t) -+') -+ -+######################################## -+## -+## Manage jetty log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_manage_log',` -+ gen_require(` -+ type jetty_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, jetty_log_t, jetty_log_t) -+ manage_files_pattern($1, jetty_log_t, jetty_log_t) -+ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t) -+') -+ -+######################################## -+## -+## Search jetty lib directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`jetty_search_lib',` -+ gen_require(` -+ type jetty_var_lib_t; -+ ') -+ -+ allow $1 jetty_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read jetty lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_read_lib_files',` -+ gen_require(` -+ type jetty_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t) -+') -+ -+######################################## -+## -+## Manage jetty lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_manage_lib_files',` -+ gen_require(` -+ type jetty_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t) -+') -+ -+######################################## -+## -+## Manage jetty lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_manage_lib_dirs',` -+ gen_require(` -+ type jetty_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t) -+') -+ -+######################################## -+## -+## Read jetty PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jetty_read_pid_files',` -+ gen_require(` -+ type jetty_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 jetty_var_run_t:file read_file_perms; -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an jetty environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`jetty_admin',` -+ gen_require(` -+ type jetty_cache_t; -+ type jetty_log_t; -+ type jetty_var_lib_t; -+ type jetty_var_run_t; -+ ') -+ -+ files_search_var($1) -+ admin_pattern($1, jetty_cache_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, jetty_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, jetty_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, jetty_var_run_t) -+') -diff --git a/jetty.te b/jetty.te -new file mode 100644 -index 0000000..af510ea ---- /dev/null -+++ b/jetty.te -@@ -0,0 +1,25 @@ -+policy_module(jetty, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type jetty_cache_t; -+files_type(jetty_cache_t) -+ -+type jetty_log_t; -+logging_log_file(jetty_log_t) -+ -+type jetty_var_lib_t; -+files_type(jetty_var_lib_t) -+ -+type jetty_var_run_t; -+files_pid_file(jetty_var_run_t) -+ -+######################################## -+# -+# jetty local policy -+# -+ -+# No local policy. This module just contains type definitions -diff --git a/jockey.if b/jockey.if -index 2fb7a20..c6ba007 100644 ---- a/jockey.if -+++ b/jockey.if -@@ -1 +1,131 @@ --## Jockey driver manager. -+ -+## policy for jockey -+ -+######################################## -+## -+## Transition to jockey. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`jockey_domtrans',` -+ gen_require(` -+ type jockey_t, jockey_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, jockey_exec_t, jockey_t) -+') -+ -+######################################## -+## -+## Search jockey cache directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jockey_search_cache',` -+ gen_require(` -+ type jockey_cache_t; -+ ') -+ -+ allow $1 jockey_cache_t:dir search_dir_perms; -+ files_search_var($1) -+') -+ -+######################################## -+## -+## Read jockey cache files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`jockey_read_cache_files',` -+ gen_require(` -+ type jockey_cache_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, jockey_cache_t, jockey_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## jockey cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jockey_manage_cache_files',` -+ gen_require(` -+ type jockey_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, jockey_cache_t, jockey_cache_t) -+') -+ -+######################################## -+## -+## Manage jockey cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`jockey_manage_cache_dirs',` -+ gen_require(` -+ type jockey_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an jockey environment -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`jockey_admin',`
-+ gen_require(`
-+ type jockey_t;
-+ type jockey_cache_t;
-+ type jockey_var_log_t;
-+ ')
-+
-+ allow $1 jockey_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, jockey_t)
-+
-+ files_search_var($1)
-+ admin_pattern($1, jockey_cache_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, jockey_var_log_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/jockey.te b/jockey.te
-index d59ec10..dec1b3b 100644
---- a/jockey.te
-+++ b/jockey.te
-@@ -44,16 +44,19 @@ dev_read_urand(jockey_t)
- 
- domain_use_interactive_fds(jockey_t)
- 
--files_read_etc_files(jockey_t)
--files_read_usr_files(jockey_t)
- 
--miscfiles_read_localization(jockey_t)
-+auth_read_passwd(jockey_t)
- 
- optional_policy(`
- dbus_system_domain(jockey_t, jockey_exec_t)
- ')
- 
- optional_policy(`
-+ gnome_dontaudit_search_config(jockey_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(jockey_t)
- modutils_read_module_config(jockey_t)
-+ modutils_list_module_config(jockey_t)
- ')
-diff --git a/journalctl.fc b/journalctl.fc
-new file mode 100644
-index 0000000..f270652
---- /dev/null
-+++ b/journalctl.fc
-@@ -0,0 +1 @@
-+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
-diff --git a/journalctl.if b/journalctl.if
-new file mode 100644
-index 0000000..9d32f23
---- /dev/null
-+++ b/journalctl.if
-@@ -0,0 +1,76 @@
-+
-+## policy for journalctl
-+
-+########################################
-+##
-+## Execute TEMPLATE in the journalctl domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`journalctl_domtrans',`
-+ gen_require(`
-+ type journalctl_t, journalctl_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
-+')
-+
-+########################################
-+##
-+## Execute journalctl in the journalctl domain, and
-+## allow the specified role the journalctl domain.
-+##
-+##
-+##
-+## Domain allowed to transition
-+##
-+##
-+##
-+##
-+## The role to be allowed the journalctl domain.
-+##
-+##
-+#
-+interface(`journalctl_run',`
-+ gen_require(`
-+ type journalctl_t;
-+ attribute_role journalctl_roles;
-+ ')
-+
-+ journalctl_domtrans($1)
-+ roleattribute $2 journalctl_roles;
-+')
-+
-+########################################
-+##
-+## Role access for journalctl
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`journalctl_role',`
-+ gen_require(`
-+ type journalctl_t;
-+ attribute_role journalctl_roles;
-+ ')
-+
-+ roleattribute $1 journalctl_roles;
-+
-+ journalctl_domtrans($2)
-+
-+ ps_process_pattern($2, journalctl_t)
-+ allow $2 journalctl_t:process { signull signal sigkill };
-+')
-diff --git a/journalctl.te b/journalctl.te
-new file mode 100644
-index 0000000..5de3229
---- /dev/null
-+++ b/journalctl.te
-@@ -0,0 +1,44 @@
-+policy_module(journalctl, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute_role journalctl_roles;
-+roleattribute system_r journalctl_roles;
-+
-+type journalctl_t;
-+type journalctl_exec_t;
-+application_domain(journalctl_t, journalctl_exec_t)
-+
-+role journalctl_roles types journalctl_t;
-+
-+########################################
-+#
-+# journalctl local policy
-+#
-+allow journalctl_t self:process { fork signal_perms };
-+
-+allow journalctl_t self:fifo_file manage_fifo_file_perms;
-+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_read_system_state(journalctl_t)
-+
-+corecmd_exec_bin(journalctl_t)
-+
-+domain_use_interactive_fds(journalctl_t)
-+
-+files_read_etc_files(journalctl_t)
-+
-+fs_getattr_all_fs(journalctl_t)
-+
-+userdom_list_user_home_dirs(journalctl_t)
-+userdom_read_user_home_content_files(journalctl_t)
-+userdom_use_inherited_user_ptys(journalctl_t)
-+userdom_write_inherited_user_tmp_files(journalctl_t)
-+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
-+userdom_rw_inherited_user_home_content_files(journalctl_t)
-+
-+miscfiles_read_localization(journalctl_t)
-+logging_read_generic_logs(journalctl_t)
-diff --git a/kde.fc b/kde.fc
-new file mode 100644
-index 0000000..25e4b68
---- /dev/null
-+++ b/kde.fc
-@@ -0,0 +1 @@
-+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
-diff --git a/kde.if b/kde.if
-new file mode 100644
-index 0000000..cf65577
---- /dev/null
-+++ b/kde.if
-@@ -0,0 +1,22 @@
-+## Policy for KDE components
-+
-+#######################################
-+##
-+## Send and receive messages from
-+## firewallgui over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kde_dbus_chat_backlighthelper',`
-+ gen_require(`
-+ type kdebacklighthelper_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 kdebacklighthelper_t:dbus send_msg;
-+ allow kdebacklighthelper_t $1:dbus send_msg;
-+')
-diff --git a/kde.te b/kde.te
-new file mode 100644
-index 0000000..dbe3f03
---- /dev/null
-+++ b/kde.te
-@@ -0,0 +1,41 @@
-+policy_module(kde,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type kdebacklighthelper_t;
-+type kdebacklighthelper_exec_t;
-+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
-+
-+########################################
-+#
-+# backlighthelper local policy
-+#
-+
-+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
-+
-+kernel_read_system_state(kdebacklighthelper_t)
-+
-+# r/w brightness values
-+dev_rw_sysfs(kdebacklighthelper_t)
-+
-+files_read_etc_runtime_files(kdebacklighthelper_t)
-+
-+fs_getattr_all_fs(kdebacklighthelper_t)
-+
-+logging_send_syslog_msg(kdebacklighthelper_t)
-+
-+optional_policy(`
-+ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
-+')
-+
-+optional_policy(`
-+ consolekit_dbus_chat(kdebacklighthelper_t)
-+')
-+
-+optional_policy(`
-+ 
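Review bot: `userdom_list_user_home_dirs`, `userdom_read_user_home_content_files` and `userdom_rw_inherited_user_home_content_files` give `journalctl_t` read reach into arbitrary user home content with no comment saying why a log viewer needs it, and because every domain granted `journalctl_domtrans` inherits that reach together with `logging_read_generic_logs`, the rationale matters. If the reads exist only for `journalctl --file=` on journals kept under a home directory or for the state of the pager spawned through `corecmd_exec_bin`, say so above the block, e.g. `# read journals passed via --file and pager config under HOME`, and check whether the inherited rw variant already covers the pager case so the unconditional read can be dropped. I am inferring the pager/--file motivation from `corecmd_exec_bin`; confirm against the denials that prompted the rules.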
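Review bot: The summary of `kde_dbus_chat_backlighthelper` says `## firewallgui over dbus.`, a copy-paste from another module, so the generated documentation names the wrong peer; change the two summary lines to `## Send and receive messages from` / `## backlighthelper over dbus.`. Naming the actual peer matters here because the interface is bidirectional (`allow kdebacklighthelper_t $1:dbus send_msg;`), so a reader deciding whether to grant it needs to know which service will be able to message the caller back.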
policykit_dbus_chat(kdebacklighthelper_t) -+') -+ -diff --git a/kdump.fc b/kdump.fc -index a49ae4e..0c0e987 100644 ---- a/kdump.fc -+++ b/kdump.fc -@@ -1,13 +1,16 @@ - /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) -+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - --/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) -+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) - --/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) - --/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) -+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0) - --/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) --/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) -+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) -+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) - --/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) --/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) -+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) -+ -+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) -diff --git a/kdump.if b/kdump.if -index 3a00b3a..21efcc4 100644 ---- a/kdump.if -+++ b/kdump.if -@@ -1,4 +1,4 @@ --## Kernel crash dumping mechanism. -+## Kernel crash dumping mechanism - - ###################################### - ## -@@ -19,6 +19,26 @@ interface(`kdump_domtrans',` - domtrans_pattern($1, kdump_exec_t, kdump_t) - ') - -+###################################### -+## -+## Execute kdumpctl in the kdumpctl domain. -+## -+## -+## -+## Domain allowed to transition. 
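Review bot: `dev_rw_sysfs(kdebacklighthelper_t)` grants read/write on everything labelled `sysfs_t`, far more than the `# r/w brightness values` comment describes, and no narrower interface is in view; the comment should at least state the over-grant, e.g. `# r/w brightness values; dev_rw_sysfs covers all of sysfs_t, no backlight-specific type exists`. The only entry in kde.fc is commented out, so nothing is ever labelled `kdebacklighthelper_exec_t` and this `init_daemon_domain` is unreachable as shipped; if the path is deliberately left unsettled, a comment in kde.te should say so rather than leave a dead daemon domain that looks confined.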
-+## -+## -+# -+interface(`kdumpctl_domtrans',` -+ gen_require(` -+ type kdumpctl_t, kdumpctl_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t) -+') -+ -+ - ####################################### - ## - ## Execute kdump in the kdump domain. -@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',` - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - ') - -+######################################## -+## -+## Execute kdump server in the kdump domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`kdump_systemctl',` -+ gen_require(` -+ type kdump_unit_file_t; -+ type kdump_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) -+ allow $1 kdump_unit_file_t:file read_file_perms; -+ allow $1 kdump_unit_file_t:service all_service_perms; -+ -+ ps_process_pattern($1, kdump_t) -+') -+ - ##################################### - ## --## Read kdump configuration files. -+## Read kdump configuration file. - ## - ## - ## -@@ -56,10 +100,67 @@ interface(`kdump_read_config',` - allow $1 kdump_etc_t:file read_file_perms; - ') - -+##################################### -+## -+## Read kdump crash files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kdump_read_crash',` -+ gen_require(` -+ type kdump_crash_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, kdump_crash_t, kdump_crash_t) -+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) -+') -+ -+##################################### -+## -+## Read kdump crash files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kdump_manage_crash',` -+ gen_require(` -+ type kdump_crash_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t) -+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) -+') -+ -+##################################### -+## -+## Dontaudit read kdump configuration file. -+## -+## -+## -+## Domain to not audit. 
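Review bot: The summary of `kdump_systemctl`, `## Execute kdump server in the kdump domain.`, describes a transition the interface does not perform; what it actually grants is systemctl execution plus `all_service_perms` on `kdump_unit_file_t`, which includes enable/disable rather than only start/stop/status. Reword it to `## Allow the caller to control the kdump service unit with systemctl (start/stop/enable/disable).` so callers such as the GUI know the weight of what they hand out. The trailing `ps_process_pattern($1, kdump_t)` is unrelated to unit control and would benefit from a one-line why-comment.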
-+## -+## -+# -+interface(`kdump_dontaudit_read_config',` -+ gen_require(` -+ type kdump_etc_t; -+ ') -+ -+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms; -+') -+ - #################################### - ## --## Create, read, write, and delete --## kdmup configuration files. -+## Manage kdump configuration file. - ## - ## - ## -@@ -76,10 +177,69 @@ interface(`kdump_manage_config',` - allow $1 kdump_etc_t:file manage_file_perms; - ') - -+##################################### -+## -+## Read and write kdump lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kdump_rw_lock',` -+ gen_require(` -+ type kdump_lock_t; -+ ') -+ -+ files_search_locks($1) -+ rw_files_pattern($1, kdump_lock_t, kdump_lock_t) -+') -+ -+################################### -+## -+## Manage kdump /var/tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kdump_manage_kdumpctl_tmp_files',` -+ gen_require(` -+ type kdumpctl_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) -+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) -+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) -+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) -+') -+ -+####################################### -+## -+## Transition content labels to kdump named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kdump_filetrans_named_content',` -+ gen_require(` -+ type kdump_lock_t; -+ ') -+ -+ files_lock_filetrans($1, kdump_lock_t, file, "kdump") -+') -+ - ###################################### - ## --## All of the rules required to --## administrate an kdump environment. -+## All of the rules required to administrate -+## an kdump environment - ## - ## - ## -@@ -88,19 +248,24 @@ interface(`kdump_manage_config',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the kdump domain. 
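Review bot: `kdump_manage_crash` reuses the summary `## Read kdump crash files.` from `kdump_read_crash` although it grants `manage_files_pattern` (create, write, unlink) on `kdump_crash_t`; correct it to `## Create, read, write, and delete kdump crash files.`. Because `kdump_crash_t` labels `/var/crash`, i.e. the saved vmcore containing the full memory of the crashed kernel, both interfaces deserve a note that the content is as sensitive as raw kernel memory and that callers should be limited to kdump tooling and admin roles.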
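Review bot: The summary of `kdump_manage_kdumpctl_tmp_files` says `## Manage kdump /var/tmp files.`, but `kdumpctl_tmp_t` is declared with `files_tmp_file` in kdump.te and the interface itself calls `files_search_tmp($1)`, so the content lives under /tmp; change it to `## Manage kdumpctl temporary files (kdumpctl_tmp_t).`. Since kdump.te also lets `kdumpctl_t` execute `kdumpctl_tmp_t` (`can_exec`), the summary should warn that a caller of this interface can plant files the kdumpctl daemon will run, so it must not be granted to user-reachable domains.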
- ## - ## - ## - # - interface(`kdump_admin',` - gen_require(` -- type kdump_t, kdump_etc_t, kdumpctl_tmp_t; -- type kdump_initrc_exec_t, kdumpctl_t; -+ type kdump_t, kdump_etc_t; -+ type kdump_initrc_exec_t; -+ type kdump_unit_file_t; -+ type kdump_crash_t; - ') - -- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { kdump_t kdumpctl_t }) -+ allow $1 kdump_t:process signal_perms; -+ ps_process_pattern($1, kdump_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kdump_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) -@@ -110,6 +275,10 @@ interface(`kdump_admin',` - files_search_etc($1) - admin_pattern($1, kdump_etc_t) - -- files_search_tmp($1) -- admin_pattern($1, kdumpctl_tmp_t) -+ files_search_var($1) -+ admin_pattern($1, kdump_crash_t) -+ -+ kdump_systemctl($1) -+ admin_pattern($1, kdump_unit_file_t) -+ allow $1 kdump_unit_file_t:service all_service_perms; - ') -diff --git a/kdump.te b/kdump.te -index 70f3007..f8b68bf 100644 ---- a/kdump.te -+++ b/kdump.te -@@ -1,4 +1,4 @@ --policy_module(kdump, 1.2.3) -+policy_module(kdump, 1.2.0) - - ####################################### - # -@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t) - type kdump_etc_t; - files_config_file(kdump_etc_t) - -+type kdump_crash_t; -+files_type(kdump_crash_t) -+ - type kdump_initrc_exec_t; - init_script_file(kdump_initrc_exec_t) - -+type kdump_unit_file_t alias kdumpctl_unit_file_t; -+systemd_unit_file(kdump_unit_file_t) -+ -+type kdump_lock_t; -+files_lock_file(kdump_lock_t) -+ - type kdumpctl_t; - type kdumpctl_exec_t; - init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) --application_executable_file(kdumpctl_exec_t) -+init_initrc_domain(kdumpctl_t) - - type kdumpctl_tmp_t; - files_tmp_file(kdumpctl_tmp_t) - - ##################################### - # --# Local policy -+# kdump local policy - # - - allow kdump_t self:capability { sys_boot dac_override }; -+allow 
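Review bot: `allow $1 kdump_unit_file_t:service all_service_perms;` at the end of `kdump_admin` duplicates what `kdump_systemctl($1)` two lines above already grants; drop the explicit line. The hunk also removes `kdumpctl_t` from the `gen_require` and from the signal/ps rules, so a role given `kdump_admin` can no longer see or signal a running kdumpctl even though the domain still exists in kdump.te; if that is intended because kdumpctl is now an initrc-style domain, a comment should say so, otherwise keep `kdumpctl_t` in `ps_process_pattern` and `signal_perms`. The new `deny_ptrace` guard around ptrace is the right shape.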
kdump_t self:capability2 compromise_kernel; -+ -+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) -+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) -+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) -+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") -+ -+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) - --allow kdump_t kdump_etc_t:file read_file_perms; -+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) -+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) -+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file }) - --files_read_etc_files(kdump_t) - files_read_etc_runtime_files(kdump_t) - files_read_kernel_img(kdump_t) - -+kernel_read_system_state(kdump_t) - kernel_read_core_if(kdump_t) - kernel_read_debugfs(kdump_t) --kernel_read_system_state(kdump_t) - kernel_request_load_module(kdump_t) - -+mls_file_read_all_levels(kdump_t) -+ - dev_read_framebuffer(kdump_t) - dev_read_sysfs(kdump_t) - -@@ -48,22 +68,32 @@ term_use_console(kdump_t) - - ####################################### - # --# Ctl local policy -+# kdumpctl local policy - # - -+#cjp:almost all rules are needed by dracut -+ -+kdump_domtrans(kdumpctl_t) -+ - allow kdumpctl_t self:capability { dac_override sys_chroot }; - allow kdumpctl_t self:process setfscreate; --allow kdumpctl_t self:fifo_file rw_fifo_file_perms; --allow kdumpctl_t self:unix_stream_socket { accept listen }; - --allow kdumpctl_t kdump_etc_t:file read_file_perms; -+allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; - - manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) - manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) - manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) - files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) -+can_exec(kdumpctl_t, kdumpctl_tmp_t) -+ 
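Review bot: `allow kdump_t self:capability2 compromise_kernel;` is added with no explanation; it is a kernel-integrity capability and the strongest single permission in this domain, so it needs a why-comment above it, e.g. `# kexec_load of the crash kernel is gated on compromise_kernel` (I am inferring the kexec motivation from the kexec entries in kdump.fc; confirm against the denial). The same hunk turns `kdumpctl_t` from a plain application executable into `init_initrc_domain(kdumpctl_t)`, which lets it take initrc-style transitions, and adds `mls_file_read_all_levels(kdump_t)`; both are policy-widening changes that deserve a one-line rationale next to them so the next reviewer does not have to reconstruct it.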
-+manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) -+manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) -+manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) -+files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash") - --domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) -+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) - - kernel_read_system_state(kdumpctl_t) - -@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t) - corecmd_exec_shell(kdumpctl_t) - - dev_read_sysfs(kdumpctl_t) -+# dracut - dev_manage_all_dev_nodes(kdumpctl_t) - - domain_use_interactive_fds(kdumpctl_t) - - files_create_kernel_img(kdumpctl_t) --files_read_etc_files(kdumpctl_t) - files_read_etc_runtime_files(kdumpctl_t) --files_read_usr_files(kdumpctl_t) - files_read_kernel_modules(kdumpctl_t) - files_getattr_all_dirs(kdumpctl_t) -+files_delete_kernel(kdumpctl_t) - - fs_getattr_all_fs(kdumpctl_t) - fs_search_all(kdumpctl_t) - --init_domtrans_script(kdumpctl_t) -+application_executable_ioctl(kdumpctl_t) -+ -+auth_read_passwd(kdumpctl_t) -+ - init_exec(kdumpctl_t) -+systemd_exec_systemctl(kdumpctl_t) -+systemd_read_unit_files(kdumpctl_t) - - libs_exec_ld_so(kdumpctl_t) - - logging_send_syslog_msg(kdumpctl_t) -+# Need log file from /var/log/dracut.log -+logging_write_generic_logs(kdumpctl_t) - --miscfiles_read_localization(kdumpctl_t) -+optional_policy(` -+ gpg_exec(kdumpctl_t) -+') - - optional_policy(` -- gpg_exec(kdumpctl_t) -+ lvm_read_config(kdumpctl_t) - ') - - optional_policy(` -- lvm_read_config(kdumpctl_t) -+ modutils_domtrans_insmod(kdumpctl_t) -+ modutils_list_module_config(kdumpctl_t) -+ modutils_read_module_config(kdumpctl_t) - ') - - optional_policy(` -- modutils_domtrans_insmod(kdumpctl_t) -- modutils_read_module_config(kdumpctl_t) -+ plymouthd_domtrans_plymouth(kdumpctl_t) - ') - - optional_policy(` -- plymouthd_domtrans_plymouth(kdumpctl_t) -+ ssh_exec(kdumpctl_t) - ') - - optional_policy(` -- ssh_exec(kdumpctl_t) -+ 
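Review bot: `can_exec(kdumpctl_t, kdumpctl_tmp_t)` lets `kdumpctl_t` execute anything labelled `kdumpctl_tmp_t`, which the same hunk lets it create under /tmp via `files_tmp_filetrans` and which other domains can populate through the new `kdump_manage_kdumpctl_tmp_files` interface; together with `dac_override` and `dev_manage_all_dev_nodes` that makes every caller of the interface a route to code execution in a root daemon domain. If dracut genuinely runs scripts it unpacks there, comment it, e.g. `# dracut executes helper scripts it extracts into its tmp tree`, and keep the manage interface away from user-reachable domains; otherwise a dedicated exec type would be tighter. `manage_chr_files_pattern` on the tmp tree (device nodes for the initramfs image, presumably) lacks a why-comment as well; I am inferring the dracut motivation from the `#cjp:almost all rules are needed by dracut` note.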
unconfined_domain(kdumpctl_t) - ') -diff --git a/kdumpgui.if b/kdumpgui.if -index 182ab8b..8b1d9c2 100644 ---- a/kdumpgui.if -+++ b/kdumpgui.if -@@ -1 +1,23 @@ --## System-config-kdump GUI. -+## system-config-kdump GUI -+ -+######################################## -+## -+## Send and receive messages from -+## kdumpgui over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kdumpgui_dbus_chat',` -+ gen_require(` -+ type kdumpgui_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 kdumpgui_t:dbus send_msg; -+ allow kdumpgui_t $1:dbus send_msg; -+') -+ -diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..8c75bc8 100644 ---- a/kdumpgui.te -+++ b/kdumpgui.te -@@ -1,83 +1,92 @@ --policy_module(kdumpgui, 1.1.4) -+policy_module(kdumpgui, 1.1.0) - - ######################################## - # - # Declarations - # - -+## -+##
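Review bot: The closing `optional_policy` block calling `unconfined_domain(kdumpctl_t)` makes every rule above it for `kdumpctl_t` moot whenever the unconfined module is loaded, including the `can_exec` on its tmp tree and `dev_manage_all_dev_nodes`: the domain becomes fully unconfined while the file still reads as a confined policy. If the intent is to confine it only once dracut's needs are fully mapped, say so with a comment and a removal marker, e.g. `# TODO: dracut still trips denials; remove once kdumpctl_t is complete`; otherwise the fine-grained rules give a false sense of confinement. `logging_write_generic_logs(kdumpctl_t)` for `/var/log/dracut.log` is a write on every `var_log_t` file; the comment explains the need, but a dedicated log type would be tighter.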

    -+## Allow s-c-kdump to run bootloader in bootloader_t. -+##

    -+##
    -+gen_tunable(kdumpgui_run_bootloader, false) -+ - type kdumpgui_t; - type kdumpgui_exec_t; --init_system_domain(kdumpgui_t, kdumpgui_exec_t) -+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t) - - type kdumpgui_tmp_t; - files_tmp_file(kdumpgui_tmp_t) - - ###################################### - # --# Local policy -+# system-config-kdump local policy - # - - allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio }; --allow kdumpgui_t self:process { setsched sigkill }; - allow kdumpgui_t self:fifo_file rw_fifo_file_perms; - allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow kdumpgui_t self:process { setsched sigkill }; - - manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) - manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) - files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) - --kernel_getattr_core_if(kdumpgui_t) - kernel_read_system_state(kdumpgui_t) - kernel_read_network_state(kdumpgui_t) -+kernel_getattr_core_if(kdumpgui_t) - - corecmd_exec_bin(kdumpgui_t) - corecmd_exec_shell(kdumpgui_t) - --dev_getattr_all_blk_files(kdumpgui_t) - dev_dontaudit_getattr_all_chr_files(kdumpgui_t) - dev_read_sysfs(kdumpgui_t) -+dev_read_urand(kdumpgui_t) -+dev_getattr_all_blk_files(kdumpgui_t) - - files_manage_boot_files(kdumpgui_t) - files_manage_boot_symlinks(kdumpgui_t) -+# Needed for running chkconfig - files_manage_etc_symlinks(kdumpgui_t) -+# for blkid.tab - files_manage_etc_runtime_files(kdumpgui_t) - files_etc_filetrans_etc_runtime(kdumpgui_t, file) --files_read_usr_files(kdumpgui_t) - -+fs_manage_dos_files(kdumpgui_t) - fs_getattr_all_fs(kdumpgui_t) - fs_list_hugetlbfs(kdumpgui_t) --fs_read_dos_files(kdumpgui_t) - - storage_raw_read_fixed_disk(kdumpgui_t) - storage_raw_write_fixed_disk(kdumpgui_t) -+storage_getattr_removable_dev(kdumpgui_t) - - auth_use_nsswitch(kdumpgui_t) - -+logging_send_syslog_msg(kdumpgui_t) - logging_list_logs(kdumpgui_t) - logging_read_generic_logs(kdumpgui_t) 
--logging_send_syslog_msg(kdumpgui_t) -- --miscfiles_read_localization(kdumpgui_t) - - mount_exec(kdumpgui_t) - - init_dontaudit_read_all_script_files(kdumpgui_t) -+init_access_check(kdumpgui_t) - --optional_policy(` -- bootloader_exec(kdumpgui_t) -- bootloader_rw_config(kdumpgui_t) --') -+userdom_dontaudit_search_admin_dir(kdumpgui_t) - - optional_policy(` -- consoletype_exec(kdumpgui_t) -+ tunable_policy(`kdumpgui_run_bootloader',` -+ bootloader_domtrans(kdumpgui_t) -+ #if s-c-kdump is involved -+ bootloader_manage_config(kdumpgui_t) -+ ',` -+ bootloader_exec(kdumpgui_t) -+ bootloader_manage_config(kdumpgui_t) -+ ') - ') - - optional_policy(` - dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) -- -- optional_policy(` -- policykit_dbus_chat(kdumpgui_t) -- ') - ') - - optional_policy(` -@@ -87,4 +96,10 @@ optional_policy(` - optional_policy(` - kdump_manage_config(kdumpgui_t) - kdump_initrc_domtrans(kdumpgui_t) -+ kdump_systemctl(kdumpgui_t) -+ kdumpctl_domtrans(kdumpgui_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(kdumpgui_t) - ') -diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..8c702c9 100644 ---- a/kerberos.fc -+++ b/kerberos.fc -@@ -1,52 +1,44 @@ --HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) --/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - --/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) --/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) -+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) - --/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) --/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) --/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -+/etc/krb5kdc(/.*)? 
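Review bot: Both arms of the `tunable_policy` on `kdumpgui_run_bootloader` call `bootloader_manage_config(kdumpgui_t)`, so that call can be hoisted out of the conditional and the tunable reduced to the `bootloader_domtrans` versus `bootloader_exec` choice. The tunable defaults to false, which selects the less confined option, grub running inside `kdumpgui_t`, a domain that already holds `sys_rawio` and raw read/write of fixed disks; the description `Allow s-c-kdump to run bootloader in bootloader_t` reads as if enabling it adds privilege, so reword it to say that enabling it confines the bootloader run to `bootloader_t`. `fs_manage_dos_files` replacing `fs_read_dos_files` (write access to the EFI system partition, presumably for grub configuration) also deserves a why-comment.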
gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - - /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - --/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) --/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) --/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) - /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) -+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - --/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) --/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- --/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) --/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- --/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) --/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -- --/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - --/var/cache/krb5rcache(/.*)? 
gen_context(system_u:object_r:krb5_host_rcache_t,s0) -- --/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) --/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) --/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) -- --/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) --/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) --/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) -- --/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) --/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+ -+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) -+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) -+ -+/var/cache/krb5rcache(/.*)? 
gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+ -+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -diff --git a/kerberos.if b/kerberos.if -index f9de9fc..11e6268 100644 ---- a/kerberos.if -+++ b/kerberos.if -@@ -1,27 +1,29 @@ --## MIT Kerberos admin and KDC. -+## MIT Kerberos admin and KDC -+## -+##
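Review bot: `/etc/krb5\.keytab` loses its `--` qualifier, so the entry now labels any object at that path (symlink, directory) as `krb5_keytab_t`, and the `principal.*\.ok`, `krb5kdc\.log.*` and `kadmin(d)?\.log.*` entries lose it as well. If the keytab change is meant to cover installs where `/etc/krb5.keytab` is a symlink, say so in a comment, and note that the keytab interfaces in view only grant the `file` class, so the link target still needs its own labelling. The removed `/usr/local/kerberos/sbin/*` and `/usr/local/var/krb5kdc*` entries mean a locally built KDC will no longer be labelled and will run in the caller's domain; worth a changelog note if intentional.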

    -+## This policy supports: -+##

    -+##

    -+## Servers: -+##

      -+##
    • kadmind
    • -+##
    • krb5kdc
    • -+##
    -+##

    -+##

    -+## Clients: -+##

      -+##
    • kinit
    • -+##
    • kdestroy
    • -+##
    • klist
    • -+##
    • ksu (incomplete)
    • -+##
    -+##

    -+##
    - - ######################################## - ## --## Role access for kerberos. --## --## --## --## Role allowed access. --## --## --## --## --## User domain for the role. --## --## --# --template(`kerberos_role',` -- refpolicywarn(`$0($*) has been deprecated') --') -- --######################################## --## --## Execute kadmind in the caller domain. -+## Execute kadmind in the current domain - ## - ## - ## -@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',` - type kadmind_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, kadmind_exec_t) - ') - -@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',` - type kpropd_t, kpropd_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, kpropd_exec_t, kpropd_t) - ') - - ######################################## - ## --## Support kerberos services. -+## Use kerberos services - ## - ## - ## -@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',` - # - interface(`kerberos_use',` - gen_require(` -- type krb5kdc_conf_t, krb5_host_rcache_t; -+ type krb5_conf_t, krb5kdc_conf_t; -+ type krb5_host_rcache_t; - ') - -- kerberos_read_config($1) -- -- dontaudit $1 krb5_conf_t:file write_file_perms; -+ files_search_etc($1) -+ read_files_pattern($1, krb5_conf_t, krb5_conf_t) -+ dontaudit $1 krb5_conf_t:file write; - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - -+ #kerberos libraries are attempting to set the correct file context - dontaudit $1 self:process setfscreate; -- - selinux_dontaudit_validate_context($1) -- seutil_dontaudit_read_file_contexts($1) -+ seutil_read_file_contexts($1) - -- tunable_policy(`allow_kerberos',` -+ tunable_policy(`kerberos_enabled',` - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled($1) -- corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - 
corenet_udp_sendrecv_generic_node($1) -- -- corenet_sendrecv_kerberos_client_packets($1) -- corenet_tcp_connect_kerberos_port($1) - corenet_tcp_sendrecv_kerberos_port($1) - corenet_udp_sendrecv_kerberos_port($1) -- -- corenet_sendrecv_ocsp_client_packets($1) -+ corenet_tcp_bind_generic_node($1) -+ corenet_udp_bind_generic_node($1) -+ corenet_tcp_connect_kerberos_port($1) - corenet_tcp_connect_ocsp_port($1) -- corenet_tcp_sendrecv_ocsp_port($1) -+ corenet_sendrecv_kerberos_client_packets($1) -+ corenet_sendrecv_ocsp_client_packets($1) - -+ allow $1 krb5_host_rcache_t:dir search_dir_perms; - allow $1 krb5_host_rcache_t:file getattr_file_perms; - ') - - optional_policy(` -- tunable_policy(`allow_kerberos',` -+ tunable_policy(`kerberos_enabled',` - pcscd_stream_connect($1) - ') - ') -@@ -119,7 +118,7 @@ interface(`kerberos_use',` - - ######################################## - ## --## Read kerberos configuration files. -+## Read the kerberos configuration file (/etc/krb5.conf). - ## - ## - ## -@@ -135,15 +134,13 @@ interface(`kerberos_read_config',` - - files_search_etc($1) - allow $1 krb5_conf_t:file read_file_perms; -- -- userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file read_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to write --## kerberos configuration files. -+## Do not audit attempts to write the kerberos -+## configuration file (/etc/krb5.conf). - ## - ## - ## -@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',` - type krb5_conf_t; - ') - -- dontaudit $1 krb5_conf_t:file write_file_perms; -+ dontaudit $1 krb5_conf_t:file write; - ') - - ######################################## - ## --## Read and write kerberos --## configuration files. -+## Read and write the kerberos configuration file (/etc/krb5.conf). - ## - ## - ## -@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',` - - ######################################## - ## --## Create, read, write, and delete --## kerberos home files. 
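Review bot: The boolean is renamed from `allow_kerberos` to `kerberos_enabled` inside `kerberos_use`; every `gen_tunable` and `tunable_policy` in the tree must follow or the module fails to build, and existing `setsebool allow_kerberos` configurations and local modules break unless a boolean alias is shipped, which nothing in this diff shows. Two silent widenings also land here: `seutil_dontaudit_read_file_contexts` becomes a real `seutil_read_file_contexts` grant for every kerberized domain (plausibly needed once the libraries call setfscreate, as the new comment says), and `corenet_tcp_bind_generic_node`/`corenet_udp_bind_generic_node` are added inside the tunable without a why-comment; something like `# libkrb5 binds a local port for KDC replies` would help, hedged as my guess at the reason.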
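Review bot: `kerberos_read_config` keeps `allow $1 krb5_home_t:file read_file_perms;` but drops `userdom_search_user_home_dirs($1)`, so a domain relying on this interface to read `~/.k5login` can only open it if it already has search on user home directories. Either keep the search, or move the `.k5login` read entirely into the new `kerberos_read_home_content` (which does carry the search) and drop the `krb5_home_t` line here, so that the interface really is just `/etc/krb5.conf` as its new summary claims.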
--## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_manage_krb5_home_files',` -- gen_require(` -- type krb5_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 krb5_home_t:file manage_file_perms; --') -- --######################################## --## --## Relabel kerberos home files. --## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_relabel_krb5_home_files',` -- gen_require(` -- type krb5_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 krb5_home_t:file relabel_file_perms; --') -- --######################################## --## --## Create objects in user home --## directories with the krb5 home type. --## --## --## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## --# --interface(`kerberos_home_filetrans_krb5_home',` -- gen_require(` -- type krb5_home_t; -- ') -- -- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) --') -- --######################################## --## --## Read kerberos key table files. -+## Read the kerberos key table. - ## - ## - ## -@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',` - - ######################################## - ## --## Read and write kerberos key table files. -+## Read/Write the kerberos key table. - ## - ## - ## -@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',` - - ######################################## - ## --## Create, read, write, and delete --## kerberos key table files. --## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_manage_keytab_files',` -- gen_require(` -- type krb5_keytab_t; -- ') -- -- files_search_etc($1) -- allow $1 krb5_keytab_t:file manage_file_perms; --') -- --######################################## --## --## Create specified objects in generic --## etc directories with the kerberos --## keytab file type. 
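Review bot: `kerberos_manage_krb5_home_files`, `kerberos_relabel_krb5_home_files` and `kerberos_home_filetrans_krb5_home` are deleted outright, so any module still calling them fails to build, and the diff adds no replacement for the manage and relabel cases; the only home-related interfaces added later in the file are a read-only `kerberos_read_home_content` and a `/root`-only `kerberos_filetrans_admin_home_content`. If nothing in-tree uses them, keep `refpolicywarn` deprecation stubs for one release, or state in the commit message that callers were audited.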
-+## Create keytab file in /etc - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## - ## - ## - ## The name of the object being created. -@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',` - type krb5_keytab_t; - ') - -- files_etc_filetrans($1, krb5_keytab_t, $2, $3) -+ allow $1 krb5_keytab_t:file manage_file_perms; -+ files_etc_filetrans($1, krb5_keytab_t, file, $2) - ') - - ######################################## - ## --## Create a derived type for kerberos --## keytab files. -+## Create a derived type for kerberos keytab - ## - ## - ## -@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',` - ## - # - template(`kerberos_keytab_template',` -- -- ######################################## -- # -- # Declarations -- # -- - type $1_keytab_t; - files_type($1_keytab_t) - -- ######################################## -- # -- # Policy -- # -+ allow $2 self:process setfscreate; -+ allow $2 $1_keytab_t:file read_file_perms; - -- allow $2 $1_keytab_t:file read_file_perms; -+ seutil_read_file_contexts($2) -+ seutil_read_config($2) -+ selinux_get_enforce_mode($2) - - kerberos_read_keytab($2) - kerberos_use($2) -@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',` - - ######################################## - ## --## Read kerberos kdc configuration files. -+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). - ## - ## - ## -@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',` - - ######################################## - ## --## Create, read, write, and delete --## kerberos host rcache files. -+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). 
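Review bot: `kerberos_etc_filetrans_keytab` changes its signature from `(domain, class, name)` to `(domain, name)` and now also grants `manage_file_perms` on every `krb5_keytab_t` file. An existing caller written as `kerberos_etc_filetrans_keytab(foo_t, file, "krb5.keytab")` still builds but silently passes `file` as the filename, so the transition never fires for the real name; and since keytabs are long-term service credentials, an interface named `filetrans` quietly handing out write and unlink on all of them is surprising. Either rename it to reflect the manage grant or split that grant back out, and state the parameter change in the summary; `kerberos_manage_keytab_files` is deleted in the same hunk, so if the manage right moved here a comment should say so.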
- ## - ## - ## -@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',` - type krb5_host_rcache_t; - ') - -+ # creates files as system_u no matter what the selinux user -+ # cjp: should be in the below tunable but typeattribute -+ # does not work in conditionals - domain_obj_id_change_exemption($1) - -- tunable_policy(`allow_kerberos',` -+ tunable_policy(`kerberos_enabled',` - allow $1 self:process setfscreate; - - selinux_validate_context($1) - - seutil_read_file_contexts($1) - -+ files_rw_generic_tmp_dir($1) -+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) - files_search_tmp($1) -- allow $1 krb5_host_rcache_t:file manage_file_perms; - ') - ') - - ######################################## - ## --## Create objects in generic temporary --## directories with the kerberos host --## rcache type. -+## All of the rules required to administrate -+## an kerberos environment - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## --## -+## - ## --## Class of the object being created. -+## The role to be allowed to manage the kerberos domain. 
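Review bot: The summary of `kerberos_manage_host_rcache` is changed to `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, which is the text of the preceding interface and wrong for one that manages replay-cache files; restore `## Create, read, write, and delete kerberos host rcache files.`. The interface body continues past the end of this hunk.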
-+## -+## -+## -+# -+interface(`kerberos_admin',` -+ gen_require(` -+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; -+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; -+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; -+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; -+ type krb5kdc_var_run_t, krb5_host_rcache_t; -+ ') -+ -+ allow $1 kadmind_t:process signal_perms; -+ ps_process_pattern($1, kadmind_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kadmind_t:process ptrace; -+ allow $1 krb5kdc_t:process ptrace; -+ allow $1 kpropd_t:process ptrace; -+ ') -+ -+ allow $1 krb5kdc_t:process signal_perms; -+ ps_process_pattern($1, krb5kdc_t) -+ -+ allow $1 kpropd_t:process signal_perms; -+ ps_process_pattern($1, kpropd_t) -+ -+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 kerberos_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_list_logs($1) -+ admin_pattern($1, kadmind_log_t) -+ -+ files_list_tmp($1) -+ admin_pattern($1, kadmind_tmp_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, kadmind_var_run_t) -+ -+ admin_pattern($1, krb5_conf_t) -+ -+ admin_pattern($1, krb5_host_rcache_t) -+ -+ admin_pattern($1, krb5_keytab_t) -+ -+ admin_pattern($1, krb5kdc_principal_t) -+ -+ admin_pattern($1, krb5kdc_tmp_t) -+ -+ admin_pattern($1, krb5kdc_var_run_t) -+') -+ -+######################################## -+## -+## Type transition files created in /tmp -+## to the krb5_host_rcache type. -+## -+## -+## -+## Domain allowed access. - ## - ## - ## -@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` - type krb5_host_rcache_t; - ') - -- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) -+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) -+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) - ') - - ######################################## - ## --## Connect to krb524 service. 
-+## read kerberos homedir content (.k5login) - ## - ## - ## -@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` - ## - ## - # --interface(`kerberos_connect_524',` -- tunable_policy(`allow_kerberos',` -- allow $1 self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled($1) -- corenet_all_recvfrom_netlabel($1) -- corenet_udp_sendrecv_generic_if($1) -- corenet_udp_sendrecv_generic_node($1) -- -- corenet_sendrecv_kerberos_master_client_packets($1) -- corenet_udp_sendrecv_kerberos_master_port($1) -+interface(`kerberos_read_home_content',` -+ gen_require(` -+ type krb5_home_t; - ') -+ -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, krb5_home_t, krb5_home_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an kerberos environment. -+## create kerberos content in the in the /root directory -+## with an correct label. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`kerberos_filetrans_admin_home_content',` -+ gen_require(` -+ type krb5_home_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") -+') -+ -+######################################## -+## -+## Transition to kerberos named content -+## -+## - ## --## Role allowed access. -+## Domain allowed access. 
- ## - ## --## - # --interface(`kerberos_admin',` -+interface(`kerberos_filetrans_home_content',` - gen_require(` -- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; -- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; -- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; -- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; -- type krb5kdc_var_run_t, krb5_host_rcache_t; -+ type krb5_home_t; - ') - -- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; -- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd }) -- -- init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 kerberos_initrc_exec_t system_r; -- allow $2 system_r; -- -- logging_list_logs($1) -- admin_pattern($1, kadmind_log_t) -- -- files_list_tmp($1) -- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t }) -- -- kerberos_tmp_filetrans_host_rcache($1, file, "host_0") -- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") -- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") -- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") -- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") -- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") -- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") -- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") -- -- files_list_pids($1) -- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) -+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") -+') - -- files_list_etc($1) -- admin_pattern($1, krb5_conf_t) -+######################################## -+## -+## Transition to kerberos named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`kerberos_filetrans_named_content',` -+ gen_require(` -+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; -+ type krb5kdc_principal_t; -+ ') - - files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") -- -- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) -- -+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") -- -- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab") -+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") -+ -+ kerberos_etc_filetrans_keytab($1, "krb5.keytab") -+ kerberos_filetrans_admin_home_content($1) -+ -+ kerberos_tmp_filetrans_host_rcache($1, "DNS_25") -+ kerberos_tmp_filetrans_host_rcache($1, "host_0") -+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") -+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48") -+ kerberos_tmp_filetrans_host_rcache($1, "imap_0") -+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0") -+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") -+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487") -+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") - ') -diff --git a/kerberos.te b/kerberos.te -index 3465a9a..353c4ce 100644 ---- a/kerberos.te -+++ b/kerberos.te -@@ -1,4 +1,4 @@ --policy_module(kerberos, 1.11.7) -+policy_module(kerberos, 1.11.0) - - ######################################## - # -@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7) - # - - ## --##

    --## Determine whether kerberos is supported. --##

    -+##

    -+## Allow confined applications to run with kerberos. -+##

    - ##
    --gen_tunable(allow_kerberos, false) -+gen_tunable(kerberos_enabled, false) - - type kadmind_t; - type kadmind_exec_t; -@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) - domain_obj_id_change_exemption(kpropd_t) - - type krb5_conf_t; --files_type(krb5_conf_t) -+files_config_file(krb5_conf_t) - - type krb5_home_t; - userdom_user_home_content(krb5_home_t) - --type krb5_host_rcache_t; -+type krb5_host_rcache_t alias saslauthd_tmp_t; - files_tmp_file(krb5_host_rcache_t) - -+# types for general configuration files in /etc - type krb5_keytab_t; - files_security_file(krb5_keytab_t) - -+# types for KDC configs and principal file(s) - type krb5kdc_conf_t; --files_type(krb5kdc_conf_t) -+files_config_file(krb5kdc_conf_t) - - type krb5kdc_lock_t; --files_type(krb5kdc_lock_t) -+files_lock_file(krb5kdc_lock_t) - -+ -+# types for KDC principal file(s) - type krb5kdc_principal_t; - files_type(krb5kdc_principal_t) - -@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) - # kadmind local policy - # - -+# Use capabilities. Surplus capabilities may be allowed. 
- allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; --dontaudit kadmind_t self:capability sys_tty_config; - allow kadmind_t self:capability2 block_suspend; -+dontaudit kadmind_t self:capability sys_tty_config; - allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; - allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; --allow kadmind_t self:tcp_socket { accept listen }; -+allow kadmind_t self:unix_dgram_socket { connect create write }; -+allow kadmind_t self:tcp_socket connected_stream_socket_perms; - allow kadmind_t self:udp_socket create_socket_perms; - --allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+allow kadmind_t kadmind_log_t:file manage_file_perms; - logging_log_filetrans(kadmind_t, kadmind_log_t, file) - - allow kadmind_t krb5_conf_t:file read_file_perms; --dontaudit kadmind_t krb5_conf_t:file write_file_perms; -+dontaudit kadmind_t krb5_conf_t:file write; - --read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) --dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; -+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) - - allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - - allow kadmind_t krb5kdc_principal_t:file manage_file_perms; - filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) - -+can_exec(kadmind_t, kadmind_exec_t) -+ - manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) - manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) - files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) -@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) - manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) - files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) - --can_exec(kadmind_t, kadmind_exec_t) -- - kernel_read_kernel_sysctls(kadmind_t) -+kernel_list_proc(kadmind_t) - 
kernel_read_network_state(kadmind_t) -+kernel_read_proc_symlinks(kadmind_t) - kernel_read_system_state(kadmind_t) - --corenet_all_recvfrom_unlabeled(kadmind_t) -+corecmd_exec_bin(kadmind_t) -+corecmd_exec_shell(kadmind_t) -+ - corenet_all_recvfrom_netlabel(kadmind_t) - corenet_tcp_sendrecv_generic_if(kadmind_t) - corenet_udp_sendrecv_generic_if(kadmind_t) -@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) - corenet_udp_sendrecv_all_ports(kadmind_t) - corenet_tcp_bind_generic_node(kadmind_t) - corenet_udp_bind_generic_node(kadmind_t) -- --corenet_sendrecv_all_server_packets(kadmind_t) - corenet_tcp_bind_kerberos_admin_port(kadmind_t) -+corenet_tcp_bind_kerberos_password_port(kadmind_t) - corenet_udp_bind_kerberos_admin_port(kadmind_t) -+corenet_udp_bind_kerberos_password_port(kadmind_t) - corenet_tcp_bind_reserved_port(kadmind_t) -+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) -+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) -+corenet_sendrecv_kerberos_password_server_packets(kadmind_t) -+corenet_tcp_connect_kprop_port(kadmind_t) - - dev_read_sysfs(kadmind_t) -+dev_read_rand(kadmind_t) -+dev_read_urand(kadmind_t) - - fs_getattr_all_fs(kadmind_t) - fs_search_auto_mountpoints(kadmind_t) -+fs_rw_anon_inodefs_files(kadmind_t) - - domain_use_interactive_fds(kadmind_t) - --files_read_etc_files(kadmind_t) --files_read_usr_files(kadmind_t) -+files_read_usr_symlinks(kadmind_t) - files_read_var_files(kadmind_t) - - selinux_validate_context(kadmind_t) - -+auth_read_passwd(kadmind_t) -+ - logging_send_syslog_msg(kadmind_t) - --miscfiles_read_localization(kadmind_t) -+miscfiles_read_generic_certs(kadmind_t) - -+seutil_read_config(kadmind_t) - seutil_read_file_contexts(kadmind_t) - -+sysnet_read_config(kadmind_t) - sysnet_use_ldap(kadmind_t) - - userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,6 +173,10 @@ optional_policy(` - ') - - optional_policy(` -+ dirsrv_stream_connect(kadmind_t) -+') -+ -+optional_policy(` - 
nis_use_ypbind(kadmind_t) - ') - -@@ -174,24 +197,27 @@ optional_policy(` - # Krb5kdc local policy - # - -+# Use capabilities. Surplus capabilities may be allowed. - allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; --dontaudit krb5kdc_t self:capability sys_tty_config; - allow krb5kdc_t self:capability2 block_suspend; -+dontaudit krb5kdc_t self:capability sys_tty_config; - allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; - allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; --allow krb5kdc_t self:tcp_socket { accept listen }; -+allow krb5kdc_t self:tcp_socket create_stream_socket_perms; - allow krb5kdc_t self:udp_socket create_socket_perms; - allow krb5kdc_t self:fifo_file rw_fifo_file_perms; - - allow krb5kdc_t krb5_conf_t:file read_file_perms; - dontaudit krb5kdc_t krb5_conf_t:file write; - -+can_exec(krb5kdc_t, krb5kdc_exec_t) -+ - read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) --dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms; -+dontaudit krb5kdc_t krb5kdc_conf_t:file write; - - allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - --allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; - logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) - - allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) - files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - --can_exec(krb5kdc_t, krb5kdc_exec_t) -- - kernel_read_system_state(krb5kdc_t) - kernel_read_kernel_sysctls(krb5kdc_t) -+kernel_list_proc(krb5kdc_t) -+kernel_read_proc_symlinks(krb5kdc_t) - kernel_read_network_state(krb5kdc_t) - kernel_search_network_sysctl(krb5kdc_t) - - corecmd_exec_bin(krb5kdc_t) - 
--corenet_all_recvfrom_unlabeled(krb5kdc_t) - corenet_all_recvfrom_netlabel(krb5kdc_t) - corenet_tcp_sendrecv_generic_if(krb5kdc_t) - corenet_udp_sendrecv_generic_if(krb5kdc_t) - corenet_tcp_sendrecv_generic_node(krb5kdc_t) - corenet_udp_sendrecv_generic_node(krb5kdc_t) -+corenet_tcp_sendrecv_all_ports(krb5kdc_t) -+corenet_udp_sendrecv_all_ports(krb5kdc_t) - corenet_tcp_bind_generic_node(krb5kdc_t) - corenet_udp_bind_generic_node(krb5kdc_t) -- --corenet_sendrecv_kerberos_server_packets(krb5kdc_t) - corenet_tcp_bind_kerberos_port(krb5kdc_t) - corenet_udp_bind_kerberos_port(krb5kdc_t) --corenet_tcp_sendrecv_kerberos_port(krb5kdc_t) --corenet_udp_sendrecv_kerberos_port(krb5kdc_t) -- --corenet_sendrecv_ocsp_client_packets(krb5kdc_t) - corenet_tcp_connect_ocsp_port(krb5kdc_t) --corenet_tcp_sendrecv_ocsp_port(krb5kdc_t) -+corenet_sendrecv_kerberos_server_packets(krb5kdc_t) -+corenet_sendrecv_ocsp_client_packets(krb5kdc_t) - - dev_read_sysfs(krb5kdc_t) -+dev_read_urand(krb5kdc_t) - - fs_getattr_all_fs(krb5kdc_t) - fs_search_auto_mountpoints(krb5kdc_t) -+fs_rw_anon_inodefs_files(krb5kdc_t) - - domain_use_interactive_fds(krb5kdc_t) - --files_read_etc_files(krb5kdc_t) - files_read_usr_symlinks(krb5kdc_t) - files_read_var_files(krb5kdc_t) - - selinux_validate_context(krb5kdc_t) - -+auth_read_passwd(krb5kdc_t) -+ - logging_send_syslog_msg(krb5kdc_t) - - miscfiles_read_generic_certs(krb5kdc_t) --miscfiles_read_localization(krb5kdc_t) - - seutil_read_file_contexts(krb5kdc_t) - -+sysnet_read_config(krb5kdc_t) - sysnet_use_ldap(krb5kdc_t) - - userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +286,11 @@ optional_policy(` - ') - - optional_policy(` -- nis_use_ypbind(krb5kdc_t) -+ dirsrv_stream_connect(krb5kdc_t) - ') - - optional_policy(` -- sssd_read_public_files(krb5kdc_t) -+ nis_use_ypbind(krb5kdc_t) - ') - - optional_policy(` -@@ -273,6 +298,10 @@ optional_policy(` - ') - - optional_policy(` -+ sssd_read_public_files(krb5kdc_t) -+') -+ -+optional_policy(` - 
udev_read_db(krb5kdc_t) - ') - -@@ -281,10 +310,12 @@ optional_policy(` - # kpropd local policy - # - -+allow kpropd_t self:capability net_bind_service; - allow kpropd_t self:process setfscreate; --allow kpropd_t self:fifo_file rw_fifo_file_perms; --allow kpropd_t self:unix_stream_socket { accept listen }; --allow kpropd_t self:tcp_socket { accept listen }; -+ -+allow kpropd_t self:fifo_file rw_file_perms; -+allow kpropd_t self:unix_stream_socket create_stream_socket_perms; -+allow kpropd_t self:tcp_socket create_stream_socket_perms; - - allow kpropd_t krb5_host_rcache_t:file manage_file_perms; - -@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) - - corecmd_exec_bin(kpropd_t) - --corenet_all_recvfrom_unlabeled(kpropd_t) - corenet_tcp_sendrecv_generic_if(kpropd_t) - corenet_tcp_sendrecv_generic_node(kpropd_t) -+corenet_tcp_sendrecv_all_ports(kpropd_t) - corenet_tcp_bind_generic_node(kpropd_t) -- --corenet_sendrecv_kprop_server_packets(kpropd_t) - corenet_tcp_bind_kprop_port(kpropd_t) --corenet_tcp_sendrecv_kprop_port(kpropd_t) - - dev_read_urand(kpropd_t) - --files_read_etc_files(kpropd_t) - files_search_tmp(kpropd_t) - - selinux_validate_context(kpropd_t) - - logging_send_syslog_msg(kpropd_t) - --miscfiles_read_localization(kpropd_t) -- - seutil_read_file_contexts(kpropd_t) - - sysnet_dns_name_resolve(kpropd_t) -diff --git a/kerneloops.if b/kerneloops.if -index 714448f..fa0c994 100644 ---- a/kerneloops.if -+++ b/kerneloops.if -@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',` - # - interface(`kerneloops_admin',` - gen_require(` -- type kerneloops_t, kerneloops_initrc_exec_t; -- type kerneloops_tmp_t; -+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; - ') - -- allow $1 kerneloops_t:process { ptrace signal_perms }; -+ allow $1 kerneloops_t:process signal_perms; - ps_process_pattern($1, kerneloops_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kerneloops_t:process ptrace; -+ ') -+ - 
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; -diff --git a/kerneloops.te b/kerneloops.te -index 1101985..7f1061d 100644 ---- a/kerneloops.te -+++ b/kerneloops.te -@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t) - - domain_use_interactive_fds(kerneloops_t) - --corenet_all_recvfrom_unlabeled(kerneloops_t) - corenet_all_recvfrom_netlabel(kerneloops_t) - corenet_tcp_sendrecv_generic_if(kerneloops_t) - corenet_tcp_sendrecv_generic_node(kerneloops_t) -@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t) - logging_send_syslog_msg(kerneloops_t) - logging_read_generic_logs(kerneloops_t) - --miscfiles_read_localization(kerneloops_t) -- - optional_policy(` - dbus_system_domain(kerneloops_t, kerneloops_exec_t) - ') -diff --git a/keyboardd.if b/keyboardd.if -index 8982b91..6134ef2 100644 ---- a/keyboardd.if -+++ b/keyboardd.if -@@ -1,19 +1,39 @@ --## Xorg.conf keyboard layout callout. - --###################################### -+## policy for system-setup-keyboard daemon -+ -+######################################## - ## --## Read keyboardd unnamed pipes. -+## Execute a domain transition to run keyboard setup daemon. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # --interface(`keyboardd_read_pipes',` -+interface(`keyboardd_domtrans',` - gen_require(` -- type keyboardd_t; -+ type keyboardd_t, keyboardd_exec_t; -+ ') -+ -+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t) -+') -+ -+###################################### -+## -+## Allow attempts to read to -+## keyboardd unnamed pipes. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`keyboardd_read_pipes',` -+ gen_require(` -+ type keyboardd_t; - ') - -- allow $1 keyboardd_t:fifo_file read_fifo_file_perms; -+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms; - ') -diff --git a/keyboardd.te b/keyboardd.te -index adfe3dc..a60b664 100644 ---- a/keyboardd.te -+++ b/keyboardd.te -@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; - - files_manage_etc_runtime_files(keyboardd_t) - files_etc_filetrans_etc_runtime(keyboardd_t, file) --files_read_etc_files(keyboardd_t) -- --miscfiles_read_localization(keyboardd_t) -diff --git a/keystone.fc b/keystone.fc -index b273d80..186cd86 100644 ---- a/keystone.fc -+++ b/keystone.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0) -+ - /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) - - /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) -diff --git a/keystone.if b/keystone.if -index d3e7fc9..f20248c 100644 ---- a/keystone.if -+++ b/keystone.if -@@ -1,42 +1,218 @@ --## Python implementation of the OpenStack identity service API. -+ -+## policy for keystone - - ######################################## - ## --## All of the rules required to --## administrate an keystone environment. -+## Transition to keystone. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`keystone_domtrans',` -+ gen_require(` -+ type keystone_t, keystone_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, keystone_exec_t, keystone_t) -+') -+######################################## -+## -+## Read keystone's log files. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## -+## -+# -+interface(`keystone_read_log',` -+ gen_require(` -+ type keystone_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, keystone_log_t, keystone_log_t) -+') -+ -+######################################## -+## -+## Append to keystone log files. -+## -+## - ## --## Role allowed access. -+## Domain allowed access. -+## -+## -+# -+interface(`keystone_append_log',` -+ gen_require(` -+ type keystone_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, keystone_log_t, keystone_log_t) -+') -+ -+######################################## -+## -+## Manage keystone log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`keystone_manage_log',` -+ gen_require(` -+ type keystone_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, keystone_log_t, keystone_log_t) -+ manage_files_pattern($1, keystone_log_t, keystone_log_t) -+ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t) -+') -+ -+######################################## -+## -+## Search keystone lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`keystone_search_lib',` -+ gen_require(` -+ type keystone_var_lib_t; -+ ') -+ -+ allow $1 keystone_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read keystone lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`keystone_read_lib_files',` -+ gen_require(` -+ type keystone_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t) -+') -+ -+######################################## -+## -+## Manage keystone lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`keystone_manage_lib_files',` -+ gen_require(` -+ type keystone_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t) -+') -+ -+######################################## -+## -+## Manage keystone lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`keystone_manage_lib_dirs',` -+ gen_require(` -+ type keystone_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t) -+') -+ -+######################################## -+## -+## Execute keystone server in the keystone domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`keystone_systemctl',` -+ gen_require(` -+ type keystone_t; -+ type keystone_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 keystone_unit_file_t:file read_file_perms; -+ allow $1 keystone_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, keystone_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an keystone environment -+## -+## -+## -+## Domain allowed access. 
- ## - ## --## - # - interface(`keystone_admin',` - gen_require(` -- type keystone_t, keystone_initrc_exec_t, keystone_log_t; -- type keystone_var_lib_t, keystone_tmp_t; -+ type keystone_t; -+ type keystone_log_t; -+ type keystone_var_lib_t; -+ type keystone_unit_file_t; - ') - - allow $1 keystone_t:process { ptrace signal_perms }; - ps_process_pattern($1, keystone_t) - -- init_labeled_script_domtrans($1, keystone_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 keystone_initrc_exec_t system_r; -- allow $2 system_r; -- - logging_search_logs($1) - admin_pattern($1, keystone_log_t) - -- files_search_var_lib($1 -+ files_search_var_lib($1) - admin_pattern($1, keystone_var_lib_t) - -- files_search_tmp($1) -- admin_pattern($1, keystone_tmp_t) -+ keystone_systemctl($1) -+ admin_pattern($1, keystone_unit_file_t) -+ allow $1 keystone_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/keystone.te b/keystone.te -index 3494d9b..a82637c 100644 ---- a/keystone.te -+++ b/keystone.te -@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) - type keystone_tmp_t; - files_tmp_file(keystone_tmp_t) - -+type keystone_unit_file_t; -+systemd_unit_file(keystone_unit_file_t) -+ - ######################################## - # - # Local policy - # -+allow keystone_t self:process { getsched setsched }; - - allow keystone_t self:fifo_file rw_fifo_file_perms; - allow keystone_t self:unix_stream_socket { accept listen }; -@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t) - corenet_tcp_sendrecv_generic_if(keystone_t) - corenet_tcp_sendrecv_generic_node(keystone_t) - corenet_tcp_bind_generic_node(keystone_t) -+corenet_tcp_connect_mysqld_port(keystone_t) -+ -+corenet_tcp_connect_mysqld_port(keystone_t) - - corenet_sendrecv_commplex_main_server_packets(keystone_t) - corenet_tcp_bind_commplex_main_port(keystone_t) - 
corenet_tcp_sendrecv_commplex_main_port(keystone_t) - --files_read_usr_files(keystone_t) -+corenet_tcp_bind_keystone_port(keystone_t) - - auth_use_pam(keystone_t) - - libs_exec_ldconfig(keystone_t) - --miscfiles_read_localization(keystone_t) -- - optional_policy(` - mysql_stream_connect(keystone_t) - mysql_tcp_connect(keystone_t) - ') -+ -+optional_policy(` -+ postgresql_stream_connect(keystone_t) -+') -+ -+optional_policy(` -+ rpm_exec(keystone_t) -+') -diff --git a/kismet.if b/kismet.if -index aa2a337..7ff229f 100644 ---- a/kismet.if -+++ b/kismet.if -@@ -283,7 +283,7 @@ interface(`kismet_manage_log',` - interface(`kismet_admin',` - gen_require(` - type kismet_t, kismet_var_lib_t, kismet_var_run_t; -- type kismet_log_t, kismet_tmp_t; -+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, kismet_initrc_exec_t) -@@ -292,7 +292,11 @@ interface(`kismet_admin',` - allow $2 system_r; - - ps_process_pattern($1, kismet_t) -- allow $1 kismet_t:process { ptrace signal_perms }; -+ allow $1 kismet_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kismet_t:process ptrace; -+ ') - - files_search_var_lib($1) - admin_pattern($1, kismet_var_lib_t) -diff --git a/kismet.te b/kismet.te -index ea64ed5..e60f701 100644 ---- a/kismet.te -+++ b/kismet.te -@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t) - - corecmd_exec_bin(kismet_t) - --corenet_all_recvfrom_unlabeled(kismet_t) - corenet_all_recvfrom_netlabel(kismet_t) - corenet_tcp_sendrecv_generic_if(kismet_t) - corenet_tcp_sendrecv_generic_node(kismet_t) - corenet_tcp_bind_generic_node(kismet_t) - --corenet_sendrecv_kismet_server_packets(kismet_t) --corenet_tcp_bind_kismet_port(kismet_t) --corenet_sendrecv_kismet_client_packets(kismet_t) --corenet_tcp_connect_kismet_port(kismet_t) --corenet_tcp_sendrecv_kismet_port(kismet_t) -+corenet_tcp_connect_pulseaudio_port(kismet_t) - --auth_use_nsswitch(kismet_t) -- --files_read_usr_files(kismet_t) 
-+corenet_sendrecv_rtsclient_server_packets(kismet_t) -+corenet_tcp_bind_rtsclient_port(kismet_t) -+corenet_sendrecv_rtsclient_client_packets(kismet_t) -+corenet_tcp_connect_rtsclient_port(kismet_t) - --miscfiles_read_localization(kismet_t) -+auth_use_nsswitch(kismet_t) - --userdom_use_user_terminals(kismet_t) -+userdom_use_inherited_user_terminals(kismet_t) -+userdom_read_user_tmpfs_files(kismet_t) - - optional_policy(` - dbus_system_bus_client(kismet_t) -diff --git a/ksmtuned.fc b/ksmtuned.fc -index e736c45..4b1e1e4 100644 ---- a/ksmtuned.fc -+++ b/ksmtuned.fc -@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) - -+/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0) -+ - /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) - - /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) -diff --git a/ksmtuned.if b/ksmtuned.if -index c530214..3ac0b8b 100644 ---- a/ksmtuned.if -+++ b/ksmtuned.if -@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` - init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) - ') - -+####################################### -+## -+## Execute ksmtuned server in the ksmtunedd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ksmtuned_systemctl',` -+ gen_require(` -+ type ksmtuned_unit_file_t; -+ type ksmtuned_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 ksmtuned_unit_file_t:file read_file_perms; -+ allow $1 ksmtuned_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ksmtuned_t) -+') -+ - ######################################## - ## - ## All of the rules required to -@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',` - ## Domain allowed access. - ## - ## --## --## --## Role allowed access. 
--## --## - ## - # - interface(`ksmtuned_admin',` - gen_require(` -- type ksmtuned_t, ksmtuned_var_run_t; -- type ksmtuned_initrc_exec_t, ksmtuned_log_t; -+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t; -+ type ksmtuned_log_t; - ') - -- ksmtuned_initrc_domtrans($1) -- domain_system_change_exemption($1) -- role_transition $2 ksmtuned_initrc_exec_t system_r; -- allow $2 system_r; -+ allow $1 ksmtuned_t:process signal_perms; -+ ps_process_pattern($1, ksmtuned_t) - -- allow $1 ksmtuned_t:process { ptrace signal_perms }; -- ps_process_pattern(ksmtumed_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ksmtuned_t:process ptrace; -+ ') - - files_list_pids($1) - admin_pattern($1, ksmtuned_var_run_t) - - logging_search_logs($1) - admin_pattern($1, ksmtuned_log_t) -+ -+ ksmtuned_systemctl($1) -+ admin_pattern($1, ksmtuned_unit_file_t) -+ allow $1 ksmtuned_unit_file_t:service all_service_perms; - ') -diff --git a/ksmtuned.te b/ksmtuned.te -index c1539b5..fd0a17f 100644 ---- a/ksmtuned.te -+++ b/ksmtuned.te -@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1) - # Declarations - # - -+## -+##

    -+## Allow ksmtuned to use nfs file systems -+##

    -+##
    -+gen_tunable(ksmtuned_use_nfs, false) -+ -+## -+##

    -+## Allow ksmtuned to use cifs/Samba file systems -+##

    -+##
    -+gen_tunable(ksmtuned_use_cifs, false) -+ - type ksmtuned_t; - type ksmtuned_exec_t; - init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) - -+type ksmtuned_unit_file_t; -+systemd_unit_file(ksmtuned_unit_file_t) -+ - type ksmtuned_initrc_exec_t; - init_script_file(ksmtuned_initrc_exec_t) - -@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t) - dev_rw_sysfs(ksmtuned_t) - - domain_read_all_domains_state(ksmtuned_t) -+domain_dontaudit_read_all_domains_state(ksmtuned_t) - - mls_file_read_to_clearance(ksmtuned_t) - -@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t) - - logging_send_syslog_msg(ksmtuned_t) - --miscfiles_read_localization(ksmtuned_t) -+tunable_policy(`ksmtuned_use_nfs',` -+ fs_read_nfs_files(ksmtuned_t) -+') -+ -+tunable_policy(`ksmtuned_use_cifs',` -+ fs_read_cifs_files(ksmtuned_t) -+ samba_read_share_files(ksmtuned_t) -+') -diff --git a/ktalk.fc b/ktalk.fc -index 38ecb07..451067e 100644 ---- a/ktalk.fc -+++ b/ktalk.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0) -+ - /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - - /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) -diff --git a/ktalk.if b/ktalk.if -index 19777b8..55d1556 100644 ---- a/ktalk.if -+++ b/ktalk.if -@@ -1 +1,76 @@ --## KDE Talk daemon. -+ -+## talk-server - daemon programs for the Internet talk -+ -+######################################## -+## -+## Execute TEMPLATE in the ktalkd domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ktalk_domtrans',` -+ gen_require(` -+ type ktalkd_t, ktalkd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t) -+') -+######################################## -+## -+## Execute ktalkd server in the ktalkd domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`ktalk_systemctl',` -+ gen_require(` -+ type ktalkd_t; -+ type ktalkd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 ktalkd_unit_file_t:file read_file_perms; -+ allow $1 ktalkd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ktalkd_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ktalkd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`ktalk_admin',` -+ gen_require(` -+ type ktalkd_t; -+ type ktalkd_unit_file_t; -+ ') -+ -+ allow $1 ktalkd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ktalkd_t) -+ -+ ktalk_systemctl($1) -+ admin_pattern($1, ktalkd_unit_file_t) -+ allow $1 ktalkd_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/ktalk.te b/ktalk.te -index 2cf3815..a43a4f6 100644 ---- a/ktalk.te -+++ b/ktalk.te -@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) - - type ktalkd_t; - type ktalkd_exec_t; -+init_domain(ktalkd_t, ktalkd_exec_t) - inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) - - type ktalkd_log_t; - logging_log_file(ktalkd_log_t) - -+type ktalkd_unit_file_t; -+systemd_unit_file(ktalkd_unit_file_t) -+ - type ktalkd_tmp_t; - files_tmp_file(ktalkd_tmp_t) - -@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t) - kernel_read_system_state(ktalkd_t) - kernel_read_network_state(ktalkd_t) - -+corenet_all_recvfrom_netlabel(ktalkd_t) -+corenet_tcp_sendrecv_generic_if(ktalkd_t) -+corenet_udp_sendrecv_generic_if(ktalkd_t) -+corenet_tcp_sendrecv_generic_node(ktalkd_t) -+corenet_udp_sendrecv_generic_node(ktalkd_t) -+corenet_tcp_sendrecv_all_ports(ktalkd_t) -+corenet_udp_sendrecv_all_ports(ktalkd_t) -+corenet_udp_bind_ktalkd_port(ktalkd_t) -+ - dev_read_urand(ktalkd_t) - - fs_getattr_xattr_fs(ktalkd_t) - --term_use_all_terms(ktalkd_t) 
-+term_search_ptys(ktalkd_t) -+term_use_all_inherited_terms(ktalkd_t) - - auth_use_nsswitch(ktalkd_t) - - init_read_utmp(ktalkd_t) - - logging_send_syslog_msg(ktalkd_t) -- --miscfiles_read_localization(ktalkd_t) -diff --git a/kudzu.if b/kudzu.if -index 5297064..6ba8108 100644 ---- a/kudzu.if -+++ b/kudzu.if -@@ -86,9 +86,13 @@ interface(`kudzu_admin',` - type kudzu_tmp_t; - ') - -- allow $1 kudzu_t:process { ptrace signal_perms }; -+ allow $1 kudzu_t:process { signal_perms }; - ps_process_pattern($1, kudzu_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kudzu_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, kudzu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kudzu_initrc_exec_t system_r; -diff --git a/kudzu.te b/kudzu.te -index 9725f1a..34aa63b 100644 ---- a/kudzu.te -+++ b/kudzu.te -@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) - domain_use_interactive_fds(kudzu_t) - - files_read_kernel_modules(kudzu_t) --files_read_usr_files(kudzu_t) - files_search_locks(kudzu_t) - files_manage_etc_files(kudzu_t) - files_manage_etc_runtime_files(kudzu_t) -@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t) - logging_send_syslog_msg(kudzu_t) - - miscfiles_read_hwdata(kudzu_t) --miscfiles_read_localization(kudzu_t) - - sysnet_read_config(kudzu_t) - --userdom_use_user_terminals(kudzu_t) -+userdom_use_inherited_user_terminals(kudzu_t) - userdom_dontaudit_use_unpriv_user_fds(kudzu_t) - userdom_search_user_home_dirs(kudzu_t) - -@@ -122,10 +120,6 @@ optional_policy(` - ') - - optional_policy(` -- nscd_use(kudzu_t) --') -- --optional_policy(` - seutil_sigchld_newrole(kudzu_t) - ') - -diff --git a/l2tp.fc b/l2tp.fc -index d5d1572..82267a7 100644 ---- a/l2tp.fc -+++ b/l2tp.fc -@@ -5,6 +5,7 @@ - /etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0) - - /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) -+/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0) - - /var/run/.*l2tpd(/.*)? 
gen_context(system_u:object_r:l2tpd_var_run_t,s0) - /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) -diff --git a/l2tp.if b/l2tp.if -index 73e2803..2fc7570 100644 ---- a/l2tp.if -+++ b/l2tp.if -@@ -1,9 +1,45 @@ --## Layer 2 Tunneling Protocol. -+## Layer 2 Tunneling Protocol daemons. - - ######################################## - ## --## Send to l2tpd with a unix --## domain dgram socket. -+## Transition to l2tpd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`l2tpd_domtrans',` -+ gen_require(` -+ type l2tpd_t, l2tpd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t) -+') -+ -+######################################## -+## -+## Execute l2tpd server in the l2tpd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_initrc_domtrans',` -+ gen_require(` -+ type l2tpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Send to l2tpd via a unix dgram socket. - ## - ## - ## -@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',` - type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; - ') - -- files_search_pids($1) - files_search_tmp($1) - dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) - ') -@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',` - allow $1 l2tpd_t:socket rw_socket_perms; - ') - -+######################################## -+## -+## Read l2tpd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_read_pid_files',` -+ gen_require(` -+ type l2tpd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 l2tpd_var_run_t:file read_file_perms; -+') -+ - ##################################### - ## --## Connect to l2tpd with a unix --## domain stream socket. -+## Connect to l2tpd over a unix domain -+## stream socket. 
- ## - ## - ## -@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',` - ') - - files_search_pids($1) -- files_search_tmp($1) -- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) -+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t) -+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an l2tp environment. -+## Read and write l2tpd unnamed pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_rw_pipes',` -+ gen_require(` -+ type l2tpd_t; -+ ') -+ -+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms; -+') -+ -+######################################## -+## -+## Allow send a signal to l2tpd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_signal',` -+ gen_require(` -+ type l2tpd_t; -+ ') -+ -+ allow $1 l2tpd_t:process signal; -+') -+ -+######################################## -+## -+## Allow send signull to l2tpd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_signull',` -+ gen_require(` -+ type l2tpd_t; -+ ') -+ -+ allow $1 l2tpd_t:process signull; -+') -+ -+######################################## -+## -+## Allow send sigkill to l2tpd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_sigkill',` -+ gen_require(` -+ type l2tpd_t; -+ ') -+ -+ allow $1 l2tpd_t:process sigkill; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## l2tpd over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`l2tpd_dbus_chat',` -+ gen_require(` -+ type l2tpd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 l2tpd_t:dbus send_msg; -+ allow l2tpd_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an l2tpd environment - ## - ## - ## -@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',` - ## - ## - # --interface(`l2tp_admin',` -+interface(`l2tpd_admin',` - gen_require(` - type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; -- type l2tp_conf_t, l2tpd_tmp_t; -+ type l2tp_etc_t, l2tpd_tmp_t; - ') - -- allow $1 l2tpd_t:process { ptrace signal_perms }; -+ allow $1 l2tpd_t:process signal_perms; - ps_process_pattern($1, l2tpd_t) - -- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 l2tpd_t:process ptrace; -+ ') -+ -+ l2tpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 l2tpd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) -- admin_pattern($1, l2tp_conf_t) -+ admin_pattern($1, l2tp_etc_t) - - files_search_pids($1) - admin_pattern($1, l2tpd_var_run_t) -diff --git a/l2tp.te b/l2tp.te -index 19f2b97..bbbda10 100644 ---- a/l2tp.te -+++ b/l2tp.te -@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) - # - - allow l2tpd_t self:capability net_admin; --allow l2tpd_t self:process signal; -+allow l2tpd_t self:process signal_perms; - allow l2tpd_t self:fifo_file rw_fifo_file_perms; - allow l2tpd_t self:netlink_socket create_socket_perms; - allow l2tpd_t self:rawip_socket create_socket_perms; -@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) - manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) - manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) - manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) --files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) -+files_pid_filetrans(l2tpd_t, 
l2tpd_var_run_t, { dir file sock_file fifo_file }) - - manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) - files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) - -+can_exec(l2tpd_t, l2tpd_exec_t) -+ - corenet_all_recvfrom_unlabeled(l2tpd_t) - corenet_all_recvfrom_netlabel(l2tpd_t) - corenet_raw_sendrecv_generic_if(l2tpd_t) -@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t) - - dev_read_urand(l2tpd_t) - --files_read_etc_files(l2tpd_t) -- - term_setattr_generic_ptys(l2tpd_t) - term_use_generic_ptys(l2tpd_t) - term_use_ptmx(l2tpd_t) - --logging_send_syslog_msg(l2tpd_t) -+auth_read_passwd(l2tpd_t) - --miscfiles_read_localization(l2tpd_t) -+logging_send_syslog_msg(l2tpd_t) - - sysnet_dns_name_resolve(l2tpd_t) - - optional_policy(` -+ dbus_system_bus_client(l2tpd_t) -+ dbus_connect_system_bus(l2tpd_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(l2tpd_t) -+ ') -+') -+ -+optional_policy(` -+ ipsec_domtrans_mgmt(l2tpd_t) -+ ipsec_mgmt_read_pid(l2tpd_t) -+ ipsec_filetrans_key_file(l2tpd_t) -+ ipsec_manage_key_file(l2tpd_t) -+') -+ -+optional_policy(` -+ networkmanager_read_pid_files(l2tpd_t) -+') -+ -+optional_policy(` - ppp_domtrans(l2tpd_t) - ppp_signal(l2tpd_t) - ppp_kill(l2tpd_t) -diff --git a/ldap.fc b/ldap.fc -index bc25c95..6692d91 100644 ---- a/ldap.fc -+++ b/ldap.fc -@@ -1,8 +1,11 @@ - /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) --/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) -+ -+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) - /etc/openldap/slapd\.d(/.*)? 
gen_context(system_u:object_r:slapd_db_t,s0) - --/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0) - - /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -@@ -17,8 +20,7 @@ - /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) - /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) - --/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) --/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) --/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) --/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) --/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -diff --git a/ldap.if b/ldap.if -index ee0c7cc..c54e3d2 100644 ---- a/ldap.if -+++ b/ldap.if -@@ -1,8 +1,68 @@ --## OpenLDAP directory server. -+## OpenLDAP directory server -+ -+####################################### -+## -+## Execute OpenLDAP in the ldap domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ldap_domtrans',` -+ gen_require(` -+ type slapd_t, slapd_exec_t; -+ ') -+ -+ domtrans_pattern($1, slapd_exec_t, slapd_t) -+') -+ -+####################################### -+## -+## Execute OpenLDAP server in the ldap domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`ldap_initrc_domtrans',` -+ gen_require(` -+ type slapd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, slapd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Execute slapd server in the slapd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ldap_systemctl',` -+ gen_require(` -+ type slapd_unit_file_t; -+ type slapd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 slapd_unit_file_t:file read_file_perms; -+ allow $1 slapd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, slapd_t) -+') - - ######################################## - ## --## List ldap database directories. -+## Read the contents of the OpenLDAP -+## database directories. - ## - ## - ## -@@ -15,13 +75,31 @@ interface(`ldap_list_db',` - type slapd_db_t; - ') - -- files_search_etc($1) - allow $1 slapd_db_t:dir list_dir_perms; - ') - - ######################################## - ## --## Read ldap configuration files. -+## Read the contents of the OpenLDAP -+## database files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ldap_read_db_files',` -+ gen_require(` -+ type slapd_db_t; -+ ') -+ -+ read_files_pattern($1, slapd_db_t, slapd_db_t) -+') -+ -+######################################## -+## -+## Read the OpenLDAP configuration files. - ## - ## - ## -@@ -41,22 +119,27 @@ interface(`ldap_read_config',` - - ######################################## - ## --## Use LDAP over TCP connection. (Deprecated) -+## Read the OpenLDAP cert files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`ldap_use',` -- refpolicywarn(`$0($*) has been deprecated.') -+interface(`ldap_read_certs',` -+ gen_require(` -+ type slapd_cert_t; -+ ') -+ -+ files_search_etc($1) -+ read_files_pattern($1, slapd_cert_t, slapd_cert_t) - ') - - ######################################## - ## --## Connect to slapd over an unix --## stream socket. 
-+## Use LDAP over TCP connection. (Deprecated) - ## - ## - ## -@@ -64,18 +147,13 @@ interface(`ldap_use',` - ## - ## - # --interface(`ldap_stream_connect',` -- gen_require(` -- type slapd_t, slapd_var_run_t; -- ') -- -- files_search_pids($1) -- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) -+interface(`ldap_use',` -+ refpolicywarn(`$0($*) has been deprecated.') - ') - - ######################################## - ## --## Connect to ldap over the network. -+## Connect to slapd over an unix stream socket. - ## - ## - ## -@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',` - ## - ## - # --interface(`ldap_tcp_connect',` -+interface(`ldap_stream_connect',` - gen_require(` -- type slapd_t; -+ type slapd_t, slapd_var_run_t; - ') - -- corenet_sendrecv_ldap_client_packets($1) -- corenet_tcp_connect_ldap_port($1) -- corenet_tcp_recvfrom_labeled($1, slapd_t) -- corenet_tcp_sendrecv_ldap_port($1) -+ files_search_pids($1) -+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an ldap environment. -+## All of the rules required to administrate -+## an ldap environment - ## - ## - ## -@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the ldap domain. 
- ## - ## - ## -@@ -115,28 +191,28 @@ interface(`ldap_admin',` - gen_require(` - type slapd_t, slapd_tmp_t, slapd_replog_t; - type slapd_lock_t, slapd_etc_t, slapd_var_run_t; -- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; -- type slapd_db_t; -+ type slapd_initrc_exec_t; -+ type slapd_unit_file_t; - ') - -- allow $1 slapd_t:process { ptrace signal_perms }; -+ allow $1 slapd_t:process signal_perms; - ps_process_pattern($1, slapd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 slapd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) -- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t }) -+ admin_pattern($1, slapd_etc_t) - -- files_list_locks($1) - admin_pattern($1, slapd_lock_t) - -- logging_list_logs($1) -- admin_pattern($1, slapd_log_t) -- -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, slapd_replog_t) - - files_list_tmp($1) -@@ -144,4 +220,8 @@ interface(`ldap_admin',` - - files_list_pids($1) - admin_pattern($1, slapd_var_run_t) -+ -+ ldap_systemctl($1) -+ admin_pattern($1, slapd_unit_file_t) -+ allow $1 slapd_unit_file_t:service all_service_perms; - ') -diff --git a/ldap.te b/ldap.te -index d7d9b09..562c288 100644 ---- a/ldap.te -+++ b/ldap.te -@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) - type slapd_initrc_exec_t; - init_script_file(slapd_initrc_exec_t) - -+type slapd_unit_file_t; -+systemd_unit_file(slapd_unit_file_t) -+ - type slapd_lock_t; - files_lock_file(slapd_lock_t) - -@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) - kernel_read_system_state(slapd_t) - kernel_read_kernel_sysctls(slapd_t) - --corenet_all_recvfrom_unlabeled(slapd_t) - corenet_all_recvfrom_netlabel(slapd_t) - corenet_tcp_sendrecv_generic_if(slapd_t) - corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -110,25 +112,23 @@ 
fs_getattr_all_fs(slapd_t) - fs_search_auto_mountpoints(slapd_t) - - files_read_etc_runtime_files(slapd_t) --files_read_usr_files(slapd_t) - files_list_var_lib(slapd_t) - - auth_use_nsswitch(slapd_t) -+auth_rw_cache(slapd_t) - - logging_send_syslog_msg(slapd_t) - - miscfiles_read_generic_certs(slapd_t) --miscfiles_read_localization(slapd_t) - - userdom_dontaudit_use_unpriv_user_fds(slapd_t) - userdom_dontaudit_search_user_home_dirs(slapd_t) - - optional_policy(` - kerberos_keytab_template(slapd, slapd_t) -- kerberos_manage_host_rcache(slapd_t) -- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0") -- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487") -- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55") -+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0") -+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487") -+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55") - ') - - optional_policy(` -diff --git a/lightsquid.if b/lightsquid.if -index 33a28b9..33ffe24 100644 ---- a/lightsquid.if -+++ b/lightsquid.if -@@ -76,5 +76,7 @@ interface(`lightsquid_admin',` - files_search_var_lib($1) - admin_pattern($1, lightsquid_rw_content_t) - -- apache_list_sys_content($1) -+ optional_policy(` -+ apache_list_sys_content($1) -+ ') - ') -diff --git a/lightsquid.te b/lightsquid.te -index 40a2607..308accb 100644 ---- a/lightsquid.te -+++ b/lightsquid.te -@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t) - - dev_read_urand(lightsquid_t) - --files_read_etc_files(lightsquid_t) --files_read_usr_files(lightsquid_t) -- --miscfiles_read_localization(lightsquid_t) -- - squid_read_config(lightsquid_t) - squid_read_log(lightsquid_t) - -diff --git a/likewise.if b/likewise.if -index bd20e8c..3393a01 100644 ---- a/likewise.if -+++ b/likewise.if -@@ -1,9 +1,22 @@ - ## Likewise Active Directory support for UNIX. -+## -+##

    -+## Likewise Open is a free, open source application that joins Linux, Unix, -+## and Mac machines to Microsoft Active Directory to securely authenticate -+## users with their domain credentials. -+##

    -+##
    - - ####################################### - ## - ## The template to define a likewise domain. - ## -+## -+##

    -+## This template creates a domain to be used for -+## a new likewise daemon. -+##

    -+##
    - ## - ## - ## The type of daemon to be used. -@@ -11,6 +24,7 @@ - ## - # - template(`likewise_domain_template',` -+ - gen_require(` - attribute likewise_domains; - type likewise_var_lib_t; -@@ -24,6 +38,7 @@ template(`likewise_domain_template',` - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) -+ domain_use_interactive_fds($1_t) - - typeattribute $1_t likewise_domains; - -@@ -38,15 +53,18 @@ template(`likewise_domain_template',` - - #################################### - # -- # Policy -+ # Local Policy - # - - allow $1_t self:process { signal_perms getsched setsched }; - allow $1_t self:fifo_file rw_fifo_file_perms; -- allow $1_t self:unix_stream_socket { accept listen }; -+ allow $1_t self:unix_dgram_socket create_socket_perms; -+ allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - -+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms; -+ - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, file) - -@@ -55,12 +73,15 @@ template(`likewise_domain_template',` - - manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) -+ -+ kernel_read_system_state($1_t) -+ -+ logging_send_syslog_msg($1_t) - ') - - ######################################## - ## --## Connect to lsassd with a unix domain --## stream socket. -+## Connect to lsassd. - ## - ## - ## -@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',` - files_search_pids($1) - stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) - ') -- --######################################## --## --## All of the rules required to --## administrate an likewise environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. 
--## --## --## --# --interface(`likewise_admin',` -- gen_require(` -- attribute likewise_domains; -- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t; -- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t; -- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t; -- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t; -- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t; -- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t; -- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t; -- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t; -- ') -- -- allow $1 likewise_domains:process { ptrace signal_perms }; -- ps_process_pattern($1, likewise_domains) -- -- init_labeled_script_domtrans($1, likewise_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 likewise_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_list_etc($1) -- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) -- -- files_search_var_lib($1) -- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t }) -- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t }) -- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t }) -- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t }) -- admin_pattern($1, dcerpcd_var_lib_t) -- -- files_list_tmp($1) -- admin_pattern($1, lsassd_tmp_t) -- -- files_list_pids($1) -- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t }) -- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) --') -diff --git a/likewise.te b/likewise.te -index 408fbe3..e86ead6 100644 ---- a/likewise.te -+++ b/likewise.te -@@ -26,7 +26,7 @@ type likewise_var_lib_t; - files_type(likewise_var_lib_t) - - type likewise_pstore_lock_t; --files_type(likewise_pstore_lock_t) -+files_lock_file(likewise_pstore_lock_t) - - 
type likewise_krb5_ad_t; - files_type(likewise_krb5_ad_t) -@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t) - - allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms; - --kernel_read_system_state(likewise_domains) -- - dev_read_rand(likewise_domains) - dev_read_urand(likewise_domains) - - domain_use_interactive_fds(likewise_domains) - --files_read_etc_files(likewise_domains) - files_search_var_lib(likewise_domains) - --logging_send_syslog_msg(likewise_domains) -- --miscfiles_read_localization(likewise_domains) -- - ################################# - # - # dcerpcd local policy -@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t) - corecmd_exec_shell(lsassd_t) - - corenet_all_recvfrom_netlabel(lsassd_t) --corenet_all_recvfrom_unlabeled(lsassd_t) - corenet_tcp_sendrecv_generic_if(lsassd_t) - corenet_tcp_sendrecv_generic_node(lsassd_t) - -@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ - stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - - corenet_all_recvfrom_netlabel(srvsvcd_t) --corenet_all_recvfrom_unlabeled(srvsvcd_t) - corenet_sendrecv_generic_server_packets(srvsvcd_t) - corenet_tcp_sendrecv_generic_if(srvsvcd_t) - corenet_tcp_sendrecv_generic_node(srvsvcd_t) -diff --git a/lircd.if b/lircd.if -index dff21a7..b6981c8 100644 ---- a/lircd.if -+++ b/lircd.if -@@ -81,8 +81,11 @@ interface(`lircd_admin',` - type lircd_initrc_exec_t, lircd_etc_t; - ') - -- allow $1 lircd_t:process { ptrace signal_perms }; -+ allow $1 lircd_t:process signal_perms; - ps_process_pattern($1, lircd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 lircd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/lircd.te b/lircd.te -index 98b5405..7d982bb 100644 ---- a/lircd.te -+++ b/lircd.te -@@ -13,7 +13,7 @@ type lircd_initrc_exec_t; - init_script_file(lircd_initrc_exec_t) - - type lircd_etc_t; --files_type(lircd_etc_t) 
-+files_config_file(lircd_etc_t) - - type lircd_var_run_t alias lircd_sock_t; - files_pid_file(lircd_var_run_t) -@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin }; - allow lircd_t self:process signal; - allow lircd_t self:fifo_file rw_fifo_file_perms; - allow lircd_t self:tcp_socket { accept listen }; -+allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms; - - read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) - -@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t) - files_read_all_locks(lircd_t) - - term_use_ptmx(lircd_t) -+term_use_usb_ttys(lircd_t) - - logging_send_syslog_msg(lircd_t) - --miscfiles_read_localization(lircd_t) -- - sysnet_dns_name_resolve(lircd_t) -diff --git a/livecd.if b/livecd.if -index e354181..c6b2383 100644 ---- a/livecd.if -+++ b/livecd.if -@@ -38,11 +38,32 @@ interface(`livecd_domtrans',` - # - interface(`livecd_run',` - gen_require(` -+ type livecd_t; -+ type livecd_exec_t; - attribute_role livecd_roles; - ') - - livecd_domtrans($1) - roleattribute $2 livecd_roles; -+ role_transition $2 livecd_exec_t system_r; -+') -+ -+######################################## -+## -+## Dontaudit read/write to a livecd leaks -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`livecd_dontaudit_leaks',` -+ gen_require(` -+ type livecd_t; -+ ') -+ -+ dontaudit $1 livecd_t:unix_dgram_socket { read write }; - ') - - ######################################## -diff --git a/livecd.te b/livecd.te -index 33f64b5..a920c08 100644 ---- a/livecd.te -+++ b/livecd.te -@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) - # Local policy - # - --dontaudit livecd_t self:capability2 mac_admin; -+allow livecd_t self:capability2 mac_admin; - --domain_ptrace_all_domains(livecd_t) -+tunable_policy(`deny_ptrace',`',` -+ domain_ptrace_all_domains(livecd_t) -+') - - manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) - manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t) - optional_policy(` - hal_dbus_chat(livecd_t) - ') -+ -+optional_policy(` -+ mount_run(livecd_t, livecd_roles) -+') -+ - optional_policy(` -- mount_run(livecd_t, livecd_roles) -+ rpm_transition_script(livecd_t) - ') - - optional_policy(` -- rpm_domtrans(livecd_t) -+ seutil_run_setfiles_mac(livecd_t, livecd_roles) - ') - - optional_policy(` -diff --git a/lldpad.if b/lldpad.if -index d18c960..fb5b674 100644 ---- a/lldpad.if -+++ b/lldpad.if -@@ -2,6 +2,25 @@ - - ####################################### - ## -+## Transition to lldpad. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`lldpad_domtrans',` -+ gen_require(` -+ type lldpad_t, lldpad_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, lldpad_exec_t, lldpad_t) -+') -+ -+####################################### -+## - ## Send to lldpad with a unix dgram socket. 
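Review bot: The livecd.te hunk turns `dontaudit livecd_t self:capability2 mac_admin;` into `allow livecd_t self:capability2 mac_admin;` with no comment explaining why livecd_t now needs to set security contexts the loaded policy does not define. That is a real privilege change, not a denial-silencing tweak, and the file's other grants carry no rationale for it either; the next hunk adds seutil_run_setfiles_mac, so presumably it is for relabeling the image with an unloaded policy. A one-line why-comment above the allow, e.g. `# mac_admin: setfiles on the livecd image labels with a policy that is not loaded`, would let a later reviewer judge whether it can go back to dontaudit.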
- ## - ## -@@ -42,9 +61,13 @@ interface(`lldpad_admin',` - type lldpad_var_run_t; - ') - -- allow $1 lldpad_t:process { ptrace signal_perms }; -+ allow $1 lldpad_t:process { signal_perms }; - ps_process_pattern($1, lldpad_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 lldpad_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, lldpad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lldpad_initrc_exec_t system_r; -diff --git a/lldpad.te b/lldpad.te -index 648def0..b17392a 100644 ---- a/lldpad.te -+++ b/lldpad.te -@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) - # Local policy - # - --allow lldpad_t self:capability { net_admin net_raw }; -+allow lldpad_t self:capability { net_admin net_raw sys_resource }; - allow lldpad_t self:shm create_shm_perms; - allow lldpad_t self:fifo_file rw_fifo_file_perms; - allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) - - dev_read_sysfs(lldpad_t) - --files_read_etc_files(lldpad_t) -- - logging_send_syslog_msg(lldpad_t) - --miscfiles_read_localization(lldpad_t) -+userdom_dgram_send(lldpad_t) - - optional_policy(` - fcoe_dgram_send_fcoemon(lldpad_t) -diff --git a/loadkeys.te b/loadkeys.te -index 6cbb977..bd5406a 100644 ---- a/loadkeys.te -+++ b/loadkeys.te -@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) - corecmd_exec_bin(loadkeys_t) - corecmd_exec_shell(loadkeys_t) - --files_read_etc_files(loadkeys_t) - files_read_etc_runtime_files(loadkeys_t) - - term_dontaudit_use_console(loadkeys_t) - term_use_unallocated_ttys(loadkeys_t) - -+auth_read_passwd(loadkeys_t) -+ - init_dontaudit_use_fds(loadkeys_t) - init_dontaudit_use_script_ptys(loadkeys_t) - - locallogin_use_fds(loadkeys_t) - --miscfiles_read_localization(loadkeys_t) -- --userdom_use_user_ttys(loadkeys_t) -+userdom_use_inherited_user_ttys(loadkeys_t) - userdom_list_user_home_content(loadkeys_t) - - ifdef(`hide_broken_symptoms',` -diff --git a/lockdev.if b/lockdev.if 
-index 4313b8b..cd1435c 100644 ---- a/lockdev.if -+++ b/lockdev.if -@@ -1,5 +1,25 @@ - ## Library for locking devices. - -+####################################### -+## -+## Create, read, write, and delete -+## lockdev lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lockdev_manage_files',` -+ gen_require(` -+ type lockdev_lock_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t) -+') -+ - ######################################## - ## - ## Role access for lockdev. -diff --git a/lockdev.te b/lockdev.te -index db87831..30bfb76 100644 ---- a/lockdev.te -+++ b/lockdev.te -@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t) - - logging_send_syslog_msg(lockdev_t) - --userdom_use_user_terminals(lockdev_t) -+userdom_use_inherited_user_terminals(lockdev_t) -+ -diff --git a/logrotate.fc b/logrotate.fc -index a11d5be..36c8de7 100644 ---- a/logrotate.fc -+++ b/logrotate.fc -@@ -1,6 +1,9 @@ --/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) -+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) - - /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) - -+ifdef(`distro_debian', ` - /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) --/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) -+', ` -+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) -+') -diff --git a/logrotate.if b/logrotate.if -index dd8e01a..9cd6b0b 100644 ---- a/logrotate.if -+++ b/logrotate.if -@@ -1,4 +1,4 @@ --## Rotates, compresses, removes and mails system log files. 
-+## Rotate and archive system logs - - ######################################## - ## -@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',` - - ######################################## - ## --## Execute logrotate in the logrotate --## domain, and allow the specified --## role the logrotate domain. -+## Execute logrotate in the logrotate domain, and -+## allow the specified role the logrotate domain. - ## - ## - ## -@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',` - # - interface(`logrotate_run',` - gen_require(` -- attribute_role logrotate_roles; -+ type logrotate_t; - ') - - logrotate_domtrans($1) -- roleattribute $2 logrotate_roles; -+ role $2 types logrotate_t; - ') - - ######################################## -@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',` - - ######################################## - ## --## Do not audit attempts to inherit --## logrotate file descriptors. -+## Do not audit attempts to inherit logrotate file descriptors. - ## - ## - ## -@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',` - - ######################################## - ## --## Read logrotate temporary files. -+## Read a logrotate temporary files. 
- ## - ## - ## -diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..b88bbf3 100644 ---- a/logrotate.te -+++ b/logrotate.te -@@ -1,20 +1,18 @@ --policy_module(logrotate, 1.14.5) -+policy_module(logrotate, 1.14.0) - - ######################################## - # - # Declarations - # - --attribute_role logrotate_roles; --roleattribute system_r logrotate_roles; -- - type logrotate_t; --type logrotate_exec_t; - domain_type(logrotate_t) - domain_obj_id_change_exemption(logrotate_t) - domain_system_change_exemption(logrotate_t) -+role system_r types logrotate_t; -+ -+type logrotate_exec_t; - domain_entry_file(logrotate_t, logrotate_exec_t) --role logrotate_roles types logrotate_t; - - type logrotate_lock_t; - files_lock_file(logrotate_lock_t) -@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t) - type logrotate_var_lib_t; - files_type(logrotate_var_lib_t) - --mta_base_mail_template(logrotate) --role system_r types logrotate_mail_t; -- - ######################################## - # - # Local policy - # - --allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; --allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; -+# Change ownership on log files. -+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; -+dontaudit logrotate_t self:capability sys_resource; -+ -+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+ -+# Set a context other than the default one for newly created files. 
-+allow logrotate_t self:process setfscreate; -+ - allow logrotate_t self:fd use; - allow logrotate_t self:key manage_key_perms; - allow logrotate_t self:fifo_file rw_fifo_file_perms; -+allow logrotate_t self:unix_dgram_socket create_socket_perms; -+allow logrotate_t self:unix_stream_socket create_stream_socket_perms; - allow logrotate_t self:unix_dgram_socket sendto; --allow logrotate_t self:unix_stream_socket { accept connectto listen }; -+allow logrotate_t self:unix_stream_socket connectto; - allow logrotate_t self:shm create_shm_perms; - allow logrotate_t self:sem create_sem_perms; - allow logrotate_t self:msgq create_msgq_perms; -@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive }; - allow logrotate_t logrotate_lock_t:file manage_file_perms; - files_lock_filetrans(logrotate_t, logrotate_lock_t, file) - -+can_exec(logrotate_t, logrotate_tmp_t) -+ - manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) - manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) - files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) - -+# for /var/lib/logrotate.status and /var/lib/logcheck - create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) - manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) - read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) - files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) - --can_exec(logrotate_t, logrotate_tmp_t) -- - kernel_read_system_state(logrotate_t) - kernel_read_kernel_sysctls(logrotate_t) - -+dev_read_urand(logrotate_t) -+dev_read_sysfs(logrotate_t) -+ -+fs_search_auto_mountpoints(logrotate_t) -+fs_getattr_all_fs(logrotate_t) -+fs_list_inotifyfs(logrotate_t) -+ -+mls_file_read_all_levels(logrotate_t) -+mls_file_write_all_levels(logrotate_t) -+mls_file_upgrade(logrotate_t) -+mls_process_write_to_clearance(logrotate_t) -+ -+selinux_get_fs_mount(logrotate_t) -+selinux_get_enforce_mode(logrotate_t) -+ 
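Review bot: `dontaudit logrotate_t self:capability sys_resource;` is dead: the allow on the line above it already grants sys_resource, so no denial can be produced to suppress. Either the permission was meant to be silenced without being granted (then drop `sys_resource` from the allow and keep the dontaudit) or it is needed (then drop the dontaudit). The same allow also adds `sys_ptrace` while the process rule below keeps `ptrace` excluded; a short comment stating what sys_ptrace is for (reading other domains' /proc state is the likely reason, but it is not stated) would make that intent clear.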
-+auth_manage_login_records(logrotate_t) -+auth_use_nsswitch(logrotate_t) -+ -+# Run helper programs. - corecmd_exec_bin(logrotate_t) - corecmd_exec_shell(logrotate_t) - corecmd_getattr_all_executables(logrotate_t) - --dev_read_urand(logrotate_t) -- - domain_signal_all_domains(logrotate_t) - domain_use_interactive_fds(logrotate_t) - domain_getattr_all_entry_files(logrotate_t) -+# Read /proc/PID directories for all domains. - domain_read_all_domains_state(logrotate_t) - --files_read_usr_files(logrotate_t) - files_read_etc_runtime_files(logrotate_t) - files_read_all_pids(logrotate_t) - files_search_all(logrotate_t) - files_read_var_lib_files(logrotate_t) -+# Write to /var/spool/slrnpull - should be moved into its own type. - files_manage_generic_spool(logrotate_t) - files_manage_generic_spool_dirs(logrotate_t) - files_getattr_generic_locks(logrotate_t) - files_dontaudit_list_mnt(logrotate_t) - --fs_search_auto_mountpoints(logrotate_t) --fs_getattr_xattr_fs(logrotate_t) --fs_list_inotifyfs(logrotate_t) -- --mls_file_read_all_levels(logrotate_t) --mls_file_write_all_levels(logrotate_t) --mls_file_upgrade(logrotate_t) --mls_process_write_to_clearance(logrotate_t) -- --selinux_get_fs_mount(logrotate_t) --selinux_get_enforce_mode(logrotate_t) -- --auth_manage_login_records(logrotate_t) --auth_use_nsswitch(logrotate_t) -- -+# cjp: why is this needed? - init_domtrans_script(logrotate_t) - - logging_manage_all_logs(logrotate_t) - logging_send_syslog_msg(logrotate_t) - logging_send_audit_msgs(logrotate_t) -+# cjp: why is this needed? 
- logging_exec_all_logs(logrotate_t) - --miscfiles_read_localization(logrotate_t) -+systemd_exec_systemctl(logrotate_t) -+systemd_getattr_unit_files(logrotate_t) -+systemd_start_all_unit_files(logrotate_t) -+systemd_reload_all_services(logrotate_t) -+systemd_status_all_unit_files(logrotate_t) -+init_stream_connect(logrotate_t) - --seutil_dontaudit_read_config(logrotate_t) -+miscfiles_read_hwdata(logrotate_t) - --userdom_use_user_terminals(logrotate_t) -+userdom_use_inherited_user_terminals(logrotate_t) - userdom_list_user_home_dirs(logrotate_t) - userdom_use_unpriv_users_fds(logrotate_t) -+userdom_list_admin_dir(logrotate_t) -+userdom_dontaudit_getattr_user_home_content(logrotate_t) - --mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -- --ifdef(`distro_debian',` -+ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file relabel_file_perms; -+ # for savelog - can_exec(logrotate_t, logrotate_exec_t) - -- logging_check_exec_syslog(logrotate_t) -+ # for syslogd-listfiles - logging_read_syslog_config(logrotate_t) -+ -+ # for "test -x /sbin/syslogd" -+ logging_check_exec_syslog(logrotate_t) - ') - - optional_policy(` -@@ -135,16 +154,17 @@ optional_policy(` - - optional_policy(` - apache_read_config(logrotate_t) -+ apache_read_sys_content_rw_dirs(logrotate_t) - apache_domtrans(logrotate_t) - apache_signull(logrotate_t) - ') - - optional_policy(` -- asterisk_domtrans(logrotate_t) -+ awstats_domtrans(logrotate_t) - ') - - optional_policy(` -- awstats_domtrans(logrotate_t) -+ asterisk_domtrans(logrotate_t) - ') - - optional_policy(` -@@ -178,7 +198,7 @@ optional_policy(` - ') - - optional_policy(` -- chronyd_read_key_files(logrotate_t) -+ chronyd_read_keys(logrotate_t) - ') - - optional_policy(` -@@ -198,21 +218,26 @@ optional_policy(` - ') - - optional_policy(` -+ mysql_read_home_content(logrotate_t) - mysql_read_config(logrotate_t) -+ mysql_search_db(logrotate_t) - mysql_stream_connect(logrotate_t) - ') - - optional_policy(` -- 
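Review bot: `systemd_start_all_unit_files(logrotate_t)` and `systemd_reload_all_services(logrotate_t)` let the logrotate domain start or reload every unit on the system, and nothing in the hunk says which postrotate action requires that breadth. Combined with `init_domtrans_script(logrotate_t)` (still carrying its "cjp: why is this needed?" comment) and the `su_exec` added in a later hunk, logrotate_t becomes a wide pivot for anything that can influence a logrotate config. A why-comment such as `# postrotate scripts call systemctl reload/restart for arbitrary services` above the systemd_* calls, or narrowing to the specific services if they are known, would document the decision.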
openvswitch_read_pid_files(logrotate_t) -- openvswitch_domtrans(logrotate_t) -+ polipo_named_filetrans_log_files(logrotate_t) -+') -+ -+optional_policy(` -+ psad_domtrans(logrotate_t) - ') - - optional_policy(` -- polipo_log_filetrans_log(logrotate_t, file, "polipo") -+ rabbitmq_domtrans_beam(logrotate_t) - ') - - optional_policy(` -- psad_domtrans(logrotate_t) -+ raid_domtrans_mdadm(logrotate_t) - ') - - optional_policy(` -@@ -228,10 +253,20 @@ optional_policy(` - ') - - optional_policy(` -+ openshift_manage_lib_files(logrotate_t) -+') -+ -+optional_policy(` -+ openvswitch_read_pid_files(logrotate_t) -+ openvswitch_domtrans(logrotate_t) -+') -+ -+optional_policy(` - squid_domtrans(logrotate_t) - ') - - optional_policy(` -+ #Red Hat bug 564565 - su_exec(logrotate_t) - ') - -@@ -241,13 +276,11 @@ optional_policy(` - - ####################################### - # --# Mail local policy -+# logrotate_mail local policy - # - --allow logrotate_mail_t logrotate_t:fd use; --allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms; --allow logrotate_mail_t logrotate_t:process sigchld; -- --manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) -- -+mta_base_mail_template(logrotate) -+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -+role system_r types logrotate_mail_t; - logging_read_all_logs(logrotate_mail_t) -+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) -diff --git a/logwatch.te b/logwatch.te -index 4256a4c..30e3cd2 100644 ---- a/logwatch.te -+++ b/logwatch.te -@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) - # Declarations - # - -+## -+##

    -+## Allow epylog to send mail -+##

    -+##
    -+gen_tunable(logwatch_can_sendmail, false) -+ - type logwatch_t; - type logwatch_exec_t; --init_system_domain(logwatch_t, logwatch_exec_t) -+init_daemon_domain(logwatch_t, logwatch_exec_t) -+application_domain(logwatch_t, logwatch_exec_t) - - type logwatch_cache_t; - files_type(logwatch_cache_t) -@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; - manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) - manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) - --allow logwatch_t logwatch_lock_t:file manage_file_perms; -+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) -+manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) - files_lock_filetrans(logwatch_t, logwatch_lock_t, file) - - manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -@@ -67,10 +76,11 @@ files_list_var(logwatch_t) - files_search_all(logwatch_t) - files_read_var_symlinks(logwatch_t) - files_read_etc_runtime_files(logwatch_t) --files_read_usr_files(logwatch_t) -+files_read_system_conf_files(logwatch_t) - - fs_getattr_all_dirs(logwatch_t) - fs_getattr_all_fs(logwatch_t) -+fs_getattr_all_dirs(logwatch_t) - fs_dontaudit_list_auto_mountpoints(logwatch_t) - fs_list_inotifyfs(logwatch_t) - -@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t) - logging_read_all_logs(logwatch_t) - logging_send_syslog_msg(logwatch_t) - --miscfiles_read_localization(logwatch_t) -- - selinux_dontaudit_getattr_dir(logwatch_t) - - sysnet_exec_ifconfig(logwatch_t) - - userdom_dontaudit_search_user_home_dirs(logwatch_t) -+userdom_dontaudit_list_admin_dir(logwatch_t) - - mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) - mta_getattr_spool(logwatch_t) -@@ -137,6 +146,11 @@ optional_policy(` - ') - - optional_policy(` -+ raid_domtrans_mdadm(logwatch_t) -+ raid_access_check_mdadm(logwatch_t) -+') -+ -+optional_policy(` - rpc_search_nfs_state_data(logwatch_t) - ') - -@@ -145,6 +159,13 @@ optional_policy(` - 
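Review bot: The added `fs_getattr_all_dirs(logwatch_t)` in the `@@ -67,10 +76,11 @@` hunk duplicates the identical call two lines above it (the context line before `fs_getattr_all_fs(logwatch_t)`). It is harmless to the compiled policy but reads as a merge leftover; drop the added line.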
samba_read_share_files(logwatch_t) - ') - -+tunable_policy(`logwatch_can_sendmail',` -+ corenet_tcp_connect_smtp_port(logwatch_t) -+ corenet_sendrecv_smtp_client_packets(logwatch_t) -+ corenet_tcp_connect_pop_port(logwatch_t) -+ corenet_sendrecv_pop_client_packets(logwatch_t) -+') -+ - ######################################## - # - # Mail local policy -@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t) - - logging_read_all_logs(logwatch_mail_t) - -+mta_read_home(logwatch_mail_t) -+ - optional_policy(` - cron_use_system_job_fds(logwatch_mail_t) - ') -+ -+optional_policy(` -+ courier_stream_connect_authdaemon(logwatch_mail_t) -+') -diff --git a/lpd.fc b/lpd.fc -index 2fb9b2e..08974e3 100644 ---- a/lpd.fc -+++ b/lpd.fc -@@ -19,6 +19,7 @@ - /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) - /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) - -+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - /usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - - /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) -diff --git a/lpd.if b/lpd.if -index 6256371..7826e38 100644 ---- a/lpd.if -+++ b/lpd.if -@@ -1,44 +1,49 @@ --## Line printer daemon. -+## Line printer daemon - - ######################################## - ## --## Role access for lpd. -+## Role access for lpd - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. 
-+## User domain for the role - ## - ## -+## - # - interface(`lpd_role',` - gen_require(` - attribute_role lpr_roles; -- type lpr_t, lpr_exec_t; -+ type lpr_t, lpr_exec_t, print_spool_t; - ') - -- ######################################## -- # -- # Declarations -- # -+ ######################################## -+ # -+ # Declarations -+ # - - roleattribute $1 lpr_roles; - -- ######################################## -- # -- # Policy -- # -+ ######################################## -+ # -+ # Policy -+ # - -+ # Transition from the user domain to the derived domain. - domtrans_pattern($2, lpr_exec_t, lpr_t) -+ dontaudit lpr_t $2:unix_stream_socket { read write }; - -- allow $2 lpr_t:process { ptrace signal_perms }; - ps_process_pattern($2, lpr_t) -+ allow $2 lpr_t:process signal_perms; - -- dontaudit lpr_t $2:unix_stream_socket { read write }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 lpr_t:process ptrace; -+ ') - - optional_policy(` - cups_read_config($2) -@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',` - type checkpc_t, checkpc_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, checkpc_exec_t, checkpc_t) - ') - - ######################################## - ## --## Execute amrecover in the lpd --## domain, and allow the specified --## role the lpd domain. -+## Execute amrecover in the lpd domain, and -+## allow the specified role the lpd domain. - ## - ## - ## -@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',` - # - interface(`lpd_run_checkpc',` - gen_require(` -- attribute_role checkpc_roles; -+ type checkpc_t; - ') - - lpd_domtrans_checkpc($1) -- roleattribute $2 checkpc_roles; -+ role $2 types checkpc_t; - ') - - ######################################## - ## --## List printer spool directories. -+## List the contents of the printer spool directories. - ## - ## - ## -@@ -112,7 +115,7 @@ interface(`lpd_list_spool',` - - ######################################## - ## --## Read printer spool files. -+## Read the printer spool files. 
- ## - ## - ## -@@ -131,8 +134,7 @@ interface(`lpd_read_spool',` - - ######################################## - ## --## Create, read, write, and delete --## printer spool content. -+## Create, read, write, and delete printer spool files. - ## - ## - ## -@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',` - - ######################################## - ## --## Relabel spool files. -+## Relabel from and to the spool files. - ## - ## - ## -@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',` - - ######################################## - ## --## Read printer configuration files. -+## List the contents of the printer spool directories. - ## - ## - ## -@@ -200,12 +202,11 @@ interface(`lpd_read_config',` - ## - ## - # --template(`lpd_domtrans_lpr',` -+interface(`lpd_domtrans_lpr',` - gen_require(` - type lpr_t, lpr_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, lpr_exec_t, lpr_t) - ') - -@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',` - - ######################################## - ## --## Execute lpr in the caller domain. -+## Allow the specified domain to execute lpr -+## in the caller domain. 
- ## - ## - ## -@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',` - type lpr_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, lpr_exec_t) - ') -diff --git a/lpd.te b/lpd.te -index b9270f7..15f3748 100644 ---- a/lpd.te -+++ b/lpd.te -@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) - type print_spool_t; - typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; - typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; --files_type(print_spool_t) -+files_spool_file(print_spool_t) - ubac_constrained(print_spool_t) - - type printer_t; -@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms; - - kernel_read_system_state(checkpc_t) - --corenet_all_recvfrom_unlabeled(checkpc_t) - corenet_all_recvfrom_netlabel(checkpc_t) - corenet_tcp_sendrecv_generic_if(checkpc_t) - corenet_tcp_sendrecv_generic_node(checkpc_t) -@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t) - - domain_use_interactive_fds(checkpc_t) - --files_read_etc_files(checkpc_t) - files_read_etc_runtime_files(checkpc_t) - files_search_pids(checkpc_t) - files_search_spool(checkpc_t) -@@ -107,7 +105,7 @@ init_use_fds(checkpc_t) - - sysnet_read_config(checkpc_t) - --userdom_use_user_terminals(checkpc_t) -+userdom_use_inherited_user_terminals(checkpc_t) - - optional_policy(` - cron_system_entry(checkpc_t, checkpc_exec_t) -@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t) - kernel_read_kernel_sysctls(lpd_t) - kernel_read_system_state(lpd_t) - --corenet_all_recvfrom_unlabeled(lpd_t) - corenet_all_recvfrom_netlabel(lpd_t) - corenet_tcp_sendrecv_generic_if(lpd_t) - corenet_tcp_sendrecv_generic_node(lpd_t) -@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t) - domain_use_interactive_fds(lpd_t) - - files_read_etc_runtime_files(lpd_t) --files_read_usr_files(lpd_t) - files_list_world_readable(lpd_t) - files_read_world_readable_files(lpd_t) - files_read_world_readable_symlinks(lpd_t) - files_list_var_lib(lpd_t) - files_read_var_lib_files(lpd_t) - 
files_read_var_lib_symlinks(lpd_t) --files_read_etc_files(lpd_t) - files_search_spool(lpd_t) - - fs_getattr_all_fs(lpd_t) -@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t) - logging_send_syslog_msg(lpd_t) - - miscfiles_read_fonts(lpd_t) --miscfiles_read_localization(lpd_t) - - sysnet_read_config(lpd_t) - -@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t) - kernel_read_crypto_sysctls(lpr_t) - kernel_read_kernel_sysctls(lpr_t) - --corenet_all_recvfrom_unlabeled(lpr_t) - corenet_all_recvfrom_netlabel(lpr_t) - corenet_tcp_sendrecv_generic_if(lpr_t) - corenet_tcp_sendrecv_generic_node(lpr_t) -@@ -239,7 +232,6 @@ dev_read_urand(lpr_t) - domain_use_interactive_fds(lpr_t) - - files_search_spool(lpr_t) --files_read_usr_files(lpr_t) - files_list_home(lpr_t) - - fs_getattr_all_fs(lpr_t) -@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t) - - auth_use_nsswitch(lpr_t) - --logging_send_syslog_msg(lpr_t) -- - miscfiles_read_fonts(lpr_t) --miscfiles_read_localization(lpr_t) - - userdom_read_user_tmp_symlinks(lpr_t) --userdom_use_user_terminals(lpr_t) -+# Write to the user domain tty. -+userdom_use_inherited_user_terminals(lpr_t) - userdom_read_user_home_content_files(lpr_t) - userdom_read_user_tmp_files(lpr_t) -+userdom_write_user_tmp_sockets(lpr_t) -+userdom_stream_connect(lpr_t) - - tunable_policy(`use_lpd_server',` -- allow lpr_t lpd_t:process signal; -- -- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t) -+ # lpr can run in lightweight mode, without a local print spooler. -+ allow lpr_t lpd_var_run_t:dir search_dir_perms; -+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; - files_read_var_files(lpr_t) - -+ # Connect to lpd via a Unix domain socket. -+ allow lpr_t printer_t:sock_file read_sock_file_perms; - stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) -+ # Send SIGHUP to lpd. 
-+ allow lpr_t lpd_t:process signal; - - manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) -@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',` - allow lpr_t printconf_t:lnk_file read_lnk_file_perms; - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_list_auto_mountpoints(lpr_t) -- fs_read_nfs_files(lpr_t) -- fs_read_nfs_symlinks(lpr_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_list_auto_mountpoints(lpr_t) -- fs_read_cifs_files(lpr_t) -- fs_read_cifs_symlinks(lpr_t) --') -+userdom_home_reader(lpr_t) - - optional_policy(` - cups_read_config(lpr_t) -@@ -298,5 +284,13 @@ optional_policy(` - ') - - optional_policy(` -- gnome_stream_connect_all_gkeyringd(lpr_t) -+ gnome_stream_connect_gkeyringd(lpr_t) -+') -+ -+optional_policy(` -+ logging_send_syslog_msg(lpr_t) -+') -+ -+optional_policy(` -+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) - ') -diff --git a/lsm.fc b/lsm.fc -new file mode 100644 -index 0000000..81cd4e0 ---- /dev/null -+++ b/lsm.fc -@@ -0,0 +1,5 @@ -+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) -+ -+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) -+ -+/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) -diff --git a/lsm.if b/lsm.if -new file mode 100644 -index 0000000..da30c5d ---- /dev/null -+++ b/lsm.if -@@ -0,0 +1,99 @@ -+ -+## libStorageMgmt plug-in daemon -+ -+######################################## -+## -+## Execute TEMPLATE in the lsmd domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`lsmd_domtrans',` -+ gen_require(` -+ type lsmd_t, lsmd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, lsmd_exec_t, lsmd_t) -+') -+######################################## -+## -+## Read lsmd PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`lsmd_read_pid_files',` -+ gen_require(` -+ type lsmd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t) -+') -+ -+######################################## -+## -+## Execute lsmd server in the lsmd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`lsmd_systemctl',` -+ gen_require(` -+ type lsmd_t; -+ type lsmd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 lsmd_unit_file_t:file read_file_perms; -+ allow $1 lsmd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, lsmd_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an lsmd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`lsmd_admin',` -+ gen_require(` -+ type lsmd_t; -+ type lsmd_var_run_t; -+ type lsmd_unit_file_t; -+ ') -+ -+ allow $1 lsmd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, lsmd_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, lsmd_var_run_t) -+ -+ lsmd_systemctl($1) -+ admin_pattern($1, lsmd_unit_file_t) -+ allow $1 lsmd_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/lsm.te b/lsm.te -new file mode 100644 -index 0000000..6611d9f ---- /dev/null -+++ b/lsm.te -@@ -0,0 +1,34 @@ -+policy_module(lsm, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type lsmd_t; -+type lsmd_exec_t; -+init_daemon_domain(lsmd_t, lsmd_exec_t) -+ -+type lsmd_var_run_t; -+files_pid_file(lsmd_var_run_t) -+ -+type lsmd_unit_file_t; -+systemd_unit_file(lsmd_unit_file_t) -+ -+######################################## -+# -+# lsmd local policy -+# -+allow lsmd_t self:capability { setgid }; -+allow lsmd_t self:process { fork }; -+allow lsmd_t self:unix_stream_socket 
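Review bot: `lsmd_admin` grants `allow $1 lsmd_t:process { ptrace signal_perms };` unconditionally, while this same patch changes lircd_admin, lldpad_admin and lpd_role to grant only signal_perms and gate ptrace behind the deny_ptrace tunable. Change the line to `allow $1 lsmd_t:process signal_perms;` and add the same deny_ptrace tunable_policy wrapper used in lldpad_admin for the ptrace permission. The summary for lsmd_domtrans still reads `Execute TEMPLATE in the lsmd domin.` (placeholder and typo), and the summary of lsmd_systemctl says it executes the lsmd server in the lsmd domain although the body only grants systemctl and unit-file service permissions; both should describe what the interfaces actually do.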
create_stream_socket_perms; -+ -+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) -+ -+corecmd_exec_bin(lsmd_t) -+ -+logging_send_syslog_msg(lsmd_t) -diff --git a/mailman.fc b/mailman.fc -index 7fa381b..bbe6b01 100644 ---- a/mailman.fc -+++ b/mailman.fc -@@ -3,10 +3,12 @@ - - /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) - -+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - /usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - /usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - /usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) --/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - /var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) - - /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) -diff --git a/mailman.if b/mailman.if -index 108c0f1..a248501 100644 ---- a/mailman.if -+++ b/mailman.if -@@ -1,44 +1,70 @@ --## Manage electronic mail discussion and e-newsletter lists. -+## Mailman is for managing electronic mail discussion and e-newsletter lists - - ####################################### - ## --## The template to define a mailman domain. -+## The template to define a mailmain domain. - ## --## -+## -+##
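Review bot: `corecmd_exec_bin(lsmd_t)` lets the daemon run any bin_t program inside lsmd_t with no domain transition, and the .if header describes lsmd as a plug-in daemon; if the storage plug-ins are what this rule serves (inferred, the hunk does not say), they inherit every lsmd_t rule including management of the PID directory, so either a dedicated plug-in exec type with a transition or at least a why-comment naming the consumer is warranted. `allow lsmd_t self:capability { setgid };` without setuid is also unusual for a daemon that drops privileges; if only setgid is genuinely needed, a one-line comment such as `# lsmd only changes its gid; it does not drop uid` stops a later "fix".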
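Review bot: The two added entries `/usr/lib/mailman/bin/mailmanctl` and `/usr/lib/mailman/bin/mm-handler.*` are already matched by the existing `/usr/lib/mailman.*/bin/...` regexes directly below them (`.*` matches the empty string) with the same context, so they are redundant. If the intent is a literal-path entry that wins over the regex on some layouts, a short comment saying so would keep the next reader from deleting them; otherwise drop them.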

    -+## This template creates a domain to be used for -+## a new mailman daemon. -+##

    -+##
    -+## - ## --## Domain prefix to be used. -+## The type of daemon to be used eg, cgi would give mailman_cgi_ - ## - ## - # --template(`mailman_domain_template',` -- gen_require(` -- attribute mailman_domain; -- ') -+template(`mailman_domain_template', ` - -- ######################################## -- # -- # Declarations -- # -+ ######################################## -+ # -+ # Declarations -+ # - -- type mailman_$1_t; -- type mailman_$1_exec_t; -+ gen_require(` -+ attribute mailman_domain; -+ ') -+ -+ type mailman_$1_t, mailman_domain; - domain_type(mailman_$1_t) -+ type mailman_$1_exec_t; - domain_entry_file(mailman_$1_t, mailman_$1_exec_t) - role system_r types mailman_$1_t; - - type mailman_$1_tmp_t; - files_tmp_file(mailman_$1_tmp_t) - -- #################################### -- # -- # Policy -- # -+ #################################### -+ # -+ # Policy -+ # - - manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) - -+ kernel_read_system_state(mailman_$1_t) -+ -+ corenet_all_recvfrom_unlabeled(mailman_$1_t) -+ corenet_all_recvfrom_netlabel(mailman_$1_t) -+ corenet_tcp_sendrecv_generic_if(mailman_$1_t) -+ corenet_udp_sendrecv_generic_if(mailman_$1_t) -+ corenet_raw_sendrecv_generic_if(mailman_$1_t) -+ corenet_tcp_sendrecv_generic_node(mailman_$1_t) -+ corenet_udp_sendrecv_generic_node(mailman_$1_t) -+ corenet_raw_sendrecv_generic_node(mailman_$1_t) -+ corenet_tcp_sendrecv_all_ports(mailman_$1_t) -+ corenet_udp_sendrecv_all_ports(mailman_$1_t) -+ corenet_tcp_bind_generic_node(mailman_$1_t) -+ corenet_udp_bind_generic_node(mailman_$1_t) -+ corenet_tcp_connect_smtp_port(mailman_$1_t) -+ corenet_sendrecv_smtp_client_packets(mailman_$1_t) -+ - auth_use_nsswitch(mailman_$1_t) -+ -+ logging_send_syslog_msg(mailman_$1_t) - ') - - ####################################### -@@ -56,15 +82,12 @@ 
interface(`mailman_domtrans',` - type mailman_mail_exec_t, mailman_mail_t; - ') - -- libs_search_lib($1) - domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) - ') - - ######################################## - ## --## Execute the mailman program in the --## mailman domain and allow the --## specified role the mailman domain. -+## Execute the mailman program in the mailman domain. - ## - ## - ## -@@ -73,18 +96,18 @@ interface(`mailman_domtrans',` - ## - ## - ## --## Role allowed access. -+## The role to allow the mailman domain. - ## - ## - ## - # - interface(`mailman_run',` - gen_require(` -- attribute_role mailman_roles; -+ type mailman_mail_t; - ') - - mailman_domtrans($1) -- roleattribute $2 mailman_roles; -+ role $2 types mailman_mail_t; - ') - - ####################################### -@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',` - type mailman_cgi_exec_t, mailman_cgi_t; - ') - -- libs_search_lib($1) - domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) - ') - -@@ -122,13 +144,12 @@ interface(`mailman_exec',` - type mailman_mail_exec_t; - ') - -- libs_search_lib($1) - can_exec($1, mailman_mail_exec_t) - ') - - ####################################### - ## --## Send generic signals to mailman cgi. -+## Send generic signals to the mailman cgi domain. - ## - ## - ## -@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',` - - ####################################### - ## --## Search mailman data directories. -+## Allow domain to search data directories. - ## - ## - ## -@@ -159,13 +180,12 @@ interface(`mailman_search_data',` - type mailman_data_t; - ') - -- files_search_spool($1) - allow $1 mailman_data_t:dir search_dir_perms; - ') - - ####################################### - ## --## Read mailman data content. -+## Allow domain to to read mailman data files. 
- ## - ## - ## -@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',` - type mailman_data_t; - ') - -- files_search_spool($1) - list_dirs_pattern($1, mailman_data_t, mailman_data_t) - read_files_pattern($1, mailman_data_t, mailman_data_t) - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) -@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',` - - ####################################### - ## --## Create, read, write, and delete --## mailman data files. -+## Allow domain to to create mailman data files -+## and write the directory. - ## - ## - ## -@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',` - type mailman_data_t; - ') - -- files_search_spool($1) - manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) - ') - - ####################################### - ## --## List mailman data directories. -+## List the contents of mailman data directories. - ## - ## - ## -@@ -220,13 +238,12 @@ interface(`mailman_list_data',` - type mailman_data_t; - ') - -- files_search_spool($1) - allow $1 mailman_data_t:dir list_dir_perms; - ') - - ####################################### - ## --## Read mailman data symbolic links. -+## Allow read acces to mailman data symbolic links. - ## - ## - ## -@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',` - - ####################################### - ## --## Read mailman log files. -+## Read mailman logs. - ## - ## - ## -@@ -257,13 +274,12 @@ interface(`mailman_read_log',` - type mailman_log_t; - ') - -- logging_search_logs($1) - read_files_pattern($1, mailman_log_t, mailman_log_t) - ') - - ####################################### - ## --## Append mailman log files. -+## Append to mailman logs. 
- ## - ## - ## -@@ -276,14 +292,13 @@ interface(`mailman_append_log',` - type mailman_log_t; - ') - -- logging_search_logs($1) - append_files_pattern($1, mailman_log_t, mailman_log_t) - ') - - ####################################### - ## - ## Create, read, write, and delete --## mailman log content. -+## mailman logs. - ## - ## - ## -@@ -296,14 +311,13 @@ interface(`mailman_manage_log',` - type mailman_log_t; - ') - -- logging_search_logs($1) - manage_files_pattern($1, mailman_log_t, mailman_log_t) - manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) - ') - - ####################################### - ## --## Read mailman archive content. -+## Allow domain to read mailman archive files. - ## - ## - ## -@@ -316,7 +330,6 @@ interface(`mailman_read_archive',` - type mailman_archive_t; - ') - -- files_search_var_lib($1) - allow $1 mailman_archive_t:dir list_dir_perms; - read_files_pattern($1, mailman_archive_t, mailman_archive_t) - read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) -@@ -324,8 +337,7 @@ interface(`mailman_read_archive',` - - ####################################### - ## --## Execute mailman_queue in the --## mailman_queue domain. -+## Execute mailman_queue in the mailman_queue domain. - ## - ## - ## -@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',` - type mailman_queue_exec_t, mailman_queue_t; - ') - -- libs_search_lib($1) - domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) - ') -diff --git a/mailman.te b/mailman.te -index 8eaf51b..a057913 100644 ---- a/mailman.te -+++ b/mailman.te -@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) - # - # Declarations - # -+## -+##

    -+## Allow mailman to access FUSE file systems -+##

    -+##
    -+gen_tunable(mailman_use_fusefs, false) - - attribute mailman_domain; - -@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t) - manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t) - files_lock_filetrans(mailman_domain, mailman_lock_t, file) - --append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) --create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) --setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) -+manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) - logging_log_filetrans(mailman_domain, mailman_log_t, file) - - kernel_read_kernel_sysctls(mailman_domain) --kernel_read_system_state(mailman_domain) - --corenet_all_recvfrom_unlabeled(mailman_domain) --corenet_all_recvfrom_netlabel(mailman_domain) - corenet_tcp_sendrecv_generic_if(mailman_domain) - corenet_tcp_sendrecv_generic_node(mailman_domain) - -@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain) - libs_exec_ld_so(mailman_domain) - libs_exec_lib_files(mailman_domain) - --logging_send_syslog_msg(mailman_domain) -- --miscfiles_read_localization(mailman_domain) -- - ######################################## - # - # CGI local policy -@@ -115,20 +112,23 @@ optional_policy(` - # Mail local policy - # - --allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; --allow mailman_mail_t self:process { signal signull }; -+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config }; -+allow mailman_mail_t self:process { setsched signal signull }; -+allow mailman_mail_t self:unix_dgram_socket create_socket_perms; - - manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) - manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) - files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) - -+can_exec(mailman_mail_t, mailman_mail_exec_t) -+ - 
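Review bot: Replacing `append_files_pattern` + `create_files_pattern` + `setattr_files_pattern` on mailman_log_t with `manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)` means every domain carrying the shared attribute (per the .if hunk above, that now includes the cgi domain) can truncate, overwrite and unlink its logs instead of only appending to them, which removes the append-only property an intruder would otherwise have to defeat to cover tracks. Keep the append/create/setattr trio on the attribute and, if one domain actually needs to rewrite or rotate logs, grant it alone, e.g. `manage_files_pattern(mailman_queue_t, mailman_log_t, mailman_log_t)`. This hunk starts and ends mid-file; the per-domain sections are outside it.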
corenet_sendrecv_innd_client_packets(mailman_mail_t) - corenet_tcp_connect_innd_port(mailman_mail_t) - corenet_tcp_sendrecv_innd_port(mailman_mail_t) - - corenet_sendrecv_spamd_client_packets(mailman_mail_t) --corenet_tcp_connect_spamd_port(mailman_mail_t) - corenet_tcp_sendrecv_spamd_port(mailman_mail_t) -+corenet_tcp_connect_spamd_port(mailman_mail_t) - - dev_read_urand(mailman_mail_t) - -@@ -142,6 +142,10 @@ optional_policy(` - ') - - optional_policy(` -+ gnome_dontaudit_search_config(mailman_mail_t) -+') -+ -+optional_policy(` - cron_read_pipes(mailman_mail_t) - ') - -@@ -182,3 +186,9 @@ optional_policy(` - optional_policy(` - su_exec(mailman_queue_t) - ') -+ -+tunable_policy(`mailman_use_fusefs',` -+ fs_manage_fusefs_dirs(mailman_domain) -+ fs_manage_fusefs_files(mailman_domain) -+ fs_manage_fusefs_symlinks(mailman_domain) -+') -diff --git a/mailscanner.if b/mailscanner.if -index 0293f34..bd1d48e 100644 ---- a/mailscanner.if -+++ b/mailscanner.if -@@ -2,29 +2,27 @@ - - ######################################## - ## --## Create, read, write, and delete --## mscan spool content. -+## Execute a domain transition to run -+## MailScanner. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## - # --interface(`mscan_manage_spool_content',` -+interface(`mailscanner_initrc_domtrans',` - gen_require(` -- type mscan_spool_t; -+ type mscan_initrc_exec_t; - ') - -- files_search_spool($1) -- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) -- manage_files_pattern($1, mscan_spool_t, mscan_spool_t) -+ init_labeled_script_domtrans($1, mscan_initrc_exec_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an mscan environment -+## All of the rules required to administrate -+## an mailscanner environment. 
- ## - ## - ## -@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',` - ## - ## - # --interface(`mscan_admin',` -+interface(`mailscanner_admin',` - gen_require(` -- type mscan_t, mscan_etc_t, mscan_initrc_exec_t; -- type mscan_var_run_t, mscan_spool_t; -+ type mscan_t, mscan_var_run_t, mscan_etc_t; -+ type mscan_initrc_exec_t; - ') - -- allow $1 mscan_t:process { ptrace signal_perms }; -- ps_process_pattern($1, mscan_t) -- -- init_labeled_script_domtrans($1, mscan_initrc_exec_t) -+ mailscanner_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mscan_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -+ allow $1 mscan_t:process signal_perms; -+ ps_process_pattern($1, mscan_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mscan_t:process ptrace; -+ ') -+ - admin_pattern($1, mscan_etc_t) -+ files_list_etc($1) - -- files_search_pids($1 - admin_pattern($1, mscan_var_run_t) -- -- files_search_spool($1) -- admin_pattern($1, mscan_spool_t) -+ files_list_pids($1) - ') -diff --git a/mailscanner.te b/mailscanner.te -index 725ba32..cec64d0 100644 ---- a/mailscanner.te -+++ b/mailscanner.te -@@ -34,6 +34,7 @@ allow mscan_t self:process signal; - allow mscan_t self:fifo_file rw_fifo_file_perms; - - read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) -+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t) - - manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) - files_pid_filetrans(mscan_t, mscan_var_run_t, file) -@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t) - - dev_read_urand(mscan_t) - --files_read_usr_files(mscan_t) - - fs_getattr_xattr_fs(mscan_t) - -@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t) - - logging_send_syslog_msg(mscan_t) - --miscfiles_read_localization(mscan_t) -- - optional_policy(` -- clamav_domtrans_clamscan(mscan_t) -+ antivirus_domtrans(mscan_t) -+ antivirus_manage_pid(mscan_t) - ') - - optional_policy(` -@@ -97,5 +96,6 @@ optional_policy(` - ') - - optional_policy(` -+ 
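Review bot: `mscan_admin` is renamed to `mailscanner_admin` and `mscan_manage_spool_content` is deleted outright with no deprecation stubs, although this same patch shows the convention in mandb.if (`interface(`mandb_search_cache',` refpolicywarn(`$0($*) has been deprecated') ')`), so any module still calling the old names now fails at build time. The new admin interface also drops `admin_pattern($1, mscan_spool_t)` and the `files_search_spool` calls, so the admin role can no longer clean the scanner spool; if that is intended, say so in the summary. A minimal shim would be `interface(`mscan_admin',` refpolicywarn(`$0($*) has been renamed to mailscanner_admin') mailscanner_admin($*) ')`.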
spamassassin_read_home_client(mscan_t) - spamassassin_read_lib_files(mscan_t) - ') -diff --git a/man2html.if b/man2html.if -index 54ec04d..fe43dea 100644 ---- a/man2html.if -+++ b/man2html.if -@@ -1 +1,127 @@ - ## A Unix manpage-to-HTML converter. -+ -+######################################## -+## -+## Transition to httpd_man2html_script. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`httpd_man2html_script_domtrans',` -+ gen_require(` -+ type httpd_man2html_script_t, httpd_man2html_script_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t) -+') -+ -+######################################## -+## -+## Search httpd_man2html_script cache directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`httpd_man2html_script_search_cache',` -+ gen_require(` -+ type httpd_man2html_script_cache_t; -+ ') -+ -+ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms; -+ files_search_var($1) -+') -+ -+######################################## -+## -+## Read httpd_man2html_script cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`httpd_man2html_script_read_cache_files',` -+ gen_require(` -+ type httpd_man2html_script_cache_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## httpd_man2html_script cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`httpd_man2html_script_manage_cache_files',` -+ gen_require(` -+ type httpd_man2html_script_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+') -+ -+######################################## -+## -+## Manage httpd_man2html_script cache dirs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`httpd_man2html_script_manage_cache_dirs',` -+ gen_require(` -+ type httpd_man2html_script_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an httpd_man2html_script environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`httpd_man2html_script_admin',` -+ gen_require(` -+ type httpd_man2html_script_t; -+ type httpd_man2html_script_cache_t; -+ ') -+ -+ allow $1 httpd_man2html_script_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, httpd_man2html_script_t) -+ -+ files_search_var($1) -+ admin_pattern($1, httpd_man2html_script_cache_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/man2html.te b/man2html.te -index e08c55d..9e634bd 100644 ---- a/man2html.te -+++ b/man2html.te -@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0) - # Declarations - # - --apache_content_template(man2html) - - type httpd_man2html_script_cache_t; - files_type(httpd_man2html_script_cache_t) - - ######################################## - # --# Local policy -+# httpd_man2html_script local policy - # - --manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) --manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) --manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) --files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir) -+optional_policy(` - --files_read_etc_files(httpd_man2html_script_t) -+ apache_content_template(man2html) - --miscfiles_read_localization(httpd_man2html_script_t) --miscfiles_read_man_pages(httpd_man2html_script_t) -+ allow httpd_man2html_script_t self:process { 
fork }; -+ -+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file }) -+ -+') -diff --git a/mandb.fc b/mandb.fc -index 2de0f64..3c24286 100644 ---- a/mandb.fc -+++ b/mandb.fc -@@ -1 +1,10 @@ - /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) -+ -+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) -+ -+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) -+/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) -+ -+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) -+ -+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) -diff --git a/mandb.if b/mandb.if -index 327f3f7..4f61561 100644 ---- a/mandb.if -+++ b/mandb.if -@@ -1,14 +1,14 @@ --## On-line manual database. -+ -+## policy for mandb - - ######################################## - ## --## Execute the mandb program in --## the mandb domain. -+## Transition to mandb. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`mandb_domtrans',` -@@ -22,33 +22,45 @@ interface(`mandb_domtrans',` - - ######################################## - ## --## Execute mandb in the mandb --## domain, and allow the specified --## role the mandb domain. -+## Search mandb cache directories. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## --## -+# -+interface(`mandb_search_cache',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ allow $1 mandb_cache_t:dir search_dir_perms; -+ files_search_var($1) -+') -+ -+######################################## -+## -+## Read mandb cache files. 
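Review bot: `/opt/local/share/man(/.*)? ... mandb_cache_t` labels an entire man-page tree as cache, and mandb.te in this patch gives mandb_t full manage on mandb_cache_t (plus `mandb_manage_cache_files`/`_dirs` export it), so every page under that prefix becomes writable by mandb_t rather than read-only like the other man trees. If only the formatted-page (cat*) subdirectories are the cache, narrow the entry, e.g. `/opt/local/share/man/cat[0-9a-z]*(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)`; if the whole tree really is generated output, a comment above the entry should say so.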
-+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## - # --interface(`mandb_run',` -+interface(`mandb_read_cache_files',` - gen_require(` -- attribute_role mandb_roles; -+ type mandb_cache_t; - ') - -- lightsquid_domtrans($1) -- roleattribute $2 mandb_roles; -+ files_search_var($1) -+ read_files_pattern($1, mandb_cache_t, mandb_cache_t) - ') - - ######################################## - ## --## Search mandb cache directories. -+## Relabel mandb cache files/directories - ## - ## - ## -@@ -56,13 +68,18 @@ interface(`mandb_run',` - ## - ## - # --interface(`mandb_search_cache',` -- refpolicywarn(`$0($*) has been deprecated') -+interface(`mandb_relabel_cache',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ allow $1 mandb_cache_t:dir relabel_dir_perms; -+ allow $1 mandb_cache_t:file relabel_file_perms; - ') - - ######################################## - ## --## Delete mandb cache content. -+## Set attributes on mandb cache files. - ## - ## - ## -@@ -70,13 +87,18 @@ interface(`mandb_search_cache',` - ## - ## - # --interface(`mandb_delete_cache_content',` -- refpolicywarn(`$0($*) has been deprecated') -+interface(`mandb_setattr_cache_dirs',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ files_search_var($1) -+ allow $1 mandb_cache_t:dir setattr; - ') - - ######################################## - ## --## Read mandb cache content. -+## Delete mandb cache files. 
- ## - ## - ## -@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',` - ## - ## - # --interface(`mandb_read_cache_content',` -- refpolicywarn(`$0($*) has been deprecated') -+interface(`mandb_delete_cache',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ files_search_var($1) -+ allow $1 mandb_cache_t:dir list_dir_perms; -+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t) -+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t) -+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t) - ') - - ######################################## -@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',` - ## - ## - # --interface(`mandb_manage_cache_content',` -- refpolicywarn(`$0($*) has been deprecated') -+interface(`mandb_manage_cache_files',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t) -+') -+ -+######################################## -+## -+## Manage mandb cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mandb_manage_cache_dirs',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an mandb environment. -+## Create configuration files in user -+## home directories with a named file -+## type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`mandb_filetrans_named_home_content',` -+ gen_require(` -+ type mandb_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath") -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an mandb environment -+## -+## - ## --## Role allowed access. -+## Domain allowed access. 
- ## - ## --## - # - interface(`mandb_admin',` - gen_require(` -- type mandb_t, mandb_cache_t; -+ type mandb_t; -+ type mandb_cache_t, mandb_lock_t; - ') - - allow $1 mandb_t:process { ptrace signal_perms }; - ps_process_pattern($1, mandb_t) - -- mandb_run($1, $2) -+ files_search_var($1) -+ admin_pattern($1, mandb_cache_t) -+ -+ files_search_locks($1) -+ admin_pattern($1, mandb_lock_t) - -- # pending -- # miscfiles_manage_man_cache_content(mandb_t) -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/mandb.te b/mandb.te -index 5a414e0..7fee444 100644 ---- a/mandb.te -+++ b/mandb.te -@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles; - - type mandb_t; - type mandb_exec_t; --application_domain(mandb_t, mandb_exec_t) -+init_daemon_domain(mandb_t, mandb_exec_t) - role mandb_roles types mandb_t; - -+type mandb_cache_t; -+files_type(mandb_cache_t) -+ -+type mandb_home_t; -+userdom_user_home_content(mandb_home_t) -+ -+type mandb_lock_t; -+files_lock_file(mandb_lock_t) -+ - ######################################## - # - # Local policy - # - --allow mandb_t self:process signal; -+allow mandb_t self:process { setsched signal }; - allow mandb_t self:fifo_file rw_fifo_file_perms; - allow mandb_t self:unix_stream_socket create_stream_socket_perms; - -+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t) -+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) -+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) -+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) -+can_exec(mandb_t, mandb_exec_t) -+ -+userdom_search_user_home_dirs(mandb_t) -+allow mandb_t mandb_home_t:file read_file_perms; -+ -+allow mandb_t mandb_lock_t:file manage_file_perms; -+files_lock_filetrans(mandb_t, mandb_lock_t, file) -+ - kernel_read_system_state(mandb_t) - - corecmd_exec_bin(mandb_t) - - domain_use_interactive_fds(mandb_t) - --files_read_etc_files(mandb_t) -+files_search_locks(mandb_t) - 
- miscfiles_manage_man_cache(mandb_t) -+miscfiles_setattr_man_pages(mandb_t) - - optional_policy(` - cron_system_entry(mandb_t, mandb_exec_t) - ') -+ -diff --git a/mcelog.if b/mcelog.if -index 9dbe694..f89651e 100644 ---- a/mcelog.if -+++ b/mcelog.if -@@ -56,6 +56,6 @@ interface(`mcelog_admin',` - logging_search_logs($1) - admin_pattern($1, mcelog_log_t) - -- files_search_pids($1 -+ files_search_pids($1) - admin_pattern($1, mcelog_var_run_t) - ') -diff --git a/mcelog.te b/mcelog.te -index 13ea191..c146d9c 100644 ---- a/mcelog.te -+++ b/mcelog.te -@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) - ## - gen_tunable(mcelog_server, false) - --## --##
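Review bot: `files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })` has no name component, so anything mandb_t creates directly in any var_t directory is labelled mandb_cache_t, not just the `/var/cache/man` tree the .fc entry describes. This patch already uses named transitions elsewhere (`files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")`, `userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")`), so the same form fits here, e.g. `files_var_filetrans(mandb_t, mandb_cache_t, dir, "man")`, assuming `/var/cache` itself is var_t on this policy (not visible from here). Also note the domain changes from `application_domain` to `init_daemon_domain` while `role mandb_roles types mandb_t;` is kept; if it is still meant to be run by users/cron, a comment should state that dual use.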

    --## Determine whether mcelog can use syslog. --##

    --##
    --gen_tunable(mcelog_syslog, false) -- - type mcelog_t; - type mcelog_exec_t; - init_daemon_domain(mcelog_t, mcelog_exec_t) -@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) - - kernel_read_system_state(mcelog_t) - -+corecmd_exec_shell(mcelog_t) -+corecmd_exec_bin(mcelog_t) -+ - dev_read_raw_memory(mcelog_t) - dev_read_kmsg(mcelog_t) - dev_rw_sysfs(mcelog_t) - --files_read_etc_files(mcelog_t) -- - mls_file_read_all_levels(mcelog_t) - -+auth_use_nsswitch(mcelog_t) -+ - locallogin_use_fds(mcelog_t) - --miscfiles_read_localization(mcelog_t) -+logging_send_syslog_msg(mcelog_t) - - tunable_policy(`mcelog_client',` - allow mcelog_t self:unix_stream_socket connectto; -@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',` - allow mcelog_t self:unix_stream_socket { listen accept }; - ') - --tunable_policy(`mcelog_syslog',` -- logging_send_syslog_msg(mcelog_t) --') - - optional_policy(` - cron_system_entry(mcelog_t, mcelog_exec_t) -diff --git a/mcollective.fc b/mcollective.fc -new file mode 100644 -index 0000000..821bf88 ---- /dev/null -+++ b/mcollective.fc -@@ -0,0 +1,3 @@ -+/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0) -+ -+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0) -diff --git a/mcollective.if b/mcollective.if -new file mode 100644 -index 0000000..3f433f1 ---- /dev/null -+++ b/mcollective.if -@@ -0,0 +1,109 @@ -+ -+## policy for mcollective -+ -+######################################## -+## -+## Execute TEMPLATE in the mcollective domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mcollective_domtrans',` -+ gen_require(` -+ type mcollective_t, mcollective_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, mcollective_exec_t, mcollective_t) -+') -+ -+######################################## -+## -+## Search mcollective conf directories. -+## -+## -+## -+## Domain allowed access. 
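Review bot: `corecmd_exec_shell(mcelog_t)` and `corecmd_exec_bin(mcelog_t)` let mcelog_t run any shell or bin_t binary without a domain transition, and the surrounding context shows this domain also holds `dev_read_raw_memory` and `mls_file_read_all_levels`. If these rules exist for the trigger scripts mcelog runs on an error event (my inference; the hunk does not say), giving those scripts their own exec type with a transition — or at least a comment naming the consumer, `# for /etc/mcelog/triggers scripts` — keeps the raw-memory and MLS-read privileges out of arbitrary scripts. The earlier hunk also removes the `mcelog_syslog` boolean and makes syslog unconditional; tooling that still sets that boolean will now fail, so it deserves a changelog note.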
-+## -+## -+# -+interface(`mcollective_search_conf',` -+ gen_require(` -+ type mcollective_etc_rw_t; -+ ') -+ -+ allow $1 mcollective_etc_rw_t:dir search_dir_perms; -+ files_search_etc($1) -+') -+ -+######################################## -+## -+## Read mcollective conf files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mcollective_read_conf_files',` -+ gen_require(` -+ type mcollective_etc_rw_t; -+ ') -+ -+ allow $1 mcollective_etc_rw_t:dir list_dir_perms; -+ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t) -+ files_search_etc($1) -+') -+ -+######################################## -+## -+## Manage mcollective conf files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mcollective_manage_conf_files',` -+ gen_require(` -+ type mcollective_etc_rw_t; -+ ') -+ -+ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t) -+ files_search_etc($1) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an mcollective environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mcollective_admin',` -+ gen_require(` -+ type mcollective_t; -+ type mcollective_etc_rw_t; -+ ') -+ -+ allow $1 mcollective_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, mcollective_t) -+ -+ files_search_etc($1) -+ admin_pattern($1, mcollective_etc_rw_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/mcollective.te b/mcollective.te -new file mode 100644 -index 0000000..a04dd6b ---- /dev/null -+++ b/mcollective.te -@@ -0,0 +1,29 @@ -+policy_module(mcollective, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type mcollective_t; -+type mcollective_exec_t; -+init_daemon_domain(mcollective_t, mcollective_exec_t) -+cron_system_entry(mcollective_t, mcollective_exec_t) -+ -+permissive mcollective_t; -+ -+type mcollective_etc_rw_t; -+files_type(mcollective_etc_rw_t) -+ -+######################################## -+# -+# mcollective local policy -+# -+allow mcollective_t self:fifo_file rw_fifo_file_perms; -+allow mcollective_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t) -+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml") -+ -+domain_use_interactive_fds(mcollective_t) -+ -diff --git a/mediawiki.if b/mediawiki.if -index 9771b4b..1c1d012 100644 ---- a/mediawiki.if -+++ b/mediawiki.if -@@ -1 +1,40 @@ --## Open source wiki package written in PHP. -+## Mediawiki policy -+ -+####################################### -+## -+## Allow the specified domain to read -+## mediawiki tmp files. -+## -+## -+## -+## Domain allowed access. 
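Review bot: `permissive mcollective_t;` ships the new domain in permissive mode, so none of the rules below it are enforced and denials are only logged; that is acceptable for a first drop, but it should carry a comment with the intended removal point (`# permissive until the cron fact updater has been exercised on a full run`) and the rule set treated as unverified until then. `cron_system_entry(mcollective_t, mcollective_exec_t)` also sits outside `optional_policy`, so the module hard-depends on cron. Since the .fc labels only `/usr/libexec/mcollective/update_yaml.rb`, this domain covers the facts updater rather than the mcollective agent itself; the module header comment should say so to avoid confusion.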
-+## -+## -+# -+interface(`mediawiki_read_tmp_files',` -+ gen_require(` -+ type httpd_mediawiki_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -+') -+ -+####################################### -+## -+## Delete mediawiki tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mediawiki_delete_tmp_files',` -+ gen_require(` -+ type httpd_mediawiki_tmp_t; -+ ') -+ -+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -+') -diff --git a/mediawiki.te b/mediawiki.te -index c528b9f..212712c 100644 ---- a/mediawiki.te -+++ b/mediawiki.te -@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0) - # Declarations - # - --apache_content_template(mediawiki) -+optional_policy(` -+ -+ apache_content_template(mediawiki) - - ######################################## - # - # Local policy - # - --files_search_var_lib(httpd_mediawiki_script_t) -+ files_search_var_lib(httpd_mediawiki_script_t) - --miscfiles_read_tetex_data(httpd_mediawiki_script_t) -+ miscfiles_read_tetex_data(httpd_mediawiki_script_t) -+') -diff --git a/memcached.if b/memcached.if -index 1d4eb19..650014e 100644 ---- a/memcached.if -+++ b/memcached.if -@@ -1,4 +1,4 @@ --## High-performance memory object caching system. -+## high-performance memory object caching system - - ######################################## - ## -@@ -12,17 +12,16 @@ - # - interface(`memcached_domtrans',` - gen_require(` -- type memcached_t,memcached_exec_t; -+ type memcached_t; -+ type memcached_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, memcached_exec_t, memcached_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## memcached pid files. -+## Read memcached PID files. 
- ## - ## - ## -@@ -30,18 +29,18 @@ interface(`memcached_domtrans',` - ## - ## - # --interface(`memcached_manage_pid_files',` -+interface(`memcached_read_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) -- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) -+ allow $1 memcached_var_run_t:file read_file_perms; - ') - - ######################################## - ## --## Read memcached pid files. -+## Manage memcached PID files - ## - ## - ## -@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',` - ## - ## - # --interface(`memcached_read_pid_files',` -+interface(`memcached_manage_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) -- allow $1 memcached_var_run_t:file read_file_perms; -+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) - ') - - ######################################## - ## --## Connect to memcached using a unix --## domain stream socket. -+## Connect to memcached over a unix stream socket. - ## - ## - ## -@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',` - - ######################################## - ## --## Connect to memcache over the network. --## --## --## --## Domain allowed access. --## --## --# --interface(`memcached_tcp_connect',` -- gen_require(` -- type memcached_t; -- ') -- -- corenet_sendrecv_memcache_client_packets($1) -- corenet_tcp_connect_memcache_port($1) -- corenet_tcp_recvfrom_labeled($1, memcached_t) -- corenet_tcp_sendrecv_memcache_port($1) --') -- --######################################## --## --## All of the rules required to --## administrate an memcached environment. -+## All of the rules required to administrate -+## an memcached environment - ## - ## - ## -@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the memcached domain. 
- ## - ## - ## -@@ -121,14 +98,17 @@ interface(`memcached_admin',` - type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; - ') - -- allow $1 memcached_t:process { ptrace signal_perms }; -+ allow $1 memcached_t:process signal_perms; - ps_process_pattern($1, memcached_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 memcached_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, memcached_var_run_t) - ') -diff --git a/memcached.te b/memcached.te -index 4926208..4396320 100644 ---- a/memcached.te -+++ b/memcached.te -@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) - # Local policy - # - --allow memcached_t self:capability { setuid setgid }; -+allow memcached_t self:capability { setuid setgid sys_resource }; - dontaudit memcached_t self:capability sys_tty_config; - allow memcached_t self:process { setrlimit signal_perms }; - allow memcached_t self:tcp_socket { accept listen }; -@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t) - corenet_udp_bind_memcache_port(memcached_t) - corenet_udp_sendrecv_all_ports(memcached_t) - -+dev_read_sysfs(memcached_t) -+ - term_dontaudit_use_all_ptys(memcached_t) - term_dontaudit_use_all_ttys(memcached_t) - term_dontaudit_use_console(memcached_t) - - auth_use_nsswitch(memcached_t) - --miscfiles_read_localization(memcached_t) -diff --git a/milter.fc b/milter.fc -index 89409eb..67e42f6 100644 ---- a/milter.fc -+++ b/milter.fc -@@ -1,18 +1,29 @@ -+/etc/mail/dkim-milter/keys(/.*)? 
gen_context(system_u:object_r:dkim_milter_private_key_t,s0) -+ -+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) -+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) -+/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) - /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) --/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) --/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) - /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) - --/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) --/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) --/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) -+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) - --/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -+/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) - /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) --/var/run/spamass(/.*)? 
gen_context(system_u:object_r:spamass_milter_data_t,s0) --/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) --/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) -+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) - /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) -+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - --/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) -+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) - /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) -+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -+/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -diff --git a/milter.if b/milter.if -index cba62db..562833a 100644 ---- a/milter.if -+++ b/milter.if -@@ -1,47 +1,43 @@ --## Milter mail filters. -+## Milter mail filters - --####################################### -+######################################## - ## --## The template to define a milter domain. -+## Create a set of derived types for various -+## mail filter applications using the milter interface. - ## --## -+## - ## --## Domain prefix to be used. -+## The name to be used for deriving type names. 
- ## - ## - # - template(`milter_template',` -+ # attributes common to all milters - gen_require(` - attribute milter_data_type, milter_domains; - ') - -- ######################################## -- # -- # Declarations -- # -- - type $1_milter_t, milter_domains; - type $1_milter_exec_t; - init_daemon_domain($1_milter_t, $1_milter_exec_t) -+ role system_r types $1_milter_t; - -+ # Type for the milter data (e.g. the socket used to communicate with the MTA) - type $1_milter_data_t, milter_data_type; - files_pid_file($1_milter_data_t) - -- ######################################## -- # -- # Policy -- # -+ # Allow communication with MTA over a unix-domain socket -+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - -+ # Create other data files and directories in the data directory - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) -- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - -- auth_use_nsswitch($1_milter_t) -+ logging_send_syslog_msg($1_milter_t) - ') - - ######################################## - ## --## connect to all milter domains using --## a unix domain stream socket. -+## MTA communication with milter sockets - ## - ## - ## -@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',` - ') - - files_search_pids($1) -+ getattr_dirs_pattern($1, milter_data_type, milter_data_type) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) - ') - - ######################################## - ## --## Get attributes of all milter sock files. -+## Allow getattr of milter sockets - ## - ## - ## -@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',` - attribute milter_data_type; - ') - -+ getattr_dirs_pattern($1, milter_data_type, milter_data_type) - getattr_sock_files_pattern($1, milter_data_type, milter_data_type) - ') - - ######################################## - ## --## Create, read, write, and delete --## spamassissin milter data content. 
-+## Allow setattr of milter dirs -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`milter_setattr_all_dirs',` -+ gen_require(` -+ attribute milter_data_type; -+ ') -+ -+ setattr_dirs_pattern($1, milter_data_type, milter_data_type) -+') -+ -+######################################## -+## -+## Manage spamassassin milter state - ## - ## - ## -@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',` - manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - ') -+ -+####################################### -+## -+## Delete dkim-milter PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`milter_delete_dkim_pid_files',` -+ gen_require(` -+ type dkim_milter_data_t; -+ ') -+ -+ files_search_pids($1) -+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) -+') -diff --git a/milter.te b/milter.te -index 92508b2..db83591 100644 ---- a/milter.te -+++ b/milter.te -@@ -1,77 +1,110 @@ --policy_module(milter, 1.4.2) -+policy_module(milter, 1.4.0) - - ######################################## - # - # Declarations - # - -+# attributes common to all milters - attribute milter_domains; - attribute milter_data_type; - -+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter -+milter_template(dkim) -+ -+# type for the private key of dkim-milter -+type dkim_milter_private_key_t; -+files_type(dkim_milter_private_key_t) -+ -+# currently-supported milters are milter-greylist, milter-regex and spamass-milter - milter_template(greylist) - milter_template(regex) - milter_template(spamass) - -+# Type for the spamass-milter home directory, under which spamassassin will -+# store system-wide preferences, bayes databases etc. 
if not configured to -+# use per-user configuration - type spamass_milter_state_t; - files_type(spamass_milter_state_t) - -+ - ####################################### - # --# Common local policy -+# milter domains local policy - # - -+# Allow communication with MTA over a unix-domain socket -+# Note: usage with TCP sockets requires additional policy -+ - allow milter_domains self:fifo_file rw_fifo_file_perms; --allow milter_domains self:tcp_socket { accept listen }; -+ -+# Allow communication with MTA over a TCP socket -+allow milter_domains self:tcp_socket create_stream_socket_perms; - - kernel_dontaudit_read_system_state(milter_domains) - --corenet_all_recvfrom_unlabeled(milter_domains) --corenet_all_recvfrom_netlabel(milter_domains) --corenet_tcp_sendrecv_generic_if(milter_domains) --corenet_tcp_sendrecv_generic_node(milter_domains) - corenet_tcp_bind_generic_node(milter_domains) -- - corenet_tcp_bind_milter_port(milter_domains) --corenet_tcp_sendrecv_all_ports(milter_domains) - --miscfiles_read_localization(milter_domains) -+dev_read_rand(milter_domains) -+dev_read_urand(milter_domains) -+ -+mta_read_config(milter_domains) -+ -+sysnet_read_config(greylist_milter_t) -+ -+####################################### -+# -+# dkim-milter local policy -+# -+ -+allow dkim_milter_t self:capability { kill setgid setuid }; -+allow dkim_milter_t self:process signal; -+allow dkim_milter_t self:tcp_socket create_stream_socket_perms; -+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; - --logging_send_syslog_msg(milter_domains) -+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) -+ -+kernel_read_kernel_sysctls(dkim_milter_t) -+ -+auth_use_nsswitch(dkim_milter_t) -+ -+sysnet_dns_name_resolve(dkim_milter_t) - - ######################################## - # --# greylist local policy -+# milter-greylist local policy -+# ensure smtp clients retry mail like real MTAs and not spamware -+# http://hcpnet.free.fr/milter-greylist/ 
- # - -+# It removes any existing socket (not owned by root) whilst running as root, -+# fixes permissions, renices itself and then calls setgid() and setuid() to -+# drop privileges - allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; - allow greylist_milter_t self:process { setsched getsched }; - -+allow greylist_milter_t self:tcp_socket create_stream_socket_perms; -+ -+# It creates a pid file /var/run/milter-greylist.pid - files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) - - kernel_read_kernel_sysctls(greylist_milter_t) - --corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t) --corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) --corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t) --corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) --corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t) -- --corenet_sendrecv_kismet_server_packets(greylist_milter_t) --corenet_tcp_bind_kismet_port(greylist_milter_t) --corenet_tcp_sendrecv_kismet_port(greylist_milter_t) -- - corecmd_exec_bin(greylist_milter_t) - corecmd_exec_shell(greylist_milter_t) - --dev_read_rand(greylist_milter_t) --dev_read_urand(greylist_milter_t) -+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) -+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) -+corenet_tcp_bind_rtsclient_port(greylist_milter_t) - --files_read_usr_files(greylist_milter_t) -+# perl getgroups() reads a bunch of files in /etc -+# Allow the milter to read a GeoIP database in /usr/share -+# The milter runs from /var/lib/milter-greylist and maintains files there - files_search_var_lib(greylist_milter_t) - --mta_read_config(greylist_milter_t) -- --miscfiles_read_localization(greylist_milter_t) -+# Look up username for dropping privs -+auth_use_nsswitch(greylist_milter_t) - - optional_policy(` - mysql_stream_connect(greylist_milter_t) -@@ -79,30 +112,45 @@ optional_policy(` - - ######################################## - # --# regex local policy -+# milter-regex 
local policy -+# filter emails using regular expressions -+# http://www.benzedrine.cx/milter-regex.html - # - -+# It removes any existing socket (not owned by root) whilst running as root -+# and then calls setgid() and setuid() to drop privileges - allow regex_milter_t self:capability { setuid setgid dac_override }; - -+# The milter's socket directory lives under /var/spool - files_search_spool(regex_milter_t) - --mta_read_config(regex_milter_t) -+# Look up username for dropping privs -+auth_use_nsswitch(regex_milter_t) - - ######################################## - # --# spamass local policy -+# spamass-milter local policy -+# pipe emails through SpamAssassin -+# http://savannah.nongnu.org/projects/spamass-milt/ - # - -+# The milter runs from /var/lib/spamass-milter - allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; -+files_search_var_lib(spamass_milter_t) - - kernel_read_system_state(spamass_milter_t) - -+# When used with -b or -B options, the milter invokes sendmail to send mail -+# to a spamtrap address, using popen() - corecmd_exec_shell(spamass_milter_t) -+corecmd_read_bin_symlinks(spamass_milter_t) -+corecmd_search_bin(spamass_milter_t) - --files_search_var_lib(spamass_milter_t) -+auth_use_nsswitch(spamass_milter_t) - - mta_send_mail(spamass_milter_t) - -+# The main job of the milter is to pipe spam through spamc and act on the result - optional_policy(` - spamassassin_domtrans_client(spamass_milter_t) - ') -diff --git a/mock.fc b/mock.fc -new file mode 100644 -index 0000000..8d0e473 ---- /dev/null -+++ b/mock.fc -@@ -0,0 +1,5 @@ -+ -+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) -+ -+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) -+/var/cache/mock(/.*)? 
gen_context(system_u:object_r:mock_cache_t,s0) -diff --git a/mock.if b/mock.if -new file mode 100644 -index 0000000..6568bfe ---- /dev/null -+++ b/mock.if -@@ -0,0 +1,310 @@ -+## policy for mock -+ -+######################################## -+## -+## Execute a domain transition to run mock. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mock_domtrans',` -+ gen_require(` -+ type mock_t, mock_exec_t; -+ ') -+ -+ domtrans_pattern($1, mock_exec_t, mock_t) -+') -+ -+######################################## -+## -+## Search mock lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_search_lib',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ allow $1 mock_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read mock lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_read_lib_files',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -+') -+ -+######################################## -+## -+## Getattr on mock lib file,dir,sock_file ... -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_getattr_lib',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ allow $1 mock_var_lib_t:dir_file_class_set getattr; -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## mock lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_manage_lib_files',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -+') -+ -+######################################## -+## -+## Manage mock lib dirs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mock_manage_lib_dirs',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) -+') -+ -+######################################### -+## -+## Manage mock lib symlinks. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_manage_lib_symlinks',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -+') -+ -+######################################## -+## -+## Manage mock lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_manage_lib_chr_files',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) -+') -+ -+######################################## -+## -+## Manage mock lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_dontaudit_write_lib_chr_files',` -+ gen_require(` -+ type mock_var_lib_t; -+ ') -+ -+ dontaudit $1 mock_var_lib_t:chr_file write; -+') -+ -+####################################### -+## -+## Dontaudit read and write an leaked file descriptors -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`mock_dontaudit_leaks',` -+ gen_require(` -+ type mock_tmp_t; -+ ') -+ -+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Execute mock in the mock domain, and -+## allow the specified role the mock domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the mock domain. 
-+## -+## -+## -+# -+interface(`mock_run',` -+ gen_require(` -+ type mock_t; -+ type mock_build_t; -+ ') -+ -+ mock_domtrans($1) -+ role $2 types mock_t; -+ role $2 types mock_build_t; -+ -+ mount_run(mock_t, $2) -+') -+ -+######################################## -+## -+## Role access for mock -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+## -+# -+interface(`mock_role',` -+ gen_require(` -+ type mock_t; -+ ') -+ -+ role $1 types mock_t; -+ -+ mock_run($2, $1) -+ -+ ps_process_pattern($2, mock_t) -+ allow $2 mock_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 mock_t:process ptrace; -+ ') -+ -+ optional_policy(` -+ mock_read_lib_files($2) -+ ') -+') -+ -+####################################### -+## -+## Send a generic signal to mock. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_signal',` -+ gen_require(` -+ type mock_t; -+ ') -+ -+ allow $1 mock_t:process signal; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an mock environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mock_admin',` -+ gen_require(` -+ type mock_t, mock_var_lib_t; -+ type mock_build_t, mock_etc_t, mock_tmp_t; -+ ') -+ -+ allow $1 mock_t:process signal_perms; -+ ps_process_pattern($1, mock_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mock_t:process ptrace; -+ allow $1 mock_build_t:process ptrace; -+ ') -+ -+ allow $1 mock_build_t:process signal_perms; -+ ps_process_pattern($1, mock_build_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, mock_var_lib_t) -+ -+ files_list_tmp($1) -+ admin_pattern($1, mock_tmp_t) -+ -+ files_search_etc($1) -+ admin_pattern($1, mock_etc_t) -+') -diff --git a/mock.te b/mock.te -new file mode 100644 -index 0000000..7245033 ---- /dev/null -+++ b/mock.te -@@ -0,0 +1,273 @@ -+policy_module(mock,1.0.0) -+ -+## -+##

    -+## Allow mock to read files in home directories. -+##

    -+##
    -+gen_tunable(mock_enable_homedirs, false) -+ -+######################################## -+# -+# Declarations -+# -+ -+type mock_t; -+type mock_exec_t; -+application_domain(mock_t, mock_exec_t) -+domain_role_change_exemption(mock_t) -+domain_system_change_exemption(mock_t) -+role system_r types mock_t; -+ -+type mock_build_t; -+type mock_build_exec_t; -+application_domain(mock_build_t, mock_build_exec_t) -+role system_r types mock_build_t; -+ -+type mock_cache_t; -+files_type(mock_cache_t) -+ -+type mock_tmp_t; -+files_tmp_file(mock_tmp_t) -+ -+type mock_var_lib_t; -+files_type(mock_var_lib_t) -+ -+type mock_var_run_t; -+files_pid_file(mock_var_run_t) -+ -+type mock_etc_t; -+files_config_file(mock_etc_t) -+ -+######################################## -+# -+# mock local policy -+# -+ -+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; -+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; -+# Needed because mock can run java and mono withing build environment -+allow mock_t self:process { execmem execstack }; -+dontaudit mock_t self:process { siginh noatsecure rlimitinh }; -+allow mock_t self:fifo_file manage_fifo_file_perms; -+allow mock_t self:unix_stream_socket create_stream_socket_perms; -+allow mock_t self:unix_dgram_socket create_socket_perms; -+ -+allow mock_t mock_build_t:process { siginh noatsecure rlimitinh }; -+ -+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t) -+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t) -+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t) -+files_var_filetrans(mock_t, mock_cache_t, { dir file } ) -+ -+read_files_pattern(mock_t, mock_etc_t, mock_etc_t) -+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t) -+ -+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) -+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) -+manage_lnk_files_pattern(mock_t, 
mock_tmp_t, mock_tmp_t) -+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) -+allow mock_t mock_var_lib_t:dir mounton; -+allow mock_t mock_var_lib_t:dir relabel_dir_perms; -+allow mock_t mock_var_lib_t:file relabel_file_perms; -+ -+manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) -+manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t) -+manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) -+manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t) -+files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file }) -+ -+kernel_read_irq_sysctls(mock_t) -+kernel_read_system_state(mock_t) -+kernel_read_network_state(mock_t) -+kernel_read_kernel_sysctls(mock_t) -+kernel_request_load_module(mock_t) -+kernel_dontaudit_setattr_proc_dirs(mock_t) -+kernel_read_fs_sysctls(mock_t) -+# we run mount in mock_t -+kernel_mount_proc(mock_t) -+kernel_unmount_proc(mock_t) -+ -+fs_mount_tmpfs(mock_t) -+fs_unmount_tmpfs(mock_t) -+fs_unmount_xattr_fs(mock_t) -+ -+corecmd_exec_bin(mock_t) -+corecmd_exec_shell(mock_t) -+corecmd_dontaudit_exec_all_executables(mock_t) -+ -+corenet_tcp_connect_git_port(mock_t) -+corenet_tcp_connect_http_port(mock_t) -+corenet_tcp_connect_ftp_port(mock_t) -+corenet_tcp_connect_all_ephemeral_ports(mock_t) -+ -+dev_read_urand(mock_t) -+dev_rw_sysfs(mock_t) -+dev_setattr_sysfs_dirs(mock_t) -+dev_mount_sysfs_fs(mock_t) -+dev_unmount_sysfs_fs(mock_t) -+ -+domain_read_all_domains_state(mock_t) -+domain_use_interactive_fds(mock_t) -+ -+files_read_etc_runtime_files(mock_t) -+files_dontaudit_list_boot(mock_t) 
-+files_list_isid_type_dirs(mock_t) -+ -+fs_getattr_all_fs(mock_t) -+fs_manage_cgroup_dirs(mock_t) -+fs_search_all(mock_t) -+fs_setattr_tmpfs_dirs(mock_t) -+ -+selinux_get_enforce_mode(mock_t) -+ -+term_search_ptys(mock_t) -+term_mount_pty_fs(mock_t) -+term_unmount_pty_fs(mock_t) -+ -+auth_use_nsswitch(mock_t) -+ -+init_exec(mock_t) -+init_dontaudit_stream_connect(mock_t) -+ -+libs_exec_ldconfig(mock_t) -+ -+logging_send_audit_msgs(mock_t) -+logging_send_syslog_msg(mock_t) -+ -+userdom_use_user_ptys(mock_t) -+ -+files_search_home(mock_t) -+ -+tunable_policy(`mock_enable_homedirs',` -+ userdom_manage_user_home_content_dirs(mock_t) -+ userdom_manage_user_home_content_files(mock_t) -+') -+ -+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',` -+ rpc_search_nfs_state_data(mock_t) -+ fs_list_auto_mountpoints(mock_t) -+ fs_manage_nfs_files(mock_t) -+') -+ -+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',` -+ fs_list_auto_mountpoints(mock_t) -+ fs_read_cifs_files(mock_t) -+ fs_manage_cifs_files(mock_t) -+') -+ -+optional_policy(` -+ abrt_read_spool_retrace(mock_t) -+ abrt_read_cache_retrace(mock_t) -+ abrt_stream_connect(mock_t) -+') -+ -+optional_policy(` -+ apache_read_sys_content_rw_files(mock_t) -+') -+ -+optional_policy(` -+ rpm_exec(mock_t) -+ rpm_manage_cache(mock_t) -+ rpm_manage_db(mock_t) -+ rpm_manage_tmp_files(mock_t) -+ rpm_read_log(mock_t) -+') -+ -+optional_policy(` -+ mount_exec(mock_t) -+ mount_rw_pid_files(mock_t) -+') -+ -+ -+######################################## -+# -+# mock_build local policy -+# -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; -+dontaudit mock_build_t self:capability audit_write; -+allow mock_build_t self:process { fork setsched setpgid signal_perms }; -+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; -+# Needed because mock can run java and mono withing build environment -+allow mock_build_t 
self:process { execmem execstack }; -+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh }; -+allow mock_build_t self:fifo_file manage_fifo_file_perms; -+allow mock_build_t self:unix_stream_socket create_stream_socket_perms; -+allow mock_build_t self:unix_dgram_socket create_socket_perms; -+allow mock_build_t self:dir list_dir_perms; -+allow mock_build_t self:dir read_file_perms; -+ -+ps_process_pattern(mock_t, mock_build_t) -+allow mock_t mock_build_t:process signal_perms; -+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t) -+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t) -+domain_entry_file(mock_build_t, mock_tmp_t) -+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t) -+domain_entry_file(mock_build_t, mock_var_lib_t) -+ -+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t) -+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t) -+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t) -+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } ) -+ -+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t) -+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t) -+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file }) -+can_exec(mock_build_t, mock_tmp_t) -+ -+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) -+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) -+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) -+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) -+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t) -+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file }) -+can_exec(mock_build_t, mock_var_lib_t) -+allow mock_build_t mock_var_lib_t:dir mounton; -+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms; -+allow mock_build_t mock_var_lib_t:file relabel_file_perms; -+ -+kernel_list_proc(mock_build_t) -+kernel_read_irq_sysctls(mock_build_t) 
-+kernel_read_system_state(mock_build_t) -+kernel_read_network_state(mock_build_t) -+kernel_read_kernel_sysctls(mock_build_t) -+kernel_request_load_module(mock_build_t) -+kernel_dontaudit_setattr_proc_dirs(mock_build_t) -+ -+corecmd_exec_bin(mock_build_t) -+corecmd_exec_shell(mock_build_t) -+corecmd_dontaudit_exec_all_executables(mock_build_t) -+ -+dev_getattr_all_chr_files(mock_build_t) -+dev_dontaudit_list_all_dev_nodes(mock_build_t) -+dev_dontaudit_getattr_all(mock_build_t) -+fs_getattr_all_dirs(mock_build_t) -+dev_read_sysfs(mock_build_t) -+ -+domain_dontaudit_read_all_domains_state(mock_build_t) -+domain_use_interactive_fds(mock_build_t) -+ -+files_dontaudit_list_boot(mock_build_t) -+ -+fs_getattr_all_fs(mock_build_t) -+fs_manage_cgroup_dirs(mock_build_t) -+ -+selinux_get_enforce_mode(mock_build_t) -+ -+auth_use_nsswitch(mock_build_t) -+ -+init_exec(mock_build_t) -+init_dontaudit_stream_connect(mock_build_t) -+ -+libs_exec_ldconfig(mock_build_t) -+ -+tunable_policy(`mock_enable_homedirs',` -+ userdom_read_user_home_content_files(mock_build_t) -+') -diff --git a/modemmanager.fc b/modemmanager.fc -index a83894c..481dca3 100644 ---- a/modemmanager.fc -+++ b/modemmanager.fc -@@ -1 +1,4 @@ - /usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) -+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) -+ -+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) -diff --git a/modemmanager.if b/modemmanager.if -index b1ac8b5..9b22bea 100644 ---- a/modemmanager.if -+++ b/modemmanager.if -@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` - - ######################################## - ## -+## Execute modemmanager server in the modemmanager domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`modemmanager_systemctl',` -+ gen_require(` -+ type modemmanager_t; -+ type modemmanager_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 modemmanager_unit_file_t:file read_file_perms; -+ allow $1 modemmanager_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, modemmanager_t) -+') -+ -+######################################## -+## - ## Send and receive messages from - ## modemmanager over dbus. - ## -@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',` - allow $1 modemmanager_t:dbus send_msg; - allow modemmanager_t $1:dbus send_msg; - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an modemmanager environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`modemmanager_admin',` -+ gen_require(` -+ type modemmanager_t; -+ type modemmanager_unit_file_t; -+ ') -+ -+ allow $1 modemmanager_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, modemmanager_t) -+ -+ modemmanager_systemctl($1) -+ admin_pattern($1, modemmanager_unit_file_t) -+ allow $1 modemmanager_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..ab6fb25 100644 ---- a/modemmanager.te -+++ b/modemmanager.te -@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) - typealias modemmanager_t alias ModemManager_t; - typealias modemmanager_exec_t alias ModemManager_exec_t; - -+type modemmanager_unit_file_t; -+systemd_unit_file(modemmanager_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t) - dev_read_sysfs(modemmanager_t) - dev_rw_modem(modemmanager_t) - --files_read_etc_files(modemmanager_t) - - term_use_generic_ptys(modemmanager_t) - 
term_use_unallocated_ttys(modemmanager_t) -+term_use_usb_ttys(modemmanager_t) - --miscfiles_read_localization(modemmanager_t) -+xserver_read_state_xdm(modemmanager_t) - - logging_send_syslog_msg(modemmanager_t) - -diff --git a/mojomojo.if b/mojomojo.if -index 73952f4..b19a6ee 100644 ---- a/mojomojo.if -+++ b/mojomojo.if -@@ -15,7 +15,6 @@ - ## Role allowed access. - ##
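Review bot: `xserver_read_state_xdm(modemmanager_t)` gives a hardware-facing system daemon read access to the display manager's process state with nothing saying why; ModemManager has no display-manager dependency in the rest of this hunk, so the line needs a comment such as `# reads xdm state: <AVC/bug reference>` or should be dropped until the motivating denial is attached. Removing `files_read_etc_files(modemmanager_t)` and `miscfiles_read_localization(modemmanager_t)` is presumably because the base policy now grants both to every domain; if that is not true on the target tree the daemon loses /etc and locale access, so the commit message should say which base change makes the removal safe. `term_use_usb_ttys(modemmanager_t)` is the right addition for USB modems.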
    - ## --## - # - interface(`mojomojo_admin',` - refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') -diff --git a/mojomojo.te b/mojomojo.te -index 7e534cf..3652584 100644 ---- a/mojomojo.te -+++ b/mojomojo.te -@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1) - # Declarations - # - --apache_content_template(mojomojo) -+type httpd_mojomojo_tmp_t; -+files_tmp_file(httpd_mojomojo_tmp_t) - - ######################################## - # - # Local policy - # - --allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; -+optional_policy(` -+ apache_content_template(mojomojo) - --corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) --corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) --corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; - --files_search_var_lib(httpd_mojomojo_script_t) -+ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -+ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -+ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) - --sysnet_dns_name_resolve(httpd_mojomojo_script_t) -+ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) -+ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) -+ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -+ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -+ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) - --mta_send_mail(httpd_mojomojo_script_t) -+ files_search_var_lib(httpd_mojomojo_script_t) -+ -+ sysnet_dns_name_resolve(httpd_mojomojo_script_t) -+ -+ mta_send_mail(httpd_mojomojo_script_t) -+ -+ optional_policy(` -+ mysql_stream_connect(httpd_mojomojo_script_t) -+ ') -+ -+ optional_policy(` -+ postgresql_stream_connect(httpd_mojomojo_script_t) 
-+ ') -+') -diff --git a/mongodb.te b/mongodb.te -index 4de8949..7bd7e35 100644 ---- a/mongodb.te -+++ b/mongodb.te -@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t) - corenet_all_recvfrom_netlabel(mongod_t) - corenet_tcp_sendrecv_generic_if(mongod_t) - corenet_tcp_sendrecv_generic_node(mongod_t) -+corenet_tcp_connect_mongod_port(mongod_t) - corenet_tcp_bind_generic_node(mongod_t) - - dev_read_sysfs(mongod_t) - dev_read_urand(mongod_t) - --files_read_etc_files(mongod_t) -- - fs_getattr_all_fs(mongod_t) - --miscfiles_read_localization(mongod_t) -diff --git a/mono.te b/mono.te -index d287fe9..3dc493c 100644 ---- a/mono.te -+++ b/mono.te -@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack }; - # local policy - # - --userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) -+userdom_filetrans_home_content(mono_t) - - init_dbus_chat_script(mono_t) - -diff --git a/monop.if b/monop.if -index 8fdaece..5440757 100644 ---- a/monop.if -+++ b/monop.if -@@ -31,7 +31,7 @@ interface(`monop_admin',` - role_transition $2 monopd_initrc_exec_t system_r; - allow $2 system_r; - -- logging_search_etc($1) -+ logging_search_logs($1) - admin_pattern($1, monopd_etc_t) - - files_search_pids($1) -diff --git a/monop.te b/monop.te -index 4462c0e..84944d1 100644 ---- a/monop.te -+++ b/monop.te -@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t) - kernel_list_proc(monopd_t) - kernel_read_proc_symlinks(monopd_t) - --corenet_all_recvfrom_unlabeled(monopd_t) - corenet_all_recvfrom_netlabel(monopd_t) - corenet_tcp_sendrecv_generic_if(monopd_t) - corenet_tcp_sendrecv_generic_node(monopd_t) -@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t) - - domain_use_interactive_fds(monopd_t) - --files_read_etc_files(monopd_t) -- - fs_getattr_all_fs(monopd_t) - fs_search_auto_mountpoints(monopd_t) - - logging_send_syslog_msg(monopd_t) - --miscfiles_read_localization(monopd_t) -- - sysnet_dns_name_resolve(monopd_t) - - 
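Review bot: `corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)` and `corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)` give the CGI domain unconditional TCP access to database ports, which is wider than the local `mysql_stream_connect`/`postgresql_stream_connect` paths the hunk correctly leaves inside `optional_policy`; consider placing the TCP variants behind a tunable so a default install only gets socket access, with a comment noting that the database may be remote if that is the reason. `type httpd_mojomojo_tmp_t` is declared unconditionally but only used inside the `optional_policy` block that requires apache — harmless, but a one-line comment (`# used only when apache is present`) would stop the next reader from treating it as dead.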
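Review bot: Dropping `corenet_all_recvfrom_unlabeled(monopd_t)` while keeping `corenet_all_recvfrom_netlabel(monopd_t)` means monopd can only receive TCP traffic on hosts with labeled networking unless the base policy already grants unlabeled receive to every domain; this patch looks Fedora-flavoured (the `distro_redhat` blocks later in it), where that is presumably the case, but the commit message or a comment should say so, otherwise the removal reads as a networking regression on other trees. The same reasoning applies to the `files_read_etc_files`/`miscfiles_read_localization` removals in the hunk that follows.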
userdom_dontaudit_use_unpriv_user_fds(monopd_t) -diff --git a/motion.fc b/motion.fc -new file mode 100644 -index 0000000..7415106 ---- /dev/null -+++ b/motion.fc -@@ -0,0 +1,9 @@ -+/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0) -+ -+/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0) -+ -+/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0) -+ -+/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0) -+ -+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0) -diff --git a/motion.if b/motion.if -new file mode 100644 -index 0000000..1b1b04c ---- /dev/null -+++ b/motion.if -@@ -0,0 +1,193 @@ -+ -+## Detect motion using a video4linux device -+ -+######################################## -+## -+## Execute TEMPLATE in the motion domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`motion_domtrans',` -+ gen_require(` -+ type motion_t, motion_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, motion_exec_t, motion_t) -+') -+######################################## -+## -+## Read motion's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`motion_read_log',` -+ gen_require(` -+ type motion_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, motion_log_t, motion_log_t) -+') -+ -+######################################## -+## -+## Append to motion log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`motion_append_log',` -+ gen_require(` -+ type motion_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, motion_log_t, motion_log_t) -+') -+ -+######################################## -+## -+## Manage motion log files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`motion_manage_log',` -+ gen_require(` -+ type motion_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, motion_log_t, motion_log_t) -+ manage_files_pattern($1, motion_log_t, motion_log_t) -+ manage_lnk_files_pattern($1, motion_log_t, motion_log_t) -+') -+ -+######################################## -+## -+## Manage motion pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`motion_manage_pid',` -+ gen_require(` -+ type motion_var_run_t; -+ ') -+ -+ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t) -+ manage_files_pattern($1, motion_var_run_t, motion_var_run_t) -+') -+ -+######################################## -+## -+## Manage motion data files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`motion_manage_data',` -+ gen_require(` -+ type motion_data_t; -+ ') -+ -+ manage_dirs_pattern($1, motion_data_t, motion_data_t) -+ manage_files_pattern($1, motion_data_t, motion_data_t) -+') -+ -+######################################## -+## -+## Execute motion server in the motion domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`motion_systemctl',` -+ gen_require(` -+ type motion_t; -+ type motion_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) -+ allow $1 motion_unit_file_t:file read_file_perms; -+ allow $1 motion_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, motion_t) -+') -+ -+######################################## -+## -+## Manage all motion files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`motion_manage_all_files',` -+ -+ motion_manage_log($1) -+ motion_manage_pid($1) -+ motion_manage_data($1) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an motion environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`motion_admin',` -+ gen_require(` -+ type motion_t; -+ type motion_log_t; -+ type motion_unit_file_t; -+ ') -+ -+ allow $1 motion_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, motion_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, motion_log_t) -+ -+ motion_systemctl($1) -+ admin_pattern($1, motion_unit_file_t) -+ allow $1 motion_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/motion.te b/motion.te -new file mode 100644 -index 0000000..b694afc ---- /dev/null -+++ b/motion.te -@@ -0,0 +1,64 @@ -+policy_module(motion, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type motion_t; -+type motion_exec_t; -+init_daemon_domain(motion_t, motion_exec_t) -+ -+type motion_log_t; -+logging_log_file(motion_log_t) -+ -+type motion_unit_file_t; -+systemd_unit_file(motion_unit_file_t) -+ -+type motion_var_run_t; -+files_pid_file(motion_var_run_t) -+ -+type motion_data_t; -+files_type(motion_data_t) -+ -+######################################## -+# -+# motion local policy -+# -+allow motion_t self:udp_socket { create connect getattr }; -+allow motion_t self:tcp_socket { bind create setopt listen }; -+allow motion_t self:netlink_route_socket r_netlink_socket_perms; -+ -+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t) -+manage_files_pattern(motion_t, motion_log_t, motion_log_t) -+logging_log_filetrans(motion_t, motion_log_t, { dir file }) -+ -+manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t) -+manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t) -+files_pid_filetrans(motion_t, motion_var_run_t, { dir file }) -+ -+manage_dirs_pattern(motion_t, motion_data_t, motion_data_t) -+manage_files_pattern(motion_t, motion_data_t, motion_data_t) -+files_var_filetrans(motion_t, motion_data_t, { dir file }) -+ -+corenet_tcp_bind_http_cache_port(motion_t) 
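Review bot: `motion_systemctl` calls `systemd_read_fifo_file_password_run($1)`, but `motion_admin` a few lines below and `modemmanager_systemctl` earlier in this patch call `systemd_read_fifo_file_passwd_run($1)`; an interface name the systemd module does not define is left unexpanded by m4 and breaks the module build, so the line should be `systemd_read_fifo_file_passwd_run($1)` (or whichever spelling the systemd module actually exports — only one of the two can be right). The `motion_domtrans` summary still reads `## Execute TEMPLATE in the motion domain.`, a leftover from the policy skeleton, and should say `## Execute motion in the motion domain.`; likewise the `motion_systemctl` summary `## Execute motion server in the motion domain.` should describe service management via systemctl, which is what the rules grant.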
-+corenet_tcp_bind_transproxy_port(motion_t)
-+corenet_tcp_connect_http_port(motion_t)
-+corenet_tcp_bind_generic_node(motion_t)
-+
-+dev_read_video_dev(motion_t)
-+dev_write_video_dev(motion_t)
-+
-+domain_use_interactive_fds(motion_t)
-+
-+logging_send_syslog_msg(motion_t)
-+
-+sysnet_read_config(motion_t)
-+
-+userdom_home_manager(motion_t)
-+
-+optional_policy(`
-+ zoneminder_domtrans(motion_t)
-+ zoneminder_manage_lib_files(motion_t)
-+')
-+
-diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..a4d75bf 100644
---- a/mozilla.fc
-+++ b/mozilla.fc
-@@ -1,38 +1,69 @@
--HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
--HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
--HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
--HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
--
--HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
--
--/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.galeon(/.*)?
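Review bot: `userdom_home_manager(motion_t)` lets a daemon that binds the http_cache and transproxy ports and reads the camera device create, write and delete every user's home-directory content; a compromised motion process could then drop files into `~/.ssh` or shell rc files, so this should be narrowed to the specific type of the directory motion writes into, or at least put behind a tunable defaulting to off, in the style of the `mock_enable_homedirs` block visible earlier in this patch. `files_var_filetrans(motion_t, motion_data_t, { dir file })` has no name argument, so anything motion creates directly under /var, not just /var/motion, is labelled `motion_data_t`; if this tree's `files_var_filetrans` accepts the optional filename, use `files_var_filetrans(motion_t, motion_data_t, dir, "motion")`. `allow motion_t self:tcp_socket { bind create setopt listen }` lacks `accept` (and read/write), so the web control interface will be denied at accept() unless those permissions arrive from elsewhere — presumably `create_stream_socket_perms` was intended.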
gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/\.IBMERS(/.*)?
gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+#
-+# /bin
-+#
-+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
--/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
- 
--/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla/plugins-wrapped(/.*)?
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
--/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+ifdef(`distro_redhat',`
-+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
- /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
--/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
--/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+')
-+
-+ifdef(`distro_debian',`
-+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+')
-+
-+#
-+# /lib
-+#
-+
-+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+
-+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+
-+/usr/lib/mozilla/plugins-wrapped(/.*)?
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) -+ -+ifdef(`distro_redhat',` -+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) -+') -diff --git a/mozilla.if b/mozilla.if -index 6194b80..ada96f0 100644 ---- a/mozilla.if -+++ b/mozilla.if -@@ -1,146 +1,75 @@ --## Policy for Mozilla and related web browsers. -+## Policy for Mozilla and related web browsers - - ######################################## - ## --## Role access for mozilla. -+## Role access for mozilla - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. -+## User domain for the role - ## - ## - # - interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; -- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; -- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; - attribute_role mozilla_roles; - ') - -- ######################################## -- # -- # Declarations -- # -- - roleattribute $1 mozilla_roles; - -- ######################################## -- # -- # Policy -- # -- -- domtrans_pattern($2, mozilla_exec_t, mozilla_t) -+ domain_auto_trans($2, mozilla_exec_t, mozilla_t) -+ # Unrestricted inheritance from the caller. -+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; -+ allow mozilla_t $2:fd use; -+ allow mozilla_t $2:process { sigchld signull }; -+ allow mozilla_t $2:unix_stream_socket connectto; - -- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; -+ # Allow the user domain to signal/ps. 
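Review bot: `HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)` and `HOME_DIR/POkemon.*(/.*)?` look like developer test entries rather than real browser paths; they would relabel any user file named `abc` or anything starting with `POkemon` in every home directory as `mozilla_home_t`, making it writable by the browser domain, and should be removed before this ships. Folding the former `mozilla_plugin_home_t` locations (`.adobe`, `.macromedia`, `.gnash`, `.icedteaplugin`, `.spicec`, ...) into `mozilla_home_t` also removes the type separation between the browser profile and plugin scratch data, which matters because `mozilla_exec_user_home_files`/`mozilla_execmod_user_home_files` later in this patch now operate on all of `mozilla_home_t`. Labelling `HOME_DIR/\.config/chromium(/.*)?` with Firefox's profile type deserves a comment, since an unrelated browser now shares the same label and therefore the same access rules.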
- ps_process_pattern($2, mozilla_t) -- -- allow mozilla_t $2:process signull; -- allow mozilla_t $2:unix_stream_socket connectto; -+ allow $2 mozilla_t:process signal_perms; - - allow $2 mozilla_t:fd use; -- allow $2 mozilla_t:shm rw_shm_perms; -- -- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) -+ allow $2 mozilla_t:shm { associate getattr }; -+ allow $2 mozilla_t:shm { unix_read unix_write }; -+ allow $2 mozilla_t:unix_stream_socket connectto; - -- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") -+ # X access, Home files -+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) -+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t) -+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) -+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) -+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) -+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - -- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") -+ #should be remove then with adding of roleattribute -+ mozilla_run_plugin(mozilla_t, $1) -+ mozilla_dbus_chat($2) - -- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- -- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { 
manage_dir_perms relabel_dir_perms }; -- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ userdom_manage_tmp_role($1, mozilla_t) - - optional_policy(` -- mozilla_dbus_chat($2) -+ nsplugin_role($1, mozilla_t) - ') --') - --######################################## --## --## Role access for mozilla plugin. --## --## --## --## Role allowed access. --## --## --## --## --## User domain for the role. --## --## --# --interface(`mozilla_role_plugin',` -- gen_require(` -- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; -- type mozilla_home_t; -+ optional_policy(` -+ pulseaudio_role($1, mozilla_t) -+ pulseaudio_filetrans_admin_home_content(mozilla_t) -+ pulseaudio_filetrans_home_content(mozilla_t) - ') - -- mozilla_run_plugin($2, $1) -- mozilla_run_plugin_config($2, $1) -- -- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; -- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) -- -- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; -- allow $2 mozilla_plugin_t:fd use; -- -- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) -- -- allow mozilla_plugin_t $2:process signull; -- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; -- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; -- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; -- allow mozilla_plugin_t $2:sem create_sem_perms; -- -- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; -- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- 
userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") -- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") -+ mozilla_filetrans_home_content($2) - -- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; -- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- -- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; -- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -- -- allow $2 mozilla_plugin_rw_t:dir list_dir_perms; -- allow $2 mozilla_plugin_rw_t:file read_file_perms; -- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- -- can_exec($2, mozilla_plugin_rw_t) -- -- optional_policy(` -- mozilla_dbus_chat_plugin($2) -- ') - ') - - ######################################## - ## --## Read mozilla home directory content. -+## Read mozilla home directory content - ## - ## - ## -@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',` - type mozilla_home_t; - ') - -- userdom_search_user_home_dirs($1) - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; -+ userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Write mozilla home directory files. 
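Review bot: `domain_auto_trans($2, mozilla_exec_t, mozilla_t)` replaces `domtrans_pattern`, which is the form `mozilla_domtrans` and `mozilla_domtrans_plugin` later in this same file still use; the switch is presumably why the hunk then hand-writes `allow mozilla_t $2:fd use;` and `allow mozilla_t $2:process { sigchld signull };`, so keeping `domtrans_pattern($2, mozilla_exec_t, mozilla_t)` and dropping those two lines would leave the file consistent and shorter. The comment `#should be remove then with adding of roleattribute` is not readable; suggest `# TODO: drop once mozilla_plugin_roles is granted via the role attribute`. The `noatsecure siginh rlimitinh` grant under `# Unrestricted inheritance from the caller.` lets the user domain pass its environment (including loader variables) and pending signals into the browser domain; it predates this hunk, but since the comment is new it should state that this is deliberate and why.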
-+## Write mozilla home directory content - ## - ## - ## -@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',` - type mozilla_home_t; - ') - -- userdom_search_user_home_dirs($1) - write_files_pattern($1, mozilla_home_t, mozilla_home_t) -+ userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Do not audit attempts to read and --## write mozilla home directory files. -+## Dontaudit attempts to read/write mozilla home directory content - ## - ## - ## -@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',` - type mozilla_home_t; - ') - -- dontaudit $1 mozilla_home_t:file rw_file_perms; -+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Do not audit attempt to Create, --## read, write, and delete mozilla --## home directory content. -+## Dontaudit attempts to write mozilla home directory content - ## - ## - ## -@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',` - - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; -- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; - ') - - ######################################## - ## --## Execute mozilla home directory files. (Deprecated) -+## Execute mozilla home directory content. - ## - ## - ## -@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',` - ## - # - interface(`mozilla_exec_user_home_files',` -- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.') -- mozilla_exec_user_plugin_home_files($1) --') -- --######################################## --## --## Execute mozilla plugin home directory files. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`mozilla_exec_user_plugin_home_files',` - gen_require(` -- type mozilla_home_t, mozilla_plugin_home_t; -+ type mozilla_home_t; - ') - -- userdom_search_user_home_dirs($1) -- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -+ can_exec($1, mozilla_home_t) - ') - - ######################################## - ## --## Mozilla home directory file --## text relocation. (Deprecated) -+## Execmod mozilla home directory content. - ## - ## - ## -@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',` - ## - # - interface(`mozilla_execmod_user_home_files',` -- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.') -- mozilla_execmod_user_plugin_home_files($1) -+ gen_require(` -+ type mozilla_home_t; -+ ') -+ -+ allow $1 mozilla_home_t:file execmod; - ') - - ######################################## - ## --## Mozilla plugin home directory file --## text relocation. -+## Run mozilla in the mozilla domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## - # --interface(`mozilla_execmod_user_plugin_home_files',` -+interface(`mozilla_domtrans',` - gen_require(` -- type mozilla_plugin_home_t; -+ type mozilla_t, mozilla_exec_t; - ') - -- allow $1 mozilla_plugin_home_t:file execmod; -+ domtrans_pattern($1, mozilla_exec_t, mozilla_t) - ') - - ######################################## - ## --## Run mozilla in the mozilla domain. -+## Execute a mozilla_exec_t in the specified domain. - ## - ## - ## - ## Domain allowed to transition. - ## - ## -+## -+## -+## The type of the new process. 
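Review bot: `mozilla_exec_user_home_files` changes from `exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)` to `can_exec($1, mozilla_home_t)`, and because the mozilla.fc hunk in this patch now labels `~/.cache/mozilla` and the former plugin directories as `mozilla_home_t`, every caller can execute any file the browser has written into its profile or cache — the download-and-run path a confined browser domain exists to block. If executing profile content is genuinely needed, restrict it to a dedicated type rather than the whole home type and name the intended callers in the summary. The new body also drops the `userdom_search_user_home_dirs($1)` the old interface had, so a caller without its own home-directory search is denied at the directory; either re-add it or state the assumption in the doc header.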
-+##
-+##
- #
--interface(`mozilla_domtrans',`
-+interface(`mozilla_domtrans_spec',`
- gen_require(`
-- type mozilla_t, mozilla_exec_t;
-+ type mozilla_exec_t;
- ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
-+ domain_entry_file($2, mozilla_exec_t)
-+ domtrans_pattern($1, mozilla_exec_t, $2)
- ')
-
- ########################################
- ##
--## Execute a domain transition to
--## run mozilla plugin.
-+## Execute a domain transition to run mozilla_plugin.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
- interface(`mozilla_domtrans_plugin',`
- gen_require(`
- type mozilla_plugin_t, mozilla_plugin_exec_t;
-+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
-+ type mozilla_plugin_rw_t;
-+ class dbus send_msg;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
-+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
-+ allow mozilla_plugin_t $1:process signull;
-+ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
-+ dontaudit mozilla_plugin_t $1:process signal;
-+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
-+ allow $1 mozilla_plugin_t:fd use;
-+
-+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
-+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
-+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
-+ allow mozilla_plugin_t $1:sem create_sem_perms;
-+
-+ ps_process_pattern($1, mozilla_plugin_t)
-+ allow $1 mozilla_plugin_t:process signal_perms;
-+
-+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ can_exec($1, mozilla_plugin_rw_t)
-+
-+ allow $1 mozilla_plugin_t:dbus send_msg;
-+ allow mozilla_plugin_t $1:dbus send_msg;
-+
-+ allow mozilla_plugin_t $1:process signull;
- ')
-
- ########################################
- ##
--## Execute mozilla plugin in the
--## mozilla plugin domain, and allow
--## the specified role the mozilla
--## plugin domain.
-+## Execute mozilla_plugin in the mozilla_plugin domain, and
-+## allow the specified role the mozilla_plugin domain.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access
- ##
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed the mozilla_plugin domain.
- ##
- ##
- #
- interface(`mozilla_run_plugin',`
- gen_require(`
-- attribute_role mozilla_plugin_roles;
-+ type mozilla_plugin_t;
-+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
- ')
-
- mozilla_domtrans_plugin($1)
- roleattribute $2 mozilla_plugin_roles;
--')
-+ roleattribute $2 mozilla_plugin_config_roles;
-
--########################################
--##
--## Execute a domain transition to
--## run mozilla plugin config.
--##
--##
--##
--## Domain allowed to transition.
--##
--##
--#
--interface(`mozilla_domtrans_plugin_config',`
-- gen_require(`
-- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 mozilla_plugin_t:process ptrace;
- ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
-+ optional_policy(`
-+ lpd_run_lpr(mozilla_plugin_t, $2)
-+ ')
- ')
-
--########################################
-+#######################################
- ##
--## Execute mozilla plugin config in
--## the mozilla plugin config domain,
--## and allow the specified role the
--## mozilla plugin config domain.
-+## Execute qemu unconfined programs in the role.
- ##
--##
--##
--## Domain allowed to transition.
--##
--##
- ##
--##
--## Role allowed access.
--##
-+##
-+## The role to allow the mozilla_plugin domain.
-+##
- ##
-+##
- #
--interface(`mozilla_run_plugin_config',`
-- gen_require(`
-- attribute_role mozilla_plugin_config_roles;
-- ')
-+interface(`mozilla_role_plugin',`
-+ gen_require(`
-+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
-+ ')
-
-- mozilla_domtrans_plugin_config($1)
-- roleattribute $2 mozilla_plugin_config_roles;
-+ roleattribute $1 mozilla_plugin_roles;
-+ roleattribute $1 mozilla_plugin_config_roles;
- ')
-
- ########################################
-@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
-
- ########################################
- ##
--## Send and receive messages from
--## mozilla plugin over dbus.
-+## read/write mozilla per user tcp_socket
- ##
- ##
- ##
-@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
- ##
- ##
- #
--interface(`mozilla_dbus_chat_plugin',`
-+interface(`mozilla_rw_tcp_sockets',`
- gen_require(`
-- type mozilla_plugin_t;
-- class dbus send_msg;
-+ type mozilla_t;
- ')
-
-- allow $1 mozilla_plugin_t:dbus send_msg;
-- allow mozilla_plugin_t $1:dbus send_msg;
-+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
- ')
-
--########################################
-+#######################################
- ##
--## Read and write mozilla TCP sockets.
-+## Read mozilla_plugin tmpfs files
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access
-+##
- ##
- #
--interface(`mozilla_rw_tcp_sockets',`
-- gen_require(`
-- type mozilla_t;
-- ')
-+interface(`mozilla_plugin_read_tmpfs_files',`
-+ gen_require(`
-+ type mozilla_plugin_tmpfs_t;
-+ ')
-
-- allow $1 mozilla_t:tcp_socket rw_socket_perms;
-+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
-+')
-+
-+#######################################
-+##
-+## Read/Write mozilla_plugin tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`mozilla_plugin_rw_tmpfs_files',`
-+ gen_require(`
-+ type mozilla_plugin_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## mozilla plugin rw files.
-+## Delete mozilla_plugin tmpfs files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed access
- ##
- ##
- #
--interface(`mozilla_manage_plugin_rw_files',`
-+interface(`mozilla_plugin_delete_tmpfs_files',`
- gen_require(`
-- type mozilla_plugin_rw_t;
-+ type mozilla_plugin_tmpfs_t;
- ')
-
-- libs_search_lib($1)
-- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
-+')
-+
-+#######################################
-+##
-+## Dontaudit generict ipc read/write to a mozilla_plugin
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mozilla_plugin_dontaudit_rw_sem',`
-+ gen_require(`
-+ type mozilla_plugin_t;
-+ ')
-+
-+ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
- ')
-
- ########################################
- ##
--## Read mozilla_plugin tmpfs files.
-+## Dontaudit read/write to a mozilla_plugin leaks
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`mozilla_plugin_read_tmpfs_files',`
-+interface(`mozilla_plugin_dontaudit_leaks',`
- gen_require(`
-- type mozilla_plugin_tmpfs_t;
-+ type mozilla_plugin_t;
- ')
-
-- fs_search_tmpfs($1)
-- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
-+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
-+')
-+
-+#######################################
-+##
-+## Dontaudit read/write to a mozilla_plugin tmp files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
-+ gen_require(`
-+ type mozilla_plugin_tmp_t;
-+ ')
-+
-+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
- ')
-
- ########################################
- ##
--## Delete mozilla_plugin tmpfs files.
-+## Create, read, write, and delete
-+## mozilla_plugin rw files.
- ##
- ##
- ##
-@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
- ##
- ##
- #
--interface(`mozilla_plugin_delete_tmpfs_files',`
-+interface(`mozilla_plugin_manage_rw_files',`
- gen_require(`
-- type mozilla_plugin_tmpfs_t;
-+ type mozilla_plugin_rw_t;
- ')
-
-- fs_search_tmpfs($1)
-- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
-+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
-+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## generic mozilla plugin home content.
-+## read mozilla_plugin rw files.
- ##
- ##
- ##
-@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
- ##
- ##
- #
--interface(`mozilla_manage_generic_plugin_home_content',`
-+interface(`mozilla_plugin_read_rw_files',`
- gen_require(`
-- type mozilla_plugin_home_t;
-+ type mozilla_plugin_rw_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
-- allow $1 mozilla_plugin_home_t:file manage_file_perms;
-- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
-- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
-- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
-+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
- ')
-
- ########################################
- ##
--## Create objects in user home
--## directories with the generic mozilla
--## plugin home type.
-+## Create mozilla content in the user home directory
-+## with an correct label.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`mozilla_home_filetrans_plugin_home',`
-+interface(`mozilla_filetrans_home_content',`
-+
- gen_require(`
-- type mozilla_plugin_home_t;
-+ type mozilla_home_t;
- ')
-
-- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
-+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
-+ optional_policy(`
-+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
-+ ')
- ')
-+
-diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..b236449 100644
---- a/mozilla.te
-+++ b/mozilla.te
-@@ -1,4 +1,4 @@
--policy_module(mozilla, 2.7.4)
-+policy_module(mozilla, 2.6.0)
-
- ########################################
- #
-@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
- #
-
- ##
--##

    --## Determine whether mozilla can --## make its stack executable. --##

    -+##

    -+## Allow mozilla plugin domain to connect to the network using TCP. -+##

    - ##
    --gen_tunable(mozilla_execstack, false) -+gen_tunable(mozilla_plugin_can_network_connect, false) -+ -+## -+##

    -+## Allow mozilla plugin to support spice protocols. -+##

    -+##
    -+gen_tunable(mozilla_plugin_use_spice, false) -+ -+## -+##

    -+## Allow mozilla plugin to support GPS. -+##

    -+##
    -+gen_tunable(mozilla_plugin_use_gps, false) -+ -+## -+##

    -+## Allow confined web browsers to read home directory content -+##

    -+##
    -+gen_tunable(mozilla_read_content, false) - - attribute_role mozilla_roles; - attribute_role mozilla_plugin_roles; - attribute_role mozilla_plugin_config_roles; - -+roleattribute system_r mozilla_roles; -+roleattribute system_r mozilla_plugin_roles; -+roleattribute system_r mozilla_plugin_config_roles; -+ - type mozilla_t; - type mozilla_exec_t; - typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; - userdom_user_application_domain(mozilla_t, mozilla_exec_t) - role mozilla_roles types mozilla_t; - -+type mozilla_conf_t; -+files_config_file(mozilla_conf_t) -+ - type mozilla_home_t; - typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; - typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t) - - type mozilla_plugin_t; - type mozilla_plugin_exec_t; --userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) - role mozilla_plugin_roles types mozilla_plugin_t; - --type mozilla_plugin_home_t; --userdom_user_home_content(mozilla_plugin_home_t) -- - type mozilla_plugin_tmp_t; -+userdom_user_tmp_content(mozilla_plugin_tmp_t) - userdom_user_tmp_file(mozilla_plugin_tmp_t) - - type mozilla_plugin_tmpfs_t; -+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) - userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) - --optional_policy(` -- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) --') -- - type mozilla_plugin_rw_t; - files_type(mozilla_plugin_rw_t) - - type mozilla_plugin_config_t; - type mozilla_plugin_config_exec_t; --userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -+role mozilla_roles types mozilla_plugin_config_t; - role 
mozilla_plugin_config_roles types mozilla_plugin_config_t;
-
- type mozilla_tmp_t;
-@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
- typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
- userdom_user_tmpfs_file(mozilla_tmpfs_t)
-
--optional_policy(`
-- pulseaudio_tmpfs_content(mozilla_tmpfs_t)
--')
--
- ########################################
- #
- # Local policy
-@@ -75,27 +94,30 @@ optional_policy(`
- allow mozilla_t self:capability { sys_nice setgid setuid };
- allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
- allow mozilla_t self:fifo_file rw_fifo_file_perms;
--allow mozilla_t self:shm create_shm_perms;
-+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
- allow mozilla_t self:sem create_sem_perms;
- allow mozilla_t self:socket create_socket_perms;
--allow mozilla_t self:unix_stream_socket { accept listen };
-+allow mozilla_t self:unix_stream_socket { listen accept };
-+# Browse the web, connect to printer
-+allow mozilla_t self:tcp_socket create_socket_perms;
-+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
-
--allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
--allow mozilla_t mozilla_plugin_t:fd use;
-+# for bash - old mozilla binary
-+can_exec(mozilla_t, mozilla_exec_t)
-
--allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
--allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
--allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
--userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
--userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
--userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
--userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
-+# X access, Home files
-+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
-+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
-+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
-+userdom_search_user_home_dirs(mozilla_t)
-
--filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
-+# Mozpluggerrc
-+allow mozilla_t mozilla_conf_t:file read_file_perms;
-
- manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
- manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
--files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
-+# mozilla will manage user_tmp_t, so it will transition to it.
-+#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
-
- manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
- manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
- manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
- fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
--allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
--allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
--allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
--
--can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
--
- kernel_read_kernel_sysctls(mozilla_t)
- kernel_read_network_state(mozilla_t)
-+# Access /proc, sysctl
- kernel_read_system_state(mozilla_t)
- kernel_read_net_sysctls(mozilla_t)
-
-+# Look for plugins
- corecmd_list_bin(mozilla_t)
-+# for bash - old mozilla binary
- corecmd_exec_shell(mozilla_t)
- corecmd_exec_bin(mozilla_t)
-
--corenet_all_recvfrom_unlabeled(mozilla_t)
-+# Browse the web, connect to printer
- corenet_all_recvfrom_netlabel(mozilla_t)
- corenet_tcp_sendrecv_generic_if(mozilla_t)
-+corenet_raw_sendrecv_generic_if(mozilla_t)
- corenet_tcp_sendrecv_generic_node(mozilla_t)
--
--corenet_sendrecv_http_client_packets(mozilla_t)
--corenet_tcp_connect_http_port(mozilla_t)
-+corenet_raw_sendrecv_generic_node(mozilla_t)
- corenet_tcp_sendrecv_http_port(mozilla_t)
--
--corenet_sendrecv_http_cache_client_packets(mozilla_t)
--corenet_tcp_connect_http_cache_port(mozilla_t)
- corenet_tcp_sendrecv_http_cache_port(mozilla_t)
--
--corenet_sendrecv_squid_client_packets(mozilla_t)
--corenet_tcp_connect_squid_port(mozilla_t)
- corenet_tcp_sendrecv_squid_port(mozilla_t)
--
--corenet_sendrecv_ftp_client_packets(mozilla_t)
--corenet_tcp_connect_ftp_port(mozilla_t)
- corenet_tcp_sendrecv_ftp_port(mozilla_t)
--
--corenet_sendrecv_ipp_client_packets(mozilla_t)
--corenet_tcp_connect_ipp_port(mozilla_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
- corenet_tcp_sendrecv_ipp_port(mozilla_t)
--
--corenet_sendrecv_soundd_client_packets(mozilla_t)
-+corenet_tcp_connect_http_port(mozilla_t)
-+corenet_tcp_connect_http_cache_port(mozilla_t)
-+corenet_tcp_connect_squid_port(mozilla_t)
-+corenet_tcp_connect_ftp_port(mozilla_t)
-+corenet_tcp_connect_ipp_port(mozilla_t)
-+corenet_tcp_connect_generic_port(mozilla_t)
- corenet_tcp_connect_soundd_port(mozilla_t)
--corenet_tcp_sendrecv_soundd_port(mozilla_t)
--
--corenet_sendrecv_speech_client_packets(mozilla_t)
-+corenet_sendrecv_http_client_packets(mozilla_t)
-+corenet_sendrecv_http_cache_client_packets(mozilla_t)
-+corenet_sendrecv_squid_client_packets(mozilla_t)
-+corenet_sendrecv_ftp_client_packets(mozilla_t)
-+corenet_sendrecv_ipp_client_packets(mozilla_t)
-+corenet_sendrecv_generic_client_packets(mozilla_t)
-+# Should not need other ports
-+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
-+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
- corenet_tcp_connect_speech_port(mozilla_t)
--corenet_tcp_sendrecv_speech_port(mozilla_t)
-
--dev_getattr_sysfs_dirs(mozilla_t)
--dev_read_sound(mozilla_t)
--dev_read_rand(mozilla_t)
- dev_read_urand(mozilla_t)
--dev_rw_dri(mozilla_t)
-+dev_read_rand(mozilla_t)
- dev_write_sound(mozilla_t)
-+dev_read_sound(mozilla_t)
-+dev_dontaudit_rw_dri(mozilla_t)
-+dev_getattr_sysfs_dirs(mozilla_t)
-
- domain_dontaudit_read_all_domains_state(mozilla_t)
-
- files_read_etc_runtime_files(mozilla_t)
--files_read_usr_files(mozilla_t)
--files_read_var_files(mozilla_t)
-+# /var/lib
- files_read_var_lib_files(mozilla_t)
-+# interacting with gstreamer
-+files_read_var_files(mozilla_t)
- files_read_var_symlinks(mozilla_t)
- files_dontaudit_getattr_boot_dirs(mozilla_t)
-
--fs_getattr_all_fs(mozilla_t)
-+fs_dontaudit_getattr_all_fs(mozilla_t)
- fs_search_auto_mountpoints(mozilla_t)
- fs_list_inotifyfs(mozilla_t)
--fs_rw_tmpfs_files(mozilla_t)
-+fs_rw_inherited_tmpfs_files(mozilla_t)
-
- term_dontaudit_getattr_pty_dirs(mozilla_t)
-
-@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
- logging_send_syslog_msg(mozilla_t)
-
- miscfiles_read_fonts(mozilla_t)
--miscfiles_read_localization(mozilla_t)
- miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-
--userdom_use_user_ptys(mozilla_t)
--
--userdom_manage_user_tmp_dirs(mozilla_t)
--userdom_manage_user_tmp_files(mozilla_t)
--
--userdom_manage_user_home_content_dirs(mozilla_t)
--userdom_manage_user_home_content_files(mozilla_t)
--userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
-
--userdom_write_user_tmp_sockets(mozilla_t)
--
--mozilla_run_plugin(mozilla_t, mozilla_roles)
--mozilla_run_plugin_config(mozilla_t, mozilla_roles)
-+#mozilla_run_plugin(mozilla_t, mozilla_roles)
-
- xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
- xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
- xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-
--ifndef(`enable_mls',`
-- fs_list_dos(mozilla_t)
-- fs_read_dos_files(mozilla_t)
--
-- fs_search_removable(mozilla_t)
-- fs_read_removable_files(mozilla_t)
-- fs_read_removable_symlinks(mozilla_t)
--
-- fs_read_iso9660_files(mozilla_t)
-+tunable_policy(`selinuxuser_execstack',` -+ allow mozilla_t self:process execstack; - ') - --tunable_policy(`allow_execmem',` -+tunable_policy(`deny_execmem',`',` - allow mozilla_t self:process execmem; - ') - --tunable_policy(`mozilla_execstack',` -- allow mozilla_t self:process { execmem execstack }; --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_t) -- fs_manage_nfs_files(mozilla_t) -- fs_manage_nfs_symlinks(mozilla_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_t) -- fs_manage_cifs_files(mozilla_t) -- fs_manage_cifs_symlinks(mozilla_t) -+userdom_home_manager(mozilla_t) -+ -+# Uploads, local html -+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(mozilla_t) -+ files_list_home(mozilla_t) -+ fs_read_nfs_files(mozilla_t) -+ fs_read_nfs_symlinks(mozilla_t) -+ -+',` -+ files_dontaudit_list_home(mozilla_t) -+ fs_dontaudit_list_auto_mountpoints(mozilla_t) -+ fs_dontaudit_read_nfs_files(mozilla_t) -+ fs_dontaudit_list_nfs(mozilla_t) -+') -+ -+tunable_policy(`mozilla_read_content && use_samba_home_dirs',` -+ fs_list_auto_mountpoints(mozilla_t) -+ files_list_home(mozilla_t) -+ fs_read_cifs_files(mozilla_t) -+ fs_read_cifs_symlinks(mozilla_t) -+',` -+ files_dontaudit_list_home(mozilla_t) -+ fs_dontaudit_list_auto_mountpoints(mozilla_t) -+ fs_dontaudit_read_cifs_files(mozilla_t) -+ fs_dontaudit_list_cifs(mozilla_t) -+') -+ -+tunable_policy(`mozilla_read_content',` -+ userdom_list_user_tmp(mozilla_t) -+ userdom_read_user_tmp_files(mozilla_t) -+ userdom_read_user_tmp_symlinks(mozilla_t) -+ userdom_read_user_home_content_files(mozilla_t) -+ userdom_read_user_home_content_symlinks(mozilla_t) -+ -+ ifndef(`enable_mls',` -+ fs_search_removable(mozilla_t) -+ fs_read_removable_files(mozilla_t) -+ fs_read_removable_symlinks(mozilla_t) -+ ') -+',` -+ files_dontaudit_list_tmp(mozilla_t) -+ files_dontaudit_list_home(mozilla_t) -+ fs_dontaudit_list_removable(mozilla_t) -+ 
fs_dontaudit_read_removable_files(mozilla_t) -+ userdom_dontaudit_list_user_tmp(mozilla_t) -+ userdom_dontaudit_read_user_tmp_files(mozilla_t) -+ userdom_dontaudit_list_user_home_dirs(mozilla_t) -+ userdom_dontaudit_read_user_home_content_files(mozilla_t) - ') - - optional_policy(` -@@ -244,19 +276,12 @@ optional_policy(` - - optional_policy(` - cups_read_rw_config(mozilla_t) -+ cups_dbus_chat(mozilla_t) - ') - - optional_policy(` -- dbus_all_session_bus_client(mozilla_t) - dbus_system_bus_client(mozilla_t) -- -- optional_policy(` -- cups_dbus_chat(mozilla_t) -- ') -- -- optional_policy(` -- mozilla_dbus_chat_plugin(mozilla_t) -- ') -+ dbus_session_bus_client(mozilla_t) - - optional_policy(` - networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +290,32 @@ optional_policy(` - - optional_policy(` - gnome_stream_connect_gconf(mozilla_t) -- gnome_manage_generic_gconf_home_content(mozilla_t) -- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf") -- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd") -- gnome_manage_generic_home_content(mozilla_t) -- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome") -- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2") -- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") -+ gnome_manage_config(mozilla_t) -+ gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) - ') - - optional_policy(` -- java_exec(mozilla_t) -- java_manage_generic_home_content(mozilla_t) -- java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) - ') - - optional_policy(` -- lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) - ') - - optional_policy(` -- mplayer_exec(mozilla_t) -- mplayer_manage_generic_home_content(mozilla_t) -- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) - ') - - optional_policy(` -- pulseaudio_run(mozilla_t, mozilla_roles) -+ 
#pulseaudio_role(mozilla_roles, mozilla_t) -+ pulseaudio_exec(mozilla_t) -+ pulseaudio_stream_connect(mozilla_t) -+ pulseaudio_manage_home_files(mozilla_t) - ') - - optional_policy(` -@@ -300,259 +324,236 @@ optional_policy(` - - ######################################## - # --# Plugin local policy -+# mozilla_plugin local policy - # - --dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; --allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; --allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; -+dontaudit mozilla_plugin_t self:capability2 block_suspend; -+ -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; -+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; -+allow mozilla_plugin_t self:netlink_socket create_socket_perms; -+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; -+allow mozilla_plugin_t self:udp_socket create_socket_perms; - allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; -+ - allow mozilla_plugin_t self:sem create_sem_perms; - allow mozilla_plugin_t self:shm create_shm_perms; --allow mozilla_plugin_t self:tcp_socket { accept listen }; --allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; -- --allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; --allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; --allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; --allow mozilla_plugin_t mozilla_t:sem create_sem_perms; -- --manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) --manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) 
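Review bot: Replacing `lpd_run_lpr(mozilla_t, mozilla_roles)` with `lpd_domtrans_lpr(mozilla_t)` (and `java_exec`/`mplayer_exec` with `java_domtrans`/`mplayer_domtrans`) keeps the domain transition but drops the `role … types` authorization the `_run` form carried; unless mozilla_roles is granted lpr_t, java_t and mplayer_t elsewhere, the transition fails with a role denial that does not surface as an ordinary AVC, so prefer `lpd_run_lpr(mozilla_t, mozilla_roles)` or add the role authorization next to each domtrans. The commented-out `#pulseaudio_role(mozilla_roles, mozilla_t)` is dead code and should be deleted or replaced by a comment explaining why the role interface is not used. `pulseaudio_manage_home_files(mozilla_t)` grants write access to all pulseaudio home content; if the browser only needs the cookie/config files, a narrower read interface plus a comment naming the files it writes would be preferable.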
--manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -- --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix") -- --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient") --userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata") -- --filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") -+allow mozilla_plugin_t self:msgq create_msgq_perms; -+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -+allow mozilla_plugin_t self:unix_dgram_socket sendto; -+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+ -+can_exec(mozilla_plugin_t, mozilla_home_t) -+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) - - manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, 
mozilla_plugin_tmp_t) - manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) - manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) --files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) --userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) -+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) -+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) -+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) - - manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) -+userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - - allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; --allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; --allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, 
mozilla_plugin_rw_t) -+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) - --can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) -+can_exec(mozilla_plugin_t, mozilla_exec_t) - - kernel_read_all_sysctls(mozilla_plugin_t) - kernel_read_system_state(mozilla_plugin_t) - kernel_read_network_state(mozilla_plugin_t) - kernel_request_load_module(mozilla_plugin_t) - kernel_dontaudit_getattr_core_if(mozilla_plugin_t) -+files_dontaudit_read_root_files(mozilla_plugin_t) - - corecmd_exec_bin(mozilla_plugin_t) - corecmd_exec_shell(mozilla_plugin_t) -+corecmd_dontaudit_access_all_executables(mozilla_plugin_t) -+corecmd_getattr_all_executables(mozilla_plugin_t) - --corenet_all_recvfrom_netlabel(mozilla_plugin_t) --corenet_all_recvfrom_unlabeled(mozilla_plugin_t) --corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) --corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) -- --corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) -+corenet_tcp_bind_generic_node(mozilla_plugin_t) -+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) -+corenet_tcp_connect_aol_port(mozilla_plugin_t) - corenet_tcp_connect_asterisk_port(mozilla_plugin_t) --corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) -- --corenet_sendrecv_ftp_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t) -+corenet_tcp_connect_couchdb_port(mozilla_plugin_t) -+corenet_tcp_connect_flash_port(mozilla_plugin_t) - corenet_tcp_connect_ftp_port(mozilla_plugin_t) --corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t) -- --corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t) - corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) --corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t) -- --corenet_sendrecv_http_client_packets(mozilla_plugin_t) --corenet_tcp_connect_http_port(mozilla_plugin_t) --corenet_tcp_sendrecv_http_port(mozilla_plugin_t) -- --corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t) 
-+corenet_tcp_connect_generic_port(mozilla_plugin_t) - corenet_tcp_connect_http_cache_port(mozilla_plugin_t) --corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t) -- --corenet_sendrecv_ipp_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_http_port(mozilla_plugin_t) - corenet_tcp_connect_ipp_port(mozilla_plugin_t) --corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t) -- --corenet_sendrecv_ircd_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t) - corenet_tcp_connect_ircd_port(mozilla_plugin_t) --corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t) -- --corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t) - corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) --corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t) -- --corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_jboss_management_port(mozilla_plugin_t) - corenet_tcp_connect_mmcc_port(mozilla_plugin_t) --corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t) -- --corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) - corenet_tcp_connect_monopd_port(mozilla_plugin_t) --corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) -- --corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_msnp_port(mozilla_plugin_t) -+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t) -+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) -+corenet_tcp_connect_rtsp_port(mozilla_plugin_t) - corenet_tcp_connect_soundd_port(mozilla_plugin_t) --corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) -- --corenet_sendrecv_speech_client_packets(mozilla_plugin_t) - corenet_tcp_connect_speech_port(mozilla_plugin_t) --corenet_tcp_sendrecv_speech_port(mozilla_plugin_t) -- --corenet_sendrecv_squid_client_packets(mozilla_plugin_t) - corenet_tcp_connect_squid_port(mozilla_plugin_t) --corenet_tcp_sendrecv_squid_port(mozilla_plugin_t) -- --corenet_sendrecv_vnc_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_tor_port(mozilla_plugin_t) 
-+corenet_tcp_connect_transproxy_port(mozilla_plugin_t) - corenet_tcp_connect_vnc_port(mozilla_plugin_t) --corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) -+corenet_tcp_connect_whois_port(mozilla_plugin_t) -+corenet_tcp_bind_generic_node(mozilla_plugin_t) -+corenet_udp_bind_generic_node(mozilla_plugin_t) -+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t) -+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) - --dev_read_generic_usb_dev(mozilla_plugin_t) -+dev_dontaudit_append_rand(mozilla_plugin_t) - dev_read_rand(mozilla_plugin_t) --dev_read_realtime_clock(mozilla_plugin_t) --dev_read_sound(mozilla_plugin_t) --dev_read_sysfs(mozilla_plugin_t) - dev_read_urand(mozilla_plugin_t) -+dev_read_generic_usb_dev(mozilla_plugin_t) - dev_read_video_dev(mozilla_plugin_t) --dev_write_sound(mozilla_plugin_t) - dev_write_video_dev(mozilla_plugin_t) --dev_rw_dri(mozilla_plugin_t) -+dev_read_realtime_clock(mozilla_plugin_t) -+dev_read_sysfs(mozilla_plugin_t) -+dev_read_sound(mozilla_plugin_t) -+dev_write_sound(mozilla_plugin_t) -+# for nvidia driver - dev_rw_xserver_misc(mozilla_plugin_t) -+dev_rwx_zero(mozilla_plugin_t) -+dev_dontaudit_read_mtrr(mozilla_plugin_t) -+xserver_dri_domain(mozilla_plugin_t) - --dev_dontaudit_getattr_generic_files(mozilla_plugin_t) --dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) --dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) --dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) -+dev_dontaudit_getattr_all(mozilla_plugin_t) - - domain_use_interactive_fds(mozilla_plugin_t) - domain_dontaudit_read_all_domains_state(mozilla_plugin_t) - --files_exec_usr_files(mozilla_plugin_t) --files_list_mnt(mozilla_plugin_t) - files_read_config_files(mozilla_plugin_t) --files_read_usr_files(mozilla_plugin_t) -+files_list_mnt(mozilla_plugin_t) -+files_exec_usr_files(mozilla_plugin_t) -+fs_rw_inherited_tmpfs_files(mozilla_plugin_t) -+files_dontaudit_all_access_check(mozilla_plugin_t) - - fs_getattr_all_fs(mozilla_plugin_t) --# 
fs_read_hugetlbfs_files(mozilla_plugin_t) --fs_search_auto_mountpoints(mozilla_plugin_t) -- --term_getattr_all_ttys(mozilla_plugin_t) --term_getattr_all_ptys(mozilla_plugin_t) -+fs_list_dos(mozilla_plugin_t) -+fs_read_noxattr_fs_files(mozilla_plugin_t) -+fs_read_hugetlbfs_files(mozilla_plugin_t) -+fs_exec_hugetlbfs_files(mozilla_plugin_t) - - application_exec(mozilla_plugin_t) -+application_dontaudit_signull(mozilla_plugin_t) - - auth_use_nsswitch(mozilla_plugin_t) - -+init_dontaudit_getattr_initctl(mozilla_plugin_t) -+init_read_all_script_files(mozilla_plugin_t) -+ - libs_exec_ld_so(mozilla_plugin_t) - libs_exec_lib_files(mozilla_plugin_t) -+libs_legacy_use_shared_libs(mozilla_plugin_t) - - logging_send_syslog_msg(mozilla_plugin_t) - --miscfiles_read_localization(mozilla_plugin_t) - miscfiles_read_fonts(mozilla_plugin_t) - miscfiles_read_generic_certs(mozilla_plugin_t) -+miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t) - miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) - miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) - --userdom_manage_user_tmp_dirs(mozilla_plugin_t) --userdom_manage_user_tmp_files(mozilla_plugin_t) -- --userdom_manage_user_home_content_dirs(mozilla_plugin_t) --userdom_manage_user_home_content_files(mozilla_plugin_t) --userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - --userdom_write_user_tmp_sockets(mozilla_plugin_t) -+term_getattr_all_ttys(mozilla_plugin_t) -+term_getattr_all_ptys(mozilla_plugin_t) -+term_getattr_ptmx(mozilla_plugin_t) -+term_dontaudit_use_ptmx(mozilla_plugin_t) - -+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) -+userdom_rw_user_tmpfs_files(mozilla_plugin_t) -+userdom_delete_user_tmpfs_files(mozilla_plugin_t) - userdom_dontaudit_use_user_terminals(mozilla_plugin_t) -+userdom_manage_user_tmp_sockets(mozilla_plugin_t) -+userdom_manage_user_tmp_dirs(mozilla_plugin_t) 
-+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) -+userdom_delete_user_tmp_files(mozilla_plugin_t) -+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t) -+userdom_manage_home_certs(mozilla_plugin_t) -+userdom_read_user_tmp_symlinks(mozilla_plugin_t) -+userdom_stream_connect(mozilla_plugin_t) -+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) - --ifndef(`enable_mls',` -- fs_list_dos(mozilla_plugin_t) -- fs_read_dos_files(mozilla_plugin_t) -- -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) -+userdom_read_user_home_content_files(mozilla_plugin_t) -+userdom_read_user_home_content_symlinks(mozilla_plugin_t) -+userdom_read_home_certs(mozilla_plugin_t) -+userdom_read_home_audio_files(mozilla_plugin_t) -+userdom_exec_user_tmp_files(mozilla_plugin_t) - -- fs_read_iso9660_files(mozilla_plugin_t) --') -- --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_t self:process execmem; --') -+userdom_home_manager(mozilla_plugin_t) - --tunable_policy(`mozilla_execstack',` -- allow mozilla_plugin_t self:process { execmem execstack }; -+tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_all_ports(mozilla_plugin_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_plugin_t) -- fs_manage_nfs_files(mozilla_plugin_t) -- fs_manage_nfs_symlinks(mozilla_plugin_t) -+optional_policy(` -+ alsa_read_rw_config(mozilla_plugin_t) -+ alsa_read_home_files(mozilla_plugin_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_t) -- fs_manage_cifs_files(mozilla_plugin_t) -- fs_manage_cifs_symlinks(mozilla_plugin_t) -+optional_policy(` -+ apache_list_modules(mozilla_plugin_t) - ') - - optional_policy(` -- alsa_read_rw_config(mozilla_plugin_t) -- alsa_read_home_files(mozilla_plugin_t) -+ cups_stream_connect(mozilla_plugin_t) - ') - - optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) -+ 
dbus_system_bus_client(mozilla_plugin_t) -+ dbus_session_bus_client(mozilla_plugin_t) -+ dbus_connect_session_bus(mozilla_plugin_t) -+ dbus_read_lib_files(mozilla_plugin_t) - ') - - optional_policy(` -- dbus_all_session_bus_client(mozilla_plugin_t) -- dbus_connect_all_session_bus(mozilla_plugin_t) -- dbus_system_bus_client(mozilla_plugin_t) -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) - ') - - optional_policy(` -- gnome_manage_generic_home_content(mozilla_plugin_t) -- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") -- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") -- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") -+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) - ') - - optional_policy(` - java_exec(mozilla_plugin_t) -- java_manage_generic_home_content(mozilla_plugin_t) -- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") - ') - - optional_policy(` -- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_manage_generic_home_content(mozilla_plugin_t) -+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") - ') - - optional_policy(` -- mplayer_exec(mozilla_plugin_t) -- mplayer_manage_generic_home_content(mozilla_plugin_t) -- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") -+ pulseaudio_exec(mozilla_plugin_t) -+ pulseaudio_stream_connect(mozilla_plugin_t) -+ pulseaudio_setattr_home_dir(mozilla_plugin_t) -+ pulseaudio_manage_home_dirs(mozilla_plugin_t) -+ pulseaudio_manage_home_files(mozilla_plugin_t) -+ pulseaudio_manage_home_symlinks(mozilla_plugin_t) - ') - - optional_policy(` -@@ -560,7 +561,7 @@ optional_policy(` - ') - - optional_policy(` -- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) -+ rtkit_scheduled(mozilla_plugin_t) - ') - - optional_policy(` -@@ 
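Review bot: The new `allow mozilla_plugin_t self:process { … execmem execstack … transition }` grants executable memory and an executable stack unconditionally, whereas the removed `tunable_policy(`allow_execmem',…)` and `tunable_policy(`mozilla_execstack',…)` blocks made both opt-in, and mozilla_t in the hunk above still keeps them behind `deny_execmem` and `selinuxuser_execstack`; the plugin domain hosts the most exposed code (Flash, Java) and should use the same booleans rather than lose the W^X protection outright. `userdom_manage_home_certs(mozilla_plugin_t)` is added next to `userdom_read_home_certs(mozilla_plugin_t)`; write access to the user's certificate store lets a compromised plugin add a trust anchor, so unless a plugin demonstrably writes ~/.pki the read interface alone should stay, with a comment naming the writer if one exists. `userdom_exec_user_tmp_files(mozilla_plugin_t)` together with `can_exec(mozilla_plugin_t, mozilla_home_t)` and `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)` means anything the plugin can download it can also execute; that is presumably deliberate for JIT caches but deserves a comment. The `dontaudit mozilla_plugin_t self:capability { sys_admin … }` entry will also hide genuine privilege-escalation attempts from the audit log; consider leaving sys_admin out of the dontaudit set.
```sepolicy
allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit transition };

# … unchanged: socket, ipc, home/tmp and network rules …

# Executable memory is the main exposure of this domain; keep it behind the
# same booleans mozilla_t uses instead of granting it unconditionally.
tunable_policy(`deny_execmem',`',`
	allow mozilla_plugin_t self:process execmem;
')

tunable_policy(`selinuxuser_execstack',`
	allow mozilla_plugin_t self:process execstack;
')
```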
-568,108 +569,130 @@ optional_policy(` - ') - - optional_policy(` -- xserver_read_user_xauth(mozilla_plugin_t) -+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) -+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) - xserver_read_xdm_pid(mozilla_plugin_t) - xserver_stream_connect(mozilla_plugin_t) - xserver_use_user_fonts(mozilla_plugin_t) -- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) -+ xserver_read_user_iceauth(mozilla_plugin_t) -+ xserver_read_user_xauth(mozilla_plugin_t) -+ xserver_append_xdm_home_files(mozilla_plugin_t) -+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) -+ xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t) -+ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t) - ') - - ######################################## - # --# Plugin config local policy -+# mozilla_plugin_config local policy - # - - allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; --allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; --allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; --allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -- --allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; --allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; --allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - --manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) --manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) --manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -- 
--userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") -+allow mozilla_plugin_config_t self:fifo_file rw_file_perms; -+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; - --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") --userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") -+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) - --filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") -+dev_read_sysfs(mozilla_plugin_config_t) -+dev_read_urand(mozilla_plugin_config_t) -+dev_dontaudit_read_rand(mozilla_plugin_config_t) -+dev_dontaudit_rw_dri(mozilla_plugin_config_t) - --can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) -+fs_search_auto_mountpoints(mozilla_plugin_config_t) -+fs_list_inotifyfs(mozilla_plugin_config_t) - --ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) -- --kernel_read_system_state(mozilla_plugin_config_t) 
--kernel_request_load_module(mozilla_plugin_config_t) -+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) -+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -+ -+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) -+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) -+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) -+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) -+mozilla_filetrans_home_content(mozilla_plugin_t) -+ -+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) -+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) -+mozilla_filetrans_home_content(mozilla_plugin_config_t) -+dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom; - - corecmd_exec_bin(mozilla_plugin_config_t) - corecmd_exec_shell(mozilla_plugin_config_t) - --dev_read_urand(mozilla_plugin_config_t) --dev_rw_dri(mozilla_plugin_config_t) --dev_search_sysfs(mozilla_plugin_config_t) --dev_dontaudit_read_rand(mozilla_plugin_config_t) -+kernel_read_system_state(mozilla_plugin_config_t) -+kernel_request_load_module(mozilla_plugin_config_t) - - domain_use_interactive_fds(mozilla_plugin_config_t) - --files_list_tmp(mozilla_plugin_config_t) --files_read_usr_files(mozilla_plugin_config_t) - files_dontaudit_search_home(mozilla_plugin_config_t) -+files_list_tmp(mozilla_plugin_config_t) - - 
fs_getattr_all_fs(mozilla_plugin_config_t) --fs_search_auto_mountpoints(mozilla_plugin_config_t) --fs_list_inotifyfs(mozilla_plugin_config_t) -+ -+term_dontaudit_use_ptmx(mozilla_plugin_config_t) - - auth_use_nsswitch(mozilla_plugin_config_t) - --miscfiles_read_localization(mozilla_plugin_config_t) - miscfiles_read_fonts(mozilla_plugin_config_t) - -+userdom_search_user_home_content(mozilla_plugin_config_t) - userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) - userdom_read_user_home_content_files(mozilla_plugin_config_t) -+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) -+userdom_use_inherited_user_ptys(mozilla_plugin_config_t) -+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t) -+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t) -+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t) -+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t) - --userdom_use_user_ptys(mozilla_plugin_config_t) -+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) - --mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) -+tunable_policy(`use_ecryptfs_home_dirs',` -+ fs_read_ecryptfs_files(mozilla_plugin_config_t) -+') - --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_config_t self:process execmem; -+optional_policy(` -+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) - ') - --tunable_policy(`mozilla_execstack',` -- allow mozilla_plugin_config_t self:process { execmem execstack }; -+optional_policy(` -+ xserver_use_user_fonts(mozilla_plugin_config_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mozilla_plugin_config_t) -- fs_manage_nfs_files(mozilla_plugin_config_t) -- fs_manage_nfs_symlinks(mozilla_plugin_config_t) -+ifdef(`distro_redhat',` -+ typealias mozilla_plugin_t alias nsplugin_t; -+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t; -+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t; 
-+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t; -+ typealias mozilla_home_t alias nsplugin_home_t; -+ typealias mozilla_plugin_config_t alias nsplugin_config_t; -+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_config_t) -- fs_manage_cifs_files(mozilla_plugin_config_t) -- fs_manage_cifs_symlinks(mozilla_plugin_config_t) -+#tunable_policy(`mozilla_plugin_enable_homedirs',` -+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) -+#', ` -+ -+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file) -+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir) -+#') -+ -+tunable_policy(`selinuxuser_execmod',` -+ userdom_execmod_user_home_files(mozilla_plugin_t) - ') - --optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) -+tunable_policy(`mozilla_plugin_use_spice',` -+ dev_rw_generic_usb_dev(mozilla_plugin_t) -+ corenet_tcp_bind_vnc_port(mozilla_plugin_t) - ') - --optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) -+tunable_policy(`mozilla_plugin_use_gps',` -+ fs_manage_dos_dirs(mozilla_plugin_t) -+ fs_manage_dos_files(mozilla_plugin_t) - ') -diff --git a/mpd.fc b/mpd.fc -index 313ce52..ae93e07 100644 ---- a/mpd.fc -+++ b/mpd.fc -@@ -1,3 +1,5 @@ -+HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0) -+ - /etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) - - /etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) -@@ -9,3 +11,5 @@ - /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) - - /var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) -+ -+/var/run/mpd(/.*)? 
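Review bot: Two rules for the wrong domain land in the mozilla_plugin_config section: `mozilla_filetrans_home_content(mozilla_plugin_t)` (immediately after the mozilla_home_t manage patterns) and `dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;` both target mozilla_plugin_t, and the filetrans is then repeated correctly as `mozilla_filetrans_home_content(mozilla_plugin_config_t)` a few lines later; drop the first call and move the dontaudit up into the mozilla_plugin_t section so each domain's rules stay together. Replacing `mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)` with `domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)` loses the role authorization the `_run` interface supplied; unless mozilla_plugin_config_roles is granted mozilla_plugin_t elsewhere, the transition will be refused by the role check. The commented-out `#tunable_policy(`mozilla_plugin_enable_homedirs',…` block is dead code and should be removed, and `ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)` is missing the space after the comma that every other call in the file uses. The `mozilla_plugin_use_spice` and `mozilla_plugin_use_gps` tunables are referenced here but their `gen_tunable` declarations are outside this hunk; if they are new they need the matching declaration and summary.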
gen_context(system_u:object_r:mpd_var_run_t,s0) -diff --git a/mpd.if b/mpd.if -index 5fa77c7..2e01c7d 100644 ---- a/mpd.if -+++ b/mpd.if -@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',` - - ######################################## - ## -+## Connect to mpd over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mpd_stream_connect',` -+ gen_require(` -+ type mpd_t, mpd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an mpd environment. - ## -@@ -344,9 +363,13 @@ interface(`mpd_admin',` - type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; - ') - -- allow $1 mpd_t:process { ptrace signal_perms }; -+ allow $1 mpd_t:process signal_perms; - ps_process_pattern($1, mpd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mpd_t:process ptrace; -+ ') -+ - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; -diff --git a/mpd.te b/mpd.te -index 7c8afcc..33b18c8 100644 ---- a/mpd.te -+++ b/mpd.te -@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) - type mpd_user_data_t; - userdom_user_home_content(mpd_user_data_t) # customizable - -+type mpd_home_t; -+userdom_user_home_content(mpd_home_t) -+ -+type mpd_var_run_t; -+files_pid_file(mpd_var_run_t) -+ - ######################################## - # - # Local policy - # - - allow mpd_t self:capability { dac_override kill setgid setuid }; --allow mpd_t self:process { getsched setsched setrlimit signal signull }; -+allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; - allow mpd_t self:fifo_file rw_fifo_file_perms; - allow mpd_t self:unix_stream_socket { accept connectto listen }; - allow mpd_t self:unix_dgram_socket sendto; - allow mpd_t self:tcp_socket { accept listen }; - allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; 
-+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; - - allow mpd_t mpd_data_t:dir manage_dir_perms; - allow mpd_t mpd_data_t:file manage_file_perms; -@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) - manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) - files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) - -+manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) -+manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) -+manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) -+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) -+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file }) -+ -+manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t) -+manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t) -+manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t) -+ - kernel_getattr_proc(mpd_t) - kernel_read_system_state(mpd_t) - kernel_read_kernel_sysctls(mpd_t) - - corecmd_exec_bin(mpd_t) - --corenet_all_recvfrom_unlabeled(mpd_t) - corenet_all_recvfrom_netlabel(mpd_t) - corenet_tcp_sendrecv_generic_if(mpd_t) - corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -139,9 +155,9 @@ dev_read_sound(mpd_t) - dev_write_sound(mpd_t) - dev_read_sysfs(mpd_t) - --files_read_usr_files(mpd_t) - - fs_getattr_all_fs(mpd_t) -+fs_getattr_all_dirs(mpd_t) - fs_list_inotifyfs(mpd_t) - fs_rw_anon_inodefs_files(mpd_t) - fs_search_auto_mountpoints(mpd_t) -@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t) - - logging_send_syslog_msg(mpd_t) - --miscfiles_read_localization(mpd_t) -+userdom_home_reader(mpd_t) - - tunable_policy(`mpd_enable_homedirs',` -- userdom_search_user_home_dirs(mpd_t) -+ userdom_stream_connect(mpd_t) -+ userdom_read_home_audio_files(mpd_t) -+ userdom_list_user_tmp(mpd_t) -+ userdom_read_user_tmpfs_files(mpd_t) -+ userdom_dontaudit_setattr_user_tmp(mpd_t) -+') -+ -+optional_policy(` -+ tunable_policy(`mpd_enable_homedirs',` -+ pulseaudio_read_home_files(mpd_t) -+ ') - ') - - 
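Review bot: The added `allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };` makes the pre-existing `allow mpd_t self:unix_dgram_socket sendto;` two lines above it redundant; merge them into the single new line so the self-permission block reads as one rule per class like the rest of it. `setcap` is appended to the mpd_t process permissions without a comment; since mpd_t already holds `setuid setgid`, a short `# mpd drops privileges and adjusts its capability set after binding` (or whatever the actual trigger was) would document why capability changes are needed. The new `mpd_home_t` and `mpd_var_run_t` type declarations look correct for the matching mpd.fc entries.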
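Review bot: `manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)` and the dir/lnk variants grant mpd_t full write access to `~/.mpd` unconditionally, while every other home-directory access for mpd_t in this file is gated by the `mpd_enable_homedirs` boolean; a daemon that does not touch home directories by default should have these three rules inside the same tunable so the boolean actually controls home access. No `userdom_user_home_dir_filetrans(mpd_t, mpd_home_t, dir, ".mpd")` is visible, so a `.mpd` directory created by mpd_t itself would presumably be labelled as generic user home content rather than mpd_home_t — worth confirming or adding alongside the manage rules. Dropping `corenet_all_recvfrom_unlabeled(mpd_t)` is consistent with the rest of the patch.
```sepolicy
# Home-directory content is only reachable when the admin opts in.
tunable_policy(`mpd_enable_homedirs',`
	manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
	manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
	manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
	userdom_user_home_dir_filetrans(mpd_t, mpd_home_t, dir, ".mpd")
')
```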
tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(mpd_t) - fs_read_nfs_symlinks(mpd_t) -+ - ') - - tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` -@@ -191,7 +218,7 @@ optional_policy(` - ') - - optional_policy(` -- pulseaudio_domtrans(mpd_t) -+ pulseaudio_exec(mpd_t) - ') - - optional_policy(` -@@ -199,6 +226,16 @@ optional_policy(` - ') - - optional_policy(` -+ #needed by pulseaudio -+ systemd_read_logind_sessions_files(mpd_t) -+ systemd_login_read_pid_files(mpd_t) -+') -+ -+optional_policy(` -+ rtkit_daemon_dontaudit_dbus_chat(mpd_t) -+') -+ -+optional_policy(` - udev_read_db(mpd_t) - ') - -diff --git a/mplayer.if b/mplayer.if -index 861d5e9..1c3d5a5 100644 ---- a/mplayer.if -+++ b/mplayer.if -@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',` - - userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) - ') -+ -+######################################## -+## -+## Create specified objects in user home -+## directories with the generic mplayer -+## home type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mplayer_filetrans_home_content',` -+ gen_require(` -+ type mplayer_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer") -+') -diff --git a/mplayer.te b/mplayer.te -index 9aca704..f92829c 100644 ---- a/mplayer.te -+++ b/mplayer.te -@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4) - ## its stack executable. - ##
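Review bot: `userdom_home_reader(mpd_t)` is placed outside the `mpd_enable_homedirs` tunable that the rest of the hunk extends; if, as its name suggests, the interface attaches an attribute that grants read access to user home content, the boolean no longer decides whether mpd_t can read home directories and the finer-grained `userdom_read_home_audio_files(mpd_t)` inside the tunable becomes moot — either move the call into the tunable block or add a comment stating what `userdom_home_reader` does and does not grant. The nfs block gains a stray blank line before its closing `')`, which no other tunable block in the file has. The nested `optional_policy(` tunable_policy(`mpd_enable_homedirs',` pulseaudio_read_home_files(mpd_t) `) `)` is correct but would read better with a `# pulseaudio cookie lives in the user's home` comment explaining the double guard.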
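Review bot: The new `mplayer_filetrans_home_content` interface re-implements exactly what the interface defined directly above it already provides, so its body should be `mplayer_home_filetrans_mplayer_home($1, dir, ".mplayer")` rather than a second `gen_require` plus a second direct `userdom_user_home_dir_filetrans` call; that keeps one place to update if the directory name or type ever changes. The summary should also say that the only object created is the `.mplayer` directory, since "specified objects" implies a parameter the interface does not take.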

    - ## --gen_tunable(allow_mplayer_execstack, false) -+gen_tunable(mplayer_execstack, false) - - attribute_role mencoder_roles; - attribute_role mplayer_roles; -@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t) - dev_rwx_zero(mencoder_t) - dev_read_video_dev(mencoder_t) - --files_read_usr_files(mencoder_t) - - fs_search_auto_mountpoints(mencoder_t) - -@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t) - - userdom_manage_user_home_content_dirs(mencoder_t) - userdom_manage_user_home_content_files(mencoder_t) --userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file }) -+userdom_filetrans_home_content(mencoder_t) - - ifndef(`enable_mls',` - fs_list_dos(mencoder_t) -@@ -95,15 +94,15 @@ ifndef(`enable_mls',` - fs_read_iso9660_files(mencoder_t) - ') - --tunable_policy(`allow_execmem',` -- allow mencoder_t self:process execmem; -+tunable_policy(`deny_execmem',`',` -+ allow mencoder_t self:process execmem; - ') - --tunable_policy(`allow_execmod',` -+tunable_policy(`selinuxuser_execmod',` - dev_execmod_zero(mencoder_t) - ') - --tunable_policy(`allow_mplayer_execstack',` -+tunable_policy(`mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; - ') - -@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t) - files_read_non_security_files(mplayer_t) - files_list_home(mplayer_t) - files_read_etc_runtime_files(mplayer_t) --files_read_usr_files(mplayer_t) - - fs_getattr_all_fs(mplayer_t) - fs_search_auto_mountpoints(mplayer_t) -@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) - - userdom_manage_user_home_content_dirs(mplayer_t) - userdom_manage_user_home_content_files(mplayer_t) --userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file }) -+userdom_filetrans_home_content(mplayer_t) - - userdom_write_user_tmp_sockets(mplayer_t) - -@@ -211,15 +209,15 @@ ifndef(`enable_mls',` - fs_read_iso9660_files(mplayer_t) - ') - --tunable_policy(`allow_execmem',` -- allow 
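Review bot: ``tunable_policy(`deny_execmem',`',` allow mencoder_t self:process execmem; ')`` inverts the previous opt-in: execmem was granted only when `allow_execmem` was true, and is now granted unless `deny_execmem` is true. If `deny_execmem` defaults to false, as its name suggests (its `gen_tunable` is outside this view), mencoder gets executable-memory by default, which weakens the W^X protection the old rule enforced; a comment such as `# execmem is now allowed by default; set deny_execmem=on to remove it` would make the policy change visible to anyone auditing the module. The same pattern is applied to mplayer_t in the next hunk. The rename `allow_mplayer_execstack` → `mplayer_execstack` has no alias in this hunk, so any persisted setting of the old boolean name will presumably be silently ignored after this policy is loaded — confirm that the distribution migrates it.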
mplayer_t self:process execmem; -+tunable_policy(`deny_execmem',`',` -+ allow mplayer_t self:process execmem; - ') - --tunable_policy(`allow_execmod',` -+tunable_policy(`selinuxuser_execmod',` - dev_execmod_zero(mplayer_t) - ') - --tunable_policy(`allow_mplayer_execstack',` -+tunable_policy(`mplayer_execstack',` - allow mplayer_t self:process { execmem execstack }; - ') - -@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_symlinks(mplayer_t) - ') - --tunable_policy(`allow_mplayer_execstack',` -+tunable_policy(`mplayer_execstack',` - allow mplayer_t mplayer_tmpfs_t:file execute; - ') - -diff --git a/mrtg.te b/mrtg.te -index c97c177..9411154 100644 ---- a/mrtg.te -+++ b/mrtg.te -@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) - corecmd_exec_bin(mrtg_t) - corecmd_exec_shell(mrtg_t) - --corenet_all_recvfrom_unlabeled(mrtg_t) - corenet_all_recvfrom_netlabel(mrtg_t) - corenet_tcp_sendrecv_generic_if(mrtg_t) - corenet_tcp_sendrecv_generic_node(mrtg_t) -@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t) - - files_getattr_tmp_dirs(mrtg_t) - files_read_etc_runtime_files(mrtg_t) --files_read_usr_files(mrtg_t) - files_search_var(mrtg_t) - files_search_locks(mrtg_t) - files_search_var_lib(mrtg_t) -@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t) - - logging_send_syslog_msg(mrtg_t) - --miscfiles_read_localization(mrtg_t) -- - selinux_dontaudit_getattr_dir(mrtg_t) - --userdom_use_user_terminals(mrtg_t) -+userdom_use_inherited_user_terminals(mrtg_t) - userdom_dontaudit_read_user_home_content_files(mrtg_t) - userdom_dontaudit_use_unpriv_user_fds(mrtg_t) -+userdom_dontaudit_list_admin_dir(mrtg_t) - - netutils_domtrans_ping(mrtg_t) - -diff --git a/mta.fc b/mta.fc -index f42896c..cb2791a 100644 ---- a/mta.fc -+++ b/mta.fc -@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) - HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) - HOME_DIR/dead\.letter -- 
gen_context(system_u:object_r:mail_home_t,s0) - HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) --HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) --HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) - --/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - --/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+ -+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) - /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) --/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) -+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) - /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) --/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) -- --/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -+ifdef(`distro_redhat',` -+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) -+') -+ -+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) -+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) -+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) -+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) -+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -+ -+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/bin/mail(x)? 
-- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - --/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) --/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - --/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - - /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - --/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) - /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) --/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -diff --git a/mta.if b/mta.if -index ed81cac..566684a 100644 ---- a/mta.if -+++ b/mta.if -@@ -1,4 +1,4 @@ --## Common e-mail transfer agent policy. -+## Policy common to all email tranfer agents. - - ######################################## - ## -@@ -18,23 +18,37 @@ interface(`mta_stub',` - - ####################################### - ## --## The template to define a mail domain. -+## Basic mail transfer agent domain template. - ## -+## -+##
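Review bot: `HOME_DIR/.maildir(/.*)?` loses the backslash that the removed line `HOME_DIR/\.maildir(/.*)?` had, so in the file-context regex `.` matches any single character and a path such as `HOME_DIR/Xmaildir` would also be labeled mail_home_rw_t; the escaped form should be restored, i.e. `HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)`. The new `/root/` block labels `/root/Maildir(/.*)?` but has no `/root/\.maildir(/.*)?` counterpart, so root's `.maildir` would presumably fall back to the generic admin-home label. Inside `distro_redhat`, `/etc/postfix/aliases.*` also dropped the `--` file-type field, so the entry now matches directories and other object classes, not just regular files as the removed line did.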

    -+## This template creates a derived domain which is -+## a email transfer agent, which sends mail on -+## behalf of the user. -+##

    -+##

    -+## This is the basic types and rules, common -+## to the system agent and user agents. -+##

    -+##
    - ## - ## --## Domain prefix to be used. -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). - ## - ## -+## - # - template(`mta_base_mail_template',` -+ - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - -- ######################################## -+ ############################## - # -- # Declarations -+ # $1_mail_t declarations - # - - type $1_mail_t, user_mail_domain; -@@ -43,17 +57,16 @@ template(`mta_base_mail_template',` - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - -- ######################################## -- # -- # Declarations -- # -- - manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - -+ kernel_read_system_state($1_mail_t) -+ - auth_use_nsswitch($1_mail_t) - -+ logging_send_syslog_msg($1_mail_t) -+ - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) - ') -@@ -61,61 +74,41 @@ template(`mta_base_mail_template',` - - ######################################## - ## --## Role access for mta. -+## Role access for mta - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. -+## User domain for the role - ## - ## - # - interface(`mta_role',` - gen_require(` - attribute mta_user_agent; -- attribute_role user_mail_roles; -- type user_mail_t, sendmail_exec_t, mail_home_t; -- type user_mail_tmp_t, mail_home_rw_t; -+ type user_mail_t, sendmail_exec_t; - ') - -- roleattribute $1 user_mail_roles; -- -- # this is something i need to fix -- # i dont know if and why it is needed -- # will role attribute work? -- role $1 types mta_user_agent; -+ role $1 types { user_mail_t mta_user_agent }; - -+ # Transition from the user domain to the derived domain. 
- domtrans_pattern($2, sendmail_exec_t, user_mail_t) - allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; - -- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms }; -- ps_process_pattern($2, { user_mail_t mta_user_agent }) -- -- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms }; -- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue") -- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward") -- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc") -- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter") -- -- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; -- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") -- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") -- -- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms }; -+ allow mta_user_agent $2:fd use; -+ allow mta_user_agent $2:process sigchld; -+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms; - - optional_policy(` - exim_run($2, $1) - ') - - optional_policy(` -- mailman_run($2, $1) -+ mailman_run(mta_user_agent, $1) - ') - ') - -@@ -163,125 +156,23 @@ interface(`mta_agent_executable',` - application_executable_file($1) - ') - --####################################### --## --## Read mta mail home files. --## --## --## --## Domain allowed access. --## --## --# --interface(`mta_read_mail_home_files',` -- gen_require(` -- type mail_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 mail_home_t:file read_file_perms; --') -- --####################################### --## --## Create, read, write, and delete --## mta mail home files. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`mta_manage_mail_home_files',` -- gen_require(` -- type mail_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 mail_home_t:file manage_file_perms; --') -- --######################################## --## --## Create specified objects in user home --## directories with the generic mail --## home type. --## --## --## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## --# --interface(`mta_home_filetrans_mail_home',` -- gen_require(` -- type mail_home_t; -- ') -- -- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3) --') -- --####################################### --## --## Create, read, write, and delete --## mta mail home rw content. --## --## --## --## Domain allowed access. --## --## --# --interface(`mta_manage_mail_home_rw_content',` -- gen_require(` -- type mail_home_rw_t; -- ') -- -- userdom_search_user_home_dirs($1) -- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) -- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) -- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) --') -- --######################################## -+###################################### - ## --## Create specified objects in user home --## directories with the generic mail --## home rw type. -+## Dontaudit read and write an leaked file descriptors - ## - ## - ## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. -+## Domain to not audit. 
- ## - ## - # --interface(`mta_home_filetrans_mail_home_rw',` -+interface(`mta_dontaudit_leaks_system_mail',` - gen_require(` -- type mail_home_rw_t; -+ type system_mail_t; - ') - -- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3) -+ dontaudit $1 system_mail_t:fifo_file write; -+ dontaudit $1 system_mail_t:tcp_socket { read write }; - ') - - ######################################## -@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',` - ') - - init_system_domain($1, sendmail_exec_t) -- - typeattribute $1 mailserver_domain; - ') - -@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',` - ') - - typeattribute $1 mailserver_delivery; -+ -+ userdom_home_manager($1) -+ -+ optional_policy(` -+ mta_rw_delivery_tcp_sockets($1) -+ ') -+ -+ userdom_filetrans_home_content($1) -+ - ') - - ####################################### -@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',` - ') - - typeattribute $1 mta_user_agent; -+ -+ optional_policy(` -+ # apache should set close-on-exec -+ apache_dontaudit_rw_stream_sockets($1) -+ apache_dontaudit_rw_sys_script_stream_sockets($1) -+ ') - ') - - ######################################## -@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',` - # - interface(`mta_send_mail',` - gen_require(` -+ attribute mta_user_agent; - type system_mail_t; - attribute mta_exec_type; - ') - -- corecmd_search_bin($1) -+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -+ corecmd_read_bin_symlinks($1) - domtrans_pattern($1, mta_exec_type, system_mail_t) - -- allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -+ allow mta_user_agent $1:fd use; -+ allow mta_user_agent $1:process sigchld; -+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms; - ') - - ######################################## -@@ -445,18 +355,24 @@ interface(`mta_send_mail',` - # - interface(`mta_sendmail_domtrans',` - gen_require(` -- type sendmail_exec_t; -+ attribute 
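Review bot: `mta_mailserver_delivery` now calls `userdom_home_manager($1)` for every delivery domain, which hands each local-delivery agent create/write/delete over user home content rather than the mail-specific `mail_home_rw_t` types this module already defines (`mta_manage_home_rw` later in the file); if the goal is Maildir delivery, `mta_manage_home_rw($1)` plus `mta_filetrans_home_content($1)` is the narrower grant. A comment on the `userdom_home_manager` line stating why the broad permission is required would at least record the decision. The `optional_policy` wrapper around `mta_rw_delivery_tcp_sockets($1)` looks unnecessary, since that interface is defined in this same mta.if further down.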
mta_exec_type; -+ attribute mta_user_agent; - ') - -- corecmd_search_bin($1) -- domain_auto_trans($1, sendmail_exec_t, $2) -+ files_search_usr($1) -+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -+ corecmd_read_bin_symlinks($1) - -- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; -+ allow $2 mta_exec_type:file entrypoint; -+ domtrans_pattern($1, mta_exec_type, $2) -+ allow mta_user_agent $1:fd use; -+ allow mta_user_agent $1:process sigchld; -+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Send signals to system mail. -+## Send system mail client a signal - ## - ## - ## -@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',` - ## - ## - # --# - interface(`mta_signal_system_mail',` - gen_require(` - type system_mail_t; -@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',` - - ######################################## - ## --## Send kill signals to system mail. -+## Send all user mail client a signal -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_signal_user_agent',` -+ gen_require(` -+ attribute mta_user_agent; -+ ') -+ -+ allow $1 mta_user_agent:process signal; -+') -+ -+######################################## -+## -+## Send all user mail client a kill signal -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_kill_user_agent',` -+ gen_require(` -+ attribute mta_user_agent; -+ ') -+ -+ allow $1 mta_user_agent:process sigkill; -+') -+ -+######################################## -+## -+## Send system mail client a kill signal - ## - ## - ## -@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',` - type sendmail_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, sendmail_exec_t) - ') - - ######################################## - ## --## Read mail server configuration content. -+## Check whether sendmail executable -+## files are executable. -+## -+## -+## -+## Domain allowed access. 
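Review bot: `mta_sendmail_domtrans` now keys on the `mta_exec_type` attribute instead of `sendmail_exec_t` and adds `allow $2 mta_exec_type:file entrypoint;`, so the caller's target domain `$2` gains an entrypoint through every MTA agent executable, not only sendmail, and `$1` transitions to `$2` when executing any of them. Callers of this interface (outside this view) that relied on the sendmail-only transition should be checked, since a domain that was meant to be entered only via the sendmail binary can now presumably be entered via any binary carrying `mta_exec_type`. If the widening is intended, the interface summary should say so, e.g. `## Execute any mail transfer agent binary with a domain transition to the specified domain; $2 gets an entrypoint on all mta_exec_type files.`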
-+## -+## -+# -+interface(`mta_sendmail_access_check',` -+ gen_require(` -+ type sendmail_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ allow $1 sendmail_exec_t:file { getattr_file_perms execute }; -+') -+ -+######################################## -+## -+## Read mail server configuration. - ## - ## - ## -@@ -528,13 +498,13 @@ interface(`mta_read_config',` - - files_search_etc($1) - allow $1 etc_mail_t:dir list_dir_perms; -- allow $1 etc_mail_t:file read_file_perms; -- allow $1 etc_mail_t:lnk_file read_lnk_file_perms; -+ read_files_pattern($1, etc_mail_t, etc_mail_t) -+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) - ') - - ######################################## - ## --## Write mail server configuration files. -+## write mail server configuration. - ## - ## - ## -@@ -548,33 +518,31 @@ interface(`mta_write_config',` - type etc_mail_t; - ') - -- files_search_etc($1) - write_files_pattern($1, etc_mail_t, etc_mail_t) - ') - - ######################################## - ## --## Read mail address alias files. -+## Manage mail server configuration. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`mta_read_aliases',` -+interface(`mta_manage_config',` - gen_require(` -- type etc_aliases_t; -+ type etc_mail_t; - ') - -- files_search_etc($1) -- allow $1 etc_aliases_t:file read_file_perms; -+ manage_files_pattern($1, etc_mail_t, etc_mail_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## mail address alias content. -+## Read mail address aliases. 
- ## - ## - ## -@@ -582,84 +550,66 @@ interface(`mta_read_aliases',` - ## - ## - # --interface(`mta_manage_aliases',` -+interface(`mta_read_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) -- manage_files_pattern($1, etc_aliases_t, etc_aliases_t) -- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) -+ allow $1 etc_aliases_t:file read_file_perms; -+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Create specified object in generic --## etc directories with the mail address --## alias type. -+## Create, read, write, and delete mail address aliases. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`mta_etc_filetrans_aliases',` -+interface(`mta_manage_aliases',` - gen_require(` - type etc_aliases_t; - ') - -- files_etc_filetrans($1, etc_aliases_t, $2, $3) -+ files_search_etc($1) -+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t) -+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) -+ mta_etc_filetrans_aliases($1, "aliases") -+ mta_etc_filetrans_aliases($1, "aliases.db") -+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp") - ') - - ######################################## - ## --## Create specified objects in specified --## directories with a type transition to --## the mail address alias type. -+## Type transition files created in /etc -+## to the mail address aliases type. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Directory to transition on. --## --## --## --## --## The object class of the object being created. --## --## - ## - ## - ## The name of the object being created. 
- ## - ## - # --interface(`mta_spec_filetrans_aliases',` -+interface(`mta_etc_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - -- filetrans_pattern($1, $2, etc_aliases_t, $3, $4) -+ files_etc_filetrans($1, etc_aliases_t, file, $2) - ') - - ######################################## - ## --## Read and write mail alias files. -+## Read and write mail aliases. - ## - ## - ## -@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',` - ') - - files_search_etc($1) -- allow $1 etc_aliases_t:file rw_file_perms; -+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; - ') - - ####################################### - ## --## Do not audit attempts to read --## and write TCP sockets of mail --## delivery domains. -+## Do not audit attempts to read and write TCP -+## sockets of mail delivery domains. - ## - ## - ## -@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` - dontaudit $1 mailserver_delivery:tcp_socket { read write }; - ') - -+###################################### -+## -+## Allow attempts to read and write TCP -+## sockets of mail delivery domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`mta_rw_delivery_tcp_sockets',` -+ gen_require(` -+ attribute mailserver_delivery; -+ ') -+ -+ allow $1 mailserver_delivery:tcp_socket { read write }; -+') -+ - ####################################### - ## - ## Connect to all mail servers over TCP. (Deprecated) -@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',` - - ####################################### - ## --## Do not audit attempts to read --## mail spool symlinks. -+## Do not audit attempts to read a symlink -+## in the mail spool. - ## - ## - ## -@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` - - ######################################## - ## --## Get attributes of mail spool content. -+## Get the attributes of mail spool files. 
- ## - ## - ## -@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',` - - ######################################## - ## --## Do not audit attempts to get --## attributes of mail spool files. -+## Do not audit attempts to get the attributes -+## of mail spool files. - ## - ## - ## -@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',` - - ####################################### - ## --## Create specified objects in the --## mail spool directory with a --## private type. -+## Create private objects in the -+## mail spool directory. - ## - ## - ## -@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',` - - ####################################### - ## --## Read mail spool files. -+## Read the mail spool. - ## - ## - ## -@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',` - ## - ## - # --interface(`mta_read_spool_files',` -- gen_require(` -- type mail_spool_t; -- ') -+interface(`mta_read_spool',` -+ gen_require(` -+ type mail_spool_t; -+ ') - - files_search_spool($1) - read_files_pattern($1, mail_spool_t, mail_spool_t) -@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',` - - ######################################## - ## --## Read and write mail spool files. -+## Read and write the mail spool. - ## - ## - ## -@@ -845,13 +812,14 @@ interface(`mta_rw_spool',` - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; -- allow $1 mail_spool_t:file rw_file_perms; -- allow $1 mail_spool_t:lnk_file read_lnk_file_perms; -+ allow $1 mail_spool_t:file setattr_file_perms; -+ manage_files_pattern($1, mail_spool_t, mail_spool_t) -+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - - ####################################### - ## --## Create, read, and write mail spool files. -+## Create, read, and write the mail spool. 
- ## - ## - ## -@@ -866,13 +834,14 @@ interface(`mta_append_spool',` - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; -- manage_files_pattern($1, mail_spool_t, mail_spool_t) -- allow $1 mail_spool_t:lnk_file read_lnk_file_perms; -+ create_files_pattern($1, mail_spool_t, mail_spool_t) -+ write_files_pattern($1, mail_spool_t, mail_spool_t) -+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - - ####################################### - ## --## Delete mail spool files. -+## Delete from the mail spool. - ## - ## - ## -@@ -891,8 +860,7 @@ interface(`mta_delete_spool',` - - ######################################## - ## --## Create, read, write, and delete --## mail spool content. -+## Create, read, write, and delete mail spool files. - ## - ## - ## -@@ -911,45 +879,9 @@ interface(`mta_manage_spool',` - manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - --####################################### --## --## Create specified objects in the --## mail queue spool directory with a --## private type. --## --## --## --## Domain allowed access. --## --## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## --# --interface(`mta_queue_filetrans',` -- gen_require(` -- type mqueue_spool_t; -- ') -- -- files_search_spool($1) -- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) --') -- - ######################################## - ## --## Search mail queue directories. -+## Search mail queue dirs. - ## - ## - ## -@@ -968,7 +900,7 @@ interface(`mta_search_queue',` - - ####################################### - ## --## List mail queue directories. -+## List the mail queue. 
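Review bot: `mta_rw_spool` keeps its summary "Read and write the mail spool" but the body now grants `manage_files_pattern($1, mail_spool_t, mail_spool_t)` plus `setattr_file_perms`, so a caller that asked for read/write also receives create, unlink and rename on the spool — effectively the same access as `mta_manage_spool`. Either narrow the body back to `rw_files_pattern($1, mail_spool_t, mail_spool_t)` or document the real scope, e.g. `## Read, write, create, and delete mail spool files (equivalent to mta_manage_spool plus setattr).` The neighbouring `mta_append_spool` hunk goes the other way, from `manage_files_pattern` to `create_files_pattern` + `write_files_pattern`, which is the direction one would expect for both interfaces.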
- ## - ## - ## -@@ -981,13 +913,13 @@ interface(`mta_list_queue',` - type mqueue_spool_t; - ') - -- files_search_spool($1) - allow $1 mqueue_spool_t:dir list_dir_perms; -+ files_search_spool($1) - ') - - ####################################### - ## --## Read mail queue files. -+## Read the mail queue. - ## - ## - ## -@@ -1000,14 +932,14 @@ interface(`mta_read_queue',` - type mqueue_spool_t; - ') - -- files_search_spool($1) - read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) -+ files_search_spool($1) - ') - - ####################################### - ## - ## Do not audit attempts to read and --## write mail queue content. -+## write the mail queue. - ## - ## - ## -@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',` - ######################################## - ## - ## Create, read, write, and delete --## mail queue content. -+## mail queue files. - ## - ## - ## -@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',` - - ####################################### - ## -+## Create private objects in the -+## mqueue spool directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`mta_spool_filetrans_queue',` -+ gen_require(` -+ type mqueue_spool_t; -+ ') -+ -+ files_search_spool($1) -+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) -+') -+ -+####################################### -+## - ## Read sendmail binary. - ## - ## -@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',` - ## - ## - # -+# cjp: added for postfix - interface(`mta_read_sendmail_bin',` - gen_require(` - type sendmail_exec_t; -@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',` - - ####################################### - ## --## Read and write unix domain stream --## sockets of all base mail domains. -+## Read and write unix domain stream sockets -+## of user mail domains. 
- ## - ## - ## -@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',` - - allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; - ') -+ -+######################################## -+## -+## Type transition files created in calling dir -+## to the mail address aliases type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Directory to transition on. -+## -+## -+# -+interface(`mta_filetrans_aliases',` -+ gen_require(` -+ type etc_aliases_t; -+ ') -+ -+ filetrans_pattern($1, $2, etc_aliases_t, file) -+') -+ -+###################################### -+## -+## ALlow domain to read mail content in the homedir -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_read_home',` -+ gen_require(` -+ type mail_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, mail_home_t, mail_home_t) -+ -+ ifdef(`distro_redhat',` -+ userdom_search_admin_dir($1) -+ ') -+') -+ -+#################################### -+## -+## ALlow domain to read mail content in the homedir -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_read_home_rw',` -+ gen_require(` -+ type mail_home_rw_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t) -+ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) -+ -+ ifdef(`distro_redhat',` -+ userdom_search_admin_dir($1) -+ ') -+') -+ -+#################################### -+## -+## Allow domain to manage mail content in the homedir -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mta_manage_home_rw',` -+ gen_require(` -+ type mail_home_rw_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ userdom_search_admin_dir($1) -+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) -+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) -+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) -+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") -+ -+ ifdef(`distro_redhat',` -+ userdom_search_admin_dir($1) -+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") -+ ') -+') -+ -+######################################## -+## -+## create mail content in the in the /root directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_filetrans_admin_home_content',` -+ gen_require(` -+ type mail_home_t; -+ type mail_home_rw_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter") -+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc") -+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward") -+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") -+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") -+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") -+') -+ -+######################################## -+## -+## Transition to mta named home content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mta_filetrans_home_content',` -+ gen_require(` -+ type mail_home_t; -+ type mail_home_rw_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc") -+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter") -+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward") -+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") -+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") -+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") -+') -+ -+######################################## -+## -+## Transition to mta named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_filetrans_named_content',` -+ gen_require(` -+ type etc_aliases_t; -+ type etc_mail_t; -+ ') -+ -+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) -+ mta_etc_filetrans_aliases($1, "aliases") -+ mta_etc_filetrans_aliases($1, "aliases.db") -+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp") -+ mta_filetrans_home_content($1) -+ mta_filetrans_admin_home_content($1) -+') -diff --git a/mta.te b/mta.te -index afd2fad..09ebbbe 100644 ---- a/mta.te -+++ b/mta.te -@@ -1,4 +1,4 @@ --policy_module(mta, 2.6.5) -+policy_module(mta, 2.5.0) - - ######################################## - # -@@ -14,8 +14,6 @@ attribute mailserver_sender; - - attribute user_mail_domain; - --attribute_role user_mail_roles; -- - type etc_aliases_t; - files_type(etc_aliases_t) - -@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t) - - type mqueue_spool_t; - files_mountpoint(mqueue_spool_t) -+files_spool_file(mqueue_spool_t) - - type mail_spool_t; - files_mountpoint(mail_spool_t) -+files_spool_file(mail_spool_t) - - type sendmail_exec_t; - mta_agent_executable(sendmail_exec_t) -@@ -43,178 +43,79 @@ role system_r types system_mail_t; - mta_base_mail_template(user) - typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; - typealias user_mail_t alias { 
auditadm_mail_t secadm_mail_t };
--userdom_user_application_type(user_mail_t)
--role user_mail_roles types user_mail_t;
--
- typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
- typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
-+userdom_user_application_type(user_mail_t)
- userdom_user_tmp_file(user_mail_tmp_t)
- 
- ########################################
- #
--# Common base mail policy
--#
--
--allow user_mail_domain self:capability { setuid setgid chown };
--allow user_mail_domain self:process { signal_perms setrlimit };
--allow user_mail_domain self:fifo_file rw_fifo_file_perms;
--
--allow user_mail_domain mta_exec_type:file entrypoint;
--
--allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
--
--manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
--manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
--manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
--userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
--userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
--
--read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
--
--manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
--read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
--
--allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
--
--can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
--
--kernel_read_system_state(user_mail_domain)
--kernel_read_kernel_sysctls(user_mail_domain)
--kernel_read_network_state(user_mail_domain)
--kernel_request_load_module(user_mail_domain)
--
--corenet_all_recvfrom_netlabel(user_mail_domain)
--corenet_tcp_sendrecv_generic_if(user_mail_domain)
--corenet_tcp_sendrecv_generic_node(user_mail_domain)
--
--corenet_sendrecv_all_client_packets(user_mail_domain)
--corenet_tcp_connect_all_ports(user_mail_domain)
--corenet_tcp_sendrecv_all_ports(user_mail_domain)
--
--corecmd_exec_bin(user_mail_domain)
--
--dev_read_urand(user_mail_domain)
--
--domain_use_interactive_fds(user_mail_domain)
--
--files_read_etc_runtime_files(user_mail_domain)
--files_read_usr_files(user_mail_domain)
--files_search_spool(user_mail_domain)
--files_dontaudit_search_pids(user_mail_domain)
--
--fs_getattr_all_fs(user_mail_domain)
--
--init_dontaudit_rw_utmp(user_mail_domain)
--
--logging_send_syslog_msg(user_mail_domain)
--
--miscfiles_read_localization(user_mail_domain)
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(user_mail_domain)
-- fs_manage_cifs_files(user_mail_domain)
-- fs_read_cifs_symlinks(user_mail_domain)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(user_mail_domain)
-- fs_manage_nfs_files(user_mail_domain)
-- fs_read_nfs_symlinks(user_mail_domain)
--')
--
--optional_policy(`
-- courier_manage_spool_dirs(user_mail_domain)
-- courier_manage_spool_files(user_mail_domain)
-- courier_rw_spool_pipes(user_mail_domain)
--')
--
--optional_policy(`
-- exim_domtrans(user_mail_domain)
-- exim_manage_log(user_mail_domain)
-- exim_manage_spool_files(user_mail_domain)
--')
--
--optional_policy(`
-- files_getattr_tmp_dirs(user_mail_domain)
--
-- postfix_exec_master(user_mail_domain)
-- postfix_read_config(user_mail_domain)
-- postfix_search_spool(user_mail_domain)
-- postfix_rw_inherited_master_pipes(user_mail_domain)
--
-- ifdef(`distro_redhat',`
-- postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-- ')
--')
--
--optional_policy(`
-- procmail_exec(user_mail_domain)
--')
--
--optional_policy(`
-- qmail_domtrans_inject(user_mail_domain)
--')
--
--optional_policy(`
-- sendmail_manage_log(user_mail_domain)
-- sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
--')
--
--optional_policy(`
-- 
uucp_manage_spool(user_mail_domain)
--')
--
--########################################
--#
--# System local policy
-+# System mail local policy
- #
- 
-+# newalias required this, not sure if it is needed in 'if' file
- allow system_mail_t self:capability { dac_override fowner };
--
--read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
--
--read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-+dontaudit system_mail_t self:capability net_admin;
- 
- allow system_mail_t mail_home_t:file manage_file_perms;
--userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
--userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
--userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
--userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
- 
--allow system_mail_t user_mail_domain:dir list_dir_perms;
--allow system_mail_t user_mail_domain:file read_file_perms;
--allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
-+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
- 
- corecmd_exec_shell(system_mail_t)
- 
--dev_read_rand(system_mail_t)
- dev_read_sysfs(system_mail_t)
-+dev_read_rand(system_mail_t)
-+dev_read_urand(system_mail_t)
- 
--fs_rw_anon_inodefs_files(system_mail_t)
- 
--selinux_getattr_fs(system_mail_t)
-+fs_rw_anon_inodefs_files(system_mail_t)
- 
- term_dontaudit_use_unallocated_ttys(system_mail_t)
- 
- init_use_script_ptys(system_mail_t)
-+init_dontaudit_rw_stream_socket(system_mail_t)
-+
-+userdom_use_inherited_user_terminals(system_mail_t)
-+userdom_dontaudit_list_user_home_dirs(system_mail_t)
-+userdom_dontaudit_list_admin_dir(system_mail_t)
-+
-+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
-+allow system_mail_t mail_home_t:file manage_file_perms;
-+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-+
-+
-+logging_append_all_logs(system_mail_t)
- 
--userdom_use_user_terminals(system_mail_t)
-+logging_send_syslog_msg(system_mail_t)
- 
- optional_policy(`
- apache_read_squirrelmail_data(system_mail_t)
- apache_append_squirrelmail_data(system_mail_t)
-+
-+ # apache should set close-on-exec
- apache_dontaudit_append_log(system_mail_t)
- apache_dontaudit_rw_stream_sockets(system_mail_t)
- apache_dontaudit_rw_tcp_sockets(system_mail_t)
- apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-+ apache_dontaudit_rw_tmp_files(system_mail_t)
-+
-+ apache_dontaudit_rw_fifo_file(user_mail_domain)
-+ apache_dontaudit_rw_fifo_file(mta_user_agent)
-+ # apache should set close-on-exec
-+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
-+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
-+ apache_append_log(mta_user_agent)
- ')
- 
- optional_policy(`
- arpwatch_manage_tmp_files(system_mail_t)
- 
-- ifdef(`hide_broken_symptoms',`
-- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-- ')
-+ ifdef(`hide_broken_symptoms', `
-+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-+ ')
-+
- ')
- 
- optional_policy(`
-@@ -223,18 +124,18 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- clamav_stream_connect(system_mail_t)
-- clamav_append_log(system_mail_t)
-+ courier_stream_connect_authdaemon(system_mail_t)
- ')
- 
- optional_policy(`
- cron_read_system_job_tmp_files(system_mail_t)
- cron_dontaudit_write_pipes(system_mail_t)
- cron_rw_system_job_stream_sockets(system_mail_t)
-+ cron_rw_inherited_spool_files(system_mail_t)
-+ cron_rw_inherited_user_spool_files(system_mail_t)
- ')
- 
- optional_policy(`
-- courier_stream_connect_authdaemon(system_mail_t)
- courier_manage_spool_dirs(system_mail_t)
- courier_manage_spool_files(system_mail_t)
- courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +146,8 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- exim_domtrans(system_mail_t)
-- exim_manage_log(system_mail_t)
--')
--
--optional_policy(`
-- 
fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- fail2ban_append_log(system_mail_t)
-+ fail2ban_dontaudit_leaks(system_mail_t)
- fail2ban_rw_inherited_tmp_files(system_mail_t)
- ')
- 
-@@ -264,10 +160,15 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
- milter_getattr_all_sockets(system_mail_t)
- ')
- 
- optional_policy(`
-+ munin_dontaudit_leaks(system_mail_t)
-+')
-+
-+optional_policy(`
- nagios_read_tmp_files(system_mail_t)
- ')
- 
-@@ -278,6 +179,15 @@ optional_policy(`
- manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-+
-+ domain_use_interactive_fds(system_mail_t)
-+')
-+
-+optional_policy(`
-+ qmail_domtrans_inject(system_mail_t)
-+ qmail_manage_spool_dirs(system_mail_t)
-+ qmail_manage_spool_files(system_mail_t)
-+ qmail_rw_spool_pipes(system_mail_t)
- ')
- 
- optional_policy(`
-@@ -293,42 +203,36 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- spamassassin_stream_connect_spamd(system_mail_t)
-+ spamd_stream_connect(system_mail_t)
- ')
- 
- optional_policy(`
- smartmon_read_tmp_files(system_mail_t)
- ')
- 
--########################################
--#
--# MTA user agent local policy
--#
--
--userdom_use_user_terminals(mta_user_agent)
--
--optional_policy(`
-- apache_append_log(mta_user_agent)
--')
-+# should break this up among sections:
- 
- optional_policy(`
-+ # why is mail delivered to a directory of type arpwatch_data_t?
-+ arpwatch_search_data(mailserver_delivery)
- arpwatch_manage_tmp_files(mta_user_agent)
- 
-- ifdef(`hide_broken_symptoms',`
-- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
-- ')
--
- optional_policy(`
- cron_read_system_job_tmp_files(mta_user_agent)
- ')
- ')
- 
-+ifdef(`hide_broken_symptoms',`
-+ domain_dontaudit_leaks(user_mail_domain)
-+ domain_dontaudit_leaks(mta_user_agent)
-+')
-+
- ########################################
- #
- # Mailserver delivery local policy
- #
- 
--allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
-+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
- 
- allow mailserver_delivery mail_spool_t:dir list_dir_perms;
- create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- 
-+userdom_search_admin_dir(mailserver_delivery)
-+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
-+
- manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
--manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
-+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
- manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
--userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
--userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
--userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
--userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
--userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
--userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
- 
- 
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
- 
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mailserver_delivery)
-- fs_manage_cifs_files(mailserver_delivery)
-- fs_read_cifs_symlinks(mailserver_delivery)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mailserver_delivery)
-- fs_manage_nfs_files(mailserver_delivery)
-- fs_read_nfs_symlinks(mailserver_delivery)
--')
--
- optional_policy(`
-- arpwatch_search_data(mailserver_delivery)
-+ dovecot_manage_spool(mailserver_delivery)
-+ dovecot_domtrans_deliver(mailserver_delivery)
- ')
- 
- optional_policy(`
-- dovecot_manage_spool(mailserver_delivery)
-- dovecot_domtrans_deliver(mailserver_delivery)
-+ logwatch_search_cache_dir(mailserver_delivery)
- ')
- 
- optional_policy(`
-+ # so MTA can access /var/lib/mailman/mail/wrapper
- files_search_var_lib(mailserver_delivery)
- 
- mailman_domtrans(mailserver_delivery)
-@@ -387,24 +277,173 @@ optional_policy(`
- 
- ########################################
- #
--# User local policy
-+# User send mail local policy
- #
- 
--manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
--userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
--userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
--userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
--userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
-+domain_use_interactive_fds(user_mail_t)
-+
-+userdom_use_inherited_user_terminals(user_mail_t)
-+# Write to the user domain tty. cjp: why?
-+userdom_use_inherited_user_terminals(mta_user_agent)
-+# Create dead.letter in user home directories.
-+userdom_manage_user_home_content_files(user_mail_t)
-+userdom_filetrans_home_content(user_mail_t)
-+# for reading .forward - maybe we need a new type for it?
-+# also for delivering mail to maildir
-+userdom_manage_user_home_content_dirs(mailserver_delivery)
-+userdom_manage_user_home_content_files(mailserver_delivery)
-+userdom_manage_user_home_content_symlinks(mailserver_delivery)
-+userdom_manage_user_home_content_pipes(mailserver_delivery)
-+userdom_manage_user_home_content_sockets(mailserver_delivery)
-+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
-+
-+# Read user temporary files.
-+userdom_read_user_tmp_files(user_mail_t)
-+userdom_dontaudit_append_user_tmp_files(user_mail_t)
-+# cjp: this should probably be read all user tmp
-+# files in an appropriate place for mta_user_agent
-+userdom_read_user_tmp_files(mta_user_agent)
- 
- dev_read_sysfs(user_mail_t)
- 
--userdom_use_user_terminals(user_mail_t)
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_files(user_mail_t)
-+ fs_manage_cifs_symlinks(user_mail_t)
-+')
- 
- optional_policy(`
- allow user_mail_t self:capability dac_override;
- 
-+ # Read user temporary files.
-+ # postfix seems to need write access if the file handle is opened read/write
- userdom_rw_user_tmp_files(user_mail_t)
- 
- postfix_read_config(user_mail_t)
- postfix_list_spool(user_mail_t)
- ')
-+
-+########################################
-+#
-+# Comman user_mail_domain policy
-+#
-+
-+allow user_mail_domain self:capability { setuid setgid chown };
-+allow user_mail_domain self:process { signal_perms setrlimit };
-+allow user_mail_domain self:tcp_socket create_socket_perms;
-+allow user_mail_domain self:fifo_file rw_fifo_file_perms;
-+allow user_mail_domain mta_exec_type:file entrypoint;
-+
-+append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+
-+manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-+
-+read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
-+
-+can_exec(user_mail_domain, mta_exec_type)
-+
-+allow system_mail_t user_mail_domain:file read_file_perms;
-+
-+read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
-+
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
-+
-+dev_read_urand(user_mail_domain)
-+
-+
-+# Write to /var/spool/mail and /var/spool/mqueue.
-+manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
-+manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
-+read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
-+read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
-+
-+# re-exec itself
-+can_exec(user_mail_domain, sendmail_exec_t)
-+allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
-+
-+kernel_read_kernel_sysctls(user_mail_domain)
-+
-+corenet_tcp_sendrecv_generic_if(user_mail_domain)
-+corenet_tcp_sendrecv_generic_node(user_mail_domain)
-+corenet_tcp_sendrecv_all_ports(user_mail_domain)
-+corenet_tcp_connect_all_ports(user_mail_domain)
-+corenet_tcp_connect_smtp_port(user_mail_domain)
-+corenet_sendrecv_smtp_client_packets(user_mail_domain)
-+
-+corecmd_exec_bin(user_mail_domain)
-+
-+files_search_spool(user_mail_domain)
-+# It wants to check for nscd
-+files_dontaudit_search_pids(user_mail_domain)
-+allow user_mail_domain etc_mail_t:dir search_dir_perms;
-+
-+files_read_etc_runtime_files(user_mail_domain)
-+
-+# Check available space.
-+fs_getattr_xattr_fs(user_mail_domain)
-+
-+init_dontaudit_rw_utmp(user_mail_domain)
-+
-+optional_policy(`
-+ courier_manage_spool_dirs(user_mail_domain)
-+ courier_manage_spool_files(user_mail_domain)
-+ courier_rw_spool_pipes(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ exim_domtrans(user_mail_domain)
-+ exim_manage_log(user_mail_domain)
-+ exim_manage_spool_files(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ # postfix needs this for newaliases
-+ files_getattr_tmp_dirs(user_mail_domain)
-+
-+ postfix_exec_master(user_mail_domain)
-+ postfix_read_config(user_mail_domain)
-+ postfix_search_spool(user_mail_domain)
-+ postfix_rw_inherited_master_pipes(user_mail_domain)
-+
-+ ifdef(`distro_redhat',`
-+ # compatability for old default main.cf
-+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-+ ')
-+')
-+
-+optional_policy(`
-+ openshift_rw_inherited_content(mta_user_agent)
-+')
-+
-+optional_policy(`
-+ procmail_exec(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ qmail_domtrans_inject(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ # Write to /var/log/sendmail.st
-+ sendmail_manage_log(user_mail_domain)
-+ sendmail_create_log(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ uucp_manage_spool(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ antivirus_stream_connect(user_mail_domain)
-+ antivirus_stream_connect(mta_user_agent)
-+')
-+
-+optional_policy(`
-+ mailman_manage_data_files(mailserver_domain)
-+ mailman_domtrans(mailserver_domain)
-+ mailman_append_log(mailserver_domain)
-+ mailman_read_log(mailserver_domain)
-+')
-+
-diff --git a/munin.fc b/munin.fc
-index eb4b72a..4968324 100644
---- a/munin.fc
-+++ b/munin.fc
-@@ -1,77 +1,79 @@
--/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
--
-+/etc/munin(/.*)? 
gen_context(system_u:object_r:munin_etc_t,s0)
- /etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
- 
--/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
--
--/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
--
-+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
- /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
- 
-+# label all plugins as unconfined_munin_plugin_exec_t
- /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
- 
--/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-+# disk plugins
-+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
- 
--/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+# mail plugins
-+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
- 
--/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+# services plugins
-+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- 
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/varnish_.* -- 
gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- 
-+# selinux plugins
- /usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
- 
-+# system plugins
- /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
--/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- 
--/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
- /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
--
--/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
--
--/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
--
--/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
-+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
-+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
- /var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-diff --git a/munin.if b/munin.if
-index b744fe3..4c1b6a8 100644
---- a/munin.if
-+++ b/munin.if
-@@ -1,12 +1,13 @@
--## Munin network-wide load graphing.
-+## Munin network-wide load graphing (formerly LRRD)
- 
--#######################################
-+########################################
- ##
--## The template to define a munin plugin domain.
-+## Create a set of derived types for various
-+## munin plugins,
- ##
--##
-+##
- ##
--## Domain prefix to be used.
-+## The name to be used for deriving type names.
- ##
- ##
- #
-@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
- gen_require(`
- attribute munin_plugin_domain, munin_plugin_tmp_content;
- type munin_t;
-- ')
- 
-- ########################################
-- #
-- # Declarations
-- #
-+ ')
- 
- type $1_munin_plugin_t, munin_plugin_domain;
- type $1_munin_plugin_exec_t;
-@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
- files_tmp_file($1_munin_plugin_tmp_t)
- 
- ########################################
-- #
-- # Policy
-- #
-+ #
-+ # Policy
-+ #
- 
-+ # automatic transition rules from munin domain
-+ # to specific munin plugin domain
- domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
- 
- manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
- manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
- files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
-+
-+ kernel_read_system_state($1_munin_plugin_t)
-+
-+ corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
-+ corenet_all_recvfrom_netlabel($1_munin_plugin_t)
- ')
- 
- ########################################
-@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
- 
- #######################################
- ##
--## 
Read munin configuration content.
-+## Read munin configuration files.
- ##
- ##
- ##
-@@ -80,15 +84,53 @@ interface(`munin_read_config',`
- type munin_etc_t;
- ')
- 
-- files_search_etc($1)
- allow $1 munin_etc_t:dir list_dir_perms;
- allow $1 munin_etc_t:file read_file_perms;
- allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
-+ files_search_etc($1)
- ')
- 
- #######################################
- ##
--## Append munin log files.
-+## Read munin library files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`munin_read_var_lib_files',`
-+ gen_require(`
-+ type munin_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
-+
-+')
-+
-+######################################
-+##
-+## dontaudit read and write an leaked file descriptors
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`munin_dontaudit_leaks',`
-+ gen_require(`
-+ type munin_t;
-+ ')
-+
-+ dontaudit $1 munin_t:tcp_socket { read write };
-+')
-+
-+#######################################
-+##
-+## Append to the munin log.
- ##
- ##
- ##
-@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',`
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an munin environment.
-+## All of the rules required to administrate
-+## an munin environment
- ##
- ##
- ##
-@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the munin domain.
- ##
- ##
- ##
-@@ -170,8 +212,12 @@ interface(`munin_admin',`
- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
- ')
- 
-- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { munin_plugin_domain munin_t })
-+ allow $1 munin_t:process signal_perms;
-+ ps_process_pattern($1, munin_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 munin_t:process ptrace;
-+ ')
- 
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/munin.te b/munin.te
-index 97370e4..3549b8f 100644
---- a/munin.te
-+++ b/munin.te
-@@ -37,15 +37,22 @@ munin_plugin_template(disk)
- munin_plugin_template(mail)
- munin_plugin_template(selinux)
- munin_plugin_template(services)
-+
-+type services_munin_plugin_tmpfs_t;
-+files_tmpfs_file(services_munin_plugin_tmpfs_t)
-+
- munin_plugin_template(system)
- munin_plugin_template(unconfined)
- 
-+type httpd_munin_script_tmp_t;
-+files_tmp_file(httpd_munin_script_tmp_t)
-+
- ################################
- #
- # Common munin plugin local policy
- #
- 
--allow munin_plugin_domain self:process signal;
-+allow munin_plugin_domain self:process signal_perms;
- allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
- 
- allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
- 
- manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
- 
--kernel_read_system_state(munin_plugin_domain)
--
--corenet_all_recvfrom_unlabeled(munin_plugin_domain)
--corenet_all_recvfrom_netlabel(munin_plugin_domain)
- corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
- corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
- 
- corecmd_exec_bin(munin_plugin_domain)
- corecmd_exec_shell(munin_plugin_domain)
- 
--files_read_etc_files(munin_plugin_domain)
--files_read_usr_files(munin_plugin_domain)
- files_search_var_lib(munin_plugin_domain)
- 
- fs_getattr_all_fs(munin_plugin_domain)
- 
--miscfiles_read_localization(munin_plugin_domain)
-+auth_read_passwd(munin_plugin_domain)
- 
- optional_policy(`
- nscd_use(munin_plugin_domain)
-@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- 
--read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
-+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
- 
- manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
- manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
- corecmd_exec_bin(munin_t)
- corecmd_exec_shell(munin_t)
- 
--corenet_all_recvfrom_unlabeled(munin_t)
- corenet_all_recvfrom_netlabel(munin_t)
- corenet_tcp_sendrecv_generic_if(munin_t)
- corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
- domain_read_all_domains_state(munin_t)
- 
- files_read_etc_runtime_files(munin_t)
--files_read_usr_files(munin_t)
- files_list_spool(munin_t)
- 
- fs_getattr_all_fs(munin_t)
-@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
- logging_read_all_logs(munin_t)
- 
- miscfiles_read_fonts(munin_t)
--miscfiles_read_localization(munin_t)
- miscfiles_setattr_fonts_cache_dirs(munin_t)
- 
- sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
- userdom_dontaudit_use_unpriv_user_fds(munin_t)
- userdom_dontaudit_search_user_home_dirs(munin_t)
- 
--optional_policy(`
-- apache_content_template(munin)
--
-- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
-- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
-- apache_search_sys_content(munin_t)
--')
- 
- optional_policy(`
- cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +204,6 @@ optional_policy(`
- 
- optional_policy(`
- 
postfix_list_spool(munin_t) -- postfix_getattr_all_spool_files(munin_t) - ') - - optional_policy(` -@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; - - rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - -+kernel_read_fs_sysctls(disk_munin_plugin_t) -+ - corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) - corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) - corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) - --dev_getattr_all_blk_files(disk_munin_plugin_t) -+files_read_etc_runtime_files(disk_munin_plugin_t) -+ - dev_getattr_lvm_control(disk_munin_plugin_t) - dev_read_sysfs(disk_munin_plugin_t) - dev_read_urand(disk_munin_plugin_t) -- --files_read_etc_runtime_files(disk_munin_plugin_t) -+dev_read_all_blk_files(disk_munin_plugin_t) - - fs_getattr_all_fs(disk_munin_plugin_t) - fs_getattr_all_dirs(disk_munin_plugin_t) - --storage_getattr_fixed_disk_dev(disk_munin_plugin_t) -+storage_raw_read_fixed_disk(disk_munin_plugin_t) - - sysnet_read_config(disk_munin_plugin_t) - -@@ -268,6 +260,10 @@ optional_policy(` - fstools_exec(disk_munin_plugin_t) - ') - -+optional_policy(` -+ rpc_search_nfs_state_data(disk_munin_plugin_t) -+') -+ - #################################### - # - # Mail local policy -@@ -275,27 +271,36 @@ optional_policy(` - - allow mail_munin_plugin_t self:capability dac_override; - -+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; -+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -+ - rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - - dev_read_urand(mail_munin_plugin_t) - - logging_read_generic_logs(mail_munin_plugin_t) - -+sysnet_read_config(mail_munin_plugin_t) -+ -+optional_policy(` -+ exim_read_log(mail_munin_plugin_t) -+') -+ - optional_policy(` -- mta_list_queue(mail_munin_plugin_t) - mta_read_config(mail_munin_plugin_t) -- mta_read_queue(mail_munin_plugin_t) - mta_send_mail(mail_munin_plugin_t) 
-+ mta_list_queue(mail_munin_plugin_t)
-+ mta_read_queue(mail_munin_plugin_t)
- ')
- 
- optional_policy(`
-- nscd_use(mail_munin_plugin_t)
-+ nscd_socket_use(mail_munin_plugin_t)
- ')
- 
- optional_policy(`
-- postfix_getattr_all_spool_files(mail_munin_plugin_t)
- postfix_read_config(mail_munin_plugin_t)
- postfix_list_spool(mail_munin_plugin_t)
-+ postfix_getattr_spool_files(mail_munin_plugin_t)
- ')
- 
- optional_policy(`
-@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
- 
-+manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
-+manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
-+
- corenet_sendrecv_all_client_packets(services_munin_plugin_t)
- corenet_tcp_connect_all_ports(services_munin_plugin_t)
- corenet_tcp_connect_http_port(services_munin_plugin_t)
-@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
- sysnet_read_config(services_munin_plugin_t)
- 
- optional_policy(`
-- bind_read_config(munin_services_plugin_t)
-+ bind_read_config(services_munin_plugin_t)
- ')
- 
- optional_policy(`
-@@ -353,7 +361,11 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- nscd_use(services_munin_plugin_t)
-+ nscd_socket_use(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
-+ ntp_exec(services_munin_plugin_t)
- ')
- 
- optional_policy(`
-@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
- 
- kernel_read_network_state(system_munin_plugin_t)
- kernel_read_all_sysctls(system_munin_plugin_t)
-+kernel_read_fs_sysctls(system_munin_plugin_t)
- 
- dev_read_sysfs(system_munin_plugin_t)
- dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +426,31 @@ optional_policy(`
- optional_policy(`
- unconfined_domain(unconfined_munin_plugin_t)
- ')
-+
-+
-+####################################### -+# -+# Munin CGI script local policy -+# -+ -+apache_content_template(munin) -+ -+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+ -+manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) -+manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) -+ -+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) -+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) -+ -+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) -+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) -+ -+files_search_var_lib(httpd_munin_script_t) -+ -+auth_read_passwd(httpd_munin_script_t) -+ -+optional_policy(` -+ apache_search_sys_content(munin_t) -+') -diff --git a/mysql.fc b/mysql.fc -index c48dc17..43d56e3 100644 ---- a/mysql.fc -+++ b/mysql.fc -@@ -1,11 +1,24 @@ --HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) -- --/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) --/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) -- --/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) --/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) -- -+# mysql database server -+ -+# -+# /HOME -+# -+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) -+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) -+ -+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) -+ -+# -+# /etc -+# -+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) -+/etc/mysql(/.*)? 
gen_context(system_u:object_r:mysqld_etc_t,s0) -+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) -+ -+# -+# /usr -+# - /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) - /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - - /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) - /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) --/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) -+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) - --/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) --/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) -+# -+# /var -+# -+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) -+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) - --/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) -+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) -+/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) - --/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) --/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) --/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) -+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) -+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) -+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) -diff --git a/mysql.if b/mysql.if -index 687af38..404ed6d 100644 ---- a/mysql.if -+++ b/mysql.if -@@ -1,23 +1,4 @@ --## Open source database. 
-- --######################################## --## --## Role access for mysql. --## --## --## --## Role allowed access. --## --## --## --## --## User domain for the role. --## --## --# --interface(`mysql_role',` -- refpolicywarn(`$0($*) has been deprecated') --') -+## Policy for MySQL - - ###################################### - ## -@@ -34,38 +15,30 @@ interface(`mysql_domtrans',` - type mysqld_t, mysqld_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, mysqld_exec_t, mysqld_t) - ') - --######################################## -+###################################### - ## --## Execute mysqld in the mysqld domain, and --## allow the specified role the mysqld domain. -+## Execute MySQL in the caller domain. - ## - ## - ## --## Domain allowed to transition. --## --## --## --## --## Role allowed access. -+## Domain allowed access. - ## - ## - # --interface(`mysql_run_mysqld',` -+interface(`mysql_exec',` - gen_require(` -- attribute_role mysqld_roles; -+ type mysqld_exec_t; - ') - -- mysql_domtrans($1) -- roleattribute $2 mysqld_roles; -+ can_exec($1, mysqld_exec_t) - ') - - ######################################## - ## --## Send generic signals to mysqld. -+## Send a generic signal to MySQL. - ## - ## - ## -@@ -81,9 +54,27 @@ interface(`mysql_signal',` - allow $1 mysqld_t:process signal; - ') - -+####################################### -+## -+## Send a null signal to mysql. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mysql_signull',` -+ gen_require(` -+ type mysqld_t; -+ ') -+ -+ allow $1 mysqld_t:process signull; -+') -+ - ######################################## - ## --## Connect to mysqld with a tcp socket. -+## Allow the specified domain to connect to postgresql with a tcp socket. - ## - ## - ## -@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',` - - ######################################## - ## --## Connect to mysqld with a unix --# domain stream socket. -+## Connect to MySQL using a unix domain stream socket. 
- ## - ## - ## -@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',` - ') - - files_search_pids($1) -- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) -+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) -+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) - ') - - ######################################## - ## --## Read mysqld configuration content. -+## Read MySQL configuration files. - ## - ## - ## -@@ -139,7 +130,6 @@ interface(`mysql_read_config',` - type mysqld_etc_t; - ') - -- files_search_etc($1) - allow $1 mysqld_etc_t:dir list_dir_perms; - allow $1 mysqld_etc_t:file read_file_perms; - allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; -@@ -147,7 +137,8 @@ interface(`mysql_read_config',` - - ######################################## - ## --## Search mysqld db directories. -+## Search the directories that contain MySQL -+## database storage. - ## - ## - ## -@@ -155,6 +146,8 @@ interface(`mysql_read_config',` - ## - ## - # -+# cjp: "_dir" in the name is added to clarify that this -+# is not searching the database itself. - interface(`mysql_search_db',` - gen_require(` - type mysqld_db_t; -@@ -166,7 +159,27 @@ interface(`mysql_search_db',` - - ######################################## - ## --## Read and write mysqld database directories. -+## List the directories that contain MySQL -+## database storage. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mysql_list_db',` -+ gen_require(` -+ type mysqld_db_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 mysqld_db_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Read and write to the MySQL database directory. - ## - ## - ## -@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',` - - ######################################## - ## --## Create, read, write, and delete --## mysqld database directories. -+## Create, read, write, and delete MySQL database directories. 
- ## - ## - ## -@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',` - - ####################################### - ## --## Append mysqld database files. -+## Append to the MySQL database directory. - ## - ## - ## -@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',` - - ####################################### - ## --## Read and write mysqld database files. -+## Read and write to the MySQL database directory. - ## - ## - ## -@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',` - - ####################################### - ## --## Create, read, write, and delete --## mysqld database files. -+## Create, read, write, and delete MySQL database files. - ## - ## - ## -@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',` - - ######################################## - ## --## Read and write mysqld database sockets. -+## Read and write to the MySQL database - ## named socket. - ## - ## -@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',` - ## - # - interface(`mysql_rw_db_sockets',` -- refpolicywarn(`$0($*) has been deprecated.') -+ gen_require(` -+ type mysqld_db_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 mysqld_db_t:dir search_dir_perms; -+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## mysqld home files. -+## Write to the MySQL log. - ## - ## - ## -@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',` - ## - ## - # --interface(`mysql_manage_mysqld_home_files',` -+interface(`mysql_write_log',` - gen_require(` -- type mysqld_home_t; -+ type mysqld_log_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 mysqld_home_t:file manage_file_perms; -+ logging_search_logs($1) -+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; - ') - --######################################## -+###################################### - ## --## Relabel mysqld home files. -+## Execute MySQL safe script in the mysql safe domain. 
- ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## - # --interface(`mysql_relabel_mysqld_home_files',` -+interface(`mysql_domtrans_mysql_safe',` - gen_require(` -- type mysqld_home_t; -+ type mysqld_safe_t, mysqld_safe_exec_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 mysqld_home_t:file relabel_file_perms; -+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) - ') - --######################################## -+###################################### - ## --## Create objects in user home --## directories with the mysqld home type. -+## Execute MySQL_safe in the caller domain. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## -+# -+interface(`mysql_safe_exec',` -+ gen_require(` -+ type mysqld_safe_exec_t; -+ ') -+ -+ can_exec($1, mysqld_safe_exec_t) -+') -+ -+##################################### -+## -+## Read MySQL PID files. -+## -+## - ## --## The name of the object being created. -+## Domain allowed access. - ## - ## - # --interface(`mysql_home_filetrans_mysqld_home',` -+interface(`mysql_read_pid_files',` - gen_require(` -- type mysqld_home_t; -+ type mysqld_var_run_t; - ') - -- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3) -+ mysql_search_pid_files($1) -+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) - ') - --######################################## -+##################################### - ## --## Write mysqld log files. -+## Search MySQL PID files. - ## - ## - ## - ## Domain allowed access. 
- ## - ## -+## - # --interface(`mysql_write_log',` -+interface(`mysql_search_pid_files',` - gen_require(` -- type mysqld_log_t; -+ type mysqld_var_run_t; - ') - -- logging_search_logs($1) -- allow $1 mysqld_log_t:file write_file_perms; -+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) - ') - --###################################### -+######################################## - ## --## Execute mysqld safe in the --## mysqld safe domain. -+## Execute mysqld server in the mysqld domain. - ## - ## - ## -@@ -374,18 +396,22 @@ interface(`mysql_write_log',` - ## - ## - # --interface(`mysql_domtrans_mysql_safe',` -+interface(`mysql_systemctl',` - gen_require(` -- type mysqld_safe_t, mysqld_safe_exec_t; -+ type mysqld_unit_file_t; -+ type mysqld_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) -+ systemd_exec_systemctl($1) -+ allow $1 mysqld_unit_file_t:file read_file_perms; -+ allow $1 mysqld_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, mysqld_t) - ') - --##################################### -+######################################## - ## --## Read mysqld pid files. -+## read mysqld homedir content (.k5login) - ## - ## - ## -@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',` - ## - ## - # --interface(`mysql_read_pid_files',` -+interface(`mysql_read_home_content',` - gen_require(` -- type mysqld_var_run_t; -+ type mysqld_home_t; - ') - -- files_search_pids($1) -- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, mysqld_home_t, mysqld_home_t) - ') - --##################################### -+######################################## - ## --## Search mysqld pid files. -+## Transition to mysqld named content - ## - ## - ## --## Domain allowed access. -+## Domain allowed access. 
- ## - ## --## - # --interface(`mysql_search_pid_files',` -+interface(`mysql_filetrans_named_content',` - gen_require(` -- type mysqld_var_run_t; -+ type mysqld_home_t; - ') - -- files_search_pids($1) -- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) -+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") -+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") - ') - - ######################################## - ## --## All of the rules required to --## administrate an mysqld environment. -+## All of the rules required to administrate an mysql environment - ## - ## - ## -@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the mysql domain. - ## - ## - ## - # - interface(`mysql_admin',` - gen_require(` -- type mysqld_t, mysqld_var_run_t, mysqld_etc_t; -+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; - type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; -- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; -- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; -+ type mysqld_etc_t; -+ type mysqld_home_t; -+ type mysqld_unit_file_t; - ') - -- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) -+ allow $1 mysqld_t:process signal_perms; -+ ps_process_pattern($1, mysqld_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mysqld_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) -+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t) - domain_system_change_exemption($1) -- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; -+ role_transition $2 mysqld_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) -+ files_list_pids($1) -+ 
admin_pattern($1, mysqld_var_run_t) - -- files_search_var_lib($1) - admin_pattern($1, mysqld_db_t) - -- files_search_etc($1) -- admin_pattern($1, { mysqld_etc_t mysqld_home_t }) -+ files_list_etc($1) -+ admin_pattern($1, mysqld_etc_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, mysqld_log_t) - -- files_search_tmp($1) -+ files_list_tmp($1) - admin_pattern($1, mysqld_tmp_t) - -- mysql_run_mysqld($1, $2) -+ userdom_search_user_home_dirs($1) -+ files_list_root($1) -+ admin_pattern($1, mysqld_home_t) -+ -+ mysql_systemctl($1) -+ admin_pattern($1, mysqld_unit_file_t) -+ allow $1 mysqld_unit_file_t:service all_service_perms; -+ -+ mysql_stream_connect($1) - ') -diff --git a/mysql.te b/mysql.te -index 9f6179e..4383f87 100644 ---- a/mysql.te -+++ b/mysql.te -@@ -1,4 +1,4 @@ --policy_module(mysql, 1.13.5) -+policy_module(mysql, 1.13.0) - - ######################################## - # -@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5) - # - - ## --##

    --## Determine whether mysqld can --## connect to all TCP ports. --##

    -+##

    -+## Allow mysqld to connect to all ports -+##

    - ##
    - gen_tunable(mysql_connect_any, false) - --attribute_role mysqld_roles; -- - type mysqld_t; - type mysqld_exec_t; - init_daemon_domain(mysqld_t, mysqld_exec_t) --application_domain(mysqld_t, mysqld_exec_t) --role mysqld_roles types mysqld_t; - - type mysqld_safe_t; - type mysqld_safe_exec_t; -@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) - - type mysqld_var_run_t; - files_pid_file(mysqld_var_run_t) --init_daemon_run_dir(mysqld_var_run_t, "mysqld") - - type mysqld_db_t; - files_type(mysqld_db_t) -@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t) - type mysqld_home_t; - userdom_user_home_content(mysqld_home_t) - -+type mysqld_unit_file_t; -+systemd_unit_file(mysqld_unit_file_t) -+ - type mysqld_initrc_exec_t; - init_script_file(mysqld_initrc_exec_t) - -@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t) - # Local policy - # - --allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; -+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; - dontaudit mysqld_t self:capability sys_tty_config; - allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; - allow mysqld_t self:fifo_file rw_fifo_file_perms; - allow mysqld_t self:shm create_shm_perms; --allow mysqld_t self:unix_stream_socket { accept listen }; --allow mysqld_t self:tcp_socket { accept listen }; -+allow mysqld_t self:unix_stream_socket create_stream_socket_perms; -+allow mysqld_t self:tcp_socket create_stream_socket_perms; -+allow mysqld_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) - manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) -+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) - manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) - files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) - --filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) -- --allow 
mysqld_t mysqld_etc_t:dir list_dir_perms; --allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; -+allow mysqld_t mysqld_etc_t:file read_file_perms; - allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; -+allow mysqld_t mysqld_etc_t:dir list_dir_perms; - --allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; --logging_log_filetrans(mysqld_t, mysqld_log_t, file) -+manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -+manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -+manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -+logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) - - manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) - manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) - manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) - files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) - --kernel_read_kernel_sysctls(mysqld_t) -+userdom_dontaudit_use_unpriv_user_fds(mysqld_t) -+ - kernel_read_network_state(mysqld_t) - kernel_read_system_state(mysqld_t) -+kernel_read_kernel_sysctls(mysqld_t) -+ -+corecmd_exec_bin(mysqld_t) -+corecmd_exec_shell(mysqld_t) - --corenet_all_recvfrom_unlabeled(mysqld_t) - corenet_all_recvfrom_netlabel(mysqld_t) - corenet_tcp_sendrecv_generic_if(mysqld_t) -+corenet_udp_sendrecv_generic_if(mysqld_t) - corenet_tcp_sendrecv_generic_node(mysqld_t) -+corenet_udp_sendrecv_generic_node(mysqld_t) -+corenet_tcp_sendrecv_all_ports(mysqld_t) -+corenet_udp_sendrecv_all_ports(mysqld_t) - corenet_tcp_bind_generic_node(mysqld_t) -- --corenet_sendrecv_mysqld_server_packets(mysqld_t) - corenet_tcp_bind_mysqld_port(mysqld_t) --corenet_sendrecv_mysqld_client_packets(mysqld_t) - corenet_tcp_connect_mysqld_port(mysqld_t) --corenet_tcp_sendrecv_mysqld_port(mysqld_t) -- --corecmd_exec_bin(mysqld_t) --corecmd_exec_shell(mysqld_t) 
-+corenet_sendrecv_mysqld_client_packets(mysqld_t) -+corenet_sendrecv_mysqld_server_packets(mysqld_t) - - dev_read_sysfs(mysqld_t) - dev_read_urand(mysqld_t) - --domain_use_interactive_fds(mysqld_t) -- - fs_getattr_all_fs(mysqld_t) - fs_search_auto_mountpoints(mysqld_t) - fs_rw_hugetlbfs_files(mysqld_t) - -+domain_use_interactive_fds(mysqld_t) -+ -+files_getattr_var_lib_dirs(mysqld_t) - files_read_etc_runtime_files(mysqld_t) --files_read_usr_files(mysqld_t) -+files_search_var_lib(mysqld_t) - - auth_use_nsswitch(mysqld_t) - - logging_send_syslog_msg(mysqld_t) - --miscfiles_read_localization(mysqld_t) -+sysnet_read_config(mysqld_t) - --userdom_search_user_home_dirs(mysqld_t) --userdom_dontaudit_use_unpriv_user_fds(mysqld_t) -+ifdef(`distro_redhat',` -+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) -+') - - tunable_policy(`mysql_connect_any',` -- corenet_sendrecv_all_client_packets(mysqld_t) - corenet_tcp_connect_all_ports(mysqld_t) -- corenet_tcp_sendrecv_all_ports(mysqld_t) -+ corenet_sendrecv_all_client_packets(mysqld_t) - ') - - optional_policy(` -@@ -144,6 +147,10 @@ optional_policy(` - ') - - optional_policy(` -+ openshift_search_lib(mysqld_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(mysqld_t) - ') - -@@ -153,29 +160,24 @@ optional_policy(` - - ####################################### - # --# Safe local policy -+# Local mysqld_safe policy - # - --allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource }; - allow mysqld_safe_t self:process { setsched getsched setrlimit }; - allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - --allow mysqld_safe_t mysqld_t:process signull; -- - read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) --manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - --allow mysqld_safe_t mysqld_etc_t:dir 
list_dir_perms; --allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; --allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; -+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - --allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; --logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) -+list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -+manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) - - manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) --delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) -- --domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) - - kernel_read_system_state(mysqld_safe_t) - kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t) - corecmd_exec_bin(mysqld_safe_t) - corecmd_exec_shell(mysqld_safe_t) - -+dev_read_urand(mysqld_safe_t) - dev_list_sysfs(mysqld_safe_t) - - domain_read_all_domains_state(mysqld_safe_t) - --files_read_etc_files(mysqld_safe_t) --files_read_usr_files(mysqld_safe_t) --files_search_pids(mysqld_safe_t) --files_dontaudit_getattr_all_dirs(mysqld_safe_t) - files_dontaudit_search_all_mountpoints(mysqld_safe_t) -+files_dontaudit_getattr_all_dirs(mysqld_safe_t) -+files_dontaudit_write_root_dirs(mysqld_safe_t) - -+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - logging_send_syslog_msg(mysqld_safe_t) - --miscfiles_read_localization(mysqld_safe_t) -+auth_read_passwd(mysqld_safe_t) -+ -+domain_dontaudit_signull_all_domains(mysqld_safe_t) - --userdom_search_user_home_dirs(mysqld_safe_t) -+mysql_manage_db_files(mysqld_safe_t) -+mysql_read_config(mysqld_safe_t) -+mysql_search_pid_files(mysqld_safe_t) -+mysql_signull(mysqld_safe_t) 
-+mysql_write_log(mysqld_safe_t) - - optional_policy(` - hostname_exec(mysqld_safe_t) -@@ -205,7 +213,7 @@ optional_policy(` - - ######################################## - # --# Manager local policy -+# MySQL Manager Policy - # - - allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; - allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; - allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; - --allow mysqlmanagerd_t mysqld_t:process signal; -- --allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms; --allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; --allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms; -+mysql_read_config(initrc_t) -+mysql_read_config(mysqlmanagerd_t) -+mysql_read_pid_files(mysqlmanagerd_t) -+mysql_search_db(mysqlmanagerd_t) -+mysql_signal(mysqlmanagerd_t) -+mysql_stream_connect(mysqlmanagerd_t) - - domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) - -@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) - manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) - filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) - --stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) -- - kernel_read_system_state(mysqlmanagerd_t) - - corecmd_exec_shell(mysqlmanagerd_t) - --corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) - corenet_all_recvfrom_netlabel(mysqlmanagerd_t) - corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) - corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) -+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) - corenet_tcp_bind_generic_node(mysqlmanagerd_t) -- --corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) - corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) 
--corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) - corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) --corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t) -+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) -+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) - - dev_read_urand(mysqlmanagerd_t) - --files_read_etc_files(mysqlmanagerd_t) --files_read_usr_files(mysqlmanagerd_t) --files_search_pids(mysqlmanagerd_t) --files_search_var_lib(mysqlmanagerd_t) -- --miscfiles_read_localization(mysqlmanagerd_t) -- --userdom_search_user_home_dirs(mysqlmanagerd_t) -+userdom_getattr_user_home_dirs(mysqlmanagerd_t) -diff --git a/mythtv.fc b/mythtv.fc -new file mode 100644 -index 0000000..3a1c423 ---- /dev/null -+++ b/mythtv.fc -@@ -0,0 +1,9 @@ -+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) -+ -+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0) -+ -+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0) -+ -+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) -+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) -+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) -diff --git a/mythtv.if b/mythtv.if -new file mode 100644 -index 0000000..171f666 ---- /dev/null -+++ b/mythtv.if -@@ -0,0 +1,152 @@ -+ -+## policy for httpd_mythtv_script -+ -+######################################## -+## -+## Execute TEMPLATE in the httpd_mythtv_script domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`httpd_mythtv_script_domtrans',` -+ gen_require(` -+ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t) -+') -+ -+####################################### -+## -+## read mythtv libs. 
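Review bot: `corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)` replaces the removed per-port `corenet_tcp_sendrecv_mysqlmanagerd_port`, so the manager daemon now may send and receive on every labelled TCP port rather than only its own. If this is a mechanical update for a refpolicy version where the per-port sendrecv interfaces were retired, a short comment saying so (`# sendrecv on ports is not enforced per-port anymore`) would document the intent; otherwise the per-port interface is the narrower choice and the bind/connect lines just below already restrict the ports that matter.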
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mythtv_read_lib',` -+ gen_require(` -+ type mythtv_var_lib_t; -+ ') -+ -+ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) -+ files_list_var_lib($1) -+') -+ -+####################################### -+## -+## Create, read, write, and delete -+## mythtv lib content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mythtv_manage_lib',` -+ gen_require(` -+ type mythtv_var_lib_t; -+ ') -+ -+ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) -+ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) -+ files_list_var_lib($1) -+') -+ -+####################################### -+## -+## read mythtv logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mythtv_read_log',` -+ gen_require(` -+ type mythtv_var_log_t; -+ ') -+ -+ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) -+ logging_search_logs($1) -+') -+ -+####################################### -+## -+## Append mythtv log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mythtv_append_log',` -+ gen_require(` -+ type mythtv_var_log_t; -+ ') -+ -+ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) -+ logging_search_logs($1) -+') -+ -+####################################### -+## -+## Create, read, write, and delete -+## mythtv log content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mythtv_manage_log',` -+ gen_require(` -+ type mythtv_var_log_t; -+ ') -+ -+ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) -+ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) -+ logging_search_logs($1) -+') -+ -+######################################## -+## -+## All of the rules required to -+## administrate an mythtv environment. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`mythtv_admin',` -+ gen_require(` -+ type httpd_mythtv_script_t, mythtv_var_lib_t; -+ type mythtv_var_log_t; -+ ') -+ -+ allow $1 httpd_mythtv_script_t:process signal_perms; -+ ps_process_pattern($1, httpd_mythtv_script_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_mythtv_script_t:process ptrace; -+ ') -+ -+ logging_list_logs($1) -+ admin_pattern($1, mythtv_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, mythtv_var_lib_t) -+') -diff --git a/mythtv.te b/mythtv.te -new file mode 100644 -index 0000000..90129ac ---- /dev/null -+++ b/mythtv.te -@@ -0,0 +1,41 @@ -+policy_module(mythtv, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+apache_content_template(mythtv) -+ -+type mythtv_var_lib_t; -+files_type(mythtv_var_lib_t) -+ -+type mythtv_var_log_t; -+logging_log_file(mythtv_var_log_t) -+ -+######################################## -+# -+# httpd_mythtv_script local policy -+# -+ -+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) -+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) -+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file }) -+ -+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) -+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) -+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file ) -+ -+domain_use_interactive_fds(httpd_mythtv_script_t) -+ -+files_read_etc_files(httpd_mythtv_script_t) -+ -+fs_read_nfs_files(httpd_mythtv_script_t) -+ -+miscfiles_read_localization(httpd_mythtv_script_t) -+ -+optional_policy(` -+ mysql_read_config(httpd_mythtv_script_t) -+ mysql_stream_connect(httpd_mythtv_script_t) -+ mysql_tcp_connect(httpd_mythtv_script_t) -+') -diff --git a/nagios.fc b/nagios.fc -index d78dfc3..a00cc2d 100644 ---- a/nagios.fc -+++ b/nagios.fc -@@ -1,88 +1,97 @@ --/etc/nagios(/.*)? 
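Review bot: The summary of `httpd_mythtv_script_domtrans` still carries the template placeholder and a typo: "Execute TEMPLATE in the httpd_mythtv_script domin." It should read `## Execute mythweb scripts in the httpd_mythtv_script domain.` so the generated interface documentation describes the real transition. The summaries of the other interfaces in this file are fine; the `mythtv_admin` block's nested `##` lines look one level deeper than its sibling interfaces, which is worth aligning since the XML doc extractor is sensitive to that.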
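Review bot: `fs_read_nfs_files(httpd_mythtv_script_t)` is granted unconditionally, while NFS access for apache content domains is conventionally gated on the `httpd_use_nfs` tunable so that administrators who do not serve from NFS are not exposed to it. Consider wrapping it as `tunable_policy(`httpd_use_nfs',` fs_read_nfs_files(httpd_mythtv_script_t) ')` or adding a comment explaining why the web script needs NFS read regardless of the boolean. Also `logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )` has a stray space before the closing parenthesis, and the module has no header comment saying what mythweb is, which the other new modules in this patch also lack.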
gen_context(system_u:object_r:nagios_etc_t,s0) --/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) -+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) -+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - --/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) --/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - --/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) --/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - --/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) --/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - --/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) --/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) - --/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) --/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/var/spool/nagios(/.*)? 
gen_context(system_u:object_r:nagios_spool_t,s0) - --/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) -+ifdef(`distro_debian',` -+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -+') -+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - -+# admin plugins - /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) - --/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -+# check disk plugins -+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - --/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) -+# mail plugins -+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) -+ -+/usr/lib/pnp4nagios(/.*)? 
gen_context(system_u:object_r:nagios_var_lib_t,s0) - -+# system plugins - /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_swap -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - -+# services plugins - /usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_hpjd -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_rpc -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -- --/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - --/usr/lib/pnp4nagios(/.*)? 
gen_context(system_u:object_r:nagios_var_lib_t,s0) -+# openshift plugins -+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) -+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) - --/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) --/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -+# label all nagios plugin as unconfined by default -+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) - --/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) --/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) -- --/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -+# eventhandlers -+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) -diff --git a/nagios.if b/nagios.if -index 0641e97..d7d9a79 100644 ---- a/nagios.if -+++ b/nagios.if -@@ -1,12 +1,13 @@ --## Network monitoring server. -+## Net Saint / NAGIOS - network monitoring server - --####################################### -+######################################## - ## --## The template to define a nagios plugin domain. -+## Create a set of derived types for various -+## nagios plugins, - ## --## -+## - ## --## Domain prefix to be used. -+## The name to be used for deriving type names. 
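Review bot: The new catch-all `/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` changes the default for any plugin that is not explicitly listed from "unlabelled, no transition" to running in `nagios_unconfined_plugin_t`, which nagios.te makes an unconfined domain when the unconfined module is present. Every third-party or locally written check dropped into that directory therefore runs without confinement unless someone remembers to add a specific entry; the comment "label all nagios plugin as unconfined by default" should at least spell out that consequence, and a confined default type would be the safer choice. The catch-all also only covers `/usr/lib`, while the openshift entries just above use `/usr/lib64`, so the two directory layouts are labelled differently. Separately, the `/var/run/nrpe.*` entry is dropped although `nrpe_var_run_t` is still created by `files_pid_filetrans` in nagios.te, so a relabel will reset those files to the generic pid type.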
- ## - ## - # -@@ -16,38 +17,31 @@ template(`nagios_plugin_template',` - type nagios_t, nrpe_t; - ') - -- ######################################## -- # -- # Declarations -- # -- - type nagios_$1_plugin_t, nagios_plugin_domain; - type nagios_$1_plugin_exec_t; - application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) - role system_r types nagios_$1_plugin_t; - -- ######################################## -- # -- # Policy -- # -- - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - allow nagios_t nagios_$1_plugin_exec_t:file ioctl; - -+ # needed by command.cfg - domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) -+ -+ kernel_read_system_state(nagios_$1_plugin_t) -+ - ') - - ######################################## - ## --## Do not audit attempts to read or --## write nagios unnamed pipes. -+## Do not audit attempts to read or write nagios -+## unnamed pipes. - ## - ## - ## - ## Domain to not audit. - ## - ## --## - # - interface(`nagios_dontaudit_rw_pipes',` - gen_require(` -@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',` - - ######################################## - ## --## Read nagios configuration content. -+## Allow the specified domain to read -+## nagios configuration files. - ## - ## - ## -@@ -73,15 +68,14 @@ interface(`nagios_read_config',` - type nagios_etc_t; - ') - -- files_search_etc($1) - allow $1 nagios_etc_t:dir list_dir_perms; - allow $1 nagios_etc_t:file read_file_perms; -- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; -+ files_search_etc($1) - ') - - ###################################### - ## --## Read nagios log files. -+## Read nagios logs. - ## - ## - ## -@@ -100,8 +94,7 @@ interface(`nagios_read_log',` - - ######################################## - ## --## Do not audit attempts to read or --## write nagios log files. -+## Do not audit attempts to read or write nagios logs. 
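Review bot: In the `nagios_read_config` hunk the line `allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;` is removed, so callers can no longer follow symlinks under `/etc/nagios` even though the dir and file rules stay; configuration trees that use symlinked include files will start getting denials. Unless the removal is deliberate, keep the lnk_file rule alongside the relocated `files_search_etc($1)`.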
- ## - ## - ## -@@ -132,13 +125,14 @@ interface(`nagios_search_spool',` - type nagios_spool_t; - ') - -- files_search_spool($1) - allow $1 nagios_spool_t:dir search_dir_perms; -+ files_search_spool($1) - ') - - ######################################## - ## --## Read nagios temporary files. -+## Allow the specified domain to read -+## nagios temporary files. - ## - ## - ## -@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',` - type nagios_tmp_t; - ') - -- files_search_tmp($1) - allow $1 nagios_tmp_t:file read_file_perms; -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Allow the specified domain to read -+## nagios temporary files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nagios_rw_inerited_tmp_files',` -+ gen_require(` -+ type nagios_tmp_t; -+ ') -+ -+ allow $1 nagios_tmp_t:file rw_inherited_file_perms; -+ files_search_tmp($1) - ') - - ######################################## - ## --## Execute nrpe with a domain transition. -+## Execute the nagios NRPE with -+## a domain transition. - ## - ## - ## -@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',` - type nrpe_t, nrpe_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, nrpe_exec_t, nrpe_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an nagios environment. -+## All of the rules required to administrate -+## an nagios environment - ## - ## - ## -@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the nagios domain. 
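Review bot: The new interface name `nagios_rw_inerited_tmp_files` misspells "inherited", and because interface names are public API the typo will be frozen into every caller; it should be `interface(`nagios_rw_inherited_tmp_files',`. Its summary is copied from `nagios_read_tmp_files` ("Allow the specified domain to read nagios temporary files") but the body grants `rw_inherited_file_perms`, so the documentation should say `## Read and write inherited nagios temporary files.` to make the difference visible in the generated docs.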
- ## - ## - ## - # - interface(`nagios_admin',` - gen_require(` -- attribute nagios_plugin_domain; - type nagios_t, nrpe_t, nagios_initrc_exec_t; -- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t; -- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t; -- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t; -- type nagios_eventhandler_plugin_tmp_t; -+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t; -+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t; - ') - -- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; -- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) -+ allow $1 nagios_t:process signal_perms; -+ ps_process_pattern($1, nagios_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 nagios_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nagios_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_tmp($1) -- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) -+ files_list_tmp($1) -+ admin_pattern($1, nagios_tmp_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, nagios_log_t) - -- files_search_etc($1) -- admin_pattern($1, { nrpe_etc_t nagios_etc_t }) -+ files_list_etc($1) -+ admin_pattern($1, nagios_etc_t) - -- files_search_spool($1) -+ files_list_spool($1) - admin_pattern($1, nagios_spool_t) - -- files_search_pids($1) -- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t }) -+ files_list_pids($1) -+ admin_pattern($1, nagios_var_run_t) - -- files_search_var_lib($1) -- admin_pattern($1, nagios_var_lib_t) -+ admin_pattern($1, nrpe_etc_t) - ') -diff --git a/nagios.te b/nagios.te -index 44ad3b7..a0488ea 100644 ---- a/nagios.te -+++ b/nagios.te -@@ -27,7 +27,7 @@ type nagios_var_run_t; - files_pid_file(nagios_var_run_t) - - type nagios_spool_t; --files_type(nagios_spool_t) -+files_spool_file(nagios_spool_t) - - type nagios_var_lib_t; - 
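Review bot: In the rewritten `nagios_admin`, `nrpe_t` is still listed in `gen_require` but no rule in the new body references it, since the signal/ps rules were narrowed to `nagios_t` only; either drop it from the require or restore the `nrpe_t` handling. The interface also no longer covers `nrpe_var_run_t`, `nagios_var_lib_t` or the plugin tmp types that the old version managed, so an administrator role granted this interface cannot clean up nrpe pid files or pnp4nagios data even though those types are still declared in nagios.te. If that narrowing is intentional, the summary should say which parts of the nagios environment the interface administers; the `deny_ptrace` tunable split for ptrace is a good change.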
files_type(nagios_var_lib_t) -@@ -39,6 +39,7 @@ nagios_plugin_template(services) - nagios_plugin_template(system) - nagios_plugin_template(unconfined) - nagios_plugin_template(eventhandler) -+nagios_plugin_template(openshift) - - type nagios_eventhandler_plugin_tmp_t; - files_tmp_file(nagios_eventhandler_plugin_tmp_t) -@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) - type nagios_system_plugin_tmp_t; - files_tmp_file(nagios_system_plugin_tmp_t) - -+type nagios_openshift_plugin_tmp_t; -+files_tmp_file(nagios_openshift_plugin_tmp_t) -+ - type nrpe_t; - type nrpe_exec_t; - init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -63,19 +67,21 @@ files_pid_file(nrpe_var_run_t) - - allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; - -+allow nrpe_t nagios_plugin_domain:process { signal sigkill }; -+ -+allow nagios_t nagios_plugin_domain:process signal_perms; -+allow nagios_plugin_domain nagios_t:process signal_perms; -+ -+# cjp: leaked file descriptor - dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; - dontaudit nagios_plugin_domain nagios_log_t:file { read write }; - --kernel_read_system_state(nagios_plugin_domain) -- - dev_read_urand(nagios_plugin_domain) - dev_read_rand(nagios_plugin_domain) -+dev_read_sysfs(nagios_plugin_domain) - --files_read_usr_files(nagios_plugin_domain) -- --miscfiles_read_localization(nagios_plugin_domain) -- --userdom_use_user_terminals(nagios_plugin_domain) -+userdom_use_inherited_user_ptys(nagios_plugin_domain) -+userdom_use_inherited_user_ttys(nagios_plugin_domain) - - ######################################## - # -@@ -96,11 +102,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; - allow nagios_t nagios_etc_t:file read_file_perms; - allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; - --allow nagios_t nagios_log_t:dir setattr_dir_perms; --append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) --create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) --setattr_files_pattern(nagios_t, 
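Review bot: `allow nagios_plugin_domain nagios_t:process signal_perms;` gives every plugin domain, including the unconfined and eventhandler ones, the ability to sigkill or sigstop the monitoring daemon itself; a check plugin normally needs at most `sigchld` or `signull` toward its parent. If audit data shows only those, `allow nagios_plugin_domain nagios_t:process { sigchld signull };` is the narrower rule, and the reverse direction (`nagios_t` signalling its plugins) is the one that legitimately needs `signal_perms`. The `# cjp: leaked file descriptor` comment would be more useful without the personal tag and with the descriptor named (the nrpe tcp socket and log file the dontaudit rules cover).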
nagios_log_t, nagios_log_t) --logging_log_filetrans(nagios_t, nagios_log_t, file) -+#allow nagios_t nagios_log_t:dir setattr_dir_perms; -+#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -+#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -+#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -+manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t) -+logging_log_filetrans(nagios_t, nagios_log_t, { dir file }) - - manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) - manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) - files_pid_filetrans(nagios_t, nagios_var_run_t, file) - - manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) --files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) -+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file}) - - manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) - manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t) - corecmd_exec_bin(nagios_t) - corecmd_exec_shell(nagios_t) - --corenet_all_recvfrom_unlabeled(nagios_t) - corenet_all_recvfrom_netlabel(nagios_t) - corenet_tcp_sendrecv_generic_if(nagios_t) - corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t) - - files_read_etc_runtime_files(nagios_t) - files_read_kernel_symbol_table(nagios_t) --files_read_usr_files(nagios_t) - files_search_spool(nagios_t) - - fs_getattr_all_fs(nagios_t) -@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t) - - logging_send_syslog_msg(nagios_t) - --miscfiles_read_localization(nagios_t) -- - userdom_dontaudit_use_unpriv_user_fds(nagios_t) - userdom_dontaudit_search_user_home_dirs(nagios_t) - -@@ -178,6 +183,7 @@ 
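Review bot: The four old log rules are left in place as commented-out lines (`#allow nagios_t nagios_log_t:dir setattr_dir_perms;` through `#setattr_files_pattern(...)`) directly above their replacements `manage_files_pattern`/`manage_dirs_pattern`. Commented-out policy reads as "maybe still needed" to the next maintainer; the version history already preserves them, so delete the four lines. The hunk at `@@ -110,7 +118,8 @@` has the same style issue in miniature with `{ file fifo_file}` missing the space before the closing brace.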
optional_policy(` - # - # CGI local policy - # -+ - optional_policy(` - apache_content_template(nagios) - typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -229,9 +235,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) - - domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) - -+kernel_read_system_state(nrpe_t) - kernel_read_kernel_sysctls(nrpe_t) - kernel_read_software_raid_state(nrpe_t) --kernel_read_system_state(nrpe_t) - - corecmd_exec_bin(nrpe_t) - corecmd_exec_shell(nrpe_t) -@@ -252,8 +258,8 @@ dev_read_urand(nrpe_t) - domain_use_interactive_fds(nrpe_t) - domain_read_all_domains_state(nrpe_t) - -+files_list_var(nrpe_t) - files_read_etc_runtime_files(nrpe_t) --files_read_usr_files(nrpe_t) - - fs_getattr_all_fs(nrpe_t) - fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +268,6 @@ auth_use_nsswitch(nrpe_t) - - logging_send_syslog_msg(nrpe_t) - --miscfiles_read_localization(nrpe_t) -- - userdom_dontaudit_use_unpriv_user_fds(nrpe_t) - - optional_policy(` -@@ -310,15 +314,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) - # - - allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; --allow nagios_mail_plugin_t self:tcp_socket { accept listen }; -+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; -+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; -+allow nagios_mail_plugin_t self:udp_socket create_socket_perms; - - kernel_read_kernel_sysctls(nagios_mail_plugin_t) - - corecmd_read_bin_files(nagios_mail_plugin_t) - corecmd_read_bin_symlinks(nagios_mail_plugin_t) - --files_read_etc_files(nagios_mail_plugin_t) -- - logging_send_syslog_msg(nagios_mail_plugin_t) - - sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +349,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; - - kernel_read_software_raid_state(nagios_checkdisk_plugin_t) - -+corecmd_exec_bin(nagios_checkdisk_plugin_t) -+ 
-+files_getattr_all_dirs(nagios_checkdisk_plugin_t) - files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) - files_read_etc_runtime_files(nagios_checkdisk_plugin_t) - -@@ -357,9 +364,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) - # Services local policy - # - --allow nagios_services_plugin_t self:capability net_raw; -+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw }; - allow nagios_services_plugin_t self:process { signal sigkill }; --allow nagios_services_plugin_t self:tcp_socket { accept listen }; -+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; -+allow nagios_services_plugin_t self:udp_socket create_socket_perms; -+allow nagios_services_plugin_t self:rawip_socket create_socket_perms; - - corecmd_exec_bin(nagios_services_plugin_t) - -@@ -391,6 +400,11 @@ optional_policy(` - - optional_policy(` - mysql_stream_connect(nagios_services_plugin_t) -+ mysql_read_config(nagios_services_plugin_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(nagios_services_plugin_t) - ') - - optional_policy(` -@@ -411,6 +425,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ - manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) - files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) - -+kernel_read_system_state(nagios_system_plugin_t) - kernel_read_kernel_sysctls(nagios_system_plugin_t) - - corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t) - - domain_read_all_domains_state(nagios_system_plugin_t) - --files_read_etc_files(nagios_system_plugin_t) -- - fs_getattr_all_fs(nagios_system_plugin_t) - -+auth_read_passwd(nagios_system_plugin_t) -+ - optional_policy(` - init_read_utmp(nagios_system_plugin_t) - ') -@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) - - init_domtrans_script(nagios_eventhandler_plugin_t) - 
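Review bot: `allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };` adds `setuid` for the whole services plugin class, which is the capability that lets a process change its UID; `net_raw` plus the new `rawip_socket` rule are what ICMP-style checks need, but nothing in the hunk says which plugin needs to switch users. A comment naming that plugin (or the setuid-root helper it runs) would justify the capability, and if only one plugin needs it a dedicated type is the usual refpolicy answer. The file's section header says this is the "Services local policy", so the block presumably starts outside the hunk.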
-+systemd_exec_systemctl(nagios_eventhandler_plugin_t) -+ -+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; -+ -+optional_policy(` -+ unconfined_domain(nagios_eventhandler_plugin_t) -+') -+ - ######################################## - # --# Unconfined plugin policy -+# nagios openshift plugin policy -+# -+ -+allow nagios_openshift_plugin_t self:capability sys_ptrace; -+ -+manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) -+manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) -+files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir }) -+ -+corecmd_exec_bin(nagios_openshift_plugin_t) -+corecmd_exec_shell(nagios_openshift_plugin_t) -+ -+domain_read_all_domains_state(nagios_openshift_plugin_t) -+ -+fs_getattr_all_fs(nagios_openshift_plugin_t) -+ -+optional_policy(` -+ apache_read_config(nagios_openshift_plugin_t) -+') -+ -+###################################### -+# -+# nagios plugin domain policy - # - - optional_policy(` - unconfined_domain(nagios_unconfined_plugin_t) - ') -+ -+ -+ -diff --git a/namespace.fc b/namespace.fc -new file mode 100644 -index 0000000..ce51c8d ---- /dev/null -+++ b/namespace.fc -@@ -0,0 +1,3 @@ -+ -+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0) -+ -diff --git a/namespace.if b/namespace.if -new file mode 100644 -index 0000000..8d7c751 ---- /dev/null -+++ b/namespace.if -@@ -0,0 +1,48 @@ -+ -+## policy for namespace -+ -+######################################## -+## -+## Execute a domain transition to run namespace_init. -+## -+## -+## -+## Domain allowed access. 
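Review bot: `unconfined_domain(nagios_eventhandler_plugin_t)` inside `optional_policy` makes event handlers unconfined whenever the unconfined module is loaded, which together with the existing `init_domtrans_script` and the new `systemd_exec_systemctl` leaves `nagios_eventhandler_plugin_t` indistinguishable from `nagios_unconfined_plugin_t`. If handlers really need to restart arbitrary services, the systemctl and init-script transitions already express that; the unconfined grant deserves either removal or a comment explaining what it covers that those rules do not. The new openshift plugin's `sys_ptrace` capability plus `domain_read_all_domains_state` should likewise carry a comment naming the check that inspects other processes, and the three trailing blank lines appended at end of file are noise.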
-+##
-+##
-+#
-+interface(`namespace_init_domtrans',`
-+ gen_require(`
-+ type namespace_init_t, namespace_init_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute namespace_init in the namespace_init domain, and
-+## allow the specified role the namespace_init domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+## The role to be allowed the namespace_init domain.
-+##
-+##
-+#
-+interface(`namespace_init_run',`
-+ gen_require(`
-+ type namespace_init_t;
-+ ')
-+
-+ namespace_init_domtrans($1)
-+ role $2 types namespace_init_t;
-+
-+ seutil_run_setfiles(namespace_init_t, $2)
-+')
-diff --git a/namespace.te b/namespace.te
-new file mode 100644
-index 0000000..c674894
---- /dev/null
-+++ b/namespace.te
-@@ -0,0 +1,39 @@
-+policy_module(namespace,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type namespace_init_t;
-+type namespace_init_exec_t;
-+init_system_domain(namespace_init_t, namespace_init_exec_t)
-+role system_r types namespace_init_t;
-+
-+########################################
-+#
-+# namespace_init local policy
-+#
-+
-+allow namespace_init_t self:capability dac_override;
-+
-+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
-+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_read_system_state(namespace_init_t)
-+
-+corecmd_exec_shell(namespace_init_t)
-+
-+domain_use_interactive_fds(namespace_init_t)
-+domain_obj_id_change_exemption(namespace_init_t)
-+
-+files_polyinstantiate_all(namespace_init_t)
-+
-+auth_use_nsswitch(namespace_init_t)
-+
-+term_use_console(namespace_init_t)
-+
-+userdom_manage_user_home_content(namespace_init_t)
-+userdom_relabelto_user_home_dirs(namespace_init_t)
-+userdom_relabelto_user_home_files(namespace_init_t)
-+userdom_filetrans_home_content(namespace_init_t)
-diff --git a/ncftool.if b/ncftool.if
-index db9578f..4309e3d 
100644
---- a/ncftool.if
-+++ b/ncftool.if
-@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
- #
- interface(`ncftool_run',`
- gen_require(`
-+ type ncftool_t;
- attribute_role ncftool_roles;
- ')
- 
- ncftool_domtrans($1)
- roleattribute $2 ncftool_roles;
- ')
-+
-diff --git a/ncftool.te b/ncftool.te
-index b13c0b1..c8baed2 100644
---- a/ncftool.te
-+++ b/ncftool.te
-@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
- 
- allow ncftool_t self:capability net_admin;
- allow ncftool_t self:process signal;
-+
- allow ncftool_t self:fifo_file manage_fifo_file_perms;
- allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
- allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
- 
- dev_read_sysfs(ncftool_t)
- 
--files_read_etc_files(ncftool_t)
-+files_manage_system_conf_files(ncftool_t)
-+files_relabelto_system_conf_files(ncftool_t)
- files_read_etc_runtime_files(ncftool_t)
--files_read_usr_files(ncftool_t)
- 
--miscfiles_read_localization(ncftool_t)
-+term_use_all_inherited_terms(ncftool_t)
- 
- sysnet_delete_dhcpc_pid(ncftool_t)
- sysnet_run_dhcpc(ncftool_t, ncftool_roles)
-@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
- sysnet_etc_filetrans_config(ncftool_t)
- sysnet_manage_config(ncftool_t)
- sysnet_read_dhcpc_state(ncftool_t)
-+sysnet_relabelfrom_net_conf(ncftool_t)
-+sysnet_relabelto_net_conf(ncftool_t)
- sysnet_read_dhcpc_pid(ncftool_t)
- sysnet_signal_dhcpc(ncftool_t)
- 
-@@ -73,11 +76,14 @@ optional_policy(`
- 
- optional_policy(`
- iptables_initrc_domtrans(ncftool_t)
-+ iptables_systemctl(ncftool_t)
- ')
- 
- optional_policy(`
-+ modutils_list_module_config(ncftool_t)
- modutils_read_module_config(ncftool_t)
- modutils_run_insmod(ncftool_t, ncftool_roles)
-+
- ')
- 
- optional_policy(`
-diff --git a/nessus.te b/nessus.te
-index 56c0fbd..173a2c0 100644
---- a/nessus.te
-+++ b/nessus.te
-@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
- 
- 
corecmd_exec_bin(nessusd_t)
- 
--corenet_all_recvfrom_unlabeled(nessusd_t)
- corenet_all_recvfrom_netlabel(nessusd_t)
- corenet_tcp_sendrecv_generic_if(nessusd_t)
- corenet_udp_sendrecv_generic_if(nessusd_t)
-@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
- domain_use_interactive_fds(nessusd_t)
- 
- files_list_var_lib(nessusd_t)
--files_read_etc_files(nessusd_t)
- files_read_etc_runtime_files(nessusd_t)
- 
- fs_getattr_all_fs(nessusd_t)
-@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
- 
- logging_send_syslog_msg(nessusd_t)
- 
--miscfiles_read_localization(nessusd_t)
--
- sysnet_read_config(nessusd_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..2b818b9 100644
---- a/networkmanager.fc
-+++ b/networkmanager.fc
-@@ -1,43 +1,45 @@
--/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
- 
- /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
- /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
- /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
- /etc/NetworkManager/dispatcher\.d(/.*)? 
gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
- 
--/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
--/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
--/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
- 
--/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
--/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
--/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
- 
--/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
--/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
- 
--/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
--/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
- 
--/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/sbin/wpa_cli -- 
gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- 
--/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
- /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- 
--/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
--/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-+
-+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
- 
--/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
- /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
- 
- /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
--/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
--/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/NetworkManager(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
--/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..ee2e3de 100644
---- a/networkmanager.if
-+++ b/networkmanager.if
-@@ -2,7 +2,7 @@
- 
- ########################################
- ##
--## Read and write networkmanager udp sockets.
-+## Read and write NetworkManager UDP sockets.
- ##
- ##
- ##
-@@ -10,6 +10,7 @@
- ##
- ##
- #
-+# cjp: added for named.
- interface(`networkmanager_rw_udp_sockets',`
- gen_require(`
- type NetworkManager_t;
-@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
- 
- ########################################
- ##
--## Read and write networkmanager packet sockets.
-+## Read and write NetworkManager packet sockets.
- ##
- ##
- ##
-@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
- ##
- ##
- #
-+# cjp: added for named.
- interface(`networkmanager_rw_packet_sockets',`
- gen_require(`
- type NetworkManager_t;
-@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
- 
- #######################################
- ##
--## Relabel networkmanager tun socket.
-+## Allow caller to relabel tun_socket
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed access. 
-+##
- ##
- #
- interface(`networkmanager_attach_tun_iface',`
-@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
- 
- ########################################
- ##
--## Read and write networkmanager netlink
-+## Read and write NetworkManager netlink
- ## routing sockets.
- ##
- ##
-@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
- ##
- ##
- #
-+# cjp: added for named.
- interface(`networkmanager_rw_routing_sockets',`
- gen_require(`
- type NetworkManager_t;
-@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
- 
- ########################################
- ##
--## Execute networkmanager with a domain transition.
-+## Execute NetworkManager with a domain transition.
- ##
- ##
- ##
-@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
- 
- ########################################
- ##
--## Execute networkmanager scripts with
--## an automatic domain transition to initrc.
-+## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
- ##
- ##
- ##
-@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
- ##
- ##
- #
-+interface(`networkmanager_NetworkManagerrc_domtrans',`
-+ gen_require(`
-+ type NetworkManager_NetworkManagerrc_exec_t;
-+ ')
-+
-+ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
-+')
-+
-+#######################################
-+##
-+## Execute NetworkManager scripts with an automatic domain transition to initrc.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
- interface(`networkmanager_initrc_domtrans',`
-+ gen_require(`
-+ type NetworkManager_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute NetworkManager server in the NetworkManager domain.
-+##
-+##
-+##
-+## Domain allowed to transition. 
-+##
-+##
-+#
-+interface(`networkmanager_systemctl',`
- gen_require(`
-- type NetworkManager_initrc_exec_t;
-+ type NetworkManager_unit_file_t;
-+ type NetworkManager_t;
- ')
- 
-- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
-+ systemd_exec_systemctl($1)
-+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
-+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, NetworkManager_t)
- ')
- 
- ########################################
- ##
- ## Send and receive messages from
--## networkmanager over dbus.
-+## NetworkManager over dbus.
- ##
- ##
- ##
-@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
- 
- ########################################
- ##
--## Send generic signals to networkmanager.
-+## Do not audit attempts to send and
-+## receive messages from NetworkManager
-+## over dbus.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`networkmanager_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type NetworkManager_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 NetworkManager_t:dbus send_msg;
-+ dontaudit NetworkManager_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send a generic signal to NetworkManager
- ##
- ##
- ##
-@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
- 
- ########################################
- ##
--## Read networkmanager lib files.
-+## Read NetworkManager lib files.
- ##
- ##
- ##
-@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
- read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
- ')
- 
-+#######################################
-+##
-+## Read NetworkManager conf files.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`networkmanager_read_conf',`
-+ gen_require(`
-+ type NetworkManager_etc_t;
-+ ')
-+
-+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
-+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
-+')
-+
- ########################################
- ##
--## Append networkmanager log files.
-+## Read NetworkManager PID files.
- ##
- ##
- ##
-@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
- ##
- ##
- #
--interface(`networkmanager_append_log_files',`
-+interface(`networkmanager_read_pid_files',`
- gen_require(`
-- type NetworkManager_log_t;
-+ type NetworkManager_var_run_t;
- ')
- 
-- logging_search_logs($1)
-- allow $1 NetworkManager_log_t:dir list_dir_perms;
-- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
-+ files_search_pids($1)
-+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
- ')
- 
- ########################################
- ##
--## Read networkmanager pid files.
-+## Read NetworkManager PID files.
- ##
- ##
- ##
-@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
- ##
- ##
- #
--interface(`networkmanager_read_pid_files',`
-+interface(`networkmanager_manage_pid_files',`
- gen_require(`
- type NetworkManager_var_run_t;
- ')
- 
- files_search_pids($1)
-- allow $1 NetworkManager_var_run_t:file read_file_perms;
-+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
- ')
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an networkmanager environment.
-+## Execute NetworkManager in the NetworkManager domain, and
-+## allow the specified role the NetworkManager domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition. 
- ##
- ##
- ##
-@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',`
- ##
- ##
- #
--interface(`networkmanager_admin',`
-+interface(`networkmanager_run',`
- gen_require(`
-- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
-- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
-- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
-+ type NetworkManager_t, NetworkManager_exec_t;
- ')
- 
-- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
--
-- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 NetworkManager_initrc_exec_t system_r;
-- allow $2 system_r;
-+ networkmanager_domtrans($1)
-+ role $2 types NetworkManager_t;
-+')
- 
-- logging_search_etc($1)
-- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
-+########################################
-+##
-+## Allow the specified domain to append
-+## to Network Manager log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_append_log',`
-+ gen_require(`
-+ type NetworkManager_log_t;
-+ ')
- 
- logging_search_logs($1)
-- admin_pattern($1, NetworkManager_log_t)
-+ allow $1 NetworkManager_log_t:dir list_dir_perms;
-+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
-+')
- 
-- files_search_var_lib($1)
-- admin_pattern($1, NetworkManager_var_lib_t)
-+#######################################
-+##
-+## Allow the specified domain to manage
-+## to Network Manager lib files.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`networkmanager_manage_lib',`
-+ gen_require(`
-+ type NetworkManager_var_lib_t;
-+ ')
- 
-- files_search_pids($1)
-- admin_pattern($1, NetworkManager_var_run_t)
-+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
-+')
-+
-+####################################
-+##
-+## Connect to NM over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_stream_connect',`
-+ gen_require(`
-+ type NetworkManager_t, NetworkManager_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
-+')
-+
-+#######################################
-+##
-+## Read the process state (/proc/pid) of NetworkManager.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`NetworkManager_read_state',`
-+ gen_require(`
-+ type NetworkManager_t;
-+ ')
-+
-+ allow $1 NetworkManager_t:dir search_dir_perms;
-+ allow $1 NetworkManager_t:file read_file_perms;
-+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Transition to networkmanager named content
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`networkmanager_filetrans_named_content',`
-+ gen_require(`
-+ type NetworkManager_var_run_t;
-+ type NetworkManager_var_lib_t;
-+ ')
- 
-- files_search_tmp($1)
-- admin_pattern($1, NetworkManager_tmp_t)
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
-+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
-+ 
files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
-+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
- ')
-diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..b5c140b 100644
---- a/networkmanager.te
-+++ b/networkmanager.te
-@@ -1,4 +1,4 @@
--policy_module(networkmanager, 1.14.7)
-+policy_module(networkmanager, 1.14.0)
- 
- ########################################
- #
-@@ -9,15 +9,18 @@ type NetworkManager_t;
- type NetworkManager_exec_t;
- init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
- 
-+type NetworkManager_initrc_exec_t;
-+init_script_file(NetworkManager_initrc_exec_t)
-+
-+type NetworkManager_unit_file_t;
-+systemd_unit_file(NetworkManager_unit_file_t)
-+
- type NetworkManager_etc_t;
- files_config_file(NetworkManager_etc_t)
- 
- type NetworkManager_etc_rw_t;
- files_config_file(NetworkManager_etc_rw_t)
- 
--type NetworkManager_initrc_exec_t;
--init_script_file(NetworkManager_initrc_exec_t)
--
- type NetworkManager_log_t;
- logging_log_file(NetworkManager_log_t)
- 
-@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
- # Local policy
- #
- 
--allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
--dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
--allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
-+# networkmanager will ptrace itself if gdb is installed
-+# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+dontaudit NetworkManager_t self:capability sys_tty_config;
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit NetworkManager_t 
self:capability sys_module;
-+')
-+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-+tunable_policy(`deny_ptrace',`',`
-+ allow NetworkManager_t self:capability sys_ptrace;
-+ allow NetworkManager_t self:process ptrace;
-+')
-+
- allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
--allow NetworkManager_t self:unix_dgram_socket sendto;
--allow NetworkManager_t self:unix_stream_socket { accept listen };
-+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
-+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
- allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
-+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
- allow NetworkManager_t self:netlink_socket create_socket_perms;
- allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
--allow NetworkManager_t self:tcp_socket { accept listen };
-+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
- allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-+allow NetworkManager_t self:udp_socket create_socket_perms;
- allow NetworkManager_t self:packet_socket create_socket_perms;
-+allow NetworkManager_t self:rawip_socket create_socket_perms;
- 
- allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
- 
--allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
--allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
--allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
-+can_exec(NetworkManager_t, NetworkManager_exec_t)
-+#wicd
-+can_exec(NetworkManager_t, wpa_cli_exec_t)
- 
-+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+ 
-+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
- manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
- manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
- filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
- setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
- logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
- 
-+can_exec(NetworkManager_t, NetworkManager_tmp_t)
- manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
- manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
- files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
- manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
- files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
- 
--can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
--
--kernel_read_crypto_sysctls(NetworkManager_t)
- kernel_read_system_state(NetworkManager_t)
- kernel_read_network_state(NetworkManager_t)
- kernel_read_kernel_sysctls(NetworkManager_t)
- kernel_request_load_module(NetworkManager_t)
- kernel_read_debugfs(NetworkManager_t)
- kernel_rw_net_sysctls(NetworkManager_t)
-+kernel_setsched(NetworkManager_t)
- 
--corenet_all_recvfrom_unlabeled(NetworkManager_t)
- corenet_all_recvfrom_netlabel(NetworkManager_t)
- corenet_tcp_sendrecv_generic_if(NetworkManager_t)
- corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
- 
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
- corenet_udp_sendrecv_all_ports(NetworkManager_t)
- corenet_udp_bind_generic_node(NetworkManager_t)
--
--corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
- corenet_udp_bind_isakmp_port(NetworkManager_t)
--
--corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
- corenet_udp_bind_dhcpc_port(NetworkManager_t)
--
--corenet_sendrecv_all_client_packets(NetworkManager_t)
- corenet_tcp_connect_all_ports(NetworkManager_t)
--
-+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
-+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
-+corenet_sendrecv_all_client_packets(NetworkManager_t)
- corenet_rw_tun_tap_dev(NetworkManager_t)
- corenet_getattr_ppp_dev(NetworkManager_t)
- 
--corecmd_exec_shell(NetworkManager_t)
--corecmd_exec_bin(NetworkManager_t)
--
- dev_rw_sysfs(NetworkManager_t)
- dev_read_rand(NetworkManager_t)
- dev_read_urand(NetworkManager_t)
-@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
- dev_getattr_all_chr_files(NetworkManager_t)
- dev_rw_wireless(NetworkManager_t)
- 
--domain_use_interactive_fds(NetworkManager_t)
--domain_read_all_domains_state(NetworkManager_t)
--
--files_read_etc_runtime_files(NetworkManager_t)
--files_read_usr_files(NetworkManager_t)
--files_read_usr_src_files(NetworkManager_t)
--
- fs_getattr_all_fs(NetworkManager_t)
- fs_search_auto_mountpoints(NetworkManager_t)
- fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t)
- 
- selinux_dontaudit_search_fs(NetworkManager_t)
- 
-+corecmd_exec_shell(NetworkManager_t)
-+corecmd_exec_bin(NetworkManager_t)
-+
-+domain_use_interactive_fds(NetworkManager_t)
-+domain_read_all_domains_state(NetworkManager_t)
-+
-+files_read_etc_runtime_files(NetworkManager_t)
-+files_read_system_conf_files(NetworkManager_t)
-+files_read_usr_src_files(NetworkManager_t)
-+files_read_isid_type_files(NetworkManager_t)
-+
- storage_getattr_fixed_disk_dev(NetworkManager_t)
- 
- 
init_read_utmp(NetworkManager_t)
-@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t)
- 
- auth_use_nsswitch(NetworkManager_t)
- 
-+libs_exec_ldconfig(NetworkManager_t)
-+
- logging_send_syslog_msg(NetworkManager_t)
- 
- miscfiles_read_generic_certs(NetworkManager_t)
--miscfiles_read_localization(NetworkManager_t)
- 
- seutil_read_config(NetworkManager_t)
- 
-@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
- sysnet_read_dhcpc_state(NetworkManager_t)
- sysnet_delete_dhcpc_state(NetworkManager_t)
- sysnet_search_dhcp_state(NetworkManager_t)
-+# in /etc created by NetworkManager will be labelled net_conf_t.
- sysnet_manage_config(NetworkManager_t)
- sysnet_etc_filetrans_config(NetworkManager_t)
- 
--# certificates in user home directories (cert_home_t in ~/\.pki)
--userdom_read_user_home_content_files(NetworkManager_t)
--
--userdom_write_user_tmp_sockets(NetworkManager_t)
-+userdom_stream_connect(NetworkManager_t)
- userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
- userdom_dontaudit_use_user_ttys(NetworkManager_t)
-+# Read gnome-keyring
-+userdom_read_home_certs(NetworkManager_t)
-+userdom_read_user_home_content_files(NetworkManager_t)
-+userdom_dgram_send(NetworkManager_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(NetworkManager_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(NetworkManager_t)
-+')
- 
- optional_policy(`
- avahi_domtrans(NetworkManager_t)
- avahi_kill(NetworkManager_t)
- avahi_signal(NetworkManager_t)
- avahi_signull(NetworkManager_t)
-+ avahi_dbus_chat(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -196,10 +225,6 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- consolekit_read_pid_files(NetworkManager_t)
--')
--
--optional_policy(`
- consoletype_exec(NetworkManager_t)
- ')
- 
-@@ -210,16 +235,11 @@ optional_policy(`
- optional_policy(`
- dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
- 
-- optional_policy(`
-- avahi_dbus_chat(NetworkManager_t)
-- ')
-+ 
init_dbus_chat(NetworkManager_t)
- 
- optional_policy(`
- consolekit_dbus_chat(NetworkManager_t)
-- ')
--
-- optional_policy(`
-- policykit_dbus_chat(NetworkManager_t)
-+ consolekit_read_pid_files(NetworkManager_t)
- ')
- ')
- 
-@@ -231,18 +251,19 @@ optional_policy(`
- dnsmasq_kill(NetworkManager_t)
- dnsmasq_signal(NetworkManager_t)
- dnsmasq_signull(NetworkManager_t)
-+ dnsmasq_systemctl(NetworkManager_t)
- ')
- 
- optional_policy(`
-- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+ hal_write_log(NetworkManager_t)
- ')
- 
- optional_policy(`
-- hal_write_log(NetworkManager_t)
-+ howl_signal(NetworkManager_t)
- ')
- 
- optional_policy(`
-- howl_signal(NetworkManager_t)
-+ gnome_dontaudit_search_config(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -250,6 +271,10 @@ optional_policy(`
- ipsec_kill_mgmt(NetworkManager_t)
- ipsec_signal_mgmt(NetworkManager_t)
- ipsec_signull_mgmt(NetworkManager_t)
-+ ipsec_domtrans(NetworkManager_t)
-+ ipsec_kill(NetworkManager_t)
-+ ipsec_signal(NetworkManager_t)
-+ ipsec_signull(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -257,11 +282,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- libs_exec_ldconfig(NetworkManager_t)
--')
--
--optional_policy(`
-- modutils_domtrans_insmod(NetworkManager_t)
-+ l2tpd_domtrans(NetworkManager_t)
-+ l2tpd_sigkill(NetworkManager_t)
-+ l2tpd_signal(NetworkManager_t)
-+ l2tpd_signull(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -274,10 +298,17 @@ optional_policy(`
- nscd_signull(NetworkManager_t)
- nscd_kill(NetworkManager_t)
- nscd_initrc_domtrans(NetworkManager_t)
-+ nscd_systemctl(NetworkManager_t)
- ')
- 
- optional_policy(`
-+ # Dispatcher starting and stoping ntp
- ntp_initrc_domtrans(NetworkManager_t)
-+ ntp_systemctl(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ modutils_domtrans_insmod(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -289,6 +320,7 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ policykit_dbus_chat(NetworkManager_t)
- 
policykit_domtrans_auth(NetworkManager_t)
- policykit_read_lib(NetworkManager_t)
- policykit_read_reload(NetworkManager_t)
-@@ -296,7 +328,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- polipo_initrc_domtrans(NetworkManager_t)
-+ polipo_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -307,6 +339,7 @@ optional_policy(`
- ppp_signal(NetworkManager_t)
- ppp_signull(NetworkManager_t)
- ppp_read_config(NetworkManager_t)
-+ ppp_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -320,13 +353,19 @@ optional_policy(`
- ')
-
- optional_policy(`
-- udev_exec(NetworkManager_t)
-- udev_read_db(NetworkManager_t)
-+ systemd_write_inhibit_pipes(NetworkManager_t)
-+ systemd_read_logind_sessions_files(NetworkManager_t)
-+ systemd_dbus_chat_logind(NetworkManager_t)
-+ systemd_hostnamed_read_config(NetworkManager_t)
- ')
-
- optional_policy(`
-- # unconfined_dgram_send(NetworkManager_t)
-- unconfined_stream_connect(NetworkManager_t)
-+ ssh_exec(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ udev_exec(NetworkManager_t)
-+ udev_read_db(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
- init_dontaudit_use_fds(wpa_cli_t)
- init_use_script_ptys(wpa_cli_t)
-
--miscfiles_read_localization(wpa_cli_t)
--
- term_dontaudit_use_console(wpa_cli_t)
-diff --git a/nis.fc b/nis.fc
-index 8aa1bfa..cd0e015 100644
---- a/nis.fc
-+++ b/nis.fc
-@@ -2,21 +2,26 @@
- /etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
--
- /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
-
--/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-
- /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-
--/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
-+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
-+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
- /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
- /usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
- /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
-
--/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-
- /var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
- /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
- /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
- /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
-+
-+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
-+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-diff --git a/nis.if b/nis.if
-index 46e55c3..6e4e061 100644
---- a/nis.if
-+++ b/nis.if
-@@ -1,4 +1,4 @@
--## Policy for NIS (YP) servers and clients.
-+## Policy for NIS (YP) servers and clients - - ######################################## - ## -@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',` - gen_require(` - type var_yp_t; - ') -- -- allow $1 self:capability net_bind_service; -+ dontaudit $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - allow $1 var_yp_t:dir list_dir_perms; -- allow $1 var_yp_t:file read_file_perms; - allow $1 var_yp_t:lnk_file read_lnk_file_perms; -+ allow $1 var_yp_t:file read_file_perms; - -- corenet_all_recvfrom_unlabeled($1) -- corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) -@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',` - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) -- corenet_dontaudit_tcp_bind_all_reserved_ports($1) -- corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) -- corenet_tcp_connect_reserved_port($1) -+ corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_generic_port($1) -- corenet_dontaudit_tcp_connect_all_ports($1) - corenet_sendrecv_portmap_client_packets($1) - corenet_sendrecv_generic_client_packets($1) - corenet_sendrecv_generic_server_packets($1) -@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',` - ## - # - interface(`nis_use_ypbind',` -- tunable_policy(`allow_ypbind',` -+ tunable_policy(`nis_enabled',` - nis_use_ypbind_uncond($1) - ') - ') - - ######################################## - ## --## Use nis to authenticate passwords. 
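Review bot: `corenet_tcp_connect_reserved_port($1)` becomes `corenet_tcp_connect_all_reserved_ports($1)` inside `nis_use_ypbind_uncond`, and since both `nis_use_ypbind` and `nis_authenticate` expand into this interface, every domain that performs NIS lookups now gets TCP connects to every reserved port type instead of only the generic reserved port. The same hunk removes `corenet_dontaudit_tcp_connect_all_ports($1)`, so connect denials that used to be silent will now be logged and invite further widening. A one-line comment above the call stating which port range forced the change, e.g. `# ypserv/yppasswdd register on arbitrary privileged RPC ports`, would record the intent; if the need really is only RPC, the rpc_port_type counterpart (`corenet_tcp_connect_all_rpc_ports`, if this corenetwork generates it) is the narrower fit, mirroring the `corenet_tcp_bind_all_rpc_ports($1)` already used in `nis_authenticate`. (The enclosing diff shows this hunk on its removed side.)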
-+## Use the nis to authenticate passwords - ## - ## - ## -@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',` - ## - # - interface(`nis_authenticate',` -- tunable_policy(`allow_ypbind',` -+ tunable_policy(`nis_enabled',` - nis_use_ypbind_uncond($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) -@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',` - - ####################################### - ## --## Execute ypbind in the caller domain. -+## Execute ypbind in the caller domain. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed to transition. -+## - ## - # - interface(`nis_exec_ypbind',` -- gen_require(` -- type ypbind_exec_t; -- ') -+ gen_require(` -+ type ypbind_t, ypbind_exec_t; -+ ') - -- corecmd_search_bin($1) - can_exec($1, ypbind_exec_t) - ') - -@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',` - # - interface(`nis_run_ypbind',` - gen_require(` -- attribute_role ypbind_roles; -+ type ypbind_t; - ') - - nis_domtrans_ypbind($1) -- roleattribute $2 ypbind_roles; -+ role $2 types ypbind_t; - ') - - ######################################## -@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',` - - ######################################## - ## --## List nis data directories. -+## List the contents of the NIS data directory. - ## - ## - ## -@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',` - # - interface(`nis_delete_ypbind_pid',` - gen_require(` -- type ypbind_var_run_t; -+ type ypbind_t; - ') - -- allow $1 ypbind_var_run_t:file delete_file_perms; -+ # TODO: add delete pid from dir call to files -+ allow $1 ypbind_t:file unlink; - ') - - ######################################## -@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',` - - ######################################## - ## --## All of the rules required to --## administrate an nis environment. -+## Execute ypbind server in the ypbind domain. -+## -+## -+## -+## Domain allowed to transition. 
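Review bot: `nis_exec_ypbind` now requires `type ypbind_t, ypbind_exec_t;` but only `ypbind_exec_t` is used, and the `corecmd_search_bin($1)` call that let callers traverse bin directories to reach the binary is dropped, so a caller without its own search permission is denied before `can_exec($1, ypbind_exec_t)` matters. The new parameter text `Domain allowed to transition.` is also wrong for an exec-in-caller interface. Keep the original `gen_require(\` type ypbind_exec_t; ')`, the `corecmd_search_bin($1)` line and the original `Domain allowed access.` wording. (The enclosing diff shows this hunk on its removed side.)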
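Review bot: `nis_delete_ypbind_pid` no longer grants anything usable: its `gen_require` now imports the process domain `ypbind_t` instead of `ypbind_var_run_t`, and the rule becomes `allow $1 ypbind_t:file unlink;`, which applies to file objects labelled with the domain type (none exist) rather than to the pid file under /var/run, so callers lose the ability to remove ypbind's pid file. Restore the removed lines `type ypbind_var_run_t;` and `allow $1 ypbind_var_run_t:file delete_file_perms;`; the `# TODO: add delete pid from dir call to files` comment can then stand for the still-missing directory permission (a `files_search_pids($1)` plus `remove_name` on the pid directory) instead of replacing the rule. (The enclosing diff shows this hunk on its removed side.)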
-+## -+## -+# -+interface(`nis_systemctl_ypbind',` -+ gen_require(` -+ type ypbind_unit_file_t; -+ type ypbind_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 ypbind_unit_file_t:file read_file_perms; -+ allow $1 ypbind_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ypbind_t) -+') -+ -+######################################## -+## -+## Execute ypbind server in the ypbind domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`nis_systemctl',` -+ gen_require(` -+ type nis_unit_file_t, ypbind_unit_file_t; -+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 nis_unit_file_t:file read_file_perms; -+ allow $1 nis_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ypbind_t) -+ ps_process_pattern($1, yppasswdd_t) -+ ps_process_pattern($1, ypserv_t) -+ ps_process_pattern($1, ypxfr_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an nis environment - ## - ## - ## -@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',` - # - interface(`nis_admin',` - gen_require(` -- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; -- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; -+ type ypbind_t, yppasswdd_t, ypserv_t; -+ type ypserv_conf_t; - type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t; -+ type ypserv_tmp_t; -+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; -+ type nis_unit_file_t; -+ type ypbind_unit_file_t; -+ ') -+ -+ allow $1 ypbind_t:process signal_perms; -+ ps_process_pattern($1, ypbind_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ypbind_t:process ptrace; -+ allow $1 yppasswdd_t:process ptrace; -+ allow $1 ypserv_t:process ptrace; -+ allow $1 ypxfr_t:process ptrace; - ') - -- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { ypbind_t 
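Review bot: Both new interfaces carry the summary `Execute ypbind server in the ypbind domain.` and the parameter text `Domain allowed to transition.`, yet neither performs a domain transition: `nis_systemctl_ypbind` grants `systemd_exec_systemctl($1)` plus `manage_service_perms` on `ypbind_unit_file_t`, and `nis_systemctl` does the same for `nis_unit_file_t` covering the ypserv/yppasswdd/ypxfrd units. Suggested summaries: `Start, stop and restart the ypbind service via systemctl.` and `Start, stop and restart the NIS server services (ypserv, yppasswdd, ypxfrd) via systemctl.`, with the parameter described as `Domain allowed access.`. `nis_systemctl` also requires `ypbind_unit_file_t` without using it; removing it from the `gen_require` avoids a needless dependency. (The enclosing diff shows this hunk on its removed side.)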
yppasswdd_t ypserv_t ypxfr_t }) -+ allow $1 yppasswdd_t:process signal_perms; -+ ps_process_pattern($1, yppasswdd_t) -+ -+ allow $1 ypserv_t:process signal_perms; -+ ps_process_pattern($1, ypserv_t) -+ -+ allow $1 ypxfr_t:process signal_perms; -+ ps_process_pattern($1, ypxfr_t) - - nis_initrc_domtrans($1) - nis_initrc_domtrans_ypbind($1) - domain_system_change_exemption($1) -- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r; -+ role_transition $2 nis_initrc_exec_t system_r; -+ role_transition $2 ypbind_initrc_exec_t system_r; - allow $2 system_r; - -- files_list_tmp($1) -- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t }) -- - files_list_pids($1) -- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t }) -+ admin_pattern($1, ypbind_var_run_t) -+ nis_systemctl_ypbind($1) -+ admin_pattern($1, ypbind_unit_file_t) -+ allow $1 ypbind_unit_file_t:service all_service_perms; -+ -+ admin_pattern($1, yppasswdd_var_run_t) - - files_list_etc($1) - admin_pattern($1, ypserv_conf_t) - -- files_search_var($1) -- admin_pattern($1, var_yp_t) -+ admin_pattern($1, ypserv_var_run_t) -+ -+ admin_pattern($1, ypserv_tmp_t) - -- nis_run_ypbind($1, $2) -+ nis_systemctl($1) -+ admin_pattern($1, nis_unit_file_t) -+ allow $1 nis_unit_file_t:service all_service_perms; - ') -diff --git a/nis.te b/nis.te -index 3e4a31c..eea788e 100644 ---- a/nis.te -+++ b/nis.te -@@ -1,12 +1,10 @@ --policy_module(nis, 1.11.1) -+policy_module(nis, 1.11.0) - - ######################################## - # - # Declarations - # - --attribute_role ypbind_roles; -- - type nis_initrc_exec_t; - init_script_file(nis_initrc_exec_t) - -@@ -16,16 +14,18 @@ files_type(var_yp_t) - type ypbind_t; - type ypbind_exec_t; - init_daemon_domain(ypbind_t, ypbind_exec_t) --role ypbind_roles types ypbind_t; - - type ypbind_initrc_exec_t; - init_script_file(ypbind_initrc_exec_t) - -+type ypbind_var_run_t; -+files_pid_file(ypbind_var_run_t) -+ - type ypbind_tmp_t; - files_tmp_file(ypbind_tmp_t) - 
--type ypbind_var_run_t; --files_pid_file(ypbind_var_run_t) -+type ypbind_unit_file_t; -+systemd_unit_file(ypbind_unit_file_t) - - type yppasswdd_t; - type yppasswdd_exec_t; -@@ -40,7 +40,7 @@ type ypserv_exec_t; - init_daemon_domain(ypserv_t, ypserv_exec_t) - - type ypserv_conf_t; --files_type(ypserv_conf_t) -+files_config_file(ypserv_conf_t) - - type ypserv_tmp_t; - files_tmp_file(ypserv_tmp_t) -@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) - type ypxfr_var_run_t; - files_pid_file(ypxfr_var_run_t) - -+type nis_unit_file_t; -+systemd_unit_file(nis_unit_file_t) -+ - ######################################## - # - # ypbind local policy -@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t) - dontaudit ypbind_t self:capability { net_admin sys_tty_config }; - allow ypbind_t self:fifo_file rw_fifo_file_perms; - allow ypbind_t self:process signal_perms; -+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; - allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; - allow ypbind_t self:tcp_socket create_stream_socket_perms; - allow ypbind_t self:udp_socket create_socket_perms; -@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) - kernel_read_system_state(ypbind_t) - kernel_read_kernel_sysctls(ypbind_t) - --corenet_all_recvfrom_unlabeled(ypbind_t) - corenet_all_recvfrom_netlabel(ypbind_t) - corenet_tcp_sendrecv_generic_if(ypbind_t) - corenet_udp_sendrecv_generic_if(ypbind_t) -@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t) - corenet_udp_sendrecv_all_ports(ypbind_t) - corenet_tcp_bind_generic_node(ypbind_t) - corenet_udp_bind_generic_node(ypbind_t) -- - corenet_tcp_bind_generic_port(ypbind_t) - corenet_udp_bind_generic_port(ypbind_t) - corenet_tcp_bind_reserved_port(ypbind_t) -@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t) - corenet_tcp_bind_all_rpc_ports(ypbind_t) - corenet_udp_bind_all_rpc_ports(ypbind_t) - corenet_tcp_connect_all_ports(ypbind_t) 
--corenet_sendrecv_all_client_packets(ypbind_t) --corenet_sendrecv_generic_server_packets(ypbind_t) -- - corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) -+corenet_sendrecv_all_client_packets(ypbind_t) -+corenet_sendrecv_generic_server_packets(ypbind_t) - - dev_read_sysfs(ypbind_t) - -@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t) - - domain_use_interactive_fds(ypbind_t) - --files_read_etc_files(ypbind_t) - files_list_var(ypbind_t) - --logging_send_syslog_msg(ypbind_t) -+init_search_pid_dirs(ypbind_t) - --miscfiles_read_localization(ypbind_t) -+logging_send_syslog_msg(ypbind_t) - - sysnet_read_config(ypbind_t) - -@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) - optional_policy(` - dbus_system_bus_client(ypbind_t) - dbus_connect_system_bus(ypbind_t) -- - init_dbus_chat_script(ypbind_t) - - optional_policy(` -@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override; - dontaudit yppasswdd_t self:capability sys_tty_config; - allow yppasswdd_t self:fifo_file rw_fifo_file_perms; - allow yppasswdd_t self:process { getsched setfscreate signal_perms }; --allow yppasswdd_t self:unix_stream_socket { accept listen }; -+allow yppasswdd_t self:unix_dgram_socket create_socket_perms; -+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; - allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; - allow yppasswdd_t self:tcp_socket create_stream_socket_perms; - allow yppasswdd_t self:udp_socket create_socket_perms; -@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) - manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) - manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) - --can_exec(yppasswdd_t, yppasswdd_exec_t) -+can_exec(yppasswdd_t,yppasswdd_exec_t) - - kernel_list_proc(yppasswdd_t) - kernel_read_proc_symlinks(yppasswdd_t) - kernel_getattr_proc_files(yppasswdd_t) - 
kernel_read_kernel_sysctls(yppasswdd_t) - --corenet_all_recvfrom_unlabeled(yppasswdd_t) - corenet_all_recvfrom_netlabel(yppasswdd_t) - corenet_tcp_sendrecv_generic_if(yppasswdd_t) - corenet_udp_sendrecv_generic_if(yppasswdd_t) -@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) - corenet_udp_sendrecv_all_ports(yppasswdd_t) - corenet_tcp_bind_generic_node(yppasswdd_t) - corenet_udp_bind_generic_node(yppasswdd_t) -- - corenet_tcp_bind_all_rpc_ports(yppasswdd_t) - corenet_udp_bind_all_rpc_ports(yppasswdd_t) --corenet_sendrecv_generic_server_packets(yppasswdd_t) -- - corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) - corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) -+corenet_sendrecv_generic_server_packets(yppasswdd_t) - --corecmd_exec_bin(yppasswdd_t) --corecmd_exec_shell(yppasswdd_t) -- --domain_use_interactive_fds(yppasswdd_t) -- --files_read_etc_files(yppasswdd_t) --files_read_etc_runtime_files(yppasswdd_t) --files_relabel_etc_files(yppasswdd_t) -- -+dev_read_urand(yppasswdd_t) - dev_read_sysfs(yppasswdd_t) - - fs_getattr_all_fs(yppasswdd_t) -@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t) - - auth_manage_shadow(yppasswdd_t) - auth_relabel_shadow(yppasswdd_t) -+auth_read_passwd(yppasswdd_t) - auth_etc_filetrans_shadow(yppasswdd_t) - -+corecmd_exec_bin(yppasswdd_t) -+corecmd_exec_shell(yppasswdd_t) -+ -+domain_use_interactive_fds(yppasswdd_t) -+ -+files_read_etc_runtime_files(yppasswdd_t) -+files_relabel_etc_files(yppasswdd_t) -+ - logging_send_syslog_msg(yppasswdd_t) - --miscfiles_read_localization(yppasswdd_t) - - sysnet_read_config(yppasswdd_t) - -@@ -219,6 +216,14 @@ optional_policy(` - ') - - optional_policy(` -+ mta_send_mail(yppasswdd_t) -+') -+ -+optional_policy(` -+ nis_use_ypbind(yppasswdd_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(yppasswdd_t) - ') - -@@ -234,7 +239,8 @@ optional_policy(` - dontaudit ypserv_t self:capability sys_tty_config; - allow ypserv_t self:fifo_file rw_fifo_file_perms; - allow 
ypserv_t self:process signal_perms; --allow ypserv_t self:unix_stream_socket { accept listen }; -+allow ypserv_t self:unix_dgram_socket create_socket_perms; -+allow ypserv_t self:unix_stream_socket create_stream_socket_perms; - allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; - allow ypserv_t self:tcp_socket connected_stream_socket_perms; - allow ypserv_t self:udp_socket create_socket_perms; -@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t) - kernel_list_proc(ypserv_t) - kernel_read_proc_symlinks(ypserv_t) - --corenet_all_recvfrom_unlabeled(ypserv_t) - corenet_all_recvfrom_netlabel(ypserv_t) - corenet_tcp_sendrecv_generic_if(ypserv_t) - corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +269,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) - corenet_udp_sendrecv_all_ports(ypserv_t) - corenet_tcp_bind_generic_node(ypserv_t) - corenet_udp_bind_generic_node(ypserv_t) -- - corenet_tcp_bind_reserved_port(ypserv_t) - corenet_udp_bind_reserved_port(ypserv_t) - corenet_tcp_bind_all_rpc_ports(ypserv_t) - corenet_udp_bind_all_rpc_ports(ypserv_t) --corenet_sendrecv_generic_server_packets(ypserv_t) -- - corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) -+corenet_sendrecv_generic_server_packets(ypserv_t) - --corecmd_exec_bin(ypserv_t) -+dev_read_sysfs(ypserv_t) - --files_read_etc_files(ypserv_t) --files_read_var_files(ypserv_t) -+fs_getattr_all_fs(ypserv_t) -+fs_search_auto_mountpoints(ypserv_t) - --dev_read_sysfs(ypserv_t) -+corecmd_exec_bin(ypserv_t) - - domain_use_interactive_fds(ypserv_t) - --fs_getattr_all_fs(ypserv_t) --fs_search_auto_mountpoints(ypserv_t) -+files_read_var_files(ypserv_t) - - logging_send_syslog_msg(ypserv_t) - --miscfiles_read_localization(ypserv_t) - - nis_domtrans_ypxfr(ypserv_t) - -@@ -310,8 +311,8 @@ optional_policy(` - # ypxfr local policy - # - --allow ypxfr_t self:unix_stream_socket { accept listen }; --allow ypxfr_t self:unix_dgram_socket { accept listen }; 
-+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
-+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
- allow ypxfr_t self:tcp_socket create_stream_socket_perms;
- allow ypxfr_t self:udp_socket create_socket_perms;
- allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
- manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
- files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
-
--corenet_all_recvfrom_unlabeled(ypxfr_t)
- corenet_all_recvfrom_netlabel(ypxfr_t)
- corenet_tcp_sendrecv_generic_if(ypxfr_t)
- corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +336,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
- corenet_udp_sendrecv_all_ports(ypxfr_t)
- corenet_tcp_bind_generic_node(ypxfr_t)
- corenet_udp_bind_generic_node(ypxfr_t)
--
- corenet_tcp_bind_reserved_port(ypxfr_t)
- corenet_udp_bind_reserved_port(ypxfr_t)
- corenet_tcp_bind_all_rpc_ports(ypxfr_t)
- corenet_udp_bind_all_rpc_ports(ypxfr_t)
-+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
- corenet_tcp_connect_all_ports(ypxfr_t)
- corenet_sendrecv_generic_server_packets(ypxfr_t)
- corenet_sendrecv_all_client_packets(ypxfr_t)
-
--corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
--corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
--
--files_read_etc_files(ypxfr_t)
- files_search_usr(ypxfr_t)
-
- logging_send_syslog_msg(ypxfr_t)
-
--miscfiles_read_localization(ypxfr_t)
-
- sysnet_read_config(ypxfr_t)
-diff --git a/nova.fc b/nova.fc
-new file mode 100644
-index 0000000..02dc6dc
---- /dev/null
-+++ b/nova.fc
-@@ -0,0 +1,32 @@
-+
-+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
-+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
-+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
-+/usr/bin/nova-api --
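Review bot: `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` grants `listen` and `accept`, which have no meaning for a datagram socket, and it diverges from how this same patch treats the other NIS daemons (`allow yppasswdd_t self:unix_dgram_socket create_socket_perms;`, `allow ypserv_t self:unix_dgram_socket create_socket_perms;`). Change it to `allow ypxfr_t self:unix_dgram_socket create_socket_perms;`. (The enclosing diff shows this hunk on its removed side.)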
gen_context(system_u:object_r:nova_api_exec_t,s0)
-+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
-+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)
-+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
-+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
-+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
-+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
-+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
-+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
-+
-+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
-+/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
-+
-+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
-+
-+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
-+
-+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
-diff --git a/nova.if b/nova.if
-new file mode 100644
-index 0000000..28936b4
---- /dev/null
-+++ b/nova.if
-@@ -0,0 +1,57 @@
-+## openstack-nova
-+
-+######################################
-+##
-+## Manage nova lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nova_manage_lib_files',`
-+ gen_require(`
-+ type nova_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## openstack-nova systemd daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`nova_domain_template',`
-+ gen_require(`
-+ attribute nova_domain;
-+ ')
-+
-+ type nova_$1_t, nova_domain;
-+ type nova_$1_exec_t;
-+ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
-+
-+ type nova_$1_unit_file_t;
-+ systemd_unit_file(nova_$1_unit_file_t)
-+
-+ type nova_$1_tmp_t;
-+ files_tmp_file(nova_$1_tmp_t)
-+
-+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
-+ can_exec(nova_$1_t, nova_$1_tmp_t)
-+
-+ kernel_read_system_state(nova_$1_t)
-+
-+ logging_send_syslog_msg(nova_$1_t)
-+
-+')
-diff --git a/nova.te b/nova.te
-new file mode 100644
-index 0000000..d5b54e5
---- /dev/null
-+++ b/nova.te
-@@ -0,0 +1,320 @@
-+policy_module(nova, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+#
-+# nova-stack daemons contain security issue with using sudo in the code
-+# we make this policy as unconfined until this issue is
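Review bot: The entry `/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)` has a doubled slash in its path regex; file_contexts patterns are matched against the canonical path, so as written it matches nothing and /usr/bin/nova-api-metadata keeps the default bin_t label and starts without the nova_api_t transition. Assuming the double slash is in the patch rather than a rendering artifact, the line should read `/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)`. (The enclosing diff shows this hunk on its removed side.)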
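Review bot: `nova_domain_template` gives every generated domain `can_exec(nova_$1_t, nova_$1_tmp_t)` next to full write access to the same tmp type, so each nova daemon can execute whatever it has written to /tmp; for network-facing services such as nova-api this discards the write-xor-execute separation the per-domain tmp types would otherwise give. If one component genuinely needs this (a helper dropped at runtime, for instance), a comment naming it would help and the call belongs in that component's local section of nova.te rather than in the template applied to all eleven domains. The interface description could also mention that the template creates `nova_$1_unit_file_t` and `nova_$1_tmp_t`, so the generated type names are discoverable from the docs. (The enclosing diff shows this hunk on its removed side.)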
fixed -+# -+ -+attribute nova_domain; -+attribute nova_sudo_domain; -+ -+nova_domain_template(ajax) -+nova_domain_template(api) -+nova_domain_template(cert) -+nova_domain_template(compute) -+nova_domain_template(console) -+nova_domain_template(direct) -+nova_domain_template(network) -+nova_domain_template(objectstore) -+nova_domain_template(scheduler) -+nova_domain_template(vncproxy) -+nova_domain_template(volume) -+ -+typeattribute nova_api_t nova_sudo_domain; -+typeattribute nova_cert_t nova_sudo_domain; -+typeattribute nova_console_t nova_sudo_domain; -+typeattribute nova_network_t nova_sudo_domain; -+typeattribute nova_volume_t nova_sudo_domain; -+ -+type nova_log_t; -+logging_log_file(nova_log_t) -+ -+type nova_var_lib_t; -+files_type(nova_var_lib_t) -+ -+type nova_var_run_t; -+files_pid_file(nova_var_run_t) -+ -+ -+###################################### -+# -+# nova general domain local policy -+# -+ -+allow nova_domain self:fifo_file rw_fifo_file_perms; -+allow nova_domain self:tcp_socket create_stream_socket_perms; -+allow nova_domain self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t) -+manage_files_pattern(nova_domain, nova_log_t, nova_log_t) -+ -+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t) -+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t) -+ -+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t) -+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t) -+ -+corenet_tcp_connect_amqp_port(nova_domain) -+corenet_tcp_connect_mysqld_port(nova_domain) -+ -+kernel_read_network_state(nova_domain) -+ -+corecmd_exec_bin(nova_domain) -+corecmd_exec_shell(nova_domain) -+corenet_tcp_connect_mysqld_port(nova_domain) -+ -+dev_read_sysfs(nova_domain) -+dev_read_urand(nova_domain) -+ -+fs_getattr_xattr_fs(nova_domain) -+ -+libs_exec_ldconfig(nova_domain) -+ -+optional_policy(` -+ sysnet_read_config(nova_domain) -+ sysnet_exec_ifconfig(nova_domain) 
-+') -+ -+###################################### -+# -+# nova ajax local policy -+# -+ -+#optional_policy(` -+# unconfined_domain(nova_ajax_t) -+#') -+ -+####################################### -+# -+# nova api local policy -+# -+ -+allow nova_api_t self:process setfscreate; -+ -+allow nova_api_t self:key write; -+ -+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms; -+ -+allow nova_api_t self:udp_socket create_socket_perms; -+ -+kernel_read_kernel_sysctls(nova_api_t) -+ -+corenet_tcp_bind_generic_node(nova_api_t) -+corenet_udp_bind_generic_node(nova_api_t) -+# should be add to booleans -+corenet_tcp_connect_all_ports(nova_api_t) -+corenet_tcp_bind_all_unreserved_ports(nova_api_t) -+ -+auth_read_passwd(nova_api_t) -+ -+logging_send_syslog_msg(nova_api_t) -+ -+miscfiles_read_certs(nova_api_t) -+ -+optional_policy(` -+ iptables_domtrans(nova_api_t) -+') -+ -+optional_policy(` -+ ssh_exec_keygen(nova_api_t) -+') -+ -+#optional_policy(` -+# unconfined_domain(nova_api_t) -+#') -+ -+###################################### -+# -+# nova cert local policy -+# -+ -+allow nova_cert_t self:process setfscreate; -+ -+allow nova_cert_t self:udp_socket create_socket_perms; -+ -+auth_use_nsswitch(nova_cert_t) -+ -+miscfiles_read_certs(nova_cert_t) -+ -+optional_policy(` -+ mysql_stream_connect(nova_cert_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(nova_cert_t) -+') -+ -+####################################### -+# -+# nova compute local policy -+# -+ -+# needs to be re-write since now runs as virtd_t -+ -+allow nova_compute_t self:udp_socket create_socket_perms; -+ -+kernel_read_network_state(nova_compute_t) -+ -+dev_read_rand(nova_compute_t) -+ -+optional_policy(` -+ virt_getattr_exec(nova_compute_t) -+ virt_stream_connect(nova_compute_t) -+') -+ -+###################################### -+# -+# nova console local policy -+# -+ -+allow nova_console_t self:udp_socket create_socket_perms; -+ -+auth_use_nsswitch(nova_console_t) -+ -+optional_policy(` -+ 
mysql_stream_connect(nova_console_t) -+') -+ -+####################################### -+# -+# nova direct local policy -+# -+ -+#optional_policy(` -+# unconfined_domain(nova_direct_t) -+#') -+ -+####################################### -+# -+# nova network local policy -+# -+ -+allow nova_network_t self:capability { dac_override net_admin net_bind_service }; -+allow nova_network_t self:process { getcap setcap }; -+ -+allow nova_network_t self:netlink_route_socket r_netlink_socket_perms; -+allow nova_network_t self:udp_socket create_socket_perms; -+ -+kernel_read_network_state(nova_network_t) -+kernel_read_kernel_sysctls(nova_network_t) -+ -+# should be added to boolean or fixed in the code -+# dnsmasq domtrans does not work since then dnsmasq_t wants -+# to do some stuff with nova_lib, nova_tmp -+# nova-dhcpbridge runs in dnsmasq domain -+corenet_all_recvfrom_netlabel(nova_network_t) -+corenet_tcp_sendrecv_generic_if(nova_network_t) -+corenet_udp_sendrecv_generic_if(nova_network_t) -+corenet_raw_sendrecv_generic_if(nova_network_t) -+corenet_tcp_sendrecv_generic_node(nova_network_t) -+corenet_udp_sendrecv_generic_node(nova_network_t) -+corenet_raw_sendrecv_generic_node(nova_network_t) -+corenet_tcp_sendrecv_all_ports(nova_network_t) -+corenet_udp_sendrecv_all_ports(nova_network_t) -+corenet_tcp_bind_generic_node(nova_network_t) -+corenet_udp_bind_generic_node(nova_network_t) -+corenet_tcp_bind_dns_port(nova_network_t) -+corenet_udp_bind_all_ports(nova_network_t) -+corenet_sendrecv_dns_server_packets(nova_network_t) -+corenet_sendrecv_dhcpd_server_packets(nova_network_t) -+ -+libs_exec_ldconfig(nova_network_t) -+ -+logging_send_syslog_msg(nova_network_t) -+ -+optional_policy(` -+ brctl_domtrans(nova_network_t) -+') -+ -+optional_policy(` -+ dnsmasq_exec(nova_network_t) -+# dnsmasq_domtrans(nova_network_t) -+') -+ -+optional_policy(` -+ iptables_domtrans(nova_network_t) -+') -+ -+optional_policy(` -+ sysnet_domtrans_ifconfig(nova_network_t) -+') -+ 
-+#optional_policy(` -+# unconfined_domain(nova_network_t) -+#') -+ -+####################################### -+# -+# nova object store local policy -+# -+ -+allow nova_objectstore_t self:udp_socket create_socket_perms; -+ -+corenet_tcp_bind_generic_node(nova_objectstore_t) -+corenet_udp_bind_generic_node(nova_objectstore_t) -+ -+optional_policy(` -+ unconfined_domain(nova_objectstore_t) -+') -+ -+####################################### -+# -+# nova scheduler local policy -+# -+ -+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; -+allow nova_scheduler_t self:udp_socket create_socket_perms; -+ -+#optional_policy(` -+# unconfined_domain(nova_scheduler_t) -+#') -+ -+####################################### -+# -+# nova vncproxy local policy -+# -+ -+#optional_policy(` -+# unconfined_domain(nova_vncproxy_t) -+#') -+ -+####################################### -+# -+# nova volume local policy -+# -+ -+allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms; -+ -+allow nova_volume_t self:udp_socket create_socket_perms; -+ -+kernel_read_kernel_sysctls(nova_volume_t) -+ -+logging_send_syslog_msg(nova_volume_t) -+ -+optional_policy(` -+ lvm_domtrans(nova_volume_t) -+') -+ -+#optional_policy(` -+# unconfined_domain(nova_volume_t) -+#') -+ -+####################################### -+# -+# nova sudo domain local policy -+# -+ -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_sudo_domain) -+ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write }; -+ allow nova_sudo_domain self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_sudo_domain) -+ ') -+') -+ -diff --git a/nscd.fc b/nscd.fc -index ba64485..429bd79 100644 ---- a/nscd.fc -+++ b/nscd.fc -@@ -1,13 +1,15 @@ - /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - --/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) -+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - 
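Review bot: `optional_policy(\` unconfined_domain(nova_objectstore_t) ')` is the only `unconfined_domain` call left active, while the header comment says the module is unconfined as a whole pending the sudo fix and every other such call is commented out, so one network-facing daemon ends up fully unconfined with no per-domain explanation. Either gate it behind a boolean, as the `# should be add to booleans` note already proposes for `corenet_tcp_connect_all_ports(nova_api_t)`, or add a comment above it stating why objectstore alone still needs it, and reword the header so it no longer claims a blanket unconfined state. `corenet_tcp_connect_mysqld_port(nova_domain)` is listed twice in the general section and one copy can go. The `nova_sudo_domain` rules granting `setuid setgid` exist only under `ifdef(\`hide_broken_symptoms'`, so a build without that flag presumably fails on the sudo path; a comment saying so would stop those denials being chased. (The enclosing diff shows this hunk on its removed side.)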
--/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
--
--/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
- /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
- 
--/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-+
-+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-+
-+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
-diff --git a/nscd.if b/nscd.if
-index 8f2ab09..6ab4ea1 100644
---- a/nscd.if
-+++ b/nscd.if
-@@ -1,8 +1,8 @@
--## Name service cache daemon.
-+## Name service cache daemon
- 
- ########################################
- ##
--## Send generic signals to nscd.
-+## Send generic signals to NSCD.
- ##
- ##
- ##
-@@ -20,7 +20,7 @@ interface(`nscd_signal',`
- 
- ########################################
- ##
--## Send kill signals to nscd.
-+## Send NSCD the kill signal.
- ##
- ##
- ##
-@@ -38,7 +38,7 @@ interface(`nscd_kill',`
- 
- ########################################
- ##
--## Send null signals to nscd.
-+## Send signulls to NSCD.
- ##
- ##
- ##
-@@ -56,7 +56,7 @@ interface(`nscd_signull',`
- 
- ########################################
- ##
--## Execute nscd in the nscd domain.
-+## Execute NSCD in the nscd domain.
- ##
- ##
- ##
-@@ -75,7 +75,8 @@ interface(`nscd_domtrans',`
- 
- ########################################
- ##
--## Execute nscd in the caller domain.
-+## Allow the specified domain to execute nscd
-+## in the caller domain.
- ##
- ##
- ##
-@@ -88,14 +89,13 @@ interface(`nscd_exec',`
- type nscd_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- can_exec($1, nscd_exec_t)
- ')
- 
- ########################################
- ##
--## Use nscd services by connecting using
--## a unix domain stream socket.
-+## Use NSCD services by connecting using
-+## a unix stream socket.
- ##
- ##
- ##
-@@ -112,22 +112,17 @@ interface(`nscd_socket_use',`
- allow $1 self:unix_stream_socket create_socket_perms;
- 
- allow $1 nscd_t:nscd { getpwd getgrp gethost };
--
- dontaudit $1 nscd_t:fd use;
- dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
--
- files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file read_file_perms;
--
- ps_process_pattern(nscd_t, $1)
- ')
- 
- ########################################
- ##
--## Use nscd services by mapping the
--## database from an inherited nscd
--## file descriptor.
-+## Use nscd services
- ##
- ##
- ##
-@@ -135,28 +130,38 @@ interface(`nscd_socket_use',`
- ##
- ##
- #
--interface(`nscd_shm_use',`
-+interface(`nscd_use',`
-+ tunable_policy(`nscd_use_shm',`
-+ nscd_shm_use($1)
-+ ',`
-+ nscd_socket_use($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write nscd sock files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`nscd_dontaudit_write_sock_file',`
- gen_require(`
- type nscd_t, nscd_var_run_t;
-- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
- ')
- 
-- allow $1 self:unix_stream_socket create_stream_socket_perms;
--
-- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-- allow $1 nscd_t:fd use;
--
-- files_search_pids($1)
-- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-- dontaudit $1 nscd_var_run_t:file read_file_perms;
-+ dontaudit $1 nscd_t:sock_file write;
-+ dontaudit $1 nscd_var_run_t:sock_file write;
- 
-- allow $1 nscd_var_run_t:dir list_dir_perms;
-- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
- ')
- 
- ########################################
- ##
--## Use nscd services.
-+## Use NSCD services by mapping the database from
-+## an inherited NSCD file descriptor.
- ##
- ##
- ##
-@@ -164,18 +169,34 @@ interface(`nscd_shm_use',`
- ##
- ##
- #
--interface(`nscd_use',`
-- tunable_policy(`nscd_use_shm',`
-- nscd_shm_use($1)
-- ',`
-- nscd_socket_use($1)
-+interface(`nscd_shm_use',`
-+ gen_require(`
-+ type nscd_t, nscd_var_run_t;
-+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
- ')
-+
-+ allow $1 nscd_var_run_t:dir list_dir_perms;
-+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv };
-+ # Receive fd from nscd and map the backing file with read access.
-+ allow $1 nscd_t:fd use;
-+
-+ # cjp: these were originally inherited from the
-+ # nscd_socket_domain macro. need to investigate
-+ # if they are all actually required
-+ allow $1 self:unix_stream_socket create_stream_socket_perms;
-+
-+ # dg: This may not be required.
-+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
-+
-+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-+ files_search_pids($1)
-+ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };
-+ dontaudit $1 nscd_var_run_t:file read_file_perms;
- ')
- 
- ########################################
- ##
--## Do not audit attempts to search
--## nscd pid directories.
-+## Do not audit attempts to search the NSCD pid directory.
- ##
- ##
- ##
-@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',`
- 
- ########################################
- ##
--## Read nscd pid files.
-+## Read NSCD pid file.
- ##
- ##
- ##
-@@ -212,7 +233,7 @@ interface(`nscd_read_pid',`
- 
- ########################################
- ##
--## Unconfined access to nscd services.
-+## Unconfined access to NSCD services.
- ##
- ##
- ##
-@@ -244,20 +265,20 @@ interface(`nscd_unconfined',`
- ## Role allowed access.
- ##
- ##
-+##
- #
- interface(`nscd_run',`
- gen_require(`
-- attribute_role nscd_roles;
-+ type nscd_t;
- ')
- 
- nscd_domtrans($1)
-- roleattribute $2 nscd_roles;
-+ role $2 types nscd_t;
- ')
- 
- ########################################
- ##
--## Execute the nscd server init
--## script in the initrc domain.
-+## Execute the nscd server init script.
- ##
- ##
- ##
-@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',`
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an nscd environment.
-+## Execute nscd server in the nscd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`nscd_systemctl',`
-+ gen_require(`
-+ type nscd_unit_file_t;
-+ type nscd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 nscd_unit_file_t:file read_file_perms;
-+ allow $1 nscd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, nscd_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an nscd environment
- ##
- ##
- ##
-@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the nscd domain.
- ##
- ##
- ##
-@@ -294,10 +338,14 @@ interface(`nscd_admin',`
- gen_require(`
- type nscd_t, nscd_log_t, nscd_var_run_t;
- type nscd_initrc_exec_t;
-+ type nscd_unit_file_t;
- ')
- 
-- allow $1 nscd_t:process { ptrace signal_perms };
-+ allow $1 nscd_t:process signal_perms;
- ps_process_pattern($1, nscd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 nscd_t:process ptrace;
-+ ')
- 
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -310,5 +358,7 @@ interface(`nscd_admin',`
- files_list_pids($1)
- admin_pattern($1, nscd_var_run_t)
- 
-- nscd_run($1, $2)
-+ nscd_systemctl($1)
-+ admin_pattern($1, nscd_unit_file_t)
-+ allow $1 nscd_unit_file_t:service all_service_perms;
- ')
-diff --git a/nscd.te b/nscd.te
-index df4c10f..8c09c68 100644
---- a/nscd.te
-+++ b/nscd.te
-@@ -1,36 +1,37 @@
--policy_module(nscd, 1.10.3)
-+policy_module(nscd, 1.10.0)
- 
- gen_require(`
- class nscd all_nscd_perms;
- ')
- 
--########################################
--#
--# Declarations
--#
--
- ##
- ##

    --## Determine whether confined applications
--## can use nscd shared memory.
-+## Allow confined applications to use nscd shared memory.
- ##

    - ##
    - gen_tunable(nscd_use_shm, false)
- 
--attribute_role nscd_roles;
-+########################################
-+#
-+# Declarations
-+#
- 
-+# cjp: this is out of order because of an
-+# ordering problem with loadable modules
- type nscd_var_run_t;
- files_pid_file(nscd_var_run_t)
--init_daemon_run_dir(nscd_var_run_t, "nscd")
- 
-+# nscd is both the client program and the daemon.
- type nscd_t;
- type nscd_exec_t;
- init_daemon_domain(nscd_t, nscd_exec_t)
--role nscd_roles types nscd_t;
- 
- type nscd_initrc_exec_t;
- init_script_file(nscd_initrc_exec_t)
- 
-+type nscd_unit_file_t;
-+systemd_unit_file(nscd_unit_file_t)
-+
- type nscd_log_t;
- logging_log_file(nscd_log_t)
- 
-@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
- dontaudit nscd_t self:capability sys_tty_config;
- allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
- allow nscd_t self:fifo_file read_fifo_file_perms;
--allow nscd_t self:unix_stream_socket { accept listen };
-+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-+allow nscd_t self:unix_dgram_socket create_socket_perms;
- allow nscd_t self:netlink_selinux_socket create_socket_perms;
-+allow nscd_t self:tcp_socket create_socket_perms;
-+allow nscd_t self:udp_socket create_socket_perms;
- 
-+# For client program operation, invoked from sysadm_t.
-+# Transition occurs to nscd_t due to direct_sysadm_daemon.
- allow nscd_t self:nscd { admin getstat };
- 
--allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-+allow nscd_t nscd_log_t:file manage_file_perms;
- logging_log_filetrans(nscd_t, nscd_log_t, file)
- 
-+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
- manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
- manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
--files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
-+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
- 
-+corecmd_search_bin(nscd_t)
- can_exec(nscd_t, nscd_exec_t)
- 
--kernel_list_proc(nscd_t)
--kernel_read_kernel_sysctls(nscd_t)
- kernel_read_network_state(nscd_t)
-+kernel_read_kernel_sysctls(nscd_t)
-+kernel_list_proc(nscd_t)
- kernel_read_proc_symlinks(nscd_t)
- 
--corecmd_search_bin(nscd_t)
--
- dev_read_sysfs(nscd_t)
- dev_read_rand(nscd_t)
- dev_read_urand(nscd_t)
- 
--domain_search_all_domains_state(nscd_t)
--domain_use_interactive_fds(nscd_t)
--
--files_read_generic_tmp_symlinks(nscd_t)
--files_read_etc_runtime_files(nscd_t)
--
- fs_getattr_all_fs(nscd_t)
- fs_search_auto_mountpoints(nscd_t)
- fs_list_inotifyfs(nscd_t)
- 
-+# for when /etc/passwd has just been updated and has the wrong type
- auth_getattr_shadow(nscd_t)
- auth_use_nsswitch(nscd_t)
- 
--corenet_all_recvfrom_unlabeled(nscd_t)
- corenet_all_recvfrom_netlabel(nscd_t)
- corenet_tcp_sendrecv_generic_if(nscd_t)
-+corenet_udp_sendrecv_generic_if(nscd_t)
- corenet_tcp_sendrecv_generic_node(nscd_t)
--
--corenet_sendrecv_all_client_packets(nscd_t)
--corenet_tcp_connect_all_ports(nscd_t)
-+corenet_udp_sendrecv_generic_node(nscd_t)
- corenet_tcp_sendrecv_all_ports(nscd_t)
--
-+corenet_udp_sendrecv_all_ports(nscd_t)
-+corenet_udp_bind_generic_node(nscd_t)
-+corenet_tcp_connect_all_ports(nscd_t)
-+corenet_sendrecv_all_client_packets(nscd_t)
- corenet_rw_tun_tap_dev(nscd_t)
- 
- selinux_get_fs_mount(nscd_t)
-@@ -98,16 +100,23 @@ 
selinux_compute_access_vector(nscd_t)
- selinux_compute_create_context(nscd_t)
- selinux_compute_relabel_context(nscd_t)
- selinux_compute_user_contexts(nscd_t)
-+domain_use_interactive_fds(nscd_t)
-+domain_search_all_domains_state(nscd_t)
-+
-+files_read_generic_tmp_symlinks(nscd_t)
-+# Needed to read files created by firstboot "/etc/hesiod.conf"
-+files_read_etc_runtime_files(nscd_t)
- 
- logging_send_audit_msgs(nscd_t)
- logging_send_syslog_msg(nscd_t)
- 
--miscfiles_read_localization(nscd_t)
- 
- seutil_read_config(nscd_t)
- seutil_read_default_contexts(nscd_t)
- seutil_sigchld_newrole(nscd_t)
- 
-+sysnet_read_config(nscd_t)
-+
- userdom_dontaudit_use_user_terminals(nscd_t)
- userdom_dontaudit_use_unpriv_user_fds(nscd_t)
- userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +130,31 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ kerberos_use(nscd_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(nscd_t)
-+')
-+
-+optional_policy(`
-+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-+ xen_append_log(nscd_t)
-+')
-+
-+optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(nscd_t)
- samba_dontaudit_use_fds(nscd_t)
- ')
--
-- samba_read_config(nscd_t)
-- samba_read_var_files(nscd_t)
- ')
- 
- optional_policy(`
-- udev_read_db(nscd_t)
-+ samba_read_config(nscd_t)
-+ samba_read_var_files(nscd_t)
-+ samba_stream_connect_nmbd(nscd_t)
- ')
- 
- optional_policy(`
-- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-- xen_append_log(nscd_t)
-+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
- ')
-diff --git a/nsd.fc b/nsd.fc
-index 4f2b1b6..5348e92 100644
---- a/nsd.fc
-+++ b/nsd.fc
-@@ -1,16 +1,13 @@
--/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
- 
--/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
--/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
--/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-+/etc/nsd(/.*)? 
gen_context(system_u:object_r:nsd_conf_t,s0)
-+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
-+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
- /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
- 
--/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
--/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
-+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
-+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
- /usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
--/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
--
--/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
--/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
-+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
- 
-+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
- /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
-diff --git a/nsd.if b/nsd.if
-index a9c60ff..ad4f14a 100644
---- a/nsd.if
-+++ b/nsd.if
-@@ -1,8 +1,8 @@
--## Authoritative only name server.
-+## Authoritative only name server
- 
- ########################################
- ##
--## Send and receive datagrams from NSD. (Deprecated)
-+## Read NSD pid file.
- ##
- ##
- ##
-@@ -10,13 +10,18 @@
- ##
- ##
- #
--interface(`nsd_udp_chat',`
-- refpolicywarn(`$0($*) has been deprecated.')
-+interface(`nsd_read_pid',`
-+ gen_require(`
-+ type nsd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
- ')
- 
- ########################################
- ##
--## Connect to NSD over a TCP socket (Deprecated)
-+## Send and receive datagrams from NSD. 
(Deprecated)
- ##
- ##
- ##
-@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
- ##
- ##
- #
--interface(`nsd_tcp_connect',`
-+interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
- ')
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an nsd environment.
-+## Connect to NSD over a TCP socket (Deprecated)
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
--interface(`nsd_admin',`
-- gen_require(`
-- type nsd_t, nsd_conf_t, nsd_var_run_t;
-- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
-- ')
--
-- allow $1 nsd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, nsd_t)
--
-- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 nsd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_etc($1)
-- admin_pattern($1, { nsd_conf_t nsd_db_t })
--
-- files_search_var_lib($1)
-- admin_pattern($1, nsd_zone_t)
--
-- files_list_pids($1)
-- admin_pattern($1, nsd_var_run_t)
-+interface(`nsd_tcp_connect',`
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
-diff --git a/nsd.te b/nsd.te
-index dde7f42..b3662dd 100644
---- a/nsd.te
-+++ b/nsd.te
-@@ -1,4 +1,4 @@
--policy_module(nsd, 1.7.1)
-+policy_module(nsd, 1.7.0)
- 
- ########################################
- #
-@@ -9,9 +9,7 @@ type nsd_t;
- type nsd_exec_t;
- init_daemon_domain(nsd_t, nsd_exec_t)
- 
--type nsd_initrc_exec_t;
--init_script_file(nsd_initrc_exec_t)
--
-+# A type for configuration files of nsd
- type nsd_conf_t;
- files_type(nsd_conf_t)
- 
-@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
- domain_entry_file(nsd_crond_t, nsd_exec_t)
- role system_r types nsd_crond_t;
- 
--type nsd_db_t;
--files_type(nsd_db_t)
--
- type nsd_var_run_t;
- files_pid_file(nsd_var_run_t)
- 
--type nsd_zone_t;
-+# A type for zone files
-+type nsd_zone_t alias nsd_db_t;
- files_type(nsd_zone_t)
- 
- ########################################
- # 
--# Local policy
-+# NSD Local policy
- #
- 
- allow nsd_t self:capability { chown dac_override kill setgid setuid };
- dontaudit nsd_t self:capability sys_tty_config;
- allow nsd_t self:process signal_perms;
-+allow nsd_t self:tcp_socket create_stream_socket_perms;
-+allow nsd_t self:udp_socket create_socket_perms;
- allow nsd_t self:fifo_file rw_fifo_file_perms;
--allow nsd_t self:tcp_socket { accept listen };
- 
- allow nsd_t nsd_conf_t:dir list_dir_perms;
--allow nsd_t nsd_conf_t:file read_file_perms;
--allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
--
--allow nsd_t nsd_db_t:file manage_file_perms;
--filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
-+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
-+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
- 
- manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
- files_pid_filetrans(nsd_t, nsd_var_run_t, file)
-@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
- 
- corecmd_exec_bin(nsd_t)
- 
--corenet_all_recvfrom_unlabeled(nsd_t)
- corenet_all_recvfrom_netlabel(nsd_t)
- corenet_tcp_sendrecv_generic_if(nsd_t)
- corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
- corenet_udp_sendrecv_all_ports(nsd_t)
- corenet_tcp_bind_generic_node(nsd_t)
- corenet_udp_bind_generic_node(nsd_t)
--
--corenet_sendrecv_dns_server_packets(nsd_t)
- corenet_tcp_bind_dns_port(nsd_t)
- corenet_udp_bind_dns_port(nsd_t)
-+corenet_sendrecv_dns_server_packets(nsd_t)
- 
- dev_read_sysfs(nsd_t)
-+dev_read_urand(nsd_t)
- 
- domain_use_interactive_fds(nsd_t)
- 
- files_read_etc_runtime_files(nsd_t)
-+files_search_var_lib(nsd_t)
- 
- fs_getattr_all_fs(nsd_t)
- fs_search_auto_mountpoints(nsd_t)
-@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
- 
- logging_send_syslog_msg(nsd_t)
- 
--miscfiles_read_localization(nsd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(nsd_t)
- userdom_dontaudit_search_user_home_dirs(nsd_t)
- 
-@@ -105,23 +97,24 @@ optional_policy(`
- 
- ######################################## 
- #
--# Cron local policy
-+# Zone update cron job local policy
- #
- 
-+# kill capability for root cron job and non-root daemon
- allow nsd_crond_t self:capability { dac_override kill };
- dontaudit nsd_crond_t self:capability sys_nice;
- allow nsd_crond_t self:process { setsched signal_perms };
- allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
-+allow nsd_crond_t self:tcp_socket create_socket_perms;
-+allow nsd_crond_t self:udp_socket create_socket_perms;
- 
--allow nsd_crond_t nsd_t:process signal;
--ps_process_pattern(nsd_crond_t, nsd_t)
--
--allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
- allow nsd_crond_t nsd_conf_t:file read_file_perms;
--allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
- 
--allow nsd_crond_t nsd_db_t:file manage_file_perms;
--filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
-+files_search_var_lib(nsd_crond_t)
-+
-+allow nsd_crond_t nsd_t:process signal;
-+
-+ps_process_pattern(nsd_crond_t, nsd_t)
- 
- manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
- filetrans_pattern(nsd_crond_t,  nsd_conf_t, nsd_zone_t, file)
-@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
- corecmd_exec_bin(nsd_crond_t)
- corecmd_exec_shell(nsd_crond_t)
- 
--corenet_all_recvfrom_unlabeled(nsd_crond_t)
- corenet_all_recvfrom_netlabel(nsd_crond_t)
- corenet_tcp_sendrecv_generic_if(nsd_crond_t)
-+corenet_udp_sendrecv_generic_if(nsd_crond_t)
- corenet_tcp_sendrecv_generic_node(nsd_crond_t)
--
--corenet_sendrecv_all_client_packets(nsd_crond_t)
--corenet_tcp_connect_all_ports(nsd_crond_t)
-+corenet_udp_sendrecv_generic_node(nsd_crond_t)
- corenet_tcp_sendrecv_all_ports(nsd_crond_t)
-+corenet_udp_sendrecv_all_ports(nsd_crond_t)
-+corenet_tcp_connect_all_ports(nsd_crond_t)
-+corenet_sendrecv_all_client_packets(nsd_crond_t)
- 
- dev_read_urand(nsd_crond_t)
- 
- domain_dontaudit_read_all_domains_state(nsd_crond_t)
- 
- files_read_etc_runtime_files(nsd_crond_t)
-+files_search_var_lib(nsd_t)
- 
- auth_use_nsswitch(nsd_crond_t)
- 
- 
logging_send_syslog_msg(nsd_crond_t)
- 
--miscfiles_read_localization(nsd_crond_t)
--
- userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
- 
- optional_policy(`
-diff --git a/nslcd.fc b/nslcd.fc
-index 402100e..ce913b2 100644
---- a/nslcd.fc
-+++ b/nslcd.fc
-@@ -1,7 +1,4 @@
--/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
--
--/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
--
--/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
--
--/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
-+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
-+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
-+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
-+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
-diff --git a/nslcd.if b/nslcd.if
-index 97df768..852d1c6 100644
---- a/nslcd.if
-+++ b/nslcd.if
-@@ -1,4 +1,4 @@
--## Local LDAP name service daemon.
-+## nslcd - local LDAP name service daemon.
- 
- ########################################
- ##
-@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
- type nslcd_t, nslcd_exec_t;
- ')
- 
-- corecmd_searh_bin($1)
- domtrans_pattern($1, nslcd_exec_t, nslcd_t)
- ')
- 
-@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
- 
- ########################################
- ##
--## Read nslcd pid files.
-+## Read nslcd PID files.
- ##
- ##
- ##
-@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
- 
- ########################################
- ##
--## Connect to nslcd over an unix
--## domain stream socket.
-+## Dontaudit write to nslcd over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nslcd_dontaudit_write_ock_file',`
-+ gen_require(`
-+ type nslcd_var_run_t;
-+ ')
-+
-+ dontaudit $1 nslcd_var_run_t:sock_file write;
-+')
-+
-+########################################
-+##
-+## Connect to nslcd over an unix stream socket. 
- ##
- ##
- ##
-@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
- type nslcd_t, nslcd_var_run_t;
- ')
- 
-- files_search_pids($1)
- stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
-+ files_search_pids($1)
-+')
-+
-+#######################################
-+##
-+## Do not audit attempts to write nslcd sock files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`nslcd_dontaudit_write_sock_file',`
-+ gen_require(`
-+ type nslcd_t, nslcd_var_run_t;
-+ ')
-+
-+ dontaudit $1 nslcd_t:sock_file write;
-+ dontaudit $1 nslcd_var_run_t:sock_file write;
- ')
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an nslcd environment.
-+## All of the rules required to administrate
-+## an nslcd environment
- ##
- ##
- ##
-@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
- type nslcd_conf_t;
- ')
- 
-- allow $1 nslcd_t:process { ptrace signal_perms };
- ps_process_pattern($1, nslcd_t)
-+ allow $1 nslcd_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 nslcd_t:process ptrace;
-+ ')
- 
-+ # Allow nslcd_t to restart the apache service
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
- 
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, nslcd_conf_t)
- 
-- files_search_pids($1)
-- admin_pattern($1, nslcd_var_run_t)
-+ files_list_pids($1)
-+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
- ')
-diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..2c5b389 100644
---- a/nslcd.te
-+++ b/nslcd.te
-@@ -1,4 +1,4 @@
--policy_module(nslcd, 1.3.1)
-+policy_module(nslcd, 1.3.0)
- 
- ########################################
- #
-@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
- 
- ########################################
- #
--# Local policy
-+# nslcd local policy
- #
- 
--allow nslcd_t self:capability { setgid setuid dac_override };
--allow nslcd_t self:process signal;
--allow 
nslcd_t self:unix_stream_socket { accept listen };
-+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
-+allow nslcd_t self:process { setsched signal signull };
-+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
- 
- allow nslcd_t nslcd_conf_t:file read_file_perms;
- 
-@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
- 
- kernel_read_system_state(nslcd_t)
- 
-+dev_read_sysfs(nslcd_t)
-+
- corenet_all_recvfrom_unlabeled(nslcd_t)
- corenet_all_recvfrom_netlabel(nslcd_t)
--corenet_tcp_sendrecv_generic_if(nslcd_t)
--corenet_tcp_sendrecv_generic_node(nslcd_t)
--
--corenet_sendrecv_ldap_client_packets(nslcd_t)
- corenet_tcp_connect_ldap_port(nslcd_t)
--corenet_tcp_sendrecv_ldap_port(nslcd_t)
-+corenet_sendrecv_ldap_client_packets(nslcd_t)
- 
- files_read_usr_symlinks(nslcd_t)
- files_list_tmp(nslcd_t)
-@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
- 
- logging_send_syslog_msg(nslcd_t)
- 
--miscfiles_read_localization(nslcd_t)
- 
- userdom_read_user_tmp_files(nslcd_t)
- 
- optional_policy(`
-+ dirsrv_stream_connect(nslcd_t)
-+')
-+
-+optional_policy(`
- ldap_stream_connect(nslcd_t)
- ')
-+
-diff --git a/nsplugin.fc b/nsplugin.fc
-new file mode 100644
-index 0000000..22e6c96
---- /dev/null
-+++ b/nsplugin.fc
-@@ -0,0 +1,11 @@
-+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.icedteaplugin(/.*)? 
gen_context(system_u:object_r:nsplugin_home_t,s0)
-+
-+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
-+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff --git a/nsplugin.if b/nsplugin.if
-new file mode 100644
-index 0000000..16f4789
---- /dev/null
-+++ b/nsplugin.if
-@@ -0,0 +1,474 @@
-+
-+## policy for nsplugin
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_rw_files',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ allow $1 nsplugin_rw_t:file manage_file_perms;
-+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+##
-+## Manage nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_rw',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+')
-+
-+#######################################
-+##
-+## The per role template for the nsplugin module.
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain. 
-+##
-+##
-+#
-+interface(`nsplugin_role_notrans',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ type nsplugin_home_t;
-+ type nsplugin_exec_t;
-+ type nsplugin_config_exec_t;
-+ type nsplugin_t;
-+ type nsplugin_config_t;
-+ class x_drawable all_x_drawable_perms;
-+ class x_resource all_x_resource_perms;
-+ class dbus send_msg;
-+ ')
-+
-+ role $1 types nsplugin_t;
-+ role $1 types nsplugin_config_t;
-+
-+ allow nsplugin_t $2:process signull;
-+ allow nsplugin_t $2:dbus send_msg;
-+ allow $2 nsplugin_t:dbus send_msg;
-+
-+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
-+ can_exec($2, nsplugin_rw_t)
-+
-+ #Leaked File Descriptors
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
-+')
-+ allow nsplugin_t $2:unix_stream_socket connectto;
-+ dontaudit nsplugin_t $2:process ptrace;
-+ allow nsplugin_t $2:sem rw_sem_perms;
-+ allow nsplugin_t $2:shm rw_shm_perms;
-+ dontaudit nsplugin_t $2:shm destroy;
-+ allow $2 nsplugin_t:sem rw_sem_perms;
-+
-+ allow $2 nsplugin_t:process { getattr signal_perms };
-+ allow $2 nsplugin_t:unix_stream_socket connectto;
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
-+ optional_policy(`
-+ gnome_stream_connect(nsplugin_t, $2)
-+ ')
-+
-+ userdom_use_inherited_user_terminals(nsplugin_t)
-+ userdom_use_inherited_user_terminals(nsplugin_config_t)
-+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
-+ userdom_manage_tmpfs_role($1, nsplugin_t)
-+
-+ optional_policy(`
-+ pulseaudio_role($1, nsplugin_t)
-+ ')
-+')
-+
-+#######################################
-+##
-+## Role access for nsplugin
-+##
-+##
-+##
-+## The role associated with the user domain.
-+##
-+##
-+##
-+##
-+## The type of the user domain. 
-+##
-+##
-+#
-+interface(`nsplugin_role',`
-+ gen_require(`
-+ type nsplugin_exec_t;
-+ type nsplugin_config_exec_t;
-+ type nsplugin_t;
-+ type nsplugin_config_t;
-+ ')
-+
-+ nsplugin_role_notrans($1, $2)
-+
-+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
-+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
-+
-+')
-+
-+#######################################
-+##
-+## The per role template for the nsplugin module.
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`nsplugin_domtrans',`
-+ gen_require(`
-+ type nsplugin_exec_t;
-+ type nsplugin_t;
-+ ')
-+
-+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
-+ allow $1 nsplugin_t:unix_stream_socket connectto;
-+ allow nsplugin_t $1:process signal;
-+')
-+
-+#######################################
-+##
-+## The per role template for the nsplugin module.
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`nsplugin_domtrans_config',`
-+ gen_require(`
-+ type nsplugin_config_exec_t;
-+ type nsplugin_config_t;
-+ ')
-+
-+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
-+')
-+
-+########################################
-+##
-+## Search nsplugin rw directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_search_rw_dir',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ allow $1 nsplugin_rw_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_read_rw_files',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
-+')
-+
-+########################################
-+##
-+## Read nsplugin home files.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`nsplugin_read_home',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+')
-+
-+########################################
-+##
-+## Exec nsplugin rw files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_rw_exec',`
-+ gen_require(`
-+ type nsplugin_rw_t;
-+ ')
-+
-+ can_exec($1, nsplugin_rw_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## nsplugin home files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_home_files',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+')
-+
-+########################################
-+##
-+## manage nnsplugin home dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_manage_home_dirs',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
-+')
-+
-+########################################
-+##
-+## Allow attempts to read and write to
-+## nsplugin named pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`nsplugin_rw_pipes',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write to nsplugin shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_rw_shm',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:shm rw_shm_perms;
-+')
-+
-+#####################################
-+##
-+## Allow read and write access to nsplugin semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_rw_semaphores',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:sem rw_sem_perms;
-+')
-+
-+########################################
-+##
-+## Execute nsplugin_exec_t
-+## in the specified domain.
-+##
-+##
-+##

    -+## Execute a nsplugin_exec_t -+## in the specified domain. -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the new process.
-+##
-+##
-+#
-+interface(`nsplugin_exec_domtrans',`
-+ gen_require(`
-+ type nsplugin_exec_t;
-+ ')
-+
-+ allow $2 nsplugin_exec_t:file entrypoint;
-+ domtrans_pattern($1, nsplugin_exec_t, $2)
-+')
-+
-+########################################
-+##
-+## Send generic signals to user nsplugin processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_signal',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:process signal;
-+')
-+
-+########################################
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the nsplugin home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`nsplugin_user_home_dir_filetrans',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
-+')
-+
-+#######################################
-+##
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## the nsplugin home file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The class of the object to be created.
-+##
-+##
-+#
-+interface(`nsplugin_user_home_filetrans',`
-+ gen_require(`
-+ type nsplugin_home_t;
-+ ')
-+
-+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
-+')
-+
-+########################################
-+##
-+## Send signull signal to nsplugin
-+## processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`nsplugin_signull',`
-+ gen_require(`
-+ type nsplugin_t;
-+ ')
-+
-+ allow $1 nsplugin_t:process signull;
-+')
-diff --git a/nsplugin.te b/nsplugin.te
-new file mode 100644
-index 0000000..7d839fe
---- /dev/null
-+++ b/nsplugin.te
-@@ -0,0 +1,318 @@
-+policy_module(nsplugin, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##

    -+## Allow nsplugin code to execmem/execstack -+##

    -+##
    -+gen_tunable(nsplugin_execmem, false) -+ -+## -+##

    -+## Allow nsplugin code to connect to unreserved ports -+##

    -+##
-+gen_tunable(nsplugin_can_network, true)
-+
-+type nsplugin_exec_t;
-+application_executable_file(nsplugin_exec_t)
-+
-+type nsplugin_config_exec_t;
-+application_executable_file(nsplugin_config_exec_t)
-+
-+type nsplugin_rw_t;
-+files_poly_member(nsplugin_rw_t)
-+files_type(nsplugin_rw_t)
-+
-+type nsplugin_tmp_t;
-+files_tmp_file(nsplugin_tmp_t)
-+
-+type nsplugin_home_t;
-+files_poly_member(nsplugin_home_t)
-+userdom_user_home_content(nsplugin_home_t)
-+typealias nsplugin_home_t alias user_nsplugin_home_t;
-+
-+type nsplugin_t;
-+application_domain(nsplugin_t, nsplugin_exec_t)
-+
-+type nsplugin_config_t;
-+domain_type(nsplugin_config_t)
-+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
-+
-+########################################
-+#
-+# nsplugin local policy
-+#
-+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
-+allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
-+
-+allow nsplugin_t self:sem create_sem_perms;
-+allow nsplugin_t self:shm create_shm_perms;
-+allow nsplugin_t self:msgq create_msgq_perms;
-+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
-+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
-+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
-+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
-+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
-+
-+tunable_policy(`nsplugin_execmem',`
-+ allow nsplugin_t self:process { execstack execmem };
-+ allow nsplugin_config_t self:process { execstack execmem };
-+')
-+
-+tunable_policy(`nsplugin_can_network',`
-+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
-+ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
-+')
-+
-+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
-+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
-+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
-+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
-+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
-+userdom_dontaudit_search_admin_dir(nsplugin_t)
-+
-+corecmd_exec_bin(nsplugin_t)
-+corecmd_exec_shell(nsplugin_t)
-+
-+corenet_all_recvfrom_netlabel(nsplugin_t)
-+corenet_tcp_connect_flash_port(nsplugin_t)
-+corenet_tcp_connect_ms_streaming_port(nsplugin_t)
-+corenet_tcp_connect_rtsp_port(nsplugin_t)
-+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
-+corenet_tcp_connect_http_port(nsplugin_t)
-+corenet_tcp_connect_http_cache_port(nsplugin_t)
-+corenet_tcp_connect_squid_port(nsplugin_t)
-+corenet_tcp_sendrecv_generic_if(nsplugin_t)
-+corenet_tcp_sendrecv_generic_node(nsplugin_t)
-+corenet_tcp_connect_ipp_port(nsplugin_t)
-+corenet_tcp_connect_speech_port(nsplugin_t)
-+
-+domain_dontaudit_read_all_domains_state(nsplugin_t)
-+
-+dev_read_urand(nsplugin_t)
-+dev_read_rand(nsplugin_t)
-+dev_read_sound(nsplugin_t)
-+dev_write_sound(nsplugin_t)
-+dev_read_video_dev(nsplugin_t)
-+dev_write_video_dev(nsplugin_t)
-+dev_getattr_dri_dev(nsplugin_t)
-+dev_getattr_mouse_dev(nsplugin_t)
-+dev_rwx_zero(nsplugin_t)
-+dev_read_sysfs(nsplugin_t)
-+dev_dontaudit_getattr_all(nsplugin_t)
-+
-+kernel_read_kernel_sysctls(nsplugin_t)
-+kernel_read_system_state(nsplugin_t)
-+kernel_read_network_state(nsplugin_t)
-+
-+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
-+files_dontaudit_list_home(nsplugin_t)
-+files_read_config_files(nsplugin_t)
-+
-+fs_getattr_tmpfs(nsplugin_t)
-+fs_getattr_xattr_fs(nsplugin_t)
-+fs_search_auto_mountpoints(nsplugin_t)
-+fs_rw_anon_inodefs_files(nsplugin_t)
-+fs_list_inotifyfs(nsplugin_t)
-+fs_dontaudit_list_fusefs(nsplugin_t)
-+
-+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
-+storage_dontaudit_getattr_removable_dev(nsplugin_t)
-+
-+term_dontaudit_getattr_all_ptys(nsplugin_t)
-+term_dontaudit_getattr_all_ttys(nsplugin_t)
-+
-+auth_use_nsswitch(nsplugin_t)
-+
-+libs_exec_ld_so(nsplugin_t)
-+
-+miscfiles_read_fonts(nsplugin_t)
-+miscfiles_dontaudit_write_fonts(nsplugin_t)
-+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
-+
-+userdom_manage_user_tmp_dirs(nsplugin_t)
-+userdom_manage_user_tmp_files(nsplugin_t)
-+userdom_manage_user_tmp_sockets(nsplugin_t)
-+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
-+userdom_rw_semaphores(nsplugin_t)
-+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
-+
-+userdom_read_user_home_content_symlinks(nsplugin_t)
-+userdom_read_user_home_content_files(nsplugin_t)
-+userdom_read_user_tmp_files(nsplugin_t)
-+userdom_write_user_tmp_sockets(nsplugin_t)
-+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
-+userdom_read_home_audio_files(nsplugin_t)
-+
-+optional_policy(`
-+ alsa_read_rw_config(nsplugin_t)
-+ alsa_read_home_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ cups_stream_connect(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ dbus_session_bus_client(nsplugin_t)
-+ dbus_connect_session_bus(nsplugin_t)
-+ dbus_system_bus_client(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ gnome_exec_gconf(nsplugin_t)
-+ gnome_manage_config(nsplugin_t)
-+ gnome_read_gconf_home_files(nsplugin_t)
-+ gnome_read_usr_config(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ gpm_getattr_gpmctl(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ mozilla_exec_user_home_files(nsplugin_t)
-+ mozilla_read_user_home_files(nsplugin_t)
-+ mozilla_write_user_home_files(nsplugin_t)
-+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ mplayer_exec(nsplugin_t)
-+ mplayer_read_user_home_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ sandbox_read_tmpfs_files(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type user_tmpfs_t;
-+ ')
-+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
-+ xserver_rw_shm(nsplugin_t)
-+ xserver_read_xdm_pid(nsplugin_t)
-+ xserver_read_xdm_tmp_files(nsplugin_t)
-+ xserver_read_user_xauth(nsplugin_t)
-+ xserver_read_user_iceauth(nsplugin_t)
-+ xserver_use_user_fonts(nsplugin_t)
-+ xserver_rw_inherited_user_fonts(nsplugin_t)
-+')
-+
-+########################################
-+#
-+# nsplugin_config local policy
-+#
-+
-+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
-+#execing pulseaudio
-+dontaudit nsplugin_t self:process { getcap setcap };
-+
-+allow nsplugin_config_t self:fifo_file rw_file_perms;
-+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+
-+dev_search_sysfs(nsplugin_config_t)
-+dev_read_urand(nsplugin_config_t)
-+dev_dontaudit_read_rand(nsplugin_config_t)
-+dev_dontaudit_rw_dri(nsplugin_config_t)
-+
-+fs_search_auto_mountpoints(nsplugin_config_t)
-+fs_list_inotifyfs(nsplugin_config_t)
-+
-+can_exec(nsplugin_config_t, nsplugin_rw_t)
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+
-+corecmd_exec_bin(nsplugin_config_t)
-+corecmd_exec_shell(nsplugin_config_t)
-+
-+kernel_read_system_state(nsplugin_config_t)
-+kernel_request_load_module(nsplugin_config_t)
-+
-+domain_use_interactive_fds(nsplugin_config_t)
-+
-+files_dontaudit_search_home(nsplugin_config_t)
-+files_list_tmp(nsplugin_config_t)
-+
-+auth_use_nsswitch(nsplugin_config_t)
-+
-+miscfiles_read_fonts(nsplugin_config_t)
-+
-+userdom_search_user_home_content(nsplugin_config_t)
-+userdom_read_user_home_content_symlinks(nsplugin_config_t)
-+userdom_read_user_home_content_files(nsplugin_config_t)
-+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(nsplugin_t)
-+ fs_manage_nfs_dirs(nsplugin_t)
-+ fs_manage_nfs_files(nsplugin_t)
-+ fs_manage_nfs_symlinks(nsplugin_t)
-+ fs_manage_nfs_named_pipes(nsplugin_t)
-+ fs_manage_nfs_dirs(nsplugin_config_t)
-+ fs_manage_nfs_files(nsplugin_config_t)
-+ fs_manage_nfs_named_pipes(nsplugin_config_t)
-+ fs_manage_nfs_symlinks(nsplugin_config_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_getattr_cifs(nsplugin_t)
-+ fs_manage_cifs_dirs(nsplugin_t)
-+ fs_manage_cifs_files(nsplugin_t)
-+ fs_manage_cifs_symlinks(nsplugin_t)
-+ fs_manage_cifs_named_pipes(nsplugin_t)
-+ fs_manage_cifs_dirs(nsplugin_config_t)
-+ fs_manage_cifs_files(nsplugin_config_t)
-+ fs_manage_cifs_named_pipes(nsplugin_config_t)
-+ fs_manage_cifs_symlinks(nsplugin_config_t)
-+')
-+
-+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
-+
-+optional_policy(`
-+ xserver_use_user_fonts(nsplugin_config_t)
-+')
-+
-+optional_policy(`
-+ mozilla_read_user_home_files(nsplugin_config_t)
-+ mozilla_write_user_home_files(nsplugin_config_t)
-+')
-+
-+application_signull(nsplugin_t)
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(nsplugin_t)
-+')
-+
-+optional_policy(`
-+ pulseaudio_exec(nsplugin_t)
-+ pulseaudio_stream_connect(nsplugin_t)
-+ pulseaudio_manage_home_files(nsplugin_t)
-+ pulseaudio_setattr_home_dir(nsplugin_t)
-+')
-diff --git a/ntop.te b/ntop.te
-index 52757d8..0f7f5e4 100644
---- a/ntop.te
-+++ b/ntop.te
-@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
- dontaudit ntop_t self:capability sys_tty_config;
- allow ntop_t self:process signal_perms;
- allow ntop_t self:fifo_file rw_fifo_file_perms;
-+allow ntop_t self:netlink_socket create_socket_perms;
- allow ntop_t self:tcp_socket { accept listen };
- allow ntop_t self:unix_stream_socket { accept listen };
- allow ntop_t self:packet_socket create_socket_perms;
-@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
- kernel_read_network_state(ntop_t)
- kernel_read_kernel_sysctls(ntop_t)
- 
--corenet_all_recvfrom_unlabeled(ntop_t)
- corenet_all_recvfrom_netlabel(ntop_t)
- corenet_tcp_sendrecv_generic_if(ntop_t)
- corenet_raw_sendrecv_generic_if(ntop_t)
-@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
- 
- dev_read_sysfs(ntop_t)
- dev_rw_generic_usb_dev(ntop_t)
-+dev_read_usbmon_dev(ntop_t)
-+dev_write_usbmon_dev(ntop_t)
- 
- domain_use_interactive_fds(ntop_t)
- 
--files_read_usr_files(ntop_t)
- 
- fs_getattr_all_fs(ntop_t)
- fs_search_auto_mountpoints(ntop_t)
-diff --git a/ntp.fc b/ntp.fc
-index af3c91e..6882a3f 100644
---- a/ntp.fc
-+++ b/ntp.fc
-@@ -13,6 +13,8 @@
- /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
- /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
- 
-+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-+
- /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- 
-diff --git a/ntp.if b/ntp.if
-index b59196f..017b36f 100644
---- a/ntp.if
-+++ b/ntp.if
-@@ -1,4 +1,4 @@
--## Network time protocol daemon.
-+## Network time protocol daemon - - ######################################## - ## -@@ -37,6 +37,25 @@ interface(`ntp_domtrans',` - - ######################################## - ## -+## Execute ntp server in the caller domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ntp_exec',` -+ gen_require(` -+ type ntpd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, ntpd_exec_t) -+') -+ -+######################################## -+## - ## Execute ntp in the ntp domain, and - ## allow the specified role the ntp domain. - ## -@@ -54,11 +73,11 @@ interface(`ntp_domtrans',` - # - interface(`ntp_run',` - gen_require(` -- attribute_role ntpd_roles; -+ type ntpd_t; - ') - - ntp_domtrans($1) -- roleattribute $2 ntpd_roles; -+ role $2 types ntpd_t; - ') - - ######################################## -@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',` - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - ') - -+##################################### -+## -+## Allow domain to read ntpd systemd unit files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ntp_read_unit_file',` -+ gen_require(` -+ type ntpd_unit_file_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 ntpd_unit_file_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Execute ntpd server in the ntpd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ntp_systemctl',` -+ gen_require(` -+ type ntpd_unit_file_t; -+ type ntpd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 ntpd_unit_file_t:file read_file_perms; -+ allow $1 ntpd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ntpd_t) -+') -+ - ######################################## - ## - ## Read and write ntpd shared memory. -@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',` - - ######################################## - ## --## All of the rules required to --## administrate an ntp environment. 
-+## Allow the domain to read ntpd state files in /proc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ntp_read_state',` -+ gen_require(` -+ type ntpd_t; -+ ') -+ -+ kernel_search_proc($1) -+ ps_process_pattern($1, ntpd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ntp environment - ## - ## - ## -@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the ntp domain. - ## - ## - ## -@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',` - interface(`ntp_admin',` - gen_require(` - type ntpd_t, ntpd_tmp_t, ntpd_log_t; -- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t; -- type ntpd_initrc_exec_t, ntp_drift_t; -+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; -+ type ntpd_unit_file_t; - ') - -- allow $1 ntpd_t:process { ptrace signal_perms }; -+ allow $1 ntpd_t:process signal_perms; - ps_process_pattern($1, ntpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ntpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ntpd_initrc_exec_t system_r; - allow $2 system_r; - -- files_list_etc($1) -- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }) -+ admin_pattern($1, ntpd_key_t) - - logging_list_logs($1) - admin_pattern($1, ntpd_log_t) -@@ -164,5 +246,28 @@ interface(`ntp_admin',` - files_list_pids($1) - admin_pattern($1, ntpd_var_run_t) - -- ntp_run($1, $2) -+ ntp_systemctl($1) -+ admin_pattern($1, ntpd_unit_file_t) -+ allow $1 ntpd_unit_file_t:service all_service_perms; -+ -+ ntp_filetrans_named_content($1) -+') -+ -+######################################## -+## -+## Transition content labels to ntp named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`ntp_filetrans_named_content',` -+ gen_require(` -+ type ntp_conf_t; -+ ') -+ -+ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") -+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp") - ') -diff --git a/ntp.te b/ntp.te -index b90e343..8369b61 100644 ---- a/ntp.te -+++ b/ntp.te -@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; - type ntpd_initrc_exec_t; - init_script_file(ntpd_initrc_exec_t) - -+type ntpd_unit_file_t; -+systemd_unit_file(ntpd_unit_file_t) -+ - type ntp_conf_t; - files_config_file(ntp_conf_t) - -@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - - allow ntpd_t ntpd_log_t:dir setattr_dir_perms; --append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) --create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) --setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) - logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) - - manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t) - kernel_read_network_state(ntpd_t) - kernel_request_load_module(ntpd_t) - --corenet_all_recvfrom_unlabeled(ntpd_t) - corenet_all_recvfrom_netlabel(ntpd_t) - corenet_tcp_sendrecv_generic_if(ntpd_t) - corenet_udp_sendrecv_generic_if(ntpd_t) - corenet_tcp_sendrecv_generic_node(ntpd_t) - corenet_udp_sendrecv_generic_node(ntpd_t) - corenet_udp_bind_generic_node(ntpd_t) -- --corenet_sendrecv_ntp_server_packets(ntpd_t) - corenet_udp_bind_ntp_port(ntpd_t) --corenet_udp_sendrecv_ntp_port(ntpd_t) -- --corenet_sendrecv_ntp_client_packets(ntpd_t) - corenet_tcp_connect_ntp_port(ntpd_t) --corenet_tcp_sendrecv_ntp_port(ntpd_t) -+corenet_sendrecv_ntp_server_packets(ntpd_t) -+corenet_sendrecv_ntp_client_packets(ntpd_t) - - corecmd_exec_bin(ntpd_t) - corecmd_exec_shell(ntpd_t) -@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t) - domain_dontaudit_list_all_domains_state(ntpd_t) - - 
files_read_etc_runtime_files(ntpd_t) --files_read_usr_files(ntpd_t) - files_list_var_lib(ntpd_t) - - fs_getattr_all_fs(ntpd_t) - fs_search_auto_mountpoints(ntpd_t) -+# Necessary to communicate with gpsd devices -+fs_rw_tmpfs_files(ntpd_t) - - term_use_ptmx(ntpd_t) -+term_use_unallocated_ttys(ntpd_t) - - auth_use_nsswitch(ntpd_t) - -@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t) - - logging_send_syslog_msg(ntpd_t) - --miscfiles_read_localization(ntpd_t) -- - userdom_dontaudit_use_unpriv_user_fds(ntpd_t) - userdom_list_user_home_dirs(ntpd_t) - -diff --git a/numad.fc b/numad.fc -index 3488bb0..1f97624 100644 ---- a/numad.fc -+++ b/numad.fc -@@ -1,7 +1,7 @@ --/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0) -+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) - --/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) -+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0) - --/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0) -+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0) - --/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) -+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) -diff --git a/numad.if b/numad.if -index 0d3c270..709dda1 100644 ---- a/numad.if -+++ b/numad.if -@@ -1,39 +1,72 @@ --## Non-Uniform Memory Alignment Daemon. - -+## policy for numad -+ -+######################################## -+## -+## Transition to numad. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`numad_domtrans',` -+ gen_require(` -+ type numad_t, numad_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, numad_exec_t, numad_t) -+') - ######################################## - ## --## All of the rules required to --## administrate an numad environment. -+## Execute numad server in the numad domain. - ## - ## - ## --## Domain allowed access. 
-+## Domain allowed to transition. - ## - ## --## -+# -+interface(`numad_systemctl',` -+ gen_require(` -+ type numad_t; -+ type numad_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 numad_unit_file_t:file read_file_perms; -+ allow $1 numad_unit_file_t:service all_service_perms; -+ -+ ps_process_pattern($1, numad_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an numad environment -+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # - interface(`numad_admin',` - gen_require(` -- type numad_t, numad_initrc_exec_t, numad_log_t; -- type numad_var_run_t; -+ type numad_t; -+ type numad_unit_file_t; - ') - - allow $1 numad_t:process { ptrace signal_perms }; - ps_process_pattern($1, numad_t) - -- init_labeled_script_domtrans($1, numad_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 numad_initrc_exec_t system_r; -- allow $2 system_r; -- -- logging_search_logs($1) -- admin_pattern($1, numad_log_t) -- -- files_search_pids($1) -- admin_pattern($1, numad_var_run_t) -+ numad_systemctl($1) -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/numad.te b/numad.te -index f5d145d..97e1148 100644 ---- a/numad.te -+++ b/numad.te -@@ -1,4 +1,4 @@ --policy_module(numad, 1.0.3) -+policy_module(numad, 1.0.0) - - ######################################## - # -@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3) - type numad_t; - type numad_exec_t; - init_daemon_domain(numad_t, numad_exec_t) --application_executable_file(numad_exec_t) - --type numad_initrc_exec_t; --init_script_file(numad_initrc_exec_t) -+type numad_unit_file_t; -+systemd_unit_file(numad_unit_file_t) - --type numad_log_t; --logging_log_file(numad_log_t) -+type numad_var_log_t; -+logging_log_file(numad_var_log_t) - - type numad_var_run_t; - files_pid_file(numad_var_run_t) - - 
######################################## - # --# Local policy -+# numad local policy - # - -+allow numad_t self:capability sys_ptrace; - allow numad_t self:fifo_file rw_fifo_file_perms; --allow numad_t self:msg { send receive }; - allow numad_t self:msgq create_msgq_perms; -+allow numad_t self:msg { send receive }; - allow numad_t self:unix_stream_socket create_stream_socket_perms; - --allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms }; --logging_log_filetrans(numad_t, numad_log_t, file) -+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) -+logging_log_filetrans(numad_t, numad_var_log_t, file) - - manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) - files_pid_filetrans(numad_t, numad_var_run_t, file) -@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t) - - dev_read_sysfs(numad_t) - --files_read_etc_files(numad_t) -+domain_use_interactive_fds(numad_t) -+domain_read_all_domains_state(numad_t) -+domain_setpriority_all_domains(numad_t) -+ -+fs_manage_cgroup_dirs(numad_t) -+fs_rw_cgroup_files(numad_t) - --miscfiles_read_localization(numad_t) -+tunable_policy(`deny_ptrace',`',` -+ virt_ptrace(numad_t) -+') -diff --git a/nut.fc b/nut.fc -index 379af96..41ff159 100644 ---- a/nut.fc -+++ b/nut.fc -@@ -1,23 +1,16 @@ --/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) --/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) -+/etc/ups(/.*)? 
gen_context(system_u:object_r:nut_conf_t,s0) - --/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) --/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) -- --/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) - /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) --/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - --/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) --/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) --/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0) - - /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) - /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) --/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) -+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - - /var/run/nut(/.*)? 
gen_context(system_u:object_r:nut_var_run_t,s0) - --/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) --/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) --/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -diff --git a/nut.if b/nut.if -index 57c0161..54bd4d7 100644 ---- a/nut.if -+++ b/nut.if -@@ -1,39 +1,24 @@ --## Network UPS Tools -+## nut - Network UPS Tools - --######################################## -+####################################### - ## --## All of the rules required to --## administrate an nut environment. -+## Execute swift server in the swift domain. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed to transition. -+## - ## --## --## --## Role allowed access. 
--## --## --## - # --interface(`nut_admin',` -- gen_require(` -- attribute nut_domain; -- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; -- ') -- -- allow $1 nut_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, nut_domain_t) -- -- init_labeled_script_domtrans($1, nut_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 nut_initrc_exec_t system_r; -- allow $2 system_r; -+interface(`nut_systemctl',` -+ gen_require(` -+ type nut_t; -+ type nut_unit_file_t; -+ ') - -- files_search_etc($1) -- admin_pattern($1, nut_conf_t) -+ systemd_exec_systemctl($1) -+ allow $1 nut_unit_file_t:file read_file_perms; -+ allow $1 nut_unit_file_t:service manage_service_perms; - -- files_search_pids($1) -- admin_pattern($1, nut_var_run_t) -+ ps_process_pattern($1, swift_t) - ') -diff --git a/nut.te b/nut.te -index 0c9deb7..76988d6 100644 ---- a/nut.te -+++ b/nut.te -@@ -1,4 +1,4 @@ --policy_module(nut, 1.2.4) -+policy_module(nut, 1.2.0) - - ######################################## - # -@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain; - type nut_upsdrvctl_exec_t; - init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - --type nut_initrc_exec_t; --init_script_file(nut_initrc_exec_t) -- - type nut_var_run_t; - files_pid_file(nut_var_run_t) --init_daemon_run_dir(nut_var_run_t, "nut") - --######################################## -+type nut_unit_file_t; -+systemd_unit_file(nut_unit_file_t) -+ -+####################################### - # --# Common nut domain local policy -+# Local policy for upsd - # - --allow nut_domain self:capability { setgid setuid dac_override kill }; --allow nut_domain self:process signal_perms; --allow nut_domain self:fifo_file rw_fifo_file_perms; --allow nut_domain self:unix_dgram_socket sendto; -- --allow nut_domain nut_conf_t:dir list_dir_perms; --allow nut_domain nut_conf_t:file read_file_perms; --allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; -- --manage_files_pattern(nut_domain, nut_var_run_t, 
nut_var_run_t) --manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) --files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) -- --kernel_read_kernel_sysctls(nut_domain) -- --logging_send_syslog_msg(nut_domain) -- --miscfiles_read_localization(nut_domain) -+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; - - ######################################## - # --# Upsd local policy -+# Local policy for upsd - # - --allow nut_upsd_t self:tcp_socket { accept listen }; -+allow nut_upsd_t self:capability { setgid setuid dac_override }; -+allow nut_upsd_t self:process signal_perms; - --manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) --files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) -+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; - --stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) -+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; - --corenet_all_recvfrom_unlabeled(nut_upsd_t) --corenet_all_recvfrom_netlabel(nut_upsd_t) --corenet_tcp_sendrecv_generic_if(nut_upsd_t) --corenet_tcp_sendrecv_generic_node(nut_upsd_t) --corenet_tcp_sendrecv_all_ports(nut_upsd_t) --corenet_tcp_bind_generic_node(nut_upsd_t) -+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - --corenet_sendrecv_ups_server_packets(nut_upsd_t) --corenet_tcp_bind_ups_port(nut_upsd_t) -+# pid file -+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) - --corenet_sendrecv_generic_server_packets(nut_upsd_t) --corenet_tcp_bind_generic_port(nut_upsd_t) -+kernel_read_kernel_sysctls(nut_upsd_t) - --files_read_usr_files(nut_upsd_t) -+corenet_tcp_bind_ups_port(nut_upsd_t) 
-+corenet_tcp_bind_generic_port(nut_upsd_t) -+corenet_tcp_bind_all_nodes(nut_upsd_t) - - auth_use_nsswitch(nut_upsd_t) - -+logging_send_syslog_msg(nut_upsd_t) -+ - ######################################## - # --# Upsmon local policy -+# Local policy for upsmon - # - --allow nut_upsmon_t self:capability dac_read_search; --allow nut_upsmon_t self:unix_stream_socket connectto; -+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; -+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; -+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -+allow nut_upsmon_t self:tcp_socket create_socket_perms; -+ -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) - -+# pid file -+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) -+ -+kernel_read_kernel_sysctls(nut_upsmon_t) - kernel_read_system_state(nut_upsmon_t) - - corecmd_exec_bin(nut_upsmon_t) - corecmd_exec_shell(nut_upsmon_t) - --corenet_all_recvfrom_unlabeled(nut_upsmon_t) --corenet_all_recvfrom_netlabel(nut_upsmon_t) --corenet_tcp_sendrecv_generic_if(nut_upsmon_t) --corenet_tcp_sendrecv_generic_node(nut_upsmon_t) --corenet_tcp_sendrecv_all_ports(nut_upsmon_t) --corenet_tcp_bind_generic_node(nut_upsmon_t) -- --corenet_sendrecv_ups_client_packets(nut_upsmon_t) - corenet_tcp_connect_ups_port(nut_upsmon_t) -- --corenet_sendrecv_generic_client_packets(nut_upsmon_t) - corenet_tcp_connect_generic_port(nut_upsmon_t) - -+# Creates /etc/killpower - files_manage_etc_runtime_files(nut_upsmon_t) - files_etc_filetrans_etc_runtime(nut_upsmon_t, file) - files_search_usr(nut_upsmon_t) - -+# /usr/bin/wall - term_write_all_terms(nut_upsmon_t) - -+# upsmon runs shutdown, probably need a shutdown domain -+init_rw_utmp(nut_upsmon_t) -+init_telinit(nut_upsmon_t) -+ 
-+logging_send_syslog_msg(nut_upsmon_t) -+ - auth_use_nsswitch(nut_upsmon_t) - - mta_send_mail(nut_upsmon_t) - -+systemd_start_power_services(nut_upsmon_t) -+ - optional_policy(` - shutdown_domtrans(nut_upsmon_t) - ') - - ######################################## - # --# Upsdrvctl local policy -+# Local policy for upsdrvctl - # - -+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; -+allow nut_upsdrvctl_t self:process { sigchld signal signull }; - allow nut_upsdrvctl_t self:fd use; -+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; -+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsdrvctl_t self:udp_socket create_socket_perms; -+ -+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - -+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) -+ -+# pid file -+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) - manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) --files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) -+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) -+ -+kernel_read_kernel_sysctls(nut_upsdrvctl_t) - -+# /sbin/upsdrvctl executes other drivers - corecmd_exec_bin(nut_upsdrvctl_t) - - dev_read_sysfs(nut_upsdrvctl_t) -@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t) - dev_rw_generic_usb_dev(nut_upsdrvctl_t) - - term_use_unallocated_ttys(nut_upsdrvctl_t) -+term_use_usb_ttys(nut_upsdrvctl_t) - - auth_use_nsswitch(nut_upsdrvctl_t) - - init_sigchld(nut_upsdrvctl_t) - -+logging_send_syslog_msg(nut_upsdrvctl_t) -+ -+ - ####################################### - # --# Cgi local policy -+# Local policy for upscgi scripts -+# requires httpd_enable_cgi and httpd_can_network_connect - # - - optional_policy(` - apache_content_template(nutups_cgi) - -- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms; -- allow httpd_nutups_cgi_script_t 
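Review bot: The first heading in this hunk is changed to `# Local policy for upsd` although the single rule left under it, `allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;`, is granted to the whole `nut_domain` attribute, and the identical heading is repeated a few lines later for the actual upsd rules; keep the first one as `# Common nut domain local policy` so an attribute-wide grant is not read as upsd-only. Further down, the comment `# upsmon runs shutdown, probably need a shutdown domain` is placed beside `init_telinit(nut_upsmon_t)` while an `optional_policy(\` shutdown_domtrans(nut_upsmon_t) ')` block already follows; the comment should state the intended relationship rather than a guess, for example `# shutdown goes through shutdown_domtrans when that module is present; telinit covers the case where it is not` — if that is the intent, which the hunk does not say. The per-domain sections also drop the `corenet_*_sendrecv_*` and `corenet_sendrecv_*_packets` rules the removed common and upsd/upsmon sections carried; unless those are granted elsewhere, confirm on a system with labeled packets that upsd can still accept on the ups port.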
nut_conf_t:file read_file_perms; -- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms; -+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) -+ -+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) -+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) -+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) -+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) -+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) -+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) -+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) -+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) - - sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) - ') -diff --git a/nx.if b/nx.if -index 251d681..50ae2a9 100644 ---- a/nx.if -+++ b/nx.if -@@ -35,7 +35,9 @@ interface(`nx_read_home_files',` - ') - - files_search_var_lib($1) -- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t) -+ allow $1 nx_server_var_lib_t:dir search_dir_perms; -+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) -+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) - ') - - ######################################## -@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',` - - filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) - ') -+ -+######################################## -+## -+## Transition to nx named content -+## -+## -+## -+## Domain allowed access. 
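Review bot: The CGI block grants `httpd_nutups_cgi_script_t` `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` (plus the generic if/node rules), while the only connect rule is `corenet_tcp_connect_ups_port`, so the script may exchange traffic on every labeled port although it only talks to upsd. Narrow the tcp rule to `corenet_tcp_sendrecv_ups_port(httpd_nutups_cgi_script_t)` and drop the three `corenet_udp_*` lines unless the CGIs actually use UDP. The new heading comment `# requires httpd_enable_cgi and httpd_can_network_connect` names booleans that nothing in the block tests; if the rules are meant to be effective only with those booleans on, say so, e.g. `# these rules are reachable only when the httpd_enable_cgi and httpd_can_network_connect booleans are on`.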
-+## -+## -+# -+interface(`nx_filetrans_named_content',` -+ gen_require(` -+ type nx_server_home_ssh_t, nx_server_var_lib_t; -+ ') -+ -+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") -+') -diff --git a/nx.te b/nx.te -index b1832ca..d181d03 100644 ---- a/nx.te -+++ b/nx.te -@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) - type nx_server_var_run_t; - files_pid_file(nx_server_var_run_t) - -+type nx_server_home_ssh_t; -+files_type(nx_server_home_ssh_t) -+ - ######################################## - # - # Local policy -@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) - manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) - files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) - -+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -+ - kernel_read_system_state(nx_server_t) - kernel_read_kernel_sysctls(nx_server_t) - - corecmd_exec_shell(nx_server_t) - corecmd_exec_bin(nx_server_t) - --corenet_all_recvfrom_unlabeled(nx_server_t) - corenet_all_recvfrom_netlabel(nx_server_t) - corenet_tcp_sendrecv_generic_if(nx_server_t) - corenet_tcp_sendrecv_generic_node(nx_server_t) -@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t) - - dev_read_urand(nx_server_t) - --files_read_etc_files(nx_server_t) - files_read_etc_runtime_files(nx_server_t) --files_read_usr_files(nx_server_t) -- --miscfiles_read_localization(nx_server_t) -- --seutil_dontaudit_search_config(nx_server_t) - - sysnet_read_config(nx_server_t) - -diff --git a/oav.te b/oav.te -index 75fdf58..1a9e754 100644 ---- a/oav.te -+++ b/oav.te -@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t) - domain_use_interactive_fds(scannerdaemon_t) - - files_exec_etc_files(scannerdaemon_t) --files_read_etc_files(scannerdaemon_t) - files_read_etc_runtime_files(scannerdaemon_t) - files_search_var_lib(scannerdaemon_t) 
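Review bot: `manage_dirs_pattern`/`manage_files_pattern(nx_server_t, nx_server_home_ssh_t, …)` is added, but nothing in this hunk makes `nx_server_t` create the `.ssh` directory with that label; the `nx_filetrans_named_content` interface added in nx.if does it via `filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")`, and no equivalent rule for `nx_server_t` is visible here. Unless it is granted elsewhere in nx.te, a `.ssh` directory the server creates under `nx_server_var_lib_t` keeps the parent label and the new manage rules never apply; add `filetrans_pattern(nx_server_t, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")` next to the manage rules, or a comment naming where the transition is granted.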
- -diff --git a/obex.fc b/obex.fc -index 03fa560..000c5fe 100644 ---- a/obex.fc -+++ b/obex.fc -@@ -1 +1 @@ --/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) -+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) -diff --git a/obex.if b/obex.if -index 8635ea2..eec20b4 100644 ---- a/obex.if -+++ b/obex.if -@@ -1,15 +1,50 @@ - ## D-Bus service providing high-level OBEX client and server side functionality. - --####################################### -+######################################## - ## --## The role template for obex. -+## Transition to obex. - ## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`obex_domtrans',` -+ gen_require(` -+ type obex_t, obex_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, obex_exec_t, obex_t) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## obex over dbus. -+## -+## -+## -+## Domain allowed access. -+## - ## -+# -+interface(`obex_dbus_chat',` -+ gen_require(` -+ type obex_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 obex_t:dbus send_msg; -+ allow obex_t $1:dbus send_msg; -+') -+ -+####################################### -+## -+## Role access for obex domains -+## that executes via dbus-session -+## - ## - ## - ## The role associated with the user domain. -@@ -20,69 +55,34 @@ - ## The type of the user domain. - ## - ## -+## -+## -+## User domain prefix to be used. 
-+## -+## - # --template(`obex_role_template',` -+template(`obex_role',` - gen_require(` - attribute_role obex_roles; -- type obex_t, obex_exec_exec_t; -+ type obex_t, obex_exec_t; - ') - - ######################################## -- # -+ # - # Declarations - # - -- roleattribute $2 obex_roles; -+ roleattribute $1 obex_roles; - - ######################################## -- # -+ # - # Policy -- # -- -- allow $3 obex_t:process { ptrace signal_perms }; -- ps_process_pattern($3, obex_t) -+ # - -- dbus_spec_session_domain($1, obex_exec_t, obex_t) -- -- obex_dbus_chat($3) --') -+ allow $2 obex_t:process signal_perms; -+ ps_process_pattern($2, obex_t) - --######################################## --## --## Execute obex in the obex domain. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`obex_domtrans',` -- gen_require(` -- type obex_t, obex_exec_t; -- ') -- -- corecmd_search_bin($1) -- domtrans_pattern($1, obex_exec_t, obex_t) --') -- --######################################## --## --## Send and receive messages from --## obex over dbus. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`obex_dbus_chat',` -- gen_require(` -- type obex_t; -- class dbus send_msg; -- ') -+ dbus_session_domain($3, obex_exec_t, obex_t) - -- allow $1 obex_t:dbus send_msg; -- allow obex_t $1:dbus send_msg; -+ obex_dbus_chat($2) - ') -diff --git a/obex.te b/obex.te -index cd29ea8..d01d2c8 100644 ---- a/obex.te -+++ b/obex.te -@@ -1,4 +1,4 @@ --policy_module(obex, 1.0.0) -+policy_module(obex,1.0.0) - - ######################################## - # -@@ -14,30 +14,26 @@ role obex_roles types obex_t; - - ######################################## - # --# Local policy -+# obex local policy - # - - allow obex_t self:fifo_file rw_fifo_file_perms; - allow obex_t self:socket create_stream_socket_perms; -+allow obex_t self:netlink_kobject_uevent_socket create_socket_perms; - --dev_read_urand(obex_t) -+kernel_request_load_module(obex_t) - --files_read_etc_files(obex_t) -+dev_read_urand(obex_t) - - logging_send_syslog_msg(obex_t) - --miscfiles_read_localization(obex_t) -- - userdom_search_user_home_content(obex_t) - - optional_policy(` -- bluetooth_stream_connect(obex_t) --') -- --optional_policy(` - dbus_system_bus_client(obex_t) - - optional_policy(` -+ bluetooth_stream_connect(obex_t) - bluetooth_dbus_chat(obex_t) - ') - ') -diff --git a/oddjob.fc b/oddjob.fc -index dd1d9ef..fbbe3ff 100644 ---- a/oddjob.fc -+++ b/oddjob.fc -@@ -1,10 +1,10 @@ --/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - --/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0) - -+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - /usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - --/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) --/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) 
-+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - --/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) -+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) -diff --git a/oddjob.if b/oddjob.if -index c87bd2a..7de054a 100644 ---- a/oddjob.if -+++ b/oddjob.if -@@ -1,4 +1,8 @@ --## D-BUS service which runs odd jobs on behalf of client applications. -+## -+## Oddjob provides a mechanism by which unprivileged applications can -+## request that specified privileged operations be performed on their -+## behalf. -+## - - ######################################## - ## -@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',` - type oddjob_t, oddjob_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, oddjob_exec_t, oddjob_t) - ') - -+##################################### -+## -+## Do not audit attempts to read and write -+## oddjob fifo file. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`oddjob_dontaudit_rw_fifo_file',` -+ gen_require(` -+ type oddjob_t; -+ ') -+ -+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ - ######################################## - ## --## Make the specified program domain --## accessable from the oddjob. -+## Make the specified program domain accessable -+## from the oddjob. - ## - ## - ## -@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',` - ') - - domtrans_pattern(oddjob_t, $2, $1) -+ domain_user_exemption_target($1) - ') - - ######################################## -@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',` - allow oddjob_t $1:dbus send_msg; - ') - --######################################## -+###################################### - ## --## Execute a domain transition to --## run oddjob mkhomedir. -+## Send a SIGCHLD signal to oddjob. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. 
- ## - ## - # -+interface(`oddjob_sigchld',` -+ gen_require(` -+ type oddjob_t; -+ ') -+ -+ allow $1 oddjob_t:process sigchld; -+') -+ -+######################################## -+## -+## Execute a domain transition to run oddjob_mkhomedir. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# - interface(`oddjob_domtrans_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - ') - - ######################################## - ## --## Execute oddjob mkhomedir in the --## oddjob mkhomedir domain and allow --## the specified role the oddjob --## mkhomedir domain. -+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. - ## - ## - ## -@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',` - # - interface(`oddjob_run_mkhomedir',` - gen_require(` -- attribute_role oddjob_mkhomedir_roles; -+ type oddjob_mkhomedir_t; - ') - - oddjob_domtrans_mkhomedir($1) -- roleattribute $2 oddjob_mkhomedir_roles; -+ role $2 types oddjob_mkhomedir_t; - ') - --##################################### -+####################################### - ## --## Do not audit attempts to read and write --## oddjob fifo files. -+## Execute oddjob in the oddjob domain. - ## - ## --## --## Domain to not audit. --## -+## -+## Domain allowed to transition. -+## - ## - # --interface(`oddjob_dontaudit_rw_fifo_files',` -- gen_require(` -- type oddjob_t; -- ') -+interface(`oddjob_systemctl',` -+ gen_require(` -+ type oddjob_unit_file_t; -+ type oddjob_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 oddjob_unit_file_t:file read_file_perms; -+ allow $1 oddjob_unit_file_t:service manage_service_perms; - -- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; -+ ps_process_pattern($1, oddjob_t) - ') - --###################################### -+######################################## - ## --## Send child terminated signals to oddjob. 
-+## Create a domain which can be started by init, -+## with a range transition. - ## - ## - ## --## Domain allowed access. -+## Type to be used as a domain. -+## -+## -+## -+## -+## Type of the program to be used as an entry point to this domain. -+## -+## -+## -+## -+## Range for the domain. - ## - ## - # --interface(`oddjob_sigchld',` -+interface(`oddjob_ranged_domain',` - gen_require(` - type oddjob_t; - ') - -- allow $1 oddjob_t:process sigchld; -+ oddjob_system_entry($1, $2) -+ -+ ifdef(`enable_mcs',` -+ range_transition oddjob_t $2:process $3; -+ ') -+ -+ ifdef(`enable_mls',` -+ range_transition oddjob_t $2:process $3; -+ mls_rangetrans_target($1) -+ ') - ') -diff --git a/oddjob.te b/oddjob.te -index 296a1d3..edc3e32 100644 ---- a/oddjob.te -+++ b/oddjob.te -@@ -1,12 +1,10 @@ --policy_module(oddjob, 1.9.2) -+policy_module(oddjob, 1.9.0) - - ######################################## - # - # Declarations - # - --attribute_role oddjob_mkhomedir_roles; -- - type oddjob_t; - type oddjob_exec_t; - domain_type(oddjob_t) -@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t; - domain_type(oddjob_mkhomedir_t) - domain_obj_id_change_exemption(oddjob_mkhomedir_t) - init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) --role oddjob_mkhomedir_roles types oddjob_mkhomedir_t; -+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - -+# pid files - type oddjob_var_run_t; - files_pid_file(oddjob_var_run_t) - -+type oddjob_unit_file_t; -+systemd_unit_file(oddjob_unit_file_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) - ') - - ######################################## - # --# Local policy -+# oddjob local policy - # - - allow oddjob_t self:capability setgid; -@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) - manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) - files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) - 
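Review bot: The summary written for the new `oddjob_systemctl` interface reads `Execute oddjob in the oddjob domain.`, but the body grants `systemd_exec_systemctl($1)`, `read_file_perms` and `manage_service_perms` on `oddjob_unit_file_t`, and `ps_process_pattern($1, oddjob_t)`, i.e. it lets the caller manage the oddjob service rather than run oddjob; change the summary to `Execute systemctl on the oddjob unit file and read oddjob process state.` and the parameter text from `Domain allowed to transition.` to `Domain allowed access.`. The new `oddjob_ranged_domain` interface has the same problem in the other direction: its summary says `Create a domain which can be started by init, with a range transition.`, while the body calls `oddjob_system_entry($1, $2)` and writes `range_transition oddjob_t $2:process $3;`, so the transition is from oddjob_t; reword it to `Create a domain which can be entered from oddjob, with a range transition.`.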
--domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) -- - kernel_read_system_state(oddjob_t) - - corecmd_exec_bin(oddjob_t) -@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t) - - selinux_compute_create_context(oddjob_t) - -+ - auth_use_nsswitch(oddjob_t) - --miscfiles_read_localization(oddjob_t) - - locallogin_dontaudit_use_fds(oddjob_t) - -@@ -71,13 +71,13 @@ optional_policy(` - - ######################################## - # --# Mkhomedir local policy -+# oddjob_mkhomedir local policy - # - - allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; - allow oddjob_mkhomedir_t self:process setfscreate; - allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; --allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; -+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; - - kernel_read_system_state(oddjob_mkhomedir_t) - -@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) - - logging_send_syslog_msg(oddjob_mkhomedir_t) - --miscfiles_read_localization(oddjob_mkhomedir_t) - - selinux_get_fs_mount(oddjob_mkhomedir_t) - selinux_validate_context(oddjob_mkhomedir_t) -@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t) - seutil_read_file_contexts(oddjob_mkhomedir_t) - seutil_read_default_contexts(oddjob_mkhomedir_t) - -+# Add/remove user home directories - userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) --userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) --userdom_manage_user_home_content_files(oddjob_mkhomedir_t) - userdom_manage_user_home_dirs(oddjob_mkhomedir_t) --userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) -+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -+userdom_manage_user_home_content(oddjob_mkhomedir_t) -+userdom_home_manager(oddjob_mkhomedir_t) -+userdom_stream_connect(oddjob_mkhomedir_t) -+ -diff --git a/openct.te b/openct.te -index 8467596..428ae48 100644 ---- a/openct.te -+++ b/openct.te 
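Review bot: The hunk drops `userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)` and adds `userdom_home_manager(oddjob_mkhomedir_t)` and `userdom_stream_connect(oddjob_mkhomedir_t)` in its place, leaving `userdom_home_filetrans_user_home_dir` as the only file transition visible, so whether skeleton files copied into a new home directory still receive the user home content label now depends on what `userdom_home_manager` grants — confirm it includes that transition, otherwise they inherit the home-directory label. The added comment `# Add/remove user home directories` would be more useful if it named that dependency, e.g. `# Add/remove user home directories; userdom_home_manager supplies the home-content file transitions`. The hunk also leaves a trailing blank line at end of file.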
-@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t) - - dontaudit openct_t self:capability sys_tty_config; - allow openct_t self:process signal_perms; -+allow openct_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) - manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) - manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) - files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) - --can_exec(openct_t, openct_exec_t) -- - kernel_read_kernel_sysctls(openct_t) - kernel_list_proc(openct_t) - kernel_read_proc_symlinks(openct_t) - -+can_exec(openct_t, openct_exec_t) -+ - dev_read_sysfs(openct_t) - dev_rw_usbfs(openct_t) - dev_rw_smartcard(openct_t) -@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) - - domain_use_interactive_fds(openct_t) - --files_read_etc_files(openct_t) - - fs_getattr_all_fs(openct_t) - fs_search_auto_mountpoints(openct_t) - - logging_send_syslog_msg(openct_t) - --miscfiles_read_localization(openct_t) -- - userdom_dontaudit_use_unpriv_user_fds(openct_t) - userdom_dontaudit_search_user_home_dirs(openct_t) - -diff --git a/openhpi.te b/openhpi.te -index 7f398c0..e66751b 100644 ---- a/openhpi.te -+++ b/openhpi.te -@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) - - dev_read_urand(openhpid_t) - --files_read_etc_files(openhpid_t) - - logging_send_syslog_msg(openhpid_t) - -diff --git a/openhpid.fc b/openhpid.fc -new file mode 100644 -index 0000000..9441fd7 ---- /dev/null -+++ b/openhpid.fc -@@ -0,0 +1,8 @@ -+ -+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0) -+ -+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0) -+ -+/var/lib/openhpi(/.*)? 
gen_context(system_u:object_r:openhpid_var_lib_t,s0) -+ -+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0) -diff --git a/openhpid.if b/openhpid.if -new file mode 100644 -index 0000000..598789a ---- /dev/null -+++ b/openhpid.if -@@ -0,0 +1,159 @@ -+ -+## policy for openhpid -+ -+ -+######################################## -+## -+## Transition to openhpid. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`openhpid_domtrans',` -+ gen_require(` -+ type openhpid_t, openhpid_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, openhpid_exec_t, openhpid_t) -+') -+ -+ -+######################################## -+## -+## Execute openhpid server in the openhpid domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openhpid_initrc_domtrans',` -+ gen_require(` -+ type openhpid_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, openhpid_initrc_exec_t) -+') -+ -+ -+######################################## -+## -+## Search openhpid lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openhpid_search_lib',` -+ gen_require(` -+ type openhpid_var_lib_t; -+ ') -+ -+ allow $1 openhpid_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read openhpid lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openhpid_read_lib_files',` -+ gen_require(` -+ type openhpid_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t) -+') -+ -+######################################## -+## -+## Manage openhpid lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`openhpid_manage_lib_files',` -+ gen_require(` -+ type openhpid_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t) -+') -+ -+######################################## -+## -+## Manage openhpid lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openhpid_manage_lib_dirs',` -+ gen_require(` -+ type openhpid_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an openhpid environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`openhpid_admin',` -+ gen_require(` -+ type openhpid_t; -+ type openhpid_initrc_exec_t; -+ type openhpid_var_lib_t; -+ ') -+ -+ allow $1 openhpid_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, openhpid_t) -+ -+ openhpid_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 openhpid_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var_lib($1) -+ admin_pattern($1, openhpid_var_lib_t) -+ -+ -+ -+') -+ -diff --git a/openhpid.te b/openhpid.te -new file mode 100644 -index 0000000..51acfae ---- /dev/null -+++ b/openhpid.te -@@ -0,0 +1,47 @@ -+policy_module(openhpid, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type openhpid_t; -+type openhpid_exec_t; -+init_daemon_domain(openhpid_t, openhpid_exec_t) -+ -+type openhpid_initrc_exec_t; -+init_script_file(openhpid_initrc_exec_t) -+ -+type openhpid_var_lib_t; -+files_type(openhpid_var_lib_t) -+ -+type openhpid_var_run_t; -+files_pid_file(openhpid_var_run_t) -+ -+######################################## -+# -+# openhpid local policy -+# -+ -+allow openhpid_t self:capability { kill }; -+allow openhpid_t self:process signal_perms; -+ -+allow 
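Review bot: `openhpid_initrc_domtrans` is documented as `Execute openhpid server in the openhpid domain.`, but its body is `init_labeled_script_domtrans($1, openhpid_initrc_exec_t)`, which transitions through the init script, not into the daemon domain; change the summary to `Execute openhpid init scripts in the init script domain.` and the parameter text to `Domain allowed to transition.` so it matches `openhpid_domtrans` just above. `openhpid_admin` ends with three empty lines before `')`, and the file opens with an empty line before `## policy for openhpid`; remove them so the file reads like the other interface files in the patch.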
openhpid_t self:fifo_file rw_fifo_file_perms; -+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms; -+allow openhpid_t self:unix_stream_socket create_stream_socket_perms; -+allow openhpid_t self:tcp_socket create_stream_socket_perms; -+allow openhpid_t self:udp_socket create_socket_perms; -+ -+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t) -+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t) -+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file }) -+ -+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t) -+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file }) -+ -+corenet_tcp_bind_generic_node(openhpid_t) -+corenet_tcp_bind_openhpid_port(openhpid_t) -+ -+dev_read_urand(openhpid_t) -+ -+logging_send_syslog_msg(openhpid_t) -diff --git a/openshift-origin.fc b/openshift-origin.fc -new file mode 100644 -index 0000000..30ca148 ---- /dev/null -+++ b/openshift-origin.fc -@@ -0,0 +1 @@ -+# Left Blank -diff --git a/openshift-origin.if b/openshift-origin.if -new file mode 100644 -index 0000000..3eb6a30 ---- /dev/null -+++ b/openshift-origin.if -@@ -0,0 +1 @@ -+## -diff --git a/openshift-origin.te b/openshift-origin.te -new file mode 100644 -index 0000000..a437f80 ---- /dev/null -+++ b/openshift-origin.te -@@ -0,0 +1,13 @@ -+policy_module(openshift-origin,1.0.0) -+gen_require(` -+ attribute openshift_domain; -+') -+ -+######################################## -+# -+# openshift origin standard local policy -+# -+allow openshift_domain self:socket_class_set create_socket_perms; -+corenet_tcp_connect_all_ports(openshift_domain) -+corenet_tcp_bind_all_ports(openshift_domain) -+files_read_config_files(openshift_domain) -diff --git a/openshift.fc b/openshift.fc -new file mode 100644 -index 0000000..f2d6119 ---- /dev/null -+++ b/openshift.fc -@@ -0,0 +1,26 @@ -+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mcollective 
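Review bot: The new openhpid.te declares `type openhpid_t;` and `type openhpid_exec_t;` via `init_daemon_domain`, yet the openhpi.te hunk earlier in this patch (`corenet_tcp_sendrecv_openhpid_port(openhpid_t)`, `dev_read_urand(openhpid_t)`) already uses an `openhpid_t` domain owned by the openhpi module; if both modules are built into the same policy the duplicate declaration will fail at link time, and if openhpi is meant to be superseded, its removal is not part of this patch. Either keep a single owner for the type or add a header comment to openhpid.te stating which module declares it, e.g. `# openhpid_t was previously declared in openhpi.te; that module must not be built alongside this one`, so the conflict is visible to whoever packages the modules.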
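Review bot: The new module grants the whole `openshift_domain` attribute `self:socket_class_set create_socket_perms`, `corenet_tcp_connect_all_ports` and `corenet_tcp_bind_all_ports` unconditionally; `socket_class_set` includes raw IP and packet sockets alongside the ordinary ones, and bind/connect on every labeled port removes the port-labeling distinction for every domain carrying the attribute, so this belongs behind a boolean or a narrower port interface, with the reason recorded in a comment. The `gen_require(\` attribute openshift_domain; ')` at the top of the .te file sits outside any interface and only works because the attribute is declared in another module; a comment such as `# openshift_domain is declared by the openshift module` would help the next reader. The heading `# openshift origin standard local policy` is also not followed by the blank line the other .te files in the patch use.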
gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+ -+/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0) -+ -+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) -+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) -+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) -+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) -+ -+/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) -+/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) -+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) -+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) -+ -+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0) -+ -+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) -+ -+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0) -+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+ -+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) -+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) -diff --git a/openshift.if b/openshift.if -new file mode 100644 -index 0000000..e03de01 ---- /dev/null -+++ b/openshift.if -@@ -0,0 +1,700 @@ -+ -+## policy for openshift -+ -+######################################## -+## -+## Execute openshift server in the openshift domain. -+## -+## -+## -+## The type of the process performing this action. 
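Review bot: Two entries leave a literal dot unescaped — `/etc/cron.minutely/openshift-facts` and `/usr/s?bin/(oo|rhc)-restorer-wrapper.sh` — while every other path in the file escapes it (`/etc/rc\.d/init\.d/libra`, `/var/log/mcollective\.log`); the unescaped form still matches, but it also matches any character in that position and is inconsistent. Write `/etc/cron\.minutely/openshift-facts` and `/usr/s?bin/(oo|rhc)-restorer-wrapper\.sh`. The two init-script entries `/etc/rc\.d/init\.d/libra` and `/etc/rc\.d/init\.d/mcollective` also lack the `--` file-type field the other executables in the hunk carry, so they label any object type at those paths rather than regular files only.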
-+## -+## -+# -+interface(`openshift_initrc_domtrans',` -+ gen_require(` -+ type openshift_initrc_t; -+ type openshift_initrc_exec_t; -+ ') -+ -+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t) -+') -+ -+####################################### -+## -+## Execute openshift server in the openshift domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## Role access to this domain. -+## -+## -+# -+interface(`openshift_initrc_run',` -+ gen_require(` -+ type openshift_initrc_t; -+ type openshift_initrc_exec_t; -+ ') -+ -+ openshift_initrc_domtrans($1) -+ role $2 types openshift_initrc_t; -+') -+ -+######################################## -+## -+## Send a null signal to openshift init scripts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_initrc_signull',` -+ gen_require(` -+ type openshift_initrc_t; -+ ') -+ -+ allow $1 openshift_initrc_t:process signull; -+') -+ -+####################################### -+## -+## Send a signal to openshift init scripts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_initrc_signal',` -+ gen_require(` -+ type openshift_initrc_t; -+ ') -+ -+ allow $1 openshift_initrc_t:process signal; -+') -+ -+######################################## -+## -+## Search openshift cache directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_search_cache',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ allow $1 openshift_cache_t:dir search_dir_perms; -+ files_search_var($1) -+') -+ -+######################################## -+## -+## Read openshift cache files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`openshift_read_cache_files',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, openshift_cache_t, openshift_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## openshift cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_manage_cache_files',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, openshift_cache_t, openshift_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## openshift cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_manage_cache_dirs',` -+ gen_require(` -+ type openshift_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t) -+') -+ -+ -+######################################## -+## -+## Allow the specified domain to read openshift's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`openshift_read_log',` -+ gen_require(` -+ type openshift_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, openshift_log_t, openshift_log_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to append -+## openshift log files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`openshift_append_log',` -+ gen_require(` -+ type openshift_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, openshift_log_t, openshift_log_t) -+') -+ -+######################################## -+## -+## Allow domain to manage openshift log files -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`openshift_manage_log',` -+ gen_require(` -+ type openshift_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, openshift_log_t, openshift_log_t) -+ manage_files_pattern($1, openshift_log_t, openshift_log_t) -+ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t) -+') -+ -+######################################## -+## -+## Search openshift lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_search_lib',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Getattr openshift lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_getattr_lib',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read openshift lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_read_lib_files',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+') -+ -+######################################## -+## -+## Read openshift lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_append_lib_files',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## openshift lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`openshift_manage_lib_files',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## openshift lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_manage_lib_dirs',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) -+') -+ -+######################################## -+## -+## Manage openshift lib content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_manage_content',` -+ gen_require(` -+ attribute openshift_file_type; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, openshift_file_type, openshift_file_type) -+ manage_files_pattern($1, openshift_file_type, openshift_file_type) -+ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type) -+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type) -+') -+ -+####################################### -+## -+## Create private objects in the -+## mail lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`openshift_lib_filetrans',` -+ gen_require(` -+ type openshift_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Read openshift PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`openshift_read_pid_files',` -+ gen_require(` -+ type openshift_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 openshift_var_run_t:file read_file_perms; -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an openshift environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`openshift_admin',` -+ gen_require(` -+ attribute openshift_domain; -+ type openshift_initrc_exec_t; -+ type openshift_cache_t; -+ type openshift_log_t; -+ type openshift_var_lib_t; -+ type openshift_var_run_t; -+ ') -+ -+ allow $1 openshift_domain:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 openshift_domain:process ptrace; -+ ') -+ ps_process_pattern($1, openshift_domain) -+ -+ openshift_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 openshift_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var($1) -+ admin_pattern($1, openshift_cache_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, openshift_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, openshift_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, openshift_var_run_t) -+ -+') -+ -+######################################## -+## -+## Make the specified type usable as a openshift domain. -+## -+## -+## -+## The prefix of the domain (e.g., openshift -+## is the prefix for openshift_t). 
-+## -+## -+# -+template(`openshift_service_domain_template',` -+ gen_require(` -+ attribute openshift_domain; -+ attribute openshift_user_domain; -+ ') -+ -+ type $1_t; -+ typeattribute $1_t openshift_domain, openshift_user_domain; -+ domain_type($1_t) -+ role system_r types $1_t; -+ mcs_constrained($1_t) -+ domain_user_exemption_target($1_t) -+ auth_use_nsswitch($1_t) -+ domain_subj_id_change_exemption($1_t) -+ domain_obj_id_change_exemption($1_t) -+ domain_dyntrans_type($1_t) -+ -+ kernel_read_system_state($1_t) -+ -+ logging_send_syslog_msg($1_t) -+ -+ type $1_app_t; -+ typeattribute $1_app_t openshift_domain; -+ domain_type($1_app_t) -+ role system_r types $1_app_t; -+ mcs_constrained($1_app_t) -+ domain_user_exemption_target($1_app_t) -+ domain_obj_id_change_exemption($1_app_t) -+ domain_dyntrans_type($1_app_t) -+ auth_use_nsswitch($1_app_t) -+ -+ kernel_read_system_state($1_app_t) -+ -+ logging_send_syslog_msg($1_app_t) -+') -+ -+######################################## -+## -+## Make the specified type usable as a openshift domain. -+## -+## -+## -+## Type to be used as a openshift domain type. -+## -+## -+# -+interface(`openshift_net_type',` -+ gen_require(` -+ attribute openshift_net_domain; -+ ') -+ -+ typeattribute $1 openshift_net_domain; -+') -+ -+######################################## -+## -+## Read and write inherited openshift files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_rw_inherited_content',` -+ gen_require(` -+ attribute openshift_file_type; -+ ') -+ -+ allow $1 openshift_file_type:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Manage openshift tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_manage_tmp_files',` -+ gen_require(` -+ type openshift_tmp_t; -+ ') -+ -+ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t) -+') -+ -+######################################## -+## -+## Manage openshift tmp sockets. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_manage_tmp_sockets',` -+ gen_require(` -+ type openshift_tmp_t; -+ ') -+ -+ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t) -+') -+ -+######################################## -+## -+## Mounton openshift tmp directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_mounton_tmp',` -+ gen_require(` -+ type openshift_tmp_t; -+ ') -+ -+ allow $1 openshift_tmp_t:dir mounton; -+') -+ -+######################################## -+## -+## Dontaudit Read and write inherited script fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_dontaudit_rw_inherited_fifo_files',` -+ gen_require(` -+ type openshift_initrc_t; -+ ') -+ -+ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## -+## Allow calling app to transition to an openshift domain -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+# -+interface(`openshift_transition',` -+ gen_require(` -+ attribute openshift_user_domain; -+ ') -+ -+ allow $1 openshift_user_domain:process transition; -+ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh }; -+ allow openshift_user_domain $1:fd use; -+ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms; -+ allow openshift_user_domain $1:process sigchld; -+ dontaudit $1 openshift_user_domain:socket_class_set { read write }; -+') -+ -+######################################## -+## -+## Allow calling app to transition to an openshift domain -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+# -+interface(`openshift_dyntransition',` -+ gen_require(` -+ attribute openshift_domain; -+ attribute openshift_user_domain; -+ ') -+ -+ allow $1 openshift_user_domain:process dyntransition; -+ dontaudit openshift_user_domain $1:key view; -+ allow openshift_user_domain $1:unix_stream_socket { connectto 
rw_socket_perms }; -+ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms; -+ allow $1 openshift_user_domain:process { rlimitinh signal }; -+ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown }; -+') -+ -+######################################## -+## -+## Execute openshift in the openshift domain, and -+## allow the specified role the openshift domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+# -+interface(`openshift_run',` -+ gen_require(` -+ type openshift_initrc_exec_t; -+ ') -+ -+ openshift_initrc_domtrans($1) -+ role_transition $2 openshift_initrc_exec_t system_r; -+ openshift_transition($1) -+') -diff --git a/openshift.te b/openshift.te -new file mode 100644 -index 0000000..cd25e8e ---- /dev/null -+++ b/openshift.te -@@ -0,0 +1,555 @@ -+policy_module(openshift,1.0.0) -+ -+gen_require(` -+ role system_r; -+') -+ -+######################################## -+# -+# Declarations -+# -+ -+ -+# openshift applications that can use the network. 
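Review bot: Several interface docstrings in this hunk were copy-pasted and no longer describe the interface they sit on: `openshift_append_lib_files` is summarised as `Read openshift lib files.`, `openshift_manage_lib_dirs` as `... openshift lib files.`, `openshift_lib_filetrans` as `Create private objects in the mail lib directory.`, the parameter of `openshift_manage_log` is described as `Domain to not audit.`, and that of `openshift_append_log` as `Domain allowed to transition.`. These summaries become the generated policy documentation, so a policy author would mis-judge what each interface grants; suggest `Append openshift lib files.`, `Create, read, write, and delete openshift lib dirs.`, `Create private objects in the openshift lib directory.`, and `Domain allowed access.` respectively. The hunk's lines carry a double `-+` marker, so this appears to be a nested patch; the remark applies to the inner added side.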
-+attribute openshift_net_domain; -+# Attribute representing all openshift user processes (excludes apache processes) -+attribute openshift_user_domain; -+# Attribute representing all openshift processes -+attribute openshift_domain; -+ -+# Attribute for all openshift content -+attribute openshift_file_type; -+ -+# Type of openshift init script -+type openshift_initrc_t; -+type openshift_initrc_exec_t; -+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t) -+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) -+domain_obj_id_change_exemption(openshift_initrc_t) -+optional_policy(` -+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) -+') -+ -+type openshift_initrc_tmp_t; -+files_tmp_file(openshift_initrc_tmp_t) -+ -+type openshift_tmpfs_t; -+files_tmpfs_file(openshift_tmpfs_t) -+ -+type openshift_tmp_t, openshift_file_type; -+files_tmp_file(openshift_tmp_t) -+files_mountpoint(openshift_tmp_t) -+files_poly(openshift_tmp_t) -+files_poly_parent(openshift_tmp_t) -+ -+type openshift_var_run_t; -+files_pid_file(openshift_var_run_t) -+ -+type openshift_var_lib_t, openshift_file_type; -+userdom_user_home_content(openshift_var_lib_t) -+files_poly(openshift_var_lib_t) -+files_poly_parent(openshift_var_lib_t) -+files_mountpoint(openshift_var_lib_t) -+ -+type openshift_rw_file_t, openshift_file_type; -+files_poly(openshift_rw_file_t) -+files_poly_parent(openshift_rw_file_t) -+ -+type openshift_log_t; -+logging_log_file(openshift_log_t) -+ -+type openshift_port_t; -+corenet_port(openshift_port_t) -+corenet_reserved_port(openshift_port_t) -+ -+type openshift_cgroup_read_t; -+type openshift_cgroup_read_exec_t; -+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t) -+ -+type openshift_cgroup_read_tmp_t, openshift_file_type; -+files_tmp_file(openshift_cgroup_read_tmp_t) -+ -+type openshift_cron_t; -+type openshift_cron_exec_t; -+domain_type(openshift_cron_t) 
-+domain_entry_file(openshift_cron_t, openshift_cron_exec_t) -+role system_r types openshift_cron_t; -+ -+optional_policy(` -+ cron_system_entry(openshift_cron_t, openshift_cron_exec_t) -+') -+ -+type openshift_cron_tmp_t, openshift_file_type; -+files_tmp_file(openshift_cron_tmp_t) -+ -+######################################## -+# -+# Template to create openshift_t and openshift_app_t -+# -+ -+openshift_service_domain_template(openshift) -+ -+######################################## -+# -+# openshift initrc local policy -+# -+ -+unconfined_domain_noaudit(openshift_initrc_t) -+mcs_process_set_categories(openshift_initrc_t) -+ -+virt_sandbox_domain(openshift_initrc_t) -+ -+systemd_dbus_chat_logind(openshift_initrc_t) -+ -+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) -+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) -+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) -+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir }) -+ -+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t) -+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t) -+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t) -+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir }) -+ -+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t) -+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t) -+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir }) -+ -+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill }; -+allow openshift_domain openshift_initrc_t:fd use; -+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; -+allow openshift_domain openshift_initrc_t:process sigchld; -+dontaudit openshift_domain 
openshift_initrc_t:key view; -+dontaudit openshift_domain openshift_initrc_t:process signull; -+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write }; -+ -+init_domtrans_script(openshift_initrc_t) -+init_initrc_domain(openshift_initrc_t) -+ -+####################################################### -+# -+# Policy for all openshift domains -+# -+allow openshift_domain self:process ~ptrace; -+tunable_policy(`deny_ptrace',`',` -+ allow openshift_domain self:process ptrace; -+') -+ -+allow openshift_domain self:msg all_msg_perms; -+allow openshift_domain self:msgq create_msgq_perms; -+allow openshift_domain self:shm create_shm_perms; -+allow openshift_domain self:sem create_sem_perms; -+dontaudit openshift_domain self:dir write; -+dontaudit openshift_t self:unix_stream_socket recvfrom; -+dontaudit openshift_domain self:netlink_tcpdiag_socket create; -+dontaudit openshift_domain self:netlink_route_socket nlmsg_write; -+allow openshift_domain self:tcp_socket create_stream_socket_perms; -+allow openshift_domain self:fifo_file manage_fifo_file_perms; -+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto }; -+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay }; -+ -+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) -+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) -+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) -+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) -+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t) -+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto }; -+ -+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type) -+read_files_pattern(openshift_domain, 
openshift_file_type, openshift_file_type) -+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type) -+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type) -+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type) -+allow openshift_domain openshift_file_type:file execmod; -+can_exec(openshift_domain, openshift_file_type) -+allow openshift_domain openshift_file_type:file entrypoint; -+# Allow users to execute files in their home dir -+allow openshift_domain openshift_file_type:file { execute execute_no_trans }; -+ -+# Dontaudit openshift domains trying to search other openshift domains directories, -+# this happens just when users are probing the system -+dontaudit openshift_domain openshift_file_type:dir search_dir_perms -+; -+ -+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file }) -+can_exec(openshift_domain, openshift_tmpfs_t) -+ -+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) -+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) -+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) -+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) -+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) -+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file }) -+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto }; -+ -+allow openshift_domain 
openshift_log_t:file { getattr append lock ioctl }; -+ -+#lsof -+allow openshift_domain openshift_initrc_t:tcp_socket getattr; -+ -+dontaudit openshift_domain openshift_initrc_tmp_t:file append; -+dontaudit openshift_domain openshift_var_run_t:file append; -+dontaudit openshift_domain openshift_file_type:sock_file execute; -+ -+kernel_read_network_state(openshift_domain) -+kernel_dontaudit_list_all_proc(openshift_domain) -+kernel_dontaudit_list_all_sysctls(openshift_domain) -+kernel_dontaudit_request_load_module(openshift_domain) -+kernel_get_sysvipc_info(openshift_domain) -+ -+corecmd_shell_entry_type(openshift_domain) -+corecmd_bin_entry_type(openshift_domain) -+corecmd_exec_all_executables(openshift_domain) -+ -+dev_read_sysfs(openshift_domain) -+dev_read_rand(openshift_domain) -+dev_read_urand(openshift_domain) -+dev_dontaudit_append_rand(openshift_domain) -+dev_dontaudit_write_urand(openshift_domain) -+dev_dontaudit_getattr_all_blk_files(openshift_domain) -+dev_dontaudit_getattr_all_chr_files(openshift_domain) -+dev_dontaudit_all_access_check(openshift_domain) -+ -+domain_use_interactive_fds(openshift_domain) -+domain_dontaudit_read_all_domains_state(openshift_domain) -+ -+files_read_var_lib_symlinks(openshift_domain) -+ -+fs_rw_hugetlbfs_files(openshift_domain) -+fs_rw_anon_inodefs_files(openshift_domain) -+fs_search_tmpfs(openshift_domain) -+fs_getattr_all_fs(openshift_domain) -+fs_dontaudit_getattr_all_fs(openshift_domain) -+fs_list_inotifyfs(openshift_domain) -+fs_dontaudit_list_auto_mountpoints(openshift_domain) -+fs_dontaudit_list_tmpfs(openshift_domain) -+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain) -+storage_getattr_fixed_disk_dev(openshift_domain) -+fs_get_xattr_fs_quotas(openshift_domain) -+fs_rw_inherited_tmpfs_files(openshift_domain) -+fs_dontaudit_rw_anon_inodefs_files(openshift_domain) -+ -+dontaudit openshift_domain file_type:dir read; -+files_dontaudit_list_home(openshift_domain) -+files_dontaudit_search_all_pids(openshift_domain) 
-+files_dontaudit_getattr_all_dirs(openshift_domain) -+files_dontaudit_getattr_all_files(openshift_domain) -+files_dontaudit_list_mnt(openshift_domain) -+files_dontaudit_list_var(openshift_domain) -+files_dontaudit_getattr_lost_found_dirs(openshift_domain) -+files_dontaudit_search_all_mountpoints(openshift_domain) -+files_dontaudit_search_spool(openshift_domain) -+files_dontaudit_search_all_dirs(openshift_domain) -+files_exec_etc_files(openshift_domain) -+files_exec_usr_files(openshift_domain) -+files_dontaudit_getattr_non_security_sockets(openshift_domain) -+files_dontaudit_setattr_non_security_dirs(openshift_domain) -+files_dontaudit_setattr_non_security_files(openshift_domain) -+files_dontaudit_rw_inherited_locks(openshift_domain) -+ -+libs_exec_lib_files(openshift_domain) -+libs_exec_ld_so(openshift_domain) -+ -+selinux_validate_context(openshift_domain) -+ -+logging_inherit_append_all_logs(openshift_domain) -+ -+init_dontaudit_read_utmp(openshift_domain) -+ -+miscfiles_read_fonts(openshift_domain) -+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain) -+ -+mta_dontaudit_read_spool_symlinks(openshift_domain) -+ -+term_dontaudit_search_ptys(openshift_domain) -+term_use_generic_ptys(openshift_domain) -+term_dontaudit_getattr_generic_ptys(openshift_domain) -+term_use_ptmx(openshift_domain) -+ -+userdom_use_inherited_user_ptys(openshift_domain) -+userdom_dontaudit_search_admin_dir(openshift_domain) -+ -+application_exec(openshift_domain) -+ -+optional_policy(` -+ apache_exec_modules(openshift_domain) -+ apache_list_modules(openshift_domain) -+ apache_read_config(openshift_domain) -+ apache_search_config(openshift_domain) -+ apache_read_sys_content(openshift_domain) -+ apache_exec_sys_script(openshift_domain) -+ apache_entrypoint(openshift_domain) -+ apache_dontaudit_read_log(openshift_domain) -+') -+ -+optional_policy(` -+ ############################################# -+ # -+ # openshift cgi script policy -+ # -+ apache_content_template(openshift) -+ 
domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t) -+ -+ optional_policy(` -+ dbus_system_bus_client(httpd_openshift_script_t) -+ -+ optional_policy(` -+ oddjob_dbus_chat(httpd_openshift_script_t) -+ oddjob_dontaudit_rw_fifo_file(openshift_domain) -+ ') -+ ') -+') -+ -+optional_policy(` -+ cron_role(system_r, openshift_domain) -+') -+ -+optional_policy(` -+ gpg_entry_type(openshift_domain) -+') -+ -+optional_policy(` -+ mysql_search_db(openshift_domain) -+') -+ -+optional_policy(` -+ screen_exec(openshift_domain) -+') -+ -+optional_policy(` -+ ssh_use_ptys(openshift_domain) -+ ssh_getattr_user_home_dir(openshift_domain) -+ ssh_dontaudit_search_user_home_dir(openshift_domain) -+') -+ -+optional_policy(` -+ udev_read_pid_files(openshift_domain) -+') -+ -+####################################################### -+# -+# Policy for openshift user domain process -+# -+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) -+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) -+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) -+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) -+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type) -+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto }; -+ -+allow openshift_user_domain openshift_domain:process transition; -+allow openshift_domain openshift_user_domain:fd use; -+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms; -+allow openshift_domain openshift_user_domain:process sigchld; -+dontaudit openshift_domain openshift_user_domain:key view; -+dontaudit openshift_domain openshift_user_domain:process signull; -+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write }; -+ -+tunable_policy(`deny_ptrace',`',` -+ allow 
openshift_user_domain openshift_domain:process ptrace; -+') -+ -+mta_signal_user_agent(openshift_user_domain) -+ -+optional_policy(` -+ ssh_rw_tcp_sockets(openshift_user_domain) -+') -+ -+############################################################################ -+# -+# Rules specific to openshift_net_domains -+# -+allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind }; -+allow openshift_net_domain openshift_port_t:udp_socket name_bind; -+ -+corenet_tcp_connect_mssql_port(openshift_net_domain) -+corenet_tcp_connect_mysqld_port(openshift_net_domain) -+corenet_tcp_connect_postgresql_port(openshift_net_domain) -+corenet_tcp_connect_git_port(openshift_net_domain) -+corenet_tcp_connect_oracle_port(openshift_net_domain) -+corenet_tcp_connect_flash_port(openshift_net_domain) -+corenet_tcp_connect_http_port(openshift_net_domain) -+corenet_tcp_connect_ftp_port(openshift_net_domain) -+#/* These ports are the ephemeral ports needed for ftp */ -+corenet_tcp_connect_virt_migration_port(openshift_net_domain) -+corenet_tcp_connect_ssh_port(openshift_net_domain) -+corenet_tcp_connect_jacorb_port(openshift_net_domain) -+corenet_tcp_connect_jboss_management_port(openshift_net_domain) -+corenet_tcp_connect_jboss_debug_port(openshift_net_domain) -+corenet_tcp_connect_jboss_messaging_port(openshift_net_domain) -+corenet_tcp_connect_memcache_port(openshift_net_domain) -+corenet_tcp_connect_http_cache_port(openshift_net_domain) -+corenet_tcp_connect_amqp_port(openshift_net_domain) -+corenet_tcp_connect_generic_port(openshift_net_domain) -+corenet_tcp_connect_mongod_port(openshift_net_domain) -+corenet_tcp_connect_munin_port(openshift_net_domain) -+corenet_tcp_connect_pop_port(openshift_net_domain) -+corenet_tcp_connect_pulseaudio_port(openshift_net_domain) -+corenet_tcp_connect_smtp_port(openshift_net_domain) -+corenet_tcp_connect_whois_port(openshift_net_domain) -+corenet_udp_bind_generic_port(openshift_net_domain) 
-+corenet_tcp_bind_http_cache_port(openshift_domain) -+corenet_tcp_bind_jacorb_port(openshift_net_domain) -+corenet_tcp_bind_jboss_management_port(openshift_net_domain) -+corenet_tcp_bind_jboss_messaging_port(openshift_net_domain) -+corenet_tcp_bind_jboss_debug_port(openshift_net_domain) -+corenet_tcp_bind_mongod_port(openshift_net_domain) -+corenet_tcp_bind_mysqld_port(openshift_domain) -+corenet_tcp_bind_pulseaudio_port(openshift_net_domain) -+corenet_tcp_bind_postgresql_port(openshift_net_domain) -+ -+############################################################################ -+# -+# Rules specific to openshift and openshift_app_t -+# -+kernel_read_vm_sysctls(openshift_t) -+kernel_read_vm_sysctls(openshift_app_t) -+kernel_search_vm_sysctl(openshift_t) -+kernel_search_vm_sysctl(openshift_app_t) -+netutils_domtrans_ping(openshift_t) -+netutils_kill_ping(openshift_t) -+netutils_signal_ping(openshift_t) -+ -+openshift_net_type(openshift_app_t) -+openshift_net_type(openshift_t) -+ -+optional_policy(` -+ postfix_rw_public_pipes(openshift_t) -+ postfix_manage_spool_maildrop_files(openshift_t) -+') -+ -+######################################## -+# -+# openshift_cgroup_read local policy -+# -+ -+allow openshift_cgroup_read_t self:process { getattr signal_perms }; -+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms; -+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms; -+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; -+ -+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms; -+ -+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t) -+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t) -+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir }) -+ -+kernel_read_system_state(openshift_cgroup_read_t) -+ 
-+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t) -+ -+auth_read_passwd(openshift_cgroup_read_t) -+ -+miscfiles_read_localization(openshift_cgroup_read_t) -+ -+optional_policy(` -+ ssh_use_ptys(openshift_cgroup_read_t) -+') -+ -+corecmd_exec_bin(openshift_cgroup_read_t) -+corecmd_exec_shell(openshift_cgroup_read_t) -+ -+dev_read_urand(openshift_cgroup_read_t) -+ -+domain_use_interactive_fds(openshift_cgroup_read_t) -+ -+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t) -+ -+userdom_use_inherited_user_ptys(openshift_cgroup_read_t) -+ -+miscfiles_read_generic_certs(openshift_cgroup_read_t) -+ -+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t) -+role system_r types openshift_cgroup_read_t; -+ -+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill }; -+ -+fs_list_cgroup_dirs(openshift_cgroup_read_t) -+fs_read_cgroup_files(openshift_cgroup_read_t) -+ -+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; -+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t) -+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms; -+ -+######################################## -+# -+# openshift_cron local policy -+# -+allow openshift_cron_t self:capability { dac_override net_admin sys_admin }; -+allow openshift_cron_t self:process signal_perms; -+allow openshift_cron_t self:tcp_socket create_stream_socket_perms; -+allow openshift_cron_t self:udp_socket create_socket_perms; -+allow openshift_cron_t self:unix_dgram_socket create_socket_perms; -+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms; -+ -+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) -+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) -+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) -+manage_lnk_files_pattern(openshift_cron_t, 
openshift_cron_tmp_t, openshift_cron_tmp_t)
-+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
-+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
-+
-+openshift_manage_lib_dirs(openshift_cron_t)
-+openshift_manage_lib_files(openshift_cron_t)
-+
-+kernel_search_network_sysctl(openshift_cron_t)
-+kernel_read_network_state(openshift_cron_t)
-+kernel_read_system_state(openshift_cron_t)
-+
-+corecmd_exec_bin(openshift_cron_t)
-+corecmd_exec_shell(openshift_cron_t)
-+
-+dev_read_raw_memory(openshift_cron_t)
-+dev_read_urand(openshift_cron_t)
-+
-+corenet_udp_bind_generic_node(openshift_cron_t)
-+corenet_udp_bind_generic_port(openshift_cron_t)
-+
-+dev_getattr_fs(openshift_cron_t)
-+dev_list_sysfs(openshift_cron_t)
-+dev_read_sysfs(openshift_cron_t)
-+
-+files_getattr_home_dir(openshift_cron_t)
-+files_manage_etc_files(openshift_cron_t)
-+
-+fs_getattr_tmpfs_dirs(openshift_cron_t)
-+fs_getattr_all_fs(openshift_cron_t)
-+fs_list_hugetlbfs(openshift_cron_t)
-+fs_search_cgroup_dirs(openshift_cron_t)
-+
-+seutil_domtrans_setfiles(openshift_cron_t)
-+
-+term_getattr_pty_fs(openshift_cron_t)
-+term_search_ptys(openshift_cron_t)
-+
-+auth_use_nsswitch(openshift_cron_t)
-+
-+miscfiles_read_generic_certs(openshift_cron_t)
-+miscfiles_read_hwdata(openshift_cron_t)
-+
-+sysnet_exec_ifconfig(openshift_cron_t)
-+sysnet_read_config(openshift_cron_t)
-+
-+optional_policy(`
-+ dmidecode_exec(openshift_cron_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(openshift_cron_t)
-+')
-+
-+optional_policy(`
-+ quota_read_db(openshift_cron_t)
-+')
-+
-+optional_policy(`
-+ ssh_domtrans_keygen(openshift_cron_t)
-+ ssh_dontaudit_read_server_keys(openshift_cron_t)
-+')
-+
-diff --git a/openvpn.fc b/openvpn.fc
-index 300213f..4cdfe09 100644
---- a/openvpn.fc
-+++ b/openvpn.fc
-@@ -1,10 +1,13 @@
- /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
-+/etc/openvpn/scripts(/.*)? 
gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
- /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
- 
- /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
- 
- /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
- 
-+/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0)
-+
- /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
- /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
- 
-diff --git a/openvpn.if b/openvpn.if
-index 6837e9a..21e6dae 100644
---- a/openvpn.if
-+++ b/openvpn.if
-@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
- ########################################
- ##
- ## Execute openvpn clients in the
-+## caller domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`openvpn_exec',`
-+ gen_require(`
-+ type openvpn_exec_t;
-+ ')
-+
-+ can_exec($1, openvpn_exec_t)
-+')
-+
-+########################################
-+##
-+## Execute openvpn clients in the
- ## openvpn domain, and allow the
- ## specified role the openvpn domain.
- ##
-@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
- type openvpn_status_t;
- ')
- 
-- allow $1 openvpn_t:process { ptrace signal_perms };
-+ allow $1 openvpn_t:process signal_perms;
- ps_process_pattern($1, openvpn_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 openvpn_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
-diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..5b046fe 100644
---- a/openvpn.te
-+++ b/openvpn.te
-@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
- #
- 
- ##
-+##

    -+## Allow openvpn to run unconfined scripts
-+##

    -+##
    -+gen_tunable(openvpn_run_unconfined, false)
-+
-+##
- ##

    - ## Determine whether openvpn can
- ## read generic user home content files.
-@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
- ##
- gen_tunable(openvpn_enable_homedirs, false)
- 
-+##
-+##

    -+## Determine whether openvpn can
-+## connect to the TCP network.
-+##

    -+##
    -+gen_tunable(openvpn_can_network_connect, false)
-+
- attribute_role openvpn_roles;
- 
- type openvpn_t;
-@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t)
- type openvpn_etc_rw_t;
- files_config_file(openvpn_etc_rw_t)
- 
-+type openvpn_tmp_t;
-+files_tmp_file(openvpn_tmp_t)
-+
- type openvpn_initrc_exec_t;
- init_script_file(openvpn_initrc_exec_t)
- 
- type openvpn_status_t;
- logging_log_file(openvpn_status_t)
- 
-+type openvpn_var_lib_t;
-+files_type(openvpn_var_lib_t)
-+
- type openvpn_var_log_t;
- logging_log_file(openvpn_var_log_t)
- 
-@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
- # Local policy
- #
- 
--allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
-+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
- allow openvpn_t self:process { signal getsched setsched };
- allow openvpn_t self:fifo_file rw_fifo_file_perms;
- allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
- allow openvpn_t openvpn_status_t:file manage_file_perms;
- logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
- 
-+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
-+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
-+
-+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
-+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
-+
- manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
--append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
--create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
--setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
- logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
- 
-
 manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
- corecmd_exec_bin(openvpn_t)
- corecmd_exec_shell(openvpn_t)
- 
--corenet_all_recvfrom_unlabeled(openvpn_t)
- corenet_all_recvfrom_netlabel(openvpn_t)
- corenet_tcp_sendrecv_generic_if(openvpn_t)
- corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
- corenet_sendrecv_http_server_packets(openvpn_t)
- corenet_tcp_bind_http_port(openvpn_t)
- corenet_sendrecv_http_client_packets(openvpn_t)
-+corenet_tcp_connect_squid_port(openvpn_t)
- corenet_tcp_connect_http_port(openvpn_t)
- corenet_tcp_sendrecv_http_port(openvpn_t)
--
- corenet_sendrecv_http_cache_client_packets(openvpn_t)
- corenet_tcp_connect_http_cache_port(openvpn_t)
- corenet_tcp_sendrecv_http_cache_port(openvpn_t)
- 
-+corenet_tcp_connect_tor_port(openvpn_t)
-+
- corenet_rw_tun_tap_dev(openvpn_t)
- 
- dev_read_rand(openvpn_t)
-@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
- 
- auth_use_pam(openvpn_t)
- 
--miscfiles_read_localization(openvpn_t)
-+logging_send_syslog_msg(openvpn_t)
-+
- miscfiles_read_all_certs(openvpn_t)
- 
-+sysnet_dns_name_resolve(openvpn_t)
- sysnet_exec_ifconfig(openvpn_t)
- sysnet_manage_config(openvpn_t)
- sysnet_etc_filetrans_config(openvpn_t)
- sysnet_use_ldap(openvpn_t)
- 
--userdom_use_user_terminals(openvpn_t)
-+userdom_use_inherited_user_terminals(openvpn_t)
-+userdom_read_home_certs(openvpn_t)
-+userdom_attach_admin_tun_iface(openvpn_t)
-+userdom_read_inherited_user_tmp_files(openvpn_t)
-+userdom_read_inherited_user_home_content_files(openvpn_t)
- 
- tunable_policy(`openvpn_enable_homedirs',`
-- userdom_read_user_home_content_files(openvpn_t)
-+ userdom_search_user_home_dirs(openvpn_t)
- ')
- 
- tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,6 +175,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(openvpn_t)
- ')
- 
-+tunable_policy(`openvpn_can_network_connect',`
-+ corenet_tcp_connect_all_ports(openvpn_t)
-+')
-+
- optional_policy(`
- daemontools_service_domain(openvpn_t, openvpn_exec_t)
- ')
-@@ -155,3 +191,27 @@ optional_policy(`
- networkmanager_dbus_chat(openvpn_t)
- ')
- ')
-+
-+optional_policy(`
-+ unconfined_attach_tun_iface(openvpn_t)
-+')
-+
-+type openvpn_unconfined_script_t;
-+type openvpn_unconfined_script_exec_t;
-+domain_type(openvpn_unconfined_script_t)
-+domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
-+corecmd_shell_entry_type(openvpn_unconfined_script_t)
-+role system_r types openvpn_unconfined_script_t;
-+
-+allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
-+allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
-+
-+optional_policy(`
-+ unconfined_domain(openvpn_unconfined_script_t)
-+')
-+
-+tunable_policy(`openvpn_run_unconfined',`
-+ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
-+',`
-+ can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
-+')
-diff --git a/openvswitch.fc b/openvswitch.fc
-index 45d7cc5..c5b9607 100644
---- a/openvswitch.fc
-+++ b/openvswitch.fc
-@@ -1,12 +1,16 @@
--/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
-+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
- 
--/etc/openvswitch(/.*)? 
gen_context(system_u:object_r:openvswitch_conf_t,s0)
-+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
- 
--/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
--/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
- 
--/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
-+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
- 
--/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
- 
--/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
-+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
-diff --git a/openvswitch.if b/openvswitch.if
-index 9b15730..eedd136 100644
---- a/openvswitch.if
-+++ b/openvswitch.if
-@@ -1,13 +1,14 @@
--## Multilayer virtual switch.
-+
-+## policy for openvswitch
- 
- ########################################
- ##
--## Execute openvswitch in the openvswitch domain.
-+## Execute TEMPLATE in the openvswitch domin.
- ##
- ##
--##
-+##
- ## Domain allowed to transition. 
--##
-+##
- ##
- #
- interface(`openvswitch_domtrans',`
-@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
- corecmd_search_bin($1)
- domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
- ')
-+########################################
-+##
-+## Read openvswitch's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`openvswitch_read_log',`
-+ gen_require(`
-+ type openvswitch_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+')
-+
-+########################################
-+##
-+## Append to openvswitch log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_append_log',`
-+ gen_require(`
-+ type openvswitch_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+')
- 
- ########################################
- ##
--## Read openvswitch pid files.
-+## Manage openvswitch log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_manage_log',`
-+ gen_require(`
-+ type openvswitch_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
-+')
-+
-+########################################
-+##
-+## Search openvswitch lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_search_lib',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read openvswitch lib files.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`openvswitch_read_lib_files',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openvswitch lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_manage_lib_files',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage openvswitch lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvswitch_manage_lib_dirs',`
-+ gen_require(`
-+ type openvswitch_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read openvswitch PID files.
- ##
- ##
- ##
-@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',`
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an openvswitch environment.
-+## Allow stream connect to openvswitch.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+
-+interface(`openvswitch_stream_connect',`
-+ gen_require(`
-+ type openvswitch_t, openvswitch_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
-+')
-+
-+########################################
-+##
-+## Execute openvswitch server in the openvswitch domain.
-+##
-+##
-+##
-+## Domain allowed to transition. 
-+##
-+##
-+#
-+interface(`openvswitch_systemctl',`
-+ gen_require(`
-+ type openvswitch_t;
-+ type openvswitch_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 openvswitch_unit_file_t:file read_file_perms;
-+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, openvswitch_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an openvswitch environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
- ##
- #
- interface(`openvswitch_admin',`
- gen_require(`
-- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
-- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
-+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
-+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
- ')
- 
- allow $1 openvswitch_t:process { ptrace signal_perms };
- ps_process_pattern($1, openvswitch_t)
- 
-- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 openvswitch_initrc_exec_t system_r;
-- allow $2 system_r;
-+ logging_search_logs($1)
-+ admin_pattern($1, openvswitch_rw_t)
- 
-- files_search_etc($1)
-- admin_pattern($1, openvswitch_conf_t)
-+ logging_search_logs($1)
-+ admin_pattern($1, openvswitch_log_t)
- 
- files_search_var_lib($1)
- admin_pattern($1, openvswitch_var_lib_t)
- 
-- logging_search_logs($1)
-- admin_pattern($1, openvswitch_log_t)
--
- files_search_pids($1)
- admin_pattern($1, openvswitch_var_run_t)
-+
-+ openvswitch_systemctl($1)
-+ admin_pattern($1, openvswitch_unit_file_t)
-+ allow $1 openvswitch_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..a499612 100644
---- a/openvswitch.te
-+++ b/openvswitch.te
-@@ -1,4 +1,4 @@ 
--policy_module(openvswitch, 1.0.1)
-+policy_module(openvswitch, 1.0.0)
- 
- ########################################
- #
-@@ -9,11 +9,8 @@ type openvswitch_t;
- type openvswitch_exec_t;
- init_daemon_domain(openvswitch_t, openvswitch_exec_t)
- 
--type openvswitch_initrc_exec_t;
--init_script_file(openvswitch_initrc_exec_t)
--
--type openvswitch_conf_t;
--files_config_file(openvswitch_conf_t)
-+type openvswitch_rw_t;
-+files_config_file(openvswitch_rw_t)
- 
- type openvswitch_var_lib_t;
- files_type(openvswitch_var_lib_t)
-@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
- type openvswitch_log_t;
- logging_log_file(openvswitch_log_t)
- 
-+type openvswitch_tmp_t;
-+files_tmp_file(openvswitch_tmp_t)
-+
- type openvswitch_var_run_t;
- files_pid_file(openvswitch_var_run_t)
- 
-+type openvswitch_unit_file_t;
-+systemd_unit_file(openvswitch_unit_file_t)
-+
- ########################################
- #
--# Local policy
-+# openvswitch local policy
- #
- 
--allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
--allow openvswitch_t self:process { setrlimit setsched signal };
-+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
-+allow openvswitch_t self:capability2 block_suspend;
-+allow openvswitch_t self:process { fork setsched setrlimit signal };
- allow openvswitch_t self:fifo_file rw_fifo_file_perms;
--allow openvswitch_t self:rawip_socket create_socket_perms;
--allow openvswitch_t self:unix_stream_socket { accept connectto listen };
-+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow openvswitch_t self:netlink_socket create_socket_perms;
-+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
- 
--manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
--manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
--manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) 
-+can_exec(openvswitch_t, openvswitch_exec_t)
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
-+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
- 
- manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
- manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
- files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
- 
- manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
--append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
--create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
--setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
- manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
- logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
- 
-+manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
-+
- manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
- 
--can_exec(openvswitch_t, openvswitch_exec_t)
--
-
 kernel_read_network_state(openvswitch_t)
- kernel_read_system_state(openvswitch_t)
--
--corenet_all_recvfrom_unlabeled(openvswitch_t)
--corenet_all_recvfrom_netlabel(openvswitch_t)
--corenet_raw_sendrecv_generic_if(openvswitch_t)
--corenet_raw_sendrecv_generic_node(openvswitch_t)
-+kernel_request_load_module(openvswitch_t)
- 
- corecmd_exec_bin(openvswitch_t)
-+corecmd_exec_shell(openvswitch_t)
- 
-+dev_read_rand(openvswitch_t)
- dev_read_urand(openvswitch_t)
-+dev_read_sysfs(openvswitch_t)
- 
- domain_use_interactive_fds(openvswitch_t)
- 
--files_read_etc_files(openvswitch_t)
-+files_read_kernel_modules(openvswitch_t)
- 
- fs_getattr_all_fs(openvswitch_t)
- fs_search_cgroup_dirs(openvswitch_t)
- 
-+auth_read_passwd(openvswitch_t)
-+
- logging_send_syslog_msg(openvswitch_t)
- 
--miscfiles_read_localization(openvswitch_t)
-+modutils_exec_insmod(openvswitch_t)
-+modutils_list_module_config(openvswitch_t)
-+modutils_read_module_config(openvswitch_t)
- 
- sysnet_dns_name_resolve(openvswitch_t)
- 
- optional_policy(`
- iptables_domtrans(openvswitch_t)
- ')
-+
-+optional_policy(`
-+ plymouthd_exec_plymouth(openvswitch_t)
-+')
-diff --git a/oracleasm.fc b/oracleasm.fc
-new file mode 100644
-index 0000000..80fb8c3
---- /dev/null
-+++ b/oracleasm.fc
-@@ -0,0 +1,4 @@
-+
-+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
-+
-+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
-diff --git a/oracleasm.if b/oracleasm.if
-new file mode 100644
-index 0000000..6ae382c
---- /dev/null
-+++ b/oracleasm.if
-@@ -0,0 +1,75 @@
-+
-+## policy for oracleasm
-+
-+########################################
-+##
-+## Transition to oracleasm.
-+##
-+##
-+##
-+## Domain allowed to transition. 
-+##
-+##
-+#
-+interface(`oracleasm_domtrans',`
-+ gen_require(`
-+ type oracleasm_t, oracleasm_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute oracleasm server in the oracleasm domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`oracleasm_initrc_domtrans',`
-+ gen_require(`
-+ type oracleasm_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an oracleasm environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`oracleasm_admin',`
-+ gen_require(`
-+ type oracleasm_t;
-+ type oracleasm_initrc_exec_t;
-+ ')
-+
-+ allow $1 oracleasm_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, oracleasm_t)
-+
-+ oracleasm_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 oracleasm_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+')
-+
-diff --git a/oracleasm.te b/oracleasm.te
-new file mode 100644
-index 0000000..0493b99
---- /dev/null
-+++ b/oracleasm.te
-@@ -0,0 +1,34 @@
-+policy_module(oracleasm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type oracleasm_t;
-+type oracleasm_exec_t;
-+init_daemon_domain(oracleasm_t, oracleasm_exec_t)
-+
-+type oracleasm_initrc_exec_t;
-+init_script_file(oracleasm_initrc_exec_t)
-+
-+########################################
-+#
-+# oracleasm local policy
-+#
-+
-+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
-+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
-+
-+domain_use_interactive_fds(oracleasm_t)
-+
-+corecmd_exec_shell(oracleasm_t)
-+corecmd_exec_bin(oracleasm_t)
-+
-+optional_policy(`
-+ mount_domtrans(oracleasm_t)
-+')
-+
-+optional_policy(`
-+
 modutils_domtrans_insmod(oracleasm_t)
-+')
-diff --git a/pacemaker.fc b/pacemaker.fc
-index 2f0ad56..d4da0b8 100644
---- a/pacemaker.fc
-+++ b/pacemaker.fc
-@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
- 
-+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
-+
- /usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
- 
- /var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-diff --git a/pacemaker.if b/pacemaker.if
-index 9682d9a..d47f913 100644
---- a/pacemaker.if
-+++ b/pacemaker.if
-@@ -1,9 +1,166 @@
--## A scalable high-availability cluster resource manager.
-+## >A scalable high-availability cluster resource manager.
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an pacemaker environment.
-+## Transition to pacemaker.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pacemaker_domtrans',`
-+ gen_require(`
-+ type pacemaker_t, pacemaker_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
-+')
-+
-+########################################
-+##
-+## Execute pacemaker server in the pacemaker domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_initrc_domtrans',`
-+ gen_require(`
-+ type pacemaker_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Search pacemaker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_search_lib',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read pacemaker lib files.
-+##
-+##
-+##
-+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`pacemaker_read_lib_files',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pacemaker lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_manage_lib_files',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pacemaker lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_manage_lib_dirs',`
-+ gen_require(`
-+ type pacemaker_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read pacemaker PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pacemaker_read_pid_files',`
-+ gen_require(`
-+ type pacemaker_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 pacemaker_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+##
-+## Execute pacemaker server in the pacemaker domain.
-+##
-+##
-+##
-+## Domain allowed to transition. 
-+##
-+##
-+#
-+interface(`pacemaker_systemctl',`
-+ gen_require(`
-+ type pacemaker_t;
-+ type pacemaker_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 pacemaker_unit_file_t:file read_file_perms;
-+ allow $1 pacemaker_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pacemaker_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pacemaker environment
- ##
- ##
- ##
-@@ -19,14 +176,17 @@
- #
- interface(`pacemaker_admin',`
- gen_require(`
-- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
-+ type pacemaker_t;
-+ type pacemaker_initrc_exec_t;
-+ type pacemaker_var_lib_t;
- type pacemaker_var_run_t;
-+ type pacemaker_unit_file_t;
- ')
- 
- allow $1 pacemaker_t:process { ptrace signal_perms };
- ps_process_pattern($1, pacemaker_t)
- 
-- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
-+ pacemaker_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
-@@ -36,4 +196,13 @@ interface(`pacemaker_admin',`
- 
- files_search_pids($1)
- admin_pattern($1, pacemaker_var_run_t)
-+
-+ pacemaker_systemctl($1)
-+ admin_pattern($1, pacemaker_unit_file_t)
-+ allow $1 pacemaker_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/pacemaker.te b/pacemaker.te
-index 3dd8ada..993c92c 100644
---- a/pacemaker.te
-+++ b/pacemaker.te
-@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
- # Declarations
- #
- 
-+##
-+##

    -+## Allow pacemaker memcheck-amd64- to use executable memory
-+##

    -+##
    -+gen_tunable(pacemaker_use_execmem, false)
-+
- type pacemaker_t;
- type pacemaker_exec_t;
- init_daemon_domain(pacemaker_t, pacemaker_exec_t)
-@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
- type pacemaker_initrc_exec_t;
- init_script_file(pacemaker_initrc_exec_t)
- 
-+type pacemaker_var_lib_t;
-+files_type(pacemaker_var_lib_t)
-+
-+type pacemaker_var_run_t;
-+files_pid_file(pacemaker_var_run_t)
-+
- type pacemaker_tmp_t;
- files_tmp_file(pacemaker_tmp_t)
- 
- type pacemaker_tmpfs_t;
- files_tmpfs_file(pacemaker_tmpfs_t)
- 
--type pacemaker_var_lib_t;
--files_type(pacemaker_var_lib_t)
--
--type pacemaker_var_run_t;
--files_pid_file(pacemaker_var_run_t)
-+type pacemaker_unit_file_t;
-+systemd_unit_file(pacemaker_unit_file_t)
- 
- ########################################
- #
-@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t)
- #
- 
- allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
-+allow pacemaker_t self:capability2 block_suspend;
- allow pacemaker_t self:process { setrlimit signal setpgid };
- allow pacemaker_t self:fifo_file rw_fifo_file_perms;
- allow pacemaker_t self:unix_stream_socket { connectto accept listen };
- 
- manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
- manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
--files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
-+manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
- 
- manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
- manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
-@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
- corecmd_exec_bin(pacemaker_t)
- corecmd_exec_shell(pacemaker_t)
- 
-+domain_use_interactive_fds(pacemaker_t)
-+domain_read_all_domains_state(pacemaker_t)
-+
- dev_getattr_mtrr_dev(pacemaker_t)
- dev_read_rand(pacemaker_t)
-
 dev_read_urand(pacemaker_t)
- 
--domain_read_all_domains_state(pacemaker_t)
--domain_use_interactive_fds(pacemaker_t)
--
- files_read_kernel_symbol_table(pacemaker_t)
- 
- fs_getattr_all_fs(pacemaker_t)
-@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
- 
- logging_send_syslog_msg(pacemaker_t)
- 
--miscfiles_read_localization(pacemaker_t)
-+sysnet_domtrans_ifconfig(pacemaker_t)
-+
-+tunable_policy(`pacemaker_use_execmem',`
-+ allow pacemaker_t self:process { execmem };
-+')
- 
- optional_policy(`
- corosync_read_log(pacemaker_t)
-+ corosync_setattr_log(pacemaker_t)
- corosync_stream_connect(pacemaker_t)
-+ corosync_rw_tmpfs(pacemaker_t)
-+')
-+
-+optional_policy(`
-+ #executes heartbeat lib files
-+ rgmanager_execute_lib(pacemaker_t)
- ')
-diff --git a/pads.if b/pads.if
-index 6e097c9..503c97a 100644
---- a/pads.if
-+++ b/pads.if
-@@ -17,15 +17,19 @@
- ##
- ##
- #
--interface(`pads_admin', `
-+interface(`pads_admin',`
- gen_require(`
- type pads_t, pads_config_t, pads_var_run_t;
- type pads_initrc_exec_t;
- ')
- 
-- allow $1 pads_t:process { ptrace signal_perms };
-+ allow $1 pads_t:process signal_perms;
- ps_process_pattern($1, pads_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 pads_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
-diff --git a/pads.te b/pads.te
-index 29a7364..446e5ca 100644
---- a/pads.te
-+++ b/pads.te
-@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
- #
- 
- allow pads_t self:capability { dac_override net_raw };
-+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
- allow pads_t self:packet_socket create_socket_perms;
- allow pads_t self:socket create_socket_perms;
-+allow pads_t self:udp_socket create_socket_perms;
-+allow pads_t self:unix_dgram_socket create_socket_perms;
- 
- allow pads_t pads_config_t:file manage_file_perms;
- files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -39,7 +42,6 @@ 
kernel_read_network_state(pads_t) - - corecmd_search_bin(pads_t) - --corenet_all_recvfrom_unlabeled(pads_t) - corenet_all_recvfrom_netlabel(pads_t) - corenet_tcp_sendrecv_generic_if(pads_t) - corenet_tcp_sendrecv_generic_node(pads_t) -@@ -52,11 +54,8 @@ dev_read_rand(pads_t) - dev_read_urand(pads_t) - dev_read_sysfs(pads_t) - --files_read_etc_files(pads_t) - files_search_spool(pads_t) - --miscfiles_read_localization(pads_t) -- - logging_send_syslog_msg(pads_t) - - sysnet_dns_name_resolve(pads_t) -diff --git a/passenger.fc b/passenger.fc -index 2c389ea..9155bd0 100644 ---- a/passenger.fc -+++ b/passenger.fc -@@ -1,10 +1,12 @@ --/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) --/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) --/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) --/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) - --/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) -+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0) - --/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) -+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) - --/var/run/passenger(/.*)? 
gen_context(system_u:object_r:passenger_var_run_t,s0) -+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) -+ -+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) -diff --git a/passenger.if b/passenger.if -index bf59ef7..0ec51d4 100644 ---- a/passenger.if -+++ b/passenger.if -@@ -15,17 +15,16 @@ interface(`passenger_domtrans',` - type passenger_t, passenger_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, passenger_exec_t, passenger_t) - ') - - ###################################### - ## --## Execute passenger in the caller domain. -+## Execute passenger in the current domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## - # -@@ -34,13 +33,30 @@ interface(`passenger_exec',` - type passenger_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, passenger_exec_t) - ') - -+####################################### -+## -+## Getattr passenger log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`passenger_getattr_log_files',` -+ gen_require(` -+ type passenger_log_t; -+ ') -+ -+ getattr_files_pattern($1, passenger_log_t, passenger_log_t) -+') -+ - ######################################## - ## --## Read passenger lib files. -+## Read passenger lib files - ## - ## - ## -@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',` - type passenger_var_lib_t; - ') - -- files_search_var_lib($1) - read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Manage passenger lib files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`passenger_manage_lib_files',` -+ gen_require(` -+ type passenger_var_lib_t; -+ ') -+ -+ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+##################################### -+## -+## Manage passenger var_run content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`passenger_manage_pid_content',` -+ gen_require(` -+ type passenger_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) -+') -+ -+######################################## -+## -+## Connect to passenger unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`passenger_stream_connect',` -+ gen_require(` -+ type passenger_t; -+ type passenger_tmp_t; -+ type passenger_var_run_t; -+ ') -+ -+ -+ -+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t) -+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t) -+') -+ -+####################################### -+## -+## Allow to manage passenger tmp files/dirs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`passenger_manage_tmp_files',` -+ gen_require(` -+ type passenger_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) -+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) - ') -diff --git a/passenger.te b/passenger.te -index 4e114ff..1b1cb71 100644 ---- a/passenger.te -+++ b/passenger.te -@@ -1,4 +1,4 @@ --policy_module(passanger, 1.0.3) -+policy_module(passanger, 1.0.0) - - ######################################## - # -@@ -14,6 +14,9 @@ role system_r types passenger_t; - type passenger_log_t; - logging_log_file(passenger_log_t) - -+type passenger_tmp_t; -+files_tmp_file(passenger_tmp_t) -+ - type passenger_var_lib_t; - files_type(passenger_var_lib_t) - -@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t) - - ######################################## - # --# Local policy -+# passanger local policy - # - - allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; --allow passenger_t self:process { setpgid setsched sigkill signal }; -+allow passenger_t self:process { setpgid setsched sigkill signal signull }; - allow passenger_t self:fifo_file rw_fifo_file_perms; --allow passenger_t self:unix_stream_socket { accept connectto listen }; -+allow passenger_t self:tcp_socket listen; -+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+can_exec(passenger_t, passenger_exec_t) - - manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) --append_files_pattern(passenger_t, passenger_log_t, passenger_log_t) --create_files_pattern(passenger_t, passenger_log_t, passenger_log_t) --setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t) --logging_log_filetrans(passenger_t, passenger_log_t, file) -+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -+logging_log_filetrans(passenger_t, passenger_log_t, { dir file }) - - manage_dirs_pattern(passenger_t, 
passenger_var_lib_t, passenger_var_lib_t) - manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -+files_search_var_lib(passenger_t) - - manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) - manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) - manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) - files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) - --can_exec(passenger_t, passenger_exec_t) -+#needed by puppet -+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) -+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) -+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) -+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file }) - - kernel_read_system_state(passenger_t) - kernel_read_kernel_sysctls(passenger_t) -+kernel_read_network_state(passenger_t) -+kernel_read_net_sysctls(passenger_t) - - corenet_all_recvfrom_netlabel(passenger_t) --corenet_all_recvfrom_unlabeled(passenger_t) - corenet_tcp_sendrecv_generic_if(passenger_t) - corenet_tcp_sendrecv_generic_node(passenger_t) -- --corenet_sendrecv_http_client_packets(passenger_t) - corenet_tcp_connect_http_port(passenger_t) --corenet_tcp_sendrecv_http_port(passenger_t) -+corenet_tcp_connect_postgresql_port(passenger_t) - - corecmd_exec_bin(passenger_t) - corecmd_exec_shell(passenger_t) -@@ -66,14 +74,14 @@ dev_read_urand(passenger_t) - - domain_read_all_domains_state(passenger_t) - --files_read_etc_files(passenger_t) -- - auth_use_nsswitch(passenger_t) - - logging_send_syslog_msg(passenger_t) - - miscfiles_read_localization(passenger_t) - -+sysnet_exec_ifconfig(passenger_t) -+ - userdom_dontaudit_use_user_terminals(passenger_t) - - optional_policy(` -@@ -90,14 +98,21 @@ optional_policy(` - ') - - optional_policy(` -- 
puppet_manage_lib_files(passenger_t) -+ mysql_stream_connect(passenger_t) -+ mysql_list_db(passenger_t) -+') -+ -+optional_policy(` -+ puppet_domtrans_master(passenger_t) -+ puppet_manage_lib(passenger_t) - puppet_read_config(passenger_t) -- puppet_append_log_files(passenger_t) -- puppet_create_log_files(passenger_t) -- puppet_read_log_files(passenger_t) -+ puppet_append_log(passenger_t) -+ puppet_create_log(passenger_t) -+ puppet_read_log(passenger_t) -+ puppet_search_pid(passenger_t) - ') - - optional_policy(` -- rpm_exec(passenger_t) -- rpm_read_db(passenger_t) -+ rpm_exec(passenger_t) -+ rpm_read_db(passenger_t) - ') -diff --git a/pcmcia.te b/pcmcia.te -index 3ad10b5..49baca5 100644 ---- a/pcmcia.te -+++ b/pcmcia.te -@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) - - logging_send_syslog_msg(cardmgr_t) - --miscfiles_read_localization(cardmgr_t) -- - modutils_domtrans_insmod(cardmgr_t) - - sysnet_domtrans_ifconfig(cardmgr_t) - sysnet_etc_filetrans_config(cardmgr_t) - sysnet_manage_config(cardmgr_t) - --userdom_use_user_terminals(cardmgr_t) -+userdom_use_inherited_user_terminals(cardmgr_t) - userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) - userdom_dontaudit_search_user_home_dirs(cardmgr_t) - - optional_policy(` -- seutil_dontaudit_read_config(cardmgr_t) - seutil_sigchld_newrole(cardmgr_t) - ') - -diff --git a/pcscd.if b/pcscd.if -index 43d50f9..7f77d32 100644 ---- a/pcscd.if -+++ b/pcscd.if -@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',` - ') - - files_search_pids($1) -- allow $1 pcscd_var_run_t:file read_file_perms; -+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) - ') - - ######################################## -diff --git a/pcscd.te b/pcscd.te -index 96db654..ff3aadd 100644 ---- a/pcscd.te -+++ b/pcscd.te -@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") - allow pcscd_t self:capability { dac_override dac_read_search fsetid }; - allow pcscd_t self:process signal; - allow pcscd_t self:fifo_file rw_fifo_file_perms; --allow 
pcscd_t self:unix_stream_socket { accept listen }; --allow pcscd_t self:tcp_socket { accept listen }; -+allow pcscd_t self:unix_stream_socket create_stream_socket_perms; -+allow pcscd_t self:unix_dgram_socket create_socket_perms; -+allow pcscd_t self:tcp_socket create_stream_socket_perms; - allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) - - kernel_read_system_state(pcscd_t) - --corenet_all_recvfrom_unlabeled(pcscd_t) - corenet_all_recvfrom_netlabel(pcscd_t) - corenet_tcp_sendrecv_generic_if(pcscd_t) - corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t) - dev_rw_usbfs(pcscd_t) - dev_read_sysfs(pcscd_t) - --files_read_etc_files(pcscd_t) - files_read_etc_runtime_files(pcscd_t) - - term_use_unallocated_ttys(pcscd_t) -@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t) - - logging_send_syslog_msg(pcscd_t) - --miscfiles_read_localization(pcscd_t) -- - sysnet_dns_name_resolve(pcscd_t) - - optional_policy(` -@@ -85,3 +82,7 @@ optional_policy(` - optional_policy(` - udev_read_db(pcscd_t) - ') -+ -+optional_policy(` -+ virt_rw_svirt_dev(pcscd_t) -+') -diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..31122bd 100644 ---- a/pegasus.fc -+++ b/pegasus.fc -@@ -1,15 +1,26 @@ --/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -+ -+/etc/Pegasus(/.*)? 
gen_context(system_u:object_r:pegasus_conf_t,s0) - /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - --/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) -+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) - --/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) --/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - --/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) - --/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) - --/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/var/lib/openlmi-storage(/.*)? 
gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) - --/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -+#openlmi agents -+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) -+ -+ -+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) -diff --git a/pegasus.if b/pegasus.if -index d2fc677..ded726f 100644 ---- a/pegasus.if -+++ b/pegasus.if -@@ -1,52 +1,59 @@ - ## The Open Group Pegasus CIM/WBEM Server. - -+###################################### -+## -+## Creates types and rules for a basic -+## openlmi init daemon domain. -+## -+## -+## -+## Prefix for the domain. 
-+## -+## -+# -+template(`pegasus_openlmi_domain_template',` -+ gen_require(` -+ attribute pegasus_openlmi_domain; -+ type pegasus_t; -+ ') -+ -+ ############################## -+ # -+ # Declarations -+ # -+ -+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain; -+ type pegasus_openlmi_$1_exec_t; -+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t) -+ -+ ############################## -+ # -+ # Local policy -+ # -+ -+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) -+ -+ kernel_read_system_state(pegasus_openlmi_$1_t) -+ logging_send_syslog_msg(pegasus_openlmi_$1_t) -+') -+ - ######################################## - ## --## All of the rules required to --## administrate an pegasus environment. -+## Connect to pegasus over a unix stream socket. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Role allowed access. --## --## --## - # --interface(`pegasus_admin',` -+interface(`pegasus_stream_connect',` - gen_require(` -- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; -- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; -- type pegasus_mof_t, pegasus_var_run_t; -+ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t; - ') - -- allow $1 pegasus_t:process { ptrace signal_perms }; -- ps_process_pattern($1, pegasus_t) -- -- init_labeled_script_domtrans($1, pegasus_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 pegasus_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, pegasus_conf_t) -- -- files_search_usr($1) -- admin_pattern($1, pegasus_mof_t) -- -- files_search_tmp($1) -- admin_pattern($1, pegasus_tmp_t) -- -- files_search_var($1) -- admin_pattern($1, pegasus_cache_t) -- -- files_search_var_lib($1) -- admin_pattern($1, pegasus_data_t) -- - files_search_pids($1) -- admin_pattern($1, pegasus_var_run_t) -+ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t) -+ stream_connect_pattern($1, pegasus_tmp_t, 
pegasus_tmp_t, pegasus_t) - ') -+ -diff --git a/pegasus.te b/pegasus.te -index 7bcf327..22a5b66 100644 ---- a/pegasus.te -+++ b/pegasus.te -@@ -1,17 +1,16 @@ --policy_module(pegasus, 1.8.3) -+policy_module(pegasus, 1.8.0) - - ######################################## - # - # Declarations - # - -+attribute pegasus_openlmi_domain; -+ - type pegasus_t; - type pegasus_exec_t; - init_daemon_domain(pegasus_t, pegasus_exec_t) - --type pegasus_initrc_exec_t; --init_script_file(pegasus_initrc_exec_t) -- - type pegasus_cache_t; - files_type(pegasus_cache_t) - -@@ -30,20 +29,269 @@ files_type(pegasus_mof_t) - type pegasus_var_run_t; - files_pid_file(pegasus_var_run_t) - -+# pegasus openlmi providers -+pegasus_openlmi_domain_template(admin) -+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; -+ -+pegasus_openlmi_domain_template(account) -+domain_obj_id_change_exemption(pegasus_openlmi_account_t) -+domain_system_change_exemption(pegasus_openlmi_account_t) -+ -+pegasus_openlmi_domain_template(logicalfile) -+pegasus_openlmi_domain_template(services) -+ -+pegasus_openlmi_domain_template(storage) -+type pegasus_openlmi_storage_tmp_t; -+files_tmp_file(pegasus_openlmi_storage_tmp_t) -+ -+type pegasus_openlmi_storage_lib_t; -+files_type(pegasus_openlmi_storage_lib_t) -+ -+pegasus_openlmi_domain_template(system) -+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; -+pegasus_openlmi_domain_template(unconfined) -+ -+####################################### -+# -+# pegasus openlmi providers local policy -+# -+ -+allow pegasus_openlmi_domain self:capability { setuid setgid }; -+ -+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; -+allow pegasus_openlmi_domain self:udp_socket create_socket_perms; -+ -+manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+ -+corecmd_exec_bin(pegasus_openlmi_domain) 
-+corecmd_exec_shell(pegasus_openlmi_domain) -+ -+dev_read_sysfs(pegasus_openlmi_domain) -+ -+auth_read_passwd(pegasus_openlmi_domain) -+ -+sysnet_read_config(pegasus_openlmi_domain) -+ -+optional_policy(` -+ pegasus_stream_connect(pegasus_openlmi_domain) -+') -+ -+###################################### -+# -+# pegasus openlmi account local policy -+# -+ -+allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid }; -+allow pegasus_openlmi_account_t self:process setfscreate; -+ -+auth_manage_passwd(pegasus_openlmi_account_t) -+auth_manage_shadow(pegasus_openlmi_account_t) -+auth_relabel_shadow(pegasus_openlmi_account_t) -+auth_read_login_records(pegasus_openlmi_account_t) -+auth_etc_filetrans_shadow(pegasus_openlmi_account_t) -+ -+logging_send_audit_msgs(pegasus_openlmi_account_t) -+logging_send_syslog_msg(pegasus_openlmi_account_t) -+ -+init_rw_utmp(pegasus_openlmi_account_t) -+ -+seutil_semanage_policy(pegasus_openlmi_account_t) -+ -+logging_send_syslog_msg(pegasus_openlmi_account_t) -+ -+seutil_read_config(pegasus_openlmi_account_t) -+seutil_read_file_contexts(pegasus_openlmi_account_t) -+seutil_read_default_contexts(pegasus_openlmi_account_t) -+ -+# Add/remove user home directories -+userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t) -+userdom_manage_home_role(system_r, pegasus_openlmi_account_t) -+userdom_delete_all_user_home_content(pegasus_openlmi_account_t) -+ -+optional_policy(` -+ # run userdel -+ usermanage_domtrans_useradd(pegasus_openlmi_account_t) -+') -+ -+###################################### -+# -+# pegasus openlmi logicalfile local policy -+# -+ -+allow pegasus_openlmi_logicalfile_t self:capability { dac_override }; -+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t) -+files_manage_non_security_files(pegasus_openlmi_logicalfile_t) -+ -+dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t) -+dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t) -+ 
-+files_list_all(pegasus_openlmi_logicalfile_t) -+files_read_all_files(pegasus_openlmi_logicalfile_t) -+files_read_all_symlinks(pegasus_openlmi_logicalfile_t) -+files_read_all_blk_files(pegasus_openlmi_logicalfile_t) -+files_read_all_chr_files(pegasus_openlmi_logicalfile_t) -+files_getattr_all_pipes(pegasus_openlmi_logicalfile_t) -+files_getattr_all_sockets(pegasus_openlmi_logicalfile_t) -+ -+# Add/remove user home directories -+userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t) -+userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t) -+userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t) -+ -+optional_policy(` -+ # it can delete/create empty dirs -+ # so we want to have unconfined_domain attribute for filename rules -+ unconfined_domain(pegasus_openlmi_logicalfile_t) -+') -+ -+###################################### -+# -+# pegasus openlmi services local policy -+# -+ -+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms; -+ -+kernel_read_network_state(pegasus_openlmi_services_t) -+ -+optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_services_t) -+') -+ -+optional_policy(` -+ realmd_dbus_chat(pegasus_openlmi_services_t) -+') -+ -+optional_policy(` -+ sssd_stream_connect(pegasus_openlmi_services_t) -+') -+ -+###################################### -+# -+# pegasus openlmi system (networking) local policy -+# -+ -+allow pegasus_openlmi_system_t self:capability { net_admin }; -+ -+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms; -+ -+kernel_read_network_state(pegasus_openlmi_system_t) -+ -+dev_rw_sysfs(pegasus_openlmi_system_t) -+dev_read_urand(pegasus_openlmi_system_t) -+ -+optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_system_t) -+') -+ -+optional_policy(` -+ networkmanager_dbus_chat(pegasus_openlmi_system_t) -+') -+ -+###################################### -+# -+# pegasus openlmi service local policy -+# -+ 
-+init_disable_services(pegasus_openlmi_admin_t) -+init_enable_services(pegasus_openlmi_admin_t) -+init_reload_services(pegasus_openlmi_admin_t) -+init_exec(pegasus_openlmi_admin_t) -+ -+systemd_config_all_services(pegasus_openlmi_admin_t) -+systemd_manage_all_unit_files(pegasus_openlmi_admin_t) -+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t) -+ -+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; -+ -+optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_admin_t) -+') -+ -+###################################### -+# -+# pegasus openlmi storage local policy -+# -+ -+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio }; -+ -+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) -+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) -+files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file) -+ -+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) -+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) -+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) -+ -+kernel_read_all_sysctls(pegasus_openlmi_storage_t) -+kernel_get_sysvipc_info(pegasus_openlmi_storage_t) -+ -+dev_read_rand(pegasus_openlmi_storage_t) -+dev_read_urand(pegasus_openlmi_storage_t) -+ -+dev_rw_lvm_control(pegasus_openlmi_storage_t) -+dev_rw_sysfs(pegasus_openlmi_storage_t) -+ -+selinux_validate_context(pegasus_openlmi_storage_t) -+ -+seutil_read_file_contexts(pegasus_openlmi_storage_t) -+ -+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) -+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) -+ -+fs_getattr_all_fs(pegasus_openlmi_storage_t) -+ -+modutils_domtrans_insmod(pegasus_openlmi_storage_t) -+ -+udev_domtrans(pegasus_openlmi_storage_t) 
-+udev_read_pid_files(pegasus_openlmi_storage_t) -+ -+optional_policy(` -+ dmidecode_domtrans(pegasus_openlmi_storage_t) -+') -+ -+optional_policy(` -+ fstools_domtrans(pegasus_openlmi_storage_t) -+') -+ -+optional_policy(` -+ lvm_domtrans(pegasus_openlmi_storage_t) -+') -+ -+optional_policy(` -+ mount_domtrans(pegasus_openlmi_storage_t) -+') -+ -+optional_policy(` -+ raid_domtrans_mdadm(pegasus_openlmi_storage_t) -+ raid_filetrans_named_content(pegasus_openlmi_storage_t) -+ raid_manage_conf_files(pegasus_openlmi_storage_t) -+') -+ -+###################################### -+# -+# pegasus openlmi unconfined local policy -+# -+ -+optional_policy(` -+ unconfined_domain(pegasus_openlmi_unconfined_t) -+') -+ - ######################################## - # --# Local policy -+# pegasus local policy - # - - allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; - dontaudit pegasus_t self:capability sys_tty_config; --allow pegasus_t self:process signal; -+allow pegasus_t self:process { setsched signal }; - allow pegasus_t self:fifo_file rw_fifo_file_perms; --allow pegasus_t self:unix_stream_socket { connectto accept listen }; --allow pegasus_t self:tcp_socket { accept listen }; -+allow pegasus_t self:unix_dgram_socket create_socket_perms; -+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow pegasus_t self:tcp_socket create_stream_socket_perms; - - allow pegasus_t pegasus_conf_t:dir rw_dir_perms; --allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms }; -+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms }; - allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) - manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) - 
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) - manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) --filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file }) -+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) -+ -+can_exec(pegasus_t, pegasus_exec_t) - - allow pegasus_t pegasus_mof_t:dir list_dir_perms; --allow pegasus_t pegasus_mof_t:file read_file_perms; --allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms; -+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) -+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) - - manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) - manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) --files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file }) -+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) - -+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) - manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) - manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) --manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) --files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file }) -- --can_exec(pegasus_t, pegasus_exec_t) -+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) - - kernel_read_network_state(pegasus_t) - kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t) - kernel_read_xen_state(pegasus_t) - kernel_write_xen_state(pegasus_t) - --corenet_all_recvfrom_unlabeled(pegasus_t) - corenet_all_recvfrom_netlabel(pegasus_t) - corenet_tcp_sendrecv_generic_if(pegasus_t) - corenet_tcp_sendrecv_generic_node(pegasus_t) - corenet_tcp_sendrecv_all_ports(pegasus_t) - corenet_tcp_bind_generic_node(pegasus_t) -- --corenet_sendrecv_pegasus_http_server_packets(pegasus_t) - corenet_tcp_bind_pegasus_http_port(pegasus_t) -- 
--corenet_sendrecv_pegasus_https_server_packets(pegasus_t) - corenet_tcp_bind_pegasus_https_port(pegasus_t) -- --corenet_sendrecv_pegasus_http_client_packets(pegasus_t) - corenet_tcp_connect_pegasus_http_port(pegasus_t) -- --corenet_sendrecv_pegasus_https_client_packets(pegasus_t) - corenet_tcp_connect_pegasus_https_port(pegasus_t) -- --corenet_sendrecv_generic_client_packets(pegasus_t) - corenet_tcp_connect_generic_port(pegasus_t) -+corenet_sendrecv_generic_client_packets(pegasus_t) -+corenet_sendrecv_pegasus_http_client_packets(pegasus_t) -+corenet_sendrecv_pegasus_http_server_packets(pegasus_t) -+corenet_sendrecv_pegasus_https_client_packets(pegasus_t) -+corenet_sendrecv_pegasus_https_server_packets(pegasus_t) - - corecmd_exec_bin(pegasus_t) - corecmd_exec_shell(pegasus_t) -@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t) - - auth_use_nsswitch(pegasus_t) - auth_domtrans_chk_passwd(pegasus_t) -+auth_read_shadow(pegasus_t) - - domain_use_interactive_fds(pegasus_t) - domain_read_all_domains_state(pegasus_t) -@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t) - logging_send_audit_msgs(pegasus_t) - logging_send_syslog_msg(pegasus_t) - --miscfiles_read_localization(pegasus_t) -+mount_domtrans(pegasus_t) -+ -+sysnet_read_config(pegasus_t) -+sysnet_domtrans_ifconfig(pegasus_t) - - userdom_dontaudit_use_unpriv_user_fds(pegasus_t) - userdom_dontaudit_search_user_home_dirs(pegasus_t) - - optional_policy(` -- dbus_system_bus_client(pegasus_t) -- dbus_connect_system_bus(pegasus_t) -+ dbus_system_bus_client(pegasus_t) -+ dbus_connect_system_bus(pegasus_t) - -- optional_policy(` -- networkmanager_dbus_chat(pegasus_t) -- ') -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_t) -+ ') -+') -+ -+optional_policy(` -+ rhcs_stream_connect_cluster(pegasus_t) - ') - - optional_policy(` -@@ -151,16 +401,24 @@ optional_policy(` - ') - - optional_policy(` -- rpm_exec(pegasus_t) -+ ricci_stream_connect_modclusterd(pegasus_t) - ') - - optional_policy(` -- 
samba_manage_config(pegasus_t) -+ realmd_dbus_chat(pegasus_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(pegasus_t) -- seutil_dontaudit_read_config(pegasus_t) -+ rpc_read_exports(pegasus_t) -+ rpc_read_nfs_state_data(pegasus_t) -+') -+ -+optional_policy(` -+ rpm_domtrans(pegasus_t) -+') -+ -+optional_policy(` -+ samba_manage_config(pegasus_t) - ') - - optional_policy(` -@@ -168,7 +426,7 @@ optional_policy(` - ') - - optional_policy(` -- sysnet_domtrans_ifconfig(pegasus_t) -+ seutil_sigchld_newrole(pegasus_t) - ') - - optional_policy(` -diff --git a/pesign.fc b/pesign.fc -new file mode 100644 -index 0000000..7b54c39 ---- /dev/null -+++ b/pesign.fc -@@ -0,0 +1,6 @@ -+/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0) -+ -+/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0) -+ -+/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0) -+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) -diff --git a/pesign.if b/pesign.if -new file mode 100644 -index 0000000..abd5dd8 ---- /dev/null -+++ b/pesign.if -@@ -0,0 +1,98 @@ -+ -+## pesign utility for signing UEFI binaries as well as other associated tools -+ -+######################################## -+## -+## Execute TEMPLATE in the pesign domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`pesign_domtrans',` -+ gen_require(` -+ type pesign_t, pesign_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, pesign_exec_t, pesign_t) -+') -+######################################## -+## -+## Read pesign PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`pesign_read_pid_files',` -+ gen_require(` -+ type pesign_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t) -+') -+ -+######################################## -+## -+## Execute pesign server in the pesign domain. 
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pesign_systemctl',`
-+ gen_require(`
-+ type pesign_t;
-+ type pesign_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 pesign_unit_file_t:file read_file_perms;
-+ allow $1 pesign_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pesign_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pesign environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`pesign_admin',`
-+ gen_require(`
-+ type pesign_t;
-+ type pesign_var_run_t;
-+ type pesign_unit_file_t;
-+ ')
-+
-+ allow $1 pesign_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pesign_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, pesign_var_run_t)
-+
-+ pesign_systemctl($1)
-+ admin_pattern($1, pesign_unit_file_t)
-+ allow $1 pesign_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/pesign.te b/pesign.te
-new file mode 100644
-index 0000000..513887d
---- /dev/null
-+++ b/pesign.te
-@@ -0,0 +1,43 @@
-+policy_module(pesign, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pesign_t;
-+type pesign_exec_t;
-+init_daemon_domain(pesign_t, pesign_exec_t)
-+
-+type pesign_var_run_t;
-+files_pid_file(pesign_var_run_t)
-+
-+type pesign_unit_file_t;
-+systemd_unit_file(pesign_unit_file_t)
-+
-+########################################
-+#
-+# pesign local policy
-+#
-+
-+allow pesign_t self:capability { setgid setuid };
-+allow pesign_t self:process setsched;
-+allow pesign_t self:fifo_file rw_fifo_file_perms;
-+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
-+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
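Review bot: `pesign_admin` grants `allow $1 pesign_t:process { ptrace signal_perms };` unconditionally, while the pingd_admin change in this same patch splits that into `allow $1 pingd_t:process signal_perms;` plus a `tunable_policy` block on `deny_ptrace` that adds `ptrace` only when the boolean is off, so an administrator who sets deny_ptrace would still be able to trace pesign_t. The pesign rule should follow the pingd shape: keep `allow $1 pesign_t:process signal_perms;` and move the `ptrace` permission under the same `deny_ptrace` tunable_policy block; `pkcsslotd_admin` in the new pkcsslotd.if further down has the identical unconditional grant. Separately, the summary of `pesign_domtrans` still carries its template text, `## Execute TEMPLATE in the pesign domin.`, and should read `## Execute pesign in the pesign domain.`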
-+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
-+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
-+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
-+
-+dev_read_urand(pesign_t)
-+
-+files_dontaudit_list_tmp(pesign_t)
-+
-+auth_use_nsswitch(pesign_t)
-+
-+logging_send_syslog_msg(pesign_t)
-+
-+miscfiles_read_certs(pesign_t)
-+miscfiles_read_localization(pesign_t)
-diff --git a/pingd.if b/pingd.if
-index 21a6ecb..b99e4cb 100644
---- a/pingd.if
-+++ b/pingd.if
-@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
- ')
- 
- files_search_etc($1)
-- allow $1 pingd_etc_t:file manage_file_perms;
-+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
-+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
- ')
- 
- #######################################
-@@ -81,9 +82,13 @@ interface(`pingd_admin',`
- type pingd_initrc_exec_t;
- ')
- 
-- allow $1 pingd_t:process { ptrace signal_perms };
-+ allow $1 pingd_t:process signal_perms;
- ps_process_pattern($1, pingd_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 pingd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
-diff --git a/pingd.te b/pingd.te
-index 0f77942..0e3f230 100644
---- a/pingd.te
-+++ b/pingd.te
-@@ -10,7 +10,7 @@ type pingd_exec_t;
- init_daemon_domain(pingd_t, pingd_exec_t)
- 
- type pingd_etc_t;
--files_type(pingd_etc_t)
-+files_config_file(pingd_etc_t)
- 
- type pingd_initrc_exec_t;
- init_script_file(pingd_initrc_exec_t)
-@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t)
- files_search_usr(pingd_t)
- 
- logging_send_syslog_msg(pingd_t)
--
--miscfiles_read_localization(pingd_t)
-diff --git a/piranha.fc b/piranha.fc
-new file mode 100644
-index 0000000..20ea9f5
---- /dev/null
-+++ b/piranha.fc
-@@ -0,0 +1,24 @@
-+
-+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
-+
-+# RHEL6
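Review bot: pesign.te lets the signing daemon read certificates through `miscfiles_read_certs(pesign_t)`, but pesign.fc labels only the binary, the unit file and the pid directory, so the store holding the private signing keys pesign loads gets no type of its own from this module and is readable by every domain that can read whatever label that location already carries. Assuming the keys live on disk alongside the certificates (the module does not say where), a dedicated private type with its own file context, readable by pesign_t alone, would keep the key material out of the generic certificate read set; if they are intentionally kept under the generic label, a comment next to `miscfiles_read_certs(pesign_t)` such as `# signing keys are read from the generic certificate store` would make that deliberate.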
-+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
-+
-+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
-+
-+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
-+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
-+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
-+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
-+
-+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
-+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
-+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
-+
-+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
-+
-+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
-+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
-+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
-+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
-+
-diff --git a/piranha.if b/piranha.if
-new file mode 100644
-index 0000000..cf54103
---- /dev/null
-+++ b/piranha.if
-@@ -0,0 +1,187 @@
-+## policy for piranha
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## cluster init daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`piranha_domain_template',`
-+ gen_require(`
-+ attribute piranha_domain;
-+ ')
-+
-+ ##############################
-+ #
-+ # piranha_$1_t declarations
-+ #
-+
-+ type piranha_$1_t, piranha_domain;
-+ type piranha_$1_exec_t;
-+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
-+
-+ # tmpfs files
-+ type piranha_$1_tmpfs_t, piranha_tmpfs;
-+ files_tmpfs_file(piranha_$1_tmpfs_t)
-+
-+ # pid files
-+ type piranha_$1_var_run_t;
-+ files_pid_file(piranha_$1_var_run_t)
-+
-+ ##############################
-+ #
-+ # piranha_$1_t local policy
-+ #
-+
-+ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
-+ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
-+ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
-+
-+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
-+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
-+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
-+
-+ kernel_read_system_state(piranha_$1_t)
-+
-+ auth_use_nsswitch(piranha_$1_t)
-+
-+ logging_send_syslog_msg(piranha_$1_t)
-+')
-+
-+########################################
-+##
-+## Execute a domain transition to run fos.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_domtrans_fos',`
-+ gen_require(`
-+ type piranha_fos_t, piranha_fos_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run lvsd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_domtrans_lvs',`
-+ gen_require(`
-+ type piranha_lvs_t, piranha_lvs_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
-+')
-+
-+#######################################
-+##
-+## Execute a domain transition to run pulse.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_domtrans_pulse',`
-+ gen_require(`
-+ type piranha_pulse_t, piranha_pulse_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
-+')
-+
-+#######################################
-+##
-+## Execute pulse server in the pulse domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`piranha_pulse_initrc_domtrans',`
-+ gen_require(`
-+ type piranha_pulse_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to read piranha's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`piranha_read_log',`
-+ gen_require(`
-+ type piranha_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, piranha_log_t, piranha_log_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to append
-+## piranha log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`piranha_append_log',`
-+ gen_require(`
-+ type piranha_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, piranha_log_t, piranha_log_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to manage piranha log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`piranha_manage_log',`
-+ gen_require(`
-+ type piranha_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
-+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
-+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
-+')
-diff --git a/piranha.te b/piranha.te
-new file mode 100644
-index 0000000..a989aea
---- /dev/null
-+++ b/piranha.te
-@@ -0,0 +1,292 @@
-+policy_module(piranha, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##
-+## Allow piranha-lvs domain to connect to the network using TCP.
-+##
-+##
-+gen_tunable(piranha_lvs_can_network_connect, false)
-+
-+attribute piranha_domain;
-+attribute piranha_tmpfs;
-+
-+piranha_domain_template(fos)
-+
-+piranha_domain_template(lvs)
-+
-+piranha_domain_template(pulse)
-+
-+type piranha_pulse_initrc_exec_t;
-+init_script_file(piranha_pulse_initrc_exec_t)
-+
-+piranha_domain_template(web)
-+
-+type piranha_web_conf_t;
-+files_config_file(piranha_web_conf_t)
-+
-+type piranha_web_data_t;
-+files_type(piranha_web_data_t)
-+
-+type piranha_web_tmp_t;
-+files_tmp_file(piranha_web_tmp_t)
-+
-+type piranha_etc_rw_t;
-+files_config_file(piranha_etc_rw_t)
-+
-+type piranha_log_t;
-+logging_log_file(piranha_log_t)
-+
-+#######################################
-+#
-+# piranha-fos local policy
-+#
-+
-+kernel_read_kernel_sysctls(piranha_fos_t)
-+
-+domain_read_all_domains_state(piranha_fos_t)
-+
-+optional_policy(`
-+ consoletype_exec(piranha_fos_t)
-+')
-+
-+# start and stop services
-+init_domtrans_script(piranha_fos_t)
-+
-+########################################
-+#
-+# piranha-gui local policy
-+#
-+
-+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal signull };
-+
-+allow piranha_web_t self:rawip_socket create_socket_perms;
-+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
-+allow piranha_web_t self:sem create_sem_perms;
-+allow piranha_web_t self:shm create_shm_perms;
-+
-+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
-+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
-+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
-+
-+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
-+
-+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
-+
-+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
-+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
-+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
-+
-+can_exec(piranha_web_t, piranha_web_tmp_t)
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
-+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
-+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
-+
-+piranha_pulse_initrc_domtrans(piranha_web_t)
-+
-+kernel_read_kernel_sysctls(piranha_web_t)
-+
-+corenet_tcp_bind_http_cache_port(piranha_web_t)
-+corenet_tcp_bind_luci_port(piranha_web_t)
-+corenet_tcp_bind_servistaitsm_port(piranha_web_t)
-+corenet_tcp_connect_ricci_port(piranha_web_t)
-+
-+dev_read_rand(piranha_web_t)
-+dev_read_urand(piranha_web_t)
-+
-+domain_read_all_domains_state(piranha_web_t)
-+
-+
-+optional_policy(`
-+ consoletype_exec(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ apache_read_config(piranha_web_t)
-+ apache_exec_modules(piranha_web_t)
-+ apache_exec(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ sasl_connect(piranha_web_t)
-+')
-+
-+optional_policy(`
-+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
-+')
-+
-+######################################
-+#
-+# piranha-lvs local policy
-+#
-+
-+# neede by nanny
-+allow piranha_lvs_t self:capability { net_raw sys_nice };
-+allow piranha_lvs_t self:process signal;
-+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
-+allow piranha_lvs_t self:rawip_socket create_socket_perms;
-+
-+manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
-+manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
-+
-+kernel_read_kernel_sysctls(piranha_lvs_t)
-+
-+# needed by nanny
-+corenet_tcp_connect_ftp_port(piranha_lvs_t)
-+corenet_tcp_connect_http_port(piranha_lvs_t)
-+corenet_tcp_connect_smtp_port(piranha_lvs_t)
-+
-+sysnet_dns_name_resolve(piranha_lvs_t)
-+
-+# needed by nanny
-+tunable_policy(`piranha_lvs_can_network_connect',`
-+ corenet_tcp_connect_all_ports(piranha_lvs_t)
-+')
-+
-+# needed by ipvsadm
-+optional_policy(`
-+ iptables_domtrans(piranha_lvs_t)
-+')
-+
-+#######################################
-+#
-+# piranha-pulse local policy
-+#
-+
-+allow piranha_pulse_t self:capability net_admin;
-+
-+allow piranha_pulse_t self:packet_socket create_socket_perms;
-+
-+# pulse starts fos and lvs daemon
-+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
-+allow piranha_pulse_t piranha_fos_t:process signal;
-+
-+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
-+allow piranha_pulse_t piranha_lvs_t:process signal;
-+
-+kernel_read_kernel_sysctls(piranha_pulse_t)
-+kernel_read_rpc_sysctls(piranha_pulse_t)
-+kernel_rw_rpc_sysctls(piranha_pulse_t)
-+kernel_search_debugfs(piranha_pulse_t)
-+kernel_search_network_state(piranha_pulse_t)
-+
-+corecmd_exec_bin(piranha_pulse_t)
-+corecmd_exec_shell(piranha_pulse_t)
-+optional_policy(`
-+ consoletype_exec(piranha_pulse_t)
-+')
-+
-+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
-+corenet_udp_bind_cma_port(piranha_pulse_t)
-+
-+domain_read_all_domains_state(piranha_pulse_t)
-+domain_getattr_all_domains(piranha_pulse_t)
-+
-+fs_getattr_all_fs(piranha_pulse_t)
-+
-+init_initrc_domain(piranha_pulse_t)
-+
-+logging_send_syslog_msg(piranha_pulse_t)
-+
-+# various services to failover
-+
-+optional_policy(`
-+ apache_domtrans(piranha_pulse_t)
-+ apache_signal(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ ftp_domtrans(piranha_pulse_t)
-+ ftp_initrc_domtrans(piranha_pulse_t)
-+ ftp_systemctl(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ ldap_systemctl(piranha_pulse_t)
-+ ldap_initrc_domtrans(piranha_pulse_t)
-+ ldap_domtrans(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ mysql_domtrans_mysql_safe(piranha_pulse_t)
-+ mysql_stream_connect(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans(piranha_pulse_t)
-+ netutils_domtrans_ping(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ postgresql_domtrans(piranha_pulse_t)
-+ postgresql_signal(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ samba_initrc_domtrans(piranha_pulse_t)
-+ samba_systemctl(piranha_pulse_t)
-+ samba_domtrans_smbd(piranha_pulse_t)
-+ samba_domtrans_nmbd(piranha_pulse_t)
-+ samba_manage_var_files(piranha_pulse_t)
-+ samba_rw_config(piranha_pulse_t)
-+ samba_signal_smbd(piranha_pulse_t)
-+ samba_signal_nmbd(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(piranha_pulse_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(piranha_pulse_t)
-+')
-+
-+####################################
-+#
-+# piranha domains common policy
-+#
-+
-+allow piranha_domain self:process signal_perms;
-+allow piranha_domain self:fifo_file rw_fifo_file_perms;
-+allow piranha_domain self:tcp_socket create_stream_socket_perms;
-+allow piranha_domain self:udp_socket create_socket_perms;
-+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
-+
-+manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
-+manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
-+
-+kernel_read_network_state(piranha_domain)
-+
-+corenet_tcp_sendrecv_generic_if(piranha_domain)
-+corenet_udp_sendrecv_generic_if(piranha_domain)
-+corenet_tcp_sendrecv_generic_node(piranha_domain)
-+corenet_udp_sendrecv_generic_node(piranha_domain)
-+corenet_tcp_sendrecv_all_ports(piranha_domain)
-+corenet_udp_sendrecv_all_ports(piranha_domain)
-+corenet_tcp_bind_generic_node(piranha_domain)
-+corenet_udp_bind_generic_node(piranha_domain)
-+
-+corecmd_exec_bin(piranha_domain)
-+corecmd_exec_shell(piranha_domain)
-+
-+sysnet_read_config(piranha_domain)
-diff --git a/pkcs.fc b/pkcs.fc
-deleted file mode 100644
-index f9dc0be..0000000
----
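Review bot: the two rules under `# piranha domains common policy`, `manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)` and `manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)`, name piranha_pulse_t while every other subject in that section is the piranha_domain attribute, so a pulse-only grant over all per-domain tmpfs files is filed where a reader expects shared rules. Either they belong in the `# piranha-pulse local policy` section next to the other pulse rules, or, if pulse is meant to be the one writer of every domain's tmpfs files, a comment `# pulse manages the tmpfs files of every piranha domain` above them would explain the exception; the uneven spacing around the commas can be fixed at the same time. Also `# neede by nanny` in the lvs section should read `# needed by nanny`.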
a/pkcs.fc
-+++ /dev/null
-@@ -1,7 +0,0 @@
--/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
--
--/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
--
--/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
--
--/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
-diff --git a/pkcs.if b/pkcs.if
-deleted file mode 100644
-index 69be2aa..0000000
---- a/pkcs.if
-+++ /dev/null
-@@ -1,45 +0,0 @@
--## Implementations of the Cryptoki specification.
--
--########################################
--##
--## All of the rules required to
--## administrate an pkcs slotd environment.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
--##
--##
--##
--#
--interface(`pkcs_admin_slotd',`
-- gen_require(`
-- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
-- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
-- ')
--
-- allow $1 pkcs_slotd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, pkcs_slotd_t)
--
-- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_var_lib($1)
-- admin_pattern($1, pkcs_slotd_var_lib_t)
--
-- files_search_pids($1)
-- admin_pattern($1, pkcs_slotd_var_run_t)
--
-- files_search_tmp($1)
-- admin_pattern($1, pkcs_slotd_tmp_t)
--
-- fs_search_tmpfs($1)
-- admin_pattern($1, pkcs_slotd_tmpfs_t)
--')
-diff --git a/pkcs.te b/pkcs.te
-deleted file mode 100644
-index 977b972..0000000
---- a/pkcs.te
-+++ /dev/null
-@@ -1,58 +0,0 @@
--policy_module(pkcs, 1.0.0)
--
--########################################
--#
--# Declarations
--#
--
--type pkcs_slotd_t;
--type pkcs_slotd_exec_t;
--init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
--
--type pkcs_slotd_initrc_exec_t;
--init_script_file(pkcs_slotd_initrc_exec_t)
--
--type pkcs_slotd_var_lib_t;
--files_type(pkcs_slotd_var_lib_t)
--
--type pkcs_slotd_var_run_t;
--files_pid_file(pkcs_slotd_var_run_t)
--
--type pkcs_slotd_tmp_t;
--files_tmp_file(pkcs_slotd_tmp_t)
--
--type pkcs_slotd_tmpfs_t;
--files_tmpfs_file(pkcs_slotd_tmpfs_t)
--
--########################################
--#
--# Local policy
--#
--
--allow pkcs_slotd_t self:capability kill;
--allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
--allow pkcs_slotd_t self:sem create_sem_perms;
--allow pkcs_slotd_t self:shm create_shm_perms;
--allow pkcs_slotd_t self:unix_stream_socket { accept listen };
--
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
--manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
--files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
--
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
--files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
--
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
--files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
--
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
--fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
--
--files_read_etc_files(pkcs_slotd_t)
--
--logging_send_syslog_msg(pkcs_slotd_t)
--
--miscfiles_read_localization(pkcs_slotd_t)
-diff --git a/pkcsslotd.fc b/pkcsslotd.fc
-new file mode 100644
-index 0000000..29d7c1c
---- /dev/null
-+++ b/pkcsslotd.fc
-@@ -0,0 +1,9 @@
-+/usr/lib/systemd/system/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
-+
-+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
-+
-+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
-+
-+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
-+
-+/var/run/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_var_run_t,s0)
-diff --git a/pkcsslotd.if b/pkcsslotd.if
-new file mode 100644
-index 0000000..848ddc9
---- /dev/null
-+++ b/pkcsslotd.if
-@@ -0,0 +1,155 @@
-+
-+## policy for pkcsslotd
-+
-+########################################
-+##
-+## Transition to pkcsslotd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pkcsslotd_domtrans',`
-+ gen_require(`
-+ type pkcsslotd_t, pkcsslotd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t)
-+')
-+
-+########################################
-+##
-+## Search pkcsslotd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_search_lib',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read pkcsslotd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_read_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pkcsslotd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_manage_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pkcsslotd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_manage_lib_dirs',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute pkcsslotd server in the pkcsslotd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pkcsslotd_systemctl',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 pkcsslotd_unit_file_t:file read_file_perms;
-+ allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pkcsslotd_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pkcsslotd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_admin',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_var_lib_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ allow $1 pkcsslotd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pkcsslotd_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, pkcsslotd_var_lib_t)
-+
-+ pkcsslotd_systemctl($1)
-+ admin_pattern($1, pkcsslotd_unit_file_t)
-+ allow $1 pkcsslotd_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/pkcsslotd.te b/pkcsslotd.te
-new file mode 100644
-index 0000000..2ce92e0
---- /dev/null
-+++ b/pkcsslotd.te
-@@ -0,0 +1,67 @@
-+policy_module(pkcsslotd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pkcsslotd_t;
-+type pkcsslotd_exec_t;
-+init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t)
-+
-+type pkcsslotd_var_lib_t;
-+files_type(pkcsslotd_var_lib_t)
-+
-+type pkcsslotd_lock_t;
-+files_lock_file(pkcsslotd_lock_t)
-+
-+type pkcsslotd_unit_file_t;
-+systemd_unit_file(pkcsslotd_unit_file_t)
-+
-+type pkcsslotd_tmp_t;
-+files_tmp_file(pkcsslotd_tmp_t)
-+
-+type pkcsslotd_tmpfs_t;
-+files_tmpfs_file(pkcsslotd_tmpfs_t)
-+
-+type pkcsslotd_var_run_t;
-+files_pid_file(pkcsslotd_var_run_t)
-+
-+########################################
-+#
-+# pkcsslotd local policy
-+#
-+
-+allow pkcsslotd_t self:capability { fsetid chown kill };
-+
-+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
-+allow pkcsslotd_t self:sem create_sem_perms;
-+allow pkcsslotd_t self:shm create_shm_perms;
-+allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)
-+files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })
-+
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+manage_sock_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file dir })
-+
-+domain_use_interactive_fds(pkcsslotd_t)
-+
-+auth_read_passwd(pkcsslotd_t)
-+
-+logging_send_syslog_msg(pkcsslotd_t)
-diff --git a/pki.fc b/pki.fc
-new file mode 100644
-index 0000000..726d992
---- /dev/null
-+++ b/pki.fc
-@@ -0,0 +1,56
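Review bot: `files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })` carries no name argument, so anything pkcsslotd creates directly in the var-lib directory, not only the `/var/lib/opencryptoki(/.*)?` tree that pkcsslotd.fc pins, is created as pkcsslotd_var_lib_t. If the daemon only ever creates that one directory, the named form `files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, dir, "opencryptoki")` confines the transition to it; if it creates nothing there itself (the directory is presumably shipped by the package, which the hunk cannot show), the transition can go and the manage_*_pattern rules already cover the labelled tree. The same question applies to `files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file dir })` against the `/var/run/pkcsslotd.*` pattern in pkcsslotd.fc.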
@@ -+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) -+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) -+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) -+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0) -+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) -+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) -+ -+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) -+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) -+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) -+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0) -+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) -+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0) -+ -+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) -+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) -+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) -+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0) -+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) -+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0) -+ -+# default labeling for nCipher -+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0) -+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0) -+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0) -+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0) -+ -+# old paths (for migration) -+/etc/pki-ca(/.*)? 
gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) -+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) -+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) -+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) -+/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) -+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) -+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) -+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) -+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) -+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) -+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) -+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) -+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) -+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) -+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) -+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) -+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) -+ -+/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0) -+ -+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? 
gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) -+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) -diff --git a/pki.if b/pki.if -new file mode 100644 -index 0000000..b975b85 ---- /dev/null -+++ b/pki.if -@@ -0,0 +1,294 @@ -+ -+## policy for pki -+ -+######################################## -+## -+## Allow read and write pki cert files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`pki_rw_tomcat_cert',` -+ gen_require(` -+ type pki_tomcat_cert_t; -+ type pki_tomcat_etc_rw_t; -+ ') -+ -+ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms; -+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) -+ create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) -+') -+ -+######################################## -+## -+## Allow domain to read pki cert files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`pki_read_tomcat_cert',` -+ gen_require(` -+ type pki_tomcat_cert_t; -+ ') -+ -+ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) -+ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) -+') -+ -+######################################## -+## -+## Create a set of derived types for apache -+## web content. -+## -+## -+## -+## The prefix to be used for deriving type names. 
-+##
-+##
-+#
-+template(`pki_apache_template',`
-+ gen_require(`
-+ attribute pki_apache_domain;
-+ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
-+ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
-+ ')
-+
-+ ########################################
-+ #
-+ # Declarations
-+ #
-+
-+ type $1_t, pki_apache_domain;
-+ type $1_exec_t, pki_apache_executable;
-+ domain_type($1_t)
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ type $1_script_exec_t, pki_apache_script;
-+ init_script_file($1_script_exec_t)
-+
-+ type $1_etc_rw_t, pki_apache_config;
-+ files_type($1_etc_rw_t)
-+
-+ type $1_var_run_t, pki_apache_var_run;
-+ files_pid_file($1_var_run_t)
-+
-+ type $1_var_lib_t, pki_apache_var_lib;
-+ files_type($1_var_lib_t)
-+
-+ type $1_log_t, pki_apache_var_log;
-+ logging_log_file($1_log_t)
-+
-+ type $1_lock_t;
-+ files_lock_file($1_lock_t)
-+
-+ type $1_tmp_t;
-+ files_tmpfs_file($1_tmp_t)
-+
-+ ########################################
-+ #
-+ # $1 local policy
-+ #
-+
-+ files_read_etc_files($1_t)
-+ allow $1_t $1_etc_rw_t:lnk_file read;
-+
-+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
-+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
-+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
-+
-+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
-+
-+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
-+
-+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
-+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
-+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
-+
-+ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
-+ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
-+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
-+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
-+
-+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
-+
-+ #talk to lunasa hsm
-+ logging_send_syslog_msg($1_t)
-+
-+ kernel_read_kernel_sysctls($1_t)
-+ kernel_read_system_state($1_t)
-+
-+ corenet_all_recvfrom_unlabeled($1_t)
-+
-+ # need to resolve addresses?
-+ auth_use_nsswitch($1_t)
-+
-+ #pki_apache_domain_signal(httpd_t)
-+ #pki_apache_domain_signal(httpd_t)
-+ #pki_manage_apache_run(httpd_t)
-+ #pki_manage_apache_config_files(httpd_t)
-+ #pki_manage_apache_log_files(httpd_t)
-+ #pki_manage_apache_lib(httpd_t)
-+')
-+
-+#######################################
-+##
-+## Send a null signal to pki apache domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_apache_domain_signal',`
-+ gen_require(`
-+ attribute pki_apache_domain;
-+ ')
-+
-+ allow $1 pki_apache_domain:process signal;
-+')
-+
-+#######################################
-+##
-+## Send a null signal to pki apache domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_apache_domain_signull',`
-+ gen_require(`
-+ attribute pki_apache_domain;
-+ ')
-+
-+ allow $1 pki_apache_domain:process signull;
-+')
-+
-+###################################
-+##
-+## Allow domain to read pki apache subsystem pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_run',`
-+ gen_require(`
-+ attribute pki_apache_var_run;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
-+')
-+
-+####################################
-+##
-+## Allow domain to manage pki apache subsystem lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_lib',`
-+ gen_require(`
-+ attribute pki_apache_var_lib;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
-+ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
-+')
-+
-+##################################
-+##
-+## Dontaudit domain to write pki log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_dontaudit_write_log',`
-+ gen_require(`
-+ type pki_log_t;
-+ ')
-+
-+ dontaudit $1 pki_log_t:file write;
-+')
-+
-+###################################
-+##
-+## Allow domain to manage pki apache subsystem log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_log_files',`
-+ gen_require(`
-+ attribute pki_apache_var_log;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
-+')
-+
-+##################################
-+##
-+## Allow domain to manage pki apache subsystem config files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_manage_apache_config_files',`
-+ gen_require(`
-+ attribute pki_apache_config;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
-+')
-+
-+#################################
-+##
-+## Allow domain to read pki tomcat lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pki_read_tomcat_lib_files',`
-+ gen_require(`
-+ type pki_tomcat_var_lib_t;
-+ ')
-+
-+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
-+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
-+')
-diff --git a/pki.te b/pki.te
-new file mode 100644
-index 0000000..17f5d18
---- /dev/null
-+++ b/pki.te
-@@ -0,0 +1,284 @@
-+policy_module(pki,10.0.11)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute pki_apache_domain;
-+attribute pki_apache_config;
-+attribute pki_apache_executable;
-+attribute pki_apache_var_lib;
-+attribute pki_apache_var_log;
-+attribute pki_apache_var_run;
-+attribute pki_apache_pidfiles;
-+attribute pki_apache_script;
-+
-+type pki_log_t;
-+files_type(pki_log_t)
-+
-+type pki_common_t;
-+files_type(pki_common_t)
-+
-+type pki_common_dev_t;
-+files_type(pki_common_dev_t)
-+
-+type pki_tomcat_etc_rw_t;
-+files_type(pki_tomcat_etc_rw_t)
-+
-+type pki_tomcat_cert_t;
-+files_type(pki_tomcat_cert_t)
-+
-+tomcat_domain_template(pki_tomcat)
-+
-+type pki_tomcat_unit_file_t;
-+systemd_unit_file(pki_tomcat_unit_file_t)
-+
-+type pki_tomcat_lock_t;
-+files_lock_file(pki_tomcat_lock_t)
-+
-+# old type aliases for migration
-+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
-+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
-+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
-+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
-+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
-+
-+
-+# pki policy types
-+type pki_tps_tomcat_exec_t;
-+files_type(pki_tps_tomcat_exec_t)
-+
-+pki_apache_template(pki_tps)
-+
-+# ra policy types
-+type pki_ra_tomcat_exec_t;
-+files_type(pki_ra_tomcat_exec_t)
-+
-+pki_apache_template(pki_ra)
-+
-+# needed for dogtag 9 style instances
-+type pki_tomcat_script_t;
-+domain_type(pki_tomcat_script_t)
-+role system_r types pki_tomcat_script_t;
-+
-+optional_policy(`
-+ unconfined_domain(pki_tomcat_script_t)
-+')
-+
-+########################################
-+#
-+# pki-tomcat local policy
-+#
-+
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
-+allow pki_tomcat_t self:process { signal setsched signull execmem };
-+
-+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
-+allow pki_tomcat_t self:tcp_socket { accept listen };
-+
-+# allow writing to the kernel keyring
-+allow pki_tomcat_t self:key { write read };
-+
-+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-+
-+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-+
-+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
-+
-+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
-+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
-+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
-+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
-+systemd_search_unit_dirs(pki_tomcat_t)
-+
-+# allow java subsystems to talk to the ncipher hsm
-+allow pki_tomcat_t pki_common_dev_t:sock_file write;
-+allow pki_tomcat_t pki_common_dev_t:dir search;
-+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
-+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
-+can_exec(pki_tomcat_t, pki_common_t)
-+init_stream_connect_script(pki_tomcat_t)
-+
-+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
-+
-+kernel_read_kernel_sysctls(pki_tomcat_t)
-+
-+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
-+corenet_tcp_connect_ldap_port(pki_tomcat_t)
-+corenet_tcp_connect_smtp_port(pki_tomcat_t)
-+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
-+
-+selinux_get_enforce_mode(pki_tomcat_t)
-+
-+logging_send_audit_msgs(pki_tomcat_t)
-+
-+miscfiles_read_hwdata(pki_tomcat_t)
-+
-+# is this really needed?
-+userdom_manage_user_tmp_dirs(pki_tomcat_t)
-+userdom_manage_user_tmp_files(pki_tomcat_t)
-+
-+# forward proxy
-+# need to define ports to fix this
-+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
-+
-+# for crl publishing
-+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
-+
-+# for ECC
-+auth_getattr_shadow(pki_tomcat_t)
-+
-+optional_policy(`
-+ consoletype_exec(pki_tomcat_t)
-+')
-+
-+optional_policy(`
-+ dirsrv_manage_var_lib(pki_tomcat_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(pki_tomcat_t)
-+')
-+
-+#######################################
-+#
-+# tps local policy
-+#
-+
-+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
-+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
-+
-+corenet_tcp_bind_pki_tps_port(pki_tps_t)
-+# customer may run an ldap server on 389
-+corenet_tcp_connect_ldap_port(pki_tps_t)
-+# connect to other subsystems
-+corenet_tcp_connect_pki_ca_port(pki_tps_t)
-+corenet_tcp_connect_pki_kra_port(pki_tps_t)
-+corenet_tcp_connect_pki_tks_port(pki_tps_t)
-+
-+files_exec_usr_files(pki_tps_t)
-+
-+# why do I need to add this?
-+#allow httpd_t httpd_config_t:file execute;
-+
-+######################################
-+#
-+# ra local policy
-+#
-+
-+# RA specific? talking to mysql?
-+allow pki_ra_t self:udp_socket { write read create connect };
-+allow pki_ra_t self:unix_dgram_socket { write create connect };
-+
-+corenet_tcp_bind_pki_ra_port(pki_ra_t)
-+# talk to other subsystems
-+corenet_tcp_connect_pki_ca_port(pki_ra_t)
-+corenet_tcp_connect_smtp_port(pki_ra_t)
-+
-+fs_getattr_xattr_fs(pki_ra_t)
-+
-+files_search_spool(pki_ra_t)
-+files_exec_usr_files(pki_ra_t)
-+
-+optional_policy(`
-+ mta_send_mail(pki_ra_t)
-+ mta_manage_spool(pki_ra_t)
-+ mta_manage_queue(pki_ra_t)
-+ mta_read_config(pki_ra_t)
-+')
-+
-+#####################################
-+#
-+# pki_apache_domain local policy
-+#
-+
-+
-+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
-+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
-+
-+allow pki_apache_domain self:sem all_sem_perms;
-+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
-+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
-+
-+# allow writing to the kernel keyring
-+allow pki_apache_domain self:key { write read };
-+
-+## internal communication is often done using fifo and unix sockets.
-+allow pki_apache_domain self:fifo_file rw_file_perms;
-+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+# talk to the hsm
-+allow pki_apache_domain pki_common_dev_t:sock_file write;
-+allow pki_apache_domain pki_common_dev_t:dir search;
-+allow pki_apache_domain pki_common_t:dir create_dir_perms;
-+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
-+can_exec(pki_apache_domain, pki_common_t)
-+init_stream_connect_script(pki_apache_domain)
-+
-+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
-+corenet_tcp_bind_all_nodes(pki_apache_domain)
-+corenet_tcp_sendrecv_all_if(pki_apache_domain)
-+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
-+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
-+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
-+corenet_tcp_connect_generic_port(pki_apache_domain)
-+
-+# Init script handling
-+domain_use_interactive_fds(pki_apache_domain)
-+
-+seutil_exec_setfiles(pki_apache_domain)
-+
-+init_dontaudit_write_utmp(pki_apache_domain)
-+
-+libs_use_ld_so(pki_apache_domain)
-+libs_use_shared_libs(pki_apache_domain)
-+libs_exec_ld_so(pki_apache_domain)
-+libs_exec_lib_files(pki_apache_domain)
-+
-+fs_search_cgroup_dirs(pki_apache_domain)
-+
-+corecmd_exec_bin(pki_apache_domain)
-+corecmd_exec_shell(pki_apache_domain)
-+
-+dev_read_urand(pki_apache_domain)
-+dev_read_rand(pki_apache_domain)
-+
-+# shutdown script uses ps
-+domain_dontaudit_read_all_domains_state(pki_apache_domain)
-+ps_process_pattern(pki_apache_domain, pki_apache_domain)
-+
-+sysnet_read_config(pki_apache_domain)
-+
-+ifdef(`targeted_policy',`
-+ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
-+ term_dontaudit_use_generic_ptys(pki_apache_domain)
-+')
-+
-+optional_policy(`
-+ # apache permissions
-+ apache_exec_modules(pki_apache_domain)
-+ apache_list_modules(pki_apache_domain)
-+ apache_read_config(pki_apache_domain)
-+ apache_exec(pki_apache_domain)
-+ apache_exec_suexec(pki_apache_domain)
-+ apache_entrypoint(pki_apache_domain)
-+
-+ # should be started using a script which will execute httpd
-+ # start up httpd in pki_apache_domain mode
-+ #can_exec(pki_apache_domain, httpd_config_t)
-+ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
-+')
-+
-+# allow rpm -q in init scripts
-+optional_policy(`
-+ rpm_exec(pki_apache_domain)
-+')
-+
-diff --git a/plymouthd.fc b/plymouthd.fc
-index 735500f..ef1dd7a 100644
---- a/plymouthd.fc
-+++ b/plymouthd.fc
-@@ -1,15 +1,15 @@
--/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
- 
--/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
- 
--/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
- 
--/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
- 
--/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
-+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
- 
--/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
- 
--/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
- 
--/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
-diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..3985ff9 100644
---- a/plymouthd.if
-+++ b/plymouthd.if
-@@ -1,4 +1,4 @@
--## Plymouth graphical boot.
-+## Plymouth graphical boot
- 
- ########################################
- ##
-@@ -10,18 +10,17 @@
- ##
- ##
- #
--interface(`plymouthd_domtrans',`
-+interface(`plymouthd_domtrans', `
- gen_require(`
- type plymouthd_t, plymouthd_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
- ')
- 
- ########################################
- ##
--## Execute plymouthd in the caller domain.
-+## Execute the plymoth daemon in the current domain
- ##
- ##
- ##
-@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
- ##
- ##
- #
--interface(`plymouthd_exec',`
-+interface(`plymouthd_exec', `
- gen_require(`
- type plymouthd_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- can_exec($1, plymouthd_exec_t)
- ')
- 
- ########################################
- ##
--## Connect to plymouthd using a unix
--## domain stream socket.
-+## Allow domain to Stream socket connect
-+## to Plymouth daemon.
- ##
- ##
- ##
-@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
- ##
- ##
- #
--interface(`plymouthd_stream_connect',`
-+interface(`plymouthd_stream_connect', `
- gen_require(`
-- type plymouthd_t, plymouthd_spool_t;
-+ type plymouthd_t;
- ')
- 
-- files_search_spool($1)
-- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
-+ allow $1 plymouthd_t:unix_stream_socket connectto;
- ')
- 
- ########################################
- ##
--## Execute plymouth in the caller domain.
-+## Execute the plymoth command in the current domain
- ##
- ##
- ##
-@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
- ##
- ##
- #
--interface(`plymouthd_exec_plymouth',`
-+interface(`plymouthd_exec_plymouth', `
- gen_require(`
- type plymouth_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- can_exec($1, plymouth_exec_t)
- ')
- 
- ########################################
- ##
--## Execute a domain transition to run plymouth.
-+## Execute a domain transition to run plymouthd.
- ##
- ##
- ##
-@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
- ##
- ##
- #
--interface(`plymouthd_domtrans_plymouth',`
-+interface(`plymouthd_domtrans_plymouth', `
- gen_require(`
- type plymouth_t, plymouth_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, plymouth_exec_t, plymouth_t)
- ')
- 
-@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
- ##
- ##
- #
--interface(`plymouthd_search_spool',`
-+interface(`plymouthd_search_spool', `
- gen_require(`
- type plymouthd_spool_t;
- ')
- 
-- files_search_spool($1)
- allow $1 plymouthd_spool_t:dir search_dir_perms;
-+ files_search_spool($1)
- ')
- 
- ########################################
-@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
- ##
- ##
- #
--interface(`plymouthd_manage_spool_files',`
-+interface(`plymouthd_manage_spool_files', `
- gen_require(`
- type plymouthd_spool_t;
- ')
-@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
- ##
- ##
- #
--interface(`plymouthd_search_lib',`
-+interface(`plymouthd_search_lib', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
- 
-- files_search_var_lib($1)
- allow $1 plymouthd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
- ')
- 
- ########################################
-@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
- ##
- ##
- #
--interface(`plymouthd_read_lib_files',`
-+interface(`plymouthd_read_lib_files', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
-@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
- ##
- ##
- #
--interface(`plymouthd_manage_lib_files',`
-+interface(`plymouthd_manage_lib_files', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
-@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
- 
- ########################################
- ##
--## Read plymouthd pid files.
-+## Read plymouthd PID files.
- ##
- ##
- ##
-@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
- ##
- ##
- #
--interface(`plymouthd_read_pid_files',`
-+interface(`plymouthd_read_pid_files', `
- gen_require(`
- type plymouthd_var_run_t;
- ')
-@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an plymouthd environment.
-+## Allow the specified domain to read
-+## to plymouthd log files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`plymouthd_read_log',`
-+ gen_require(`
-+ type plymouthd_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+')
-+
-+########################################
-+##
-+## Allow the specified domain to manage
-+## to plymouthd log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`plymouthd_manage_log',`
-+ gen_require(`
-+ type plymouthd_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
-+')
-+
-+#######################################
-+##
-+## Allow domain to create boot.log
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`plymouthd_create_log',`
-+ gen_require(`
-+ type plymouthd_var_log_t;
-+ ')
-+
-+ logging_rw_generic_log_dirs($1)
-+ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an plymouthd environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`plymouthd_admin',`
-+interface(`plymouthd_admin', `
- gen_require(`
- type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
- type plymouthd_var_run_t;
- ')
- 
-- allow $1 plymouthd_t:process { ptrace signal_perms };
-- read_files_pattern($1, plymouthd_t, plymouthd_t)
-+ allow $1 plymouthd_t:process signal_perms;
-+ ps_process_pattern($1, plymouthd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 plymouthd_t:process ptrace;
-+ ')
- 
-- files_search_spool($1)
-+ files_list_var_lib($1)
- admin_pattern($1, plymouthd_spool_t)
- 
-- files_search_var_lib($1)
- admin_pattern($1, plymouthd_var_lib_t)
- 
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, plymouthd_var_run_t)
- ')
-diff --git a/plymouthd.te b/plymouthd.te
-index b1f412b..3a3249a 100644
---- a/plymouthd.te
-+++ b/plymouthd.te
-@@ -1,4 +1,4 @@
--policy_module(plymouthd, 1.1.4)
-+policy_module(plymouthd, 1.0.1)
- 
- ########################################
- #
-@@ -15,7 +15,7 @@ type plymouthd_exec_t;
- init_daemon_domain(plymouthd_t, plymouthd_exec_t)
- 
- type plymouthd_spool_t;
--files_type(plymouthd_spool_t)
-+files_spool_file(plymouthd_spool_t)
- 
- type plymouthd_var_lib_t;
- files_type(plymouthd_var_lib_t)
-@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
- 
- ########################################
- #
--# Daemon local policy
-+# Plymouthd private policy
- #
- 
- allow plymouthd_t self:capability { sys_admin sys_tty_config };
--dontaudit plymouthd_t self:capability dac_override;
- allow plymouthd_t self:capability2 block_suspend;
-+dontaudit plymouthd_t self:capability dac_override;
- allow plymouthd_t self:process { signal getsched };
- allow plymouthd_t self:fifo_file rw_fifo_file_perms;
- allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
- files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
- 
- manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
--append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
--create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
--setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
- logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
- 
- manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
- 
- fs_getattr_all_fs(plymouthd_t)
- 
--files_read_etc_files(plymouthd_t)
--files_read_usr_files(plymouthd_t)
- 
- term_getattr_pty_fs(plymouthd_t)
- term_use_all_terms(plymouthd_t)
- term_use_ptmx(plymouthd_t)
- 
--miscfiles_read_localization(plymouthd_t)
-+init_signal(plymouthd_t)
-+
-+logging_link_generic_logs(plymouthd_t)
-+logging_delete_generic_logs(plymouthd_t)
-+
-+auth_read_passwd(plymouthd_t)
-+
- miscfiles_read_fonts(plymouthd_t)
- miscfiles_manage_fonts_cache(plymouthd_t)
- 
-+userdom_read_admin_home_files(plymouthd_t)
-+
-+term_use_unallocated_ttys(plymouthd_t)
-+
- optional_policy(`
-- gnome_read_generic_home_content(plymouthd_t)
-+ gnome_read_config(plymouthd_t)
- ')
- 
- optional_policy(`
-@@ -90,35 +96,33 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- xserver_manage_xdm_spool_files(plymouthd_t)
-- xserver_read_xdm_state(plymouthd_t)
-+ xserver_xdm_manage_spool(plymouthd_t)
-+ xserver_read_state_xdm(plymouthd_t)
- ')
- 
- ########################################
- #
--# Client local policy
-+# Plymouth private policy
- #
- 
- allow plymouth_t self:process signal;
--allow plymouth_t self:fifo_file rw_fifo_file_perms;
-+allow plymouth_t self:fifo_file rw_file_perms;
- allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
- 
--stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
--
- kernel_read_system_state(plymouth_t)
- kernel_stream_connect(plymouth_t)
- 
- domain_use_interactive_fds(plymouth_t)
- 
--files_read_etc_files(plymouth_t)
- 
- term_use_ptmx(plymouth_t)
- 
--miscfiles_read_localization(plymouth_t)
- 
- sysnet_read_config(plymouth_t)
- 
--ifdef(`hide_broken_symptoms',`
-+plymouthd_stream_connect(plymouth_t)
-+
-+ifdef(`hide_broken_symptoms', `
- optional_policy(`
- hal_dontaudit_write_log(plymouth_t)
- hal_dontaudit_rw_pipes(plymouth_t)
-diff --git a/podsleuth.te b/podsleuth.te
-index a14b3bc..b196183 100644
---- a/podsleuth.te
-+++ b/podsleuth.te
-@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
- #
- 
- allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
--allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
-+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
-+
- allow podsleuth_t self:fifo_file rw_fifo_file_perms;
- allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
- allow podsleuth_t self:sem create_sem_perms;
-@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
- 
- dev_read_urand(podsleuth_t)
- 
--files_read_etc_files(podsleuth_t)
- 
- fs_mount_dos_fs(podsleuth_t)
- fs_unmount_dos_fs(podsleuth_t)
-@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
- fs_list_tmpfs(podsleuth_t)
- fs_rw_removable_blk_files(podsleuth_t)
- 
--miscfiles_read_localization(podsleuth_t)
--
- sysnet_dns_name_resolve(podsleuth_t)
- 
- userdom_signal_unpriv_users(podsleuth_t)
-diff --git a/policykit.fc b/policykit.fc
-index 1d76c72..93d09d9 100644
---- a/policykit.fc
-+++ b/policykit.fc
-@@ -1,23 +1,22 @@
--/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
--/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
--
--/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
--/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
--/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
--/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
--/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
--/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-+/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
- 
- /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
- /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
--/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
--/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
--/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
--/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) -+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) -+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -+/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) - --/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) --/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) --/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) --/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) -+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) - --/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff --git a/policykit.if b/policykit.if -index 032a84d..be00a65 100644 ---- a/policykit.if -+++ b/policykit.if -@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',` - class dbus send_msg; - ') - -+ ps_process_pattern(policykit_t, $1) -+ - allow $1 policykit_t:dbus send_msg; - allow policykit_t $1:dbus send_msg; - ') -@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',` - ######################################## - ## - ## Send and receive messages from --## policykit auth over dbus. -+## policykit over dbus. 
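Review bot: Labeling `/usr/libexec/kde4/polkit-kde-authentication-agent-1` as policykit_auth_exec_t puts a per-session desktop agent into the same domain as the setuid PAM helper `polkit-agent-helper-1`; the policykit.te hunks later on this page give policykit_auth_t setuid/setgid/ipc_lock and `auth_domtrans_chk_passwd`, so the agent inherits privileges it presumably only needs indirectly through the helper. If the agent merely talks to polkitd over D-Bus and spawns the helper, it may be better left in the caller's domain or given its own type; at minimum add a comment above the line stating why the auth domain was chosen, e.g. `# KDE agent runs in policykit_auth_t so it can exec polkit-agent-helper-1 without a separate domain — confirm`. The same question applies to `/usr/bin/pkla-check-authorization`, which looks like a read-only authorization checker rather than an authenticator.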
- ## - ## - ## -@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',` - class dbus send_msg; - ') - -+ ps_process_pattern(policykit_auth_t, $1) -+ - allow $1 policykit_auth_t:dbus send_msg; - allow policykit_auth_t $1:dbus send_msg; - ') -@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',` - ## Execute a domain transition to run polkit_auth. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`policykit_domtrans_auth',` -@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',` - type policykit_auth_t, policykit_auth_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) - ') - - ######################################## - ## --## Execute a policy_auth in the policy --## auth domain, and allow the specified --## role the policy auth domain. -+## Execute a policy_auth in the policy_auth domain, and -+## allow the specified role the policy_auth domain, - ## - ## - ## -@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',` - ## Role allowed access. - ## - ## -+## - # - interface(`policykit_run_auth',` - gen_require(` -- attribute_role policykit_auth_roles; -+ type policykit_auth_t; - ') - - policykit_domtrans_auth($1) -- roleattribute $2 policykit_auth_roles; -+ role $2 types policykit_auth_t; -+ -+ allow $1 policykit_auth_t:process signal; -+ ps_process_pattern(policykit_auth_t, $1) - ') - - ######################################## - ## --## Execute a domain transition to run polkit grant. -+## Execute a domain transition to run polkit_grant. - ## - ## --## -+## - ## Domain allowed to transition. 
--## -+## - ## - # - interface(`policykit_domtrans_grant',` -@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',` - type policykit_grant_t, policykit_grant_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) - ') - - ######################################## - ## --## Execute a policy_grant in the policy --## grant domain, and allow the specified --## role the policy grant domain. -+## Execute a policy_grant in the policy_grant domain, and -+## allow the specified role the policy_grant domain, - ## - ## - ## -@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',` - # - interface(`policykit_run_grant',` - gen_require(` -- attribute_role policykit_grant_roles; -+ type policykit_grant_t; - ') - - policykit_domtrans_grant($1) -- roleattribute $2 policykit_grant_roles; -+ role $2 types policykit_grant_t; -+ -+ allow $1 policykit_grant_t:process signal; -+ -+ ps_process_pattern(policykit_grant_t, $1) - ') - - ######################################## - ## --## Read policykit reload files. -+## read policykit reload files - ## - ## - ## -@@ -154,7 +162,7 @@ interface(`policykit_read_reload',` - - ######################################## - ## --## Read and write policykit reload files. -+## rw policykit reload files - ## - ## - ## -@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',` - - ######################################## - ## --## Execute a domain transition to run polkit resolve. -+## Execute a domain transition to run polkit_resolve. - ## - ## --## -+## - ## Domain allowed to transition. 
--## -+## - ## - # - interface(`policykit_domtrans_resolve',` -@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',` - type policykit_resolve_t, policykit_resolve_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) -+ -+ ps_process_pattern(policykit_resolve_t, $1) - ') - - ######################################## -@@ -205,13 +214,13 @@ interface(`policykit_search_lib',` - type policykit_var_lib_t; - ') - -- files_search_var_lib($1) - allow $1 policykit_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) - ') - - ######################################## - ## --## Read policykit lib files. -+## read policykit lib files - ## - ## - ## -@@ -226,4 +235,50 @@ interface(`policykit_read_lib',` - - files_search_var_lib($1) - read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) -+ -+ optional_policy(` -+ # Broken placement -+ cron_read_system_job_lib_files($1) -+ ') -+') -+ -+####################################### -+## -+## The per role template for the policykit module. -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+template(`policykit_role',` -+ policykit_run_auth($2, $1) -+ policykit_run_grant($2, $1) -+ policykit_read_lib($2) -+ policykit_read_reload($2) -+ policykit_dbus_chat($2) -+') -+ -+######################################## -+## -+## Send generic signal to policy_auth -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`policykit_signal_auth',` -+ gen_require(` -+ type policykit_auth_t; -+ ') -+ -+ allow $1 policykit_auth_t:process signal; - ') -diff --git a/policykit.te b/policykit.te -index 49694e8..a1497cd 100644 ---- a/policykit.te -+++ b/policykit.te -@@ -1,4 +1,4 @@ --policy_module(policykit, 1.2.8) -+policy_module(policykit, 1.1.0) - - ######################################## - # -@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8) - - attribute policykit_domain; - --attribute_role policykit_auth_roles; --attribute_role policykit_grant_roles; -- - type policykit_t, policykit_domain; - type policykit_exec_t; - init_daemon_domain(policykit_t, policykit_exec_t) -@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t) - type policykit_auth_t, policykit_domain; - type policykit_auth_exec_t; - init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) --role policykit_auth_roles types policykit_auth_t; - - type policykit_grant_t, policykit_domain; - type policykit_grant_exec_t; - init_system_domain(policykit_grant_t, policykit_grant_exec_t) --role policykit_grant_roles types policykit_grant_t; - - type policykit_resolve_t, policykit_domain; - type policykit_resolve_exec_t; -@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t) - - ####################################### - # --# Common policykit domain local policy -+# policykit_domain local policy - # - - allow policykit_domain self:process { execmem getattr }; - allow policykit_domain self:fifo_file rw_fifo_file_perms; - --kernel_search_proc(policykit_domain) -- --corecmd_exec_bin(policykit_domain) -- - dev_read_sysfs(policykit_domain) - --files_read_usr_files(policykit_domain) -- --logging_send_syslog_msg(policykit_domain) -- --miscfiles_read_localization(policykit_domain) -- - ######################################## - # --# Local policy -+# policykit local policy - # - - allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; - allow 
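Review bot: The `# Broken placement` comment in `policykit_read_lib` flags a layering problem without saying what it is, yet every caller of a read-only polkit interface now silently also receives `cron_read_system_job_lib_files`. A comment should name the path that carries cron's lib type and the caller that hit the denial, so the rule can later be moved where it belongs, e.g. `# TODO: misplaced — <path> under /var/lib is labeled as cron system job lib data; move to the caller that needs it`. The `optional_policy` wrapper also hides that the cron module becomes a soft dependency of policykit, which is worth stating in the same comment. The interface's opening `interface(` line and gen_require are outside this hunk.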
policykit_t self:process { getsched setsched signal }; --allow policykit_t self:unix_stream_socket { accept connectto listen }; -+allow policykit_t self:unix_dgram_socket create_socket_perms; -+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+policykit_domtrans_auth(policykit_t) -+allow policykit_t policykit_auth_t:process signal; -+ -+can_exec(policykit_t, policykit_exec_t) -+corecmd_exec_bin(policykit_t) -+ -+dev_read_sysfs(policykit_t) - - rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) - -+policykit_domtrans_resolve(policykit_t) -+ - manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) - - manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) - manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) - files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) - --can_exec(policykit_t, policykit_exec_t) -- --domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t) --domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t) -- --kernel_read_kernel_sysctls(policykit_t) - kernel_read_system_state(policykit_t) -+kernel_read_kernel_sysctls(policykit_t) - - domain_read_all_domains_state(policykit_t) - - files_dontaudit_search_all_mountpoints(policykit_t) - -+fs_getattr_all_fs(policykit_t) - fs_list_inotifyfs(policykit_t) -+fs_list_cgroup_dirs(policykit_t) - - auth_use_nsswitch(policykit_t) - -+init_list_pid_dirs(policykit_t) -+ -+logging_send_syslog_msg(policykit_t) -+ - userdom_getattr_all_users(policykit_t) - userdom_read_all_users_state(policykit_t) -+userdom_dontaudit_search_admin_dir(policykit_t) - - optional_policy(` - dbus_system_domain(policykit_t, policykit_exec_t) - -+ init_dbus_chat(policykit_t) -+ - optional_policy(` - consolekit_dbus_chat(policykit_t) - ') -@@ -109,29 +109,43 @@ optional_policy(` - ') - - optional_policy(` -+ consolekit_list_pid_files(policykit_t) - 
consolekit_read_pid_files(policykit_t) - ') - - optional_policy(` -- gnome_read_generic_home_content(policykit_t) -+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0") -+ kerberos_manage_host_rcache(policykit_t) - ') - - optional_policy(` -- kerberos_manage_host_rcache(policykit_t) -- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0") -+ gnome_read_config(policykit_t) -+') -+ -+optional_policy(` -+ systemd_read_logind_sessions_files(policykit_t) -+ systemd_login_list_pid_dirs(policykit_t) -+ systemd_login_read_pid_files(policykit_t) - ') - - ######################################## - # --# Auth local policy -+# polkit_auth local policy - # - --allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice }; -+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid }; - dontaudit policykit_auth_t self:capability sys_tty_config; --allow policykit_auth_t self:process { getsched setsched signal }; --allow policykit_auth_t self:unix_stream_socket { accept listen }; -+allow policykit_auth_t self:process { setsched getsched signal }; -+ -+allow policykit_auth_t self:unix_dgram_socket create_socket_perms; -+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; - --ps_process_pattern(policykit_auth_t, policykit_domain) -+policykit_dbus_chat(policykit_auth_t) -+ -+kernel_read_system_state(policykit_auth_t) -+ -+can_exec(policykit_auth_t, policykit_auth_exec_t) -+corecmd_exec_bin(policykit_auth_t) - - rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) - -@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) - manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) - files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) - --can_exec(policykit_auth_t, policykit_auth_exec_t) -- --kernel_read_system_state(policykit_auth_t) - kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) - - 
dev_read_video_dev(policykit_auth_t) -@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t) - - fs_getattr_all_fs(policykit_auth_t) - fs_search_tmpfs(policykit_auth_t) -+fs_dontaudit_append_ecryptfs_files(policykit_auth_t) - - auth_rw_var_auth(policykit_auth_t) - auth_use_nsswitch(policykit_auth_t) - auth_domtrans_chk_passwd(policykit_auth_t) - -+logging_send_syslog_msg(policykit_auth_t) -+ - miscfiles_read_fonts(policykit_auth_t) - miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) - - userdom_dontaudit_read_user_home_content_files(policykit_auth_t) -+userdom_dontaudit_write_user_tmp_files(policykit_auth_t) -+userdom_read_admin_home_files(policykit_auth_t) - - optional_policy(` -- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t) -- dbus_all_session_bus_client(policykit_auth_t) -+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) -+ dbus_session_bus_client(policykit_auth_t) - - optional_policy(` - consolekit_dbus_chat(policykit_auth_t) - ') -- -- optional_policy(` -- policykit_dbus_chat(policykit_auth_t) -- ') - ') - - optional_policy(` -+ kernel_search_proc(policykit_auth_t) - hal_read_state(policykit_auth_t) - ') - - optional_policy(` -- kerberos_manage_host_rcache(policykit_auth_t) -- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0") -+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0") -+ kerberos_manage_host_rcache(policykit_auth_t) - ') - - optional_policy(` - xserver_stream_connect(policykit_auth_t) -+ xserver_xdm_append_log(policykit_auth_t) - xserver_read_xdm_pid(policykit_auth_t) -+ xserver_search_xdm_lib(policykit_auth_t) -+ xserver_create_xdm_tmp_sockets(policykit_auth_t) - ') - - ######################################## - # --# Grant local policy -+# polkit_grant local policy - # - - allow policykit_grant_t self:capability setuid; -+ - allow policykit_grant_t self:unix_dgram_socket create_socket_perms; - allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; - 
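Review bot: `userdom_read_admin_home_files(policykit_auth_t)` gives the PAM authentication helper read access to files under the admin home without any comment explaining which denial prompted it; for a helper that handles passwords this is the kind of rule a future maintainer needs the rationale for, e.g. `# polkit-agent-helper-1 reads /root/.<file> when root authenticates — confirm and narrow`. In the same hunk `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` has a stray space after the opening parenthesis; write `dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)` to match every other call in the file. The change from `dbus_all_session_bus_client` to `dbus_session_bus_client` looks like a deliberate narrowing and is fine.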
--ps_process_pattern(policykit_grant_t, policykit_domain) -+policykit_domtrans_auth(policykit_grant_t) -+ -+policykit_domtrans_resolve(policykit_grant_t) -+ -+can_exec(policykit_grant_t, policykit_grant_exec_t) -+corecmd_search_bin(policykit_grant_t) - - rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) - -@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t - - manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) - --can_exec(policykit_grant_t, policykit_grant_exec_t) -- --domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t) --domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t) - - auth_domtrans_chk_passwd(policykit_grant_t) - auth_use_nsswitch(policykit_grant_t) - -+logging_send_syslog_msg(policykit_grant_t) -+ - userdom_read_all_users_state(policykit_grant_t) - - optional_policy(` - cron_manage_system_job_lib_files(policykit_grant_t) - ') - --optional_policy(` -+ optional_policy(` - dbus_system_bus_client(policykit_grant_t) -- - optional_policy(` - consolekit_dbus_chat(policykit_grant_t) - ') -@@ -235,26 +254,28 @@ optional_policy(` - - ######################################## - # --# Resolve local policy -+# polkit_resolve local policy - # - - allow policykit_resolve_t self:capability { setuid sys_nice }; --allow policykit_resolve_t self:unix_stream_socket { accept listen }; - --ps_process_pattern(policykit_resolve_t, policykit_domain) -+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; -+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -+ -+policykit_domtrans_auth(policykit_resolve_t) - - read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) - - read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) - - can_exec(policykit_resolve_t, policykit_resolve_exec_t) -+corecmd_search_bin(policykit_resolve_t) - 
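Review bot: The `optional_policy(` block wrapping `dbus_system_bus_client(policykit_grant_t)` is now indented one level although it is a top-level block, and the blank line separating it from the nested consolekit block was dropped; everywhere else in this file top-level `optional_policy(` starts at column 0. Restore `optional_policy(`` at column 0 followed by `	dbus_system_bus_client(policykit_grant_t)` and a blank line before the inner `	optional_policy(``. The rest of the polkit_grant section is consistent with the other domains.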
--domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) -- --mcs_ptrace_all(policykit_resolve_t) - - auth_use_nsswitch(policykit_resolve_t) - -+logging_send_syslog_msg(policykit_resolve_t) -+ - userdom_read_all_users_state(policykit_resolve_t) - - optional_policy(` -@@ -266,6 +287,6 @@ optional_policy(` - ') - - optional_policy(` -+ kernel_search_proc(policykit_resolve_t) - hal_read_state(policykit_resolve_t) - ') -- -diff --git a/polipo.fc b/polipo.fc -index d35614b..11f77ee 100644 ---- a/polipo.fc -+++ b/polipo.fc -@@ -1,15 +1,16 @@ --HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0) - HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0) - HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0) - --/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0) -+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0) - - /etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0) - -+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0) -+ - /usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0) - - /var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0) - - /var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0) - --/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0) -+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0) -diff --git a/polipo.if b/polipo.if -index ae27bb7..d00f6ba 100644 ---- a/polipo.if -+++ b/polipo.if -@@ -1,8 +1,8 @@ --## Lightweight forwarding and caching proxy server. -+## Caching web proxy. - - ######################################## - ## --## Role access for Polipo session. -+## Role access for polipo session. - ## - ## - ## -@@ -11,14 +11,13 @@ - ## - ## - ## --## User domain for the role. -+## Domain allowed access. 
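Review bot: Dropping `HOME_DIR/\.forbidden` from polipo.fc leaves polipo's per-user forbidden-list file with the generic user home label while `HOME_DIR/\.polipo` keeps polipo_config_home_t; the polipo.te hunk further down only grants polipo_session_t `read_files_pattern` on polipo_config_home_t, so if polipo still reads `~/.forbidden` that access would have to come from the much broader `userdom_home_manager` rule instead of the dedicated type. Unless the file is no longer read from the home directory, keep `HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)`. Separately, `/usr/lib/systemd/system/polipo.*` is unanchored and will also match any `polipo-*` unit, which is probably intended but worth a comment.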
- ## - ## - # - template(`polipo_role',` - gen_require(` -- type polipo_session_t, polipo_exec_t, polipo_config_home_t; -- type polipo_cache_home_t; -+ type polipo_session_t, polipo_exec_t; - ') - - ######################################## -@@ -33,15 +32,11 @@ template(`polipo_role',` - # Policy - # - -- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; -- -- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden") -- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo") -- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache") -- -- allow $2 polipo_session_t:process { ptrace signal_perms }; -+ allow $2 polipo_session_t:process signal_perms; - ps_process_pattern($2, polipo_session_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 polipo_session_t:process ptrace; -+ ') - - tunable_policy(`polipo_session_users',` - domtrans_pattern($2, polipo_exec_t, polipo_session_t) -@@ -52,57 +47,129 @@ template(`polipo_role',` - - ######################################## - ## --## Execute Polipo in the Polipo --## system domain. -+## Create configuration files in user -+## home directories with a named file -+## type transition. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`polipo_initrc_domtrans',` -+interface(`polipo_named_filetrans_config_home_files',` - gen_require(` -- type polipo_initrc_exec_t; -+ type polipo_config_home_t; - ') - -- init_labeled_script_domtrans($1, polipo_initrc_exec_t) -+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo") -+') -+ -+######################################## -+## -+## Create cache directories in user -+## home directories with a named file -+## type transition. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`polipo_named_filetrans_cache_home_dirs',` -+ gen_require(` -+ type polipo_cache_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache") - ') - - ######################################## - ## --## Create specified objects in generic --## log directories with the polipo --## log file type. -+## Create configuration files in admin -+## home directories with a named file -+## type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`polipo_named_filetrans_admin_config_home_files',` -+ gen_require(` -+ type polipo_config_home_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo") -+') -+ -+######################################## -+## -+## Create cache directories in admin -+## home directories with a named file -+## type transition. -+## -+## - ## --## Class of the object being created. -+## Domain allowed access. - ## - ## --## -+# -+interface(`polipo_named_filetrans_admin_cache_home_dirs',` -+ gen_require(` -+ type polipo_cache_home_t; -+ ') -+ -+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache") -+') -+ -+######################################## -+## -+## Create log files with a named file -+## type transition. -+## -+## - ## --## The name of the object being created. -+## Domain allowed access. - ## - ## - # --interface(`polipo_log_filetrans_log',` -+interface(`polipo_named_filetrans_log_files',` - gen_require(` - type polipo_log_t; - ') - -- logging_log_filetrans($1, polipo_log_t, $2, $3) -+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo") -+') -+ -+######################################## -+## -+## Execute polipo server in the polipo domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`polipo_systemctl',` -+ gen_require(` -+ type polipo_t; -+ type polipo_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 polipo_unit_file_t:file read_file_perms; -+ allow $1 polipo_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, polipo_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an polipo environment. -+## Administrate an polipo environment. - ## - ## - ## -@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',` - # - interface(`polipo_admin',` - gen_require(` -- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; -- type polipo_conf_t, polipo_log_t, polipo_var_run_t; -+ type polipo_t, polipo_pid_t, polipo_cache_t; -+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; -+ type polipo_unit_file_t; - ') - -- allow $1 polipo_system_t:process { ptrace signal_perms }; -- ps_process_pattern($1, polipo_system_t) -+ allow $1 polipo_t:process signal_perms; -+ ps_process_pattern($1, polipo_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 polipo_t:process ptrace; -+ ') - -- polipo_initrc_domtrans($1) -+ init_labeled_script_domtrans($1, polipo_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 polipo_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_var($1) -- admin_pattern($1, polipo_cache_t) -- -- files_search_etc($1) -- admin_pattern($1, polipo_conf_t) -+ files_list_etc($1) -+ admin_pattern($1, polipo_etc_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, polipo_log_t) - -- files_search_pids($1) -- admin_pattern($1, polipo_var_run_t) -+ files_list_var($1) -+ admin_pattern($1, polipo_cache_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, polipo_pid_t) -+ -+ polipo_systemctl($1) -+ admin_pattern($1, polipo_unit_file_t) -+ allow $1 polipo_unit_file_t:service all_service_perms; - ') -diff --git a/polipo.te b/polipo.te -index 316d53a..35d9018 100644 ---- a/polipo.te -+++ 
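Review bot: `polipo_named_filetrans_log_files` installs a named transition on the literal name `polipo` via `logging_log_named_filetrans($1, polipo_log_t, file, "polipo")`, while polipo.fc labels `/var/log/polipo.*`; a daemon writing `/var/log/polipo.log` would not hit the transition and its log would be created as the generic log type until relabeled. Either make the name match the real file (e.g. `"polipo.log"`) or add a second call for it, and note in the interface's description that the name must track the fc pattern. The previous interface took the class and name as parameters, so callers that passed their own name also lose that flexibility; say so in the summary if that is intended.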
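Review bot: `polipo_admin` now grants the administrator both `manage_service_perms` on polipo_unit_file_t (via `polipo_systemctl($1)`) and, two lines later, `allow $1 polipo_unit_file_t:service all_service_perms;`, so the narrower rule is redundant and the reader has to work out which one wins. Keep only the explicit `all_service_perms` line, or drop it if manage_service_perms is sufficient for the admin role, and leave a comment saying which. The switch from `files_search_*`/`logging_search_logs` to `files_list_*`/`logging_list_logs` also widens the admin role from search to full directory listing; that is typical for an admin interface but worth a one-line note.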
b/polipo.te -@@ -1,4 +1,4 @@ --policy_module(polipo, 1.0.4) -+policy_module(polipo, 1.0.0) - - ######################################## - # -@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4) - - ## - ##

    --## Determine whether Polipo system --## daemon can access CIFS file systems. -+## Determine whether polipo can -+## access cifs file systems. - ##

    - ##
    --gen_tunable(polipo_system_use_cifs, false) -+gen_tunable(polipo_use_cifs, false) - - ## - ##

    --## Determine whether Polipo system --## daemon can access NFS file systems. -+## Determine whether Polipo can -+## access nfs file systems. - ##

    - ##
    --gen_tunable(polipo_system_use_nfs, false) -+gen_tunable(polipo_use_nfs, false) -+ -+## -+##

    -+## Determine whether Polipo session daemon -+## can bind tcp sockets to all unreserved ports. -+##

    -+##
    -+gen_tunable(polipo_session_bind_all_unreserved_ports, false) - - ## - ##

    -@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false) - gen_tunable(polipo_session_users, false) - - ## --##

    --## Determine whether Polipo session daemon --## can send syslog messages. --##

    -+##

    -+## Allow polipo to connect to all ports > 1023 -+##

    - ##
    --gen_tunable(polipo_session_send_syslog_msg, false) -+gen_tunable(polipo_connect_all_unreserved, false) - - attribute polipo_daemon; - --type polipo_system_t, polipo_daemon; -+type polipo_t, polipo_daemon; - type polipo_exec_t; --init_daemon_domain(polipo_system_t, polipo_exec_t) -+init_daemon_domain(polipo_t, polipo_exec_t) - - type polipo_initrc_exec_t; - init_script_file(polipo_initrc_exec_t) - --type polipo_conf_t; --files_config_file(polipo_conf_t) -+type polipo_etc_t; -+files_config_file(polipo_etc_t) - - type polipo_cache_t; - files_type(polipo_cache_t) -@@ -56,112 +63,97 @@ files_type(polipo_cache_t) - type polipo_log_t; - logging_log_file(polipo_log_t) - --type polipo_var_run_t; --files_pid_file(polipo_var_run_t) -+type polipo_pid_t; -+files_pid_file(polipo_pid_t) - - type polipo_session_t, polipo_daemon; --userdom_user_application_domain(polipo_session_t, polipo_exec_t) -+application_domain(polipo_session_t, polipo_exec_t) -+ubac_constrained(polipo_session_t) -+ -+type polipo_config_home_t; -+userdom_user_home_content(polipo_config_home_t) - - type polipo_cache_home_t; - userdom_user_home_content(polipo_cache_home_t) - --type polipo_config_home_t; --userdom_user_home_content(polipo_config_home_t) -+type polipo_unit_file_t; -+systemd_unit_file(polipo_unit_file_t) - - ######################################## - # --# Session local policy -+# Global local policy - # - --allow polipo_session_t polipo_config_home_t:file read_file_perms; -- --manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) --manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) --userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache") -- --auth_use_nsswitch(polipo_session_t) -- --userdom_use_user_terminals(polipo_session_t) -+allow polipo_daemon self:fifo_file rw_fifo_file_perms; -+allow polipo_daemon self:tcp_socket { listen accept }; - --tunable_policy(`polipo_session_send_syslog_msg',` -- 
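Review bot: Removing `polipo_session_send_syslog_msg` silently turns a user-controlled boolean into an unconditional `logging_send_syslog_msg(polipo_session_t)` (see the session section of the next hunk), and renaming `polipo_system_use_cifs`/`polipo_system_use_nfs` to `polipo_use_cifs`/`polipo_use_nfs` changes the public boolean names that existing `setsebool` configurations and documentation refer to. Both are behaviour changes hidden in what reads like a tidy-up; they deserve a line in the module's description or a comment above the new tunables, e.g. `# renamed from polipo_system_use_cifs; syslog boolean removed, session domain now always logs`. The `polipo_connect_all_unreserved` description `Allow polipo to connect to all ports > 1023` should also follow the `Determine whether ...` wording used by the other tunables in this file.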
logging_send_syslog_msg(polipo_session_t) --') -+corenet_tcp_bind_generic_node(polipo_daemon) -+corenet_tcp_sendrecv_generic_if(polipo_daemon) -+corenet_tcp_sendrecv_generic_node(polipo_daemon) -+corenet_tcp_sendrecv_http_cache_port(polipo_daemon) -+corenet_tcp_bind_http_cache_port(polipo_daemon) -+corenet_sendrecv_http_cache_server_packets(polipo_daemon) -+corenet_tcp_connect_http_port(polipo_daemon) -+corenet_tcp_connect_tor_port(polipo_daemon) -+corenet_tcp_connect_flash_port(polipo_daemon) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(polipo_session_t) --',` -- fs_dontaudit_read_nfs_files(polipo_session_t) --') -+fs_search_auto_mountpoints(polipo_daemon) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(polipo_session_t) --',` -- fs_dontaudit_read_cifs_files(polipo_session_t) --') - - ######################################## - # --# System local policy -+# Polipo local policy - # - --read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t) -+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) - --manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) --manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) --files_var_filetrans(polipo_system_t, polipo_cache_t, dir) -+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t) -+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t) -+files_var_filetrans(polipo_t, polipo_cache_t, dir) - --append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) --create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) --setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) --logging_log_filetrans(polipo_system_t, polipo_log_t, file) -+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t) -+logging_log_filetrans(polipo_t, polipo_log_t, file) - --manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t) --files_pid_filetrans(polipo_system_t, polipo_var_run_t, file) 
-+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t) -+files_pid_filetrans(polipo_t, polipo_pid_t, file) - --auth_use_nsswitch(polipo_system_t) -+auth_use_nsswitch(polipo_t) - --logging_send_syslog_msg(polipo_system_t) -+logging_send_syslog_msg(polipo_t) - - optional_policy(` -- cron_system_entry(polipo_system_t, polipo_exec_t) -+ cron_system_entry(polipo_t, polipo_exec_t) -+') -+ -+tunable_policy(`polipo_connect_all_unreserved',` -+ corenet_tcp_connect_all_unreserved_ports(polipo_t) - ') - --tunable_policy(`polipo_system_use_cifs',` -- fs_manage_cifs_files(polipo_system_t) --',` -- fs_dontaudit_read_cifs_files(polipo_system_t) -+tunable_policy(`polipo_use_cifs',` -+ fs_manage_cifs_files(polipo_t) - ') - --tunable_policy(`polipo_system_use_nfs',` -- fs_manage_nfs_files(polipo_system_t) --',` -- fs_dontaudit_read_nfs_files(polipo_system_t) -+tunable_policy(`polipo_use_nfs',` -+ fs_manage_nfs_files(polipo_t) - ') - - ######################################## - # --# Polipo global local policy -+# Polipo session local policy - # - --allow polipo_daemon self:fifo_file rw_fifo_file_perms; --allow polipo_daemon self:tcp_socket { listen accept }; -- --corenet_all_recvfrom_unlabeled(polipo_daemon) --corenet_all_recvfrom_netlabel(polipo_daemon) --corenet_tcp_sendrecv_generic_if(polipo_daemon) --corenet_tcp_sendrecv_generic_node(polipo_daemon) --corenet_tcp_bind_generic_node(polipo_daemon) -+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) -+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) - --corenet_sendrecv_http_client_packets(polipo_daemon) --corenet_tcp_sendrecv_http_port(polipo_daemon) --corenet_tcp_connect_http_port(polipo_daemon) -+auth_use_nsswitch(polipo_session_t) - --corenet_sendrecv_http_cache_server_packets(polipo_daemon) --corenet_tcp_sendrecv_http_cache_port(polipo_daemon) --corenet_tcp_bind_http_cache_port(polipo_daemon) -+userdom_use_user_terminals(polipo_session_t) - 
--files_read_usr_files(polipo_daemon) -+tunable_policy(`polipo_session_bind_all_unreserved_ports',` -+ corenet_tcp_sendrecv_all_ports(polipo_session_t) -+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t) -+') - --fs_search_auto_mountpoints(polipo_daemon) -+logging_send_syslog_msg(polipo_session_t) - --miscfiles_read_localization(polipo_daemon) -+userdom_home_manager(polipo_session_t) -diff --git a/portage.if b/portage.if -index 67e8c12..18b89d7 100644 ---- a/portage.if -+++ b/portage.if -@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` - class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; - type portage_tmpfs_t; -+ type portage_sandbox_t; - ') - - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; -diff --git a/portage.te b/portage.te -index a95fc4a..b9b5418 100644 ---- a/portage.te -+++ b/portage.te -@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) - - files_manage_etc_files(gcc_config_t) - files_rw_etc_runtime_files(gcc_config_t) --files_read_usr_files(gcc_config_t) - files_search_var_lib(gcc_config_t) - files_search_pids(gcc_config_t) - # complains loudly about not being able to list -@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t) - domain_use_interactive_fds(portage_fetch_t) - - files_read_etc_runtime_files(portage_fetch_t) --files_read_usr_files(portage_fetch_t) - files_dontaudit_search_pids(portage_fetch_t) - - fs_search_auto_mountpoints(portage_fetch_t) -diff --git a/portmap.fc b/portmap.fc -index cd45831..69406ee 100644 ---- a/portmap.fc -+++ b/portmap.fc -@@ -4,9 +4,14 @@ - /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) - /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - -+ifdef(`distro_debian',` -+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -+', ` - /usr/sbin/pmap_dump -- 
gen_context(system_u:object_r:portmap_helper_exec_t,s0) - /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) - /usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) -+') - - /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) - /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) -diff --git a/portmap.te b/portmap.te -index 738c13b..04a202e 100644 ---- a/portmap.te -+++ b/portmap.te -@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) - kernel_read_system_state(portmap_t) - kernel_read_kernel_sysctls(portmap_t) - --corenet_all_recvfrom_unlabeled(portmap_t) - corenet_all_recvfrom_netlabel(portmap_t) - corenet_tcp_sendrecv_generic_if(portmap_t) - corenet_udp_sendrecv_generic_if(portmap_t) -@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t) - - domain_use_interactive_fds(portmap_t) - -+auth_use_nsswitch(portmap_t) -+ - logging_send_syslog_msg(portmap_t) - --miscfiles_read_localization(portmap_t) -+sysnet_read_config(portmap_t) - - userdom_dontaudit_use_unpriv_user_fds(portmap_t) - userdom_dontaudit_search_user_home_dirs(portmap_t) -@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen }; - allow portmap_helper_t portmap_var_run_t:file manage_file_perms; - files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) - --corenet_all_recvfrom_unlabeled(portmap_helper_t) - corenet_all_recvfrom_netlabel(portmap_helper_t) - corenet_tcp_sendrecv_generic_if(portmap_helper_t) - corenet_udp_sendrecv_generic_if(portmap_helper_t) -@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t) - - logging_send_syslog_msg(portmap_helper_t) - --userdom_use_user_terminals(portmap_helper_t) -+sysnet_read_config(portmap_helper_t) -+ -+userdom_use_inherited_user_terminals(portmap_helper_t) - userdom_dontaudit_use_all_users_fds(portmap_helper_t) -diff --git a/portreserve.fc b/portreserve.fc -index 1b2b4f9..575b7d6 100644 ---- a/portreserve.fc 
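Review bot: The new `distro_debian` branch re-labels `/sbin/pmap_set`, which the unconditional entry a few lines above already labels identically, while it drops the `/usr/sbin/portmap` daemon entry for Debian builds; on a merged-/usr Debian that is the path the binary resolves to, and an unlabelled daemon binary never transitions into `portmap_t` (inferred from the paths shown, not verified against Debian's package layout). Either keep `/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)` outside the `ifdef`, or drop the conditional and label both trees unconditionally as the old file did — a file-context entry for a path that does not exist costs nothing. The duplicated `/sbin/pmap_set` line in the Debian branch should go in either case.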
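Review bot: `sysnet_read_config(portmap_t)` is added right after `auth_use_nsswitch(portmap_t)`, and in refpolicy `auth_use_nsswitch` already reaches `sysnet_read_config` through `sysnet_dns_name_resolve`, so the explicit call looks redundant — worth confirming against this tree's authlogin.if before keeping both. The hunk also removes `miscfiles_read_localization(portmap_t)`; unless this tree grants localization reads to every domain centrally (the global rules are not in the diff), portmap loses `locale_t` access here. The same pairing is repeated for `portmap_helper_t` in the `@@ -138` hunk.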
-+++ b/portreserve.fc -@@ -1,6 +1,6 @@ - /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - --/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) - - /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) - -diff --git a/portreserve.if b/portreserve.if -index 5ad5291..7f1ae2a 100644 ---- a/portreserve.if -+++ b/portreserve.if -@@ -105,8 +105,11 @@ interface(`portreserve_admin',` - type portreserve_initrc_exec_t; - ') - -- allow $1 portreserve_t:process { ptrace signal_perms }; -+ allow $1 portreserve_t:process signal_perms; - ps_process_pattern($1, portreserve_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 portreserve_t:process ptrace; -+ ') - - portreserve_initrc_domtrans($1) - domain_system_change_exemption($1) -diff --git a/portreserve.te b/portreserve.te -index a38b57a..aa9d604 100644 ---- a/portreserve.te -+++ b/portreserve.te -@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } - - corecmd_getattr_bin_files(portreserve_t) - --corenet_all_recvfrom_unlabeled(portreserve_t) - corenet_all_recvfrom_netlabel(portreserve_t) - corenet_tcp_sendrecv_generic_if(portreserve_t) - corenet_udp_sendrecv_generic_if(portreserve_t) -@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t) - corenet_tcp_bind_all_ports(portreserve_t) - corenet_udp_bind_all_ports(portreserve_t) - --files_read_etc_files(portreserve_t) - - userdom_dontaudit_search_user_home_content(portreserve_t) -diff --git a/portslave.te b/portslave.te -index e85e33d..a7d7c55 100644 ---- a/portslave.te -+++ b/portslave.te -@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t) - corecmd_exec_bin(portslave_t) - corecmd_exec_shell(portslave_t) - --corenet_all_recvfrom_unlabeled(portslave_t) - corenet_all_recvfrom_netlabel(portslave_t) - 
corenet_tcp_sendrecv_generic_if(portslave_t) - corenet_udp_sendrecv_generic_if(portslave_t) -@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t) - - term_use_unallocated_ttys(portslave_t) - term_setattr_unallocated_ttys(portslave_t) --term_use_all_ttys(portslave_t) -+term_use_all_inherited_ttys(portslave_t) - term_search_ptys(portslave_t) - - auth_domtrans_chk_passwd(portslave_t) -diff --git a/postfix.fc b/postfix.fc -index c0e8785..c0e0959 100644 ---- a/postfix.fc -+++ b/postfix.fc -@@ -1,38 +1,38 @@ --/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) --/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) --/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) -- --/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) -- -+# postfix -+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) -+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) -+ifdef(`distro_redhat', ` -+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) -+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) 
-+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -+', ` - /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) --/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) - /usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) - /usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) --/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) - /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) - /usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) - /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) - /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) - /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) - /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -- --/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) --/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) --/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) --/usr/libexec/postfix/master -- 
gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) --/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) --/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) --/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) --/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) --/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -- -+') -+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) -@@ -44,14 +44,14 @@ - /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) - /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - --/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) -+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) - --/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) --/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) --/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) --/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) --/var/spool/postfix/pid(/.*)? 
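Review bot: The `/usr/libexec/postfix/...` daemon entries are now only emitted under `ifdef(`distro_redhat'`, and the `/usr/lib/postfix/...` set only in the else branch, whereas the old file labelled both trees unconditionally. These are the entry points (`master`, `smtpd`, `cleanup`, …) whose `postfix_*_exec_t` labels drive the domain transitions out of `postfix_master_t`, so a build without `distro_redhat` on a distribution that installs into `/usr/libexec` would leave every postfix daemon running in the wrong domain (which distributions use that layout is inferred, not shown here). Since a file-context entry for a non-existent path is harmless, the safer shape is the previous unconditional one, or at least a comment above the `ifdef` stating which layouts were verified, e.g. `# Fedora/RHEL install the daemons under /usr/libexec/postfix; everything else assumed to use /usr/lib/postfix`.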
gen_context(system_u:object_r:postfix_var_run_t,s0) --/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) --/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) --/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) -+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) -+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) -+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) - /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) -diff --git a/postfix.if b/postfix.if -index 2e23946..0b76d72 100644 ---- a/postfix.if -+++ b/postfix.if -@@ -1,4 +1,4 @@ --## Postfix email server. -+## Postfix email server - - ######################################## - ## -@@ -16,13 +16,14 @@ interface(`postfix_stub',` - ') - ') - --####################################### -+######################################## - ## --## The template to define a postfix domain. -+## Creates types and rules for a basic -+## postfix process domain. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix for the domain. 
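Review bot: Changing `/var/spool/postfix/pid(/.*)?` to `/var/spool/postfix/pid/.*` relabels the `pid` directory itself from `postfix_var_run_t` to `postfix_spool_t` through the `/var/spool/postfix.*` catch-all, so only a restorecon puts `postfix_var_run_t` on files inside it; a pid file the master creates at runtime inherits the parent directory's type unless postfix.te carries a matching transition on `postfix_spool_t` (not visible in this diff). If that transition is not present, keep the old `(/.*)?` form, or add `filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")` together with a file transition for the pid file so the runtime and on-disk labels agree. Dropping the `-d` on the `deferred` entry also widens `postfix_spool_maildrop_t` from the deferred directories to the queue files inside them, which may be intended but deserves a comment.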
- ## - ## - # -@@ -31,73 +32,69 @@ template(`postfix_domain_template',` - attribute postfix_domain; - ') - -- ######################################## -- # -- # Declarations -- # -- - type postfix_$1_t, postfix_domain; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - -- ######################################## -- # -- # Policy -- # -- -- can_exec(postfix_$1_t, postfix_$1_exec_t) -+ kernel_read_system_state(postfix_$1_t) - - auth_use_nsswitch(postfix_$1_t) -+ -+ logging_send_syslog_msg(postfix_$1_t) -+ -+ can_exec(postfix_$1_t, postfix_$1_exec_t) - ') - --####################################### -+######################################## - ## --## The template to define a postfix server domain. -+## Creates a postfix server process domain. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix of the domain. - ## - ## - # - template(`postfix_server_domain_template',` -- gen_require(` -- attribute postfix_server_domain, postfix_server_tmp_content; -- ') -- -- ######################################## -- # -- # Declarations -- # -- - postfix_domain_template($1) - -- typeattribute postfix_$1_t postfix_server_domain; -- -- type postfix_$1_tmp_t, postfix_server_tmp_content; -+ type postfix_$1_tmp_t; - files_tmp_file(postfix_$1_tmp_t) - -- ######################################## -- # -- # Declarations -- # -+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; -+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; -+ allow postfix_$1_t self:tcp_socket create_socket_perms; -+ allow postfix_$1_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, 
postfix_$1_t) -+ -+ corenet_all_recvfrom_netlabel(postfix_$1_t) -+ corenet_tcp_sendrecv_generic_if(postfix_$1_t) -+ corenet_udp_sendrecv_generic_if(postfix_$1_t) -+ corenet_tcp_sendrecv_generic_node(postfix_$1_t) -+ corenet_udp_sendrecv_generic_node(postfix_$1_t) -+ corenet_tcp_sendrecv_all_ports(postfix_$1_t) -+ corenet_udp_sendrecv_all_ports(postfix_$1_t) -+ corenet_tcp_bind_generic_node(postfix_$1_t) -+ corenet_udp_bind_generic_node(postfix_$1_t) -+ corenet_tcp_connect_all_ports(postfix_$1_t) -+ corenet_sendrecv_all_client_packets(postfix_$1_t) - ') - --####################################### -+######################################## - ## --## The template to define a postfix user domain. -+## Creates a process domain for programs -+## that are ran by users. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix of the domain. - ## - ## - # -@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',` - attribute postfix_user_domains, postfix_user_domtrans; - ') - -- ######################################## -- # -- # Declarations -- # -- - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - -- ######################################## -- # -- # Policy -- # -- - allow postfix_$1_t self:capability dac_override; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) -+ -+ application_domain(postfix_$1_t, postfix_$1_exec_t) - ') - - ######################################## - ## --## Read postfix configuration content. -+## Read postfix configuration files. 
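Review bot: Every domain instantiated through `postfix_server_domain_template` now receives `corenet_tcp_connect_all_ports`, `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_sendrecv_all_client_packets` and the capabilities `setuid setgid sys_chroot dac_override`, which gives the queue-side daemons (`pickup`, `cleanup`, `qmgr`, `bounce`, `showq`) the same any-port TCP client footprint as `smtp`/`smtpd`, the only ones that need to reach the network (which daemons use this template is decided in postfix.te, outside the hunk). A compromised queue-side process could then open outbound connections to any port; the network-client rules belong next to the domains that need them, or behind a tunable, with the template keeping only socket creation and the `postfix_master_t` stream connect. The hunk also deletes the `postfix_server_domain` and `postfix_server_tmp_content` attributes, so any other module that requires them will no longer link — worth a grep before merging.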
- ## - ## - ## -@@ -143,16 +132,15 @@ interface(`postfix_read_config',` - type postfix_etc_t; - ') - -+ read_files_pattern($1, postfix_etc_t, postfix_etc_t) -+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) - files_search_etc($1) -- allow $1 postfix_etc_t:dir list_dir_perms; -- allow $1 postfix_etc_t:file read_file_perms; -- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Create specified object in postfix --## etc directories with a type transition. -+## Create files with the specified type in -+## the postfix configuration directories. - ## - ## - ## -@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',` - type postfix_etc_t; - ') - -+ files_search_etc($1) - filetrans_pattern($1, postfix_etc_t, $2, $3, $4) - ') - -@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` - - ######################################## - ## --## Read and write postfix local pipes. -+## Allow read/write postfix local pipes -+## TCP sockets. - ## - ## - ## -@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',` - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; - ') - --######################################## -+####################################### - ## --## Read postfix local process state files. -+## Allow read/write postfix public pipes -+## TCP sockets. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`postfix_read_local_state',` -- gen_require(` -- type postfix_local_t; -- ') -+interface(`postfix_rw_public_pipes',` -+ gen_require(` -+ type postfix_public_t; -+ ') - -- kernel_search_proc($1) -- allow $1 postfix_local_t:dir list_dir_perms; -- allow $1 postfix_local_t:file read_file_perms; -- allow $1 postfix_local_t:lnk_file read_lnk_file_perms; -+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms; - ') - - ######################################## - ## --## Read and write inherited postfix master pipes. 
-+## Allow domain to read postfix local process state - ## - ## - ## -@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',` - ## - ## - # --interface(`postfix_rw_inherited_master_pipes',` -+interface(`postfix_read_local_state',` - gen_require(` -- type postfix_master_t; -+ type postfix_local_t; - ') - -- allow $1 postfix_master_t:fd use; -- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; -+ kernel_search_proc($1) -+ ps_process_pattern($1, postfix_local_t) - ') - - ######################################## - ## --## Read postfix master process state files. -+## Allow domain to read postfix master process state - ## - ## - ## -@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',` - ') - - kernel_search_proc($1) -- allow $1 postfix_master_t:dir list_dir_perms; -- allow $1 postfix_master_t:file read_file_perms; -- allow $1 postfix_master_t:lnk_file read_lnk_file_perms; -+ ps_process_pattern($1, postfix_master_t) - ') - - ######################################## - ## --## Use postfix master file descriptors. -+## Use postfix master process file -+## file descriptors. - ## - ## - ## -@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',` - type postfix_map_t, postfix_map_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) - ') - - ######################################## - ## --## Execute postfix map in the postfix --## map domain, and allow the specified --## role the postfix_map domain. -+## Execute postfix_map in the postfix_map domain, and -+## allow the specified role the postfix_map domain. 
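Review bot: The new summary for `postfix_rw_public_pipes` reads `Allow read/write postfix public pipes TCP sockets`, but the body only grants `allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;`; the preceding hunk gives `postfix_rw_local_pipes` the same `TCP sockets` wording while its body, visible here as context, is likewise fifo-only. Suggest `## Read and write postfix public pipes.` and `## Read and write postfix local pipes.` so the generated interface docs do not promise a permission neither interface grants.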
- ## - ## - ## -@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',` - # - interface(`postfix_run_map',` - gen_require(` -- attribute_role postfix_map_roles; -+ type postfix_map_t; - ') - - postfix_domtrans_map($1) -- roleattribute $2 postfix_map_roles; -+ role $2 types postfix_map_t; - ') - - ######################################## - ## --## Execute the master postfix program --## in the postfix_master domain. -+## Execute the master postfix program in the -+## postfix_master domain. - ## - ## - ## -@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',` - type postfix_master_t, postfix_master_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) - ') - -+ - ######################################## - ## --## Execute the master postfix program --## in the caller domain. -+## Execute the master postfix in the postfix master domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_initrc_domtrans',` -+ gen_require(` -+ type postfix_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, postfix_initrc_exec_t) -+') -+ -+######################################## -+## -+## Execute the master postfix program in the -+## caller domain. - ## - ## - ## -@@ -402,21 +405,18 @@ interface(`postfix_exec_master',` - type postfix_master_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, postfix_master_exec_t) - ') - - ####################################### - ## --## Connect to postfix master process --## using a unix domain stream socket. -+## Connect to postfix master process using a unix domain stream socket. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # - interface(`postfix_stream_connect_master',` - gen_require(` -@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',` - - ######################################## - ## --## Read and write postfix master --## unnamed pipes. 
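Review bot: The new `postfix_initrc_domtrans` is documented as `Execute the master postfix in the postfix master domain`, but its body is `init_labeled_script_domtrans($1, postfix_initrc_exec_t)`, i.e. it runs the init script in the init-script domain — the summary was copied from `postfix_domtrans_master` just above. Suggest `## Execute the postfix init script in the init script domain.` There is also a stray second blank line before the new interface's banner.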
(Deprecated) -+## Allow read/write postfix master pipes - ## - ## - ## -@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',` - ## - ## - # --interface(`postfix_rw_master_pipes',` -- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.') -- postfix_rw_inherited_master_pipes($1) -+interface(`postfix_rw_inherited_master_pipes',` -+ gen_require(` -+ type postfix_master_t; -+ ') -+ -+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## - ## Execute the master postdrop in the --## postfix postdrop domain. -+## postfix_postdrop domain. - ## - ## - ## -@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) - ') - - ######################################## - ## - ## Execute the master postqueue in the --## postfix postqueue domain. -+## postfix_postqueue domain. - ## - ## - ## -@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) - ') - --####################################### -+######################################## - ## --## Execute the master postqueue in --## the caller domain. (Deprecated) -+## Execute the master postqueue in the -+## postfix_postdrop domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## -+## -+## -+## The role to be allowed the iptables domain. 
-+## -+## -+## - # --interface(`posftix_exec_postqueue',` -- refpolicywarn(`$0($*) has been deprecated.') -- postfix_exec_postqueue($1) -+ -+interface(`postfix_run_postqueue',` -+ gen_require(` -+ type postfix_postqueue_t; -+ ') -+ -+ postfix_domtrans_postqueue($1) -+ role $2 types postfix_postqueue_t; -+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; - ') - -+######################################## -+## -+## Execute postfix_postgqueue in the postfix_postgqueue domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`postfix_domtrans_postgqueue',` -+ gen_require(` -+ type postfix_postgqueue_t; -+ type postfix_postgqueue_exec_t; -+ ') -+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t) -+') -+ -+######################################## -+## -+## Execute postfix_postgqueue in the postfix_postgqueue domain, and -+## allow the specified role the postfix_postgqueue domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`postfix_run_postgqueue',` -+ gen_require(` -+ type postfix_postgqueue_t; -+ ') -+ -+ postfix_domtrans_postgqueue($1) -+ role $2 types postfix_postgqueue_t; -+') -+ -+ - ####################################### - ## --## Execute postfix postqueue in --## the caller domain. -+## Execute the master postqueue in the caller domain. - ## - ## - ## -@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',` - type postfix_postqueue_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, postfix_postqueue_exec_t) - ') - - ######################################## - ## --## Create postfix private sock files. -+## Create a named socket in a postfix private directory. 
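Review bot: `postfix_domtrans_postgqueue` and `postfix_run_postgqueue` require `postfix_postgqueue_t` / `postfix_postgqueue_exec_t`, which nothing in this diff declares and which read like a misspelling of `postqueue`; because interface bodies are only expanded when called, this builds silently until the first caller fails on the missing types. Unless postfix.te really defines those types (not visible here), drop both interfaces — `postfix_domtrans_postqueue` and `postfix_run_postqueue` already cover the case. The `postfix_run_postqueue` doc block is also copy-pasted: it says the program runs in `the postfix_postdrop domain` and the role is allowed `the iptables domain`; both should read `postfix_postqueue domain`.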
- ## - ## - ## -@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',` - type postfix_private_t; - ') - -+ allow $1 postfix_private_t:dir list_dir_perms; - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## postfix private sock files. -+## manage named socket in a postfix private directory. - ## - ## - ## -@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',` - type postfix_private_t; - ') - -+ allow $1 postfix_private_t:dir list_dir_perms; - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) - ') - - ######################################## - ## --## Execute the smtp postfix program --## in the postfix smtp domain. -+## Execute the master postfix program in the -+## postfix_master domain. - ## - ## - ## -@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) - ') - - ######################################## - ## --## Get attributes of all postfix mail --## spool files. -+## Getattr postfix mail spool files. 
- ## - ## - ## -@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',` - ## - ## - # --interface(`postfix_getattr_all_spool_files',` -+interface(`postfix_getattr_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') -@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',` - # - interface(`postfix_search_spool',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') - -+ allow $1 postfix_spool_type:dir search_dir_perms; - files_search_spool($1) -- allow $1 postfix_spool_t:dir search_dir_perms; - ') - - ######################################## -@@ -626,11 +680,11 @@ interface(`postfix_search_spool',` - # - interface(`postfix_list_spool',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') - -+ allow $1 postfix_spool_type:dir list_dir_perms; - files_search_spool($1) -- allow $1 postfix_spool_t:dir list_dir_perms; - ') - - ######################################## -@@ -645,17 +699,16 @@ interface(`postfix_list_spool',` - # - interface(`postfix_read_spool_files',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') - - files_search_spool($1) -- read_files_pattern($1, postfix_spool_t, postfix_spool_t) -+ read_files_pattern($1, postfix_spool_type, postfix_spool_type) - ') - - ######################################## - ## --## Create, read, write, and delete --## postfix mail spool files. -+## Create, read, write, and delete postfix mail spool files. - ## - ## - ## -@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',` - # - interface(`postfix_manage_spool_files',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') - - files_search_spool($1) -- manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) -+') -+ -+####################################### -+## -+## Read, write, and delete postfix maildrop spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`postfix_rw_spool_maildrop_files',` -+ gen_require(` -+ type postfix_spool_maildrop_t; -+ ') -+ -+ files_search_spool($1) -+ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+') -+ -+####################################### -+## -+## Create, read, write, and delete postfix maildrop spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_manage_spool_maildrop_files',` -+ gen_require(` -+ type postfix_spool_maildrop_t; -+ ') -+ -+ files_search_spool($1) -+ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - ') - - ######################################## -@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',` - - ######################################## - ## --## All of the rules required to --## administrate an postfix environment. -+## All of the rules required to administrate -+## an postfix environment. 
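Review bot: `postfix_manage_spool_files` (and, in the preceding hunks, the search/list/read variants) now operates on the `postfix_spool_type` attribute instead of `postfix_spool_t`, so every existing caller silently gains create/write/delete rights on every spool type carrying that attribute — in refpolicy that includes the maildrop, bounce and flush queues (attribute membership lives in postfix.te, not in this diff). That is a privilege widening hidden behind an unchanged interface name; keep `postfix_manage_spool_files` on `postfix_spool_t` and add a `postfix_manage_all_spool_files` on the attribute, or at least change the summary to `all postfix spool types`. The new `postfix_rw_spool_maildrop_files` summary says `Read, write, and delete` but `rw_files_pattern` grants no delete — `Read and write postfix maildrop spool files.` is accurate.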
- ## - ## - ## -@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',` - # - interface(`postfix_admin',` - gen_require(` -- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; -- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; -- type postfix_data_t, postfix_var_run_t, postfix_public_t; -- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; -+ attribute postfix_spool_type; -+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; -+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; -+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; -+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; -+ type postfix_smtpd_t, postfix_var_run_t; - ') - -- allow $1 postfix_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, postfix_domain) -+ allow $1 postfix_bounce_t:process signal_perms; -+ ps_process_pattern($1, postfix_bounce_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postfix_bounce_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, postfix_initrc_exec_t) -+ allow $1 postfix_cleanup_t:process signal_perms; -+ ps_process_pattern($1, postfix_cleanup_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postfix_cleanup_t:process ptrace; -+ allow $1 postfix_local_t:process ptrace; -+ allow $1 postfix_master_t:process ptrace; -+ allow $1 postfix_pickup_t:process ptrace; -+ allow $1 postfix_qmgr_t:process ptrace; -+ allow $1 postfix_smtpd_t:process ptrace; -+ ') -+ -+ allow $1 postfix_local_t:process signal_perms; -+ ps_process_pattern($1, postfix_local_t) -+ -+ allow $1 postfix_master_t:process signal_perms; -+ ps_process_pattern($1, postfix_master_t) -+ -+ allow $1 postfix_pickup_t:process signal_perms; -+ ps_process_pattern($1, postfix_pickup_t) -+ -+ allow $1 postfix_qmgr_t:process signal_perms; -+ ps_process_pattern($1, postfix_qmgr_t) -+ -+ allow $1 postfix_smtpd_t:process signal_perms; -+ ps_process_pattern($1, postfix_smtpd_t) -+ -+ postfix_run_map($1, $2) -+ 
postfix_run_postdrop($1, $2) -+ postfix_run_postqueue($1, $2) -+ -+ postfix_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 postfix_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t }) -+ admin_pattern($1, postfix_data_t) - -- files_search_spool($1) -- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) -+ files_list_etc($1) -+ admin_pattern($1, postfix_etc_t) - -- files_search_var_lib($1) -- admin_pattern($1, postfix_data_t) -+ files_list_spool($1) -+ admin_pattern($1, postfix_spool_type) - -- files_search_pids($1) - admin_pattern($1, postfix_var_run_t) - -- files_search_tmp($1) -- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) -+ files_list_tmp($1) -+ admin_pattern($1, postfix_map_tmp_t) -+ -+ admin_pattern($1, postfix_prng_t) - -- postfix_exec_master($1) -- postfix_exec_postqueue($1) -- postfix_stream_connect_master($1) -- postfix_run_map($1, $2) -+ admin_pattern($1, postfix_public_t) -+ -+ postfix_filetrans_named_content($1) -+') -+ -+######################################## -+## -+## Execute the master postdrop in the -+## postfix_postdrop domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The role to be allowed the iptables domain. -+## -+## -+## -+# -+interface(`postfix_run_postdrop',` -+ gen_require(` -+ type postfix_postdrop_t; -+ ') -+ -+ postfix_domtrans_postdrop($1) -+ role $2 types postfix_postdrop_t; -+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr }; -+') -+ -+ -+######################################## -+## -+## Execute postfix exec in the users domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`postfix_exec',` -+ gen_require(` -+ type postfix_exec_t; -+ ') -+ -+ can_exec($1, postfix_exec_t) -+') -+ -+######################################## -+## -+## Transition to postfix named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_filetrans_named_content',` -+ gen_require(` -+ type postfix_exec_t; -+ type postfix_prng_t; -+ ') -+ -+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script") -+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") - ') -diff --git a/postfix.te b/postfix.te -index 191a66f..f19bca4 100644 ---- a/postfix.te -+++ b/postfix.te -@@ -1,4 +1,4 @@ --policy_module(postfix, 1.14.10) -+policy_module(postfix, 1.14.0) - - ######################################## - # -@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10) - # - - ## --##
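Review bot: `postfix_filetrans_named_content` lets any caller create a file in the postfix config directory that is typed postfix_exec_t (`postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")`), and later in this patch postfix_master_t `can_exec`s that type, so the interface effectively hands out the ability to plant code the root master process will run; its summary should say so and it should only be reachable from admin-level interfaces like postfix_admin. I would replace the one-line summary with `Create postfix-script and prng_exch in the postfix config directory with their dedicated types; this lets $1 create postfix_exec_t files, so call it only from admin interfaces.` Separately, the role parameter of `postfix_run_postdrop` is documented as `The role to be allowed the iptables domain`, a copy-paste leftover that should read `The role to be allowed the postfix_postdrop domain`, and its summary `Execute the master postdrop in the postfix_postdrop domain` should drop the stray `the master`.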

    --## Determine whether postfix local --## can manage mail spool content. --##

    -+##

    -+## Allow postfix_local domain full write access to mail_spool directories -+##

    - ##
    - gen_tunable(postfix_local_write_mail_spool, true) - - attribute postfix_domain; --attribute postfix_server_domain; --attribute postfix_server_tmp_content; - attribute postfix_spool_type; - attribute postfix_user_domains; -+# domains that transition to the -+# postfix user domains - attribute postfix_user_domtrans; - --attribute_role postfix_map_roles; --roleattribute system_r postfix_map_roles; -- - postfix_server_domain_template(bounce) - - type postfix_spool_bounce_t, postfix_spool_type; --files_type(postfix_spool_bounce_t) -+files_spool_file(postfix_spool_bounce_t) - - postfix_server_domain_template(cleanup) - -@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t) - postfix_server_domain_template(local) - mta_mailserver_delivery(postfix_local_t) - -+# Program for creating database files - type postfix_map_t; - type postfix_map_exec_t; - application_domain(postfix_map_t, postfix_map_exec_t) --role postfix_map_roles types postfix_map_t; -+role system_r types postfix_map_t; - - type postfix_map_tmp_t; - files_tmp_file(postfix_map_tmp_t) - - postfix_domain_template(master) - typealias postfix_master_t alias postfix_t; -+# alias is a hack to make the disable trans bool -+# generation macro work - mta_mailserver(postfix_t, postfix_master_exec_t) - - type postfix_initrc_exec_t; -@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe) - - postfix_user_domain_template(postdrop) - mta_mailserver_user_agent(postfix_postdrop_t) -+mta_agent_executable(postfix_postdrop_t) - - postfix_user_domain_template(postqueue) - mta_mailserver_user_agent(postfix_postqueue_t) -@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t) - postfix_server_domain_template(smtpd) - - type postfix_spool_t, postfix_spool_type; --files_type(postfix_spool_t) -+files_spool_file(postfix_spool_t) - - type postfix_spool_maildrop_t, postfix_spool_type; --files_type(postfix_spool_maildrop_t) -+files_spool_file(postfix_spool_maildrop_t) - - type postfix_spool_flush_t, postfix_spool_type; 
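Review bot: `mta_agent_executable(postfix_postdrop_t)` is passed the postdrop process domain, while its name suggests it expects an executable file type; if the interface (not visible here) marks its argument as an executable type the way `application_executable_file` does, the intended argument is almost certainly `postfix_postdrop_exec_t`, and passing the domain would at best be a no-op and at worst attach file attributes to a process type. Either change the argument or add a one-line comment stating why the domain type is correct. In the adjacent hunk `role system_r types postfix_map_t;` replaces the postfix_map_roles attribute_role, which removes the hook other modules used to run postmap under their own roles; a comment saying this is intentional would save the next reader the archaeology.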
--files_type(postfix_spool_flush_t) -+files_spool_file(postfix_spool_flush_t) - - type postfix_public_t; - files_type(postfix_public_t) -@@ -94,6 +94,7 @@ files_type(postfix_public_t) - type postfix_var_run_t; - files_pid_file(postfix_var_run_t) - -+# the data_directory config parameter - type postfix_data_t; - files_type(postfix_data_t) - -@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t) - - ######################################## - # --# Common postfix domain local policy --# -- --allow postfix_domain self:capability { sys_nice sys_chroot }; --dontaudit postfix_domain self:capability sys_tty_config; --allow postfix_domain self:process { signal_perms setpgid setsched }; --allow postfix_domain self:fifo_file rw_fifo_file_perms; --allow postfix_domain self:unix_stream_socket { accept connectto listen }; -- --allow postfix_domain postfix_etc_t:dir list_dir_perms; --allow postfix_domain postfix_etc_t:file read_file_perms; --allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; -- --allow postfix_domain postfix_master_t:file read_file_perms; -- --allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; -- --allow postfix_domain postfix_master_t:process sigchld; -- --allow postfix_domain postfix_spool_t:dir list_dir_perms; -- --manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) --files_pid_filetrans(postfix_domain, postfix_var_run_t, file) -- --kernel_read_system_state(postfix_domain) --kernel_read_network_state(postfix_domain) --kernel_read_all_sysctls(postfix_domain) -- --dev_read_sysfs(postfix_domain) --dev_read_rand(postfix_domain) --dev_read_urand(postfix_domain) -- --fs_search_auto_mountpoints(postfix_domain) --fs_getattr_all_fs(postfix_domain) --fs_rw_anon_inodefs_files(postfix_domain) -- --term_dontaudit_use_console(postfix_domain) -- --corecmd_exec_shell(postfix_domain) -- --files_read_etc_runtime_files(postfix_domain) --files_read_usr_files(postfix_domain) --files_search_spool(postfix_domain) 
--files_getattr_tmp_dirs(postfix_domain) --files_search_all_mountpoints(postfix_domain) -- --init_dontaudit_use_fds(postfix_domain) --init_sigchld(postfix_domain) -- --logging_send_syslog_msg(postfix_domain) -- --miscfiles_read_localization(postfix_domain) --miscfiles_read_generic_certs(postfix_domain) -- --userdom_dontaudit_use_unpriv_user_fds(postfix_domain) -- --optional_policy(` -- udev_read_db(postfix_domain) --') -- --######################################## --# --# Common postfix server domain local policy --# -- --allow postfix_server_domain self:capability { setuid setgid dac_override }; -- --allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; -- --corenet_all_recvfrom_unlabeled(postfix_server_domain) --corenet_all_recvfrom_netlabel(postfix_server_domain) --corenet_tcp_sendrecv_generic_if(postfix_server_domain) --corenet_tcp_sendrecv_generic_node(postfix_server_domain) -- --corenet_sendrecv_all_client_packets(postfix_server_domain) --corenet_tcp_connect_all_ports(postfix_server_domain) --corenet_tcp_sendrecv_all_ports(postfix_server_domain) -- --######################################## --# --# Common postfix user domain local policy -+# Postfix master process local policy - # - --allow postfix_user_domains self:capability dac_override; -- --domain_use_interactive_fds(postfix_user_domains) -- --######################################## --# --# Master local policy --# -- --allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; -+# chown is to set the correct ownership of queue dirs -+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; - allow postfix_master_t self:capability2 block_suspend; -+ - allow postfix_master_t self:process setrlimit; - allow postfix_master_t self:tcp_socket create_stream_socket_perms; - allow postfix_master_t self:udp_socket create_socket_perms; - --allow postfix_master_t 
postfix_domain:fifo_file rw_fifo_file_perms; --allow postfix_master_t postfix_domain:process signal; -- - allow postfix_master_t postfix_etc_t:dir rw_dir_perms; - allow postfix_master_t postfix_etc_t:file rw_file_perms; -+mta_filetrans_aliases(postfix_master_t, postfix_etc_t) -+ -+can_exec(postfix_master_t, postfix_exec_t) - - allow postfix_master_t postfix_data_t:dir manage_dir_perms; - allow postfix_master_t postfix_data_t:file manage_file_perms; - --allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; -+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; -+ -+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; - --allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; -+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; -+ -+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -+ -+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) - - allow postfix_master_t postfix_prng_t:file rw_file_perms; - -+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -+ -+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -+ -+# allow access to deferred queue and allow removing bogus incoming entries - manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) - manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) - files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) - - allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; - allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; --filetrans_pattern(postfix_master_t, 
postfix_spool_t, postfix_spool_bounce_t, dir, "bounce") - - manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) - manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) - manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) --filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush") -- --create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t) --manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) --manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) --setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t) --filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private") -- --create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t) --manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) --manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) --setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) --filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - --create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) --delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") -+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - --create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) --setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) --filetrans_pattern(postfix_master_t, 
postfix_spool_t, postfix_var_run_t, dir, "pid") -+kernel_read_all_sysctls(postfix_master_t) - --can_exec(postfix_master_t, postfix_exec_t) -- --domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) --domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -- --corenet_all_recvfrom_unlabeled(postfix_master_t) - corenet_all_recvfrom_netlabel(postfix_master_t) - corenet_tcp_sendrecv_generic_if(postfix_master_t) - corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) - corenet_udp_sendrecv_generic_node(postfix_master_t) - corenet_tcp_sendrecv_all_ports(postfix_master_t) - corenet_udp_sendrecv_all_ports(postfix_master_t) -+corenet_udp_bind_generic_node(postfix_master_t) -+corenet_udp_bind_all_unreserved_ports(postfix_master_t) -+corenet_dontaudit_udp_bind_all_ports(postfix_master_t) - corenet_tcp_bind_generic_node(postfix_master_t) -- --corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) - corenet_tcp_bind_amavisd_send_port(postfix_master_t) -- --corenet_sendrecv_smtp_server_packets(postfix_master_t) - corenet_tcp_bind_smtp_port(postfix_master_t) -- --corenet_sendrecv_spamd_server_packets(postfix_master_t) --corenet_tcp_bind_spamd_port(postfix_master_t) -- --corenet_sendrecv_all_client_packets(postfix_master_t) - corenet_tcp_connect_all_ports(postfix_master_t) -+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) -+corenet_sendrecv_smtp_server_packets(postfix_master_t) -+corenet_sendrecv_all_client_packets(postfix_master_t) -+# for spampd -+corenet_tcp_bind_spamd_port(postfix_master_t) - --# Can this be conditional? 
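Review bot: The rewritten master policy drops the six name-based `filetrans_pattern(postfix_master_t, postfix_spool_t, …, dir, "bounce" / "flush" / "private" / "public" / "maildrop" / "pid")` rules, so when master recreates a missing queue subdirectory under postfix_spool_t it is now labeled postfix_spool_t instead of its dedicated type; the public/private socket directories and the user-writable maildrop then share a label with the rest of the queue until a relabel, and the new `postfix_filetrans_named_content` covers only postfix-script and prng_exch. The replacement `manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, …)` also widens master from delete/rename to full create/write on the maildrop queue, although the comment only talks about removing bogus entries. I would keep the named transitions next to the new manage rules:
```selinux
# keep the queue subdirectories on their own types when master recreates them
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
```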
--corenet_sendrecv_all_server_packets(postfix_master_t) --corenet_udp_bind_all_unreserved_ports(postfix_master_t) --corenet_dontaudit_udp_bind_all_ports(postfix_master_t) -- -+# for a find command - selinux_dontaudit_search_fs(postfix_master_t) - -+corecmd_exec_shell(postfix_master_t) - corecmd_exec_bin(postfix_master_t) - - domain_use_interactive_fds(postfix_master_t) - -+files_search_var_lib(postfix_master_t) - files_search_tmp(postfix_master_t) - --mcs_file_read_all(postfix_master_t) -- - term_dontaudit_search_ptys(postfix_master_t) - --miscfiles_read_man_pages(postfix_master_t) -- - seutil_sigchld_newrole(postfix_master_t) --seutil_dontaudit_search_config(postfix_master_t) - --mta_manage_aliases(postfix_master_t) --mta_etc_filetrans_aliases(postfix_master_t, file, "aliases") --mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db") --mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp") --mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file) -+mta_rw_aliases(postfix_master_t) - mta_read_sendmail_bin(postfix_master_t) - mta_getattr_spool(postfix_master_t) - --optional_policy(` -- cyrus_stream_connect(postfix_master_t) --') -- --optional_policy(` -- kerberos_keytab_template(postfix, postfix_t) -+ifdef(`distro_redhat',` -+ # for newer main.cf that uses /etc/aliases -+ mta_manage_aliases(postfix_master_t) -+ mta_etc_filetrans_aliases(postfix_master_t) - ') - - optional_policy(` -- mailman_manage_data_files(postfix_master_t) -+ cyrus_stream_connect(postfix_master_t) - ') - - optional_policy(` -- mysql_stream_connect(postfix_master_t) -+ kerberos_keytab_template(postfix, postfix_t) - ') - - optional_policy(` -@@ -333,12 +221,14 @@ optional_policy(` - - ######################################## - # --# Bounce local policy -+# Postfix bounce local policy - # - - allow postfix_bounce_t self:capability dac_read_search; -+allow postfix_bounce_t self:tcp_socket create_socket_perms; - --write_sock_files_pattern(postfix_bounce_t, 
postfix_public_t, postfix_public_t) -+allow postfix_bounce_t postfix_public_t:sock_file write; -+allow postfix_bounce_t postfix_public_t:dir search_dir_perms; - - manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) - manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool - - ######################################## - # --# Cleanup local policy -+# Postfix cleanup local policy - # - - allow postfix_cleanup_t self:process setrlimit; -- - allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; --allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; -- --allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; --allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; --allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - -+# connect to master process - stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) - - rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) - write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) -+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; - - manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) - manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) - manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) - files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) - -+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; -+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; -+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; -+ - allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; - - corecmd_exec_bin(postfix_cleanup_t) - 
--corenet_sendrecv_kismet_client_packets(postfix_cleanup_t) --corenet_tcp_connect_kismet_port(postfix_cleanup_t) --corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) -- --mta_read_aliases(postfix_cleanup_t) -+# allow postfix to connect to sqlgrey -+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t) - - optional_policy(` - mailman_read_data_files(postfix_cleanup_t) -@@ -393,36 +280,50 @@ optional_policy(` - - ######################################## - # --# Local local policy -+# Postfix local local policy - # - --allow postfix_local_t self:capability chown; --allow postfix_local_t self:process setrlimit; -+allow postfix_local_t self:process { setsched setrlimit }; - -+# connect to master process - stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) - -+# for .forward - maybe we need a new type for it? - rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) -- --allow postfix_local_t postfix_spool_t:file rw_file_perms; -+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - - domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) - -+allow postfix_local_t postfix_spool_t:file rw_file_perms; -+ -+corecmd_exec_shell(postfix_local_t) - corecmd_exec_bin(postfix_local_t) - - logging_dontaudit_search_logs(postfix_local_t) - - mta_delete_spool(postfix_local_t) --mta_read_aliases(postfix_local_t) --mta_read_config(postfix_local_t) -+# Handle vacation script - mta_send_mail(postfix_local_t) - -+userdom_read_user_home_content_files(postfix_local_t) -+userdom_exec_user_bin_files(postfix_local_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_exec_nfs_files(postfix_local_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_exec_cifs_files(postfix_local_t) -+') -+ - tunable_policy(`postfix_local_write_mail_spool',` - mta_manage_spool(postfix_local_t) - ') - - optional_policy(` -- clamav_search_lib(postfix_local_t) -- 
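Review bot: `corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)` replaces a three-line kismet block (connect, `corenet_tcp_sendrecv_kismet_port`, `corenet_sendrecv_kismet_client_packets`) with the connect rule alone, and earlier in this patch the `postfix_server_domain` common block that granted `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` is deleted; unless postfix_server_domain_template (not visible here) still supplies them, cleanup can open the connection but not exchange data on it. I would add `corenet_tcp_sendrecv_rtsclient_port(postfix_cleanup_t)` and `corenet_sendrecv_rtsclient_client_packets(postfix_cleanup_t)` beside it. The comment should also name the port so the mapping can be checked against corenetwork, e.g. `# sqlgrey: its default port is labeled rtsclient_port_t in corenetwork.te (verify the number)`.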
clamav_exec_clamscan(postfix_local_t) -+ antivirus_search_db(postfix_local_t) -+ antivirus_exec(postfix_local_t) -+ antivirus_stream_connect(postfix_domain) - ') - - optional_policy(` -@@ -434,6 +335,7 @@ optional_policy(` - ') - - optional_policy(` -+# for postalias - mailman_manage_data_files(postfix_local_t) - mailman_append_log(postfix_local_t) - mailman_read_log(postfix_local_t) -@@ -444,6 +346,10 @@ optional_policy(` - ') - - optional_policy(` -+ openshift_search_lib(postfix_local_t) -+') -+ -+optional_policy(` - procmail_domtrans(postfix_local_t) - ') - -@@ -458,15 +364,17 @@ optional_policy(` - - ######################################## - # --# Map local policy -+# Postfix map local policy - # -- - allow postfix_map_t self:capability { dac_override setgid setuid }; --allow postfix_map_t self:tcp_socket { accept listen }; -+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; -+allow postfix_map_t self:unix_dgram_socket create_socket_perms; -+allow postfix_map_t self:tcp_socket create_stream_socket_perms; -+allow postfix_map_t self:udp_socket create_socket_perms; - --allow postfix_map_t postfix_etc_t:dir manage_dir_perms; --allow postfix_map_t postfix_etc_t:file manage_file_perms; --allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; -+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) -+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) -+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) - - manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) - manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t) - kernel_dontaudit_list_proc(postfix_map_t) - kernel_dontaudit_read_system_state(postfix_map_t) - --corenet_all_recvfrom_unlabeled(postfix_map_t) - corenet_all_recvfrom_netlabel(postfix_map_t) - corenet_tcp_sendrecv_generic_if(postfix_map_t) 
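Review bot: `userdom_exec_user_bin_files(postfix_local_t)`, `corecmd_exec_shell(postfix_local_t)` and the NFS/CIFS exec tunables let the local delivery agent run user-controlled programs (presumably `.forward` pipe commands, per the `# for .forward` comment in this hunk) inside postfix_local_t with no domain transition, so such a command inherits the agent's read access to every user's home content and, under postfix_local_write_mail_spool, write access to every mailbox. At minimum the exec of user binaries should sit behind a tunable like the NFS/CIFS cases, with a comment naming the exposure; a separate, less privileged delivery-command domain would be the real fix. Also `antivirus_stream_connect(postfix_domain)` is inside the local-delivery optional block but grants the whole attribute; change it to `antivirus_stream_connect(postfix_local_t)` or move it to the postfix_domain section at the end of the file.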
-+corenet_udp_sendrecv_generic_if(postfix_map_t) - corenet_tcp_sendrecv_generic_node(postfix_map_t) -- --corenet_sendrecv_all_client_packets(postfix_map_t) --corenet_tcp_connect_all_ports(postfix_map_t) -+corenet_udp_sendrecv_generic_node(postfix_map_t) - corenet_tcp_sendrecv_all_ports(postfix_map_t) -+corenet_udp_sendrecv_all_ports(postfix_map_t) -+corenet_tcp_connect_all_ports(postfix_map_t) -+corenet_sendrecv_all_client_packets(postfix_map_t) - - corecmd_list_bin(postfix_map_t) - corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t) - corecmd_read_bin_sockets(postfix_map_t) - - files_list_home(postfix_map_t) --files_read_usr_files(postfix_map_t) - files_read_etc_runtime_files(postfix_map_t) - files_dontaudit_search_var(postfix_map_t) - -@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t) - - logging_send_syslog_msg(postfix_map_t) - --miscfiles_read_localization(postfix_map_t) -- - optional_policy(` - locallogin_dontaudit_use_fds(postfix_map_t) - ') - - optional_policy(` -+# for postalias - mailman_manage_data_files(postfix_map_t) - ') - - ######################################## - # --# Pickup local policy -+# Postfix pickup local policy - # - -+allow postfix_pickup_t self:tcp_socket create_socket_perms; -+ - stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) - - rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; - read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) - delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) - -+postfix_list_spool(postfix_pickup_t) -+ - allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; - read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - 
--mcs_file_read_all(postfix_pickup_t) --mcs_file_write_all(postfix_pickup_t) -- - ######################################## - # --# Pipe local policy -+# Postfix pipe local policy - # - - allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +484,26 @@ optional_policy(` - - ######################################## - # --# Postdrop local policy -+# Postfix postdrop local policy - # - -+# usually it does not need a UDP socket - allow postfix_postdrop_t self:capability sys_resource; -+allow postfix_postdrop_t self:tcp_socket create; -+allow postfix_postdrop_t self:udp_socket create_socket_perms; -+ -+# Might be a leak, but I need a postfix expert to explain -+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; -+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto; - - rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) -+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - -+postfix_list_spool(postfix_postdrop_t) - manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - --allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; -- --mcs_file_read_all(postfix_postdrop_t) --mcs_file_write_all(postfix_postdrop_t) -+corenet_udp_sendrecv_generic_if(postfix_postdrop_t) -+corenet_udp_sendrecv_generic_node(postfix_postdrop_t) - - term_dontaudit_use_all_ptys(postfix_postdrop_t) - term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +518,7 @@ optional_policy(` - cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) - ') - --optional_policy(` -- fail2ban_dontaudit_use_fds(postfix_postdrop_t) --') -- -+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 - optional_policy(` - fstools_read_pipes(postfix_postdrop_t) - ') -@@ -621,17 +533,24 @@ optional_policy(` - - ####################################### - # --# Postqueue local policy -+# Postfix postqueue local policy - # - -+allow postfix_postqueue_t 
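Review bot: `allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;` is added under the comment `# Might be a leak, but I need a postfix expert to explain`, i.e. an unresolved question is being committed as a grant; postdrop is the user-invoked submission agent (`mta_mailserver_user_agent`), so a direct connect from it into the root master process is exactly the edge that should be justified before it lands. The same goes for `self:udp_socket create_socket_perms` added right under `# usually it does not need a UDP socket`. I would replace the comment with the concrete reason (which master socket postdrop opens), or drop the rule and rely on the existing `rw_fifo_files_pattern` on postfix_public_t; and since `rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, …)` is new as well, `write_sock_files_pattern` is the narrower choice if read is not needed.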
self:capability2 block_suspend; -+allow postfix_postqueue_t self:tcp_socket create; -+allow postfix_postqueue_t self:udp_socket { create ioctl }; -+ -+# wants to write to /var/spool/postfix/public/showq - stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) - -+# write to /var/spool/postfix/public/qmgr - write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) - - domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) - --term_use_all_ptys(postfix_postqueue_t) --term_use_all_ttys(postfix_postqueue_t) -+# to write the mailq output, it really should not need read access! -+term_use_all_inherited_ptys(postfix_postqueue_t) -+term_use_all_inherited_ttys(postfix_postqueue_t) - - init_sigchld_script(postfix_postqueue_t) - init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +566,77 @@ optional_policy(` - - ######################################## - # --# Qmgr local policy -+# Postfix qmgr local policy - # - --allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; --allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; --allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; -- - stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - - rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) - --manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) --allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; -- -+# for /var/spool/postfix/active - manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) - manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) - manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) - files_spool_filetrans(postfix_qmgr_t, 
postfix_spool_t, dir) - -+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; -+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; -+ -+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; -+ - corecmd_exec_bin(postfix_qmgr_t) - - ######################################## - # --# Showq local policy -+# Postfix showq local policy - # - - allow postfix_showq_t self:capability { setuid setgid }; -+allow postfix_showq_t self:tcp_socket create_socket_perms; - - allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; - -+allow postfix_showq_t postfix_spool_t:file read_file_perms; -+ -+postfix_list_spool(postfix_showq_t) -+ - allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; - allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; - allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - --allow postfix_showq_t postfix_spool_t:file read_file_perms; -- --mcs_file_read_all(postfix_showq_t) -- -+# to write the mailq output, it really should not need read access! 
- term_use_all_ptys(postfix_showq_t) - term_use_all_ttys(postfix_showq_t) - - ######################################## - # --# Smtp delivery local policy -+# Postfix smtp delivery local policy - # - -+# connect to master process - allow postfix_smtp_t self:capability sys_chroot; -- - stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - --allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms; -+allow postfix_smtp_t postfix_prng_t:file rw_file_perms; -+ -+allow postfix_smtp_t postfix_spool_t:file rw_file_perms; - - rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - -+# for spampd -+corenet_tcp_connect_spamd_port(postfix_master_t) -+ -+files_search_all_mountpoints(postfix_smtp_t) -+ - optional_policy(` - cyrus_stream_connect(postfix_smtp_t) - ') - - optional_policy(` -- dovecot_stream_connect(postfix_smtp_t) -+ dovecot_stream_connect(postfix_smtp_t) - ') - - optional_policy(` -@@ -720,29 +649,30 @@ optional_policy(` - - ######################################## - # --# Smtpd local policy -+# Postfix smtpd local policy - # -- - allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; - -+# connect to master process - stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -+# Connect to policy server -+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) -+ -+# for prng_exch - manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) - manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) - manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) - allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; - --corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t) --corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) 
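Review bot: `corenet_tcp_connect_spamd_port(postfix_master_t)` is placed under the `Postfix smtp delivery local policy` heading with `# for spampd`, but it grants the master domain rather than postfix_smtp_t; every surrounding rule targets postfix_smtp_t, so this looks like a typo, and if master really needs it the rule belongs in the master section next to its existing `corenet_tcp_bind_spamd_port`. Change it to `corenet_tcp_connect_spamd_port(postfix_smtp_t)` or move it. In the showq section the comment `# to write the mailq output, it really should not need read access!` is pasted in while the rules stay `term_use_all_ptys`/`term_use_all_ttys`, whereas postqueue in the previous hunk was narrowed to the `_inherited_` variants; apply the same narrowing (`term_use_all_inherited_ptys(postfix_showq_t)`, `term_use_all_inherited_ttys(postfix_showq_t)`) or say why showq differs.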
--corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t) -- - corecmd_exec_bin(postfix_smtpd_t) - -+# for OpenSSL certificates -+ -+# postfix checks the size of all mounted file systems - fs_getattr_all_dirs(postfix_smtpd_t) - fs_getattr_all_fs(postfix_smtpd_t) - --mta_read_aliases(postfix_smtpd_t) -- - optional_policy(` - dovecot_stream_connect_auth(postfix_smtpd_t) - dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +684,7 @@ optional_policy(` - - optional_policy(` - milter_stream_connect_all(postfix_smtpd_t) -+ spamassassin_read_pid_files(postfix_smtpd_t) - ') - - optional_policy(` -@@ -764,31 +695,99 @@ optional_policy(` - sasl_connect(postfix_smtpd_t) - ') - --optional_policy(` -- spamassassin_read_spamd_pid_files(postfix_smtpd_t) -- spamassassin_stream_connect_spamd(postfix_smtpd_t) --') -- - ######################################## - # --# Virtual local policy -+# Postfix virtual local policy - # - --allow postfix_virtual_t self:process setrlimit; -+allow postfix_virtual_t self:process { setsched setrlimit }; - --allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -+manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t) - -+# connect to master process - stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - -+corecmd_exec_shell(postfix_virtual_t) - corecmd_exec_bin(postfix_virtual_t) - --mta_read_aliases(postfix_virtual_t) - mta_delete_spool(postfix_virtual_t) --mta_read_config(postfix_virtual_t) - mta_manage_spool(postfix_virtual_t) - - userdom_manage_user_home_dirs(postfix_virtual_t) --userdom_manage_user_home_content_dirs(postfix_virtual_t) --userdom_manage_user_home_content_files(postfix_virtual_t) --userdom_home_filetrans_user_home_dir(postfix_virtual_t) --userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }) -+userdom_manage_user_home_content(postfix_virtual_t) 
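Review bot: The comment `# for OpenSSL certificates` is left with no rule beneath it (a blank line follows and the next comment introduces the fs_getattr rules), and `# for prng_exch` now heads the three `postfix_spool_t` manage rules rather than the `postfix_prng_t` rule it describes; stray comments in a policy file are read as the justification for the grants under them. Drop the orphan comment or attach it to the rule it refers to, and move `# for prng_exch` directly above `allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;`. Separately, `corenet_tcp_connect_postfix_policyd_port` is kept while its `sendrecv` and `client_packets` companions are removed; whether that still works depends on the common rules this patch deletes elsewhere, which is worth a comment.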
-+userdom_filetrans_home_content(postfix_virtual_t) -+ -+######################################## -+# -+# postfix_domain common policy -+# -+allow postfix_domain self:capability { sys_nice sys_chroot }; -+dontaudit postfix_domain self:capability sys_tty_config; -+allow postfix_domain self:process { signal_perms setpgid setsched }; -+allow postfix_domain self:unix_dgram_socket create_socket_perms; -+allow postfix_domain self:unix_stream_socket create_stream_socket_perms; -+allow postfix_domain self:unix_stream_socket connectto; -+allow postfix_domain self:fifo_file rw_fifo_file_perms; -+ -+allow postfix_master_t postfix_domain:fifo_file { read write }; -+allow postfix_master_t postfix_domain:process signal; -+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 -+allow postfix_domain postfix_master_t:file read; -+allow postfix_domain postfix_etc_t:dir list_dir_perms; -+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t) -+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t) -+ -+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; -+ -+allow postfix_domain postfix_master_t:process sigchld; -+ -+allow postfix_domain postfix_spool_t:dir list_dir_perms; -+ -+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) -+files_pid_filetrans(postfix_domain, postfix_var_run_t, file) -+ -+kernel_read_network_state(postfix_domain) -+kernel_read_all_sysctls(postfix_domain) -+ -+dev_read_sysfs(postfix_domain) -+dev_read_rand(postfix_domain) -+dev_read_urand(postfix_domain) -+ -+fs_search_auto_mountpoints(postfix_domain) -+fs_getattr_xattr_fs(postfix_domain) -+fs_rw_anon_inodefs_files(postfix_domain) -+ -+term_dontaudit_use_console(postfix_domain) -+ -+corecmd_exec_shell(postfix_domain) -+ -+files_read_etc_runtime_files(postfix_domain) -+files_read_usr_symlinks(postfix_domain) -+files_search_spool(postfix_domain) -+files_list_tmp(postfix_domain) -+files_search_all_mountpoints(postfix_domain) -+ 
-+init_dontaudit_use_fds(postfix_domain) -+init_sigchld(postfix_domain) -+init_dontaudit_rw_stream_socket(postfix_domain) -+ -+# For reading spamassasin -+mta_read_config(postfix_domain) -+mta_read_aliases(postfix_domain) -+ -+miscfiles_read_generic_certs(postfix_domain) -+ -+userdom_dontaudit_use_unpriv_user_fds(postfix_domain) -+ -+optional_policy(` -+ mysql_stream_connect(postfix_domain) -+') -+ -+optional_policy(` -+ spamd_stream_connect(postfix_domain) -+ spamassassin_domtrans_client(postfix_domain) -+') -+ -+optional_policy(` -+ udev_read_db(postfix_domain) -+') -diff --git a/postfixpolicyd.if b/postfixpolicyd.if -index 5de8173..985b877 100644 ---- a/postfixpolicyd.if -+++ b/postfixpolicyd.if -@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` - type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; - ') - -- allow $1 postfix_policyd_t:process { ptrace signal_perms }; -+ allow $1 postfix_policyd_t:process signal_perms; - ps_process_pattern($1, postfix_policyd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postfix_policyd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/postfixpolicyd.te b/postfixpolicyd.te -index 70f0533..77d4cd9 100644 ---- a/postfixpolicyd.te -+++ b/postfixpolicyd.te -@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; - manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) - files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) - --corenet_all_recvfrom_unlabeled(postfix_policyd_t) - corenet_tcp_sendrecv_generic_if(postfix_policyd_t) - corenet_tcp_sendrecv_generic_node(postfix_policyd_t) - corenet_tcp_bind_generic_node(postfix_policyd_t) -@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t) - corenet_tcp_bind_mysqld_port(postfix_policyd_t) - corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t) - 
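Review bot: The comment `# For reading spamassasin` above `mta_read_config(postfix_domain)` and `mta_read_aliases(postfix_domain)` does not describe those calls (they grant reads of MTA configuration and alias maps) and misspells the program name; replace it with `# all postfix domains read the MTA configuration and alias maps` or remove it. `corecmd_exec_shell(postfix_virtual_t)` is added in the same hunk that grants `corecmd_exec_shell(postfix_domain)` to the whole attribute; if postfix_virtual_t is a member of postfix_domain (its attribute assignment is not visible here) the per-domain line is redundant, and since shell execution for every postfix domain is the broadest grant in this block, a one-line comment naming the helper that needs it would let reviewers judge the scope. `spamassassin_domtrans_client(postfix_domain)` likewise gives every postfix domain a transition into the spamc client domain and deserves the same justification.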
--files_read_etc_files(postfix_policyd_t)
--files_read_usr_files(postfix_policyd_t)
-
- logging_send_syslog_msg(postfix_policyd_t)
-
--miscfiles_read_localization(postfix_policyd_t)
--
- sysnet_dns_name_resolve(postfix_policyd_t)
-diff --git a/postgrey.if b/postgrey.if
-index b9e71b5..a7502cd 100644
---- a/postgrey.if
-+++ b/postgrey.if
-@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
- type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
- ')
-
-+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
- files_search_pids($1)
- files_search_spool($1)
-- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
- ')
-
- ########################################
-@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
- #
- interface(`postgrey_admin',`
- gen_require(`
-- type postgrey_t, postgrey_etc_t, postgrey_spool_t;
-- type postgrey_var_lib_t, postgrey_var_run_t;
-- type postgrey_initrc_exec_t;
-+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
-+ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
- ')
-
-- allow $1 postgrey_t:process { ptrace signal_perms };
-+ allow $1 postgrey_t:process signal_perms;
- ps_process_pattern($1, postgrey_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 postgrey_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
-diff --git a/postgrey.te b/postgrey.te
-index 3b11496..04e3809 100644
---- a/postgrey.te
-+++ b/postgrey.te
-@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
- init_script_file(postgrey_initrc_exec_t)
-
- type postgrey_spool_t;
--files_type(postgrey_spool_t)
-+files_spool_file(postgrey_spool_t)
-
- type postgrey_var_lib_t;
- files_type(postgrey_var_lib_t)
-@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
- -
corecmd_search_bin(postgrey_t) - --corenet_all_recvfrom_unlabeled(postgrey_t) - corenet_all_recvfrom_netlabel(postgrey_t) - corenet_tcp_sendrecv_generic_if(postgrey_t) - corenet_tcp_sendrecv_generic_node(postgrey_t) -@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t) - - domain_use_interactive_fds(postgrey_t) - --files_read_etc_files(postgrey_t) - files_read_etc_runtime_files(postgrey_t) --files_read_usr_files(postgrey_t) - files_getattr_tmp_dirs(postgrey_t) - - fs_getattr_all_fs(postgrey_t) - fs_search_auto_mountpoints(postgrey_t) - --logging_send_syslog_msg(postgrey_t) -+auth_read_passwd(postgrey_t) - --miscfiles_read_localization(postgrey_t) -+logging_send_syslog_msg(postgrey_t) - - sysnet_read_config(postgrey_t) - -diff --git a/ppp.fc b/ppp.fc -index efcb653..ff2c96a 100644 ---- a/ppp.fc -+++ b/ppp.fc -@@ -1,30 +1,45 @@ --HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0) -+# -+# /etc -+# -+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - --/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) -+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) -+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) -+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -+# Fix /etc/ppp {up,down} family scripts (see man pppd) -+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - --/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) --/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) --/etc/ppp/peers(/.*)? 
gen_context(system_u:object_r:pppd_etc_rw_t,s0) --/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) --/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) --/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) -+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) - --/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) --/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) -+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) - --/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) --/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) --/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) --/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) --/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) -+# -+# /sbin -+# -+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) -+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) - --/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) -- --/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) --/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) --/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0) -+# -+# /usr -+# -+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) -+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) -+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) - -+# -+# /var -+# - /var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) - /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) --/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) --/var/run/pptp(/.*)? 
gen_context(system_u:object_r:pptp_var_run_t,s0) -+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) -+# Fix pptp sockets -+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) -+ -+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) -+ -+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) -+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) -diff --git a/ppp.if b/ppp.if -index cd8b8b9..6c73980 100644 ---- a/ppp.if -+++ b/ppp.if -@@ -1,110 +1,91 @@ --## Point to Point Protocol daemon creates links in ppp networks. -+## Point to Point Protocol daemon creates links in ppp networks - --######################################## -+####################################### - ## --## Role access for ppp. -+## Create, read, write, and delete -+## ppp home files. - ## --## --## --## Role allowed access. --## --## - ## --## --## User domain for the role. --## --## --# --interface(`ppp_role',` -- refpolicywarn(`$0($*) has been deprecated') --') -- --######################################## --## --## Create, read, write, and delete --## ppp home files. --## --## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`ppp_manage_home_files',` -- gen_require(` -- type ppp_home_t; -- ') -+ gen_require(` -+ type ppp_home_t; -+ ') - -- userdom_search_user_home_dirs($1) -- allow $1 ppp_home_t:file manage_file_perms; -+ userdom_search_user_home_dirs($1) -+ allow $1 ppp_home_t:file manage_file_perms; - ') - --######################################## -+####################################### - ## --## Read ppp user home content files. -+## Read ppp user home content files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. 
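Review bot: `/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)` labels the ppp unit files with the iptables module's type, while ppp.te in this same patch declares `pppd_unit_file_t` and `ppp_systemctl`/`ppp_admin` grant access to that type; the line should read `/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:pppd_unit_file_t,s0)`. As written the ppp admin interface does not cover the unit file, and whichever domains may manage iptables units gain control of the ppp service instead. Separately, `HOME_DIR/\.ppprc` (ppp_home_t) is replaced by `/root/.ppprc` with `pppd_etc_t`, so per-user .ppprc files lose their dedicated label, and the dot in `/root/.ppprc` is unescaped unlike every other entry (`/root/\.ppprc`). `/var/log/ppp(/.*)?` also drops the `--` qualifier the old `/var/log/ppp/.*` line had, so the directory itself now gets pppd_log_t — fine if intended, but worth a word in the commit.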
-+## - ## - # - interface(`ppp_read_home_files',` -- gen_require(` -- type ppp_home_t; -+ gen_require(` -+ type ppp_home_t; - -- ') -+ ') - -- userdom_search_user_home_dirs($1) -- allow $1 ppp_home_t:file read_file_perms; -+ userdom_search_user_home_dirs($1) -+ allow $1 ppp_home_t:file read_file_perms; - ') - --######################################## -+####################################### - ## --## Relabel ppp home files. -+## Relabel ppp home files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`ppp_relabel_home_files',` -- gen_require(` -- type ppp_home_t; -- ') -+ gen_require(` -+ type ppp_home_t; -+ ') - -- userdom_search_user_home_dirs($1) -- allow $1 ppp_home_t:file relabel_file_perms; -+ userdom_search_user_home_dirs($1) -+ allow $1 ppp_home_t:file relabel_file_perms; - ') - --######################################## -+####################################### - ## --## Create objects in user home --## directories with the ppp home type. -+## Create objects in user home -+## directories with the ppp home type. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - ## --## --## Class of the object being created. --## -+## -+## Class of the object being created. -+## - ## - ## --## --## The name of the object being created. --## -+## -+## The name of the object being created. -+## - ## - # - interface(`ppp_home_filetrans_ppp_home',` -- gen_require(` -- type ppp_home_t; -- ') -+ gen_require(` -+ type ppp_home_t; -+ ') - -- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) -+ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) - ') - - ######################################## -@@ -128,7 +109,7 @@ interface(`ppp_use_fds',` - ######################################## - ## - ## Do not audit attempts to inherit --## and use ppp file discriptors. -+## and use PPP file discriptors. 
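Review bot: `ppp_manage_home_files`, `ppp_read_home_files`, `ppp_relabel_home_files` and `ppp_home_filetrans_ppp_home` survive this hunk (their bodies appear to change only in whitespace) and still `gen_require` `type ppp_home_t;`, but the ppp.te hunk later in this patch removes `type ppp_home_t;` and `userdom_user_home_content(ppp_home_t)`, so any module calling them will fail to link against a type that no longer exists. Either keep the type in ppp.te or deprecate the four interfaces with `refpolicywarn(`$0($*) has been deprecated')` as the removed `ppp_role` was. If the re-indentation really is whitespace-only, splitting it from the functional edits would make the ppp.if changes reviewable.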
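Review bot: The new summary for `ppp_domtrans`, `## Execute domain in the ppp domain.`, is less accurate than the removed `## Execute pppd in the pppd domain.` — the interface transitions the caller into pppd_t. The same kind of copied summary appears in later hunks of this file: `ppp_pid_filetrans` becomes `## Create, read, write, and delete PPP pid files.` although it only sets a file transition, `ppp_initrc_domtrans` becomes `## Execute ppp server in the ntpd domain.` in place of the correct init-script wording, and the new `ppp_systemctl` gets `## Execute pppd server in the pppd domain.`. Restore the removed wording for `ppp_domtrans` and `ppp_initrc_domtrans`, and use `## Create pppd pid files with a type transition.` and `## Execute systemctl to manage the pppd service.` for the other two, since these summaries are what the generated policy documentation shows to users.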
- ## - ## - ## -@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',` - - ######################################## - ## --## Send child terminated signals to ppp. -+## Send a SIGCHLD signal to PPP. - ## - ## - ## -@@ -165,7 +146,7 @@ interface(`ppp_sigchld',` - - ######################################## - ## --## Send kill signals to ppp. -+## Send ppp a kill signal - ## - ## - ## -@@ -173,7 +154,6 @@ interface(`ppp_sigchld',` - ## - ## - # --# - interface(`ppp_kill',` - gen_require(` - type pppd_t; -@@ -184,7 +164,7 @@ interface(`ppp_kill',` - - ######################################## - ## --## Send generic signals to ppp. -+## Send a generic signal to PPP. - ## - ## - ## -@@ -202,7 +182,7 @@ interface(`ppp_signal',` - - ######################################## - ## --## Send null signals to ppp. -+## Send a generic signull to PPP. - ## - ## - ## -@@ -220,7 +200,7 @@ interface(`ppp_signull',` - - ######################################## - ## --## Execute pppd in the pppd domain. -+## Execute domain in the ppp domain. - ## - ## - ## -@@ -239,8 +219,7 @@ interface(`ppp_domtrans',` - - ######################################## - ## --## Conditionally execute pppd on --## behalf of a user or staff type. -+## Conditionally execute ppp daemon on behalf of a user or staff type. - ## - ## - ## -@@ -249,7 +228,7 @@ interface(`ppp_domtrans',` - ## - ## - ## --## Role allowed access. -+## The role to allow the ppp domain. - ## - ## - ## -@@ -268,8 +247,7 @@ interface(`ppp_run_cond',` - - ######################################## - ## --## Unconditionally execute ppp daemon --## on behalf of a user or staff type. -+## Unconditionally execute ppp daemon on behalf of a user or staff type. - ## - ## - ## -@@ -278,7 +256,7 @@ interface(`ppp_run_cond',` - ## - ## - ## --## Role allowed access. -+## The role to allow the ppp domain. - ## - ## - ## -@@ -294,7 +272,7 @@ interface(`ppp_run',` - - ######################################## - ## --## Execute domain in the caller domain. 
-+## Execute domain in the ppp caller. - ## - ## - ## -@@ -326,13 +304,13 @@ interface(`ppp_read_config',` - type pppd_etc_t; - ') - -- files_search_etc($1) - read_files_pattern($1, pppd_etc_t, pppd_etc_t) -+ files_search_etc($1) - ') - - ######################################## - ## --## Read ppp writable configuration content. -+## Read PPP-writable configuration files. - ## - ## - ## -@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',` - type pppd_etc_t, pppd_etc_rw_t; - ') - -- files_search_etc($1) -- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms; -+ allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file read_file_perms; -- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms; -+ files_search_etc($1) - ') - - ######################################## - ## --## Read ppp secret files. -+## Read PPP secrets. - ## - ## - ## -@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',` - type pppd_etc_t, pppd_secret_t; - ') - -- files_search_etc($1) - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file read_file_perms; -- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms; -+ files_search_etc($1) - ') - - ######################################## - ## --## Read ppp pid files. -+## Read PPP pid files. - ## - ## - ## -@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',` - ') - - files_search_pids($1) -- allow $1 pppd_var_run_t:file read_file_perms; -+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## ppp pid files. -+## Create, read, write, and delete PPP pid files. - ## - ## - ## -@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',` - ') - - files_search_pids($1) -- allow $1 pppd_var_run_t:file manage_file_perms; -+ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) - ') - - ######################################## - ## --## Create specified pppd pid objects --## with a type transition. 
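Review bot: `ppp_read_rw_config` narrows `allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;` to `allow $1 pppd_etc_t:dir list_dir_perms;` and drops the `lnk_file read_lnk_file_perms` line entirely; since ppp.fc in this patch labels `/etc/ppp/peers(/.*)?` as pppd_etc_rw_t, a caller that lists the peers directory or follows a symlink under /etc/ppp loses access it had before. The next hunk does the same to `ppp_read_secrets` (its `pppd_etc_t:lnk_file read_lnk_file_perms` line goes away). If this narrowing is intentional, say so in the commit; otherwise keep the two-type dir rule and the lnk_file rules.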
-+## Create, read, write, and delete PPP pid files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # - interface(`ppp_pid_filetrans',` - gen_require(` - type pppd_var_run_t; - ') - -- files_pid_filetrans($1, pppd_var_run_t, $2, $3) -+ files_pid_filetrans($1, pppd_var_run_t, file) - ') - - ######################################## - ## --## Execute pppd init script in --## the initrc domain. -+## Execute ppp server in the ntpd domain. - ## - ## - ## -@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',` - - ######################################## - ## --## All of the rules required to --## administrate an ppp environment. -+## Execute pppd server in the pppd domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## --## -+# -+interface(`ppp_systemctl',` -+ gen_require(` -+ type pppd_unit_file_t; -+ type pppd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 pppd_unit_file_t:file read_file_perms; -+ allow $1 pppd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, pppd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ppp environment -+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## -+## -+## -+## Role allowed access. 
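Review bot: `ppp_pid_filetrans` changes from `files_pid_filetrans($1, pppd_var_run_t, $2, $3)` to `files_pid_filetrans($1, pppd_var_run_t, file)`, which silently alters the interface contract: m4 does not reject surplus arguments, so an existing caller passing a class such as `dir` or a file name now gets a plain `file` transition with its arguments ignored. The removed `## Class of the object being created.` and `## The name of the object being created.` parameter docs show the change is deliberate, but callers should be audited; keeping `files_pid_filetrans($1, pppd_var_run_t, $2, $3)` (or adding a separate one-argument interface) avoids the silent behaviour change. In the same hunk, `ppp_manage_pid_files` switching to `manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)` is an improvement, since it also grants the directory access the old file-only rule lacked.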
-+## -+## - ## - # - interface(`ppp_admin',` - gen_require(` - type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; -- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t; -- type pppd_var_run_t, pppd_initrc_exec_t; -+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t; - type pptp_t, pptp_log_t, pptp_var_run_t; -+ type pppd_initrc_exec_t, pppd_etc_rw_t; -+ type pppd_unit_file_t; -+ ') -+ -+ allow $1 pppd_t:process signal_perms; -+ ps_process_pattern($1, pppd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 pppd_t:process ptrace; -+ allow $1 pptp_t:process ptrace; - ') - -- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { pptp_t pppd_t }) -+ allow $1 pptp_t:process signal_perms; -+ ps_process_pattern($1, pptp_t) - - ppp_initrc_domtrans($1) - domain_system_change_exemption($1) -@@ -496,14 +490,26 @@ interface(`ppp_admin',` - admin_pattern($1, pppd_tmp_t) - - logging_list_logs($1) -- admin_pattern($1, { pptp_log_t pppd_log_t }) -+ admin_pattern($1, pppd_log_t) - - files_list_locks($1) - admin_pattern($1, pppd_lock_t) - - files_list_etc($1) -- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t }) -+ admin_pattern($1, pppd_etc_t) -+ -+ admin_pattern($1, pppd_etc_rw_t) -+ -+ admin_pattern($1, pppd_secret_t) - - files_list_pids($1) -- admin_pattern($1, { pptp_var_run_t pppd_var_run_t }) -+ admin_pattern($1, pppd_var_run_t) -+ -+ admin_pattern($1, pptp_log_t) -+ -+ admin_pattern($1, pptp_var_run_t) -+ -+ ppp_systemctl($1) -+ admin_pattern($1, pppd_unit_file_t) -+ allow $1 pppd_unit_file_t:service all_service_perms; - ') -diff --git a/ppp.te b/ppp.te -index b2b5dba..9bc465c 100644 ---- a/ppp.te -+++ b/ppp.te -@@ -1,4 +1,4 @@ --policy_module(ppp, 1.13.5) -+policy_module(ppp, 1.13.0) - - ######################################## - # -@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5) - # - - ## --##

    --## Determine whether pppd can --## load kernel modules. --##

    -+##

    -+## Allow pppd to load kernel modules for certain modems -+##

    - ##
    - gen_tunable(pppd_can_insmod, false) - - ## --##

    --## Determine whether common users can --## run pppd with a domain transition. --##

    -+##

    -+## Allow pppd to be run for a regular user -+##

    - ##
    - gen_tunable(pppd_for_user, false) - - attribute_role pppd_roles; --attribute_role pptp_roles; - -+# pppd_t is the domain for the pppd program. -+# pppd_exec_t is the type of the pppd executable. - type pppd_t; - type pppd_exec_t; - init_daemon_domain(pppd_t, pppd_exec_t) - role pppd_roles types pppd_t; -+role system_r types pppd_t; - - type pppd_devpts_t; - term_pty(pppd_devpts_t) - -+# Define a separate type for /etc/ppp - type pppd_etc_t; - files_config_file(pppd_etc_t) - -+# Define a separate type for writable files under /etc/ppp - type pppd_etc_rw_t; - files_type(pppd_etc_rw_t) - - type pppd_initrc_exec_t alias pppd_script_exec_t; - init_script_file(pppd_initrc_exec_t) - -+type pppd_unit_file_t; -+systemd_unit_file(pppd_unit_file_t) -+ -+# pppd_secret_t is the type of the pap and chap password files - type pppd_secret_t; - files_type(pppd_secret_t) - -@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t) - type pptp_t; - type pptp_exec_t; - init_daemon_domain(pptp_t, pptp_exec_t) --role pptp_roles types pptp_t; -+#role pppd_roles types pptp_t; -+role system_r types pptp_t; - - type pptp_log_t; - logging_log_file(pptp_log_t) -@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t) - type pptp_var_run_t; - files_pid_file(pptp_var_run_t) - --type ppp_home_t; --userdom_user_home_content(ppp_home_t) -- - ######################################## - # --# PPPD local policy -+# PPPD Local policy - # - - allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; - dontaudit pppd_t self:capability sys_tty_config; --allow pppd_t self:process { getsched setsched signal }; -+allow pppd_t self:process { getsched setsched signal_perms }; - allow pppd_t self:fifo_file rw_fifo_file_perms; - allow pppd_t self:socket create_socket_perms; --allow pppd_t self:netlink_route_socket nlmsg_write; --allow pppd_t self:tcp_socket { accept listen }; -+allow pppd_t self:unix_dgram_socket create_socket_perms; -+allow pppd_t 
self:unix_stream_socket create_socket_perms; -+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; -+allow pppd_t self:tcp_socket create_stream_socket_perms; -+allow pppd_t self:udp_socket { connect connected_socket_perms }; - allow pppd_t self:packet_socket create_socket_perms; - -+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) -+ - allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - - allow pppd_t pppd_etc_t:dir rw_dir_perms; --allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms; -+allow pppd_t pppd_etc_t:file read_file_perms; - allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) -+# Automatically label newly created files under /etc/ppp with this type - filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - --allow pppd_t pppd_lock_t:file manage_file_perms; --files_lock_filetrans(pppd_t, pppd_lock_t, file) -+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t) -+files_search_locks(pppd_t) - --allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t) - logging_log_filetrans(pppd_t, pppd_log_t, file) - - manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) - manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) --files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file}) -+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) - - manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) - manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) - files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) - --can_exec(pppd_t, pppd_exec_t) -- --domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) -- - allow pppd_t pptp_t:process signal; - -+# for SSP -+# Access secret files - allow pppd_t pppd_secret_t:file read_file_perms; - -+ppp_initrc_domtrans(pppd_t) -+ - kernel_read_kernel_sysctls(pppd_t) - kernel_read_system_state(pppd_t) - kernel_rw_net_sysctls(pppd_t) -@@ 
-122,10 +132,10 @@ kernel_read_network_state(pppd_t) - kernel_request_load_module(pppd_t) - - dev_read_urand(pppd_t) -+dev_search_sysfs(pppd_t) - dev_read_sysfs(pppd_t) - dev_rw_modem(pppd_t) - --corenet_all_recvfrom_unlabeled(pppd_t) - corenet_all_recvfrom_netlabel(pppd_t) - corenet_tcp_sendrecv_generic_if(pppd_t) - corenet_raw_sendrecv_generic_if(pppd_t) -@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t) - corenet_udp_sendrecv_generic_node(pppd_t) - corenet_tcp_sendrecv_all_ports(pppd_t) - corenet_udp_sendrecv_all_ports(pppd_t) -- -+# Access /dev/ppp. - corenet_rw_ppp_dev(pppd_t) - -+fs_getattr_all_fs(pppd_t) -+fs_search_auto_mountpoints(pppd_t) -+ -+term_use_unallocated_ttys(pppd_t) -+term_use_usb_ttys(pppd_t) -+term_setattr_unallocated_ttys(pppd_t) -+term_ioctl_generic_ptys(pppd_t) -+# for pppoe -+term_create_pty(pppd_t, pppd_devpts_t) -+term_use_generic_ptys(pppd_t) -+ -+# allow running ip-up and ip-down scripts and running chat. - corecmd_exec_bin(pppd_t) - corecmd_exec_shell(pppd_t) - -@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t) - files_manage_etc_runtime_files(pppd_t) - files_dontaudit_write_etc_files(pppd_t) - --fs_getattr_all_fs(pppd_t) --fs_search_auto_mountpoints(pppd_t) -+# for scripts - --term_use_unallocated_ttys(pppd_t) --term_setattr_unallocated_ttys(pppd_t) --term_ioctl_generic_ptys(pppd_t) --term_create_pty(pppd_t, pppd_devpts_t) --term_use_generic_ptys(pppd_t) -- --init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) - init_read_utmp(pppd_t) --init_signal_script(pppd_t) - init_dontaudit_write_utmp(pppd_t) -+init_signal_script(pppd_t) - --auth_run_chk_passwd(pppd_t, pppd_roles) - auth_use_nsswitch(pppd_t) -+auth_domtrans_chk_passwd(pppd_t) -+#auth_run_chk_passwd(pppd_t,pppd_roles) - auth_write_login_records(pppd_t) - - logging_send_syslog_msg(pppd_t) - logging_send_audit_msgs(pppd_t) - --miscfiles_read_localization(pppd_t) -- - sysnet_exec_ifconfig(pppd_t) - sysnet_manage_config(pppd_t) - 
sysnet_etc_filetrans_config(pppd_t) -+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf") - --userdom_use_user_terminals(pppd_t) -+userdom_use_inherited_user_terminals(pppd_t) - userdom_dontaudit_use_unpriv_user_fds(pppd_t) - userdom_search_user_home_dirs(pppd_t) -+userdom_search_admin_dir(pppd_t) -+ -+ppp_exec(pppd_t) - - optional_policy(` - ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +203,13 @@ optional_policy(` - l2tpd_dgram_send(pppd_t) - l2tpd_rw_socket(pppd_t) - l2tpd_stream_connect(pppd_t) -+ l2tpd_read_pid_files(pppd_t) -+ l2tpd_dbus_chat(pppd_t) - ') - - optional_policy(` - tunable_policy(`pppd_can_insmod',` -- modutils_domtrans_insmod(pppd_t) -+ modutils_domtrans_insmod_uncond(pppd_t) - ') - ') - -@@ -218,16 +237,19 @@ optional_policy(` - - ######################################## - # --# PPTP local policy -+# PPTP Local policy - # - - allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; - dontaudit pptp_t self:capability sys_tty_config; - allow pptp_t self:process signal; - allow pptp_t self:fifo_file rw_fifo_file_perms; --allow pptp_t self:unix_stream_socket { accept connectto listen }; -+allow pptp_t self:unix_dgram_socket create_socket_perms; -+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow pptp_t self:rawip_socket create_socket_perms; --allow pptp_t self:netlink_route_socket nlmsg_write; -+allow pptp_t self:tcp_socket create_socket_perms; -+allow pptp_t self:udp_socket create_socket_perms; -+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - - allow pptp_t pppd_etc_t:dir list_dir_perms; - allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; - allow pptp_t pppd_etc_rw_t:dir list_dir_perms; - allow pptp_t pppd_etc_rw_t:file read_file_perms; - allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; -+can_exec(pptp_t, pppd_etc_rw_t) - -+# Allow pptp to append to pppd log files 
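Review bot: The new `# for scripts` comment is followed by a blank line and then `init_read_utmp(pppd_t)`, so it describes nothing; either delete it or attach it to the `corecmd_exec_bin`/`corecmd_exec_shell` lines that the earlier `# allow running ip-up and ip-down scripts and running chat.` comment already covers. `sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")` would benefit from a one-line comment on why the transition is keyed on the pid directory, e.g. `# presumably pppd writes resolv.conf under /var/run/ppp — confirm`, since the reason is not visible here. Replacing `auth_run_chk_passwd(pppd_t, pppd_roles)` with `auth_domtrans_chk_passwd(pppd_t)` drops the role grant for the chkpwd domain; since the earlier hunk keeps `role pppd_roles types pppd_t;`, a pppd started from those roles may now lack the chkpwd transition, which is worth checking.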
- allow pptp_t pppd_log_t:file append_file_perms; - --allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+allow pptp_t pptp_log_t:file manage_file_perms; - logging_log_filetrans(pptp_t, pptp_log_t, file) - -+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) - manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) - manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) --files_pid_filetrans(pptp_t, pptp_var_run_t, file) -- --can_exec(pptp_t, pppd_etc_rw_t) -+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) - -+kernel_list_proc(pptp_t) - kernel_read_kernel_sysctls(pptp_t) - kernel_read_network_state(pptp_t) -+kernel_read_proc_symlinks(pptp_t) - kernel_read_system_state(pptp_t) - kernel_signal(pptp_t) - -+dev_read_sysfs(pptp_t) -+ - corecmd_exec_shell(pptp_t) - corecmd_read_bin_symlinks(pptp_t) - --corenet_all_recvfrom_unlabeled(pptp_t) - corenet_all_recvfrom_netlabel(pptp_t) - corenet_tcp_sendrecv_generic_if(pptp_t) - corenet_raw_sendrecv_generic_if(pptp_t) - corenet_tcp_sendrecv_generic_node(pptp_t) - corenet_raw_sendrecv_generic_node(pptp_t) - corenet_tcp_sendrecv_all_ports(pptp_t) -- --corenet_tcp_connect_all_reserved_ports(pptp_t) -+corenet_tcp_bind_generic_node(pptp_t) - corenet_tcp_connect_generic_port(pptp_t) -+corenet_tcp_connect_all_reserved_ports(pptp_t) - corenet_sendrecv_generic_client_packets(pptp_t) -- --corenet_sendrecv_pptp_client_packets(pptp_t) - corenet_tcp_connect_pptp_port(pptp_t) - --dev_read_sysfs(pptp_t) -- --domain_use_interactive_fds(pptp_t) -- - fs_getattr_all_fs(pptp_t) - fs_search_auto_mountpoints(pptp_t) - -@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t) - term_search_ptys(pptp_t) - term_use_ptmx(pptp_t) - -+domain_use_interactive_fds(pptp_t) -+ - auth_use_nsswitch(pptp_t) - - logging_send_syslog_msg(pptp_t) - --miscfiles_read_localization(pptp_t) -- - sysnet_exec_ifconfig(pptp_t) - - userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +319,10 @@ 
optional_policy(` - ') - - optional_policy(` -+ gnome_dontaudit_search_config(pppd_t) -+') -+ -+optional_policy(` - dbus_system_domain(pppd_t, pppd_exec_t) - - optional_policy(` -diff --git a/prelink.fc b/prelink.fc -index a90d623..62af9a4 100644 ---- a/prelink.fc -+++ b/prelink.fc -@@ -1,11 +1,11 @@ - /etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) - --/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) -+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) - - /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) - --/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) --/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) -+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) -+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) - --/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) --/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) -+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) -diff --git a/prelink.if b/prelink.if -index 20d4697..e6605c1 100644 ---- a/prelink.if -+++ b/prelink.if -@@ -2,7 +2,7 @@ - - ######################################## - ## --## Execute prelink in the prelink domain. -+## Execute the prelink program in the prelink domain. - ## - ## - ## -@@ -18,15 +18,15 @@ interface(`prelink_domtrans',` - corecmd_search_bin($1) - domtrans_pattern($1, prelink_exec_t, prelink_t) - -- ifdef(`hide_broken_symptoms',` -+ ifdef(`hide_broken_symptoms', ` - dontaudit prelink_t $1:socket_class_set { read write }; -- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; -+ dontaudit prelink_t $1:fifo_file setattr; - ') - ') - - ######################################## - ## --## Execute prelink in the caller domain. 
-+## Execute the prelink program in the current domain.
- ##
- ##
- ##
-@@ -45,9 +45,7 @@ interface(`prelink_exec',`
- 
- ########################################
- ##
--## Execute prelink in the prelink
--## domain, and allow the specified role
--## the prelink domain.
-+## Execute the prelink program in the prelink domain.
- ##
- ##
- ##
-@@ -56,18 +54,18 @@ interface(`prelink_exec',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to allow the prelink domain.
- ##
- ##
- ##
- #
- interface(`prelink_run',`
- gen_require(`
-- attribute_role prelink_roles;
-+ type prelink_t;
- ')
- 
- prelink_domtrans($1)
-- roleattribute $2 prelink_roles;
-+ role $2 types prelink_t;
- ')
- 
- ########################################
-@@ -80,6 +78,7 @@ interface(`prelink_run',`
- ##
- ##
- #
-+# cjp: added for misc non-entrypoint objects
- interface(`prelink_object_file',`
- gen_require(`
- attribute prelink_object;
-@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
- 
- ########################################
- ##
--## Read prelink cache files.
-+## Read the prelink cache.
- ##
- ##
- ##
-@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
- 
- ########################################
- ##
--## Delete prelink cache files.
-+## Delete the prelink cache.
- ##
- ##
- ##
-@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
- type prelink_cache_t;
- ')
- 
-+ allow $1 prelink_cache_t:file unlink;
- files_rw_etc_dirs($1)
-- allow $1 prelink_cache_t:file delete_file_perms;
- ')
- 
- ########################################
-@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
- 
- ########################################
- ##
--## Relabel from prelink lib files.
-+## Relabel from files in the /boot directory.
- ##
- ##
- ##
-@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
- 
- ########################################
- ##
--## Relabel prelink lib files.
-+## Relabel from files in the /boot directory.
- ## - ## - ## -@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',` - files_search_var_lib($1) - relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) - ') -+ -+######################################## -+## -+## Transition to prelink named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`prelink_filetrans_named_content',` -+ gen_require(` -+ type prelink_cache_t; -+ ') -+ -+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") -+') -diff --git a/prelink.te b/prelink.te -index c0f047a..e04bdd6 100644 ---- a/prelink.te -+++ b/prelink.te -@@ -1,4 +1,4 @@ --policy_module(prelink, 1.10.2) -+policy_module(prelink, 1.10.0) - - ######################################## - # -@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2) - - attribute prelink_object; - --attribute_role prelink_roles; -- - type prelink_t; - type prelink_exec_t; - init_system_domain(prelink_t, prelink_exec_t) - domain_obj_id_change_exemption(prelink_t) --role prelink_roles types prelink_t; - - type prelink_cache_t; - files_type(prelink_cache_t) -@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms; - allow prelink_t prelink_cache_t:file manage_file_perms; - files_etc_filetrans(prelink_t, prelink_cache_t, file) - --allow prelink_t prelink_log_t:dir setattr_dir_perms; -+allow prelink_t prelink_log_t:dir setattr; - create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) - append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) - read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) - logging_log_filetrans(prelink_t, prelink_log_t, file) - --allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; -+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; - files_tmp_filetrans(prelink_t, prelink_tmp_t, file) - --allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; -+allow prelink_t 
prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; - fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) - - manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) - manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) - relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) - files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) -+files_search_var_lib(prelink_t) - --allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms }; -+# prelink misc objects that are not system -+# libraries or entrypoints -+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; - - kernel_read_system_state(prelink_t) - kernel_read_kernel_sysctls(prelink_t) -@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t) - corecmd_read_bin_symlinks(prelink_t) - - dev_read_urand(prelink_t) -+dev_getattr_all_chr_files(prelink_t) - --files_getattr_all_files(prelink_t) - files_list_all(prelink_t) -+files_getattr_all_files(prelink_t) -+files_write_non_security_dirs(prelink_t) -+files_read_etc_runtime_files(prelink_t) -+files_dontaudit_read_all_symlinks(prelink_t) - files_manage_usr_files(prelink_t) - files_manage_var_files(prelink_t) --files_read_etc_files(prelink_t) --files_read_etc_runtime_files(prelink_t) - files_relabelfrom_usr_files(prelink_t) --files_search_var_lib(prelink_t) --files_write_non_security_dirs(prelink_t) --files_dontaudit_read_all_symlinks(prelink_t) - --fs_getattr_all_fs(prelink_t) --fs_search_auto_mountpoints(prelink_t) -- --selinux_get_enforce_mode(prelink_t) -+fs_getattr_xattr_fs(prelink_t) - - storage_getattr_fixed_disk_dev(prelink_t) - -+selinux_get_enforce_mode(prelink_t) -+ - libs_exec_ld_so(prelink_t) - libs_legacy_use_shared_libs(prelink_t) - libs_manage_ld_so(prelink_t) -@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t) - libs_relabel_shared_libs(prelink_t) - libs_delete_lib_symlinks(prelink_t) - 
--miscfiles_read_localization(prelink_t) - --userdom_use_user_terminals(prelink_t) --userdom_manage_user_home_content_files(prelink_t) --# pending --# userdom_relabel_user_home_content_files(prelink_t) --# userdom_execmod_user_home_content_files(prelink_t) -+userdom_use_inherited_user_terminals(prelink_t) -+userdom_manage_user_home_content(prelink_t) -+userdom_relabel_user_home_files(prelink_t) -+userdom_execmod_user_home_files(prelink_t) - userdom_exec_user_home_content_files(prelink_t) - --ifdef(`hide_broken_symptoms',` -- miscfiles_read_man_pages(prelink_t) -+systemd_read_unit_files(prelink_t) - -- optional_policy(` -- dbus_read_config(prelink_t) -- ') --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files(prelink_t) -- fs_manage_nfs_files(prelink_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files(prelink_t) -- fs_manage_cifs_files(prelink_t) --') -+term_use_all_inherited_terms(prelink_t) - - optional_policy(` - amanda_manage_lib(prelink_t) -@@ -138,11 +120,12 @@ optional_policy(` - ') - - optional_policy(` -+ gnome_dontaudit_read_config(prelink_t) - gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) - ') - - optional_policy(` -- mozilla_manage_plugin_rw_files(prelink_t) -+ mozilla_plugin_manage_rw_files(prelink_t) - ') - - optional_policy(` -@@ -155,17 +138,18 @@ optional_policy(` - - ######################################## - # --# Cron system local policy -+# Prelink Cron system Policy - # - - optional_policy(` - allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; - allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; -- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; -+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; - - read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) -- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms; -+ 
allow prelink_cron_system_t prelink_cache_t:file unlink; -+ files_delete_etc_dir_entry(prelink_cron_system_t) - - domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) - allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -174,7 +158,7 @@ optional_policy(` - - manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) - files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) -- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms; -+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; - - kernel_read_system_state(prelink_cron_system_t) - -@@ -184,23 +168,36 @@ optional_policy(` - dev_list_sysfs(prelink_cron_system_t) - dev_read_sysfs(prelink_cron_system_t) - -- files_rw_etc_dirs(prelink_cron_system_t) - files_dontaudit_search_all_mountpoints(prelink_cron_system_t) -+ files_search_var_lib(prelink_cron_system_t) -+ files_dontaudit_list_non_security(prelink_cron_system_t) -+ -+ fs_search_cgroup_dirs(prelink_cron_system_t) - - auth_use_nsswitch(prelink_cron_system_t) - - init_telinit(prelink_cron_system_t) - init_exec(prelink_cron_system_t) -+ init_reload_services(prelink_cron_system_t) - - libs_exec_ld_so(prelink_cron_system_t) - - logging_search_logs(prelink_cron_system_t) - -- miscfiles_read_localization(prelink_cron_system_t) -+ init_stream_connect(prelink_cron_system_t) -+ - - cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) - -+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t) -+ - optional_policy(` - rpm_read_db(prelink_cron_system_t) - ') - ') -+ -+ifdef(`hide_broken_symptoms', ` -+ optional_policy(` -+ dbus_read_config(prelink_t) -+ ') -+') -diff --git a/prelude.if b/prelude.if -index c83a838..f41a4f7 100644 ---- a/prelude.if -+++ b/prelude.if -@@ -1,13 +1,13 @@ --## Prelude hybrid intrusion detection system. 
-+## Prelude hybrid intrusion detection system
- 
- ########################################
- ##
- ## Execute a domain transition to run prelude.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`prelude_domtrans',`
-@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
- type prelude_t, prelude_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, prelude_exec_t, prelude_t)
- ')
- 
- ########################################
- ##
--## Execute a domain transition to
--## run prelude audisp.
-+## Execute a domain transition to run prelude_audisp.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`prelude_domtrans_audisp',`
-@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
- type prelude_audisp_t, prelude_audisp_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
- ')
- 
- ########################################
- ##
--## Send generic signals to prelude audisp.
-+## Signal the prelude_audisp domain.
- ##
- ##
--##
--## Domain allowed access.
--##
-+##
-+## Domain allowed acccess.
-+##
- ##
- #
- interface(`prelude_signal_audisp',`
-@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
- 
- ########################################
- ##
--## Read prelude spool files.
-+## Read the prelude spool files
- ##
- ##
- ##
-@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
- 
- ########################################
- ##
--## Create, read, write, and delete
--## prelude manager spool files.
-+## Manage to prelude-manager spool files.
- ##
- ##
--##
-+##
- ## Domain allowed access.
--##
-+##
- ##
- #
- interface(`prelude_manage_spool',`
-@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an prelude environment.
-+## All of the rules required to administrate
-+## an prelude environment
- ##
- ##
- ##
-@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
- #
- interface(`prelude_admin',`
- gen_require(`
-- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
-- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
-- type prelude_audisp_t, prelude_audisp_var_run_t;
-- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
-+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
-+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
-+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
-+ type prelude_lml_t;
- ')
- 
-- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
-+ allow $1 prelude_t:process signal_perms;
-+ ps_process_pattern($1, prelude_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 prelude_t:process ptrace;
-+ allow $1 prelude_audisp_t:process ptrace;
-+ allow $1 prelude_lml_t:process ptrace;
-+ ')
-+
-+ allow $1 prelude_audisp_t:process signal_perms;
-+ ps_process_pattern($1, prelude_audisp_t)
-+
-+ allow $1 prelude_lml_t:process signal_perms;
-+ ps_process_pattern($1, prelude_lml_t)
- 
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
- 
-- files_search_spool($1)
-+ files_list_spool($1)
- admin_pattern($1, prelude_spool_t)
- 
-- logging_search_logs($1)
-- admin_pattern($1, prelude_log_t)
--
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, prelude_var_lib_t)
- 
-- files_search_pids($1)
-- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
-+ files_list_pids($1)
-+ admin_pattern($1, prelude_var_run_t)
-+ admin_pattern($1, prelude_audisp_var_run_t)
-+ admin_pattern($1, prelude_lml_var_run_t)
- -- files_search_tmp($1) -+ files_list_tmp($1) - admin_pattern($1, prelude_lml_tmp_t) - ') -diff --git a/prelude.te b/prelude.te -index db864df..f7eb5e0 100644 ---- a/prelude.te -+++ b/prelude.te -@@ -13,7 +13,7 @@ type prelude_initrc_exec_t; - init_script_file(prelude_initrc_exec_t) - - type prelude_spool_t; --files_type(prelude_spool_t) -+files_spool_file(prelude_spool_t) - - type prelude_log_t; - logging_log_file(prelude_log_t) -@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t) - - corecmd_search_bin(prelude_t) - --corenet_all_recvfrom_unlabeled(prelude_t) - corenet_all_recvfrom_netlabel(prelude_t) - corenet_tcp_sendrecv_generic_if(prelude_t) - corenet_tcp_sendrecv_generic_node(prelude_t) -@@ -97,7 +96,6 @@ dev_read_rand(prelude_t) - dev_read_urand(prelude_t) - - files_read_etc_runtime_files(prelude_t) --files_read_usr_files(prelude_t) - files_search_spool(prelude_t) - files_search_tmp(prelude_t) - -@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t) - logging_send_audit_msgs(prelude_t) - logging_send_syslog_msg(prelude_t) - --miscfiles_read_localization(prelude_t) -- - optional_policy(` - mysql_stream_connect(prelude_t) - mysql_tcp_connect(prelude_t) -@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t) - - corecmd_search_bin(prelude_audisp_t) - --corenet_all_recvfrom_unlabeled(prelude_audisp_t) - corenet_all_recvfrom_netlabel(prelude_audisp_t) - corenet_tcp_sendrecv_generic_if(prelude_audisp_t) - corenet_tcp_sendrecv_generic_node(prelude_audisp_t) -@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t) - - domain_use_interactive_fds(prelude_audisp_t) - --files_read_etc_files(prelude_audisp_t) - files_read_etc_runtime_files(prelude_audisp_t) - files_search_spool(prelude_audisp_t) - files_search_tmp(prelude_audisp_t) - - logging_send_syslog_msg(prelude_audisp_t) - --miscfiles_read_localization(prelude_audisp_t) -- - sysnet_dns_name_resolve(prelude_audisp_t) - - ######################################## -@@ -184,7 +176,6 @@ 
kernel_read_sysctl(prelude_correlator_t) - - corecmd_search_bin(prelude_correlator_t) - --corenet_all_recvfrom_unlabeled(prelude_correlator_t) - corenet_all_recvfrom_netlabel(prelude_correlator_t) - corenet_tcp_sendrecv_generic_if(prelude_correlator_t) - corenet_tcp_sendrecv_generic_node(prelude_correlator_t) -@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) - dev_read_rand(prelude_correlator_t) - dev_read_urand(prelude_correlator_t) - --files_read_etc_files(prelude_correlator_t) --files_read_usr_files(prelude_correlator_t) - files_search_spool(prelude_correlator_t) - - logging_send_syslog_msg(prelude_correlator_t) - --miscfiles_read_localization(prelude_correlator_t) -- - sysnet_dns_name_resolve(prelude_correlator_t) - - ######################################## -@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t) - # - - allow prelude_lml_t self:capability dac_override; -+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; -+allow prelude_lml_t self:unix_dgram_socket create_socket_perms; - allow prelude_lml_t self:fifo_file rw_fifo_file_perms; - allow prelude_lml_t self:unix_stream_socket connectto; - -@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t) - logging_send_syslog_msg(prelude_lml_t) - logging_read_generic_logs(prelude_lml_t) - --miscfiles_read_localization(prelude_lml_t) -- - userdom_read_all_users_state(prelude_lml_t) - - optional_policy(` -diff --git a/privoxy.if b/privoxy.if -index bdcee30..34f3143 100644 ---- a/privoxy.if -+++ b/privoxy.if -@@ -23,8 +23,11 @@ interface(`privoxy_admin',` - type privoxy_etc_rw_t, privoxy_var_run_t; - ') - -- allow $1 privoxy_t:process { ptrace signal_perms }; -+ allow $1 privoxy_t:process signal_perms; - ps_process_pattern($1, privoxy_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 privoxy_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/privoxy.te b/privoxy.te -index 
85b1c9a..072d425 100644 ---- a/privoxy.te -+++ b/privoxy.te -@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t) - corenet_tcp_connect_tor_port(privoxy_t) - corenet_tcp_sendrecv_tor_port(privoxy_t) - -+ - dev_read_sysfs(privoxy_t) - - domain_use_interactive_fds(privoxy_t) -@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t) - - logging_send_syslog_msg(privoxy_t) - --miscfiles_read_localization(privoxy_t) -- - userdom_dontaudit_use_unpriv_user_fds(privoxy_t) - userdom_dontaudit_search_user_home_dirs(privoxy_t) - -diff --git a/procmail.fc b/procmail.fc -index bdff6c9..4b36a13 100644 ---- a/procmail.fc -+++ b/procmail.fc -@@ -1,6 +1,7 @@ --HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) -+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) -+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) - - /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) - --/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) --/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) -+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) -diff --git a/procmail.if b/procmail.if -index 00edeab..166e9c3 100644 ---- a/procmail.if -+++ b/procmail.if -@@ -1,4 +1,4 @@ --## Procmail mail delivery agent. -+## Procmail mail delivery agent - - ######################################## - ## -@@ -15,6 +15,7 @@ interface(`procmail_domtrans',` - type procmail_exec_t, procmail_t; - ') - -+ files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, procmail_exec_t, procmail_t) - ') -@@ -34,101 +35,33 @@ interface(`procmail_exec',` - type procmail_exec_t; - ') - -+ files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## procmail home files. 
--## --## --## --## Domain allowed access. --## --## --# --interface(`procmail_manage_home_files',` -- gen_require(` -- type procmail_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 procmail_home_t:file manage_file_perms; --') -- --######################################## --## --## Read procmail user home content files. --## --## --## --## Domain allowed access. --## --## --# --interface(`procmail_read_home_files',` -- gen_require(` -- type procmail_home_t; -- -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 procmail_home_t:file read_file_perms; --') -- --######################################## --## --## Relabel procmail home files. --## --## --## --## Domain allowed access. --## --## --# --interface(`procmail_relabel_home_files',` -- gen_require(` -- type ppp_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 procmail_home_t:file relabel_file_perms; --') -- --######################################## --## --## Create objects in user home --## directories with the procmail home type. -+## Read procmail tmp files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`procmail_home_filetrans_procmail_home',` -+interface(`procmail_read_tmp_files',` - gen_require(` -- type procmail_home_t; -+ type procmail_tmp_t; - ') - -- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3) -+ files_search_tmp($1) -+ allow $1 procmail_tmp_t:file read_file_perms; - ') - - ######################################## - ## --## Read procmail tmp files. -+## Read/write procmail tmp files. 
- ## - ## - ## -@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',` - ## - ## - # --interface(`procmail_read_tmp_files',` -+interface(`procmail_rw_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) -- allow $1 procmail_tmp_t:file read_file_perms; -+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) - ') - - ######################################## - ## --## Read and write procmail tmp files. -+## Read procmail home directory content - ## - ## - ## -@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',` - ## - ## - # --interface(`procmail_rw_tmp_files',` -+interface(`procmail_read_home_files',` - gen_require(` -- type procmail_tmp_t; -+ type procmail_home_t; - ') - -- files_search_tmp($1) -- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) -+ userdom_search_user_home_dirs($1) -+ read_files_pattern($1, procmail_home_t, procmail_home_t) - ') -diff --git a/procmail.te b/procmail.te -index d447152..73c437c 100644 ---- a/procmail.te -+++ b/procmail.te -@@ -1,4 +1,4 @@ --policy_module(procmail, 1.12.2) -+policy_module(procmail, 1.12.0) - - ######################################## - # -@@ -14,7 +14,7 @@ type procmail_home_t; - userdom_user_home_content(procmail_home_t) - - type procmail_log_t; --logging_log_file(procmail_log_t) -+logging_log_file(procmail_log_t) - - type procmail_tmp_t; - files_tmp_file(procmail_tmp_t) -@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t) - allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; - allow procmail_t self:process { setsched signal signull }; - allow procmail_t self:fifo_file rw_fifo_file_perms; --allow procmail_t self:tcp_socket { accept listen }; -+allow procmail_t self:unix_stream_socket create_socket_perms; -+allow procmail_t self:unix_dgram_socket create_socket_perms; -+allow procmail_t self:tcp_socket create_stream_socket_perms; -+allow procmail_t self:udp_socket create_socket_perms; - --allow procmail_t procmail_home_t:file 
read_file_perms; -+can_exec(procmail_t, procmail_exec_t) - -+# Write log to /var/log/procmail.log or /var/log/procmail/.* - allow procmail_t procmail_log_t:dir setattr_dir_perms; - create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) - append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) - allow procmail_t procmail_tmp_t:file manage_file_perms; - files_tmp_filetrans(procmail_t, procmail_tmp_t, file) - --can_exec(procmail_t, procmail_exec_t) -- -+kernel_read_network_state(procmail_t) - kernel_read_system_state(procmail_t) - kernel_read_kernel_sysctls(procmail_t) - --corenet_all_recvfrom_unlabeled(procmail_t) - corenet_all_recvfrom_netlabel(procmail_t) - corenet_tcp_sendrecv_generic_if(procmail_t) -+corenet_udp_sendrecv_generic_if(procmail_t) - corenet_tcp_sendrecv_generic_node(procmail_t) -- --corenet_sendrecv_spamd_client_packets(procmail_t) -+corenet_udp_sendrecv_generic_node(procmail_t) -+corenet_tcp_sendrecv_all_ports(procmail_t) -+corenet_udp_sendrecv_all_ports(procmail_t) -+corenet_udp_bind_generic_node(procmail_t) - corenet_tcp_connect_spamd_port(procmail_t) --corenet_tcp_sendrecv_spamd_port(procmail_t) -- -+corenet_sendrecv_spamd_client_packets(procmail_t) - corenet_sendrecv_comsat_client_packets(procmail_t) --corenet_tcp_connect_comsat_port(procmail_t) --corenet_tcp_sendrecv_comsat_port(procmail_t) -- --corecmd_exec_bin(procmail_t) --corecmd_exec_shell(procmail_t) - - dev_read_urand(procmail_t) - --fs_getattr_all_fs(procmail_t) -+fs_getattr_xattr_fs(procmail_t) - fs_search_auto_mountpoints(procmail_t) - fs_rw_anon_inodefs_files(procmail_t) - - auth_use_nsswitch(procmail_t) - -+corecmd_exec_bin(procmail_t) -+corecmd_exec_shell(procmail_t) -+ - files_read_etc_runtime_files(procmail_t) --files_read_usr_files(procmail_t) -+files_search_pids(procmail_t) -+# for spamassasin - --logging_send_syslog_msg(procmail_t) -+application_exec_all(procmail_t) - 
--miscfiles_read_localization(procmail_t) -+init_read_utmp(procmail_t) -+ -+logging_send_syslog_msg(procmail_t) -+logging_append_all_logs(procmail_t) - -+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) -+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) - userdom_search_user_home_dirs(procmail_t) -+userdom_search_admin_dir(procmail_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(procmail_t) -- fs_manage_nfs_files(procmail_t) -- fs_manage_nfs_symlinks(procmail_t) --') -+# only works until we define a different type for maildir -+userdom_manage_user_home_content_dirs(procmail_t) -+userdom_manage_user_home_content_files(procmail_t) -+userdom_manage_user_home_content_symlinks(procmail_t) -+userdom_manage_user_home_content_pipes(procmail_t) -+userdom_manage_user_home_content_sockets(procmail_t) -+userdom_filetrans_home_content(procmail_t) -+ -+userdom_manage_user_tmp_dirs(procmail_t) -+userdom_manage_user_tmp_files(procmail_t) -+userdom_manage_user_tmp_symlinks(procmail_t) -+ -+# Execute user executables -+userdom_exec_user_bin_files(procmail_t) -+ -+mta_manage_spool(procmail_t) -+mta_read_queue(procmail_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(procmail_t) -- fs_manage_cifs_files(procmail_t) -- fs_manage_cifs_symlinks(procmail_t) -+ifdef(`hide_broken_symptoms',` -+ mta_dontaudit_rw_queue(procmail_t) - ') - -+userdom_home_manager(procmail_t) -+ - optional_policy(` -- clamav_domtrans_clamscan(procmail_t) -- clamav_search_lib(procmail_t) -+ antivirus_domtrans(procmail_t) -+ antivirus_search_db(procmail_t) - ') - - optional_policy(` -- cyrus_stream_connect(procmail_t) -+ dovecot_stream_connect(procmail_t) - ') - - optional_policy(` -- mta_manage_spool(procmail_t) -- mta_read_config(procmail_t) -- mta_read_queue(procmail_t) -- mta_manage_mail_home_rw_content(procmail_t) -- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir") -- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") -+ 
cyrus_stream_connect(procmail_t) - ') - - optional_policy(` -- munin_dontaudit_search_lib(procmail_t) -+ gnome_manage_data(procmail_t) - ') - - optional_policy(` -- nagios_search_spool(procmail_t) -+ munin_dontaudit_search_lib(procmail_t) - ') - - optional_policy(` -+ # for a bug in the postfix local program - postfix_dontaudit_rw_local_tcp_sockets(procmail_t) - postfix_dontaudit_use_fds(procmail_t) - postfix_read_spool_files(procmail_t) - postfix_read_local_state(procmail_t) - postfix_read_master_state(procmail_t) -- postfix_rw_master_pipes(procmail_t) -+ postfix_rw_inherited_master_pipes(procmail_t) -+') -+ -+optional_policy(` -+ nagios_search_spool(procmail_t) - ') - - optional_policy(` -@@ -131,6 +152,8 @@ optional_policy(` - ') - - optional_policy(` -+ mta_read_config(procmail_t) -+ mta_manage_home_rw(procmail_t) - sendmail_domtrans(procmail_t) - sendmail_signal(procmail_t) - sendmail_dontaudit_rw_tcp_sockets(procmail_t) -diff --git a/prosody.fc b/prosody.fc -new file mode 100644 -index 0000000..96a0d9f ---- /dev/null -+++ b/prosody.fc -@@ -0,0 +1,8 @@ -+/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0) -+/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0) -+ -+/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0) -+ -+/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0) -+ -+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) -diff --git a/prosody.if b/prosody.if -new file mode 100644 -index 0000000..19c35c1 ---- /dev/null -+++ b/prosody.if -@@ -0,0 +1,234 @@ -+ -+## policy for prosody -+ -+######################################## -+## -+## Execute TEMPLATE in the prosody domin. -+## -+## -+## -+## Domain allowed to transition. 
-+##
-+##
-+#
-+interface(`prosody_domtrans',`
-+ gen_require(`
-+ type prosody_t, prosody_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, prosody_exec_t, prosody_t)
-+')
-+
-+########################################
-+##
-+## Search prosody lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`prosody_search_lib',`
-+ gen_require(`
-+ type prosody_var_lib_t;
-+ ')
-+
-+ allow $1 prosody_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read prosody lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`prosody_read_lib_files',`
-+ gen_require(`
-+ type prosody_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage prosody lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`prosody_manage_lib_files',`
-+ gen_require(`
-+ type prosody_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage prosody lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`prosody_manage_lib_dirs',`
-+ gen_require(`
-+ type prosody_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read prosody PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`prosody_read_pid_files',`
-+ gen_require(`
-+ type prosody_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute prosody server in the prosody domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`prosody_systemctl',`
-+ gen_require(`
-+ type prosody_t;
-+ type prosody_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 prosody_unit_file_t:file read_file_perms;
-+ allow $1 prosody_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, prosody_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute prosody in the prosody domain, and
-+## allow the specified role the prosody domain.
-+##
-+##
-+##
-+## Domain allowed to transition
-+##
-+##
-+##
-+##
-+## The role to be allowed the prosody domain.
-+##
-+##
-+#
-+interface(`prosody_run',`
-+ gen_require(`
-+ type prosody_t;
-+ attribute_role prosody_roles;
-+ ')
-+
-+ prosody_domtrans($1)
-+ roleattribute $2 prosody_roles;
-+')
-+
-+########################################
-+##
-+## Role access for prosody
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`prosody_role',`
-+ gen_require(`
-+ type prosody_t;
-+ attribute_role prosody_roles;
-+ ')
-+
-+ roleattribute $1 prosody_roles;
-+
-+ prosody_domtrans($2)
-+
-+ ps_process_pattern($2, prosody_t)
-+ allow $2 prosody_t:process { signull signal sigkill };
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an prosody environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`prosody_admin',`
-+ gen_require(`
-+ type prosody_t;
-+ type prosody_var_lib_t;
-+ type prosody_var_run_t;
-+ type prosody_unit_file_t;
-+ ')
-+
-+ allow $1 prosody_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, prosody_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, prosody_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, prosody_var_run_t)
-+
-+ prosody_systemctl($1)
-+ admin_pattern($1, prosody_unit_file_t)
-+ allow $1 prosody_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/prosody.te b/prosody.te
-new file mode 100644
-index 0000000..4f6badd
---- /dev/null
-+++ b/prosody.te
-@@ -0,0 +1,75 @@
-+policy_module(prosody, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+##
-+##

-+## Permit to prosody to bind apache port.
-+## Need to be activated to use BOSH.
-+##

    -+##
-+gen_tunable(prosody_bind_http_port, false)
-+
-+type prosody_t;
-+type prosody_exec_t;
-+init_daemon_domain(prosody_t, prosody_exec_t)
-+
-+type prosody_var_lib_t;
-+files_type(prosody_var_lib_t)
-+
-+type prosody_var_run_t;
-+files_pid_file(prosody_var_run_t)
-+
-+type prosody_unit_file_t;
-+systemd_unit_file(prosody_unit_file_t)
-+
-+########################################
-+#
-+# prosody local policy
-+#
-+allow prosody_t self:capability { setuid setgid };
-+allow prosody_t self:process signal_perms;
-+allow prosody_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
-+manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
-+manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
-+files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
-+manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
-+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
-+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
-+
-+can_exec(prosody_t, prosody_exec_t)
-+
-+kernel_read_system_state(prosody_t)
-+
-+corecmd_exec_bin(prosody_t)
-+corecmd_exec_shell(prosody_t)
-+
-+corenet_udp_bind_generic_node(prosody_t)
-+corenet_tcp_connect_jabber_interserver_port(prosody_t)
-+corenet_tcp_connect_jabber_client_port(prosody_t)
-+corenet_tcp_bind_jabber_client_port(prosody_t)
-+corenet_tcp_bind_jabber_interserver_port(prosody_t)
-+corenet_tcp_bind_jabber_router_port(prosody_t)
-+tunable_policy(`prosody_bind_http_port',`
-+ corenet_tcp_bind_http_port(prosody_t)
-+')
-+
-+dev_read_urand(prosody_t)
-+
-+domain_use_interactive_fds(prosody_t)
-+
-+files_read_etc_files(prosody_t)
-+
-+auth_use_nsswitch(prosody_t)
-+sysnet_read_config(prosody_t)
-+
-+logging_send_syslog_msg(prosody_t)
-+
-+miscfiles_read_localization(prosody_t)
-diff --git a/psad.if b/psad.if
-index d4dcf78..3cce82e 100644
---- a/psad.if
-+++ b/psad.if
-@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
- ')
- 
- files_search_etc($1)
-- allow $1 psad_etc_t:dir manage_dir_perms;
-- allow $1 psad_etc_t:file manage_file_perms;
-- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
-+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
-+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
- ')
- 
- ########################################
-@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
- 
- ########################################
- ##
--## Read and write psad pid files.
-+## Read and write psad PID files.
- ##
- ##
- ##
-@@ -179,6 +178,45 @@ interface(`psad_append_log',`
- 
- ########################################
- ##
-+## Allow the specified domain to write to psad's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`psad_write_log',`
-+ gen_require(`
-+ type psad_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
-+')
-+
-+#######################################
-+##
-+## Allow the specified domain to setattr to psad's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`psad_setattr_log',`
-+ gen_require(`
-+ type psad_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
-+')
-+
-+########################################
-+##
- ## Read and write psad fifo files.
- ##
- ##
-@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',`
- 
- #######################################
- ##
-+## Allow setattr to psad fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`psad_setattr_fifo_file',`
-+ gen_require(`
-+ type psad_t, psad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 psad_var_lib_t:fifo_file setattr;
-+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Allow search to psad lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`psad_search_lib_files',`
-+ gen_require(`
-+ type psad_t, psad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
-+')
-+
-+#######################################
-+##
- ## Read and write psad temporary files.
- ##
- ##
-@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
- interface(`psad_admin',`
- gen_require(`
- type psad_t, psad_var_run_t, psad_var_log_t;
-- type psad_initrc_exec_t, psad_var_lib_t;
-+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
- type psad_tmp_t;
- ')
- 
-- allow $1 psad_t:process { ptrace signal_perms };
-+ allow $1 psad_t:process signal_perms;
- ps_process_pattern($1, psad_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 psad_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
- 
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, psad_etc_t)
- 
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, psad_var_run_t)
- 
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, psad_var_log_t)
- 
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, psad_var_lib_t)
- 
-- files_search_tmp($1)
-+ files_list_tmp($1)
- admin_pattern($1, psad_tmp_t)
- ')
-diff --git a/psad.te b/psad.te
-index 5427bb6..718c847 100644
---- a/psad.te
-+++ b/psad.te
-@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
- corecmd_exec_bin(psad_t)
- corecmd_exec_shell(psad_t)
- 
--corenet_all_recvfrom_unlabeled(psad_t) - corenet_all_recvfrom_netlabel(psad_t) - corenet_tcp_sendrecv_generic_if(psad_t) - corenet_tcp_sendrecv_generic_node(psad_t) -@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t) - dev_read_urand(psad_t) - - files_read_etc_runtime_files(psad_t) --files_read_usr_files(psad_t) - - fs_getattr_all_fs(psad_t) - -@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t) - logging_read_syslog_config(psad_t) - logging_send_syslog_msg(psad_t) - --miscfiles_read_localization(psad_t) -- - sysnet_exec_ifconfig(psad_t) - - optional_policy(` -diff --git a/ptchown.te b/ptchown.te -index d67905e..2da9eca 100644 ---- a/ptchown.te -+++ b/ptchown.te -@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t; - allow ptchown_t self:capability { chown fowner fsetid setuid }; - allow ptchown_t self:process { getcap setcap }; - --files_read_etc_files(ptchown_t) - - fs_rw_anon_inodefs_files(ptchown_t) - -@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t) - term_use_generic_ptys(ptchown_t) - term_use_ptmx(ptchown_t) - --miscfiles_read_localization(ptchown_t) -+auth_read_passwd(ptchown_t) -diff --git a/pulseaudio.fc b/pulseaudio.fc -index 6864479..0e7d875 100644 ---- a/pulseaudio.fc -+++ b/pulseaudio.fc -@@ -1,9 +1,14 @@ - HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) --HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) -+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) -+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - --/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) -+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) -+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) -+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) -+/root/\.config/pulse(/.*)? 
gen_context(system_u:object_r:pulseaudio_home_t,s0) - --/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) -+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - --/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) -+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) -+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) -diff --git a/pulseaudio.if b/pulseaudio.if -index fa3dc8e..99cfa95 100644 ---- a/pulseaudio.if -+++ b/pulseaudio.if -@@ -2,47 +2,44 @@ - - ######################################## - ## --## Role access for pulseaudio. -+## Role access for pulseaudio - ## - ## - ## --## Role allowed access. -+## Role allowed access - ## - ## - ## - ## --## User domain for the role. -+## User domain for the role - ## - ## - # - interface(`pulseaudio_role',` - gen_require(` -- attribute pulseaudio_tmpfsfile; -- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; -- type pulseaudio_tmp_t; -+ type pulseaudio_t, pulseaudio_exec_t; -+ class dbus { acquire_svc send_msg }; - ') - -- pulseaudio_run($2, $1) -+ role $1 types pulseaudio_t; - -- allow $2 pulseaudio_t:process { ptrace signal_perms }; -- ps_process_pattern($2, pulseaudio_t) -+ # Transition from the user domain to the derived domain. 
-+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
- 
-- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
-- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ ps_process_pattern($2, pulseaudio_t)
- 
-- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse")
-- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth")
-- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie")
-+ allow pulseaudio_t $2:process { signal signull };
-+ allow $2 pulseaudio_t:process { signal signull sigkill };
-+ ps_process_pattern(pulseaudio_t, $2)
- 
-- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
-+ allow pulseaudio_t $2:unix_stream_socket connectto;
-+ allow $2 pulseaudio_t:unix_stream_socket connectto;
- 
-- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
-- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ userdom_manage_tmp_role($1, pulseaudio_t)
-+ userdom_manage_tmpfs_role($1, pulseaudio_t)
- 
-- allow pulseaudio_t $2:unix_stream_socket connectto;
-+ allow $2 pulseaudio_t:dbus send_msg;
-+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
- ')
- 
- ########################################
-@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',`
- 
- ########################################
- ##
--## Execute pulseaudio in the pulseaudio
--## domain, and allow the specified role
--## the pulseaudio domain.
-+## Execute pulseaudio in the pulseaudio domain, and
-+## allow the specified role the pulseaudio domain.
- ##
- ##
- ##
-@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',`
- #
- interface(`pulseaudio_run',`
- gen_require(`
-- attribute_role pulseaudio_roles;
-+ type pulseaudio_t;
- ')
- 
- pulseaudio_domtrans($1)
-- roleattribute $2 pulseaudio_roles;
-+ role $2 types pulseaudio_t;
- ')
- 
- ########################################
- ##
--## Execute pulseaudio in the caller domain.
-+## Execute a pulseaudio in the current domain.
- ##
- ##
- ##
-@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',`
- type pulseaudio_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- can_exec($1, pulseaudio_exec_t)
- ')
- 
- ########################################
- ##
--## Do not audit attempts to execute pulseaudio.
-+## Do not audit to execute a pulseaudio.
- ##
- ##
- ##
-@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
- 
- ########################################
- ##
--## Send null signals to pulseaudio.
-+## Send signull signal to pulseaudio
- ## processes.
- ##
- ##
-@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',`
- 
- #####################################
- ##
--## Connect to pulseaudio with a unix
--## domain stream socket.
-+## Connect to pulseaudio over a unix domain
-+## stream socket.
- ##
- ##
- ##
-@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',`
- #
- interface(`pulseaudio_stream_connect',`
- gen_require(`
-- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
-+ type pulseaudio_t, pulseaudio_var_run_t;
-+ type pulseaudio_home_t;
- ')
- 
- files_search_pids($1)
-- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
-+ allow $1 pulseaudio_t:process signull;
-+ allow pulseaudio_t $1:process signull;
-+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
-+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
- ')
- 
- ########################################
-@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
- 
- ########################################
- ##
--## Set attributes of pulseaudio home directories.
-+## Set the attributes of the pulseaudio homedir.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
-@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
- type pulseaudio_home_t;
- ')
- 
-- allow $1 pulseaudio_home_t:dir setattr_dir_perms;
-+ allow $1 pulseaudio_home_t:dir setattr;
- ')
- 
- ########################################
- ##
--## Read pulseaudio home content.
-+## Read pulseaudio homedir files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
- interface(`pulseaudio_read_home_files',`
-- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
-- pulseaudio_read_home($1)
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- ')
- 
- ########################################
- ##
--## Read pulseaudio home content.
-+## Read and write Pulse Audio files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`pulseaudio_read_home',`
-+interface(`pulseaudio_rw_home_files',`
- gen_require(`
- type pulseaudio_home_t;
- ')
- 
-+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- userdom_search_user_home_dirs($1)
-- allow $1 pulseaudio_home_t:dir list_dir_perms;
-- allow $1 pulseaudio_home_t:file read_file_perms;
-- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ##
--## Read and write Pulse Audio files.
-+## Create, read, write, and delete pulseaudio
-+## home directories.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`pulseaudio_rw_home_files',`
-+interface(`pulseaudio_manage_home_dirs',`
- gen_require(`
- type pulseaudio_home_t;
- ')
- 
- userdom_search_user_home_dirs($1)
-- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## pulseaudio home content.
-+## Create, read, write, and delete pulseaudio
-+## home directory files.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
- interface(`pulseaudio_manage_home_files',`
-- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
-- pulseaudio_manage_home($1)
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ pulseaudio_filetrans_home_content($1)
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## pulseaudio home content.
-+## Create, read, write, and delete pulseaudio
-+## home directory symlinks.
- ##
--##
-+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`pulseaudio_manage_home',`
-+interface(`pulseaudio_manage_home_symlinks',`
- gen_require(`
- type pulseaudio_home_t;
- ')
- 
- userdom_search_user_home_dirs($1)
-- allow $1 pulseaudio_home_t:dir manage_dir_perms;
-- allow $1 pulseaudio_home_t:file manage_file_perms;
-- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
-+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- ')
- 
- ########################################
- ##
--## Create objects in user home
--## directories with the pulseaudio
--## home type.
-+## Create pulseaudio content in the user home directory
-+## with an correct label.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Class of the object being created.
--##
--##
--##
-+#
-+interface(`pulseaudio_filetrans_home_content',`
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
-+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
-+ optional_policy(`
-+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
-+ ')
-+')
-+
-+########################################
-+##
-+## Create pulseaudio content in the admin home directory
-+## with an correct label.
-+##
-+##
- ##
--## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`pulseaudio_home_filetrans_pulseaudio_home',`
-+interface(`pulseaudio_filetrans_admin_home_content',`
- gen_require(`
- type pulseaudio_home_t;
- ')
- 
-- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
-+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
-+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
-+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
- ')
- 
--########################################
-+#######################################
- ##
--## Make the specified tmpfs file type
--## pulseaudio tmpfs content.
-+## Make the specified tmpfs file type
-+## pulseaudio tmpfs content.
- ##
- ##
-+##
-+## File type to make pulseaudio tmpfs content.
-+##
-+##
-+#
-+interface(`pulseaudio_tmpfs_content',`
-+ gen_require(`
-+ attribute pulseaudio_tmpfsfile;
-+ ')
-+
-+ typeattribute $1 pulseaudio_tmpfsfile;
-+')
-+
-+########################################
-+##
-+## Allow the domain to read pulseaudio state files in /proc.
-+##
-+##
- ##
--## File type to make pulseaudio tmpfs content.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`pulseaudio_tmpfs_content',`
-+interface(`pulseaudio_read_state',`
- gen_require(`
-- attribute pulseaudio_tmpfsfile;
-+ type pulseaudio_t;
- ')
- 
-- typeattribute $1 pulseaudio_tmpfsfile;
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, pulseaudio_t)
- ')
-diff --git a/pulseaudio.te b/pulseaudio.te
-index e31bbe1..822ab6c 100644
---- a/pulseaudio.te
-+++ b/pulseaudio.te
-@@ -1,4 +1,4 @@
--policy_module(pulseaudio, 1.5.4)
-+policy_module(pulseaudio, 1.5.0)
- 
- ########################################
- #
-@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4)
- attribute pulseaudio_client;
- attribute pulseaudio_tmpfsfile;
- 
--attribute_role pulseaudio_roles;
--
- type pulseaudio_t;
- type pulseaudio_exec_t;
- init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
- userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
--role pulseaudio_roles types pulseaudio_t;
-+role system_r types pulseaudio_t;
- 
- type pulseaudio_home_t;
- userdom_user_home_content(pulseaudio_home_t)
- 
--type pulseaudio_tmp_t;
--userdom_user_tmp_file(pulseaudio_tmp_t)
--
- type pulseaudio_tmpfs_t;
- userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
- 
- type pulseaudio_var_lib_t;
- files_type(pulseaudio_var_lib_t)
-+ubac_constrained(pulseaudio_var_lib_t)
- 
- type pulseaudio_var_run_t;
- files_pid_file(pulseaudio_var_run_t)
-+ubac_constrained(pulseaudio_var_run_t)
- 
- ########################################
- #
--# Local policy
-+# pulseaudio local policy
- #
- 
- allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
- allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
--allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
--allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
--allow pulseaudio_t self:unix_dgram_socket sendto;
--allow pulseaudio_t self:tcp_socket { accept listen };
-+allow pulseaudio_t self:fifo_file rw_file_perms;
-+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
-+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
-+allow pulseaudio_t self:udp_socket create_socket_perms;
- allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
--allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
--allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
--allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
--
--userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
--userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
--userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
--
--manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
--manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
--manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
--files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
--userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
--userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
--userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
-+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+userdom_search_user_home_dirs(pulseaudio_t)
-+pulseaudio_filetrans_home_content(pulseaudio_t)
- 
--manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
--manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
--fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
-+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
-+userdom_read_user_home_content_files(pulseaudio_t)
-+userdom_search_admin_dir(pulseaudio_t)
- 
- manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
- manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
- manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
- manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
- manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
--files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
--
--allow pulseaudio_t pulseaudio_client:process signull;
--ps_process_pattern(pulseaudio_t, pulseaudio_client)
-+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
- 
- can_exec(pulseaudio_t, pulseaudio_exec_t)
- 
-@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t)
- 
- corecmd_exec_bin(pulseaudio_t)
- 
--corenet_all_recvfrom_unlabeled(pulseaudio_t)
- corenet_all_recvfrom_netlabel(pulseaudio_t)
--corenet_tcp_sendrecv_generic_if(pulseaudio_t)
--corenet_udp_sendrecv_generic_if(pulseaudio_t)
--corenet_tcp_sendrecv_generic_node(pulseaudio_t)
--corenet_udp_sendrecv_generic_node(pulseaudio_t)
--
--corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
- corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
--corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
--
--corenet_sendrecv_soundd_server_packets(pulseaudio_t)
- corenet_tcp_bind_soundd_port(pulseaudio_t)
--corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
--
--corenet_sendrecv_sap_server_packets(pulseaudio_t)
-+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
-+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
- corenet_udp_bind_sap_port(pulseaudio_t)
--corenet_udp_sendrecv_sap_port(pulseaudio_t)
-+corenet_udp_sendrecv_generic_if(pulseaudio_t)
-+corenet_udp_sendrecv_generic_node(pulseaudio_t)
-+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
- 
- dev_read_sound(pulseaudio_t)
- dev_write_sound(pulseaudio_t)
- dev_read_sysfs(pulseaudio_t)
- dev_read_urand(pulseaudio_t)
- 
--files_read_usr_files(pulseaudio_t)
- 
-+fs_rw_anon_inodefs_files(pulseaudio_t)
- fs_getattr_tmpfs(pulseaudio_t)
--fs_getattr_all_fs(pulseaudio_t)
- fs_list_inotifyfs(pulseaudio_t)
--fs_rw_anon_inodefs_files(pulseaudio_t)
--fs_search_auto_mountpoints(pulseaudio_t)
- 
--term_use_all_ttys(pulseaudio_t)
--term_use_all_ptys(pulseaudio_t)
-+term_use_all_inherited_ttys(pulseaudio_t)
-+term_use_all_inherited_ptys(pulseaudio_t)
- 
- auth_use_nsswitch(pulseaudio_t)
- 
- logging_send_syslog_msg(pulseaudio_t)
- 
--miscfiles_read_localization(pulseaudio_t)
--
--userdom_search_user_home_dirs(pulseaudio_t)
--userdom_write_user_tmp_sockets(pulseaudio_t)
--
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_mount_nfs(pulseaudio_t)
-+ fs_mounton_nfs(pulseaudio_t)
- fs_manage_nfs_dirs(pulseaudio_t)
- fs_manage_nfs_files(pulseaudio_t)
- fs_manage_nfs_symlinks(pulseaudio_t)
-+ fs_manage_nfs_named_sockets(pulseaudio_t)
-+ fs_manage_nfs_named_pipes(pulseaudio_t)
- ')
- 
- tunable_policy(`use_samba_home_dirs',`
-+ fs_mount_cifs(pulseaudio_t)
-+ fs_mounton_cifs(pulseaudio_t)
- fs_manage_cifs_dirs(pulseaudio_t)
- fs_manage_cifs_files(pulseaudio_t)
- fs_manage_cifs_symlinks(pulseaudio_t)
-+ fs_manage_cifs_named_sockets(pulseaudio_t)
-+ fs_manage_cifs_named_pipes(pulseaudio_t)
- ')
- 
- optional_policy(`
-@@ -151,8 +127,9 @@ optional_policy(`
- 
- optional_policy(`
- dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
-- dbus_all_session_bus_client(pulseaudio_t)
-- dbus_connect_all_session_bus(pulseaudio_t)
-+ dbus_system_bus_client(pulseaudio_t)
-+ dbus_session_bus_client(pulseaudio_t)
-+ dbus_connect_session_bus(pulseaudio_t)
- 
- optional_policy(`
- consolekit_dbus_chat(pulseaudio_t)
-@@ -172,16 +149,33 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ gnome_read_gkeyringd_state(pulseaudio_t)
-+ gnome_signull_gkeyringd(pulseaudio_t)
-+ gnome_manage_gstreamer_home_files(pulseaudio_t)
-+ gnome_exec_gstreamer_home_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
- rtkit_scheduled(pulseaudio_t)
- ')
- 
- optional_policy(`
-+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
-+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
- policykit_domtrans_auth(pulseaudio_t)
- policykit_read_lib(pulseaudio_t)
- policykit_read_reload(pulseaudio_t)
- ')
- 
- optional_policy(`
-+ systemd_read_logind_sessions_files(pulseaudio_t)
-+ systemd_login_read_pid_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
- udev_read_state(pulseaudio_t)
- udev_read_db(pulseaudio_t)
- ')
-@@ -194,7 +188,11 @@ optional_policy(`
- xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
- ')
- 
--########################################
-+optional_policy(`
-+ virt_manage_tmpfs_files(pulseaudio_t)
-+')
-+
-+#######################################
- #
- # Client local policy
- #
-@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
- 
- fs_getattr_tmpfs(pulseaudio_client)
- 
--corenet_all_recvfrom_unlabeled(pulseaudio_client)
--corenet_all_recvfrom_netlabel(pulseaudio_client)
- corenet_tcp_sendrecv_generic_if(pulseaudio_client)
- corenet_tcp_sendrecv_generic_node(pulseaudio_client)
- 
-@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
- corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
- 
- pulseaudio_stream_connect(pulseaudio_client)
--pulseaudio_manage_home(pulseaudio_client)
--pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
--pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
--pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
-+pulseaudio_manage_home_files(pulseaudio_client)
- pulseaudio_signull(pulseaudio_client)
- 
--# TODO: ~/.cache
- userdom_manage_user_home_content_files(pulseaudio_client)
- 
- userdom_read_user_tmpfs_files(pulseaudio_client)
--# userdom_delete_user_tmpfs_files(pulseaudio_client)
- 
- tunable_policy(`use_nfs_home_dirs',`
-- fs_getattr_nfs(pulseaudio_client)
-- fs_manage_nfs_dirs(pulseaudio_client)
-- fs_manage_nfs_files(pulseaudio_client)
-- fs_read_nfs_symlinks(pulseaudio_client)
-+ fs_getattr_nfs(pulseaudio_client)
-+ fs_manage_nfs_dirs(pulseaudio_client)
-+ fs_manage_nfs_files(pulseaudio_client)
-+ fs_read_nfs_symlinks(pulseaudio_client)
- ')
- 
- tunable_policy(`use_samba_home_dirs',`
-- fs_getattr_cifs(pulseaudio_client)
-- fs_manage_cifs_dirs(pulseaudio_client)
-- fs_manage_cifs_files(pulseaudio_client)
-- fs_read_cifs_symlinks(pulseaudio_client)
-+ fs_getattr_cifs(pulseaudio_client)
-+ fs_manage_cifs_dirs(pulseaudio_client)
-+ fs_manage_cifs_files(pulseaudio_client)
-+ fs_read_cifs_symlinks(pulseaudio_client)
- ')
- 
- optional_policy(`
-- pulseaudio_dbus_chat(pulseaudio_client)
-+ pulseaudio_dbus_chat(pulseaudio_client)
- ')
- 
- optional_policy(`
-- rtkit_scheduled(pulseaudio_client)
-+ rtkit_scheduled(pulseaudio_client)
- ')
-diff --git a/puppet.fc b/puppet.fc
-index 4ecda09..8c0b242 100644
---- a/puppet.fc
-+++ b/puppet.fc
-@@ -1,14 +1,12 @@
--/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-+/etc/puppet(/.*)?
gen_context(system_u:object_r:puppet_etc_t,s0) - - /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) --/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) - --/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) --/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) --/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) - --/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) -- --/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) -- --/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) -+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) -+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) -+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) -diff --git a/puppet.if b/puppet.if -index 7cb8b1f..9422c90 100644 ---- a/puppet.if -+++ b/puppet.if -@@ -1,4 +1,32 @@ --## Configuration management system. -+## Puppet client daemon -+## -+##

    -+## Puppet is a configuration management system written in Ruby. -+## The client daemon is responsible for periodically requesting the -+## desired system state from the server and ensuring the state of -+## the client system matches. -+##

    -+##
    -+ -+######################################## -+## -+## Execute puppet_master in the puppet_master -+## domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`puppet_domtrans_master',` -+ gen_require(` -+ type puppetmaster_t, puppetmaster_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t) -+') - - ######################################## - ## -@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',` - # - interface(`puppet_run_puppetca',` - gen_require(` -- attribute_role puppetca_roles; -+ type puppetca_t, puppetca_exec_t; - ') - - puppet_domtrans_puppetca($1) -- roleattribute $2 puppetca_roles; -+ role $2 types puppetca_t; - ') - --#################################### -+################################################ - ## --## Read puppet configuration content. -+## Read / Write to Puppet temp files. Puppet uses -+## some system binaries (groupadd, etc) that run in -+## a non-puppet domain and redirects output into temp -+## files. - ## - ## - ## -@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',` - ## - ## - # --interface(`puppet_read_config',` -+interface(`puppet_rw_tmp', ` - gen_require(` -- type puppet_etc_t; -+ type puppet_tmp_t; - ') - -- files_search_etc($1) -- allow $1 puppet_etc_t:dir list_dir_perms; -- allow $1 puppet_etc_t:file read_file_perms; -- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; -+ allow $1 puppet_tmp_t:file rw_inherited_file_perms; -+ files_search_tmp($1) - ') - - ################################################ -@@ -78,158 +107,164 @@ interface(`puppet_read_config',` - ## - ## - # --interface(`puppet_read_lib_files',` -+interface(`puppet_read_lib',` - gen_require(` - type puppet_var_lib_t; - ') - -- files_search_var_lib($1) - read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -+ files_search_var_lib($1) - ') - - ############################################### - ## --## Create, read, write, and delete --## puppet lib files. 
-+## Manage Puppet lib files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`puppet_manage_lib_files',` -- gen_require(` -- type puppet_var_lib_t; -- ') -+interface(`puppet_manage_lib',` -+ gen_require(` -+ type puppet_var_lib_t; -+ ') - -- files_search_var_lib($1) -- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -+ files_search_var_lib($1) - ') - --##################################### -+###################################### - ## --## Append puppet log files. -+## Allow the specified domain to search puppet's log files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`puppet_append_log_files',` -- gen_require(` -- type puppet_log_t; -- ') -+interface(`puppet_search_log',` -+ gen_require(` -+ type puppet_log_t; -+ ') - -- logging_search_logs($1) -- append_files_pattern($1, puppet_log_t, puppet_log_t) -+ logging_search_logs($1) -+ allow $1 puppet_log_t:dir search_dir_perms; - ') - - ##################################### - ## --## Create puppet log files. -+## Allow the specified domain to read puppet's log files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`puppet_create_log_files',` -- gen_require(` -- type puppet_log_t; -- ') -+interface(`puppet_read_log',` -+ gen_require(` -+ type puppet_log_t; -+ ') - -- logging_search_logs($1) -- create_files_pattern($1, puppet_log_t, puppet_log_t) -+ logging_search_logs($1) -+ read_files_pattern($1, puppet_log_t, puppet_log_t) - ') - - ##################################### - ## --## Read puppet log files. -+## Allow the specified domain to create puppet's log files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. 
-+## - ## - # --interface(`puppet_read_log_files',` -- gen_require(` -- type puppet_log_t; -- ') -+interface(`puppet_create_log',` -+ gen_require(` -+ type puppet_log_t; -+ ') - -- logging_search_logs($1) -- read_files_pattern($1, puppet_log_t, puppet_log_t) -+ logging_search_logs($1) -+ create_files_pattern($1, puppet_log_t, puppet_log_t) - ') - --################################################ -+#################################### - ## --## Read and write to puppet tempoprary files. -+## Allow the specified domain to append puppet's log files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`puppet_rw_tmp', ` -- gen_require(` -- type puppet_tmp_t; -- ') -+interface(`puppet_append_log',` -+ gen_require(` -+ type puppet_log_t; -+ ') - -- files_search_tmp($1) -- allow $1 puppet_tmp_t:file rw_file_perms; -+ logging_search_logs($1) -+ append_files_pattern($1, puppet_log_t, puppet_log_t) - ') - --######################################## -+#################################### - ## --## All of the rules required to --## administrate an puppet environment. -+## Allow the specified domain to manage puppet's log files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## --## --## --## Role allowed access. 
--## --## --## - # --interface(`puppet_admin',` -- gen_require(` -- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t; -- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t; -- type puppet_var_run_t, puppetmaster_tmp_t; -- type puppet_t, puppetca_t, puppetmaster_t; -- ') -- -- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) -+interface(`puppet_manage_log',` -+ gen_require(` -+ type puppet_log_t; -+ ') - -- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, puppet_etc_t) -+ logging_search_logs($1) -+ manage_files_pattern($1, puppet_log_t, puppet_log_t) -+') - -- logging_search_logs($1) -- admin_pattern($1, puppet_log_t) -+#################################### -+## -+## Allow the specified domain to read puppet's config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`puppet_read_config',` -+ gen_require(` -+ type puppet_etc_t; -+ ') - -- files_search_var_lib($1) -- admin_pattern($1, puppet_var_lib_t) -+ files_search_etc($1) -+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) -+ read_files_pattern($1, puppet_etc_t, puppet_etc_t) -+') - -+##################################### -+## -+## Allow the specified domain to search puppet's pid files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`puppet_search_pid',` -+ gen_require(` -+ type puppet_var_run_t; -+ ') -+ - files_search_pids($1) -- admin_pattern($1, puppet_var_run_t) -- -- files_search_tmp($1) -- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t }) -- -- puppet_run_puppetca($1, $2) -+ allow $1 puppet_var_run_t:dir search_dir_perms; - ') -diff --git a/puppet.te b/puppet.te -index f2309f4..a375475 100644 ---- a/puppet.te -+++ b/puppet.te -@@ -1,4 +1,4 @@ --policy_module(puppet, 1.3.7) -+policy_module(puppet, 1.3.0) - - ######################################## - # -@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7) - # - - ## --##

    --## Determine whether puppet can --## manage all non-security files. --##

    -+##

    -+## Allow Puppet client to manage all file -+## types. -+##

    - ##
    - gen_tunable(puppet_manage_all_files, false) - --attribute_role puppetca_roles; --roleattribute system_r puppetca_roles; -+## -+##

    -+## Allow Puppet master to use connect to MySQL and PostgreSQL database -+##

    -+##
    -+gen_tunable(puppetmaster_use_db, false) - - type puppet_t; - type puppet_exec_t; -@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t) - - type puppet_var_run_t; - files_pid_file(puppet_var_run_t) --init_daemon_run_dir(puppet_var_run_t, "puppet") - - type puppetca_t; - type puppetca_exec_t; - application_domain(puppetca_t, puppetca_exec_t) --role puppetca_roles types puppetca_t; -+role system_r types puppetca_t; - - type puppetmaster_t; - type puppetmaster_exec_t; -@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t) - - ######################################## - # --# Local policy -+# Puppet personal policy - # - --allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; -+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; - allow puppet_t self:process { signal signull getsched setsched }; - allow puppet_t self:fifo_file rw_fifo_file_perms; - allow puppet_t self:netlink_route_socket create_netlink_socket_perms; --allow puppet_t self:tcp_socket { accept listen }; -+allow puppet_t self:tcp_socket create_stream_socket_perms; - allow puppet_t self:udp_socket create_socket_perms; - --allow puppet_t puppet_etc_t:dir list_dir_perms; --allow puppet_t puppet_etc_t:file read_file_perms; --allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; -+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) - - manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) - manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) --can_exec(puppet_t, puppet_var_lib_t) -+files_search_var_lib(puppet_t) - --setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) - manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) - files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) - --allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; 
--append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) - create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) --read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) --setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) - logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) - - manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) - - kernel_dontaudit_search_sysctl(puppet_t) - kernel_dontaudit_search_kernel_sysctl(puppet_t) -+kernel_read_system_state(puppet_t) - kernel_read_crypto_sysctls(puppet_t) - kernel_read_kernel_sysctls(puppet_t) --kernel_read_net_sysctls(puppet_t) --kernel_read_network_state(puppet_t) - -+corecmd_read_all_executables(puppet_t) -+corecmd_dontaudit_access_all_executables(puppet_t) - corecmd_exec_bin(puppet_t) - corecmd_exec_shell(puppet_t) --corecmd_read_all_executables(puppet_t) - - corenet_all_recvfrom_netlabel(puppet_t) --corenet_all_recvfrom_unlabeled(puppet_t) - corenet_tcp_sendrecv_generic_if(puppet_t) - corenet_tcp_sendrecv_generic_node(puppet_t) -- --corenet_sendrecv_puppet_client_packets(puppet_t) -+corenet_tcp_bind_generic_node(puppet_t) - corenet_tcp_connect_puppet_port(puppet_t) --corenet_tcp_sendrecv_puppet_port(puppet_t) -+corenet_sendrecv_puppet_client_packets(puppet_t) - - dev_read_rand(puppet_t) - dev_read_sysfs(puppet_t) - dev_read_urand(puppet_t) - --domain_interactive_fd(puppet_t) - domain_read_all_domains_state(puppet_t) -+domain_interactive_fd(puppet_t) - - files_manage_config_files(puppet_t) - files_manage_config_dirs(puppet_t) - files_manage_etc_dirs(puppet_t) - files_manage_etc_files(puppet_t) --files_read_usr_files(puppet_t) - files_read_usr_symlinks(puppet_t) - files_relabel_config_dirs(puppet_t) - files_relabel_config_files(puppet_t) --files_search_var_lib(puppet_t) - 
--selinux_get_fs_mount(puppet_t) --selinux_search_fs(puppet_t) - selinux_set_all_booleans(puppet_t) - selinux_set_generic_booleans(puppet_t) - selinux_validate_context(puppet_t) -@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t) - term_dontaudit_getattr_unallocated_ttys(puppet_t) - term_dontaudit_getattr_all_ttys(puppet_t) - -+auth_use_nsswitch(puppet_t) -+ - init_all_labeled_script_domtrans(puppet_t) - init_domtrans_script(puppet_t) - init_read_utmp(puppet_t) -@@ -143,18 +138,19 @@ init_signull_script(puppet_t) - logging_send_syslog_msg(puppet_t) - - miscfiles_read_hwdata(puppet_t) --miscfiles_read_localization(puppet_t) -- --mount_domtrans(puppet_t) - - seutil_domtrans_setfiles(puppet_t) - seutil_domtrans_semanage(puppet_t) -+seutil_read_file_contexts(puppet_t) - - sysnet_run_ifconfig(puppet_t, system_r) --sysnet_use_ldap(puppet_t) -+ -+usermanage_access_check_groupadd(puppet_t) -+usermanage_access_check_passwd(puppet_t) -+usermanage_access_check_useradd(puppet_t) - - tunable_policy(`puppet_manage_all_files',` -- files_manage_non_auth_files(puppet_t) -+ files_manage_non_security_files(puppet_t) - ') - - optional_policy(` -@@ -196,21 +192,86 @@ optional_policy(` - ') - - optional_policy(` -- usermanage_domtrans_groupadd(puppet_t) -- usermanage_domtrans_useradd(puppet_t) -+ auth_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ alsa_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ bootloader_filetrans_config(puppet_t) -+') -+ -+optional_policy(` -+ devicekit_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ dnsmasq_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ kerberos_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ libs_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ miscfiles_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ mta_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ modules_filetrans_named_content(puppet_t) -+') -+ 
-+optional_policy(` -+ networkmanager_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ nx_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ postfix_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ openshift_initrc_domtrans(puppet_t) -+') -+ -+optional_policy(` -+ quota_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ sysnet_filetrans_named_content(puppet_t) -+') -+ -+optional_policy(` -+ virt_filetrans_home_content(puppet_t) -+') -+ -+optional_policy(` -+ ssh_filetrans_admin_home_content(puppet_t) - ') - - ######################################## - # --# Ca local policy -+# PuppetCA personal policy - # - - allow puppetca_t self:capability { dac_override setgid setuid }; - allow puppetca_t self:fifo_file rw_fifo_file_perms; - --allow puppetca_t puppet_etc_t:dir list_dir_perms; --allow puppetca_t puppet_etc_t:file read_file_perms; --allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms; -+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t) - - allow puppetca_t puppet_var_lib_t:dir list_dir_perms; - manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; - allow puppetca_t puppet_var_run_t:dir search_dir_perms; - - kernel_read_system_state(puppetca_t) -+# Maybe dontaudit this like we did with other puppet domains? 
- kernel_read_kernel_sysctls(puppetca_t) - - corecmd_exec_bin(puppetca_t) -@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t) - dev_read_urand(puppetca_t) - dev_search_sysfs(puppetca_t) - --files_read_etc_files(puppetca_t) --files_search_pids(puppetca_t) - files_search_var_lib(puppetca_t) - - selinux_validate_context(puppetca_t) - - logging_search_logs(puppetca_t) - --miscfiles_read_localization(puppetca_t) - miscfiles_read_generic_certs(puppetca_t) - - seutil_read_file_contexts(puppetca_t) -@@ -246,38 +305,47 @@ optional_policy(` - hostname_exec(puppetca_t) - ') - -+optional_policy(` -+ mta_sendmail_access_check(puppetca_t) -+') -+ -+ - ######################################## - # --# Master local policy -+# Pupper master personal policy - # - - allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; - allow puppetmaster_t self:process { signal_perms getsched setsched }; - allow puppetmaster_t self:fifo_file rw_fifo_file_perms; --allow puppetmaster_t self:netlink_route_socket nlmsg_write; -+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; - allow puppetmaster_t self:socket create; --allow puppetmaster_t self:tcp_socket { accept listen }; -+allow puppetmaster_t self:tcp_socket create_stream_socket_perms; -+allow puppetmaster_t self:udp_socket create_socket_perms; - --allow puppetmaster_t puppet_etc_t:dir list_dir_perms; --allow puppetmaster_t puppet_etc_t:file read_file_perms; --allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; -+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) -+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) - --allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; --append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) --create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) --setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -+allow puppetmaster_t puppet_log_t:dir { 
rw_dir_perms setattr_dir_perms }; -+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; - logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) -+allow puppetmaster_t puppet_log_t:file relabel_file_perms; - --allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; --allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; -+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) -+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; -+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; - --allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; --allow puppetmaster_t puppet_var_run_t:file manage_file_perms; -+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) -+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) -+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) - files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) -+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; - --allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms }; --allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms; -+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) -+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) - files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) -+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; - - kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) - kernel_read_network_state(puppetmaster_t) -@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t) - corecmd_exec_shell(puppetmaster_t) - - corenet_all_recvfrom_netlabel(puppetmaster_t) --corenet_all_recvfrom_unlabeled(puppetmaster_t) - 
corenet_tcp_sendrecv_generic_if(puppetmaster_t) - corenet_tcp_sendrecv_generic_node(puppetmaster_t) - corenet_tcp_bind_generic_node(puppetmaster_t) -- --corenet_sendrecv_puppet_server_packets(puppetmaster_t) - corenet_tcp_bind_puppet_port(puppetmaster_t) --corenet_tcp_sendrecv_puppet_port(puppetmaster_t) -+corenet_sendrecv_puppet_server_packets(puppetmaster_t) -+corenet_tcp_connect_ntop_port(puppetmaster_t) -+ -+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports. -+corenet_udp_bind_generic_node(puppetmaster_t) -+corenet_udp_bind_generic_port(puppetmaster_t) - - dev_read_rand(puppetmaster_t) - dev_read_urand(puppetmaster_t) - dev_search_sysfs(puppetmaster_t) - --domain_obj_id_change_exemption(puppetmaster_t) - domain_read_all_domains_state(puppetmaster_t) -+domain_obj_id_change_exemption(puppetmaster_t) - --files_read_usr_files(puppetmaster_t) - - selinux_validate_context(puppetmaster_t) - -@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t) - logging_send_syslog_msg(puppetmaster_t) - - miscfiles_read_generic_certs(puppetmaster_t) --miscfiles_read_localization(puppetmaster_t) - - seutil_read_file_contexts(puppetmaster_t) - - sysnet_run_ifconfig(puppetmaster_t, system_r) - -+mta_send_mail(puppetmaster_t) -+ - optional_policy(` -- hostname_exec(puppetmaster_t) -+ tunable_policy(`puppetmaster_use_db',` -+ mysql_stream_connect(puppetmaster_t) -+ ') - ') - - optional_policy(` -- mta_send_mail(puppetmaster_t) -+ tunable_policy(`puppetmaster_use_db',` -+ postgresql_stream_connect(puppetmaster_t) -+ ') - ') - - optional_policy(` -- mysql_stream_connect(puppetmaster_t) -+ systemd_dbus_chat_timedated(puppetmaster_t) - ') - - optional_policy(` -- postgresql_stream_connect(puppetmaster_t) -+ hostname_exec(puppetmaster_t) - ') - - optional_policy(` -@@ -342,3 +416,9 @@ optional_policy(` - rpm_exec(puppetmaster_t) - rpm_read_db(puppetmaster_t) - ') -+ -+optional_policy(` -+ usermanage_access_check_groupadd(puppetmaster_t) -+ 
usermanage_access_check_passwd(puppetmaster_t) -+ usermanage_access_check_useradd(puppetmaster_t) -+') -diff --git a/pwauth.fc b/pwauth.fc -index 7e7b444..e2f8687 100644 ---- a/pwauth.fc -+++ b/pwauth.fc -@@ -1,3 +1,3 @@ --/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) -+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) - --/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) -+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) -diff --git a/pwauth.if b/pwauth.if -index 1148dce..86d25ea 100644 ---- a/pwauth.if -+++ b/pwauth.if -@@ -1,72 +1,74 @@ --## External plugin for mod_authnz_external authenticator. -+ -+## policy for pwauth - - ######################################## - ## --## Role access for pwauth. -+## Transition to pwauth. - ## --## --## --## Role allowed access. --## --## - ## --## --## User domain for the role. --## -+## -+## Domain allowed to transition. -+## - ## - # --interface(`pwauth_role',` -+interface(`pwauth_domtrans',` - gen_require(` -- type pwauth_t; -+ type pwauth_t, pwauth_exec_t; - ') - -- pwauth_run($2, $1) -- -- ps_process_pattern($2, pwauth_t) -- allow $2 pwauth_t:process { ptrace signal_perms }; -+ corecmd_search_bin($1) -+ domtrans_pattern($1, pwauth_exec_t, pwauth_t) - ') - - ######################################## - ## --## Execute pwauth in the pwauth domain. -+## Execute pwauth in the pwauth domain, and -+## allow the specified role the pwauth domain. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed to transition -+## -+## -+## -+## -+## The role to be allowed the pwauth domain. 
- ## - ## - # --interface(`pwauth_domtrans',` -+interface(`pwauth_run',` - gen_require(` -- type pwauth_t, pwauth_exec_t; -+ type pwauth_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, pwauth_exec_t, pwauth_t) -+ pwauth_domtrans($1) -+ role $2 types pwauth_t; - ') - - ######################################## - ## --## Execute pwauth in the pwauth --## domain, and allow the specified --## role the pwauth domain. -+## Role access for pwauth - ## --## -+## - ## --## Domain allowed to transition. -+## Role allowed access - ## - ## --## -+## - ## --## Role allowed access. -+## User domain for the role - ## - ## - # --interface(`pwauth_run',` -+interface(`pwauth_role',` - gen_require(` -- attribute_role pwauth_roles; -+ type pwauth_t; - ') - -- pwauth_domtrans($1) -- roleattribute $2 pwauth_roles; -+ role $1 types pwauth_t; -+ -+ pwauth_domtrans($2) -+ -+ ps_process_pattern($2, pwauth_t) -+ allow $2 pwauth_t:process signal; - ') -diff --git a/pwauth.te b/pwauth.te -index 3078e34..215df88 100644 ---- a/pwauth.te -+++ b/pwauth.te -@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0) - # Declarations - # - --attribute_role pwauth_roles; --roleattribute system_r pwauth_roles; -- - type pwauth_t; - type pwauth_exec_t; - application_domain(pwauth_t, pwauth_exec_t) --role pwauth_roles types pwauth_t; -+role system_r types pwauth_t; - - type pwauth_var_run_t; - files_pid_file(pwauth_var_run_t) - - ######################################## - # --# Local policy -+# pwauth local policy - # -- - allow pwauth_t self:capability setuid; - allow pwauth_t self:process setrlimit; -+ - allow pwauth_t self:fifo_file manage_fifo_file_perms; --allow pwauth_t self:unix_stream_socket { accept listen }; -+allow pwauth_t self:unix_stream_socket create_stream_socket_perms; - - manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) - files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) -@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t) - - auth_domtrans_chkpwd(pwauth_t) - 
auth_use_nsswitch(pwauth_t) -+auth_read_shadow(pwauth_t) -+auth_rw_lastlog(pwauth_t) - - init_read_utmp(pwauth_t) - - logging_send_syslog_msg(pwauth_t) - logging_send_audit_msgs(pwauth_t) -- --miscfiles_read_localization(pwauth_t) -diff --git a/pxe.te b/pxe.te -index 72db707..6dae5e5 100644 ---- a/pxe.te -+++ b/pxe.te -@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t) - - domain_use_interactive_fds(pxe_t) - --files_read_etc_files(pxe_t) - - fs_getattr_all_fs(pxe_t) - fs_search_auto_mountpoints(pxe_t) - - logging_send_syslog_msg(pxe_t) - --miscfiles_read_localization(pxe_t) -- - userdom_dontaudit_use_unpriv_user_fds(pxe_t) - userdom_dontaudit_search_user_home_dirs(pxe_t) - -diff --git a/pyicqt.fc b/pyicqt.fc -deleted file mode 100644 -index 0c143e3..0000000 ---- a/pyicqt.fc -+++ /dev/null -@@ -1,11 +0,0 @@ --/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) -- --/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0) -- --/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) -- --/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0) -- --/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) -- --/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) -diff --git a/pyicqt.if b/pyicqt.if -deleted file mode 100644 -index 0ccea82..0000000 ---- a/pyicqt.if -+++ /dev/null -@@ -1,45 +0,0 @@ --## ICQ transport for XMPP server. -- --######################################## --## --## All of the rules required to --## administrate an pyicqt environment. --## --## --## --## Domain allowed access. --## --## --## --## --## Role allowed access. 
--## --## --## --# --interface(`pyicqt_admin',` -- gen_require(` -- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t; -- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t; -- ') -- -- allow $1 pyicqt_t:process { ptrace signal_perms }; -- ps_process_pattern($1, pyicqt_t) -- -- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 pyicqt_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, pyicqt_conf_t) -- -- logging_search_logs($1) -- admin_pattern($1, pyicqt_log_t) -- -- files_search_spool($1) -- admin_pattern($1, pyicqt_spool_t) -- -- files_search_pids($1) -- admin_pattern($1, pyicqt_var_run_t) --') -diff --git a/pyicqt.te b/pyicqt.te -deleted file mode 100644 -index 99bebbd..0000000 ---- a/pyicqt.te -+++ /dev/null -@@ -1,92 +0,0 @@ --policy_module(pyicqt, 1.0.1) -- --######################################## --# --# Declarations --# -- --type pyicqt_t; --type pyicqt_exec_t; --init_daemon_domain(pyicqt_t, pyicqt_exec_t) -- --type pyicqt_initrc_exec_t; --init_script_file(pyicqt_initrc_exec_t) -- --type pyicqt_conf_t; --files_config_file(pyicqt_conf_t) -- --type pyicqt_log_t; --logging_log_file(pyicqt_log_t) -- --type pyicqt_spool_t; --files_type(pyicqt_spool_t) -- --type pyicqt_var_run_t; --files_pid_file(pyicqt_var_run_t) -- --######################################## --# --# Local policy --# -- --allow pyicqt_t self:process signal_perms; --allow pyicqt_t self:fifo_file rw_fifo_file_perms; --allow pyicqt_t self:tcp_socket { accept listen }; -- --read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) -- --allow pyicqt_t pyicqt_log_t:file append_file_perms; --allow pyicqt_t pyicqt_log_t:file create_file_perms; --allow pyicqt_t pyicqt_log_t:file setattr_file_perms; --logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) -- --manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) --manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) 
--files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir) -- --manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) --files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) -- --kernel_read_system_state(pyicqt_t) -- --corecmd_exec_bin(pyicqt_t) -- --corenet_all_recvfrom_unlabeled(pyicqt_t) --corenet_all_recvfrom_netlabel(pyicqt_t) --corenet_tcp_sendrecv_generic_if(pyicqt_t) --corenet_tcp_sendrecv_generic_node(pyicqt_t) --corenet_tcp_bind_generic_node(pyicqt_t) -- --# corenet_sendrecv_jabber_router_server_packets(pyicqt_t) --# corenet_tcp_bind_jabber_router_port(pyicqt_t) --# corenet_sendrecv_jabber_router_client_packets(pyicqt_t) --# corenet_tcp_connect_jabber_router_port(pyicqt_t) --# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t) -- --dev_read_sysfs(pyicqt_t) --dev_read_urand(pyicqt_t) -- --files_read_usr_files(pyicqt_t) -- --fs_getattr_all_fs(pyicqt_t) -- --auth_use_nsswitch(pyicqt_t) -- --libs_read_lib_files(pyicqt_t) -- --logging_send_syslog_msg(pyicqt_t) -- --miscfiles_read_localization(pyicqt_t) -- --optional_policy(` -- jabber_manage_lib_files(pyicqt_t) --') -- --optional_policy(` -- mysql_stream_connect(pyicqt_t) -- mysql_tcp_connect(pyicqt_t) --') -- --optional_policy(` -- seutil_sigchld_newrole(pyicqt_t) --') -diff --git a/pyzor.fc b/pyzor.fc -index af13139..a927c5a 100644 ---- a/pyzor.fc -+++ b/pyzor.fc -@@ -1,12 +1,13 @@ --HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -- --/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -- -+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) - /etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - --/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) --/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -+/root/\.pyzor(/.*)? 
gen_context(system_u:object_r:pyzor_home_t,s0) -+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - --/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) -+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) -+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) - -+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) - /var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) -diff --git a/pyzor.if b/pyzor.if -index 593c03d..2c411af 100644 ---- a/pyzor.if -+++ b/pyzor.if -@@ -2,7 +2,7 @@ - - ######################################## - ## --## Role access for pyzor. -+## Role access for pyzor - ## - ## - ## -@@ -14,31 +14,30 @@ - ## User domain for the role - ## - ## -+## - # - interface(`pyzor_role',` - gen_require(` -- attribute_role pyzor_roles; -- type pyzor_t, pyzor_exec_t, pyzor_home_t; -- type pyzor_tmp_t; -+ type pyzor_t, pyzor_exec_t; -+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; - ') - -- roleattribute $1 pyzor_roles; -+ role $1 types pyzor_t; - -+ # Transition from the user domain to the derived domain. - domtrans_pattern($2, pyzor_exec_t, pyzor_t) - -- allow $2 pyzor_t:process { ptrace signal_perms }; -+ # allow ps to show pyzor and allow the user to kill it - ps_process_pattern($2, pyzor_t) -- -- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- -- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor") -+ allow $2 pyzor_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 pyzor_t:process ptrace; -+ ') - ') - - ######################################## - ## --## Send generic signals to pyzor. 
-+## Send generic signals to pyzor - ## - ## - ## -@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',` - type pyzor_exec_t, pyzor_t; - ') - -+ files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, pyzor_exec_t, pyzor_t) - ') -@@ -88,14 +88,15 @@ interface(`pyzor_exec',` - type pyzor_exec_t; - ') - -+ files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an pyzor environment. -+## All of the rules required to administrate -+## an pyzor environment - ## - ## - ## -@@ -104,33 +105,37 @@ interface(`pyzor_exec',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the pyzor domain. - ## - ## - ## - # - interface(`pyzor_admin',` - gen_require(` -- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t; -- type pyzor_var_lib_t, pyzor_etc_t; -+ type pyzord_t, pyzor_tmp_t, pyzord_log_t; -+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; - ') - -- allow $1 pyzord_t:process { ptrace signal_perms }; -+ allow $1 pyzord_t:process signal_perms; - ps_process_pattern($1, pyzord_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 pyzord_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, pyzord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pyzord_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -- admin_pattern($1, pyzor_etc_t) -+ files_list_tmp($1) -+ admin_pattern($1, pyzor_tmp_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, pyzord_log_t) - -- files_search_var_lib($1) -- admin_pattern($1, pyzor_var_lib_t) -+ files_list_etc($1) -+ admin_pattern($1, pyzor_etc_t) - -- pyzor_role($2, $1) -+ files_list_var_lib($1) -+ admin_pattern($1, pyzor_var_lib_t) - ') -diff --git a/pyzor.te b/pyzor.te -index 6c456d2..86daaba 100644 ---- a/pyzor.te -+++ b/pyzor.te -@@ -1,61 +1,82 @@ --policy_module(pyzor, 2.2.1) -+policy_module(pyzor, 2.1.0) - - 
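Review bot: The gen_require of pyzor_role still declares `type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;` although the rewritten body references only pyzor_t and pyzor_exec_t; the home/tmp manage rules and the userdom_user_home_dir_filetrans that used them were removed, so the require should shrink to `type pyzor_t, pyzor_exec_t;`. Gating ptrace behind deny_ptrace is the right direction; a one-line comment above the tunable_policy block, such as `# ptrace is granted only while deny_ptrace is off`, would match the comment style used on the domtrans line.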
########################################
- #
- # Declarations
- #
-
--attribute_role pyzor_roles;
--roleattribute system_r pyzor_roles;
--
--type pyzor_t;
--type pyzor_exec_t;
--typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
--typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
--userdom_user_application_domain(pyzor_t, pyzor_exec_t)
--role pyzor_roles types pyzor_t;
--
--type pyzor_etc_t;
--files_type(pyzor_etc_t)
--
--type pyzor_home_t;
--typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
--typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
--userdom_user_home_content(pyzor_home_t)
--
--type pyzor_tmp_t;
--typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
--typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
--userdom_user_tmp_file(pyzor_tmp_t)
--
--type pyzor_var_lib_t;
--typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
--typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
--files_type(pyzor_var_lib_t)
--ubac_constrained(pyzor_var_lib_t)
--
--type pyzord_t;
--type pyzord_exec_t;
--init_daemon_domain(pyzord_t, pyzord_exec_t)
--
--type pyzord_initrc_exec_t;
--init_script_file(pyzord_initrc_exec_t)
--
--type pyzord_log_t;
--logging_log_file(pyzord_log_t)
-+ifdef(`distro_redhat',`
-+ gen_require(`
-+ type spamc_t, spamc_exec_t, spamd_t;
-+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
-+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
-+ type spamc_tmp_t, spamc_home_t;
-+ ')
-+
-+ typealias spamc_t alias pyzor_t;
-+ typealias spamc_exec_t alias pyzor_exec_t;
-+ typealias spamd_t alias pyzord_t;
-+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
-+ typealias spamd_exec_t alias pyzord_exec_t;
-+ typealias spamc_tmp_t alias pyzor_tmp_t;
-+ typealias spamd_log_t alias pyzor_log_t;
-+ typealias spamd_log_t alias pyzord_log_t;
-+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
-+ typealias spamd_etc_t alias pyzor_etc_t;
-+ typealias spamc_home_t alias pyzor_home_t;
-+ typealias spamc_home_t alias user_pyzor_home_t;
-+',`
-+ type pyzor_t;
-+ type pyzor_exec_t;
-+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-+ application_domain(pyzor_t, pyzor_exec_t)
-+ ubac_constrained(pyzor_t)
-+ role system_r types pyzor_t;
-+
-+ type pyzor_etc_t;
-+ files_config_file(pyzor_etc_t)
-+
-+ type pyzor_home_t;
-+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-+ userdom_user_home_content(pyzor_home_t)
-+
-+ type pyzor_tmp_t;
-+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-+ files_tmp_file(pyzor_tmp_t)
-+ ubac_constrained(pyzor_tmp_t)
-+
-+ type pyzor_var_lib_t;
-+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-+ files_type(pyzor_var_lib_t)
-+ ubac_constrained(pyzor_var_lib_t)
-+
-+ type pyzord_t;
-+ type pyzord_exec_t;
-+ init_daemon_domain(pyzord_t, pyzord_exec_t)
-+
-+ type pyzord_log_t;
-+ logging_log_file(pyzord_log_t)
-+')
-
- ########################################
- #
--# Local policy
-+# Pyzor client local policy
- #
-
-+allow pyzor_t self:udp_socket create_socket_perms;
-+
- manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
- manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
- manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
--userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
-+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
-
- allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
- read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
-+files_search_var_lib(pyzor_t)
-
- manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
- manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
-@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t)
- corecmd_list_bin(pyzor_t)
- corecmd_getattr_bin_files(pyzor_t)
-
--corenet_all_recvfrom_unlabeled(pyzor_t)
--corenet_all_recvfrom_netlabel(pyzor_t)
- corenet_tcp_sendrecv_generic_if(pyzor_t)
-+corenet_udp_sendrecv_generic_if(pyzor_t)
- corenet_tcp_sendrecv_generic_node(pyzor_t)
--
--corenet_sendrecv_http_client_packets(pyzor_t)
-+corenet_udp_sendrecv_generic_node(pyzor_t)
-+corenet_tcp_sendrecv_all_ports(pyzor_t)
-+corenet_udp_sendrecv_all_ports(pyzor_t)
- corenet_tcp_connect_http_port(pyzor_t)
--corenet_tcp_sendrecv_http_port(pyzor_t)
-
- dev_read_urand(pyzor_t)
-
--fs_getattr_all_fs(pyzor_t)
--fs_search_auto_mountpoints(pyzor_t)
-+fs_getattr_xattr_fs(pyzor_t)
-+
-
- auth_use_nsswitch(pyzor_t)
-
--miscfiles_read_localization(pyzor_t)
-
- mta_read_queue(pyzor_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(pyzor_t)
-- fs_manage_nfs_files(pyzor_t)
-- fs_manage_nfs_symlinks(pyzor_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(pyzor_t)
-- fs_manage_cifs_files(pyzor_t)
-- fs_manage_cifs_symlinks(pyzor_t)
--')
-+userdom_dontaudit_search_user_home_dirs(pyzor_t)
-
- optional_policy(`
-- amavis_manage_lib_files(pyzor_t)
-- amavis_manage_spool_files(pyzor_t)
-+ antivirus_manage_db(pyzor_t)
- ')
-
- optional_policy(`
-@@ -111,25 +119,24 @@ optional_policy(`
-
- ########################################
- #
--# Daemon local policy
-+# Pyzor server local policy
- #
-
--allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
-+allow pyzord_t self:udp_socket create_socket_perms;
-+
- manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
-+allow pyzord_t pyzor_var_lib_t:dir setattr;
- files_var_lib_filetrans(pyzord_t,
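Review bot: The distro_redhat branch lists `spamc_tmp_t` twice in its gen_require (once on the spamd_initrc_exec_t line and again on the spamc_home_t line); one of them should go. Because every pyzor type becomes a typealias of a spamc or spamd type in that branch, every `allow pyzor_t ...` and `allow pyzord_t ...` rule later in this file is, on Red Hat builds, a rule on spamc_t/spamd_t, which the section headers ("Pyzor client local policy") do not convey. A comment at the top of the branch, such as `# On Red Hat builds pyzor runs in the spamassassin domains; every rule below also extends spamc_t/spamd_t`, would make that consequence visible to whoever reviews the rules that follow.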
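Review bot: `corenet_tcp_sendrecv_all_ports(pyzor_t)` and `corenet_udp_sendrecv_all_ports(pyzor_t)` replace the http-port-scoped rules and let the pyzor client send and receive on every labeled port, while the only connect rule kept is corenet_tcp_connect_http_port. If the intent is the UDP pyzor protocol, `corenet_udp_sendrecv_pyzor_port(pyzor_t)` (the port interface this file already uses for pyzord_t on the old side) next to the existing http lines covers it without the all-ports grant. The same widening is applied to the server by `corenet_udp_sendrecv_all_ports(pyzord_t)` in the `-@@ -137,24 +144,25 @@` hunk below. If all_ports is deliberate, a comment naming the server ports pyzor must reach would keep the grant from being tightened later by mistake.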
pyzor_var_lib_t, { file dir })
-
-+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
- allow pyzord_t pyzor_etc_t:dir list_dir_perms;
--allow pyzord_t pyzor_etc_t:file read_file_perms;
--allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
-
-+can_exec(pyzord_t, pyzor_exec_t)
-+
-+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
- allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
--append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
--create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
--setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
- logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
-
--can_exec(pyzord_t, pyzor_exec_t)
--
- kernel_read_kernel_sysctls(pyzord_t)
- kernel_read_system_state(pyzord_t)
-
-@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t)
-
- corecmd_exec_bin(pyzord_t)
-
--corenet_all_recvfrom_unlabeled(pyzord_t)
- corenet_all_recvfrom_netlabel(pyzord_t)
- corenet_udp_sendrecv_generic_if(pyzord_t)
- corenet_udp_sendrecv_generic_node(pyzord_t)
-+corenet_udp_sendrecv_all_ports(pyzord_t)
- corenet_udp_bind_generic_node(pyzord_t)
--
--corenet_sendrecv_pyzor_server_packets(pyzord_t)
- corenet_udp_bind_pyzor_port(pyzord_t)
--corenet_udp_sendrecv_pyzor_port(pyzord_t)
-+corenet_sendrecv_pyzor_server_packets(pyzord_t)
-
--auth_use_nsswitch(pyzord_t)
-
--logging_send_syslog_msg(pyzord_t)
-+auth_use_nsswitch(pyzord_t)
-
- locallogin_dontaudit_use_fds(pyzord_t)
-
--miscfiles_read_localization(pyzord_t)
-
-+# Do not audit attempts to access /root.
- userdom_dontaudit_search_user_home_dirs(pyzord_t) - - mta_manage_spool(pyzord_t) -+ -+optional_policy(` -+ logging_send_syslog_msg(pyzord_t) -+') -diff --git a/qemu.fc b/qemu.fc -index 6b53fa4..64d877e 100644 ---- a/qemu.fc -+++ b/qemu.fc -@@ -1,5 +1,4 @@ --/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -- - /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -diff --git a/qemu.if b/qemu.if -index eaf56b8..580f9ee 100644 ---- a/qemu.if -+++ b/qemu.if -@@ -1,19 +1,21 @@ --## QEMU machine emulator and virtualizer. -+## QEMU machine emulator and virtualizer - --####################################### -+######################################## - ## --## The template to define a qemu domain. -+## Creates types and rules for a basic -+## qemu process domain. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix for the domain. 
- ## - ## - # - template(`qemu_domain_template',` -+ - ############################## - # -- # Declarations -+ # Local Policy - # - - type $1_t; -@@ -24,7 +26,7 @@ template(`qemu_domain_template',` - - ############################## - # -- # Policy -+ # Local Policy - # - - allow $1_t self:capability { dac_read_search dac_override }; -@@ -41,7 +43,6 @@ template(`qemu_domain_template',` - - kernel_read_system_state($1_t) - -- corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) -@@ -70,11 +71,10 @@ template(`qemu_domain_template',` - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - -- miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - -- userdom_use_user_terminals($1_t) -+ userdom_use_inherited_user_terminals($1_t) - userdom_attach_admin_tun_iface($1_t) - - optional_policy(` -@@ -98,38 +98,12 @@ template(`qemu_domain_template',` - - ######################################## - ## --## Role access for qemu. --## --## --## --## Role allowed access. --## --## --## --## --## User domain for the role. --## --## --# --template(`qemu_role',` -- gen_require(` -- type qemu_t; -- ') -- -- qemu_run($2, $1) -- -- allow $2 qemu_t:process { ptrace signal_perms }; -- ps_process_pattern($2, qemu_t) --') -- --######################################## --## - ## Execute a domain transition to run qemu. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`qemu_domtrans',` -@@ -137,18 +111,17 @@ interface(`qemu_domtrans',` - type qemu_t, qemu_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, qemu_t) - ') - - ######################################## - ## --## Execute a qemu in the caller domain. -+## Execute a qemu in the callers domain - ## - ## --## -+## - ## Domain allowed access. 
--## -+## - ## - # - interface(`qemu_exec',` -@@ -156,15 +129,12 @@ interface(`qemu_exec',` - type qemu_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, qemu_exec_t) - ') - - ######################################## - ## --## Execute qemu in the qemu domain, --## and allow the specified role the --## qemu domain. -+## Execute qemu in the qemu domain. - ## - ## - ## -@@ -173,23 +143,25 @@ interface(`qemu_exec',` - ## - ## - ## --## Role allowed access. -+## The role to allow the qemu domain. - ## - ## - ## - # - interface(`qemu_run',` - gen_require(` -- attribute_role qemu_roles; -+ type qemu_t; - ') - - qemu_domtrans($1) -- roleattribute $2 qemu_roles; -+ role $2 types qemu_t; -+ allow qemu_t $1:process signull; -+ allow $1 qemu_t:process signull; - ') - - ######################################## - ## --## Read qemu process state files. -+## Allow the domain to read state files in /proc. - ## - ## - ## -@@ -202,15 +174,12 @@ interface(`qemu_read_state',` - type qemu_t; - ') - -- kernel_search_proc($1) -- allow $1 qemu_t:dir list_dir_perms; -- allow $1 qemu_t:file read_file_perms; -- allow $1 qemu_t:lnk_file read_lnk_file_perms; -+ read_files_pattern($1, qemu_t, qemu_t) - ') - - ######################################## - ## --## Set qemu scheduler. -+## Set the schedule on qemu. - ## - ## - ## -@@ -228,7 +197,7 @@ interface(`qemu_setsched',` - - ######################################## - ## --## Send generic signals to qemu. -+## Send a signal to qemu. - ## - ## - ## -@@ -246,7 +215,7 @@ interface(`qemu_signal',` - - ######################################## - ## --## Send kill signals to qemu. -+## Send a sigill to qemu - ## - ## - ## -@@ -264,48 +233,68 @@ interface(`qemu_kill',` - - ######################################## - ## --## Execute a domain transition to --## run qemu unconfined. -+## Execute qemu_exec_t -+## in the specified domain but do not -+## do it automatically. This is an explicit -+## transition, requiring the caller to use setexeccon(). 
- ## -+## -+##

    -+## Execute qemu_exec_t -+## in the specified domain. This allows -+## the specified domain to qemu programs -+## on these filesystems in the specified -+## domain. -+##

    -+##
    - ## - ## --## Domain allowed to transition. -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. - ## - ## - # --interface(`qemu_domtrans_unconfined',` -+interface(`qemu_spec_domtrans',` - gen_require(` -- type unconfined_qemu_t, qemu_exec_t; -+ type qemu_exec_t; - ') -- -- corecmd_search_bin($1) -- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) -+ -+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) -+ domain_transition_pattern($1, qemu_exec_t, $2) -+ domain_entry_file($2,qemu_exec_t) -+ can_exec($1,qemu_exec_t) -+ -+ allow $2 $1:fd use; -+ allow $2 $1:fifo_file rw_fifo_file_perms; -+ allow $2 $1:process sigchld; - ') - - ######################################## - ## --## Create, read, write, and delete --## qemu temporary directories. -+## Execute qemu unconfined programs in the role. - ## --## -+## - ## --## Domain allowed access. -+## The role to allow the qemu unconfined domain. - ## - ## - # --interface(`qemu_manage_tmp_dirs',` -+interface(`qemu_unconfined_role',` - gen_require(` -- type qemu_tmp_t; -+ type unconfined_qemu_t; -+ type qemu_t; - ') -- -- files_search_tmp($1) -- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) -+ role $1 types unconfined_qemu_t; -+ role $1 types qemu_t; - ') - - ######################################## - ## --## Create, read, write, and delete --## qemu temporary files. -+## Manage qemu temporary dirs. - ## - ## - ## -@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',` - ## - ## - # --interface(`qemu_manage_tmp_files',` -+interface(`qemu_manage_tmp_dirs',` - gen_require(` - type qemu_tmp_t; - ') - -- files_search_tmp($1) -- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) - ') - - ######################################## - ## --## Execute qemu in a specified domain. -+## Manage qemu temporary files. - ## --## --##

    --## Execute qemu in a specified domain. --##

    --##

    --## No interprocess communication (signals, pipes, --## etc.) is provided by this interface since --## the domains are not owned by this module. --##

    --##
    --## --## --## Domain allowed to transition. --## --## --## -+## - ## --## Domain to transition to. -+## Domain allowed access. - ## - ## - # --interface(`qemu_spec_domtrans',` -+interface(`qemu_manage_tmp_files',` - gen_require(` -- type qemu_exec_t; -+ type qemu_tmp_t; - ') - -- corecmd_search_bin($1) -- domain_auto_trans($1, qemu_exec_t, $2) -+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) - ') - --###################################### -+######################################## - ## --## Make qemu executable files an --## entrypoint for the specified domain. -+## Make qemu_exec_t an entrypoint for -+## the specified domain. - ## - ## --## --## The domain for which qemu_exec_t is an entrypoint. --## -+## -+## The domain for which qemu_exec_t is an entrypoint. -+## - ## - # - interface(`qemu_entry_type',` -diff --git a/qemu.te b/qemu.te -index 2e824eb..695c857 100644 ---- a/qemu.te -+++ b/qemu.te -@@ -1,4 +1,4 @@ --policy_module(qemu, 1.7.4) -+policy_module(qemu, 1.7.0) - - ######################################## - # -@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4) - # - - ## --##

    --## Determine whether qemu has full --## access to the network. --##

    -+##

    -+## Allow qemu to connect fully to the network -+##

    - ##
    - gen_tunable(qemu_full_network, false) - --attribute_role qemu_roles; --roleattribute system_r qemu_roles; -+## -+##

    -+## Allow qemu to use cifs/Samba file systems -+##

    -+##
    -+gen_tunable(qemu_use_cifs, true) -+ -+## -+##

    -+## Allow qemu to use serial/parallel communication ports -+##

    -+##
    -+gen_tunable(qemu_use_comm, false) - --type qemu_exec_t; --application_executable_file(qemu_exec_t) -+## -+##

    -+## Allow qemu to use nfs file systems -+##

    -+##
    -+gen_tunable(qemu_use_nfs, true) -+ -+## -+##

    -+## Allow qemu to use usb devices -+##

    -+##
    -+gen_tunable(qemu_use_usb, true) - - virt_domain_template(qemu) --role qemu_roles types qemu_t; -+role system_r types qemu_t; - - ######################################## - # --# Local policy -+# qemu local policy - # - -+storage_raw_write_removable_device(qemu_t) -+storage_raw_read_removable_device(qemu_t) -+ -+userdom_search_user_home_content(qemu_t) -+userdom_read_user_tmpfs_files(qemu_t) -+userdom_stream_connect(qemu_t) -+ - tunable_policy(`qemu_full_network',` -+ allow qemu_t self:udp_socket create_socket_perms; -+ - corenet_udp_sendrecv_generic_if(qemu_t) - corenet_udp_sendrecv_generic_node(qemu_t) - corenet_udp_sendrecv_all_ports(qemu_t) -@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',` - corenet_tcp_connect_all_ports(qemu_t) - ') - -+tunable_policy(`qemu_use_cifs',` -+ fs_manage_cifs_dirs(qemu_t) -+ fs_manage_cifs_files(qemu_t) -+') -+ -+tunable_policy(`qemu_use_comm',` -+ term_use_unallocated_ttys(qemu_t) -+ dev_rw_printer(qemu_t) -+') -+ -+tunable_policy(`qemu_use_nfs',` -+ fs_manage_nfs_dirs(qemu_t) -+ fs_manage_nfs_files(qemu_t) -+') -+ -+tunable_policy(`qemu_use_usb',` -+ dev_rw_usbfs(qemu_t) -+ fs_manage_dos_dirs(qemu_t) -+ fs_manage_dos_files(qemu_t) -+') -+ - optional_policy(` -- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) -+ dbus_read_lib_files(qemu_t) - ') - --######################################## --# --# Unconfined local policy --# -+optional_policy(` -+ pulseaudio_manage_home_files(qemu_t) -+ pulseaudio_stream_connect(qemu_t) -+') -+ -+optional_policy(` -+ tunable_policy(`qemu_use_cifs',` -+ samba_domtrans_smbd(qemu_t) -+ ') -+') - - optional_policy(` -- type unconfined_qemu_t; -- typealias unconfined_qemu_t alias qemu_unconfined_t; -- application_type(unconfined_qemu_t) -- unconfined_domain(unconfined_qemu_t) -+ virt_domtrans_bridgehelper(qemu_t) -+') -+ -+optional_policy(` -+ virt_manage_home_files(qemu_t) -+ virt_manage_images(qemu_t) -+ virt_append_log(qemu_t) -+') - -- allow unconfined_qemu_t self:process { 
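Review bot: `gen_tunable(qemu_use_cifs, true)`, `gen_tunable(qemu_use_nfs, true)` and `gen_tunable(qemu_use_usb, true)` default to on, so the fs_manage_cifs/nfs, dev_rw_usbfs and fs_manage_dos grants they control in the following `-@@ -37,21 +67,57 @@` hunk are active unless an administrator turns them off, while qemu_full_network and qemu_use_comm default to false; each desc should say what stops working when the boolean is off so the default can be judged. The qemu_use_usb desc says "usb devices" but the tunable also enables fs_manage_dos_dirs/files, which the desc should mention. The unconditional `storage_raw_write_removable_device(qemu_t)` and `userdom_stream_connect(qemu_t)` additions carry no comment on which qemu feature needs raw write access to removable devices or a user stream socket; a why-comment on each would help the next reviewer.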
execstack execmem }; -- allow unconfined_qemu_t qemu_exec_t:file execmod; -+optional_policy(` -+ xen_rw_image_files(qemu_t) -+') -+ -+optional_policy(` -+ xserver_read_xdm_pid(qemu_t) -+ xserver_stream_connect(qemu_t) - ') -diff --git a/qmail.fc b/qmail.fc -index e53fe5a..edee505 100644 ---- a/qmail.fc -+++ b/qmail.fc -@@ -1,22 +1,6 @@ --/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) -- --/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) -- --/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) --/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) --/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) --/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) --/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) --/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) --/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) --/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) --/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) --/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) --/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) --/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) -- --/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) --/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) -+ -+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) -+/var/qmail/alias(/.*)? 
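Review bot: The `type unconfined_qemu_t;` declaration and its unconfined_domain() call are removed from qemu.te, yet the new qemu_unconfined_role interface in qemu.if still does `role $1 types unconfined_qemu_t;` and requires that type; presumably it is now declared in another module not visible here, and a comment in that interface naming where it lives would save the next reader the search. The optional_policy blocks added here (dbus, pulseaudio, virt, xen, xserver) each lack a comment on which qemu feature needs them, unlike the tunable_policy blocks whose tunable name documents the intent.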
gen_context(system_u:object_r:qmail_alias_home_t,s0) - - /var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) - /var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -@@ -29,9 +13,36 @@ - /var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) - /var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) - /var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) --/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) --/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) -+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) -+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) -+ -+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) -+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) -+ -+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) -+ -+ifdef(`distro_debian', ` -+/etc/qmail(/.*)? 
gen_context(system_u:object_r:qmail_etc_t,s0) -+ -+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) -+ -+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) -+ -+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) -+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) -+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) -+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) -+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) -+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) -+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) -+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) -+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) -+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) -+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) -+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) -+ -+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - --/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) -+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) -+') - --/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) -diff --git a/qmail.if b/qmail.if -index e4f0000..05e219e 100644 ---- a/qmail.if -+++ b/qmail.if -@@ -1,12 +1,12 @@ --## Qmail Mail Server. -+## Qmail Mail Server - - ######################################## - ## --## Template for qmail parent/sub-domain pairs. -+## Template for qmail parent/sub-domain pairs - ## - ## - ## --## The prefix of the child domain. 
-+## The prefix of the child domain - ## - ## - ## -@@ -16,35 +16,39 @@ - ## - # - template(`qmail_child_domain_template',` -- gen_require(` -- attribute qmail_child_domain; -- ') -- -- ######################################## -- # -- # Declarations -- # -- -- type $1_t, qmail_child_domain; -- type $1_exec_t; -+ type $1_t; - domain_type($1_t) -+ type $1_exec_t; - domain_entry_file($1_t, $1_exec_t) -- -+ domain_auto_trans($2, $1_exec_t, $1_t) - role system_r types $1_t; - -- ######################################## -- # -- # Policy -- # -+ allow $1_t self:process signal_perms; -+ -+ allow $1_t $2:fd use; -+ allow $1_t $2:fifo_file rw_file_perms; -+ allow $1_t $2:process sigchld; -+ -+ allow $1_t qmail_etc_t:dir list_dir_perms; -+ allow $1_t qmail_etc_t:file read_file_perms; -+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; -+ -+ allow $1_t qmail_start_t:fd use; -+ -+ kernel_list_proc($2) -+ kernel_read_proc_symlinks($2) - -- domtrans_pattern($2, $1_exec_t, $1_t) -+ corecmd_search_bin($1_t) -+ -+ files_search_var($1_t) -+ -+ fs_getattr_xattr_fs($1_t) - -- kernel_read_system_state($2) - ') - - ######################################## - ## --## Transition to qmail_inject_t. -+## Transition to qmail_inject_t - ## - ## - ## -@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',` - type qmail_inject_t, qmail_inject_exec_t; - ') - -+ corecmd_search_bin($1) - domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) - - ifdef(`distro_debian',` - files_search_usr($1) -- corecmd_search_bin($1) - ',` - files_search_var($1) - ') -@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',` - - ######################################## - ## --## Transition to qmail_queue_t. 
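Review bot: `allow $1_t $2:fifo_file rw_file_perms;` in qmail_child_domain_template applies the generic file permission set to a fifo_file; the file's own qmail_rw_spool_pipes interface spells this `rw_fifo_file_perms`, and the same slip appears in qmail.te where `allow qmail_local_t self:fifo_file write_file_perms;` replaces write_fifo_file_perms in the `-@@ -96,18 +81,18 @@` hunk. The rewrite also drops the gen_require while still referencing qmail_etc_t and qmail_start_t, which works only because the template is instantiated inside this module, and the hand-written fd/fifo/sigchld rules around `domain_auto_trans($2, $1_exec_t, $1_t)` restate what the removed domtrans_pattern expressed in one line. A one-line comment on `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)` explaining why the parent domain needs /proc access for each child would help.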
-+## Transition to qmail_queue_t - ## - ## - ## -@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',` - type qmail_queue_t, qmail_queue_exec_t; - ') - -+ corecmd_search_bin($1) - domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) - - ifdef(`distro_debian',` - files_search_usr($1) -- corecmd_search_bin($1) - ',` - files_search_var($1) - ') -@@ -108,20 +112,21 @@ interface(`qmail_read_config',` - type qmail_etc_t; - ') - -- files_search_var($1) - allow $1 qmail_etc_t:dir list_dir_perms; - allow $1 qmail_etc_t:file read_file_perms; - allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; -+ files_search_var($1) - - ifdef(`distro_debian',` -+ # handle /etc/qmail - files_search_etc($1) - ') - ') - - ######################################## - ## --## Define the specified domain as a --## qmail-smtp service. -+## Define the specified domain as a qmail-smtp service. -+## Needed by antivirus/antispam filters. - ## - ## - ## -@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',` - - domtrans_pattern(qmail_smtpd_t, $2, $1) - ') -+ -+######################################## -+## -+## Create, read, write, and delete qmail -+## spool directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qmail_manage_spool_dirs',` -+ gen_require(` -+ type qmail_spool_t; -+ ') -+ -+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete qmail -+## spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qmail_manage_spool_files',` -+ gen_require(` -+ type qmail_spool_t; -+ ') -+ -+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t) -+') -+ -+######################################## -+## -+## Read and write to qmail spool pipes. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`qmail_rw_spool_pipes',` -+ gen_require(` -+ type qmail_spool_t; -+ ') -+ -+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; -+') -diff --git a/qmail.te b/qmail.te -index 1bef513..af2850e 100644 ---- a/qmail.te -+++ b/qmail.te -@@ -1,11 +1,11 @@ --policy_module(qmail, 1.5.1) -+policy_module(qmail, 1.5.0) - - ######################################## - # - # Declarations - # - --attribute qmail_child_domain; -+attribute qmail_user_domains; - - type qmail_alias_home_t; - files_type(qmail_alias_home_t) -@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t) - type qmail_exec_t; - files_type(qmail_exec_t) - --type qmail_inject_t; -+type qmail_inject_t, qmail_user_domains; - type qmail_inject_exec_t; - domain_type(qmail_inject_t) - domain_entry_file(qmail_inject_t, qmail_inject_exec_t) -@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t) - mta_mailserver_delivery(qmail_lspawn_t) - - qmail_child_domain_template(qmail_queue, qmail_inject_t) -+typeattribute qmail_queue_t qmail_user_domains; - mta_mailserver_user_agent(qmail_queue_t) - - qmail_child_domain_template(qmail_remote, qmail_rspawn_t) - mta_mailserver_sender(qmail_remote_t) - - qmail_child_domain_template(qmail_rspawn, qmail_start_t) -+ - qmail_child_domain_template(qmail_send, qmail_start_t) -+ - qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) -+ - qmail_child_domain_template(qmail_splogger, qmail_start_t) - - type qmail_spool_t; --files_type(qmail_spool_t) -+files_spool_file(qmail_spool_t) - - type qmail_start_t; - type qmail_start_exec_t; -@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) - - ######################################## - # --# Common qmail child domain local policy --# -- --allow qmail_child_domain self:process signal_perms; -- --allow qmail_child_domain qmail_etc_t:dir list_dir_perms; --allow qmail_child_domain qmail_etc_t:file read_file_perms; --allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms; 
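Review bot: The parameter doc of the new qmail_rw_spool_pipes reads `## Domain to not audit.` although the interface is an allow rule; it should read `## Domain allowed access.` like the two manage_spool interfaces above it. None of the three new interfaces grants search on the parent directory of the spool (qmail_spool_t becomes a files_spool_file type in the qmail.te hunk), so a caller reaching it through /var/spool may still need `files_search_spool($1)`; worth confirming against the callers that use them.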
-- --allow qmail_child_domain qmail_start_t:fd use; -- --corecmd_search_bin(qmail_child_domain) -- --files_search_var(qmail_child_domain) -- --fs_getattr_xattr_fs(qmail_child_domain) -- --miscfiles_read_localization(qmail_child_domain) -- --######################################## --# --# Clean local policy -+# qmail-clean local policy -+# this component cleans up the queue directory - # - - read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) -@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) - - ######################################## - # --# Inject local policy -+# qmail-inject local policy -+# this component preprocesses mail from stdin and invokes qmail-queue - # - --allow qmail_inject_t self:fifo_file write_fifo_file_perms; - allow qmail_inject_t self:process signal_perms; -+allow qmail_inject_t self:fifo_file write_fifo_file_perms; - - allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; - -@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t) - - files_search_var(qmail_inject_t) - --miscfiles_read_localization(qmail_inject_t) - - qmail_read_config(qmail_inject_t) - - ######################################## - # --# Local local policy -+# qmail-local local policy -+# this component delivers a mail message - # - --allow qmail_local_t self:fifo_file write_fifo_file_perms; - allow qmail_local_t self:process signal_perms; --allow qmail_local_t self:unix_stream_socket { accept listen }; -+allow qmail_local_t self:fifo_file write_file_perms; -+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; - - manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) - manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t) - qmail_domtrans_queue(qmail_local_t) - - optional_policy(` -+ uucp_domtrans(qmail_local_t) -+') -+ -+optional_policy(` - spamassassin_domtrans_client(qmail_local_t) - ') - - 
########################################
- #
--# Lspawn local policy
-+# qmail-lspawn local policy
-+# this component schedules local deliveries
- #
- 
- allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
- 
- read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
- 
--files_read_etc_files(qmail_lspawn_t)
-+corecmd_search_bin(qmail_lspawn_t)
-+
- files_search_pids(qmail_lspawn_t)
- files_search_tmp(qmail_lspawn_t)
- 
- ########################################
- #
--# Queue local policy
-+# qmail-queue local policy
-+# this component places a mail in a delivery queue, later to be processed by qmail-send
- #
- 
- allow qmail_queue_t qmail_lspawn_t:fd use;
- allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
- 
-+allow qmail_queue_t qmail_smtpd_t:process sigchld;
- allow qmail_queue_t qmail_smtpd_t:fd use;
- allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
--allow qmail_queue_t qmail_smtpd_t:process sigchld;
- 
- manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
- manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -183,28 +175,34 @@ optional_policy(`
- 
- ########################################
- #
--# Remote local policy
-+# qmail-remote local policy
-+# this component sends mail via SMTP
- #
- 
-+allow qmail_remote_t self:tcp_socket create_socket_perms;
-+allow qmail_remote_t self:udp_socket create_socket_perms;
-+
- rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
- 
--corenet_all_recvfrom_unlabeled(qmail_remote_t)
- corenet_all_recvfrom_netlabel(qmail_remote_t)
- corenet_tcp_sendrecv_generic_if(qmail_remote_t)
-+corenet_udp_sendrecv_generic_if(qmail_remote_t)
- corenet_tcp_sendrecv_generic_node(qmail_remote_t)
--
--corenet_sendrecv_smtp_client_packets(qmail_remote_t)
--corenet_tcp_connect_smtp_port(qmail_remote_t)
-+corenet_udp_sendrecv_generic_node(qmail_remote_t)
- 
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
-+corenet_udp_sendrecv_dns_port(qmail_remote_t)
-+corenet_tcp_connect_smtp_port(qmail_remote_t)
-+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
- 
- dev_read_rand(qmail_remote_t)
- dev_read_urand(qmail_remote_t)
- 
--sysnet_dns_name_resolve(qmail_remote_t)
-+sysnet_read_config(qmail_remote_t)
- 
- ########################################
- #
--# Rspawn local policy
-+# qmail-rspawn local policy
-+# this component scedules remote deliveries
- #
- 
- allow qmail_rspawn_t self:process signal_perms;
-@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
- 
- rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
- 
-+corecmd_search_bin(qmail_rspawn_t)
-+
- ########################################
- #
--# Send local policy
-+# qmail-send local policy
-+# this component delivers mail messages from the queue
- #
- 
- allow qmail_send_t self:process signal_perms;
-@@ -234,7 +235,8 @@ optional_policy(`
- 
- ########################################
- #
--# Smtpd local policy
-+# qmail-smtpd local policy
-+# this component receives mails via SMTP
- #
- 
- allow qmail_smtpd_t self:process signal_perms;
-@@ -262,26 +264,26 @@ optional_policy(`
- 
- ########################################
- #
--# Splogger local policy
-+# splogger local policy
-+# this component creates entries in syslog
- #
- 
- allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
- 
--files_read_etc_files(qmail_splogger_t)
- 
- init_dontaudit_use_script_fds(qmail_splogger_t)
- 
--miscfiles_read_localization(qmail_splogger_t)
- 
- ########################################
- #
--# Start local policy
-+# qmail-start local policy
-+# this component starts up the mail delivery component
- #
- 
- allow qmail_start_t self:capability { setgid setuid };
- dontaudit qmail_start_t self:capability sys_tty_config;
--allow qmail_start_t self:fifo_file rw_fifo_file_perms;
- allow qmail_start_t self:process signal_perms;
-+allow 
qmail_start_t self:fifo_file rw_fifo_file_perms;
- 
- can_exec(qmail_start_t, qmail_start_exec_t)
- 
-@@ -298,7 +300,8 @@ optional_policy(`
- 
- ########################################
- #
--# Tcp-env local policy
-+# tcp-env local policy
-+# this component sets up TCP-related environment variables
- #
- 
- allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
-diff --git a/qpid.if b/qpid.if
-index cd51b96..f7e9c70 100644
---- a/qpid.if
-+++ b/qpid.if
-@@ -1,4 +1,4 @@
--## Apache QPID AMQP messaging server.
-+## policy for qpidd
- 
- ########################################
- ##
-@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
- type qpidd_t, qpidd_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, qpidd_exec_t, qpidd_t)
- ')
- 
--#####################################
-+########################################
- ##
--## Read and write access qpidd semaphores.
-+## Execute qpidd server in the qpidd domain.
- ##
- ##
- ##
-@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
- ##
- ##
- #
--interface(`qpidd_rw_semaphores',`
-+interface(`qpidd_initrc_domtrans',`
- gen_require(`
-- type qpidd_t;
-+ type qpidd_initrc_exec_t;
- ')
- 
-- allow $1 qpidd_t:sem rw_sem_perms;
-+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
- ')
- 
- ########################################
- ##
--## Read and write qpidd shared memory.
-+## Read qpidd PID files.
- ##
- ##
- ##
-@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
- ##
- ##
- #
--interface(`qpidd_rw_shm',`
-+interface(`qpidd_read_pid_files',`
- gen_require(`
-- type qpidd_t;
-+ type qpidd_var_run_t;
- ')
- 
-- allow $1 qpidd_t:shm rw_shm_perms;
-+ files_search_pids($1)
-+ allow $1 qpidd_var_run_t:file read_file_perms;
- ')
- 
- ########################################
- ##
--## Execute qpidd init script in
--## the initrc domain.
-+## Manage qpidd var_run files.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`qpidd_initrc_domtrans',`
-+interface(`qpidd_manage_var_run',`
- gen_require(`
-- type qpidd_initrc_exec_t;
-+ type qpidd_var_run_t;
- ')
- 
-- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
-+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
- ')
- 
- ########################################
- ##
--## Read qpidd pid files.
-+## Search qpidd lib directories.
- ##
- ##
- ##
-@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
- ##
- ##
- #
--interface(`qpidd_read_pid_files',`
-+interface(`qpidd_search_lib',`
- gen_require(`
-- type qpidd_var_run_t;
-+ type qpidd_var_lib_t;
- ')
- 
-- files_search_pids($1)
-- allow $1 qpidd_var_run_t:file read_file_perms;
-+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
- ')
- 
- ########################################
- ##
--## Search qpidd lib directories.
-+## Read qpidd lib files.
- ##
- ##
- ##
-@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
- ##
- ##
- #
--interface(`qpidd_search_lib',`
-+interface(`qpidd_read_lib_files',`
- gen_require(`
- type qpidd_var_lib_t;
- ')
- 
- files_search_var_lib($1)
-- allow $1 qpidd_var_lib_t:dir search_dir_perms;
-+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- ')
- 
- ########################################
- ##
--## Read qpidd lib files.
-+## Create, read, write, and delete
-+## qpidd lib files.
- ##
- ##
- ##
-@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
- ##
- ##
- #
--interface(`qpidd_read_lib_files',`
-+interface(`qpidd_manage_lib_files',`
- gen_require(`
- type qpidd_var_lib_t;
- ')
- 
- files_search_var_lib($1)
-- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## qpidd lib files.
-+## Manage qpidd var_lib files.
- ##
- ##
- ##
-@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
- ##
- ##
- #
--interface(`qpidd_manage_lib_files',`
-+interface(`qpidd_manage_var_lib',`
- gen_require(`
- type qpidd_var_lib_t;
- ')
- 
- files_search_var_lib($1)
-+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
-+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
- ')
- 
--########################################
-+#####################################
- ##
--## All of the rules required to
--## administrate an qpidd environment.
-+## Allow read and write access to qpidd semaphores.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+#
-+interface(`qpidd_rw_semaphores',`
-+ gen_require(`
-+ type qpidd_t;
-+ ')
-+
-+ allow $1 qpidd_t:sem rw_sem_perms;
-+')
-+
-+#######################################
-+##
-+## Read and write to qpidd shared memory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`qpidd_rw_shm',`
-+ gen_require(`
-+ type qpidd_t;
-+ type qpidd_tmpfs_t;
-+ ')
-+
-+ allow $1 qpidd_t:shm rw_shm_perms;
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
-+')
-+
-+#######################################
-+##
-+## All of the rules required to
-+## administrate an qpidd environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
- ##
--##
--## Role allowed access.
--##
-+##
-+## Role allowed access.
-+##
- ##
- ##
- #
- interface(`qpidd_admin',`
-- gen_require(`
-- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
-- type qpidd_var_run_t;
-- ')
-+ gen_require(`
-+ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
-+ type qpidd_var_run_t;
-+ ')
- 
-- allow $1 qpidd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, qpidd_t)
-+ allow $1 qpidd_t:process { signal_perms };
-+ ps_process_pattern($1, qpidd_t)
- 
-- qpidd_initrc_domtrans($1)
-- domain_system_change_exemption($1)
-- role_transition $2 qpidd_initrc_exec_t system_r;
-- allow $2 system_r;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 qpidd_t:process ptrace;
-+ ')
- 
-- files_search_var_lib($1(
-- admin_pattern($1, qpidd_var_lib_t)
-+ qpidd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 qpidd_initrc_exec_t system_r;
-+ allow $2 system_r;
- 
-- files_search_pids($1)
-- admin_pattern($1, qpidd_var_run_t)
-+ files_search_var_lib($1)
-+ admin_pattern($1, qpidd_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, qpidd_var_run_t)
- ')
-diff --git a/qpid.te b/qpid.te
-index 76f5b39..8bb80a2 100644
---- a/qpid.te
-+++ b/qpid.te
-@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
- type qpidd_initrc_exec_t;
- init_script_file(qpidd_initrc_exec_t)
- 
-+type qpidd_tmp_t;
-+files_tmp_file(qpidd_tmp_t)
-+
- type qpidd_tmpfs_t;
- files_tmpfs_file(qpidd_tmpfs_t)
- 
-@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
- allow qpidd_t self:tcp_socket { accept listen };
- allow qpidd_t self:unix_stream_socket { accept listen };
- 
-+manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
-+manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
-+files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
-+
- manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
- manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
- fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
- 
--manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
--manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
- files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
- 
--manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
--manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
- files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
- 
- kernel_read_system_state(qpidd_t)
- 
--corenet_all_recvfrom_unlabeled(qpidd_t)
- corenet_all_recvfrom_netlabel(qpidd_t)
-+corenet_tcp_bind_generic_node(qpidd_t)
- corenet_tcp_sendrecv_generic_if(qpidd_t)
- corenet_tcp_sendrecv_generic_node(qpidd_t)
--corenet_tcp_bind_generic_node(qpidd_t)
- 
- corenet_sendrecv_amqp_server_packets(qpidd_t)
- corenet_tcp_bind_amqp_port(qpidd_t)
- corenet_tcp_sendrecv_amqp_port(qpidd_t)
- 
-+corenet_tcp_bind_matahari_port(qpidd_t)
-+corenet_tcp_connect_matahari_port(qpidd_t)
-+
- dev_read_sysfs(qpidd_t)
- dev_read_urand(qpidd_t)
-+dev_read_rand(qpidd_t)
- 
--files_read_etc_files(qpidd_t)
-+# needed by ssl
-+files_list_tmp(qpidd_t)
- 
- logging_send_syslog_msg(qpidd_t)
- 
--miscfiles_read_localization(qpidd_t)
--
- sysnet_dns_name_resolve(qpidd_t)
- 
- optional_policy(`
-- corosync_stream_connect(qpidd_t)
-+ kerberos_use(qpidd_t)
- ')
-+
-+optional_policy(`
-+ rhcs_stream_connect_cluster(qpidd_t)
-+')
-+
-diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..1de192b 100644
---- a/quantum.fc
-+++ b/quantum.fc
-@@ -1,10 +1,26 @@
--/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
- 
--/usr/bin/quantum-server -- 
gen_context(system_u:object_r:quantum_exec_t,s0)
--/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
--/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
--/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
-+/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
- 
--/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
-+/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
-+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
- 
--/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
-+/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
-+/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
-+
-+/var/log/neutron(/.*)? 
gen_context(system_u:object_r:neutron_log_t,s0)
-+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
-diff --git a/quantum.if b/quantum.if
-index afc0068..3105104 100644
---- a/quantum.if
-+++ b/quantum.if
-@@ -2,41 +2,293 @@
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an quantum environment.
-+## Transition to neutron.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`neutron_domtrans',`
-+ gen_require(`
-+ type neutron_t, neutron_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, neutron_exec_t, neutron_t)
-+')
-+
-+########################################
-+##
-+## Allow read/write neutron pipes
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`neutron_rw_inherited_pipes',`
-+ gen_require(`
-+ type neutron_t;
-+ ')
-+
-+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Send sigchld to neutron.
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
-+##
-+##
-+#
-+#
-+interface(`neutron_sigchld',`
-+ gen_require(`
-+ type neutron_t;
-+ ')
-+
-+ allow $1 neutron_t:process sigchld;
-+')
-+
-+########################################
-+##
-+## Read neutron's log files.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- ##
- #
--interface(`quantum_admin',`
-+interface(`neutron_read_log',`
-+ gen_require(`
-+ type neutron_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, neutron_log_t, neutron_log_t)
-+')
-+
-+########################################
-+##
-+## Append to neutron log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_append_log',`
-+ gen_require(`
-+ type neutron_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, neutron_log_t, neutron_log_t)
-+')
-+
-+########################################
-+##
-+## Manage neutron log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_manage_log',`
-+ gen_require(`
-+ type neutron_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
-+ manage_files_pattern($1, neutron_log_t, neutron_log_t)
-+ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
-+')
-+
-+########################################
-+##
-+## Search neutron lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_search_lib',`
-+ gen_require(`
-+ type neutron_var_lib_t;
-+ ')
-+
-+ allow $1 neutron_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read neutron lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_read_lib_files',`
- gen_require(`
-- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
-- type quantum_var_lib_t, quantum_tmp_t;
-+ type neutron_var_lib_t;
- ')
- 
-- allow $1 quantum_t:process { ptrace signal_perms };
-- ps_process_pattern($1, quantum_t)
-+ files_search_var_lib($1)
-+ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage neutron lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_manage_lib_files',`
-+ gen_require(`
-+ type neutron_var_lib_t;
-+ ')
- 
-- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 quantum_initrc_exec_t system_r;
-- allow $2 system_r;
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage neutron lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_manage_lib_dirs',`
-+ gen_require(`
-+ type neutron_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read and write neutron fifo files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_rw_fifo_file',`
-+ gen_require(`
-+ type neutron_t;
-+ ')
-+
-+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+#####################################
-+##
-+## Connect to neutron over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_stream_connect',`
-+ gen_require(`
-+ type neutron_t;
-+ type neutron_var_lib_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
-+')
-+
-+########################################
-+##
-+## Execute neutron server in the neutron domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`neutron_systemctl',`
-+ gen_require(`
-+ type neutron_t;
-+ type neutron_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 neutron_unit_file_t:file read_file_perms;
-+ allow $1 neutron_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, neutron_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an neutron environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`neutron_admin',`
-+ gen_require(`
-+ type neutron_t;
-+ type neutron_log_t;
-+ type neutron_var_lib_t;
-+ type neutron_unit_file_t;
-+ ')
-+
-+ allow $1 neutron_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, neutron_t)
- 
- logging_search_logs($1)
-- admin_pattern($1, quantum_log_t)
-+ admin_pattern($1, neutron_log_t)
- 
- files_search_var_lib($1)
-- admin_pattern($1, quantum_var_lib_t)
-+ admin_pattern($1, neutron_var_lib_t)
- 
-- files_search_tmp($1)
-- admin_pattern($1, quantum_tmp_t)
-+ neutron_systemctl($1)
-+ admin_pattern($1, neutron_unit_file_t)
-+ allow $1 neutron_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-diff --git a/quantum.te b/quantum.te
-index 769d1fd..acee489 100644
---- a/quantum.te
-+++ b/quantum.te
-@@ -1,96 +1,109 @@
--policy_module(quantum, 1.0.2)
-+policy_module(quantum, 1.0.3)
- 
- ########################################
- #
- # Declarations
- #
- 
--type quantum_t;
--type quantum_exec_t;
--init_daemon_domain(quantum_t, quantum_exec_t)
-+type neutron_t alias quantum_t;
-+type neutron_exec_t alias quantum_exec_t;
-+init_daemon_domain(neutron_t, neutron_exec_t)
- 
--type quantum_initrc_exec_t;
--init_script_file(quantum_initrc_exec_t)
-+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
-+init_script_file(neutron_initrc_exec_t)
- 
--type quantum_log_t;
--logging_log_file(quantum_log_t)
-+type neutron_log_t alias quantum_log_t;
-+logging_log_file(neutron_log_t)
- 
--type quantum_tmp_t;
--files_tmp_file(quantum_tmp_t)
-+type neutron_tmp_t alias quantum_tmp_t;
-+files_tmp_file(neutron_tmp_t)
- 
--type quantum_var_lib_t;
--files_type(quantum_var_lib_t)
-+type neutron_var_lib_t alias quantum_var_lib_t;
-+files_type(neutron_var_lib_t)
-+
-+type neutron_unit_file_t alias quantum_unit_file_t;
-+systemd_unit_file(neutron_unit_file_t)
- 
- ########################################
- #
- # Local policy
- #
- 
--allow quantum_t self:capability { setgid setuid sys_resource };
--allow quantum_t self:process { setsched setrlimit };
--allow quantum_t self:fifo_file rw_fifo_file_perms;
--allow quantum_t self:key manage_key_perms;
--allow quantum_t self:tcp_socket { accept listen };
--allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource };
-+allow neutron_t self:process { setsched setrlimit };
-+allow neutron_t self:fifo_file rw_fifo_file_perms;
-+allow neutron_t self:key manage_key_perms;
-+allow neutron_t self:tcp_socket { accept listen };
-+allow neutron_t self:unix_stream_socket { accept listen };
- 
--manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
--append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
--logging_log_filetrans(quantum_t, quantum_log_t, dir)
-+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
-+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
-+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
-+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
-+logging_log_filetrans(neutron_t, neutron_log_t, dir)
- 
--manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
--files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
- 
--manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
--files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
-+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
-+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
-+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
- 
--can_exec(quantum_t, quantum_tmp_t)
-+can_exec(neutron_t, neutron_tmp_t)
- 
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
-+kernel_read_kernel_sysctls(neutron_t)
-+kernel_read_system_state(neutron_t)
- 
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
-+corecmd_exec_shell(neutron_t)
-+corecmd_exec_bin(neutron_t)
- 
--corenet_all_recvfrom_unlabeled(quantum_t)
--corenet_all_recvfrom_netlabel(quantum_t)
--corenet_tcp_sendrecv_generic_if(quantum_t)
--corenet_tcp_sendrecv_generic_node(quantum_t)
--corenet_tcp_sendrecv_all_ports(quantum_t)
--corenet_tcp_bind_generic_node(quantum_t)
-+corenet_all_recvfrom_unlabeled(neutron_t)
-+corenet_all_recvfrom_netlabel(neutron_t)
-+corenet_tcp_sendrecv_generic_if(neutron_t)
-+corenet_tcp_sendrecv_generic_node(neutron_t)
-+corenet_tcp_sendrecv_all_ports(neutron_t)
-+corenet_tcp_bind_generic_node(neutron_t)
- 
--dev_list_sysfs(quantum_t)
--dev_read_urand(quantum_t)
-+corenet_tcp_bind_neutron_port(neutron_t)
-+corenet_tcp_connect_keystone_port(neutron_t)
-+corenet_tcp_connect_amqp_port(neutron_t)
-+corenet_tcp_connect_mysqld_port(neutron_t)
- 
--files_read_usr_files(quantum_t)
-+dev_list_sysfs(neutron_t)
-+dev_read_urand(neutron_t)
- 
--auth_use_nsswitch(quantum_t)
-+auth_use_nsswitch(neutron_t)
- 
--libs_exec_ldconfig(quantum_t)
-+libs_exec_ldconfig(neutron_t)
- 
--logging_send_audit_msgs(quantum_t)
--logging_send_syslog_msg(quantum_t)
-+logging_send_audit_msgs(neutron_t)
-+logging_send_syslog_msg(neutron_t)
- 
--miscfiles_read_localization(quantum_t)
-+sysnet_domtrans_ifconfig(neutron_t)
- 
--sysnet_domtrans_ifconfig(quantum_t)
-+optional_policy(`
-+ brctl_domtrans(neutron_t)
-+')
- 
- optional_policy(`
-- brctl_domtrans(quantum_t)
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_config(neutron_t)
-+
-+ mysql_tcp_connect(neutron_t)
- ')
- 
- optional_policy(`
-- mysql_stream_connect(quantum_t)
-- mysql_read_config(quantum_t)
-+ postgresql_stream_connect(neutron_t)
-+ postgresql_unpriv_client(neutron_t)
- 
-- mysql_tcp_connect(quantum_t)
-+ postgresql_tcp_connect(neutron_t)
- ')
- 
- optional_policy(`
-- postgresql_stream_connect(quantum_t)
-- postgresql_unpriv_client(quantum_t)
-+ openvswitch_domtrans(neutron_t)
-+ openvswitch_stream_connect(neutron_t)
-+')
- 
-- postgresql_tcp_connect(quantum_t)
-+optional_policy(`
-+ sudo_exec(neutron_t)
- ')
-diff --git a/quota.fc b/quota.fc
-index cadabe3..0ee2489 100644
---- a/quota.fc
-+++ b/quota.fc
-@@ -1,6 +1,5 @@
- HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
--
--HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- 
- /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- 
-@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- 
- /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- 
--/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
--
--/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
--/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
- 
--/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
- /usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
--/usr/sbin/quota_nld -- 
gen_context(system_u:object_r:quota_nld_exec_t,s0)
- 
- /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
-+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- 
--/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
-+ifdef(`distro_redhat',`
-+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-+',`
-+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-+')
- 
--/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
-+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
- 
--/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- 
--/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
--/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
--/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
--/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
-diff --git a/quota.if b/quota.if
-index da64218..3fb8575 100644
---- a/quota.if
-+++ b/quota.if
-@@ -1,4 +1,4 @@
--## File system quota management.
-+## File system quota management
- 
- ########################################
- ##
-@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
- 
- ########################################
- ##
--## Execute quota management tools in
--## the quota domain, and allow the
--## specified role the quota domain.
-+## Execute quota management tools in the quota domain, and
-+## allow the specified role the quota domain.
- ##
- ##
- ##
-@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
- #
- interface(`quota_run',`
- gen_require(`
-- attribute_role quota_roles;
-+ type quota_t;
- ')
- 
- quota_domtrans($1)
-- roleattribute $2 quota_roles;
-+ role $2 types quota_t;
- ')
- 
- #######################################
- ##
--## Execute quota nld in the quota nld domain.
-+## Alow to read of filesystem quota data files.
- ##
- ##
--##
--## Domain allowed to transition.
--##
-+##
-+## Domain to not audit.
-+##
- ##
- #
--interface(`quota_domtrans_nld',`
-- gen_require(`
-- type quota_nld_t, quota_nld_exec_t;
-- ')
-+interface(`quota_read_db',`
-+ gen_require(`
-+ type quota_db_t;
-+ ')
- 
-- corecmd_search_bin($1)
-- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
-+ allow $1 quota_db_t:file read_file_perms;
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## quota db files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`quota_manage_db_files',`
-- gen_require(`
-- type quota_db_t;
-- ')
--
-- allow $1 quota_db_t:file manage_file_perms;
--')
--
--########################################
--##
--## Create specified objects in specified
--## directories with a type transition to
--## the quota db file type.
-+## Do not audit attempts to get the attributes
-+## of filesystem quota data files.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## Directory to transition on.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`quota_spec_filetrans_db',`
-+interface(`quota_dontaudit_getattr_db',`
- gen_require(`
- type quota_db_t;
- ')
- 
-- filetrans_pattern($1, $2, quota_db_t, $3, $4)
-+ dontaudit $1 quota_db_t:file getattr_file_perms;
- ')
- 
- ########################################
- ##
--## Do not audit attempts to get attributes
--## of filesystem quota data files.
-+## Create, read, write, and delete quota -+## db files. - ## - ## - ## -@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',` - ## - ## - # --interface(`quota_dontaudit_getattr_db',` -+interface(`quota_manage_db',` - gen_require(` - type quota_db_t; - ') - -- dontaudit $1 quota_db_t:file getattr_file_perms; -+ allow $1 quota_db_t:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## quota flag files. -+## Create, read, write, and delete quota -+## flag files. - ## - ## - ## -@@ -160,37 +123,56 @@ interface(`quota_manage_flags',` - - ######################################## - ## --## All of the rules required to --## administrate an quota environment. -+## Transition to quota named content - ## - ## - ## --## Domain allowed access. --## --## --## --## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # --interface(`quota_admin',` -+interface(`quota_filetrans_named_content',` - gen_require(` -- type quota_nld_t, quota_t, quota_db_t; -- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t; -+ type quota_db_t; - ') - -- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { quota_nld_t quota_t }) -- -- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 quota_nld_initrc_exec_t system_r; -- allow $2 system_r; -+ files_root_filetrans($1, quota_db_t, file, "aquota.user") -+ files_root_filetrans($1, quota_db_t, file, "aquota.group") -+ files_boot_filetrans($1, quota_db_t, file, "aquota.user") -+ files_boot_filetrans($1, quota_db_t, file, "aquota.group") -+ files_etc_filetrans($1, quota_db_t, file, "aquota.user") -+ files_etc_filetrans($1, quota_db_t, file, "aquota.group") -+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user") -+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group") -+ files_home_filetrans($1, quota_db_t, file, "aquota.user") -+ 
files_home_filetrans($1, quota_db_t, file, "aquota.group") -+ files_usr_filetrans($1, quota_db_t, file, "aquota.user") -+ files_usr_filetrans($1, quota_db_t, file, "aquota.group") -+ files_var_filetrans($1, quota_db_t, file, "aquota.user") -+ files_var_filetrans($1, quota_db_t, file, "aquota.group") -+ files_spool_filetrans($1, quota_db_t, file, "aquota.user") -+ files_spool_filetrans($1, quota_db_t, file, "aquota.group") -+ mta_spool_filetrans($1, quota_db_t, file, "aquota.user") -+ mta_spool_filetrans($1, quota_db_t, file, "aquota.group") -+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user") -+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group") -+') - -- files_list_all($1) -- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t }) -+####################################### -+## -+## Transition to quota_nld. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`quota_domtrans_nld',` -+ gen_require(` -+ type quota_nld_t, quota_nld_exec_t; -+ ') - -- quota_run($1, $2) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) - ') -diff --git a/quota.te b/quota.te -index 4b2c272..1aee969 100644 ---- a/quota.te -+++ b/quota.te -@@ -1,16 +1,14 @@ --policy_module(quota, 1.5.2) -+policy_module(quota, 1.5.0) - - ######################################## - # - # Declarations - # - --attribute_role quota_roles; -- - type quota_t; - type quota_exec_t; --init_system_domain(quota_t, quota_exec_t) --role quota_roles types quota_t; -+application_domain(quota_t, quota_exec_t) -+#init_system_domain(quota_t, quota_exec_t) - - type quota_db_t; - files_type(quota_db_t) -@@ -22,9 +20,6 @@ type quota_nld_t; - type quota_nld_exec_t; - init_daemon_domain(quota_nld_t, quota_nld_exec_t) - --type quota_nld_initrc_exec_t; --init_script_file(quota_nld_initrc_exec_t) -- - type quota_nld_var_run_t; - files_pid_file(quota_nld_var_run_t) - -@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override }; - 
dontaudit quota_t self:capability sys_tty_config; - allow quota_t self:process signal_perms; - -+# for /quota.* - allow quota_t quota_db_t:file { manage_file_perms quotaon }; - files_root_filetrans(quota_t, quota_db_t, file) - files_boot_filetrans(quota_t, quota_db_t, file) -@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file) - files_spool_filetrans(quota_t, quota_db_t, file) - userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) - --kernel_request_load_module(quota_t) - kernel_list_proc(quota_t) - kernel_read_proc_symlinks(quota_t) - kernel_read_kernel_sysctls(quota_t) -@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t) - dev_getattr_all_blk_files(quota_t) - dev_getattr_all_chr_files(quota_t) - --files_list_all(quota_t) --files_read_all_files(quota_t) --files_read_all_symlinks(quota_t) --files_getattr_all_pipes(quota_t) --files_getattr_all_sockets(quota_t) --files_getattr_all_file_type_fs(quota_t) --files_read_etc_runtime_files(quota_t) -- - fs_get_xattr_fs_quotas(quota_t) - fs_set_xattr_fs_quotas(quota_t) - fs_getattr_xattr_fs(quota_t) -@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t) - - domain_use_interactive_fds(quota_t) - -+files_list_all(quota_t) -+files_read_all_files(quota_t) -+files_read_all_symlinks(quota_t) -+files_getattr_all_pipes(quota_t) -+files_getattr_all_sockets(quota_t) -+files_getattr_all_file_type_fs(quota_t) -+# Read /etc/mtab. 
-+files_read_etc_runtime_files(quota_t) -+ - init_use_fds(quota_t) - init_use_script_ptys(quota_t) - - logging_send_syslog_msg(quota_t) - --userdom_use_user_terminals(quota_t) -+mta_spool_filetrans(quota_t, quota_db_t, file) -+mta_spool_filetrans_queue(quota_t, quota_db_t, file) -+ -+userdom_use_inherited_user_terminals(quota_t) - userdom_dontaudit_use_unpriv_user_fds(quota_t) - - optional_policy(` -- mta_queue_filetrans(quota_t, quota_db_t, file) -- mta_spool_filetrans(quota_t, quota_db_t, file) -+ openshift_lib_filetrans(quota_t, quota_db_t, file) - ') - - optional_policy(` -@@ -103,12 +101,12 @@ optional_policy(` - - ####################################### - # --# Nld local policy -+# Local policy - # - - allow quota_nld_t self:fifo_file rw_fifo_file_perms; - allow quota_nld_t self:netlink_socket create_socket_perms; --allow quota_nld_t self:unix_stream_socket { accept listen }; -+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; - - manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) - files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) -@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t) - - logging_send_syslog_msg(quota_nld_t) - --miscfiles_read_localization(quota_nld_t) -- - userdom_use_user_terminals(quota_nld_t) - - optional_policy(` -- dbus_system_bus_client(quota_nld_t) -- dbus_connect_system_bus(quota_nld_t) -+ dbus_system_bus_client(quota_nld_t) -+ dbus_connect_system_bus(quota_nld_t) - ') -diff --git a/rabbitmq.fc b/rabbitmq.fc -index c5ad6de..a48c318 100644 ---- a/rabbitmq.fc -+++ b/rabbitmq.fc -@@ -4,7 +4,11 @@ - /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) - - /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+ -+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0) - - /var/log/rabbitmq(/.*)? 
gen_context(system_u:object_r:rabbitmq_var_log_t,s0) -+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) - - /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) -diff --git a/rabbitmq.if b/rabbitmq.if -index 2c3d338..cf3e5ad 100644 ---- a/rabbitmq.if -+++ b/rabbitmq.if -@@ -10,13 +10,13 @@ - ## - ## - # --interface(`rabbitmq_domtrans',` -+interface(`rabbitmq_domtrans_beam',` - gen_require(` -- type rabbitmq_t, rabbitmq_exec_t; -+ type rabbitmq_beam_t, rabbitmq_beam_exec_t; - ') - - corecmd_search_bin($1) -- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) -+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t) - ') - - ######################################## -diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..136b017 100644 ---- a/rabbitmq.te -+++ b/rabbitmq.te -@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) - type rabbitmq_var_lib_t; - files_type(rabbitmq_var_lib_t) - -+type rabbitmq_var_lock_t; -+files_lock_file(rabbitmq_var_lock_t) -+ - type rabbitmq_var_log_t; - logging_log_file(rabbitmq_var_log_t) - -@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t) - # Beam local policy - # - -+allow rabbitmq_beam_t self:capability setuid; -+ - allow rabbitmq_beam_t self:process { setsched signal signull }; - allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; - allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) - manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) - - manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) --append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) --create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) --setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -+ 
-+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) -+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) -+files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file) - - manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) - manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) - -+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) -+ - can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) - - domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) - - kernel_read_system_state(rabbitmq_beam_t) -+kernel_read_fs_sysctls(rabbitmq_beam_t) - - corecmd_exec_bin(rabbitmq_beam_t) - corecmd_exec_shell(rabbitmq_beam_t) - -+corenet_tcp_bind_generic_node(rabbitmq_beam_t) -+corenet_udp_bind_generic_node(rabbitmq_beam_t) - corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) - corenet_all_recvfrom_netlabel(rabbitmq_beam_t) - corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) - corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) - corenet_tcp_bind_generic_node(rabbitmq_beam_t) -+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) - - corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) - corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) - corenet_tcp_connect_epmd_port(rabbitmq_beam_t) - corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) - --dev_read_sysfs(rabbitmq_beam_t) -+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) -+ -+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) -+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) -+ -+domain_read_all_domains_state(rabbitmq_beam_t) -+ -+auth_read_passwd(rabbitmq_beam_t) -+auth_use_pam(rabbitmq_beam_t) - --files_read_etc_files(rabbitmq_beam_t) -+files_getattr_all_mountpoints(rabbitmq_beam_t) - --miscfiles_read_localization(rabbitmq_beam_t) -+fs_getattr_all_fs(rabbitmq_beam_t) -+fs_getattr_all_dirs(rabbitmq_beam_t) 
-+fs_getattr_cgroup(rabbitmq_beam_t) -+fs_search_cgroup_dirs(rabbitmq_beam_t) -+ -+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) -+ -+dev_read_sysfs(rabbitmq_beam_t) -+dev_read_urand(rabbitmq_beam_t) -+ -+storage_getattr_fixed_disk_dev(rabbitmq_beam_t) - - sysnet_dns_name_resolve(rabbitmq_beam_t) - -+logging_send_syslog_msg(rabbitmq_beam_t) -+ -+optional_policy(` -+ couchdb_manage_lib_files(rabbitmq_beam_t) -+ couchdb_read_conf_files(rabbitmq_beam_t) -+ couchdb_read_log_files(rabbitmq_beam_t) -+ couchdb_search_pid_dirs(rabbitmq_beam_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(rabbitmq_beam_t) -+') -+ - ######################################## - # - # Epmd local policy - # - -- - allow rabbitmq_epmd_t self:process signal; - allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; - allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) - corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) - corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) - --files_read_etc_files(rabbitmq_epmd_t) -- - logging_send_syslog_msg(rabbitmq_epmd_t) - --miscfiles_read_localization(rabbitmq_epmd_t) -diff --git a/radius.fc b/radius.fc -index c84b7ae..29c453e 100644 ---- a/radius.fc -+++ b/radius.fc -@@ -9,6 +9,8 @@ - /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) - /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - -+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) -+ - /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) - - /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -diff --git a/radius.if b/radius.if -index 4460582..60cf556 100644 ---- a/radius.if -+++ b/radius.if -@@ -14,6 +14,29 @@ interface(`radius_use',` - refpolicywarn(`$0($*) has been deprecated.') - ') - -+####################################### -+## -+## Execute radiusd server in the radiusd domain. 
-+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`radiusd_systemctl',` -+ gen_require(` -+ type radiusd_unit_file_t; -+ type radiusd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 radiusd_unit_file_t:file read_file_perms; -+ allow $1 radiusd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, radiusd_t) -+') -+ - ######################################## - ## - ## All of the rules required to -@@ -35,11 +58,14 @@ interface(`radius_admin',` - gen_require(` - type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; -- type radiusd_initrc_exec_t; -+ type radiusd_initrc_exec_t, radiusd_unit_file_t; - ') - -- allow $1 radiusd_t:process { ptrace signal_perms }; -+ allow $1 radiusd_t:process signal_perms; - ps_process_pattern($1, radiusd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 radiusd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -57,4 +83,9 @@ interface(`radius_admin',` - - files_list_pids($1) - admin_pattern($1, radiusd_var_run_t) -+ -+ admin_pattern($1, radiusd_unit_file_t) -+ bind_systemctl($1) -+ allow $1 radiusd_unit_file_t:service all_service_perms; -+ - ') -diff --git a/radius.te b/radius.te -index 1e7927f..eb72458 100644 ---- a/radius.te -+++ b/radius.te -@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) - type radiusd_var_run_t; - files_pid_file(radiusd_var_run_t) - -+type radiusd_unit_file_t; -+systemd_unit_file(radiusd_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) - manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) - manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) - files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) -+files_dontaudit_list_tmp(radiusd_t) - - 
kernel_read_kernel_sysctls(radiusd_t) - kernel_read_system_state(radiusd_t) - --corenet_all_recvfrom_unlabeled(radiusd_t) - corenet_all_recvfrom_netlabel(radiusd_t) - corenet_tcp_sendrecv_generic_if(radiusd_t) - corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) - corenet_udp_sendrecv_all_ports(radiusd_t) - corenet_udp_bind_generic_node(radiusd_t) - -+corenet_tcp_connect_postgresql_port(radiusd_t) -+ - corenet_sendrecv_radacct_server_packets(radiusd_t) - corenet_udp_bind_radacct_port(radiusd_t) - -@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t) - fs_getattr_all_fs(radiusd_t) - fs_search_auto_mountpoints(radiusd_t) - --files_read_usr_files(radiusd_t) - files_read_etc_runtime_files(radiusd_t) - files_dontaudit_list_tmp(radiusd_t) - -@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t) - - logging_send_syslog_msg(radiusd_t) - --miscfiles_read_localization(radiusd_t) - miscfiles_read_generic_certs(radiusd_t) - - sysnet_use_ldap(radiusd_t) -@@ -122,6 +125,11 @@ optional_policy(` - ') - - optional_policy(` -+ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0") -+ kerberos_manage_host_rcache(radiusd_t) -+') -+ -+optional_policy(` - logrotate_exec(radiusd_t) - ') - -diff --git a/radvd.if b/radvd.if -index ac7058d..48739ac 100644 ---- a/radvd.if -+++ b/radvd.if -@@ -1,5 +1,24 @@ - ## IPv6 router advertisement daemon. - -+###################################### -+## -+## Read radvd PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`radvd_read_pid_files',` -+ gen_require(` -+ type radvd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t) -+') -+ - ######################################## - ## - ## All of the rules required to -@@ -23,8 +42,11 @@ interface(`radvd_admin',` - type radvd_var_run_t; - ') - -- allow $1 radvd_t:process { ptrace signal_perms }; -+ allow $1 radvd_t:process signal_perms; - ps_process_pattern($1, radvd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 radvd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, radvd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/radvd.te b/radvd.te -index b31f2d7..046f5b8 100644 ---- a/radvd.te -+++ b/radvd.te -@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t) - - logging_send_syslog_msg(radvd_t) - --miscfiles_read_localization(radvd_t) -- - userdom_dontaudit_use_unpriv_user_fds(radvd_t) - userdom_dontaudit_search_user_home_dirs(radvd_t) - -diff --git a/raid.fc b/raid.fc -index 5806046..5578653 100644 ---- a/raid.fc -+++ b/raid.fc -@@ -3,6 +3,9 @@ - - /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) - -+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) -+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) -+ - /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) -@@ -16,6 +19,7 @@ - /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) - - /var/run/mdadm(/.*)? 
gen_context(system_u:object_r:mdadm_var_run_t,s0) -diff --git a/raid.if b/raid.if -index 951db7f..98a0758 100644 ---- a/raid.if -+++ b/raid.if -@@ -1,9 +1,8 @@ --## RAID array management tools. -+## RAID array management tools - - ######################################## - ## --## Execute software raid tools in --## the mdadm domain. -+## Execute software raid tools in the mdadm domain. - ## - ## - ## -@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',` - - ###################################### - ## --## Execute mdadm in the mdadm --## domain, and allow the specified --## role the mdadm domain. -+## Execute a domain transition to mdadm_t for the -+## specified role, allowing it to use the mdadm_t -+## domain - ## - ## - ## --## Role allowed access. -+## Role allowed to access mdadm_t domain - ## - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed to transition to mdadm_t - ## - ## - # - interface(`raid_run_mdadm',` - gen_require(` -- attribute_role mdadm_roles; -+ type mdadm_t; - ') - -+ role $1 types mdadm_t; - raid_domtrans_mdadm($2) -- roleattribute $1 mdadm_roles; -+') -+ -+###################################### -+## -+## Execute mdadm server in the mdadm domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mdadm_systemctl',` -+ gen_require(` -+ type mdadm_t; -+ type mdadm_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 mdadm_unit_file_t:file read_file_perms; -+ allow $1 mdadm_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, mdadm_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## mdadm pid files. -+## read the mdadm pid files. 
- ## - ## - ## -@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',` - ## - ## - # --interface(`raid_manage_mdadm_pid',` -+interface(`raid_read_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - -- files_search_pids($1) -- allow $1 mdadm_var_run_t:file manage_file_perms; -+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an mdadm environment. -+## Create, read, write, and delete the mdadm pid files. - ## -+## -+##

    -+## Create, read, write, and delete the mdadm pid files. -+##

    -+##

    -+## Added for use in the init module. -+##

    -+##
    - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`raid_manage_mdadm_pid',` -+ gen_require(` -+ type mdadm_var_run_t; -+ ') -+ -+ # FIXME: maybe should have a type_transition. not -+ # clear what this is doing, from the original -+ # mdadm policy -+ allow $1 mdadm_var_run_t:file manage_file_perms; -+') -+ -+####################################### -+## -+## Check access to the mdadm executable. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`raid_access_check_mdadm',` -+ gen_require(` -+ type mdadm_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ allow $1 mdadm_exec_t:file { getattr_file_perms execute }; -+') -+ -+######################################## -+## -+## Manage mdadm config files. -+## -+## - ## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # --interface(`raid_admin_mdadm',` -+interface(`raid_manage_conf_files',` - gen_require(` -- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; -+ type mdadm_conf_t; - ') - -- allow $1 mdadm_t:process { ptrace signal_perms }; -- ps_process_pattern($1, mdadm_t) -- -- init_labeled_script_domtrans($1, mdadm_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 mdadm_initrc_exec_t system_r; -- allow $2 system_r; -+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) -+') - -- files_search_pids($1) -- admin_pattern($1, mdadm_var_run_t) -+######################################## -+## -+## Transition to mdadm named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`raid_filetrans_named_content',` -+ gen_require(` -+ type mdadm_conf_t; -+ ') - -- raid_run_mdadm($2, $1) -+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") - ') -diff --git a/raid.te b/raid.te -index 2c1730b..4699a1e 100644 ---- a/raid.te -+++ b/raid.te -@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t; - type mdadm_initrc_exec_t; - init_script_file(mdadm_initrc_exec_t) - -+type mdadm_conf_t; -+files_config_file(mdadm_conf_t) -+ -+type mdadm_unit_file_t; -+systemd_unit_file(mdadm_unit_file_t) -+ -+type mdadm_tmp_t; -+files_tmpfs_file(mdadm_tmp_t) -+ - type mdadm_var_run_t alias mdadm_map_t; - files_pid_file(mdadm_var_run_t) - dev_associate(mdadm_var_run_t) -@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t) - # - - allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; --dontaudit mdadm_t self:capability sys_tty_config; --allow mdadm_t self:process { getsched setsched signal_perms }; -+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace }; -+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; - allow mdadm_t self:fifo_file rw_fifo_file_perms; - allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t) -+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf") -+ -+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) -+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) -+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) - - manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) - manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) - manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) - manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) --dev_filetrans(mdadm_t, mdadm_var_run_t, file) --files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file }) 
-+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) -+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) -+ -+can_exec(mdadm_t, mdadm_exec_t) - - kernel_getattr_core_if(mdadm_t) - kernel_read_system_state(mdadm_t) - kernel_read_kernel_sysctls(mdadm_t) - kernel_request_load_module(mdadm_t) - kernel_rw_software_raid_state(mdadm_t) -+kernel_setsched(mdadm_t) - - corecmd_exec_bin(mdadm_t) - corecmd_exec_shell(mdadm_t) -@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t) - dev_rw_sysfs(mdadm_t) - dev_dontaudit_getattr_all_blk_files(mdadm_t) - dev_dontaudit_getattr_all_chr_files(mdadm_t) -+dev_read_crash(mdadm_t) -+dev_read_framebuffer(mdadm_t) - dev_read_realtime_clock(mdadm_t) - dev_read_raw_memory(mdadm_t) -- -+dev_read_kvm(mdadm_t) -+dev_read_mei(mdadm_t) -+dev_read_nvram(mdadm_t) -+dev_read_generic_files(mdadm_t) -+dev_read_generic_usb_dev(mdadm_t) -+dev_read_urand(mdadm_t) -+ -+domain_read_all_domains_state(mdadm_t) - domain_use_interactive_fds(mdadm_t) - --files_read_etc_files(mdadm_t) - files_read_etc_runtime_files(mdadm_t) --files_dontaudit_getattr_all_files(mdadm_t) -+files_dontaudit_getattr_tmpfs_files(mdadm_t) - -+fs_getattr_all_fs(mdadm_t) - fs_list_auto_mountpoints(mdadm_t) - fs_list_hugetlbfs(mdadm_t) - fs_rw_cgroup_files(mdadm_t) - fs_dontaudit_list_tmpfs(mdadm_t) -+fs_manage_cgroup_files(mdadm_t) - - mls_file_read_all_levels(mdadm_t) - mls_file_write_all_levels(mdadm_t) -@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) - storage_manage_fixed_disk(mdadm_t) - storage_read_scsi_generic(mdadm_t) - storage_write_scsi_generic(mdadm_t) -+storage_raw_read_removable_device(mdadm_t) - - term_dontaudit_list_ptys(mdadm_t) - term_dontaudit_use_unallocated_ttys(mdadm_t) - -+auth_use_nsswitch(mdadm_t) -+ - init_dontaudit_getattr_initctl(mdadm_t) - -+logging_dontaudit_getattr_all_logs(mdadm_t) - logging_send_syslog_msg(mdadm_t) - --miscfiles_read_localization(mdadm_t) -+systemd_exec_systemctl(mdadm_t) 
-+systemd_start_systemd_services(mdadm_t) - - userdom_dontaudit_use_unpriv_user_fds(mdadm_t) - userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -93,13 +128,30 @@ optional_policy(` - ') - - optional_policy(` -+ kdump_manage_kdumpctl_tmp_files(mdadm_t) -+ kdump_rw_lock(mdadm_t) -+') -+ -+optional_policy(` - mta_send_mail(mdadm_t) - ') - - optional_policy(` -+ mdadm_systemctl(mdadm_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(mdadm_t) - ') - - optional_policy(` - udev_read_db(mdadm_t) - ') -+ -+optional_policy(` -+ virt_read_blk_images(mdadm_t) -+') -+ -+optional_policy(` -+ xserver_dontaudit_search_log(mdadm_t) -+') -diff --git a/razor.fc b/razor.fc -index 6723f4d..6e26673 100644 ---- a/razor.fc -+++ b/razor.fc -@@ -1,9 +1,9 @@ --HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) -+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) -+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) - --/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) - --/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) -+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) - --/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) -- --/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) -+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) -+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) -diff --git a/razor.if b/razor.if -index 1e4b523..fee3b7c 100644 ---- a/razor.if -+++ b/razor.if -@@ -1,72 +1,147 @@ - ## A distributed, collaborative, spam detection and filtering network. -+## -+##

    -+## A distributed, collaborative, spam detection and filtering network. -+##

    -+##

    -+## This policy will work with either the ATrpms provided config -+## file in /etc/razor, or with the default of dumping everything into -+## $HOME/.razor. -+##

    -+##
-
- #######################################
- ##
--## The template to define a razor domain.
-+## Template to create types and rules common to
-+## all razor domains.
- ##
--##
-+##
- ##
--## Domain prefix to be used.
-+## The prefix of the domain (e.g., user
-+## is the prefix for user_t).
- ##
- ##
- #
- template(`razor_common_domain_template',`
- gen_require(`
-- attribute razor_domain;
-- type razor_exec_t;
-+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
- ')
-
-- ########################################
-- #
-- # Declarations
-- #
--
-- type $1_t, razor_domain;
-+ type $1_t;
- domain_type($1_t)
- domain_entry_file($1_t, razor_exec_t)
-
-- ########################################
-- #
-- # Declarations
-- #
--
-- auth_use_nsswitch($1_t)
-+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+ allow $1_t self:fd use;
-+ allow $1_t self:fifo_file rw_fifo_file_perms;
-+ allow $1_t self:unix_dgram_socket create_socket_perms;
-+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
-+ allow $1_t self:unix_dgram_socket sendto;
-+ allow $1_t self:unix_stream_socket connectto;
-+ allow $1_t self:shm create_shm_perms;
-+ allow $1_t self:sem create_sem_perms;
-+ allow $1_t self:msgq create_msgq_perms;
-+ allow $1_t self:msg { send receive };
-+ allow $1_t self:tcp_socket create_socket_perms;
-+
-+ # Read system config file
-+ allow $1_t razor_etc_t:dir list_dir_perms;
-+ allow $1_t razor_etc_t:file read_file_perms;
-+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
-+
-+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
-+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
-+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
-+ logging_log_filetrans($1_t, razor_log_t, file)
-+
-+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
-+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
-+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
-+ files_search_var_lib($1_t)
-+
-+ # Razor is one executable and several symlinks
-+ allow $1_t razor_exec_t:file read_file_perms;
-+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
-+
-+ kernel_read_system_state($1_t)
-+ kernel_read_network_state($1_t)
-+ kernel_read_software_raid_state($1_t)
-+ kernel_getattr_core_if($1_t)
-+ kernel_getattr_message_if($1_t)
-+ kernel_read_kernel_sysctls($1_t)
-+
-+ corecmd_exec_bin($1_t)
-+
-+ corenet_all_recvfrom_unlabeled($1_t)
-+ corenet_all_recvfrom_netlabel($1_t)
-+ corenet_tcp_sendrecv_generic_if($1_t)
-+ corenet_raw_sendrecv_generic_if($1_t)
-+ corenet_tcp_sendrecv_generic_node($1_t)
-+ corenet_raw_sendrecv_generic_node($1_t)
-+ corenet_tcp_sendrecv_razor_port($1_t)
-+
-+ # mktemp and other randoms
-+ dev_read_rand($1_t)
-+ dev_read_urand($1_t)
-+
-+ files_search_pids($1_t)
-+ # Allow access to various files in the /etc/directory including mtab
-+ # and nsswitch
-+ files_read_etc_files($1_t)
-+ files_read_etc_runtime_files($1_t)
-+
-+ fs_search_auto_mountpoints($1_t)
-+
-+ libs_read_lib_files($1_t)
-+
-+
-+ sysnet_read_config($1_t)
-+ sysnet_dns_name_resolve($1_t)
-+
-+ optional_policy(`
-+ nis_use_ypbind($1_t)
-+ ')
- ')
-
- ########################################
- ##
--## Role access for razor.
-+## Role access for razor
- ##
- ##
- ##
--## Role allowed access.
-+## Role allowed access
- ##
- ##
- ##
- ##
--## User domain for the role.
-+## User domain for the role
- ##
-+##
- #
- interface(`razor_role',`
- gen_require(`
-- attribute_role razor_roles;
- type razor_t, razor_exec_t, razor_home_t;
-- type razor_tmp_t;
- ')
-
-- roleattribute $1 razor_roles;
-+ role $1 types razor_t;
-
-+ # Transition from the user domain to the derived domain.
- domtrans_pattern($2, razor_exec_t, razor_t)
-
-+ # allow ps to show razor and allow the user to kill it
- ps_process_pattern($2, razor_t)
-- allow $2 razor_t:process signal;
--
-- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
-- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow $2 razor_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 razor_t:process ptrace;
-+ ')
-
-- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
-+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
-+ manage_files_pattern($2, razor_home_t, razor_home_t)
-+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
-+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
-+ relabel_files_pattern($2, razor_home_t, razor_home_t)
-+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
- ')
-
- ########################################
-@@ -81,17 +156,16 @@ interface(`razor_role',`
- #
- interface(`razor_domtrans',`
- gen_require(`
-- type system_razor_t, razor_exec_t;
-+ type razor_t, razor_exec_t;
- ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, razor_exec_t, system_razor_t)
-+ domtrans_pattern($1, razor_exec_t, razor_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## razor home content.
-+## Create, read, write, and delete razor files
-+## in a user home subdirectory.
- ##
- ##
- ##
-@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
- ##
- ##
- #
--interface(`razor_manage_home_content',`
-+interface(`razor_manage_user_home_files',`
- gen_require(`
- type razor_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
-- allow $1 razor_home_t:dir manage_dir_perms;
-- allow $1 razor_home_t:file manage_file_perms;
-- allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
-+ manage_files_pattern($1, razor_home_t, razor_home_t)
-+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
- ')
-
- ########################################
- ##
--## Read razor lib files.
-+## read razor lib files.
- ##
- ##
- ##
-diff --git a/razor.te b/razor.te
-index 5ddedbc..4e15f29 100644
---- a/razor.te
-+++ b/razor.te
-@@ -1,139 +1,128 @@
--policy_module(razor, 2.3.2)
-+policy_module(razor, 2.3.0)
-
- ########################################
- #
- # Declarations
- #
-
--attribute razor_domain;
-+ifdef(`distro_redhat',`
-+ gen_require(`
-+ type spamc_t, spamc_exec_t, spamd_log_t;
-+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
-+ type spamc_home_t, spamc_tmp_t;
-+ ')
-+
-+ typealias spamc_t alias razor_t;
-+ typealias spamc_exec_t alias razor_exec_t;
-+ typealias spamd_log_t alias razor_log_t;
-+ typealias spamd_var_lib_t alias razor_var_lib_t;
-+ typealias spamd_etc_t alias razor_etc_t;
-+ typealias spamc_home_t alias razor_home_t;
-+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-+',`
-+ type razor_exec_t;
-+ corecmd_executable_file(razor_exec_t)
-+
-+ type razor_etc_t;
-+ files_config_file(razor_etc_t)
-+
-+ type razor_home_t;
-+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-+ userdom_user_home_content(razor_home_t)
-+
-+ type razor_log_t;
-+ logging_log_file(razor_log_t)
-+
-+ type razor_tmp_t;
-+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-+ files_tmp_file(razor_tmp_t)
-+ ubac_constrained(razor_tmp_t)
-+
-+ type razor_var_lib_t;
-+ files_type(razor_var_lib_t)
-+
-+ # these are here due to ordering issues:
-+ razor_common_domain_template(razor)
-+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-+ ubac_constrained(razor_t)
-+
-+ razor_common_domain_template(system_razor)
-+ role system_r types system_razor_t;
-+
-+ ########################################
-+ #
-+ # System razor local policy
-+ #
-+
-+ # this version of razor is invoked typically
-+ # via the system spam filter
-+
-+ allow system_razor_t self:tcp_socket create_socket_perms;
-+
-+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-+ files_search_etc(system_razor_t)
-+
-+ allow system_razor_t razor_log_t:file manage_file_perms;
-+ logging_log_filetrans(system_razor_t, razor_log_t, file)
-+
-+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-+
-+ corenet_all_recvfrom_netlabel(system_razor_t)
-+ corenet_tcp_sendrecv_generic_if(system_razor_t)
-+ corenet_raw_sendrecv_generic_if(system_razor_t)
-+ corenet_tcp_sendrecv_generic_node(system_razor_t)
-+ corenet_raw_sendrecv_generic_node(system_razor_t)
-+ corenet_tcp_sendrecv_razor_port(system_razor_t)
-+ corenet_tcp_connect_razor_port(system_razor_t)
-+ corenet_sendrecv_razor_client_packets(system_razor_t)
-+
-+ auth_use_nsswitch(system_razor_t)
-+
-+ # cjp: this shouldn't be needed
-+ userdom_use_unpriv_users_fds(system_razor_t)
-+
-+ optional_policy(`
-+ logging_send_syslog_msg(system_razor_t)
-+ ')
-+
-+ ########################################
-+ #
-+ # User razor local policy
-+ #
-+
-+ # Allow razor to be run by hand. Needed by any action other than
-+ # invocation from a spam filter.
-+
-+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
-+
-+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
-+
-+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-+
-+ auth_use_nsswitch(razor_t)
-
--attribute_role razor_roles;
-+ logging_send_syslog_msg(razor_t)
-
--type razor_exec_t;
--corecmd_executable_file(razor_exec_t)
-+ userdom_search_user_home_dirs(razor_t)
-+ userdom_use_inherited_user_terminals(razor_t)
-
--type razor_etc_t;
--files_config_file(razor_etc_t)
-+ userdom_home_manager(razor_t)
-
--type razor_home_t;
--typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
--typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
--userdom_user_home_content(razor_home_t)
--
--type razor_log_t;
--logging_log_file(razor_log_t)
--
--type razor_tmp_t;
--typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
--typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
--userdom_user_tmp_file(razor_tmp_t)
--
--type razor_var_lib_t;
--files_type(razor_var_lib_t)
--
--razor_common_domain_template(razor)
--typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
--typealias razor_t alias { auditadm_razor_t secadm_razor_t };
--userdom_user_application_type(razor_t)
--role razor_roles types razor_t;
--
--razor_common_domain_template(system_razor)
--role system_r types system_razor_t;
--
--########################################
--#
--# Common razor domain local policy
--#
--
--allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--allow razor_domain self:fd use;
--allow razor_domain self:fifo_file rw_fifo_file_perms;
--allow razor_domain self:unix_dgram_socket sendto;
--allow razor_domain self:unix_stream_socket { accept connectto listen };
--
--allow razor_domain razor_etc_t:dir list_dir_perms;
--allow razor_domain razor_etc_t:file read_file_perms;
--allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
--
--allow razor_domain razor_exec_t:file read_file_perms;
--allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
--
--kernel_read_system_state(razor_domain)
--kernel_read_network_state(razor_domain)
--kernel_read_software_raid_state(razor_domain)
--kernel_getattr_core_if(razor_domain)
--kernel_getattr_message_if(razor_domain)
--kernel_read_kernel_sysctls(razor_domain)
--
--corecmd_exec_bin(razor_domain)
--
--corenet_all_recvfrom_unlabeled(razor_domain)
--corenet_all_recvfrom_netlabel(razor_domain)
--corenet_tcp_sendrecv_generic_if(razor_domain)
--corenet_tcp_sendrecv_generic_node(razor_domain)
--
--corenet_tcp_sendrecv_razor_port(razor_domain)
--corenet_tcp_connect_razor_port(razor_domain)
--corenet_sendrecv_razor_client_packets(razor_domain)
--
--dev_read_rand(razor_domain)
--dev_read_urand(razor_domain)
--
--files_read_etc_runtime_files(razor_domain)
--
--libs_read_lib_files(razor_domain)
--
--miscfiles_read_localization(razor_domain)
--
--########################################
--#
--# System local policy
--#
--
--manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--
--manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
--append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
--create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
--setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
--manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
--logging_log_filetrans(system_razor_t, razor_log_t, file)
--
--manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
--manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
--manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
--files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
--
--########################################
--#
--# Session local policy
--#
--
--manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
--manage_files_pattern(razor_t, razor_home_t, razor_home_t)
--manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
--userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
--
--manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
--manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
--files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
--
--fs_getattr_all_fs(razor_t)
--fs_search_auto_mountpoints(razor_t)
--
--userdom_use_unpriv_users_fds(razor_t)
--userdom_use_user_terminals(razor_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(razor_t)
-- fs_manage_nfs_files(razor_t)
-- fs_manage_nfs_symlinks(razor_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(razor_t)
-- fs_manage_cifs_files(razor_t)
-- fs_manage_cifs_symlinks(razor_t)
-+ optional_policy(`
-+ milter_manage_spamass_state(razor_t)
-+ ')
- ')
-diff --git a/rdisc.te b/rdisc.te
-index 9196c1d..3dac4d9 100644
---- a/rdisc.te
-+++ b/rdisc.te
-@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
- kernel_read_proc_symlinks(rdisc_t)
- kernel_read_kernel_sysctls(rdisc_t)
-
--corenet_all_recvfrom_unlabeled(rdisc_t)
- corenet_all_recvfrom_netlabel(rdisc_t)
- corenet_udp_sendrecv_generic_if(rdisc_t)
- corenet_raw_sendrecv_generic_if(rdisc_t)
-@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t)
-
- domain_use_interactive_fds(rdisc_t)
-
--files_read_etc_files(rdisc_t)
-
- logging_send_syslog_msg(rdisc_t)
-
--miscfiles_read_localization(rdisc_t)
--
- sysnet_read_config(rdisc_t)
-
- userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
-diff --git a/readahead.fc b/readahead.fc
-index f307db4..0428aee 100644
---- a/readahead.fc
-+++ b/readahead.fc
-@@ -1,7 +1,10 @@
--/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
-
-+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
- /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-
-+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+
- /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
-
--/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0)
-+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
-diff --git a/readahead.if b/readahead.if
-index 661bb88..06f69c4 100644
---- a/readahead.if
-+++ b/readahead.if
-@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
- corecmd_search_bin($1)
- domtrans_pattern($1, readahead_exec_t, readahead_t)
- ')
-+
-+########################################
-+##
-+## Manage readahead var_run files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`readahead_manage_pid_files',`
-+ gen_require(`
-+ type readahead_var_run_t;
-+ ')
-+
-+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
-+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
-+ dev_filetrans($1, readahead_var_run_t, { dir file })
-+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
-+ files_search_pids($1)
-+ init_search_pid_dirs($1)
-+')
-+
-diff --git a/readahead.te b/readahead.te
-index f1512d6..8ee7e70 100644
---- a/readahead.te
-+++ b/readahead.te
-@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
-
- type readahead_var_run_t;
- files_pid_file(readahead_var_run_t)
-+dev_associate(readahead_var_run_t)
- init_daemon_run_dir(readahead_var_run_t, "readahead")
-
- ########################################
-@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
-
- manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
- manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
-+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
- files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
-
- kernel_read_all_sysctls(readahead_t)
- kernel_read_system_state(readahead_t)
- kernel_dontaudit_getattr_core_if(readahead_t)
-+kernel_list_all_proc(readahead_t)
-
--dev_read_sysfs(readahead_t)
-+dev_rw_sysfs(readahead_t)
-+dev_read_kmsg(readahead_t)
-+dev_read_urand(readahead_t)
-+dev_write_kmsg(readahead_t)
- dev_getattr_generic_chr_files(readahead_t)
- dev_getattr_generic_blk_files(readahead_t)
- dev_getattr_all_chr_files(readahead_t)
-@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t)
- domain_read_all_domains_state(readahead_t)
-
- files_create_boot_flag(readahead_t)
-+files_delete_root_files(readahead_t)
- files_getattr_all_pipes(readahead_t)
- files_list_non_security(readahead_t)
- files_read_non_security_files(readahead_t)
- files_search_var_lib(readahead_t)
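Review bot: The new readahead_manage_pid_files interface gives every caller an unnamed `dev_filetrans($1, readahead_var_run_t, { dir file })`, so any directory or file the caller creates directly under /dev is labeled readahead_var_run_t, which is far wider than the single `/dev/\.systemd/readahead(/.*)?` path that readahead.fc labels with that type in this same patch. A name-qualified transition, in the style of the `init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")` rule added to readahead.te, would keep the transition to the intended directory; which component (`.systemd` or `readahead`) is created first cannot be confirmed from these lines, so the exact name needs checking against systemd-readahead. The same remark applies to the unnamed `dev_filetrans(readahead_t, ...)` added in readahead.te. These lines sit on the removed side of the enclosing patch-file diff, so this applies only where they are carried forward.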
- files_dontaudit_getattr_all_sockets(readahead_t)
- files_dontaudit_getattr_non_security_blk_files(readahead_t)
-+files_dontaudit_all_access_check(readahead_t)
-+files_dontaudit_read_security_files(readahead_t)
-+files_dontaudit_read_all_sockets(readahead_t)
-+
-+ifdef(`hide_broken_symptoms', `
-+ files_dontaudit_write_all_files(readahead_t)
-+ dev_dontaudit_write_all_chr_files(readahead_t)
-+ dev_dontaudit_write_all_blk_files(readahead_t)
-+')
-
- fs_getattr_all_fs(readahead_t)
- fs_search_auto_mountpoints(readahead_t)
-@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t)
- fs_read_tmpfs_files(readahead_t)
- fs_read_tmpfs_symlinks(readahead_t)
- fs_list_inotifyfs(readahead_t)
-+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
- fs_dontaudit_search_ramfs(readahead_t)
- fs_dontaudit_read_ramfs_pipes(readahead_t)
- fs_dontaudit_read_ramfs_files(readahead_t)
- fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
-
--mcs_file_read_all(readahead_t)
--
- mls_file_read_all_levels(readahead_t)
-
- storage_raw_read_fixed_disk(readahead_t)
-@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t)
- init_use_fds(readahead_t)
- init_use_script_ptys(readahead_t)
- init_getattr_initctl(readahead_t)
-+# needs to write to /run/systemd/notify
-+init_write_pid_socket(readahead_t)
-+init_create_pid_dirs(readahead_t)
-+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
-
- logging_send_syslog_msg(readahead_t)
- logging_set_audit_parameters(readahead_t)
- logging_dontaudit_search_audit_config(readahead_t)
-
--miscfiles_read_localization(readahead_t)
--
- userdom_dontaudit_use_unpriv_user_fds(readahead_t)
- userdom_dontaudit_search_user_home_dirs(readahead_t)
-
-diff --git a/realmd.fc b/realmd.fc
-index 04babe3..3b92679 100644
---- a/realmd.fc
-+++ b/realmd.fc
-@@ -1 +1,5 @@
--/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
-+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
-+
-+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
-+
-+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
-diff --git a/realmd.if b/realmd.if
-index bff31df..3b2a829 100644
---- a/realmd.if
-+++ b/realmd.if
-@@ -1,8 +1,9 @@
--## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.
-+
-+## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
-
- ########################################
- ##
--## Execute realmd in the realmd domain.
-+## Execute realmd in the realmd_t domain.
- ##
- ##
- ##
-@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',`
- allow $1 realmd_t:dbus send_msg;
- allow realmd_t $1:dbus send_msg;
- ')
-+
-+########################################
-+##
-+## Search realmd cache directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`realmd_search_cache',`
-+ gen_require(`
-+ type realmd_var_cache_t;
-+ ')
-+
-+ allow $1 realmd_var_cache_t:dir search_dir_perms;
-+ files_search_var($1)
-+')
-+
-+########################################
-+##
-+## Read realmd cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`realmd_read_cache_files',`
-+ gen_require(`
-+ type realmd_var_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## realmd cache files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`realmd_manage_cache_files',`
-+ gen_require(`
-+ type realmd_var_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
-+')
-+
-+########################################
-+##
-+## Manage realmd cache dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`realmd_manage_cache_dirs',`
-+ gen_require(`
-+ type realmd_var_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
-+')
-+
-+
-+########################################
-+##
-+## Read realmd tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`realmd_read_tmp_files',`
-+ gen_require(`
-+ type realmd_tmp_t;
-+ ')
-+
-+ files_search_var($1)
-+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
-+')
-+
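Review bot: realmd_read_tmp_files pairs `read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)` with `files_search_var($1)`, but realmd.te in this same patch declares the type with `files_tmp_file(realmd_tmp_t)` and creates it via `files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })`, so the content lives under /tmp and the caller is never granted the search on tmp_t it needs to reach it; the line should be `files_search_tmp($1)`. The four cache interfaces look consistent with the `/var/cache/realmd(/.*)?` entry in realmd.fc, so only the tmp interface appears affected. These lines sit on the removed side of the enclosing patch-file diff, so this applies only where they are carried forward.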
-+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
-
- kernel_read_system_state(realmd_t)
-+kernel_read_network_state(realmd_t)
-
- corecmd_exec_bin(realmd_t)
- corecmd_exec_shell(realmd_t)
-
--corenet_all_recvfrom_unlabeled(realmd_t)
--corenet_all_recvfrom_netlabel(realmd_t)
--corenet_tcp_sendrecv_generic_if(realmd_t)
--corenet_tcp_sendrecv_generic_node(realmd_t)
--
--corenet_sendrecv_http_client_packets(realmd_t)
- corenet_tcp_connect_http_port(realmd_t)
--corenet_tcp_sendrecv_http_port(realmd_t)
-+corenet_tcp_connect_ldap_port(realmd_t)
-+corenet_tcp_connect_smbd_port(realmd_t)
-
- domain_use_interactive_fds(realmd_t)
-
- dev_read_rand(realmd_t)
- dev_read_urand(realmd_t)
-
--fs_getattr_all_fs(realmd_t)
-+files_manage_etc_files(realmd_t)
-
--files_read_usr_files(realmd_t)
-+fs_getattr_all_fs(realmd_t)
-
- auth_use_nsswitch(realmd_t)
-
-+init_filetrans_named_content(realmd_t)
-+
-+logging_manage_generic_logs(realmd_t)
- logging_send_syslog_msg(realmd_t)
-
-+miscfiles_manage_generic_cert_files(realmd_t)
-+
-+seutil_domtrans_setfiles(realmd_t)
-+seutil_read_file_contexts(realmd_t)
-+
-+sysnet_dns_name_resolve(realmd_t)
-+systemd_exec_systemctl(realmd_t)
-+
-+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
-+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
-+
-+optional_policy(`
-+ authconfig_domtrans(realmd_t)
-+')
-+
- optional_policy(`
- dbus_system_domain(realmd_t, realmd_exec_t)
-
- optional_policy(`
-+ certmonger_dbus_chat(realmd_t)
-+ ')
-+
-+ optional_policy(`
- networkmanager_dbus_chat(realmd_t)
- ')
-
-@@ -63,21 +105,40 @@ optional_policy(`
- optional_policy(`
- kerberos_use(realmd_t)
- kerberos_rw_keytab(realmd_t)
-+ kerberos_rw_config(realmd_t)
-+ kerberos_filetrans_named_content(realmd_t)
-+')
-+
-+optional_policy(`
-+ ntp_domtrans_ntpdate(realmd_t)
-+')
-+
-+optional_policy(`
-+ ssh_domtrans(realmd_t)
-+ ssh_systemctl(realmd_t)
- ')
-
- optional_policy(`
- nis_exec_ypbind(realmd_t)
-- nis_initrc_domtrans(realmd_t)
-+ nis_systemctl_ypbind(realmd_t)
- ')
-
- optional_policy(`
-- gnome_read_generic_home_content(realmd_t)
-+ gnome_read_config(realmd_t)
-+ gnome_read_generic_cache_files(realmd_t)
-+ gnome_write_generic_cache_files(realmd_t)
-+ gnome_manage_cache_home_dir(realmd_t)
-+
- ')
-
- optional_policy(`
- samba_domtrans_net(realmd_t)
- samba_manage_config(realmd_t)
-- samba_getattr_winbind_exec(realmd_t)
-+ samba_getattr_winbind(realmd_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(realmd_t)
- ')
-
- optional_policy(`
-@@ -86,5 +147,27 @@ optional_policy(`
- sssd_manage_lib_files(realmd_t)
- sssd_manage_public_files(realmd_t)
- sssd_read_pid_files(realmd_t)
-- sssd_initrc_domtrans(realmd_t)
-+ sssd_systemctl(realmd_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_state_xdm(realmd_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(realmd_t)
-+')
-+
-+#####################################
-+#
-+# realmd consolehelper local policy
-+#
-+
-+optional_policy(`
-+ userhelper_console_role_template(realmd, system_r, realmd_t)
-+ authconfig_manage_lib_files(realmd_consolehelper_t)
-+
-+ oddjob_systemctl(realmd_consolehelper_t)
-+
-+ unconfined_domain_noaudit(realmd_consolehelper_t)
- ')
-diff --git a/redis.fc b/redis.fc
-new file mode 100644
-index 0000000..638d6b4
---- /dev/null
-+++ b/redis.fc
-@@ -0,0 +1,11 @@
-+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
-+
-+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-+
-+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-+
-+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-+
-+/var/run/redis(/.*)?
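Review bot: `unconfined_domain(realmd_t)` inside an `optional_policy` block makes realmd_t unconfined whenever the unconfined module is loaded, which silently voids every rule the rest of this module grants (including the already wide `files_manage_etc_files`, `logging_manage_generic_logs` and `miscfiles_manage_generic_cert_files` added earlier in the file), and `unconfined_domain_noaudit(realmd_consolehelper_t)` does the same for the consolehelper domain while also suppressing the audit trail. If this is a deliberate stop-gap until the helpers realmd spawns are confined, it deserves a why-comment and a tracking reference, e.g. `# TODO: realmd is unconfined until ipa-client/net helpers are covered; see bug NNN`, and ideally a boolean gate so the confinement can be switched on without rebuilding. These lines sit on the removed side of the enclosing patch-file diff, so this applies only where they are carried forward.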
gen_context(system_u:object_r:redis_var_run_t,s0)
-diff --git a/redis.if b/redis.if
-new file mode 100644
-index 0000000..72a2d7b
---- /dev/null
-+++ b/redis.if
-@@ -0,0 +1,271 @@
-+
-+## redis-server SELinux policy
-+
-+########################################
-+##
-+## Execute TEMPLATE in the redis domin.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`redis_domtrans',`
-+ gen_require(`
-+ type redis_t, redis_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, redis_exec_t, redis_t)
-+')
-+
-+########################################
-+##
-+## Execute redis server in the redis domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_initrc_domtrans',`
-+ gen_require(`
-+ type redis_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
-+')
-+########################################
-+##
-+## Read redis's log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`redis_read_log',`
-+ gen_require(`
-+ type redis_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, redis_log_t, redis_log_t)
-+')
-+
-+########################################
-+##
-+## Append to redis log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_append_log',`
-+ gen_require(`
-+ type redis_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, redis_log_t, redis_log_t)
-+')
-+
-+########################################
-+##
-+## Manage redis log files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_manage_log',`
-+ gen_require(`
-+ type redis_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
-+ manage_files_pattern($1, redis_log_t, redis_log_t)
-+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
-+')
-+
-+########################################
-+##
-+## Search redis lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_search_lib',`
-+ gen_require(`
-+ type redis_var_lib_t;
-+ ')
-+
-+ allow $1 redis_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read redis lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_read_lib_files',`
-+ gen_require(`
-+ type redis_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage redis lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_manage_lib_files',`
-+ gen_require(`
-+ type redis_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage redis lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_manage_lib_dirs',`
-+ gen_require(`
-+ type redis_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read redis PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`redis_read_pid_files',`
-+ gen_require(`
-+ type redis_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
-+')
-+
-+########################################
-+##
-+## Execute redis server in the redis domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`redis_systemctl',`
-+ gen_require(`
-+ type redis_t;
-+ type redis_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
-+ allow $1 redis_unit_file_t:file read_file_perms;
-+ allow $1 redis_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, redis_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an redis environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`redis_admin',`
-+ gen_require(`
-+ type redis_t;
-+ type redis_initrc_exec_t;
-+ type redis_log_t;
-+ type redis_var_lib_t;
-+ type redis_var_run_t;
-+ type redis_unit_file_t;
-+ ')
-+
-+ allow $1 redis_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, redis_t)
-+
-+ redis_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 redis_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, redis_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, redis_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, redis_var_run_t)
-+
-+ redis_systemctl($1)
-+ admin_pattern($1, redis_unit_file_t)
-+ allow $1 redis_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/redis.te b/redis.te
-new file mode 100644
-index 0000000..e5e9cf7
---- /dev/null
-+++ b/redis.te
-@@ -0,0 +1,62 @@
-+policy_module(redis, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type redis_t;
-+type redis_exec_t;
-+init_daemon_domain(redis_t, redis_exec_t)
-+
-+type redis_initrc_exec_t;
-+init_script_file(redis_initrc_exec_t)
-+
-+type redis_log_t;
-+logging_log_file(redis_log_t)
-+
-+type redis_var_lib_t;
-+files_type(redis_var_lib_t)
-+
-+type redis_var_run_t;
-+files_pid_file(redis_var_run_t)
-+
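Review bot: redis_admin grants `allow $1 redis_t:process { ptrace signal_perms };` unconditionally, whereas razor_role in this same patch gates the same permission behind `tunable_policy(`deny_ptrace',`',` allow $2 razor_t:process ptrace; ')`; the admin interface should follow that pattern so the deny_ptrace boolean actually covers redis. Separately, redis_systemctl calls `systemd_read_fifo_file_password_run($1)` while redis_admin calls `systemd_read_fifo_file_passwd_run($1)`, and with two spellings of what looks like one interface it is worth confirming both are defined in systemd.if or normalising to one, since an undefined interface name is a build failure rather than a runtime no-op. The summary for redis_domtrans should also read `Execute redis server in the redis domain.` rather than `Execute TEMPLATE in the redis domin.`. These lines sit on the removed side of the enclosing patch-file diff, so this applies only where they are carried forward.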
-+type redis_unit_file_t; -+systemd_unit_file(redis_unit_file_t) -+ -+######################################## -+# -+# redis local policy -+# -+ -+allow redis_t self:process { setrlimit signal_perms }; -+allow redis_t self:fifo_file rw_fifo_file_perms; -+allow redis_t self:unix_stream_socket create_stream_socket_perms; -+allow redis_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) -+manage_files_pattern(redis_t, redis_log_t, redis_log_t) -+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) -+ -+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) -+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) -+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) -+ -+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) -+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) -+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) -+ -+kernel_read_system_state(redis_t) -+ -+corenet_tcp_bind_generic_node(redis_t) -+corenet_tcp_bind_redis_port(redis_t) -+ -+dev_read_sysfs(redis_t) -+dev_read_urand(redis_t) -+ -+logging_send_syslog_msg(redis_t) -+ -+miscfiles_read_localization(redis_t) -+ -+sysnet_dns_name_resolve(redis_t) -+ -diff --git a/remotelogin.fc b/remotelogin.fc -index 327baf0..d8691bd 100644 ---- a/remotelogin.fc -+++ b/remotelogin.fc -@@ -1 +1,2 @@ -+ - # Remote login currently has no file contexts. -diff --git a/remotelogin.if b/remotelogin.if -index a9ce68e..31be971 100644 ---- a/remotelogin.if -+++ b/remotelogin.if -@@ -1,4 +1,4 @@ --## Rshd, rlogind, and telnetd. -+## Policy for rshd, rlogind, and telnetd. - - ######################################## - ## -@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',` - type remote_login_t; - ') - -- corecmd_search_bin($1) - auth_domtrans_login_program($1, remote_login_t) - ') - - ######################################## - ## --## Send generic signals to remote login. 
-+## allow Domain to signal remote login domain.
- ##
- ##
- ##
-@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
- 
- allow $1 remote_login_t:process signal;
- ')
--
--########################################
--##
--## Create, read, write, and delete
--## remote login temporary content.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`remotelogin_manage_tmp_content',`
-- gen_require(`
-- type remote_login_tmp_t;
-- ')
--
-- files_search_tmp($1)
-- allow $1 remote_login_tmp_t:dir manage_dir_perms;
-- allow $1 remote_login_tmp_t:file manage_file_perms;
--')
--
--########################################
--##
--## Relabel remote login temporary content.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`remotelogin_relabel_tmp_content',`
-- gen_require(`
-- type remote_login_tmp_t;
-- ')
--
-- files_search_tmp($1)
-- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
-- allow $1 remote_login_tmp_t:file relabel_file_perms;
--')
-diff --git a/remotelogin.te b/remotelogin.te
-index c51a32c..bef8238 100644
---- a/remotelogin.te
-+++ b/remotelogin.te
-@@ -1,4 +1,4 @@
--policy_module(remotelogin, 1.7.2)
-+policy_module(remotelogin, 1.7.0)
- 
- ########################################
- #
-@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
- auth_login_pgm_domain(remote_login_t)
- auth_login_entry_type(remote_login_t)
- 
--type remote_login_tmp_t;
--files_tmp_file(remote_login_tmp_t)
--
- ########################################
- #
--# Local policy
-+# Remote login remote policy
- #
- 
- allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
- allow remote_login_t self:process { setrlimit setexec };
- allow remote_login_t self:fd use;
- allow remote_login_t self:fifo_file rw_fifo_file_perms;
-+allow remote_login_t self:sock_file read_sock_file_perms;
-+allow remote_login_t self:unix_dgram_socket create_socket_perms;
-+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
- allow remote_login_t self:unix_dgram_socket sendto;
--allow remote_login_t self:unix_stream_socket { accept connectto listen };
--
--manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
--manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
--files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
-+allow remote_login_t self:unix_stream_socket connectto;
-+allow remote_login_t self:shm create_shm_perms;
-+allow remote_login_t self:sem create_sem_perms;
-+allow remote_login_t self:msgq create_msgq_perms;
-+allow remote_login_t self:msg { send receive };
-+allow remote_login_t self:key write;
- 
- kernel_read_system_state(remote_login_t)
- kernel_read_kernel_sysctls(remote_login_t)
- 
- dev_getattr_mouse_dev(remote_login_t)
- dev_setattr_mouse_dev(remote_login_t)
-+dev_dontaudit_search_sysfs(remote_login_t)
- 
- fs_getattr_xattr_fs(remote_login_t)
-+fs_search_auto_mountpoints(remote_login_t)
- 
- term_relabel_all_ptys(remote_login_t)
- term_use_all_ptys(remote_login_t)
- term_setattr_all_ptys(remote_login_t)
- 
--auth_manage_pam_console_data(remote_login_t)
--auth_domtrans_pam_console(remote_login_t)
- auth_rw_login_records(remote_login_t)
- auth_rw_faillog(remote_login_t)
-+auth_manage_pam_console_data(remote_login_t)
-+auth_domtrans_pam_console(remote_login_t)
- 
- corecmd_list_bin(remote_login_t)
- corecmd_read_bin_symlinks(remote_login_t)
-+# cjp: these are probably not needed:
-+corecmd_read_bin_files(remote_login_t)
-+corecmd_read_bin_pipes(remote_login_t)
-+corecmd_read_bin_sockets(remote_login_t)
- 
- domain_read_all_entry_files(remote_login_t)
- 
- files_read_etc_runtime_files(remote_login_t)
- files_list_home(remote_login_t)
--files_read_usr_files(remote_login_t)
- files_list_world_readable(remote_login_t)
- files_read_world_readable_files(remote_login_t)
- files_read_world_readable_symlinks(remote_login_t)
- files_read_world_readable_pipes(remote_login_t)
- files_read_world_readable_sockets(remote_login_t)
- files_list_mnt(remote_login_t)
-+# for when /var/mail is a sym-link
- files_read_var_symlinks(remote_login_t)
- 
--miscfiles_read_localization(remote_login_t)
-+auth_use_nsswitch(remote_login_t)
-+
- 
- userdom_use_unpriv_users_fds(remote_login_t)
- userdom_search_user_home_content(remote_login_t)
-+# Only permit unprivileged user domains to be entered via rlogin,
-+# since very weak authentication is used.
- userdom_signal_unpriv_users(remote_login_t)
- userdom_spec_domtrans_unpriv_users(remote_login_t)
-+userdom_use_user_ptys(remote_login_t)
- 
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(remote_login_t)
-- fs_read_nfs_symlinks(remote_login_t)
--')
-+userdom_manage_user_tmp_dirs(remote_login_t)
-+userdom_manage_user_tmp_files(remote_login_t)
-+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
- 
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(remote_login_t)
-- fs_read_cifs_symlinks(remote_login_t)
--')
-+userdom_home_reader(remote_login_t)
- 
- optional_policy(`
- alsa_domtrans(remote_login_t)
- ')
- 
- optional_policy(`
-+ # Search for mail spool file.
- mta_getattr_spool(remote_login_t) - ') - -diff --git a/resmgr.te b/resmgr.te -index 6f219b3..6bef328 100644 ---- a/resmgr.te -+++ b/resmgr.te -@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t) - - domain_use_interactive_fds(resmgrd_t) - --files_read_etc_files(resmgrd_t) - - fs_search_auto_mountpoints(resmgrd_t) - -@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t) - - logging_send_syslog_msg(resmgrd_t) - --miscfiles_read_localization(resmgrd_t) -- - userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) - - optional_policy(` -diff --git a/rgmanager.fc b/rgmanager.fc -index 5421af0..91e69b8 100644 ---- a/rgmanager.fc -+++ b/rgmanager.fc -@@ -1,12 +1,22 @@ --/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) - --/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - --/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) --/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - --/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) -+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0) -+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -+/var/lib/heartbeat(/.*)? 
gen_context(system_u:object_r:rgmanager_var_lib_t,s0) - --/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) -+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) - --/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) -+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -+ -+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) -+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0) -+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff --git a/rgmanager.if b/rgmanager.if -index 1c2f9aa..a4133dc 100644 ---- a/rgmanager.if -+++ b/rgmanager.if -@@ -1,13 +1,13 @@ --## Resource Group Manager. -+## rgmanager - Resource Group Manager - - ####################################### - ## - ## Execute a domain transition to run rgmanager. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`rgmanager_domtrans',` -@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',` - - ######################################## - ## --## Connect to rgmanager with a unix --## domain stream socket. -+## Connect to rgmanager over a unix stream socket. - ## - ## - ## -@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',` - stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) - ') - -+######################################## -+## -+## Manage rgmanager pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rgmanager_manage_pid_files',` -+ gen_require(` -+ type rgmanager_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t) -+') -+ - ###################################### - ## --## Create, read, write, and delete --## rgmanager tmp files. 
-+## Allow manage rgmanager tmp files. - ## - ## - ## -@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',` - - ###################################### - ## --## Create, read, write, and delete --## rgmanager tmpfs files. -+## Allow manage rgmanager tmpfs files. - ## - ## - ## -@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',` - manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) - ') - -+####################################### -+## -+## Allow read and write access to rgmanager semaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rgmanager_rw_semaphores',` -+ gen_require(` -+ type rgmanager_t; -+ ') -+ -+ allow $1 rgmanager_t:sem rw_sem_perms; -+') -+ - ###################################### - ## --## All of the rules required to --## administrate an rgmanager environment. -+## All of the rules required to administrate -+## an rgmanager environment - ## - ## - ## -@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the rgmanager domain. - ## - ## - ## -@@ -102,8 +136,11 @@ interface(`rgmanager_admin',` - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') - -- allow $1 rgmanager_t:process { ptrace signal_perms }; -+ allow $1 rgmanager_t:process signal_perms; - ps_process_pattern($1, rgmanager_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rgmanager_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) - domain_system_change_exemption($1) -@@ -121,3 +158,66 @@ interface(`rgmanager_admin',` - files_list_pids($1) - admin_pattern($1, rgmanager_var_run_t) - ') -+ -+ -+###################################### -+## -+## Allow the specified domain to manage rgmanager's lib/run files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`rgmanager_manage_files',` -+ gen_require(` -+ type rgmanager_var_lib_t; -+ type rgmanager_var_run_t; -+ ') -+ -+ files_list_var_lib($1) -+ admin_pattern($1, rgmanager_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, rgmanager_var_run_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to execute rgmanager's lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rgmanager_execute_lib',` -+ gen_require(` -+ type rgmanager_var_lib_t; -+ ') -+ -+ files_list_var_lib($1) -+ allow $1 rgmanager_var_lib_t:dir search_dir_perms; -+ can_exec($1, rgmanager_var_lib_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to search rgmanager's lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rgmanager_search_lib',` -+ gen_require(` -+ type rgmanager_var_lib_t; -+ ') -+ -+ files_list_var_lib($1) -+ allow $1 rgmanager_var_lib_t:dir search_dir_perms; -+') -diff --git a/rgmanager.te b/rgmanager.te -index b418d1c..1ad9c12 100644 ---- a/rgmanager.te -+++ b/rgmanager.te -@@ -1,4 +1,4 @@ --policy_module(rgmanager, 1.2.2) -+policy_module(rgmanager, 1.2.0) - - ######################################## - # -@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2) - # - - ## --##

    --## Determine whether rgmanager can --## connect to the network using TCP. --##

    -+##

    -+## Allow rgmanager domain to connect to the network using TCP. -+##

    - ##
    - gen_tunable(rgmanager_can_network_connect, false) - -@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t) - type rgmanager_tmpfs_t; - files_tmpfs_file(rgmanager_tmpfs_t) - -+type rgmanager_var_lib_t; -+files_type(rgmanager_var_lib_t) -+ - type rgmanager_var_log_t; - logging_log_file(rgmanager_var_log_t) - -@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t) - - ######################################## - # --# Local policy -+# rgmanager local policy - # - - allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; - allow rgmanager_t self:process { setsched signal }; -+ - allow rgmanager_t self:fifo_file rw_fifo_file_perms; --allow rgmanager_t self:unix_stream_socket { accept listen }; --allow rgmanager_t self:tcp_socket { accept listen }; -+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; -+allow rgmanager_t self:unix_dgram_socket create_socket_perms; -+allow rgmanager_t self:tcp_socket create_stream_socket_perms; - - manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) - manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) -@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) - manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) - fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) - --allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; --logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file) -+# var/lib files -+# # needed by hearbeat -+can_exec(rgmanager_t, rgmanager_var_lib_t) -+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t) -+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t) -+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t) -+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t) 
-+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file }) -+ -+ -+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) -+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) - -+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) - manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) - manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) --files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) -+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir }) - -+kernel_kill(rgmanager_t) - kernel_read_kernel_sysctls(rgmanager_t) -+kernel_read_rpc_sysctls(rgmanager_t) - kernel_read_system_state(rgmanager_t) - kernel_rw_rpc_sysctls(rgmanager_t) - kernel_search_debugfs(rgmanager_t) - kernel_search_network_state(rgmanager_t) - --corenet_all_recvfrom_unlabeled(rgmanager_t) --corenet_all_recvfrom_netlabel(rgmanager_t) --corenet_tcp_sendrecv_generic_if(rgmanager_t) --corenet_tcp_sendrecv_generic_node(rgmanager_t) -- - corecmd_exec_bin(rgmanager_t) - corecmd_exec_shell(rgmanager_t) - -+# need to write to /dev/misc/dlm-control - dev_rw_dlm_control(rgmanager_t) - dev_setattr_dlm_control(rgmanager_t) - dev_search_sysfs(rgmanager_t) - - domain_read_all_domains_state(rgmanager_t) - domain_getattr_all_domains(rgmanager_t) --domain_dontaudit_ptrace_all_domains(rgmanager_t) - --files_list_all(rgmanager_t) -+files_create_var_run_dirs(rgmanager_t) - files_getattr_all_symlinks(rgmanager_t) -+files_list_all(rgmanager_t) - files_manage_mnt_dirs(rgmanager_t) -+files_manage_mnt_files(rgmanager_t) -+files_manage_mnt_symlinks(rgmanager_t) -+files_manage_isid_type_files(rgmanager_t) - files_manage_isid_type_dirs(rgmanager_t) --files_read_non_security_files(rgmanager_t) - -+fs_getattr_xattr_fs(rgmanager_t) - fs_getattr_all_fs(rgmanager_t) - - storage_raw_read_fixed_disk(rgmanager_t) 
-+storage_getattr_fixed_disk_dev(rgmanager_t) - - term_getattr_pty_fs(rgmanager_t) - -+# needed by resources scripts -+files_read_non_security_files(rgmanager_t) - auth_dontaudit_getattr_shadow(rgmanager_t) - auth_use_nsswitch(rgmanager_t) - - init_domtrans_script(rgmanager_t) -+init_initrc_domain(rgmanager_t) - - logging_send_syslog_msg(rgmanager_t) - --miscfiles_read_localization(rgmanager_t) -+userdom_kill_all_users(rgmanager_t) - - tunable_policy(`rgmanager_can_network_connect',` -- corenet_sendrecv_all_client_packets(rgmanager_t) - corenet_tcp_connect_all_ports(rgmanager_t) -- corenet_tcp_sendrecv_all_ports(rgmanager_t) - ') - -+# rgmanager can run resource scripts - optional_policy(` - aisexec_stream_connect(rgmanager_t) -+ corosync_stream_connect(rgmanager_t) - ') - - optional_policy(` -- consoletype_exec(rgmanager_t) -+ apache_domtrans(rgmanager_t) -+ apache_signal(rgmanager_t) - ') - - optional_policy(` -- corosync_stream_connect(rgmanager_t) -+ consoletype_exec(rgmanager_t) - ') - - optional_policy(` -- apache_domtrans(rgmanager_t) -- apache_signal(rgmanager_t) -+ dbus_system_bus_client(rgmanager_t) - ') - - optional_policy(` -@@ -130,7 +150,6 @@ optional_policy(` - - optional_policy(` - rhcs_stream_connect_groupd(rgmanager_t) -- rhcs_stream_connect_gfs_controld(rgmanager_t) - ') - - optional_policy(` -@@ -140,6 +159,7 @@ optional_policy(` - optional_policy(` - ccs_manage_config(rgmanager_t) - ccs_stream_connect(rgmanager_t) -+ rhcs_stream_connect_gfs_controld(rgmanager_t) - ') - - optional_policy(` -@@ -147,6 +167,12 @@ optional_policy(` - ') - - optional_policy(` -+ ldap_initrc_domtrans(rgmanager_t) -+ ldap_systemctl(rgmanager_t) -+ ldap_domtrans(rgmanager_t) -+') -+ -+optional_policy(` - mount_domtrans(rgmanager_t) - ') - -@@ -174,12 +200,18 @@ optional_policy(` - ') - - optional_policy(` -+ rpc_initrc_domtrans_nfsd(rgmanager_t) -+ rpc_initrc_domtrans_rpcd(rgmanager_t) -+ rpc_systemctl_nfsd(rgmanager_t) -+ rpc_systemctl_rpcd(rgmanager_t) -+ - 
rpc_domtrans_nfsd(rgmanager_t) - rpc_domtrans_rpcd(rgmanager_t) - rpc_manage_nfs_state_data(rgmanager_t) - ') - - optional_policy(` -+ samba_initrc_domtrans(rgmanager_t) - samba_domtrans_smbd(rgmanager_t) - samba_domtrans_nmbd(rgmanager_t) - samba_manage_var_files(rgmanager_t) -@@ -201,5 +233,9 @@ optional_policy(` - ') - - optional_policy(` -+ unconfined_domain(rgmanager_t) -+') -+ -+optional_policy(` - xen_domtrans_xm(rgmanager_t) - ') -diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..98a4280 100644 ---- a/rhcs.fc -+++ b/rhcs.fc -@@ -1,31 +1,85 @@ --/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) --/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) -+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) -+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) -+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0) -+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) - --/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) --/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) --/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) --/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) --/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) --/usr/sbin/gfs_controld -- 
gen_context(system_u:object_r:gfs_controld_exec_t,s0) --/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) --/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) -+/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0) - --/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) -+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) - --/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) -+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0) -+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) - --/var/log/cluster/.*\.*log <> -+/var/log/cluster/.*\.*log <> - /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) --/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) -+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) - /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) --/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) --/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) -+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) -+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) - - /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) --/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) --/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) --/var/run/dlm_controld(/.*)? 
gen_context(system_u:object_r:dlm_controld_var_run_t,s0) --/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) --/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) --/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) --/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) -+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) -+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0) -+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) -+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) -+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) -+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) -+ -+# cluster administrative domains file spec -+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) -+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) -+/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) -+ -+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/corosync -- 
gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) -+ -+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) -+ -+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0) -+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) -+ -+/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) -+/var/run/rsctmp(/.*)? 
gen_context(system_u:object_r:cluster_var_run_t,s0) -+ -+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) -+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) -+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) -+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) -+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) -diff --git a/rhcs.if b/rhcs.if -index 56bc01f..2e4d698 100644 ---- a/rhcs.if -+++ b/rhcs.if -@@ -1,19 +1,19 @@ --## Red Hat Cluster Suite. -+## RHCS - Red Hat Cluster Suite - - ####################################### - ## --## The template to define a rhcs domain. -+## Creates types and rules for a basic -+## rhcs init daemon domain. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix for the domain. - ## - ## - # - template(`rhcs_domain_template',` - gen_require(` -- attribute cluster_domain, cluster_pid, cluster_tmpfs; -- attribute cluster_log; -+ attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log; - ') - - ############################## -@@ -43,33 +43,27 @@ template(`rhcs_domain_template',` - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) - -- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) -- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t) -- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t) -- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t) -- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) -+ 
files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file }) - -- optional_policy(` -- dbus_system_bus_client($1_t) -- ') -+ auth_use_nsswitch($1_t) -+ -+ logging_send_syslog_msg($1_t) - ') - - ###################################### - ## --## Execute a domain transition to --## run dlm_controld. -+## Execute a domain transition to run dlm_controld. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`rhcs_domtrans_dlm_controld',` -@@ -83,27 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',` - - ##################################### - ## --## Get attributes of fenced --## executable files. --## --## --## --## Domain allowed access. --## --## --# --interface(`rhcs_getattr_fenced_exec_files',` -- gen_require(` -- type fenced_exec_t; -- ') -- -- allow $1 fenced_exec_t:file getattr_file_perms; --') -- --##################################### --## --## Connect to dlm_controld with a --## unix domain stream socket. -+## Connect to dlm_controld over a unix domain -+## stream socket. - ## - ## - ## -@@ -122,7 +97,7 @@ interface(`rhcs_stream_connect_dlm_controld',` - - ##################################### - ## --## Read and write dlm_controld semaphores. -+## Allow read and write access to dlm_controld semaphores. - ## - ## - ## -@@ -160,9 +135,27 @@ interface(`rhcs_domtrans_fenced',` - domtrans_pattern($1, fenced_exec_t, fenced_t) - ') - -+##################################### -+## -+## Allow a domain to getattr on fenced executable. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`rhcs_getattr_fenced',` -+ gen_require(` -+ type fenced_t, fenced_exec_t; -+ ') -+ -+ allow $1 fenced_exec_t:file getattr; -+') -+ - ###################################### - ## --## Read and write fenced semaphores. -+## Allow read and write access to fenced semaphores. 
- ## - ## - ## -@@ -181,10 +174,9 @@ interface(`rhcs_rw_fenced_semaphores',` - manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) - ') - --#################################### -+###################################### - ## --## Connect to all cluster domains --## with a unix domain stream socket. -+## Read fenced PID files. - ## - ## - ## -@@ -192,19 +184,18 @@ interface(`rhcs_rw_fenced_semaphores',` - ## - ## - # --interface(`rhcs_stream_connect_cluster',` -+interface(`rhcs_read_fenced_pid_files',` - gen_require(` -- attribute cluster_domain, cluster_pid; -+ type fenced_var_run_t; - ') - - files_search_pids($1) -- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) -+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t) - ') - - ###################################### - ## --## Connect to fenced with an unix --## domain stream socket. -+## Connect to fenced over a unix domain stream socket. - ## - ## - ## -@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',` - - ##################################### - ## --## Execute a domain transition --## to run gfs_controld. -+## Execute a domain transition to run gfs_controld. - ## - ## - ## -@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',` - - #################################### - ## --## Read and write gfs_controld semaphores. -+## Allow read and write access to gfs_controld semaphores. - ## - ## - ## -@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` - - ######################################## - ## --## Read and write gfs_controld_t shared memory. -+## Read and write to gfs_controld_t shared memory. - ## - ## - ## -@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',` - - ##################################### - ## --## Connect to gfs_controld_t with --## a unix domain stream socket. -+## Connect to gfs_controld_t over a unix domain stream socket. 
- ## - ## - ## -@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',` - - ##################################### - ## --## Connect to groupd with a unix --## domain stream socket. -+## Connect to groupd over a unix domain -+## stream socket. - ## - ## - ## -@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',` - stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) - ') - -+##################################### -+## -+## Allow read and write access to groupd semaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rhcs_rw_groupd_semaphores',` -+ gen_require(` -+ type groupd_t, groupd_tmpfs_t; -+ ') -+ -+ allow $1 groupd_t:sem { rw_sem_perms destroy }; -+ -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+') -+ -+######################################## -+## -+## Read and write to group shared memory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rhcs_rw_groupd_shm',` -+ gen_require(` -+ type groupd_t, groupd_tmpfs_t; -+ ') -+ -+ allow $1 groupd_t:shm { rw_shm_perms destroy }; -+ -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+') -+ - ######################################## - ## --## Read and write all cluster domains --## shared memory. -+## Read and write to group shared memory. - ## - ## - ## -@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',` - - #################################### - ## --## Read and write all cluster --## domains semaphores. -+## Read and write access to cluster domains semaphores. - ## - ## - ## -@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',` - allow $1 cluster_domain:sem { rw_sem_perms destroy }; - ') - --##################################### -+#################################### - ## --## Read and write groupd semaphores. -+## Connect to cluster domains over a unix domain -+## stream socket. 
- ##
- ##
- ##
-@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
- ##
- ##
- #
--interface(`rhcs_rw_groupd_semaphores',`
-+interface(`rhcs_stream_connect_cluster',`
- gen_require(`
-- type groupd_t, groupd_tmpfs_t;
-+ attribute cluster_domain, cluster_pid;
- ')
- 
-- allow $1 groupd_t:sem { rw_sem_perms destroy };
--
-- fs_search_tmpfs($1)
-- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
- ')
- 
--########################################
-+#####################################
- ##
--## Read and write groupd shared memory.
-+## Connect to cluster domains over a unix domain
-+## stream socket.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
- #
--interface(`rhcs_rw_groupd_shm',`
-+interface(`rhcs_stream_connect_cluster_to',`
- gen_require(`
-- type groupd_t, groupd_tmpfs_t;
-+ attribute cluster_domain;
-+ attribute cluster_pid;
- ')
- 
-- allow $1 groupd_t:shm { rw_shm_perms destroy };
--
-- fs_search_tmpfs($1)
-- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
- ')
- 
- ######################################
-@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an rhcs environment.
-+## Allow domain to read qdiskd tmpfs files
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`rhcs_read_qdiskd_tmpfs_files',`
-+ gen_require(`
-+ type qdiskd_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
-+')
-+
-+######################################
-+##
-+## Allow domain to read cluster lib files
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`rhcs_admin',`
-+interface(`rhcs_read_cluster_lib_files',`
- gen_require(`
-- attribute cluster_domain, cluster_pid, cluster_tmpfs;
-- attribute cluster_log;
-- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
-- type fenced_tmp_t, qdiskd_var_lib_t;
-+ type cluster_var_lib_t;
- ')
- 
-- allow $1 cluster_domain:process { ptrace signal_perms };
-- ps_process_pattern($1, cluster_domain)
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
-+
-+#####################################
-+##
-+## Allow domain to manage cluster lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_manage_cluster_lib_files',`
-+ gen_require(`
-+ type cluster_var_lib_t;
-+ ')
- 
-- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-- allow $2 system_r;
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
- 
-- files_search_pids($1)
-- admin_pattern($1, cluster_pid)
-+####################################
-+##
-+## Allow domain to relabel cluster lib files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_relabel_cluster_lib_files',`
-+ gen_require(`
-+ type cluster_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
- 
-- files_search_locks($1)
-- admin_pattern($1, fenced_lock_t)
-+######################################
-+##
-+## Execute a domain transition to run cluster administrative domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rhcs_domtrans_cluster',`
-+ gen_require(`
-+ type cluster_t, cluster_exec_t;
-+ ')
- 
-- files_search_tmp($1)
-- admin_pattern($1, fenced_tmp_t)
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cluster_exec_t, cluster_t)
-+')
- 
-- files_search_var_lib($1)
-- admin_pattern($1, qdiskd_var_lib_t)
-+#######################################
-+##
-+## Execute cluster init scripts in
-+## the init script domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rhcs_initrc_domtrans_cluster',`
-+ gen_require(`
-+ type cluster_initrc_exec_t;
-+ ')
- 
-- fs_search_tmpfs($1)
-- admin_pattern($1, cluster_tmpfs)
-+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
-+')
-+
-+#####################################
-+##
-+## Execute cluster in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_exec_cluster',`
-+ gen_require(`
-+ type cluster_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, cluster_exec_t)
-+')
-+
-+######################################
-+##
-+## Read cluster log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_read_log_cluster',`
-+ gen_require(`
-+ type cluster_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
-+ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
-+')
-+
-+######################################
-+##
-+## Setattr cluster log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_setattr_log_cluster',`
-+ gen_require(`
-+ type cluster_var_log_t;
-+ ')
-+
-+ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
-+')
-+
-+#####################################
-+##
-+## Allow the specified domain to read/write inherited cluster's tmpf files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_rw_inherited_cluster_tmp_files',`
-+ gen_require(`
-+ type cluster_tmp_t;
-+ ')
-+
-+ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
-+')
-+
-+#####################################
-+##
-+## Allow manage cluster tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_manage_cluster_tmp_files',`
-+ gen_require(`
-+ type cluster_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
-+')
-+
-+#####################################
-+##
-+## Allow the specified domain to read/write cluster's tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_rw_cluster_tmpfs',`
-+ gen_require(`
-+ type cluster_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
-+')
-+
-+#####################################
-+##
-+## Allow manage cluster tmpfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_manage_cluster_tmpfs_files',`
-+ gen_require(`
-+ type cluster_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
-+')
-+
-+#####################################
-+##
-+## Allow read cluster pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_read_cluster_pid_files',`
-+ gen_require(`
-+ type cluster_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
-+')
-+
-+
-+#####################################
-+##
-+## Allow manage cluster pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhcs_manage_cluster_pid_files',`
-+ gen_require(`
-+ type cluster_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
-+')
-+
-+#######################################
-+##
-+## Execute cluster server in the cluster domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rhcs_systemctl_cluster',`
-+ gen_require(`
-+ type cluster_t;
-+ type cluster_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 cluster_unit_file_t:file read_file_perms;
-+ allow $1 cluster_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cluster_t)
-+')
-+
-+#####################################
-+##
-+## All of the rules required to administrate
-+## an cluster environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed to manage the rgmanager domain.
-+##
-+##
-+##
-+#
-+interface(`rhcs_admin_cluster',`
-+ gen_require(`
-+ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
-+ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
-+ type cluster_unit_file_t;
-+ ')
-+
-+ allow $1 cluster_t:process signal_perms;
-+ ps_process_pattern($1, cluster_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cluster_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 cluster_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, cluster_tmp_t)
-+
-+ admin_pattern($1, cluster_tmpfs_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, cluster_var_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, cluster_var_run_t)
- 
-- logging_search_logs($1)
-- admin_pattern($1, cluster_log)
-+ rhcs_systemctl_cluster($1)
-+ admin_pattern($1, cluster_unit_file_t)
-+ allow $1 cluster_unit_file_t:service all_service_perms;
- ')
-diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..26fba30 100644
---- a/rhcs.te
-+++ b/rhcs.te
-@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
- ##
- gen_tunable(fenced_can_ssh, false)
- 
-+##
-+##
-+## Allow cluster administrative domains to connect to the network using TCP.
-+##
-+##
-+gen_tunable(cluster_can_network_connect, false)
-+
-+##
-+##
-+## Allow cluster administrative domains to manage all files on a system.
-+##
-+##
-+gen_tunable(cluster_manage_all_files, false)
-+
-+##
-+##
-+## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
-+##
-+##
-+gen_tunable(cluster_use_execmem, false)
-+
- attribute cluster_domain;
- attribute cluster_log;
- attribute cluster_pid;
-@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
- init_script_file(foghorn_initrc_exec_t)
- 
- rhcs_domain_template(gfs_controld)
-+rhcs_domain_template(haproxy)
-+
-+type haproxy_var_lib_t;
-+files_type(haproxy_var_lib_t)
-+
-+type haproxy_unit_file_t;
-+systemd_unit_file(haproxy_unit_file_t)
-+
- rhcs_domain_template(groupd)
- rhcs_domain_template(qdiskd)
- 
- type qdiskd_var_lib_t;
- files_type(qdiskd_var_lib_t)
- 
-+# cluster_t is a new domain for administrative generic cluster services
-+# (rgmanager, corosync, hearbeat, cman, pacemaker)
-+rhcs_domain_template(cluster)
-+
-+typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
-+typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
-+typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
-+typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
-+typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
-+
-+type cluster_initrc_exec_t;
-+typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t };
-+init_script_file(cluster_initrc_exec_t)
-+
-+type cluster_tmp_t;
-+typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
-+files_tmp_file(cluster_tmp_t)
-+
-+type cluster_var_lib_t;
-+typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
-+files_type(cluster_var_lib_t)
-+
-+type cluster_unit_file_t;
-+typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
-+systemd_unit_file(cluster_unit_file_t)
-+
- #####################################
- #
- # Common cluster domains local policy
- #
- 
- allow cluster_domain self:capability sys_nice;
--allow cluster_domain self:process setsched;
-+allow cluster_domain self:process { signal setsched };
- allow cluster_domain self:sem create_sem_perms;
- allow cluster_domain self:fifo_file rw_fifo_file_perms;
- allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
- allow cluster_domain self:unix_dgram_socket create_socket_perms;
- 
--logging_send_syslog_msg(cluster_domain)
-+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
-+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
-+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
- 
--miscfiles_read_localization(cluster_domain)
-+tunable_policy(`cluster_use_execmem',`
-+ allow cluster_domain self:process execmem;
-+')
- 
- optional_policy(`
- ccs_stream_connect(cluster_domain)
- ')
- 
- optional_policy(`
-- corosync_stream_connect(cluster_domain)
-+ dbus_system_bus_client(cluster_domain)
-+')
-+
-+#####################################
-+#
-+# cluster domain local policy
-+#
-+
-+allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
-+# for hearbeat
-+allow cluster_t self:capability { net_raw chown };
-+allow cluster_t self:capability2 block_suspend;
-+allow cluster_t self:process { setpgid setrlimit setsched signull };
-+
-+allow cluster_t self:tcp_socket create_stream_socket_perms;
-+allow cluster_t self:shm create_shm_perms;
-+
-+manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
-+manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
-+files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
-+
-+can_exec(cluster_t, cluster_var_lib_t)
-+manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
-+manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
-+manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
-+manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
-+files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
-+
-+can_exec(cluster_t, cluster_exec_t)
-+
-+kernel_kill(cluster_t)
-+kernel_read_all_sysctls(cluster_t)
-+kernel_read_system_state(cluster_t)
-+kernel_rw_rpc_sysctls(cluster_t)
-+kernel_search_debugfs(cluster_t)
-+kernel_search_network_state(cluster_t)
-+
-+corecmd_exec_bin(cluster_t)
-+corecmd_exec_shell(cluster_t)
-+
-+corenet_all_recvfrom_unlabeled(cluster_t)
-+corenet_all_recvfrom_netlabel(cluster_t)
-+corenet_udp_sendrecv_generic_if(cluster_t)
-+corenet_udp_sendrecv_generic_node(cluster_t)
-+corenet_udp_bind_generic_node(cluster_t)
-+
-+corenet_sendrecv_netsupport_server_packets(cluster_t)
-+corenet_udp_bind_netsupport_port(cluster_t)
-+corenet_udp_sendrecv_netsupport_port(cluster_t)
-+
-+corenet_sendrecv_cluster_server_packets(cluster_t)
-+corenet_udp_bind_cluster_port(cluster_t)
-+corenet_udp_sendrecv_cluster_port(cluster_t)
-+
-+# need to write to /dev/misc/dlm-contro
-+dev_rw_dlm_control(cluster_t)
-+dev_setattr_dlm_control(cluster_t)
-+dev_read_sysfs(cluster_t)
-+dev_read_rand(cluster_t)
-+dev_read_urand(cluster_t)
-+
-+domain_read_all_domains_state(cluster_t)
-+
-+fs_getattr_xattr_fs(cluster_t)
-+fs_getattr_all_fs(cluster_t)
-+
-+storage_raw_read_fixed_disk(cluster_t)
-+
-+term_getattr_pty_fs(cluster_t)
-+
-+files_manage_mounttab(cluster_t)
-+# needed by resources scripts
-+files_read_non_security_files(cluster_t)
-+auth_dontaudit_getattr_shadow(cluster_t)
-+
-+init_domtrans_script(cluster_t)
-+init_initrc_domain(cluster_t)
-+init_read_script_state(cluster_t)
-+init_rw_script_tmp_files(cluster_t)
-+init_manage_script_status_files(cluster_t)
-+
-+userdom_read_user_tmp_files(cluster_t)
-+userdom_delete_user_tmpfs_files(cluster_t)
-+userdom_rw_user_tmpfs_files(cluster_t)
-+userdom_kill_all_users(cluster_t)
-+
-+tunable_policy(`cluster_can_network_connect',`
-+ corenet_tcp_connect_all_ports(cluster_t)
-+')
-+
-+# we need to have dirs created with var_run_t in /run/cluster
-+files_create_var_run_dirs(cluster_t)
-+
-+tunable_policy(`cluster_manage_all_files',`
-+ files_getattr_all_symlinks(cluster_t)
-+ files_list_all(cluster_t)
-+ files_manage_mnt_dirs(cluster_t)
-+ files_manage_mnt_files(cluster_t)
-+ files_manage_mnt_symlinks(cluster_t)
-+ files_manage_isid_type_files(cluster_t)
-+ files_manage_isid_type_dirs(cluster_t)
-+ fs_manage_tmpfs_files(cluster_t)
-+')
-+
-+optional_policy(`
-+ ccs_read_config(cluster_t)
-+')
-+
-+optional_policy(`
-+ cmirrord_rw_shm(cluster_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(cluster_t)
-+')
-+
-+optional_policy(`
-+ lvm_domtrans(cluster_t)
-+ lvm_rw_clvmd_tmpfs_files(cluster_t)
-+ lvm_delete_clvmd_tmpfs_files(cluster_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(cluster_t)
-+')
-+
-+
-+optional_policy(`
-+ hostname_exec(cluster_t)
-+')
-+
-+optional_policy(`
-+ ccs_manage_config(cluster_t)
-+ ccs_stream_connect(cluster_t)
-+')
-+
-+optional_policy(`
-+ ldap_systemctl(cluster_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(cluster_t)
-+')
-+
-+optional_policy(`
-+ mysql_domtrans_mysql_safe(cluster_t)
-+ mysql_stream_connect(cluster_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans(cluster_t)
-+ netutils_domtrans_ping(cluster_t)
-+')
-+
-+optional_policy(`
-+ postgresql_signal(cluster_t)
-+')
-+
-+optional_policy(`
-+ rhcs_getattr_fenced(cluster_t)
-+ rhcs_rw_cluster_shm(cluster_t)
-+ rhcs_rw_cluster_semaphores(cluster_t)
-+ rhcs_stream_connect_cluster(cluster_t)
-+ rhcs_relabel_cluster_lib_files(cluster_t)
-+')
-+
-+optional_policy(`
-+ rdisc_exec(cluster_t)
-+')
-+
-+optional_policy(`
-+ ricci_dontaudit_rw_modcluster_pipes(cluster_t)
-+')
-+
-+optional_policy(`
-+ rpc_systemctl_nfsd(cluster_t)
-+ rpc_systemctl_rpcd(cluster_t)
-+
-+ rpc_domtrans_nfsd(cluster_t)
-+ rpc_domtrans_rpcd(cluster_t)
-+ rpc_manage_nfs_state_data(cluster_t)
-+')
-+
-+optional_policy(`
-+ samba_manage_var_files(cluster_t)
-+ samba_rw_config(cluster_t)
-+ samba_signal_smbd(cluster_t)
-+ samba_signal_nmbd(cluster_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(cluster_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(cluster_t)
-+')
-+
-+optional_policy(`
-+ virt_stream_connect(cluster_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(cluster_t)
-+')
-+
-+optional_policy(`
-+ wdmd_rw_tmpfs(cluster_t)
-+')
-+
-+optional_policy(`
-+ xen_domtrans_xm(cluster_t)
- ')
- 
- #####################################
-@@ -79,7 +349,7 @@ optional_policy(`
- # dlm_controld local policy
- #
- 
--allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
-+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
- allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
- stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
- 
- init_rw_script_tmp_files(dlm_controld_t)
- 
-+logging_send_syslog_msg(dlm_controld_t)
-+
-+optional_policy(`
-+ corosync_rw_tmpfs(dlm_controld_t)
-+')
-+
-+optional_policy(`
-+ rhcs_stream_connect_cluster(dlm_controld_t)
-+')
-+
- #######################################
- #
- # fenced local policy
- #
- 
- allow fenced_t self:capability { sys_rawio sys_resource };
--allow fenced_t self:process { getsched signal_perms };
--allow fenced_t self:tcp_socket { accept listen };
-+allow fenced_t self:process { getsched setpgid signal_perms };
-+
-+allow fenced_t self:tcp_socket create_stream_socket_perms;
-+allow fenced_t self:udp_socket create_socket_perms;
- allow fenced_t self:unix_stream_socket connectto;
- 
-+can_exec(fenced_t, fenced_exec_t)
-+
- manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
- files_lock_filetrans(fenced_t, fenced_lock_t, file)
- 
-@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
- 
- stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
- 
--can_exec(fenced_t, fenced_exec_t)
--
- kernel_read_system_state(fenced_t)
-+kernel_read_network_state(fenced_t)
- 
- corecmd_exec_bin(fenced_t)
- corecmd_exec_shell(fenced_t)
-@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
- 
- dev_read_sysfs(fenced_t)
- dev_read_urand(fenced_t)
--
--files_read_usr_files(fenced_t)
--files_read_usr_symlinks(fenced_t)
-+dev_read_rand(fenced_t)
- 
- storage_raw_read_fixed_disk(fenced_t)
- storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
- term_use_generic_ptys(fenced_t)
- term_use_ptmx(fenced_t)
- 
--auth_use_nsswitch(fenced_t)
-+logging_send_syslog_msg(fenced_t)
- 
- tunable_policy(`fenced_can_network_connect',`
- corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +463,8 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- corosync_exec(fenced_t)
-+ rhcs_exec_cluster(fenced_t)
-+ rhcs_rw_cluster_tmpfs(fenced_t)
- ')
- 
- optional_policy(`
-@@ -190,12 +472,12 @@ optional_policy(`
- ')
- 
- optional_policy(`
-- gnome_read_generic_home_content(fenced_t)
-+ lvm_domtrans(fenced_t)
-+ lvm_read_config(fenced_t)
- ')
- 
- optional_policy(`
-- lvm_domtrans(fenced_t)
-- lvm_read_config(fenced_t)
-+ sanlock_domtrans(fenced_t)
- ')
- 
- optional_policy(`
-@@ -203,6 +485,13 @@ optional_policy(`
- snmp_manage_var_lib_dirs(fenced_t)
- ')
- 
-+optional_policy(`
-+ virt_domtrans(fenced_t)
-+ virt_read_config(fenced_t)
-+ virt_read_pid_files(fenced_t)
-+ virt_stream_connect(fenced_t)
-+')
-+
- #######################################
- #
- # foghorn local policy
-@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
- corenet_tcp_connect_agentx_port(foghorn_t)
- corenet_tcp_sendrecv_agentx_port(foghorn_t)
- 
-+corenet_tcp_connect_snmp_port(foghorn_t)
-+
- dev_read_urand(foghorn_t)
- 
--files_read_usr_files(foghorn_t)
-+logging_send_syslog_msg(foghorn_t)
- 
- optional_policy(`
- dbus_connect_system_bus(foghorn_t)
- ')
- 
- optional_policy(`
-- snmp_read_snmp_var_lib_files(foghorn_t)
-+ snmp_manage_var_lib_files(foghorn_t)
- snmp_stream_connect(foghorn_t)
- ')
- 
-@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
- 
- init_rw_script_tmp_files(gfs_controld_t)
- 
-+logging_send_syslog_msg(gfs_controld_t)
-+
- optional_policy(`
- lvm_exec(gfs_controld_t)
- dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
- 
- dev_list_sysfs(groupd_t)
- 
--files_read_etc_files(groupd_t)
--
- init_rw_script_tmp_files(groupd_t)
- 
-+logging_send_syslog_msg(groupd_t)
-+
-+########################################
-+#
-+# haproxy local policy
-+#
-+
-+# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability dac_override;
-+
-+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
-+allow haproxy_t self:process { fork setrlimit signal_perms };
-+allow haproxy_t self:fifo_file rw_fifo_file_perms;
-+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
-+allow haproxy_t self:tcp_socket { accept listen };
-+
-+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
-+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
-+manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
-+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
-+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
-+
-+corenet_tcp_connect_commplex_link_port(haproxy_t)
-+corenet_tcp_connect_commplex_main_port(haproxy_t)
-+corenet_tcp_bind_commplex_main_port(haproxy_t)
-+
-+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
-+corenet_tcp_connect_rtp_media_port(haproxy_t)
-+
-+sysnet_dns_name_resolve(haproxy_t)
-+
- ######################################
- #
- # qdiskd local policy
-@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
- 
- auth_use_nsswitch(qdiskd_t)
- 
-+logging_send_syslog_msg(qdiskd_t)
-+
- optional_policy(`
- netutils_domtrans_ping(qdiskd_t)
- ')
-diff --git a/rhev.fc b/rhev.fc
-new file mode 100644
-index 0000000..4b66adf
---- /dev/null
-+++ b/rhev.fc
-@@ -0,0 +1,13 @@
-+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+
-+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
-+
-+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
-+
-+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
-+/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
-+
-+/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
-+/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
-diff --git a/rhev.if b/rhev.if
-new file mode 100644
-index 0000000..bf11e25
---- /dev/null
-+++ b/rhev.if
-@@ -0,0 +1,76 @@
-+## rhev polic module contains policies for rhev apps
-+
-+#####################################
-+##
-+## Execute rhev-agentd in the rhev_agentd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhev_domtrans_agentd',`
-+ gen_require(`
-+ type rhev_agentd_t, rhev_agentd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
-+')
-+
-+####################################
-+##
-+## Read rhev-agentd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhev_read_pid_files_agentd',`
-+ gen_require(`
-+ type rhev_agentd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+')
-+
-+#####################################
-+##
-+## Connect to rhev_agentd over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhev_stream_connect_agentd',`
-+ gen_require(`
-+ type rhev_agentd_var_run_t, rhev_agentd_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
-+')
-+
-+######################################
-+##
-+## Send sigchld to rhev-agentd
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`rhev_sigchld_agentd',`
-+ gen_require(`
-+ type rhev_agentd_t;
-+ ')
-+
-+ allow $1 rhev_agentd_t:process sigchld;
-+')
-diff --git a/rhev.te b/rhev.te
-new file mode 100644
-index 0000000..26f7884
---- /dev/null
-+++ b/rhev.te
-@@ -0,0 +1,116 @@
-+policy_module(rhev,1.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rhev_agentd_t;
-+type rhev_agentd_exec_t;
-+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
-+
-+type rhev_agentd_unit_file_t;
-+systemd_unit_file(rhev_agentd_unit_file_t)
-+
-+type rhev_agentd_var_run_t;
-+files_pid_file(rhev_agentd_var_run_t)
-+
-+type rhev_agentd_tmp_t;
-+files_tmp_file(rhev_agentd_tmp_t)
-+
-+type rhev_agentd_log_t;
-+logging_log_file(rhev_agentd_log_t)
-+
-+########################################
-+#
-+# rhev_agentd_t local policy
-+#
-+
-+allow rhev_agentd_t self:capability { setuid setgid sys_nice };
-+allow rhev_agentd_t self:process setsched;
-+
-+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
-+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
-+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
-+
-+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
-+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
-+logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
-+
-+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
-+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
-+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
-+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
-+
-+kernel_read_system_state(rhev_agentd_t)
-+kernel_read_kernel_sysctls(rhev_agentd_t)
-+
-+corecmd_exec_bin(rhev_agentd_t)
-+corecmd_exec_shell(rhev_agentd_t)
-+
-+dev_read_urand(rhev_agentd_t)
-+
-+term_use_virtio_console(rhev_agentd_t)
-+
-+fs_getattr_all_fs(rhev_agentd_t)
-+
-+files_getattr_all_mountpoints(rhev_agentd_t)
-+files_search_all_mountpoints(rhev_agentd_t)
-+
-+auth_use_nsswitch(rhev_agentd_t)
-+
-+init_read_utmp(rhev_agentd_t)
-+
-+libs_exec_ldconfig(rhev_agentd_t)
-+logging_send_syslog_msg(rhev_agentd_t)
-+
-+optional_policy(`
-+ rpm_read_db(rhev_agentd_t)
-+ rpm_dontaudit_manage_db(rhev_agentd_t)
-+')
-+
-+optional_policy(`
-+ ssh_signull(rhev_agentd_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(rhev_agentd_t)
-+ dbus_connect_system_bus(rhev_agentd_t)
-+ dbus_session_bus_client(rhev_agentd_t)
-+')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(rhev_agentd_t)
-+ xserver_stream_connect(rhev_agentd_t)
-+')
-+
-+######################################
-+#
-+# rhev_agentd_t consolehelper local policy
-+#
-+
-+optional_policy(`
-+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
-+
-+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
-+ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
-+
-+ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
-+ kernel_read_system_state(rhev_agentd_consolehelper_t)
-+
-+ term_use_virtio_console(rhev_agentd_consolehelper_t)
-+
-+ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
-+
-+ optional_policy(`
-+ dbus_session_bus_client(rhev_agentd_consolehelper_t)
-+ ')
-+
-+ optional_policy(`
-+ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
-+ ')
-+')
-diff --git a/rhgb.if b/rhgb.if
-index 1a134a7..793a29f 100644
---- a/rhgb.if
-+++ b/rhgb.if
-@@ -1,4 +1,4 @@
--## Red Hat Graphical Boot.
-+## Red Hat Graphical Boot
- 
- ########################################
- ##
-@@ -18,7 +18,7 @@ interface(`rhgb_stub',`
- 
- ########################################
- ##
--## Inherit and use rhgb file descriptors.
-+## Use a rhgb file descriptor.
- ##
- ##
- ##
-@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',`
- 
- ########################################
- ##
--## Send generic signals to rhgb.
-+## Send a signal to rhgb.
- ##
- ##
- ##
-@@ -72,8 +72,7 @@ interface(`rhgb_signal',`
- 
- ########################################
- ##
--## Read and write inherited rhgb unix
--## domain stream sockets.
-+## Read and write to unix stream sockets.
- ##
- ##
- ##
-@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
- 
- ########################################
- ##
--## Connected to rhgb with a unix
--## domain stream socket.
-+## Connected to rhgb unix stream socket.
- ##
- ##
- ##
-@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
- #
- interface(`rhgb_stream_connect',`
- gen_require(`
-- type rhgb_t, rhgb_tmpfs_t;
-+ type rhgb_t;
- ')
- 
-- fs_search_tmpfs($1)
-- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
-+ allow $1 rhgb_t:unix_stream_socket connectto;
- ')
- 
- ########################################
-@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',`
- 
- ########################################
- ##
--## Read and write rhgb pty devices.
-+## Read from and write to the rhgb devpts.
- ##
- ##
- ##
-@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',`
- type rhgb_devpts_t;
- ')
- 
-- dev_list_all_dev_nodes($1)
- allow $1 rhgb_devpts_t:chr_file rw_term_perms;
- ')
- 
- ########################################
- ##
--## Do not audit attempts to read and
--## write rhgb pty devices.
-+## dontaudit Read from and write to the rhgb devpts.
- ##
- ##
- ##
-@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',`
- 
- ########################################
- ##
--## Read and write to rhgb tmpfs files.
-+## Read and write to rhgb temporary file system.
- ##
- ##
- ##
-@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
- type rhgb_tmpfs_t;
- ')
- 
--
- fs_search_tmpfs($1)
- allow $1 rhgb_tmpfs_t:file rw_file_perms;
- ')
-diff --git a/rhgb.te b/rhgb.te
-index 3f32e4b..f97ea42 100644
---- a/rhgb.te
-+++ b/rhgb.te
-@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
- corecmd_exec_bin(rhgb_t)
- corecmd_exec_shell(rhgb_t)
- 
--corenet_all_recvfrom_unlabeled(rhgb_t)
- corenet_all_recvfrom_netlabel(rhgb_t)
- corenet_tcp_sendrecv_generic_if(rhgb_t)
- corenet_tcp_sendrecv_generic_node(rhgb_t)
-@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t)
- 
- domain_use_interactive_fds(rhgb_t)
- 
--files_read_etc_files(rhgb_t)
- files_read_var_files(rhgb_t)
- files_read_etc_runtime_files(rhgb_t)
- files_search_tmp(rhgb_t)
--files_read_usr_files(rhgb_t)
- files_mounton_mnt(rhgb_t)
- files_dontaudit_rw_root_dir(rhgb_t)
- files_dontaudit_read_default_files(rhgb_t)
-@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t)
- 
- logging_send_syslog_msg(rhgb_t)
- 
--miscfiles_read_localization(rhgb_t)
- miscfiles_read_fonts(rhgb_t)
- miscfiles_dontaudit_write_fonts(rhgb_t)
- 
-diff --git a/rhnsd.fc b/rhnsd.fc
-new file mode 100644
-index 0000000..1936028
---- /dev/null
-+++ b/rhnsd.fc
-@@ -0,0 +1,5 @@
-+/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
-+
-+/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
-+
-+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
-diff --git a/rhnsd.if b/rhnsd.if
-new file mode 100644
-index 0000000..88087b7
---- /dev/null
-+++ b/rhnsd.if
-@@ -0,0 +1,74 @@
-+## policy for rhnsd
-+
-+########################################
-+##
-+## Transition to rhnsd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`rhnsd_domtrans',`
-+ gen_require(`
-+ type rhnsd_t, rhnsd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
-+')
-+
-+########################################
-+##
-+## Execute rhnsd server in the rhnsd domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rhnsd_initrc_domtrans',`
-+ gen_require(`
-+ type rhnsd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an rhnsd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`rhnsd_admin',`
-+ gen_require(`
-+ type rhnsd_t;
-+ type rhnsd_initrc_exec_t;
-+ ')
-+
-+ allow $1 rhnsd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, rhnsd_t)
-+
-+ rhnsd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rhnsd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/rhnsd.te b/rhnsd.te
-new file mode 100644
-index 0000000..0e965c3
---- /dev/null
-+++ b/rhnsd.te
-@@ -0,0 +1,40 @@
-+policy_module(rhnsd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rhnsd_t;
-+type rhnsd_exec_t;
-+init_daemon_domain(rhnsd_t, rhnsd_exec_t)
-+
-+type rhnsd_var_run_t;
-+files_pid_file(rhnsd_var_run_t)
-+
-+type rhnsd_initrc_exec_t;
-+init_script_file(rhnsd_initrc_exec_t)
-+
-+########################################
-+#
-+# rhnsd local policy
-+#
-+
-+allow rhnsd_t self:capability { kill };
-+allow rhnsd_t self:process { fork signal };
-+allow rhnsd_t self:fifo_file rw_fifo_file_perms;
-+allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, 
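Review bot: `rhnsd_admin` grants `allow $1 rhnsd_t:process { ptrace signal_perms };` unconditionally, whereas the other admin interfaces rewritten in this patch (rhsmcertd_admin, ricci_admin, rng_admin, roundup_admin) grant only `signal_perms` and put ptrace behind `tunable_policy(`deny_ptrace',`',` ... ')`. A brand-new module should follow that pattern so the deny_ptrace boolean also covers rhnsd: `allow $1 rhnsd_t:process signal_perms;` followed by `tunable_policy(`deny_ptrace',`',` allow $1 rhnsd_t:process ptrace; ')`. The `systemd_passwd_agent_exec`/`systemd_read_fifo_file_passwd_run` block has no comment; a one-liner such as `# systemd password-agent access; optional because the systemd module may be absent` would record why it is optional.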
rhnsd_var_run_t)
-+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
-+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
-+
-+corecmd_exec_bin(rhnsd_t)
-+
-+
-+logging_send_syslog_msg(rhnsd_t)
-+
-+optional_policy(`
-+ # execute rhn_check
-+ rpm_domtrans(rhnsd_t)
-+')
-diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905..78746ef 100644
---- a/rhsmcertd.if
-+++ b/rhsmcertd.if
-@@ -1,8 +1,8 @@
--## Subscription Management Certificate Daemon.
-+## Subscription Management Certificate Daemon policy
- 
- ########################################
- ##
--## Execute rhsmcertd in the rhsmcertd domain.
-+## Transition to rhsmcertd.
- ##
- ##
- ##
-@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',`
- 
- ########################################
- ##
--## Execute rhsmcertd init scripts
--## in the initrc domain.
-+## Execute rhsmcertd server in the rhsmcertd domain.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
-@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',`
- 
- ########################################
- ##
--## Read rhsmcertd log files.
-+## Read rhsmcertd's log files.
- ##
- ##
- ##
-@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',`
- 
- ########################################
- ##
--## Append rhsmcertd log files.
-+## Append to rhsmcertd log files.
- ##
- ##
- ##
-@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',`
- 
- ########################################
- ##
--## Create, read, write, and delete
--## rhsmcertd log files.
-+## Manage rhsmcertd log files
- ##
- ##
- ##
-@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',`
- type rhsmcertd_var_lib_t;
- ')
- 
-- files_search_var_lib($1)
- allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
- ')
- 
- ########################################
-@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',`
- 
- ########################################
- ##
--## Create, read, write, and delete
--## rhsmcertd lib files.
-+## Manage rhsmcertd lib files. - ## - ## - ## -@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',` - - ######################################## - ## --## Create, read, write, and delete --## rhsmcertd lib directories. -+## Manage rhsmcertd lib directories. - ## - ## - ## -@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',` - - ######################################## - ## --## Read rhsmcertd pid files. -+## Read rhsmcertd PID files. - ## - ## - ## -@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',` - allow $1 rhsmcertd_var_run_t:file read_file_perms; - ') - --#################################### -+######################################## - ## --## Connect to rhsmcertd with a --## unix domain stream socket. -+## Read/wirte inherited lock files. - ## - ## - ## -@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',` - ## - ## - # -+interface(`rhsmcertd_rw_inherited_lock_files',` -+ gen_require(` -+ type rhsmcertd_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms; -+') -+ -+#################################### -+## -+## Connect to rhsmcertd over a unix domain -+## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# - interface(`rhsmcertd_stream_connect',` - gen_require(` - type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',` - - ###################################### - ## --## Do not audit attempts to send --## and receive messages from --## rhsmcertd over dbus. -+## Dontaudit Send and receive messages from -+## rhsmcertd over dbus. - ## - ## --## --## Domain to not audit. --## -+## -+## Domain allowed access. 
-+## - ## - # - interface(`rhsmcertd_dontaudit_dbus_chat',` -- gen_require(` -- type rhsmcertd_t; -- class dbus send_msg; -- ') -+ gen_require(` -+ type rhsmcertd_t; -+ class dbus send_msg; -+ ') - -- dontaudit $1 rhsmcertd_t:dbus send_msg; -- dontaudit rhsmcertd_t $1:dbus send_msg; -+ dontaudit $1 rhsmcertd_t:dbus send_msg; -+ dontaudit rhsmcertd_t $1:dbus send_msg; - ') - - ######################################## - ## --## All of the rules required to --## administrate an rhsmcertd environment. -+## All of the rules required to administrate -+## an rhsmcertd environment - ## - ## - ## -@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` - ## - ## - ## --## --## Role allowed access. --## -+## -+## Role allowed access. -+## - ## - ## - # -+ - interface(`rhsmcertd_admin',` - gen_require(` - type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; -- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t; -+ type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t; - ') - -- allow $1 rhsmcertd_t:process { ptrace signal_perms }; -+ allow $1 rhsmcertd_t:process signal_perms; - ps_process_pattern($1, rhsmcertd_t) - -- rhsmcertd_initrc_domtrans($1) -- domain_system_change_exemption($1) -- role_transition $2 rhsmcertd_initrc_exec_t system_r; -- allow $2 system_r; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rhsmcertd_t:process ptrace; -+ ') - -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) -+ rhsmcertd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 rhsmcertd_initrc_exec_t system_r; -+ allow $2 system_r; - -- files_search_var_lib($1) -- admin_pattern($1, rhsmcertd_var_lib_t) -+ logging_search_logs($1) -+ admin_pattern($1, rhsmcertd_log_t) - -- files_search_pids($1) -- admin_pattern($1, rhsmcertd_var_run_t) -+ files_search_var_lib($1) -+ admin_pattern($1, rhsmcertd_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, rhsmcertd_var_run_t) -+ -+ files_search_locks($1) -+ 
admin_pattern($1, rhsmcertd_lock_t) - -- files_search_locks($1) -- admin_pattern($1, rhsmcertd_lock_t) - ') -diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..0369e30 100644 ---- a/rhsmcertd.te -+++ b/rhsmcertd.te -@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) - # - - allow rhsmcertd_t self:capability sys_nice; --allow rhsmcertd_t self:process { signal setsched }; -+allow rhsmcertd_t self:process { signal_perms setsched }; -+ - allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; - allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; - - manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) --append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) --create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) --setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) - - manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) - files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) - kernel_read_network_state(rhsmcertd_t) - kernel_read_system_state(rhsmcertd_t) - -+corenet_tcp_connect_http_port(rhsmcertd_t) -+ - corecmd_exec_bin(rhsmcertd_t) -+corecmd_exec_shell(rhsmcertd_t) - - dev_read_sysfs(rhsmcertd_t) - dev_read_rand(rhsmcertd_t) - dev_read_urand(rhsmcertd_t) -+dev_read_raw_memory(rhsmcertd_t) - - files_list_tmp(rhsmcertd_t) --files_read_etc_files(rhsmcertd_t) --files_read_usr_files(rhsmcertd_t) -+files_manage_generic_locks(rhsmcertd_t) -+files_manage_system_conf_files(rhsmcertd_t) -+ -+auth_read_passwd(rhsmcertd_t) - --miscfiles_read_localization(rhsmcertd_t) --miscfiles_read_generic_certs(rhsmcertd_t) -+init_read_state(rhsmcertd_t) -+ -+logging_send_syslog_msg(rhsmcertd_t) -+ -+miscfiles_manage_cert_files(rhsmcertd_t) -+miscfiles_manage_cert_dirs(rhsmcertd_t) - - sysnet_dns_name_resolve(rhsmcertd_t) - - 
optional_policy(` -+ dmidecode_domtrans(rhsmcertd_t) -+') -+ -+optional_policy(` -+ gnome_dontaudit_search_config(rhsmcertd_t) -+') -+ -+optional_policy(` - rpm_read_db(rhsmcertd_t) - ') -diff --git a/ricci.if b/ricci.if -index 2ab3ed1..23d579c 100644 ---- a/ricci.if -+++ b/ricci.if -@@ -1,13 +1,13 @@ --## Ricci cluster management agent. -+## Ricci cluster management agent - - ######################################## - ## - ## Execute a domain transition to run ricci. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`ricci_domtrans',` -@@ -15,19 +15,35 @@ interface(`ricci_domtrans',` - type ricci_t, ricci_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, ricci_exec_t, ricci_t) - ') - --######################################## -+####################################### - ## --## Execute a domain transition to --## run ricci modcluster. -+## Execute ricci server in the ricci domain. - ## - ## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ricci_initrc_domtrans',` -+ gen_require(` -+ type ricci_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, ricci_initrc_exec_t) -+') -+ -+######################################## - ## --## Domain allowed to transition. -+## Execute a domain transition to run ricci_modcluster. - ## -+## -+## -+## Domain allowed to transition. -+## - ## - # - interface(`ricci_domtrans_modcluster',` -@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',` - type ricci_modcluster_t, ricci_modcluster_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) - ') - - ######################################## - ## - ## Do not audit attempts to use --## ricci modcluster file descriptors. -+## ricci_modcluster file descriptors. - ## - ## - ## -@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',` - ######################################## - ## - ## Do not audit attempts to read write --## ricci modcluster unamed pipes. 
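Review bot: `dev_read_raw_memory(rhsmcertd_t)` lets the subscription daemon read raw memory devices, a privilege well beyond reading certificates, while the same hunk adds `dmidecode_domtrans(rhsmcertd_t)` inside `optional_policy`, which presumably exists so that DMI data is read in the dmidecode domain instead; if the transition is the intended path the direct raw-memory read should go, or at least carry `# TODO(review): confirm still needed now that dmidecode_domtrans covers DMI access`. The hunk also replaces `miscfiles_read_generic_certs` with `miscfiles_manage_cert_files`/`miscfiles_manage_cert_dirs` and adds `files_manage_system_conf_files`, i.e. write access to the system-wide certificate store and configuration files; a short comment naming the files rhsmcertd actually writes would let a later reviewer narrow these to a dedicated type.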
-+## ricci_modcluster unamed pipes. - ## - ## - ## -@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` - type ricci_modcluster_t; - ') - -- dontaudit $1 ricci_modcluster_t:fifo_file { read write }; -+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Connect to ricci_modclusterd with --## a unix domain stream socket. -+## Connect to ricci_modclusterd over a unix stream socket. - ## - ## - ## -@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',` - - ######################################## - ## --## Execute a domain transition to --## run ricci modlog. -+## Read and write to ricci_modcluserd temporary file system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ricci_rw_modclusterd_tmpfs_files',` -+ gen_require(` -+ type ricci_modclusterd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## Execute a domain transition to run ricci_modlog. - ## - ## - ## -@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',` - type ricci_modlog_t, ricci_modlog_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) - ') - - ######################################## - ## --## Execute a domain transition to --## run ricci modrpm. -+## Execute a domain transition to run ricci_modrpm. - ## - ## - ## -@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',` - type ricci_modrpm_t, ricci_modrpm_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) - ') - - ######################################## - ## --## Execute a domain transition to --## run ricci modservice. -+## Execute a domain transition to run ricci_modservice. 
- ## - ## - ## -@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',` - type ricci_modservice_t, ricci_modservice_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) - ') - - ######################################## - ## --## Execute a domain transition to --## run ricci modstorage. -+## Execute a domain transition to run ricci_modstorage. - ## - ## - ## -@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',` - type ricci_modstorage_t, ricci_modstorage_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) - ') - -+#################################### -+## -+## Allow the specified domain to manage ricci's lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ricci_manage_lib_files',` -+ gen_require(` -+ type ricci_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) -+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) -+') -+ - ######################################## - ## --## All of the rules required to --## administrate an ricci environment. 
-+## All of the rules required to administrate -+## an ricci environment - ## - ## - ## -@@ -200,10 +245,13 @@ interface(`ricci_admin',` - type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; - ') - -- allow $1 ricci_t:process { ptrace signal_perms }; -+ allow $1 ricci_t:process signal_perms; - ps_process_pattern($1, ricci_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ricci_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, ricci_initrc_exec_t) -+ ricci_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ricci_initrc_exec_t system_r; - allow $2 system_r; -diff --git a/ricci.te b/ricci.te -index 9702ed2..a265af9 100644 ---- a/ricci.te -+++ b/ricci.te -@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) - - corecmd_exec_bin(ricci_t) - --corenet_all_recvfrom_unlabeled(ricci_t) - corenet_all_recvfrom_netlabel(ricci_t) - corenet_tcp_sendrecv_generic_if(ricci_t) - corenet_tcp_sendrecv_generic_node(ricci_t) -@@ -136,7 +135,6 @@ dev_read_urand(ricci_t) - - domain_read_all_domains_state(ricci_t) - --files_read_etc_files(ricci_t) - files_read_etc_runtime_files(ricci_t) - files_create_boot_flag(ricci_t) - -@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t) - - logging_send_syslog_msg(ricci_t) - --miscfiles_read_localization(ricci_t) -+systemd_start_power_services(ricci_t) - - sysnet_dns_name_resolve(ricci_t) - -@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t) - - logging_send_syslog_msg(ricci_modcluster_t) - --miscfiles_read_localization(ricci_modcluster_t) -- --ricci_stream_connect_modclusterd(ricci_modcluster_t) -- - optional_policy(` -- aisexec_stream_connect(ricci_modcluster_t) -- corosync_stream_connect(ricci_modcluster_t) -+ ricci_stream_connect_modclusterd(ricci_modcluster_t) - ') - - optional_policy(` -@@ -271,7 +264,7 @@ optional_policy(` - ') - - optional_policy(` -- rgmanager_stream_connect(ricci_modcluster_t) -+ rhcs_stream_connect_cluster(ricci_modcluster_t) - ') - - 
######################################## -@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) - - logging_send_syslog_msg(ricci_modclusterd_t) - --miscfiles_read_localization(ricci_modclusterd_t) -- - sysnet_domtrans_ifconfig(ricci_modclusterd_t) - - optional_policy(` -- aisexec_stream_connect(ricci_modclusterd_t) -- corosync_stream_connect(ricci_modclusterd_t) --') -- --optional_policy(` - ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) - ccs_read_config(ricci_modclusterd_t) - ') - - optional_policy(` -- rgmanager_stream_connect(ricci_modclusterd_t) -+ rhcs_stream_connect_cluster(ricci_modclusterd_t) - ') - - optional_policy(` -@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t) - - domain_read_all_domains_state(ricci_modlog_t) - --files_read_etc_files(ricci_modlog_t) - files_search_usr(ricci_modlog_t) - - logging_read_generic_logs(ricci_modlog_t) - --miscfiles_read_localization(ricci_modlog_t) - - optional_policy(` - nscd_dontaudit_search_pid(ricci_modlog_t) -@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) - corecmd_exec_bin(ricci_modrpm_t) - - files_search_usr(ricci_modrpm_t) --files_read_etc_files(ricci_modrpm_t) - --miscfiles_read_localization(ricci_modrpm_t) -+logging_send_syslog_msg(ricci_modrpm_t) - - optional_policy(` - oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) -@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t) - corecmd_exec_bin(ricci_modservice_t) - corecmd_exec_shell(ricci_modservice_t) - --files_read_etc_files(ricci_modservice_t) - files_read_etc_runtime_files(ricci_modservice_t) - files_search_usr(ricci_modservice_t) - files_manage_etc_symlinks(ricci_modservice_t) - - init_domtrans_script(ricci_modservice_t) - --miscfiles_read_localization(ricci_modservice_t) -+logging_send_syslog_msg(ricci_modservice_t) - - optional_policy(` - ccs_read_config(ricci_modservice_t) -@@ -460,7 +442,6 @@ optional_policy(` - - allow ricci_modstorage_t self:capability { mknod 
sys_nice }; - allow ricci_modstorage_t self:process { setsched signal }; --dontaudit ricci_modstorage_t self:process ptrace; - allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; - - kernel_read_kernel_sysctls(ricci_modstorage_t) -@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t) - - files_manage_etc_files(ricci_modstorage_t) - files_read_etc_runtime_files(ricci_modstorage_t) --files_read_usr_files(ricci_modstorage_t) - files_read_kernel_modules(ricci_modstorage_t) - -+files_create_default_dir(ricci_modstorage_t) -+files_root_filetrans_default(ricci_modstorage_t, dir) -+files_mounton_default(ricci_modstorage_t) -+files_manage_default_dirs(ricci_modstorage_t) -+files_manage_default_files(ricci_modstorage_t) -+ - storage_raw_read_fixed_disk(ricci_modstorage_t) - - term_dontaudit_use_console(ricci_modstorage_t) - --logging_send_syslog_msg(ricci_modstorage_t) -- --miscfiles_read_localization(ricci_modstorage_t) -+auth_use_nsswitch(ricci_modstorage_t) - --optional_policy(` -- aisexec_stream_connect(ricci_modstorage_t) -- corosync_stream_connect(ricci_modstorage_t) --') -+logging_send_syslog_msg(ricci_modstorage_t) - - optional_policy(` - ccs_stream_connect(ricci_modstorage_t) -diff --git a/rlogin.fc b/rlogin.fc -index f111877..e361ee9 100644 ---- a/rlogin.fc -+++ b/rlogin.fc -@@ -1,5 +1,7 @@ --HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) --HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) -+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) -+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) -+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) -+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) - - /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) - -diff --git a/rlogin.if b/rlogin.if -index 050479d..0e1b364 100644 ---- a/rlogin.if -+++ b/rlogin.if -@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',` 
- ## - ## - # --template(`rlogin_read_home_content',` -+interface(`rlogin_read_home_content',` - gen_require(` - type rlogind_home_t; - ') -diff --git a/rlogin.te b/rlogin.te -index d34cdec..15d7ca6 100644 ---- a/rlogin.te -+++ b/rlogin.te -@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) - allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; - allow rlogind_t self:process signal_perms; - allow rlogind_t self:fifo_file rw_fifo_file_perms; --allow rlogind_t self:tcp_socket { accept listen }; -+allow rlogind_t self:tcp_socket connected_stream_socket_perms; -+# for identd; cjp: this should probably only be inetd_child rules? -+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - - allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty(rlogind_t, rlogind_devpts_t) -@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; - - manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) - manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) --files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file }) - - manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) - files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) - kernel_read_system_state(rlogind_t) - kernel_read_network_state(rlogind_t) - --corenet_all_recvfrom_unlabeled(rlogind_t) - corenet_all_recvfrom_netlabel(rlogind_t) - corenet_tcp_sendrecv_generic_if(rlogind_t) - corenet_udp_sendrecv_generic_if(rlogind_t) -@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t) - corenet_udp_sendrecv_generic_node(rlogind_t) - corenet_tcp_sendrecv_all_ports(rlogind_t) - corenet_udp_sendrecv_all_ports(rlogind_t) -+corenet_tcp_bind_rlogin_port(rlogind_t) -+corenet_tcp_bind_rlogind_port(rlogind_t) - - dev_read_urand(rlogind_t) - -@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t) - fs_search_auto_mountpoints(rlogind_t) 
- 
- auth_domtrans_chk_passwd(rlogind_t)
-+auth_signal_chk_passwd(rlogind_t)
- auth_rw_login_records(rlogind_t)
- auth_use_nsswitch(rlogind_t)
- 
-@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t)
- 
- logging_send_syslog_msg(rlogind_t)
- 
--miscfiles_read_localization(rlogind_t)
--
- seutil_read_config(rlogind_t)
- 
- userdom_search_user_home_dirs(rlogind_t)
- userdom_setattr_user_ptys(rlogind_t)
-+# cjp: this is egregious
-+userdom_read_user_home_content_files(rlogind_t)
-+userdom_search_admin_dir(rlogind_t)
-+userdom_manage_user_tmp_files(rlogind_t)
-+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
- userdom_use_user_terminals(rlogind_t)
-+userdom_home_reader(rlogind_t)
- 
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_nfs(rlogind_t)
-- fs_read_nfs_files(rlogind_t)
-- fs_read_nfs_symlinks(rlogind_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_cifs(rlogind_t)
-- fs_read_cifs_files(rlogind_t)
-- fs_read_cifs_symlinks(rlogind_t)
--')
-+rlogin_read_home_content(rlogind_t)
- 
- optional_policy(`
- kerberos_keytab_template(rlogind, rlogind_t)
-- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
-- kerberos_manage_host_rcache(rlogind_t)
-+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
- ')
- 
- optional_policy(`
-diff --git a/rngd.fc b/rngd.fc
-index 5dd779e..276eb3a 100644
---- a/rngd.fc
-+++ b/rngd.fc
-@@ -1,3 +1,5 @@
- /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
- 
-+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
-+
- /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
-diff --git a/rngd.if b/rngd.if
-index 0e759a2..9c83bc9 100644
---- a/rngd.if
-+++ b/rngd.if
-@@ -2,6 +2,28 @@
- 
- ########################################
- ##
-+## Execute rngd in the rngd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
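Review bot: `userdom_read_user_home_content_files(rlogind_t)` and `userdom_manage_user_tmp_files(rlogind_t)` give the login daemon read access to every user's home content and write access to user tmp files, and the in-line comment `# cjp: this is egregious` shows the author knew it; since the same hunk adds `rlogin_read_home_content(rlogind_t)`, which covers the `.rhosts`/`.rlogin` files that rlogin.fc labels rlogind_home_t, the broad rule should be dropped or placed under a tunable rather than left permanent with a complaint attached. The hunk also deletes the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks and adds `userdom_home_reader(rlogind_t)`; if that interface is the intended replacement, a comment such as `# NFS/CIFS home access now comes from userdom_home_reader` would stop the next reader re-adding the tunables.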
-+## -+## -+# -+interface(`rng_systemctl_rngd',` -+ gen_require(` -+ type rngd_t, rngd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 rngd_unit_file_t:file read_file_perms; -+ allow $1 rngd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, rngd_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an rng environment. - ## -@@ -17,16 +39,24 @@ - ## - ## - # --interface(`rngd_admin',` -+interface(`rng_admin',` - gen_require(` -- type rngd_t, rngd_initrc_exec_t; -+ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t; - ') - -- allow $1 rngd_t:process { ptrace signal_perms }; -+ allow $1 rngd_t:process signal_perms; - ps_process_pattern($1, rngd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rngd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, rngd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rngd_initrc_exec_t system_r; - allow $2 system_r; -+ -+ rng_systemctl_rngd($1) -+ admin_pattern($1, rngd_unit_file_t) -+ allow $1 rngd_unit_file_t:service all_service_perms; - ') -diff --git a/rngd.te b/rngd.te -index 35c1427..2519caa 100644 ---- a/rngd.te -+++ b/rngd.te -@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) - type rngd_initrc_exec_t; - init_script_file(rngd_initrc_exec_t) - -+type rngd_unit_file_t; -+systemd_unit_file(rngd_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -29,8 +32,5 @@ dev_read_urand(rngd_t) - dev_rw_tpm(rngd_t) - dev_write_rand(rngd_t) - --files_read_etc_files(rngd_t) -- - logging_send_syslog_msg(rngd_t) - --miscfiles_read_localization(rngd_t) -diff --git a/roundup.if b/roundup.if -index 975bb6a..ce4f5ea 100644 ---- a/roundup.if -+++ b/roundup.if -@@ -23,8 +23,11 @@ interface(`roundup_admin',` - type roundup_initrc_exec_t; - ') - -- allow $1 roundup_t:process { ptrace signal_perms }; -+ allow $1 roundup_t:process signal_perms; - ps_process_pattern($1, roundup_t) -+ 
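Review bot: `rngd_admin` is renamed to `rng_admin` (and the new interface is `rng_systemctl_rngd`) with no compatibility wrapper, so any policy outside this file that still calls `rngd_admin` will fail to build; the hunk shows no such caller, but every type in the module keeps the `rngd_` prefix (rngd_t, rngd_unit_file_t), so the prefix change looks unintended and is worth confirming. The header of `rng_systemctl_rngd` reads `## Execute rngd in the rngd domain.`, which describes a domain transition rather than what the body does (systemctl execution plus unit-file and service permissions); `## Execute rngd server in the rngd domain.`, matching how the rpc.if hunk documents `rpc_systemctl_nfsd`, would fit. Separately, rngd.fc labels `/usr/lib/systemd/system/rngd.*` with an unescaped dot, so the pattern matches any unit whose name merely starts with `rngd`.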
tunable_policy(`deny_ptrace',`',` -+ allow $1 roundup_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/roundup.te b/roundup.te -index 353960c..3b74aae 100644 ---- a/roundup.te -+++ b/roundup.te -@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) - - corecmd_exec_bin(roundup_t) - --corenet_all_recvfrom_unlabeled(roundup_t) - corenet_all_recvfrom_netlabel(roundup_t) - corenet_tcp_sendrecv_generic_if(roundup_t) - corenet_tcp_sendrecv_generic_node(roundup_t) -@@ -60,16 +59,11 @@ dev_read_urand(roundup_t) - - domain_use_interactive_fds(roundup_t) - --files_read_etc_files(roundup_t) --files_read_usr_files(roundup_t) -- - fs_getattr_all_fs(roundup_t) - fs_search_auto_mountpoints(roundup_t) - - logging_send_syslog_msg(roundup_t) - --miscfiles_read_localization(roundup_t) -- - sysnet_dns_name_resolve(roundup_t) - - userdom_dontaudit_use_unpriv_user_fds(roundup_t) -diff --git a/rpc.fc b/rpc.fc -index a6fb30c..b0c22f7 100644 ---- a/rpc.fc -+++ b/rpc.fc -@@ -1,12 +1,23 @@ --/etc/exports -- gen_context(system_u:object_r:exports_t,s0) -+# -+# /etc -+# -+/etc/exports -- gen_context(system_u:object_r:exports_t,s0) -+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - --/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) --/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) --/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) -+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) - --/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) --/sbin/sm-notify -- 
gen_context(system_u:object_r:rpcd_exec_t,s0) -+# -+# /sbin -+# -+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - -+# -+# /usr -+# - /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) - /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) - /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +27,11 @@ - /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) - /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - --/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) -+# -+# /var -+# -+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) - - /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) --/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) -+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) -+ -diff --git a/rpc.if b/rpc.if -index 3bd6446..eec0a35 100644 ---- a/rpc.if -+++ b/rpc.if -@@ -1,4 +1,4 @@ --## Remote Procedure Call Daemon. -+## Remote Procedure Call Daemon for managment of network based process communication - - ######################################## - ## -@@ -20,15 +20,21 @@ interface(`rpc_stub',` - ## - ## The template to define a rpc domain. - ## --## -+## -+##
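Review bot: `/usr/lib/systemd/system/rpc.*` and `/usr/lib/systemd/system/nfs.*` leave the dot unescaped, so `rpc.*` matches every unit file whose name begins with `rpc` — including units that belong to other modules such as rpcbind — and labels them rpcd_unit_file_t, while the other entries in this file escape literal dots (`rpc\.statd\.pid`). If the wide match is deliberate, a comment above the two lines, e.g. `# intentionally also covers rpcbind and other rpc* units`, documents it; otherwise list the intended unit names or narrow the regex. The same unescaped `rngd.*` pattern appears in the rngd.fc hunk.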

    -+## This template creates a domain to be used for -+## a new rpc daemon. -+##

    -+##
    -+## - ## --## Domain prefix to be used. -+## The type of daemon to be used. - ## - ## - # - template(`rpc_domain_template',` - gen_require(` -- attribute rpc_domain; -+ type var_lib_nfs_t; - ') - - ######################################## -@@ -36,18 +42,86 @@ template(`rpc_domain_template',` - # Declarations - # - -- type $1_t, rpc_domain; -+ type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) -- - domain_use_interactive_fds($1_t) - -- ######################################## -+ #################################### - # -- # Policy -+ # Local Policy - # - -+ dontaudit $1_t self:capability { net_admin sys_tty_config }; -+ allow $1_t self:capability net_bind_service; -+ allow $1_t self:process signal_perms; -+ allow $1_t self:unix_dgram_socket create_socket_perms; -+ allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ allow $1_t self:tcp_socket create_stream_socket_perms; -+ allow $1_t self:udp_socket create_socket_perms; -+ -+ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) -+ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) -+ -+ kernel_list_proc($1_t) -+ kernel_read_proc_symlinks($1_t) -+ kernel_read_kernel_sysctls($1_t) -+ # bind to arbitary unused ports -+ kernel_rw_rpc_sysctls($1_t) -+ -+ dev_read_sysfs($1_t) -+ dev_read_urand($1_t) -+ dev_read_rand($1_t) -+ -+ corenet_all_recvfrom_netlabel($1_t) -+ corenet_tcp_sendrecv_generic_if($1_t) -+ corenet_udp_sendrecv_generic_if($1_t) -+ corenet_tcp_sendrecv_generic_node($1_t) -+ corenet_udp_sendrecv_generic_node($1_t) -+ corenet_tcp_sendrecv_all_ports($1_t) -+ corenet_udp_sendrecv_all_ports($1_t) -+ corenet_tcp_bind_generic_node($1_t) -+ corenet_udp_bind_generic_node($1_t) -+ corenet_tcp_bind_reserved_port($1_t) -+ corenet_tcp_connect_all_ports($1_t) -+ corenet_sendrecv_portmap_client_packets($1_t) -+ # do not log when it tries to bind to a port belonging to another domain -+ corenet_dontaudit_tcp_bind_all_ports($1_t) -+ corenet_dontaudit_udp_bind_all_ports($1_t) -+ # 
bind to arbitary unused ports -+ corenet_tcp_bind_generic_port($1_t) -+ corenet_udp_bind_generic_port($1_t) -+ corenet_tcp_bind_all_rpc_ports($1_t) -+ corenet_udp_bind_all_rpc_ports($1_t) -+ corenet_sendrecv_generic_server_packets($1_t) -+ -+ fs_rw_rpc_named_pipes($1_t) -+ fs_search_auto_mountpoints($1_t) -+ -+ files_read_etc_files($1_t) -+ files_read_etc_runtime_files($1_t) -+ files_search_var($1_t) -+ files_search_var_lib($1_t) -+ files_list_home($1_t) -+ - auth_use_nsswitch($1_t) -+ -+ logging_send_syslog_msg($1_t) -+ -+ -+ userdom_dontaudit_use_unpriv_user_fds($1_t) -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_t) -+ ') -+ -+ optional_policy(` -+ seutil_sigchld_newrole($1_t) -+ ') -+ -+ optional_policy(` -+ udev_read_db($1_t) -+ ') - ') - - ######################################## -@@ -66,8 +140,8 @@ interface(`rpc_udp_send',` - - ######################################## - ## --## Do not audit attempts to get --## attributes of export files. -+## Do not audit attempts to get the attributes -+## of the NFS export file. - ## - ## - ## -@@ -80,12 +154,12 @@ interface(`rpc_dontaudit_getattr_exports',` - type exports_t; - ') - -- dontaudit $1 exports_t:file getattr; -+ dontaudit $1 exports_t:file getattr_file_perms; - ') - - ######################################## - ## --## Read export files. -+## Allow read access to exports. - ## - ## - ## -@@ -103,7 +177,7 @@ interface(`rpc_read_exports',` - - ######################################## - ## --## Write export files. -+## Allow write access to exports. - ## - ## - ## -@@ -116,12 +190,12 @@ interface(`rpc_write_exports',` - type exports_t; - ') - -- allow $1 exports_t:file write; -+ allow $1 exports_t:file write_file_perms; - ') - - ######################################## - ## --## Execute nfsd in the nfsd domain. -+## Execute domain in nfsd domain. 
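Review bot: the template no longer adds the created domain to the `rpc_domain` attribute (`type $1_t, rpc_domain;` becomes `type $1_t;`, and the preceding hunk drops `attribute rpc_domain;` from gen_require), so any rule elsewhere written against `rpc_domain` silently stops applying to domains built from this template; if the attribute is being retired on purpose, the template's header comment should say so. The inlined rule set gives every rpc daemon `corenet_tcp_connect_all_ports($1_t)` and `corenet_tcp_bind_reserved_port($1_t)`, which is broad for a shared template; each deserves a why-comment like the existing `# bind to arbitary unused ports`, which is itself pasted twice (above `kernel_rw_rpc_sysctls` and above `corenet_tcp_bind_generic_port`) and misspells "arbitrary". `files_read_etc_files($1_t)` is added here while the rest of this patch removes that call from other .te files; a comment on why rpc domains still need it explicitly would help.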
- ## - ## - ## -@@ -134,14 +208,12 @@ interface(`rpc_domtrans_nfsd',` - type nfsd_t, nfsd_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, nfsd_exec_t, nfsd_t) - ') - - ####################################### - ## --## Execute nfsd init scripts in --## the initrc domain. -+## Execute domain in nfsd domain. - ## - ## - ## -@@ -159,7 +231,7 @@ interface(`rpc_initrc_domtrans_nfsd',` - - ######################################## - ## --## Execute rpcd in the rpcd domain. -+## Execute nfsd server in the nfsd domain. - ## - ## - ## -@@ -167,120 +239,126 @@ interface(`rpc_initrc_domtrans_nfsd',` - ## - ## - # --interface(`rpc_domtrans_rpcd',` -+interface(`rpc_systemctl_nfsd',` - gen_require(` -- type rpcd_t, rpcd_exec_t; -+ type nfsd_unit_file_t; -+ type nfsd_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, rpcd_exec_t, rpcd_t) -+ systemd_exec_systemctl($1) -+ allow $1 nfsd_unit_file_t:file read_file_perms; -+ allow $1 nfsd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, nfsd_t) - ') - --####################################### -+######################################## - ## --## Execute rpcd init scripts in --## the initrc domain. -+## Send kill signals to rpcd. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`rpc_initrc_domtrans_rpcd',` -+interface(`rpc_kill_rpcd',` - gen_require(` -- type rpcd_initrc_exec_t; -+ type rpcd_t; - ') - -- init_labeled_script_domtrans($1, rpcd_initrc_exec_t) -+ allow $1 rpcd_t:process sigkill; - ') - - ######################################## - ## --## Read nfs exported content. -+## Execute domain in rpcd domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
- ## - ## --## - # --interface(`rpc_read_nfs_content',` -+interface(`rpc_domtrans_rpcd',` - gen_require(` -- type nfsd_ro_t, nfsd_rw_t; -+ type rpcd_t, rpcd_exec_t; - ') - -- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; -- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; -- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; -+ domtrans_pattern($1, rpcd_exec_t, rpcd_t) -+ allow rpcd_t $1:process signal; - ') - - ######################################## - ## --## Create, read, write, and delete --## nfs exported read write content. -+## Execute rpcd in the rcpd domain, and -+## allow the specified role the rpcd domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## -+## -+## -+## Role allowed access. -+## -+## - ## - # --interface(`rpc_manage_nfs_rw_content',` -+interface(`rpc_run_rpcd',` - gen_require(` -- type nfsd_rw_t; -+ type rpcd_t; - ') - -- manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) -- manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) -- manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) -+ rpc_domtrans_rpcd($1) -+ role $2 types rpcd_t; - ') - --######################################## -+####################################### - ## --## Create, read, write, and delete --## nfs exported read only content. -+## Execute domain in rpcd domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## --## - # --interface(`rpc_manage_nfs_ro_content',` -+interface(`rpc_initrc_domtrans_rpcd',` - gen_require(` -- type nfsd_ro_t; -+ type rpcd_initrc_exec_t; - ') - -- manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) -- manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) -- manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) -+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t) - ') - - ######################################## - ## --## Read and write to nfsd tcp sockets. -+## Execute rpcd server in the rpcd domain. - ## - ## - ## --## Domain allowed access. 
-+## Domain allowed to transition. - ## - ## - # --interface(`rpc_tcp_rw_nfs_sockets',` -+interface(`rpc_systemctl_rpcd',` - gen_require(` -- type nfsd_t; -+ type rpcd_unit_file_t; -+ type rpcd_t; - ') - -- allow $1 nfsd_t:tcp_socket rw_socket_perms; -+ systemd_exec_systemctl($1) -+ allow $1 rpcd_unit_file_t:file read_file_perms; -+ allow $1 rpcd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, rpcd_t) - ') - - ######################################## - ## --## Read and write to nfsd udp sockets. -+## Allow domain to read and write to an NFS UDP socket. - ## - ## - ## -@@ -312,7 +390,7 @@ interface(`rpc_udp_send_nfs',` - - ######################################## - ## --## Search nfs lib directories. -+## Search NFS state data in /var/lib/nfs. - ## - ## - ## -@@ -326,12 +404,12 @@ interface(`rpc_search_nfs_state_data',` - ') - - files_search_var_lib($1) -- allow $1 var_lib_nfs_t:dir search; -+ allow $1 var_lib_nfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read nfs lib files. -+## List NFS state data in /var/lib/nfs. - ## - ## - ## -@@ -339,19 +417,18 @@ interface(`rpc_search_nfs_state_data',` - ## - ## - # --interface(`rpc_read_nfs_state_data',` -+interface(`rpc_list_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) -- read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -+ allow $1 var_lib_nfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## nfs lib files. -+## Read NFS state data in /var/lib/nfs. 
- ## - ## - ## -@@ -359,62 +436,31 @@ interface(`rpc_read_nfs_state_data',` - ## - ## - # --interface(`rpc_manage_nfs_state_data',` -+interface(`rpc_read_nfs_state_data',` - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) -- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an rpc environment. -+## Manage NFS state data in /var/lib/nfs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Role allowed access. --## --## --## - # --interface(`rpc_admin',` -+interface(`rpc_manage_nfs_state_data',` - gen_require(` -- attribute rpc_domain; -- type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; -- type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; -- type nfsd_ro_t, nfsd_rw_t; -+ type var_lib_nfs_t; - ') - -- allow $1 rpc_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, rpc_domain) -- -- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r; -- allow $2 system_r; -- -- files_list_etc($1) -- admin_pattern($1, exports_t) -- -- files_list_var_lib($1) -- admin_pattern($1, var_lib_nfs_t) -- -- files_list_pids($1) -- admin_pattern($1, rpcd_var_run_t) -- -- files_list_all($1) -- admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) -- -- files_list_tmp($1) -- admin_pattern($1, gssd_tmp_t) -- -- fs_search_nfsd_fs($1) -+ files_search_var_lib($1) -+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -+ allow $1 var_lib_nfs_t:file relabel_file_perms; - ') -diff --git a/rpc.te b/rpc.te -index e5212e6..022f7fc 100644 ---- a/rpc.te -+++ b/rpc.te -@@ -1,4 +1,4 @@ --policy_module(rpc, 1.14.6) -+policy_module(rpc, 1.14.0) - - ######################################## - # -@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6) - # - - ## --##

    --## Determine whether gssd can read --## generic user temporary content. --##

    -+##

    -+## Allow gssd to list tmp directories and read the kerberos credential cache. -+##

    - ##
    --gen_tunable(allow_gssd_read_tmp, false) -+gen_tunable(gssd_read_tmp, true) - - ## --##

    --## Determine whether nfs can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. --##

    -+##

    -+## Allow nfs servers to modify public files -+## used for public file transfer services. Files/Directories must be -+## labeled public_content_rw_t. -+##

    - ##
    --gen_tunable(allow_nfsd_anon_write, false) -- --attribute rpc_domain; -+gen_tunable(nfsd_anon_write, false) - - type exports_t; - files_config_file(exports_t) -@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t) - type rpcd_var_run_t; - files_pid_file(rpcd_var_run_t) - -+# rpcd_t is the domain of rpc daemons. -+# rpc_exec_t is the type of rpc daemon programs. - rpc_domain_template(rpcd) - - type rpcd_initrc_exec_t; - init_script_file(rpcd_initrc_exec_t) - -+type rpcd_unit_file_t; -+systemd_unit_file(rpcd_unit_file_t) -+ - rpc_domain_template(nfsd) - - type nfsd_initrc_exec_t; - init_script_file(nfsd_initrc_exec_t) - --type nfsd_rw_t; --files_type(nfsd_rw_t) -- --type nfsd_ro_t; --files_type(nfsd_ro_t) -+type nfsd_unit_file_t; -+systemd_unit_file(nfsd_unit_file_t) - - type var_lib_nfs_t; - files_mountpoint(var_lib_nfs_t) - - ######################################## - # --# Common rpc domain local policy --# -- --dontaudit rpc_domain self:capability { net_admin sys_tty_config }; --allow rpc_domain self:process signal_perms; --allow rpc_domain self:unix_stream_socket { accept listen }; --allow rpc_domain self:tcp_socket { accept listen }; -- --manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) --manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) -- --kernel_read_system_state(rpc_domain) --kernel_read_kernel_sysctls(rpc_domain) --kernel_rw_rpc_sysctls(rpc_domain) -- --dev_read_sysfs(rpc_domain) --dev_read_urand(rpc_domain) --dev_read_rand(rpc_domain) -- --corenet_all_recvfrom_unlabeled(rpc_domain) --corenet_all_recvfrom_netlabel(rpc_domain) --corenet_tcp_sendrecv_generic_if(rpc_domain) --corenet_udp_sendrecv_generic_if(rpc_domain) --corenet_tcp_sendrecv_generic_node(rpc_domain) --corenet_udp_sendrecv_generic_node(rpc_domain) --corenet_tcp_sendrecv_all_ports(rpc_domain) --corenet_udp_sendrecv_all_ports(rpc_domain) --corenet_tcp_bind_generic_node(rpc_domain) --corenet_udp_bind_generic_node(rpc_domain) -- 
--corenet_sendrecv_all_server_packets(rpc_domain) --corenet_tcp_bind_reserved_port(rpc_domain) --corenet_tcp_connect_all_ports(rpc_domain) --corenet_sendrecv_portmap_client_packets(rpc_domain) --corenet_dontaudit_tcp_bind_all_ports(rpc_domain) --corenet_dontaudit_udp_bind_all_ports(rpc_domain) --corenet_tcp_bind_generic_port(rpc_domain) --corenet_udp_bind_generic_port(rpc_domain) --corenet_tcp_bind_all_rpc_ports(rpc_domain) --corenet_udp_bind_all_rpc_ports(rpc_domain) -- --fs_rw_rpc_named_pipes(rpc_domain) --fs_search_auto_mountpoints(rpc_domain) -- --files_read_etc_runtime_files(rpc_domain) --files_read_usr_files(rpc_domain) --files_list_home(rpc_domain) -- --logging_send_syslog_msg(rpc_domain) -- --miscfiles_read_localization(rpc_domain) -- --userdom_dontaudit_use_unpriv_user_fds(rpc_domain) -- --optional_policy(` -- rpcbind_stream_connect(rpc_domain) --') -- --optional_policy(` -- seutil_sigchld_newrole(rpc_domain) --') -- --optional_policy(` -- udev_read_db(rpc_domain) --') -- --######################################## --# --# Local policy -+# RPC local policy - # - - allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; - allow rpcd_t self:capability2 block_suspend; -+ - allow rpcd_t self:process { getcap setcap }; - allow rpcd_t self:fifo_file rw_fifo_file_perms; - -+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; - manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) - manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) - files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) - -+# rpc.statd executes sm-notify - can_exec(rpcd_t, rpcd_exec_t) - -+kernel_read_system_state(rpcd_t) - kernel_read_network_state(rpcd_t) -+# for rpc.rquotad - kernel_read_sysctl(rpcd_t) - kernel_rw_fs_sysctls(rpcd_t) - kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t) - - storage_getattr_fixed_disk_dev(rpcd_t) - -+init_read_utmp(rpcd_t) -+ - selinux_dontaudit_read_fs(rpcd_t) - - 
miscfiles_read_generic_certs(rpcd_t) - --seutil_dontaudit_search_config(rpcd_t) -- --userdom_signal_all_users(rpcd_t) -+userdom_signal_unpriv_users(rpcd_t) -+userdom_read_user_home_content_files(rpcd_t) - - optional_policy(` - automount_signal(rpcd_t) -@@ -174,19 +110,23 @@ optional_policy(` - ') - - optional_policy(` -- nis_read_ypserv_config(rpcd_t) -+ domain_unconfined_signal(rpcd_t) - ') - - optional_policy(` -- quota_manage_db_files(rpcd_t) -+ quota_manage_db(rpcd_t) - ') - - optional_policy(` -- rgmanager_manage_tmp_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) - ') - - optional_policy(` -- unconfined_signal(rpcd_t) -+ quota_read_db(rpcd_t) -+') -+ -+optional_policy(` -+ rhcs_manage_cluster_tmp_files(rpcd_t) - ') - - ######################################## -@@ -195,41 +135,56 @@ optional_policy(` - # - - allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; -+dontaudit nfsd_t self:capability sys_rawio; - - allow nfsd_t exports_t:file read_file_perms; --allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - -+# for /proc/fs/nfs/exports - should we have a new type? 
-+kernel_read_system_state(nfsd_t) - kernel_read_network_state(nfsd_t) - kernel_dontaudit_getattr_core_if(nfsd_t) - kernel_setsched(nfsd_t) - kernel_request_load_module(nfsd_t) --# kernel_mounton_proc(nfsd_t) -+kernel_mounton_proc(nfsd_t) -+ -+corecmd_exec_shell(nfsd_t) - --corenet_sendrecv_nfs_server_packets(nfsd_t) -+corenet_tcp_bind_all_rpc_ports(nfsd_t) -+corenet_udp_bind_all_rpc_ports(nfsd_t) - corenet_tcp_bind_nfs_port(nfsd_t) - corenet_udp_bind_nfs_port(nfsd_t) -- --corecmd_exec_shell(nfsd_t) -+corenet_udp_bind_mountd_port(nfsd_t) -+corenet_tcp_bind_mountd_port(nfsd_t) - - dev_dontaudit_getattr_all_blk_files(nfsd_t) - dev_dontaudit_getattr_all_chr_files(nfsd_t) - dev_rw_lvm_control(nfsd_t) - -+# does not really need this, but it is easier to just allow it -+files_search_pids(nfsd_t) -+# for exportfs and rpc.mountd - files_getattr_tmp_dirs(nfsd_t) -+# cjp: this should really have its own type - files_manage_mounttab(nfsd_t) -+files_read_etc_runtime_files(nfsd_t) - -+fs_mounton_nfsd_fs(nfsd_t) - fs_mount_nfsd_fs(nfsd_t) - fs_getattr_all_fs(nfsd_t) - fs_getattr_all_dirs(nfsd_t) --fs_rw_nfsd_fs(nfsd_t) --# fs_manage_nfsd_fs(nfsd_t) -+fs_manage_nfsd_fs(nfsd_t) - - storage_dontaudit_read_fixed_disk(nfsd_t) - storage_raw_read_removable_device(nfsd_t) - -+# Read access to public_content_t and public_content_rw_t - miscfiles_read_public_files(nfsd_t) - --tunable_policy(`allow_nfsd_anon_write',` -+userdom_filetrans_home_content(nfsd_t) -+userdom_list_user_tmp(nfsd_t) -+ -+# Write access to public_content_t and public_content_rw_t -+tunable_policy(`nfsd_anon_write',` - miscfiles_manage_public_files(nfsd_t) - ') - -@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',` - dev_getattr_all_chr_files(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) -- files_manage_non_auth_files(nfsd_t) - ') - - tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',` - - fs_read_noxattr_fs_files(nfsd_t) - -- files_list_non_auth_dirs(nfsd_t) -- 
files_read_non_auth_files(nfsd_t) -+ files_read_non_security_files(nfsd_t) - ') - - optional_policy(` - mount_exec(nfsd_t) -+ mount_manage_pid_files(nfsd_t) - ') - - ######################################## -@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) - manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) - files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) - -+kernel_read_system_state(gssd_t) - kernel_read_network_state(gssd_t) - kernel_read_network_state_symlinks(gssd_t) - kernel_request_load_module(gssd_t) -@@ -279,25 +234,29 @@ kernel_signal(gssd_t) - - corecmd_exec_bin(gssd_t) - --fs_list_inotifyfs(gssd_t) - fs_list_rpc(gssd_t) - fs_rw_rpc_sockets(gssd_t) - fs_read_rpc_files(gssd_t) --fs_read_nfs_files(gssd_t) -+fs_read_nfsd_files(gssd_t) - -+fs_list_inotifyfs(gssd_t) - files_list_tmp(gssd_t) -+files_read_usr_symlinks(gssd_t) - files_dontaudit_write_var_dirs(gssd_t) - -+auth_use_nsswitch(gssd_t) - auth_manage_cache(gssd_t) - - miscfiles_read_generic_certs(gssd_t) - - userdom_signal_all_users(gssd_t) - --tunable_policy(`allow_gssd_read_tmp',` -+tunable_policy(`gssd_read_tmp',` - userdom_list_user_tmp(gssd_t) - userdom_read_user_tmp_files(gssd_t) - userdom_read_user_tmp_symlinks(gssd_t) -+ userdom_manage_user_tmp_files(gssd_t) -+ files_read_generic_tmp_files(gssd_t) - ') - - optional_policy(` -@@ -306,8 +265,11 @@ optional_policy(` - - optional_policy(` - kerberos_keytab_template(gssd, gssd_t) -- kerberos_manage_host_rcache(gssd_t) -- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") -+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") -+') -+ -+optional_policy(` -+ gssproxy_stream_connect(gssd_t) - ') - - optional_policy(` -diff --git a/rpcbind.if b/rpcbind.if -index 3b5e9ee..ff1163f 100644 ---- a/rpcbind.if -+++ b/rpcbind.if -@@ -1,4 +1,4 @@ --## Universal Addresses to RPC Program Number Mapper. 
-+## Universal Addresses to RPC Program Number Mapper - - ######################################## - ## -@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',` - type rpcbind_t, rpcbind_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) - ') - - ######################################## - ## --## Connect to rpcbindd with a --## unix domain stream socket. -+## Connect to rpcbindd over an unix stream socket. - ## - ## - ## -@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',` - - ######################################## - ## --## Read rpcbind pid files. -+## Read rpcbind PID files. - ## - ## - ## -@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',` - type rpcbind_var_lib_t; - ') - -- files_search_var_lib($1) - allow $1 rpcbind_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) - ') - - ######################################## -@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',` - type rpcbind_var_lib_t; - ') - -- files_search_var_lib($1) - read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) -+ files_search_var_lib($1) - ') - - ######################################## -@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',` - type rpcbind_var_lib_t; - ') - -- files_search_var_lib($1) - manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) -+ files_search_var_lib($1) - ') - - ######################################## - ## --## Send null signals to rpcbind. -+## Send a null signal to rpcbind. - ## - ## - ## -@@ -136,8 +134,44 @@ interface(`rpcbind_signull',` - - ######################################## - ## --## All of the rules required to --## administrate an rpcbind environment. -+## Transition to rpcbind named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`rpcbind_filetrans_named_content',` -+ gen_require(` -+ type rpcbind_var_run_t; -+ ') -+ -+ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock") -+') -+ -+######################################## -+## -+## Relabel from rpcbind sock file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpcbind_relabel_sock_file',` -+ gen_require(` -+ type rpcbind_var_run_t; -+ ') -+ -+ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an rpcbind environment - ## - ## - ## -@@ -146,7 +180,7 @@ interface(`rpcbind_signull',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the rpcbind domain. - ## - ## - ## -@@ -157,17 +191,20 @@ interface(`rpcbind_admin',` - type rpcbind_initrc_exec_t; - ') - -- allow $1 rpcbind_t:process { ptrace signal_perms }; -+ allow $1 rpcbind_t:process signal_perms; - ps_process_pattern($1, rpcbind_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rpcbind_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) -+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, rpcbind_var_run_t) -- -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, rpcbind_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, rpcbind_var_run_t) - ') -diff --git a/rpcbind.te b/rpcbind.te -index c49828c..56cb0c2 100644 ---- a/rpcbind.te -+++ b/rpcbind.te -@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t) - kernel_read_network_state(rpcbind_t) - kernel_request_load_module(rpcbind_t) - --corenet_all_recvfrom_unlabeled(rpcbind_t) - corenet_all_recvfrom_netlabel(rpcbind_t) - corenet_tcp_sendrecv_generic_if(rpcbind_t) - corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ 
-62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t) - - domain_use_interactive_fds(rpcbind_t) - --files_read_etc_files(rpcbind_t) - files_read_etc_runtime_files(rpcbind_t) - --logging_send_syslog_msg(rpcbind_t) -+auth_use_nsswitch(rpcbind_t) - --miscfiles_read_localization(rpcbind_t) -+logging_send_syslog_msg(rpcbind_t) - - sysnet_dns_name_resolve(rpcbind_t) - -diff --git a/rpm.fc b/rpm.fc -index ebe91fc..6392cad 100644 ---- a/rpm.fc -+++ b/rpm.fc -@@ -1,61 +1,72 @@ --/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) -- --/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - -+/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) --/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) -+ -+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) - - /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - 
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -- --ifdef(`distro_redhat',` --/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) --/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) --/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --') -+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) --/var/cache/yum(/.*)? 
gen_context(system_u:object_r:rpm_var_cache_t,s0) -+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+ifdef(`distro_redhat', ` -+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) -+') -+ -+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -+/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - --/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) -+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+/var/lib/dnf(/.*)? 
gen_context(system_u:object_r:rpm_var_lib_t,s0) - --/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) --/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) -+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) - --/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - --/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) --/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -+ -+# SuSE -+ifdef(`distro_suse', ` -+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -+') - - ifdef(`enable_mls',` --/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) - ') -diff --git a/rpm.if b/rpm.if -index 0628d50..cafc027 100644 ---- a/rpm.if -+++ b/rpm.if -@@ -1,8 +1,8 @@ --## Redhat package manager. -+## Policy for the RPM package manager. - - ######################################## - ## --## Execute rpm in the rpm domain. -+## Execute rpm programs in the rpm domain. - ## - ## - ## -@@ -13,16 +13,18 @@ - interface(`rpm_domtrans',` - gen_require(` - type rpm_t, rpm_exec_t; -+ attribute rpm_transition_domain; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) -+ typeattribute $1 rpm_transition_domain; -+ rpm_debuginfo_domtrans($1) - ') - - ######################################## - ## --## Execute debuginfo install --## in the rpm domain. -+## Execute debuginfo_install programs in the rpm domain. 
- ## - ## - ## -@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',` - - ######################################## - ## --## Execute rpm scripts in the rpm script domain. -+## Execute rpm_script programs in the rpm_script domain. - ## - ## - ## -@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',` - type rpm_script_t; - ') - -+ # transition to rpm script: - corecmd_shell_domtrans($1, rpm_script_t) -- - allow rpm_script_t $1:fd use; -- allow rpm_script_t $1:fifo_file rw_fifo_file_perms; -+ allow rpm_script_t $1:fifo_file rw_file_perms; - allow rpm_script_t $1:process sigchld; - ') - - ######################################## - ## --## Execute rpm in the rpm domain, --## and allow the specified roles the --## rpm domain. -+## Execute RPM programs in the RPM domain. - ## - ## - ## -@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',` - ## - ## - ## --## Role allowed access. -+## The role to allow the RPM domain. - ## - ## - ## - # - interface(`rpm_run',` - gen_require(` -- attribute_role rpm_roles; -+ type rpm_t, rpm_script_t; -+ attribute_role rpm_script_roles; - ') - - rpm_domtrans($1) -- roleattribute $2 rpm_roles; -+ roleattribute $2 rpm_script_roles; -+ -+ domain_system_change_exemption($1) -+ role_transition $2 rpm_exec_t system_r; -+ allow $2 system_r; - ') - - ######################################## - ## --## Execute the rpm in the caller domain. -+## Execute the rpm client in the caller domain. - ## - ## - ## -@@ -109,7 +114,7 @@ interface(`rpm_exec',` - - ######################################## - ## --## Send null signals to rpm. -+## Send a null signal to rpm. - ## - ## - ## -@@ -127,7 +132,7 @@ interface(`rpm_signull',` - - ######################################## - ## --## Inherit and use file descriptors from rpm. -+## Inherit and use file descriptors from RPM. - ## - ## - ## -@@ -145,7 +150,7 @@ interface(`rpm_use_fds',` - - ######################################## - ## --## Read rpm unnamed pipes. -+## Read from an unnamed RPM pipe. 
- ## - ## - ## -@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',` - - ######################################## - ## --## Read and write rpm unnamed pipes. -+## Read and write an unnamed RPM pipe. - ## - ## - ## -@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',` - - ######################################## - ## -+## Read and write an unnamed RPM script pipe. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_rw_script_inherited_pipes',` -+ gen_require(` -+ type rpm_script_tmp_t; -+ ') -+ -+ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## -+## dontaudit read and write an leaked file descriptors -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`rpm_dontaudit_leaks',` -+ gen_require(` -+ type rpm_t, rpm_var_cache_t; -+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t; -+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; -+ ') -+ -+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit $1 rpm_t:tcp_socket { read write }; -+ dontaudit $1 rpm_t:unix_dgram_socket { read write }; -+ dontaudit $1 rpm_t:shm rw_shm_perms; -+ -+ dontaudit $1 rpm_script_t:fd use; -+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; -+ -+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms; -+ -+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; -+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; -+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; -+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; -+ dontaudit $1 rpm_var_lib_t:dir getattr; -+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; -+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## rpm over dbus. 
- ## -@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',` - ######################################## - ## - ## Send and receive messages from --## rpm script over dbus. -+## rpm_script over dbus. - ## - ## - ## -@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',` - - ######################################## - ## --## Search rpm log directories. -+## Search RPM log directory. - ## - ## - ## -@@ -263,7 +322,8 @@ interface(`rpm_search_log',` - - ##################################### - ## --## Append rpm log files. -+## Allow the specified domain to append -+## to rpm log files. - ## - ## - ## -@@ -276,14 +336,30 @@ interface(`rpm_append_log',` - type rpm_log_t; - ') - -- logging_search_logs($1) -- append_files_pattern($1, rpm_log_t, rpm_log_t) -+ allow $1 rpm_log_t:file append_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. -+## Create, read, write, and delete the RPM log. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_read_log',` -+ gen_require(` -+ type rpm_log_t; -+ ') -+ -+ read_files_pattern($1, rpm_log_t, rpm_log_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete the RPM log. - ## - ## - ## -@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` - - ######################################## - ## --## Inherit and use rpm script file descriptors. -+## Inherit and use file descriptors from RPM scripts. - ## - ## - ## -@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` - - ######################################## - ## --## Create, read, write, and delete --## rpm script temporary files. -+## Create, read, write, and delete RPM -+## script temporary files. 
- ## - ## - ## -@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` - ') - - files_search_tmp($1) -+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) -+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - ') - - ##################################### - ## --## Append rpm temporary files. -+## Allow the specified domain to append -+## to rpm tmp files. - ## - ## - ## -@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` - type rpm_tmp_t; - ') - -- files_search_tmp($1) -- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -+ allow $1 rpm_tmp_t:file append_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm temporary files. -+## Create, read, write, and delete RPM -+## temporary files. - ## - ## - ## -@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` - ') - - files_search_tmp($1) -+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) -+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t) - ') - - ######################################## - ## --## Read rpm script temporary files. -+## Read RPM script temporary files. - ## - ## - ## -@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` - - ######################################## - ## --## Read rpm cache content. -+## Read the RPM cache. - ## - ## - ## -@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` - - ######################################## - ## --## Create, read, write, and delete --## rpm cache content. -+## Create, read, write, and delete the RPM package database. - ## - ## - ## -@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` - - ######################################## - ## --## Read rpm lib content. -+## Read the RPM package database. 
- ## - ## - ## -@@ -459,11 +538,12 @@ interface(`rpm_read_db',` - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) -+ rpm_read_cache($1) - ') - - ######################################## - ## --## Delete rpm lib files. -+## Delete the RPM package database. - ## - ## - ## -@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` - - ######################################## - ## --## Create, read, write, and delete --## rpm lib files. -+## Create, read, write, and delete the RPM package database. - ## - ## - ## -@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` - - ######################################## - ## -+## Do not audit attempts to create, read,the RPM package database. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`rpm_dontaudit_read_db',` -+ gen_require(` -+ type rpm_var_lib_t; -+ ') -+ -+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms; -+ dontaudit $1 rpm_var_lib_t:file read_file_perms; -+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to create, read, --## write, and delete rpm lib content. -+## write, and delete the RPM package database. - ## - ## - ## -@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` - type rpm_var_lib_t; - ') - -- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; -+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; - ') -@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` - - ##################################### - ## --## Create, read, write, and delete --## rpm pid files. -+## Create, read, write, and delete rpm pid files. - ## - ## - ## -@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` - - ###################################### - ## --## Create files in pid directories --## with the rpm pid file type. 
-+## Create files in /var/run with the rpm pid file type. - ## - ## - ## -@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` - ## - # - interface(`rpm_pid_filetrans',` -- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.') -- rpm_pid_filetrans_rpm_pid($1, file) -+ gen_require(` -+ type rpm_var_run_t; -+ ') -+ -+ files_pid_filetrans($1, rpm_var_run_t, file) - ') - - ######################################## - ## --## Create specified objects in pid directories --## with the rpm pid file type. -+## Send a null signal to rpm. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`rpm_pid_filetrans_rpm_pid',` -+interface(`rpm_inherited_fifo',` - gen_require(` -- type rpm_var_run_t; -+ attribute rpm_transition_domain; - ') - -- files_pid_filetrans($1, rpm_var_run_t, $3, $4) -+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; - ') - -+ - ######################################## - ## --## All of the rules required to --## administrate an rpm environment. -+## Make rpm_exec_t an entry point for -+## the specified domain. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`rpm_entry_type',` -+ gen_require(` -+ type rpm_exec_t; -+ ') -+ -+ domain_entry_file($1, rpm_exec_t) -+') -+ -+######################################## -+## -+## Allow application to transition to rpm_script domain. -+## -+## - ## --## Role allowed access. -+## Domain allowed access. 
- ## - ## --## - # --interface(`rpm_admin',` -+interface(`rpm_transition_script',` - gen_require(` -- type rpm_t, rpm_script_t, rpm_initrc_exec_t; -- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; -- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; -- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; -+ type rpm_script_t; -+ attribute rpm_transition_domain; - ') - -- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { rpm_t rpm_script_t }) -+ typeattribute $1 rpm_transition_domain; -+ allow $1 rpm_script_t:process transition; - -- init_labeled_script_domtrans($1, rpm_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 rpm_initrc_exec_t system_r; -- allow $2 system_r; -- -- admin_pattern($1, rpm_file_t) -- -- files_list_var($1) -- admin_pattern($1, rpm_cache_t) -- -- files_list_tmp($1) -- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) -- -- files_list_var_lib($1) -- admin_pattern($1, rpm_var_lib_t) -- -- files_search_locks($1) -- admin_pattern($1, rpm_lock_t) -- -- logging_list_logs($1) -- admin_pattern($1, rpm_log_t) -- -- files_list_pids($1) -- admin_pattern($1, rpm_var_run_t) -- -- fs_search_tmpfs($1) -- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t } -- -- rpm_run($1, $2) -+ allow $1 rpm_script_t:fd use; -+ allow rpm_script_t $1:fd use; -+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms; -+ allow rpm_script_t $1:process sigchld; - ') -diff --git a/rpm.te b/rpm.te -index 5cbe81c..5b28e97 100644 ---- a/rpm.te -+++ b/rpm.te -@@ -1,15 +1,13 @@ --policy_module(rpm, 1.15.3) -+policy_module(rpm, 1.15.0) -+ -+attribute rpm_transition_domain; -+attribute_role rpm_script_roles; -+roleattribute system_r rpm_script_roles; - - ######################################## - # - # Declarations - # -- --attribute_role rpm_roles; -- --type debuginfo_exec_t; --domain_entry_file(rpm_t, debuginfo_exec_t) -- - type rpm_t; - type rpm_exec_t; - init_system_domain(rpm_t, rpm_exec_t) -@@ -17,10 +15,10 @@ 
domain_obj_id_change_exemption(rpm_t) - domain_role_change_exemption(rpm_t) - domain_system_change_exemption(rpm_t) - domain_interactive_fd(rpm_t) --role rpm_roles types rpm_t; -+role rpm_script_roles types rpm_t; - --type rpm_initrc_exec_t; --init_script_file(rpm_initrc_exec_t) -+type debuginfo_exec_t; -+domain_entry_file(rpm_t, debuginfo_exec_t) - - type rpm_file_t; - files_type(rpm_file_t) -@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t) - type rpm_tmpfs_t; - files_tmpfs_file(rpm_tmpfs_t) - --type rpm_lock_t; --files_lock_file(rpm_lock_t) -- - type rpm_log_t; - logging_log_file(rpm_log_t) - -@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t) - domain_type(rpm_script_t) - domain_entry_file(rpm_t, rpm_script_exec_t) - domain_interactive_fd(rpm_script_t) --role rpm_roles types rpm_script_t; --role system_r types rpm_script_t; -+role rpm_script_roles types rpm_script_t; - - type rpm_script_tmp_t; - files_tmp_file(rpm_script_tmp_t) -@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t) - # rpm Local policy - # - -+allow rpm_t self:capability2 block_suspend; - allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; - allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; - allow rpm_t self:process { getattr setexec setfscreate setrlimit }; - allow rpm_t self:fd use; - allow rpm_t self:fifo_file rw_fifo_file_perms; -+allow rpm_t self:unix_dgram_socket create_socket_perms; -+allow rpm_t self:unix_stream_socket rw_stream_socket_perms; - allow rpm_t self:unix_dgram_socket sendto; --allow rpm_t self:unix_stream_socket { accept connectto listen }; --allow rpm_t self:udp_socket connect; --allow rpm_t self:tcp_socket { accept listen }; -+allow rpm_t self:unix_stream_socket connectto; -+allow rpm_t self:udp_socket { connect }; -+allow rpm_t self:udp_socket create_socket_perms; -+allow rpm_t self:tcp_socket create_stream_socket_perms; - allow rpm_t 
self:shm create_shm_perms; - allow rpm_t self:sem create_sem_perms; - allow rpm_t self:msgq create_msgq_perms; - allow rpm_t self:msg { send receive }; --allow rpm_t self:file rw_file_perms; -+allow rpm_t self:dir search; -+allow rpm_t self:file rw_file_perms;; - allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; - --allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+allow rpm_t rpm_log_t:file manage_file_perms; - logging_log_filetrans(rpm_t, rpm_log_t, file) - - manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) - manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) - files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) -+can_exec(rpm_t, rpm_tmp_t) - - manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+can_exec(rpm_t, rpm_tmpfs_t) - - manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) - files_var_filetrans(rpm_t, rpm_var_cache_t, dir) - --manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t) --files_lock_filetrans(rpm_t, rpm_lock_t, file) -- --manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) -+# Access /var/lib/rpm files - manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) --files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file }) -+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) - - manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) - manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) --files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file }) -- --can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t }) -+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) - - 
kernel_read_crypto_sysctls(rpm_t) - kernel_read_network_state(rpm_t) -@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t) - - corecmd_exec_all_executables(rpm_t) - --corenet_all_recvfrom_unlabeled(rpm_t) - corenet_all_recvfrom_netlabel(rpm_t) - corenet_tcp_sendrecv_generic_if(rpm_t) -+corenet_raw_sendrecv_generic_if(rpm_t) -+corenet_udp_sendrecv_generic_if(rpm_t) - corenet_tcp_sendrecv_generic_node(rpm_t) -+corenet_raw_sendrecv_generic_node(rpm_t) -+corenet_udp_sendrecv_generic_node(rpm_t) - corenet_tcp_sendrecv_all_ports(rpm_t) -- --corenet_sendrecv_all_client_packets(rpm_t) -+corenet_udp_sendrecv_all_ports(rpm_t) - corenet_tcp_connect_all_ports(rpm_t) -+corenet_sendrecv_all_client_packets(rpm_t) - - dev_list_sysfs(rpm_t) - dev_list_usbfs(rpm_t) - dev_read_urand(rpm_t) - dev_read_raw_memory(rpm_t) -- - dev_manage_all_dev_nodes(rpm_t) --dev_relabel_all_dev_nodes(rpm_t) - -+#devices_manage_all_device_types(rpm_t) - dev_create_generic_blk_files(rpm_t) - dev_create_generic_chr_files(rpm_t) -- --domain_read_all_domains_state(rpm_t) --domain_getattr_all_domains(rpm_t) --domain_use_interactive_fds(rpm_t) --domain_dontaudit_getattr_all_pipes(rpm_t) --domain_dontaudit_getattr_all_tcp_sockets(rpm_t) --domain_dontaudit_getattr_all_udp_sockets(rpm_t) --domain_dontaudit_getattr_all_packet_sockets(rpm_t) --domain_dontaudit_getattr_all_raw_sockets(rpm_t) --domain_dontaudit_getattr_all_stream_sockets(rpm_t) --domain_dontaudit_getattr_all_dgram_sockets(rpm_t) --domain_signull_all_domains(rpm_t) -- --files_exec_etc_files(rpm_t) --files_relabel_non_auth_files(rpm_t) --files_manage_non_auth_files(rpm_t) -+dev_delete_all_blk_files(rpm_t) -+dev_delete_all_chr_files(rpm_t) -+dev_relabel_all_dev_nodes(rpm_t) -+dev_rename_generic_blk_files(rpm_t) -+dev_rename_generic_chr_files(rpm_t) -+dev_setattr_all_blk_files(rpm_t) -+dev_setattr_all_chr_files(rpm_t) - - fs_getattr_all_dirs(rpm_t) - fs_list_inotifyfs(rpm_t) -@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t) - 
selinux_compute_user_contexts(rpm_t) - - storage_raw_write_fixed_disk(rpm_t) -+# for installing kernel packages - storage_raw_read_fixed_disk(rpm_t) - - term_list_ptys(rpm_t) - -+files_relabel_all_files(rpm_t) -+files_manage_all_files(rpm_t) - auth_dontaudit_read_shadow(rpm_t) - auth_use_nsswitch(rpm_t) - -+# transition to rpm script: - rpm_domtrans_script(rpm_t) - -+domain_read_all_domains_state(rpm_t) -+domain_getattr_all_domains(rpm_t) -+domain_use_interactive_fds(rpm_t) -+domain_dontaudit_getattr_all_pipes(rpm_t) -+domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -+domain_dontaudit_getattr_all_udp_sockets(rpm_t) -+domain_dontaudit_getattr_all_packet_sockets(rpm_t) -+domain_dontaudit_getattr_all_raw_sockets(rpm_t) -+domain_dontaudit_getattr_all_stream_sockets(rpm_t) -+domain_dontaudit_getattr_all_dgram_sockets(rpm_t) -+domain_signull_all_domains(rpm_t) -+ -+files_exec_etc_files(rpm_t) -+ - init_domtrans_script(rpm_t) - init_use_script_ptys(rpm_t) - init_signull_script(rpm_t) - - libs_exec_ld_so(rpm_t) - libs_exec_lib_files(rpm_t) --libs_run_ldconfig(rpm_t, rpm_roles) - - logging_send_syslog_msg(rpm_t) - -+miscfiles_filetrans_named_content(rpm_t) -+ -+# allow compiling and loading new policy - seutil_manage_src_policy(rpm_t) - seutil_manage_bin_policy(rpm_t) - --userdom_use_user_terminals(rpm_t) -+userdom_use_inherited_user_terminals(rpm_t) - userdom_use_unpriv_users_fds(rpm_t) - - optional_policy(` -@@ -224,13 +233,17 @@ optional_policy(` - networkmanager_dbus_chat(rpm_t) - ') - -- optional_policy(` -- unconfined_dbus_chat(rpm_t) -- ') - ') - - optional_policy(` -- prelink_run(rpm_t, rpm_roles) -+ prelink_domtrans(rpm_t) -+') -+ -+optional_policy(` -+ unconfined_domain_noaudit(rpm_t) -+ # yum-updatesd requires this -+ unconfined_dbus_chat(rpm_t) -+ unconfined_dbus_chat(rpm_script_t) - ') - - ######################################## -@@ -239,18 +252,20 @@ optional_policy(` - # - - allow rpm_script_t self:capability { chown dac_override dac_read_search fowner 
fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; -+ - allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; - allow rpm_script_t self:fd use; - allow rpm_script_t self:fifo_file rw_fifo_file_perms; -+allow rpm_script_t self:unix_dgram_socket create_socket_perms; -+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; - allow rpm_script_t self:unix_dgram_socket sendto; --allow rpm_script_t self:unix_stream_socket { accept connectto listen }; -+allow rpm_script_t self:unix_stream_socket connectto; - allow rpm_script_t self:shm create_shm_perms; - allow rpm_script_t self:sem create_sem_perms; - allow rpm_script_t self:msgq create_msgq_perms; - allow rpm_script_t self:msg { send receive }; - allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; -- --allow rpm_script_t rpm_t:netlink_route_socket { read write }; -+allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; - - allow rpm_script_t rpm_tmp_t:file read_file_perms; - -@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) - manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) - manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) - fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+can_exec(rpm_script_t, rpm_script_tmpfs_t) - --can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t }) -+allow rpm_script_t rpm_t:netlink_route_socket { read write }; - - kernel_read_crypto_sysctls(rpm_script_t) - kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t) - kernel_list_all_proc(rpm_script_t) - kernel_read_software_raid_state(rpm_script_t) - --corenet_all_recvfrom_unlabeled(rpm_script_t) --corenet_all_recvfrom_netlabel(rpm_script_t) --corenet_tcp_sendrecv_generic_if(rpm_script_t) 
--corenet_tcp_sendrecv_generic_node(rpm_script_t) -- --corenet_sendrecv_http_client_packets(rpm_script_t) -+# needed by rhn_check - corenet_tcp_connect_http_port(rpm_script_t) --corenet_tcp_sendrecv_http_port(rpm_script_t) -- --corecmd_exec_all_executables(rpm_script_t) - - dev_list_sysfs(rpm_script_t) -+ -+# ideally we would not need this - dev_manage_generic_blk_files(rpm_script_t) - dev_manage_generic_chr_files(rpm_script_t) - dev_manage_all_blk_files(rpm_script_t) - dev_manage_all_chr_files(rpm_script_t) - --domain_read_all_domains_state(rpm_script_t) --domain_getattr_all_domains(rpm_script_t) --domain_use_interactive_fds(rpm_script_t) --domain_signal_all_domains(rpm_script_t) --domain_signull_all_domains(rpm_script_t) -- --files_exec_etc_files(rpm_script_t) --files_exec_usr_files(rpm_script_t) --files_manage_non_auth_files(rpm_script_t) --files_relabel_non_auth_files(rpm_script_t) -- - fs_manage_nfs_files(rpm_script_t) - fs_getattr_nfs(rpm_script_t) - fs_search_all(rpm_script_t) - fs_getattr_all_fs(rpm_script_t) -+# why is this not using mount? 
- fs_getattr_xattr_fs(rpm_script_t) - fs_mount_xattr_fs(rpm_script_t) - fs_unmount_xattr_fs(rpm_script_t) - fs_search_auto_mountpoints(rpm_script_t) - --mcs_killall(rpm_script_t) -- - mls_file_read_all_levels(rpm_script_t) - mls_file_write_all_levels(rpm_script_t) - -@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t) - - term_getattr_unallocated_ttys(rpm_script_t) - term_list_ptys(rpm_script_t) --term_use_all_terms(rpm_script_t) -+term_use_all_inherited_terms(rpm_script_t) - - auth_dontaudit_getattr_shadow(rpm_script_t) - auth_use_nsswitch(rpm_script_t) - -+corecmd_exec_all_executables(rpm_script_t) -+can_exec(rpm_script_t, rpm_script_tmp_t) -+can_exec(rpm_script_t, rpm_script_tmpfs_t) -+ -+domain_read_all_domains_state(rpm_script_t) -+domain_getattr_all_domains(rpm_script_t) -+domain_use_interactive_fds(rpm_script_t) -+domain_signal_all_domains(rpm_script_t) -+domain_signull_all_domains(rpm_script_t) -+ -+# ideally we would not need this -+files_manage_all_files(rpm_script_t) -+files_exec_etc_files(rpm_script_t) -+files_read_etc_runtime_files(rpm_script_t) -+files_exec_usr_files(rpm_script_t) -+files_relabel_all_files(rpm_script_t) -+ - init_domtrans_script(rpm_script_t) - init_telinit(rpm_script_t) - -+systemd_config_all_services(rpm_script_t) -+ - libs_exec_ld_so(rpm_script_t) - libs_exec_lib_files(rpm_script_t) --libs_run_ldconfig(rpm_script_t, rpm_roles) -+libs_ldconfig_exec_entry_type(rpm_script_t) - - logging_send_syslog_msg(rpm_script_t) - --miscfiles_read_localization(rpm_script_t) -- --modutils_run_depmod(rpm_script_t, rpm_roles) --modutils_run_insmod(rpm_script_t, rpm_roles) -+miscfiles_filetrans_named_content(rpm_script_t) - --seutil_run_loadpolicy(rpm_script_t, rpm_roles) --seutil_run_setfiles(rpm_script_t, rpm_roles) --seutil_run_semanage(rpm_script_t, rpm_roles) -+seutil_run_loadpolicy(rpm_script_t, rpm_script_roles) -+seutil_run_setfiles(rpm_script_t, rpm_script_roles) -+seutil_run_semanage(rpm_script_t, rpm_script_roles) 
-+seutil_run_setsebool(rpm_script_t, rpm_script_roles) - - userdom_use_all_users_fds(rpm_script_t) -+userdom_exec_admin_home_files(rpm_script_t) - - ifdef(`distro_redhat',` - optional_policy(` -@@ -363,41 +379,61 @@ ifdef(`distro_redhat',` - ') - ') - --tunable_policy(`allow_execmem',` -+tunable_policy(`deny_execmem',`',` - allow rpm_script_t self:process execmem; - ') - - optional_policy(` -- bootloader_run(rpm_script_t, rpm_roles) -+ bootloader_run(rpm_script_t, rpm_script_roles) -+') -+ -+optional_policy(` -+ certmonger_dbus_chat(rpm_script_t) -+') -+ -+optional_policy(` -+ cups_filetrans_named_content(rpm_script_t) - ') - - optional_policy(` - dbus_system_bus_client(rpm_script_t) - -- optional_policy(` -- unconfined_dbus_chat(rpm_script_t) -- ') -+ optional_policy(` -+ systemd_dbus_chat_logind(rpm_script_t) -+ ') -+') -+ -+optional_policy(` -+ lvm_domtrans(rpm_script_t, rpm_script_roles) -+') -+ -+optional_policy(` -+ ntp_run(rpm_script_t, rpm_script_roles) - ') - - optional_policy(` -- lvm_run(rpm_script_t, rpm_roles) -+ modutils_run_depmod(rpm_script_t, rpm_script_roles) -+ modutils_run_insmod(rpm_script_t, rpm_script_roles) - ') - - optional_policy(` -- ntp_domtrans(rpm_script_t) -+ openshift_initrc_run(rpm_script_t, rpm_script_roles) - ') - - optional_policy(` -- tzdata_run(rpm_t, rpm_roles) -- tzdata_run(rpm_script_t, rpm_roles) -+ tzdata_domtrans(rpm_t) -+ tzdata_run(rpm_script_t, rpm_script_roles) - ') - - optional_policy(` -- udev_domtrans(rpm_script_t) -+ udev_run(rpm_script_t, rpm_script_roles) - ') - - optional_policy(` -+ unconfined_domain_noaudit(rpm_script_t) - unconfined_domtrans(rpm_script_t) -+ domain_named_filetrans(rpm_script_t) -+ - - optional_policy(` - java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +445,6 @@ optional_policy(` - ') - - optional_policy(` -- usermanage_run_groupadd(rpm_script_t, rpm_roles) -- usermanage_run_useradd(rpm_script_t, rpm_roles) -+ usermanage_run_groupadd(rpm_script_t, rpm_script_roles) -+ 
usermanage_run_useradd(rpm_script_t, rpm_script_roles) - ') -diff --git a/rshd.fc b/rshd.fc -index 9ad0d58..6a4db03 100644 ---- a/rshd.fc -+++ b/rshd.fc -@@ -1,3 +1,4 @@ -+ - /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) - - /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) -diff --git a/rshd.if b/rshd.if -index 7ad29c0..2e87d76 100644 ---- a/rshd.if -+++ b/rshd.if -@@ -2,7 +2,7 @@ - - ######################################## - ## --## Execute rshd in the rshd domain. -+## Domain transition to rshd. - ## - ## - ## -@@ -15,6 +15,7 @@ interface(`rshd_domtrans',` - type rshd_exec_t, rshd_t; - ') - -+ files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, rshd_exec_t, rshd_t) - ') -diff --git a/rshd.te b/rshd.te -index f842825..24cf46d 100644 ---- a/rshd.te -+++ b/rshd.te -@@ -1,62 +1,75 @@ --policy_module(rshd, 1.7.1) -+policy_module(rshd, 1.7.0) - - ######################################## - # - # Declarations - # -- - type rshd_t; - type rshd_exec_t; --auth_login_pgm_domain(rshd_t) - inetd_tcp_service_domain(rshd_t, rshd_exec_t) -+domain_subj_id_change_exemption(rshd_t) -+domain_role_change_exemption(rshd_t) -+role system_r types rshd_t; - - ######################################## - # - # Local policy - # -- - allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; --allow rshd_t self:process { signal_perms setsched setpgid setexec }; -+allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; - allow rshd_t self:fifo_file rw_fifo_file_perms; - allow rshd_t self:tcp_socket create_stream_socket_perms; - - kernel_read_kernel_sysctls(rshd_t) - --corenet_all_recvfrom_unlabeled(rshd_t) - corenet_all_recvfrom_netlabel(rshd_t) - corenet_tcp_sendrecv_generic_if(rshd_t) -+corenet_udp_sendrecv_generic_if(rshd_t) - corenet_tcp_sendrecv_generic_node(rshd_t) -+corenet_udp_sendrecv_generic_node(rshd_t) - corenet_tcp_sendrecv_all_ports(rshd_t) 
-+corenet_udp_sendrecv_all_ports(rshd_t) - corenet_tcp_bind_generic_node(rshd_t) -- --corenet_sendrecv_all_server_packets(rshd_t) - corenet_tcp_bind_rsh_port(rshd_t) - corenet_tcp_bind_all_rpc_ports(rshd_t) - corenet_tcp_connect_all_ports(rshd_t) - corenet_tcp_connect_all_rpc_ports(rshd_t) -+corenet_sendrecv_rsh_server_packets(rshd_t) -+ -+dev_read_urand(rshd_t) -+ -+domain_interactive_fd(rshd_t) -+ -+selinux_get_fs_mount(rshd_t) -+selinux_validate_context(rshd_t) -+selinux_compute_access_vector(rshd_t) -+selinux_compute_create_context(rshd_t) -+selinux_compute_relabel_context(rshd_t) -+selinux_compute_user_contexts(rshd_t) - - corecmd_read_bin_symlinks(rshd_t) - - files_list_home(rshd_t) -+files_search_tmp(rshd_t) -+ -+auth_login_pgm_domain(rshd_t) -+auth_write_login_records(rshd_t) - -+init_rw_utmp(rshd_t) -+ -+logging_send_syslog_msg(rshd_t) - logging_search_logs(rshd_t) - --miscfiles_read_localization(rshd_t) -+seutil_read_config(rshd_t) -+seutil_read_default_contexts(rshd_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(rshd_t) -- fs_read_nfs_symlinks(rshd_t) --') -+userdom_search_user_home_content(rshd_t) -+userdom_manage_tmp_role(system_r, rshd_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(rshd_t) -- fs_read_cifs_symlinks(rshd_t) --') -+userdom_home_reader(rshd_t) - - optional_policy(` - kerberos_keytab_template(rshd, rshd_t) -- kerberos_manage_host_rcache(rshd_t) -- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0") - ') - - optional_policy(` -diff --git a/rssh.te b/rssh.te -index d1fd97f..7ee8502 100644 ---- a/rssh.te -+++ b/rssh.te -@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) - kernel_read_system_state(rssh_t) - kernel_read_kernel_sysctls(rssh_t) - --files_read_etc_files(rssh_t) - files_read_etc_runtime_files(rssh_t) - files_list_home(rssh_t) --files_read_usr_files(rssh_t) - files_list_var(rssh_t) - - fs_search_auto_mountpoints(rssh_t) - - logging_send_syslog_msg(rssh_t) - 
--miscfiles_read_localization(rssh_t) -- - rssh_domtrans_chroot_helper(rssh_t) - - ssh_rw_tcp_sockets(rssh_t) -@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t) - auth_use_nsswitch(rssh_chroot_helper_t) - - logging_send_syslog_msg(rssh_chroot_helper_t) -- --miscfiles_read_localization(rssh_chroot_helper_t) -diff --git a/rsync.fc b/rsync.fc -index d25301b..f3eeec7 100644 ---- a/rsync.fc -+++ b/rsync.fc -@@ -1,7 +1,8 @@ - /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) - --/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) -+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) - --/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) -+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0) - - /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) -+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) -diff --git a/rsync.if b/rsync.if -index f1140ef..8afe362 100644 ---- a/rsync.if -+++ b/rsync.if -@@ -1,16 +1,32 @@ --## Fast incremental file transfer for synchronization. -+## Fast incremental file transfer for synchronization -+ -+####################################### -+## -+## Sendmail stub interface. No access allowed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sendmail_stub',` -+gen_require(` -+type sendmail_t; -+') -+') - - ######################################## - ## --## Make rsync executable file an --## entry point for the specified domain. -+## Make rsync an entry point for -+## the specified domain. - ## - ## - ## --## The domain for which rsync_exec_t is an entrypoint. -+## The domain for which init scripts are an entrypoint. - ## - ## --# -+# cjp: added for portage - interface(`rsync_entry_type',` - gen_require(` - type rsync_exec_t; -@@ -43,14 +59,13 @@ interface(`rsync_entry_type',` - ## Domain to transition to. 
- ## - ## --# -+# cjp: added for portage - interface(`rsync_entry_spec_domtrans',` - gen_require(` - type rsync_exec_t; - ') - -- corecmd_search_bin($1) -- auto_trans($1, rsync_exec_t, $2) -+ domain_trans($1, rsync_exec_t, $2) - ') - - ######################################## -@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',` - ## Domain to transition to. - ## - ## --# -+# cjp: added for portage - interface(`rsync_entry_domtrans',` - gen_require(` - type rsync_exec_t; - ') - -- corecmd_search_bin($1) - domain_auto_trans($1, rsync_exec_t, $2) - ') - - ######################################## - ## --## Execute the rsync program in the rsync domain. -+## Execute rsync in the caller domain domain. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## -+## - # --interface(`rsync_domtrans',` -+interface(`rsync_exec',` - gen_require(` -- type rsync_t, rsync_exec_t; -+ type rsync_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, rsync_exec_t, rsync_t) -+ can_exec($1, rsync_exec_t) - ') - - ######################################## - ## --## Execute rsync in the rsync domain, and --## allow the specified role the rsync domain. -+## Read rsync config files. - ## - ## --## --## Domain allowed to transition. --## --## --## --## --## Role allowed access. --## --## --# --interface(`rsync_run',` -- gen_require(` -- attribute_role rsync_roles; -- ') -- -- rsync_domtrans($1) -- roleattribute $2 rsync_roles; --') -- --######################################## - ## --## Execute rsync in the caller domain. --## --## --## - ## Domain allowed access. --## -+## - ## - # --interface(`rsync_exec',` -+interface(`rsync_read_config',` - gen_require(` -- type rsync_exec_t; -+ type rsync_etc_t; - ') - -- corecmd_search_bin($1) -- can_exec($1, rsync_exec_t) -+ read_files_pattern($1, rsync_etc_t, rsync_etc_t) -+ files_search_etc($1) - ') - - ######################################## - ## --## Read rsync config files. 
-+## Read rsync data files. - ## - ## - ## -@@ -160,23 +149,23 @@ interface(`rsync_exec',` - ## - ## - # --interface(`rsync_read_config',` -+interface(`rsync_read_data',` - gen_require(` -- type rsync_etc_t; -+ type rsync_data_t; - ') - -- files_search_etc($1) -- allow $1 rsync_etc_t:file read_file_perms; -+ read_files_pattern($1, rsync_data_t, rsync_data_t) - ') - -+ - ######################################## - ## --## Write rsync config files. -+## Write to rsync config files. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`rsync_write_config',` -@@ -184,14 +173,13 @@ interface(`rsync_write_config',` - type rsync_etc_t; - ') - -+ write_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) -- allow $1 rsync_etc_t:file write_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rsync config files. -+## Manage rsync config files. - ## - ## - ## -@@ -199,18 +187,18 @@ interface(`rsync_write_config',` - ## - ## - # --interface(`rsync_manage_config_files',` -+interface(`rsync_manage_config',` - gen_require(` - type rsync_etc_t; - ') - -- files_search_etc($1) - manage_files_pattern($1, rsync_etc_t, rsync_etc_t) -+ files_search_etc($1) - ') - - ######################################## - ## --## Create specified objects in etc directories -+## Create objects in etc directories - ## with rsync etc type. - ## - ## -@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',` - - ######################################## - ## --## All of the rules required to --## administrate an rsync environment. -+## Transition to rsync named content - ## - ## - ## --## Domain allowed access. --## --## --## --## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # --interface(`rsync_admin',` -+interface(`rsync_filetrans_named_content',` - gen_require(` -- type rsync_t, rsync_etc_t, rsync_data_t; -- type rsync_log_t, rsync_tmp_t. 
rsync_var_run_t; -+ type rsync_etc_t; -+ type rsync_var_run_t; - ') - -- allow $1 rsync_t:process { ptrace signal_perms }; -- ps_process_pattern($1, rsync_t) -- -- files_search_etc($1) -- admin_pattern($1, rsync_etc_t) -- -- admin_pattern($1, rsync_data_t) -- -- logging_search_logs($1) -- admin_pattern($1, rsync_log_t) -- -- files_search_tmp($1) -- admin_pattern($1, rsync_tmp_t) -- -- files_search_pids($1) -- admin_pattern($1, rsync_var_run_t) -- -- rsync_run($1, $2) -+ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond") -+ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock") -+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") - ') -diff --git a/rsync.te b/rsync.te -index e3e7c96..ec50426 100644 ---- a/rsync.te -+++ b/rsync.te -@@ -1,4 +1,4 @@ --policy_module(rsync, 1.12.2) -+policy_module(rsync, 1.12.0) - - ######################################## - # -@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2) - # - - ## --##
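Review bot: The new `rsync_filetrans_named_content` interface transitions the name `"rsyncd.cond"`, which does not match the `/etc/rsyncd\.conf` entry that rsync.fc labels `rsync_etc_t`, so a daemon creating `rsyncd.conf` would get the generic etc type while only a file literally named `rsyncd.cond` would be typed correctly. Unless the spelling is deliberate, the line should read `files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.conf")`. The interface description `Transition to rsync named content` could also name what is covered: `Create rsyncd.conf in /etc and the rsyncd / swift_server lock files in /var/run with the rsync types.`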

    --## Determine whether rsync can use --## cifs file systems. --##

    -+##

    -+## Allow rsync to run as a client -+##

    - ##
    --gen_tunable(rsync_use_cifs, false) -+gen_tunable(rsync_client, false) - - ## --##

    --## Determine whether rsync can --## use fuse file systems. --##

    -+##

    -+## Allow rsync to export any files/directories read only. -+##

    - ##
    --gen_tunable(rsync_use_fusefs, false) -+gen_tunable(rsync_export_all_ro, false) - - ## --##

    --## Determine whether rsync can use --## nfs file systems. --##

    -+##

    -+## Allow rsync to modify public files -+## used for public file transfer services. Files/Directories must be -+## labeled public_content_rw_t. -+##

    - ##
    --gen_tunable(rsync_use_nfs, false) -+gen_tunable(rsync_anon_write, false) - - ## - ##

    --## Determine whether rsync can --## run as a client -+## Allow rsync server to manage all files/directories on the system. - ##

    - ##
    --gen_tunable(rsync_client, false) -+gen_tunable(rsync_full_access, false) - --## --##

    --## Determine whether rsync can --## export all content read only. --##

    --##
    --gen_tunable(rsync_export_all_ro, false) -- --## --##

    --## Determine whether rsync can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. --##

    --##
    --gen_tunable(allow_rsync_anon_write, false) -- --attribute_role rsync_roles; - - type rsync_t; - type rsync_exec_t; --init_daemon_domain(rsync_t, rsync_exec_t) --application_domain(rsync_t, rsync_exec_t) --role rsync_roles types rsync_t; -+application_executable_file(rsync_exec_t) -+role system_r types rsync_t; - - type rsync_etc_t; - files_config_file(rsync_etc_t) - --type rsync_data_t; # customizable -+type rsync_data_t; - files_type(rsync_data_t) - - type rsync_log_t; -@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) - allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; - allow rsync_t self:process signal_perms; - allow rsync_t self:fifo_file rw_fifo_file_perms; --allow rsync_t self:tcp_socket { accept listen }; -+allow rsync_t self:tcp_socket create_stream_socket_perms; -+allow rsync_t self:udp_socket connected_socket_perms; -+ -+# for identd -+# cjp: this should probably only be inetd_child_t rules? -+# search home and kerberos also. 
-+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -+#end for identd - --allow rsync_t rsync_etc_t:file read_file_perms; -+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) - - allow rsync_t rsync_data_t:dir list_dir_perms; --allow rsync_t rsync_data_t:file read_file_perms; --allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms; -+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+allow rsync_t rsync_data_t:dir_file_class_set getattr; -+allow rsync_t rsync_data_t:socket_class_set getattr; -+allow rsync_t rsync_data_t:sock_file setattr; - --allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) - logging_log_filetrans(rsync_t, rsync_log_t, file) - - manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) - kernel_read_system_state(rsync_t) - kernel_read_network_state(rsync_t) - --corenet_all_recvfrom_unlabeled(rsync_t) - corenet_all_recvfrom_netlabel(rsync_t) - corenet_tcp_sendrecv_generic_if(rsync_t) -+corenet_udp_sendrecv_generic_if(rsync_t) - corenet_tcp_sendrecv_generic_node(rsync_t) -+corenet_udp_sendrecv_generic_node(rsync_t) -+corenet_tcp_sendrecv_all_ports(rsync_t) -+corenet_udp_sendrecv_all_ports(rsync_t) - corenet_tcp_bind_generic_node(rsync_t) -- --corenet_sendrecv_rsync_server_packets(rsync_t) - corenet_tcp_bind_rsync_port(rsync_t) --corenet_tcp_sendrecv_rsync_port(rsync_t) -+corenet_sendrecv_rsync_server_packets(rsync_t) - - dev_read_urand(rsync_t) - --fs_getattr_all_fs(rsync_t) -+fs_getattr_xattr_fs(rsync_t) - fs_search_auto_mountpoints(rsync_t) - - files_search_home(rsync_t) - --auth_can_read_shadow_passwords(rsync_t) - auth_use_nsswitch(rsync_t) - - logging_send_syslog_msg(rsync_t) - --miscfiles_read_localization(rsync_t) - miscfiles_read_public_files(rsync_t) - --tunable_policy(`allow_rsync_anon_write',` -- 
miscfiles_manage_public_files(rsync_t) -+userdom_home_manager(rsync_t) -+ -+optional_policy(` -+ daemontools_service_domain(rsync_t, rsync_exec_t) - ') - --tunable_policy(`rsync_client',` -- corenet_sendrecv_rsync_client_packets(rsync_t) -- corenet_tcp_connect_rsync_port(rsync_t) -+optional_policy(` -+ kerberos_use(rsync_t) -+') - -- corenet_sendrecv_ssh_client_packets(rsync_t) -- corenet_tcp_connect_ssh_port(rsync_t) -- corenet_tcp_sendrecv_ssh_port(rsync_t) -+optional_policy(` -+ inetd_service_domain(rsync_t, rsync_exec_t) -+') - -- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) -- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+tunable_policy(`rsync_anon_write',` -+ miscfiles_manage_public_files(rsync_t) -+') -+ -+tunable_policy(`rsync_full_access',` -+ allow rsync_t self:capability { dac_override dac_read_search }; -+ files_manage_non_security_dirs(rsync_t) -+ files_manage_non_security_files(rsync_t) -+ #files_relabel_non_security_files(rsync_t) - ') - - tunable_policy(`rsync_export_all_ro',` -- fs_read_noxattr_fs_files(rsync_t) -+ files_getattr_all_pipes(rsync_t) -+ fs_read_noxattr_fs_files(rsync_t) - fs_read_nfs_files(rsync_t) -- fs_read_fusefs_files(rsync_t) - fs_read_cifs_files(rsync_t) -- files_list_non_auth_dirs(rsync_t) -- files_read_non_auth_files(rsync_t) -- files_read_non_auth_symlinks(rsync_t) -+ files_read_non_security_files(rsync_t) - auth_tunable_read_shadow(rsync_t) - ') - --tunable_policy(`rsync_use_cifs',` -- fs_list_cifs(rsync_t) -- fs_read_cifs_files(rsync_t) -- fs_read_cifs_symlinks(rsync_t) --') -- --tunable_policy(`rsync_use_fusefs',` -- fs_search_fusefs(rsync_t) -- fs_read_fusefs_files(rsync_t) -- fs_read_fusefs_symlinks(rsync_t) --') -- --tunable_policy(`rsync_use_nfs',` -- fs_list_nfs(rsync_t) -- fs_read_nfs_files(rsync_t) -- fs_read_nfs_symlinks(rsync_t) -+tunable_policy(`rsync_client',` -+ corenet_tcp_connect_rsync_port(rsync_t) -+ 
corenet_tcp_connect_ssh_port(rsync_t) -+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) -+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - ') - - optional_policy(` - tunable_policy(`rsync_client',` -- ssh_exec(rsync_t) -+ ssh_exec(rsync_t) - ') - ') - --optional_policy(` -- daemontools_service_domain(rsync_t, rsync_exec_t) --') -- --optional_policy(` -- kerberos_use(rsync_t) --') -+auth_can_read_shadow_passwords(rsync_t) - - optional_policy(` -- inetd_service_domain(rsync_t, rsync_exec_t) -+ swift_manage_data_files(rsync_t) - ') -diff --git a/rtas.fc b/rtas.fc -new file mode 100644 -index 0000000..25d96cb ---- /dev/null -+++ b/rtas.fc -@@ -0,0 +1,13 @@ -+/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0) -+ -+/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0) -+ -+/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t) -+/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t) -+ -+/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t) -+/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t) -+/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t) -+ -+/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0) -+ -diff --git a/rtas.if b/rtas.if -new file mode 100644 -index 0000000..9381936 ---- /dev/null -+++ b/rtas.if -@@ -0,0 +1,166 @@ -+ -+## rtas_errd - Platform diagnostics report firmware events -+ -+######################################## -+## -+## Execute TEMPLATE in the rtas_errd domin. -+## -+## -+## -+## Domain allowed to transition. 
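Review bot: `auth_can_read_shadow_passwords(rsync_t)` is added unconditionally at the end of the hunk while `auth_tunable_read_shadow(rsync_t)` stays gated behind `rsync_export_all_ro` a few lines above, so the tunable no longer withholds /etc/shadow from the rsync domain at all. If rsync should only read shadow when it is explicitly exporting everything, drop the unconditional call; if it always needs it, remove the now-redundant tunable call and adjust the `rsync_export_all_ro` description, which currently implies shadow access is opt-in. The hunk also grants `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `userdom_home_manager(rsync_t)` outside any tunable, which widens a network-facing daemon considerably; each deserves a comment naming the use case that requires it rather than being left implicit.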
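Review bot: Five of the new rtas.fc entries call `gen_context()` without the sensitivity argument, e.g. `/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t)`, whereas the other entries in the same file pass `,s0`. On an MLS build `gen_context` appends the second argument as the level, so the empty argument produces a context ending in a bare colon that setfiles rejects when the file contexts are compiled. The lines for `/var/lock/subsys/rtas_errd`, `/var/lock/.*librtas`, `/var/log/rtas_errd.*`, `/var/log/platform` and `/var/log/epow_status` should all end in `,s0)` like the others. `/var/log/platform` is also tagged `--` (regular file); if it is in fact a directory of per-platform logs the qualifier should be dropped or changed to `-d`, which I cannot tell from here.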
-+## -+## -+# -+interface(`rtas_errd_domtrans',` -+ gen_require(` -+ type rtas_errd_t, rtas_errd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t) -+') -+######################################## -+## -+## Read rtas_errd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`rtas_errd_read_log',` -+ gen_require(` -+ type rtas_errd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) -+') -+ -+######################################## -+## -+## Append to rtas_errd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rtas_errd_append_log',` -+ gen_require(` -+ type rtas_errd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) -+') -+ -+######################################## -+## -+## Manage rtas_errd log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rtas_errd_manage_log',` -+ gen_require(` -+ type rtas_errd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t) -+ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) -+ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) -+') -+######################################## -+## -+## Read rtas_errd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rtas_errd_read_pid_files',` -+ gen_require(` -+ type rtas_errd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t) -+') -+ -+######################################## -+## -+## Execute rtas_errd server in the rtas_errd domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`rtas_errd_systemctl',` -+ gen_require(` -+ type rtas_errd_t; -+ type rtas_errd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 rtas_errd_unit_file_t:file read_file_perms; -+ allow $1 rtas_errd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, rtas_errd_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an rtas_errd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`rtas_errd_admin',` -+ gen_require(` -+ type rtas_errd_t; -+ type rtas_errd_log_t; -+ type rtas_errd_var_run_t; -+ type rtas_errd_unit_file_t; -+ ') -+ -+ allow $1 rtas_errd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, rtas_errd_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, rtas_errd_log_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, rtas_errd_var_run_t) -+ -+ rtas_errd_systemctl($1) -+ admin_pattern($1, rtas_errd_unit_file_t) -+ allow $1 rtas_errd_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/rtas.te b/rtas.te -new file mode 100644 -index 0000000..4e6663f ---- /dev/null -+++ b/rtas.te -@@ -0,0 +1,60 @@ -+policy_module(rtas, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type rtas_errd_t; -+type rtas_errd_exec_t; -+init_daemon_domain(rtas_errd_t, rtas_errd_exec_t) -+ -+type rtas_errd_log_t; -+logging_log_file(rtas_errd_log_t) -+ -+type rtas_errd_var_run_t; -+files_pid_file(rtas_errd_var_run_t) -+ -+type rtas_errd_var_lock_t; -+files_lock_file(rtas_errd_var_lock_t) -+ -+type rtas_errd_unit_file_t; -+systemd_unit_file(rtas_errd_unit_file_t) -+ -+######################################## -+# -+# rtas_errd local policy -+# -+ -+allow rtas_errd_t self:capability sys_admin; -+allow 
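Review bot: The description of `rtas_errd_domtrans` still carries the generator placeholder — `Execute TEMPLATE in the rtas_errd domin.` — and should read `Execute rtas_errd in the rtas_errd domain.` `rtas_errd_systemctl` is described as `Execute rtas_errd server in the rtas_errd domain` although its body grants systemctl access to `rtas_errd_unit_file_t` plus `ps_process_pattern` on the daemon and performs no domain transition; `Run systemctl against the rtas_errd unit file and read rtas_errd process state.` matches what it does. In `rtas_errd_admin` the role parameter `$2` is documented but never used in the body (there is no `role_transition` or `allow $2 system_r`), so either wire it up as the other `*_admin` interfaces in this tree do or drop the parameter from the XML so callers are not misled.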
rtas_errd_t self:process fork; -+allow rtas_errd_t self:fifo_file rw_fifo_file_perms; -+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t) -+manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t) -+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t) -+logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file }) -+ -+manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t) -+manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t) -+files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } ) -+ -+manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) -+manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) -+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) -+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file }) -+ -+kernel_read_system_state(rtas_errd_t) -+ -+auth_use_nsswitch(rtas_errd_t) -+ -+corecmd_exec_bin(rtas_errd_t) -+ -+dev_read_raw_memory(rtas_errd_t) -+dev_write_raw_memory(rtas_errd_t) -+ -+files_manage_system_db_files(rtas_errd_t) -+ -+logging_read_generic_logs(rtas_errd_t) -+ -diff --git a/rtkit.if b/rtkit.if -index bd35afe..051addd 100644 ---- a/rtkit.if -+++ b/rtkit.if -@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',` - type rtkit_daemon_t, rtkit_daemon_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) - ') - -@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',` - - ######################################## - ## --## Allow rtkit to control scheduling for your process. -+## Do not audit send and receive messages from -+## rtkit_daemon over dbus. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
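Review bot: The new `rtas_errd_t` domain receives `dev_read_raw_memory`, `dev_write_raw_memory`, `self:capability sys_admin` and `files_manage_system_db_files` with no comment saying which operation needs each; write access to /dev/mem in particular lets the domain alter arbitrary kernel and process memory, so it effectively undoes the confinement the module is meant to provide. If the daemon only reads RTAS event buffers out of reserved memory, a comment such as `# reads firmware event buffers via /dev/mem; write needed for <operation>` next to those lines — or dropping `dev_write_raw_memory` if nothing actually needs it — makes the grant auditable. Separately, `files_lock_filetrans(rtas_errd_t, rtas_errd_var_lock_t, { dir file })` names `dir` but only `manage_files_pattern` and `manage_lnk_files_pattern` are given for the lock type, so a directory created under /var/lock could not be managed afterwards; add `manage_dirs_pattern(rtas_errd_t, rtas_errd_var_lock_t, rtas_errd_var_lock_t)` or restrict the transition to `file`.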
- ## - ## - # --interface(`rtkit_scheduled',` -+interface(`rtkit_daemon_dontaudit_dbus_chat',` - gen_require(` - type rtkit_daemon_t; -+ class dbus send_msg; - ') - -- allow rtkit_daemon_t $1:process { getsched setsched }; -- -- ps_process_pattern(rtkit_daemon_t, $1) -- -- optional_policy(` -- rtkit_daemon_dbus_chat($1) -- ') -+ dontaudit $1 rtkit_daemon_t:dbus send_msg; -+ dontaudit rtkit_daemon_t $1:dbus send_msg; -+ dontaudit rtkit_daemon_t $1:process { getsched setsched }; - ') - - ######################################## - ## --## All of the rules required to --## administrate an rtkit environment. -+## Allow rtkit to control scheduling for your process - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Role allowed access. --## --## --## - # --interface(`rtkit_admin',` -+interface(`rtkit_scheduled',` - gen_require(` -- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t; -+ type rtkit_daemon_t; - ') - -- allow $1 rtkit_daemon_t:process { ptrace signal_perms }; -- ps_process_pattern($1, rtkit_daemon_t) -- -- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 rtkit_daemon_initrc_exec_t system_r; -- allow $2 system_r; -+ kernel_search_proc($1) -+ ps_process_pattern(rtkit_daemon_t, $1) -+ allow rtkit_daemon_t $1:process { getsched setsched }; -+ rtkit_daemon_dbus_chat($1) - ') -diff --git a/rtkit.te b/rtkit.te -index 3f5a8ef..29a8e9e 100644 ---- a/rtkit.te -+++ b/rtkit.te -@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t) - - logging_send_syslog_msg(rtkit_daemon_t) - --miscfiles_read_localization(rtkit_daemon_t) -- - optional_policy(` - dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - -diff --git a/rwho.if b/rwho.if -index 0360ff0..e6cb34f 100644 ---- a/rwho.if -+++ b/rwho.if -@@ -139,8 +139,11 @@ interface(`rwho_admin',` - type rwho_initrc_exec_t; - ') - -- allow $1 rwho_t:process { ptrace signal_perms }; -+ allow $1 rwho_t:process signal_perms; - ps_process_pattern($1, 
rwho_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rwho_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/rwho.te b/rwho.te -index 9927d29..6746952 100644 ---- a/rwho.te -+++ b/rwho.te -@@ -16,7 +16,7 @@ type rwho_log_t; - files_type(rwho_log_t) - - type rwho_spool_t; --files_type(rwho_spool_t) -+files_spool_file(rwho_spool_t) - - ######################################## - # -@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) - - kernel_read_system_state(rwho_t) - --corenet_all_recvfrom_unlabeled(rwho_t) - corenet_all_recvfrom_netlabel(rwho_t) - corenet_udp_sendrecv_generic_if(rwho_t) - corenet_udp_sendrecv_generic_node(rwho_t) -@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t) - - domain_use_interactive_fds(rwho_t) - --files_read_etc_files(rwho_t) - - init_read_utmp(rwho_t) - init_dontaudit_write_utmp(rwho_t) - - logging_send_syslog_msg(rwho_t) - --miscfiles_read_localization(rwho_t) -- - sysnet_dns_name_resolve(rwho_t) - --# userdom_getattr_user_terminals(rwho_t) -+userdom_getattr_user_terminals(rwho_t) -+ -diff --git a/samba.fc b/samba.fc -index b8b66ff..2ccac49 100644 ---- a/samba.fc -+++ b/samba.fc -@@ -1,42 +1,54 @@ --/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) --/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+ -+# -+# /etc -+# -+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) - /etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) -+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -+/etc/samba/smbpasswd -- 
gen_context(system_u:object_r:samba_secrets_t,s0) -+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) - --/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) --/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) --/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) --/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) --/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) -+# -+# /usr -+# -+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) -+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) - --/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) --/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) --/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) --/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) --/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) -+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) -+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) -+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) - --/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) --/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) --/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) --/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) -+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) -+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) -+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) - --/var/cache/samba(/.*)? 
gen_context(system_u:object_r:samba_var_t,s0) --/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -+# -+# /var -+# -+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - --/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) --/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) - --/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) -+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - --/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) - --/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) --/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) -+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) -+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) - --/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) -+/var/run/samba(/.*)? 
gen_context(system_u:object_r:smbd_var_run_t,s0) - /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) - /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) - /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) --/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) - /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -@@ -45,7 +57,11 @@ - /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) - /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - --/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) --/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -+ -+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) - --/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+ifndef(`enable_mls',` -+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) -+') -diff --git a/samba.if b/samba.if -index aee75af..a6bab06 100644 ---- a/samba.if -+++ b/samba.if -@@ -1,8 +1,12 @@ --## SMB and CIFS client/server programs. -+## -+## SMB and CIFS client/server programs for UNIX and -+## name Service Switch daemon for resolving names -+## from Windows NT servers. -+## - - ######################################## - ## --## Execute nmbd in the nmbd domain. -+## Execute nmbd net in the nmbd_t domain. 
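Review bot: The new `ifndef(`enable_mls',` block labels everything under `/var/lib/samba/scripts` as `samba_unconfined_script_exec_t` with no comment on why that directory is treated as unconfined or why MLS builds are excluded, and unconfined execution paths are exactly the entries an auditor needs explained. A line above it such as `# helper scripts invoked by smbd run unconfined; no unconfined domains exist on MLS builds` (adjusted to the real reason) would do. The companion tunable or interface that actually enables the transition is not in this hunk, so I cannot confirm the type is gated; if it is not, that should be stated here too.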
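Review bot: The new `samba_search_pid` interface documents its parameter as `Domain to not audit.` although the body is an `allow` (`files_search_pids($1)` plus `search_dir_perms` on `smbd_var_run_t`), so the text should be `Domain allowed access.` The summary `Search the samba pid directory.` is fine but could say which type is involved, e.g. `Search the samba pid directory (smbd_var_run_t).`, since the same hunk's `samba_stream_connect_nmbd` now relies on this interface for its path walk instead of the broader `{ smbd_var_run_t samba_var_t nmbd_var_run_t }` set.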
- ## - ## - ## -@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',` - - ####################################### - ## --## Send generic signals to nmbd. -+## Allow domain to signal samba - ## - ## - ## -@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',` - - ######################################## - ## --## Connect to nmbd with a unix domain --## stream socket. -+## Search the samba pid directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`samba_search_pid',` -+ gen_require(` -+ type smbd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 smbd_var_run_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Connect to nmbd. - ## - ## - ## -@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',` - # - interface(`samba_stream_connect_nmbd',` - gen_require(` -- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t; -+ type nmbd_t, nmbd_var_run_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t) -+ samba_search_pid($1) -+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) - ') - - ######################################## - ## --## Execute samba init scripts in --## the init script domain. -+## Execute samba server in the samba domain. - ## - ## - ## -@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',` - - ######################################## - ## --## Execute samba net in the samba net domain. -+## Execute samba server in the samba domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`samba_systemctl',` -+ gen_require(` -+ type samba_unit_file_t; -+ type smbd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 samba_unit_file_t:file read_file_perms; -+ allow $1 samba_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, smbd_t) -+') -+ -+######################################## -+## -+## Execute samba net in the samba_net domain. 
- ## - ## - ## -@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',` - - ######################################## - ## --## Execute samba net in the samba net --## domain, and allow the specified --## role the samba net domain. -+## Execute samba net in the samba_unconfined_net domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`samba_domtrans_unconfined_net',` -+ gen_require(` -+ type samba_unconfined_net_t, samba_net_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) -+') -+ -+######################################## -+## -+## Execute samba net in the samba_net domain, and -+## allow the specified role the samba_net domain. - ## - ## - ## -@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',` - # - interface(`samba_run_net',` - gen_require(` -- attribute_role samba_net_roles; -+ type samba_net_t; - ') - - samba_domtrans_net($1) -- roleattribute $2 samba_net_roles; -+ role $2 types samba_net_t; -+') -+ -+####################################### -+## -+## The role for the samba module. -+## -+## -+## -+## The role to be allowed the samba_net domain. -+## -+## -+## -+# -+interface(`samba_role_notrans',` -+ gen_require(` -+ type smbd_t; -+ ') -+ -+ role $1 types smbd_t; -+') -+ -+######################################## -+## -+## Execute samba net in the samba_unconfined_net domain, and -+## allow the specified role the samba_unconfined_net domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The role to be allowed the samba_unconfined_net domain. 
-+## -+## -+## -+# -+interface(`samba_run_unconfined_net',` -+ gen_require(` -+ type samba_unconfined_net_t; -+ ') -+ -+ samba_domtrans_unconfined_net($1) -+ role $2 types samba_unconfined_net_t; - ') - - ######################################## -@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',` - - ######################################## - ## --## Execute smbmount in the smbmount --## domain, and allow the specified --## role the smbmount domain. -+## Execute smbmount interactively and do -+## a domain transition to the smbmount domain. - ## - ## - ## -@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',` - # - interface(`samba_run_smbmount',` - gen_require(` -- attribute_role smbmount_roles; -+ type smbmount_t; - ') - - samba_domtrans_smbmount($1) -- roleattribute $2 smbmount_roles; -+ role $2 types smbmount_t; - ') - - ######################################## - ## --## Read samba configuration files. -+## Allow the specified domain to read -+## samba configuration files. - ## - ## - ## -@@ -184,12 +291,14 @@ interface(`samba_read_config',` - ') - - files_search_etc($1) -+ list_dirs_pattern($1, samba_etc_t, samba_etc_t) - read_files_pattern($1, samba_etc_t, samba_etc_t) - ') - - ######################################## - ## --## Read and write samba configuration files. -+## Allow the specified domain to read -+## and write samba configuration files. - ## - ## - ## -@@ -209,8 +318,8 @@ interface(`samba_rw_config',` - - ######################################## - ## --## Create, read, write, and delete --## samba configuration files. -+## Allow the specified domain to read -+## and write samba configuration files. - ## - ## - ## -@@ -231,7 +340,7 @@ interface(`samba_manage_config',` - - ######################################## - ## --## Read samba log files. -+## Allow the specified domain to read samba's log files. 
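Review bot: The new `samba_role_notrans` interface is documented as `The role for the samba module` with its parameter described as `The role to be allowed the samba_net domain`, yet its body is `role $1 types smbd_t;` — it authorises the role for the smbd daemon domain, not `samba_net_t`, and without any transition. The description should say `Allow the specified role to run in the smbd_t domain without a transition.` and the parameter `Role allowed access to smbd_t.` Because this puts an interactive role directly in the file-server domain, a comment stating which caller needs it would help reviewers judge whether it should exist at all.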
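Review bot: The description preceding `samba_manage_config` is changed to `Allow the specified domain to read and write samba configuration files.`, which is now identical to the one on `samba_rw_config` directly above, even though this interface grants `manage_files_pattern` (create and delete as well). Restore the old wording, `Create, read, write, and delete samba configuration files.`, so the two interfaces remain distinguishable in the generated documentation.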
- ## - ## - ## -@@ -252,7 +361,7 @@ interface(`samba_read_log',` - - ######################################## - ## --## Append to samba log files. -+## Allow the specified domain to append to samba's log files. - ## - ## - ## -@@ -273,7 +382,7 @@ interface(`samba_append_log',` - - ######################################## - ## --## Execute samba log files in the caller domain. -+## Execute samba log in the caller domain. - ## - ## - ## -@@ -292,7 +401,7 @@ interface(`samba_exec_log',` - - ######################################## - ## --## Read samba secret files. -+## Allow the specified domain to read samba's secrets. - ## - ## - ## -@@ -311,7 +420,7 @@ interface(`samba_read_secrets',` - - ######################################## - ## --## Read samba share files. -+## Allow the specified domain to read samba's shares - ## - ## - ## -@@ -330,7 +439,8 @@ interface(`samba_read_share_files',` - - ######################################## - ## --## Search samba var directories. -+## Allow the specified domain to search -+## samba /var directories. - ## - ## - ## -@@ -343,13 +453,15 @@ interface(`samba_search_var',` - type samba_var_t; - ') - -+ files_search_var($1) - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read samba var files. -+## Allow the specified domain to -+## read samba /var files. - ## - ## - ## -@@ -362,14 +474,15 @@ interface(`samba_read_var_files',` - type samba_var_t; - ') - -+ files_search_var($1) - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) - ') - - ######################################## - ## --## Do not audit attempts to write --## samba var files. -+## Do not audit attempts to write samba -+## /var files. - ## - ## - ## -@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',` - - ######################################## - ## --## Read and write samba var files. 
-+## Allow the specified domain to
-+## read and write samba /var files.
- ##
- ##
- ##
-@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',`
- type samba_var_t;
- ')
- 
-+ files_search_var($1)
- files_search_var_lib($1)
- rw_files_pattern($1, samba_var_t, samba_var_t)
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## samba var files.
-+## Allow the specified domain to
-+## read and write samba /var files.
- ##
- ##
- ##
-@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',`
- ')
- 
- files_search_var_lib($1)
-+ files_search_var_lib($1)
- manage_files_pattern($1, samba_var_t, samba_var_t)
-+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
- ')
- 
- ########################################
- ##
--## Execute smbcontrol in the smbcontrol domain.
-+## Execute a domain transition to run smbcontrol.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`samba_domtrans_smbcontrol',`
- gen_require(`
-- type smbcontrol_t, smbcontrol_exec_t;
-+ type smbcontrol_t;
-+ type smbcontrol_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
- ')
- 
- ########################################
- ##
--## Execute smbcontrol in the smbcontrol
--## domain, and allow the specified
--## role the smbcontrol domain.
-+## Execute smbcontrol in the smbcontrol domain, and
-+## allow the specified role the smbcontrol domain.
- ##
- ##
- ##
-@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',`
- #
- interface(`samba_run_smbcontrol',`
- gen_require(`
-- attribute_role smbcontrol_roles;
-+ type smbcontrol_t;
- ')
- 
- samba_domtrans_smbcontrol($1)
-- roleattribute $2 smbcontrol_roles;
-+ role $2 types smbcontrol_t;
- ')
- 
- ########################################
- ##
--## Execute smbd in the smbd domain.
-+## Execute smbd in the smbd_t domain.
- ##
- ##
- ##
-@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',`
- 
- ######################################
- ##
--## Send generic signals to smbd.
-+## Allow domain to signal samba
- ##
- ##
- ##
-@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',`
- 
- ########################################
- ##
--## Do not audit attempts to inherit
--## and use smbd file descriptors.
-+## Do not audit attempts to use file descriptors from samba.
- ##
- ##
- ##
-@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',`
- 
- ########################################
- ##
--## Write smbmount tcp sockets.
-+## Allow the specified domain to write to smbmount tcp sockets.
- ##
- ##
- ##
-@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
- 
- ########################################
- ##
--## Read and write smbmount tcp sockets.
-+## Allow the specified domain to read and write to smbmount tcp sockets.
- ##
- ##
- ##
-@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
- allow $1 smbmount_t:tcp_socket { read write };
- ')
- 
--########################################
-+#######################################
- ##
--## Execute winbind helper in the
--## winbind helper domain.
-+## Allow to getattr on winbind binary.
- ##
- ##
--##
--## Domain allowed to transition.
--##
-+##
-+## Domain allowed to transition.
-+##
- ##
- #
--interface(`samba_domtrans_winbind_helper',`
-- gen_require(`
-- type winbind_helper_t, winbind_helper_exec_t;
-- ')
-+interface(`samba_getattr_winbind',`
-+ gen_require(`
-+ type winbind_exec_t;
-+ ')
- 
-- corecmd_search_bin($1)
-- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
-+ allow $1 winbind_exec_t:file getattr;
- ')
- 
--#######################################
-+########################################
- ##
--## Get attributes of winbind executable files.
-+## Execute winbind_helper in the winbind_helper domain.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`samba_getattr_winbind_exec',`
-+interface(`samba_domtrans_winbind_helper',`
- gen_require(`
-- type winbind_exec_t;
-+ type winbind_helper_t, winbind_helper_exec_t;
- ')
- 
-- allow $1 winbind_exec_t:file getattr_file_perms;
-+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
-+ allow $1 winbind_helper_t:process signal;
- ')
- 
- ########################################
- ##
--## Execute winbind helper in the winbind
--## helper domain, and allow the specified
--## role the winbind helper domain.
-+## Execute winbind_helper in the winbind_helper domain, and
-+## allow the specified role the winbind_helper domain.
- ##
- ##
- ##
-@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',`
- #
- interface(`samba_run_winbind_helper',`
- gen_require(`
-- attribute_role winbind_helper_roles;
-+ type winbind_helper_t;
- ')
- 
- samba_domtrans_winbind_helper($1)
-- roleattribute $2 winbind_helper_roles;
-+ role $2 types winbind_helper_t;
- ')
- 
- ########################################
- ##
--## Read winbind pid files.
-+## Allow the specified domain to read the winbind pid files.
- ##
- ##
- ##
-@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',`
- #
- interface(`samba_read_winbind_pid',`
- gen_require(`
-- type winbind_var_run_t, smbd_var_run_t;
-+ type winbind_var_run_t;
- ')
- 
-- files_search_pids($1)
-- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
-+ samba_search_pid($1)
-+ allow $1 winbind_var_run_t:file read_file_perms;
- ')
- 
- ########################################
- ##
--## Connect to winbind with a unix
--## domain stream socket.
-+## Connect to winbind.
- ##
- ##
- ##
-@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',`
- #
- interface(`samba_stream_connect_winbind',`
- gen_require(`
-- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
-+ type samba_var_t, winbind_t, winbind_var_run_t;
- ')
- 
-- files_search_pids($1)
-- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
-+ samba_search_pid($1)
-+ allow $1 samba_var_t:dir search_dir_perms;
-+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
-+ samba_read_config($1)
-+ 
-+ ifndef(`distro_redhat',`
-+ gen_require(`
-+ type winbind_tmp_t;
-+ ')
-+ 
-+ # the default for the socket is (poorly named):
-+ # /tmp/.winbindd/pipe
-+ files_search_tmp($1)
-+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
-+ ')
- ')
- 
- ########################################
- ##
--## All of the rules required to
--## administrate an samba environment.
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving type names.
-+##
-+##
-+#
-+template(`samba_helper_template',`
-+ gen_require(`
-+ type smbd_t;
-+ role system_r;
-+ ')
-+ 
-+ #This type is for samba helper scripts
-+ type samba_$1_script_t;
-+ domain_type(samba_$1_script_t)
-+ role system_r types samba_$1_script_t;
-+ 
-+ # This type is used for executable scripts files
-+ type samba_$1_script_exec_t;
-+ corecmd_shell_entry_type(samba_$1_script_t)
-+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
-+ 
-+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
-+ allow smbd_t samba_$1_script_exec_t:file ioctl;
-+')
-+ 
-+########################################
-+##
-+## All of the rules required to administrate
-+## an samba environment
- ##
- ##
- ##
-@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the samba domain.
- ##
- ##
- ##
-@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',`
- interface(`samba_admin',`
- gen_require(`
- type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-- type smbd_t, smbd_tmp_t, smbd_spool_t;
-- type samba_log_t, samba_var_t, samba_secrets_t;
-- type samba_etc_t, samba_share_t, samba_initrc_exec_t;
-- type swat_var_run_t, swat_tmp_t, winbind_log_t;
-- type winbind_var_run_t, winbind_tmp_t;
-+ type smbd_t, smbd_tmp_t, samba_secrets_t;
-+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
-+ type samba_etc_t, samba_share_t, winbind_log_t;
-+ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
-+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
-+ type samba_unit_file_t;
- ')
- 
-- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { nmbd_t smbd_t })
-+ allow $1 smbd_t:process signal_perms;
-+ ps_process_pattern($1, smbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 smbd_t:process ptrace;
-+ allow $1 nmbd_t:process ptrace;
-+ allow $1 samba_unconfined_script_t:process ptrace;
-+ ')
-+ 
-+ allow $1 nmbd_t:process signal_perms;
-+ ps_process_pattern($1, nmbd_t)
-+ 
-+ allow $1 samba_unconfined_script_t:process signal_perms;
-+ ps_process_pattern($1, samba_unconfined_script_t)
-+ 
-+ samba_run_smbcontrol($1, $2)
-+ samba_run_winbind_helper($1, $2)
-+ samba_run_smbmount($1, $2)
-+ samba_run_net($1, $2)
- 
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
- 
-- files_list_etc($1)
-+ admin_pattern($1, nmbd_var_run_t)
-+ 
- admin_pattern($1, samba_etc_t)
-+ files_list_etc($1)
- 
-+ admin_pattern($1, samba_log_t)
- logging_list_logs($1)
-- admin_pattern($1, { samba_log_t winbind_log_t })
- 
-- files_list_var($1)
-- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
-+ admin_pattern($1, samba_secrets_t)
- 
-- files_list_spool($1)
-- admin_pattern($1, smbd_spool_t)
-+ admin_pattern($1, samba_share_t)
-+ 
-+ admin_pattern($1, samba_var_t)
-+ files_list_var($1)
- 
-+ admin_pattern($1, smbd_var_run_t)
- files_list_pids($1)
-- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
- 
-+ admin_pattern($1, smbd_tmp_t)
- files_list_tmp($1)
-- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
- 
-- samba_run_smbcontrol($1, $2)
-- samba_run_winbind_helper($1, $2)
-- samba_run_smbmount($1, $2)
-- samba_run_net($1, $2)
-+ admin_pattern($1, swat_var_run_t)
-+ 
-+ admin_pattern($1, swat_tmp_t)
-+ 
-+ admin_pattern($1, winbind_log_t)
-+ 
-+ admin_pattern($1, winbind_tmp_t)
-+ 
-+ admin_pattern($1, winbind_var_run_t)
-+ admin_pattern($1, samba_unconfined_script_exec_t)
-+ 
-+ samba_systemctl($1)
-+ admin_pattern($1, samba_unit_file_t)
-+ allow $1 samba_unit_file_t:service all_service_perms;
- ')
-diff --git a/samba.te b/samba.te
-index 57c034b..9e91107 100644
---- a/samba.te
-+++ b/samba.te
-@@ -1,4 +1,4 @@
--policy_module(samba, 1.15.7)
-+policy_module(samba, 1.15.0)
- 
- #################################
- #
-@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7)
- #
- 
- ##
--##

--## Determine whether samba can modify
--## public files used for public file
--## transfer services. Directories/Files must
--## be labeled public_content_rw_t.
--##

    -+##

-+## Allow samba to modify public files used for public file
-+## transfer services. Files/Directories must be labeled
-+## public_content_rw_t.
-+##

    - ##
--gen_tunable(allow_smbd_anon_write, false)
-+gen_tunable(smbd_anon_write, false)
- 
- ##
--##

--## Determine whether samba can
--## create home directories via pam.
--##

    -+##

-+## Allow samba to create new home directories (e.g. via PAM)
-+##

    - ##
- gen_tunable(samba_create_home_dirs, false)
- 
- ##
--##

--## Determine whether samba can act as the
--## domain controller, add users, groups
--## and change passwords.
--##

    -+##

-+## Allow samba to act as the domain controller, add users,
-+## groups and change passwords.
-+##
-+##

    - ##
- gen_tunable(samba_domain_controller, false)
- 
- ##
--##

--## Determine whether samba can
--## act as a portmapper.
--##

    -+##

-+## Allow samba to act as a portmapper
-+##
-+##

    - ##
- gen_tunable(samba_portmapper, false)
- 
- ##
--##

--## Determine whether samba can share
--## users home directories.
--##

    -+##

-+## Allow samba to share users home directories.
-+##

    - ##
- gen_tunable(samba_enable_home_dirs, false)
- 
- ##
--##

--## Determine whether samba can share
--## any content read only.
--##

    -+##

-+## Allow samba to share any file/directory read only.
-+##

    - ##
- gen_tunable(samba_export_all_ro, false)
- 
- ##
--##

--## Determine whether samba can share any
--## content readable and writable.
--##

    -+##

-+## Allow samba to share any file/directory read/write.
-+##

    - ##
- gen_tunable(samba_export_all_rw, false)
- 
- ##
--##

--## Determine whether samba can
--## run unconfined scripts.
--##

    -+##

-+## Allow samba to run unconfined scripts
-+##

    - ##
- gen_tunable(samba_run_unconfined, false)
- 
- ##
--##

--## Determine whether samba can
--## use nfs file systems.
--##

    -+##

-+## Allow samba to export NFS volumes.
-+##

    - ##
- gen_tunable(samba_share_nfs, false)
- 
- ##
--##

--## Determine whether samba can
--## use fuse file systems.
--##

    -+##

-+## Allow samba to export ntfs/fusefs volumes.
-+##

    - ##
- gen_tunable(samba_share_fusefs, false)
- 
--attribute_role samba_net_roles;
--roleattribute system_r samba_net_roles;
--
--attribute_role smbcontrol_roles;
--roleattribute system_r smbcontrol_roles;
--
--attribute_role smbmount_roles;
--roleattribute system_r smbmount_roles;
--
--attribute_role winbind_helper_roles;
--roleattribute system_r winbind_helper_roles;
--
- type nmbd_t;
- type nmbd_exec_t;
- init_daemon_domain(nmbd_t, nmbd_exec_t)
-@@ -113,13 +93,16 @@ files_config_file(samba_etc_t)
- type samba_initrc_exec_t;
- init_script_file(samba_initrc_exec_t)
- 
-+type samba_unit_file_t;
-+systemd_unit_file(samba_unit_file_t)
-+
- type samba_log_t;
- logging_log_file(samba_log_t)
- 
- type samba_net_t;
- type samba_net_exec_t;
- application_domain(samba_net_t, samba_net_exec_t)
--role samba_net_roles types samba_net_t;
-+role system_r types samba_net_t;
- 
- type samba_net_tmp_t;
- files_tmp_file(samba_net_tmp_t)
-@@ -136,7 +119,7 @@ files_type(samba_var_t)
- type smbcontrol_t;
- type smbcontrol_exec_t;
- application_domain(smbcontrol_t, smbcontrol_exec_t)
--role smbcontrol_roles types smbcontrol_t;
-+role system_r types smbcontrol_t;
- 
- type smbd_t;
- type smbd_exec_t;
-@@ -149,9 +132,10 @@ type smbd_var_run_t;
- files_pid_file(smbd_var_run_t)
- 
- type smbmount_t;
-+domain_type(smbmount_t)
-+
- type smbmount_exec_t;
--application_domain(smbmount_t, smbmount_exec_t)
--role smbmount_roles types smbmount_t;
-+domain_entry_file(smbmount_t, smbmount_exec_t)
- 
- type swat_t;
- type swat_exec_t;
-@@ -170,27 +154,29 @@ type winbind_exec_t;
- init_daemon_domain(winbind_t, winbind_exec_t)
- 
- type winbind_helper_t;
-+domain_type(winbind_helper_t)
-+role system_r types winbind_helper_t;
-+
- type winbind_helper_exec_t;
--application_domain(winbind_helper_t, winbind_helper_exec_t)
--role winbind_helper_roles types winbind_helper_t;
-+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
- 
- type winbind_log_t;
- logging_log_file(winbind_log_t)
- 
--type winbind_tmp_t;
--files_tmp_file(winbind_tmp_t)
--
- type winbind_var_run_t;
- files_pid_file(winbind_var_run_t)
- 
- ########################################
- #
--# Net local policy
-+# Samba net local policy
- #
--
- allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
-+allow samba_net_t self:capability2 block_suspend;
- allow samba_net_t self:process { getsched setsched };
--allow samba_net_t self:unix_stream_socket { accept listen };
-+allow samba_net_t self:unix_dgram_socket create_socket_perms;
-+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-+allow samba_net_t self:udp_socket create_socket_perms;
-+allow samba_net_t self:tcp_socket create_socket_perms;
- 
- allow samba_net_t samba_etc_t:file read_file_perms;
- 
-@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
- 
-+kernel_read_proc_symlinks(samba_net_t)
- kernel_read_system_state(samba_net_t)
- kernel_read_network_state(samba_net_t)
- 
--corenet_all_recvfrom_unlabeled(samba_net_t)
- corenet_all_recvfrom_netlabel(samba_net_t)
-+corenet_tcp_sendrecv_generic_if(samba_net_t)
- corenet_udp_sendrecv_generic_if(samba_net_t)
-+corenet_raw_sendrecv_generic_if(samba_net_t)
- corenet_tcp_sendrecv_generic_node(samba_net_t)
--
--corenet_sendrecv_smbd_client_packets(samba_net_t)
-+corenet_udp_sendrecv_generic_node(samba_net_t)
-+corenet_raw_sendrecv_generic_node(samba_net_t)
-+corenet_tcp_sendrecv_all_ports(samba_net_t)
-+corenet_udp_sendrecv_all_ports(samba_net_t)
-+corenet_tcp_bind_generic_node(samba_net_t)
-+corenet_udp_bind_generic_node(samba_net_t)
- corenet_tcp_connect_smbd_port(samba_net_t)
--corenet_tcp_sendrecv_smbd_port(samba_net_t)
- 
- dev_read_urand(samba_net_t)
- 
-@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t)
- 
- logging_send_syslog_msg(samba_net_t)
- 
--miscfiles_read_localization(samba_net_t)
--
- samba_read_var_files(samba_net_t)
- 
--userdom_use_user_terminals(samba_net_t)
-+sysnet_use_ldap(samba_net_t)
-+
-+userdom_use_inherited_user_terminals(samba_net_t)
- userdom_list_user_home_dirs(samba_net_t)
- 
- optional_policy(`
-- ldap_stream_connect(samba_net_t)
-+ ldap_stream_connect(samba_net_t)
-+ dirsrv_stream_connect(samba_net_t)
- ')
- 
- optional_policy(`
-@@ -245,44 +237,56 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ realmd_manage_cache_files(samba_net_t)
-+ realmd_read_tmp_files(samba_net_t)
-+')
-+
-+optional_policy(`
- kerberos_use(samba_net_t)
-- kerberos_etc_filetrans_keytab(samba_net_t, file)
-+ kerberos_etc_filetrans_keytab(samba_net_t)
- ')
- 
- ########################################
- #
--# Smbd Local policy
-+# smbd Local policy
- #
- 
- allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
- dontaudit smbd_t self:capability sys_tty_config;
--allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
-+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow smbd_t self:process setrlimit;
- allow smbd_t self:fd use;
- allow smbd_t self:fifo_file rw_fifo_file_perms;
- allow smbd_t self:msg { send receive };
- allow smbd_t self:msgq create_msgq_perms;
- allow smbd_t self:sem create_sem_perms;
- allow smbd_t self:shm create_shm_perms;
--allow smbd_t self:tcp_socket { accept listen };
--allow smbd_t self:unix_dgram_socket sendto;
--allow smbd_t self:unix_stream_socket { accept connectto listen };
-+allow smbd_t self:key manage_key_perms;
-+allow smbd_t self:sock_file read_sock_file_perms;
-+allow smbd_t self:tcp_socket create_stream_socket_perms;
-+allow smbd_t self:udp_socket create_socket_perms;
-+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- 
--allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
-+allow smbd_t nmbd_t:process { signal signull };
-+
-+allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
- 
--allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
-+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
- 
- manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
--append_files_pattern(smbd_t, samba_log_t, samba_log_t)
--create_files_pattern(smbd_t, samba_log_t, samba_log_t)
--setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
-+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
- 
--allow smbd_t samba_net_tmp_t:file getattr_file_perms;
-+allow smbd_t samba_net_tmp_t:file getattr;
- 
- manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
- filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
- 
- manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
-+manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
-+manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
- allow smbd_t samba_share_t:filesystem { getattr quotaget };
- 
-@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
- files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
- 
-+allow smbd_t smbcontrol_t:process { signal signull };
-+
- manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
- manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
- files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
- 
--allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
--stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
-+allow smbd_t swat_t:process signal;
- 
--allow smbd_t nmbd_var_run_t:file read_file_perms;
--stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
-+
-+allow smbd_t winbind_t:process { signal signull };
- 
- kernel_getattr_core_if(smbd_t)
- kernel_getattr_message_if(smbd_t)
-@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t)
- kernel_read_software_raid_state(smbd_t)
- kernel_read_system_state(smbd_t)
- 
--corecmd_exec_bin(smbd_t)
- corecmd_exec_shell(smbd_t)
-+corecmd_exec_bin(smbd_t)
- 
--corenet_all_recvfrom_unlabeled(smbd_t)
- corenet_all_recvfrom_netlabel(smbd_t)
- corenet_tcp_sendrecv_generic_if(smbd_t)
-+corenet_udp_sendrecv_generic_if(smbd_t)
-+corenet_raw_sendrecv_generic_if(smbd_t)
- corenet_tcp_sendrecv_generic_node(smbd_t)
-+corenet_udp_sendrecv_generic_node(smbd_t)
-+corenet_raw_sendrecv_generic_node(smbd_t)
-+corenet_tcp_sendrecv_all_ports(smbd_t)
-+corenet_udp_sendrecv_all_ports(smbd_t)
- corenet_tcp_bind_generic_node(smbd_t)
--
--corenet_sendrecv_smbd_client_packets(smbd_t)
--corenet_tcp_connect_smbd_port(smbd_t)
--corenet_sendrecv_smbd_server_packets(smbd_t)
-+corenet_udp_bind_generic_node(smbd_t)
- corenet_tcp_bind_smbd_port(smbd_t)
--corenet_tcp_sendrecv_smbd_port(smbd_t)
--
--corenet_sendrecv_ipp_client_packets(smbd_t)
- corenet_tcp_connect_ipp_port(smbd_t)
--corenet_tcp_sendrecv_ipp_port(smbd_t)
-+corenet_tcp_connect_smbd_port(smbd_t)
- 
- dev_read_sysfs(smbd_t)
- dev_read_urand(smbd_t)
-+dev_dontaudit_write_urand(smbd_t)
- dev_getattr_mtrr_dev(smbd_t)
- dev_dontaudit_getattr_usbfs_dirs(smbd_t)
-+# For redhat bug 566984
- dev_getattr_all_blk_files(smbd_t)
- dev_getattr_all_chr_files(smbd_t)
- 
--domain_use_interactive_fds(smbd_t)
--domain_dontaudit_list_all_domains_state(smbd_t)
--
--files_list_var_lib(smbd_t)
--files_read_etc_runtime_files(smbd_t)
--files_read_usr_files(smbd_t)
--files_search_spool(smbd_t)
--files_dontaudit_getattr_all_dirs(smbd_t)
--files_dontaudit_list_all_mountpoints(smbd_t)
--files_list_mnt(smbd_t)
--
- fs_getattr_all_fs(smbd_t)
- fs_getattr_all_dirs(smbd_t)
- fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t)
- fs_list_inotifyfs(smbd_t)
- fs_get_all_fs_quotas(smbd_t)
- 
--term_use_ptmx(smbd_t)
--
- auth_use_nsswitch(smbd_t)
- auth_domtrans_chk_passwd(smbd_t)
- auth_domtrans_upd_passwd(smbd_t)
- auth_manage_cache(smbd_t)
- auth_write_login_records(smbd_t)
- 
-+domain_use_interactive_fds(smbd_t)
-+domain_dontaudit_list_all_domains_state(smbd_t)
-+
-+files_list_var_lib(smbd_t)
-+files_read_etc_runtime_files(smbd_t)
-+files_search_spool(smbd_t)
-+# smbd seems to getattr all mountpoints
-+files_dontaudit_getattr_all_dirs(smbd_t)
-+files_dontaudit_list_all_mountpoints(smbd_t)
-+# Allow samba to list mnt_t for potential mounted dirs
-+files_list_mnt(smbd_t)
-+
- init_rw_utmp(smbd_t)
- 
- logging_search_logs(smbd_t)
- logging_send_syslog_msg(smbd_t)
- 
--miscfiles_read_localization(smbd_t)
- miscfiles_read_public_files(smbd_t)
- 
- sysnet_use_ldap(smbd_t)
- 
- userdom_use_unpriv_users_fds(smbd_t)
-+userdom_search_user_home_content(smbd_t)
- userdom_signal_all_users(smbd_t)
--userdom_home_filetrans_user_home_dir(smbd_t)
--userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
- 
- usermanage_read_crack_db(smbd_t)
- 
--ifdef(`hide_broken_symptoms',`
-+term_use_ptmx(smbd_t)
-+
-+ifdef(`hide_broken_symptoms', `
- files_dontaudit_getattr_default_dirs(smbd_t)
- files_dontaudit_getattr_boot_dirs(smbd_t)
- fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
- ')
- 
--tunable_policy(`allow_smbd_anon_write',`
-+tunable_policy(`smbd_anon_write',`
- miscfiles_manage_public_files(smbd_t)
--')
-+')
- 
--tunable_policy(`samba_create_home_dirs',`
-- allow smbd_t self:capability chown;
-- userdom_create_user_home_dirs(smbd_t)
-+tunable_policy(`samba_portmapper',`
-+ corenet_tcp_bind_epmap_port(smbd_t)
-+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
- ')
- 
- tunable_policy(`samba_domain_controller',`
-@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',`
- ')
- 
- tunable_policy(`samba_enable_home_dirs',`
-- userdom_manage_user_home_content_dirs(smbd_t)
-- userdom_manage_user_home_content_files(smbd_t)
-- userdom_manage_user_home_content_symlinks(smbd_t)
-- userdom_manage_user_home_content_sockets(smbd_t)
-- userdom_manage_user_home_content_pipes(smbd_t)
--')
--
--tunable_policy(`samba_portmapper',`
-- corenet_sendrecv_all_server_packets(smbd_t)
-- corenet_tcp_bind_epmap_port(smbd_t)
-- corenet_tcp_bind_all_unreserved_ports(smbd_t)
-- corenet_tcp_sendrecv_all_ports(smbd_t)
-+ userdom_manage_user_home_content(smbd_t)
- ')
- 
-+# Support Samba sharing of NFS mount points
- tunable_policy(`samba_share_nfs',`
- fs_manage_nfs_dirs(smbd_t)
- fs_manage_nfs_files(smbd_t)
-@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',`
- fs_manage_nfs_named_sockets(smbd_t)
- ')
- 
-+# Support Samba sharing of ntfs/fusefs mount points
- tunable_policy(`samba_share_fusefs',`
- fs_manage_fusefs_dirs(smbd_t)
- fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',`
- fs_search_fusefs(smbd_t)
- ')
- 
--tunable_policy(`samba_export_all_ro',`
-- fs_read_noxattr_fs_files(smbd_t)
-- files_list_non_auth_dirs(smbd_t)
-- files_read_non_auth_files(smbd_t)
--')
--
--tunable_policy(`samba_export_all_rw',`
-- fs_read_noxattr_fs_files(smbd_t)
-- files_manage_non_auth_files(smbd_t)
--')
--
- optional_policy(`
- ccs_read_config(smbd_t)
- ')
-@@ -460,6 +446,7 @@ optional_policy(`
- optional_policy(`
- ctdbd_stream_connect(smbd_t)
- ctdbd_manage_lib_files(smbd_t)
-+ ctdbd_manage_var_files(smbd_t)
- ')
- 
- optional_policy(`
-@@ -473,6 +460,11 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ ldap_stream_connect(smbd_t)
-+ dirsrv_stream_connect(smbd_t)
-+')
-+
-+optional_policy(`
- lpd_exec_lpr(smbd_t)
- ')
- 
-@@ -493,9 +485,33 @@ optional_policy(`
- udev_read_db(smbd_t)
- ')
- 
-+tunable_policy(`samba_create_home_dirs',`
-+ allow smbd_t self:capability chown;
-+ userdom_create_user_home_dirs(smbd_t)
-+')
-+
-+userdom_home_filetrans_user_home_dir(smbd_t)
-+
-+tunable_policy(`samba_export_all_ro',`
-+ allow nmbd_t self:capability { dac_read_search dac_override };
-+ fs_read_noxattr_fs_files(smbd_t)
-+ files_read_non_security_files(smbd_t)
-+ fs_read_noxattr_fs_files(nmbd_t)
-+ files_read_non_security_files(nmbd_t)
-+')
-+
-+tunable_policy(`samba_export_all_rw',`
-+ allow nmbd_t self:capability { dac_read_search dac_override };
-+ fs_manage_noxattr_fs_files(smbd_t)
-+ files_manage_non_security_files(smbd_t)
-+ fs_manage_noxattr_fs_files(nmbd_t)
-+ files_manage_non_security_files(nmbd_t)
-+')
-+userdom_filetrans_home_content(nmbd_t)
-+
- ########################################
- #
--# Nmbd Local policy
-+# nmbd Local policy
- #
- 
- dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive };
- allow nmbd_t self:msgq create_msgq_perms;
- allow nmbd_t self:sem create_sem_perms;
- allow nmbd_t self:shm create_shm_perms;
--allow nmbd_t self:tcp_socket { accept listen };
--allow nmbd_t self:unix_dgram_socket sendto;
--allow nmbd_t self:unix_stream_socket { accept connectto listen };
-+allow nmbd_t self:sock_file read_sock_file_perms;
-+allow nmbd_t self:tcp_socket create_stream_socket_perms;
-+allow nmbd_t self:udp_socket create_socket_perms;
-+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- 
- manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
- manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
- read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
- 
- manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
--append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
--create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
--setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
- 
--manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
- manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
--files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
- files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
- 
--allow nmbd_t { swat_t smbcontrol_t }:process signal;
--
--allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-+allow nmbd_t smbcontrol_t:process signal;
- 
- kernel_getattr_core_if(nmbd_t)
- kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t)
- kernel_read_software_raid_state(nmbd_t)
- kernel_read_system_state(nmbd_t)
- 
--corenet_all_recvfrom_unlabeled(nmbd_t)
- corenet_all_recvfrom_netlabel(nmbd_t)
- corenet_tcp_sendrecv_generic_if(nmbd_t)
- corenet_udp_sendrecv_generic_if(nmbd_t)
- corenet_tcp_sendrecv_generic_node(nmbd_t)
- corenet_udp_sendrecv_generic_node(nmbd_t)
-+corenet_tcp_sendrecv_all_ports(nmbd_t)
-+corenet_udp_sendrecv_all_ports(nmbd_t)
- corenet_udp_bind_generic_node(nmbd_t)
--
--corenet_sendrecv_nmbd_server_packets(nmbd_t)
- corenet_udp_bind_nmbd_port(nmbd_t)
--corenet_udp_sendrecv_nmbd_port(nmbd_t)
--
--corenet_sendrecv_smbd_client_packets(nmbd_t)
-+corenet_sendrecv_nmbd_server_packets(nmbd_t)
-+corenet_sendrecv_nmbd_client_packets(nmbd_t)
- corenet_tcp_connect_smbd_port(nmbd_t)
--corenet_tcp_sendrecv_smbd_port(nmbd_t)
- 
--dev_read_sysfs(nmbd_t)
- dev_getattr_mtrr_dev(nmbd_t)
-+dev_read_sysfs(nmbd_t)
-+dev_read_urand(nmbd_t)
-+
-+fs_getattr_all_fs(nmbd_t)
-+fs_search_auto_mountpoints(nmbd_t)
- 
- domain_use_interactive_fds(nmbd_t)
- 
--files_read_usr_files(nmbd_t)
- files_list_var_lib(nmbd_t)
- 
--fs_getattr_all_fs(nmbd_t)
--fs_search_auto_mountpoints(nmbd_t)
--
- auth_use_nsswitch(nmbd_t)
- 
- logging_search_logs(nmbd_t)
- logging_send_syslog_msg(nmbd_t)
- 
--miscfiles_read_localization(nmbd_t)
--
- userdom_use_unpriv_users_fds(nmbd_t)
--userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
--tunable_policy(`samba_export_all_ro',`
-- fs_read_noxattr_fs_files(nmbd_t)
-- files_list_non_auth_dirs(nmbd_t)
-- files_read_non_auth_files(nmbd_t)
--')
--
--tunable_policy(`samba_export_all_rw',`
-- fs_read_noxattr_fs_files(nmbd_t)
-- files_manage_non_auth_files(nmbd_t)
-+optional_policy(`
-+ ctdbd_stream_connect(nmbd_t)
-+ ctdbd_manage_var_files(nmbd_t)
- ')
- 
- optional_policy(`
-@@ -600,19 +602,26 @@ optional_policy(`
- 
- ########################################
- #
--# Smbcontrol local policy
-+# smbcontrol local policy
- #
- 
-+
- allow smbcontrol_t self:process signal;
--allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
-+# internal communication is often done using fifo and unix sockets.
-+allow smbcontrol_t self:fifo_file rw_file_perms; - allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; - allow smbcontrol_t self:process { signal signull }; - --allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; --read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) -+allow smbcontrol_t nmbd_t:process { signal signull }; -+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) -+ -+allow smbcontrol_t smbd_t:process { signal signull }; -+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) -+allow smbcontrol_t winbind_t:process { signal signull }; - -+files_search_var_lib(smbcontrol_t) - samba_read_config(smbcontrol_t) --samba_rw_var_files(smbcontrol_t) -+manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) - samba_search_var(smbcontrol_t) - samba_read_winbind_pid(smbcontrol_t) - -@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t) - - dev_read_urand(smbcontrol_t) - --files_read_etc_files(smbcontrol_t) --files_search_var_lib(smbcontrol_t) - - term_use_console(smbcontrol_t) - --miscfiles_read_localization(smbcontrol_t) -- - sysnet_use_ldap(smbcontrol_t) - --userdom_use_user_terminals(smbcontrol_t) -+userdom_use_inherited_user_terminals(smbcontrol_t) - - optional_policy(` - ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +642,23 @@ optional_policy(` - - ######################################## - # --# Smbmount Local policy -+# smbmount Local policy - # - --allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; --allow smbmount_t self:process signal_perms; --allow smbmount_t self:tcp_socket { accept listen }; -+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? 
-+allow smbmount_t self:process { fork signal_perms }; -+allow smbmount_t self:tcp_socket create_stream_socket_perms; -+allow smbmount_t self:udp_socket connect; - allow smbmount_t self:unix_dgram_socket create_socket_perms; - allow smbmount_t self:unix_stream_socket create_socket_perms; - - allow smbmount_t samba_etc_t:dir list_dir_perms; - allow smbmount_t samba_etc_t:file read_file_perms; - --allow smbmount_t samba_log_t:dir list_dir_perms; --append_files_pattern(smbmount_t, samba_log_t, samba_log_t) --create_files_pattern(smbmount_t, samba_log_t, samba_log_t) --setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t) -+can_exec(smbmount_t, smbmount_exec_t) -+ -+allow smbmount_t samba_log_t:dir list_dir_perms; -+allow smbmount_t samba_log_t:file manage_file_perms; - - allow smbmount_t samba_secrets_t:file manage_file_perms; - -@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) - manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) - files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") - --can_exec(smbmount_t, smbmount_exec_t) -+files_list_var_lib(smbmount_t) - - kernel_read_system_state(smbmount_t) - --corenet_all_recvfrom_unlabeled(smbmount_t) - corenet_all_recvfrom_netlabel(smbmount_t) - corenet_tcp_sendrecv_generic_if(smbmount_t) -+corenet_raw_sendrecv_generic_if(smbmount_t) -+corenet_udp_sendrecv_generic_if(smbmount_t) - corenet_tcp_sendrecv_generic_node(smbmount_t) -- --corenet_sendrecv_all_client_packets(smbmount_t) --corenet_tcp_connect_all_ports(smbmount_t) -+corenet_raw_sendrecv_generic_node(smbmount_t) -+corenet_udp_sendrecv_generic_node(smbmount_t) - corenet_tcp_sendrecv_all_ports(smbmount_t) -- --corecmd_list_bin(smbmount_t) -- --files_list_mnt(smbmount_t) --files_list_var_lib(smbmount_t) --files_mounton_mnt(smbmount_t) --files_manage_etc_runtime_files(smbmount_t) --files_etc_filetrans_etc_runtime(smbmount_t, file) -+corenet_udp_sendrecv_all_ports(smbmount_t) -+corenet_tcp_bind_generic_node(smbmount_t) 
-+corenet_udp_bind_generic_node(smbmount_t) -+corenet_tcp_connect_all_ports(smbmount_t) - - fs_getattr_cifs(smbmount_t) - fs_mount_cifs(smbmount_t) -@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t) - storage_raw_read_fixed_disk(smbmount_t) - storage_raw_write_fixed_disk(smbmount_t) - --auth_use_nsswitch(smbmount_t) -+corecmd_list_bin(smbmount_t) - --miscfiles_read_localization(smbmount_t) -+files_list_mnt(smbmount_t) -+files_mounton_mnt(smbmount_t) -+files_manage_etc_runtime_files(smbmount_t) -+files_etc_filetrans_etc_runtime(smbmount_t, file) -+ -+auth_use_nsswitch(smbmount_t) - --mount_use_fds(smbmount_t) - - locallogin_use_fds(smbmount_t) - - logging_search_logs(smbmount_t) - --userdom_use_user_terminals(smbmount_t) -+userdom_use_inherited_user_terminals(smbmount_t) - userdom_use_all_users_fds(smbmount_t) - - optional_policy(` - cups_read_rw_config(smbmount_t) - ') - -+optional_policy(` -+ mount_use_fds(smbmount_t) -+') -+ - ######################################## - # --# Swat Local policy -+# SWAT Local policy - # - - allow swat_t self:capability { dac_override setuid setgid sys_resource }; -+allow swat_t self:capability2 block_suspend; - allow swat_t self:process { setrlimit signal_perms }; - allow swat_t self:fifo_file rw_fifo_file_perms; - allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow swat_t self:tcp_socket { accept listen }; -+allow swat_t self:tcp_socket create_stream_socket_perms; -+allow swat_t self:udp_socket create_socket_perms; - allow swat_t self:unix_stream_socket connectto; - --allow swat_t { nmbd_t smbd_t }:process { signal signull }; -+samba_domtrans_smbd(swat_t) -+allow swat_t smbd_t:process { signal signull }; - --allow swat_t smbd_var_run_t:file read_file_perms; --allow swat_t smbd_var_run_t:file { lock delete_file_perms }; -+samba_domtrans_nmbd(swat_t) -+allow swat_t nmbd_t:process { signal signull }; -+allow nmbd_t swat_t:process signal; -+ -+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) 
-+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -+ -+allow swat_t smbd_port_t:tcp_socket name_bind; -+ -+allow swat_t nmbd_port_t:udp_socket name_bind; - - rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) - read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - - manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) --append_files_pattern(swat_t, samba_log_t, samba_log_t) --create_files_pattern(swat_t, samba_log_t, samba_log_t) --setattr_files_pattern(swat_t, samba_log_t, samba_log_t) -+manage_files_pattern(swat_t, samba_log_t, samba_log_t) - - manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) - - manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) - manage_files_pattern(swat_t, samba_var_t, samba_var_t) --manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t) - files_var_filetrans(swat_t, samba_var_t, dir, "samba") - - allow swat_t smbd_exec_t:file mmap_file_perms ; - --allow swat_t { winbind_t smbd_t }:process { signal signull }; -+allow swat_t smbd_t:process signull; -+ -+allow swat_t smbd_var_run_t:file read_file_perms; -+allow swat_t smbd_var_run_t:file { lock unlink }; - - manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) - manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) - manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) - files_pid_filetrans(swat_t, swat_var_run_t, file) - --read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) --allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms }; --allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms }; -- --read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) --stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -- --samba_domtrans_smbd(swat_t) --samba_domtrans_nmbd(swat_t) -- -+allow swat_t winbind_exec_t:file mmap_file_perms; - domtrans_pattern(swat_t, winbind_exec_t, winbind_t) 
-+allow swat_t winbind_t:process { signal signull }; -+ -+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) -+allow swat_t winbind_var_run_t:dir { write add_name remove_name }; -+allow swat_t winbind_var_run_t:sock_file { create unlink }; - - kernel_read_kernel_sysctls(swat_t) - kernel_read_system_state(swat_t) -@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t) - - corecmd_search_bin(swat_t) - --corenet_all_recvfrom_unlabeled(swat_t) - corenet_all_recvfrom_netlabel(swat_t) - corenet_tcp_sendrecv_generic_if(swat_t) - corenet_udp_sendrecv_generic_if(swat_t) -+corenet_raw_sendrecv_generic_if(swat_t) - corenet_tcp_sendrecv_generic_node(swat_t) - corenet_udp_sendrecv_generic_node(swat_t) --corenet_tcp_bind_generic_node(swat_t) --corenet_udp_bind_generic_node(swat_t) -- --corenet_sendrecv_nmbd_server_packets(swat_t) --corenet_udp_bind_nmbd_port(swat_t) --corenet_udp_sendrecv_nmbd_port(swat_t) -- --corenet_sendrecv_smbd_client_packets(swat_t) -+corenet_raw_sendrecv_generic_node(swat_t) -+corenet_tcp_sendrecv_all_ports(swat_t) -+corenet_udp_sendrecv_all_ports(swat_t) - corenet_tcp_connect_smbd_port(swat_t) --corenet_sendrecv_smbd_server_packets(swat_t) --corenet_tcp_bind_smbd_port(swat_t) --corenet_tcp_sendrecv_smbd_port(swat_t) -- --corenet_sendrecv_ipp_client_packets(swat_t) - corenet_tcp_connect_ipp_port(swat_t) --corenet_tcp_sendrecv_ipp_port(swat_t) -+corenet_sendrecv_smbd_client_packets(swat_t) -+corenet_sendrecv_ipp_client_packets(swat_t) - - dev_read_urand(swat_t) - - files_list_var_lib(swat_t) - files_search_home(swat_t) --files_read_usr_files(swat_t) - fs_getattr_xattr_fs(swat_t) --files_list_var_lib(swat_t) - - auth_domtrans_chk_passwd(swat_t) - auth_use_nsswitch(swat_t) -@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t) - logging_send_audit_msgs(swat_t) - logging_search_logs(swat_t) - --miscfiles_read_localization(swat_t) -- - sysnet_use_ldap(swat_t) - -+ -+userdom_dontaudit_search_admin_dir(swat_t) -+ - optional_policy(` - 
cups_read_rw_config(swat_t) - cups_stream_connect(swat_t) -@@ -834,16 +841,19 @@ optional_policy(` - # - - allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; -+allow winbind_t self:capability2 block_suspend; - dontaudit winbind_t self:capability sys_tty_config; - allow winbind_t self:process { signal_perms getsched setsched }; - allow winbind_t self:fifo_file rw_fifo_file_perms; --allow winbind_t self:unix_stream_socket { accept listen }; --allow winbind_t self:tcp_socket { accept listen }; -+allow winbind_t self:unix_dgram_socket create_socket_perms; -+allow winbind_t self:unix_stream_socket create_stream_socket_perms; -+allow winbind_t self:tcp_socket create_stream_socket_perms; -+allow winbind_t self:udp_socket create_socket_perms; - - allow winbind_t nmbd_t:process { signal signull }; - --allow winbind_t nmbd_var_run_t:file read_file_perms; --stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) -+samba_stream_connect_nmbd(winbind_t) - - allow winbind_t samba_etc_t:dir list_dir_perms; - read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) - filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) - - manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) --append_files_pattern(winbind_t, samba_log_t, samba_log_t) --create_files_pattern(winbind_t, samba_log_t, samba_log_t) --setattr_files_pattern(winbind_t, samba_log_t, samba_log_t) -+manage_files_pattern(winbind_t, samba_log_t, samba_log_t) - manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) - - manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") - - rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) - --# This needs a file context specification --allow winbind_t winbind_log_t:file { append_file_perms 
create_file_perms setattr_file_perms }; -+allow winbind_t winbind_log_t:file manage_file_perms; - logging_log_filetrans(winbind_t, winbind_log_t, file) - --manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) --manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) --manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) --files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) -+userdom_manage_user_tmp_dirs(winbind_t) -+userdom_manage_user_tmp_files(winbind_t) -+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) - - manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) - manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) - manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) - files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) - filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) -- --manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) -+# /run/samba/krb5cc_samba - manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) -+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) - manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) - - kernel_read_network_state(winbind_t) -@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t) - - corecmd_exec_bin(winbind_t) - --corenet_all_recvfrom_unlabeled(winbind_t) - corenet_all_recvfrom_netlabel(winbind_t) - corenet_tcp_sendrecv_generic_if(winbind_t) -+corenet_udp_sendrecv_generic_if(winbind_t) -+corenet_raw_sendrecv_generic_if(winbind_t) - corenet_tcp_sendrecv_generic_node(winbind_t) -+corenet_udp_sendrecv_generic_node(winbind_t) -+corenet_raw_sendrecv_generic_node(winbind_t) - corenet_tcp_sendrecv_all_ports(winbind_t) -- --corenet_sendrecv_all_client_packets(winbind_t) -+corenet_udp_sendrecv_all_ports(winbind_t) -+corenet_tcp_bind_generic_node(winbind_t) -+corenet_udp_bind_generic_node(winbind_t) - 
corenet_tcp_connect_smbd_port(winbind_t) - corenet_tcp_connect_epmap_port(winbind_t) - corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) - dev_read_sysfs(winbind_t) - dev_read_urand(winbind_t) - --domain_use_interactive_fds(winbind_t) -- --files_read_usr_symlinks(winbind_t) --files_list_var_lib(winbind_t) - - fs_getattr_all_fs(winbind_t) - fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t) - auth_use_nsswitch(winbind_t) - auth_manage_cache(winbind_t) - -+domain_use_interactive_fds(winbind_t) -+ -+files_read_usr_symlinks(winbind_t) -+files_list_var_lib(winbind_t) -+ - logging_send_syslog_msg(winbind_t) - --miscfiles_read_localization(winbind_t) - miscfiles_read_generic_certs(winbind_t) - -+sysnet_use_ldap(winbind_t) -+ - userdom_dontaudit_use_unpriv_user_fds(winbind_t) - userdom_manage_user_home_content_dirs(winbind_t) - userdom_manage_user_home_content_files(winbind_t) - userdom_manage_user_home_content_symlinks(winbind_t) - userdom_manage_user_home_content_pipes(winbind_t) - userdom_manage_user_home_content_sockets(winbind_t) --userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) -+userdom_filetrans_home_content(winbind_t) - - optional_policy(` - ctdbd_stream_connect(winbind_t) - ctdbd_manage_lib_files(winbind_t) -+ ctdbd_manage_var_files(winbind_t) -+') -+ -+ -+optional_policy(` -+ dirsrv_stream_connect(winbind_t) - ') - - optional_policy(` - kerberos_use(winbind_t) -+ kerberos_filetrans_named_content(winbind_t) - ') - - optional_policy(` -@@ -952,31 +971,29 @@ optional_policy(` - # Winbind helper local policy - # - --allow winbind_helper_t self:unix_stream_socket { accept listen }; -+allow winbind_helper_t self:unix_dgram_socket create_socket_perms; -+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; - - allow winbind_helper_t samba_etc_t:dir list_dir_perms; - 
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) - read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) - - allow winbind_helper_t samba_var_t:dir search_dir_perms; -+files_list_var_lib(winbind_helper_t) - - allow winbind_t smbcontrol_t:process signal; - - stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) - --domain_use_interactive_fds(winbind_helper_t) -- --files_list_var_lib(winbind_helper_t) -- - term_list_ptys(winbind_helper_t) - -+domain_use_interactive_fds(winbind_helper_t) -+ - auth_use_nsswitch(winbind_helper_t) - - logging_send_syslog_msg(winbind_helper_t) - --miscfiles_read_localization(winbind_helper_t) -- --userdom_use_user_terminals(winbind_helper_t) -+userdom_use_inherited_user_terminals(winbind_helper_t) - - optional_policy(` - apache_append_log(winbind_helper_t) -@@ -990,25 +1007,38 @@ optional_policy(` - - ######################################## - # --# Unconfined script local policy -+# samba_unconfined_script_t local policy - # - - optional_policy(` -- type samba_unconfined_script_t; -- type samba_unconfined_script_exec_t; -- domain_type(samba_unconfined_script_t) -- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) -- corecmd_shell_entry_type(samba_unconfined_script_t) -- role system_r types samba_unconfined_script_t; -+ type samba_unconfined_net_t; -+ domain_type(samba_unconfined_net_t) -+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) -+ role system_r types samba_unconfined_net_t; -+ -+ unconfined_domain(samba_unconfined_net_t) -+ -+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) -+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) -+ userdom_use_inherited_user_terminals(samba_unconfined_net_t) -+') -+ -+type samba_unconfined_script_t; -+type samba_unconfined_script_exec_t; -+domain_type(samba_unconfined_script_t) -+domain_entry_file(samba_unconfined_script_t, 
samba_unconfined_script_exec_t) -+corecmd_shell_entry_type(samba_unconfined_script_t) -+role system_r types samba_unconfined_script_t; - -- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -- allow smbd_t samba_unconfined_script_exec_t:file ioctl; -+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -+allow smbd_t samba_unconfined_script_exec_t:file ioctl; - -+optional_policy(` - unconfined_domain(samba_unconfined_script_t) -+') - -- tunable_policy(`samba_run_unconfined',` -+tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) -- ',` -- can_exec(smbd_t, samba_unconfined_script_exec_t) -- ') -+',` -+ can_exec(smbd_t, samba_unconfined_script_exec_t) - ') -diff --git a/sambagui.te b/sambagui.te -index d9f8784..9c40dbd 100644 ---- a/sambagui.te -+++ b/sambagui.te -@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) - - dev_dontaudit_read_urand(sambagui_t) - --files_read_usr_files(sambagui_t) -+files_search_var_lib(sambagui_t) - - auth_use_nsswitch(sambagui_t) - auth_dontaudit_read_shadow(sambagui_t) - --logging_send_syslog_msg(sambagui_t) -+init_access_check(sambagui_t) - --miscfiles_read_localization(sambagui_t) -+logging_send_syslog_msg(sambagui_t) - - sysnet_use_ldap(sambagui_t) - -@@ -61,6 +61,7 @@ optional_policy(` - samba_manage_var_files(sambagui_t) - samba_read_secrets(sambagui_t) - samba_initrc_domtrans(sambagui_t) -+ samba_systemctl(sambagui_t) - samba_domtrans_smbd(sambagui_t) - samba_domtrans_nmbd(sambagui_t) - ') -diff --git a/samhain.if b/samhain.if -index f0236d6..78a792a 100644 ---- a/samhain.if -+++ b/samhain.if -@@ -23,6 +23,8 @@ template(`samhain_service_template',` - files_read_all_files($1_t) - - mls_file_write_all_levels($1_t) -+ -+ logging_send_sylog_msg($1_t) - ') - - ######################################## -diff --git a/samhain.te b/samhain.te -index 931312b..bd9a4c7 100644 ---- a/samhain.te -+++ b/samhain.te -@@ -88,8 +88,6 @@ 
auth_read_login_records(samhain_domain) - - init_read_utmp(samhain_domain) - --logging_send_syslog_msg(samhain_domain) -- - ######################################## - # - # Client local policy -@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t) - - seutil_sigchld_newrole(samhain_t) - --userdom_use_user_terminals(samhain_t) -+userdom_use_inherited_user_terminals(samhain_t) - - ######################################## - # -diff --git a/sandbox.fc b/sandbox.fc -new file mode 100644 -index 0000000..b7db254 ---- /dev/null -+++ b/sandbox.fc -@@ -0,0 +1 @@ -+# Empty -diff --git a/sandbox.if b/sandbox.if -new file mode 100644 -index 0000000..577dfa7 ---- /dev/null -+++ b/sandbox.if -@@ -0,0 +1,55 @@ -+ -+## policy for sandbox -+ -+######################################## -+## -+## Execute sandbox in the sandbox domain, and -+## allow the specified role the sandbox domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. -+## -+## -+# -+interface(`sandbox_transition',` -+ gen_require(` -+ attribute sandbox_domain; -+ ') -+ -+ allow $1 sandbox_domain:process transition; -+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; -+ role $2 types sandbox_domain; -+ allow sandbox_domain $1:process { sigchld signull }; -+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit sandbox_domain $1:process signal; -+') -+ -+######################################## -+## -+## Creates types and rules for a basic -+## sandbox process domain. -+## -+## -+## -+## Prefix for the domain. 
-+## -+## -+# -+template(`sandbox_domain_template',` -+ -+ gen_require(` -+ attribute sandbox_domain; -+ ') -+ type $1_t, sandbox_domain; -+ -+ application_type($1_t) -+ -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+') -diff --git a/sandbox.te b/sandbox.te -new file mode 100644 -index 0000000..b12aada ---- /dev/null -+++ b/sandbox.te -@@ -0,0 +1,62 @@ -+policy_module(sandbox,1.0.0) -+ -+attribute sandbox_domain; -+ -+######################################## -+# -+# Declarations -+# -+sandbox_domain_template(sandbox) -+ -+######################################## -+# -+# sandbox local policy -+# -+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; -+tunable_policy(`deny_execmem',`',` -+ allow sandbox_domain self:process execmem; -+') -+ -+allow sandbox_domain self:fifo_file manage_file_perms; -+allow sandbox_domain self:sem create_sem_perms; -+allow sandbox_domain self:shm create_shm_perms; -+allow sandbox_domain self:msgq create_msgq_perms; -+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; -+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+ -+dev_rw_all_inherited_chr_files(sandbox_domain) -+dev_rw_all_inherited_blk_files(sandbox_domain) -+ -+# sandbox_file_t was moved to sandboxX.te -+optional_policy(` -+ sandbox_exec_file(sandbox_domain) -+ sandbox_manage_content(sandbox_domain) -+ sandbox_dontaudit_mounton(sandbox_domain) -+ sandbox_manage_tmpfs_files(sandbox_domain) -+') -+ -+gen_require(` -+ type usr_t, lib_t, locale_t, device_t; -+ type var_t, var_run_t, rpm_log_t, locale_t; -+ attribute exec_type, configfile; -+') -+ -+kernel_dontaudit_read_system_state(sandbox_domain) -+ -+corecmd_exec_all_executables(sandbox_domain) -+ -+dev_dontaudit_getattr_all(sandbox_domain) -+ -+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t 
-locale_t -var_t -var_run_t -device_t -rpm_log_t ) -+files_entrypoint_all_files(sandbox_domain) -+ -+files_read_config_files(sandbox_domain) -+files_read_var_files(sandbox_domain) -+files_dontaudit_search_all_dirs(sandbox_domain) -+ -+fs_dontaudit_getattr_all_fs(sandbox_domain) -+ -+userdom_use_inherited_user_terminals(sandbox_domain) -+ -+mta_dontaudit_read_spool_symlinks(sandbox_domain) -diff --git a/sandboxX.fc b/sandboxX.fc -new file mode 100644 -index 0000000..6caef63 ---- /dev/null -+++ b/sandboxX.fc -@@ -0,0 +1,2 @@ -+ -+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) -diff --git a/sandboxX.if b/sandboxX.if -new file mode 100644 -index 0000000..5da5bff ---- /dev/null -+++ b/sandboxX.if -@@ -0,0 +1,392 @@ -+ -+## policy for sandboxX -+ -+######################################## -+## -+## Execute sandbox in the sandbox domain, and -+## allow the specified role the sandbox domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. 
-+## -+## -+# -+interface(`sandbox_x_transition',` -+ gen_require(` -+ type sandbox_xserver_t; -+ type sandbox_file_t; -+ attribute sandbox_x_domain; -+ attribute sandbox_tmpfs_type; -+ ') -+ -+ allow $1 sandbox_x_domain:process { signal_perms transition }; -+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; -+ allow sandbox_x_domain $1:process { sigchld signull }; -+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; -+ role $2 types sandbox_x_domain; -+ role $2 types sandbox_xserver_t; -+ allow $1 sandbox_xserver_t:process signal_perms; -+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; -+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; -+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; -+ dontaudit sandbox_xserver_t $1:file read; -+ allow sandbox_x_domain sandbox_x_domain:process signal; -+ # Dontaudit leaked file descriptors -+ dontaudit sandbox_x_domain $1:fifo_file { read write }; -+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; -+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; -+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; -+ dontaudit sandbox_x_domain $1:process { signal sigkill }; -+ -+ allow $1 sandbox_tmpfs_type:file manage_file_perms; -+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; -+ -+ can_exec($1, sandbox_file_t) -+ allow $1 sandbox_file_t:filesystem getattr; -+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); -+ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t) -+ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t) -+ relabel_lnk_files_pattern($1, sandbox_file_t, 
sandbox_file_t) -+ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) -+ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) -+') -+ -+######################################## -+## -+## Creates types and rules for a basic -+## sandbox process domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`sandbox_x_domain_template',` -+ gen_require(` -+ type xserver_exec_t, sandbox_devpts_t; -+ type sandbox_xserver_t; -+ type sandbox_exec_t; -+ attribute sandbox_x_domain; -+ attribute sandbox_tmpfs_type; -+ attribute sandbox_type; -+ ') -+ -+ type $1_t, sandbox_x_domain, sandbox_type; -+ application_type($1_t) -+ mcs_constrained($1_t) -+ -+ kernel_read_system_state($1_t) -+ selinux_get_fs_mount($1_t) -+ -+ auth_use_nsswitch($1_t) -+ -+ logging_send_syslog_msg($1_t) -+ -+ # window manager -+ miscfiles_setattr_fonts_cache_dirs($1_t) -+ allow $1_t self:capability setuid; -+ -+ type $1_client_t, sandbox_x_domain; -+ application_type($1_client_t) -+ kernel_read_system_state($1_client_t) -+ -+ mcs_constrained($1_t) -+ -+ type $1_client_tmpfs_t, sandbox_tmpfs_type; -+ files_tmpfs_file($1_client_tmpfs_t) -+ -+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) -+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t) -+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) -+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) -+ # Pulseaudio tmpfs files with different MCS labels -+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; -+ dontaudit $1_t $1_client_tmpfs_t:file { read write }; -+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; -+ -+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) -+ allow $1_t sandbox_xserver_t:process signal_perms; -+ -+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) -+ domain_entry_file($1_client_t, sandbox_exec_t) -+ -+ ps_process_pattern(sandbox_xserver_t, $1_client_t) -+ ps_process_pattern(sandbox_xserver_t, $1_t) -+ allow 
sandbox_xserver_t $1_client_t:shm rw_shm_perms; -+ allow sandbox_xserver_t $1_t:shm rw_shm_perms; -+ allow $1_client_t $1_t:unix_stream_socket connectto; -+ allow $1_t $1_client_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## allow domain to read, -+## write sandbox_xserver tmp files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_rw_xserver_tmpfs_files',` -+ gen_require(` -+ type sandbox_xserver_tmpfs_t; -+ ') -+ -+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## allow domain to read -+## sandbox tmpfs files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_read_tmpfs_files',` -+ gen_require(` -+ attribute sandbox_tmpfs_type; -+ ') -+ -+ allow $1 sandbox_tmpfs_type:file read_file_perms; -+') -+ -+######################################## -+## -+## allow domain to manage -+## sandbox tmpfs files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_manage_tmpfs_files',` -+ gen_require(` -+ attribute sandbox_tmpfs_type; -+ ') -+ -+ allow $1 sandbox_tmpfs_type:file manage_file_perms; -+') -+ -+######################################## -+## -+## Delete sandbox files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_delete_files',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ delete_files_pattern($1, sandbox_file_t, sandbox_file_t) -+') -+ -+######################################## -+## -+## Manage sandbox content -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_manage_content',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ allow $1 sandbox_file_t:filesystem getattr; -+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); -+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); 
-+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); -+') -+ -+######################################## -+## -+## Delete sandbox symbolic links -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_delete_lnk_files',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) -+') -+ -+######################################## -+## -+## Delete sandbox fifo files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_delete_pipes',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) -+') -+ -+######################################## -+## -+## Delete sandbox sock files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_delete_sock_files',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) -+') -+ -+######################################## -+## -+## Allow domain to set the attributes -+## of the sandbox directory. -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_setattr_dirs',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ allow $1 sandbox_file_t:dir setattr; -+') -+ -+######################################## -+## -+## Delete sandbox directories -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_delete_dirs',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t) -+') -+ -+######################################## -+## -+## allow domain to list sandbox dirs -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`sandbox_list',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ allow $1 sandbox_file_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Read and write a sandbox domain pty. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`sandbox_use_ptys',` -+ gen_require(` -+ type sandbox_devpts_t; -+ ') -+ -+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms; -+') -+ -+####################################### -+## -+## Allow domain to execute sandbox_file_t in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sandbox_exec_file',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ can_exec($1, sandbox_file_t) -+') -+ -+###################################### -+## -+## Allow domain to execute sandbox_file_t in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sandbox_dontaudit_mounton',` -+ gen_require(` -+ type sandbox_file_t; -+ ') -+ -+ dontaudit $1 sandbox_file_t:dir mounton; -+') -diff --git a/sandboxX.te b/sandboxX.te -new file mode 100644 -index 0000000..710df6b ---- /dev/null -+++ b/sandboxX.te -@@ -0,0 +1,483 @@ -+policy_module(sandboxX,1.0.0) -+ -+dbus_stub() -+attribute sandbox_x_domain; -+attribute sandbox_web_type; -+attribute sandbox_file_type; -+attribute sandbox_tmpfs_type; -+attribute sandbox_type; -+ -+type sandbox_exec_t; -+files_type(sandbox_exec_t) -+ -+type sandbox_file_t, sandbox_file_type; -+userdom_user_home_content(sandbox_file_t) -+ -+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }; -+ -+######################################## -+# -+# Declarations -+# -+sandbox_x_domain_template(sandbox_min) -+sandbox_x_domain_template(sandbox_x) -+sandbox_x_domain_template(sandbox_web) -+sandbox_x_domain_template(sandbox_net) -+ -+type sandbox_xserver_t; -+domain_type(sandbox_xserver_t) -+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) -+ -+type sandbox_xserver_tmpfs_t; -+files_tmpfs_file(sandbox_xserver_tmpfs_t) -+ -+type sandbox_devpts_t; -+term_pty(sandbox_devpts_t) -+files_type(sandbox_devpts_t) -+ -+######################################## -+# -+# sandbox xserver 
policy -+# -+allow sandbox_xserver_t self:process { signal_perms execstack }; -+ -+tunable_policy(`deny_execmem',`',` -+ allow sandbox_xserver_t self:process execmem; -+') -+ -+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; -+allow sandbox_xserver_t self:shm create_shm_perms; -+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) -+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) -+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) -+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms; -+ -+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) -+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+ -+kernel_dontaudit_request_load_module(sandbox_xserver_t) -+kernel_read_system_state(sandbox_xserver_t) -+ -+corecmd_exec_bin(sandbox_xserver_t) -+corecmd_exec_shell(sandbox_xserver_t) -+ -+corenet_all_recvfrom_netlabel(sandbox_xserver_t) -+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) -+corenet_udp_sendrecv_generic_if(sandbox_xserver_t) -+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t) -+corenet_udp_sendrecv_generic_node(sandbox_xserver_t) -+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) -+corenet_udp_sendrecv_all_ports(sandbox_xserver_t) -+corenet_tcp_bind_generic_node(sandbox_xserver_t) -+corenet_tcp_bind_xserver_port(sandbox_xserver_t) -+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) 
-+corenet_sendrecv_all_client_packets(sandbox_xserver_t) -+ -+dev_read_sysfs(sandbox_xserver_t) -+dev_rwx_zero(sandbox_xserver_t) -+dev_read_urand(sandbox_xserver_t) -+ -+domain_use_interactive_fds(sandbox_xserver_t) -+ -+files_read_config_files(sandbox_xserver_t) -+files_search_home(sandbox_xserver_t) -+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) -+fs_list_inotifyfs(sandbox_xserver_t) -+fs_search_auto_mountpoints(sandbox_xserver_t) -+ -+miscfiles_read_fonts(sandbox_xserver_t) -+ -+selinux_validate_context(sandbox_xserver_t) -+selinux_compute_access_vector(sandbox_xserver_t) -+selinux_compute_create_context(sandbox_xserver_t) -+ -+auth_use_nsswitch(sandbox_xserver_t) -+ -+logging_send_syslog_msg(sandbox_xserver_t) -+logging_send_audit_msgs(sandbox_xserver_t) -+ -+userdom_use_inherited_user_terminals(sandbox_xserver_t) -+userdom_dontaudit_search_user_home_content(sandbox_xserver_t) -+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t) -+ -+xserver_read_xkb_libs(sandbox_xserver_t) -+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t) -+xserver_entry_type(sandbox_xserver_t) -+ -+optional_policy(` -+ dbus_system_bus_client(sandbox_xserver_t) -+ -+ optional_policy(` -+ hal_dbus_chat(sandbox_xserver_t) -+ ') -+') -+ -+######################################## -+# -+# sandbox_x_domain local policy -+# -+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; -+tunable_policy(`deny_execmem',`',` -+ allow sandbox_x_domain self:process execmem; -+') -+ -+allow sandbox_x_domain self:fifo_file manage_file_perms; -+allow sandbox_x_domain self:sem create_sem_perms; -+allow sandbox_x_domain self:shm create_shm_perms; -+allow sandbox_x_domain self:msgq create_msgq_perms; -+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms; -+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; -+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; -+ -+dontaudit 
sandbox_x_domain sandbox_x_domain:process signal; -+dontaudit sandbox_x_domain sandbox_xserver_t:process signal; -+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+ -+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; -+ -+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; -+term_create_pty(sandbox_x_domain,sandbox_devpts_t) -+ -+can_exec(sandbox_x_domain, sandbox_file_t) -+allow sandbox_x_domain sandbox_file_t:filesystem getattr; -+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); -+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); -+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); -+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); -+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); -+dontaudit sandbox_x_domain sandbox_file_t:dir mounton; -+ -+kernel_getattr_proc(sandbox_x_domain) -+kernel_read_network_state(sandbox_x_domain) -+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain) -+ -+domain_dontaudit_read_all_domains_state(sandbox_x_domain) -+ -+corecmd_exec_all_executables(sandbox_x_domain) -+ -+dev_read_urand(sandbox_x_domain) -+dev_dontaudit_read_rand(sandbox_x_domain) -+dev_read_sysfs(sandbox_x_domain) -+dev_dontaudit_rw_dri(sandbox_x_domain) -+ -+files_search_home(sandbox_x_domain) -+files_dontaudit_list_all_mountpoints(sandbox_x_domain) -+files_entrypoint_all_files(sandbox_x_domain) -+files_read_config_files(sandbox_x_domain) -+files_read_usr_symlinks(sandbox_x_domain) -+ -+fs_getattr_tmpfs(sandbox_x_domain) -+fs_getattr_xattr_fs(sandbox_x_domain) -+fs_list_inotifyfs(sandbox_x_domain) -+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain) -+# Random tmpfs_t that gets created when you run X. 
-+fs_rw_tmpfs_files(sandbox_x_domain) -+fs_get_xattr_fs_quotas(sandbox_x_domain) -+ -+auth_dontaudit_read_login_records(sandbox_x_domain) -+auth_dontaudit_write_login_records(sandbox_x_domain) -+auth_search_pam_console_data(sandbox_x_domain) -+ -+init_read_utmp(sandbox_x_domain) -+init_dontaudit_write_utmp(sandbox_x_domain) -+ -+libs_dontaudit_setattr_lib_files(sandbox_x_domain) -+ -+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) -+ -+mta_dontaudit_read_spool_symlinks(sandbox_x_domain) -+ -+selinux_validate_context(sandbox_x_domain) -+selinux_compute_access_vector(sandbox_x_domain) -+selinux_compute_create_context(sandbox_x_domain) -+selinux_compute_relabel_context(sandbox_x_domain) -+selinux_compute_user_contexts(sandbox_x_domain) -+seutil_read_default_contexts(sandbox_x_domain) -+ -+term_getattr_pty_fs(sandbox_x_domain) -+term_use_ptmx(sandbox_x_domain) -+term_search_ptys(sandbox_x_domain) -+ -+application_dontaudit_signal(sandbox_x_domain) -+application_dontaudit_sigkill(sandbox_x_domain) -+ -+logging_dontaudit_search_logs(sandbox_x_domain) -+ -+miscfiles_read_fonts(sandbox_x_domain) -+ -+storage_dontaudit_rw_fuse(sandbox_x_domain) -+ -+optional_policy(` -+ consolekit_dbus_chat(sandbox_x_domain) -+') -+ -+optional_policy(` -+ cups_stream_connect(sandbox_x_domain) -+ cups_read_rw_config(sandbox_x_domain) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(sandbox_x_domain) -+') -+ -+optional_policy(` -+ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain) -+') -+ -+optional_policy(` -+ gnome_read_gconf_config(sandbox_x_domain) -+') -+ -+optional_policy(` -+ nscd_dontaudit_search_pid(sandbox_x_domain) -+') -+ -+optional_policy(` -+ sssd_dontaudit_search_lib(sandbox_x_domain) -+') -+ -+optional_policy(` -+ udev_read_db(sandbox_x_domain) -+') -+ -+userdom_use_inherited_user_terminals(sandbox_x_domain) -+userdom_read_user_home_content_symlinks(sandbox_x_domain) -+userdom_search_user_home_content(sandbox_x_domain) 
-+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain) -+ -+fs_search_auto_mountpoints(sandbox_x_domain) -+fs_read_hugetlbfs_files(sandbox_x_domain) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_search_auto_mountpoints(sandbox_x_domain) -+ fs_search_nfs(sandbox_xserver_t) -+ fs_read_nfs_files(sandbox_xserver_t) -+ fs_manage_nfs_dirs(sandbox_x_domain) -+ fs_manage_nfs_files(sandbox_x_domain) -+ fs_exec_nfs_files(sandbox_x_domain) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs(sandbox_xserver_t) -+ fs_read_cifs_files(sandbox_xserver_t) -+ fs_manage_cifs_dirs(sandbox_x_domain) -+ fs_manage_cifs_files(sandbox_x_domain) -+ fs_exec_cifs_files(sandbox_x_domain) -+') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_search_fusefs(sandbox_xserver_t) -+ fs_read_fusefs_files(sandbox_xserver_t) -+ fs_manage_fusefs_dirs(sandbox_x_domain) -+ fs_manage_fusefs_files(sandbox_x_domain) -+ fs_exec_fusefs_files(sandbox_x_domain) -+') -+ -+files_search_home(sandbox_x_t) -+userdom_use_user_ptys(sandbox_x_t) -+ -+######################################## -+# -+# sandbox_x_client_t local policy -+# -+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; -+allow sandbox_x_client_t self:udp_socket create_socket_perms; -+allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; -+ -+dev_read_rand(sandbox_x_client_t) -+ -+corenet_tcp_connect_ipp_port(sandbox_x_client_t) -+corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t) -+ -+auth_use_nsswitch(sandbox_x_client_t) -+ -+logging_send_syslog_msg(sandbox_x_client_t) -+ -+optional_policy(` -+ colord_dbus_chat(sandbox_x_client_t) -+') -+ -+optional_policy(` -+ hal_dbus_chat(sandbox_x_client_t) -+') -+ -+optional_policy(` -+ nsplugin_read_rw_files(sandbox_x_client_t) -+') -+ -+######################################## -+# -+# sandbox_web_client_t local policy -+# -+typeattribute sandbox_web_client_t sandbox_web_type; -+ -+selinux_get_fs_mount(sandbox_web_client_t) -+ 
-+auth_use_nsswitch(sandbox_web_client_t) -+ -+logging_send_syslog_msg(sandbox_web_client_t) -+ -+allow sandbox_web_type self:capability { setuid setgid }; -+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; -+dontaudit sandbox_web_type self:process setrlimit; -+ -+allow sandbox_web_type self:tcp_socket create_stream_socket_perms; -+allow sandbox_web_type self:udp_socket create_socket_perms; -+allow sandbox_web_type self:dbus { acquire_svc send_msg }; -+ -+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) -+kernel_request_load_module(sandbox_web_type) -+ -+dev_read_rand(sandbox_web_type) -+dev_write_sound(sandbox_web_type) -+dev_read_sound(sandbox_web_type) -+ -+corenet_tcp_sendrecv_generic_if(sandbox_web_type) -+corenet_raw_sendrecv_generic_if(sandbox_web_type) -+corenet_tcp_sendrecv_generic_node(sandbox_web_type) -+corenet_raw_sendrecv_generic_node(sandbox_web_type) -+corenet_tcp_sendrecv_http_port(sandbox_web_type) -+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) -+corenet_tcp_sendrecv_squid_port(sandbox_web_type) -+corenet_tcp_sendrecv_ftp_port(sandbox_web_type) -+corenet_tcp_sendrecv_ipp_port(sandbox_web_type) -+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type) -+corenet_tcp_connect_aol_port(sandbox_web_type) -+corenet_tcp_connect_asterisk_port(sandbox_web_type) -+corenet_tcp_connect_commplex_link_port(sandbox_web_type) -+corenet_tcp_connect_couchdb_port(sandbox_web_type) -+corenet_tcp_connect_flash_port(sandbox_web_type) -+corenet_tcp_connect_ftp_port(sandbox_web_type) -+corenet_tcp_connect_gatekeeper_port(sandbox_web_type) -+corenet_tcp_connect_generic_port(sandbox_web_type) -+corenet_tcp_connect_http_cache_port(sandbox_web_type) -+corenet_tcp_connect_http_port(sandbox_web_type) -+corenet_tcp_connect_ipp_port(sandbox_web_type) -+corenet_tcp_connect_ipsecnat_port(sandbox_web_type) -+corenet_tcp_connect_ircd_port(sandbox_web_type) -+corenet_tcp_connect_jabber_client_port(sandbox_web_type) 
-+corenet_tcp_connect_jboss_management_port(sandbox_web_type) -+corenet_tcp_connect_mmcc_port(sandbox_web_type) -+corenet_tcp_connect_monopd_port(sandbox_web_type) -+corenet_tcp_connect_msnp_port(sandbox_web_type) -+corenet_tcp_connect_ms_streaming_port(sandbox_web_type) -+corenet_tcp_connect_pulseaudio_port(sandbox_web_type) -+corenet_tcp_connect_rtsp_port(sandbox_web_type) -+corenet_tcp_connect_soundd_port(sandbox_web_type) -+corenet_tcp_connect_speech_port(sandbox_web_type) -+corenet_tcp_connect_squid_port(sandbox_web_type) -+corenet_tcp_connect_tor_port(sandbox_web_type) -+corenet_tcp_connect_transproxy_port(sandbox_web_type) -+corenet_tcp_connect_vnc_port(sandbox_web_type) -+corenet_tcp_connect_whois_port(sandbox_web_type) -+corenet_sendrecv_http_client_packets(sandbox_web_type) -+corenet_sendrecv_http_cache_client_packets(sandbox_web_type) -+corenet_sendrecv_squid_client_packets(sandbox_web_type) -+corenet_sendrecv_ftp_client_packets(sandbox_web_type) -+corenet_sendrecv_ipp_client_packets(sandbox_web_type) -+corenet_sendrecv_generic_client_packets(sandbox_web_type) -+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type) -+ -+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) -+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) -+ -+files_dontaudit_getattr_all_dirs(sandbox_web_type) -+ -+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) -+fs_dontaudit_getattr_all_fs(sandbox_web_type) -+ -+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) -+ -+dbus_system_bus_client(sandbox_web_type) -+dbus_read_config(sandbox_web_type) -+selinux_validate_context(sandbox_web_type) -+selinux_compute_access_vector(sandbox_web_type) -+selinux_compute_create_context(sandbox_web_type) -+selinux_compute_relabel_context(sandbox_web_type) -+selinux_compute_user_contexts(sandbox_web_type) -+seutil_read_default_contexts(sandbox_web_type) -+ -+userdom_rw_user_tmpfs_files(sandbox_web_type) -+userdom_delete_user_tmpfs_files(sandbox_web_type) -+ 
-+optional_policy(` -+ alsa_read_rw_config(sandbox_web_type) -+') -+ -+optional_policy(` -+ bluetooth_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` -+ hal_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` -+ chrome_domtrans_sandbox(sandbox_web_type) -+') -+ -+optional_policy(` -+ nsplugin_manage_rw(sandbox_web_type) -+ nsplugin_read_rw_files(sandbox_web_type) -+ nsplugin_rw_exec(sandbox_web_type) -+') -+ -+optional_policy(` -+ pulseaudio_stream_connect(sandbox_web_type) -+ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms; -+') -+ -+optional_policy(` -+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` -+ # needed by pulseaudio -+ systemd_read_logind_sessions_files(sandbox_web_type) -+ systemd_login_read_pid_files(sandbox_web_type) -+') -+ -+optional_policy(` -+ networkmanager_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` -+ udev_read_state(sandbox_web_type) -+') -+ -+######################################## -+# -+# sandbox_net_client_t local policy -+# -+typeattribute sandbox_net_client_t sandbox_web_type; -+ -+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) -+corenet_udp_sendrecv_generic_if(sandbox_net_client_t) -+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t) -+corenet_udp_sendrecv_generic_node(sandbox_net_client_t) -+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) -+corenet_udp_sendrecv_all_ports(sandbox_net_client_t) -+corenet_tcp_connect_all_ports(sandbox_net_client_t) -+corenet_sendrecv_all_client_packets(sandbox_net_client_t) -+ -+selinux_get_fs_mount(sandbox_net_client_t) -+ -+auth_use_nsswitch(sandbox_net_client_t) -+ -+logging_send_syslog_msg(sandbox_net_client_t) -+ -+optional_policy(` -+ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain) -+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t) -+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) -+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) -+ 
mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) -+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain) -+') -+userdom_dontaudit_open_user_ptys(sandbox_x_domain) -diff --git a/sanlock.fc b/sanlock.fc -index 3df2a0f..9059165 100644 ---- a/sanlock.fc -+++ b/sanlock.fc -@@ -1,7 +1,10 @@ -+ - /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) - --/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) -+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) -+ -+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0) - --/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) -+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) - --/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) -+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0) -diff --git a/sanlock.if b/sanlock.if -index cd6c213..34b861a 100644 ---- a/sanlock.if -+++ b/sanlock.if -@@ -1,4 +1,5 @@ --## shared storage lock manager. -+ -+## policy for sanlock - - ######################################## - ## -@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',` - type sanlock_t, sanlock_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, sanlock_exec_t, sanlock_t) - ') - -+ - ######################################## - ## --## Execute sanlock init scripts in --## the initrc domain. -+## Execute sanlock server in the sanlock domain. - ## - ## - ## --## Domain allowed to transition. -+## The type of the process performing this action. - ## - ## - # -@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',` - - ###################################### - ## --## Create, read, write, and delete --## sanlock pid files. -+## Create, read, write, and delete sanlock PID files. 
- ## - ## - ## -@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',` - - ######################################## - ## --## Connect to sanlock with a unix --## domain stream socket. -+## Connect to sanlock over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sanlock_stream_connect',` -+ gen_require(` -+ type sanlock_t, sanlock_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) -+') -+ -+######################################## -+## -+## Execute virt server in the virt domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## - # --interface(`sanlock_stream_connect',` -+interface(`sanlock_systemctl',` - gen_require(` -- type sanlock_t, sanlock_var_run_t; -+ type sanlock_unit_file_t; -+ type sanlock_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) -+ systemd_exec_systemctl($1) -+ allow $1 sanlock_unit_file_t:file read_file_perms; -+ allow $1 sanlock_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, sanlock_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an sanlock environment. 
-+## All of the rules required to administrate -+## an sanlock environment - ## - ## - ## -@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',` - # - interface(`sanlock_admin',` - gen_require(` -- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t; -- type sanlock_log_t; -+ type sanlock_t; -+ type sanlock_initrc_exec_t; -+ type sanlock_unit_file_t; - ') - -- allow $1 sanlock_t:process { ptrace signal_perms }; -+ allow $1 sanlock_t:process signal_perms; - ps_process_pattern($1, sanlock_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sanlock_t:process ptrace; -+ ') - - sanlock_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sanlock_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, sanlock_var_run_t) -- -- logging_search_logs($1) -- admin_pattern($1, sanlock_log_t) -+ virt_systemctl($1) -+ admin_pattern($1, sanlock_unit_file_t) -+ allow $1 sanlock_unit_file_t:service all_service_perms; - ') -diff --git a/sanlock.te b/sanlock.te -index a34eac4..b144d40 100644 ---- a/sanlock.te -+++ b/sanlock.te -@@ -1,4 +1,4 @@ --policy_module(sanlock, 1.0.2) -+policy_module(sanlock,1.0.0) - - ######################################## - # -@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2) - # - - ## --##

    --## Determine whether sanlock can use --## nfs file systems. --##

    -+##

    -+## Allow sanlock to manage nfs files -+##

    - ##
    - gen_tunable(sanlock_use_nfs, false) - - ## --##

    --## Determine whether sanlock can use --## cifs file systems. --##

    -+##

    -+## Allow sanlock to manage cifs files -+##

    - ##
    - gen_tunable(sanlock_use_samba, false) - -+## -+##

    -+## Allow sanlock to read/write fuse files -+##

    -+##
    -+gen_tunable(sanlock_use_fusefs, false) -+ - type sanlock_t; - type sanlock_exec_t; - init_daemon_domain(sanlock_t, sanlock_exec_t) -@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t) - type sanlock_initrc_exec_t; - init_script_file(sanlock_initrc_exec_t) - -+type sanlock_unit_file_t; -+systemd_unit_file(sanlock_unit_file_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) - ') -@@ -44,17 +52,15 @@ ifdef(`enable_mls',` - - ######################################## - # --# Local policy -+# sanlock local policy - # -- - allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; - allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; -+ - allow sanlock_t self:fifo_file rw_fifo_file_perms; --allow sanlock_t self:unix_stream_socket { accept listen }; -+allow sanlock_t self:unix_stream_socket create_stream_socket_perms; - --append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) --create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) --setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) - logging_log_filetrans(sanlock_t, sanlock_log_t, file) - - manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) - kernel_read_system_state(sanlock_t) - kernel_read_kernel_sysctls(sanlock_t) - --dev_read_rand(sanlock_t) --dev_read_urand(sanlock_t) -- - domain_use_interactive_fds(sanlock_t) - -+files_read_mnt_symlinks(sanlock_t) -+ - storage_raw_rw_fixed_disk(sanlock_t) - -+dev_read_rand(sanlock_t) -+dev_read_urand(sanlock_t) -+ - auth_use_nsswitch(sanlock_t) - - init_read_utmp(sanlock_t) -@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t) - - logging_send_syslog_msg(sanlock_t) - --miscfiles_read_localization(sanlock_t) -+tunable_policy(`sanlock_use_fusefs',` -+ 
fs_manage_fusefs_dirs(sanlock_t) -+ fs_manage_fusefs_files(sanlock_t) -+ fs_read_fusefs_symlinks(sanlock_t) -+ fs_getattr_fusefs(sanlock_t) -+') - - tunable_policy(`sanlock_use_nfs',` -- fs_manage_nfs_dirs(sanlock_t) -- fs_manage_nfs_files(sanlock_t) -- fs_manage_nfs_named_sockets(sanlock_t) -- fs_read_nfs_symlinks(sanlock_t) -+ fs_manage_nfs_dirs(sanlock_t) -+ fs_manage_nfs_files(sanlock_t) -+ fs_manage_nfs_named_sockets(sanlock_t) -+ fs_read_nfs_symlinks(sanlock_t) - ') - - tunable_policy(`sanlock_use_samba',` -- fs_manage_cifs_dirs(sanlock_t) -- fs_manage_cifs_files(sanlock_t) -- fs_manage_cifs_named_sockets(sanlock_t) -- fs_read_cifs_symlinks(sanlock_t) -+ fs_manage_cifs_dirs(sanlock_t) -+ fs_manage_cifs_files(sanlock_t) -+ fs_manage_cifs_named_sockets(sanlock_t) -+ fs_read_cifs_symlinks(sanlock_t) -+') -+ -+optional_policy(` -+ rhcs_domtrans_fenced(sanlock_t) - ') - - optional_policy(` -@@ -100,7 +117,8 @@ optional_policy(` - ') - - optional_policy(` -- virt_kill_all_virt_domains(sanlock_t) -+ virt_kill_svirt(sanlock_t) -+ virt_kill(sanlock_t) - virt_manage_lib_files(sanlock_t) -- virt_signal_all_virt_domains(sanlock_t) -+ virt_signal_svirt(sanlock_t) - ') -diff --git a/sasl.fc b/sasl.fc -index 54f41c2..7e58679 100644 ---- a/sasl.fc -+++ b/sasl.fc -@@ -1,7 +1,12 @@ - /etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) - -+# -+# /usr -+# - /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) - --/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) -- -+# -+# /var -+# -+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) - /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) -diff --git a/sasl.if b/sasl.if -index b2f388a..3e6a93f 100644 ---- a/sasl.if -+++ b/sasl.if -@@ -1,4 +1,4 @@ --## SASL authentication server. 
-+## SASL authentication server - - ######################################## - ## -@@ -21,8 +21,8 @@ interface(`sasl_connect',` - - ######################################## - ## --## All of the rules required to --## administrate an sasl environment. -+## All of the rules required to administrate -+## an sasl environment - ## - ## - ## -@@ -38,11 +38,15 @@ interface(`sasl_connect',` - # - interface(`sasl_admin',` - gen_require(` -- type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t; -+ type saslauthd_t, saslauthd_var_run_t; -+ type saslauthd_initrc_exec_t; - ') - -- allow $1 saslauthd_t:process { ptrace signal_perms }; -+ allow $1 saslauthd_t:process signal_perms; - ps_process_pattern($1, saslauthd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 saslauthd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/sasl.te b/sasl.te -index a63b875..1c9e41b 100644 ---- a/sasl.te -+++ b/sasl.te -@@ -1,4 +1,4 @@ --policy_module(sasl, 1.14.3) -+policy_module(sasl, 1.14.0) - - ######################################## - # -@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3) - # - - ## --##

    --## Determine whether sasl can --## read shadow files. --##

    -+##

    -+## Allow sasl to read shadow -+##

    - ##
    --gen_tunable(allow_saslauthd_read_shadow, false) -+gen_tunable(saslauthd_read_shadow, false) - - type saslauthd_t; - type saslauthd_exec_t; -@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice }; - dontaudit saslauthd_t self:capability sys_tty_config; - allow saslauthd_t self:process { setsched signal_perms }; - allow saslauthd_t self:fifo_file rw_fifo_file_perms; --allow saslauthd_t self:unix_stream_socket { accept listen }; -+allow saslauthd_t self:unix_dgram_socket create_socket_perms; -+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; -+allow saslauthd_t self:tcp_socket create_socket_perms; - - manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) - manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) -@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t) - kernel_read_system_state(saslauthd_t) - kernel_rw_afs_state(saslauthd_t) - --corenet_all_recvfrom_unlabeled(saslauthd_t) -+#577519 -+corecmd_exec_bin(saslauthd_t) -+ - corenet_all_recvfrom_netlabel(saslauthd_t) - corenet_tcp_sendrecv_generic_if(saslauthd_t) - corenet_tcp_sendrecv_generic_node(saslauthd_t) -- --corenet_sendrecv_pop_client_packets(saslauthd_t) -+corenet_tcp_sendrecv_all_ports(saslauthd_t) -+corenet_tcp_connect_ldap_port(saslauthd_t) - corenet_tcp_connect_pop_port(saslauthd_t) --corenet_tcp_sendrecv_pop_port(saslauthd_t) -- --corenet_sendrecv_zarafa_client_packets(saslauthd_t) - corenet_tcp_connect_zarafa_port(saslauthd_t) --corenet_tcp_sendrecv_zarafa_port(saslauthd_t) -- --corecmd_exec_bin(saslauthd_t) -+corenet_sendrecv_pop_client_packets(saslauthd_t) - - dev_read_urand(saslauthd_t) - --domain_use_interactive_fds(saslauthd_t) -- --files_dontaudit_read_etc_runtime_files(saslauthd_t) --files_dontaudit_getattr_home_dir(saslauthd_t) --files_dontaudit_getattr_tmp_dirs(saslauthd_t) -- - fs_getattr_all_fs(saslauthd_t) - fs_search_auto_mountpoints(saslauthd_t) - -@@ -73,33 +65,37 @@ 
selinux_compute_access_vector(saslauthd_t) - - auth_use_pam(saslauthd_t) - -+domain_use_interactive_fds(saslauthd_t) -+ -+files_dontaudit_read_etc_runtime_files(saslauthd_t) -+files_search_var_lib(saslauthd_t) -+files_dontaudit_getattr_home_dir(saslauthd_t) -+files_dontaudit_getattr_tmp_dirs(saslauthd_t) -+ - init_dontaudit_stream_connect_script(saslauthd_t) - - logging_send_syslog_msg(saslauthd_t) - --miscfiles_read_localization(saslauthd_t) - miscfiles_read_generic_certs(saslauthd_t) - --seutil_dontaudit_read_config(saslauthd_t) -- - userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) - userdom_dontaudit_search_user_home_dirs(saslauthd_t) - -+# cjp: typeattribute doesnt work in conditionals - auth_can_read_shadow_passwords(saslauthd_t) --tunable_policy(`allow_saslauthd_read_shadow',` -+tunable_policy(`saslauthd_read_shadow',` - allow saslauthd_t self:capability dac_override; - auth_tunable_read_shadow(saslauthd_t) - ') - - optional_policy(` -+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") - kerberos_keytab_template(saslauthd, saslauthd_t) -- kerberos_manage_host_rcache(saslauthd_t) -- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") - ') - - optional_policy(` -+ mysql_search_db(saslauthd_t) - mysql_stream_connect(saslauthd_t) -- mysql_tcp_connect(saslauthd_t) - ') - - optional_policy(` -diff --git a/sblim.fc b/sblim.fc -index 68a550d..e976fc6 100644 ---- a/sblim.fc -+++ b/sblim.fc -@@ -1,6 +1,10 @@ - /etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) - - /usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) - /usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) -+/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0) -+ -+/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0) - - /var/run/gather(/.*)? 
gen_context(system_u:object_r:sblim_var_run_t,s0) -diff --git a/sblim.if b/sblim.if -index 98c9e0a..df51942 100644 ---- a/sblim.if -+++ b/sblim.if -@@ -1,8 +1,36 @@ --## Standards Based Linux Instrumentation for Manageability. -+## Standards Based Linux Instrumentation for Manageability. -+ -+###################################### -+## -+## Creates types and rules for a basic -+## sblim daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`sblim_domain_template',` -+ gen_require(` -+ attribute sblim_domain; -+ ') -+ -+ type sblim_$1_t, sblim_domain; -+ type sblim_$1_exec_t; -+ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t) -+ -+ kernel_read_system_state(sblim_$1_t) -+ -+ corenet_all_recvfrom_unlabeled(sblim_$1_t) -+ corenet_all_recvfrom_netlabel(sblim_$1_t) -+ -+ logging_send_syslog_msg(sblim_$1_t) -+') - - ######################################## - ## --## Execute gatherd in the gatherd domain. -+## Transition to gatherd. - ## - ## - ## -@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',` - - ######################################## - ## --## Read gatherd pid files. -+## Read gatherd PID files. - ## - ## - ## -@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` - - ######################################## - ## --## All of the rules required to --## administrate an sblim environment. -+## All of the rules required to administrate -+## an gatherd environment - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Role allowed access. 
--## --## - ## - # - interface(`sblim_admin',` - gen_require(` -- attribute sblim_domain; -- type sblim_initrc_exec_t, sblim_var_run_t; -+ type sblim_gatherd_t; -+ type sblim_reposd_t; -+ type sblim_var_run_t; - ') - -- allow $1 sblim_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, sblim_domain) -+ allow $1 sblim_gatherd_t:process signal_perms; -+ ps_process_pattern($1, sblim_gatherd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sblim_gatherd_t:process ptrace; -+ allow $1 sblim_reposd_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, sblim_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 sblim_initrc_exec_t system_r; -- allow $2 system_r; -+ allow $1 sblim_reposd_t:process signal_perms; -+ ps_process_pattern($1, sblim_reposd_t) - - files_search_pids($1) - admin_pattern($1, sblim_var_run_t) -diff --git a/sblim.te b/sblim.te -index 4a23d84..62df1db 100644 ---- a/sblim.te -+++ b/sblim.te -@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) - - attribute sblim_domain; - --type sblim_gatherd_t, sblim_domain; --type sblim_gatherd_exec_t; --init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) -+sblim_domain_template(gatherd) - --type sblim_reposd_t, sblim_domain; --type sblim_reposd_exec_t; --init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) -+sblim_domain_template(reposd) -+ -+sblim_domain_template(sfcbd) - - type sblim_initrc_exec_t; - init_script_file(sblim_initrc_exec_t) -@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t) - type sblim_var_run_t; - files_pid_file(sblim_var_run_t) - -+type sblim_var_lib_t; -+files_type(sblim_var_lib_t) -+ -+type sblim_tmp_t; -+files_tmp_file(sblim_tmp_t) -+ -+type sblim_sfcb_tmpfs_t; -+files_tmpfs_file(sblim_sfcb_tmpfs_t) -+ - ###################################### - # - # Common sblim domain local policy -@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) - manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) 
- manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) - -+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) -+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) -+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) -+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) -+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) -+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) -+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file}) -+ - kernel_read_network_state(sblim_domain) --kernel_read_system_state(sblim_domain) - --corenet_all_recvfrom_unlabeled(sblim_domain) --corenet_all_recvfrom_netlabel(sblim_domain) - corenet_tcp_sendrecv_generic_if(sblim_domain) - corenet_tcp_sendrecv_generic_node(sblim_domain) - -@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) - - dev_read_sysfs(sblim_domain) - --logging_send_syslog_msg(sblim_domain) -- --files_read_etc_files(sblim_domain) -- --miscfiles_read_localization(sblim_domain) -+auth_read_passwd(sblim_domain) - - ######################################## - # - # Gatherd local policy - # - --allow sblim_gatherd_t self:capability dac_override; --allow sblim_gatherd_t self:process signal; -+allow sblim_gatherd_t self:capability { dac_override sys_nice }; -+allow sblim_gatherd_t self:process { setsched signal }; - allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; - allow sblim_gatherd_t self:unix_stream_socket { accept listen }; - -@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) - - init_read_utmp(sblim_gatherd_t) - -+logging_send_syslog_msg(sblim_gatherd_t) -+ - sysnet_dns_name_resolve(sblim_gatherd_t) - - term_getattr_pty_fs(sblim_gatherd_t) -@@ -103,8 +115,9 @@ optional_policy(` - ') - - optional_policy(` -- virt_getattr_virtd_exec_files(sblim_gatherd_t) -+ 
virt_read_config(sblim_gatherd_t) - virt_stream_connect(sblim_gatherd_t) -+ virt_getattr_exec(sblim_gatherd_t) - ') - - optional_policy(` -@@ -117,6 +130,29 @@ optional_policy(` - # Reposd local policy - # - -+corenet_tcp_bind_generic_node(sblim_reposd_t) -+ - corenet_sendrecv_repository_server_packets(sblim_reposd_t) - corenet_tcp_bind_repository_port(sblim_reposd_t) --corenet_tcp_bind_generic_node(sblim_domain) -+ -+logging_send_syslog_msg(sblim_reposd_t) -+ -+####################################### -+# -+# Sfcbd local policy -+# -+ -+allow sblim_sfcbd_t self:capability { sys_ptrace setgid }; -+allow sblim_sfcbd_t self:process signal; -+allow sblim_sfcbd_t self:unix_stream_socket connectto; -+ -+manage_dirs_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t) -+manage_files_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t) -+fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file }) -+ -+auth_use_nsswitch(sblim_sfcbd_t) -+ -+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) -+ -+domain_read_all_domains_state(sblim_sfcbd_t) -+domain_use_interactive_fds(sblim_sfcbd_t) -diff --git a/screen.fc b/screen.fc -index ac04d27..b73334e 100644 ---- a/screen.fc -+++ b/screen.fc -@@ -1,8 +1,19 @@ --HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) --HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) -+# -+# /home -+# -+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) -+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) - --/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) --/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) -+/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) - --/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) --/var/run/tmux(/.*)? 
gen_context(system_u:object_r:screen_var_run_t,s0) -+# -+# /usr -+# -+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) -+ -+# -+# /var -+# -+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) -+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) -diff --git a/screen.if b/screen.if -index c21ddcc..4dd623e 100644 ---- a/screen.if -+++ b/screen.if -@@ -1,4 +1,4 @@ --## GNU terminal multiplexer. -+## GNU terminal multiplexer - - ####################################### - ## -@@ -23,10 +23,9 @@ - # - template(`screen_role_template',` - gen_require(` -- attribute screen_domain; -- attribute_role screen_roles; - type screen_exec_t, screen_tmp_t; - type screen_home_t, screen_var_run_t; -+ attribute screen_domain; - ') - - ######################################## -@@ -35,49 +34,48 @@ template(`screen_role_template',` - # - - type $1_screen_t, screen_domain; -- userdom_user_application_domain($1_screen_t, screen_exec_t) -+ application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) -- role screen_roles types $1_screen_t; -+ ubac_constrained($1_screen_t) -+ role $2 types $1_screen_t; - -- roleattribute $2 screen_roles; -+ tunable_policy(`deny_ptrace',`',` -+ allow $3 $1_screen_t:process ptrace; -+ ') - -- ######################################## -- # -- # Local policy -- # -+ userdom_home_reader($1_screen_t) - - domtrans_pattern($3, screen_exec_t, $1_screen_t) -- -- ps_process_pattern($3, $1_screen_t) -- allow $3 $1_screen_t:process { ptrace signal_perms }; -- -+ allow $3 $1_screen_t:process { signal sigchld }; - dontaudit $3 $1_screen_t:unix_stream_socket { read write }; -+ allow $1_screen_t $3:unix_stream_socket { connectto }; - allow $1_screen_t $3:process signal; -+ ps_process_pattern($1_screen_t, $3) - -- allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 screen_tmp_t:file { manage_file_perms 
relabel_file_perms }; -- allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- -- allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms }; -- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- -- userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") -- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") -+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t) -+ manage_dirs_pattern($3, screen_home_t, screen_home_t) -+ manage_files_pattern($3, screen_home_t, screen_home_t) -+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t) -+ relabel_dirs_pattern($3, screen_home_t, screen_home_t) -+ relabel_files_pattern($3, screen_home_t, screen_home_t) -+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) - - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) -- manage_files_pattern($3, screen_var_run_t, screen_var_run_t) -- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - -- corecmd_bin_domtrans($1_screen_t, $3) -+ kernel_read_system_state($1_screen_t) -+ -+ # Revert to the user domain when a shell is executed. - corecmd_shell_domtrans($1_screen_t, $3) -+ corecmd_bin_domtrans($1_screen_t, $3) - - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - -+ logging_send_syslog_msg($1_screen_t) -+ - userdom_user_home_domtrans($1_screen_t, $3) -+ userdom_manage_tmp_role($2, $1_screen_t) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) -@@ -87,3 +85,41 @@ template(`screen_role_template',` - fs_nfs_domtrans($1_screen_t, $3) - ') - ') -+ -+####################################### -+## -+## Execute the rssh program -+## in the caller domain. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`screen_exec',` -+ gen_require(` -+ type screen_exec_t; -+ ') -+ -+ can_exec($1, screen_exec_t) -+') -+ -+######################################## -+## -+## Send a SIGCHLD signal to the screen domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`screen_sigchld',` -+ gen_require(` -+ attribute screen_domain; -+ ') -+ -+ allow $1 screen_domain:process sigchld; -+') -+ -diff --git a/screen.te b/screen.te -index f095081..ee69aa7 100644 ---- a/screen.te -+++ b/screen.te -@@ -1,13 +1,11 @@ --policy_module(screen, 2.5.3) -+policy_module(screen, 2.5.0) - - ######################################## - # - # Declarations - # - --attribute screen_domain; -- --attribute_role screen_roles; -+attribute screen_domain; - - type screen_exec_t; - application_executable_file(screen_exec_t) -@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc - typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; - userdom_user_home_content(screen_home_t) - --type screen_tmp_t; --typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; --typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; --userdom_user_tmp_file(screen_tmp_t) -- - type screen_var_run_t; - typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; - typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t) - - ######################################## - # --# Common screen domain local policy -+# Local policy - # - --allow screen_domain self:capability { setuid setgid fsetid }; -+allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; -+dontaudit screen_domain self:capability dac_override; - allow screen_domain self:process signal_perms; --allow 
screen_domain self:fd use; - allow screen_domain self:fifo_file rw_fifo_file_perms; --allow screen_domain self:tcp_socket { accept listen }; --allow screen_domain self:unix_stream_socket connectto; -- --manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) --manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) --manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) --files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) -+allow screen_domain self:tcp_socket create_stream_socket_perms; -+allow screen_domain self:udp_socket create_socket_perms; -+# Internal screen networking -+allow screen_domain self:fd use; -+allow screen_domain self:unix_stream_socket { create_socket_perms connectto }; -+allow screen_domain self:unix_dgram_socket create_socket_perms; - -+# Create fifo - manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) - manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) - manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) - files_pid_filetrans(screen_domain, screen_var_run_t, dir) - -+allow screen_domain screen_home_t:dir list_dir_perms; - manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) --read_files_pattern(screen_domain, screen_home_t, screen_home_t) - manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) -+manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t) -+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) -+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) -+read_files_pattern(screen_domain, screen_home_t, screen_home_t) - read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) --userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen") - --kernel_read_system_state(screen_domain) - kernel_read_kernel_sysctls(screen_domain) - - corecmd_list_bin(screen_domain) -@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) - 
corecmd_read_bin_pipes(screen_domain) - corecmd_read_bin_sockets(screen_domain) - --corenet_all_recvfrom_unlabeled(screen_domain) --corenet_all_recvfrom_netlabel(screen_domain) - corenet_tcp_sendrecv_generic_if(screen_domain) -+corenet_udp_sendrecv_generic_if(screen_domain) - corenet_tcp_sendrecv_generic_node(screen_domain) -+corenet_udp_sendrecv_generic_node(screen_domain) - corenet_tcp_sendrecv_all_ports(screen_domain) -- --corenet_sendrecv_all_client_packets(screen_domain) -+corenet_udp_sendrecv_all_ports(screen_domain) - corenet_tcp_connect_all_ports(screen_domain) - - dev_dontaudit_getattr_all_chr_files(screen_domain) - dev_dontaudit_getattr_all_blk_files(screen_domain) -+# for SSP - dev_read_urand(screen_domain) - --domain_use_interactive_fds(screen_domain) - domain_sigchld_interactive_fds(screen_domain) -+domain_use_interactive_fds(screen_domain) - domain_read_all_domains_state(screen_domain) - -+files_search_tmp(screen_domain) -+files_search_home(screen_domain) - files_list_home(screen_domain) --files_read_usr_files(screen_domain) - - fs_search_auto_mountpoints(screen_domain) --fs_getattr_all_fs(screen_domain) -+fs_getattr_xattr_fs(screen_domain) - - auth_dontaudit_read_shadow(screen_domain) - auth_dontaudit_exec_utempter(screen_domain) - -+# Write to utmp. 
- init_rw_utmp(screen_domain) - --logging_send_syslog_msg(screen_domain) -- --miscfiles_read_localization(screen_domain) -- - seutil_read_config(screen_domain) - - userdom_use_user_terminals(screen_domain) - userdom_create_user_pty(screen_domain) - userdom_setattr_user_ptys(screen_domain) - userdom_setattr_user_ttys(screen_domain) -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(screen_domain) -- fs_read_cifs_files(screen_domain) -- fs_manage_cifs_named_pipes(screen_domain) -- fs_read_cifs_symlinks(screen_domain) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(screen_domain) -- fs_read_nfs_files(screen_domain) -- fs_manage_nfs_named_pipes(screen_domain) -- fs_read_nfs_symlinks(screen_domain) --') -diff --git a/sectoolm.fc b/sectoolm.fc -index 64a2394..3f1dac5 100644 ---- a/sectoolm.fc -+++ b/sectoolm.fc -@@ -1,5 +1,4 @@ - /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) - --/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) -- --/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) -+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) -+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) -diff --git a/sectoolm.if b/sectoolm.if -index c78a569..9007451 100644 ---- a/sectoolm.if -+++ b/sectoolm.if -@@ -1,24 +1,2 @@ --## Sectool security audit tool. -+## Sectool security audit tool - --######################################## --## --## Role access for sectoolm. --## --## --## --## Role allowed access. --## --## --## --## --## User domain for the role. 
--## --## --# --interface(`sectoolm_role',` -- gen_require(` -- type sectoolm_t; -- ') -- -- allow sectoolm_t $2:unix_dgram_socket sendto; --') -diff --git a/sectoolm.te b/sectoolm.te -index 8193bf1..b6a0bbd 100644 ---- a/sectoolm.te -+++ b/sectoolm.te -@@ -1,4 +1,4 @@ --policy_module(sectoolm, 1.0.1) -+policy_module(sectoolm, 1.0.0) - - ######################################## - # -@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1) - - type sectoolm_t; - type sectoolm_exec_t; --init_system_domain(sectoolm_t, sectoolm_exec_t) -+init_daemon_domain(sectoolm_t, sectoolm_exec_t) - - type sectool_var_lib_t; - files_type(sectool_var_lib_t) -@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t) - - ######################################## - # --# Local policy -+# sectool local policy - # - --allow sectoolm_t self:capability { dac_override net_admin sys_nice }; -+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; - allow sectoolm_t self:process { getcap getsched signull setsched }; - dontaudit sectoolm_t self:process { execstack execmem }; - allow sectoolm_t self:fifo_file rw_fifo_file_perms; --allow sectoolm_t self:unix_dgram_socket sendto; -+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; - - manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) - manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) - manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) - files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) - --allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t) - logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) - - kernel_read_net_sysctls(sectoolm_t) -@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t) - - selinux_validate_context(sectoolm_t) - -+# tcp_wrappers 
test - application_exec_all(sectoolm_t) - - auth_use_nsswitch(sectoolm_t) -@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t) - - logging_send_syslog_msg(sectoolm_t) - -+# tests related to network - sysnet_domtrans_ifconfig(sectoolm_t) - --userdom_write_user_tmp_sockets(sectoolm_t) -+userdom_manage_user_tmp_sockets(sectoolm_t) -+userdom_dgram_send(sectoolm_t) - - optional_policy(` -- mount_exec(sectoolm_t) -+ dbus_system_domain(sectoolm_t, sectoolm_exec_t) - ') - - optional_policy(` -- dbus_system_domain(sectoolm_t, sectoolm_exec_t) -+ # tests related to network -+ hostname_exec(sectoolm_t) -+') - -- optional_policy(` -- policykit_dbus_chat(sectoolm_t) -- ') -+optional_policy(` -+ # tests related to network -+ iptables_domtrans(sectoolm_t) - ') - - optional_policy(` -- hostname_exec(sectoolm_t) -+ mount_exec(sectoolm_t) - ') - - optional_policy(` -- iptables_domtrans(sectoolm_t) -+ policykit_dbus_chat(sectoolm_t) - ') - -+# suid test using -+# rpm -Vf option - optional_policy(` - prelink_domtrans(sectoolm_t) - ') -diff --git a/sendmail.fc b/sendmail.fc -index d14b6bf..da5d41d 100644 ---- a/sendmail.fc -+++ b/sendmail.fc -@@ -1,7 +1,8 @@ --/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) - --/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) --/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) -+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) - --/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) --/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) -+/var/log/mail(/.*)? 
gen_context(system_u:object_r:sendmail_log_t,s0) -+ -+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -diff --git a/sendmail.if b/sendmail.if -index 88e753f..133d993 100644 ---- a/sendmail.if -+++ b/sendmail.if -@@ -1,4 +1,4 @@ --## Internetwork email routing facility. -+## Policy for sendmail. - - ######################################## - ## -@@ -10,7 +10,7 @@ - ## - ## - # --interface(`sendmail_stub',` -+interface(`rsync_stub',` - gen_require(` - type sendmail_t; - ') -@@ -18,7 +18,8 @@ interface(`sendmail_stub',` - - ######################################## - ## --## Read and write sendmail unnamed pipes. -+## Allow attempts to read and write to -+## sendmail unnamed pipes. - ## - ## - ## -@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',` - - ######################################## - ## --## Execute a domain transition to run sendmail. -+## Domain transition to sendmail. - ## - ## - ## -@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',` - type sendmail_t; - ') - -- corecmd_search_bin($1) - mta_sendmail_domtrans($1, sendmail_t) -+') - -- allow sendmail_t $1:fd use; -- allow sendmail_t $1:fifo_file rw_fifo_file_perms; -- allow sendmail_t $1:process sigchld; -+####################################### -+## -+## Execute sendmail in the sendmail domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sendmail_initrc_domtrans',` -+ gen_require(` -+ type sendmail_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t) - ') - - ######################################## - ## --## Execute the sendmail program in the --## sendmail domain, and allow the --## specified role the sendmail domain. -+## Execute the sendmail program in the sendmail domain. - ## - ## - ## -@@ -70,18 +82,18 @@ interface(`sendmail_domtrans',` - ## - ## - ## --## Role allowed access. -+## The role to allow the sendmail domain. 
- ## - ## - ## - # - interface(`sendmail_run',` - gen_require(` -- attribute_role sendmail_roles; -+ type sendmail_t; - ') - - sendmail_domtrans($1) -- roleattribute $2 sendmail_roles; -+ role $2 types sendmail_t; - ') - - ######################################## -@@ -141,8 +153,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',` - - ######################################## - ## --## Read and write sendmail unix --## domain stream sockets. -+## Read and write sendmail unix_stream_sockets. - ## - ## - ## -@@ -179,7 +190,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` - - ######################################## - ## --## Read sendmail log files. -+## Read sendmail logs. - ## - ## - ## -@@ -199,8 +210,7 @@ interface(`sendmail_read_log',` - - ######################################## - ## --## Create, read, write, and delete --## sendmail log files. -+## Create, read, write, and delete sendmail logs. - ## - ## - ## -@@ -220,8 +230,7 @@ interface(`sendmail_manage_log',` - - ######################################## - ## --## Create specified objects in generic --## log directories sendmail log file type. -+## Create sendmail logs with the correct type. - ## - ## - ## -@@ -230,43 +239,16 @@ interface(`sendmail_manage_log',` - ## - # - interface(`sendmail_create_log',` -- refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.') -- sendmail_log_filetrans_sendmail_log($1, $2, $3) --') -- --######################################## --## --## Create specified objects in generic --## log directories sendmail log file type. --## --## --## --## Domain allowed access. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. 
--## --## --# --interface(`sendmail_log_filetrans_sendmail_log',` - gen_require(` - type sendmail_log_t; - ') - -- logging_log_filetrans($1, sendmail_log_t, $2, $3) -+ logging_log_filetrans($1, sendmail_log_t, file) - ') - - ######################################## - ## --## Create, read, write, and delete --## sendmail tmp files. -+## Manage sendmail tmp files. - ## - ## - ## -@@ -285,58 +267,27 @@ interface(`sendmail_manage_tmp_files',` - - ######################################## - ## --## Execute sendmail in the unconfined sendmail domain. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`sendmail_domtrans_unconfined',` -- gen_require(` -- type unconfined_sendmail_t; -- ') -- -- mta_sendmail_domtrans($1, unconfined_sendmail_t) -- -- allow unconfined_sendmail_t $1:fd use; -- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms; -- allow unconfined_sendmail_t $1:process sigchld; --') -- --######################################## --## --## Execute sendmail in the unconfined --## sendmail domain, and allow the --## specified role the unconfined --## sendmail domain. -+## Set the attributes of sendmail pid files. - ## - ## - ## --## Domain allowed to transition. --## --## --## --## --## Role allowed access. -+## Domain allowed access. - ## - ## --## - # --interface(`sendmail_run_unconfined',` -+interface(`sendmail_setattr_pid_files',` - gen_require(` -- attribute_role sendmail_unconfined_roles; -+ type sendmail_var_run_t; - ') - -- sendmail_domtrans_unconfined($1) -- roleattribute $2 sendmail_unconfined_roles; -+ allow $1 sendmail_var_run_t:file setattr_file_perms; -+ files_search_pids($1) - ') - - ######################################## - ## --## All of the rules required to --## administrate an sendmail environment. 
-+## All of the rules required to administrate -+## an sendmail environment - ## - ## - ## -@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',` - interface(`sendmail_admin',` - gen_require(` - type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; -- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; -+ type sendmail_tmp_t, sendmail_var_run_t; -+ type mail_spool_t; - ') - -- allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) -+ allow $1 sendmail_t:process signal_perms; -+ ps_process_pattern($1, sendmail_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sendmail_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, sendmail_initrc_exec_t) -+ sendmail_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sendmail_initrc_exec_t system_r; - -@@ -372,6 +327,6 @@ interface(`sendmail_admin',` - files_list_pids($1) - admin_pattern($1, sendmail_var_run_t) - -- sendmail_run($1, $2) -- sendmail_run_unconfined($1, $2) -+ files_list_spool($1) -+ admin_pattern($1, mail_spool_t) - ') -diff --git a/sendmail.te b/sendmail.te -index 5f35d78..d4003d0 100644 ---- a/sendmail.te -+++ b/sendmail.te -@@ -1,18 +1,10 @@ --policy_module(sendmail, 1.11.5) -+policy_module(sendmail, 1.11.0) - - ######################################## - # - # Declarations - # - --attribute_role sendmail_roles; -- --attribute_role sendmail_unconfined_roles; --roleattribute system_r sendmail_unconfined_roles; -- --type sendmail_initrc_exec_t; --init_script_file(sendmail_initrc_exec_t) -- - type sendmail_log_t; - logging_log_file(sendmail_log_t) - -@@ -26,27 +18,26 @@ type sendmail_t; - mta_sendmail_mailserver(sendmail_t) - mta_mailserver_delivery(sendmail_t) - mta_mailserver_sender(sendmail_t) --role sendmail_roles types sendmail_t; - --type unconfined_sendmail_t; --application_domain(unconfined_sendmail_t, sendmail_exec_t) --role sendmail_unconfined_roles types 
unconfined_sendmail_t; -+type sendmail_initrc_exec_t; -+init_script_file(sendmail_initrc_exec_t) - - ######################################## - # --# Local policy -+# Sendmail local policy - # - --allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; -+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -+dontaudit sendmail_t self:capability net_admin; - allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; - allow sendmail_t self:fifo_file rw_fifo_file_perms; --allow sendmail_t self:unix_stream_socket { accept listen }; --allow sendmail_t self:tcp_socket { accept listen }; -+allow sendmail_t self:unix_stream_socket create_stream_socket_perms; -+allow sendmail_t self:unix_dgram_socket create_socket_perms; -+allow sendmail_t self:tcp_socket create_stream_socket_perms; -+allow sendmail_t self:udp_socket create_socket_perms; - --allow sendmail_t sendmail_log_t:dir setattr_dir_perms; --append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) --create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) --setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -+allow sendmail_t sendmail_log_t:dir setattr; -+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) - logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) - - manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -58,33 +49,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) - - kernel_read_network_state(sendmail_t) - kernel_read_kernel_sysctls(sendmail_t) -+# for piping mail to a command - kernel_read_system_state(sendmail_t) - --corenet_all_recvfrom_unlabeled(sendmail_t) - corenet_all_recvfrom_netlabel(sendmail_t) - corenet_tcp_sendrecv_generic_if(sendmail_t) - corenet_tcp_sendrecv_generic_node(sendmail_t) - corenet_tcp_sendrecv_all_ports(sendmail_t) - corenet_tcp_bind_generic_node(sendmail_t) -- 
--corenet_sendrecv_smtp_server_packets(sendmail_t) - corenet_tcp_bind_smtp_port(sendmail_t) -- --corenet_sendrecv_all_client_packets(sendmail_t) - corenet_tcp_connect_all_ports(sendmail_t) -+corenet_sendrecv_smtp_server_packets(sendmail_t) -+corenet_sendrecv_smtp_client_packets(sendmail_t) - --corecmd_exec_bin(sendmail_t) --corecmd_exec_shell(sendmail_t) -- --dev_read_sysfs(sendmail_t) - dev_read_urand(sendmail_t) -- --domain_use_interactive_fds(sendmail_t) -- --files_read_all_tmp_files(sendmail_t) --files_read_etc_runtime_files(sendmail_t) --files_read_usr_files(sendmail_t) --files_search_spool(sendmail_t) -+dev_read_sysfs(sendmail_t) - - fs_getattr_all_fs(sendmail_t) - fs_search_auto_mountpoints(sendmail_t) -@@ -93,35 +72,49 @@ fs_rw_anon_inodefs_files(sendmail_t) - term_dontaudit_use_console(sendmail_t) - term_dontaudit_use_generic_ptys(sendmail_t) - -+# for piping mail to a command -+corecmd_exec_shell(sendmail_t) -+corecmd_exec_bin(sendmail_t) -+ -+domain_use_interactive_fds(sendmail_t) -+ -+files_search_spool(sendmail_t) -+# for piping mail to a command -+files_read_etc_runtime_files(sendmail_t) -+files_read_all_tmp_files(sendmail_t) -+ - init_use_fds(sendmail_t) - init_use_script_ptys(sendmail_t) -+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console - init_read_utmp(sendmail_t) - init_dontaudit_write_utmp(sendmail_t) - init_rw_script_tmp_files(sendmail_t) - - auth_use_nsswitch(sendmail_t) - -+# Read /usr/lib/sasl2/.* - libs_read_lib_files(sendmail_t) - - logging_send_syslog_msg(sendmail_t) - logging_dontaudit_write_generic_logs(sendmail_t) - - miscfiles_read_generic_certs(sendmail_t) --miscfiles_read_localization(sendmail_t) - - userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -+userdom_read_user_home_content_files(sendmail_t) -+userdom_dontaudit_list_user_home_dirs(sendmail_t) - --mta_etc_filetrans_aliases(sendmail_t, file, "aliases") --mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db") 
--mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp") -+mta_read_config(sendmail_t) -+mta_etc_filetrans_aliases(sendmail_t) -+# Write to /etc/aliases and /etc/mail. - mta_manage_aliases(sendmail_t) -+# Write to /var/spool/mail and /var/spool/mqueue. - mta_manage_queue(sendmail_t) - mta_manage_spool(sendmail_t) --mta_read_config(sendmail_t) - mta_sendmail_exec(sendmail_t) - - optional_policy(` -- cfengine_dontaudit_write_log_files(sendmail_t) -+ cfengine_dontaudit_write_log(sendmail_t) - ') - - optional_policy(` -@@ -129,8 +122,8 @@ optional_policy(` - ') - - optional_policy(` -- clamav_search_lib(sendmail_t) -- clamav_stream_connect(sendmail_t) -+ antivirus_search_db(sendmail_t) -+ antivirus_stream_connect(sendmail_t) - ') - - optional_policy(` -@@ -158,6 +151,10 @@ optional_policy(` - ') - - optional_policy(` -+ inn_write_inherited_news_lib(sendmail_t) -+') -+ -+optional_policy(` - milter_stream_connect_all(sendmail_t) - ') - -@@ -166,6 +163,11 @@ optional_policy(` - ') - - optional_policy(` -+ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t) -+ openshift_rw_inherited_content(sendmail_t) -+') -+ -+optional_policy(` - postfix_domtrans_postdrop(sendmail_t) - postfix_domtrans_master(sendmail_t) - postfix_domtrans_postqueue(sendmail_t) -@@ -187,21 +189,13 @@ optional_policy(` - ') - - optional_policy(` -- udev_read_db(sendmail_t) -+ spamd_stream_connect(sendmail_t) - ') - - optional_policy(` -- uucp_domtrans_uux(sendmail_t) -+ udev_read_db(sendmail_t) - ') - --######################################## --# --# Unconfined local policy --# -- - optional_policy(` -- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases") -- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db") -- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp") -- unconfined_domain(unconfined_sendmail_t) -+ uucp_domtrans_uux(sendmail_t) - ') -diff --git a/sensord.fc b/sensord.fc -index 8185d5a..719ac47 100644 ---- a/sensord.fc -+++ 
b/sensord.fc -@@ -1,3 +1,5 @@ -+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) -+ - /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) - - /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) -diff --git a/sensord.if b/sensord.if -index d204752..5eba5fd 100644 ---- a/sensord.if -+++ b/sensord.if -@@ -1,35 +1,75 @@ --## Sensor information logging daemon. -+ -+## Sensor information logging daemon - - ######################################## - ## --## All of the rules required to --## administrate an sensord environment. -+## Execute sensord in the sensord domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`sensord_domtrans',` -+ gen_require(` -+ type sensord_t, sensord_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, sensord_exec_t, sensord_t) -+') -+######################################## -+## -+## Execute sensord server in the sensord domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. - ## - ## --## -+# -+interface(`sensord_systemctl',` -+ gen_require(` -+ type sensord_t; -+ type sensord_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 sensord_unit_file_t:file read_file_perms; -+ allow $1 sensord_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, sensord_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an sensord environment -+## -+## - ## --## Role allowed access. -+## Domain allowed access. 
- ## - ## - ## - # - interface(`sensord_admin',` - gen_require(` -- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; -+ type sensord_t; -+ type sensord_unit_file_t; - ') - - allow $1 sensord_t:process { ptrace signal_perms }; - ps_process_pattern($1, sensord_t) - -- init_labeled_script_domtrans($1, sensord_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 sensord_initrc_exec_t system_r; -- allow $2 system_r; -+ sensord_systemctl($1) -+ admin_pattern($1, sensord_unit_file_t) -+ allow $1 sensord_unit_file_t:service all_service_perms; - -- files_search_pids($1) -- admin_pattern($1, sensord_var_run_t) -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/sensord.te b/sensord.te -index 5e82fd6..fa352d8 100644 ---- a/sensord.te -+++ b/sensord.te -@@ -9,6 +9,9 @@ type sensord_t; - type sensord_exec_t; - init_daemon_domain(sensord_t, sensord_exec_t) - -+type sensord_unit_file_t; -+systemd_unit_file(sensord_unit_file_t) -+ - type sensord_initrc_exec_t; - init_script_file(sensord_initrc_exec_t) - -@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) - - dev_read_sysfs(sensord_t) - --files_read_etc_files(sensord_t) -- - logging_send_syslog_msg(sensord_t) - --miscfiles_read_localization(sensord_t) -diff --git a/setroubleshoot.fc b/setroubleshoot.fc -index 0b3a971..397a522 100644 ---- a/setroubleshoot.fc -+++ b/setroubleshoot.fc -@@ -1,9 +1,9 @@ - /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) - --/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) - --/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) -+/var/run/setroubleshoot(/.*)? 
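Review bot: `sensord_admin` keeps an unconditional `allow $1 sensord_t:process { ptrace signal_perms };`, while the other admin interfaces rewritten in this same patch (setroubleshoot_admin, shorewall_admin, smartmon_admin, smokeping_admin) grant `signal_perms` and put ptrace behind a `deny_ptrace` tunable_policy block; the same split should be applied here for consistency. The rewrite also drops `files_search_pids($1)` and `admin_pattern($1, sensord_var_run_t)` although sensord.te still creates pid files of that type via `files_pid_filetrans(sensord_t, sensord_var_run_t, file)`, so an admin can no longer clean up a stale pid file; restoring those two lines alongside the new `sensord_systemctl($1)` call keeps the admin interface complete.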
gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) - --/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) -+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) - --/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) -+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) -diff --git a/setroubleshoot.if b/setroubleshoot.if -index 3a9a70b..039b0c8 100644 ---- a/setroubleshoot.if -+++ b/setroubleshoot.if -@@ -1,9 +1,8 @@ --## SELinux troubleshooting service. -+## SELinux troubleshooting service - - ######################################## - ## --## Connect to setroubleshootd with a --## unix domain stream socket. -+## Connect to setroubleshootd over a unix stream socket. - ## - ## - ## -@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',` - - ######################################## - ## --## Do not audit attempts to connect to --## setroubleshootd with a unix --## domain stream socket. -+## Dontaudit attempts to connect to setroubleshootd -+## over a unix stream socket. - ## - ## - ## -@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` - - ######################################## - ## --## All of the rules required to --## administrate an setroubleshoot environment. -+## Dontaudit read/write to a setroubleshoot leaked sockets. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`setroubleshoot_fixit_dontaudit_leaks',` -+ gen_require(` -+ type setroubleshoot_fixit_t; -+ ') -+ -+ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write }; -+ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an setroubleshoot environment - ## - ## - ## -@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` - # - interface(`setroubleshoot_admin',` - gen_require(` -- type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t; -- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; -+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; -+ type setroubleshoot_var_lib_t; - ') - -- allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t }) -+ allow $1 setroubleshootd_t:process signal_perms; -+ ps_process_pattern($1, setroubleshootd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 setroubleshootd_t:process ptrace; -+ ') - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_var_log_t) -diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..d686e4a 100644 ---- a/setroubleshoot.te -+++ b/setroubleshoot.te -@@ -1,4 +1,4 @@ --policy_module(setroubleshoot, 1.11.2) -+policy_module(setroubleshoot, 1.11.0) - - ######################################## - # -@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2) - - type setroubleshootd_t alias setroubleshoot_t; - type setroubleshootd_exec_t; --init_system_domain(setroubleshootd_t, setroubleshootd_exec_t) -+domain_type(setroubleshootd_t) -+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) - - type setroubleshoot_fixit_t; - type setroubleshoot_fixit_exec_t; --init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) -+init_daemon_domain(setroubleshoot_fixit_t, 
setroubleshoot_fixit_exec_t) - - type setroubleshoot_var_lib_t; - files_type(setroubleshoot_var_lib_t) - -+# log files - type setroubleshoot_var_log_t; - logging_log_file(setroubleshoot_var_log_t) - -+# pid files - type setroubleshoot_var_run_t; - files_pid_file(setroubleshoot_var_run_t) - - ######################################## - # --# Local policy -+# setroubleshootd local policy - # - - allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; --allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; -+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; -+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run -+allow setroubleshootd_t self:process { execmem execstack }; - allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; --allow setroubleshootd_t self:tcp_socket { accept listen }; --allow setroubleshootd_t self:unix_stream_socket { accept connectto listen }; -+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; -+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; - --allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; -+# database files -+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; - manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) - files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) - --allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms; --append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) --create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) --setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, 
setroubleshoot_var_log_t) -+# log files -+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; -+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) - manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) - logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) - -+# pid file - manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) - manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) - manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t) - corecmd_exec_shell(setroubleshootd_t) - corecmd_read_all_executables(setroubleshootd_t) - --corenet_all_recvfrom_unlabeled(setroubleshootd_t) - corenet_all_recvfrom_netlabel(setroubleshootd_t) - corenet_tcp_sendrecv_generic_if(setroubleshootd_t) - corenet_tcp_sendrecv_generic_node(setroubleshootd_t) -- --corenet_sendrecv_smtp_client_packets(setroubleshootd_t) -+corenet_tcp_sendrecv_all_ports(setroubleshootd_t) -+corenet_tcp_bind_generic_node(setroubleshootd_t) - corenet_tcp_connect_smtp_port(setroubleshootd_t) --corenet_tcp_sendrecv_smtp_port(setroubleshootd_t) -+corenet_sendrecv_smtp_client_packets(setroubleshootd_t) - - dev_read_urand(setroubleshootd_t) - dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) - dev_getattr_all_chr_files(setroubleshootd_t) - dev_getattr_mtrr_dev(setroubleshootd_t) - --domain_dontaudit_search_all_domains_state(setroubleshootd_t) -+domain_read_all_domains_state(setroubleshootd_t) - domain_signull_all_domains(setroubleshootd_t) - --files_read_usr_files(setroubleshootd_t) - files_list_all(setroubleshootd_t) - files_getattr_all_files(setroubleshootd_t) - files_getattr_all_pipes(setroubleshootd_t) -@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t) - 
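Review bot: `allow setroubleshootd_t self:process { execmem execstack };` makes executable anonymous memory and an executable stack an unconditional grant for a daemon that also holds `sys_ptrace` and `dac_override`, and the accompanying comment blames an unnamed "bad library". The fixit helper in the same file takes the opposite approach (`dontaudit setroubleshoot_fixit_t self:process execmem;`), so the two domains are inconsistent. Unless the offending library is known and named in the comment, prefer the dontaudit form here as well, or wrap the allow in a tunable so W^X remains the default; `self:tcp_socket create_stream_socket_perms` also widens the previous `{ accept listen }` and deserves a line saying what the daemon creates sockets for.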
term_dontaudit_use_all_ptys(setroubleshootd_t) - term_dontaudit_use_all_ttys(setroubleshootd_t) - -+mls_dbus_recv_all_levels(setroubleshootd_t) -+ - auth_use_nsswitch(setroubleshootd_t) - - init_read_utmp(setroubleshootd_t) - init_dontaudit_write_utmp(setroubleshootd_t) - - libs_exec_ld_so(setroubleshootd_t) -+libs_exec_ldconfig(setroubleshootd_t) - - locallogin_dontaudit_use_fds(setroubleshootd_t) - - logging_send_audit_msgs(setroubleshootd_t) - logging_send_syslog_msg(setroubleshootd_t) - logging_stream_connect_dispatcher(setroubleshootd_t) -+logging_stream_connect_syslog(setroubleshootd_t) - --miscfiles_read_localization(setroubleshootd_t) -- -+seutil_read_bin_policy(setroubleshootd_t) - seutil_read_config(setroubleshootd_t) -+seutil_read_default_contexts(setroubleshootd_t) - seutil_read_file_contexts(setroubleshootd_t) --seutil_read_bin_policy(setroubleshootd_t) - - userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) - - optional_policy(` -- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) -- -- optional_policy(` -- abrt_dbus_chat(setroubleshootd_t) -- ') -+ abrt_dbus_chat(setroubleshootd_t) - ') - - optional_policy(` -@@ -135,10 +139,18 @@ optional_policy(` - ') - - optional_policy(` -+ mock_getattr_lib(setroubleshootd_t) -+') -+ -+optional_policy(` - modutils_read_module_config(setroubleshootd_t) - ') - - optional_policy(` -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) -+') -+ -+optional_policy(` - rpm_exec(setroubleshootd_t) - rpm_signull(setroubleshootd_t) - rpm_read_db(setroubleshootd_t) -@@ -148,26 +160,36 @@ optional_policy(` - - ######################################## - # --# Fixit local policy -+# setroubleshoot_fixit local policy - # - - allow setroubleshoot_fixit_t self:capability sys_nice; - allow setroubleshoot_fixit_t self:process { setsched getsched }; -+dontaudit setroubleshoot_fixit_t self:process execmem; - allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; -+allow 
setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; - - allow setroubleshoot_fixit_t setroubleshootd_t:process signull; - -+setroubleshoot_dbus_chat(setroubleshoot_fixit_t) - setroubleshoot_stream_connect(setroubleshoot_fixit_t) - - kernel_read_system_state(setroubleshoot_fixit_t) -+kernel_read_network_state(setroubleshoot_fixit_t) - - corecmd_exec_bin(setroubleshoot_fixit_t) - corecmd_exec_shell(setroubleshoot_fixit_t) - corecmd_getattr_all_executables(setroubleshoot_fixit_t) - -+dev_read_sysfs(setroubleshoot_fixit_t) -+dev_read_urand(setroubleshoot_fixit_t) -+ -+selinux_read_policy(setroubleshoot_fixit_t) -+ - seutil_domtrans_setfiles(setroubleshoot_fixit_t) -+seutil_domtrans_setsebool(setroubleshoot_fixit_t) -+seutil_read_module_store(setroubleshoot_fixit_t) - --files_read_usr_files(setroubleshoot_fixit_t) - files_list_tmp(setroubleshoot_fixit_t) - - auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) - logging_send_audit_msgs(setroubleshoot_fixit_t) - logging_send_syslog_msg(setroubleshoot_fixit_t) - --miscfiles_read_localization(setroubleshoot_fixit_t) -- --userdom_read_all_users_state(setroubleshoot_fixit_t) -+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) - userdom_signull_unpriv_users(setroubleshoot_fixit_t) - - optional_policy(` - dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) -- setroubleshoot_dbus_chat(setroubleshoot_fixit_t) -+') - -- optional_policy(` -- policykit_dbus_chat(setroubleshoot_fixit_t) -- ') -+optional_policy(` -+ gnome_dontaudit_search_config(setroubleshoot_fixit_t) - ') - - optional_policy(` -+ rpm_exec(setroubleshoot_fixit_t) - rpm_signull(setroubleshoot_fixit_t) - rpm_read_db(setroubleshoot_fixit_t) - rpm_dontaudit_manage_db(setroubleshoot_fixit_t) - rpm_use_script_fds(setroubleshoot_fixit_t) - ') -+ -+optional_policy(` -+ policykit_dbus_chat(setroubleshoot_fixit_t) -+ userdom_read_all_users_state(setroubleshoot_fixit_t) -+') -diff 
--git a/sge.fc b/sge.fc -new file mode 100644 -index 0000000..160ddc2 ---- /dev/null -+++ b/sge.fc -@@ -0,0 +1,6 @@ -+ -+/usr/bin/sge_execd -- gen_context(system_u:object_r:sge_execd_exec_t,s0) -+/usr/bin/sge_shepherd -- gen_context(system_u:object_r:sge_shepherd_exec_t,s0) -+ -+/var/spool/gridengine(/.*)? gen_context(system_u:object_r:sge_spool_t,s0) -+ -diff --git a/sge.if b/sge.if -new file mode 100644 -index 0000000..c9d2d9c ---- /dev/null -+++ b/sge.if -@@ -0,0 +1,24 @@ -+## Policy for gridengine MPI jobs -+ -+###################################### -+## -+## Creates types and rules for a basic -+## sge domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`sge_basic_types_template',` -+ gen_require(` -+ attribute sge_domain; -+ ') -+ -+ type $1_t, sge_domain; -+ type $1_exec_t; -+ -+ kernel_read_system_state($1_t) -+') -+ -diff --git a/sge.te b/sge.te -new file mode 100644 -index 0000000..af30acf ---- /dev/null -+++ b/sge.te -@@ -0,0 +1,195 @@ -+policy_module(sge, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

    -+## Allow sge to access nfs file systems. -+##

    -+##
    -+gen_tunable(sge_use_nfs, false) -+ -+## -+##

    -+## Allow sge to connect to the network using any TCP port -+##

    -+##
    -+gen_tunable(sge_domain_can_network_connect, false) -+ -+attribute sge_domain; -+ -+sge_basic_types_template(sge_execd) -+init_daemon_domain(sge_execd_t, sge_execd_exec_t) -+ -+type sge_spool_t; -+files_type(sge_spool_t) -+ -+type sge_tmp_t; -+files_tmp_file(sge_tmp_t) -+ -+sge_basic_types_template(sge_shepherd) -+application_domain(sge_shepherd_t, sge_shepherd_exec_t) -+role system_r types sge_shepherd_t; -+ -+sge_basic_types_template(sge_job) -+application_domain(sge_job_t, sge_job_exec_t) -+corecmd_shell_entry_type(sge_job_t) -+role system_r types sge_job_t; -+ -+####################################### -+# -+# sge_execd local policy -+# -+ -+allow sge_execd_t self:capability { dac_override kill setuid chown setgid }; -+allow sge_execd_t self:process { setsched signal setpgid }; -+ -+allow sge_execd_t sge_shepherd_t:process signal; -+ -+kernel_read_kernel_sysctls(sge_execd_t) -+ -+corenet_tcp_bind_sge_port(sge_execd_t) -+corenet_tcp_connect_sge_port(sge_execd_t) -+ -+dev_read_sysfs(sge_execd_t) -+ -+files_exec_usr_files(sge_execd_t) -+files_search_spool(sge_execd_t) -+ -+fs_getattr_xattr_fs(sge_execd_t) -+fs_read_cgroup_files(sge_execd_t) -+ -+auth_use_nsswitch(sge_execd_t) -+ -+logging_send_syslog_msg(sge_execd_t) -+ -+init_read_utmp(sge_execd_t) -+ -+optional_policy(` -+ sendmail_domtrans(sge_execd_t) -+') -+ -+###################################### -+# -+# sge_shepherd local policy -+# -+ -+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override }; -+allow sge_shepherd_t self:process { setsched setrlimit setpgid }; -+allow sge_shepherd_t self:process signal_perms; -+ -+domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t) -+ -+kernel_read_sysctl(sge_shepherd_t) -+kernel_read_kernel_sysctls(sge_shepherd_t) -+ -+dev_read_sysfs(sge_shepherd_t) -+ -+fs_getattr_all_fs(sge_shepherd_t) -+ -+logging_send_syslog_msg(sge_shepherd_t) -+ -+optional_policy(` -+ mta_send_mail(sge_shepherd_t) -+') -+ -+optional_policy(` -+ 
ssh_domtrans(sge_shepherd_t) -+') -+ -+optional_policy(` -+ unconfined_domain(sge_shepherd_t) -+') -+ -+##################################### -+# -+# sge_job local policy -+# -+ -+allow sge_shepherd_t sge_job_t:process signal_perms; -+ -+corecmd_shell_domtrans(sge_shepherd_t, sge_job_t) -+ -+kernel_read_kernel_sysctls(sge_job_t) -+ -+term_use_all_terms(sge_job_t) -+ -+logging_send_syslog_msg(sge_job_t) -+ -+optional_policy(` -+ ssh_basic_client_template(sge_job, sge_job_t, system_r) -+ ssh_domtrans(sge_job_t) -+ -+ allow sge_job_t sge_job_ssh_t:process sigkill; -+ allow sge_shepherd_t sge_job_ssh_t:process sigkill; -+ -+ xserver_exec_xauth(sge_job_ssh_t) -+ -+ tunable_policy(`sge_use_nfs',` -+ fs_list_auto_mountpoints(sge_job_ssh_t) -+ fs_manage_nfs_dirs(sge_job_ssh_t) -+ fs_manage_nfs_files(sge_job_ssh_t) -+ fs_read_nfs_symlinks(sge_job_ssh_t) -+ ') -+ ') -+ -+optional_policy(` -+ xserver_domtrans_xauth(sge_job_t) -+') -+ -+optional_policy(` -+ unconfined_domain(sge_job_t) -+') -+ -+##################################### -+# -+# sge_domain local policy -+# -+ -+allow sge_domain self:fifo_file rw_fifo_file_perms; -+allow sge_domain self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t) -+manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t) -+manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t) -+ -+manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t) -+manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t) -+files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir }) -+ -+kernel_read_network_state(sge_domain) -+ -+corecmd_exec_bin(sge_domain) -+corecmd_exec_shell(sge_domain) -+ -+domain_read_all_domains_state(sge_domain) -+ -+ -+dev_read_urand(sge_domain) -+ -+tunable_policy(`sge_domain_can_network_connect',` -+ corenet_tcp_connect_all_ports(sge_domain) -+') -+ -+tunable_policy(`sge_use_nfs',` -+ fs_list_auto_mountpoints(sge_domain) -+ fs_manage_nfs_dirs(sge_domain) -+ fs_manage_nfs_files(sge_domain) 
-+ fs_read_nfs_symlinks(sge_domain) -+ fs_exec_nfs_files(sge_domain) -+') -+ -+optional_policy(` -+ sysnet_dns_name_resolve(sge_domain) -+') -+ -+optional_policy(` -+ hostname_exec(sge_domain) -+') -+ -+optional_policy(` -+ nslcd_stream_connect(sge_domain) -+') -diff --git a/shorewall.if b/shorewall.if -index 1aeef8a..d5ce40a 100644 ---- a/shorewall.if -+++ b/shorewall.if -@@ -1,4 +1,4 @@ --## Shoreline Firewall high-level tool for configuring netfilter. -+## Shoreline Firewall high-level tool for configuring netfilter - - ######################################## - ## -@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',` - type shorewall_t, shorewall_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, shorewall_exec_t, shorewall_t) - ') - -@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',` - type shorewall_t, shorewall_var_lib_t; - ') - -- files_search_var_lib($1) - domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) - ') - - ####################################### - ## --## Read shorewall configuration files. -+## Read shorewall etc configuration files. - ## - ## - ## -@@ -57,47 +55,9 @@ interface(`shorewall_read_config',` - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) - ') - --####################################### --## --## Read shorewall pid files. --## --## --## --## Domain allowed access. --## --## --# --interface(`shorewall_read_pid_files',` -- gen_require(` -- type shorewall_var_run_t; -- ') -- -- files_search_pids($1) -- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) --') -- --####################################### --## --## Read and write shorewall pid files. --## --## --## --## Domain allowed access. --## --## --# --interface(`shorewall_rw_pid_files',` -- gen_require(` -- type shorewall_var_run_t; -- ') -- -- files_search_pids($1) -- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) --') -- - ###################################### - ## --## Read shorewall lib files. 
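Review bot: `unconfined_domain(sge_shepherd_t)` and `unconfined_domain(sge_job_t)` inside `optional_policy` turn the shepherd and job domains into unconfined ones on any system where the unconfined module is loaded, which makes the `sge_use_nfs` and `sge_domain_can_network_connect` tunables and the per-domain allow rules above them largely moot for those two domains. The job domain presumably runs user-submitted code, which is exactly where confinement matters most; the two calls should be dropped, or gated on an explicit tunable such as `gen_tunable(sge_job_unconfined, false)` documented next to the other two. `term_use_all_terms(sge_job_t)` and `domain_read_all_domains_state(sge_domain)` are likewise broad for job code and need a why-comment or a boolean.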
-+## Read shorewall /var/lib files. - ## - ## - ## -@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',` - ## - # - interface(`shorewall_read_lib_files',` -- gen_require(` -+ gen_require(` - type shorewall_var_lib_t; -- ') -+ ') - -- files_search_var_lib($1) -- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -+ files_search_var_lib($1) -+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - ') - - ####################################### - ## --## Read and write shorewall lib files. -+## Read and write shorewall /var/lib files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`shorewall_rw_lib_files',` -- gen_require(` -- type shorewall_var_lib_t; -- ') -+ gen_require(` -+ type shorewall_var_lib_t; -+ ') - -- files_search_var_lib($1) -- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -+ files_search_var_lib($1) -+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - ') - - ####################################### - ## --## Read shorewall temporary files. -+## Read shorewall tmp files. - ## - ## - ## -@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',` - - ####################################### - ## --## All of the rules required to --## administrate an shorewall environment. -+## All of the rules required to administrate -+## an shorewall environment - ## - ## - ## -@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the syslog domain. 
- ## - ## - ## - # - interface(`shorewall_admin',` - gen_require(` -- type shorewall_t, shorewall_lock_t, shorewall_log_t; -- type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t; -+ type shorewall_t, shorewall_lock_t; -+ type shorewall_log_t; -+ type shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t, shorewall_etc_t; - ') - -- allow $1 shorewall_t:process { ptrace signal_perms }; -+ allow $1 shorewall_t:process signal_perms; - ps_process_pattern($1, shorewall_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 shorewall_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - -- can_exec($1, shorewall_exec_t) -- - files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - -diff --git a/shorewall.te b/shorewall.te -index ca03de6..c3b5559 100644 ---- a/shorewall.te -+++ b/shorewall.te -@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) - files_lock_filetrans(shorewall_t, shorewall_lock_t, file) - - manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) --append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) --create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) --setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) - logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) - - manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) - manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) - manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) - files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) -+allow shorewall_t shorewall_var_lib_t:file entrypoint; -+ 
-+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - - allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - -@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t) - domain_read_all_domains_state(shorewall_t) - - files_getattr_kernel_modules(shorewall_t) --files_read_usr_files(shorewall_t) - files_search_kernel_modules(shorewall_t) - - fs_getattr_all_fs(shorewall_t) -@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t) - logging_read_generic_logs(shorewall_t) - logging_send_syslog_msg(shorewall_t) - --miscfiles_read_localization(shorewall_t) -- - sysnet_domtrans_ifconfig(shorewall_t) - --userdom_dontaudit_list_user_home_dirs(shorewall_t) --userdom_use_user_terminals(shorewall_t) -+userdom_dontaudit_list_admin_dir(shorewall_t) -+userdom_use_inherited_user_ttys(shorewall_t) -+userdom_use_inherited_user_ptys(shorewall_t) - - optional_policy(` - brctl_domtrans(shorewall_t) -diff --git a/shutdown.fc b/shutdown.fc -index a91f33b..631dbc1 100644 ---- a/shutdown.fc -+++ b/shutdown.fc -@@ -8,4 +8,4 @@ - - /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - --/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -diff --git a/shutdown.if b/shutdown.if -index d1706bf..87ab4a7 100644 ---- a/shutdown.if -+++ b/shutdown.if -@@ -1,30 +1,4 @@ --## System shutdown command. -- --######################################## --## --## Role access for shutdown. --## --## --## --## Role allowed access. --## --## --## --## --## User domain for the role. 
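Review bot: The added `allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;` duplicates the existing context line immediately below it, so the rule now appears twice in shorewall.te; drop the added copy. The new `allow shorewall_t shorewall_var_lib_t:file entrypoint;` makes files under /var/lib/shorewall entry points for shorewall_t while the same domain holds `manage_files_pattern` on that type, i.e. the domain can rewrite its own entry-point files; that appears to be what `shorewall_lib_domtrans` in shorewall.if relies on, but a comment such as `# compiled firewall script in /var/lib/shorewall is an entrypoint (see shorewall_lib_domtrans)` should record the trade-off.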
--## --## --# --interface(`shutdown_role',` -- gen_require(` -- type shutdown_t; -- ') -- -- shutdown_run($2, $1) -- -- allow $2 shutdown_t:process { ptrace signal_perms }; -- ps_process_pattern($2, shutdown_t) --') -+## System shutdown command - - ######################################## - ## -@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, shutdown_exec_t, shutdown_t) -+ -+ init_reboot($1) -+ init_halt($1) -+ -+ optional_policy(` -+ systemd_exec_systemctl($1) -+ init_stream_connect($1) -+ systemd_login_reboot($1) -+ systemd_login_halt($1) -+ ') -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; -+ ') - ') - - ######################################## - ## --## Execute shutdown in the shutdown --## domain, and allow the specified role --## the shutdown domain. -+## Execute shutdown in the shutdown domain, and -+## allow the specified role the shutdown domain. - ## - ## - ## -@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',` - # - interface(`shutdown_run',` - gen_require(` -+ type shutdown_t; - attribute_role shutdown_roles; - ') - -- shutdown_domtrans($1) -- roleattribute $2 shutdown_roles; -+ shutdown_domtrans($1) -+ roleattribute $2 shutdown_roles; - ') - - ######################################## - ## --## Send generic signals to shutdown. 
-+## Role access for shutdown -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+interface(`shutdown_role',` -+ gen_require(` -+ type shutdown_t; -+ ') -+ -+ shutdown_run($2, $1) -+ -+ allow $2 shutdown_t:process { ptrace signal_perms }; -+ ps_process_pattern($2, shutdown_t) -+') -+ -+######################################## -+## -+## Recieve sigchld from shutdown -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`shutdown_send_sigchld',` -+ gen_require(` -+ type shutdown_t; -+ ') -+ -+ allow shutdown_t $1:process signal; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## shutdown over dbus. - ## - ## - ## -@@ -81,17 +114,19 @@ interface(`shutdown_run',` - ## - ## - # --interface(`shutdown_signal',` -+interface(`shutdown_dbus_chat',` - gen_require(` - type shutdown_t; -+ class dbus send_msg; - ') - -- allow shutdown_t $1:process signal; -+ allow $1 shutdown_t:dbus send_msg; -+ allow shutdown_t $1:dbus send_msg; - ') - - ######################################## - ## --## Get attributes of shutdown executable files. -+## Get attributes of shutdown executable. 
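Review bot: `shutdown_send_sigchld` is documented as "Recieve sigchld from shutdown" but its body is `allow shutdown_t $1:process signal;`, which lets shutdown_t deliver any non-kill signal to the caller rather than only SIGCHLD; use `allow shutdown_t $1:process sigchld;` or rename the interface and its summary to say `signal`. The summary typo should read "Receive". The body is identical to the removed `shutdown_signal`, so the looseness is pre-existing, but the new name now mislabels it.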
- ## - ## - ## -diff --git a/shutdown.te b/shutdown.te -index 7880d1f..8804935 100644 ---- a/shutdown.te -+++ b/shutdown.te -@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t) - - mls_file_write_to_clearance(shutdown_t) - --term_use_all_terms(shutdown_t) -+term_use_all_inherited_terms(shutdown_t) - - auth_use_nsswitch(shutdown_t) - auth_write_login_records(shutdown_t) -@@ -56,8 +56,6 @@ init_telinit(shutdown_t) - logging_search_logs(shutdown_t) - logging_send_audit_msgs(shutdown_t) - --miscfiles_read_localization(shutdown_t) -- - optional_policy(` - cron_system_entry(shutdown_t, shutdown_exec_t) - ') -@@ -68,10 +66,15 @@ optional_policy(` - ') - - optional_policy(` -- oddjob_dontaudit_rw_fifo_files(shutdown_t) -- oddjob_sigchld(shutdown_t) -+ oddjob_dontaudit_rw_fifo_file(shutdown_t) -+ oddjob_sigchld(shutdown_t) -+') -+ -+optional_policy(` -+ rhev_sigchld_agentd(shutdown_t) - ') - - optional_policy(` - xserver_dontaudit_write_log(shutdown_t) -+ xserver_xdm_append_log(shutdown_t) - ') -diff --git a/slocate.te b/slocate.te -index ba26427..83d21aa 100644 ---- a/slocate.te -+++ b/slocate.te -@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t) - - auth_use_nsswitch(locate_t) - --miscfiles_read_localization(locate_t) - - ifdef(`enable_mls',` - files_dontaudit_getattr_all_dirs(locate_t) -diff --git a/slpd.if b/slpd.if -index ca32e89..98278dd 100644 ---- a/slpd.if -+++ b/slpd.if -@@ -2,6 +2,43 @@ - - ######################################## - ## -+## Transition to slpd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`slpd_domtrans',` -+ gen_require(` -+ type slpd_t, slpd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, slpd_exec_t, slpd_t) -+') -+ -+######################################## -+## -+## Execute slpd server in the slpd domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`slpd_initrc_domtrans',` -+ gen_require(` -+ type slpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, slpd_initrc_exec_t) -+') -+ -+######################################## -+## - ## All of the rules required to - ## administrate an slpd environment. - ## -@@ -26,7 +63,7 @@ interface(`slpd_admin',` - allow $1 slpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slpd_t) - -- init_labeled_script_domtrans($1, slpd_initrc_exec_t) -+ slpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 slpd_initrc_exec_t system_r; - allow $2 system_r; -@@ -36,4 +73,10 @@ interface(`slpd_admin',` - - files_search_pids($1) - admin_pattern($1, slpd_var_run_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+ - ') -diff --git a/slpd.te b/slpd.te -index 66ac42a..1a4c952 100644 ---- a/slpd.te -+++ b/slpd.te -@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) - corenet_tcp_bind_svrloc_port(slpd_t) - corenet_udp_bind_svrloc_port(slpd_t) - -+corenet_udp_bind_dhcpc_port(slpd_t) -+ -+dev_read_urand(slpd_t) -+ - auth_use_nsswitch(slpd_t) - --miscfiles_read_localization(slpd_t) -+sysnet_dns_name_resolve(slpd_t) -diff --git a/slrnpull.te b/slrnpull.te -index 5437237..3dfc982 100644 ---- a/slrnpull.te -+++ b/slrnpull.te -@@ -13,7 +13,7 @@ type slrnpull_var_run_t; - files_pid_file(slrnpull_var_run_t) - - type slrnpull_spool_t; --files_type(slrnpull_spool_t) -+files_spool_file(slrnpull_spool_t) - - type slrnpull_log_t; - logging_log_file(slrnpull_log_t) -@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t) - - domain_use_interactive_fds(slrnpull_t) - --files_read_etc_files(slrnpull_t) - files_search_spool(slrnpull_t) - - fs_getattr_all_fs(slrnpull_t) -@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t) - - logging_send_syslog_msg(slrnpull_t) - --miscfiles_read_localization(slrnpull_t) -- - userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) - 
userdom_dontaudit_search_user_home_dirs(slrnpull_t) - -diff --git a/smartmon.if b/smartmon.if -index e0644b5..ea347cc 100644 ---- a/smartmon.if -+++ b/smartmon.if -@@ -42,9 +42,13 @@ interface(`smartmon_admin',` - type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; - ') - -- allow $1 fsdaemon_t:process { ptrace signal_perms }; -+ allow $1 fsdaemon_t:process signal_perms; - ps_process_pattern($1, fsdaemon_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 fsdaemon_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fsdaemon_initrc_exec_t system_r; -diff --git a/smartmon.te b/smartmon.te -index 9ade9c5..60d6c41 100644 ---- a/smartmon.te -+++ b/smartmon.te -@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) - - corecmd_exec_all_executables(fsdaemon_t) - -+corenet_all_recvfrom_netlabel(fsdaemon_t) -+corenet_udp_sendrecv_generic_if(fsdaemon_t) -+corenet_udp_sendrecv_generic_node(fsdaemon_t) -+corenet_udp_sendrecv_all_ports(fsdaemon_t) -+ - dev_read_sysfs(fsdaemon_t) - dev_read_urand(fsdaemon_t) - - domain_use_interactive_fds(fsdaemon_t) - - files_exec_etc_files(fsdaemon_t) --files_read_etc_files(fsdaemon_t) - files_read_etc_runtime_files(fsdaemon_t) --files_read_usr_files(fsdaemon_t) - - fs_getattr_all_fs(fsdaemon_t) - fs_search_auto_mountpoints(fsdaemon_t) -+fs_read_removable_files(fsdaemon_t) - - mls_file_read_all_levels(fsdaemon_t) - -+storage_create_fixed_disk_dev(fsdaemon_t) -+storage_dev_filetrans_named_fixed_disk(fsdaemon_t) - storage_raw_read_fixed_disk(fsdaemon_t) - storage_raw_write_fixed_disk(fsdaemon_t) - storage_raw_read_removable_device(fsdaemon_t) -@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t) - - term_dontaudit_search_ptys(fsdaemon_t) - --application_signull(fsdaemon_t) -+domain_signull_all_domains(fsdaemon_t) -+ -+auth_read_passwd(fsdaemon_t) - - init_read_utmp(fsdaemon_t) - -@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t) - - 
logging_send_syslog_msg(fsdaemon_t) - --miscfiles_read_localization(fsdaemon_t) -+seutil_sigchld_newrole(fsdaemon_t) - - sysnet_dns_name_resolve(fsdaemon_t) - - userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) - userdom_dontaudit_search_user_home_dirs(fsdaemon_t) -+userdom_use_user_ptys(fsdaemon_t) - - tunable_policy(`smartmon_3ware',` - allow fsdaemon_t self:process setfscreate; -@@ -116,9 +125,9 @@ optional_policy(` - ') - - optional_policy(` -- seutil_sigchld_newrole(fsdaemon_t) -+ udev_read_db(fsdaemon_t) - ') - - optional_policy(` -- udev_read_db(fsdaemon_t) -+ virt_read_images(fsdaemon_t) - ') -diff --git a/smokeping.if b/smokeping.if -index 1fa51c1..82e111c 100644 ---- a/smokeping.if -+++ b/smokeping.if -@@ -158,8 +158,11 @@ interface(`smokeping_admin',` - type smokeping_var_run_t; - ') - -- allow $1 smokeping_t:process { ptrace signal_perms }; -+ allow $1 smokeping_t:process signal_perms; - ps_process_pattern($1, smokeping_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 smokeping_t:process ptrace; -+ ') - - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) -diff --git a/smokeping.te b/smokeping.te -index a8b1aaf..fc0a2be 100644 ---- a/smokeping.te -+++ b/smokeping.te -@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) - # - - dontaudit smokeping_t self:capability { dac_read_search dac_override }; -+allow smokeping_t self:process signal_perms; - allow smokeping_t self:fifo_file rw_fifo_file_perms; - allow smokeping_t self:unix_stream_socket { accept listen }; - -@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t) - - dev_read_urand(smokeping_t) - --files_read_usr_files(smokeping_t) - files_search_tmp(smokeping_t) - - auth_use_nsswitch(smokeping_t) -@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t) - - logging_send_syslog_msg(smokeping_t) - --miscfiles_read_localization(smokeping_t) -- - mta_send_mail(smokeping_t) - - netutils_domtrans_ping(smokeping_t) -@@ -70,6 +68,8 @@ optional_policy(` - 
files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) - -+ auth_read_passwd(httpd_smokeping_cgi_script_t) -+ - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) - - netutils_domtrans_ping(httpd_smokeping_cgi_script_t) -diff --git a/smoltclient.te b/smoltclient.te -index 9c8f9a5..14f15a4 100644 ---- a/smoltclient.te -+++ b/smoltclient.te -@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) - - files_getattr_generic_locks(smoltclient_t) - files_read_etc_runtime_files(smoltclient_t) --files_read_usr_files(smoltclient_t) - - auth_use_nsswitch(smoltclient_t) - - logging_send_syslog_msg(smoltclient_t) - - miscfiles_read_hwdata(smoltclient_t) --miscfiles_read_localization(smoltclient_t) - - optional_policy(` - abrt_stream_connect(smoltclient_t) -diff --git a/smsd.fc b/smsd.fc -new file mode 100644 -index 0000000..4c3fcec ---- /dev/null -+++ b/smsd.fc -@@ -0,0 +1,11 @@ -+/etc/rc\.d/init\.d/smsd -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0) -+ -+/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0) -+ -+/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0) -+ -+/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0) -+ -+/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0) -+ -+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0) -diff --git a/smsd.if b/smsd.if -new file mode 100644 -index 0000000..52450c7 ---- /dev/null -+++ b/smsd.if -@@ -0,0 +1,240 @@ -+## The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions. -+ -+######################################## -+## -+## Execute smsd in the smsd domin. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`smsd_domtrans',` -+ gen_require(` -+ type smsd_t, smsd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, smsd_exec_t, smsd_t) -+') -+ -+######################################## -+## -+## Execute smsd server in the smsd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_initrc_domtrans',` -+ gen_require(` -+ type smsd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, smsd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Read smsd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_read_log',` -+ gen_require(` -+ type smsd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, smsd_log_t, smsd_log_t) -+') -+ -+######################################## -+## -+## Append to smsd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_append_log',` -+ gen_require(` -+ type smsd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, smsd_log_t, smsd_log_t) -+') -+ -+######################################## -+## -+## Manage smsd log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_manage_log',` -+ gen_require(` -+ type smsd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, smsd_log_t, smsd_log_t) -+ manage_files_pattern($1, smsd_log_t, smsd_log_t) -+ manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t) -+') -+######################################## -+## -+## Read smsd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_read_pid_files',` -+ gen_require(` -+ type smsd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, smsd_var_run_t, smsd_var_run_t) -+') -+ -+######################################## -+## -+## Search smsd spool directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`smsd_search_spool',` -+ gen_require(` -+ type smsd_spool_t; -+ ') -+ -+ allow $1 smsd_spool_t:dir search_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## -+## Read smsd spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_read_spool_files',` -+ gen_require(` -+ type smsd_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, smsd_spool_t, smsd_spool_t) -+') -+ -+######################################## -+## -+## Manage smsd spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_manage_spool_files',` -+ gen_require(` -+ type smsd_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, smsd_spool_t, smsd_spool_t) -+') -+ -+######################################## -+## -+## Manage smsd spool dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_manage_spool_dirs',` -+ gen_require(` -+ type smsd_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an smsd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# -+interface(`smsd_admin',` -+ gen_require(` -+ type smsd_t; -+ type smsd_initrc_exec_t; -+ type smsd_log_t; -+ type smsd_var_run_t; -+ type smsd_spool_t; -+ ') -+ -+ allow $1 smsd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, smsd_t) -+ -+ smsd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 smsd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_search_logs($1) -+ admin_pattern($1, smsd_log_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, smsd_var_run_t) -+ -+ files_search_spool($1) -+ admin_pattern($1, smsd_spool_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/smsd.te b/smsd.te -new file mode 100644 -index 0000000..1fad7b8 ---- /dev/null -+++ b/smsd.te -@@ -0,0 +1,73 @@ -+policy_module(smsd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type smsd_t; -+type smsd_exec_t; -+init_daemon_domain(smsd_t, smsd_exec_t) -+ -+type smsd_initrc_exec_t; -+init_script_file(smsd_initrc_exec_t) -+ -+type smsd_log_t; -+logging_log_file(smsd_log_t) -+ -+type smsd_var_lib_t; -+files_type(smsd_var_lib_t) -+ -+type smsd_var_run_t; -+files_pid_file(smsd_var_run_t) -+ -+type smsd_spool_t; -+files_type(smsd_spool_t) -+ -+type smsd_tmp_t; -+files_tmp_file(smsd_tmp_t) -+ -+######################################## -+# -+# smsd local policy -+# -+ -+allow smsd_t self:capability { kill setgid setuid }; -+allow smsd_t self:process { fork signal }; -+allow smsd_t self:fifo_file rw_fifo_file_perms; -+allow smsd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t) -+manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t) -+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t) -+logging_log_filetrans(smsd_t, smsd_log_t, { dir }) -+ -+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) -+manage_files_pattern(smsd_t, smsd_var_lib_t, 
smsd_var_lib_t) -+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) -+ -+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) -+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) -+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) -+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir }) -+ -+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t) -+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) -+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) -+files_spool_filetrans(smsd_t, smsd_spool_t, { dir }) -+can_exec(smsd_t, smsd_spool_t) -+ -+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t) -+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t) -+files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir }) -+ -+kernel_read_system_state(smsd_t) -+kernel_read_kernel_sysctls(smsd_t) -+ -+corecmd_exec_shell(smsd_t) -+ -+auth_use_nsswitch(smsd_t) -+ -+logging_send_syslog_msg(smsd_t) -+ -+sysnet_dns_name_resolve(smsd_t) -diff --git a/smstools.if b/smstools.if -index cbfe369..6594af3 100644 ---- a/smstools.if -+++ b/smstools.if -@@ -1,5 +1,81 @@ - ## Tools to send and receive short messages through GSM modems or mobile phones. - -+####################################### -+## -+## Search smsd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_search_lib',` -+ gen_require(` -+ type smsd_var_lib_t; -+ ') -+ -+ allow $1 smsd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+####################################### -+## -+## Read smsd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_read_lib_files',` -+ gen_require(` -+ type smsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t) -+') -+ -+####################################### -+## -+## Manage smsd lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`smsd_manage_lib_files',` -+ gen_require(` -+ type smsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t) -+') -+ -+####################################### -+## -+## Manage smsd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`smsd_manage_lib_dirs',` -+ gen_require(` -+ type smsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t) -+') -+ - ######################################## - ## - ## All of the rules required to -@@ -32,7 +108,7 @@ interface(`smstools_admin',` - role_transition $2 smsd_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_config($1) -+ files_search_etc($1) - admin_pattern($1, smsd_conf_t) - - files_search_var_lib($1) -diff --git a/snapper.fc b/snapper.fc -new file mode 100644 -index 0000000..3f412d5 ---- /dev/null -+++ b/snapper.fc -@@ -0,0 +1 @@ -+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) -diff --git a/snapper.if b/snapper.if -new file mode 100644 -index 0000000..94105ee ---- /dev/null -+++ b/snapper.if -@@ -0,0 +1,42 @@ -+ -+## policy for snapperd -+ -+######################################## -+## -+## Execute TEMPLATE in the snapperd domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`snapper_domtrans',` -+ gen_require(` -+ type snapperd_t, snapperd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, snapperd_exec_t, snapperd_t) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## snapperd over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`snapper_dbus_chat',` -+ gen_require(` -+ type snapperd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 snapperd_t:dbus send_msg; -+ allow snapperd_t $1:dbus send_msg; -+') -diff --git a/snapper.te b/snapper.te -new file mode 100644 -index 0000000..ad232be ---- /dev/null -+++ b/snapper.te -@@ -0,0 +1,33 @@ -+policy_module(snapper, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type snapperd_t; -+type snapperd_exec_t; -+init_daemon_domain(snapperd_t, snapperd_exec_t) -+ -+######################################## -+# -+# snapperd local policy -+# -+ -+allow snapperd_t self:fifo_file rw_fifo_file_perms; -+allow snapperd_t self:unix_stream_socket create_stream_socket_perms; -+ -+storage_raw_read_fixed_disk(snapperd_t) -+ -+auth_use_nsswitch(snapperd_t) -+ -+miscfiles_read_localization(snapperd_t) -+ -+optional_policy(` -+ dbus_system_bus_client(snapperd_t) -+ dbus_connect_system_bus(snapperd_t) -+') -+ -+optional_policy(` -+ mount_domtrans(snapperd_t) -+') -diff --git a/snmp.fc b/snmp.fc -index c73fa24..408ff61 100644 ---- a/snmp.fc -+++ b/snmp.fc -@@ -1,6 +1,6 @@ - /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) - --/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) -+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0) - /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) - - /usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) -@@ -10,9 +10,12 @@ - - /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -+/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - - /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) - -+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -+ - /var/run/net-snmpd(/.*)? 
gen_context(system_u:object_r:snmpd_var_run_t,s0) --/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) - /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) -diff --git a/snmp.if b/snmp.if -index 7a9cc9d..86cbca9 100644 ---- a/snmp.if -+++ b/snmp.if -@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',` - - ######################################## - ## --## Create, read, write, and delete --## snmp lib directories. -+## Read snmpd lib content. - ## - ## - ## -@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',` - ## - ## - # --interface(`snmp_manage_var_lib_dirs',` -+interface(`snmp_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) -- allow $1 snmpd_var_lib_t:dir manage_dir_perms; -+ allow $1 snmpd_var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+') -+ -+####################################### -+## -+## Read snmpd libraries directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`snmp_read_snmp_var_lib_dirs',` -+ gen_require(` -+ type snmpd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 snmpd_var_lib_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## snmp lib files. 
-+## Manage snmpd libraries directories - ## - ## - ## -@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',` - ## - ## - # --interface(`snmp_manage_var_lib_files',` -+interface(`snmp_manage_var_lib_dirs',` - gen_require(` - type snmpd_var_lib_t; - ') - -- files_search_var_lib($1) -- allow $1 snmpd_var_lib_t:dir list_dir_perms; -- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ allow $1 snmpd_var_lib_t:dir manage_dir_perms; -+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) - ') - - ######################################## - ## --## Read snmpd lib content. -+## Manage snmpd libraries. - ## - ## - ## -@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',` - ## - ## - # --interface(`snmp_read_snmp_var_lib_files',` -+interface(`snmp_manage_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - -+ files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir list_dir_perms; -- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - ') - - ######################################## -@@ -179,8 +197,12 @@ interface(`snmp_admin',` - type snmpd_var_lib_t, snmpd_var_run_t; - ') - -- allow $1 snmpd_t:process { ptrace signal_perms }; -+ allow $1 snmpd_t:process signal_perms; -+ - ps_process_pattern($1, snmpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 snmpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/snmp.te b/snmp.te -index 81864ce..4b6b771 100644 ---- a/snmp.te -+++ b/snmp.te -@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) - # - - allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; -+ - dontaudit snmpd_t self:capability { sys_module sys_tty_config }; - allow snmpd_t self:process { signal_perms getsched setsched }; - allow snmpd_t self:fifo_file 
rw_fifo_file_perms; --allow snmpd_t self:unix_stream_socket { accept connectto listen }; --allow snmpd_t self:tcp_socket { accept listen }; -+allow snmpd_t self:unix_dgram_socket create_socket_perms; -+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow snmpd_t self:tcp_socket create_stream_socket_perms; - allow snmpd_t self:udp_socket connected_stream_socket_perms; - --allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t) - logging_log_filetrans(snmpd_t, snmpd_log_t, file) - - manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) -@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t) - kernel_read_fs_sysctls(snmpd_t) - kernel_read_net_sysctls(snmpd_t) - kernel_read_network_state(snmpd_t) -+kernel_read_proc_symlinks(snmpd_t) -+kernel_read_all_proc(snmpd_t) - kernel_read_system_state(snmpd_t) - - corecmd_exec_bin(snmpd_t) - corecmd_exec_shell(snmpd_t) - --corenet_all_recvfrom_unlabeled(snmpd_t) - corenet_all_recvfrom_netlabel(snmpd_t) - corenet_tcp_sendrecv_generic_if(snmpd_t) - corenet_udp_sendrecv_generic_if(snmpd_t) -@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t) - corenet_tcp_sendrecv_snmp_port(snmpd_t) - corenet_udp_sendrecv_snmp_port(snmpd_t) - --corenet_sendrecv_snmp_client_packets(snmpd_t) - corenet_tcp_connect_agentx_port(snmpd_t) --corenet_sendrecv_snmp_server_packets(snmpd_t) - corenet_tcp_bind_agentx_port(snmpd_t) - corenet_udp_bind_agentx_port(snmpd_t) - corenet_tcp_sendrecv_agentx_port(snmpd_t) -@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t) - domain_read_all_domains_state(snmpd_t) - domain_exec_all_entry_files(snmpd_t) - --files_read_usr_files(snmpd_t) - files_read_etc_runtime_files(snmpd_t) - files_search_home(snmpd_t) - -@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t) - - init_read_utmp(snmpd_t) - init_dontaudit_write_utmp(snmpd_t) -+# need write to /var/run/systemd/notify 
-+init_write_pid_socket(snmpd_t) - - logging_send_syslog_msg(snmpd_t) - --miscfiles_read_localization(snmpd_t) -+sysnet_read_config(snmpd_t) - - seutil_dontaudit_search_config(snmpd_t) - -@@ -131,7 +133,11 @@ optional_policy(` - ') - - optional_policy(` -- corosync_stream_connect(snmpd_t) -+ fstools_domtrans(snmpd_t) -+') -+ -+optional_policy(` -+ rhcs_stream_connect_cluster(snmpd_t) - ') - - optional_policy(` -diff --git a/snort.if b/snort.if -index 7d86b34..5f58180 100644 ---- a/snort.if -+++ b/snort.if -@@ -42,8 +42,11 @@ interface(`snort_admin',` - type snort_etc_t, snort_initrc_exec_t; - ') - -- allow $1 snort_t:process { ptrace signal_perms }; -+ allow $1 snort_t:process signal_perms; - ps_process_pattern($1, snort_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 snort_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) -@@ -51,11 +54,11 @@ interface(`snort_admin',` - allow $2 system_r; - - admin_pattern($1, snort_etc_t) -- files_search_etc($1) -+ files_list_etc($1) - - admin_pattern($1, snort_log_t) -- logging_search_logs($1) -+ logging_list_logs($1) - - admin_pattern($1, snort_var_run_t) -- files_search_pids($1) -+ files_list_pids($1) - ') -diff --git a/snort.te b/snort.te -index ccd28bb..80106ac 100644 ---- a/snort.te -+++ b/snort.te -@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) - allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; - dontaudit snort_t self:capability sys_tty_config; - allow snort_t self:process signal_perms; -+allow snort_t self:netlink_route_socket create_netlink_socket_perms; - allow snort_t self:netlink_socket create_socket_perms; --allow snort_t self:tcp_socket { accept listen }; -+allow snort_t self:tcp_socket create_stream_socket_perms; -+allow snort_t self:udp_socket create_socket_perms; - allow snort_t self:packet_socket create_socket_perms; - allow snort_t self:socket create_socket_perms; -+# Snort IPS node. unverified. 
- allow snort_t self:netlink_firewall_socket create_socket_perms; - - allow snort_t snort_etc_t:dir list_dir_perms; -@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t) - kernel_dontaudit_read_system_state(snort_t) - kernel_read_network_state(snort_t) - --corenet_all_recvfrom_unlabeled(snort_t) - corenet_all_recvfrom_netlabel(snort_t) - corenet_tcp_sendrecv_generic_if(snort_t) - corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t) - - domain_use_interactive_fds(snort_t) - --files_read_etc_files(snort_t) - files_dontaudit_read_etc_runtime_files(snort_t) - - fs_getattr_all_fs(snort_t) - fs_search_auto_mountpoints(snort_t) - -+auth_read_passwd(snort_t) -+ - init_read_utmp(snort_t) - - logging_send_syslog_msg(snort_t) - --miscfiles_read_localization(snort_t) -- - sysnet_dns_name_resolve(snort_t) - - userdom_dontaudit_use_unpriv_user_fds(snort_t) -diff --git a/sosreport.if b/sosreport.if -index 634c6b4..e1edfd9 100644 ---- a/sosreport.if -+++ b/sosreport.if -@@ -42,7 +42,7 @@ interface(`sosreport_run',` - ') - - sosreport_domtrans($1) -- roleattribute $2 sospreport_roles; -+ roleattribute $2 sosreport_roles; - ') - - ######################################## -diff --git a/sosreport.te b/sosreport.te -index 703efa3..9610be1 100644 ---- a/sosreport.te -+++ b/sosreport.te -@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) - type sosreport_tmpfs_t; - files_tmpfs_file(sosreport_tmpfs_t) - -+type sosreport_var_run_t; -+files_pid_file(sosreport_var_run_t) -+ - optional_policy(` - pulseaudio_tmpfs_content(sosreport_tmpfs_t) - ') -@@ -29,10 +32,13 @@ optional_policy(` - # - - allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; -+dontaudit sosreport_t self:capability { sys_ptrace }; - allow sosreport_t self:process { setsched signull }; - allow sosreport_t self:fifo_file rw_fifo_file_perms; - allow sosreport_t self:tcp_socket { accept listen }; - allow sosreport_t self:unix_stream_socket { 
accept listen }; -+allow sosreport_t self:rawip_socket create_socket_perms; -+allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) - manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) - files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") - files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) - -+manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -+manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -+manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -+manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -+files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) -+ - manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) - fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) - -@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t) - dev_read_urand(sosreport_t) - dev_read_raw_memory(sosreport_t) - dev_read_sysfs(sosreport_t) -+dev_rw_generic_usb_dev(sosreport_t) -+dev_getattr_all_chr_files(sosreport_t) -+dev_getattr_all_blk_files(sosreport_t) - - domain_getattr_all_domains(sosreport_t) - domain_read_all_domains_state(sosreport_t) -@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t) - domain_getattr_all_pipes(sosreport_t) - - files_getattr_all_sockets(sosreport_t) -+files_getattr_all_files(sosreport_t) -+files_getattr_all_pipes(sosreport_t) - files_exec_etc_files(sosreport_t) - files_list_all(sosreport_t) - files_read_config_files(sosreport_t) - files_read_generic_tmp_files(sosreport_t) - files_read_non_auth_files(sosreport_t) --files_read_usr_files(sosreport_t) - files_read_var_lib_files(sosreport_t) - files_read_var_symlinks(sosreport_t) - files_read_kernel_modules(sosreport_t) -@@ 
-79,27 +95,42 @@ files_manage_etc_runtime_files(sosreport_t) - files_etc_filetrans_etc_runtime(sosreport_t, file) - - fs_getattr_all_fs(sosreport_t) -+fs_getattr_all_dirs(sosreport_t) - fs_list_inotifyfs(sosreport_t) - - storage_dontaudit_read_fixed_disk(sosreport_t) - storage_dontaudit_read_removable_device(sosreport_t) - -+term_getattr_pty_fs(sosreport_t) -+term_getattr_all_ptys(sosreport_t) -+term_use_generic_ptys(sosreport_t) -+ -+# some config files do not have configfile attribute -+# sosreport needs to read various files on system -+files_read_non_security_files(sosreport_t) -+ - auth_use_nsswitch(sosreport_t) -+auth_dontaudit_read_shadow(sosreport_t) - - init_domtrans_script(sosreport_t) -+init_getattr_initctl(sosreport_t) - - libs_domtrans_ldconfig(sosreport_t) - - logging_read_all_logs(sosreport_t) - logging_send_syslog_msg(sosreport_t) - --miscfiles_read_localization(sosreport_t) -+sysnet_read_config(sosreport_t) - --modutils_read_module_deps(sosreport_t) - - optional_policy(` - abrt_manage_pid_files(sosreport_t) - abrt_manage_cache(sosreport_t) -+ abrt_stream_connect(sosreport_t) -+') -+ -+optional_policy(` -+ brctl_domtrans(sosreport_t) - ') - - optional_policy(` -@@ -111,6 +142,11 @@ optional_policy(` - ') - - optional_policy(` -+ # needed by modinfo -+ modutils_read_module_deps(sosreport_t) -+') -+ -+optional_policy(` - fstools_domtrans(sosreport_t) - ') - -diff --git a/soundserver.if b/soundserver.if -index a5abc5a..b9eff74 100644 ---- a/soundserver.if -+++ b/soundserver.if -@@ -38,9 +38,13 @@ interface(`soundserver_admin',` - type soundd_state_t; - ') - -- allow $1 soundd_t:process { ptrace signal_perms }; -+ allow $1 soundd_t:process signal_perms; - ps_process_pattern($1, soundd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 soundd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 soundd_initrc_exec_t system_r; -diff --git a/soundserver.te 
b/soundserver.te
-index db1bc6f..b6c0d16 100644
---- a/soundserver.te
-+++ b/soundserver.te
-@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
- kernel_list_proc(soundd_t)
- kernel_read_proc_symlinks(soundd_t)
- 
--corenet_all_recvfrom_unlabeled(soundd_t)
- corenet_all_recvfrom_netlabel(soundd_t)
- corenet_tcp_sendrecv_generic_if(soundd_t)
- corenet_tcp_sendrecv_generic_node(soundd_t)
-@@ -81,7 +80,6 @@ dev_write_sound(soundd_t)
- 
- domain_use_interactive_fds(soundd_t)
- 
--files_read_etc_files(soundd_t)
- files_read_etc_runtime_files(soundd_t)
- 
- fs_getattr_all_fs(soundd_t)
-@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t)
- 
- logging_send_syslog_msg(soundd_t)
- 
--miscfiles_read_localization(soundd_t)
--
- sysnet_read_config(soundd_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-diff --git a/spamassassin.fc b/spamassassin.fc
-index e9bd097..e059e27 100644
---- a/spamassassin.fc
-+++ b/spamassassin.fc
-@@ -1,20 +1,26 @@
--HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
--HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
-+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
- 
- /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
- 
- /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
--/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
--/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
-+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
- /usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
- 
--/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
--/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
- /usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
--/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
- 
- /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
- /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
-@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
- /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
- 
- /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
--/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
--/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
- /var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
- /var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+
-+/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
-+/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
-+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+
-+/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
-+
-+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-+/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-+
-+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+
-+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
-+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
-diff --git a/spamassassin.if b/spamassassin.if
-index 1499b0b..6950cab 100644
---- a/spamassassin.if
-+++ b/spamassassin.if
-@@ -2,39 +2,45 @@
- 
- ########################################
- ##
--## Role access for spamassassin.
-+## Role access for spamassassin
- ##
- ##
- ##
--## Role allowed access.
-+## Role allowed access
- ##
- ##
- ##
- ##
--## User domain for the role.
-+## User domain for the role
- ##
- ##
-+##
- #
- interface(`spamassassin_role',`
- gen_require(`
- type spamc_t, spamc_exec_t, spamc_tmp_t;
-- type spamassassin_t, spamassassin_exec_t, spamd_home_t;
-+ type spamassassin_t, spamassassin_exec_t;
- type spamassassin_home_t, spamassassin_tmp_t;
- ')
- 
- role $1 types { spamc_t spamassassin_t };
- 
- domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
-+
-+ allow $2 spamassassin_t:process signal_perms;
-+ ps_process_pattern($2, spamassassin_t)
-+
- domtrans_pattern($2, spamc_exec_t, spamc_t)
- 
-- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
-- ps_process_pattern($2, { spamc_t spamassassin_t })
-+ allow $2 spamc_t:process signal_perms;
-+ ps_process_pattern($2, spamc_t)
- 
-- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
-- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-- userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
-- userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
-+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
-+ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
-+ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
-+ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
-+ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
-+ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
- ')
- 
- ########################################
-@@ -53,13 +59,12 @@ interface(`spamassassin_exec',`
- type spamassassin_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- can_exec($1, spamassassin_exec_t)
- ')
- 
- ########################################
- ##
--## Send generic signals to spamd.
-+## Singnal the spam assassin daemon
- ##
- ##
- ##
-@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',`
- 
- ########################################
- ##
--## Execute spamd in the caller domain.
-+## Execute the spamassassin daemon
-+## program in the caller directory.
- ##
- ##
- ##
-@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',`
- type spamd_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- can_exec($1, spamd_exec_t)
- ')
- 
- ########################################
- ##
--## Execute spamc in the spamc domain.
-+## Execute spamassassin client in the spamassassin client domain.
- ##
- ##
- ##
-@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',`
- type spamc_t, spamc_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, spamc_exec_t, spamc_t)
-+ allow $1 spamc_exec_t:file ioctl;
- ')
- 
- ########################################
- ##
--## Execute spamc in the caller domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`spamassassin_exec_client',`
-- gen_require(`
-- type spamc_exec_t;
-- ')
--
-- corecmd_search_bin($1)
-- can_exec($1, spamc_exec_t)
--')
--
--########################################
--##
--## Send kill signals to spamc.
-+## Send kill signal to spamassassin client
- ##
- ##
- ##
-@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',`
- 
- ########################################
- ##
--## Execute spamassassin standalone client
--## in the user spamassassin domain.
-+## Manage spamc home files.
- ##
- ##
- ##
--## Domain allowed to transition.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`spamassassin_domtrans_local_client',`
-+interface(`spamassassin_manage_home_client',`
- gen_require(`
-- type spamassassin_t, spamassassin_exec_t;
-+ type spamc_home_t;
- ')
- 
-- corecmd_search_bin($1)
-- domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
-+ userdom_search_user_home_dirs($1)
-+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
-+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
-+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
- ')
- 
- ########################################
- ##
--## Create, read, write, and delete
--## spamd home content.
-+## Read spamc home files.
- ##
- ##
- ##
-@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',`
- ##
- ##
- #
--interface(`spamassassin_manage_spamd_home_content',`
-+interface(`spamassassin_read_home_client',`
- gen_require(`
-- type spamd_home_t;
-+ type spamc_home_t;
- ')
- 
- userdom_search_user_home_dirs($1)
-- allow $1 spamd_home_t:dir manage_dir_perms;
-- allow $1 spamd_home_t:file manage_file_perms;
-- allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
-+ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
-+ read_files_pattern($1, spamc_home_t, spamc_home_t)
-+ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
- ')
- 
- ########################################
- ##
--## Relabel spamd home content.
-+## Execute the spamassassin client
-+## program in the caller directory.
- ##
- ##
- ##
-@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',`
- ##
- ##
- #
--interface(`spamassassin_relabel_spamd_home_content',`
-+interface(`spamassassin_exec_client',`
- gen_require(`
-- type spamd_home_t;
-+ type spamc_exec_t;
- ')
- 
-- userdom_search_user_home_dirs($1)
-- allow $1 spamd_home_t:dir relabel_dir_perms;
-- allow $1 spamd_home_t:file relabel_file_perms;
-- allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
-+ can_exec($1, spamc_exec_t)
- ')
- 
- ########################################
- ##
--## Create objects in user home
--## directories with the spamd home type.
-+## Execute spamassassin standalone client in the user spamassassin domain.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain allowed to transition.
- ##
- ##
- #
--interface(`spamassassin_home_filetrans_spamd_home',`
-+interface(`spamassassin_domtrans_local_client',`
- gen_require(`
-- type spamd_home_t;
-+ type spamassassin_t, spamassassin_exec_t;
- ')
- 
-- userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
-+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
- ')
- 
- ########################################
- ##
--## Read spamd lib files.
-+## read spamd lib files.
- ##
- ##
- ##
-@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
- ')
- 
- files_search_var_lib($1)
-+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
- read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
-+ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
- ')
- 
- ########################################
-@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',`
- 
- ########################################
- ##
--## Read spamd pid files.
-+## Read temporary spamd file.
- ##
- ##
- ##
-@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',`
- ##
- ##
- #
--interface(`spamassassin_read_spamd_pid_files',`
-+interface(`spamassassin_read_spamd_tmp_files',`
- gen_require(`
-- type spamd_var_run_t;
-+ type spamd_tmp_t;
- ')
- 
-- files_search_pids($1)
-- read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
-+ files_search_tmp($1)
-+ allow $1 spamd_tmp_t:file read_file_perms;
- ')
- 
- ########################################
- ##
--## Read temporary spamd files.
-+## Do not audit attempts to get attributes of temporary
-+## spamd sockets/
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`spamassassin_read_spamd_tmp_files',`
-+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
- gen_require(`
- type spamd_tmp_t;
- ')
- 
-- allow $1 spamd_tmp_t:file read_file_perms;
-+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
- ')
- 
- ########################################
- ##
--## Do not audit attempts to get
--## attributes of temporary spamd sockets.
-+## Connect to run spamd.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed to connect.
- ##
- ##
- #
--interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
-+interface(`spamd_stream_connect',`
- gen_require(`
-- type spamd_tmp_t;
-+ type spamd_t, spamd_var_run_t;
- ')
- 
-- dontaudit $1 spamd_tmp_t:sock_file getattr;
-+ files_search_pids($1)
-+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
- ')
- 
- ########################################
- ##
--## Connect to spamd with a unix
--## domain stream socket.
-+## Read spamd pid files.
- ##
- ##
- ##
-@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
- ##
- ##
- #
--interface(`spamassassin_stream_connect_spamd',`
-+interface(`spamassassin_read_pid_files',`
- gen_require(`
-- type spamd_t, spamd_var_run_t;
-+ type spamd_var_run_t;
- ')
- 
- files_search_pids($1)
-- stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
-+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
- ')
- 
-+######################################
-+##
-+## Transition to spamassassin named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`spamassassin_filetrans_home_content',`
-+ gen_require(`
-+ type spamc_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
-+ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
-+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
-+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
-+')
-+
-+######################################
-+##
-+## Transition to spamassassin named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`spamassassin_filetrans_admin_home_content',`
-+ gen_require(`
-+ type spamc_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
-+ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
-+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
-+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
-+')
-+
-+
- ########################################
- ##
--## All of the rules required to
--## administrate an spamassassin environment.
-+## All of the rules required to administrate
-+## an spamassassin environment
- ##
- ##
- ##
-@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',`
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the spamassassin domain.
- ##
- ##
--##
- #
--interface(`spamassassin_admin',`
-+interface(`spamassassin_spamd_admin',`
- gen_require(`
- type spamd_t, spamd_tmp_t, spamd_log_t;
- type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
- type spamd_initrc_exec_t;
- ')
- 
-- allow $1 spamd_t:process { ptrace signal_perms };
-+ allow $1 spamd_t:process signal_perms;
- ps_process_pattern($1, spamd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 spamd_t:process ptrace;
-+ ')
- 
- init_labeled_script_domtrans($1, spamd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -403,6 +423,4 @@ interface(`spamassassin_admin',`
- 
- files_list_pids($1)
- admin_pattern($1, spamd_var_run_t)
--
-- spamassassin_role($2, $1)
- ')
-diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..4babad1 100644
---- a/spamassassin.te
-+++ b/spamassassin.te
-@@ -1,4 +1,4 @@
--policy_module(spamassassin, 2.5.8)
-+policy_module(spamassassin, 2.5.0)
- 
- ########################################
- #
-@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8)
- 
- ##
- ##

    --## Determine whether spamassassin --## clients can use the network. -+## Allow user spamassassin clients to use the network. - ##

    - ##
    - gen_tunable(spamassassin_can_network, false) - - ## - ##

    --## Determine whether spamd can manage --## generic user home content. -+## Allow spamd to read/write user home directories. - ##

    - ##
    --gen_tunable(spamd_enable_home_dirs, false) -+gen_tunable(spamd_enable_home_dirs, true) -+ - - type spamd_update_t; - type spamd_update_exec_t; --init_system_domain(spamd_update_t, spamd_update_exec_t) -- --type spamassassin_t; --type spamassassin_exec_t; --typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; --typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; --userdom_user_application_domain(spamassassin_t, spamassassin_exec_t) -- --type spamassassin_home_t; --typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; --typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; --userdom_user_home_content(spamassassin_home_t) -- --type spamassassin_tmp_t; --typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; --typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; --userdom_user_tmp_file(spamassassin_tmp_t) -- --type spamc_t; --type spamc_exec_t; --typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; --typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; --userdom_user_application_domain(spamc_t, spamc_exec_t) -- --type spamc_tmp_t; --typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; --typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; --userdom_user_tmp_file(spamc_tmp_t) -+application_domain(spamd_update_t, spamd_update_exec_t) -+role system_r types spamd_update_t; - - type spamd_t; - type spamd_exec_t; -@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) - type spamd_compiled_t; - files_type(spamd_compiled_t) - --type spamd_etc_t; --files_config_file(spamd_etc_t) -- --type spamd_home_t; --userdom_user_home_content(spamd_home_t) -- - type spamd_initrc_exec_t; - 
init_script_file(spamd_initrc_exec_t) - -@@ -72,87 +39,196 @@ type spamd_log_t; - logging_log_file(spamd_log_t) - - type spamd_spool_t; --files_type(spamd_spool_t) -+files_spool_file(spamd_spool_t) - - type spamd_tmp_t; - files_tmp_file(spamd_tmp_t) - -+# var/lib files - type spamd_var_lib_t; - files_type(spamd_var_lib_t) - - type spamd_var_run_t; - files_pid_file(spamd_var_run_t) - --######################################## -+ifdef(`distro_redhat',` -+ # spamassassin client executable -+ type spamc_t; -+ type spamc_exec_t; -+ application_domain(spamc_t, spamc_exec_t) -+ role system_r types spamc_t; -+ -+ type spamd_etc_t; -+ files_config_file(spamd_etc_t) -+ -+ typealias spamc_exec_t alias spamassassin_exec_t; -+ typealias spamc_t alias spamassassin_t; -+ -+ type spamc_home_t; -+ userdom_user_home_content(spamc_home_t) -+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; -+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; -+ -+ type spamc_tmp_t; -+ files_tmp_file(spamc_tmp_t) -+ typealias spamc_tmp_t alias spamassassin_tmp_t; -+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -+ -+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -+ typealias spamc_t alias pyzor_t; -+ typealias spamc_exec_t alias pyzor_exec_t; -+ typealias spamd_t alias pyzord_t; -+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; -+ typealias spamd_exec_t alias pyzord_exec_t; -+ typealias spamc_tmp_t alias pyzor_tmp_t; -+ typealias 
spamd_log_t alias pyzor_log_t; -+ typealias spamd_log_t alias pyzord_log_t; -+ typealias spamd_var_lib_t alias pyzor_var_lib_t; -+ typealias spamd_etc_t alias pyzor_etc_t; -+ typealias spamc_home_t alias pyzor_home_t; -+ typealias spamc_home_t alias user_pyzor_home_t; -+ typealias spamc_t alias razor_t; -+ typealias spamc_exec_t alias razor_exec_t; -+ typealias spamd_log_t alias razor_log_t; -+ typealias spamd_var_lib_t alias razor_var_lib_t; -+ typealias spamd_etc_t alias razor_etc_t; -+ typealias spamc_home_t alias razor_home_t; -+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -+',` -+ type spamassassin_t; -+ type spamassassin_exec_t; -+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; -+ application_domain(spamassassin_t, spamassassin_exec_t) -+ ubac_constrained(spamassassin_t) -+ -+ type spamassassin_home_t; -+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -+ userdom_user_home_content(spamassassin_home_t) -+ -+ type spamassassin_tmp_t; -+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; -+ files_tmp_file(spamassassin_tmp_t) -+ ubac_constrained(spamassassin_tmp_t) -+ -+ type spamc_t; -+ type spamc_exec_t; -+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; -+ typealias spamc_t alias { 
auditadm_spamc_t secadm_spamc_t }; -+ application_domain(spamc_t, spamc_exec_t) -+ ubac_constrained(spamc_t) -+ -+ type spamc_tmp_t; -+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -+ files_tmp_file(spamc_tmp_t) -+ ubac_constrained(spamc_tmp_t) -+') -+ -+############################## - # --# Standalone local policy -+# Standalone program local policy - # - - allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow spamassassin_t self:fd use; - allow spamassassin_t self:fifo_file rw_fifo_file_perms; -+allow spamassassin_t self:sock_file read_sock_file_perms; -+allow spamassassin_t self:unix_dgram_socket create_socket_perms; -+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; - allow spamassassin_t self:unix_dgram_socket sendto; --allow spamassassin_t self:unix_stream_socket { accept connectto listen }; -+allow spamassassin_t self:unix_stream_socket connectto; -+allow spamassassin_t self:shm create_shm_perms; -+allow spamassassin_t self:sem create_sem_perms; -+allow spamassassin_t self:msgq create_msgq_perms; -+allow spamassassin_t self:msg { send receive }; - - manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) - manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) - manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) - manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) - manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) --userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin") - - manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) - manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) - files_tmp_filetrans(spamassassin_t, 
spamassassin_tmp_t, { file dir }) - -+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+userdom_home_manager(spamassassin_t) -+ - kernel_read_kernel_sysctls(spamassassin_t) - - dev_read_urand(spamassassin_t) - --fs_getattr_all_fs(spamassassin_t) - fs_search_auto_mountpoints(spamassassin_t) -+fs_getattr_all_fs(spamassassin_t) -+ -+# this should probably be removed -+corecmd_list_bin(spamassassin_t) -+corecmd_read_bin_symlinks(spamassassin_t) -+corecmd_read_bin_files(spamassassin_t) -+corecmd_read_bin_pipes(spamassassin_t) -+corecmd_read_bin_sockets(spamassassin_t) - - domain_use_interactive_fds(spamassassin_t) - --files_read_etc_files(spamassassin_t) - files_read_etc_runtime_files(spamassassin_t) - files_list_home(spamassassin_t) --files_read_usr_files(spamassassin_t) - files_dontaudit_search_var(spamassassin_t) - - logging_send_syslog_msg(spamassassin_t) - --miscfiles_read_localization(spamassassin_t) -+# cjp: this could probably be removed -+seutil_read_config(spamassassin_t) - - sysnet_dns_name_resolve(spamassassin_t) - -+# set tunable if you have spamassassin do DNS lookups - tunable_policy(`spamassassin_can_network',` -- allow spamassassin_t self:tcp_socket { accept listen }; -+ allow spamassassin_t self:tcp_socket create_stream_socket_perms; -+ allow spamassassin_t self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled(spamassassin_t) -- corenet_all_recvfrom_netlabel(spamassassin_t) - corenet_tcp_sendrecv_generic_if(spamassassin_t) -+ corenet_udp_sendrecv_generic_if(spamassassin_t) - corenet_tcp_sendrecv_generic_node(spamassassin_t) -+ corenet_udp_sendrecv_generic_node(spamassassin_t) - 
corenet_tcp_sendrecv_all_ports(spamassassin_t) -- -+ corenet_udp_sendrecv_all_ports(spamassassin_t) - corenet_tcp_connect_all_ports(spamassassin_t) - corenet_sendrecv_all_client_packets(spamassassin_t) -+ corenet_udp_bind_generic_node(spamassassin_t) -+ corenet_udp_bind_generic_port(spamassassin_t) -+ corenet_dontaudit_udp_bind_all_ports(spamassassin_t) -+ -+ sysnet_read_config(spamassassin_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(spamassassin_t) -- fs_manage_nfs_files(spamassassin_t) -- fs_manage_nfs_symlinks(spamassassin_t) -+tunable_policy(`spamd_enable_home_dirs',` -+ userdom_manage_user_home_content_dirs(spamd_t) -+ userdom_manage_user_home_content_files(spamd_t) -+ userdom_manage_user_home_content_symlinks(spamd_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(spamassassin_t) -- fs_manage_cifs_files(spamassassin_t) -- fs_manage_cifs_symlinks(spamassassin_t) -+optional_policy(` -+ # Write pid file and socket in ~/.evolution/cache/tmp -+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) - ') - - optional_policy(` -- tunable_policy(`spamassassin_can_network && allow_ypbind',` -+ tunable_policy(`spamassassin_can_network && nis_enabled',` - nis_use_ypbind_uncond(spamassassin_t) - ') - ') -@@ -160,6 +236,8 @@ optional_policy(` - optional_policy(` - mta_read_config(spamassassin_t) - sendmail_stub(spamassassin_t) -+ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) -+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) - ') - - ######################################## -@@ -167,72 +245,85 @@ optional_policy(` - # Client local policy - # - --allow spamc_t self:capability dac_override; - allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow spamc_t self:fd use; - allow spamc_t self:fifo_file rw_fifo_file_perms; -+allow spamc_t self:sock_file read_sock_file_perms; -+allow spamc_t self:shm create_shm_perms; -+allow spamc_t self:sem 
create_sem_perms; -+allow spamc_t self:msgq create_msgq_perms; -+allow spamc_t self:msg { send receive }; -+allow spamc_t self:unix_dgram_socket create_socket_perms; -+allow spamc_t self:unix_stream_socket create_stream_socket_perms; - allow spamc_t self:unix_dgram_socket sendto; --allow spamc_t self:unix_stream_socket { accept connectto listen }; --allow spamc_t self:tcp_socket { accept listen }; -+allow spamc_t self:unix_stream_socket connectto; -+allow spamc_t self:tcp_socket create_stream_socket_perms; -+allow spamc_t self:udp_socket create_socket_perms; -+ -+can_exec(spamc_t, spamc_exec_t) - - manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) - manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) - files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) - --manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) --manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) --manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) --manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) --manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) --userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin") -+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+userdom_append_user_home_content_files(spamc_t) -+# for /root/.pyzor -+allow spamc_t self:capability dac_override; - - list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) - read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) - --stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) -+# Allow connecting to a local spamd -+allow spamc_t spamd_t:unix_stream_socket 
connectto; -+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; -+spamd_stream_connect(spamc_t) -+allow spamc_t spamd_tmp_t:file read_inherited_file_perms; - - kernel_read_kernel_sysctls(spamc_t) - kernel_read_system_state(spamc_t) - --corenet_all_recvfrom_unlabeled(spamc_t) -+corecmd_exec_bin(spamc_t) -+ - corenet_all_recvfrom_netlabel(spamc_t) - corenet_tcp_sendrecv_generic_if(spamc_t) -+corenet_udp_sendrecv_generic_if(spamc_t) - corenet_tcp_sendrecv_generic_node(spamc_t) -+corenet_udp_sendrecv_generic_node(spamc_t) - corenet_tcp_sendrecv_all_ports(spamc_t) -- --corenet_sendrecv_all_client_packets(spamc_t) -+corenet_udp_sendrecv_all_ports(spamc_t) - corenet_tcp_connect_all_ports(spamc_t) -+corenet_sendrecv_all_client_packets(spamc_t) -+corenet_tcp_connect_spamd_port(spamc_t) - --corecmd_exec_bin(spamc_t) -+fs_search_auto_mountpoints(spamc_t) - --domain_use_interactive_fds(spamc_t) -+# cjp: these should probably be removed: -+corecmd_list_bin(spamc_t) -+corecmd_read_bin_symlinks(spamc_t) -+corecmd_read_bin_files(spamc_t) -+corecmd_read_bin_pipes(spamc_t) -+corecmd_read_bin_sockets(spamc_t) - --fs_getattr_all_fs(spamc_t) --fs_search_auto_mountpoints(spamc_t) -+domain_use_interactive_fds(spamc_t) - - files_read_etc_runtime_files(spamc_t) --files_read_usr_files(spamc_t) - files_dontaudit_search_var(spamc_t) -+# cjp: this may be removable: - files_list_home(spamc_t) - files_list_var_lib(spamc_t) - --auth_use_nsswitch(spamc_t) -+fs_search_auto_mountpoints(spamc_t) - - logging_send_syslog_msg(spamc_t) - --miscfiles_read_localization(spamc_t) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(spamc_t) -- fs_manage_nfs_files(spamc_t) -- fs_manage_nfs_symlinks(spamc_t) --') -+auth_use_nsswitch(spamc_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(spamc_t) -- fs_manage_cifs_files(spamc_t) -- fs_manage_cifs_symlinks(spamc_t) --') -+userdom_home_manager(spamc_t) - - optional_policy(` - abrt_stream_connect(spamc_t) -@@ -243,6 +334,7 @@ 
optional_policy(` - ') - - optional_policy(` -+ # Allow connection to spamd socket above - evolution_stream_connect(spamc_t) - ') - -@@ -251,52 +343,55 @@ optional_policy(` - ') - - optional_policy(` -+ postfix_domtrans_postdrop(spamc_t) -+ postfix_search_spool(spamc_t) -+ postfix_rw_local_pipes(spamc_t) -+ postfix_rw_inherited_master_pipes(spamc_t) -+') -+ -+optional_policy(` - mta_send_mail(spamc_t) - mta_read_config(spamc_t) - mta_read_queue(spamc_t) -- sendmail_rw_pipes(spamc_t) - sendmail_stub(spamc_t) --') -- --optional_policy(` -- postfix_domtrans_postdrop(spamc_t) -- postfix_search_spool(spamc_t) -- postfix_rw_local_pipes(spamc_t) -- postfix_rw_master_pipes(spamc_t) -+ sendmail_rw_pipes(spamc_t) -+ sendmail_dontaudit_rw_tcp_sockets(spamc_t) - ') - - ######################################## - # --# Daemon local policy -+# Server local policy - # - -+# Spamassassin, when run as root and using per-user config files, -+# setuids to the user running spamc. Comment this if you are not -+# using this ability. 
-+ - allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; - dontaudit spamd_t self:capability sys_tty_config; - allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow spamd_t self:fd use; - allow spamd_t self:fifo_file rw_fifo_file_perms; -+allow spamd_t self:sock_file read_sock_file_perms; -+allow spamd_t self:shm create_shm_perms; -+allow spamd_t self:sem create_sem_perms; -+allow spamd_t self:msgq create_msgq_perms; -+allow spamd_t self:msg { send receive }; -+allow spamd_t self:unix_dgram_socket create_socket_perms; -+allow spamd_t self:unix_stream_socket create_stream_socket_perms; - allow spamd_t self:unix_dgram_socket sendto; --allow spamd_t self:unix_stream_socket { accept connectto listen }; --allow spamd_t self:tcp_socket { accept listen }; -- --manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) --manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) --manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) --manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) --manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) --userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") -+allow spamd_t self:unix_stream_socket connectto; -+allow spamd_t self:tcp_socket create_stream_socket_perms; -+allow spamd_t self:udp_socket create_socket_perms; - --manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) --manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) --manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) --manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) --manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) --userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") -+# needed by razor -+rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) - -+can_exec(spamd_t, spamd_compiled_t) - 
manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) - manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) - --allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) - logging_log_filetrans(spamd_t, spamd_log_t, file) - - manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) - manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) - files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - --allow spamd_t spamd_var_lib_t:dir list_dir_perms; -+# var/lib files for spamd -+manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - -@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) - --can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) -+read_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+ -+can_exec(spamd_t, spamd_exec_t) - - kernel_read_all_sysctls(spamd_t) - kernel_read_system_state(spamd_t) - --corenet_all_recvfrom_unlabeled(spamd_t) - corenet_all_recvfrom_netlabel(spamd_t) - corenet_tcp_sendrecv_generic_if(spamd_t) - corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) - corenet_tcp_sendrecv_all_ports(spamd_t) - corenet_udp_sendrecv_all_ports(spamd_t) - corenet_tcp_bind_generic_node(spamd_t) --corenet_udp_bind_generic_node(spamd_t) -- --corenet_sendrecv_spamd_server_packets(spamd_t) - corenet_tcp_bind_spamd_port(spamd_t) -- --corenet_sendrecv_razor_client_packets(spamd_t) - corenet_tcp_connect_razor_port(spamd_t) -- --corenet_sendrecv_smtp_client_packets(spamd_t) - 
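Review bot: The log rule is widened from `allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };` to `manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)`, which adds unlink, rename and write, so a compromised spamd can now truncate or remove its own log; unless spamd itself rotates its logs (not visible here), the append-only set should stay. The new comment above the capability rule ("Comment this if you are not using this ability") is also not actionable as written, because the line it points at, `allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };`, bundles five capabilities and commenting it out would also drop kill and dac_override; put `allow spamd_t self:capability { setuid setgid };` on its own line directly under the comment and keep the other three on a separate rule. The server local policy section continues in the following hunks.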
corenet_tcp_connect_smtp_port(spamd_t) -- --corenet_sendrecv_generic_server_packets(spamd_t) -+corenet_sendrecv_razor_client_packets(spamd_t) -+corenet_sendrecv_spamd_server_packets(spamd_t) -+# spamassassin 3.1 needs this for its -+# DnsResolver.pm module which binds to -+# random ports >= 1024. -+corenet_udp_bind_generic_node(spamd_t) - corenet_udp_bind_generic_port(spamd_t) -- --corenet_sendrecv_imaze_server_packets(spamd_t) - corenet_udp_bind_imaze_port(spamd_t) -- - corenet_dontaudit_udp_bind_all_ports(spamd_t) -- --corecmd_exec_bin(spamd_t) -+corenet_sendrecv_imaze_server_packets(spamd_t) -+corenet_sendrecv_generic_server_packets(spamd_t) - - dev_read_sysfs(spamd_t) - dev_read_urand(spamd_t) - --domain_use_interactive_fds(spamd_t) -- --files_read_usr_files(spamd_t) --files_read_etc_runtime_files(spamd_t) -- - fs_getattr_all_fs(spamd_t) - fs_search_auto_mountpoints(spamd_t) - --auth_use_nsswitch(spamd_t) - auth_dontaudit_read_shadow(spamd_t) - -+corecmd_exec_bin(spamd_t) -+ -+domain_use_interactive_fds(spamd_t) -+ -+files_read_etc_runtime_files(spamd_t) -+# /var/lib/spamassin -+files_read_var_lib_files(spamd_t) -+ - init_dontaudit_rw_utmp(spamd_t) - -+auth_use_nsswitch(spamd_t) -+ - libs_use_ld_so(spamd_t) - libs_use_shared_libs(spamd_t) - - logging_send_syslog_msg(spamd_t) - --miscfiles_read_localization(spamd_t) -- --sysnet_use_ldap(spamd_t) -- - userdom_use_unpriv_users_fds(spamd_t) -- --tunable_policy(`spamd_enable_home_dirs',` -- userdom_manage_user_home_content_dirs(spamd_t) -- userdom_manage_user_home_content_files(spamd_t) -- userdom_manage_user_home_content_symlinks(spamd_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(spamd_t) -- fs_manage_nfs_files(spamd_t) -- fs_manage_nfs_symlinks(spamd_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(spamd_t) -- fs_manage_cifs_files(spamd_t) -- fs_manage_cifs_symlinks(spamd_t) --') -+userdom_search_user_home_dirs(spamd_t) -+userdom_home_manager(spamd_t) - - 
optional_policy(` -- amavis_manage_lib_files(spamd_t) -+ antivirus_stream_connect(spamd_t) -+ antivirus_manage_db(spamd_t) - ') - - optional_policy(` -- clamav_stream_connect(spamd_t) -+ exim_manage_spool_dirs(spamd_t) -+ exim_manage_spool_files(spamd_t) - ') - - optional_policy(` -@@ -421,21 +498,13 @@ optional_policy(` - ') - - optional_policy(` -- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) --') -- --optional_policy(` -- exim_manage_spool_dirs(spamd_t) -- exim_manage_spool_files(spamd_t) --') -- --optional_policy(` - milter_manage_spamass_state(spamd_t) - ') - - optional_policy(` -- mysql_stream_connect(spamd_t) - mysql_tcp_connect(spamd_t) -+ mysql_search_db(spamd_t) -+ mysql_stream_connect(spamd_t) - ') - - optional_policy(` -@@ -443,8 +512,8 @@ optional_policy(` - ') - - optional_policy(` -- postgresql_stream_connect(spamd_t) - postgresql_tcp_connect(spamd_t) -+ postgresql_stream_connect(spamd_t) - ') - - optional_policy(` -@@ -455,7 +524,12 @@ optional_policy(` - optional_policy(` - razor_domtrans(spamd_t) - razor_read_lib_files(spamd_t) -- razor_manage_home_content(spamd_t) -+') -+ -+optional_policy(` -+ tunable_policy(`spamd_enable_home_dirs',` -+ razor_manage_user_home_files(spamd_t) -+ ') - ') - - optional_policy(` -@@ -463,9 +537,9 @@ optional_policy(` - ') - - optional_policy(` -+ mta_send_mail(spamd_t) - sendmail_stub(spamd_t) - mta_read_config(spamd_t) -- mta_send_mail(spamd_t) - ') - - optional_policy(` -@@ -474,32 +548,32 @@ optional_policy(` - - ######################################## - # --# Update local policy -+# spamd_update local policy - # - --allow spamd_update_t self:capability dac_override; - allow spamd_update_t self:fifo_file manage_fifo_file_perms; - allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; -+allow spamd_update_t self:capability dac_read_search; -+dontaudit spamd_update_t self:capability dac_override; - - manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) - 
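Review bot: The spamd_enable_home_dirs tunable_policy block that gated home-directory access is deleted and replaced by unconditional `userdom_search_user_home_dirs(spamd_t)` and `userdom_home_manager(spamd_t)`, while a later hunk in this same file still wraps `razor_manage_user_home_files(spamd_t)` in that boolean. Unless userdom_home_manager is itself boolean-gated elsewhere (not visible here), the boolean now controls only razor's files and its description will overstate what switching it off protects. Either keep the two new calls inside the same tunable_policy block, or add a comment on `userdom_home_manager(spamd_t)` stating why home-content management is now always granted to spamd. The enclosing server local policy block extends beyond this hunk.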
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) - files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) - -+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms; - manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) - manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) - manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) - --kernel_read_system_state(spamd_update_t) -+allow spamd_update_t spamc_home_t:dir search_dir_perms; -+allow spamd_update_t spamd_tmp_t:file read_file_perms; - --corenet_all_recvfrom_unlabeled(spamd_update_t) --corenet_all_recvfrom_netlabel(spamd_update_t) --corenet_tcp_sendrecv_generic_if(spamd_update_t) --corenet_tcp_sendrecv_generic_node(spamd_update_t) --corenet_tcp_sendrecv_all_ports(spamd_update_t) -+allow spamd_update_t spamc_home_t:dir search_dir_perms; - --corenet_sendrecv_http_client_packets(spamd_update_t) -+kernel_read_system_state(spamd_update_t) -+ -+# for updating rules - corenet_tcp_connect_http_port(spamd_update_t) --corenet_tcp_sendrecv_http_port(spamd_update_t) - - corecmd_exec_bin(spamd_update_t) - corecmd_exec_shell(spamd_update_t) -@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t) - - domain_use_interactive_fds(spamd_update_t) - --files_read_usr_files(spamd_update_t) - - auth_use_nsswitch(spamd_update_t) - auth_dontaudit_read_shadow(spamd_update_t) - --miscfiles_read_localization(spamd_update_t) -+mta_read_config(spamd_update_t) - --userdom_use_user_terminals(spamd_update_t) -+userdom_search_admin_dir(spamd_update_t) -+userdom_use_inherited_user_ptys(spamd_update_t) - - optional_policy(` - cron_system_entry(spamd_update_t, spamd_update_exec_t) - ') - --# probably want a solution same as httpd_use_gpg since this will --# give spamd_update a path to users gpg keys --# optional_policy(` --# gpg_domtrans(spamd_update_t) --# ') -- - optional_policy(` -- mta_read_config(spamd_update_t) -+ gpg_domtrans(spamd_update_t) -+ 
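Review bot: `allow spamd_update_t spamc_home_t:dir search_dir_perms;` is added twice in this hunk, once above `kernel_read_system_state(spamd_update_t)` and once below it; drop the second copy. `allow spamd_update_t spamd_tmp_t:file read_file_perms;` is likewise already implied by the `manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)` just above it. On the network side the hunk keeps `corenet_tcp_connect_http_port(spamd_update_t)` but removes the generic tcp sendrecv rules and `corenet_tcp_sendrecv_http_port`; if those are not now supplied through an attribute elsewhere, sa-update will be able to connect but not exchange data, so a comment under `# for updating rules` saying where sendrecv comes from would help. The spamd_update local policy continues in the next hunk.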
gpg_manage_home_content(spamd_update_t) - ') -+ -diff --git a/speedtouch.te b/speedtouch.te -index 9025dbd..388ce0a 100644 ---- a/speedtouch.te -+++ b/speedtouch.te -@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t) - - domain_use_interactive_fds(speedmgmt_t) - --files_read_etc_files(speedmgmt_t) --files_read_usr_files(speedmgmt_t) - - fs_getattr_all_fs(speedmgmt_t) - fs_search_auto_mountpoints(speedmgmt_t) - - logging_send_syslog_msg(speedmgmt_t) - --miscfiles_read_localization(speedmgmt_t) -- - userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) - userdom_dontaudit_search_user_home_dirs(speedmgmt_t) - -diff --git a/squid.fc b/squid.fc -index 0a8b0f7..ebbec17 100644 ---- a/squid.fc -+++ b/squid.fc -@@ -1,12 +1,15 @@ --/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -- --/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) -+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - - /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) - -+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) -+ - /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) - - /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) - - /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - -@@ -15,6 +18,7 @@ - - /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) - --/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -+/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - --/var/squidGuard(/.*)? 
gen_context(system_u:object_r:squid_cache_t,s0) -+/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -diff --git a/squid.if b/squid.if -index 5e1f053..e7820bc 100644 ---- a/squid.if -+++ b/squid.if -@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',` - type squid_t; - ') - -- allow $1 squid_t:unix_stream_socket { getattr read write }; -+ allow $1 squid_t:unix_stream_socket rw_socket_perms; - ') - - ######################################## -@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',` - ## Domain to not audit. - ##
    - ## --## - # - interface(`squid_dontaudit_search_cache',` - gen_require(` -@@ -213,9 +212,13 @@ interface(`squid_admin',` - type squid_initrc_exec_t, squid_tmp_t; - ') - -- allow $1 squid_t:process { ptrace signal_perms }; -+ allow $1 squid_t:process signal_perms; - ps_process_pattern($1, squid_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 squid_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 squid_initrc_exec_t system_r; -diff --git a/squid.te b/squid.te -index 221c560..fcf6da0 100644 ---- a/squid.te -+++ b/squid.te -@@ -29,7 +29,7 @@ type squid_cache_t; - files_type(squid_cache_t) - - type squid_conf_t; --files_type(squid_conf_t) -+files_config_file(squid_conf_t) - - type squid_initrc_exec_t; - init_script_file(squid_initrc_exec_t) -@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t) - type squid_log_t; - logging_log_file(squid_log_t) - --type squid_tmp_t; --files_tmp_file(squid_tmp_t) -- - type squid_tmpfs_t; - files_tmpfs_file(squid_tmpfs_t) - -+type squid_tmp_t; -+files_tmp_file(squid_tmp_t) -+ - type squid_var_run_t; - files_pid_file(squid_var_run_t) - -+type squid_cron_t; -+type squid_cron_exec_t; -+init_daemon_domain(squid_cron_t, squid_cron_exec_t) -+application_domain(squid_cron_t, squid_cron_exec_t) -+role system_r types squid_cron_t; -+ - ######################################## - # - # Local policy -@@ -74,19 +80,17 @@ allow squid_t squid_conf_t:file read_file_perms; - allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) --append_files_pattern(squid_t, squid_log_t, squid_log_t) --create_files_pattern(squid_t, squid_log_t, squid_log_t) --setattr_files_pattern(squid_t, squid_log_t, squid_log_t) -+manage_files_pattern(squid_t, squid_log_t, squid_log_t) - manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) - logging_log_filetrans(squid_t, squid_log_t, { file dir }) - 
-+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) -+ - manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) - manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) - files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) - --manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) --fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) -- - manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) - files_pid_filetrans(squid_t, squid_var_run_t, file) - -@@ -96,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t) - kernel_read_system_state(squid_t) - kernel_read_network_state(squid_t) - --corenet_all_recvfrom_unlabeled(squid_t) - corenet_all_recvfrom_netlabel(squid_t) - corenet_tcp_sendrecv_generic_if(squid_t) - corenet_udp_sendrecv_generic_if(squid_t) -@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) - corenet_udp_sendrecv_gopher_port(squid_t) - - corenet_sendrecv_squid_server_packets(squid_t) -+corenet_sendrecv_squid_client_packets(squid_t) - corenet_tcp_bind_squid_port(squid_t) - corenet_udp_bind_squid_port(squid_t) - corenet_tcp_sendrecv_squid_port(squid_t) -@@ -156,7 +160,6 @@ dev_read_urand(squid_t) - domain_use_interactive_fds(squid_t) - - files_read_etc_runtime_files(squid_t) --files_read_usr_files(squid_t) - files_search_spool(squid_t) - files_dontaudit_getattr_tmp_dirs(squid_t) - files_getattr_home_dir(squid_t) -@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t) - logging_send_syslog_msg(squid_t) - - miscfiles_read_generic_certs(squid_t) --miscfiles_read_localization(squid_t) - - userdom_use_unpriv_users_fds(squid_t) - userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',` - optional_policy(` - apache_content_template(squid) - -+ allow httpd_squid_script_t self:tcp_socket create_socket_perms; -+ - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) - corenet_all_recvfrom_netlabel(httpd_squid_script_t) - 
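Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on squid_log_t with `manage_files_pattern(squid_t, squid_log_t, squid_log_t)` lets the proxy unlink, rename and overwrite its own access logs, removing the append-only property that protected log integrity if squid is compromised. If the widening is needed because squid rotates its own logs, say so in a comment, `# squid rotates its own logs (squid -k rotate)`; otherwise keep the narrower three patterns. The same widening is applied to sssd_var_log_t later in this patch.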
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -209,18 +213,18 @@ optional_policy(` - corenet_tcp_connect_http_cache_port(httpd_squid_script_t) - corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) - -- sysnet_dns_name_resolve(httpd_squid_script_t) -+ corenet_tcp_connect_squid_port(httpd_squid_script_t) - -- squid_read_config(httpd_squid_script_t) --') -+ sysnet_dns_name_resolve(httpd_squid_script_t) - --optional_policy(` -- cron_system_entry(squid_t, squid_exec_t) -+ optional_policy(` -+ squid_read_config(httpd_squid_script_t) -+ ') - ') - - optional_policy(` -- kerberos_manage_host_rcache(squid_t) -- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0") -+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") -+ kerberos_manage_host_rcache(squid_t) - ') - - optional_policy(` -@@ -238,3 +242,24 @@ optional_policy(` - optional_policy(` - udev_read_db(squid_t) - ') -+ -+######################################## -+# -+# squid cron Local policy -+# -+manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t) -+manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t) -+manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t) -+files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid") -+ -+read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t) -+ -+read_files_pattern(squid_cron_t, squid_log_t, squid_log_t) -+ -+corecmd_exec_bin(squid_cron_t) -+ -+dev_read_urand(squid_cron_t) -+ -+optional_policy(` -+ cron_system_entry(squid_cron_t, squid_cron_exec_t) -+') -diff --git a/sssd.fc b/sssd.fc -index dbb005a..45291bb 100644 ---- a/sssd.fc -+++ b/sssd.fc -@@ -1,15 +1,17 @@ - /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) - --/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) -+/etc/sssd(/.*)? 
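Review bot: `files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")` makes a directory named "squid" created directly under /var get squid_cache_t, but the file contexts added to squid.fc in this patch cover `/var/lightsquid(/.*)?`, `/var/cache/squid` and `/var/spool/squid`, none of which is /var/squid; a later relabel would therefore give that directory a different label than the transition assigned, or the name should be "lightsquid" to match the new fc entry. Either fix the name or add the matching squid.fc line. The new domain otherwise only reads squid_conf_t and squid_log_t and manages squid_cache_t, with no tmp or log type of its own; a one-line comment saying lightparser writes only into the cache tree would make that deliberate, if it is.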
gen_context(system_u:object_r:sssd_conf_t,s0) - --/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) -+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) - --/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) - --/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) -+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -+ -+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - - /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - --/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) -+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) - --/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -diff --git a/sssd.if b/sssd.if -index a240455..02ad8a9 100644 ---- a/sssd.if -+++ b/sssd.if -@@ -1,21 +1,21 @@ --## System Security Services Daemon. -+## System Security Services Daemon - - ####################################### - ## --## Get attributes of sssd executable files. -+## Allow a domain to getattr on sssd binary. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed to transition. -+## - ## - # - interface(`sssd_getattr_exec',` -- gen_require(` -- type sssd_exec_t; -- ') -+ gen_require(` -+ type sssd_t, sssd_exec_t; -+ ') - -- allow $1 sssd_exec_t:file getattr_file_perms; -+ allow $1 sssd_exec_t:file getattr; - ') - - ######################################## -@@ -33,14 +33,12 @@ interface(`sssd_domtrans',` - type sssd_t, sssd_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, sssd_exec_t, sssd_t) - ') - - ######################################## - ## --## Execute sssd init scripts in --## the initrc domain. -+## Execute sssd server in the sssd domain. 
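Review bot: The rewrite of the pid entry drops the regex escape, `/var/run/sssd\.pid` becoming `/var/run/sssd.pid`, so the dot now matches any character, and the new `/usr/lib/systemd/system/sssd.*` matches every file whose name starts with sssd, not just the unit files. Keep the escaped form `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`, and if only unit files are meant, anchor the systemd pattern, e.g. `/usr/lib/systemd/system/sssd.*\.service -- gen_context(system_u:object_r:sssd_unit_file_t,s0)`. The rest of the hunk is whitespace realignment.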
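Review bot: In `sssd_getattr_exec` the parameter description is changed to "Domain allowed to transition", but the interface only grants `allow $1 sssd_exec_t:file getattr;` and transitions nothing; keep "Domain allowed access." The gen_require now also pulls in `sssd_t`, which the body never uses, so `type sssd_exec_t;` alone suffices. Narrowing `getattr_file_perms` to the bare `getattr` permission is fine, but the deleted summary "Get attributes of sssd executable files." was the more precise one and should be restored.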
- ## - ## - ## -@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',` - init_labeled_script_domtrans($1, sssd_initrc_exec_t) - ') - -+######################################## -+## -+## Execute sssd server in the sssd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`sssd_systemctl',` -+ gen_require(` -+ type sssd_t; -+ type sssd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 sssd_unit_file_t:file read_file_perms; -+ allow $1 sssd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, sssd_t) -+') -+ - ####################################### - ## --## Read sssd configuration content. -+## Read sssd configuration. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`sssd_read_config',` -- gen_require(` -- type sssd_conf_t; -- ') -+ gen_require(` -+ type sssd_conf_t; -+ ') - -- files_search_etc($1) -- list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) -- read_files_pattern($1, sssd_conf_t, sssd_conf_t) -+ files_search_etc($1) -+ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) -+ read_files_pattern($1, sssd_conf_t, sssd_conf_t) - ') - - ###################################### - ## --## Write sssd configuration files. -+## Write sssd configuration. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`sssd_write_config',` -- gen_require(` -- type sssd_conf_t; -- ') -+ gen_require(` -+ type sssd_conf_t; -+ ') - -- files_search_etc($1) -- write_files_pattern($1, sssd_conf_t, sssd_conf_t) -+ files_search_etc($1) -+ write_files_pattern($1, sssd_conf_t, sssd_conf_t) -+') -+ -+##################################### -+## -+## Write sssd configuration. -+## -+## -+## -+## Domain allowed access. 
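Review bot: The summary of `sssd_initrc_domtrans` is changed to "Execute sssd server in the sssd domain.", which describes sssd_domtrans; the interface still calls `init_labeled_script_domtrans($1, sssd_initrc_exec_t)`, so the old text "Execute sssd init scripts in the initrc domain." was correct and should stay. Separately, `sssd_domtrans` loses `corecmd_search_bin($1)`; callers that do not already have search on bin_t will then fail to reach /usr/sbin/sssd unless that access is provided elsewhere, which is not visible here.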
-+## -+## -+# -+interface(`sssd_create_config',` -+ gen_require(` -+ type sssd_conf_t; -+ ') -+ -+ files_search_etc($1) -+ create_files_pattern($1, sssd_conf_t, sssd_conf_t) - ') - - #################################### - ## --## Create, read, write, and delete --## sssd configuration files. -+## Manage sssd configuration. - ## - ## - ## -@@ -107,12 +146,12 @@ interface(`sssd_write_config',` - ## - # - interface(`sssd_manage_config',` -- gen_require(` -- type sssd_conf_t; -- ') -+ gen_require(` -+ type sssd_conf_t; -+ ') - -- files_search_etc($1) -- manage_files_pattern($1, sssd_conf_t, sssd_conf_t) -+ files_search_etc($1) -+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t) - ') - - ######################################## -@@ -131,33 +170,32 @@ interface(`sssd_read_public_files',` - ') - - sssd_search_lib($1) -- allow $1 sssd_public_t:dir list_dir_perms; -+ list_dirs_pattern($1, sssd_public_t, sssd_public_t) - read_files_pattern($1, sssd_public_t, sssd_public_t) - ') - - ####################################### - ## --## Create, read, write, and delete --## sssd public files. -+## Manage sssd public files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`sssd_manage_public_files',` -- gen_require(` -- type sssd_public_t; -- ') -+ gen_require(` -+ type sssd_public_t; -+ ') - -- sssd_search_lib($1) -- manage_files_pattern($1, sssd_public_t, sssd_public_t) -+ sssd_search_lib($1) -+ manage_files_pattern($1, sssd_public_t, sssd_public_t) - ') - - ######################################## - ## --## Read sssd pid files. -+## Read sssd PID files. - ## - ## - ## -@@ -176,8 +214,7 @@ interface(`sssd_read_pid_files',` - - ######################################## - ## --## Create, read, write, and delete --## sssd pid content. -+## Manage sssd var_run files. 
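Review bot: Two of the new interfaces carry copy-pasted summaries: `sssd_systemctl` is documented as "Execute sssd server in the sssd domain." although it grants `systemd_exec_systemctl($1)` plus `manage_service_perms` on sssd_unit_file_t, and `sssd_create_config` is documented as "Write sssd configuration." although it only grants `create_files_pattern`. Suggested text: "Execute systemctl in the caller's domain to start, stop and manage the sssd service." and "Create sssd configuration files." Since sssd_systemctl lets the caller stop the identity service, the summary should make that capability explicit.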
- ## - ## - ## -@@ -216,8 +253,7 @@ interface(`sssd_search_lib',` - - ######################################## - ## --## Do not audit attempts to search --## sssd lib directories. -+## Do not audit attempts to search sssd lib directories. - ## - ## - ## -@@ -235,6 +271,24 @@ interface(`sssd_dontaudit_search_lib',` - - ######################################## - ## -+## Do not audit attempts to read sssd lib files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`sssd_dontaudit_read_lib',` -+ gen_require(` -+ type sssd_var_lib_t; -+ ') -+ -+ dontaudit $1 sssd_var_lib_t:file read_file_perms; -+') -+ -+######################################## -+## - ## Read sssd lib files. - ## - ## -@@ -297,8 +351,7 @@ interface(`sssd_dbus_chat',` - - ######################################## - ## --## Connect to sssd with a unix --## domain stream socket. -+## Connect to sssd over a unix stream socket. - ## - ## - ## -@@ -317,8 +370,27 @@ interface(`sssd_stream_connect',` - - ######################################## - ## --## All of the rules required to --## administrate an sssd environment. -+## Dontaudit attempts to connect to sssd over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_dontaudit_stream_connect',` -+ gen_require(` -+ type sssd_t, sssd_var_lib_t; -+ ') -+ -+ dontaudit $1 sssd_t:unix_stream_socket connectto; -+ dontaudit $1 sssd_var_lib_t:sock_file { read write }; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an sssd environment - ## - ## - ## -@@ -327,7 +399,7 @@ interface(`sssd_stream_connect',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the sssd domain. 
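Review bot: `sssd_dontaudit_stream_connect` documents its parameter as "Domain allowed access." but it grants nothing and only suppresses denials; the refpolicy wording for dontaudit interfaces is "Domain to not audit.", as `sssd_dontaudit_read_lib` earlier in this file uses. The body also dontaudits `sssd_var_lib_t:sock_file { read write }` in addition to the connectto, so the summary could say that both the connect and the socket-file access under /var/lib/sss are silenced.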
- ## - ## - ## -@@ -335,27 +407,29 @@ interface(`sssd_stream_connect',` - interface(`sssd_admin',` - gen_require(` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; -- type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t; -- type sssd_log_t; -+ type sssd_unit_file_t; - ') - -- allow $1 sssd_t:process { ptrace signal_perms }; -+ allow $1 sssd_t:process signal_perms; - ps_process_pattern($1, sssd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sssd_t:process ptrace; -+ ') - -+ # Allow sssd_t to restart the apache service - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -- admin_pattern($1, sssd_conf_t) -+ sssd_manage_pids($1) - -- files_search_var_lib($1) -- admin_pattern($1, { sssd_var_lib_t sssd_public_t }) -+ sssd_manage_lib_files($1) - -- files_search_pids($1) -- admin_pattern($1, sssd_var_run_t) -+ admin_pattern($1, sssd_public_t) -+ -+ sssd_systemctl($1) -+ admin_pattern($1, sssd_unit_file_t) -+ allow $1 sssd_unit_file_t:service all_service_perms; - -- logging_search_logs($1) -- admin_pattern($1, sssd_log_t) - ') -diff --git a/sssd.te b/sssd.te -index 8b537aa..3bce4df 100644 ---- a/sssd.te -+++ b/sssd.te -@@ -1,4 +1,4 @@ --policy_module(sssd, 1.1.4) -+policy_module(sssd, 1.1.0) - - ######################################## - # -@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) - type sssd_var_run_t; - files_pid_file(sssd_var_run_t) - -+type sssd_unit_file_t; -+systemd_unit_file(sssd_unit_file_t) -+ - ######################################## - # --# Local policy -+# sssd local policy - # - - allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend; - allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; - allow sssd_t self:fifo_file rw_fifo_file_perms; - allow sssd_t self:key 
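Review bot: `sssd_admin` no longer covers `sssd_conf_t` or `sssd_log_t`: the `admin_pattern` calls for them, with their `files_search_etc`/`logging_search_logs`, are removed and not replaced by any interface, so an admin role can restart sssd and manage its pid and lib files but can neither edit /etc/sssd nor read /var/log/sssd, which looks unintended for an admin interface. Restore `admin_pattern($1, sssd_conf_t)` and `admin_pattern($1, sssd_log_t)` together with their search calls and gen_require entries. The added comment `# Allow sssd_t to restart the apache service` is a copy-paste from the apache module and should read `# Allow $1 to run the sssd init script`. `allow $1 sssd_unit_file_t:service all_service_perms;` is a superset of the manage_service_perms that `sssd_systemctl($1)` already grants, which is acceptable but worth a word.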
manage_key_perms; --allow sssd_t self:unix_stream_socket { accept connectto listen }; -+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - - read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) - -@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) - manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) - files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) - --append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) --create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) --setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) - logging_log_filetrans(sssd_t, sssd_var_log_t, file) - - manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) - kernel_read_network_state(sssd_t) - kernel_read_system_state(sssd_t) - --corenet_all_recvfrom_unlabeled(sssd_t) --corenet_all_recvfrom_netlabel(sssd_t) --corenet_udp_sendrecv_generic_if(sssd_t) --corenet_udp_sendrecv_generic_node(sssd_t) --corenet_udp_sendrecv_all_ports(sssd_t) --corenet_udp_bind_generic_node(sssd_t) -- --corenet_sendrecv_generic_server_packets(sssd_t) - corenet_udp_bind_generic_port(sssd_t) - corenet_dontaudit_udp_bind_all_ports(sssd_t) -+corenet_tcp_connect_kerberos_password_port(sssd_t) - - corecmd_exec_bin(sssd_t) - -@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t) - domain_obj_id_change_exemption(sssd_t) - - files_list_tmp(sssd_t) --files_read_etc_files(sssd_t) - files_read_etc_runtime_files(sssd_t) --files_read_usr_files(sssd_t) - files_list_var_lib(sssd_t) - - fs_list_inotifyfs(sssd_t) -@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t) - - seutil_read_file_contexts(sssd_t) - # sssd wants to write /etc/selinux//logins/ for SELinux PAM module --# seutil_rw_login_config_dirs(sssd_t) --# seutil_manage_login_config_files(sssd_t) 
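Review bot: `manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` replaces an append/create/setattr set, so the daemon can now delete and truncate its own logs under /var/log/sssd; since sssd handles user credentials, keeping its logs append-only is worth preserving. If sssd needs write rather than append for its own log handling, add a comment naming the operation that required it; otherwise restore `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` on sssd_var_log_t.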
-+seutil_rw_login_config_dirs(sssd_t) -+seutil_manage_login_config_files(sssd_t) - - mls_file_read_to_clearance(sssd_t) - mls_socket_read_to_clearance(sssd_t) - mls_socket_write_to_clearance(sssd_t) - mls_trusted_object(sssd_t) - -+# auth_use_nsswitch(sssd_t) - auth_domtrans_chk_passwd(sssd_t) - auth_domtrans_upd_passwd(sssd_t) - auth_manage_cache(sssd_t) -@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t) - logging_send_audit_msgs(sssd_t) - - miscfiles_read_generic_certs(sssd_t) --miscfiles_read_localization(sssd_t) - - sysnet_dns_name_resolve(sssd_t) - sysnet_use_ldap(sssd_t) - -+userdom_manage_tmp_role(system_r, sssd_t) -+userdom_manage_all_users_keys(sssd_t) -+ - optional_policy(` - dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) - ') - - optional_policy(` -- kerberos_read_config(sssd_t) - kerberos_manage_host_rcache(sssd_t) -- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0") -+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0") -+ kerberos_read_home_content(sssd_t) -+') -+ -+optional_policy(` -+ dirsrv_stream_connect(sssd_t) - ') -+ -+optional_policy(` -+ ldap_stream_connect(sssd_t) -+ ldap_read_certs(sssd_t) -+') -+ -+userdom_home_reader(sssd_t) -+ -diff --git a/stapserver.fc b/stapserver.fc -new file mode 100644 -index 0000000..0ccce59 ---- /dev/null -+++ b/stapserver.fc -@@ -0,0 +1,7 @@ -+/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0) -+ -+/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0) -+ -+/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0) -+ -+/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) -diff --git a/stapserver.if b/stapserver.if -new file mode 100644 -index 0000000..80c6480 ---- /dev/null -+++ b/stapserver.if -@@ -0,0 +1,151 @@ -+ -+## Instrumentation System Server -+ -+######################################## -+## -+## Execute stapserver in the stapserver domain. 
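Review bot: `userdom_manage_all_users_keys(sssd_t)`, `userdom_manage_tmp_role(system_r, sssd_t)`, `kerberos_read_home_content(sssd_t)` and the trailing `userdom_home_reader(sssd_t)` are wide grants over every user's keyrings, tmp files and home content, added without a comment saying which sssd feature needs them. Each deserves a one-line why-comment naming the feature (Kerberos credential-cache handling, if that is the reason for the key and home rules, but that is an inference from the names), and the key rule in particular should be checked for whether read and search would suffice instead of manage. `userdom_home_reader(sssd_t)` is also appended after the optional_policy blocks instead of with the other userdom_ rules; move it up next to them. The commented `# auth_use_nsswitch(sssd_t)` should either be removed or get a note on why it is disabled.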
-+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`stapserver_domtrans',` -+ gen_require(` -+ type stapserver_t, stapserver_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, stapserver_exec_t, stapserver_t) -+') -+######################################## -+## -+## Read stapserver's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`stapserver_read_log',` -+ gen_require(` -+ type stapserver_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, stapserver_log_t, stapserver_log_t) -+') -+ -+######################################## -+## -+## Append to stapserver log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`stapserver_append_log',` -+ gen_require(` -+ type stapserver_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, stapserver_log_t, stapserver_log_t) -+') -+ -+######################################## -+## -+## Manage stapserver log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`stapserver_manage_log',` -+ gen_require(` -+ type stapserver_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t) -+ manage_files_pattern($1, stapserver_log_t, stapserver_log_t) -+ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t) -+') -+######################################## -+## -+## Read stapserver PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`stapserver_read_pid_files',` -+ gen_require(` -+ type stapserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 stapserver_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Manage stapserver lib files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`stapserver_manage_lib',` -+ gen_require(` -+ type stapserver_var_lib_t; -+ ') -+ -+ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t) -+ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an stapserver environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`stapserver_admin',` -+ gen_require(` -+ type stapserver_t; -+ type stapserver_log_t; -+ type stapserver_var_run_t; -+ ') -+ -+ allow $1 stapserver_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, stapserver_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, stapserver_log_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, stapserver_var_run_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/stapserver.te b/stapserver.te -new file mode 100644 -index 0000000..e472397 ---- /dev/null -+++ b/stapserver.te -@@ -0,0 +1,113 @@ -+policy_module(stapserver, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type stapserver_t; -+type stapserver_exec_t; -+init_daemon_domain(stapserver_t, stapserver_exec_t) -+ -+type stapserver_var_lib_t; -+files_type(stapserver_var_lib_t) -+ -+type stapserver_log_t; -+logging_log_file(stapserver_log_t) -+ -+type stapserver_var_run_t; -+files_pid_file(stapserver_var_run_t) -+ -+type stapserver_tmp_t; -+files_tmp_file(stapserver_tmp_t) -+ -+######################################## -+# -+# stapserver local policy -+# -+ -+#runuser -+allow stapserver_t self:capability { setuid setgid }; -+allow stapserver_t self:process setsched; -+ -+allow stapserver_t self:capability { dac_override kill }; -+allow stapserver_t self:process { setrlimit signal }; -+ -+allow stapserver_t self:fifo_file rw_fifo_file_perms; -+allow stapserver_t self:key write; -+allow stapserver_t 
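Review bot: `stapserver_admin` grants `allow $1 stapserver_t:process { ptrace signal_perms };` unconditionally, while the `squid_admin` and `sssd_admin` changes in this same patch move ptrace behind the deny_ptrace boolean; the new interface should follow that pattern so deny_ptrace actually applies. Change the line to `allow $1 stapserver_t:process signal_perms;` and wrap `allow $1 stapserver_t:process ptrace;` in the same deny_ptrace tunable_policy block sssd_admin uses. The summary promises all rules to administrate the environment, yet `stapserver_var_lib_t` gets no admin_pattern and the interface appears to take only the domain parameter, with no role parameter or role_transition like the other *_admin interfaces here; either add them or narrow the summary.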
self:unix_stream_socket create_stream_socket_perms;
-+allow stapserver_t self:tcp_socket { accept listen };
-+
-+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
-+
-+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-+manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-+logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
-+
-+manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
-+manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
-+manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
-+files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
-+
-+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
-+
-+kernel_read_system_state(stapserver_t)
-+kernel_read_kernel_sysctls(stapserver_t)
-+
-+corecmd_exec_bin(stapserver_t)
-+corecmd_exec_shell(stapserver_t)
-+
-+domain_read_all_domains_state(stapserver_t)
-+domain_use_interactive_fds(stapserver_t)
-+
-+dev_read_sysfs(stapserver_t)
-+dev_read_rand(stapserver_t)
-+dev_read_urand(stapserver_t)
-+
-+files_list_tmp(stapserver_t)
-+files_search_kernel_modules(stapserver_t)
-+
-+fs_search_cgroup_dirs(stapserver_t)
-+
-+auth_use_nsswitch(stapserver_t)
-+
-+init_read_utmp(stapserver_t)
-+
-+logging_send_audit_msgs(stapserver_t)
-+logging_send_syslog_msg(stapserver_t)
-+
-+#lspci
-+miscfiles_read_hwdata(stapserver_t)
-+
-+systemd_dbus_chat_logind(stapserver_t)
-+
-+userdom_use_user_terminals(stapserver_t)
-+
-+optional_policy(`
-+ avahi_dbus_chat(stapserver_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(stapserver_t)
-+')
-+
-+optional_policy(`
-+ 
dbus_system_bus_client(stapserver_t) -+') -+ -+optional_policy(` -+ hostname_exec(stapserver_t) -+') -+ -+optional_policy(` -+ plymouthd_exec_plymouth(stapserver_t) -+') -+ -+optional_policy(` -+ rpm_exec(stapserver_t) -+') -+ -diff --git a/stunnel.te b/stunnel.te -index 9992e62..47f1802 100644 ---- a/stunnel.te -+++ b/stunnel.te -@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t) - - corecmd_exec_bin(stunnel_t) - --corenet_all_recvfrom_unlabeled(stunnel_t) - corenet_all_recvfrom_netlabel(stunnel_t) - corenet_tcp_sendrecv_generic_if(stunnel_t) - corenet_tcp_sendrecv_generic_node(stunnel_t) -@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t) - logging_send_syslog_msg(stunnel_t) - - miscfiles_read_generic_certs(stunnel_t) --miscfiles_read_localization(stunnel_t) - - userdom_dontaudit_use_unpriv_user_fds(stunnel_t) - userdom_dontaudit_search_user_home_dirs(stunnel_t) -@@ -105,4 +103,5 @@ optional_policy(` - gen_require(` - type stunnel_port_t; - ') -+ - allow stunnel_t stunnel_port_t:tcp_socket name_bind; -diff --git a/svnserve.fc b/svnserve.fc -index effffd0..12ca090 100644 ---- a/svnserve.fc -+++ b/svnserve.fc -@@ -1,8 +1,13 @@ --/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) -+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) - --/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) -+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) - --/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) -+/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0) -+/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0) - --/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) --/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) -+/var/run/svnserve(/.*)? 
gen_context(system_u:object_r:svnserve_var_run_t,s0) -+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) -+ -+/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) -+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) -+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) -diff --git a/svnserve.if b/svnserve.if -index 2ac91b6..dd2ac36 100644 ---- a/svnserve.if -+++ b/svnserve.if -@@ -1,35 +1,118 @@ --## Server for the svn repository access method. -+ -+## policy for svnserve -+ -+ -+######################################## -+## -+## Transition to svnserve. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`svnserve_domtrans',` -+ gen_require(` -+ type svnserve_t, svnserve_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, svnserve_exec_t, svnserve_t) -+') -+ -+ -+######################################## -+## -+## Execute svnserve server in the svnserve domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`svnserve_initrc_domtrans',` -+ gen_require(` -+ type svnserve_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, svnserve_initrc_exec_t) -+') -+ -+####################################### -+## -+## Execute svnserve server in the svnserve domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`svnserve_systemctl',` -+ gen_require(` -+ type svnserve_t; -+ type svnserve_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 svnserve_unit_file_t:file read_file_perms; -+ allow $1 svnserve_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, svnserve_t) -+') - - ######################################## - ## --## All of the rules required to --## administrate an svnserve environment. -+## Read svnserve PID files. - ## - ## - ## - ## Domain allowed access. 
- ##
- ##
--##
-+#
-+interface(`svnserve_read_pid_files',`
-+ gen_require(`
-+ type svnserve_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 svnserve_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an svnserve environment
-+##
-+##
- ##
--## Role allowed access.
-+## Domain allowed access.
- ##
- ##
--##
- #
- interface(`svnserve_admin',`
- gen_require(`
-- type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
-+ type svnserve_t;
-+ type svnserve_var_run_t;
-+ type svnserve_unit_file_t;
- ')
- 
- allow $1 svnserve_t:process { ptrace signal_perms };
- ps_process_pattern($1, svnserve_t)
- 
-- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 svnserve_initrc_exec_t system_r;
-- allow $2 system_r;
--
- files_search_pids($1)
-- admin_pattern($1, httpd_var_run_t)
-+ admin_pattern($1, svnserve_var_run_t)
-+
-+ svnserve_systemctl($1)
-+ admin_pattern($1, svnserve_unit_file_t)
-+ allow $1 svnserve_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
- ')
-+
-diff --git a/svnserve.te b/svnserve.te
-index c6aaac7..a5600a8 100644
---- a/svnserve.te
-+++ b/svnserve.te
-@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
- type svnserve_initrc_exec_t;
- init_script_file(svnserve_initrc_exec_t)
- 
-+type svnserve_unit_file_t;
-+systemd_unit_file(svnserve_unit_file_t)
-+
- type svnserve_content_t;
- files_type(svnserve_content_t)
- 
- type svnserve_var_run_t;
- files_pid_file(svnserve_var_run_t)
- 
-+type svnserve_tmp_t;
-+files_tmp_file(svnserve_tmp_t)
-+
- ########################################
- #
- # Local policy
-@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
- allow svnserve_t self:tcp_socket create_stream_socket_perms;
- allow svnserve_t self:unix_stream_socket { listen accept 
}; - -+manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) -+manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) -+manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) -+files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir }) -+ - manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) - manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) - -@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) - manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) - files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) - --files_read_etc_files(svnserve_t) --files_read_usr_files(svnserve_t) -- - corenet_all_recvfrom_unlabeled(svnserve_t) - corenet_all_recvfrom_netlabel(svnserve_t) - corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) - - logging_send_syslog_msg(svnserve_t) - --miscfiles_read_localization(svnserve_t) -- - sysnet_dns_name_resolve(svnserve_t) -diff --git a/swift.fc b/swift.fc -new file mode 100644 -index 0000000..744f0ce ---- /dev/null -+++ b/swift.fc -@@ -0,0 +1,29 @@ -+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0) -+ -+/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0) -+ -+/usr/bin/swift-object-auditor -- 
gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) -+/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) -+ -+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) -+ -+/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) -+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) -+ -+# This seems to be a de-facto standard when using swift. -+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) -+ -+# This is specific to RHOS's packstack utility -+ifdef(`distro_redhat', ` -+/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0) -+') -diff --git a/swift.if b/swift.if -new file mode 100644 -index 0000000..df82c36 ---- /dev/null -+++ b/swift.if -@@ -0,0 +1,118 @@ -+ -+## policy for swift -+ -+######################################## -+## -+## Execute TEMPLATE in the swift domin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`swift_domtrans',` -+ gen_require(` -+ type swift_t, swift_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, swift_exec_t, swift_t) -+') -+ -+######################################## -+## -+## Read swift PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`swift_read_pid_files',` -+ gen_require(` -+ type swift_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, swift_var_run_t, swift_var_run_t) -+') -+ -+######################################## -+## -+## Manage swift data files. -+## -+## -+## -+## Domain allowed access. 
-+##
-+##
-+#
-+interface(`swift_manage_data_files',`
-+ gen_require(`
-+ type swift_data_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, swift_data_t, swift_data_t)
-+ manage_dirs_pattern($1, swift_data_t, swift_data_t)
-+')
-+
-+########################################
-+##
-+## Execute swift server in the swift domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`swift_systemctl',`
-+ gen_require(`
-+ type swift_t;
-+ type swift_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 swift_unit_file_t:file read_file_perms;
-+ allow $1 swift_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, swift_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an swift environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`swift_admin',`
-+ gen_require(`
-+ type swift_t;
-+ type swift_var_run_t;
-+ type swift_unit_file_t;
-+ ')
-+
-+ allow $1 swift_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, swift_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, swift_var_run_t)
-+
-+ swift_systemctl($1)
-+ admin_pattern($1, swift_unit_file_t)
-+ allow $1 swift_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/swift.te b/swift.te
-new file mode 100644
-index 0000000..c7b2bf6
---- /dev/null
-+++ b/swift.te
-@@ -0,0 +1,69 @@
-+policy_module(swift, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type swift_t;
-+type swift_exec_t;
-+init_daemon_domain(swift_t, swift_exec_t)
-+
-+type swift_var_cache_t;
-+files_type(swift_var_cache_t)
-+
-+type swift_var_run_t;
-+files_pid_file(swift_var_run_t)
-+
-+type swift_unit_file_t;
-+systemd_unit_file(swift_unit_file_t)
-+
-+type swift_data_t;
-+files_type(swift_data_t)
-+
-+########################################
-+#
-+# 
swift local policy
-+#
-+
-+allow swift_t self:process signal;
-+
-+allow swift_t self:fifo_file rw_fifo_file_perms;
-+allow swift_t self:tcp_socket create_stream_socket_perms;
-+allow swift_t self:unix_stream_socket create_stream_socket_perms;
-+allow swift_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
-+manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
-+manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
-+files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
-+
-+manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
-+manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
-+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
-+files_pid_filetrans(swift_t, swift_var_run_t, { dir })
-+
-+# swift makes use of rsync, so we need to give rsync permissions
-+# to edit swift_data_t files as well as swift_t those permissions
-+manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
-+manage_files_pattern(swift_t, swift_data_t, swift_data_t)
-+
-+kernel_dgram_send(swift_t)
-+kernel_read_system_state(swift_t)
-+kernel_read_network_state(swift_t)
-+
-+corecmd_exec_shell(swift_t)
-+
-+dev_read_urand(swift_t)
-+
-+domain_use_interactive_fds(swift_t)
-+
-+files_dontaudit_search_home(swift_t)
-+
-+auth_use_nsswitch(swift_t)
-+
-+libs_exec_ldconfig(swift_t)
-+
-+logging_send_syslog_msg(swift_t)
-+
-+userdom_dontaudit_search_user_home_dirs(swift_t)
-diff --git a/swift_alias.fc b/swift_alias.fc
-new file mode 100644
-index 0000000..b7db254
---- /dev/null
-+++ b/swift_alias.fc
-@@ -0,0 +1 @@
-+# Empty
-diff --git a/swift_alias.if b/swift_alias.if
-new file mode 100644
-index 0000000..3fed1a3
---- /dev/null
-+++ b/swift_alias.if
-@@ -0,0 +1,2 @@
-+
-+## swift_alias policy module
-diff --git a/swift_alias.te b/swift_alias.te
-new file mode 100644
-index 0000000..6e39c4f
---- /dev/null
-+++ b/swift_alias.te
-@@ -0,0 +1,26 @@
-+policy_module(swift_alias, 1.0.0)
-+
-+#
-+# swift_alias.pp policy replaces swift.pp policy
-+# which is a part of openstack-selinux.rpm package
-+#
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+#call stub interfaces for basic types
-+init_stub_initrc()
-+corecmd_stub_bin()
-+files_stub_var_run()
-+files_stub_var()
-+systemd_stub_unit_file()
-+
-+typealias initrc_t alias swift_t;
-+typealias bin_t alias swift_exec_t;
-+typealias var_run_t alias swift_var_run_t;
-+typealias systemd_unit_file_t alias swift_unit_file_t;
-+typealias var_t alias swift_data_t;
-+
-+
-diff --git a/sxid.te b/sxid.te
-index c9824cb..1973f71 100644
---- a/sxid.te
-+++ b/sxid.te
-@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
- corecmd_exec_bin(sxid_t)
- corecmd_exec_shell(sxid_t)
- 
--corenet_all_recvfrom_unlabeled(sxid_t)
- corenet_all_recvfrom_netlabel(sxid_t)
- corenet_tcp_sendrecv_generic_if(sxid_t)
- corenet_udp_sendrecv_generic_if(sxid_t)
-@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
- 
- term_dontaudit_use_console(sxid_t)
- 
--files_read_non_auth_files(sxid_t)
-+files_read_non_security_files(sxid_t)
- auth_dontaudit_getattr_shadow(sxid_t)
- 
- init_use_fds(sxid_t)
-@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t)
- 
- logging_send_syslog_msg(sxid_t)
- 
--miscfiles_read_localization(sxid_t)
--
- sysnet_read_config(sxid_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(sxid_t)
-diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..c81d332 100644
---- a/sysstat.te
-+++ b/sysstat.te
-@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
- allow sysstat_t self:fifo_file rw_fifo_file_perms;
- 
- manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
--append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
--create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
--setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
- 
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) - logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) - -@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t) - kernel_read_fs_sysctls(sysstat_t) - kernel_read_rpc_sysctls(sysstat_t) - -+corecmd_exec_shell(sysstat_t) - corecmd_exec_bin(sysstat_t) - - dev_read_sysfs(sysstat_t) -@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t) - files_search_var(sysstat_t) - files_read_etc_runtime_files(sysstat_t) - --fs_getattr_xattr_fs(sysstat_t) -+fs_getattr_all_fs(sysstat_t) - fs_list_inotifyfs(sysstat_t) - -+storage_getattr_fixed_disk_dev(sysstat_t) -+ - term_use_console(sysstat_t) --term_use_all_terms(sysstat_t) -+term_use_all_inherited_terms(sysstat_t) - - auth_use_nsswitch(sysstat_t) - -@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t) - - logging_send_syslog_msg(sysstat_t) - --miscfiles_read_localization(sysstat_t) -- - userdom_dontaudit_list_user_home_dirs(sysstat_t) - - optional_policy(` - cron_system_entry(sysstat_t, sysstat_exec_t) - ') -+ -diff --git a/systemtap.fc b/systemtap.fc -deleted file mode 100644 -index 1710cbb..0000000 ---- a/systemtap.fc -+++ /dev/null -@@ -1,11 +0,0 @@ --/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0) -- --/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0) -- --/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0) -- --/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0) -- --/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0) -- --/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) -diff --git a/systemtap.if b/systemtap.if -deleted file mode 100644 -index c755e2d..0000000 ---- a/systemtap.if -+++ /dev/null -@@ -1,45 +0,0 @@ --## instrumentation system for Linux. -- --######################################## --## --## All of the rules required to --## administrate an stapserver environment. 
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
--##
--##
--##
--#
--interface(`stapserver_admin',`
-- gen_require(`
-- type stapserver_t, stapserver_conf_t, stapserver_log_t;
-- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
-- ')
--
-- allow $1 stapserver_t:process { ptrace signal_perms };
-- ps_process_pattern($1, stapserver_t)
--
-- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 stapserver_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_etc($1)
-- admin_pattern($1, stapserver_conf_t)
--
-- files_search_var_lib($1)
-- admin_pattern($1, stapserver_var_lib_t)
--
-- logging_search_logs($1)
-- admin_pattern($1, stapserver_log_t)
--
-- files_search_pids($1)
-- admin_pattern($1, stapserver_var_run_t)
--')
-diff --git a/systemtap.te b/systemtap.te
-deleted file mode 100644
-index 6c06a84..0000000
---- a/systemtap.te
-+++ /dev/null
-@@ -1,101 +0,0 @@
--policy_module(systemtap, 1.0.2)
--
--########################################
--#
--# Declarations
--#
--
--type stapserver_t;
--type stapserver_exec_t;
--init_daemon_domain(stapserver_t, stapserver_exec_t)
--
--type stapserver_initrc_exec_t;
--init_script_file(stapserver_initrc_exec_t)
--
--type stapserver_conf_t;
--files_config_file(stapserver_conf_t)
--
--type stapserver_var_lib_t;
--files_type(stapserver_var_lib_t)
--
--type stapserver_log_t;
--logging_log_file(stapserver_log_t)
--
--type stapserver_var_run_t;
--files_pid_file(stapserver_var_run_t)
--
--########################################
--#
--# Local policy
--#
--
--allow stapserver_t self:capability { dac_override kill setuid setgid };
--allow stapserver_t self:process { setrlimit setsched signal };
--allow stapserver_t self:fifo_file rw_fifo_file_perms;
--allow stapserver_t self:key write;
--allow stapserver_t self:unix_stream_socket { accept listen };
--allow stapserver_t self:tcp_socket 
create_stream_socket_perms;
--
--allow stapserver_t stapserver_conf_t:file read_file_perms;
--
--manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
--manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
--files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
--
--manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
--
--manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
--manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
--files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
--
--kernel_read_kernel_sysctls(stapserver_t)
--kernel_read_system_state(stapserver_t)
--
--corecmd_exec_bin(stapserver_t)
--corecmd_exec_shell(stapserver_t)
--
--domain_read_all_domains_state(stapserver_t)
--
--dev_read_rand(stapserver_t)
--dev_read_sysfs(stapserver_t)
--dev_read_urand(stapserver_t)
--
--files_list_tmp(stapserver_t)
--files_read_usr_files(stapserver_t)
--files_search_kernel_modules(stapserver_t)
--
--auth_use_nsswitch(stapserver_t)
--
--init_read_utmp(stapserver_t)
--
--logging_send_audit_msgs(stapserver_t)
--logging_send_syslog_msg(stapserver_t)
--
--miscfiles_read_localization(stapserver_t)
--miscfiles_read_hwdata(stapserver_t)
--
--userdom_use_user_terminals(stapserver_t)
--
--optional_policy(`
-- consoletype_exec(stapserver_t)
--')
--
--optional_policy(`
-- dbus_system_bus_client(stapserver_t)
--')
--
--optional_policy(`
-- hostname_exec(stapserver_t)
--')
--
--optional_policy(`
-- plymouthd_exec_plymouth(stapserver_t)
--')
--
--optional_policy(`
-- rpm_exec(stapserver_t)
--')
-diff --git a/tcpd.te b/tcpd.te
-index f388db3..1e1a075 100644
---- a/tcpd.te 
-+++ b/tcpd.te -@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) - manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) - files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) - --corenet_all_recvfrom_unlabeled(tcpd_t) - corenet_all_recvfrom_netlabel(tcpd_t) - corenet_tcp_sendrecv_generic_if(tcpd_t) - corenet_tcp_sendrecv_generic_node(tcpd_t) -@@ -31,15 +30,12 @@ corenet_tcp_sendrecv_all_ports(tcpd_t) - - fs_getattr_xattr_fs(tcpd_t) - --corecmd_search_bin(tcpd_t) -+corecmd_exec_bin(tcpd_t) - --files_read_etc_files(tcpd_t) - files_dontaudit_search_var(tcpd_t) - - logging_send_syslog_msg(tcpd_t) - --miscfiles_read_localization(tcpd_t) -- - sysnet_read_config(tcpd_t) - - inetd_domtrans_child(tcpd_t) -diff --git a/tcsd.if b/tcsd.if -index b42ec1d..91b8f71 100644 ---- a/tcsd.if -+++ b/tcsd.if -@@ -138,8 +138,11 @@ interface(`tcsd_admin',` - type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; - ') - -- allow $1 tcsd_t:process { ptrace signal_perms }; -+ allow $1 tcsd_t:process signal_perms; - ps_process_pattern($1, tcsd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tcsd_t:process ptrace; -+ ') - - tcsd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff --git a/tcsd.te b/tcsd.te -index ac8213a..14da480 100644 ---- a/tcsd.te -+++ b/tcsd.te -@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) - dev_read_urand(tcsd_t) - dev_rw_tpm(tcsd_t) - --files_read_usr_files(tcsd_t) -- - auth_use_nsswitch(tcsd_t) - --logging_send_syslog_msg(tcsd_t) -+init_read_utmp(tcsd_t) - --miscfiles_read_localization(tcsd_t) -+logging_send_syslog_msg(tcsd_t) -diff --git a/telepathy.fc b/telepathy.fc -index c7de0cf..03fc880 100644 ---- a/telepathy.fc -+++ b/telepathy.fc -@@ -1,34 +1,23 @@ --HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) -+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) - HOME_DIR/\.cache/telepathy(/.*)? 
gen_context(system_u:object_r:telepathy_cache_home_t, s0) - HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) --HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) --HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) --HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0) -+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) - HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) --HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0) --HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0) --HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) -+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0) -+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) -+HOME_DIR/\.local/share/TpLogger(/.*)? 
gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) - --/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) --/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) --/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) --/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) --/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0) --/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) --/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0) --/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) --/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) --/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0) --/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0) -- --/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) --/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) --/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) --/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) --/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0) --/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) --/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) --/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) --/usr/libexec/telepathy-rakia -- 
gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) --/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0) --/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0) -+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) -+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) -+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) -+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) -+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) -+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) -+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) -+/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) -+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) -+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) -diff --git a/telepathy.if b/telepathy.if -index 42946bc..9f70e4c 100644 ---- a/telepathy.if -+++ b/telepathy.if -@@ -2,45 +2,39 @@ - - ####################################### - ## --## The template to define a telepathy domain. -+## Creates basic types for telepathy -+## domain - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix for the domain. 
- ##
- ##
- #
- template(`telepathy_domain_template',`
- gen_require(`
-- attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
-+ attribute telepathy_domain;
-+ attribute telepathy_executable;
- ')
- 
- type telepathy_$1_t, telepathy_domain;
- type telepathy_$1_exec_t, telepathy_executable;
-- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
-+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
-+ ubac_constrained(telepathy_$1_t)
- 
-- type telepathy_$1_tmp_t, telepathy_tmp_content;
-+ type telepathy_$1_tmp_t;
- userdom_user_tmp_file(telepathy_$1_tmp_t)
- 
-+ kernel_read_system_state(telepathy_$1_t)
-+
- auth_use_nsswitch(telepathy_$1_t)
- ')
- 
- #######################################
- ##
--## The role template for the telepathy module.
-+## Role access for telepathy domains
-+## that executes via dbus-session
- ##
--##
--##

    --## This template creates a derived domains which are used --## for window manager applications. --##

    --##
--##
--##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--##
--##
- ##
- ##
- ## The role associated with the user domain.
-@@ -51,10 +45,15 @@ template(`telepathy_domain_template',`
- ## The type of the user domain.
- ##
- ##
-+##
-+##
-+## User domain prefix to be used.
-+##
-+##
- #
--template(`telepathy_role_template',`
-+template(`telepathy_role',`
- gen_require(`
-- attribute telepathy_domain, telepathy_tmp_content;
-+ attribute telepathy_domain;
- type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
- type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
- type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
-@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
- type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
- type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
- type telepathy_msn_exec_t;
--
-- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
-- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
-- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
- ')
- 
-- role $2 types telepathy_domain;
--
-- allow $3 telepathy_domain:process { ptrace signal_perms };
-- ps_process_pattern($3, telepathy_domain)
-+ role $1 types telepathy_domain;
- 
-- telepathy_gabble_stream_connect($3)
-- telepathy_msn_stream_connect($3)
-- telepathy_salut_stream_connect($3)
-+ allow $2 telepathy_domain:process signal_perms;
-+ ps_process_pattern($2, telepathy_domain)
- 
-- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
-- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
-- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
-- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
-- dbus_spec_session_domain($1, 
telepathy_mission_control_exec_t, telepathy_mission_control_t) -- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t) -- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) -- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) -- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) -+ telepathy_gabble_stream_connect($2) -+ telepathy_msn_stream_connect($2) -+ telepathy_salut_stream_connect($2) - -- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; -+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) -+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) -+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) -+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t) -+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) -+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) -+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) -+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) -+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) - -- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $3 { telepathy_mission_control_data_home_t 
telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; -- -- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") -- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") -- -- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") -- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") -- -- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") -- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") -- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") -- -- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") -- -- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") -- # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy") -- -- allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms }; -- allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms }; -- allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ telepathy_dbus_chat($2) - ') - - ######################################## - ## --## Connect to gabble with a unix --## domain stream socket. -+## Stream connect to Telepathy Gabble - ## - ## --## -+## - ## Domain allowed access. - ## - ## - # --interface(`telepathy_gabble_stream_connect',` -+interface(`telepathy_gabble_stream_connect', ` - gen_require(` - type telepathy_gabble_t, telepathy_gabble_tmp_t; - ') - -- files_search_tmp($1) - stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) -+ files_search_tmp($1) - ') - - ######################################## - ## --## Send dbus messages to and from --## gabble. -+## Allow Telepathy Gabble to stream connect to a domain. 
- ## - ## --## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_gabble_stream_connect_to', ` -+ gen_require(` -+ type telepathy_gabble_t; -+ ') -+ -+ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1) -+') -+ -+######################################## -+## -+## Send DBus messages to and from -+## Telepathy Gabble. -+## -+## -+## - ## Domain allowed access. - ## - ## - # --interface(`telepathy_gabble_dbus_chat',` -+interface(`telepathy_gabble_dbus_chat', ` - gen_require(` - type telepathy_gabble_t; - class dbus send_msg; -@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` - - ######################################## - ## --## Read mission control process state files. -+## Read telepathy mission control state. - ## - ## --## -+## - ## Domain allowed access. - ## - ## -@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` - ') - - kernel_search_proc($1) -- allow $1 telepathy_mission_control_t:dir list_dir_perms; -- allow $1 telepathy_mission_control_t:file read_file_perms; -- allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms; -+ ps_process_pattern($1, telepathy_mission_control_t) - ') - - ####################################### - ## --## Connect to msn with a unix --## domain stream socket. -+## Stream connect to telepathy MSN managers - ## - ## - ## -@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',` - ## - ## - # --interface(`telepathy_msn_stream_connect',` -+interface(`telepathy_msn_stream_connect', ` - gen_require(` - type telepathy_msn_t, telepathy_msn_tmp_t; - ') - -- files_search_tmp($1) - stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) -+ files_search_tmp($1) - ') - - ######################################## - ## --## Connect to salut with a unix --## domain stream socket. 
-+## Stream connect to Telepathy Salut - ## - ## - ## -@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',` - ## - ## - # --interface(`telepathy_salut_stream_connect',` -+interface(`telepathy_salut_stream_connect', ` - gen_require(` - type telepathy_salut_t, telepathy_salut_tmp_t; - ') - -- files_search_tmp($1) - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) -+ files_search_tmp($1) -+') -+ -+####################################### -+## -+## Send DBus messages to and from -+## all Telepathy domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_dbus_chat',` -+ gen_require(` -+ attribute telepathy_domain; -+ class dbus send_msg; -+ ') -+ -+ allow $1 telepathy_domain:dbus send_msg; -+ allow telepathy_domain $1:dbus send_msg; -+') -+ -+###################################### -+## -+## Execute telepathy executable -+## in the specified domain. -+## -+## -+##

    -+## Execute a telepathy executable -+## in the specified domain. This allows -+## the specified domain to execute any file -+## on these filesystems in the specified -+## domain. -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
    -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`telepathy_command_domtrans', ` -+ gen_require(` -+ attribute telepathy_executable; -+ ') -+ -+ allow $2 telepathy_executable:file entrypoint; -+ domain_transition_pattern($1, telepathy_executable, $2) -+ type_transition $1 telepathy_executable:process $2; -+ -+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t -+ optional_policy(` -+ telepathy_dbus_chat($1) -+ telepathy_dbus_chat($2) -+ ') -+') -+ -+######################################## -+## -+## Create telepathy content in the user home directory -+## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_filetrans_home_content',` -+ gen_require(` -+ type telepathy_mission_control_cache_home_t; -+ type telepathy_mission_control_home_t; -+ type telepathy_logger_cache_home_t; -+ type telepathy_gabble_cache_home_t; -+ type telepathy_sunshine_home_t; -+ type telepathy_logger_data_home_t; -+ type telepathy_cache_home_t, telepathy_data_home_t; -+ type telepathy_mission_control_data_home_t; -+ ') -+ -+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") -+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal") -+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") -+ -+ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") -+ -+ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control") -+ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") -+ -+ optional_policy(` -+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections") -+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") -+ gnome_cache_filetrans($1, 
telepathy_gabble_cache_home_t, dir, "wocky") -+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy") -+ -+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger") -+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") -+ ') -+') -+ -+###################################### -+## -+## Execute telepathy in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telepathy_exec',` -+ gen_require(` -+ attribute telepathy_executable; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, telepathy_executable) - ') -diff --git a/telepathy.te b/telepathy.te -index e9c0964..5a41683 100644 ---- a/telepathy.te -+++ b/telepathy.te -@@ -1,29 +1,28 @@ --policy_module(telepathy, 1.3.5) -+policy_module(telepathy, 1.3.0) - - ######################################## - # --# Declarations -+# Declarations. - # - - ## --##

    --## Determine whether telepathy connection --## managers can connect to generic tcp ports. --##

    -+##

    -+## Allow the Telepathy connection managers -+## to connect to any generic TCP port. -+##

    - ##
    - gen_tunable(telepathy_tcp_connect_generic_network_ports, false) - - ## --##

    --## Determine whether telepathy connection --## managers can connect to any port. --##

    -+##

    -+## Allow the Telepathy connection managers -+## to connect to any network port. -+##

    - ##
    - gen_tunable(telepathy_connect_all_ports, false) - - attribute telepathy_domain; - attribute telepathy_executable; --attribute telepathy_tmp_content; - - telepathy_domain_template(gabble) - -@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t) - - ####################################### - # --# Gabble local policy -+# Telepathy Gabble local policy. - # - --allow telepathy_gabble_t self:tcp_socket { accept listen }; -+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms; - allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; - --# ~/.cache/telepathy/gabble/caps-cache.db-journal --manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) --manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) --filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") --# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky") -- - manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) - manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) - files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) - --corenet_all_recvfrom_unlabeled(telepathy_gabble_t) -+# ~/.cache/telepathy/gabble/caps-cache.db-journal -+optional_policy(` -+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir) -+ # ~/.cache/wocky -+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir) -+') -+ - corenet_all_recvfrom_netlabel(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) - 
corenet_tcp_sendrecv_generic_node(telepathy_gabble_t) -- --corenet_sendrecv_http_client_packets(telepathy_gabble_t) - corenet_tcp_connect_http_port(telepathy_gabble_t) --corenet_tcp_sendrecv_http_port(telepathy_gabble_t) -- --corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) - corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) --corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t) -- --corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) - corenet_tcp_connect_vnc_port(telepathy_gabble_t) --corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t) -+corenet_sendrecv_http_client_packets(telepathy_gabble_t) -+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) -+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) - - dev_read_rand(telepathy_gabble_t) - - files_read_config_files(telepathy_gabble_t) --files_read_usr_files(telepathy_gabble_t) -+ -+fs_getattr_all_fs(telepathy_gabble_t) - - miscfiles_read_all_certs(telepathy_gabble_t) - - tunable_policy(`telepathy_connect_all_ports',` -- corenet_sendrecv_all_client_packets(telepathy_gabble_t) - corenet_tcp_connect_all_ports(telepathy_gabble_t) - corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) -+ corenet_udp_sendrecv_all_ports(telepathy_gabble_t) - ') - - tunable_policy(`telepathy_tcp_connect_generic_network_ports',` -- corenet_sendrecv_generic_client_packets(telepathy_gabble_t) - corenet_tcp_connect_generic_port(telepathy_gabble_t) -- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) -+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_gabble_t) -- fs_manage_nfs_files(telepathy_gabble_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(telepathy_gabble_t) -- fs_manage_cifs_files(telepathy_gabble_t) --') -+userdom_home_manager(telepathy_gabble_t) - - optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) - ') - --# optional_policy(` -- # 
~/.config/dconf/user -- # gnome_manage_generic_home_content(telepathy_gabble_t) --# ') -+optional_policy(` -+ gnome_manage_home_config(telepathy_gabble_t) -+') - - ####################################### - # --# Idle local policy -+# Telepathy Idle local policy. - # - - corenet_all_recvfrom_netlabel(telepathy_idle_t) --corenet_all_recvfrom_unlabeled(telepathy_idle_t) - corenet_tcp_sendrecv_generic_if(telepathy_idle_t) - corenet_tcp_sendrecv_generic_node(telepathy_idle_t) -- --corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t) - corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) --corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t) -- --corenet_sendrecv_ircd_client_packets(telepathy_idle_t) - corenet_tcp_connect_ircd_port(telepathy_idle_t) --corenet_tcp_sendrecv_ircd_port(telepathy_idle_t) -+corenet_sendrecv_ircd_client_packets(telepathy_idle_t) - - dev_read_rand(telepathy_idle_t) - --files_read_usr_files(telepathy_idle_t) -- - tunable_policy(`telepathy_connect_all_ports',` -- corenet_sendrecv_all_client_packets(telepathy_idle_t) - corenet_tcp_connect_all_ports(telepathy_idle_t) - corenet_tcp_sendrecv_all_ports(telepathy_idle_t) -+ corenet_udp_sendrecv_all_ports(telepathy_idle_t) - ') - - tunable_policy(`telepathy_tcp_connect_generic_network_ports',` -- corenet_sendrecv_generic_client_packets(telepathy_idle_t) - corenet_tcp_connect_generic_port(telepathy_idle_t) -- corenet_tcp_sendrecv_generic_port(telepathy_idle_t) -+ corenet_sendrecv_generic_client_packets(telepathy_idle_t) - ') - - ####################################### - # --# Logger local policy -+# Telepathy Logger local policy. 
- # - - allow telepathy_logger_t self:unix_stream_socket create_socket_perms; - - manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) - manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) --filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") -+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir) - - manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) - manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) --# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger") - --files_read_usr_files(telepathy_logger_t) -+optional_policy(` -+ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) -+') -+ - files_search_pids(telepathy_logger_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_logger_t) -- fs_manage_nfs_files(telepathy_logger_t) --') -+fs_getattr_all_fs(telepathy_logger_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(telepathy_logger_t) -- fs_manage_cifs_files(telepathy_logger_t) --') -+userdom_home_manager(telepathy_logger_t) - --# optional_policy(` -+optional_policy(` - # ~/.config/dconf/user -- # gnome_manage_generic_home_content(telepathy_logger_t) --# ') -+ gnome_manage_home_config(telepathy_logger_t) -+') - - ####################################### - # --# Mission-Control local policy -+# Telepathy Mission-Control local policy. 
- # -- - allow telepathy_mission_control_t self:process setsched; - - manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) - manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) --userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") -+userdom_search_user_home_dirs(telepathy_mission_control_t) - --manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ -+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) - manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) --filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") -+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) - --manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) --# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") -+optional_policy(` -+ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) -+ gnome_manage_home_config(telepathy_mission_control_t) -+') - - dev_read_rand(telepathy_mission_control_t) - --files_list_tmp(telepathy_mission_control_t) --files_read_usr_files(telepathy_mission_control_t) 
-+fs_getattr_all_fs(telepathy_mission_control_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(telepathy_mission_control_t) -- fs_manage_nfs_files(telepathy_mission_control_t) --') -+files_list_tmp(telepathy_mission_control_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(telepathy_mission_control_t) -- fs_manage_cifs_files(telepathy_mission_control_t) --') -+userdom_home_manager(telepathy_mission_control_t) - - optional_policy(` - dbus_system_bus_client(telepathy_mission_control_t) -@@ -245,59 +215,51 @@ optional_policy(` - devicekit_dbus_chat_power(telepathy_mission_control_t) - ') - optional_policy(` -- gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t) -+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) - ') - optional_policy(` - networkmanager_dbus_chat(telepathy_mission_control_t) - ') - ') - --# optional_policy(` -- # ~/.config/dconf/user -- # gnome_manage_generic_home_content(telepathy_mission_control_t) --# ') -+# ~/.cache/.mc_connections. -+optional_policy(` -+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) -+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) -+') - - ####################################### - # --# Butterfly and Haze local policy -+# Telepathy Butterfly and Haze local policy. 
- # - - allow telepathy_msn_t self:process setsched; -+allow telepathy_msn_t self:unix_dgram_socket { write create connect }; - - manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) - manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) - manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) - files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -- - userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) -- -+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) - can_exec(telepathy_msn_t, telepathy_msn_tmp_t) - - corenet_all_recvfrom_netlabel(telepathy_msn_t) --corenet_all_recvfrom_unlabeled(telepathy_msn_t) - corenet_tcp_sendrecv_generic_if(telepathy_msn_t) - corenet_tcp_sendrecv_generic_node(telepathy_msn_t) -- --corenet_sendrecv_http_client_packets(telepathy_msn_t) -+corenet_tcp_bind_generic_node(telepathy_msn_t) - corenet_tcp_connect_http_port(telepathy_msn_t) --corenet_tcp_sendrecv_http_port(telepathy_msn_t) -- --corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) - corenet_tcp_connect_mmcc_port(telepathy_msn_t) --corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t) -- --corenet_sendrecv_msnp_client_packets(telepathy_msn_t) - corenet_tcp_connect_msnp_port(telepathy_msn_t) --corenet_tcp_sendrecv_msnp_port(telepathy_msn_t) -- --corenet_sendrecv_sip_client_packets(telepathy_msn_t) - corenet_tcp_connect_sip_port(telepathy_msn_t) --corenet_tcp_sendrecv_sip_port(telepathy_msn_t) -+corenet_sendrecv_http_client_packets(telepathy_msn_t) -+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) -+corenet_sendrecv_msnp_client_packets(telepathy_msn_t) - - corecmd_exec_bin(telepathy_msn_t) - corecmd_exec_shell(telepathy_msn_t) -- --files_read_usr_files(telepathy_msn_t) -+corecmd_read_bin_symlinks(telepathy_msn_t) - - init_read_state(telepathy_msn_t) - -@@ 
-307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t) - - miscfiles_read_all_certs(telepathy_msn_t) - --# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) -- - tunable_policy(`telepathy_connect_all_ports',` -- corenet_sendrecv_all_client_packets(telepathy_msn_t) - corenet_tcp_connect_all_ports(telepathy_msn_t) - corenet_tcp_sendrecv_all_ports(telepathy_msn_t) -+ corenet_udp_sendrecv_all_ports(telepathy_msn_t) - ') - - tunable_policy(`telepathy_tcp_connect_generic_network_ports',` -- corenet_sendrecv_generic_client_packets(telepathy_msn_t) - corenet_tcp_connect_generic_port(telepathy_msn_t) -- corenet_tcp_sendrecv_generic_port(telepathy_msn_t) -+ corenet_sendrecv_generic_client_packets(telepathy_msn_t) -+') -+ -+optional_policy(` -+ gnome_read_gconf_home_files(telepathy_msn_t) - ') - - optional_policy(` -@@ -329,43 +292,33 @@ optional_policy(` - ') - ') - --# optional_policy(` -- # ~/.config/dconf/user -- # gnome_manage_generic_home_content(telepathy_msn_t) --# ') -- - ####################################### - # --# Salut local policy -+# Telepathy Salut local policy. 
- # - --allow telepathy_salut_t self:tcp_socket { accept listen }; -+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms; - - manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) - files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) - - corenet_all_recvfrom_netlabel(telepathy_salut_t) --corenet_all_recvfrom_unlabeled(telepathy_salut_t) - corenet_tcp_sendrecv_generic_if(telepathy_salut_t) - corenet_tcp_sendrecv_generic_node(telepathy_salut_t) - corenet_tcp_bind_generic_node(telepathy_salut_t) -- --corenet_sendrecv_presence_server_packets(telepathy_salut_t) - corenet_tcp_bind_presence_port(telepathy_salut_t) --corenet_sendrecv_presence_client_packets(telepathy_salut_t) - corenet_tcp_connect_presence_port(telepathy_salut_t) --corenet_tcp_sendrecv_presence_port(telepathy_salut_t) -+corenet_sendrecv_presence_server_packets(telepathy_salut_t) - - tunable_policy(`telepathy_connect_all_ports',` -- corenet_sendrecv_all_client_packets(telepathy_salut_t) - corenet_tcp_connect_all_ports(telepathy_salut_t) - corenet_tcp_sendrecv_all_ports(telepathy_salut_t) -+ corenet_udp_sendrecv_all_ports(telepathy_salut_t) - ') - - tunable_policy(`telepathy_tcp_connect_generic_network_ports',` -- corenet_sendrecv_generic_client_packets(telepathy_salut_t) - corenet_tcp_connect_generic_port(telepathy_salut_t) -- corenet_tcp_sendrecv_generic_port(telepathy_salut_t) -+ corenet_sendrecv_generic_client_packets(telepathy_salut_t) - ') - - optional_policy(` -@@ -378,73 +331,53 @@ optional_policy(` - - ####################################### - # --# Sofiasip local policy -+# Telepathy Sofiasip local policy. 
- # - --allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms; --allow telepathy_sofiasip_t self:tcp_socket { accept listen }; -+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; -+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; - - corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) --corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) - corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) - corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) - corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) - corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t) - corenet_tcp_bind_generic_node(telepathy_sofiasip_t) - corenet_raw_bind_generic_node(telepathy_sofiasip_t) -- --corenet_sendrecv_all_server_packets(telepathy_sofiasip_t) - corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) --corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) -- - corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) -- --corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_sip_port(telepathy_sofiasip_t) --corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t) -+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) - - kernel_request_load_module(telepathy_sofiasip_t) - - tunable_policy(`telepathy_connect_all_ports',` -- corenet_sendrecv_all_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_all_ports(telepathy_sofiasip_t) - corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) -+ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t) - ') - - tunable_policy(`telepathy_tcp_connect_generic_network_ports',` -- corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_generic_port(telepathy_sofiasip_t) -- corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t) -+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) - ') - - ####################################### - # --# Sunshine local policy -+# Telepathy Sunshine local policy. 
- #
- 
- manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
- manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
--userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
-+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
-+userdom_search_user_home_dirs(telepathy_sunshine_t)
- 
- manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
-+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
- files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
- 
--can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
-- 
- corecmd_exec_bin(telepathy_sunshine_t)
- 
--files_read_usr_files(telepathy_sunshine_t)
-- 
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(telepathy_sunshine_t)
-- fs_manage_nfs_files(telepathy_sunshine_t)
--')
-- 
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(telepathy_sunshine_t)
-- fs_manage_cifs_files(telepathy_sunshine_t)
--')
-- 
- optional_policy(`
- xserver_read_xdm_pid(telepathy_sunshine_t)
- xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +385,49 @@ optional_policy(`
- 
- #######################################
- #
--# Common telepathy domain local policy
-+# telepathy domains common policy
- #
- 
- allow telepathy_domain self:process { getsched signal sigkill };
- allow telepathy_domain self:fifo_file rw_fifo_file_perms;
-+allow telepathy_domain self:tcp_socket create_socket_perms;
-+allow telepathy_domain self:udp_socket create_socket_perms;
- 
- manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
--# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
-- 
--manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
--# 
gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
-+optional_policy(`
-+ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
-+')
- 
- dev_read_urand(telepathy_domain)
- 
--kernel_read_system_state(telepathy_domain)
- 
- fs_getattr_all_fs(telepathy_domain)
- fs_search_auto_mountpoints(telepathy_domain)
-+fs_rw_inherited_tmpfs_files(telepathy_domain)
- 
--miscfiles_read_localization(telepathy_domain)
-+userdom_search_user_tmp_dirs(telepathy_domain)
-+userdom_search_user_home_dirs(telepathy_domain)
- 
- optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
- ')
- 
- optional_policy(`
-+ gnome_read_generic_cache_files(telepathy_domain)
-+ gnome_write_generic_cache_files(telepathy_domain)
-+ gnome_filetrans_config_home_content(telepathy_domain)
-+')
-+ 
-+optional_policy(`
-+ systemd_dbus_chat_logind(telepathy_domain)
-+ systemd_write_inhibit_pipes(telepathy_domain)
-+')
-+ 
-+optional_policy(`
-+ telepathy_dbus_chat(telepathy_domain)
-+')
-+ 
-+optional_policy(`
- xserver_rw_xdm_pipes(telepathy_domain)
- ')
-+ 
-diff --git a/telnet.te b/telnet.te
-index 9f89916..1bdef51 100644
---- a/telnet.te
-+++ b/telnet.te
-@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
- allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
- allow telnetd_t self:process signal_perms;
- allow telnetd_t self:fifo_file rw_fifo_file_perms;
-+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
-+allow telnetd_t self:udp_socket create_socket_perms;
-+# for identd; cjp: this should probably only be inetd_child rules? 
-+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- 
- allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
-+ 
- term_create_pty(telnetd_t, telnetd_devpts_t)
- 
- manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
- manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
--files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
- 
- manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
- files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t)
- kernel_read_system_state(telnetd_t)
- kernel_read_network_state(telnetd_t)
- 
--corenet_all_recvfrom_unlabeled(telnetd_t)
- corenet_all_recvfrom_netlabel(telnetd_t)
- corenet_tcp_sendrecv_generic_if(telnetd_t)
- corenet_udp_sendrecv_generic_if(telnetd_t)
-@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t)
- corenet_udp_sendrecv_generic_node(telnetd_t)
- corenet_tcp_sendrecv_all_ports(telnetd_t)
- corenet_udp_sendrecv_all_ports(telnetd_t)
-+corenet_tcp_bind_telnetd_port(telnetd_t)
- 
- corecmd_search_bin(telnetd_t)
- 
-@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t)
- 
- domain_interactive_fd(telnetd_t)
- 
--files_read_usr_files(telnetd_t)
- files_read_etc_runtime_files(telnetd_t)
- files_search_home(telnetd_t)
- 
-@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t)
- 
- logging_send_syslog_msg(telnetd_t)
- 
--miscfiles_read_localization(telnetd_t)
-- 
- seutil_read_config(telnetd_t)
- 
- userdom_search_user_home_dirs(telnetd_t)
- userdom_setattr_user_ptys(telnetd_t)
-+userdom_manage_user_tmp_files(telnetd_t)
-+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
- 
- tunable_policy(`use_nfs_home_dirs',`
- fs_search_nfs(telnetd_t)
-@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
- 
- optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
-- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
-+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
- 
kerberos_manage_host_rcache(telnetd_t) - ') - -diff --git a/tftp.fc b/tftp.fc -index 93a5bf4..621f343 100644 ---- a/tftp.fc -+++ b/tftp.fc -@@ -1,9 +1,9 @@ --/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) -+/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) - - /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) - /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) - --/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) --/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) -+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) -+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) - --/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) -+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) -diff --git a/tftp.if b/tftp.if -index 9957e30..cf0b925 100644 ---- a/tftp.if -+++ b/tftp.if -@@ -1,8 +1,8 @@ --## Trivial file transfer protocol daemon. -+## Trivial file transfer protocol daemon - - ######################################## - ## --## Read tftp content files. -+## Read tftp content - ## - ## - ## -@@ -13,18 +13,21 @@ - interface(`tftp_read_content',` - gen_require(` - type tftpdir_t; -+ type tftpdir_rw_t; - ') - -- files_search_var_lib($1) -- allow $1 tftpdir_t:dir list_dir_perms; -- allow $1 tftpdir_t:file read_file_perms; -- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; -+ list_dirs_pattern($1, tftpdir_t, tftpdir_t) -+ read_files_pattern($1, tftpdir_t, tftpdir_t) -+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) -+ -+ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## tftp rw content. -+## Search tftp /var/lib directories. 
- ## - ## - ## -@@ -32,20 +35,18 @@ interface(`tftp_read_content',` - ## - ## - # --interface(`tftp_manage_rw_content',` -+interface(`tftp_search_rw_content',` - gen_require(` - type tftpdir_rw_t; - ') - -+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - files_search_var_lib($1) -- allow $1 tftpdir_rw_t:dir manage_dir_perms; -- allow $1 tftpdir_rw_t:file manage_file_perms; -- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; - ') - - ######################################## - ## --## Read tftpd configuration files. -+## Manage tftp /var/lib files. - ## - ## - ## -@@ -53,19 +54,19 @@ interface(`tftp_manage_rw_content',` - ## - ## - # --interface(`tftp_read_config_files',` -+interface(`tftp_manage_rw_content',` - gen_require(` -- type tftpd_conf_t; -+ type tftpdir_rw_t; - ') - -- files_search_etc($1) -- allow $1 tftpd_conf_t:file read_file_perms; -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## tftpd configuration files. -+## Read tftp config files. - ## - ## - ## -@@ -73,55 +74,44 @@ interface(`tftp_read_config_files',` - ## - ## - # --interface(`tftp_manage_config_files',` -+interface(`tftp_read_config',` - gen_require(` -- type tftpd_conf_t; -+ type tftpd_etc_t; - ') - -- files_search_etc($1) -- allow $1 tftpd_conf_t:file manage_file_perms; -+ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t) - ') - - ######################################## - ## --## Create objects in etc directories --## with tftp conf type. -+## Manage tftp config files. - ## - ## - ## --## Domain allowed to transition. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. -+## Domain allowed access. 
- ## - ## - # --interface(`tftp_etc_filetrans_config',` -+interface(`tftp_manage_config',` - gen_require(` -- type tftp_conf_t; -+ type tftpd_etc_t; - ') - -- files_etc_filetrans($1, tftp_conf_t, $2, $3) -+ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t) -+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp") - ') - - ######################################## - ## - ## Create objects in tftpdir directories --## with a private type. -+## with specified types. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## - ## - ## Private file type. - ## -@@ -131,25 +121,38 @@ interface(`tftp_etc_filetrans_config',` - ## Class of the object being created. - ## - ## --## --## --## The name of the object being created. --## --## - # - interface(`tftp_filetrans_tftpdir',` - gen_require(` - type tftpdir_rw_t; - ') - -+ filetrans_pattern($1, tftpdir_rw_t, $2, $3) - files_search_var_lib($1) -- filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) - ') - - ######################################## - ## --## All of the rules required to --## administrate an tftp environment. -+## Transition to tftp named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`tftp_filetrans_named_content',` -+ gen_require(` -+ type tftpd_etc_t; -+ ') -+ -+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp") -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an tftp environment - ## - ## - ## -@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',` - interface(`tftp_admin',` - gen_require(` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; -- type tftpd_conf_t; - ') - -- allow $1 tftpd_t:process { ptrace signal_perms }; -+ allow $1 tftpd_t:process signal_perms; - ps_process_pattern($1, tftpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tftpd_t:process ptrace; -+ ') - -- files_search_etc($1) -- admin_pattern($1, tftpd_conf_t) -+ files_list_var_lib($1) - -- files_search_var_lib($1) -- admin_pattern($1, { tftpdir_t tftpdir_rw_t }) -+ admin_pattern($1, tftpdir_rw_t) -+ -+ admin_pattern($1, tftpdir_t) - - files_list_pids($1) - admin_pattern($1, tftpd_var_run_t) -+ -+ tftp_manage_config($1) - ') -diff --git a/tftp.te b/tftp.te -index f455e70..a3b440c 100644 ---- a/tftp.te -+++ b/tftp.te -@@ -1,4 +1,4 @@ --policy_module(tftp, 1.12.4) -+policy_module(tftp, 1.12.0) - - ######################################## - # -@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4) - # - - ## --##

    --## Determine whether tftp can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. --##

    -+##

    -+## Allow tftp to modify public files -+## used for public file transfer services. -+##

    - ##
    - gen_tunable(tftp_anon_write, false) - - ## --##

    --## Determine whether tftp can manage --## generic user home content. --##

    -+##

    -+## Allow tftp to read and write files in the user home directories -+##

    - ##
    --gen_tunable(tftp_enable_homedir, false) -+gen_tunable(tftp_home_dir, false) - - type tftpd_t; - type tftpd_exec_t; - init_daemon_domain(tftpd_t, tftpd_exec_t) - --type tftpd_conf_t; --files_config_file(tftpd_conf_t) -- - type tftpd_var_run_t; - files_pid_file(tftpd_var_run_t) - -@@ -39,6 +33,9 @@ files_type(tftpdir_t) - type tftpdir_rw_t; - files_type(tftpdir_rw_t) - -+type tftpd_etc_t; -+files_config_file(tftpd_etc_t) -+ - ######################################## - # - # Local policy -@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t) - - allow tftpd_t self:capability { setgid setuid sys_chroot }; - dontaudit tftpd_t self:capability sys_tty_config; --allow tftpd_t self:tcp_socket { accept listen }; --allow tftpd_t self:unix_stream_socket { accept listen }; -- --allow tftpd_t tftpd_conf_t:file read_file_perms; -+allow tftpd_t self:tcp_socket create_stream_socket_perms; -+allow tftpd_t self:udp_socket create_socket_perms; -+allow tftpd_t self:unix_dgram_socket create_socket_perms; -+allow tftpd_t self:unix_stream_socket create_stream_socket_perms; - - allow tftpd_t tftpdir_t:dir list_dir_perms; - allow tftpd_t tftpdir_t:file read_file_perms; - allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; - -+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) -+ - manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) - manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) - manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) - kernel_read_system_state(tftpd_t) - kernel_read_kernel_sysctls(tftpd_t) - --corenet_all_recvfrom_unlabeled(tftpd_t) - corenet_all_recvfrom_netlabel(tftpd_t) -+corenet_tcp_sendrecv_generic_if(tftpd_t) - corenet_udp_sendrecv_generic_if(tftpd_t) -+corenet_tcp_sendrecv_generic_node(tftpd_t) - corenet_udp_sendrecv_generic_node(tftpd_t) -+corenet_tcp_sendrecv_all_ports(tftpd_t) -+corenet_udp_sendrecv_all_ports(tftpd_t) -+corenet_tcp_bind_generic_node(tftpd_t) - 
corenet_udp_bind_generic_node(tftpd_t) -- --corenet_sendrecv_tftp_server_packets(tftpd_t) - corenet_udp_bind_tftp_port(tftpd_t) --corenet_udp_sendrecv_tftp_port(tftpd_t) -+corenet_sendrecv_tftp_server_packets(tftpd_t) - - dev_read_sysfs(tftpd_t) - -+fs_getattr_all_fs(tftpd_t) -+fs_search_auto_mountpoints(tftpd_t) -+ - domain_use_interactive_fds(tftpd_t) - - files_read_etc_runtime_files(tftpd_t) -@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t) - files_read_var_symlinks(tftpd_t) - files_search_var(tftpd_t) - --fs_getattr_all_fs(tftpd_t) --fs_search_auto_mountpoints(tftpd_t) -- - auth_use_nsswitch(tftpd_t) - - logging_send_syslog_msg(tftpd_t) - --miscfiles_read_localization(tftpd_t) - miscfiles_read_public_files(tftpd_t) - - userdom_dontaudit_use_unpriv_user_fds(tftpd_t) - userdom_dontaudit_use_user_terminals(tftpd_t) --userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) -+userdom_dontaudit_search_user_home_dirs(tftpd_t) -+ -+userdom_home_manager(tftpd_t) - - tunable_policy(`tftp_anon_write',` - miscfiles_manage_public_files(tftpd_t) - ') - --tunable_policy(`tftp_enable_homedir',` -- allow tftpd_t self:capability { dac_override dac_read_search }; -+tunable_policy(`tftp_home_dir',` -+ allow tftpd_t self:capability { dac_override dac_read_search }; - -+ # allow access to /home - files_list_home(tftpd_t) -- userdom_manage_user_home_content_dirs(tftpd_t) -- userdom_manage_user_home_content_files(tftpd_t) -- userdom_manage_user_home_content_symlinks(tftpd_t) -+ userdom_read_user_home_content_files(tftpd_t) -+ userdom_manage_user_home_content(tftpd_t) -+ -+ auth_read_all_dirs_except_shadow(tftpd_t) -+ auth_read_all_files_except_shadow(tftpd_t) -+ auth_read_all_symlinks_except_shadow(tftpd_t) -+',` -+ # Needed for permissive mode, to make sure everything gets labeled correctly -+ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file }) - ') - --tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',` -- 
fs_manage_nfs_dirs(tftpd_t) -- fs_manage_nfs_files(tftpd_t) -- fs_read_nfs_symlinks(tftpd_t) -+tunable_policy(`tftp_home_dir && use_nfs_home_dirs',` -+ fs_manage_nfs_files(tftpd_t) -+ fs_read_nfs_symlinks(tftpd_t) - ') - --tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',` -- fs_manage_cifs_dirs(tftpd_t) -- fs_manage_cifs_files(tftpd_t) -- fs_read_cifs_symlinks(tftpd_t) -+tunable_policy(`tftp_home_dir && use_samba_home_dirs',` -+ fs_manage_cifs_files(tftpd_t) -+ fs_read_cifs_symlinks(tftpd_t) - ') - - optional_policy(` -diff --git a/tgtd.fc b/tgtd.fc -index 38389e6..4847b43 100644 ---- a/tgtd.fc -+++ b/tgtd.fc -@@ -1,7 +1,4 @@ --/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) -- --/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) -- --/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) -- --/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) -+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) -+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) -+/var/lib/tgtd(/.*)? 
gen_context(system_u:object_r:tgtd_var_lib_t,s0) -+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) -diff --git a/tgtd.if b/tgtd.if -index 5406b6e..dc5b46e 100644 ---- a/tgtd.if -+++ b/tgtd.if -@@ -97,6 +97,6 @@ interface(`tgtd_admin',` - files_search_tmp($1) - admin_pattern($1, tgtd_tmp_t) - -- files_search_tmpfs($1) -+ fs_search_tmpfs($1) - admin_pattern($1, tgtd_tmpfs_t) - ') -diff --git a/tgtd.te b/tgtd.te -index c93c973..60f4ce9 100644 ---- a/tgtd.te -+++ b/tgtd.te -@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) - # Local policy - # - --allow tgtd_t self:capability sys_resource; -+allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin }; - allow tgtd_t self:capability2 block_suspend; - allow tgtd_t self:process { setrlimit signal }; - allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t) - kernel_read_fs_sysctls(tgtd_t) - - corenet_all_recvfrom_netlabel(tgtd_t) --corenet_all_recvfrom_unlabeled(tgtd_t) - corenet_tcp_sendrecv_generic_if(tgtd_t) - corenet_tcp_sendrecv_generic_node(tgtd_t) - corenet_tcp_bind_generic_node(tgtd_t) - - corenet_sendrecv_iscsi_server_packets(tgtd_t) - corenet_tcp_bind_iscsi_port(tgtd_t) -+corenet_tcp_connect_isns_port(tgtd_t) - corenet_tcp_sendrecv_iscsi_port(tgtd_t) - - dev_read_sysfs(tgtd_t) - --files_read_etc_files(tgtd_t) -+files_list_mnt(tgtd_t) - - fs_read_anon_inodefs_files(tgtd_t) - - storage_manage_fixed_disk(tgtd_t) -+storage_read_scsi_generic(tgtd_t) -+storage_write_scsi_generic(tgtd_t) - - logging_send_syslog_msg(tgtd_t) - --miscfiles_read_localization(tgtd_t) -- - optional_policy(` - iscsi_manage_semaphores(tgtd_t) - ') -diff --git a/thin.fc b/thin.fc -new file mode 100644 -index 0000000..1f8a908 ---- /dev/null -+++ b/thin.fc -@@ -0,0 +1,12 @@ -+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) -+ -+/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) -+ 
-+/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
-+
-+/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
-+/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0)
-+
-+/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
-+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
-+/var/run/thin(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0)
-diff --git a/thin.if b/thin.if
-new file mode 100644
-index 0000000..5e3637e
---- /dev/null
-+++ b/thin.if
-@@ -0,0 +1,64 @@
-+## thin policy
-+
-+#######################################
-+##
-+## Creates types and rules for a basic
-+## thin daemon domain.
-+##
-+##
-+##
-+## Prefix for the domain.
-+##
-+##
-+#
-+template(`thin_domain_template',`
-+ gen_require(`
-+ attribute thin_domain;
-+ ')
-+
-+ type $1_t, thin_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ can_exec($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
-+')
-+
-+######################################
-+##
-+## Execute mongod in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`thin_exec',`
-+ gen_require(`
-+ type thin_exec_t;
-+ ')
-+
-+ can_exec($1, thin_exec_t)
-+')
-+
-+#####################################
-+##
-+## Connect to thin over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+## -+## -+# -+interface(`thin_stream_connect',` -+ gen_require(` -+ type thin_t, thin_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t) -+') -diff --git a/thin.te b/thin.te -new file mode 100644 -index 0000000..39d17b7 ---- /dev/null -+++ b/thin.te -@@ -0,0 +1,115 @@ -+policy_module(thin, 1.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+attribute thin_domain; -+ -+thin_domain_template(thin) -+ -+type thin_log_t; -+logging_log_file(thin_log_t) -+ -+type thin_var_run_t; -+files_pid_file(thin_var_run_t) -+ -+thin_domain_template(thin_aeolus_configserver) -+ -+type thin_aeolus_configserver_lib_t; -+files_type(thin_aeolus_configserver_lib_t) -+ -+type thin_aeolus_configserver_log_t; -+logging_log_file(thin_aeolus_configserver_log_t) -+ -+type thin_aeolus_configserver_var_run_t; -+files_pid_file(thin_aeolus_configserver_var_run_t) -+ -+######################################## -+# -+# thin_domain local policy -+# -+ -+allow thin_domain self:process signal; -+ -+allow thin_domain self:fifo_file rw_fifo_file_perms; -+allow thin_domain self:tcp_socket create_stream_socket_perms; -+ -+# we want to stay in a new thin domain if we call thin binary from a script -+# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t -+can_exec(thin_domain, thin_exec_t) -+ -+corecmd_exec_bin(thin_domain) -+corecmd_exec_shell(thin_domain) -+ -+corenet_tcp_bind_generic_node(thin_domain) -+ -+dev_read_rand(thin_domain) -+dev_read_urand(thin_domain) -+ -+ -+auth_read_passwd(thin_domain) -+ -+miscfiles_read_certs(thin_domain) -+ -+ -+fs_search_auto_mountpoints(thin_domain) -+ -+init_read_utmp(thin_domain) -+ -+kernel_read_kernel_sysctls(thin_domain) -+ -+optional_policy(` -+ apache_read_sys_content(thin_domain) -+') -+ -+optional_policy(` -+ sysnet_read_config(thin_domain) -+') -+ -+######################################## -+# -+# thin local policy -+# -+ -+allow thin_t self:capability { 
setuid kill setgid dac_override }; -+allow thin_t self:capability2 block_suspend; -+ -+allow thin_t self:netlink_route_socket r_netlink_socket_perms; -+allow thin_t self:udp_socket create_socket_perms; -+allow thin_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(thin_t, thin_log_t, thin_log_t) -+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) -+logging_log_filetrans(thin_t, thin_log_t, { file dir }) -+ -+manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t) -+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) -+manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) -+manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) -+files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file }) -+ -+corenet_tcp_bind_ntop_port(thin_t) -+corenet_tcp_connect_postgresql_port(thin_t) -+ -+####################################### -+# -+# thin aeolus configserver local policy -+# -+ -+allow thin_aeolus_configserver_t self:capability { setuid setgid }; -+ -+corenet_tcp_bind_tram_port(thin_aeolus_configserver_t) -+ -+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) -+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) -+files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir }) -+ -+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) -+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) -+logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir }) -+ -+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) -+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) 
-+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
-diff --git a/thumb.fc b/thumb.fc
-new file mode 100644
-index 0000000..92b6843
---- /dev/null
-+++ b/thumb.fc
-@@ -0,0 +1,18 @@
-+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
-+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
-+HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
-+HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
-+
-+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/gnome-[^/]*-thumbnailer(.sh)? -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/raw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/shotwell-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
-+
-+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
-diff --git a/thumb.if b/thumb.if
-new file mode 100644
-index 0000000..c1fd8b4
---- /dev/null
-+++ b/thumb.if
-@@ -0,0 +1,133 @@
-+
-+## policy for thumb
-+
-+########################################
-+##
-+## Transition to thumb.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`thumb_domtrans',`
-+ gen_require(`
-+ type thumb_t, thumb_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, thumb_exec_t, thumb_t)
-+')
-+
-+
-+########################################
-+##
-+## Execute thumb in the thumb domain, and
-+## allow the specified role the thumb domain.
-+##
-+##
-+##
-+## Domain allowed to transition
-+##
-+##
-+##
-+## The role to be allowed the thumb domain.
-+##
-+##
-+#
-+interface(`thumb_run',`
-+ gen_require(`
-+ type thumb_t;
-+ ')
-+
-+ thumb_domtrans($1)
-+ role $2 types thumb_t;
-+
-+ allow $1 thumb_t:process signal_perms;
-+
-+ dontaudit thumb_t $1:dir list_dir_perms;
-+ dontaudit thumb_t $1:file read_file_perms;
-+ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
-+
-+ allow thumb_t $1:shm create_shm_perms;
-+ allow thumb_t $1:sem create_sem_perms;
-+')
-+
-+########################################
-+##
-+## Role access for thumb
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`thumb_role',`
-+ gen_require(`
-+ type thumb_t;
-+ class dbus send_msg;
-+ ')
-+
-+ thumb_run($2, $1)
-+
-+ ps_process_pattern($2, thumb_t)
-+ allow thumb_t $2:unix_stream_socket connectto;
-+
-+ thumb_dbus_chat($2)
-+ thumb_filetrans_home_content($2)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## thumb over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`thumb_dbus_chat',`
-+ gen_require(`
-+ type thumb_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 thumb_t:dbus send_msg;
-+ allow thumb_t $1:dbus send_msg;
-+ ps_process_pattern(thumb_t, $1)
-+')
-+
-+########################################
-+##
-+## Create thumb content in the user home directory
-+## with an correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`thumb_filetrans_home_content',`
-+
-+ gen_require(`
-+ type thumb_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
-+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
-+
-+ optional_policy(`
-+ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
-+ ')
-+')
-diff --git a/thumb.te b/thumb.te
-new file mode 100644
-index 0000000..b57cc3c
---- /dev/null
-+++ b/thumb.te
-@@ -0,0 +1,149 @@
-+policy_module(thumb, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type thumb_t;
-+type thumb_exec_t;
-+application_domain(thumb_t, thumb_exec_t)
-+ubac_constrained(thumb_t)
-+userdom_home_manager(thumb_t)
-+
-+type thumb_tmp_t;
-+files_tmp_file(thumb_tmp_t)
-+ubac_constrained(thumb_tmp_t)
-+
-+type thumb_home_t;
-+userdom_user_home_content(thumb_home_t)
-+
-+type thumb_tmpfs_t;
-+files_tmpfs_file(thumb_tmpfs_t)
-+
-+########################################
-+#
-+# thumb local policy
-+#
-+
-+allow thumb_t self:process { setsched signal signull setrlimit };
-+dontaudit thumb_t self:capability sys_tty_config;
-+
-+tunable_policy(`deny_execmem',`',`
-+ allow thumb_t self:process execmem;
-+')
-+
-+allow thumb_t self:fifo_file manage_fifo_file_perms;
-+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
-+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
-+allow thumb_t self:udp_socket create_socket_perms;
-+allow thumb_t self:tcp_socket create_socket_perms;
-+allow thumb_t self:shm create_shm_perms;
-+allow thumb_t self:sem create_sem_perms;
-+
-+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
-+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
-+userdom_dontaudit_access_check_user_content(thumb_t)
-+userdom_rw_inherited_user_tmpfs_files(thumb_t)
-+
-+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
-+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
-+xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
-+
-+manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
-+manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
-+fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
-+
-+can_exec(thumb_t, thumb_exec_t)
-+
-+kernel_read_system_state(thumb_t)
-+
-+corecmd_exec_bin(thumb_t)
-+corecmd_exec_shell(thumb_t)
-+
-+dev_read_sysfs(thumb_t)
-+dev_read_urand(thumb_t)
-+dev_dontaudit_rw_dri(thumb_t)
-+dev_rw_xserver_misc(thumb_t)
-+
-+domain_use_interactive_fds(thumb_t)
-+domain_dontaudit_read_all_domains_state(thumb_t)
-+
-+files_read_non_security_files(thumb_t)
-+
-+fs_getattr_all_fs(thumb_t)
-+fs_read_dos_files(thumb_t)
-+fs_rw_inherited_tmpfs_files(thumb_t)
-+
-+auth_read_passwd(thumb_t)
-+
-+tunable_policy(`selinuxuser_execmod',`
-+ libs_legacy_use_shared_libs(thumb_t)
-+')
-+
-+miscfiles_read_fonts(thumb_t)
-+miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
-+
-+sysnet_read_config(thumb_t)
-+
-+userdom_dontaudit_setattr_user_tmp(thumb_t)
-+userdom_read_user_tmp_files(thumb_t)
-+userdom_read_user_home_content_files(thumb_t)
-+userdom_exec_user_home_content_files(thumb_t)
-+userdom_dontaudit_write_user_tmp_files(thumb_t)
-+userdom_dontaudit_delete_user_tmp_files(thumb_t)
-+userdom_read_home_audio_files(thumb_t)
-+userdom_home_reader(thumb_t)
-+
-+userdom_use_user_terminals(thumb_t)
-+
-+xserver_read_xdm_home_files(thumb_t)
-+xserver_append_xdm_home_files(thumb_t)
-+xserver_dontaudit_read_xdm_pid(thumb_t)
-+xserver_dontaudit_xdm_tmp_dirs(thumb_t)
-+xserver_stream_connect(thumb_t)
-+xserver_use_user_fonts(thumb_t)
-+
-+optional_policy(`
-+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
-+ dbus_dontaudit_chat_session_bus(thumb_t)
-+')
-+
-+optional_policy(`
-+ # .config
-+ gnome_dontaudit_search_config(thumb_t)
-+ gnome_dontaudit_write_config_files(thumb_t)
-+ gnome_append_generic_cache_files(thumb_t)
-+ gnome_read_generic_data_home_files(thumb_t)
-+ gnome_dontaudit_rw_generic_cache_files(thumb_t)
-+ gnome_manage_gstreamer_home_files(thumb_t)
-+ gnome_manage_gstreamer_home_dirs(thumb_t)
-+ gnome_exec_gstreamer_home_files(thumb_t)
-+ gnome_create_generic_cache_dir(thumb_t)
-+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
-+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
-+')
-+
-+optional_policy(`
-+ sssd_dontaudit_stream_connect(thumb_t)
-+')
-+
-+optional_policy(`
-+ nscd_dontaudit_write_sock_file(thumb_t)
-+')
-+
-+optional_policy(`
-+ nslcd_dontaudit_write_sock_file(thumb_t)
-+')
-+
-+tunable_policy(`nis_enabled',`
-+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
-+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
-+')
-diff --git a/thunderbird.te b/thunderbird.te
-index 4257ede..fc265b8 100644
---- a/thunderbird.te
-+++ b/thunderbird.te
-@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
- 
- corecmd_exec_shell(thunderbird_t)
- 
--corenet_all_recvfrom_unlabeled(thunderbird_t)
- corenet_all_recvfrom_netlabel(thunderbird_t)
- corenet_tcp_sendrecv_generic_if(thunderbird_t)
- corenet_tcp_sendrecv_generic_node(thunderbird_t)
-@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t)
- dev_dontaudit_search_sysfs(thunderbird_t)
- 
- files_list_tmp(thunderbird_t)
--files_read_usr_files(thunderbird_t)
- files_read_etc_runtime_files(thunderbird_t)
- files_read_var_files(thunderbird_t)
- files_read_var_symlinks(thunderbird_t)
-@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t)
- auth_use_nsswitch(thunderbird_t)
- 
- miscfiles_read_fonts(thunderbird_t)
--miscfiles_read_localization(thunderbird_t) - - userdom_write_user_tmp_sockets(thunderbird_t) - -@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t) - - userdom_manage_user_home_content_dirs(thunderbird_t) - userdom_manage_user_home_content_files(thunderbird_t) --userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) -+userdom_filetrans_home_content(thunderbird_t) - - xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) - xserver_read_xdm_tmp_files(thunderbird_t) - xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(thunderbird_t) -- fs_manage_nfs_files(thunderbird_t) -- fs_manage_nfs_symlinks(thunderbird_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(thunderbird_t) -- fs_manage_cifs_files(thunderbird_t) -- fs_manage_cifs_symlinks(thunderbird_t) --') -+# Access ~/.thunderbird -+userdom_home_manager(thunderbird_t) - - ifndef(`enable_mls',` - fs_search_removable(thunderbird_t) -diff --git a/timidity.te b/timidity.te -index 67ca5c5..a1ef2d2 100644 ---- a/timidity.te -+++ b/timidity.te -@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f - kernel_read_kernel_sysctls(timidity_t) - kernel_read_system_state(timidity_t) - --corenet_all_recvfrom_unlabeled(timidity_t) - corenet_all_recvfrom_netlabel(timidity_t) - corenet_tcp_sendrecv_generic_if(timidity_t) - corenet_udp_sendrecv_generic_if(timidity_t) -@@ -51,8 +50,6 @@ dev_write_sound(timidity_t) - - domain_use_interactive_fds(timidity_t) - --files_read_etc_files(timidity_t) --files_read_usr_files(timidity_t) - files_search_tmp(timidity_t) - - fs_search_auto_mountpoints(timidity_t) -diff --git a/tmpreaper.te b/tmpreaper.te -index a4a949c..9ae28c6 100644 ---- a/tmpreaper.te -+++ b/tmpreaper.te -@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) - type tmpreaper_t; - type tmpreaper_exec_t; - init_system_domain(tmpreaper_t, 
tmpreaper_exec_t) -+application_domain(tmpreaper_t, tmpreaper_exec_t) - - ######################################## - # -@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; - - kernel_list_unlabeled(tmpreaper_t) - kernel_read_system_state(tmpreaper_t) -+kernel_delete_unlabeled(tmpreaper_t) - - dev_read_urand(tmpreaper_t) - - fs_getattr_xattr_fs(tmpreaper_t) - fs_list_all(tmpreaper_t) -+fs_setattr_tmpfs_dirs(tmpreaper_t) -+fs_delete_tmpfs_files(tmpreaper_t) - --files_getattr_all_dirs(tmpreaper_t) --files_getattr_all_files(tmpreaper_t) - files_read_var_lib_files(tmpreaper_t) - files_purge_tmp(tmpreaper_t) -+files_delete_all_non_security_files(tmpreaper_t) -+# why does it need setattr? - files_setattr_all_tmp_dirs(tmpreaper_t) -+files_setattr_isid_type_dirs(tmpreaper_t) -+files_setattr_usr_dirs(tmpreaper_t) -+files_getattr_all_dirs(tmpreaper_t) -+files_getattr_all_files(tmpreaper_t) - --mcs_file_read_all(tmpreaper_t) --mcs_file_write_all(tmpreaper_t) - mls_file_read_all_levels(tmpreaper_t) - mls_file_write_all_levels(tmpreaper_t) - -@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t) - - logging_send_syslog_msg(tmpreaper_t) - --miscfiles_read_localization(tmpreaper_t) - miscfiles_delete_man_pages(tmpreaper_t) - - ifdef(`distro_redhat',` -- userdom_list_all_user_home_content(tmpreaper_t) -+ userdom_list_user_home_content(tmpreaper_t) -+ userdom_list_admin_dir(tmpreaper_t) - userdom_delete_all_user_home_content_dirs(tmpreaper_t) - userdom_delete_all_user_home_content_files(tmpreaper_t) -+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t) - userdom_delete_all_user_home_content_symlinks(tmpreaper_t) -+ userdom_setattr_all_user_home_content_dirs(tmpreaper_t) - ') - - optional_policy(` -@@ -54,6 +62,7 @@ optional_policy(` - ') - - optional_policy(` -+ apache_delete_sys_content_rw(tmpreaper_t) - apache_list_cache(tmpreaper_t) - apache_delete_cache_dirs(tmpreaper_t) - apache_delete_cache_files(tmpreaper_t) -@@ -69,7 +78,19 
@@ optional_policy(` - ') - - optional_policy(` -- lpd_manage_spool(tmpreaper_t) -+ lpd_manage_spool(tmpreaper_t) -+') -+ -+optional_policy(` -+ mandb_delete_cache(tmpreaper_t) -+') -+ -+optional_policy(` -+ sandbox_list(tmpreaper_t) -+ sandbox_delete_dirs(tmpreaper_t) -+ sandbox_delete_files(tmpreaper_t) -+ sandbox_delete_sock_files(tmpreaper_t) -+ sandbox_setattr_dirs(tmpreaper_t) - ') - - optional_policy(` -diff --git a/tomcat.fc b/tomcat.fc -new file mode 100644 -index 0000000..a8385bc ---- /dev/null -+++ b/tomcat.fc -@@ -0,0 +1,11 @@ -+/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0) -+ -+/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0) -+ -+/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0) -+ -+/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0) -+ -+/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0) -+ -+/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) -diff --git a/tomcat.if b/tomcat.if -new file mode 100644 -index 0000000..9abef48 ---- /dev/null -+++ b/tomcat.if -@@ -0,0 +1,395 @@ -+ -+## policy for tomcat -+ -+###################################### -+## -+## Creates types and rules for a basic -+## tomcat daemon domain. -+## -+## -+## -+## Prefix for the domain. 
-+## -+## -+# -+template(`tomcat_domain_template',` -+ gen_require(` -+ attribute tomcat_domain; -+ ') -+ -+ type $1_t, tomcat_domain; -+ type $1_exec_t; -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ type $1_cache_t; -+ files_type($1_cache_t) -+ -+ type $1_log_t; -+ logging_log_file($1_log_t) -+ -+ type $1_var_lib_t; -+ files_type($1_var_lib_t) -+ -+ type $1_var_run_t; -+ files_pid_file($1_var_run_t) -+ -+ type $1_tmp_t; -+ files_tmp_file($1_tmp_t) -+ -+ ################################## -+ # -+ # Local policy -+ # -+ -+ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t) -+ manage_files_pattern($1_t, $1_cache_t, $1_cache_t) -+ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t) -+ files_var_filetrans($1_t, $1_cache_t, { dir file }) -+ -+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) -+ manage_files_pattern($1_t, $1_log_t, $1_log_t) -+ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t) -+ logging_log_filetrans($1_t, $1_log_t, { dir file }) -+ -+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file }) -+ -+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file }) -+ -+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir }) -+ -+ can_exec($1_t, $1_exec_t) -+ -+ kernel_read_system_state($1_t) -+ -+ logging_send_syslog_msg($1_t) -+') -+ -+######################################## -+## -+## Transition to tomcat. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`tomcat_domtrans',` -+ gen_require(` -+ type tomcat_t, tomcat_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, tomcat_exec_t, tomcat_t) -+') -+ -+######################################## -+## -+## Search tomcat cache directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_search_cache',` -+ gen_require(` -+ type tomcat_cache_t; -+ ') -+ -+ allow $1 tomcat_cache_t:dir search_dir_perms; -+ files_search_var($1) -+') -+ -+######################################## -+## -+## Read tomcat cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_read_cache_files',` -+ gen_require(` -+ type tomcat_cache_t; -+ ') -+ -+ files_search_var($1) -+ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## tomcat cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_manage_cache_files',` -+ gen_require(` -+ type tomcat_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t) -+') -+ -+######################################## -+## -+## Manage tomcat cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_manage_cache_dirs',` -+ gen_require(` -+ type tomcat_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t) -+') -+ -+######################################## -+## -+## Read tomcat's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`tomcat_read_log',` -+ gen_require(` -+ type tomcat_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, tomcat_log_t, tomcat_log_t) -+') -+ -+######################################## -+## -+## Append to tomcat log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`tomcat_append_log',` -+ gen_require(` -+ type tomcat_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, tomcat_log_t, tomcat_log_t) -+') -+ -+######################################## -+## -+## Manage tomcat log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_manage_log',` -+ gen_require(` -+ type tomcat_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t) -+ manage_files_pattern($1, tomcat_log_t, tomcat_log_t) -+ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t) -+') -+ -+######################################## -+## -+## Search tomcat lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_search_lib',` -+ gen_require(` -+ type tomcat_var_lib_t; -+ ') -+ -+ allow $1 tomcat_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read tomcat lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_read_lib_files',` -+ gen_require(` -+ type tomcat_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) -+') -+ -+######################################## -+## -+## Manage tomcat lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_manage_lib_files',` -+ gen_require(` -+ type tomcat_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) -+') -+ -+######################################## -+## -+## Manage tomcat lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_manage_lib_dirs',` -+ gen_require(` -+ type tomcat_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) -+') -+ -+######################################## -+## -+## Read tomcat PID files. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tomcat_read_pid_files',` -+ gen_require(` -+ type tomcat_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 tomcat_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Execute tomcat server in the tomcat domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`tomcat_systemctl',` -+ gen_require(` -+ type tomcat_t; -+ type tomcat_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 tomcat_unit_file_t:file read_file_perms; -+ allow $1 tomcat_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, tomcat_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an tomcat environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`tomcat_admin',` -+ gen_require(` -+ type tomcat_t; -+ type tomcat_cache_t; -+ type tomcat_log_t; -+ type tomcat_var_lib_t; -+ type tomcat_var_run_t; -+ type tomcat_unit_file_t; -+ ') -+ -+ allow $1 tomcat_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, tomcat_t) -+ -+ files_search_var($1) -+ admin_pattern($1, tomcat_cache_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, tomcat_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, tomcat_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, tomcat_var_run_t) -+ -+ tomcat_systemctl($1) -+ admin_pattern($1, tomcat_unit_file_t) -+ allow $1 tomcat_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/tomcat.te b/tomcat.te -new file mode 100644 -index 0000000..5a263b2 ---- /dev/null -+++ b/tomcat.te -@@ -0,0 +1,69 @@ -+policy_module(tomcat, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+attribute tomcat_domain; -+ -+tomcat_domain_template(tomcat) -+ -+type tomcat_unit_file_t; 
-+systemd_unit_file(tomcat_unit_file_t) -+ -+####################################### -+# -+# tomcat local policy -+# -+ -+optional_policy(` -+ unconfined_domain(tomcat_t) -+') -+ -+######################################## -+# -+# tomcat domain local policy -+# -+ -+allow tomcat_t self:process execmem; -+allow tomcat_t self:process { signal signull }; -+ -+allow tomcat_t self:tcp_socket { accept listen }; -+allow tomcat_domain self:fifo_file rw_fifo_file_perms; -+allow tomcat_domain self:unix_stream_socket create_stream_socket_perms; -+ -+# we want to stay in a new tomcat domain if we call tomcat binary from a script -+# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t -+can_exec(tomcat_domain, tomcat_exec_t) -+ -+kernel_read_network_state(tomcat_domain) -+ -+corecmd_exec_bin(tomcat_domain) -+corecmd_exec_shell(tomcat_domain) -+ -+corenet_tcp_bind_generic_node(tomcat_domain) -+corenet_udp_bind_generic_node(tomcat_domain) -+corenet_tcp_bind_http_port(tomcat_domain) -+corenet_tcp_bind_http_cache_port(tomcat_domain) -+corenet_tcp_bind_mxi_port(tomcat_domain) -+corenet_tcp_connect_http_port(tomcat_domain) -+corenet_tcp_connect_mxi_port(tomcat_domain) -+ -+dev_read_rand(tomcat_domain) -+dev_read_urand(tomcat_domain) -+dev_read_sysfs(tomcat_domain) -+ -+domain_use_interactive_fds(tomcat_domain) -+ -+fs_getattr_all_fs(tomcat_domain) -+fs_read_hugetlbfs_files(tomcat_domain) -+ -+ -+auth_read_passwd(tomcat_domain) -+ -+sysnet_dns_name_resolve(tomcat_domain) -+ -+optional_policy(` -+ tomcat_search_lib(tomcat_domain) -+') -diff --git a/tor.fc b/tor.fc -index 6b9d449..ac02092 100644 ---- a/tor.fc -+++ b/tor.fc -@@ -6,6 +6,8 @@ - - /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - -+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0) -+ - /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) - /var/lib/tor-data(/.*)? 
gen_context(system_u:object_r:tor_var_lib_t,s0) - -diff --git a/tor.if b/tor.if -index 61c2e07..5e1df41 100644 ---- a/tor.if -+++ b/tor.if -@@ -19,6 +19,29 @@ interface(`tor_domtrans',` - domtrans_pattern($1, tor_exec_t, tor_t) - ') - -+####################################### -+## -+## Execute tor server in the tor domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`tor_systemctl',` -+ gen_require(` -+ type tor_t; -+ type tor_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 tor_unit_file_t:file read_file_perms; -+ allow $1 tor_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, tor_t) -+') -+ - ######################################## - ## - ## All of the rules required to -@@ -39,12 +62,18 @@ interface(`tor_domtrans',` - interface(`tor_admin',` - gen_require(` - type tor_t, tor_var_log_t, tor_etc_t; -- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t; -+ type tor_var_lib_t, tor_var_run_t; -+ type tor_initrc_exec_t; -+ type tor_unit_file_t; - ') - -- allow $1 tor_t:process { ptrace signal_perms }; -+ allow $1 tor_t:process signal_perms; - ps_process_pattern($1, tor_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tor_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tor_initrc_exec_t system_r; -@@ -61,4 +90,13 @@ interface(`tor_admin',` - - files_list_pids($1) - admin_pattern($1, tor_var_run_t) -+ -+ tor_systemctl($1) -+ admin_pattern($1, tor_unit_file_t) -+ allow $1 tor_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') - ') -diff --git a/tor.te b/tor.te -index 964a395..78962c4 100644 ---- a/tor.te -+++ b/tor.te -@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4) - ## - gen_tunable(tor_bind_all_unreserved_ports, false) - -+## -+##

    -+## Allow tor to act as a relay -+##

    -+##
    -+gen_tunable(tor_can_network_relay, false) -+ - type tor_t; - type tor_exec_t; - init_daemon_domain(tor_t, tor_exec_t) -@@ -33,6 +40,9 @@ type tor_var_run_t; - files_pid_file(tor_var_run_t) - init_daemon_run_dir(tor_var_run_t, "tor") - -+type tor_unit_file_t; -+systemd_unit_file(tor_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) - corenet_udp_sendrecv_generic_node(tor_t) - corenet_tcp_bind_generic_node(tor_t) - corenet_udp_bind_generic_node(tor_t) -- - corenet_sendrecv_dns_server_packets(tor_t) - corenet_udp_bind_dns_port(tor_t) - corenet_udp_sendrecv_dns_port(tor_t) -@@ -98,19 +107,22 @@ dev_read_urand(tor_t) - domain_use_interactive_fds(tor_t) - - files_read_etc_runtime_files(tor_t) --files_read_usr_files(tor_t) - - auth_use_nsswitch(tor_t) - - logging_send_syslog_msg(tor_t) - --miscfiles_read_localization(tor_t) -- - tunable_policy(`tor_bind_all_unreserved_ports',` - corenet_sendrecv_all_server_packets(tor_t) - corenet_tcp_bind_all_unreserved_ports(tor_t) - ') - -+tunable_policy(`tor_can_network_relay',` -+ # allow httpd to work as a relay -+ corenet_tcp_connect_all_ephemeral_ports(tor_t) -+ corenet_tcp_bind_http_port(tor_t) -+') -+ - optional_policy(` - seutil_sigchld_newrole(tor_t) - ') -diff --git a/transproxy.te b/transproxy.te -index 20d1a28..494a46d 100644 ---- a/transproxy.te -+++ b/transproxy.te -@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) - kernel_list_proc(transproxy_t) - kernel_read_proc_symlinks(transproxy_t) - --corenet_all_recvfrom_unlabeled(transproxy_t) - corenet_all_recvfrom_netlabel(transproxy_t) - corenet_tcp_sendrecv_generic_if(transproxy_t) - corenet_tcp_sendrecv_generic_node(transproxy_t) -@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t) - - domain_use_interactive_fds(transproxy_t) - --files_read_etc_files(transproxy_t) - - fs_getattr_all_fs(transproxy_t) - fs_search_auto_mountpoints(transproxy_t) - - 
logging_send_syslog_msg(transproxy_t) - --miscfiles_read_localization(transproxy_t) -- - sysnet_read_config(transproxy_t) - - userdom_dontaudit_use_unpriv_user_fds(transproxy_t) -diff --git a/tripwire.te b/tripwire.te -index 2e1110d..2c989b4 100644 ---- a/tripwire.te -+++ b/tripwire.te -@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t) - - logging_send_syslog_msg(tripwire_t) - --userdom_use_user_terminals(tripwire_t) -+userdom_use_inherited_user_terminals(tripwire_t) - - optional_policy(` - cron_system_entry(tripwire_t, tripwire_exec_t) -@@ -107,9 +107,7 @@ files_search_etc(twadmin_t) - - logging_send_syslog_msg(twadmin_t) - --miscfiles_read_localization(twadmin_t) -- --userdom_use_user_terminals(twadmin_t) -+userdom_use_inherited_user_terminals(twadmin_t) - - ######################################## - # -@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t) - - logging_send_syslog_msg(twprint_t) - --miscfiles_read_localization(twprint_t) -- --userdom_use_user_terminals(twprint_t) -+userdom_use_inherited_user_terminals(twprint_t) - - ######################################## - # -@@ -150,6 +146,4 @@ files_read_all_files(siggen_t) - - logging_send_syslog_msg(siggen_t) - --miscfiles_read_localization(siggen_t) -- --userdom_use_user_terminals(siggen_t) -+userdom_use_inherited_user_terminals(siggen_t) -diff --git a/tuned.if b/tuned.if -index e29db63..061fb98 100644 ---- a/tuned.if -+++ b/tuned.if -@@ -119,9 +119,13 @@ interface(`tuned_admin',` - type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; - ') - -- allow $1 tuned_t:process { ptrace signal_perms }; -+ allow $1 tuned_t:process signal_perms; - ps_process_pattern($1, tuned_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tuned_t:process ptrace; -+ ') -+ - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tuned_initrc_exec_t system_r; -diff --git a/tuned.te b/tuned.te -index 7116181..6b315d8 100644 ---- a/tuned.te -+++ b/tuned.te -@@ -21,6 +21,9 @@ 
files_config_file(tuned_rw_etc_t) - type tuned_log_t; - logging_log_file(tuned_log_t) - -+type tuned_tmp_t; -+files_tmp_file(tuned_tmp_t) -+ - type tuned_var_run_t; - files_pid_file(tuned_var_run_t) - -@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t) - # Local policy - # - --allow tuned_t self:capability { sys_admin sys_nice }; -+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; - dontaudit tuned_t self:capability { dac_override sys_tty_config }; --allow tuned_t self:process { setsched signal }; -+allow tuned_t self:process { setsched signal }; - allow tuned_t self:fifo_file rw_fifo_file_perms; -+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow tuned_t self:netlink_socket create_socket_perms; -+allow tuned_t self:udp_socket create_socket_perms; - - read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) - exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) - files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") - - manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) --append_files_pattern(tuned_t, tuned_log_t, tuned_log_t) --create_files_pattern(tuned_t, tuned_log_t, tuned_log_t) --setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t) --logging_log_filetrans(tuned_t, tuned_log_t, file) -+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log") -+ -+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) -+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) -+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir }) -+can_exec(tuned_t, tuned_tmp_t) - - manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) - manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) - files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) -+can_exec(tuned_t, tuned_var_run_t) - - kernel_read_system_state(tuned_t) - 
kernel_read_network_state(tuned_t) -@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t) - kernel_rw_kernel_sysctl(tuned_t) - kernel_rw_hotplug_sysctls(tuned_t) - kernel_rw_vm_sysctls(tuned_t) -+kernel_setsched(tuned_t) -+kernel_rw_all_sysctls(tuned_t) - - corecmd_exec_bin(tuned_t) - corecmd_exec_shell(tuned_t) -@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t) - dev_getattr_all_blk_files(tuned_t) - dev_getattr_all_chr_files(tuned_t) - dev_read_urand(tuned_t) -+dev_rw_cpu_microcode(tuned_t) - dev_rw_sysfs(tuned_t) - dev_rw_netcontrol(tuned_t) - --files_read_usr_files(tuned_t) -+files_dontaudit_all_access_check(tuned_t) - files_dontaudit_search_home(tuned_t) --files_dontaudit_list_tmp(tuned_t) -+files_list_tmp(tuned_t) - --fs_getattr_xattr_fs(tuned_t) -+fs_getattr_all_fs(tuned_t) -+fs_search_all(tuned_t) -+fs_rw_hugetlbfs_files(tuned_t) -+ -+auth_use_nsswitch(tuned_t) - - logging_send_syslog_msg(tuned_t) - --miscfiles_read_localization(tuned_t) -+mount_read_pid_files(tuned_t) - - udev_read_pid_files(tuned_t) - - userdom_dontaudit_search_user_home_dirs(tuned_t) - - optional_policy(` -+ dbus_system_bus_client(tuned_t) -+ dbus_connect_system_bus(tuned_t) -+') -+ -+optional_policy(` -+ dmidecode_domtrans(tuned_t) -+') -+ -+# to allow disk tuning -+optional_policy(` - fstools_domtrans(tuned_t) - ') - - optional_policy(` -+ gnome_dontaudit_search_config(tuned_t) -+') -+ -+optional_policy(` -+ libs_exec_ldconfig(tuned_t) -+') -+ -+optional_policy(` - mount_domtrans(tuned_t) - ') - -+# to allow network interface tuning - optional_policy(` - sysnet_domtrans_ifconfig(tuned_t) - ') -diff --git a/tvtime.if b/tvtime.if -index 1bb0f7c..372be2f 100644 ---- a/tvtime.if -+++ b/tvtime.if -@@ -1,5 +1,23 @@ - ## High quality television application. - -+####################################### -+## -+## Transition to alsa named content -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`tvtime_filetrans_home_content',` -+ gen_require(` -+ type tvtime_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime") -+') -+ - ######################################## - ## - ## Role access for tvtime -diff --git a/tvtime.te b/tvtime.te -index 3292fcc..20099b0 100644 ---- a/tvtime.te -+++ b/tvtime.te -@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; - manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) - manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) - manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) --userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) - - manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) - manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) -@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t) - dev_read_sound(tvtime_t) - dev_read_urand(tvtime_t) - --files_read_usr_files(tvtime_t) - - fs_getattr_all_fs(tvtime_t) - fs_search_auto_mountpoints(tvtime_t) -@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t) - auth_use_nsswitch(tvtime_t) - - miscfiles_read_fonts(tvtime_t) --miscfiles_read_localization(tvtime_t) - --userdom_use_user_terminals(tvtime_t) -+userdom_use_inherited_user_terminals(tvtime_t) -+userdom_read_user_home_content_files(tvtime_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(tvtime_t) -- fs_manage_nfs_files(tvtime_t) -- fs_manage_nfs_symlinks(tvtime_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(tvtime_t) -- fs_manage_cifs_files(tvtime_t) -- fs_manage_cifs_symlinks(tvtime_t) --') -+# X access, Home files -+userdom_home_manager(tvtime_t) - - optional_policy(` - xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) -diff --git a/tzdata.te b/tzdata.te -index aa6ae96..9f86987 100644 ---- a/tzdata.te -+++ b/tzdata.te -@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t) - - locallogin_dontaudit_use_fds(tzdata_t) - 
--miscfiles_read_localization(tzdata_t) - miscfiles_manage_localization(tzdata_t) - miscfiles_etc_filetrans_localization(tzdata_t) - --userdom_use_user_terminals(tzdata_t) -+userdom_use_inherited_user_terminals(tzdata_t) - - optional_policy(` - postfix_search_spool(tzdata_t) -diff --git a/ucspitcp.te b/ucspitcp.te -index 5e365c2..0fbc46e 100644 ---- a/ucspitcp.te -+++ b/ucspitcp.te -@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t) - corenet_tcp_bind_generic_node(rblsmtpd_t) - corenet_udp_bind_generic_port(rblsmtpd_t) - --files_read_etc_files(rblsmtpd_t) - files_search_var(rblsmtpd_t) - - optional_policy(` -@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t) - corenet_sendrecv_generic_server_packets(ucspitcp_t) - corenet_udp_bind_generic_port(ucspitcp_t) - --files_read_etc_files(ucspitcp_t) - files_search_var(ucspitcp_t) - - sysnet_read_config(ucspitcp_t) -diff --git a/ulogd.if b/ulogd.if -index 9b95c3e..a892845 100644 ---- a/ulogd.if -+++ b/ulogd.if -@@ -123,8 +123,11 @@ interface(`ulogd_admin',` - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - -- allow $1 ulogd_t:process { ptrace signal_perms }; -+ allow $1 ulogd_t:process signal_perms; - ps_process_pattern($1, ulogd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ulogd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/ulogd.te b/ulogd.te -index c6acbbe..bd23e7f 100644 ---- a/ulogd.te -+++ b/ulogd.te -@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t) - # - - allow ulogd_t self:capability { net_admin sys_nice }; --allow ulogd_t self:process setsched; -+allow ulogd_t self:process { setsched }; - allow ulogd_t self:netlink_nflog_socket create_socket_perms; -+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; - allow ulogd_t self:netlink_socket create_socket_perms; --allow ulogd_t self:tcp_socket create_stream_socket_perms; -+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; 
-+allow ulogd_t self:udp_socket create_socket_perms; - - read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) - -@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) - setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) - logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - --files_read_etc_files(ulogd_t) --files_read_usr_files(ulogd_t) - --miscfiles_read_localization(ulogd_t) - - sysnet_dns_name_resolve(ulogd_t) - -diff --git a/uml.if b/uml.if -index ab5c1d0..d13105e 100644 ---- a/uml.if -+++ b/uml.if -@@ -32,7 +32,7 @@ interface(`uml_role',` - allow uml_t $2:unix_dgram_socket sendto; - - ps_process_pattern($2, uml_t) -- allow $2 uml_t:process { ptrace signal_perms }; -+ allow $2 uml_t:process signal_perms; - - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; -diff --git a/uml.te b/uml.te -index dc03cc5..423afe4 100644 ---- a/uml.te -+++ b/uml.te -@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) - - corecmd_exec_bin(uml_t) - --corenet_all_recvfrom_unlabeled(uml_t) - corenet_all_recvfrom_netlabel(uml_t) - corenet_tcp_sendrecv_generic_if(uml_t) - corenet_tcp_sendrecv_generic_node(uml_t) -@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t) - - libs_exec_lib_files(uml_t) - --userdom_use_user_terminals(uml_t) -+# Inherit and use descriptors from newrole. -+seutil_use_newrole_fds(uml_t) -+ -+# Use the network. 
-+sysnet_read_config(uml_t) -+ -+userdom_use_inherited_user_terminals(uml_t) - userdom_attach_admin_tun_iface(uml_t) - - tunable_policy(`use_nfs_home_dirs',` -@@ -133,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',` - ') - - optional_policy(` -- seutil_use_newrole_fds(uml_t) --') -- --optional_policy(` - virt_attach_tun_iface(uml_t) - ') - -@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t) - - logging_send_syslog_msg(uml_switch_t) - --miscfiles_read_localization(uml_switch_t) -- - userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) - userdom_dontaudit_search_user_home_dirs(uml_switch_t) - -diff --git a/updfstab.te b/updfstab.te -index 2d871b8..acbf304 100644 ---- a/updfstab.te -+++ b/updfstab.te -@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t) - logging_search_logs(updfstab_t) - logging_send_syslog_msg(updfstab_t) - --miscfiles_read_localization(updfstab_t) -- - seutil_read_config(updfstab_t) - seutil_read_default_contexts(updfstab_t) - seutil_read_file_contexts(updfstab_t) -@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t) - userdom_dontaudit_search_user_home_content(updfstab_t) - userdom_dontaudit_use_unpriv_user_fds(updfstab_t) - --optional_policy(` -- auth_domtrans_pam_console(updfstab_t) --') -+auth_use_nsswitch(updfstab_t) -+auth_domtrans_pam_console(updfstab_t) - - optional_policy(` - dbus_system_bus_client(updfstab_t) -diff --git a/uptime.if b/uptime.if -index 01a3234..19f4724 100644 ---- a/uptime.if -+++ b/uptime.if -@@ -19,7 +19,7 @@ - # - interface(`uptime_admin',` - gen_require(` -- type uptimed_t, uptimed_initrc_exec_t. 
uptimed_etc_t; -+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t; - type uptimed_spool_t, uptimed_var_run_t; - ') - -diff --git a/uptime.te b/uptime.te -index 09741f6..8e5b35c 100644 ---- a/uptime.te -+++ b/uptime.te -@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t; - init_script_file(uptimed_initrc_exec_t) - - type uptimed_spool_t; --files_type(uptimed_spool_t) -+files_spool_file(uptimed_spool_t) - - type uptimed_var_run_t; - files_pid_file(uptimed_var_run_t) -@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t) - - logging_send_syslog_msg(uptimed_t) - --miscfiles_read_localization(uptimed_t) -- - userdom_dontaudit_use_unpriv_user_fds(uptimed_t) - userdom_dontaudit_search_user_home_dirs(uptimed_t) - -diff --git a/usbmodules.te b/usbmodules.te -index cb9b5bb..3aa7952 100644 ---- a/usbmodules.te -+++ b/usbmodules.te -@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t) - dev_list_usbfs(usbmodules_t) - dev_rw_usbfs(usbmodules_t) - --files_list_etc(usbmodules_t) -- - term_read_console(usbmodules_t) - term_write_console(usbmodules_t) - -@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t) - - miscfiles_read_hwdata(usbmodules_t) - --modutils_read_module_deps(usbmodules_t) -- --userdom_use_user_terminals(usbmodules_t) -+userdom_use_inherited_user_terminals(usbmodules_t) - - optional_policy(` - hotplug_read_config(usbmodules_t) - ') -+ -+optional_policy(` -+ modutils_read_module_deps(usbmodules_t) -+') -diff --git a/usbmuxd.fc b/usbmuxd.fc -index 220f6ad..cd80b9b 100644 ---- a/usbmuxd.fc -+++ b/usbmuxd.fc -@@ -1,3 +1,4 @@ - /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - --/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -+/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0) -diff --git a/usbmuxd.if b/usbmuxd.if -index 1ec5e99..88e287d 100644 ---- a/usbmuxd.if -+++ b/usbmuxd.if -@@ -38,3 +38,66 @@ 
interface(`usbmuxd_stream_connect',` - files_search_pids($1) - stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) - ') -+ -+######################################## -+## -+## Execute usbmuxd server in the usbmuxd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`usbmuxd_systemctl',` -+ gen_require(` -+ type usbmuxd_t; -+ type usbmuxd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 usbmuxd_unit_file_t:file read_file_perms; -+ allow $1 usbmuxd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, usbmuxd_t) -+') -+ -+##################################### -+## -+## All of the rules required to administrate -+## an usbmuxd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the usbmuxd domain. -+## -+## -+## -+# -+interface(`usbmuxd_admin',` -+ gen_require(` -+ type usbmuxd_t,usbmuxd_var_run_t; -+ type usbmuxd_unit_file_t; -+ ') -+ -+ allow $1 usbmuxd_t:process { signal_perms }; -+ ps_process_pattern($1, usbmuxd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 usbmuxd_t:process ptrace; -+ ') -+ -+ allow $2 system_r; -+ -+ files_list_pids($1) -+ admin_pattern($1, usbmuxd_var_run_t) -+ -+ usbmuxd_systemctl($1) -+ admin_pattern($1, usbmuxd_unit_file_t) -+ allow $1 usbmuxd_unit_file_t:service all_service_perms; -+') -diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..d2c7596 100644 ---- a/usbmuxd.te -+++ b/usbmuxd.te -@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; - - type usbmuxd_t; - type usbmuxd_exec_t; -+init_system_domain(usbmuxd_t, usbmuxd_exec_t) - application_domain(usbmuxd_t, usbmuxd_exec_t) - role usbmuxd_roles types usbmuxd_t; - - type usbmuxd_var_run_t; - files_pid_file(usbmuxd_var_run_t) - -+type usbmuxd_unit_file_t; -+systemd_unit_file(usbmuxd_unit_file_t) -+ - ######################################## - # - # Local policy -@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) - allow 
usbmuxd_t self:capability { kill setgid setuid }; - allow usbmuxd_t self:process { signal signull }; - allow usbmuxd_t self:fifo_file rw_fifo_file_perms; -+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; - - manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) - manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) - - auth_use_nsswitch(usbmuxd_t) - --miscfiles_read_localization(usbmuxd_t) -- - logging_send_syslog_msg(usbmuxd_t) -+ -+seutil_dontaudit_read_file_contexts(usbmuxd_t) -+ -+optional_policy(` -+ virt_dontaudit_read_chr_dev(usbmuxd_t) -+') -diff --git a/userhelper.fc b/userhelper.fc -index c416a83..cd83b89 100644 ---- a/userhelper.fc -+++ b/userhelper.fc -@@ -1,5 +1,10 @@ --/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) -+# -+# /etc -+# -+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) - --/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) -- --/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) -\ No newline at end of file -+# -+# /usr -+# -+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) -+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) -diff --git a/userhelper.if b/userhelper.if -index cf118fd..cd80e83 100644 ---- a/userhelper.if -+++ b/userhelper.if -@@ -1,4 +1,4 @@ --## A wrapper that helps users run system programs. 
-+## SELinux utility to run a shell with a new role - - ####################################### - ## -@@ -23,9 +23,9 @@ - # - template(`userhelper_role_template',` - gen_require(` -- attribute userhelper_type, consolehelper_type; -- attribute_role userhelper_roles, consolehelper_roles; -- type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t; -+ attribute userhelper_type; -+ type userhelper_exec_t, userhelper_conf_t; -+ class dbus send_msg; - ') - - ######################################## -@@ -33,64 +33,123 @@ template(`userhelper_role_template',` - # Declarations - # - -- type $1_consolehelper_t, consolehelper_type; -- userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) -- -- role consolehelper_roles types $1_consolehelper_t; -- roleattribute $2 consolehelper_roles; -- - type $1_userhelper_t, userhelper_type; - userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) -- - domain_role_change_exemption($1_userhelper_t) - domain_obj_id_change_exemption($1_userhelper_t) - domain_interactive_fd($1_userhelper_t) - domain_subj_id_change_exemption($1_userhelper_t) -- -- role userhelper_roles types $1_userhelper_t; -- roleattribute $2 userhelper_roles; -+ role $2 types $1_userhelper_t; - - ######################################## - # -- # Consolehelper local policy -+ # Local policy - # -+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; -+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+ allow $1_userhelper_t self:process setexec; -+ allow $1_userhelper_t self:fd use; -+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; -+ allow $1_userhelper_t self:shm create_shm_perms; -+ allow $1_userhelper_t self:sem create_sem_perms; -+ allow $1_userhelper_t self:msgq create_msgq_perms; -+ allow $1_userhelper_t self:msg { send receive }; -+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; 
-+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; -+ allow $1_userhelper_t self:unix_dgram_socket sendto; -+ allow $1_userhelper_t self:unix_stream_socket connectto; -+ allow $1_userhelper_t self:sock_file read_sock_file_perms; - -- allow $1_consolehelper_t $3:unix_stream_socket connectto; -+ #Transition to the derived domain. -+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) - -- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) -+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; -+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) - -- allow $3 $1_consolehelper_t:process { ptrace signal_perms }; -- ps_process_pattern($3, $1_consolehelper_t) -+ can_exec($1_userhelper_t, userhelper_exec_t) - -- auth_use_pam($1_consolehelper_t) -+ dontaudit $3 $1_userhelper_t:process signal; - -- optional_policy(` -- dbus_connect_all_session_bus($1_consolehelper_t) -+ kernel_read_all_sysctls($1_userhelper_t) -+ kernel_getattr_debugfs($1_userhelper_t) -+ kernel_read_system_state($1_userhelper_t) - -- optional_policy(` -- userhelper_dbus_chat_all_consolehelper($3) -- ') -- ') -+ # Execute shells -+ corecmd_exec_shell($1_userhelper_t) -+ # By default, revert to the calling domain when a program is executed -+ corecmd_bin_domtrans($1_userhelper_t, $3) - -- ######################################## -- # -- # Userhelper local policy -- # -+ # Inherit descriptors from the current session. -+ domain_use_interactive_fds($1_userhelper_t) -+ # for when the user types "exec userhelper" at the command line -+ domain_sigchld_interactive_fds($1_userhelper_t) - -- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) -+ dev_read_urand($1_userhelper_t) -+ # Read /dev directories and any symbolic links. 
-+ dev_list_all_dev_nodes($1_userhelper_t) - -- dontaudit $3 $1_userhelper_t:process signal; -+ files_list_var_lib($1_userhelper_t) -+ # Read the /etc/security/default_type file -+ files_read_etc_files($1_userhelper_t) -+ # Read /var. -+ files_read_var_files($1_userhelper_t) -+ files_read_var_symlinks($1_userhelper_t) -+ # for some PAM modules and for cwd -+ files_search_home($1_userhelper_t) - -- corecmd_bin_domtrans($1_userhelper_t, $3) -+ fs_search_auto_mountpoints($1_userhelper_t) -+ fs_read_nfs_files($1_userhelper_t) -+ fs_read_nfs_symlinks($1_userhelper_t) -+ -+ # Allow $1_userhelper to obtain contexts to relabel TTYs -+ selinux_get_fs_mount($1_userhelper_t) -+ selinux_validate_context($1_userhelper_t) -+ selinux_compute_access_vector($1_userhelper_t) -+ selinux_compute_create_context($1_userhelper_t) -+ selinux_compute_relabel_context($1_userhelper_t) -+ selinux_compute_user_contexts($1_userhelper_t) -+ -+ # Read the devpts root directory. -+ term_list_ptys($1_userhelper_t) -+ # Relabel terminals. -+ term_relabel_all_ttys($1_userhelper_t) -+ term_relabel_all_ptys($1_userhelper_t) -+ # Access terminals. -+ term_use_all_ttys($1_userhelper_t) -+ term_use_all_ptys($1_userhelper_t) - - auth_domtrans_chk_passwd($1_userhelper_t) -+ auth_manage_pam_pid($1_userhelper_t) -+ auth_manage_var_auth($1_userhelper_t) -+ auth_search_pam_console_data($1_userhelper_t) - auth_use_nsswitch($1_userhelper_t) - -+ logging_send_syslog_msg($1_userhelper_t) -+ -+ # Inherit descriptors from the current session. -+ init_use_fds($1_userhelper_t) -+ # Write to utmp. -+ init_manage_utmp($1_userhelper_t) -+ init_pid_filetrans_utmp($1_userhelper_t) -+ -+ -+ seutil_read_config($1_userhelper_t) -+ seutil_read_default_contexts($1_userhelper_t) -+ -+ # Allow $1_userhelper_t to transition to user domains. 
- userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) - userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) - -+ ifdef(`distro_redhat',` -+ optional_policy(` -+ # Allow transitioning to rpm_t, for up2date -+ rpm_domtrans($1_userhelper_t) -+ ') -+ ') -+ - optional_policy(` - tunable_policy(`! secure_mode',` -+ #if we are not in secure mode then we can transition to sysadm_t - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') -@@ -99,7 +158,7 @@ template(`userhelper_role_template',` - - ######################################## - ## --## Search userhelper configuration directories. -+## Search the userhelper configuration directory. - ## - ## - ## -@@ -118,7 +177,7 @@ interface(`userhelper_search_config',` - ######################################## - ## - ## Do not audit attempts to search --## userhelper configuration directories. -+## the userhelper configuration directory. - ## - ## - ## -@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',` - - ######################################## - ## --## Send and receive messages from --## consolehelper over dbus. -+## Do not audit attempts to write -+## the userhelper configuration files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userhelper_dbus_chat_all_consolehelper',` -+interface(`userhelper_dontaudit_write_config',` - gen_require(` -- attribute consolehelper_type; -- class dbus send_msg; -+ type userhelper_conf_t; - ') - -- allow $1 consolehelper_type:dbus send_msg; -- allow consolehelper_type $1:dbus send_msg; -+ dontaudit $1 userhelper_conf_t:file write; - ') - - ######################################## - ## --## Use userhelper all userhelper file descriptors. -+## Allow domain to use userhelper file descriptor. - ## - ## - ## -@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',` - - ######################################## - ## --## Send child terminated signals to all userhelper. 
-+## Allow domain to send sigchld to userhelper. - ## - ## - ## -@@ -206,6 +263,93 @@ interface(`userhelper_exec',` - type userhelper_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, userhelper_exec_t) - ') -+ -+####################################### -+## -+## The role template for the consolehelper module. -+## -+## -+##

    -+## This template creates a derived domains which are used -+## for consolehelper applications. -+##

    -+##
    -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`userhelper_console_role_template',` -+ gen_require(` -+ type consolehelper_exec_t; -+ attribute consolehelper_domain; -+ class dbus send_msg; -+ ') -+ type $1_consolehelper_t, consolehelper_domain; -+ domain_type($1_consolehelper_t) -+ domain_entry_file($1_consolehelper_t, consolehelper_exec_t) -+ role $2 types $1_consolehelper_t; -+ -+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) -+ -+ allow $3 $1_consolehelper_t:process signal; -+ allow $3 $1_consolehelper_t:dbus send_msg; -+ allow $1_consolehelper_t $3:dbus send_msg; -+ allow $1_consolehelper_t $3:unix_stream_socket connectto; -+ -+ kernel_read_system_state($1_consolehelper_t) -+ -+ auth_use_pam($1_consolehelper_t) -+ -+ userdom_manage_tmpfs_role($2, $1_consolehelper_t) -+ -+ optional_policy(` -+ dbus_connect_session_bus($1_consolehelper_t) -+ ') -+ -+ optional_policy(` -+ shutdown_run($1_consolehelper_t, $2) -+ shutdown_send_sigchld($3) -+ ') -+ -+ optional_policy(` -+ mock_run($1_consolehelper_t, $2) -+ ') -+ -+ optional_policy(` -+ xserver_run_xauth($1_consolehelper_t, $2) -+ xserver_read_xdm_pid($1_consolehelper_t) -+ ') -+') -+ -+######################################## -+## -+## Execute the consolehelper program in the caller domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userhelper_exec_console',` -+ gen_require(` -+ type consolehelper_exec_t; -+ ') -+ -+ can_exec($1, consolehelper_exec_t) -+') -diff --git a/userhelper.te b/userhelper.te -index 274ed9c..cc18d6f 100644 ---- a/userhelper.te -+++ b/userhelper.te -@@ -1,15 +1,12 @@ --policy_module(userhelper, 1.7.3) -+policy_module(userhelper, 1.7.0) - - ######################################## - # - # Declarations - # - --attribute consolehelper_type; - attribute userhelper_type; -- --attribute_role consolehelper_roles; --attribute_role userhelper_roles; -+attribute consolehelper_domain; - - type userhelper_conf_t; - files_config_file(userhelper_conf_t) -@@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t) - - ######################################## - # --# Common consolehelper domain local policy -+# consolehelper local policy - # - --allow consolehelper_type self:capability { setgid setuid dac_override }; --allow consolehelper_type self:process signal; --allow consolehelper_type self:fifo_file rw_fifo_file_perms; --allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; --allow consolehelper_type self:shm create_shm_perms; -- --dontaudit consolehelper_type userhelper_conf_t:file audit_access; --read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) -+allow consolehelper_domain self:shm create_shm_perms; -+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; -+allow consolehelper_domain self:process { signal_perms getsched setsched }; - --domain_use_interactive_fds(consolehelper_type) -+allow consolehelper_domain userhelper_conf_t:file audit_access; -+dontaudit consolehelper_domain userhelper_conf_t:file write; -+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) - --kernel_read_system_state(consolehelper_type) --kernel_read_kernel_sysctls(consolehelper_type) -+# Init script handling -+domain_use_interactive_fds(consolehelper_domain) - 
--corecmd_exec_bin(consolehelper_type) -+# internal communication is often done using fifo and unix sockets. -+allow consolehelper_domain self:fifo_file rw_fifo_file_perms; -+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; - --dev_getattr_all_chr_files(consolehelper_type) --dev_dontaudit_list_all_dev_nodes(consolehelper_type) -+kernel_read_kernel_sysctls(consolehelper_domain) - --files_read_config_files(consolehelper_type) --files_read_usr_files(consolehelper_type) -+corecmd_exec_bin(consolehelper_domain) - --fs_getattr_all_dirs(consolehelper_type) --fs_getattr_all_fs(consolehelper_type) --fs_search_auto_mountpoints(consolehelper_type) --files_search_mnt(consolehelper_type) -+dev_getattr_all_chr_files(consolehelper_domain) -+dev_dontaudit_list_all_dev_nodes(consolehelper_domain) -+dev_dontaudit_getattr_all(consolehelper_domain) -+fs_getattr_all_fs(consolehelper_domain) -+fs_getattr_all_dirs(consolehelper_domain) - --term_list_ptys(consolehelper_type) -+files_read_config_files(consolehelper_domain) - --auth_search_pam_console_data(consolehelper_type) --auth_read_pam_pid(consolehelper_type) -+term_list_ptys(consolehelper_domain) - --miscfiles_read_localization(consolehelper_type) --miscfiles_read_fonts(consolehelper_type) -+auth_search_pam_console_data(consolehelper_domain) -+auth_read_pam_pid(consolehelper_domain) - --userhelper_exec(consolehelper_type) -+init_read_utmp(consolehelper_domain) -+init_telinit(consolehelper_domain) - --userdom_use_user_terminals(consolehelper_type) -+miscfiles_read_fonts(consolehelper_domain) - --# might want to make this consolehelper_tmp_t --userdom_manage_user_tmp_dirs(consolehelper_type) --userdom_manage_user_tmp_files(consolehelper_type) --userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) -+userhelper_exec(consolehelper_domain) - --tunable_policy(`use_nfs_home_dirs',` -- fs_search_nfs(consolehelper_type) --') -+userdom_use_user_ptys(consolehelper_domain) 
-+userdom_use_user_ttys(consolehelper_domain) -+userdom_read_user_home_content_files(consolehelper_domain) -+userdom_search_admin_dir(consolehelper_domain) - --tunable_policy(`use_samba_home_dirs',` -- fs_search_cifs(consolehelper_type) -+optional_policy(` -+ dbus_session_bus_client(consolehelper_domain) -+ optional_policy(` -+ devicekit_dbus_chat_disk(consolehelper_domain) -+ ') - ') - - optional_policy(` -- shutdown_run(consolehelper_type, consolehelper_roles) -- shutdown_signal(consolehelper_type) -+ gnome_read_gconf_home_files(consolehelper_domain) - ') - - optional_policy(` -- xserver_domtrans_xauth(consolehelper_type) -- xserver_read_xdm_pid(consolehelper_type) -- xserver_stream_connect(consolehelper_type) -+ xserver_read_home_fonts(consolehelper_domain) -+ xserver_stream_connect(consolehelper_domain) -+ xserver_admin_home_dir_filetrans_xauth(consolehelper_domain) -+ xserver_manage_user_xauth(consolehelper_domain) - ') - --######################################## --# --# Common userhelper domain local policy --# -- --allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; --allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; --allow userhelper_type self:fd use; --allow userhelper_type self:fifo_file rw_fifo_file_perms; --allow userhelper_type self:shm create_shm_perms; --allow userhelper_type self:sem create_sem_perms; --allow userhelper_type self:msgq create_msgq_perms; --allow userhelper_type self:msg { send receive }; --allow userhelper_type self:unix_dgram_socket sendto; --allow userhelper_type self:unix_stream_socket { accept connectto listen }; -- --dontaudit userhelper_type userhelper_conf_t:file audit_access; --read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t) -- --can_exec(userhelper_type, userhelper_exec_t) -- --kernel_read_all_sysctls(userhelper_type) --kernel_getattr_debugfs(userhelper_type) 
--kernel_read_system_state(userhelper_type) -- --corecmd_exec_shell(userhelper_type) -- --domain_use_interactive_fds(userhelper_type) --domain_sigchld_interactive_fds(userhelper_type) -- --dev_read_urand(userhelper_type) --dev_list_all_dev_nodes(userhelper_type) -- --files_list_var_lib(userhelper_type) --files_read_var_files(userhelper_type) --files_read_var_symlinks(userhelper_type) --files_search_home(userhelper_type) -- --fs_getattr_all_fs(userhelper_type) --fs_search_auto_mountpoints(userhelper_type) -- --selinux_get_fs_mount(userhelper_type) --selinux_validate_context(userhelper_type) --selinux_compute_access_vector(userhelper_type) --selinux_compute_create_context(userhelper_type) --selinux_compute_relabel_context(userhelper_type) --selinux_compute_user_contexts(userhelper_type) -- --term_list_ptys(userhelper_type) --term_relabel_all_ttys(userhelper_type) --term_relabel_all_ptys(userhelper_type) --term_use_all_ttys(userhelper_type) --term_use_all_ptys(userhelper_type) -- --auth_manage_pam_pid(userhelper_type) --auth_manage_var_auth(userhelper_type) --auth_search_pam_console_data(userhelper_type) -- --init_use_fds(userhelper_type) --init_manage_utmp(userhelper_type) --init_pid_filetrans_utmp(userhelper_type) -- --logging_send_syslog_msg(userhelper_type) -- --miscfiles_read_localization(userhelper_type) -- --seutil_read_config(userhelper_type) --seutil_read_default_contexts(userhelper_type) -+tunable_policy(`use_nfs_home_dirs',` -+ files_search_mnt(consolehelper_domain) -+ fs_search_nfs(consolehelper_domain) -+') - --optional_policy(` -- rpm_domtrans(userhelper_type) -+tunable_policy(`use_samba_home_dirs',` -+ files_search_mnt(consolehelper_domain) -+ fs_search_cifs(consolehelper_domain) - ') -diff --git a/usernetctl.if b/usernetctl.if -index 7deec55..c542887 100644 ---- a/usernetctl.if -+++ b/usernetctl.if -@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',` - # - interface(`usernetctl_run',` - gen_require(` -+ type usernetctl_t; - attribute_role 
usernetctl_roles;
- ')
- 
-diff --git a/usernetctl.te b/usernetctl.te
-index dd3f01e..465c661 100644
---- a/usernetctl.te
-+++ b/usernetctl.te
-@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1)
- #
- 
- attribute_role usernetctl_roles;
-+roleattribute system_r usernetctl_roles;
- 
- type usernetctl_t;
- type usernetctl_exec_t;
- application_domain(usernetctl_t, usernetctl_exec_t)
- domain_interactive_fd(usernetctl_t)
--role usernetctl_roles types usernetctl_t;
- 
- ########################################
- #
-@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
- files_read_etc_runtime_files(usernetctl_t)
- files_list_pids(usernetctl_t)
- files_list_home(usernetctl_t)
--files_read_usr_files(usernetctl_t)
- 
- fs_search_auto_mountpoints(usernetctl_t)
- 
-@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t)
- 
- logging_send_syslog_msg(usernetctl_t)
- 
--miscfiles_read_localization(usernetctl_t)
--
- seutil_read_config(usernetctl_t)
- 
-+sysnet_read_config(usernetctl_t)
-+
- sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
- sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
- 
--userdom_use_user_terminals(usernetctl_t)
--
--optional_policy(`
--consoletype_run(usernetctl_t, usernetctl_roles)
--')
-+userdom_use_inherited_user_terminals(usernetctl_t)
- 
- optional_policy(`
- hostname_exec(usernetctl_t)
-@@ -74,5 +69,9 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ nis_use_ypbind(usernetctl_t)
-+')
-+
-+optional_policy(`
- ppp_run(usernetctl_t, usernetctl_roles)
- ')
-diff --git a/uucp.if b/uucp.if
-index af9acc0..cdaf82e 100644
---- a/uucp.if
-+++ b/uucp.if
-@@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',`
- ## Domain allowed access.
- ##
    - ## --## --## --## Role allowed access. --## --## - ## - # - interface(`uucp_admin',` -@@ -104,14 +99,13 @@ interface(`uucp_admin',` - type uucpd_var_run_t, uucpd_initrc_exec_t; - ') - -- init_labeled_script_domtrans($1, uucpd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 uucpd_initrc_exec_t system_r; -- allow $2 system_r; -- -- allow $1 uucpd_t:process { ptrace signal_perms }; -+ allow $1 uucpd_t:process signal_perms; - ps_process_pattern($1, uucpd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 uucpd_t:process ptrace; -+ ') -+ - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) - -diff --git a/uucp.te b/uucp.te -index 380902c..75545d6 100644 ---- a/uucp.te -+++ b/uucp.te -@@ -31,7 +31,7 @@ type uucpd_ro_t; - files_type(uucpd_ro_t) - - type uucpd_spool_t; --files_type(uucpd_spool_t) -+files_spool_file(uucpd_spool_t) - - type uucpd_log_t; - logging_log_file(uucpd_log_t) -@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t) - kernel_read_system_state(uucpd_t) - kernel_read_network_state(uucpd_t) - --corenet_all_recvfrom_unlabeled(uucpd_t) - corenet_all_recvfrom_netlabel(uucpd_t) - corenet_tcp_sendrecv_generic_if(uucpd_t) - corenet_tcp_sendrecv_generic_node(uucpd_t) -+corenet_udp_sendrecv_generic_node(uucpd_t) -+corenet_tcp_sendrecv_all_ports(uucpd_t) -+corenet_udp_sendrecv_all_ports(uucpd_t) - - corenet_sendrecv_ssh_client_packets(uucpd_t) - corenet_tcp_connect_ssh_port(uucpd_t) - corenet_tcp_sendrecv_ssh_port(uucpd_t) - -+corenet_tcp_connect_uucpd_port(uucpd_t) -+ - corecmd_exec_bin(uucpd_t) - corecmd_exec_shell(uucpd_t) - -@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t) - - logging_send_syslog_msg(uucpd_t) - --miscfiles_read_localization(uucpd_t) -+mta_send_mail(uucpd_t) - - optional_policy(` - cron_system_entry(uucpd_t, uucpd_exec_t) -@@ -125,10 +129,6 @@ optional_policy(` - ') - - optional_policy(` -- mta_send_mail(uucpd_t) --') -- --optional_policy(` - ssh_exec(uucpd_t) - ') - -@@ -160,10 +160,15 @@ 
auth_use_nsswitch(uux_t)
- logging_search_logs(uux_t)
- logging_send_syslog_msg(uux_t)
- 
--miscfiles_read_localization(uux_t)
--
- optional_policy(`
- mta_send_mail(uux_t)
- mta_read_queue(uux_t)
-+')
-+
-+optional_policy(`
- sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
- ')
-+
-+optional_policy(`
-+ postfix_rw_inherited_master_pipes(uux_t)
-+')
-diff --git a/uuidd.if b/uuidd.if
-index 6e48653..6abf74a 100644
---- a/uuidd.if
-+++ b/uuidd.if
-@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
- #
- interface(`uuidd_stream_connect_manager',`
- gen_require(`
-- type uuidd_t, uuidd_var_run_t;
-+ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
- ')
- 
- files_search_pids($1)
- stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
-+ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
- ')
- 
- ########################################
-@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
- 
- allow $1 uuidd_t:process signal_perms;
- ps_process_pattern($1, uuidd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 uuidd_t:process ptrace;
-+ ')
- 
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
-diff --git a/uuidd.te b/uuidd.te
-index e670f55..2b332c5 100644
---- a/uuidd.te
-+++ b/uuidd.te
-@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
- 
- domain_use_interactive_fds(uuidd_t)
- 
--files_read_etc_files(uuidd_t)
- 
--miscfiles_read_localization(uuidd_t)
-diff --git a/uwimap.te b/uwimap.te
-index b81e5c8..d120c52 100644
---- a/uwimap.te
-+++ b/uwimap.te
-@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
- kernel_list_proc(imapd_t)
- kernel_read_proc_symlinks(imapd_t)
- 
--corenet_all_recvfrom_unlabeled(imapd_t)
- corenet_all_recvfrom_netlabel(imapd_t)
- corenet_tcp_sendrecv_generic_if(imapd_t)
- corenet_tcp_sendrecv_generic_node(imapd_t)
-@@ -56,8 +55,6 @@ dev_read_urand(imapd_t)
- 
- domain_use_interactive_fds(imapd_t)
- 
--files_read_etc_files(imapd_t)
--
- fs_getattr_all_fs(imapd_t)
- fs_search_auto_mountpoints(imapd_t)
- 
-@@ 
-65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t) - - logging_send_syslog_msg(imapd_t) - --miscfiles_read_localization(imapd_t) -- - sysnet_dns_name_resolve(imapd_t) - - userdom_dontaudit_use_unpriv_user_fds(imapd_t) -diff --git a/varnishd.if b/varnishd.if -index 1c35171..2cba4df 100644 ---- a/varnishd.if -+++ b/varnishd.if -@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',` - # - interface(`varnishd_admin_varnishlog',` - gen_require(` -+ type varnishd_t; - type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; - type varnishlog_var_run_t; - ') - -- allow $1 varnishlog_t:process { ptrace signal_perms }; -+ allow $1 varnishlog_t:process signal_perms; - ps_process_pattern($1, varnishlog_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 varnishd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) -@@ -196,9 +200,13 @@ interface(`varnishd_admin',` - type varnishd_initrc_exec_t; - ') - -- allow $1 varnishd_t:process { ptrace signal_perms }; -+ allow $1 varnishd_t:process signal_perms; - ps_process_pattern($1, varnishd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 varnishd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishd_initrc_exec_t system_r; -diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..f50c3ff 100644 ---- a/varnishd.te -+++ b/varnishd.te -@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; - init_script_file(varnishd_initrc_exec_t) - - type varnishd_etc_t; --files_type(varnishd_etc_t) -+files_config_file(varnishd_etc_t) - - type varnishd_tmp_t; - files_tmp_file(varnishd_tmp_t) -@@ -43,7 +43,7 @@ type varnishlog_var_run_t; - files_pid_file(varnishlog_var_run_t) - - type varnishlog_log_t; --files_type(varnishlog_log_t) -+logging_log_file(varnishlog_log_t) - - ######################################## - # -@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) - - allow 
varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; - dontaudit varnishd_t self:capability sys_tty_config; --allow varnishd_t self:process signal; -+allow varnishd_t self:process { execmem signal }; - allow varnishd_t self:fifo_file rw_fifo_file_perms; - allow varnishd_t self:tcp_socket { accept listen }; - -@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) - - dev_read_urand(varnishd_t) - --files_read_usr_files(varnishd_t) - - fs_getattr_all_fs(varnishd_t) - -@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t) - - logging_send_syslog_msg(varnishd_t) - --miscfiles_read_localization(varnishd_t) -+sysnet_read_config(varnishd_t) - - tunable_policy(`varnishd_connect_any',` - corenet_sendrecv_all_client_packets(varnishd_t) -diff --git a/vbetool.te b/vbetool.te -index 14e1eec..b33d259 100644 ---- a/vbetool.te -+++ b/vbetool.te -@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t; - # - - allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; -+allow vbetool_t self:capability2 compromise_kernel; - allow vbetool_t self:process execmem; - - dev_wx_raw_memory(vbetool_t) -@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t) - - term_use_unallocated_ttys(vbetool_t) - --miscfiles_read_localization(vbetool_t) - - tunable_policy(`vbetool_mmap_zero_ignore',` - dontaudit vbetool_t self:memprotect mmap_zero; -diff --git a/vdagent.if b/vdagent.if -index 31c752e..ef52235 100644 ---- a/vdagent.if -+++ b/vdagent.if -@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',` - ## Get attributes of vdagent executable files. - ##
    - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`vdagent_getattr_exec_files',` -- gen_require(` -- type vdagent_exec_t; -- ') -+ gen_require(` -+ type vdagent_exec_t; -+ ') - - allow $1 vdagent_exec_t:file getattr_file_perms; - ') -@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',` - ## Get attributes of vdagent log files. - ##
    - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`vdagent_getattr_log',` -- gen_require(` -- type vdagent_log_t; -- ') -+ gen_require(` -+ type vdagent_log_t; -+ ') - -- logging_search_logs($1) -- allow $1 vdagent_log_t:file getattr_file_perms; -+ logging_search_logs($1) -+ allow $1 vdagent_log_t:file getattr_file_perms; - ') - - ######################################## -@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',` - ## domain stream socket. - ##
    - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. -+## - ## - # - interface(`vdagent_stream_connect',` -- gen_require(` -- type vdagent_var_run_t, vdagent_t; -- ') -+ gen_require(` -+ type vdagent_var_run_t, vdagent_t; -+ ') - -- files_search_pids($1) -- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) -+ files_search_pids($1) -+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) - ') - - ######################################## -@@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',` - ## Role allowed access. - ##
    - ## --## - # - interface(`vdagent_admin',` - gen_require(` -@@ -120,6 +119,9 @@ interface(`vdagent_admin',` - - allow $1 vdagent_t:process signal_perms; - ps_process_pattern($1, vdagent_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 vdagent_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/vdagent.te b/vdagent.te -index 77be35a..0e9a7d1 100644 ---- a/vdagent.te -+++ b/vdagent.te -@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) - - dontaudit vdagent_t self:capability sys_admin; - allow vdagent_t self:process signal; -+ - allow vdagent_t self:fifo_file rw_fifo_file_perms; - allow vdagent_t self:unix_stream_socket { accept listen }; - -@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) - setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) - logging_log_filetrans(vdagent_t, vdagent_log_t, file) - -+kernel_request_load_module(vdagent_t) -+ - dev_rw_input_dev(vdagent_t) - dev_read_sysfs(vdagent_t) - dev_dontaudit_write_mtrr(vdagent_t) - --files_read_etc_files(vdagent_t) -- - init_read_state(vdagent_t) - --logging_send_syslog_msg(vdagent_t) -+systemd_read_logind_sessions_files(vdagent_t) -+systemd_login_read_pid_files(vdagent_t) -+ -+term_use_virtio_console(vdagent_t) - --miscfiles_read_localization(vdagent_t) -+logging_send_syslog_msg(vdagent_t) - - userdom_read_all_users_state(vdagent_t) - -diff --git a/vhostmd.if b/vhostmd.if -index 22edd58..c3a5364 100644 ---- a/vhostmd.if -+++ b/vhostmd.if -@@ -216,9 +216,13 @@ interface(`vhostmd_admin',` - type vhostmd_tmpfs_t; - ') - -- allow $1 vhostmd_t:process { ptrace signal_perms }; -+ allow $1 vhostmd_t:process signal_perms; - ps_process_pattern($1, vhostmd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 vhostmd_t:process ptrace; -+ ') -+ - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 vhostmd_initrc_exec_t system_r; -diff --git a/vhostmd.te 
b/vhostmd.te -index 0be8535..b96e329 100644 ---- a/vhostmd.te -+++ b/vhostmd.te -@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t) - dev_read_sysfs(vhostmd_t) - - files_list_tmp(vhostmd_t) --files_read_usr_files(vhostmd_t) - - auth_use_nsswitch(vhostmd_t) - - logging_send_syslog_msg(vhostmd_t) - --miscfiles_read_localization(vhostmd_t) -- - optional_policy(` - hostname_exec(vhostmd_t) - ') -@@ -77,6 +74,7 @@ optional_policy(` - - optional_policy(` - virt_stream_connect(vhostmd_t) -+ virt_write_content(vhostmd_t) - ') - - optional_policy(` -diff --git a/virt.fc b/virt.fc -index c30da4c..9bad8b9 100644 ---- a/virt.fc -+++ b/virt.fc -@@ -1,52 +1,92 @@ --HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) --HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) --HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) --HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) --HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -+HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -+HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+HOME_DIR/\.local/share/gnome-boxes/images(/.*)? 
gen_context(system_u:object_r:svirt_home_t,s0) - --/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) - /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) - /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) --/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - --/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) --/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) -+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) - --/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) --/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) --/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) --/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -- --/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) --/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) -- --/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) --/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) -- --/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) --/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) - /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) - /usr/sbin/libvirtd -- 
gen_context(system_u:object_r:virtd_exec_t,s0) -+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) -+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -+/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) -+/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) - - /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - --/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) --/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) --/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) --/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) --/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) -+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) - --/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -- --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -- --/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) -+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -+/var/log/vdsm(/.*)? 
gen_context(system_u:object_r:virt_log_t,s0) - /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) - /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) --/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) --/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) --/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) --/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) --/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) -+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) -+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) -+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -+ -+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -+ -+# support for AEOLUS project -+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) -+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) -+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) -+/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+/var/lib/vdsm(/.*)? 
gen_context(system_u:object_r:virt_content_t,s0) -+ -+# add support vios-proxy-* -+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) -+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) -+ -+# support for nova-stack -+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) -+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -+ -+/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -+/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -+/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -+ -+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) -+ -+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -+ -+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) -+ -+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) -+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) -+ -+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) -+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) -diff --git a/virt.if b/virt.if -index 9dec06c..73549fd 100644 ---- a/virt.if -+++ b/virt.if -@@ -1,120 +1,51 @@ --## Libvirt virtualization API. 
-+## Libvirt virtualization API - --####################################### -+######################################## - ## --## The template to define a virt domain. -+## Creates types and rules for a basic -+## qemu process domain. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix for the domain. - ## - ## - # - template(`virt_domain_template',` - gen_require(` -- attribute_role virt_domain_roles; -- attribute virt_image_type, virt_domain, virt_tmpfs_type; -- attribute virt_ptynode, virt_tmp_type; -+ attribute virt_image_type, virt_domain; -+ attribute virt_tmpfs_type; -+ attribute virt_ptynode; -+ type qemu_exec_t; - ') - -- ######################################## -- # -- # Declarations -- # -- - type $1_t, virt_domain; -- application_type($1_t) -- qemu_entry_type($1_t) -+ application_domain($1_t, qemu_exec_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) -- role virt_domain_roles types $1_t; -+ role system_r types $1_t; - - type $1_devpts_t, virt_ptynode; - term_pty($1_devpts_t) - -- type $1_tmp_t, virt_tmp_type; -- files_tmp_file($1_tmp_t) -- -- type $1_tmpfs_t, virt_tmpfs_type; -- files_tmpfs_file($1_tmpfs_t) -+ kernel_read_system_state($1_t) - -- optional_policy(` -- pulseaudio_tmpfs_content($1_tmpfs_t) -- ') -+ auth_read_passwd($1_t) - -- type $1_image_t, virt_image_type; -- files_type($1_image_t) -- dev_node($1_image_t) -- dev_associate_sysfs($1_image_t) -+ logging_send_syslog_msg($1_t) - -- ######################################## -- # -- # Policy -- # -- -- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; -+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty($1_t, $1_devpts_t) -- -- manage_dirs_pattern($1_t, $1_image_t, $1_image_t) -- manage_files_pattern($1_t, $1_image_t, $1_image_t) -- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) -- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -- 
manage_sock_files_pattern($1_t, $1_image_t, $1_image_t) -- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) -- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) -- fs_hugetlbfs_filetrans($1_t, $1_image_t, file) -- -- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -- files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) -- -- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) -- -- optional_policy(` -- pulseaudio_run($1_t, virt_domain_roles) -- ') -- -- optional_policy(` -- xserver_rw_shm($1_t) -- ') --') -- --####################################### --## --## The template to define a virt lxc domain. --## --## --## --## Domain prefix to be used. --## --## --# --template(`virt_lxc_domain_template',` -- gen_require(` -- attribute_role svirt_lxc_domain_roles; -- attribute svirt_lxc_domain; -- ') -- -- type $1_t, svirt_lxc_domain; -- domain_type($1_t) -- domain_user_exemption_target($1_t) -- mls_rangetrans_target($1_t) -- mcs_constrained($1_t) -- role svirt_lxc_domain_roles types $1_t; - ') - - ######################################## - ## --## Make the specified type virt image type. -+## Make the specified type usable as a virt image - ## - ## - ## --## Type to be used as a virtual image. -+## Type to be used as a virtual image - ## - ## - # -@@ -125,31 +56,32 @@ interface(`virt_image',` - - typeattribute $1 virt_image_type; - files_type($1) -+ -+ # virt images can be assigned to blk devices - dev_node($1) - ') - --######################################## -+####################################### - ## --## Execute a domain transition to run virtd. -+## Getattr on virt executable. - ## - ## --## --## Domain allowed to transition. --## -+## -+## Domain allowed to transition. 
-+## - ## - # --interface(`virt_domtrans',` -- gen_require(` -- type virtd_t, virtd_exec_t; -- ') -+interface(`virt_getattr_exec',` -+ gen_require(` -+ type virtd_exec_t; -+ ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, virtd_exec_t, virtd_t) -+ allow $1 virtd_exec_t:file getattr; - ') - - ######################################## - ## --## Execute a domain transition to run virt qmf. -+## Execute a domain transition to run virt. - ## - ## - ## -@@ -157,162 +89,71 @@ interface(`virt_domtrans',` - ## - ## - # --interface(`virt_domtrans_qmf',` -+interface(`virt_domtrans',` - gen_require(` -- type virt_qmf_t, virt_qmf_exec_t; -+ type virtd_t, virtd_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) -+ domtrans_pattern($1, virtd_exec_t, virtd_t) - ') - - ######################################## - ## --## Execute a domain transition to --## run virt bridgehelper. -+## Execute virtd in the caller domain. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`virt_domtrans_bridgehelper',` -+interface(`virt_exec',` - gen_require(` -- type virt_bridgehelper_t, virt_bridgehelper_exec_t; -+ type virtd_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) -+ can_exec($1, virtd_exec_t) - ') - - ######################################## - ## --## Execute bridgehelper in the bridgehelper --## domain, and allow the specified role --## the bridgehelper domain. -+## Transition to virt_qmf. - ## - ## --## --## Domain allowed to transition. --## --## --## --## --## Role allowed access. 
--## --## --# --interface(`virt_run_bridgehelper',` -- gen_require(` -- attribute_role virt_bridgehelper_roles; -- ') -- -- virt_domtrans_bridgehelper($1) -- roleattribute $2 virt_bridgehelper_roles; --') -- --######################################## - ## --## Execute virt domain in the their --## domain, and allow the specified --## role that virt domain. --## --## --## - ## Domain allowed to transition. --## --## --## --## --## Role allowed access. --## --## --# --interface(`virt_run_virt_domain',` -- gen_require(` -- attribute virt_domain; -- attribute_role virt_domain_roles; -- ') -- -- allow $1 virt_domain:process { signal transition }; -- roleattribute $2 virt_domain_roles; -- -- allow virt_domain $1:fd use; -- allow virt_domain $1:fifo_file rw_fifo_file_perms; -- allow virt_domain $1:process sigchld; --') -- --######################################## --## --## Send generic signals to all virt domains. - ## --## --## --## Domain allowed access. --## - ## - # --interface(`virt_signal_all_virt_domains',` -+interface(`virt_domtrans_qmf',` - gen_require(` -- attribute virt_domain; -+ type virt_qmf_t, virt_qmf_exec_t; - ') - -- allow $1 virt_domain:process signal; -+ corecmd_search_bin($1) -+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) - ') - - ######################################## - ## --## Send kill signals to all virt domains. -+## Transition to virt_bridgehelper. - ## - ## --## --## Domain allowed access. --## --## --# --interface(`virt_kill_all_virt_domains',` -- gen_require(` -- attribute virt_domain; -- ') -- -- allow $1 virt_domain:process sigkill; --') -- --######################################## - ## --## Execute svirt lxc domains in their --## domain, and allow the specified --## role that svirt lxc domain. -+## Domain allowed to transition. - ## --## --## --## Domain allowed to transition. --## --## --## --## --## Role allowed access. 
--## - ## --# --interface(`virt_run_svirt_lxc_domain',` -+interface(`virt_domtrans_bridgehelper',` - gen_require(` -- attribute svirt_lxc_domain; -- attribute_role svirt_lxc_domain_roles; -+ type virt_bridgehelper_t, virt_bridgehelper_exec_t; - ') - -- allow $1 svirt_lxc_domain:process { signal transition }; -- roleattribute $2 svirt_lxc_domain_roles; -- -- allow svirt_lxc_domain $1:fd use; -- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; -- allow svirt_lxc_domain $1:process sigchld; -+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) - ') - - ####################################### - ## --## Get attributes of virtd executable files. -+## Connect to virt over a unix domain stream socket. - ## - ## - ## -@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',` - ## - ## - # --interface(`virt_getattr_virtd_exec_files',` -+interface(`virt_stream_connect',` - gen_require(` -- type virtd_exec_t; -+ type virtd_t, virt_var_run_t; - ') - -- allow $1 virtd_exec_t:file getattr_file_perms; -+ files_search_pids($1) -+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) - ') - - ####################################### - ## --## Connect to virt with a unix --## domain stream socket. -+## Connect to svirt process over a unix domain stream socket. - ## - ## - ## -@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',` - ## - ## - # --interface(`virt_stream_connect',` -+interface(`virt_stream_connect_svirt',` - gen_require(` -- type virtd_t, virt_var_run_t; -+ type svirt_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -+ allow $1 svirt_t:unix_stream_socket connectto; - ') - - ######################################## - ## --## Attach to virt tun devices. -+## Allow domain to attach to virt TUN devices - ## - ## - ## -@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',` - - ######################################## - ## --## Read virt configuration content. 
-+## Read virt config files. - ## - ## - ## -@@ -383,7 +223,6 @@ interface(`virt_read_config',` - ') - - files_search_etc($1) -- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +230,7 @@ interface(`virt_read_config',` - - ######################################## - ## --## Create, read, write, and delete --## virt configuration content. -+## manage virt config files. - ## - ## - ## -@@ -406,7 +244,6 @@ interface(`virt_manage_config',` - ') - - files_search_etc($1) -- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +251,7 @@ interface(`virt_manage_config',` - - ######################################## - ## --## Create, read, write, and delete --## virt image files. -+## Allow domain to manage virt image files - ## - ## - ## -@@ -450,8 +286,7 @@ interface(`virt_read_content',` - - ######################################## - ## --## Create, read, write, and delete --## virt content. 
-+## Allow domain to write virt image files - ## - ## - ## -@@ -459,35 +294,17 @@ interface(`virt_read_content',` - ## - ## - # --interface(`virt_manage_virt_content',` -+interface(`virt_write_content',` - gen_require(` - type virt_content_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_content_t:dir manage_dir_perms; -- allow $1 virt_content_t:file manage_file_perms; -- allow $1 virt_content_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_content_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_content_t:sock_file manage_sock_file_perms; -- allow $1 virt_content_t:blk_file manage_blk_file_perms; -- -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) -- ') -- -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) -- ') -+ allow $1 virt_content_t:file write_file_perms; - ') - - ######################################## - ## --## Relabel virt content. -+## Read virt PID symlinks files. - ## - ## - ## -@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',` - ## - ## - # --interface(`virt_relabel_virt_content',` -+interface(`virt_read_pid_symlinks',` - gen_require(` -- type virt_content_t; -+ type virt_var_run_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_content_t:dir relabel_dir_perms; -- allow $1 virt_content_t:file relabel_file_perms; -- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms; -- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms; -- allow $1 virt_content_t:sock_file relabel_sock_file_perms; -- allow $1 virt_content_t:blk_file relabel_blk_file_perms; -+ files_search_pids($1) -+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) - ') - - ######################################## - ## --## Create specified objects in user home --## directories with the virt content type. -+## Read virt PID files. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`virt_home_filetrans_virt_content',` -+interface(`virt_read_pid_files',` - gen_require(` -- type virt_content_t; -+ type virt_var_run_t; - ') - -- virt_home_filetrans($1, virt_content_t, $2, $3) -+ files_search_pids($1) -+ read_files_pattern($1, virt_var_run_t, virt_var_run_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## svirt home content. -+## Manage virt pid directories. - ## - ## - ## -@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',` - ## - ## - # --interface(`virt_manage_svirt_home_content',` -+interface(`virt_manage_pid_dirs',` - gen_require(` -- type svirt_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 svirt_home_t:dir manage_dir_perms; -- allow $1 svirt_home_t:file manage_file_perms; -- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 svirt_home_t:sock_file manage_sock_file_perms; -- -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) -+ type virt_var_run_t; -+ type virt_lxc_var_run_t; - ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) -- ') -+ files_search_pids($1) -+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) -+ virt_filetrans_named_content($1) - ') - - ######################################## - ## --## Relabel svirt home content. -+## Manage virt pid files. 
- ## - ## - ## -@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',` - ## - ## - # --interface(`virt_relabel_svirt_home_content',` -+interface(`virt_manage_pid_files',` - gen_require(` -- type svirt_home_t; -+ type virt_var_run_t; -+ type virt_lxc_var_run_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 svirt_home_t:dir relabel_dir_perms; -- allow $1 svirt_home_t:file relabel_file_perms; -- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; -- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; -- allow $1 svirt_home_t:sock_file relabel_sock_file_perms; -+ files_search_pids($1) -+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) - ') - - ######################################## - ## --## Create specified objects in user home --## directories with the svirt home type. -+## Create objects in the pid directory -+## with a private type with a type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## - ## --## Class of the object being created. -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. - ## - ## - ## -@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',` - ## - ## - # --interface(`virt_home_filetrans_svirt_home',` -+interface(`virt_pid_filetrans',` - gen_require(` -- type svirt_home_t; -+ type virt_var_run_t; - ') - -- virt_home_filetrans($1, svirt_home_t, $2, $3) -+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4) - ') - - ######################################## - ## --## Create specified objects in generic --## virt home directories with private --## home type. -+## Search virt lib directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Private file type. --## --## --## --## --## Class of the object being created. 
--## --## --## --## --## The name of the object being created. --## --## - # --interface(`virt_home_filetrans',` -+interface(`virt_search_lib',` - gen_require(` -- type virt_home_t; -+ type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- filetrans_pattern($1, virt_home_t, $2, $3, $4) -+ allow $1 virt_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) - ') - - ######################################## - ## --## Create, read, write, and delete --## virt home files. -+## Read virt lib files. - ## - ## - ## -@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',` - ## - ## - # --interface(`virt_manage_home_files',` -+interface(`virt_read_lib_files',` - gen_require(` -- type virt_home_t; -+ type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- manage_files_pattern($1, virt_home_t, virt_home_t) -+ files_search_var_lib($1) -+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## virt home content. -+## Dontaudit inherited read virt lib files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`virt_manage_generic_virt_home_content',` -+interface(`virt_dontaudit_read_lib_files',` - gen_require(` -- type virt_home_t; -- ') -- -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; -- -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) -+ type virt_var_lib_t; - ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) -- ') -+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; - ') - - ######################################## - ## --## Relabel virt home content. -+## Create, read, write, and delete -+## virt lib files. - ## - ## - ## -@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',` - ## - ## - # --interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_manage_lib_files',` - gen_require(` -- type virt_home_t; -+ type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir relabel_dir_perms; -- allow $1 virt_home_t:file relabel_file_perms; -- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; -- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; -- allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ files_search_var_lib($1) -+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - ') - - ######################################## - ## --## Create specified objects in user home --## directories with the generic virt --## home type. -+## Allow the specified domain to read virt's log files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. 
--## --## -+## - # --interface(`virt_home_filetrans_virt_home',` -+interface(`virt_read_log',` - gen_require(` -- type virt_home_t; -+ type virt_log_t; - ') - -- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -+ logging_search_logs($1) -+ read_files_pattern($1, virt_log_t, virt_log_t) - ') - - ######################################## - ## --## Read virt pid files. -+## Allow the specified domain to append -+## virt log files. - ## - ## - ## -@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',` - ## - ## - # --interface(`virt_read_pid_files',` -+interface(`virt_append_log',` - gen_require(` -- type virt_var_run_t; -+ type virt_log_t; - ') - -- files_search_pids($1) -- read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ logging_search_logs($1) -+ append_files_pattern($1, virt_log_t, virt_log_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## virt pid files. -+## Allow domain to manage virt log files - ## - ## - ## -@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',` - ## - ## - # --interface(`virt_manage_pid_files',` -+interface(`virt_manage_log',` - gen_require(` -- type virt_var_run_t; -+ type virt_log_t; - ') - -- files_search_pids($1) -- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_dirs_pattern($1, virt_log_t, virt_log_t) -+ manage_files_pattern($1, virt_log_t, virt_log_t) -+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) - ') - - ######################################## - ## --## Search virt lib directories. 
-+## Allow domain to search virt image direcories - ## - ## - ## -@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',` - ## - ## - # --interface(`virt_search_lib',` -+interface(`virt_search_images',` - gen_require(` -- type virt_var_lib_t; -+ attribute virt_image_type; - ') - -- files_search_var_lib($1) -- allow $1 virt_var_lib_t:dir search_dir_perms; -+ virt_search_lib($1) -+ allow $1 virt_image_type:dir search_dir_perms; - ') - - ######################################## - ## --## Read virt lib files. -+## Allow domain to read virt image files - ## - ## - ## -@@ -839,20 +584,73 @@ interface(`virt_search_lib',` - ## - ## - # --interface(`virt_read_lib_files',` -+interface(`virt_read_images',` - gen_require(` - type virt_var_lib_t; -+ attribute virt_image_type; - ') - -- files_search_var_lib($1) -- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ virt_search_lib($1) -+ allow $1 virt_image_type:dir list_dir_perms; -+ list_dirs_pattern($1, virt_image_type, virt_image_type) -+ read_files_pattern($1, virt_image_type, virt_image_type) -+ read_lnk_files_pattern($1, virt_image_type, virt_image_type) -+ read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ read_chr_files_pattern($1, virt_image_type, virt_image_type) -+ -+ tunable_policy(`virt_use_nfs',` -+ fs_list_nfs($1) -+ fs_read_nfs_files($1) -+ fs_read_nfs_symlinks($1) -+ ') -+ -+ tunable_policy(`virt_use_samba',` -+ fs_list_cifs($1) -+ fs_read_cifs_files($1) -+ fs_read_cifs_symlinks($1) -+ ') -+') -+ -+######################################## -+## -+## Allow domain to read virt blk image files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`virt_read_blk_images',` -+ gen_require(` -+ attribute virt_image_type; -+ ') -+ -+ read_blk_files_pattern($1, virt_image_type, virt_image_type) -+') -+ -+######################################## -+## -+## Allow domain to read/write virt image chr files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_rw_chr_files',` -+ gen_require(` -+ attribute virt_image_type; -+ ') -+ -+ rw_chr_files_pattern($1, virt_image_type, virt_image_type) - ') - - ######################################## - ## - ## Create, read, write, and delete --## virt lib files. -+## svirt cache files. - ## - ## - ## -@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',` - ## - ## - # --interface(`virt_manage_lib_files',` -+interface(`virt_manage_cache',` - gen_require(` -- type virt_var_lib_t; -+ type virt_cache_t; - ') - -- files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ files_search_var($1) -+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t) -+ manage_files_pattern($1, virt_cache_t, virt_cache_t) -+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. -+## Allow domain to manage virt image files - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## -+# -+interface(`virt_manage_images',` -+ gen_require(` -+ type virt_var_lib_t; -+ attribute virt_image_type; -+ ') -+ -+ virt_search_lib($1) -+ allow $1 virt_image_type:dir list_dir_perms; -+ manage_dirs_pattern($1, virt_image_type, virt_image_type) -+ manage_files_pattern($1, virt_image_type, virt_image_type) -+ read_lnk_files_pattern($1, virt_image_type, virt_image_type) -+ rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+') -+ -+####################################### -+## -+## Allow domain to manage virt image files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_manage_default_image_type',` -+ gen_require(` -+ type virt_var_lib_t; -+ type virt_image_t; -+ ') -+ -+ virt_search_lib($1) -+ manage_dirs_pattern($1, virt_image_t, virt_image_t) -+ manage_files_pattern($1, virt_image_t, virt_image_t) -+ read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+') -+ -+######################################## -+## -+## Execute virt server in the virt domain. -+## -+## - ## --## The type of the object to be created. -+## Domain allowed to transition. - ## - ## --## -+# -+interface(`virt_systemctl',` -+ gen_require(` -+ type virtd_unit_file_t; -+ type virtd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 virtd_unit_file_t:file read_file_perms; -+ allow $1 virtd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, virtd_t) -+') -+ -+######################################## -+## -+## Ptrace the svirt domain -+## -+## - ## --## The object class of the object being created. -+## Domain allowed to transition. - ## - ## --## -+# -+interface(`virt_ptrace',` -+ gen_require(` -+ attribute virt_domain; -+ ') -+ -+ allow $1 virt_domain:process ptrace; -+') -+ -+####################################### -+## -+## Connect to virt over a unix domain stream socket. -+## -+## - ## --## The name of the object being created. -+## Domain allowed access. 
- ## - ## --## - # --interface(`virt_pid_filetrans',` -+interface(`virt_stream_connect_sandbox',` - gen_require(` -- type virt_var_run_t; -+ attribute svirt_sandbox_domain; -+ type svirt_sandbox_file_t; - ') - - files_search_pids($1) -- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) -+ ps_process_pattern(svirt_sandbox_domain, $1) - ') - - ######################################## - ## --## Read virt log files. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. - ## - ## - ## --## Domain allowed access. -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. - ## - ## - ## - # --interface(`virt_read_log',` -+interface(`virt_transition_svirt',` - gen_require(` -- type virt_log_t; -+ attribute virt_domain; -+ type virt_bridgehelper_t; -+ type svirt_image_t; -+ type svirt_socket_t; - ') - -- logging_search_logs($1) -- read_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_domain:process transition; -+ role $2 types virt_domain; -+ role $2 types virt_bridgehelper_t; -+ role $2 types svirt_socket_t; -+ -+ allow $1 virt_domain:process { sigkill sigstop signull signal }; -+ allow $1 svirt_image_t:file { relabelfrom relabelto }; -+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; -+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; -+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; -+ -+ optional_policy(` -+ ptchown_run(virt_domain, $2) -+ ') - ') - - ######################################## - ## --## Append virt log files. -+## Do not audit attempts to write virt daemon unnamed pipes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`virt_append_log',` -+interface(`virt_dontaudit_write_pipes',` - gen_require(` -- type virt_log_t; -+ type virtd_t; - ') - -- logging_search_logs($1) -- append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## virt log files. -+## Send a sigkill to virtual machines - ## - ## - ## -@@ -955,20 +848,17 @@ interface(`virt_append_log',` - ## - ## - # --interface(`virt_manage_log',` -+interface(`virt_kill_svirt',` - gen_require(` -- type virt_log_t; -+ attribute virt_domain; - ') - -- logging_search_logs($1) -- manage_dirs_pattern($1, virt_log_t, virt_log_t) -- manage_files_pattern($1, virt_log_t, virt_log_t) -- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_domain:process sigkill; - ') - - ######################################## - ## --## Search virt image directories. -+## Send a sigkill to virtd daemon. - ## - ## - ## -@@ -976,18 +866,17 @@ interface(`virt_manage_log',` - ## - ## - # --interface(`virt_search_images',` -+interface(`virt_kill',` - gen_require(` -- attribute virt_image_type; -+ type virtd_t; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virtd_t:process sigkill; - ') - - ######################################## - ## --## Read virt image files. 
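Review bot: The inner patch replaces `virt_manage_log` in place with `virt_kill_svirt` and leaves no compatibility stub, although this same file handles a renamed interface with `refpolicywarn(`$0($*) has been deprecated, use ... instead.')` (see the removed `virt_manage_svirt_cache` further down). Unless `virt_manage_log` (and the `virt_read_log`/`virt_append_log` removed just above this hunk) are re-declared elsewhere in virt.if outside this view, every module that calls them stops building instead of getting a warning. Keeping an `interface(`virt_manage_log',` ... `')` shell that at least emits the `refpolicywarn` would make the removal visible rather than fatal.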
-+## Send a signal to virtual machines - ## - ## - ## -@@ -995,73 +884,75 @@ interface(`virt_search_images',` - ## - ## - # --interface(`virt_read_images',` -+interface(`virt_signal_svirt',` - gen_require(` -- type virt_var_lib_t; -- attribute virt_image_type; -+ attribute virt_domain; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- list_dirs_pattern($1, virt_image_type, virt_image_type) -- read_files_pattern($1, virt_image_type, virt_image_type) -- read_lnk_files_pattern($1, virt_image_type, virt_image_type) -- read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_domain:process signal; -+') - -- tunable_policy(`virt_use_nfs',` -- fs_list_nfs($1) -- fs_read_nfs_files($1) -- fs_read_nfs_symlinks($1) -+######################################## -+## -+## Manage virt home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_manage_home_files',` -+ gen_require(` -+ type virt_home_t; - ') - -- tunable_policy(`virt_use_samba',` -- fs_list_cifs($1) -- fs_read_cifs_files($1) -- fs_read_cifs_symlinks($1) -- ') -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) - ') - - ######################################## - ## --## Read and write all virt image --## character files. -+## allow domain to read -+## virt tmpfs files - ## - ## - ## --## Domain allowed access. -+## Domain allowed access - ## - ## - # --interface(`virt_rw_all_image_chr_files',` -+interface(`virt_read_tmpfs_files',` - gen_require(` -- attribute virt_image_type; -+ attribute virt_tmpfs_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_tmpfs_type:file read_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## svirt cache files. -+## allow domain to manage -+## virt tmpfs files - ## - ## - ## --## Domain allowed access. 
-+## Domain allowed access - ## - ## - # --interface(`virt_manage_svirt_cache',` -- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') -- virt_manage_virt_cache($1) -+interface(`virt_manage_tmpfs_files',` -+ gen_require(` -+ attribute virt_tmpfs_type; -+ ') -+ -+ allow $1 virt_tmpfs_type:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## virt cache content. -+## Create .virt directory in the user home directory -+## with an correct label. - ## - ## - ## -@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',` - ## - ## - # --interface(`virt_manage_virt_cache',` -+interface(`virt_filetrans_home_content',` - gen_require(` -- type virt_cache_t; -+ type virt_home_t; -+ type svirt_home_t; - ') - -- files_search_var($1) -- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) -- manage_files_pattern($1, virt_cache_t, virt_cache_t) -- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") -+ -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") -+ ') - ') - - ######################################## - ## --## Create, read, write, and delete --## virt image files. -+## Dontaudit attempts to Read virt_image_type devices. 
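Review bot: The new `virt_read_tmpfs_files` and `virt_manage_tmpfs_files` grant file permissions on `virt_tmpfs_type` with no `fs_search_tmpfs($1)`, and `virt_manage_tmpfs_files` grants `manage_file_perms` with no directory permission at all, so a caller can only create or unlink entries if it already has tmpfs dir access from elsewhere. The removed `virt_read_images` shows the file's own convention of pairing the grant with the parent search (`virt_search_lib($1)`); `fs_search_tmpfs($1)` plus `manage_files_pattern($1, virt_tmpfs_type, virt_tmpfs_type)` would follow it. Note also that the `virt_use_nfs`/`virt_use_samba` `tunable_policy` blocks disappear with `virt_read_images`; if that interface is not re-declared elsewhere, callers lose the boolean-gated NFS/CIFS read access silently.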
- ## - ## - ## -@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',` - ## - ## - # --interface(`virt_manage_images',` -+interface(`virt_dontaudit_read_chr_dev',` - gen_require(` -- type virt_var_lib_t; - attribute virt_image_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- manage_dirs_pattern($1, virt_image_type, virt_image_type) -- manage_files_pattern($1, virt_image_type, virt_image_type) -- read_lnk_files_pattern($1, virt_image_type, virt_image_type) -- rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; -+') - -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_read_nfs_symlinks($1) -+######################################## -+## -+## Creates types and rules for a basic -+## virt_lxc process domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`virt_sandbox_domain_template',` -+ gen_require(` -+ attribute svirt_sandbox_domain; - ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) -+ type $1_t, svirt_sandbox_domain; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+ role system_r types $1_t; -+ -+ kernel_read_system_state($1_t) -+') -+ -+######################################## -+## -+## Make the specified type usable as a lxc domain -+## -+## -+## -+## Type to be used as a lxc domain -+## -+## -+# -+template(`virt_sandbox_domain',` -+ gen_require(` -+ attribute svirt_sandbox_domain; -+ ') -+ -+ typeattribute $1 svirt_sandbox_domain; -+') -+ -+######################################## -+## -+## Execute a qemu_exec_t in the callers domain -+## -+## -+## -+## Domain allowed access. 
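Review bot: `gnome_data_filetrans($1, svirt_home_t, dir, "images")` in the new `virt_filetrans_home_content` labels any directory named `images` that `$1` creates under the user's GNOME data dir as `svirt_home_t`, a type this file groups under `svirt_file_type`, i.e. content the confined guest domains can write. A name collision with some unrelated application's `images` directory would hand that data to a guest; if the intent is a gnome-boxes images directory, transitioning from a libvirt- or boxes-specific parent rather than the generic data dir would be tighter (confirm whether the gnome interfaces allow that). The summary also reads "with an correct label"; `with the correct label` is meant.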
-+## -+## -+# -+interface(`virt_exec_qemu',` -+ gen_require(` -+ type qemu_exec_t; -+ ') -+ -+ can_exec($1, qemu_exec_t) -+') -+ -+######################################## -+## -+## Transition to virt named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_filetrans_named_content',` -+ gen_require(` -+ type virt_lxc_var_run_t; -+ type virt_var_run_t; -+ ') -+ -+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") -+') -+ -+######################################## -+## -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. -+## -+## -+## -+# -+interface(`virt_transition_svirt_sandbox',` -+ gen_require(` -+ attribute svirt_sandbox_domain; -+ ') -+ -+ allow $1 svirt_sandbox_domain:process transition; -+ role $2 types svirt_sandbox_domain; -+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; -+ -+ allow svirt_sandbox_domain $1:process sigchld; -+') -+ -+######################################## -+## -+## Read and write to svirt_image devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_rw_svirt_dev',` -+ gen_require(` -+ type svirt_image_t; - ') -+ -+ allow $1 svirt_image_t:chr_file rw_file_perms; - ') - - ######################################## - ## --## All of the rules required to --## administrate an virt environment. 
-+## All of the rules required to administrate -+## an virt environment - ## - ## - ## -@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',` - # - interface(`virt_admin',` - gen_require(` -- attribute virt_domain, virt_image_type, virt_tmpfs_type; -- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; -- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; -- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; -- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; -- type virt_var_run_t, virt_tmp_t, virt_log_t; -- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; -- type virt_etc_t, svirt_cache_t; -+ attribute virt_domain; -+ attribute virt_system_domain; -+ attribute svirt_file_type; -+ attribute virt_file_type; -+ type virtd_initrc_exec_t; - ') - -- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; -- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) -- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) -+ allow $1 virt_system_domain:process signal_perms; -+ allow $1 virt_domain:process signal_perms; -+ ps_process_pattern($1, virt_system_domain) -+ ps_process_pattern($1, virt_domain) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 virt_system_domain:process ptrace; -+ allow $1 virt_domain:process ptrace; -+ ') - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; - -- fs_search_tmpfs($1) -- admin_pattern($1, virt_tmpfs_type) -- -- files_search_tmp($1) -- admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- -- files_search_etc($1) -- admin_pattern($1, { virt_etc_t virt_etc_rw_t }) -- -- logging_search_logs($1) -- admin_pattern($1, virt_log_t) -+ allow $1 virt_domain:process signal_perms; - -- files_search_pids($1) -- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t 
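Review bot: `virt_sandbox_domain` is declared with `template(` but declares nothing — its whole body is `typeattribute $1 svirt_sandbox_domain;` — so by refpolicy convention it should be an `interface(`; conversely `virt_sandbox_domain_template` hard-codes `role system_r types $1_t;` with no role parameter, so a caller wanting a sandbox usable from another role has no hook. `virt_transition_svirt_sandbox` grants `$1` `process transition` into every `svirt_sandbox_domain` without a paired entrypoint/`domtrans_pattern` or the usual `dontaudit $1 svirt_sandbox_domain:process { noatsecure siginh rlimitinh }`; presumably the entrypoint is set up by the lxc code outside this view, which is worth a one-line comment here. Minor: `virt_rw_svirt_dev` uses `rw_file_perms` on a `chr_file`; the class-specific `rw_chr_file_perms` is the convention (the sets appear to be the same, so this is style).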
svirt_var_run_t }) -- -- files_search_var($1) -- admin_pattern($1, svirt_cache_t) -- -- files_search_var_lib($1) -- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -+ admin_pattern($1, virt_file_type) -+ admin_pattern($1, svirt_file_type) - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) -+ virt_systemctl($1) -+ allow $1 virtd_unit_file_t:service all_service_perms; - -- dev_list_all_dev_nodes($1) -- allow $1 virt_ptynode:chr_file rw_term_perms; -+ virt_stream_connect_sandbox($1) -+ virt_stream_connect_svirt($1) -+ virt_stream_connect($1) - ') -diff --git a/virt.te b/virt.te -index 1f22fba..62390bf 100644 ---- a/virt.te -+++ b/virt.te -@@ -1,147 +1,167 @@ --policy_module(virt, 1.6.10) -+policy_module(virt, 1.5.0) - - ######################################## - # - # Declarations - # -+attribute virsh_transition_domain; -+attribute virt_ptynode; -+attribute virt_system_domain; -+attribute virt_domain; -+attribute virt_image_type; -+attribute virt_tmpfs_type; -+attribute svirt_file_type; -+attribute virt_file_type; -+attribute sandbox_net_domain; -+ -+type svirt_tmp_t, svirt_file_type; -+files_tmp_file(svirt_tmp_t) -+ -+type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; -+files_tmpfs_file(svirt_tmpfs_t) -+ -+type svirt_image_t, virt_image_type, svirt_file_type; -+files_type(svirt_image_t) -+dev_node(svirt_image_t) -+dev_associate_sysfs(svirt_image_t) - - ## --##
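Review bot: In the rewritten `virt_admin`, `allow $1 virtd_unit_file_t:service all_service_perms;` uses a type that is not in this interface's own `gen_require`, relying on the require block expanded by the `virt_systemctl($1)` call just above it; that works only as long as that call stays and keeps its require, so add `type virtd_unit_file_t;` to this block. `allow $1 virt_domain:process signal_perms;` appears twice. The ptrace grant being wrapped in `tunable_policy(`deny_ptrace',`',` ... `')` is the right shape; by contrast the old `dev_list_all_dev_nodes($1)` and `virt_ptynode:chr_file rw_term_perms` are dropped without comment, so it is unclear whether admins are meant to lose console access to guests.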

    --## Determine whether confined virtual guests --## can use serial/parallel communication ports. --##

    -+##

    -+## Allow confined virtual guests to use serial/parallel communication ports -+##

    - ##
    - gen_tunable(virt_use_comm, false) - - ## --##

    --## Determine whether confined virtual guests --## can use executable memory and can make --## their stack executable. --##

    -+##

    -+## Allow virtual processes to run as userdomains -+##

    -+##
    -+gen_tunable(virt_transition_userdomain, false) -+ -+## -+##

    -+## Allow confined virtual guests to use executable memory and executable stack -+##

    - ##
    - gen_tunable(virt_use_execmem, false) - - ## --##

    --## Determine whether confined virtual guests --## can use fuse file systems. --##

    -+##

    -+## Allow confined virtual guests to read fuse files -+##

    - ##
    - gen_tunable(virt_use_fusefs, false) - - ## --##

    --## Determine whether confined virtual guests --## can use nfs file systems. --##

    -+##

    -+## Allow confined virtual guests to manage nfs files -+##

    - ##
    - gen_tunable(virt_use_nfs, false) - - ## --##

    --## Determine whether confined virtual guests --## can use cifs file systems. --##

    -+##

    -+## Allow confined virtual guests to manage cifs files -+##

    - ##
    - gen_tunable(virt_use_samba, false) - - ## --##

    --## Determine whether confined virtual guests --## can manage device configuration. --##

    -+##

    -+## Allow confined virtual guests to interact with the sanlock -+##

    - ##
    --gen_tunable(virt_use_sysfs, false) -+gen_tunable(virt_use_sanlock, false) - - ## --##

    --## Determine whether confined virtual guests --## can use usb devices. --##

    -+##

    -+## Allow confined virtual guests to interact with rawip sockets -+##

    - ##
    --gen_tunable(virt_use_usb, false) -+gen_tunable(virt_use_rawip, false) - - ## --##

    --## Determine whether confined virtual guests --## can interact with xserver. --##

    -+##

    -+## Allow confined virtual guests to interact with the xserver -+##

    - ##
    - gen_tunable(virt_use_xserver, false) - --attribute virt_ptynode; --attribute virt_domain; --attribute virt_image_type; --attribute virt_tmp_type; --attribute virt_tmpfs_type; -- --attribute svirt_lxc_domain; -- --attribute_role virt_domain_roles; --roleattribute system_r virt_domain_roles; -+## -+##

    -+## Allow confined virtual guests to use usb devices -+##

    -+##
    -+gen_tunable(virt_use_usb, true) - --attribute_role virt_bridgehelper_roles; --roleattribute system_r virt_bridgehelper_roles; -+virt_domain_template(svirt) -+role system_r types svirt_t; -+typealias svirt_t alias qemu_t; - --attribute_role svirt_lxc_domain_roles; --roleattribute system_r svirt_lxc_domain_roles; -+virt_domain_template(svirt_tcg) -+role system_r types svirt_tcg_t; - --virt_domain_template(svirt) --virt_domain_template(svirt_prot_exec) -+type qemu_exec_t, virt_file_type; - --type virt_cache_t alias svirt_cache_t; -+type virt_cache_t alias svirt_cache_t, virt_file_type; - files_type(virt_cache_t) - --type virt_etc_t; -+type virt_etc_t, virt_file_type; - files_config_file(virt_etc_t) - --type virt_etc_rw_t; -+type virt_etc_rw_t, virt_file_type; - files_type(virt_etc_rw_t) - --type virt_home_t; -+type virt_home_t, virt_file_type; - userdom_user_home_content(virt_home_t) - --type svirt_home_t; -+type svirt_home_t, svirt_file_type; - userdom_user_home_content(svirt_home_t) - --type svirt_var_run_t; --files_pid_file(svirt_var_run_t) --mls_trusted_object(svirt_var_run_t) -- --type virt_image_t; # customizable -+# virt Image files -+type virt_image_t, virt_file_type; # customizable - virt_image(virt_image_t) - files_mountpoint(virt_image_t) - --type virt_content_t; # customizable -+# virt Image files -+type virt_content_t, virt_file_type; # customizable - virt_image(virt_content_t) - userdom_user_home_content(virt_content_t) - --type virt_lock_t; --files_lock_file(virt_lock_t) -+type virt_tmp_t, virt_file_type; -+files_tmp_file(virt_tmp_t) - --type virt_log_t; -+type virt_log_t, virt_file_type; - logging_log_file(virt_log_t) - mls_trusted_object(virt_log_t) - --type virt_tmp_t; --files_tmp_file(virt_tmp_t) -+type virt_lock_t, virt_file_type; -+files_lock_file(virt_lock_t) - --type virt_var_run_t; -+type virt_var_run_t, virt_file_type; - files_pid_file(virt_var_run_t) - --type virt_var_lib_t; -+type virt_var_lib_t, virt_file_type; - 
files_mountpoint(virt_var_lib_t) - --type virtd_t; --type virtd_exec_t; -+type virtd_t, virt_system_domain; -+type virtd_exec_t, virt_file_type; - init_daemon_domain(virtd_t, virtd_exec_t) - domain_obj_id_change_exemption(virtd_t) - domain_subj_id_change_exemption(virtd_t) - --type virtd_initrc_exec_t; -+type virtd_unit_file_t, virt_file_type; -+systemd_unit_file(virtd_unit_file_t) -+ -+type virtd_initrc_exec_t, virt_file_type; - init_script_file(virtd_initrc_exec_t) - -+type qemu_var_run_t, virt_file_type; -+typealias qemu_var_run_t alias svirt_var_run_t; -+files_pid_file(qemu_var_run_t) -+mls_trusted_object(qemu_var_run_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) - ') -@@ -150,295 +170,141 @@ ifdef(`enable_mls',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) - ') - --type virt_qmf_t; --type virt_qmf_exec_t; -+type virt_qmf_t, virt_system_domain; -+type virt_qmf_exec_t, virt_file_type; - init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) - --type virt_bridgehelper_t; --type virt_bridgehelper_exec_t; -+type virt_bridgehelper_t, virt_system_domain; - domain_type(virt_bridgehelper_t) -+ -+type virt_bridgehelper_exec_t, virt_file_type; - domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) --role virt_bridgehelper_roles types virt_bridgehelper_t; -+role system_r types virt_bridgehelper_t; - --type virtd_lxc_t; --type virtd_lxc_exec_t; --init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -+# policy for qemu_ga -+type virt_qemu_ga_t, virt_system_domain; -+type virt_qemu_ga_exec_t, virt_file_type; -+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) - --type virtd_lxc_var_run_t; --files_pid_file(virtd_lxc_var_run_t) -+type virt_qemu_ga_var_run_t, virt_file_type; -+files_pid_file(virt_qemu_ga_var_run_t) - --type svirt_lxc_file_t; --files_mountpoint(svirt_lxc_file_t) --fs_noxattr_type(svirt_lxc_file_t) --term_pty(svirt_lxc_file_t) -+type virt_qemu_ga_log_t, virt_file_type; 
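Review bot: `gen_tunable(virt_use_usb, true)` flips the shipped default from `false` to `true` with no comment; the removed `tunable_policy(`virt_use_usb',` block in the next hunk gated `dev_rw_usbfs`, `dev_read_sysfs` and `fs_manage_dos_*` for all guest domains, so if the replacement (not in view) still keys off this boolean, confined guests get raw USB access out of the box. The same hunk moves `policy_module(virt, 1.6.10)` back to `1.5.0`, a version regression that makes the module look older than the one it replaces, and drops `virt_use_sysfs` with no alias, so any `booleans.local` or `setsebool` invocation naming it will fail. Suggest keeping the USB default at `false` (or adding a `# default on: <reason>` line if on is intended) and bumping the module version forward.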
-+logging_log_file(virt_qemu_ga_log_t) - --virt_lxc_domain_template(svirt_lxc_net) -+type virt_qemu_ga_tmp_t, virt_file_type; -+files_tmp_file(virt_qemu_ga_tmp_t) - --type virsh_t; --type virsh_exec_t; --init_system_domain(virsh_t, virsh_exec_t) -+type virt_qemu_ga_data_t, virt_file_type; -+files_type(virt_qemu_ga_data_t) -+ -+type virt_qemu_ga_unconfined_exec_t, virt_file_type; -+application_executable_file(virt_qemu_ga_unconfined_exec_t) - - ######################################## - # --# Common virt domain local policy -+# Declarations - # -+attribute svirt_sandbox_domain; - --allow virt_domain self:process { signal getsched signull }; --allow virt_domain self:fifo_file rw_fifo_file_perms; --allow virt_domain self:netlink_route_socket r_netlink_socket_perms; --allow virt_domain self:shm create_shm_perms; --allow virt_domain self:tcp_socket create_stream_socket_perms; --allow virt_domain self:unix_stream_socket { accept listen }; --allow virt_domain self:unix_dgram_socket sendto; -- --allow virt_domain virtd_t:fd use; --allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; --allow virt_domain virtd_t:process sigchld; -- --dontaudit virt_domain virtd_t:unix_stream_socket { read write }; -- --manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) --manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) --files_var_filetrans(virt_domain, virt_cache_t, { file dir }) -- --manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) --manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) --manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) --manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) --files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file }) -- --stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t) -- --dontaudit virt_domain virt_tmpfs_type:file { read write }; -- --append_files_pattern(virt_domain, virt_log_t, virt_log_t) -- 
--append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -- --kernel_read_system_state(virt_domain) -- --fs_getattr_xattr_fs(virt_domain) -- --corecmd_exec_bin(virt_domain) --corecmd_exec_shell(virt_domain) -- --corenet_all_recvfrom_unlabeled(virt_domain) --corenet_all_recvfrom_netlabel(virt_domain) --corenet_tcp_sendrecv_generic_if(virt_domain) --corenet_tcp_sendrecv_generic_node(virt_domain) --corenet_tcp_bind_generic_node(virt_domain) -- --corenet_sendrecv_vnc_server_packets(virt_domain) --corenet_tcp_bind_vnc_port(virt_domain) --corenet_tcp_sendrecv_vnc_port(virt_domain) -- --corenet_sendrecv_virt_migration_server_packets(virt_domain) --corenet_tcp_bind_virt_migration_port(virt_domain) --corenet_sendrecv_virt_migration_client_packets(virt_domain) --corenet_tcp_connect_virt_migration_port(virt_domain) --corenet_tcp_sendrecv_virt_migration_port(virt_domain) -- --corenet_rw_tun_tap_dev(virt_domain) -- --dev_getattr_fs(virt_domain) --dev_list_sysfs(virt_domain) --dev_read_generic_symlinks(virt_domain) --dev_read_rand(virt_domain) --dev_read_sound(virt_domain) --dev_read_urand(virt_domain) --dev_write_sound(virt_domain) --dev_rw_ksm(virt_domain) --dev_rw_kvm(virt_domain) --dev_rw_qemu(virt_domain) --dev_rw_vhost(virt_domain) -- --domain_use_interactive_fds(virt_domain) -- --files_read_etc_files(virt_domain) --files_read_mnt_symlinks(virt_domain) --files_read_usr_files(virt_domain) --files_read_var_files(virt_domain) --files_search_all(virt_domain) -- --fs_getattr_all_fs(virt_domain) --fs_rw_anon_inodefs_files(virt_domain) --fs_rw_tmpfs_files(virt_domain) --fs_getattr_hugetlbfs(virt_domain) -- --# fs_rw_inherited_nfs_files(virt_domain) --# fs_rw_inherited_cifs_files(virt_domain) --# fs_rw_inherited_noxattr_fs_files(virt_domain) -- --storage_raw_write_removable_device(virt_domain) --storage_raw_read_removable_device(virt_domain) -- --term_use_all_terms(virt_domain) --term_getattr_pty_fs(virt_domain) --term_use_generic_ptys(virt_domain) 
--term_use_ptmx(virt_domain) -- --logging_send_syslog_msg(virt_domain) -- --miscfiles_read_localization(virt_domain) --miscfiles_read_public_files(virt_domain) -- --sysnet_read_config(virt_domain) -- --userdom_search_user_home_dirs(virt_domain) --userdom_read_all_users_state(virt_domain) -- --virt_run_bridgehelper(virt_domain, virt_domain_roles) --virt_read_config(virt_domain) --virt_read_lib_files(virt_domain) --virt_read_content(virt_domain) --virt_stream_connect(virt_domain) -- --qemu_exec(virt_domain) -- --tunable_policy(`virt_use_execmem',` -- allow virt_domain self:process { execmem execstack }; --') -- --tunable_policy(`virt_use_comm',` -- term_use_unallocated_ttys(virt_domain) -- dev_rw_printer(virt_domain) --') -- --tunable_policy(`virt_use_fusefs',` -- fs_manage_fusefs_dirs(virt_domain) -- fs_manage_fusefs_files(virt_domain) -- fs_read_fusefs_symlinks(virt_domain) --') -- --tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs(virt_domain) -- fs_manage_nfs_files(virt_domain) -- fs_manage_nfs_named_sockets(virt_domain) -- fs_read_nfs_symlinks(virt_domain) --') -+type virtd_lxc_t, virt_system_domain; -+type virtd_lxc_exec_t, virt_file_type; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - --tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs(virt_domain) -- fs_manage_cifs_files(virt_domain) -- fs_manage_cifs_named_sockets(virt_domain) -- fs_read_cifs_symlinks(virt_domain) --') -+type virt_lxc_var_run_t, virt_file_type; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - --tunable_policy(`virt_use_sysfs',` -- dev_rw_sysfs(virt_domain) --') -+# virt lxc container files -+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; -+files_mountpoint(svirt_sandbox_file_t) - --tunable_policy(`virt_use_usb',` -- dev_rw_usbfs(virt_domain) -- dev_read_sysfs(virt_domain) -- fs_manage_dos_dirs(virt_domain) -- fs_manage_dos_files(virt_domain) --') -+######################################## -+# -+# svirt 
local policy -+# - --optional_policy(` -- tunable_policy(`virt_use_xserver',` -- xserver_read_xdm_pid(virt_domain) -- xserver_stream_connect(virt_domain) -- ') --') -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - --optional_policy(` -- dbus_read_lib_files(virt_domain) --') -+corenet_udp_sendrecv_generic_if(svirt_t) -+corenet_udp_sendrecv_generic_node(svirt_t) -+corenet_udp_sendrecv_all_ports(svirt_t) -+corenet_udp_bind_generic_node(svirt_t) -+corenet_udp_bind_all_ports(svirt_t) -+corenet_tcp_bind_all_ports(svirt_t) -+corenet_tcp_connect_all_ports(svirt_t) - --optional_policy(` -- nscd_use(virt_domain) --') -+miscfiles_read_generic_certs(svirt_t) - - optional_policy(` -- samba_domtrans_smbd(virt_domain) -+ nscd_dontaudit_write_sock_file(svirt_t) - ') - - optional_policy(` -- xen_rw_image_files(virt_domain) -+ sssd_dontaudit_stream_connect(svirt_t) -+ sssd_dontaudit_read_lib(svirt_t) - ') - --######################################## -+####################################### - # --# svirt local policy -+# svirt_prot_exec local policy - # - --list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) --read_files_pattern(svirt_t, virt_content_t, virt_content_t) -- --dontaudit svirt_t virt_content_t:file write_file_perms; --dontaudit svirt_t virt_content_t:dir rw_dir_perms; -- --append_files_pattern(svirt_t, virt_home_t, virt_home_t) --manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) --manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) --manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- --stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -- --corenet_udp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) --corenet_udp_bind_generic_node(svirt_t) -- --corenet_all_recvfrom_unlabeled(svirt_t) --corenet_all_recvfrom_netlabel(svirt_t) 
--corenet_tcp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_if(svirt_t) --corenet_tcp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) --corenet_tcp_sendrecv_all_ports(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) --corenet_tcp_bind_generic_node(svirt_t) --corenet_udp_bind_generic_node(svirt_t) -- --corenet_sendrecv_all_server_packets(svirt_t) --corenet_udp_bind_all_ports(svirt_t) --corenet_tcp_bind_all_ports(svirt_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - --corenet_sendrecv_all_client_packets(svirt_t) --corenet_tcp_connect_all_ports(svirt_t) -+corenet_udp_sendrecv_generic_if(svirt_tcg_t) -+corenet_udp_sendrecv_generic_node(svirt_tcg_t) -+corenet_udp_sendrecv_all_ports(svirt_tcg_t) -+corenet_udp_bind_generic_node(svirt_tcg_t) -+corenet_udp_bind_all_ports(svirt_tcg_t) -+corenet_tcp_bind_all_ports(svirt_tcg_t) -+corenet_tcp_connect_all_ports(svirt_tcg_t) - - ######################################## - # - # virtd local policy - # - --allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -+allow virtd_t self:capability2 compromise_kernel; - allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; -+ifdef(`hide_broken_symptoms',` -+ # caused by some bogus kernel code -+ dontaudit virtd_t self:capability { sys_module }; -+') -+ - allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; --allow virtd_t self:unix_stream_socket { accept connectto listen }; --allow virtd_t self:tcp_socket { accept listen }; -+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; 
-+allow virtd_t self:tcp_socket create_stream_socket_perms; - allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; - allow virtd_t self:rawip_socket create_socket_perms; - allow virtd_t self:packet_socket create_socket_perms; - allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; --allow virtd_t self:netlink_route_socket nlmsg_write; -- --allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; --dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -- --allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; --allow virtd_t svirt_lxc_domain:process signal_perms; -- --allow virtd_t virtd_lxc_t:process { signal signull sigkill }; -- --domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) -+allow virtd_t self:netlink_route_socket create_netlink_socket_perms; - - manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) - manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) - - manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) - manage_files_pattern(virtd_t, virt_content_t, virt_content_t) --filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") - --allow virtd_t svirt_var_run_t:file relabel_file_perms; --manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) --manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) --manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) --filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") -+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; -+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill }; -+allow virt_domain virtd_t:fd use; -+dontaudit virt_domain virtd_t:unix_stream_socket { read write }; -+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; -+ -+can_exec(virtd_t, 
qemu_exec_t) -+can_exec(virt_domain, qemu_exec_t) -+ -+allow virtd_t qemu_var_run_t:file relabel_file_perms; -+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) -+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) -+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) -+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) -+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") - - read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +314,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) - filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) - --manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) --manage_files_pattern(virtd_t, virt_home_t, virt_home_t) --manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) --manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) -- --userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt") --userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst") --userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines") -- - manage_files_pattern(virtd_t, virt_image_type, virt_image_type) - manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) - manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) - manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) -- -+allow virtd_t virt_image_type:dir setattr; - allow virtd_t virt_image_type:file relabel_file_perms; - allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; - allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; --allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -- -+allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms; - allow virtd_t virt_ptynode:chr_file rw_term_perms; - - manage_dirs_pattern(virtd_t, 
virt_tmp_t, virt_tmp_t) - manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) - files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) -+can_exec(virtd_t, virt_tmp_t) - --# This needs a file context specification - manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) - manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) - manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) - files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) - - manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) --append_files_pattern(virtd_t, virt_log_t, virt_log_t) --create_files_pattern(virtd_t, virt_log_t, virt_log_t) --read_files_pattern(virtd_t, virt_log_t, virt_log_t) --setattr_files_pattern(virtd_t, virt_log_t, virt_log_t) -+manage_files_pattern(virtd_t, virt_log_t, virt_log_t) - logging_log_filetrans(virtd_t, virt_log_t, { file dir }) - - manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +349,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) - manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) - files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) - --manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") -+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; -+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) - --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) -- --kernel_read_crypto_sysctls(virtd_t) - 
kernel_read_system_state(virtd_t) - kernel_read_network_state(virtd_t) - kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +362,7 @@ kernel_read_kernel_sysctls(virtd_t) - kernel_request_load_module(virtd_t) - kernel_search_debugfs(virtd_t) - kernel_setsched(virtd_t) -+kernel_write_proc_files(virtd_t) - - corecmd_exec_bin(virtd_t) - corecmd_exec_shell(virtd_t) -@@ -520,24 +370,16 @@ corecmd_exec_shell(virtd_t) - corenet_all_recvfrom_netlabel(virtd_t) - corenet_tcp_sendrecv_generic_if(virtd_t) - corenet_tcp_sendrecv_generic_node(virtd_t) -+corenet_tcp_sendrecv_all_ports(virtd_t) - corenet_tcp_bind_generic_node(virtd_t) -- --corenet_sendrecv_virt_server_packets(virtd_t) - corenet_tcp_bind_virt_port(virtd_t) --corenet_tcp_sendrecv_virt_port(virtd_t) -- --corenet_sendrecv_vnc_server_packets(virtd_t) - corenet_tcp_bind_vnc_port(virtd_t) --corenet_sendrecv_vnc_client_packets(virtd_t) - corenet_tcp_connect_vnc_port(virtd_t) --corenet_tcp_sendrecv_vnc_port(virtd_t) -- --corenet_sendrecv_soundd_client_packets(virtd_t) - corenet_tcp_connect_soundd_port(virtd_t) --corenet_tcp_sendrecv_soundd_port(virtd_t) -- - corenet_rw_tun_tap_dev(virtd_t) -+corenet_relabel_tun_tap_dev(virtd_t) - -+dev_rw_vfio_dev(virtd_t) - dev_rw_sysfs(virtd_t) - dev_read_urand(virtd_t) - dev_read_rand(virtd_t) -@@ -548,22 +390,27 @@ dev_rw_vhost(virtd_t) - dev_setattr_generic_usb_dev(virtd_t) - dev_relabel_generic_usb_dev(virtd_t) - -+# Init script handling - domain_use_interactive_fds(virtd_t) - domain_read_all_domains_state(virtd_t) -+domain_signull_all_domains(virtd_t) - --files_read_usr_files(virtd_t) - files_read_etc_runtime_files(virtd_t) - files_search_all(virtd_t) - files_read_kernel_modules(virtd_t) - files_read_usr_src_files(virtd_t) -+files_relabelto_system_conf_files(virtd_t) -+files_relabelfrom_system_conf_files(virtd_t) -+files_relabelfrom_boot_files(virtd_t) -+files_relabelto_boot_files(virtd_t) -+files_manage_boot_files(virtd_t) - - # Manages /etc/sysconfig/system-config-firewall --# 
files_relabelto_system_conf_files(virtd_t) --# files_relabelfrom_system_conf_files(virtd_t) --# files_manage_system_conf_files(virtd_t) -+files_manage_system_conf_files(virtd_t) - -+fs_read_tmpfs_symlinks(virtd_t) - fs_list_auto_mountpoints(virtd_t) --fs_getattr_all_fs(virtd_t) -+fs_getattr_xattr_fs(virtd_t) - fs_rw_anon_inodefs_files(virtd_t) - fs_list_inotifyfs(virtd_t) - fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +441,18 @@ term_use_ptmx(virtd_t) - - auth_use_nsswitch(virtd_t) - --miscfiles_read_localization(virtd_t) -+init_dbus_chat(virtd_t) -+ - miscfiles_read_generic_certs(virtd_t) - miscfiles_read_hwdata(virtd_t) - - modutils_read_module_deps(virtd_t) -+modutils_read_module_config(virtd_t) - modutils_manage_module_config(virtd_t) - - logging_send_syslog_msg(virtd_t) - logging_send_audit_msgs(virtd_t) -+logging_stream_connect_syslog(virtd_t) - - selinux_validate_context(virtd_t) - -@@ -613,18 +463,26 @@ seutil_read_file_contexts(virtd_t) - sysnet_signull_ifconfig(virtd_t) - sysnet_signal_ifconfig(virtd_t) - sysnet_domtrans_ifconfig(virtd_t) -+sysnet_read_config(virtd_t) - --userdom_read_all_users_state(virtd_t) -- --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') -+systemd_dbus_chat_logind(virtd_t) -+systemd_write_inhibit_pipes(virtd_t) - --tunable_policy(`virt_use_fusefs',` -- fs_manage_fusefs_dirs(virtd_t) -- fs_manage_fusefs_files(virtd_t) -- fs_read_fusefs_symlinks(virtd_t) --') -+userdom_list_admin_dir(virtd_t) -+userdom_getattr_all_users(virtd_t) -+userdom_list_user_home_content(virtd_t) -+userdom_read_all_users_state(virtd_t) -+userdom_read_user_home_content_files(virtd_t) -+userdom_relabel_user_tmp_files(virtd_t) -+userdom_setattr_user_tmp_files(virtd_t) -+userdom_relabel_user_home_files(virtd_t) -+userdom_setattr_user_home_content_files(virtd_t) -+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) -+manage_files_pattern(virtd_t, virt_home_t, virt_home_t) -+manage_sock_files_pattern(virtd_t, 
virt_home_t, virt_home_t) -+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) -+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) -+virt_filetrans_home_content(virtd_t) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +491,7 @@ tunable_policy(`virt_use_nfs',` - ') - - tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files(virtd_t) -+ fs_manage_nfs_files(virtd_t) - fs_manage_cifs_files(virtd_t) - fs_read_cifs_symlinks(virtd_t) - ') -@@ -658,20 +516,12 @@ optional_policy(` - ') - - optional_policy(` -- firewalld_dbus_chat(virtd_t) -- ') -- -- optional_policy(` - hal_dbus_chat(virtd_t) - ') - - optional_policy(` - networkmanager_dbus_chat(virtd_t) - ') -- -- optional_policy(` -- policykit_dbus_chat(virtd_t) -- ') - ') - - optional_policy(` -@@ -684,14 +534,20 @@ optional_policy(` - dnsmasq_kill(virtd_t) - dnsmasq_signull(virtd_t) - dnsmasq_create_pid_dirs(virtd_t) -- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") -- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") -+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); - dnsmasq_manage_pid_files(virtd_t) - ') - - optional_policy(` -+ firewalld_dbus_chat(virtd_t) -+') -+ -+optional_policy(` - iptables_domtrans(virtd_t) - iptables_initrc_domtrans(virtd_t) -+ iptables_systemctl(virtd_t) -+ -+ # Manages /etc/sysconfig/system-config-firewall - iptables_manage_config(virtd_t) - ') - -@@ -704,11 +560,13 @@ optional_policy(` - ') - - optional_policy(` -+ # Run mount in the mount_t domain. 
- mount_domtrans(virtd_t) - mount_signal(virtd_t) - ') - - optional_policy(` -+ policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) - policykit_read_lib(virtd_t) -@@ -719,10 +577,18 @@ optional_policy(` - ') - - optional_policy(` -+ sanlock_stream_connect(virtd_t) -+') -+ -+optional_policy(` - sasl_connect(virtd_t) - ') - - optional_policy(` -+ setrans_manage_pid_files(virtd_t) -+') -+ -+optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - -@@ -737,44 +603,264 @@ optional_policy(` - udev_read_db(virtd_t) - ') - -+optional_policy(` -+ unconfined_domain(virtd_t) -+') -+ - ######################################## - # --# Virsh local policy -+# virtual domains common policy - # -+allow virt_domain self:capability2 compromise_kernel; -+allow virt_domain self:process { setrlimit signal_perms getsched setsched }; -+allow virt_domain self:fifo_file rw_fifo_file_perms; -+allow virt_domain self:shm create_shm_perms; -+allow virt_domain self:unix_stream_socket create_stream_socket_perms; -+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; -+allow virt_domain self:tcp_socket create_stream_socket_perms; -+allow virt_domain self:udp_socket create_socket_perms; -+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; - --allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; --allow virsh_t self:process { getcap getsched setsched setcap signal }; --allow virsh_t self:fifo_file rw_fifo_file_perms; --allow virsh_t self:unix_stream_socket { accept connectto listen }; --allow virsh_t self:tcp_socket { accept listen }; -+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) -+read_files_pattern(virt_domain, virt_content_t, virt_content_t) -+dontaudit virt_domain virt_content_t:file write_file_perms; -+dontaudit virt_domain virt_content_t:dir write; - --manage_files_pattern(virsh_t, virt_image_type, virt_image_type) 
--manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -+kernel_read_net_sysctls(virt_domain) - --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+userdom_search_user_home_content(virt_domain) -+userdom_read_user_home_content_symlinks(virt_domain) -+userdom_read_all_users_state(virt_domain) -+append_files_pattern(virt_domain, virt_home_t, virt_home_t) -+manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) -+manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) -+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) -+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) -+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) -+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) -+files_var_filetrans(virt_domain, virt_cache_t, { file dir }) - --dontaudit virsh_t virt_var_lib_t:file read_file_perms; -+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) -+ -+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) -+manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) -+manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) -+manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) 
-+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) -+rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) -+rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) -+fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) -+ -+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) -+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) -+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) -+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file }) -+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) -+manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) -+manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) -+fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) -+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) -+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) -+ -+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; - --allow virsh_t svirt_lxc_domain:process transition; -+dontaudit virt_domain virt_tmpfs_type:file { read write }; - --can_exec(virsh_t, virsh_exec_t) -+append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ -+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ -+corecmd_exec_bin(virt_domain) -+corecmd_exec_shell(virt_domain) -+ -+corenet_tcp_sendrecv_generic_if(virt_domain) -+corenet_tcp_sendrecv_generic_node(virt_domain) -+corenet_tcp_sendrecv_all_ports(virt_domain) -+corenet_tcp_bind_generic_node(virt_domain) -+corenet_tcp_bind_vnc_port(virt_domain) 
-+corenet_tcp_bind_virt_migration_port(virt_domain) -+corenet_tcp_connect_virt_migration_port(virt_domain) -+corenet_rw_inherited_tun_tap_dev(virt_domain) -+ -+dev_list_sysfs(virt_domain) -+dev_getattr_fs(virt_domain) -+dev_dontaudit_getattr_all(virt_domain) -+dev_read_generic_symlinks(virt_domain) -+dev_read_rand(virt_domain) -+dev_read_sound(virt_domain) -+dev_read_urand(virt_domain) -+dev_write_sound(virt_domain) -+dev_rw_ksm(virt_domain) -+dev_rw_vfio_dev(virt_domain) -+dev_rw_kvm(virt_domain) -+dev_rw_qemu(virt_domain) -+dev_rw_inherited_vhost(virt_domain) -+ -+domain_use_interactive_fds(virt_domain) -+ -+files_read_mnt_symlinks(virt_domain) -+files_read_var_files(virt_domain) -+files_search_all(virt_domain) -+ -+fs_getattr_xattr_fs(virt_domain) -+fs_getattr_tmpfs(virt_domain) -+fs_rw_anon_inodefs_files(virt_domain) -+fs_rw_inherited_tmpfs_files(virt_domain) -+fs_getattr_hugetlbfs(virt_domain) -+fs_rw_inherited_nfs_files(virt_domain) -+fs_rw_inherited_cifs_files(virt_domain) -+fs_rw_inherited_noxattr_fs_files(virt_domain) -+ -+# I think we need these for now. 
-+miscfiles_read_public_files(virt_domain) -+storage_raw_read_removable_device(virt_domain) -+ -+sysnet_read_config(virt_domain) -+ -+term_use_all_inherited_terms(virt_domain) -+term_getattr_pty_fs(virt_domain) -+term_use_generic_ptys(virt_domain) -+term_use_ptmx(virt_domain) -+ -+tunable_policy(`virt_use_execmem',` -+ allow virt_domain self:process { execmem execstack }; -+') -+ -+optional_policy(` -+ alsa_read_rw_config(virt_domain) -+') -+ -+optional_policy(` -+ ptchown_domtrans(virt_domain) -+') -+ -+optional_policy(` -+ pulseaudio_dontaudit_exec(virt_domain) -+') -+ -+optional_policy(` -+ virt_read_config(virt_domain) -+ virt_read_lib_files(virt_domain) -+ virt_read_content(virt_domain) -+ virt_stream_connect(virt_domain) -+ virt_read_pid_symlinks(virt_domain) -+ virt_domtrans_bridgehelper(virt_domain) -+') -+ -+optional_policy(` -+ xserver_rw_shm(virt_domain) -+') -+ -+tunable_policy(`virt_use_comm',` -+ term_use_unallocated_ttys(virt_domain) -+ dev_rw_printer(virt_domain) -+') -+ -+tunable_policy(`virt_use_fusefs',` -+ fs_manage_fusefs_dirs(virt_domain) -+ fs_manage_fusefs_files(virt_domain) -+ fs_read_fusefs_symlinks(virt_domain) -+ fs_getattr_fusefs(virt_domain) -+') -+ -+tunable_policy(`virt_use_nfs',` -+ fs_manage_nfs_dirs(virt_domain) -+ fs_manage_nfs_files(virt_domain) -+ fs_manage_nfs_named_sockets(virt_domain) -+ fs_read_nfs_symlinks(virt_domain) -+ fs_getattr_nfs(virt_domain) -+') - -+tunable_policy(`virt_use_samba',` -+ fs_manage_cifs_dirs(virt_domain) -+ fs_manage_cifs_files(virt_domain) -+ fs_manage_cifs_named_sockets(virt_domain) -+ fs_read_cifs_symlinks(virt_domain) -+ fs_getattr_cifs(virt_domain) -+') -+ -+tunable_policy(`virt_use_usb',` -+ dev_rw_usbfs(virt_domain) -+ dev_read_sysfs(virt_domain) -+ fs_getattr_dos_fs(virt_domain) -+ fs_manage_dos_dirs(virt_domain) -+ fs_manage_dos_files(virt_domain) -+') -+ -+optional_policy(` -+ tunable_policy(`virt_use_sanlock',` -+ sanlock_stream_connect(virt_domain) -+ ') -+') -+ 
-+tunable_policy(`virt_use_rawip',` -+ allow virt_domain self:rawip_socket create_socket_perms; -+') -+ -+optional_policy(` -+ tunable_policy(`virt_use_xserver',` -+ xserver_stream_connect(virt_domain) -+ ') -+') -+ -+######################################## -+# -+# xm local policy -+# -+type virsh_t, virt_system_domain; -+type virsh_exec_t, virt_file_type; -+init_system_domain(virsh_t, virsh_exec_t) -+typealias virsh_t alias xm_t; -+typealias virsh_exec_t alias xm_exec_t; -+ -+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; -+allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; -+allow virsh_t self:fifo_file rw_fifo_file_perms; -+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virsh_t self:tcp_socket create_stream_socket_perms; -+ -+ps_process_pattern(virsh_t, svirt_sandbox_domain) -+ -+can_exec(virsh_t, virsh_exec_t) - virt_domtrans(virsh_t) - virt_manage_images(virsh_t) - virt_manage_config(virsh_t) - virt_stream_connect(virsh_t) - --kernel_read_crypto_sysctls(virsh_t) -+manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) -+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) -+manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) -+files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) -+ -+manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -+ -+manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) 
-+manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+virt_transition_svirt_sandbox(virsh_t, system_r) -+ -+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+virt_filetrans_named_content(virsh_t) -+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") -+ -+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; -+ -+kernel_write_proc_files(virsh_t) - kernel_read_system_state(virsh_t) - kernel_read_network_state(virsh_t) - kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +871,18 @@ kernel_write_xen_state(virsh_t) - corecmd_exec_bin(virsh_t) - corecmd_exec_shell(virsh_t) - --corenet_all_recvfrom_unlabeled(virsh_t) --corenet_all_recvfrom_netlabel(virsh_t) - corenet_tcp_sendrecv_generic_if(virsh_t) - corenet_tcp_sendrecv_generic_node(virsh_t) --corenet_tcp_bind_generic_node(virsh_t) -- --corenet_sendrecv_soundd_client_packets(virsh_t) - corenet_tcp_connect_soundd_port(virsh_t) --corenet_tcp_sendrecv_soundd_port(virsh_t) - - dev_read_rand(virsh_t) - dev_read_urand(virsh_t) - dev_read_sysfs(virsh_t) - - files_read_etc_runtime_files(virsh_t) --files_read_etc_files(virsh_t) --files_read_usr_files(virsh_t) - files_list_mnt(virsh_t) - files_list_tmp(virsh_t) -+# Some common macros (you might be able to remove some) - - fs_getattr_all_fs(virsh_t) - fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +891,23 @@ fs_search_auto_mountpoints(virsh_t) - - storage_raw_read_fixed_disk(virsh_t) - --term_use_all_terms(virsh_t) -+term_use_all_inherited_terms(virsh_t) -+term_dontaudit_use_generic_ptys(virsh_t) -+ -+userdom_search_admin_dir(virsh_t) -+userdom_read_home_certs(virsh_t) - - init_stream_connect_script(virsh_t) - init_rw_script_stream_sockets(virsh_t) - init_use_fds(virsh_t) - --logging_send_syslog_msg(virsh_t) -+systemd_exec_systemctl(virsh_t) - --miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) - 
--sysnet_dns_name_resolve(virsh_t) -+logging_send_syslog_msg(virsh_t) - --tunable_policy(`virt_use_fusefs',` -- fs_manage_fusefs_dirs(virsh_t) -- fs_manage_fusefs_files(virsh_t) -- fs_read_fusefs_symlinks(virsh_t) --') -+sysnet_dns_name_resolve(virsh_t) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +926,20 @@ optional_policy(` - ') - - optional_policy(` -+ rhcs_domtrans_fenced(virsh_t) -+') -+ -+optional_policy(` - rpm_exec(virsh_t) - ') - - optional_policy(` - xen_manage_image_dirs(virsh_t) -+ xen_read_image_files(virsh_t) -+ xen_read_lib_files(virsh_t) - xen_append_log(virsh_t) - xen_domtrans(virsh_t) -- xen_read_xenstored_pid_files(virsh_t) -+ xen_read_pid_files_xenstored(virsh_t) - xen_stream_connect(virsh_t) - xen_stream_connect_xenstore(virsh_t) - ') -@@ -879,49 +964,65 @@ optional_policy(` - kernel_read_xen_state(virsh_ssh_t) - kernel_write_xen_state(virsh_ssh_t) - -+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; - files_search_tmp(virsh_ssh_t) - - fs_manage_xenfs_dirs(virsh_ssh_t) - fs_manage_xenfs_files(virsh_ssh_t) -+ -+ userdom_search_admin_dir(virsh_ssh_t) - ') - - ######################################## - # --# Lxc local policy -+# virt_lxc local policy - # -+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; -+allow virtd_lxc_t self:process { transition setpgid signal_perms }; -+allow virtd_lxc_t self:capability2 compromise_kernel; - --allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; - allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; - allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; --allow virtd_lxc_t self:netlink_route_socket nlmsg_write; --allow virtd_lxc_t self:unix_stream_socket { accept listen }; -+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; -+allow 
virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow virtd_lxc_t self:packet_socket create_socket_perms; -+ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) -+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; - --allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; -+files_entrypoint_all_files(virtd_lxc_t) - - allow virtd_lxc_t virt_image_type:dir mounton; - manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) - -+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) -+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill }; -+ - allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; --manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) -- --manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) --allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; --allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; -+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) -+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) -+filetrans_pattern(virtd_lxc_t, virt_var_run_t, 
virt_lxc_var_run_t, dir, "lxc") -+ -+manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom }; -+allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom }; -+files_associate_rootfs(svirt_sandbox_file_t) -+ -+seutil_read_file_contexts(virtd_lxc_t) - - storage_manage_fixed_disk(virtd_lxc_t) -+storage_rw_fuse(virtd_lxc_t) - - kernel_read_all_sysctls(virtd_lxc_t) - kernel_read_network_state(virtd_lxc_t) - kernel_read_system_state(virtd_lxc_t) -+kernel_request_load_module(virtd_lxc_t) - - corecmd_exec_bin(virtd_lxc_t) - corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1034,16 @@ dev_read_urand(virtd_lxc_t) - - domain_use_interactive_fds(virtd_lxc_t) - --files_associate_rootfs(svirt_lxc_file_t) - files_search_all(virtd_lxc_t) - files_getattr_all_files(virtd_lxc_t) --files_read_usr_files(virtd_lxc_t) - files_relabel_rootfs(virtd_lxc_t) - files_mounton_non_security(virtd_lxc_t) - files_mount_all_file_type_fs(virtd_lxc_t) - files_unmount_all_file_type_fs(virtd_lxc_t) - files_list_isid_type_dirs(virtd_lxc_t) --files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) -+files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set) - -+fs_read_fusefs_files(virtd_lxc_t) - fs_getattr_all_fs(virtd_lxc_t) - fs_manage_tmpfs_dirs(virtd_lxc_t) - fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1055,23 @@ fs_rw_cgroup_files(virtd_lxc_t) - fs_unmount_all_fs(virtd_lxc_t) - fs_relabelfrom_tmpfs(virtd_lxc_t) - 
-+logging_send_audit_msgs(virtd_lxc_t) -+ - selinux_mount_fs(virtd_lxc_t) - selinux_unmount_fs(virtd_lxc_t) -+seutil_read_config(virtd_lxc_t) -+ -+term_use_generic_ptys(virtd_lxc_t) -+term_use_ptmx(virtd_lxc_t) -+term_relabel_pty_fs(virtd_lxc_t) -+ -+auth_use_nsswitch(virtd_lxc_t) -+ -+logging_send_syslog_msg(virtd_lxc_t) -+ -+seutil_domtrans_setfiles(virtd_lxc_t) -+seutil_read_default_contexts(virtd_lxc_t) -+ - selinux_get_enforce_mode(virtd_lxc_t) - selinux_get_fs_mount(virtd_lxc_t) - selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1080,238 @@ selinux_compute_create_context(virtd_lxc_t) - selinux_compute_relabel_context(virtd_lxc_t) - selinux_compute_user_contexts(virtd_lxc_t) - --term_use_generic_ptys(virtd_lxc_t) --term_use_ptmx(virtd_lxc_t) --term_relabel_pty_fs(virtd_lxc_t) -+sysnet_exec_ifconfig(virtd_lxc_t) - --auth_use_nsswitch(virtd_lxc_t) -+userdom_read_admin_home_files(virtd_lxc_t) - --logging_send_syslog_msg(virtd_lxc_t) -+optional_policy(` -+ dbus_system_bus_client(virtd_lxc_t) -+ init_dbus_chat(virtd_lxc_t) - --miscfiles_read_localization(virtd_lxc_t) -+ optional_policy(` -+ hal_dbus_chat(virtd_lxc_t) -+ ') -+') - --seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) --seutil_read_default_contexts(virtd_lxc_t) -+optional_policy(` -+ gnome_read_generic_cache_files(virtd_lxc_t) -+') - --sysnet_domtrans_ifconfig(virtd_lxc_t) -+optional_policy(` -+ setrans_manage_pid_files(virtd_lxc_t) -+') -+ -+optional_policy(` -+ unconfined_domain(virtd_lxc_t) -+') - - ######################################## - # --# Common virt lxc domain local policy -+# svirt_sandbox_domain local policy - # -+allow svirt_sandbox_domain self:key manage_key_perms; -+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; -+allow svirt_sandbox_domain self:fifo_file manage_file_perms; -+allow svirt_sandbox_domain self:sem create_sem_perms; -+allow svirt_sandbox_domain self:shm create_shm_perms; 
-+allow svirt_sandbox_domain self:msgq create_msgq_perms;
-+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
-+
-+
-+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
-+
-+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
-+allow svirt_sandbox_domain virtd_lxc_t:fd use;
-+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-+
-+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
-+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+
-+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
-+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
-+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
-+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
-+
-+kernel_getattr_proc(svirt_sandbox_domain)
-+kernel_list_all_proc(svirt_sandbox_domain)
-+kernel_read_all_sysctls(svirt_sandbox_domain)
-+kernel_rw_net_sysctls(svirt_sandbox_domain)
-+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
-+
-+corecmd_exec_all_executables(svirt_sandbox_domain)
-+
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
-+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
-+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
-+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
-+files_entrypoint_all_files(svirt_sandbox_domain)
-+files_list_var(svirt_sandbox_domain)
-+files_list_var_lib(svirt_sandbox_domain)
-+files_search_all(svirt_sandbox_domain)
-+files_read_config_files(svirt_sandbox_domain)
-+files_read_usr_symlinks(svirt_sandbox_domain)
-+files_search_locks(svirt_sandbox_domain)
-+
-+fs_getattr_all_fs(svirt_sandbox_domain)
-+fs_list_inotifyfs(svirt_sandbox_domain)
-+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
-+fs_read_fusefs_files(svirt_sandbox_domain)
-+
-+auth_dontaudit_read_passwd(svirt_sandbox_domain)
-+auth_dontaudit_read_login_records(svirt_sandbox_domain)
-+auth_dontaudit_write_login_records(svirt_sandbox_domain)
-+auth_search_pam_console_data(svirt_sandbox_domain)
-+
-+clock_read_adjtime(svirt_sandbox_domain)
-+
-+init_read_utmp(svirt_sandbox_domain)
-+init_dontaudit_write_utmp(svirt_sandbox_domain)
-+
-+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
-+
-+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
-+miscfiles_read_fonts(svirt_sandbox_domain)
-+miscfiles_read_hwdata(svirt_sandbox_domain)
-+
-+systemd_read_unit_files(svirt_sandbox_domain)
-+
-+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
-+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
-+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
- 
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
-+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
- 
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
- ')
- 
- optional_policy(`
-- apache_exec_modules(svirt_lxc_domain)
-- apache_read_sys_content(svirt_lxc_domain)
-+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
- ')
- 
- ########################################
- #
--# Lxc net local policy
-+# svirt_lxc_net_t local policy
- #
-+virt_sandbox_domain_template(svirt_lxc_net)
-+typeattribute svirt_lxc_net_t sandbox_net_domain;
- 
--allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
- dontaudit svirt_lxc_net_t self:capability2 block_suspend;
--allow svirt_lxc_net_t self:process setrlimit;
--allow svirt_lxc_net_t self:tcp_socket { accept listen };
--allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
--allow svirt_lxc_net_t self:packet_socket create_socket_perms;
--allow svirt_lxc_net_t self:socket create_socket_perms;
--allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process { execstack execmem };
- allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
--allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
- allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
--kernel_read_network_state(svirt_lxc_net_t)
--kernel_read_irq_sysctls(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
- 
--corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
--corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
--corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
--corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
--corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
--corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
--corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
--corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_generic_node(svirt_lxc_net_t)
--corenet_udp_bind_generic_node(svirt_lxc_net_t)
--
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
--
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_lxc_net_t)
- 
-+dev_read_sysfs(svirt_lxc_net_t)
- dev_getattr_mtrr_dev(svirt_lxc_net_t)
- dev_read_rand(svirt_lxc_net_t)
--dev_read_sysfs(svirt_lxc_net_t)
- dev_read_urand(svirt_lxc_net_t)
- 
- files_read_kernel_modules(svirt_lxc_net_t)
- 
-+fs_noxattr_type(svirt_sandbox_file_t)
- fs_mount_cgroup(svirt_lxc_net_t)
- fs_manage_cgroup_dirs(svirt_lxc_net_t)
--fs_rw_cgroup_files(svirt_lxc_net_t)
-+fs_manage_cgroup_files(svirt_lxc_net_t)
-+
-+term_pty(svirt_sandbox_file_t)
- 
- auth_use_nsswitch(svirt_lxc_net_t)
- 
-+rpm_read_db(svirt_lxc_net_t)
-+
- logging_send_audit_msgs(svirt_lxc_net_t)
- 
- userdom_use_user_ptys(svirt_lxc_net_t)
- 
--optional_policy(`
-- rpm_read_db(svirt_lxc_net_t)
--')
--
--#######################################
-+########################################
- #
--# Prot exec local policy
-+# svirt_lxc_net_t local policy
- #
-+virt_sandbox_domain_template(svirt_qemu_net)
-+typeattribute svirt_qemu_net_t sandbox_net_domain;
-+
-+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
-+allow svirt_qemu_net_t self:process { execstack execmem };
-+allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+term_use_generic_ptys(svirt_qemu_net_t)
-+term_use_ptmx(svirt_qemu_net_t)
-+
-+dev_rw_kvm(svirt_qemu_net_t)
-+
-+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-+
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
-+
-+kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
-+dev_read_sysfs(svirt_qemu_net_t)
-+dev_getattr_mtrr_dev(svirt_qemu_net_t)
-+dev_read_rand(svirt_qemu_net_t)
-+dev_read_urand(svirt_qemu_net_t)
-+
-+files_read_kernel_modules(svirt_qemu_net_t)
-+
-+fs_noxattr_type(svirt_sandbox_file_t)
-+fs_mount_cgroup(svirt_qemu_net_t)
-+fs_manage_cgroup_dirs(svirt_qemu_net_t)
-+fs_manage_cgroup_files(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
-+term_pty(svirt_sandbox_file_t)
-+
-+auth_use_nsswitch(svirt_qemu_net_t)
-+
-+rpm_read_db(svirt_qemu_net_t)
-+
-+logging_send_audit_msgs(svirt_qemu_net_t)
-+
-+userdom_use_user_ptys(svirt_qemu_net_t)
- 
- ########################################
- #
--# Qmf local policy
-+# virt_qmf local policy
- #
--
- allow virt_qmf_t self:capability { sys_nice sys_tty_config };
- allow virt_qmf_t self:process { setsched signal };
- allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
--allow virt_qmf_t self:unix_stream_socket { accept listen };
-+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
- allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
- allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
- 
-@@ -1165,12 +1324,12 @@ dev_read_sysfs(virt_qmf_t)
- dev_read_rand(virt_qmf_t)
- dev_read_urand(virt_qmf_t)
- 
-+corenet_tcp_connect_matahari_port(virt_qmf_t)
-+
- domain_use_interactive_fds(virt_qmf_t)
- 
- logging_send_syslog_msg(virt_qmf_t)
- 
--miscfiles_read_localization(virt_qmf_t)
--
- sysnet_read_config(virt_qmf_t)
- 
- optional_policy(`
-@@ -1183,9 +1342,8 @@ optional_policy(`
- 
- ########################################
- #
--# Bridgehelper local policy
-+# virt_bridgehelper local policy
- #
--
- allow virt_bridgehelper_t self:process { setcap getcap };
- allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
- allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1356,194 @@ kernel_read_network_state(virt_bridgehelper_t)
- 
- corenet_rw_tun_tap_dev(virt_bridgehelper_t)
- 
--userdom_search_user_home_dirs(virt_bridgehelper_t)
--userdom_use_user_ptys(virt_bridgehelper_t)
-+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
-+
-+#######################################
-+#
-+# virt_qemu_ga local policy
-+#
-+
-+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
-+
-+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
-+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
-+can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-+
-+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
-+files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
-+
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
-+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
-+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
-+
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-+
-+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
-+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
-+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
-+
-+kernel_read_system_state(virt_qemu_ga_t)
-+
-+corecmd_exec_shell(virt_qemu_ga_t)
-+corecmd_exec_bin(virt_qemu_ga_t)
-+
-+dev_rw_sysfs(virt_qemu_ga_t)
-+
-+files_list_all_mountpoints(virt_qemu_ga_t)
-+files_write_all_mountpoints(virt_qemu_ga_t)
-+
-+fs_list_all(virt_qemu_ga_t)
-+fs_getattr_all_fs(virt_qemu_ga_t)
-+
-+term_use_virtio_console(virt_qemu_ga_t)
-+term_use_all_ttys(virt_qemu_ga_t)
-+term_use_unallocated_ttys(virt_qemu_ga_t)
-+
-+logging_send_syslog_msg(virt_qemu_ga_t)
-+
-+sysnet_dns_name_resolve(virt_qemu_ga_t)
-+
-+systemd_exec_systemctl(virt_qemu_ga_t)
-+systemd_start_power_services(virt_qemu_ga_t)
-+
-+userdom_use_user_ptys(virt_qemu_ga_t)
-+
-+optional_policy(`
-+ bootloader_domtrans(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ cron_initrc_domtrans(virt_qemu_ga_t)
-+ cron_domtrans(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ devicekit_manage_pid_files(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(virt_qemu_ga_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(virt_qemu_ga_t)
-+')
-+
-+#######################################
-+#
-+# qemu-ga unconfined hook script local policy
-+#
-+
-+optional_policy(`
-+ type virt_qemu_ga_unconfined_t;
-+ domain_type(virt_qemu_ga_unconfined_t)
-+
-+ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
-+ role system_r types virt_qemu_ga_unconfined_t;
-+
-+ domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
-+
-+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
-+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
-+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
-+
-+ init_domtrans_script(virt_qemu_ga_unconfined_t)
-+
-+ optional_policy(`
-+ unconfined_domain(virt_qemu_ga_unconfined_t)
-+ ')
-+')
-+
-+#######################################
-+#
-+# tye for svirt sockets
-+#
-+
-+type svirt_socket_t;
-+domain_type(svirt_socket_t)
-+role system_r types svirt_socket_t;
-+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
-+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+tunable_policy(`virt_transition_userdomain',`
-+ userdom_transition(virtd_t)
-+ userdom_transition(virtd_lxc_t)
-+')
-+
-+########################################
-+#
-+# svirt_lxc_net_t local policy
-+#
-+virt_sandbox_domain_template(svirt_kvm_net)
-+typeattribute svirt_kvm_net_t sandbox_net_domain;
-+
-+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
-+allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
-+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+term_use_generic_ptys(svirt_kvm_net_t)
-+term_use_ptmx(svirt_kvm_net_t)
-+
-+dev_rw_kvm(svirt_kvm_net_t)
-+
-+manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t)
-+
-+list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
-+
-+append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t)
-+
-+kernel_read_network_state(svirt_kvm_net_t)
-+kernel_read_irq_sysctls(svirt_kvm_net_t)
-+
-+dev_read_sysfs(svirt_kvm_net_t)
-+dev_getattr_mtrr_dev(svirt_kvm_net_t)
-+dev_read_rand(svirt_kvm_net_t)
-+dev_read_urand(svirt_kvm_net_t)
-+
-+files_read_kernel_modules(svirt_kvm_net_t)
-+
-+fs_noxattr_type(svirt_sandbox_file_t)
-+fs_mount_cgroup(svirt_kvm_net_t)
-+fs_manage_cgroup_dirs(svirt_kvm_net_t)
-+fs_manage_cgroup_files(svirt_kvm_net_t)
-+
-+term_pty(svirt_sandbox_file_t)
-+
-+auth_use_nsswitch(svirt_kvm_net_t)
-+
-+rpm_read_db(svirt_kvm_net_t)
-+
-+logging_send_audit_msgs(svirt_kvm_net_t)
-+
-+userdom_use_user_ptys(svirt_kvm_net_t)
-+
-+kernel_read_network_state(sandbox_net_domain)
-+
-+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
-+
-+allow sandbox_net_domain self:udp_socket create_socket_perms;
-+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
-+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
-+allow sandbox_net_domain self:packet_socket create_socket_perms;
-+allow sandbox_net_domain self:socket create_socket_perms;
-+allow sandbox_net_domain self:rawip_socket create_socket_perms;
-+
-+corenet_tcp_bind_generic_node(sandbox_net_domain)
-+corenet_udp_bind_generic_node(sandbox_net_domain)
-+corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
-+corenet_udp_sendrecv_all_ports(sandbox_net_domain)
-+corenet_udp_bind_all_ports(sandbox_net_domain)
-+corenet_tcp_bind_all_ports(sandbox_net_domain)
-+corenet_tcp_connect_all_ports(sandbox_net_domain)
-+
-diff --git a/vlock.te b/vlock.te
-index 9ead775..b5285e7 100644
---- a/vlock.te
-+++ b/vlock.te
-@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
- 
- init_dontaudit_rw_utmp(vlock_t)
- 
--miscfiles_read_localization(vlock_t)
-+logging_send_syslog_msg(vlock_t)
- 
- userdom_dontaudit_search_user_home_dirs(vlock_t)
--userdom_use_user_terminals(vlock_t)
-+userdom_use_inherited_user_terminals(vlock_t)
-diff --git a/vmware.if b/vmware.if
-index 20a1fb2..470ea95 100644
---- a/vmware.if
-+++ b/vmware.if
-@@ -26,7 +26,11 @@ interface(`vmware_role',`
- domtrans_pattern($2, vmware_exec_t, vmware_t)
- 
- ps_process_pattern($2, vmware_t)
-- allow $2 vmware_t:process { ptrace signal_perms };
-+ allow $2 vmware_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 vmware_t:process ptrace;
-+ ')
- 
- allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms
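Review bot: `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` in the hook-script block applies a file permission macro to the dir class; the intent reads as `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;`, which also covers the `search_dir_perms` line just above it, and the watchdog.te hunk `-97,3 +104,28` repeats the same pair for watchdog_unconfined_exec_t. The header above `virt_sandbox_domain_template(svirt_kvm_net)` says `# svirt_lxc_net_t local policy` although the block defines svirt_kvm_net_t, and `# tye for svirt sockets` is a typo for `# type for svirt sockets`. `kernel_read_network_state(svirt_kvm_net_t)` is redundant with `kernel_read_network_state(sandbox_net_domain)` at the end of the hunk once the typeattribute line is in place, and `fs_noxattr_type(svirt_sandbox_file_t)` / `term_pty(svirt_sandbox_file_t)` act on the file type, so a single instance next to the type declaration is enough. Since `unconfined_domain(virt_qemu_ga_unconfined_t)` removes all confinement for whatever is labelled virt_qemu_ga_unconfined_exec_t, the block would benefit from a comment stating that the guest-agent hook scripts are trusted by design and that the labelled paths (declared outside this hunk) are the trust boundary.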
relabel_file_perms };
-diff --git a/vmware.te b/vmware.te
-index 3a56513..d7ec42b 100644
---- a/vmware.te
-+++ b/vmware.te
-@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
- # Host local policy
- #
- 
--allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
-+allow vmware_host_t self:capability { net_admin sys_module };
-+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
- dontaudit vmware_host_t self:capability sys_tty_config;
- allow vmware_host_t self:process { execstack execmem signal_perms };
- allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
- kernel_read_kernel_sysctls(vmware_host_t)
- kernel_read_system_state(vmware_host_t)
- kernel_read_network_state(vmware_host_t)
-+kernel_request_load_module(vmware_host_t)
- 
--corenet_all_recvfrom_unlabeled(vmware_host_t)
- corenet_all_recvfrom_netlabel(vmware_host_t)
- corenet_tcp_sendrecv_generic_if(vmware_host_t)
- corenet_udp_sendrecv_generic_if(vmware_host_t)
-@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
- dev_read_sysfs(vmware_host_t)
- dev_read_urand(vmware_host_t)
- dev_rw_vmware(vmware_host_t)
-+dev_rw_generic_chr_files(vmware_host_t)
- 
- domain_use_interactive_fds(vmware_host_t)
- domain_dontaudit_read_all_domains_state(vmware_host_t)
- 
- files_list_tmp(vmware_host_t)
--files_read_etc_files(vmware_host_t)
- files_read_etc_runtime_files(vmware_host_t)
--files_read_usr_files(vmware_host_t)
- 
- fs_getattr_all_fs(vmware_host_t)
- fs_search_auto_mountpoints(vmware_host_t)
-@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
- 
- logging_send_syslog_msg(vmware_host_t)
- 
--miscfiles_read_localization(vmware_host_t)
--
- sysnet_dns_name_resolve(vmware_host_t)
- sysnet_domtrans_ifconfig(vmware_host_t)
- 
-+systemd_start_power_services(vmware_host_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
- userdom_dontaudit_search_user_home_dirs(vmware_host_t)
- 
- netutils_domtrans_ping(vmware_host_t)
- 
- optional_policy(`
-- hostname_exec(vmware_host_t)
-+ unconfined_domain(vmware_host_t)
- ')
- 
- optional_policy(`
-+ hostname_exec(vmware_host_t)
-+')
-+
-+optional_policy(`
- modutils_domtrans_insmod(vmware_host_t)
--')
-+')
- 
- optional_policy(`
- samba_read_config(vmware_host_t)
-@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
- 
- domain_use_interactive_fds(vmware_t)
- 
--files_read_etc_files(vmware_t)
- files_read_etc_runtime_files(vmware_t)
--files_read_usr_files(vmware_t)
- files_list_home(vmware_t)
- 
- fs_getattr_all_fs(vmware_t)
-@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
- libs_exec_ld_so(vmware_t)
- libs_read_lib_files(vmware_t)
- 
--miscfiles_read_localization(vmware_t)
- 
--userdom_use_user_terminals(vmware_t)
-+userdom_use_inherited_user_terminals(vmware_t)
- userdom_list_user_home_dirs(vmware_t)
- 
- sysnet_dns_name_resolve(vmware_t)
-diff --git a/vnstatd.if b/vnstatd.if
-index 137ac44..b644854 100644
---- a/vnstatd.if
-+++ b/vnstatd.if
-@@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',`
- ## Role allowed access.
- ##
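Review bot: `unconfined_domain(vmware_host_t)` inside the first `optional_policy(` block makes vmware_host_t fully unconfined whenever the unconfined module is present, so the fine-grained rules around it — including `allow vmware_host_t self:capability { net_admin sys_module };` added in the `-65,7 +65,8` hunk and `dev_rw_generic_chr_files(vmware_host_t)` in `-115,14 +116,13` — presumably only take effect on builds without that module. If that is the intent, a comment above the block should say so, e.g. `# vmware_host_t runs unconfined where the unconfined module is loaded; the rules below apply only without it`, and if it is a stopgap the reason belongs in the comment as well. The new `sys_module` capability pairs with `kernel_request_load_module` and `modutils_domtrans_insmod` elsewhere in this file; keeping it on its own line is fine, but a short why-comment would make the split from the other capabilities look deliberate rather than accidental.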
- ##
--##
- #
- interface(`vnstatd_admin',`
- gen_require(`
-@@ -165,9 +164,13 @@ interface(`vnstatd_admin',`
- type vnstatd_var_run_t;
- ')
- 
-- allow $1 vnstatd_t:process { ptrace signal_perms };
-+ allow $1 vnstatd_t:process signal_perms;
- ps_process_pattern($1, vnstatd_t)
- 
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 vnstatd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
-diff --git a/vnstatd.te b/vnstatd.te
-index febc3e5..ff18188 100644
---- a/vnstatd.te
-+++ b/vnstatd.te
-@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
- 
- manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
- manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
--files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
-+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
- 
- manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
- manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t)
- 
- domain_use_interactive_fds(vnstatd_t)
- 
--files_read_etc_files(vnstatd_t)
--
- fs_getattr_xattr_fs(vnstatd_t)
- 
- logging_send_syslog_msg(vnstatd_t)
- 
--miscfiles_read_localization(vnstatd_t)
--
- ########################################
- #
- # Client local policy
-@@ -64,23 +60,19 @@ allow vnstat_t self:process signal;
- allow vnstat_t self:fifo_file rw_fifo_file_perms;
- allow vnstat_t self:unix_stream_socket { accept listen };
- 
-+files_search_var_lib(vnstat_t)
- manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
- manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
--files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
- 
- kernel_read_network_state(vnstat_t)
- kernel_read_system_state(vnstat_t)
- 
- domain_use_interactive_fds(vnstat_t)
- 
--files_read_etc_files(vnstat_t)
--
- fs_getattr_xattr_fs(vnstat_t)
- 
- logging_send_syslog_msg(vnstat_t)
- 
--miscfiles_read_localization(vnstat_t)
--
- optional_policy(`
- cron_system_entry(vnstat_t, vnstat_exec_t)
- ')
-diff --git a/vpn.fc b/vpn.fc
-index 524ac2f..076dcc3 100644
---- a/vpn.fc
-+++ b/vpn.fc
-@@ -1,7 +1,13 @@
--/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
-+#
-+# sbin
-+#
-+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
- 
-+#
-+# /usr
-+#
- /usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
- 
--/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
-+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
- 
--/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
-+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
-diff --git a/vpn.if b/vpn.if
-index 7a7f342..afedcba 100644
---- a/vpn.if
-+++ b/vpn.if
-@@ -1,8 +1,8 @@
--## Virtual Private Networking client.
-+## Virtual Private Networking client
- 
- ########################################
- ##
--## Execute vpn clients in the vpnc domain.
-+## Execute VPN clients in the vpnc domain.
- ##
- ##
- ##
-@@ -15,15 +15,13 @@ interface(`vpn_domtrans',`
- type vpnc_t, vpnc_exec_t;
- ')
- 
-- corecmd_search_bin($1)
- domtrans_pattern($1, vpnc_exec_t, vpnc_t)
- ')
- 
- ########################################
- ##
--## Execute vpn clients in the vpnc
--## domain, and allow the specified
--## role the vpnc domain.
-+## Execute VPN clients in the vpnc domain, and
-+## allow the specified role the vpnc domain.
- ##
- ##
- ##
-@@ -40,6 +38,7 @@ interface(`vpn_domtrans',`
- interface(`vpn_run',`
- gen_require(`
- attribute_role vpnc_roles;
-+ type vpnc_t;
- ')
- 
- vpn_domtrans($1)
-@@ -48,7 +47,7 @@ interface(`vpn_run',`
- 
- ########################################
- ##
--## Send kill signals to vpnc.
-+## Send VPN clients the kill signal.
- ##
- ##
- ##
-@@ -66,7 +65,7 @@ interface(`vpn_kill',`
- 
- ########################################
- ##
--## Send generic signals to vpnc.
-+## Send generic signals to VPN clients.
- ##
- ##
- ##
-@@ -84,7 +83,7 @@ interface(`vpn_signal',`
- 
- ########################################
- ##
--## Send null signals to vpnc.
-+## Send signull to VPN clients.
- ##
- ##
- ##
-@@ -103,7 +102,7 @@ interface(`vpn_signull',`
- ########################################
- ##
- ## Send and receive messages from
--## vpnc over dbus.
-+## Vpnc over dbus.
- ##
- ##
- ##
-diff --git a/vpn.te b/vpn.te
-index 9329eae..824e86f 100644
---- a/vpn.te
-+++ b/vpn.te
-@@ -1,4 +1,4 @@
--policy_module(vpn, 1.15.1)
-+policy_module(vpn, 1.15.0)
- 
- ########################################
- #
-@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1)
- #
- 
- attribute_role vpnc_roles;
-+roleattribute system_r vpnc_roles;
- 
- type vpnc_t;
- type vpnc_exec_t;
-@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
- allow vpnc_t self:process { getsched signal };
- allow vpnc_t self:fifo_file rw_fifo_file_perms;
- allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
--allow vpnc_t self:tcp_socket { accept listen };
-+allow vpnc_t self:tcp_socket create_stream_socket_perms;
-+allow vpnc_t self:udp_socket create_socket_perms;
- allow vpnc_t self:rawip_socket create_socket_perms;
-+allow vpnc_t self:unix_dgram_socket create_socket_perms;
-+allow vpnc_t self:unix_stream_socket create_socket_perms;
- allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
-+# cjp: this needs to be fixed
- allow vpnc_t self:socket create_socket_perms;
- 
- manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
-@@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t)
- kernel_request_load_module(vpnc_t)
- kernel_rw_net_sysctls(vpnc_t)
- 
--corenet_all_recvfrom_unlabeled(vpnc_t)
- corenet_all_recvfrom_netlabel(vpnc_t)
- corenet_tcp_sendrecv_generic_if(vpnc_t)
- 
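Review bot: `# cjp: this needs to be fixed` above `allow vpnc_t self:socket create_socket_perms;` is a personal note that does not say what is wrong; the generic `socket` class is the catch-all for socket families the policy does not model, so the comment should record the family observed and the intended replacement, e.g. `# TODO: generic socket class is a catch-all; identify the socket family vpnc opens and grant its specific class instead`. The hunk also widens `tcp_socket` from `{ accept listen }` to `create_stream_socket_perms` and adds udp and unix socket rules without a rationale; a one-line reason for each widening would help whoever next reviews this daemon's network surface. Separately, the first hunk of this file changes `policy_module(vpn, 1.15.1)` to `policy_module(vpn, 1.15.0)`, lowering the module version in a patch that adds rules, which looks like a merge artifact.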
corenet_udp_sendrecv_generic_if(vpnc_t) -@@ -58,38 +62,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) - corenet_tcp_sendrecv_all_ports(vpnc_t) - corenet_udp_sendrecv_all_ports(vpnc_t) - corenet_udp_bind_generic_node(vpnc_t) -- --corenet_sendrecv_all_server_packets(vpnc_t) - corenet_udp_bind_generic_port(vpnc_t) -- --corenet_sendrecv_isakmp_server_packets(vpnc_t) - corenet_udp_bind_isakmp_port(vpnc_t) -- --corenet_sendrecv_generic_server_packets(vpnc_t) - corenet_udp_bind_ipsecnat_port(vpnc_t) -- --corenet_sendrecv_all_client_packets(vpnc_t) - corenet_tcp_connect_all_ports(vpnc_t) -- -+corenet_sendrecv_all_client_packets(vpnc_t) -+corenet_sendrecv_isakmp_server_packets(vpnc_t) -+corenet_sendrecv_generic_server_packets(vpnc_t) - corenet_rw_tun_tap_dev(vpnc_t) - --corecmd_exec_all_executables(vpnc_t) -- - dev_read_rand(vpnc_t) - dev_read_urand(vpnc_t) - dev_read_sysfs(vpnc_t) - - domain_use_interactive_fds(vpnc_t) - --files_exec_etc_files(vpnc_t) --files_read_etc_runtime_files(vpnc_t) --files_dontaudit_search_home(vpnc_t) -- - fs_getattr_xattr_fs(vpnc_t) - fs_getattr_tmpfs(vpnc_t) - --term_use_all_ptys(vpnc_t) --term_use_all_ttys(vpnc_t) -+term_use_all_inherited_ptys(vpnc_t) -+term_use_all_inherited_ttys(vpnc_t) -+ -+corecmd_exec_all_executables(vpnc_t) -+ -+files_exec_etc_files(vpnc_t) -+files_read_etc_runtime_files(vpnc_t) -+files_dontaudit_search_home(vpnc_t) - - auth_use_nsswitch(vpnc_t) - -@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t) - logging_send_syslog_msg(vpnc_t) - logging_dontaudit_search_logs(vpnc_t) - --miscfiles_read_localization(vpnc_t) -- --seutil_dontaudit_search_config(vpnc_t) -+seutil_use_newrole_fds(vpnc_t) - - sysnet_run_ifconfig(vpnc_t, vpnc_roles) - sysnet_etc_filetrans_config(vpnc_t) - sysnet_manage_config(vpnc_t) - - userdom_use_all_users_fds(vpnc_t) --userdom_dontaudit_search_user_home_content(vpnc_t) -+userdom_read_home_certs(vpnc_t) -+userdom_search_admin_dir(vpnc_t) - - optional_policy(` - dbus_system_bus_client(vpnc_t) -@@ -125,7 
+122,3 @@ optional_policy(` - optional_policy(` - networkmanager_attach_tun_iface(vpnc_t) - ') -- --optional_policy(` -- seutil_use_newrole_fds(vpnc_t) --') -diff --git a/watchdog.fc b/watchdog.fc -index eecd0e0..8df2e8c 100644 ---- a/watchdog.fc -+++ b/watchdog.fc -@@ -1,7 +1,12 @@ - /etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0) -+/etc/watchdog\.d(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0) - - /usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) - -+/usr/libexec/watchdog/scripts(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0) -+ -+/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0) -+ - /var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0) - - /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) -diff --git a/watchdog.te b/watchdog.te -index 29f79e8..45b3926 100644 ---- a/watchdog.te -+++ b/watchdog.te -@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) - type watchdog_initrc_exec_t; - init_script_file(watchdog_initrc_exec_t) - -+type watchdog_cache_t; -+files_type(watchdog_cache_t) -+ - type watchdog_log_t; - logging_log_file(watchdog_log_t) - - type watchdog_var_run_t; - files_pid_file(watchdog_var_run_t) - -+type watchdog_unconfined_exec_t; -+application_executable_file(watchdog_unconfined_exec_t) -+ - ######################################## - # - # Local policy -@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms }; - allow watchdog_t self:fifo_file rw_fifo_file_perms; - allow watchdog_t self:tcp_socket { accept listen }; - --allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; --logging_log_filetrans(watchdog_t, watchdog_log_t, file) -+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) -+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) -+ 
-+manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) -+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) -+logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) - - manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) - files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) -@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t) - domain_signal_all_domains(watchdog_t) - domain_kill_all_domains(watchdog_t) - --files_read_etc_files(watchdog_t) - files_manage_etc_runtime_files(watchdog_t) - files_etc_filetrans_etc_runtime(watchdog_t, file) - -@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t) - - logging_send_syslog_msg(watchdog_t) - --miscfiles_read_localization(watchdog_t) -- - sysnet_dns_name_resolve(watchdog_t) - - userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -@@ -97,3 +104,28 @@ optional_policy(` - optional_policy(` - udev_read_db(watchdog_t) - ') -+ -+######################################## -+# -+# watchdog_unconfined_script_t local policy -+# -+ -+optional_policy(` -+ type watchdog_unconfined_t; -+ domain_type(watchdog_unconfined_t) -+ -+ domain_entry_file(watchdog_unconfined_t, watchdog_unconfined_exec_t) -+ role system_r types watchdog_unconfined_t; -+ -+ domtrans_pattern(watchdog_t, watchdog_unconfined_exec_t, watchdog_unconfined_t) -+ -+ allow watchdog_t watchdog_unconfined_exec_t:dir search_dir_perms; -+ allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms; -+ allow watchdog_t watchdog_unconfined_exec_t:file ioctl; -+ -+ init_domtrans_script(watchdog_unconfined_t) -+ -+ optional_policy(` -+ unconfined_domain(watchdog_unconfined_t) -+ ') -+') -diff --git a/wdmd.fc b/wdmd.fc -index 66f11f7..e051997 100644 ---- a/wdmd.fc -+++ b/wdmd.fc -@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) - --/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) -+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) -+ 
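Review bot: The log rule rewrite at the top of this hunk replaces the append-only grant on `watchdog_log_t` (`append_file_perms create_file_perms setattr_file_perms`) with `manage_files_pattern`, which adds write, unlink and rename, so the daemon can now truncate or delete its own log files. If the goal was only to allow a log directory, keep the original `allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };` and add just `manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` next to the `{dir file}` filetrans. The new lines also drop the spaces after commas (`watchdog_t,watchdog_log_t,watchdog_log_t`) that the `watchdog_cache_t` lines above them use.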
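Review bot: In the new block at the end of the last hunk, the section header names `watchdog_unconfined_script_t` but the type declared is `watchdog_unconfined_t`, and `allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;` uses a file permission set on the dir class where `list_dir_perms` is the conventional form. Because `unconfined_domain(watchdog_unconfined_t)` applies to everything transitioned from the `watchdog_unconfined_exec_t` paths (`/etc/watchdog\.d(/.*)?` and `/usr/libexec/watchdog/scripts(/.*)?` in the fc hunk), SELinux no longer constrains anything run from those trees. A comment such as `# scripts under /etc/watchdog.d run unconfined: their integrity relies on DAC ownership and correct labeling of the directory` would make that boundary visible to the next maintainer.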
-+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) -+/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0) - --/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) -diff --git a/wdmd.if b/wdmd.if -index 1e3aec0..d17ff39 100644 ---- a/wdmd.if -+++ b/wdmd.if -@@ -1,29 +1,47 @@ --## Watchdog multiplexing daemon. -+ -+## watchdog multiplexing daemon - - ######################################## - ## --## Connect to wdmd with a unix --## domain stream socket. -+## Execute a domain transition to run wdmd. - ## - ## --## -+## - ## Domain allowed access. -+## -+## -+# -+interface(`wdmd_domtrans',` -+ gen_require(` -+ type wdmd_t, wdmd_exec_t; -+ ') -+ -+ domtrans_pattern($1, wdmd_exec_t, wdmd_t) -+') -+ -+ -+######################################## -+## -+## Execute wdmd server in the wdmd domain. -+## -+## -+## -+## The type of the process performing this action. - ## - ## - # --interface(`wdmd_stream_connect',` -+interface(`wdmd_initrc_domtrans',` - gen_require(` -- type wdmd_t, wdmd_var_run_t; -+ type wdmd_initrc_exec_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) -+ init_labeled_script_domtrans($1, wdmd_initrc_exec_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an wdmd environment. 
-+## All of the rules required to administrate -+## an wdmd environment - ## - ## - ## -@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',` - # - interface(`wdmd_admin',` - gen_require(` -- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t; -+ type wdmd_t; -+ type wdmd_initrc_exec_t; - ') - -- allow $1 wdmd_t:process { ptrace signal_perms }; -+ allow $1 wdmd_t:process signal_perms; - ps_process_pattern($1, wdmd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 wdmd_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, wdmd_initrc_exec_t) -+ wdmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 wdmd_initrc_exec_t system_r; - allow $2 system_r; - -+') -+ -+###################################### -+## -+## Create, read, write, and delete wdmd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`wdmd_manage_pid_files',` -+ gen_require(` -+ type wdmd_var_run_t; -+ ') -+ - files_search_pids($1) -- admin_pattern($1, wdmd_var_run_t) -+ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t) -+') -+ -+######################################## -+## -+## Connect to wdmd over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`wdmd_stream_connect',` -+ gen_require(` -+ type wdmd_t, wdmd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) -+') -+ -+ -+#################################### -+## -+## Allow the specified domain to read/write wdmd's tmpfs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`wdmd_rw_tmpfs',` -+ gen_require(` -+ type wdmd_tmpfs_t; -+ ') -+ -+ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t) -+ - ') -diff --git a/wdmd.te b/wdmd.te -index ebbdaf6..144c0e7 100644 ---- a/wdmd.te -+++ b/wdmd.te -@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t) - dev_read_watchdog(wdmd_t) - dev_write_watchdog(wdmd_t) - -+fs_getattr_all_fs(wdmd_t) - fs_read_anon_inodefs_files(wdmd_t) - - auth_use_nsswitch(wdmd_t) - - logging_send_syslog_msg(wdmd_t) - --miscfiles_read_localization(wdmd_t) -- - optional_policy(` -- corosync_initrc_domtrans(wdmd_t) -- corosync_stream_connect(wdmd_t) -- corosync_rw_tmpfs(wdmd_t) -+ rhcs_initrc_domtrans_cluster(wdmd_t) -+ rhcs_stream_connect_cluster(wdmd_t) -+ rhcs_rw_cluster_tmpfs(wdmd_t) - ') -diff --git a/webadm.te b/webadm.te -index 708254f..d26f598 100644 ---- a/webadm.te -+++ b/webadm.te -@@ -25,6 +25,9 @@ role webadm_r; - - userdom_base_user_template(webadm) - -+type webadm_tmp_t; -+files_tmp_file(webadm_tmp_t) -+ - ######################################## - # - # Local policy -@@ -32,6 +35,12 @@ userdom_base_user_template(webadm) - - allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; - -+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) -+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) -+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) -+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) -+can_exec(webadm_t, webadm_tmp_t) -+ - files_dontaudit_search_all_dirs(webadm_t) - files_list_var(webadm_t) - -@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t) - - userdom_dontaudit_search_user_home_dirs(webadm_t) - --apache_admin(webadm_t, webadm_r) -+optional_policy(` -+ apache_admin(webadm_t, webadm_r) -+') - - tunable_policy(`webadm_manage_user_files',` - userdom_manage_user_home_content_files(webadm_t) -diff --git a/webalizer.te b/webalizer.te -index cdca8c7..3c09628 100644 ---- a/webalizer.te -+++ b/webalizer.te -@@ -55,27 +55,35 @@ 
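Review bot: `wdmd_admin` loses its PID-file access in this hunk: `admin_pattern($1, wdmd_var_run_t)` is removed and the `files_search_pids($1)` context line now falls inside the new `wdmd_manage_pid_files` interface, which `wdmd_admin` never calls, so an admin role can no longer clean up under `/var/run/wdmd`. Adding `wdmd_manage_pid_files($1)` before the interface's closing `')` restores that; note the new interface only covers files, whereas `admin_pattern` also covered directories and symlinks. `wdmd_rw_tmpfs` requires `wdmd_tmpfs_t`, which is not declared in the wdmd.te hunk below — confirm the type exists before this lands. The stray blank line before the final `')` of `wdmd_rw_tmpfs` can go.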
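Review bot: `can_exec(webadm_t, webadm_tmp_t)` in the middle of the webadm.te hunk lets the web-admin domain execute files it creates in its own tmp type, which is the kind of permission that deserves a why-comment since nothing in the rest of the file explains which tool needs it. Something like `# can_exec on webadm_tmp_t: TODO name the admin tool that stages executables in /tmp` keeps the widening from looking accidental. If a specific program is the reason, an `optional_policy` around that program's exec interface would be narrower than blanket exec on the tmp type.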
can_exec(webalizer_t, webalizer_exec_t) - kernel_read_kernel_sysctls(webalizer_t) - kernel_read_system_state(webalizer_t) - --files_read_etc_runtime_files(webalizer_t) -+corenet_all_recvfrom_netlabel(webalizer_t) -+corenet_tcp_sendrecv_generic_if(webalizer_t) -+corenet_tcp_sendrecv_generic_node(webalizer_t) -+corenet_tcp_sendrecv_all_ports(webalizer_t) - - fs_search_auto_mountpoints(webalizer_t) - fs_getattr_xattr_fs(webalizer_t) - fs_rw_anon_inodefs_files(webalizer_t) - --auth_use_nsswitch(webalizer_t) -+files_read_etc_runtime_files(webalizer_t) - - logging_list_logs(webalizer_t) - logging_send_syslog_msg(webalizer_t) - --miscfiles_read_localization(webalizer_t) -+auth_use_nsswitch(webalizer_t) -+ - miscfiles_read_public_files(webalizer_t) - --userdom_use_user_terminals(webalizer_t) -+sysnet_dns_name_resolve(webalizer_t) -+sysnet_read_config(webalizer_t) -+ -+userdom_use_inherited_user_terminals(webalizer_t) - userdom_use_unpriv_users_fds(webalizer_t) - userdom_dontaudit_search_user_home_content(webalizer_t) - - optional_policy(` - apache_read_log(webalizer_t) - apache_content_template(webalizer) -+ apache_manage_sys_content(webalizer_t) - manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) - manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) - ') -diff --git a/wine.if b/wine.if -index fd2b6cc..52a2e72 100644 ---- a/wine.if -+++ b/wine.if -@@ -1,46 +1,57 @@ --## Run Windows programs in Linux. -+## Wine Is Not an Emulator. Run Windows programs in Linux. - --######################################## -+####################################### - ## --## Role access for wine. -+## The per role template for the wine module. - ## --## -+## -+##
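Review bot: `apache_manage_sys_content(webalizer_t)` in the `optional_policy` block widens the log analyser from its own `httpd_webalizer_content_t` output to all system web content, so a misbehaving webalizer run could rewrite any site content. If the report directory is the reason, labeling it `httpd_webalizer_content_t` via fc keeps the original scope; otherwise document why the broad interface is needed, e.g. `# needs write to httpd_sys_content_t because <reason>`. The network lines above it add `corenet_tcp_sendrecv_all_ports(webalizer_t)` alongside `sysnet_dns_name_resolve(webalizer_t)`; if DNS lookups are the only network use, the latter is normally sufficient on its own — confirm before keeping all-ports TCP.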

    -+## This template creates a derived domains which are used -+## for wine applications. -+##

    -+##
    -+## - ## --## Role allowed access. -+## The role associated with the user domain. - ## - ## --## -+## - ## --## User domain for the role. -+## The type of the user domain. - ## - ## - # --interface(`wine_role',` -+template(`wine_role',` - gen_require(` -- attribute_role wine_roles; -- type wine_exec_t, wine_t, wine_tmp_t; -+ type wine_t; - type wine_home_t; -+ type wine_exec_t; - ') - -- roleattribute $1 wine_roles; -- -- domtrans_pattern($2, wine_exec_t, wine_t) -+ role $1 types wine_t; - -+ domain_auto_trans($2, wine_exec_t, wine_t) -+ # Unrestricted inheritance from the caller. -+ allow $2 wine_t:process { noatsecure siginh rlimitinh }; -+ allow wine_t $2:fd use; -+ allow wine_t $2:process { sigchld signull }; - allow wine_t $2:unix_stream_socket connectto; -- allow wine_t $2:process signull; - -+ # Allow the user domain to signal/ps. - ps_process_pattern($2, wine_t) -- allow $2 wine_t:process { ptrace signal_perms }; -+ allow $2 wine_t:process signal_perms; - - allow $2 wine_t:fd use; -- allow $2 wine_t:shm { associate getattr }; -- allow $2 wine_t:shm rw_shm_perms; -+ allow $2 wine_t:shm { associate getattr unix_read unix_write }; - allow $2 wine_t:unix_stream_socket connectto; - -- allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; -- allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; -- allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -- userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine") -+ # X access, Home files -+ manage_dirs_pattern($2, wine_home_t, wine_home_t) -+ manage_files_pattern($2, wine_home_t, wine_home_t) -+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t) -+ relabel_dirs_pattern($2, wine_home_t, wine_home_t) -+ relabel_files_pattern($2, wine_home_t, wine_home_t) -+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) - ') - - ####################################### -@@ -72,31 +83,25 @@ interface(`wine_role',` - # - 
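Review bot: The new template documentation says "This template creates a derived domains which are used for wine applications", but the body declares no derived type — it binds the shared `wine_t` to the role (`role $1 types wine_t;`) and grants `$2` access to it, so the summary should say that, e.g. `## Grant the given role and user domain access to the shared wine_t domain.`. The `# X access, Home files` comment precedes only home-content rules; `# Home files` is accurate. The `allow $2 wine_t:process { noatsecure siginh rlimitinh };` line is labeled "Unrestricted inheritance from the caller", but `noatsecure` in particular (the transition skips the secure-exec treatment, so the caller's environment carries over) is worth spelling out, since wine.te makes `wine_t` unconfined when the unconfined module is present.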
template(`wine_role_template',` - gen_require(` -+ type wine_t; -+ attribute wine_domain; - type wine_exec_t; - ') - -- type $1_wine_t; -- userdom_user_application_domain($1_wine_t, wine_exec_t) -+ type $1_wine_t, wine_domain; -+ domain_type($1_wine_t) -+ domain_entry_file($1_wine_t, wine_exec_t) -+ ubac_constrained($1_wine_t) - role $2 types $1_wine_t; -- -- allow $1_wine_t self:process { execmem execstack }; -- -- allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; -- ps_process_pattern($3, $1_wine_t) -- -+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; - domtrans_pattern($3, wine_exec_t, $1_wine_t) -- -- corecmd_bin_domtrans($1_wine_t, $3) -+ corecmd_bin_domtrans($1_wine_t, $1_t) - - userdom_unpriv_usertype($1, $1_wine_t) -- userdom_manage_user_tmpfs_files($1_wine_t) -+ userdom_manage_tmpfs_role($2, $1_wine_t) - - domain_mmap_low($1_wine_t) - -- tunable_policy(`wine_mmap_zero_ignore',` -- dontaudit $1_wine_t self:memprotect mmap_zero; -- ') -- - optional_policy(` - xserver_role($1_r, $1_wine_t) - ') -@@ -123,9 +128,8 @@ interface(`wine_domtrans',` - - ######################################## - ## --## Execute wine in the wine domain, --## and allow the specified role --## the wine domain. -+## Execute wine in the wine domain, and -+## allow the specified role the wine domain. 
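Review bot: `corecmd_bin_domtrans($1_wine_t, $1_t)` hard-codes the user domain name instead of using the `$3` parameter the original line passed, and `$1_t` is not in the template's `gen_require`, so the template silently depends on a naming convention rather than its documented third argument; restore `corecmd_bin_domtrans($1_wine_t, $3)`. The removed `ps_process_pattern($3, $1_wine_t)` means the user can still signal the wine domain (`signal_perms`) but no longer read its /proc state — if that is intended it deserves a one-line comment. The `wine_mmap_zero_ignore` block removed here stays correct only because `$1_wine_t` now carries `wine_domain` and wine.te applies the tunable to the attribute.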
- ## - ## - ## -@@ -140,11 +144,11 @@ interface(`wine_domtrans',` - # - interface(`wine_run',` - gen_require(` -- attribute_role wine_roles; -+ type wine_t; - ') - - wine_domtrans($1) -- roleattribute $2 wine_roles; -+ role $2 types wine_t; - ') - - ######################################## -diff --git a/wine.te b/wine.te -index b51923c..8e47110 100644 ---- a/wine.te -+++ b/wine.te -@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) - ## - gen_tunable(wine_mmap_zero_ignore, false) - -+attribute wine_domain; - attribute_role wine_roles; - roleattribute system_r wine_roles; - --type wine_t; -+type wine_t, wine_domain; - type wine_exec_t; - userdom_user_application_domain(wine_t, wine_exec_t) - role wine_roles types wine_t; -@@ -25,56 +26,57 @@ role wine_roles types wine_t; - type wine_home_t; - userdom_user_home_content(wine_home_t) - --type wine_tmp_t; --userdom_user_tmp_file(wine_tmp_t) -- - ######################################## - # - # Local policy - # -+domain_mmap_low(wine_t) -+ -+optional_policy(` -+ unconfined_domain(wine_t) -+') - --allow wine_t self:process { execstack execmem execheap }; --allow wine_t self:fifo_file manage_fifo_file_perms; - --can_exec(wine_t, wine_exec_t) -+######################################## -+# -+# Common wine domain policy -+# - --userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") -+allow wine_domain self:process { execstack execmem execheap }; -+allow wine_domain self:fifo_file manage_fifo_file_perms; - --manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) --manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) --files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -+can_exec(wine_domain, wine_exec_t) - --domain_mmap_low(wine_t) -+manage_files_pattern(wine_domain, wine_home_t, wine_home_t) -+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) -+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine") -+userdom_tmpfs_filetrans(wine_domain, file) - --files_execmod_all_files(wine_t) 
-+files_execmod_all_files(wine_domain) - --userdom_use_user_terminals(wine_t) -+userdom_use_inherited_user_terminals(wine_domain) - - tunable_policy(`wine_mmap_zero_ignore',` -- dontaudit wine_t self:memprotect mmap_zero; -+ dontaudit wine_domain self:memprotect mmap_zero; - ') - - optional_policy(` -- dbus_system_bus_client(wine_t) -+ dbus_system_bus_client(wine_domain) - - optional_policy(` -- hal_dbus_chat(wine_t) -+ hal_dbus_chat(wine_domain) - ') - - optional_policy(` -- policykit_dbus_chat(wine_t) -+ policykit_dbus_chat(wine_domain) - ') - ') - - optional_policy(` -- rtkit_scheduled(wine_t) --') -- --optional_policy(` -- unconfined_domain(wine_t) -+ rtkit_scheduled(wine_domain) - ') - - optional_policy(` -- xserver_read_xdm_pid(wine_t) -- xserver_rw_shm(wine_t) -+ xserver_read_xdm_pid(wine_domain) -+ xserver_rw_shm(wine_domain) - ') -diff --git a/wireshark.te b/wireshark.te -index cf5cab6..a2d910f 100644 ---- a/wireshark.te -+++ b/wireshark.te -@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) - # Local Policy - # - --allow wireshark_t self:capability { net_admin net_raw setgid }; -+allow wireshark_t self:capability { net_admin net_raw }; - allow wireshark_t self:process { signal getsched }; - allow wireshark_t self:fifo_file rw_fifo_file_perms; - allow wireshark_t self:shm create_shm_perms; -@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t) - dev_read_sysfs(wireshark_t) - dev_read_urand(wireshark_t) - --files_read_usr_files(wireshark_t) - - fs_getattr_all_fs(wireshark_t) - fs_list_inotifyfs(wireshark_t) -@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t) - - auth_use_nsswitch(wireshark_t) - --libs_read_lib_files(wireshark_t) -- - miscfiles_read_fonts(wireshark_t) --miscfiles_read_localization(wireshark_t) - - userdom_use_user_terminals(wireshark_t) - - userdom_manage_user_home_content_files(wireshark_t) --userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) -- --tunable_policy(`use_nfs_home_dirs',` -- 
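Review bot: `files_execmod_all_files(wine_domain)` and `allow wine_domain self:process { execstack execmem execheap };` now apply to every derived `$1_wine_t` (which gets the `wine_domain` attribute in wine.if), whereas those per-user domains previously had only `execmem execstack` and no execmod exemption — a real widening of the per-role wine domains. If parity with `wine_t` is the intent, a comment like `# all wine domains, including per-role derived ones, need execmod/execheap for Windows binaries` makes that explicit. Removing `wine_tmp_t` without a `typealias` means files already labeled with it on existing systems lose a valid type on the next policy load — check whether an fc entry or alias elsewhere handles that, as it is not visible here.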
fs_manage_nfs_dirs(wireshark_t) -- fs_manage_nfs_files(wireshark_t) -- fs_manage_nfs_symlinks(wireshark_t) --') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(wireshark_t) -- fs_manage_cifs_files(wireshark_t) -- fs_manage_cifs_symlinks(wireshark_t) --') -+userdom_filetrans_home_content(wireshark_t) - --optional_policy(` -- seutil_use_newrole_fds(wireshark_t) --') -+userdom_home_manager(wireshark_t) - - optional_policy(` - userhelper_use_fd(wireshark_t) -diff --git a/wm.fc b/wm.fc -index 304ae09..c1d10a1 100644 ---- a/wm.fc -+++ b/wm.fc -@@ -1,4 +1,4 @@ - /usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) - /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) - /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) --/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) -diff --git a/wm.if b/wm.if -index 25b702d..36b2f81 100644 ---- a/wm.if -+++ b/wm.if -@@ -1,4 +1,4 @@ --## X Window Managers. 
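Review bot: `userdom_home_manager(wireshark_t)` replaces the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks, so the NFS/CIFS home access that was opt-in is presumably now unconditional, and the retained `userdom_manage_user_home_content_files(wireshark_t)` on the line above is likely redundant with it — confirm what the interface grants and drop the duplicate. For a capture tool whose home access is for saving captures, a comment such as `# home access: save/open capture files` would explain why the broad manager interface is acceptable.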
-+## X Window Managers - - ####################################### - ## -@@ -29,54 +29,46 @@ - # - template(`wm_role_template',` - gen_require(` -- attribute wm_domain; - type wm_exec_t; -+ class dbus send_msg; -+ attribute wm_domain; - ') - -- ######################################## -- # -- # Declarations -- # -- - type $1_wm_t, wm_domain; -- userdom_user_application_domain($1_wm_t, wm_exec_t) -+ domain_type($1_wm_t) -+ domain_entry_file($1_wm_t, wm_exec_t) - role $2 types $1_wm_t; - -- ######################################## -- # -- # Policy -- # -- - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; -+ allow $3 $1_wm_t:process { signal sigchld signull }; -+ allow $1_wm_t $3:process { signull sigkill }; - -- allow $3 $1_wm_t:process { ptrace signal_perms }; -- ps_process_pattern($3, $1_wm_t) -+ allow $1_wm_t $3:dbus send_msg; -+ allow $3 $1_wm_t:dbus send_msg; - -- allow $1_wm_t $3:process { signull sigkill }; -+ userdom_manage_home_role($2, $1_wm_t) -+ userdom_manage_tmpfs_role($2, $1_wm_t) -+ userdom_manage_tmp_role($2, $1_wm_t) -+ userdom_exec_user_tmp_files($1_wm_t) - - domtrans_pattern($3, wm_exec_t, $1_wm_t) - - corecmd_bin_domtrans($1_wm_t, $3) - corecmd_shell_domtrans($1_wm_t, $3) - -+ auth_use_nsswitch($1_wm_t) -+ -+ kernel_read_system_state($1_wm_t) -+ -+ auth_use_nsswitch($1_wm_t) -+ - mls_file_read_all_levels($1_wm_t) - mls_file_write_all_levels($1_wm_t) - mls_xwin_read_all_levels($1_wm_t) - mls_xwin_write_all_levels($1_wm_t) - mls_fd_use_all_levels($1_wm_t) - -- auth_use_nsswitch($1_wm_t) -- -- optional_policy(` -- dbus_spec_session_bus_client($1, $1_wm_t) -- dbus_system_bus_client($1_wm_t) -- -- optional_policy(` -- wm_dbus_chat($1, $3) -- ') -- ') -- - optional_policy(` - pulseaudio_run($1_wm_t, $2) - ') -@@ -89,7 +81,7 @@ template(`wm_role_template',` - - ######################################## - ## --## Execute wm in the caller domain. -+## Execute the wm program in the wm domain. 
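Review bot: `auth_use_nsswitch($1_wm_t)` is added twice in the `wm_role_template` hunk (once before and once after `kernel_read_system_state($1_wm_t)`) while the original single call is removed further down; keep one. `userdom_exec_user_tmp_files($1_wm_t)` lets the window manager execute user-writable tmp files and has no comment explaining the need, e.g. `# exec user tmp: TODO name the WM feature that runs generated scripts`. The `ps_process_pattern($3, $1_wm_t)` removal also silently takes away the user's ability to inspect the WM's /proc entries; a comment would confirm that is intended.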
- ## - ## - ## -@@ -102,33 +94,5 @@ interface(`wm_exec',` - type wm_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, wm_exec_t) - ') -- --######################################## --## --## Send and receive messages from --## specified wm over dbus. --## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## --## --## --## Domain allowed access. --## --## --# --interface(`wm_dbus_chat',` -- gen_require(` -- type $1_wm_t; -- class dbus send_msg; -- ') -- -- allow $2 $1_wm_t:dbus send_msg; -- allow $1_wm_t $2:dbus send_msg; --') -diff --git a/wm.te b/wm.te -index 7c7f7fa..20ce90b 100644 ---- a/wm.te -+++ b/wm.te -@@ -1,36 +1,88 @@ --policy_module(wm, 1.2.5) -+policy_module(wm, 1.2.0) -+ -+attribute wm_domain; - - ######################################## - # - # Declarations - # - --attribute wm_domain; -- - type wm_exec_t; -- --######################################## --# --# Common wm domain local policy --# -+corecmd_executable_file(wm_exec_t) - - allow wm_domain self:fifo_file rw_fifo_file_perms; --allow wm_domain self:process getsched; -+allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; -+allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; -+ - allow wm_domain self:shm create_shm_perms; - allow wm_domain self:unix_dgram_socket create_socket_perms; - --kernel_read_system_state(wm_domain) -- - dev_read_urand(wm_domain) -+dev_read_sound(wm_domain) -+dev_write_sound(wm_domain) -+dev_rw_wireless(wm_domain) -+dev_read_sysfs(wm_domain) -+ -+fs_getattr_all_fs(wm_domain) -+ -+corecmd_dontaudit_access_all_executables(wm_domain) -+corecmd_getattr_all_executables(wm_domain) - --files_read_usr_files(wm_domain) -+application_signull(wm_domain) -+ -+init_read_state(wm_domain) - - miscfiles_read_fonts(wm_domain) --miscfiles_read_localization(wm_domain) - --userdom_manage_user_tmp_sockets(wm_domain) --userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) 
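Review bot: Removing the `wm_dbus_chat` interface at the end of this hunk breaks any other module that calls it; the template now grants `dbus send_msg` directly between `$1_wm_t` and `$3`, but external callers are not visible here, so check with a grep before landing. If nothing else uses it, a deprecation stub that emits `refpolicywarn` and does nothing is the usual transition so third-party modules keep building. `wm_exec` also loses `corecmd_search_bin($1)`, which callers that cannot already search `bin_t` will notice.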
-+systemd_dbus_chat_logind(wm_domain) -+systemd_read_logind_sessions_files(wm_domain) -+systemd_write_inhibit_pipes(wm_domain) -+systemd_login_read_pid_files(wm_domain) -+ -+userdom_read_user_home_content_files(wm_domain) -+ -+udev_read_pid_files(wm_domain) -+ -+optional_policy(` -+ gnome_stream_connect_gkeyringd(wm_domain) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(wm_domain) -+ dbus_session_bus_client(wm_domain) -+ optional_policy(` -+ accountsd_dbus_chat(wm_domain) -+ ') -+ -+ optional_policy(` -+ bluetooth_dbus_chat(wm_domain) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat_power(wm_domain) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat(wm_domain) -+ ') -+ -+ optional_policy(` -+ policykit_dbus_chat(wm_domain) -+ ') -+ -+ optional_policy(` -+ systemd_dbus_chat_logind(wm_domain) -+ ') -+') -+ -+optional_policy(` -+ pulseaudio_stream_connect(wm_domain) -+') -+ -+optional_policy(` -+ userhelper_exec_console(wm_domain) -+') - --userdom_manage_user_home_content_dirs(wm_domain) --userdom_manage_user_home_content_files(wm_domain) --userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) -+optional_policy(` -+ xserver_manage_core_devices(wm_domain) -+') -diff --git a/xen.fc b/xen.fc -index 42d83b0..651d1cb 100644 ---- a/xen.fc -+++ b/xen.fc -@@ -1,38 +1,42 @@ - /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) - --/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) --/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) --/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) --/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) --/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -- - /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) - /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) - /usr/sbin/tapdisk -- 
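Review bot: `policy_module(wm, 1.2.5)` is changed to `1.2.0`, so the module version goes backwards; if the base this patch targets really is 1.2.0, the bump should still go forward from the higher number. `systemd_dbus_chat_logind(wm_domain)` appears twice, once unconditionally near the top of the new block and again inside the dbus `optional_policy`; keep the conditional one. The unconditional `systemd_*` and `udev_read_pid_files(wm_domain)` calls make wm depend on those modules while gnome, pulseaudio and xserver in the same file are wrapped in `optional_policy` — wrap them the same way for consistency. `allow wm_domain self:process { setcap setrlimit execmem ... }` and `dev_rw_wireless(wm_domain)` are broad for a window manager and each deserves a why-comment.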
gen_context(system_u:object_r:blktap_exec_t,s0) -+ -+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) -+ -+ifdef(`distro_debian',` -+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -+/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -+/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -+',` - /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) --/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) - /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) --/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) --/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -+/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -+') - --/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) - /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) --/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) -+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) - /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) - - /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) --/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) -+/var/log/xen(/.*)? 
gen_context(system_u:object_r:xend_var_log_t,s0) - /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) - /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) - /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) -+/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0) - - /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) - /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) --/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) --/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) -+/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) - /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) --/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) -+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) - /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) - /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - --/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) -+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) -diff --git a/xen.if b/xen.if -index f93558c..16e29c1 100644 ---- a/xen.if -+++ b/xen.if -@@ -1,13 +1,13 @@ --## Xen hypervisor. -+## Xen hypervisor - - ######################################## - ## - ## Execute a domain transition to run xend. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`xen_domtrans',` -@@ -15,18 +15,18 @@ interface(`xen_domtrans',` - type xend_t, xend_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, xend_exec_t, xend_t) - ') - - ######################################## - ## --## Execute xend in the caller domain. 
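Review bot: The non-Debian branch of the new `ifdef` no longer labels `/usr/sbin/xl` or `/usr/sbin/xm` as `xm_exec_t` (the two removed lines are not re-added) and the Debian branch drops `xl`, so on those systems `xm_t` has no entry point and `xen_domtrans_xm` callers will run the tools in their own domain; re-add `/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)` and `/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)` unless another module labels them. The commented-out `qemu-dm` line leaves `qemu_dm_exec_t` (declared in the xen.te hunk below) with nothing labelled, so `qemu_dm_t` is unreachable; either restore the line or say in the comment why it is disabled.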
-+## Allow the specified domain to execute xend -+## in the caller domain. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`xen_exec',` -@@ -34,7 +34,6 @@ interface(`xen_exec',` - type xend_exec_t; - ') - -- corecmd_search_bin($1) - can_exec($1, xend_exec_t) - ') - -@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',` - dontaudit $1 xend_t:fd use; - ') - -+####################################### -+## -+## Read xend pid files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xen_read_pid_files_xenstored',` -+ gen_require(` -+ type xenstored_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ -+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) -+') -+ - ######################################## - ## --## Create, read, write, and delete --## xend image directories. -+## Read xend lib files. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # --interface(`xen_manage_image_dirs',` -+interface(`xen_read_lib_files',` - gen_require(` - type xend_var_lib_t; - ') - -- files_search_var_lib($1) -- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) -+ files_list_var_lib($1) -+ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t) - ') - - ######################################## -@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',` - ## Read xend image files. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`xen_read_image_files',` -@@ -111,18 +129,40 @@ interface(`xen_read_image_files',` - ') - - files_list_var_lib($1) -+ - list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) - ') - - ######################################## - ## --## Read and write xend image files. -+## Allow the specified domain to read/write -+## xend image files. - ## - ## --## -+## - ## Domain allowed access. 
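Review bot: The new `xen_read_pid_files_xenstored` interface has summary `Read xend pid files.` but grants read on `xenstored_var_run_t`; it should read `## Read xenstored pid files.`. It is effectively a rename of `xen_read_xenstored_pid_files`, which the later `@@ -176,29 +217,11 @@` hunk deletes, so any caller of the old name stops building — keep the old name as a wrapper or update the callers in the same change. `xen_read_lib_files` takes over the `xen_manage_image_dirs` slot and swaps `files_search_var_lib` for `files_list_var_lib`, which grants listing rather than just search on `/var/lib`; confirm that is needed.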
--## -+## -+## -+# -+interface(`xen_manage_image_dirs',` -+ gen_require(` -+ type xend_var_lib_t; -+ ') -+ -+ files_list_var_lib($1) -+ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to read/write -+## xend image files. -+## -+## -+## -+## Domain allowed to transition. -+## - ## - # - interface(`xen_rw_image_files',` -@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',` - - ######################################## - ## --## Append xend log files. -+## Allow the specified domain to append -+## xend log files. - ## - ## - ## -@@ -157,13 +198,13 @@ interface(`xen_append_log',` - - ######################################## - ## --## Create, read, write, and delete -+## Create, read, write, and delete the - ## xend log files. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`xen_manage_log',` -@@ -176,29 +217,11 @@ interface(`xen_manage_log',` - manage_files_pattern($1, xend_var_log_t, xend_var_log_t) - ') - --####################################### --## --## Read xenstored pid files. --## --## --## --## Domain allowed access. --## --## --# --interface(`xen_read_xenstored_pid_files',` -- gen_require(` -- type xenstored_var_run_t; -- ') -- -- files_search_pids($1) -- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) --') -- - ######################################## - ## - ## Do not audit attempts to read and write --## Xen unix domain stream sockets. -+## Xen unix domain stream sockets. These -+## are leaked file descriptors. - ## - ## - ## -@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` - - ######################################## - ## --## Connect to xenstored with a unix --## domain stream socket. -+## Connect to xenstored over a unix stream socket. 
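Review bot: The re-added `xen_manage_image_dirs` carries the summary `Allow the specified domain to read/write xend image files.` although it manages `xend_var_lib_t` directories, and the `xen_rw_image_files` parameter text now says `Domain allowed to transition.` for an interface that does no transition; use `## Create, read, write, and delete xend image directories.` and `## Domain allowed access.` respectively. Two interfaces with identical summaries also collide in the generated documentation index, so the fix is more than cosmetic.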
- ## - ## - ## -@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',` - - ######################################## - ## --## Connect to xend with a unix --## domain stream socket. -+## Connect to xend over a unix domain stream socket. - ## - ## - ## -@@ -270,16 +291,15 @@ interface(`xen_stream_connect',` - interface(`xen_domtrans_xm',` - gen_require(` - type xm_t, xm_exec_t; -+ attribute virsh_transition_domain; - ') -- -- corecmd_search_bin($1) -+ typeattribute $1 virsh_transition_domain; - domtrans_pattern($1, xm_exec_t, xm_t) - ') - - ######################################## - ## --## Connect to xm with a unix --## domain stream socket. -+## Connect to xm over a unix stream socket. - ## - ## - ## -@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',` - # - interface(`xen_stream_connect_xm',` - gen_require(` -- type xm_t; -+ type xm_t, xenstored_var_run_t; - ') - - files_search_pids($1) -diff --git a/xen.te b/xen.te -index ed40676..3fe3e35 100644 ---- a/xen.te -+++ b/xen.te -@@ -1,42 +1,34 @@ --policy_module(xen, 1.12.5) -+policy_module(xen, 1.12.0) - - ######################################## - # - # Declarations - # -+attribute xm_transition_domain; - - ## --##
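Review bot: `xen_domtrans_xm` now does `typeattribute $1 virsh_transition_domain;`, but the xen.te hunk that follows declares `attribute xm_transition_domain;`, not `virsh_transition_domain`; one of the two names is wrong, and if `virsh_transition_domain` comes from the virt module this interface has acquired a dependency on it that nothing in the `gen_require` explains. Either require and use `xm_transition_domain` here or drop the unused declaration in xen.te, and add `# callers also get the transition attribute so <module> can ...` once the intent is settled. The removed `corecmd_search_bin($1)` means callers that cannot already search `bin_t` lose the path to `xm_exec_t`.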

    --## Determine whether xend can --## run blktapctrl and tapdisk. -+##

    -+## Allow xend to run blktapctrl/tapdisk. -+## Not required if using dedicated logical volumes for disk images. - ##

    - ##
    --gen_tunable(xend_run_blktap, false) -+gen_tunable(xend_run_blktap, true) - - ## --##

    --## Determine whether xen can --## use fusefs file systems. --##

    -+##

    -+## Allow xend to run qemu-dm. -+## Not required if using paravirt and no vfb. -+##

    - ##
    --gen_tunable(xen_use_fusefs, false) -+gen_tunable(xend_run_qemu, true) - - ## --##

    --## Determine whether xen can --## use nfs file systems. --##

    -+##

    -+## Allow xen to manage nfs files -+##

    - ##
    - gen_tunable(xen_use_nfs, false) - --## --##

    --## Determine whether xen can --## use samba file systems. --##

    --##
    --gen_tunable(xen_use_samba, false) -- - type blktap_t; - type blktap_exec_t; - domain_type(blktap_t) -@@ -50,41 +42,55 @@ type evtchnd_t; - type evtchnd_exec_t; - init_daemon_domain(evtchnd_t, evtchnd_exec_t) - -+# log files - type evtchnd_var_log_t; - logging_log_file(evtchnd_var_log_t) - -+# pid files - type evtchnd_var_run_t; - files_pid_file(evtchnd_var_run_t) - -+type qemu_dm_t; -+type qemu_dm_exec_t; -+domain_type(qemu_dm_t) -+domain_entry_file(qemu_dm_t, qemu_dm_exec_t) -+role system_r types qemu_dm_t; -+ -+# console ptys - type xen_devpts_t; - term_pty(xen_devpts_t) - files_type(xen_devpts_t) - -+# Xen Image files - type xen_image_t; # customizable - files_type(xen_image_t) -+# xen_image_t can be assigned to blk devices - dev_node(xen_image_t) -- --optional_policy(` -- virt_image(xen_image_t) --') -+virt_image(xen_image_t) - - type xenctl_t; - files_type(xenctl_t) - - type xend_t; - type xend_exec_t; -+domain_type(xend_t) - init_daemon_domain(xend_t, xend_exec_t) - -+# tmp files - type xend_tmp_t; - files_tmp_file(xend_tmp_t) - -+# var/lib files - type xend_var_lib_t; - files_type(xend_var_lib_t) -+# for mounting an NFS store - files_mountpoint(xend_var_lib_t) - -+# log files - type xend_var_log_t; - logging_log_file(xend_var_log_t) - -+# pid files - type xend_var_run_t; - files_pid_file(xend_var_run_t) - files_mountpoint(xend_var_run_t) -@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) - type xenstored_tmp_t; - files_tmp_file(xenstored_tmp_t) - -+# var/lib files - type xenstored_var_lib_t; - files_type(xenstored_var_lib_t) - files_mountpoint(xenstored_var_lib_t) - -+# log files - type xenstored_var_log_t; - logging_log_file(xenstored_var_log_t) - -+# pid files - type xenstored_var_run_t; - files_pid_file(xenstored_var_run_t) --init_daemon_run_dir(xenstored_var_run_t, "xenstored") - - type xenconsoled_t; - type xenconsoled_exec_t; - init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - -+# pid files - type xenconsoled_var_run_t; 
- files_pid_file(xenconsoled_var_run_t) - --type xm_t; --type xm_exec_t; --init_system_domain(xm_t, xm_exec_t) -- - ######################################## - # - # blktap local policy - # -- -+# Do we need to allow execution of blktap? - tunable_policy(`xend_run_blktap',` -+ # If yes, transition to its own domain. - domtrans_pattern(xend_t, blktap_exec_t, blktap_t) - -- allow blktap_t self:fifo_file { read write }; -+',` -+ # If no, then silently refuse to run it. -+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; -+') - -- dev_read_sysfs(blktap_t) -- dev_rw_xen(blktap_t) -+allow blktap_t self:fifo_file { read write }; - -- files_read_etc_files(blktap_t) -+dev_read_sysfs(blktap_t) -+dev_rw_xen(blktap_t) - -- logging_send_syslog_msg(blktap_t) - -- miscfiles_read_localization(blktap_t) -+logging_send_syslog_msg(blktap_t) - -- xen_stream_connect_xenstore(blktap_t) --',` -- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; --') -+xen_stream_connect_xenstore(blktap_t) - - ####################################### - # -@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',` - # - - manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) --append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) --create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) --setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) - logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) - - manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -@@ -160,28 +163,68 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - - ######################################## - # -+# qemu-dm local policy -+# -+ -+# TODO: This part of policy should be removed -+# qemu-dm should run in xend_t domain -+ -+# Do we need to allow execution of qemu-dm? 
-+tunable_policy(`xend_run_qemu',` -+ allow qemu_dm_t self:capability sys_resource; -+ allow qemu_dm_t self:process setrlimit; -+ allow qemu_dm_t self:fifo_file { read write }; -+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms; -+ -+ # If yes, transition to its own domain. -+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t) -+ -+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t) -+ -+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t) -+ -+ corenet_tcp_bind_generic_node(qemu_dm_t) -+ corenet_tcp_bind_vnc_port(qemu_dm_t) -+ -+ dev_rw_xen(qemu_dm_t) -+ -+ -+ fs_manage_xenfs_dirs(qemu_dm_t) -+ fs_manage_xenfs_files(qemu_dm_t) -+ -+ -+ xen_stream_connect_xenstore(qemu_dm_t) -+',` -+ # If no, then silently refuse to run it. -+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans }; -+') -+ -+######################################## -+# - # xend local policy - # - --allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; --dontaudit xend_t self:capability { sys_ptrace }; --allow xend_t self:process { setrlimit signal sigkill }; --dontaudit xend_t self:process ptrace; -+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; -+allow xend_t self:process { signal sigkill }; -+ -+# needed by qemu_dm -+allow xend_t self:capability sys_resource; -+allow xend_t self:process setrlimit; -+ -+# internal communication is often done using fifo and unix sockets. 
- allow xend_t self:fifo_file rw_fifo_file_perms; --allow xend_t self:unix_stream_socket { accept listen }; --allow xend_t self:tcp_socket { accept listen }; -+allow xend_t self:unix_stream_socket create_stream_socket_perms; -+allow xend_t self:unix_dgram_socket create_socket_perms; -+allow xend_t self:netlink_route_socket r_netlink_socket_perms; -+allow xend_t self:tcp_socket create_stream_socket_perms; - allow xend_t self:packet_socket create_socket_perms; - allow xend_t self:tun_socket create_socket_perms; - - allow xend_t xen_image_t:dir list_dir_perms; - manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) --manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t) - manage_files_pattern(xend_t, xen_image_t, xen_image_t) - read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) --read_sock_files_pattern(xend_t, xen_image_t, xen_image_t) --rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t) - rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) --fs_hugetlbfs_filetrans(xend_t, xen_image_t, file) - - allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; - dev_filetrans(xend_t, xenctl_t, fifo_file) -@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) - manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) - files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - -+# pid file - manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) - files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - -+# log files - manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) --append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) --create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) --setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) -+manage_files_pattern(xend_t, xend_var_log_t, 
xend_var_log_t) - manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) - logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) - -+# var/lib files for xend - manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) - manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) - manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) - manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) - files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) - -+# transition to store -+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) -+ -+# manage xenstored pid file - manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) - --allow xend_t xenstored_var_lib_t:dir list_dir_perms; -+# mount tmpfs on /var/lib/xenstored -+allow xend_t xenstored_var_lib_t:dir read; - -+# transition to console - domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) --domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) -- --xen_stream_connect_xenstore(xend_t) - - kernel_read_kernel_sysctls(xend_t) - kernel_read_system_state(xend_t) -@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t) - kernel_read_xen_state(xend_t) - kernel_rw_net_sysctls(xend_t) - kernel_read_network_state(xend_t) -+kernel_request_load_module(xend_t) - - corecmd_exec_bin(xend_t) - corecmd_exec_shell(xend_t) - --corenet_all_recvfrom_unlabeled(xend_t) - corenet_all_recvfrom_netlabel(xend_t) - corenet_tcp_sendrecv_generic_if(xend_t) - corenet_tcp_sendrecv_generic_node(xend_t) - corenet_tcp_sendrecv_all_ports(xend_t) - corenet_tcp_bind_generic_node(xend_t) -- --corenet_sendrecv_xen_server_packets(xend_t) - corenet_tcp_bind_xen_port(xend_t) -- --corenet_sendrecv_soundd_server_packets(xend_t) - corenet_tcp_bind_soundd_port(xend_t) -- --corenet_sendrecv_generic_server_packets(xend_t) - corenet_tcp_bind_generic_port(xend_t) -- --corenet_sendrecv_vnc_server_packets(xend_t) - corenet_tcp_bind_vnc_port(xend_t) -- 
--corenet_sendrecv_xserver_client_packets(xend_t) - corenet_tcp_connect_xserver_port(xend_t) -- --corenet_sendrecv_xen_client_packets(xend_t) - corenet_tcp_connect_xen_port(xend_t) -- -+corenet_sendrecv_xserver_client_packets(xend_t) -+corenet_sendrecv_xen_server_packets(xend_t) -+corenet_sendrecv_xen_client_packets(xend_t) -+corenet_sendrecv_soundd_server_packets(xend_t) - corenet_rw_tun_tap_dev(xend_t) - --dev_getattr_all_chr_files(xend_t) - dev_read_urand(xend_t) -+# run lsscsi -+dev_getattr_all_chr_files(xend_t) - dev_filetrans_xen(xend_t) - dev_rw_sysfs(xend_t) - dev_rw_xen(xend_t) - - domain_dontaudit_read_all_domains_state(xend_t) --domain_dontaudit_ptrace_all_domains(xend_t) - --files_read_etc_files(xend_t) - files_read_kernel_symbol_table(xend_t) - files_read_kernel_img(xend_t) - files_manage_etc_runtime_files(xend_t) - files_etc_filetrans_etc_runtime(xend_t, file) --files_read_usr_files(xend_t) - files_read_default_symlinks(xend_t) --files_search_mnt(xend_t) - --fs_getattr_all_fs(xend_t) --fs_list_auto_mountpoints(xend_t) --fs_read_dos_files(xend_t) - fs_read_removable_blk_files(xend_t) --fs_manage_xenfs_dirs(xend_t) --fs_manage_xenfs_files(xend_t) - - storage_read_scsi_generic(xend_t) - -@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t) - - logging_send_syslog_msg(xend_t) - --miscfiles_read_localization(xend_t) -+auth_read_passwd(xend_t) -+ - miscfiles_read_hwdata(xend_t) - - sysnet_domtrans_dhcpc(xend_t) -@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t) - - userdom_dontaudit_search_user_home_dirs(xend_t) - --tunable_policy(`xen_use_fusefs',` -- fs_manage_fusefs_dirs(xend_t) -- fs_manage_fusefs_files(xend_t) -- fs_read_fusefs_symlinks(xend_t) --') -- --tunable_policy(`xen_use_nfs',` -- fs_manage_nfs_dirs(xend_t) -- fs_manage_nfs_files(xend_t) -- fs_read_nfs_symlinks(xend_t) --') -- --tunable_policy(`xen_use_samba',` -- fs_manage_cifs_dirs(xend_t) -- fs_manage_cifs_files(xend_t) -- fs_read_cifs_symlinks(xend_t) --') 
-+xen_stream_connect_xenstore(xend_t) - - optional_policy(` - brctl_domtrans(xend_t) -@@ -342,7 +357,7 @@ optional_policy(` - mount_domtrans(xend_t) - ') - --optional_policy(` -+optional_policy(` - netutils_domtrans(xend_t) - ') - -@@ -351,6 +366,7 @@ optional_policy(` - ') - - optional_policy(` -+ virt_manage_default_image_type(xend_t) - virt_search_images(xend_t) - virt_read_config(xend_t) - ') -@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit; - allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; - allow xenconsoled_t self:fifo_file rw_fifo_file_perms; - --allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; -- --manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) --append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) --create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) --setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) -+allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr }; - -+# pid file - manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) - manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) - files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) -@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t) - dev_filetrans_xen(xenconsoled_t) - dev_rw_sysfs(xenconsoled_t) - --domain_dontaudit_ptrace_all_domains(xenconsoled_t) -- --files_read_etc_files(xenconsoled_t) --files_read_usr_files(xenconsoled_t) - - fs_list_tmpfs(xenconsoled_t) - fs_manage_xenfs_dirs(xenconsoled_t) -@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t) - - term_create_pty(xenconsoled_t, xen_devpts_t) - term_use_generic_ptys(xenconsoled_t) --term_use_console(xenconsoled_t) - - init_use_fds(xenconsoled_t) - init_use_script_ptys(xenconsoled_t) - --logging_search_logs(xenconsoled_t) -- --miscfiles_read_localization(xenconsoled_t) -+auth_read_passwd(xenconsoled_t) - 
-+xen_manage_log(xenconsoled_t) - xen_stream_connect_xenstore(xenconsoled_t) - - optional_policy(` -@@ -416,24 +422,26 @@ optional_policy(` - # - - allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; --allow xenstored_t self:unix_stream_socket { accept listen }; -+allow xenstored_t self:unix_stream_socket create_stream_socket_perms; -+allow xenstored_t self:unix_dgram_socket create_socket_perms; - - manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) - manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) - files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) - -+# pid file - manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) - manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) - manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) - files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) - -+# log files - manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) --append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) --create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) --setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) - manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) - logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) - -+# var/lib files for xenstored - manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) - manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) - manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t) - dev_rw_xen(xenstored_t) - dev_read_sysfs(xenstored_t) - --files_read_etc_files(xenstored_t) --files_read_usr_files(xenstored_t) -+ - - 
fs_search_xenfs(xenstored_t) - fs_manage_xenfs_files(xenstored_t) - - term_use_generic_ptys(xenstored_t) -+term_use_console(xenconsoled_t) - - init_use_fds(xenstored_t) - init_use_script_ptys(xenstored_t) - - logging_send_syslog_msg(xenstored_t) - --miscfiles_read_localization(xenstored_t) -- - xen_append_log(xenstored_t) - --######################################## --# --# xm local policy --# -- --allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; --allow xm_t self:process { getcap getsched setsched setcap signal }; --allow xm_t self:fifo_file rw_fifo_file_perms; --allow xm_t self:unix_stream_socket { accept connectto listen }; --allow xm_t self:tcp_socket { accept listen }; -- --manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) --manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) --manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -- --manage_files_pattern(xm_t, xen_image_t, xen_image_t) --manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t) --manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t) -- --read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t) -- --xen_manage_image_dirs(xm_t) --xen_append_log(xm_t) --xen_domtrans(xm_t) --xen_stream_connect(xm_t) --xen_stream_connect_xenstore(xm_t) -- --can_exec(xm_t, xm_exec_t) -- --kernel_read_system_state(xm_t) --kernel_read_network_state(xm_t) --kernel_read_kernel_sysctls(xm_t) --kernel_read_sysctl(xm_t) --kernel_read_xen_state(xm_t) --kernel_write_xen_state(xm_t) -- --corecmd_exec_bin(xm_t) --corecmd_exec_shell(xm_t) -- --corenet_all_recvfrom_unlabeled(xm_t) --corenet_all_recvfrom_netlabel(xm_t) --corenet_tcp_sendrecv_generic_if(xm_t) --corenet_tcp_sendrecv_generic_node(xm_t) -- --corenet_sendrecv_soundd_client_packets(xm_t) --corenet_tcp_connect_soundd_port(xm_t) --corenet_tcp_sendrecv_soundd_port(xm_t) -- --dev_read_rand(xm_t) --dev_read_urand(xm_t) --dev_read_sysfs(xm_t) -- --files_read_etc_runtime_files(xm_t) 
--files_read_etc_files(xm_t) --files_read_usr_files(xm_t) --files_search_pids(xm_t) --files_search_var_lib(xm_t) --files_list_mnt(xm_t) --files_list_tmp(xm_t) -- --fs_getattr_all_fs(xm_t) --fs_manage_xenfs_dirs(xm_t) --fs_manage_xenfs_files(xm_t) --fs_search_auto_mountpoints(xm_t) -- --storage_raw_read_fixed_disk(xm_t) -- --term_use_all_terms(xm_t) -- --init_stream_connect_script(xm_t) --init_rw_script_stream_sockets(xm_t) --init_use_fds(xm_t) -- --logging_send_syslog_msg(xm_t) -- --miscfiles_read_localization(xm_t) -- --sysnet_dns_name_resolve(xm_t) -- --tunable_policy(`xen_use_fusefs',` -- fs_manage_fusefs_dirs(xm_t) -- fs_manage_fusefs_files(xm_t) -- fs_read_fusefs_symlinks(xm_t) --') -- --tunable_policy(`xen_use_nfs',` -- fs_manage_nfs_dirs(xm_t) -- fs_manage_nfs_files(xm_t) -- fs_read_nfs_symlinks(xm_t) --') -- --tunable_policy(`xen_use_samba',` -- fs_manage_cifs_dirs(xm_t) -- fs_manage_cifs_files(xm_t) -- fs_read_cifs_symlinks(xm_t) --') -- - optional_policy(` -- cron_system_entry(xm_t, xm_exec_t) -+ virt_read_config(xenstored_t) - ') - -+######################################## -+# -+# SSH component local policy -+# - optional_policy(` -- dbus_system_bus_client(xm_t) -- -- optional_policy(` -- hal_dbus_chat(xm_t) -+ #Should have a boolean wrapping these -+ fs_list_auto_mountpoints(xend_t) -+ files_search_mnt(xend_t) -+ fs_getattr_all_fs(xend_t) -+ fs_read_dos_files(xend_t) -+ fs_manage_xenfs_dirs(xend_t) -+ fs_manage_xenfs_files(xend_t) -+ -+ tunable_policy(`xen_use_nfs',` -+ fs_manage_nfs_files(xend_t) -+ fs_read_nfs_symlinks(xend_t) - ') - ') -- --optional_policy(` -- rpm_exec(xm_t) --') -- --optional_policy(` -- vhostmd_rw_tmpfs_files(xm_t) -- vhostmd_stream_connect(xm_t) -- vhostmd_dontaudit_rw_stream_connect(xm_t) --') -- --optional_policy(` -- virt_domtrans(xm_t) -- virt_manage_images(xm_t) -- virt_manage_config(xm_t) -- virt_stream_connect(xm_t) --') -- --optional_policy(` -- ssh_basic_client_template(xm, xm_t, system_r) -- -- 
kernel_read_xen_state(xm_ssh_t) -- kernel_write_xen_state(xm_ssh_t) -- -- files_search_tmp(xm_ssh_t) -- -- fs_manage_xenfs_dirs(xm_ssh_t) -- fs_manage_xenfs_files(xm_ssh_t) --') -diff --git a/xfs.te b/xfs.te -index 0cea2cd..7668014 100644 ---- a/xfs.te -+++ b/xfs.te -@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) - kernel_read_kernel_sysctls(xfs_t) - kernel_read_system_state(xfs_t) - --corenet_all_recvfrom_unlabeled(xfs_t) - corenet_all_recvfrom_netlabel(xfs_t) - corenet_tcp_sendrecv_generic_if(xfs_t) - corenet_tcp_sendrecv_generic_node(xfs_t) -@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t) - domain_use_interactive_fds(xfs_t) - - files_read_etc_runtime_files(xfs_t) --files_read_usr_files(xfs_t) - - auth_use_nsswitch(xfs_t) - -@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") - - logging_send_syslog_msg(xfs_t) - --miscfiles_read_localization(xfs_t) - miscfiles_read_fonts(xfs_t) - - userdom_dontaudit_use_unpriv_user_fds(xfs_t) -diff --git a/xguest.te b/xguest.te -index 2882821..8cf4841 100644 ---- a/xguest.te -+++ b/xguest.te -@@ -1,4 +1,4 @@ --policy_module(xguest, 1.1.2) -+policy_module(xguest, 1.1.0) - - ######################################## - # -@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2) - # - - ## --##

    --## Determine whether xguest can --## mount removable media. --##

    -+##

    -+## Allow xguest users to mount removable media -+##

    - ##
    --gen_tunable(xguest_mount_media, false) -+gen_tunable(xguest_mount_media, true) - - ## --##

    --## Determine whether xguest can --## configure network manager. --##

    -+##

    -+## Allow xguest users to configure Network Manager and connect to apache ports -+##

    - ##
    --gen_tunable(xguest_connect_network, false) -+gen_tunable(xguest_connect_network, true) - - ## --##

    --## Determine whether xguest can --## use blue tooth devices. --##

    -+##

    -+## Allow xguest to use blue tooth devices -+##

    - ##
    --gen_tunable(xguest_use_bluetooth, false) -+gen_tunable(xguest_use_bluetooth, true) - - role xguest_r; - - userdom_restricted_xwindows_user_template(xguest) -+sysnet_dns_name_resolve(xguest_t) -+ -+init_dbus_chat(xguest_t) -+init_status(xguest_t) -+systemd_dontaudit_dbus_chat(xguest_t) - - ######################################## - # - # Local policy - # - --kernel_dontaudit_request_load_module(xguest_t) -- - ifndef(`enable_mls',` - fs_exec_noxattr(xguest_t) - -- tunable_policy(`user_rw_noexattrfile',` -+ tunable_policy(`selinuxuser_rw_noexattrfile',` - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) -+ # Write floppies - storage_raw_read_removable_device(xguest_t) - storage_raw_write_removable_device(xguest_t) - ',` -@@ -54,9 +55,22 @@ ifndef(`enable_mls',` - ') - - optional_policy(` -+ # Dontaudit fusermount -+ mount_dontaudit_exec_fusermount(xguest_t) -+') -+ -+kernel_dontaudit_request_load_module(xguest_t) -+kernel_read_software_raid_state(xguest_t) -+ -+tunable_policy(`selinuxuser_execstack',` -+ allow xguest_t self:process execstack; -+') -+ -+# Allow mounting of file systems -+optional_policy(` - tunable_policy(`xguest_mount_media',` - kernel_read_fs_sysctls(xguest_t) -- -+ kernel_request_load_module(xguest_t) - files_dontaudit_getattr_boot_dirs(xguest_t) - files_search_mnt(xguest_t) - -@@ -65,10 +79,9 @@ optional_policy(` - fs_manage_noxattr_fs_dirs(xguest_t) - fs_getattr_noxattr_fs(xguest_t) - fs_read_noxattr_fs_symlinks(xguest_t) -+ fs_mount_fusefs(xguest_t) - - auth_list_pam_console_data(xguest_t) -- -- init_read_utmp(xguest_t) - ') - ') - -@@ -84,12 +97,17 @@ optional_policy(` - ') - ') - -+ - optional_policy(` -- apache_role(xguest_r, xguest_t) -+ colord_dbus_chat(xguest_t) -+') -+ -+optional_policy(` -+ chrome_role(xguest_r, xguest_t) - ') - - optional_policy(` -- gnomeclock_dontaudit_dbus_chat(xguest_t) -+ dbus_dontaudit_chat_system_bus(xguest_t) - ') - - optional_policy(` -@@ -97,75 +115,82 @@ optional_policy(` - ') - 
- optional_policy(` -- java_role(xguest_r, xguest_t) -+ apache_role(xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) -+ gnome_role(xguest_r, xguest_t) - ') - - optional_policy(` -- tunable_policy(`xguest_connect_network',` -- kernel_read_network_state(xguest_t) -+ mozilla_run_plugin(xguest_t, xguest_r) -+') - -+optional_policy(` -+ mount_run_fusermount(xguest_t, xguest_r) -+') -+ -+optional_policy(` -+ pcscd_read_pid_files(xguest_t) -+ pcscd_stream_connect(xguest_t) -+') -+ -+optional_policy(` -+ rhsmcertd_dontaudit_dbus_chat(xguest_t) -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` - networkmanager_dbus_chat(xguest_t) - networkmanager_read_lib_files(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ kernel_read_network_state(xguest_t) - -- corenet_all_recvfrom_unlabeled(xguest_t) -- corenet_all_recvfrom_netlabel(xguest_t) -+ corenet_tcp_connect_pulseaudio_port(xguest_t) - corenet_tcp_sendrecv_generic_if(xguest_t) - corenet_raw_sendrecv_generic_if(xguest_t) - corenet_tcp_sendrecv_generic_node(xguest_t) - corenet_raw_sendrecv_generic_node(xguest_t) -- -- corenet_sendrecv_pulseaudio_client_packets(xguest_t) -- corenet_tcp_connect_pulseaudio_port(xguest_t) -- corenet_tcp_sendrecv_pulseaudio_port(xguest_t) -- -- corenet_sendrecv_http_client_packets(xguest_t) -- corenet_tcp_connect_http_port(xguest_t) -+ corenet_tcp_connect_commplex_link_port(xguest_t) - corenet_tcp_sendrecv_http_port(xguest_t) -- -- corenet_sendrecv_http_cache_client_packets(xguest_t) -- corenet_tcp_connect_http_cache_port(xguest_t) - corenet_tcp_sendrecv_http_cache_port(xguest_t) -- -- corenet_sendrecv_squid_client_packets(xguest_t) -- corenet_tcp_connect_squid_port(xguest_t) - corenet_tcp_sendrecv_squid_port(xguest_t) -- -- corenet_sendrecv_ftp_client_packets(xguest_t) -- corenet_tcp_connect_ftp_port(xguest_t) - corenet_tcp_sendrecv_ftp_port(xguest_t) -- -- corenet_sendrecv_ipp_client_packets(xguest_t) 
-- corenet_tcp_connect_ipp_port(xguest_t) - corenet_tcp_sendrecv_ipp_port(xguest_t) -- -- corenet_sendrecv_generic_client_packets(xguest_t) -+ corenet_tcp_connect_http_port(xguest_t) -+ corenet_tcp_connect_http_cache_port(xguest_t) -+ corenet_tcp_connect_squid_port(xguest_t) -+ corenet_tcp_connect_flash_port(xguest_t) -+ corenet_tcp_connect_ftp_port(xguest_t) -+ corenet_tcp_connect_ipp_port(xguest_t) - corenet_tcp_connect_generic_port(xguest_t) -- corenet_tcp_sendrecv_generic_port(xguest_t) -- -- corenet_sendrecv_soundd_client_packets(xguest_t) - corenet_tcp_connect_soundd_port(xguest_t) -- corenet_tcp_sendrecv_soundd_port(xguest_t) -- -- corenet_sendrecv_speech_client_packets(xguest_t) -- corenet_tcp_connect_speech_port(xguest_t) -- corenet_tcp_sendrecv_speech_port(xguest_t) -- -- corenet_sendrecv_transproxy_client_packets(xguest_t) -- corenet_tcp_connect_transproxy_port(xguest_t) -- corenet_tcp_sendrecv_transproxy_port(xguest_t) -- -+ corenet_sendrecv_http_client_packets(xguest_t) -+ corenet_sendrecv_http_cache_client_packets(xguest_t) -+ corenet_sendrecv_squid_client_packets(xguest_t) -+ corenet_sendrecv_ftp_client_packets(xguest_t) -+ corenet_sendrecv_ipp_client_packets(xguest_t) -+ corenet_sendrecv_generic_client_packets(xguest_t) -+ # Should not need other ports - corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) - corenet_dontaudit_tcp_bind_generic_port(xguest_t) -+ corenet_tcp_connect_speech_port(xguest_t) -+ corenet_tcp_sendrecv_transproxy_port(xguest_t) -+ corenet_tcp_connect_transproxy_port(xguest_t) - ') - ') - - optional_policy(` -- pcscd_read_pid_files(xguest_t) -- pcscd_stream_connect(xguest_t) -+ gen_require(` -+ type mozilla_t; -+ ') -+ -+ allow xguest_t mozilla_t:process transition; -+ role xguest_r types mozilla_t; - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) -+gen_user(xguest_u, user, xguest_r, s0, s0) -diff --git a/xprint.te b/xprint.te -index 3c44d84..ce5e69d 100644 ---- a/xprint.te -+++ b/xprint.te -@@ -32,7 +32,6 @@ 
kernel_read_kernel_sysctls(xprint_t) - corecmd_exec_bin(xprint_t) - corecmd_exec_shell(xprint_t) - --corenet_all_recvfrom_unlabeled(xprint_t) - corenet_all_recvfrom_netlabel(xprint_t) - corenet_tcp_sendrecv_generic_if(xprint_t) - corenet_udp_sendrecv_generic_if(xprint_t) -@@ -46,9 +45,7 @@ dev_read_urand(xprint_t) - - domain_use_interactive_fds(xprint_t) - --files_read_etc_files(xprint_t) - files_read_etc_runtime_files(xprint_t) --files_read_usr_files(xprint_t) - files_search_var_lib(xprint_t) - files_search_tmp(xprint_t) - -@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t) - logging_send_syslog_msg(xprint_t) - - miscfiles_read_fonts(xprint_t) --miscfiles_read_localization(xprint_t) - - sysnet_read_config(xprint_t) - -diff --git a/xscreensaver.te b/xscreensaver.te -index c9c9650..485e77d 100644 ---- a/xscreensaver.te -+++ b/xscreensaver.te -@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms; - - kernel_read_system_state(xscreensaver_t) - --files_read_usr_files(xscreensaver_t) - - auth_use_nsswitch(xscreensaver_t) - auth_domtrans_chk_passwd(xscreensaver_t) -@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t) - logging_send_audit_msgs(xscreensaver_t) - logging_send_syslog_msg(xscreensaver_t) - --miscfiles_read_localization(xscreensaver_t) -- --userdom_use_user_terminals(xscreensaver_t) -+userdom_use_inherited_user_ptys(xscreensaver_t) -+#access to .icons and ~/.xscreensaver - userdom_read_user_home_content_files(xscreensaver_t) - - xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) -diff --git a/yam.te b/yam.te -index d837e88..910aeec 100644 ---- a/yam.te -+++ b/yam.te -@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t) - - logging_send_syslog_msg(yam_t) - --miscfiles_read_localization(yam_t) -- - seutil_read_config(yam_t) - --userdom_use_user_terminals(yam_t) -+sysnet_read_config(yam_t) -+ -+userdom_use_inherited_user_terminals(yam_t) - userdom_use_unpriv_users_fds(yam_t) - userdom_search_user_home_dirs(yam_t) - 
-diff --git a/zabbix.fc b/zabbix.fc -index ce10cb1..3181728 100644 ---- a/zabbix.fc -+++ b/zabbix.fc -@@ -4,11 +4,15 @@ - /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) - --/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) -+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) -+/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0) -+/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -+/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -+/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) - - /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) - -diff --git a/zabbix.if b/zabbix.if -index dd63de0..38ce620 100644 ---- a/zabbix.if -+++ b/zabbix.if -@@ -1,4 +1,4 @@ --## Distributed infrastructure monitoring. -+## Distributed infrastructure monitoring - - ######################################## - ## -@@ -15,13 +15,12 @@ interface(`zabbix_domtrans',` - type zabbix_t, zabbix_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, zabbix_exec_t, zabbix_t) - ') - - ######################################## - ## --## Connect to zabbit on the TCP network. 
-+## Allow connectivity to the zabbix server - ## - ## - ## -@@ -34,7 +33,7 @@ interface(`zabbix_tcp_connect',` - type zabbix_t; - ') - -- corenet_sendrecv_zabbix_client_packets($1) -+ corenet_sendrecv_zabbix_agent_client_packets($1) - corenet_tcp_connect_zabbix_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - corenet_tcp_sendrecv_zabbix_port($1) -@@ -42,7 +41,7 @@ interface(`zabbix_tcp_connect',` - - ######################################## - ## --## Read zabbix log files. -+## Allow the specified domain to read zabbix's log files. - ## - ## - ## -@@ -62,13 +61,34 @@ interface(`zabbix_read_log',` - - ######################################## - ## --## Append zabbix log files. -+## Allow the specified domain to read zabbix's tmp files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+# -+interface(`zabbix_read_tmp',` -+ gen_require(` -+ type zabbix_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to append -+## zabbix log files. -+## -+## -+## -+## Domain allowed access. -+## -+## - # - interface(`zabbix_append_log',` - gen_require(` -@@ -81,7 +101,7 @@ interface(`zabbix_append_log',` - - ######################################## - ## --## Read zabbix pid files. -+## Read zabbix PID files. - ## - ## - ## -@@ -100,7 +120,7 @@ interface(`zabbix_read_pid_files',` - - ######################################## - ## --## Connect to zabbix agent on the TCP network. 
-+## Allow connectivity to a zabbix agent - ## - ## - ## -@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',` - # - interface(`zabbix_agent_tcp_connect',` - gen_require(` -- type zabbix_agent_t; -+ type zabbix_t, zabbix_agent_t; - ') - - corenet_sendrecv_zabbix_agent_client_packets($1) -@@ -121,8 +141,8 @@ interface(`zabbix_agent_tcp_connect',` - - ######################################## - ## --## All of the rules required to --## administrate an zabbix environment. -+## All of the rules required to administrate -+## an zabbix environment - ## - ## - ## -@@ -131,7 +151,7 @@ interface(`zabbix_agent_tcp_connect',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the zabbix domain. - ## - ## - ## -@@ -139,16 +159,18 @@ interface(`zabbix_agent_tcp_connect',` - interface(`zabbix_admin',` - gen_require(` - type zabbix_t, zabbix_log_t, zabbix_var_run_t; -- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t; -- type zabbit_tmpfs_t; -+ type zabbix_initrc_exec_t; - ') - -- allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { zabbix_t zabbix_agent_t }) -+ allow $1 zabbix_t:process signal_perms; -+ ps_process_pattern($1, zabbix_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 zabbix_t:process ptrace; -+ ') - -- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t }) -+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t) - domain_system_change_exemption($1) -- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r; -+ role_transition $2 zabbix_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) -@@ -156,10 +178,4 @@ interface(`zabbix_admin',` - - files_list_pids($1) - admin_pattern($1, zabbix_var_run_t) -- -- files_list_tmp($1) -- admin_pattern($1, zabbix_tmp_t) -- -- fs_list_tmpfs($1) -- admin_pattern($1, zabbix_tmpfs_t) - ') -diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..79317e6 100644 ---- 
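Review bot: zabbix_admin now manages only zabbix_t, so an admin role can no longer signal or list zabbix_agent_t processes, although zabbix.te in this patch still declares `type zabbix_agent_t, zabbix_domain;` and makes both daemons members of the new zabbix_domain attribute. Requiring that attribute here keeps the interface complete as domains are added: `allow $1 zabbix_domain:process signal_perms;`, `ps_process_pattern($1, zabbix_domain)`, and the ptrace rule inside the deny_ptrace tunable likewise on zabbix_domain. The removed tmp and tmpfs admin_pattern lines at the end also leave zabbix_tmp_t and zabbix_tmpfs_t, both still used in zabbix.te, outside the admin's reach; if that is intended, the summary "All of the rules required to administrate an zabbix environment" overstates what the interface grants.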
a/zabbix.te -+++ b/zabbix.te -@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3) - # - - ## --##

    -+##

    - ## Determine whether zabbix can - ## connect to all TCP ports - ##

    - ##
    - gen_tunable(zabbix_can_network, false) - --type zabbix_t; -+attribute zabbix_domain; -+ -+type zabbix_t, zabbix_domain; - type zabbix_exec_t; - init_daemon_domain(zabbix_t, zabbix_exec_t) - - type zabbix_initrc_exec_t; - init_script_file(zabbix_initrc_exec_t) - --type zabbix_agent_t; -+type zabbix_agent_t, zabbix_domain; - type zabbix_agent_exec_t; - init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) - -@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t) - - ######################################## - # -+# zabbix domain local policy -+# -+ -+allow zabbix_domain self:capability { setuid setgid }; -+allow zabbix_domain self:process { setpgid setsched getsched signal_perms }; -+allow zabbix_domain self:fifo_file rw_fifo_file_perms; -+allow zabbix_domain self:sem create_sem_perms; -+allow zabbix_domain self:shm create_shm_perms; -+allow zabbix_domain self:tcp_socket { accept listen }; -+allow zabbix_domain self:unix_stream_socket create_stream_socket_perms; -+ -+kernel_read_all_sysctls(zabbix_domain) -+ -+corenet_tcp_sendrecv_generic_if(zabbix_domain) -+corenet_tcp_sendrecv_generic_node(zabbix_domain) -+corenet_tcp_bind_generic_node(zabbix_domain) -+ -+corecmd_exec_shell(zabbix_domain) -+corecmd_exec_bin(zabbix_domain) -+ -+dev_read_sysfs(zabbix_domain) -+dev_read_urand(zabbix_domain) -+ -+######################################## -+# - # Local policy - # - --allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; --allow zabbix_t self:process { setsched signal_perms }; --allow zabbix_t self:fifo_file rw_fifo_file_perms; --allow zabbix_t self:unix_stream_socket create_stream_socket_perms; --allow zabbix_t self:sem create_sem_perms; --allow zabbix_t self:shm create_shm_perms; --allow zabbix_t self:tcp_socket create_stream_socket_perms; -+allow zabbix_t self:capability { dac_read_search dac_override }; - --allow zabbix_t zabbix_log_t:dir setattr_dir_perms; --append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) 
--create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) --setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) --logging_log_filetrans(zabbix_t, zabbix_log_t, file) -+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -+logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file }) - - manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) - manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) - files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) - - kernel_read_system_state(zabbix_t) --kernel_read_kernel_sysctls(zabbix_t) - - corenet_all_recvfrom_unlabeled(zabbix_t) - corenet_all_recvfrom_netlabel(zabbix_t) --corenet_tcp_sendrecv_generic_if(zabbix_t) --corenet_tcp_sendrecv_generic_node(zabbix_t) --corenet_tcp_bind_generic_node(zabbix_t) - - corenet_sendrecv_ftp_client_packets(zabbix_t) - corenet_tcp_connect_ftp_port(zabbix_t) -@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) - corenet_tcp_bind_zabbix_port(zabbix_t) - corenet_tcp_sendrecv_zabbix_port(zabbix_t) - --corecmd_exec_bin(zabbix_t) --corecmd_exec_shell(zabbix_t) -- --dev_read_urand(zabbix_t) -- --files_read_usr_files(zabbix_t) -- - auth_use_nsswitch(zabbix_t) - --miscfiles_read_localization(zabbix_t) -- - zabbix_agent_tcp_connect(zabbix_t) - - tunable_policy(`zabbix_can_network',` -@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',` - ') - - optional_policy(` -- netutils_domtrans_ping(zabbix_t) -+ mysql_stream_connect(zabbix_t) - ') - - optional_policy(` -- mysql_stream_connect(zabbix_t) -- mysql_tcp_connect(zabbix_t) -+ netutils_domtrans_ping(zabbix_t) - ') - - optional_policy(` -@@ -125,6 +131,7 @@ optional_policy(` - - optional_policy(` - snmp_read_snmp_var_lib_files(zabbix_t) -+ snmp_read_snmp_var_lib_dirs(zabbix_t) - ') - - 
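Review bot: The zabbix_t log rules go from append/create/setattr to `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` on zabbix_log_t, which adds write, unlink and rename on the daemon's own log files; a daemon that can truncate or delete its logs loses the tamper evidence the append-only pattern provided. The same widening is made for zabbix_agent_t in the hunk at -132, for every zarafa_$1_t in the zarafa_domain_template hunk of zarafa.if, and for zebra_t in the zebra.te hunk at -40. If in-process log rotation is what requires this, a comment naming that operation above the rules would justify the broader access; otherwise keep the append/create/setattr trio and add only the specific permission the denial showed.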
######################################## -@@ -132,18 +139,7 @@ optional_policy(` - # Agent local policy - # - --allow zabbix_agent_t self:capability { setuid setgid }; --allow zabbix_agent_t self:process { setsched getsched signal }; --allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; --allow zabbix_agent_t self:sem create_sem_perms; --allow zabbix_agent_t self:shm create_shm_perms; --allow zabbix_agent_t self:tcp_socket { accept listen }; --allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; -- --append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) --create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) --setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) --filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) -+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) - - rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) - fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) - manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) - files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) - --kernel_read_all_sysctls(zabbix_agent_t) - kernel_read_system_state(zabbix_agent_t) - --corecmd_read_all_executables(zabbix_agent_t) -- - corenet_all_recvfrom_unlabeled(zabbix_agent_t) - corenet_all_recvfrom_netlabel(zabbix_agent_t) --corenet_tcp_sendrecv_generic_if(zabbix_agent_t) --corenet_tcp_sendrecv_generic_node(zabbix_agent_t) --corenet_tcp_bind_generic_node(zabbix_agent_t) -+ -+corecmd_read_all_executables(zabbix_agent_t) - - corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) - corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t) - files_getattr_all_dirs(zabbix_agent_t) - files_getattr_all_files(zabbix_agent_t) - files_read_all_symlinks(zabbix_agent_t) --files_read_etc_files(zabbix_agent_t) 
- - fs_getattr_all_fs(zabbix_agent_t) - -@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t) - - logging_search_logs(zabbix_agent_t) - --miscfiles_read_localization(zabbix_agent_t) -- - sysnet_dns_name_resolve(zabbix_agent_t) - - zabbix_tcp_connect(zabbix_agent_t) -+ -+optional_policy(` -+ hostname_exec(zabbix_agent_t) -+') -+ -diff --git a/zarafa.fc b/zarafa.fc -index faf99ed..44e94fa 100644 ---- a/zarafa.fc -+++ b/zarafa.fc -@@ -1,33 +1,34 @@ --/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) -+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) - --/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0) -+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) -+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) -+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) -+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) -+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) -+/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) -+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) -+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) - --/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) --/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) --/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) --/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) --/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) --/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) --/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) -- --/var/lib/zarafa(/.*)? 
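Review bot: The new optional_policy block is followed by an empty `+` line after its closing `')`, so zabbix.te now ends with a blank line, whereas the other files in this patch end at their last rule or `')`. Drop the trailing empty line.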
gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) - /var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) --/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) - --/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) -+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) - /var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) - /var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) - /var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) - /var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) - /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -+/var/log/zarafa/search\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) - /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) - --/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) --/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) -+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -+/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) - /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) - /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) --/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) -+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) - /var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) - 
/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) - /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -+/var/run/zarafa-search\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) - /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) -diff --git a/zarafa.if b/zarafa.if -index 36e32df..3d08962 100644 ---- a/zarafa.if -+++ b/zarafa.if -@@ -1,55 +1,59 @@ - ## Zarafa collaboration platform. - --####################################### -+###################################### - ## --## The template to define a zarafa domain. -+## Creates types and rules for a basic -+## zararfa init daemon domain. - ## --## -+## - ## --## Domain prefix to be used. -+## Prefix for the domain. - ## - ## - # - template(`zarafa_domain_template',` - gen_require(` -- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; -+ attribute zarafa_domain; - ') - -- ######################################## -+ ############################## - # -- # Declarations -+ # $1_t declarations - # - - type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; - init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - -- type zarafa_$1_log_t, zarafa_logfile; -+ type zarafa_$1_log_t; - logging_log_file(zarafa_$1_log_t) - -- type zarafa_$1_var_run_t, zarafa_pidfile; -+ type zarafa_$1_var_run_t; - files_pid_file(zarafa_$1_var_run_t) - -- ######################################## -+ ############################## - # -- # Policy -+ # $1_t local policy - # - - manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) - -- append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) -- create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) -- setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, 
zarafa_$1_log_t) -- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file) -+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) -+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) -+ -+ kernel_read_system_state(zarafa_$1_t) - - auth_use_nsswitch(zarafa_$1_t) -+ -+ logging_send_syslog_msg(zarafa_$1_t) - ') - - ###################################### - ## --## search zarafa configuration directories. -+## Allow the specified domain to search -+## zarafa configuration dirs. - ## - ## - ## -@@ -68,7 +72,7 @@ interface(`zarafa_search_config',` - - ######################################## - ## --## Execute a domain transition to run zarafa deliver. -+## Execute a domain transition to run zarafa_deliver. - ## - ## - ## -@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',` - type zarafa_deliver_t, zarafa_deliver_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) - ') - - ######################################## - ## --## Execute a domain transition to run zarafa server. -+## Execute a domain transition to run zarafa_server. - ## - ## - ## -@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',` - type zarafa_server_t, zarafa_server_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) - ') - - ####################################### - ## --## Connect to zarafa server with a unix --## domain stream socket. -+## Connect to zarafa-server unix domain stream socket. - ## - ## - ## -@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',` - stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) - ') - --######################################## -+#################################### - ## --## All of the rules required to --## administrate an zarafa environment. -+## Allow the specified domain to manage -+## zarafa /var/lib files. - ## - ## --## --## Domain allowed access. 
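Review bot: The rewritten template description says `zararfa init daemon domain`; it should read `zarafa`. `logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })` wraps a single class in braces where the other single-class filetrans calls in this patch write a bare class, as in `files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)` in zabbix.te; drop the braces for consistency. Removing zarafa_logfile and zarafa_pidfile from the new types matches their deletion in zarafa.te, but it means no single attribute addresses all zarafa log or pid types once zarafa_admin is gone, which is worth stating in the template comment.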
--## --## --## --## --## Role allowed access. --## -+## -+## Domain allowed access. -+## - ## --## - # --interface(`zarafa_admin',` -- gen_require(` -- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; -- type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t; -- type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t; -- type zarafa_var_lib_t; -- ') -- -- allow $1 zarafa_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, zarafa_domain) -- -- init_labeled_script_domtrans($1, zarafa_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 zarafa_initrc_exec_t system_r; -- allow $2 system_r; -- -- files_search_etc($1) -- admin_pattern($1, zarafa_etc_t) -- -- files_search_tmp($1) -- admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t }) -- -- logging_search_log($1) -- admin_pattern($1, zarafa_logfile) -- -- files_search_var_lib($1) -- admin_pattern($1, { zarafa_var_lib_t zarafa_share_t }) -- -- files_search_pids($1) -- admin_pattern($1, zarafa_pidfile) -+interface(`zarafa_manage_lib_files',` -+ gen_require(` -+ type zarafa_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) -+ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) -+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) - ') -diff --git a/zarafa.te b/zarafa.te -index a4479b1..a40d580 100644 ---- a/zarafa.te -+++ b/zarafa.te -@@ -1,13 +1,18 @@ --policy_module(zarafa, 1.1.4) -+policy_module(zarafa, 1.1.0) - - ######################################## - # - # Declarations - # - -+## -+##
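Review bot: The hunk deletes the zarafa_admin interface outright and replaces it with zarafa_manage_lib_files, so any module that calls `zarafa_admin(...)` outside an optional_policy block will fail to link, and there is no longer an interface that grants a role signal/ps access to zarafa_domain or admin access to the etc, tmp, log and var_lib types. Its gen_require also named zarafa_initrc_exec_t, which zarafa.te in this patch stops declaring, so a straight revert would not build; if the admin interface is meant to return it needs rewriting around the types that remain. A one-line comment at the point of removal saying why the interface was dropped would help the next person who looks for it.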

    -+## Allow zarafa domains to setrlimit/sys_rouserce. -+##

    -+##
    -+gen_tunable(zarafa_setrlimit, false) -+ - attribute zarafa_domain; --attribute zarafa_logfile; --attribute zarafa_pidfile; - - zarafa_domain_template(deliver) - -@@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t) - type zarafa_etc_t; - files_config_file(zarafa_etc_t) - --type zarafa_initrc_exec_t; --init_script_file(zarafa_initrc_exec_t) -- - zarafa_domain_template(gateway) - zarafa_domain_template(ical) - zarafa_domain_template(indexer) -@@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t) - - ######################################## - # --# Deliver local policy -+# zarafa-deliver local policy - # - - manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) - manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) - files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - -+auth_use_nsswitch(zarafa_deliver_t) -+ -+corenet_tcp_bind_lmtp_port(zarafa_deliver_t) -+ - ######################################## - # --# Gateway local policy -+# zarafa_gateway local policy - # -- --corenet_all_recvfrom_unlabeled(zarafa_gateway_t) - corenet_all_recvfrom_netlabel(zarafa_gateway_t) - corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) - corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) -+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) - corenet_tcp_bind_generic_node(zarafa_gateway_t) -- --corenet_sendrecv_pop_server_packets(zarafa_gateway_t) - corenet_tcp_bind_pop_port(zarafa_gateway_t) --corenet_tcp_sendrecv_pop_port(zarafa_gateway_t) -+ -+###################################### -+# -+# zarafa-indexer local policy -+# -+ -+ -+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) -+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) -+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) -+ -+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -+manage_files_pattern(zarafa_indexer_t, 
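Review bot: `policy_module(zarafa, 1.1.0)` lowers the module version from the 1.1.4 it replaces, and zebra.te later in this patch does the same (1.12.1 to 1.12.0); module versions are expected to move forward with each change, and libsemanage releases that compare the version string on upgrade may treat the lower number as stale. Bump both to a number above the one being replaced. The new tunable's description also misspells the capability, `sys_rouserce`, which is what users will see in the boolean listing; it should read `Allow zarafa domains to setrlimit/sys_resource.`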
zarafa_var_lib_t, zarafa_var_lib_t) -+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -+ -+auth_use_nsswitch(zarafa_indexer_t) - - ####################################### - # --# Ical local policy -+# zarafa-ical local policy - # - --corenet_all_recvfrom_unlabeled(zarafa_ical_t) -+ - corenet_all_recvfrom_netlabel(zarafa_ical_t) - corenet_tcp_sendrecv_generic_if(zarafa_ical_t) - corenet_tcp_sendrecv_generic_node(zarafa_ical_t) -+corenet_tcp_sendrecv_all_ports(zarafa_ical_t) - corenet_tcp_bind_generic_node(zarafa_ical_t) -- --corenet_sendrecv_http_cache_client_packets(zarafa_ical_t) - corenet_tcp_bind_http_cache_port(zarafa_ical_t) --corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t) -+ -+auth_use_nsswitch(zarafa_ical_t) - - ###################################### - # --# Indexer local policy -+# zarafa-monitor local policy - # - --manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) --manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) --files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) - --manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) --manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) --manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -+auth_use_nsswitch(zarafa_monitor_t) - - ######################################## - # --# Server local policy -+# zarafa_server local policy - # - -+allow zarafa_server_t self:capability net_bind_service; -+ - manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) - manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) - files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) -@@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } - - stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, 
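Review bot: `corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)` and the matching line for zarafa_ical_t replace the pop and http_cache port sendrecv rules removed in the same hunk, so the port-type confinement these two daemons had is gone while the bind rules still name the specific ports. The hunk at -109 does the same for zarafa_server_t and zarafa_spooler_t, and zebra.te's hunk at -79 adds both the tcp and udp all_ports variants for zebra_t. If the daemons genuinely talk to arbitrary ports, a comment saying which feature needs that would document the exception; otherwise restoring `corenet_tcp_sendrecv_pop_port(zarafa_gateway_t)` and `corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)` keeps the tighter rules.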
zarafa_indexer_t) - --corenet_all_recvfrom_unlabeled(zarafa_server_t) - corenet_all_recvfrom_netlabel(zarafa_server_t) - corenet_tcp_sendrecv_generic_if(zarafa_server_t) - corenet_tcp_sendrecv_generic_node(zarafa_server_t) -+corenet_tcp_sendrecv_all_ports(zarafa_server_t) - corenet_tcp_bind_generic_node(zarafa_server_t) -- --corenet_sendrecv_zarafa_server_packets(zarafa_server_t) - corenet_tcp_bind_zarafa_port(zarafa_server_t) --corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) - --files_read_usr_files(zarafa_server_t) - -+auth_use_nsswitch(zarafa_server_t) -+ -+logging_send_syslog_msg(zarafa_server_t) - logging_send_audit_msgs(zarafa_server_t) - -+sysnet_dns_name_resolve(zarafa_server_t) -+ - optional_policy(` - kerberos_use(zarafa_server_t) - ') - - optional_policy(` - mysql_stream_connect(zarafa_server_t) -- mysql_tcp_connect(zarafa_server_t) --') -- --optional_policy(` -- postgresql_stream_connect(zarafa_server_t) -- postgresql_tcp_connect(zarafa_server_t) - ') - - ######################################## - # --# Spooler local policy -+# zarafa_spooler local policy - # - - can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) - --corenet_all_recvfrom_unlabeled(zarafa_spooler_t) - corenet_all_recvfrom_netlabel(zarafa_spooler_t) - corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) - corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) -- --corenet_sendrecv_smtp_client_packets(zarafa_spooler_t) -+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) - corenet_tcp_connect_smtp_port(zarafa_spooler_t) --corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) -+ -+auth_use_nsswitch(zarafa_spooler_t) - - ######################################## - # --# Zarafa domain local policy -+# zarafa_gateway local policy - # -+corenet_tcp_bind_pop_port(zarafa_gateway_t) - -+####################################### -+# -+# zarafa-ical local policy -+# -+ -+corenet_tcp_bind_http_cache_port(zarafa_ical_t) -+ -+###################################### -+# -+# zarafa-monitor local policy -+# -+ -+ 
-+######################################## -+# -+# zarafa domains local policy -+# -+ -+# bad permission on /etc/zarafa - allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; --allow zarafa_domain self:process { setrlimit signal }; -+allow zarafa_domain self:process { signal_perms }; - allow zarafa_domain self:fifo_file rw_fifo_file_perms; --allow zarafa_domain self:tcp_socket { accept listen }; --allow zarafa_domain self:unix_stream_socket { accept listen }; -+allow zarafa_domain self:tcp_socket create_stream_socket_perms; -+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; -+ -+tunable_policy(`zarafa_setrlimit',` -+ allow zarafa_domain self:capability sys_resource; -+ allow zarafa_domain self:process setrlimit; -+') - - stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) - - read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) - --kernel_read_system_state(zarafa_domain) -- - dev_read_rand(zarafa_domain) - dev_read_urand(zarafa_domain) - --logging_send_syslog_msg(zarafa_domain) -- --miscfiles_read_localization(zarafa_domain) -+dev_read_sysfs(zarafa_domain) -diff --git a/zebra.fc b/zebra.fc -index 28ee4ca..e1b30b2 100644 ---- a/zebra.fc -+++ b/zebra.fc -@@ -1,21 +1,22 @@ --/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) --/etc/zebra(/.*)? 
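Review bot: The new side of zarafa.te now carries two `zarafa_gateway local policy`, two `zarafa-ical local policy` and two `zarafa-monitor local policy` section headers, and `corenet_tcp_bind_pop_port(zarafa_gateway_t)` and `corenet_tcp_bind_http_cache_port(zarafa_ical_t)` each appear once under each copy of their header; the second set (the retitled former "Zarafa domain local policy" block and the two headers added after it) duplicates what the hunk at -43 already holds, and the monitor section here is empty. Delete the duplicate headers and rules so each domain has one section. The added `# bad permission on /etc/zarafa` comment does not say which permission or why the capability line below it needs it; a comment of the form `# <operation> on /etc/zarafa needs chown/dac_override, see <bug id placeholder>` would be actionable.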
gen_context(system_u:object_r:zebra_conf_t,s0) -- - /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) --/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) --/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) - /etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) --/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) --/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) -+ -+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) -+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) -+ -+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) -+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) - --/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) - /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) --/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) --/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) -+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) - --/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) --/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) -+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) -+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) - - /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) - /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) --/var/run/quagga(/.*)? 
gen_context(system_u:object_r:zebra_var_run_t,s0) -+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) -diff --git a/zebra.if b/zebra.if -index 3416401..ef64e73 100644 ---- a/zebra.if -+++ b/zebra.if -@@ -1,8 +1,8 @@ --## Zebra border gateway protocol network routing service. -+## Zebra border gateway protocol network routing service - - ######################################## - ## --## Read zebra configuration content. -+## Read the configuration files for zebra. - ## - ## - ## -@@ -18,14 +18,13 @@ interface(`zebra_read_config',` - - files_search_etc($1) - allow $1 zebra_conf_t:dir list_dir_perms; -- allow $1 zebra_conf_t:file read_file_perms; -- allow $1 zebra_conf_t:lnk_file read_lnk_file_perms; -+ read_files_pattern($1, zebra_conf_t, zebra_conf_t) -+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) - ') - - ######################################## - ## --## Connect to zebra with a unix --## domain stream socket. -+## Connect to zebra over an unix stream socket. - ## - ## - ## -@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',` - - ######################################## - ## --## All of the rules required to --## administrate an zebra environment. -+## All of the rules required to administrate -+## an zebra environment - ## - ## - ## -@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',` - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the zebra domain. 
- ## - ## - ## -@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',` - interface(`zebra_admin',` - gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; -- type zebra_conf_t, zebra_var_run_t; -- type zebra_initrc_exec_t; -+ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; - ') - -- allow $1 zebra_t:process { ptrace signal_perms }; -+ allow $1 zebra_t:process signal_perms; - ps_process_pattern($1, zebra_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 zebra_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, zebra_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/zebra.te b/zebra.te -index b0803c2..f1fa5f7 100644 ---- a/zebra.te -+++ b/zebra.te -@@ -1,4 +1,4 @@ --policy_module(zebra, 1.12.1) -+policy_module(zebra, 1.12.0) - - ######################################## - # -@@ -6,19 +6,19 @@ policy_module(zebra, 1.12.1) - # - - ## --##

    --## Determine whether zebra daemon can --## manage its configuration files. --##

    -+##

    -+## Allow zebra daemon to write it configuration files -+##

    - ##
    --gen_tunable(allow_zebra_write_config, false) -+# -+gen_tunable(zebra_write_config, false) - - type zebra_t; - type zebra_exec_t; - init_daemon_domain(zebra_t, zebra_exec_t) - - type zebra_conf_t; --files_type(zebra_conf_t) -+files_config_file(zebra_conf_t) - - type zebra_initrc_exec_t; - init_script_file(zebra_initrc_exec_t) -@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t) - allow zebra_t self:capability { setgid setuid net_admin net_raw }; - dontaudit zebra_t self:capability sys_tty_config; - allow zebra_t self:process { signal_perms getcap setcap }; --allow zebra_t self:fifo_file rw_fifo_file_perms; --allow zebra_t self:unix_stream_socket { accept connectto listen }; -+allow zebra_t self:file rw_file_perms; -+allow zebra_t self:unix_dgram_socket create_socket_perms; -+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; - allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; - allow zebra_t self:udp_socket create_socket_perms; - allow zebra_t self:rawip_socket create_socket_perms; - - allow zebra_t zebra_conf_t:dir list_dir_perms; --allow zebra_t zebra_conf_t:file read_file_perms; --allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms; -+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) -+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - - allow zebra_t zebra_log_t:dir setattr_dir_perms; --append_files_pattern(zebra_t, zebra_log_t, zebra_log_t) --create_files_pattern(zebra_t, zebra_log_t, zebra_log_t) --setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) - manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) - logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) - -+# /tmp/.bgpd is such a bad idea! 
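Review bot: Renaming the boolean from `allow_zebra_write_config` to `zebra_write_config` silently discards any value an administrator has persisted under the old name, since the tunable_policy block in the hunk at -79 now tests only the new one; unless a compatibility alias for the old name exists elsewhere, note the rename in the module description or keep the old name. The bare `#` line the hunk inserts between the description block and `gen_tunable` does not appear in the other tunable blocks in this patch (zabbix.te and zarafa.te go straight from the description to `gen_tunable`) and should go. The description also has a typo, `write it configuration files` for `write its configuration files`.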
- allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; - files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) - -@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t) - kernel_read_kernel_sysctls(zebra_t) - kernel_rw_net_sysctls(zebra_t) - --corenet_all_recvfrom_unlabeled(zebra_t) - corenet_all_recvfrom_netlabel(zebra_t) - corenet_tcp_sendrecv_generic_if(zebra_t) - corenet_udp_sendrecv_generic_if(zebra_t) -@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t) - corenet_tcp_sendrecv_generic_node(zebra_t) - corenet_udp_sendrecv_generic_node(zebra_t) - corenet_raw_sendrecv_generic_node(zebra_t) -+corenet_tcp_sendrecv_all_ports(zebra_t) -+corenet_udp_sendrecv_all_ports(zebra_t) - corenet_tcp_bind_generic_node(zebra_t) - corenet_udp_bind_generic_node(zebra_t) -- --corenet_sendrecv_bgp_server_packets(zebra_t) - corenet_tcp_bind_bgp_port(zebra_t) --corenet_sendrecv_bgp_client_packets(zebra_t) -+corenet_tcp_bind_zebra_port(zebra_t) -+corenet_udp_bind_router_port(zebra_t) - corenet_tcp_connect_bgp_port(zebra_t) --corenet_tcp_sendrecv_bgp_port(zebra_t) -- - corenet_sendrecv_zebra_server_packets(zebra_t) --corenet_tcp_bind_zebra_port(zebra_t) --corenet_tcp_sendrecv_zebra_port(zebra_t) -- - corenet_sendrecv_router_server_packets(zebra_t) --corenet_udp_bind_router_port(zebra_t) --corenet_udp_sendrecv_router_port(zebra_t) - - dev_associate_usbfs(zebra_var_run_t) - dev_list_all_dev_nodes(zebra_t) -+dev_read_rand(zebra_t) -+dev_read_urand(zebra_t) - dev_read_sysfs(zebra_t) - dev_rw_zero(zebra_t) - --domain_use_interactive_fds(zebra_t) -- --files_read_etc_files(zebra_t) --files_read_etc_runtime_files(zebra_t) -- - fs_getattr_all_fs(zebra_t) - fs_search_auto_mountpoints(zebra_t) - - term_list_ptys(zebra_t) - --logging_send_syslog_msg(zebra_t) -+domain_use_interactive_fds(zebra_t) -+ -+files_search_etc(zebra_t) -+files_read_etc_runtime_files(zebra_t) - --miscfiles_read_localization(zebra_t) -+auth_read_passwd(zebra_t) -+ -+logging_send_syslog_msg(zebra_t) - - 
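Review bot: `allow zebra_t self:file rw_file_perms;` replaces `allow zebra_t self:fifo_file rw_fifo_file_perms;`, which changes the object class rather than extending it: the daemon loses read/write on its own pipes and gains it on self:file objects (in practice the process's own /proc entries). If the fifo access was removed deliberately, keep the two as separate lines so the intent is visible, retaining `allow zebra_t self:fifo_file rw_fifo_file_perms;` and adding the self:file rule with a comment saying what needs it. The new `# /tmp/.bgpd is such a bad idea!` comment records an opinion but not what the reader should do; saying that the sock_file transition below is kept for compatibility with the daemon presumably placing its socket in /tmp would be more useful.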
sysnet_read_config(zebra_t) - - userdom_dontaudit_use_unpriv_user_fds(zebra_t) - userdom_dontaudit_search_user_home_dirs(zebra_t) - --tunable_policy(`allow_zebra_write_config',` -+tunable_policy(`zebra_write_config',` - manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - ') - -@@ -139,3 +134,7 @@ optional_policy(` - optional_policy(` - udev_read_db(zebra_t) - ') -+ -+optional_policy(` -+ unconfined_sigchld(zebra_t) -+') -diff --git a/zoneminder.fc b/zoneminder.fc -new file mode 100644 -index 0000000..8c61505 ---- /dev/null -+++ b/zoneminder.fc -@@ -0,0 +1,13 @@ -+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) -+ -+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0) -+ -+/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0) -+ -+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0) -+ -+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) -+ -+/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0) -+ -+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) -diff --git a/zoneminder.if b/zoneminder.if -new file mode 100644 -index 0000000..d02a6f4 ---- /dev/null -+++ b/zoneminder.if -@@ -0,0 +1,374 @@ -+## policy for zoneminder -+ -+######################################## -+## -+## Transition to zoneminder. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`zoneminder_domtrans',` -+ gen_require(` -+ type zoneminder_t, zoneminder_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to execute zoneminder -+## in the caller domain. -+## -+## -+## -+## Domain allowed to transition. 
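Review bot: `corenet_tcp_sendrecv_all_ports(zebra_t)` and `corenet_udp_sendrecv_all_ports(zebra_t)` replace the per-port `corenet_tcp_sendrecv_bgp_port`, `corenet_tcp_sendrecv_zebra_port` and `corenet_udp_sendrecv_router_port` rules, widening a routing daemon that also holds `net_admin`/`net_raw` from three labelled port types to every port type on the system. If the motivation is the new isisd/babeld services mentioned in the changelog, the precise fix is to declare their ports in corenetwork and grant those alongside the three existing sendrecv rules rather than opening all ports. Dropping `files_read_etc_files` while adding `files_search_etc` may be fine if f20 refpolicy grants /etc reads to all domains by default, but that should be verified against the base policy. These lines are in the removed rawhide copy; the point stands for the f20 copy if it carries the same hunk.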
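Review bot: In the new zoneminder.fc the entry `/usr/bin/zmpkg.pl` leaves the dot unescaped, whereas `/etc/rc\.d/init\.d/zoneminder` in the same file escapes it; file-context paths are regular expressions, so `.` matches any character. It should read `/usr/bin/zmpkg\.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)`. Low impact, but it keeps the entry exact and consistent with the rest of the file.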
-+## -+## -+# -+interface(`zoneminder_exec',` -+ gen_require(` -+ type zoneminder_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, zoneminder_exec_t) -+') -+ -+ -+######################################## -+## -+## Execute zoneminder server in the zoneminder domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_initrc_domtrans',` -+ gen_require(` -+ type zoneminder_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t) -+') -+ -+ -+######################################## -+## -+## Read zoneminder's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`zoneminder_read_log',` -+ gen_require(` -+ type zoneminder_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t) -+') -+ -+######################################## -+## -+## Append to zoneminder log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_append_log',` -+ gen_require(` -+ type zoneminder_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t) -+') -+ -+######################################## -+## -+## Manage zoneminder log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_manage_log',` -+ gen_require(` -+ type zoneminder_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t) -+ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t) -+ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t) -+') -+ -+######################################## -+## -+## Search zoneminder lib directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`zoneminder_search_lib',` -+ gen_require(` -+ type zoneminder_var_lib_t; -+ ') -+ -+ allow $1 zoneminder_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read zoneminder lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_read_lib_files',` -+ gen_require(` -+ type zoneminder_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) -+') -+ -+######################################## -+## -+## Manage zoneminder lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_manage_lib_files',` -+ gen_require(` -+ type zoneminder_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) -+') -+ -+######################################## -+## -+## Manage zoneminder lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_manage_lib_dirs',` -+ gen_require(` -+ type zoneminder_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) -+') -+ -+######################################## -+## -+## Manage zoneminder sock_files files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_manage_lib_sock_files',` -+ gen_require(` -+ type sock_var_lib_t; -+ ') -+ files_search_var_lib($1) -+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) -+') -+ -+######################################## -+## -+## Search zoneminder spool directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`zoneminder_search_spool',` -+ gen_require(` -+ type zoneminder_spool_t; -+ ') -+ -+ allow $1 zoneminder_spool_t:dir search_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## -+## Read zoneminder spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_read_spool_files',` -+ gen_require(` -+ type zoneminder_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t) -+') -+ -+######################################## -+## -+## Manage zoneminder spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_manage_spool_files',` -+ gen_require(` -+ type zoneminder_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t) -+') -+ -+######################################## -+## -+## Manage zoneminder spool dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_manage_spool_dirs',` -+ gen_require(` -+ type zoneminder_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t) -+') -+ -+######################################## -+## -+## Connect to zoneminder over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`zoneminder_stream_connect',` -+ gen_require(` -+ type zoneminder_t, zoneminder_var_lib_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t) -+') -+ -+###################################### -+## -+## Read/write zonerimender tmpfs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`zoneminder_rw_tmpfs_files',` -+ gen_require(` -+ type zoneminder_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an zoneminder environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`zoneminder_admin',` -+ gen_require(` -+ type zoneminder_t; -+ type zoneminder_initrc_exec_t; -+ type zoneminder_log_t; -+ type zoneminder_var_lib_t; -+ type zoneminder_spool_t; -+ ') -+ -+ allow $1 zoneminder_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, zoneminder_t) -+ -+ zoneminder_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 zoneminder_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_search_logs($1) -+ admin_pattern($1, zoneminder_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, zoneminder_var_lib_t) -+ -+ files_search_spool($1) -+ admin_pattern($1, zoneminder_spool_t) -+ -+') -+ -diff --git a/zoneminder.te b/zoneminder.te -new file mode 100644 -index 0000000..add28f7 ---- /dev/null -+++ b/zoneminder.te -@@ -0,0 +1,187 @@ -+policy_module(zoneminder, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##
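Review bot: `zoneminder_manage_lib_sock_files` requires `type sock_var_lib_t;` but the rule it emits uses `zoneminder_var_lib_t`; no `sock_var_lib_t` is declared in zoneminder.te, so any module calling this interface will fail to link, and the type actually used is never required. The require block should read `type zoneminder_var_lib_t;`. Separately, `zoneminder_stream_connect` calls `files_search_pids($1)` although the socket it connects to is under `zoneminder_var_lib_t` (`/var/lib/zoneminder` per the .fc), so the search permission a client needs is `files_search_var_lib($1)`; as written a caller may still be denied on the directory walk. `zoneminder_admin` also grants `ptrace` on zoneminder_t unconditionally, which is acceptable for an admin interface but worth a comment since it lets the admin role read the daemon's memory.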

    -+## Allow ZoneMinder to run su/sudo. -+##

    -+##
    -+gen_tunable(zoneminder_run_sudo, false) -+ -+ -+## -+##

    -+## Allow ZoneMinder to modify public files -+## used for public file transfer services. -+##

    -+##
    -+gen_tunable(zoneminder_anon_write, false) -+ -+gen_require(` -+ class passwd rootok; -+ class passwd passwd; -+ ') -+ -+type zoneminder_t; -+type zoneminder_exec_t; -+init_daemon_domain(zoneminder_t, zoneminder_exec_t) -+ -+type zoneminder_unit_file_t; -+systemd_unit_file(zoneminder_unit_file_t) -+ -+type zoneminder_initrc_exec_t; -+init_script_file(zoneminder_initrc_exec_t) -+ -+type zoneminder_log_t; -+logging_log_file(zoneminder_log_t) -+ -+type zoneminder_tmpfs_t; -+files_tmpfs_file(zoneminder_tmpfs_t) -+ -+type zoneminder_spool_t; -+files_type(zoneminder_spool_t) -+ -+type zoneminder_var_lib_t; -+files_type(zoneminder_var_lib_t) -+ -+type zoneminder_var_run_t; -+files_pid_file(zoneminder_var_run_t) -+ -+######################################## -+# -+# zoneminder local policy -+# -+allow zoneminder_t self:capability { chown dac_override }; -+allow zoneminder_t self:process { signal_perms setpgid }; -+allow zoneminder_t self:shm create_shm_perms; -+allow zoneminder_t self:fifo_file rw_fifo_file_perms; -+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow zoneminder_t self:netlink_selinux_socket create_socket_perms; -+ -+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) -+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) -+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file }) -+ -+manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) -+manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) -+manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) -+fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) 
-+manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file }) -+ -+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) -+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) -+files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file }) -+ -+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) -+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) -+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) -+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file }) -+ -+kernel_read_system_state(zoneminder_t) -+ -+domain_read_all_domains_state(zoneminder_t) -+ -+corecmd_exec_bin(zoneminder_t) -+corecmd_exec_shell(zoneminder_t) -+ -+corenet_tcp_bind_http_cache_port(zoneminder_t) -+corenet_tcp_bind_transproxy_port(zoneminder_t) -+corenet_tcp_connect_http_port(zoneminder_t) -+ -+dev_read_sysfs(zoneminder_t) -+dev_read_rand(zoneminder_t) -+dev_read_urand(zoneminder_t) -+dev_read_video_dev(zoneminder_t) -+dev_write_video_dev(zoneminder_t) -+ -+auth_use_nsswitch(zoneminder_t) -+#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl to see why is needed this rule. 
-+ -+logging_send_syslog_msg(zoneminder_t) -+logging_send_audit_msgs(zoneminder_t) -+ -+mta_send_mail(zoneminder_t) -+ -+tunable_policy(`zoneminder_anon_write',` -+ miscfiles_manage_public_files(zoneminder_t) -+') -+ -+tunable_policy(`zoneminder_run_sudo',` -+ allow zoneminder_t self:capability { setuid setgid sys_resource }; -+ allow zoneminder_t self:process { setrlimit setsched }; -+ allow zoneminder_t self:key write; -+ allow zoneminder_t self:passwd { passwd rootok }; -+ -+ auth_rw_lastlog(zoneminder_t) -+ auth_rw_faillog(zoneminder_t) -+ auth_exec_chkpwd(zoneminder_t) -+ -+ selinux_compute_access_vector(zoneminder_t) -+ -+ systemd_write_inherited_logind_sessions_pipes(zoneminder_t) -+ systemd_dbus_chat_logind(zoneminder_t) -+ -+ xserver_exec_xauth(zoneminder_t) -+') -+ -+optional_policy(` -+ tunable_policy(`zoneminder_run_sudo',` -+ dbus_system_bus_client(zoneminder_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`zoneminder_run_sudo',` -+ sudo_exec(zoneminder_t) -+ su_exec(zoneminder_t) -+ ') -+') -+optional_policy(` -+ mysql_stream_connect(zoneminder_t) -+') -+ -+optional_policy(` -+ fprintd_dbus_chat(zoneminder_t) -+') -+ -+optional_policy(` -+ motion_manage_all_files(zoneminder_t) -+') -+ -+######################################## -+# -+# zoneminder cgi local policy -+# -+ -+optional_policy(` -+ apache_content_template(zoneminder) -+ -+ # need more testing -+ #allow httpd_zoneminder_script_t self:shm create_shm_perms; -+ -+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+ -+ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) -+ -+ zoneminder_stream_connect(httpd_zoneminder_script_t) -+ -+ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t) -+ -+ files_search_var_lib(httpd_zoneminder_script_t) -+ -+ logging_send_syslog_msg(httpd_zoneminder_script_t) -+ -+ optional_policy(` -+ mysql_stream_connect(httpd_zoneminder_script_t) -+ ') -+ -+') -diff --git a/zosremote.if 
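Review bot: The `zoneminder_run_sudo` tunable is far broader than "run su/sudo" suggests: it grants `self:passwd { passwd rootok }`, `setuid setgid`, `auth_exec_chkpwd`, `auth_rw_lastlog`/`auth_rw_faillog` and `su_exec`/`sudo_exec` to a daemon that already has `corecmd_exec_shell` and `dac_override`, so with it enabled a compromised zoneminder_t can satisfy pam_rootok and change uid, which is effectively root-equivalent. The boolean description should say so, e.g. `## Allow ZoneMinder to run su/sudo. Enabling this lets the daemon satisfy pam_rootok and change uid; treat it as root-equivalent.` Leaving `#auth_read_shadow(zoneminder_t)` commented out pending a debug of zmpkg.pl is the right call; please keep it denied and note the outstanding question in the comment rather than re-enabling it. `domain_read_all_domains_state(zoneminder_t)` also looks wider than the motion/mysql/apache interactions visible here need, so it would be good to confirm the AVC that motivated it.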
b/zosremote.if -index b14698c..16e1581 100644 ---- a/zosremote.if -+++ b/zosremote.if -@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',` - ## Role allowed access. - ##
    - ## -+## - # - interface(`zosremote_run',` - gen_require(` -diff --git a/zosremote.te b/zosremote.te -index 9ba9f81..983b6c8 100644 ---- a/zosremote.te -+++ b/zosremote.te -@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen }; - - auth_use_nsswitch(zos_remote_t) - --miscfiles_read_localization(zos_remote_t) -- - logging_send_syslog_msg(zos_remote_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 21bca3e..33e2b5f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,12 +19,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 101%{?dist} +Release: 102%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz -patch: policy-rawhide-base.patch -patch1: policy-rawhide-contrib.patch +patch: policy-f20-base.patch +patch1: policy-f20-contrib.patch Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf 
@@ -573,6 +573,27 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Nov 15 2013 Miroslav Grepl 3.12.1-102 +- Fix files_dontaudit_unmount_all_mountpoints() +- Add support for 2608-2609 tcp/udp ports +- Should allow domains to lock the terminal device +- More fixes for user config files to make crond_t running in userdomain +- Add back disable/reload/enable permissions for system class +- Fix manage_service_perms macro +- We need to require passwd rootok +- Fix zebra.fc +- Fix dnsmasq_filetrans_named_content() interface +- Allow all sandbox domains create content in svirt_home_t +- Allow zebra domains also create zebra_tmp_t files in /tmp +- Add support for new zebra services:isisd,babeld. Add systemd support for zebra services. +- Fix labeling on neutron and remove transition to iconfig_t +- abrt needs to read mcelog log file +- Fix labeling on dnsmasq content +- Fix labeling on /etc/dnsmasq.d +- Allow glusterd to relabel own lib files +- Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd +- Allow ipc_lock for abrt to run journalctl + * Thu Nov 14 2013 Miroslav Grepl 3.12.1-101 - Fix config.tgz